psrp - fix test_command rc for win_reboot (#55354)
(cherry picked from commit 49655a452d)
parent
33824f313e
commit
5af5e70f6b
3 changed files with 28 additions and 50 deletions
2
changelogs/fragments/win_reboot-psrp-command.yaml
Normal file
2
changelogs/fragments/win_reboot-psrp-command.yaml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- win_reboot - pass return value for ``test_command`` result when using the ``psrp`` connection plugin
|
|
@ -46,6 +46,14 @@ class ActionModule(RebootActionModule, ActionBase):
|
||||||
def get_shutdown_command(self, task_vars, distribution):
|
def get_shutdown_command(self, task_vars, distribution):
|
||||||
return self.DEFAULT_SHUTDOWN_COMMAND
|
return self.DEFAULT_SHUTDOWN_COMMAND
|
||||||
|
|
||||||
|
def run_test_command(self, distribution, **kwargs):
|
||||||
|
# Need to wrap the test_command in our PowerShell encoded wrapper. This is done to align the command input to a
|
||||||
|
# common shell and to allow the psrp connection plugin to report the correct exit code without manually setting
|
||||||
|
# $LASTEXITCODE for just that plugin.
|
||||||
|
test_command = self._task.args.get('test_command', self.DEFAULT_TEST_COMMAND)
|
||||||
|
kwargs['test_command'] = self._connection._shell._encode_script(test_command)
|
||||||
|
super(ActionModule, self).run_test_command(distribution, **kwargs)
|
||||||
|
|
||||||
def perform_reboot(self, task_vars, distribution):
|
def perform_reboot(self, task_vars, distribution):
|
||||||
shutdown_command = self.get_shutdown_command(task_vars, distribution)
|
shutdown_command = self.get_shutdown_command(task_vars, distribution)
|
||||||
shutdown_command_args = self.get_shutdown_command_args(distribution)
|
shutdown_command_args = self.get_shutdown_command_args(distribution)
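Review bot: `run_test_command` hands the wrapped command to the parent only through `kwargs['test_command']`, and the parent method is not visible on this page, so confirm that `RebootActionModule.run_test_command` reads `test_command` from `kwargs` rather than re-reading `self._task.args`; if it re-reads the task args, the encoded wrapper is dropped without any error and the exit-code fix has no effect. Going by the added comment, every user-supplied `test_command` is now wrapped as an encoded PowerShell script, which may change how existing values written with cmd-style quoting are interpreted. A docstring such as `"""Run test_command through the PowerShell encoded wrapper so rc is reported consistently across connection plugins."""` would record that contract. The call also depends on the private `self._connection._shell._encode_script`, which deserves a one-line comment naming the shell plugin it expects. The enclosing class starts before the hunk and `perform_reboot` continues after it.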
|
||||||
|
|
|
@ -26,7 +26,7 @@
|
||||||
|
|
||||||
- name: reboot with secondary reboot stage
|
- name: reboot with secondary reboot stage
|
||||||
win_reboot:
|
win_reboot:
|
||||||
test_command: powershell.exe -NoProfile -EncodedCommand {{lookup('template', 'post_reboot.ps1')|b64encode(encoding='utf-16-le')}}
|
test_command: '{{ lookup("template", "post_reboot.ps1") }}'
|
||||||
|
|
||||||
- name: reboot with test command that fails
|
- name: reboot with test command that fails
|
||||||
win_reboot:
|
win_reboot:
|
||||||
|
@ -35,59 +35,27 @@
|
||||||
register: reboot_fail_test
|
register: reboot_fail_test
|
||||||
failed_when: "reboot_fail_test.msg != 'Timed out waiting for post-reboot test command (timeout=120)'"
|
failed_when: "reboot_fail_test.msg != 'Timed out waiting for post-reboot test command (timeout=120)'"
|
||||||
|
|
||||||
# try and reboot the host with a non admin user, we expect an error here
|
- name: remove SeRemoteShutdownPrivilege
|
||||||
# this requires a bit of setup to create the user and allow it to connect
|
win_user_right:
|
||||||
# over WinRM
|
name: SeRemoteShutdownPrivilege
|
||||||
- name: create password fact
|
users: []
|
||||||
set_fact:
|
action: set
|
||||||
standard_user: ansible_user_test
|
register: removed_shutdown_privilege
|
||||||
standard_pass: password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}
|
|
||||||
|
|
||||||
- name: get original SDDL for WinRM listener
|
|
||||||
win_shell: (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
|
|
||||||
register: original_sddl
|
|
||||||
|
|
||||||
- name: create standard user
|
|
||||||
win_user:
|
|
||||||
name: '{{standard_user}}'
|
|
||||||
password: '{{standard_pass}}'
|
|
||||||
update_password: always
|
|
||||||
groups: Users
|
|
||||||
state: present
|
|
||||||
register: user_res
|
|
||||||
|
|
||||||
- name: add standard user to WinRM listener
|
|
||||||
win_shell: |
|
|
||||||
$sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList "{{user_res.sid}}"
|
|
||||||
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, "{{original_sddl.stdout_lines[0]}}"
|
|
||||||
$sd.DiscretionaryAcl.AddAccess(
|
|
||||||
[System.Security.AccessControl.AccessControlType]::Allow,
|
|
||||||
$sid,
|
|
||||||
(0x80000000 -bor 0x20000000),
|
|
||||||
[System.Security.AccessControl.InheritanceFlags]::None,
|
|
||||||
[System.Security.AccessControl.PropagationFlags]::None
|
|
||||||
)
|
|
||||||
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
|
|
||||||
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force
|
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: fail to reboot with non admin user
|
- name: try and reboot without required privilege
|
||||||
win_reboot:
|
win_reboot:
|
||||||
vars:
|
register: fail_privilege
|
||||||
ansible_user: '{{standard_user}}'
|
failed_when:
|
||||||
ansible_password: '{{standard_pass}}'
|
- "'Reboot command failed, error was:' not in fail_privilege.msg"
|
||||||
ansible_winrm_transport: ntlm
|
- "'Access is denied.(5)' not in fail_privilege.msg"
|
||||||
register: fail_shutdown
|
|
||||||
failed_when: "'Reboot command failed, error was: Access is denied.(5)' not in fail_shutdown.msg"
|
|
||||||
|
|
||||||
always:
|
always:
|
||||||
- name: set the original SDDL to the WinRM listener
|
- name: reset the SeRemoteShutdownPrivilege
|
||||||
win_shell: 'Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value "{{original_sddl.stdout_lines[0]}}" -Force'
|
win_user_right:
|
||||||
|
name: SeRemoteShutdownPrivilege
|
||||||
- name: remove standard user
|
users: '{{ removed_shutdown_privilege.removed }}'
|
||||||
win_user:
|
action: add
|
||||||
name: '{{standard_user}}'
|
|
||||||
state: absent
|
|
||||||
|
|
||||||
- name: Use invalid parameter
|
- name: Use invalid parameter
|
||||||
reboot:
|
reboot:
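Review bot: The list form of `failed_when` on `try and reboot without required privilege` is joined with an implicit `and`, so the task is marked failed only when both substrings are missing. A message containing just one of them still passes, which is weaker than the single-string check it replaces. If both parts must be present, combine them with `or`: `failed_when: "'Reboot command failed, error was:' not in fail_privilege.msg or 'Access is denied.(5)' not in fail_privilege.msg"`. Separately, `remove SeRemoteShutdownPrivilege` runs outside the `block`, and the restore under `always` relies on `removed_shutdown_privilege.removed`. An interrupted run would therefore leave the test host with that right unassigned, which is worth a comment above the task.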
|
||||||
|
|