- set_fact: become_test_username: ansible_become_test become_test_admin_username: ansible_become_admin gen_pw: password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }} - name: create unprivileged user win_user: name: "{{ become_test_username }}" password: "{{ gen_pw }}" update_password: always groups: Users - name: create a privileged user win_user: name: "{{ become_test_admin_username }}" password: "{{ gen_pw }}" update_password: always groups: Administrators - name: execute tests and ensure that test user is deleted regardless of success/failure block: - name: ensure current user is not the become user win_shell: whoami register: whoami_out failed_when: whoami_out.stdout_lines[0].endswith(become_test_username) or whoami_out.stdout_lines[0].endswith(become_test_admin_username) - name: get become user profile dir so we can clean it up later vars: &become_vars ansible_become_user: "{{ become_test_username }}" ansible_become_password: "{{ gen_pw }}" ansible_become_method: runas ansible_become: yes win_shell: $env:USERPROFILE register: profile_dir_out - name: ensure profile dir contains test username (eg, if become fails silently, prevent deletion of real user profile) assert: that: - become_test_username in profile_dir_out.stdout_lines[0] - name: get become admin user profile dir so we can clean it up later vars: &admin_become_vars ansible_become_user: "{{ become_test_admin_username }}" ansible_become_password: "{{ gen_pw }}" ansible_become_method: runas ansible_become: yes win_shell: $env:USERPROFILE register: admin_profile_dir_out - name: ensure profile dir contains admin test username assert: that: - become_test_admin_username in admin_profile_dir_out.stdout_lines[0] - name: test become runas via task vars (underprivileged user) vars: *become_vars win_shell: whoami register: whoami_out - name: verify output assert: that: - whoami_out.stdout_lines[0].endswith(become_test_username) - name: test become runas to ensure underprivileged user has medium integrity level vars: *become_vars win_shell: whoami /groups register: whoami_out - name: verify output assert: that: - '"Mandatory Label\Medium Mandatory Level" in whoami_out.stdout' - name: test become runas via task vars (privileged user) vars: *admin_become_vars win_shell: whoami register: whoami_out - name: verify output assert: that: - whoami_out.stdout_lines[0].endswith(become_test_admin_username) - name: test become runas to ensure privileged user has high integrity level vars: *admin_become_vars win_shell: whoami /groups register: whoami_out - name: verify output assert: that: - '"Mandatory Label\High Mandatory Level" in whoami_out.stdout' - name: test become runas via task keywords vars: ansible_become_password: "{{ gen_pw }}" become: yes become_method: runas become_user: "{{ become_test_username }}" win_shell: whoami register: whoami_out - name: verify output assert: that: - whoami_out.stdout_lines[0].endswith(become_test_username) - name: test become via block vars vars: *become_vars block: - name: ask who the current user is win_shell: whoami register: whoami_out - name: verify output assert: that: - whoami_out.stdout_lines[0].endswith(become_test_username) - name: test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468) vars: *become_vars setup: - name: test become with SYSTEM account win_command: whoami become: yes become_method: runas become_user: SYSTEM register: whoami_out - name: verify output assert: that: - whoami_out.stdout_lines[0] == "nt authority\\system" - name: test become with NetworkService account win_command: whoami become: yes become_method: runas become_user: NetworkService register: whoami_out - name: verify output assert: that: - whoami_out.stdout_lines[0] == "nt authority\\network service" - name: test become with LocalService account win_command: whoami become: yes become_method: runas become_user: LocalService register: whoami_out - name: verify output assert: that: - whoami_out.stdout_lines[0] == "nt authority\\local service" # Test out Async on Windows Server 2012+ - name: get OS version win_shell: if ([System.Environment]::OSVersion.Version -ge [Version]"6.2") { $true } else { $false } register: os_version - name: test become + async on older hosts vars: *become_vars win_command: whoami async: 10 register: whoami_out ignore_errors: yes - name: verify older hosts failed with become + async assert: that: - whoami_out is failed when: os_version.stdout_lines[0] == "False" - name: verify newer hosts worked with become + async assert: that: - whoami_out is successful when: os_version.stdout_lines[0] == "True" # FUTURE: test raw + script become behavior once they're running under the exec wrapper again # FUTURE: add standalone playbook tests to include password prompting and play become keywords always: - name: ensure underprivileged test user is deleted win_user: name: "{{ become_test_username }}" state: absent - name: ensure privileged test user is deleted win_user: name: "{{ become_test_admin_username }}" state: absent - name: ensure underprivileged test user profile is deleted # NB: have to work around powershell limitation of long filenames until win_file fixes it win_shell: rmdir /S /Q {{ profile_dir_out.stdout_lines[0] }} args: executable: cmd.exe when: become_test_username in profile_dir_out.stdout_lines[0] - name: ensure privileged test user profile is deleted # NB: have to work around powershell limitation of long filenames until win_file fixes it win_shell: rmdir /S /Q {{ admin_profile_dir_out.stdout_lines[0] }} args: executable: cmd.exe when: become_test_admin_username in admin_profile_dir_out.stdout_lines[0]