ansible/test/integration/targets/win_firewall_rule/tasks/main.yml
Shachaf92 f6ac4361e7 win_firewall_rule - support ICMP types and codes (#60361)
* win_firewall_rule - support ICMP types and codes

* Update main.yml

* Add more examples and change type to list
2019-11-14 11:32:01 +10:00

474 lines
12 KiB
YAML

- name: Remove potentially leftover firewall rule
win_firewall_rule:
name: http
state: absent
action: allow
direction: in
- name: Add firewall rule
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
register: add_firewall_rule
- name: Check that creating new firewall rule succeeds with a change
assert:
that:
- add_firewall_rule.changed == true
- name: Add same firewall rule (again)
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
register: add_firewall_rule_again
- name: Check that creating same firewall rule succeeds without a change
assert:
that:
- add_firewall_rule_again.changed == false
- name: Remove firewall rule
win_firewall_rule:
name: http
enabled: yes
state: absent
localport: 80
action: allow
direction: in
protocol: tcp
register: remove_firewall_rule
- name: Check that removing existing firewall rule succeeds with a change
assert:
that:
- remove_firewall_rule.changed == true
- name: Remove absent firewall rule
win_firewall_rule:
name: http
enabled: yes
state: absent
localport: 80
action: allow
direction: in
protocol: tcp
register: remove_absent_firewall_rule
- name: Check that removing non existing firewall rule succeeds without a change
assert:
that:
- remove_absent_firewall_rule.changed == false
- name: Add firewall rule
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
- name: Change firewall rule
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: block
direction: in
protocol: tcp
register: change_firewall_rule
- name: Check that changing firewall rule succeeds
assert:
that:
- change_firewall_rule.changed == true
- name: Disable firewall rule
win_firewall_rule:
name: http
enabled: no
- name: Get the actual values from the changed firewall rule
win_shell: '(New-Object -ComObject HNetCfg.FwPolicy2).Rules | Where-Object { $_.Name -eq "http" } | Foreach-Object { $_.LocalPorts; $_.Enabled; $_.Action; $_.Direction; $_.Protocol }'
register: firewall_rule_actual
- name: Ensure that disabling the rule did not change the previous values
assert:
that:
- "firewall_rule_actual.stdout_lines[0] == '80'" # LocalPorts = 80
- "firewall_rule_actual.stdout_lines[1] == 'False'" # Enabled = False
- "firewall_rule_actual.stdout_lines[2] == '0'" # Action = block
- "firewall_rule_actual.stdout_lines[3] == '1'" # Direction = in
- "firewall_rule_actual.stdout_lines[4] == '6'" # Protocol = tcp
- name: Add firewall rule when remoteip is range
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.1-192.168.0.5
action: allow
direction: in
protocol: tcp
- name: Add same firewall rule when remoteip is range (again)
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.1-192.168.0.5
action: allow
direction: in
protocol: tcp
register: add_firewall_rule_with_range_remoteip_again
- name: Check that creating same firewall rule when remoteip is range succeeds without a change
assert:
that:
- add_firewall_rule_with_range_remoteip_again.changed == false
- name: Add firewall rule when remoteip in CIDR notation
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.0/24
action: allow
direction: in
protocol: tcp
- name: Add same firewall rule when remoteip in CIDR notation (again)
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.0/24
action: allow
direction: in
protocol: tcp
register: add_firewall_rule_with_cidr_remoteip_again
- name: Check that creating same firewall rule succeeds without a change when remoteip in CIDR notation
assert:
that:
- add_firewall_rule_with_cidr_remoteip_again.changed == false
- name: Add firewall rule when remoteip contains a netmask
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.1.0/255.255.255.0
action: allow
direction: in
protocol: tcp
- name: Add same firewall rule when remoteip contains a netmask (again)
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.1.0/255.255.255.0
action: allow
direction: in
protocol: tcp
register: add_firewall_rule_remoteip_contains_netmask_again
- name: Check that creating same firewall rule succeeds without a change when remoteip contains a netmask
assert:
that:
- add_firewall_rule_remoteip_contains_netmask_again.changed == false
- name: Add firewall rule when remoteip is IPv4
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.1
action: allow
direction: in
protocol: tcp
- name: Add same firewall rule when remoteip is IPv4 (again)
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.1
action: allow
direction: in
protocol: tcp
register: add_firewall_rule_with_ipv4_remoteip_again
- name: Check that creating same firewall rule when remoteip is IPv4 succeeds without a change
assert:
that:
- add_firewall_rule_with_ipv4_remoteip_again.changed == false
- name: Add firewall rule when remoteip contains a netmask
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.2.0/255.255.255.0
action: allow
direction: in
protocol: tcp
- name: Add same firewall rule when remoteip in CIDR notation
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
remoteip: 192.168.2.0/24
action: allow
direction: in
