From cc3b8b9f729a6176434a6e76d9940869b8b226c5 Mon Sep 17 00:00:00 2001
From: Jordan Borean
Date: Wed, 1 May 2019 17:21:26 +1000
Subject: [PATCH] win_acl - fix network path qualifier parsing (#55970)

---
 changelogs/fragments/win_acl-network.yaml | 2 +
 lib/ansible/modules/windows/win_acl.ps1 | 15 ++++---
 .../targets/win_acl/defaults/main.yml | 1 +
 .../targets/win_acl/tasks/tests.yml | 42 +++++++++++++++++++
 4 files changed, 55 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/fragments/win_acl-network.yaml

diff --git a/changelogs/fragments/win_acl-network.yaml b/changelogs/fragments/win_acl-network.yaml
new file mode 100644
index 00000000000..d467f928126
--- /dev/null
+++ b/changelogs/fragments/win_acl-network.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+- win_acl - Fix qualifier parser when using UNC paths - https://github.com/ansible/ansible/issues/55875
diff --git a/lib/ansible/modules/windows/win_acl.ps1 b/lib/ansible/modules/windows/win_acl.ps1
index d1d8e80af23..af55f2ae21f 100644
--- a/lib/ansible/modules/windows/win_acl.ps1
+++ b/lib/ansible/modules/windows/win_acl.ps1
@@ -90,8 +90,9 @@ $state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "prese
 $inherit = Get-AnsibleParam -obj $params -name "inherit" -type "str"
 $propagation = Get-AnsibleParam -obj $params -name "propagation" -type "str" -default "None" -validateset "InheritOnly","None","NoPropagateInherit"

-# We mount the HKCR, HKU, and HKCC registry hives so PS can access them
-$path_qualifier = Split-Path -Path $path -Qualifier
+# We mount the HKCR, HKU, and HKCC registry hives so PS can access them.
+# Network paths have no qualifiers so we use -EA SilentlyContinue to ignore that
+$path_qualifier = Split-Path -Path $path -Qualifier -ErrorAction SilentlyContinue
 if ($path_qualifier -eq "HKCR:" -and (-not (Test-Path -LiteralPath HKCR:\))) {
 New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT > $null
 }
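Review bot: `-ErrorAction SilentlyContinue` on the `Split-Path -Qualifier` call hides every failure of that call, not only the UNC case the new comment names, so any other path without a qualifier also leaves `$path_qualifier` as `$null`. The hunks at -120 and -218 then skip `Push-Location`/`Pop-Location` for it, and the ACL change would presumably be resolved from whatever location the module is running in (any earlier path validation is outside this hunk). For a module that rewrites ACLs it is safer to name the one expected case, e.g. `$path_qualifier = $null` followed by `if (-not $path.StartsWith('\\')) { $path_qualifier = Split-Path -Path $path -Qualifier }`, so an unexpected path still fails loudly. The statement run continues outside the hunk.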
@@ -120,8 +121,10 @@ ElseIf ($null -eq $inherit) {
 }

 # Bug in Set-Acl, Get-Acl where -LiteralPath only works for the Registry provider if the location is in that root
-# qualifier.
-Push-Location -LiteralPath $path_qualifier
+# qualifier. We also don't have a qualifier for a network path so only change if not null
+if ($null -ne $path_qualifier) {
+ Push-Location -LiteralPath $path_qualifier
+}

 Try {
 SetPrivilegeTokens
@@ -218,7 +221,9 @@ Catch {
 }
 Finally {
 # Make sure we revert the location stack to the original path just for cleanups sake
- Pop-Location
+ if ($null -ne $path_qualifier) {
+ Pop-Location
+ }
 }

 Exit-Json -obj $result
diff --git a/test/integration/targets/win_acl/defaults/main.yml b/test/integration/targets/win_acl/defaults/main.yml
index 53532202ac5..9999acd1ba1 100644
--- a/test/integration/targets/win_acl/defaults/main.yml
+++ b/test/integration/targets/win_acl/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
 test_acl_path: '{{ win_output_dir }}\win_acl .ÅÑŚÌβŁÈ [$!@^&test(;)]'
+test_acl_network_path: \\localhost\{{ test_acl_path[0:1] }}$\{{ test_acl_path[3:] }}
 # Use HKU as that path is not automatically loaded in the PSProvider making our test more complex
 test_acl_reg_path: HKU:\.DEFAULT\Ansible Test .ÅÑŚÌβŁÈ [$!@^&test(;)]
diff --git a/test/integration/targets/win_acl/tasks/tests.yml b/test/integration/targets/win_acl/tasks/tests.yml
index 68601dc8ba3..56f52733733 100644
--- a/test/integration/targets/win_acl/tasks/tests.yml
+++ b/test/integration/targets/win_acl/tasks/tests.yml
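Review bot: The new `test_acl_network_path` value in defaults/main.yml carries an undocumented assumption: the slices `[0:1]` and `[3:]` only yield a valid share path when `test_acl_path` starts with a drive letter followed by `:\`. The `$` share it builds looks like the drive's administrative share, so the test would also need that share enabled and an account allowed to use it on the target. A comment above the line would record this, e.g. `# UNC form of test_acl_path via the drive's admin share (X$); assumes test_acl_path starts with 'X:\'`.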
@@ -171,6 +171,48 @@
 that:
 - not remove_deny_right_again is changed

+- name: add write rights to Guest - network
+ win_acl:
+ path: '{{ test_acl_network_path }}'
+ type: allow
+ user: Guests
+ rights: Write
+ register: allow_right
+
+- name: get result of add write rights to Guest - network
+ win_shell: '$path = ''{{ test_acl_path }}''; {{ test_ace_cmd }}'
+ register: allow_right_actual
+
+- name: assert add write rights to Guest - network
+ assert:
+ that:
+ - allow_right is changed
+ - (allow_right_actual.stdout|from_json)|count == 1
+ - (allow_right_actual.stdout|from_json)[0].identity == 'BUILTIN\Guests'
+ - (allow_right_actual.stdout|from_json)[0].inheritance_flags == 'ContainerInherit, ObjectInherit'
+ - (allow_right_actual.stdout|from_json)[0].propagation_flags == 'None'
+ - (allow_right_actual.stdout|from_json)[0].rights == 'Write, Synchronize'
+ - (allow_right_actual.stdout|from_json)[0].type == 'Allow'
+
+- name: remove write rights from Guest - network
+ win_acl:
+ path: '{{ test_acl_network_path }}'
+ type: allow
+ user: Guests
+ rights: Write
+ state: absent
+ register: remove_right
+
+- name: get result of remove write rights from Guest - network
+ win_shell: '$path = ''{{ test_acl_path }}''; {{ test_ace_cmd }}'
+ register: remove_right_actual
+
+- name: assert remove write rights from Guest
+ assert:
+ that:
+ - remove_right is changed
+ - remove_right_actual.stdout_lines == ["[", "", "]"]
+
 - name: add write rights to Guest - registry
 win_acl:
 path: '{{ test_acl_reg_path }}'
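Review bot: The network-path block has no idempotency check: after `allow_right` the same `win_acl` task is never run a second time, so a UNC path that adds a duplicate ACE or keeps reporting `changed` would still pass. The `count == 1` assert only covers the state after the first add. A repeat task with a `not ... is changed` assert, placed after the first assert, would close that gap. The last assert is also named `assert remove write rights from Guest`, without the `- network` suffix the other five tasks carry. The task list continues outside the hunk.

```yaml
# … unchanged: add write rights to Guest - network, its win_shell read-back and assert …

- name: add write rights to Guest - network (idempotent)
  win_acl:
    path: '{{ test_acl_network_path }}'
    type: allow
    user: Guests
    rights: Write
  register: allow_right_again

- name: assert add write rights to Guest - network (idempotent)
  assert:
    that:
    - not allow_right_again is changed

# … unchanged: remove write rights from Guest - network and its assert …
```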