ansible/test/integration/targets/win_acl_inheritance/tasks/main.yml
2019-03-15 14:57:59 +10:00

174 lines
6 KiB
YAML

---
# Test setup
# Use single task to save in CI runtime
- name: create test folders
win_shell: |
$ErrorActionPreference = 'Stop'
$tmp_dir = '{{ test_win_acl_inheritance_path }}'
if (Test-Path -LiteralPath $tmp_dir) {
Remove-Item -LiteralPath $tmp_dir -Force -Recurse
}
New-Item -Path $tmp_dir -ItemType Directory > $null
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$current_sid = ([System.DirectoryServices.AccountManagement.UserPrincipal]::Current).Sid
$system_sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$everyone_sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$sd = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
$sd.SetAccessRuleProtection($true, $false)
$sd.AddAccessRule(
(New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
$system_sid,
[System.Security.AccessControl.FileSystemRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
))
)
$sd.AddAccessRule(
(New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
$current_sid,
[System.Security.AccessControl.FileSystemRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
))
)
$sd.AddAccessRule(
(New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
$everyone_sid,
[System.Security.AccessControl.FileSystemRights]::Read,
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
))
)
Set-Acl -LiteralPath $tmp_dir -AclObject $sd
New-Item -Path "$tmp_dir\folder" -ItemType Directory > $null
Set-Content -LiteralPath "$tmp_dir\folder\file.txt" -Value 'a'
$system_sid.Value
$current_sid.Value
$everyone_sid.Value
register: test_sids # register the output SID values used for comparison tests below
# Run tests
- name: remove inheritance check
win_acl_inheritance:
path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True
state: absent
register: remove_check
check_mode: True
- name: get actual remove inheritance check
test_get_acl:
path: '{{ test_win_acl_inheritance_path }}\folder'
register: actual_remove_check
- name: assert remove inheritance check
assert:
that:
- remove_check is changed
- actual_remove_check.inherited == True
- actual_remove_check.user_details[test_sids.stdout_lines[0]].isinherited == True
- actual_remove_check.user_details[test_sids.stdout_lines[1]].isinherited == True
- actual_remove_check.user_details[test_sids.stdout_lines[2]].isinherited == True
- name: remove inheritance
win_acl_inheritance:
path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True
state: absent
register: remove
- name: get actual remove inheritance
test_get_acl:
path: '{{ test_win_acl_inheritance_path }}\folder'
register: actual_remove
- name: assert remove inheritance
assert:
that:
- remove is changed
- actual_remove.inherited == False
- actual_remove.user_details[test_sids.stdout_lines[0]].isinherited == False
- actual_remove.user_details[test_sids.stdout_lines[1]].isinherited == False
- actual_remove.user_details[test_sids.stdout_lines[2]].isinherited == False
- name: remove inheritance again
win_acl_inheritance:
path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True
state: absent
register: remove_again
- name: assert remove inheritance again
assert:
that:
- remove_again is not changed
- name: add inheritance check
win_acl_inheritance:
path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True
state: present
register: add_check
check_mode: True
- name: get actual add inheritance check
test_get_acl:
path: '{{ test_win_acl_inheritance_path }}\folder'
register: actual_add_check
- name: assert add inheritance check
assert:
that:
- add_check is changed
- actual_add_check.inherited == False
- actual_add_check.user_details[test_sids.stdout_lines[0]].isinherited == False
- actual_add_check.user_details[test_sids.stdout_lines[1]].isinherited == False
- actual_add_check.user_details[test_sids.stdout_lines[2]].isinherited == False
- name: add inheritance
win_acl_inheritance:
path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True
state: present
register: add
- name: get actual add inheritance
test_get_acl:
path: '{{ test_win_acl_inheritance_path }}\folder'
register: actual_add
- name: assert add inheritance
assert:
that:
- add is changed
- actual_add.inherited == True
- actual_add.user_details[test_sids.stdout_lines[0]].isinherited == True
- actual_add.user_details[test_sids.stdout_lines[1]].isinherited == True
- actual_add.user_details[test_sids.stdout_lines[2]].isinherited == True
- name: add inheritance again
win_acl_inheritance:
path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True
state: present
register: add_again
- name: assert add inheritance again
assert:
that:
- add_again is not changed
# Test cleanup
- name: remove test folder
win_file:
path: '{{ test_win_acl_inheritance_path }}'
state: absent