protocol: tcp
register: add_same_firewall_rule_with_cidr_remoteip
- name: Check that creating same firewall rule succeeds without a change when remoteip contains a netmask or CIDR
assert:
that:
- add_same_firewall_rule_with_cidr_remoteip.changed == false
- name: Add firewall rule with multiple ports
win_firewall_rule:
name: http
enabled: yes
state: present
localport: '80,81'
action: allow
direction: in
protocol: tcp
register: add_firewall_rule_with_multiple_ports
- name: Check that creating firewall rule with multiple ports succeeds with a change
assert:
that:
- add_firewall_rule_with_multiple_ports.changed == true
- name: Add firewall rule with interface types in string format
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
interfacetypes: 'ras,lan,wireless'
register: add_firewall_rule_with_string_interface_types
- name: Check that creating firewall rule with interface types in string format succeeds with a change
assert:
that:
- add_firewall_rule_with_string_interface_types.changed == true
- name: Add firewall rule with interface types in list format
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
interfacetypes: [ras, lan]
register: add_firewall_rule_with_list_interface_types
- name: Check that creating firewall rule with interface types in list format succeeds with a change
assert:
that:
- add_firewall_rule_with_list_interface_types.changed == true
- name: Add firewall rule with interface type 'any'
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
interfacetypes: any
register: add_firewall_rule_with_interface_type_any
- name: Check that creating firewall rule with interface type 'any' succeeds with a change
assert:
that:
- add_firewall_rule_with_interface_type_any.changed == true
- name: Add firewall rule with edge traversal option 'deferapp'
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
edge: deferapp
register: add_firewall_rule_with_edge_traversal
# Setup action creates ansible_distribution_version variable
- action: setup
- name: Check that creating firewall rule with enge traversal option 'deferapp' succeeds with a change
assert:
that:
- add_firewall_rule_with_edge_traversal.changed == true
# Works on windows >= Windows 7/Windows Server 2008 R2
when: ansible_distribution_version is version('6.1', '>=')
- name: Add firewall rule with 'authenticate' secure flag
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
security: authenticate
register: add_firewall_rule_with_secure_flags
- name: Check that creating firewall rule with secure flag 'authenticate' succeeds with a change
assert:
that:
- add_firewall_rule_with_secure_flags.changed == true
# Works on windows >= Windows 8/Windows Server 2012
when: ansible_distribution_version is version('6.2', '>=')
- name: Add firewall rule with profiles in string format
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
profiles: 'domain,public'
register: add_firewall_rule_with_string_profiles
- name: Check that creating firewall rule with profiles in string format succeeds with a change
assert:
that:
- add_firewall_rule_with_string_profiles.changed == true
- name: Set firewall rule profile back to 'all'
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
profiles: [Domain, Public, Private]
register: add_firewall_rule_with_string_profiles
- name: Check that setting firewall rule profile back to 'all' succeeds with a change
assert:
that:
- add_firewall_rule_with_string_profiles.changed == true
- name: Add firewall rule with profiles in list format
win_firewall_rule:
name: http
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
profiles: [Domain, Private]
register: add_firewall_rule_with_list_profiles
- name: Check that creating firewall rule with profiles in list format succeeds with a change
assert:
that:
- add_firewall_rule_with_list_profiles.changed == true
# Test for variable expansion in the path
- name: Add rule with path that needs to be expanded
win_firewall_rule:
name: VarExpansionTest
enabled: yes
state: present
action: allow
direction: in
protocol: tcp
program: '%SystemRoot%\system32\svchost.exe'
- name: Add same rule with path that needs to be expanded
win_firewall_rule:
name: VarExpansionTest
enabled: yes
state: present
action: allow
direction: in
protocol: tcp
program: '%SystemRoot%\system32\svchost.exe'
register: add_firewall_rule_with_var_expand_path
- name: Check that creating same firewall rule with expanded vars identified
assert:
that:
- add_firewall_rule_with_var_expand_path.changed == false
- name: Add firewall rule for application group
win_firewall_rule:
name: Rule for application group
enabled: yes
state: present
localport: 80
action: allow
direction: in
protocol: tcp
group: application
register: add_firewall_rule_with_group
- name: Check that creating firewall rule for application group succeeds with a change
assert:
that:
- add_firewall_rule_with_group.changed == true
# Test icmptypecode
- name: Add rule with icmptypecode
win_firewall_rule:
name: icmptest
enabled: yes
state: present
action: allow
direction: in
protocol: icmpv4
icmp_type_code: '8:*'
register: add_firewall_rule_with_icmptypecode
- name: Check that creating same firewall rule with expanded vars identified
assert:
that:
- add_firewall_rule_with_icmptypecode.changed == true