a568bbed3c
* win_mapped_drive - refactor module and docs * Updated code to work with become and split tokens * use win_credential_manager instead of cmdkey * updated credential manager module name * harden the system token impersonation process
99 lines
3 KiB
YAML
99 lines
3 KiB
YAML
---
|
|
# test setup
|
|
- name: gather facts required by the tests
|
|
setup:
|
|
gather_subset: platform
|
|
|
|
- name: ensure mapped drive is deleted before test
|
|
win_mapped_drive:
|
|
letter: '{{test_win_mapped_drive_letter}}'
|
|
state: absent
|
|
|
|
- name: ensure temp mapped drive user exist
|
|
win_user:
|
|
name: '{{test_win_mapped_drive_temp_user}}'
|
|
password: '{{test_win_mapped_drive_temp_password}}'
|
|
state: present
|
|
groups:
|
|
- Administrators
|
|
|
|
- name: ensure temp folders exist
|
|
win_file:
|
|
path: '{{item}}'
|
|
state: directory
|
|
with_items:
|
|
- '{{test_win_mapped_drive_local_path}}'
|
|
- '{{test_win_mapped_drive_local_path2}}'
|
|
|
|
# can't use win_share as it doesnt't support Server 2008 and 2008 R2
|
|
- name: ensure shares exist
|
|
win_shell: $share = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -eq '{{item.name}}' }; if (-not $share) { $share = [wmiClass]'Win32_Share'; $share.Create('{{item.path}}', '{{item.name}}', 0) }
|
|
with_items:
|
|
- { name: '{{test_win_mapped_drive_path}}', path: '{{test_win_mapped_drive_local_path}}' }
|
|
- { name: '{{test_win_mapped_drive_path2}}', path: '{{test_win_mapped_drive_local_path2}}' }
|
|
|
|
# This ensures we test out the split token/become behaviour
|
|
- name: ensure builtin Administrator has a split token
|
|
win_regedit:
|
|
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
|
|
name: FilterAdministratorToken
|
|
data: 1
|
|
type: dword
|
|
register: admin_uac
|
|
|
|
- name: reboot to apply Admin approval mode setting
|
|
win_reboot:
|
|
when: admin_uac is changed
|
|
|
|
- block:
|
|
# tests
|
|
- include_tasks: tests.yml
|
|
|
|
# test cleanup
|
|
always:
|
|
- name: remove stored credential
|
|
win_credential:
|
|
name: '{{ ansible_hostname }}'
|
|
type: domain_password
|
|
state: absent
|
|
vars:
|
|
ansible_become: yes
|
|
ansible_become_method: runas
|
|
ansible_become_user: '{{ ansible_user }}'
|
|
ansible_become_pass: '{{ ansible_password }}'
|
|
|
|
- name: ensure mapped drive is deleted at the end of the test
|
|
win_mapped_drive:
|
|
letter: '{{test_win_mapped_drive_letter}}'
|
|
state: absent
|
|
|
|
- name: ensure shares are removed
|
|
win_shell: $share = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -eq '{{item}}' }; if ($share) { $share.Delete() }
|
|
with_items:
|
|
- '{{test_win_mapped_drive_path}}'
|
|
- '{{test_win_mapped_drive_path2}}'
|
|
|
|
- name: ensure temp folders are deleted
|
|
win_file:
|
|
path: '{{item}}'
|
|
state: absent
|
|
with_items:
|
|
- '{{test_win_mapped_drive_local_path}}'
|
|
- '{{test_win_mapped_drive_local_path2}}'
|
|
|
|
- name: ensure temp mapped driver user is deleted
|
|
win_user:
|
|
name: '{{test_win_mapped_drive_temp_user}}'
|
|
state: absent
|
|
|
|
- name: disable Admin approval mode if changed in test
|
|
win_regedit:
|
|
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
|
|
name: FilterAdministratorToken
|
|
data: 0
|
|
type: dword
|
|
when: admin_uac is changed
|
|
|
|
- name: reboot to apply Admin approval mode setting
|
|
win_reboot:
|
|
when: admin_uac is changed
|