author | Jordan Borean <jborean93@gmail.com> | 2018-12-13 11:15:25 +1000 |
---|---|---|
committer | Matt Davis <nitzmahone@users.noreply.github.com> | 2018-12-12 17:15:25 -0800 |
commit | 190d1ed7f1cd6be4746e937906d571f0abe4a53d (patch) | |
tree | d2acc57e18c58c769cf04676223da582886ba166 /test/integration/targets/win_become | |
parent | b3ac5b637a4ff6259c82b659517ab04f5c0b2f11 (diff) | |
download | ansible-190d1ed7f1cd6be4746e937906d571f0abe4a53d.tar.gz |
win become: refactor and add support for passwordless become (#48082)
* win become: refactor and add support for passwordless become
* make tests more stable
* fix up dep message for Load-CommandUtils
* Add further check for System impersonation token
* re-add support for become with accounts that have no password
* doc fixes and slight code improvements
* fix doc sanity issue
Diffstat (limited to 'test/integration/targets/win_become')
-rw-r--r-- | test/integration/targets/win_become/tasks/main.yml | 131 |
1 files changed, 2 insertions, 129 deletions
diff --git a/test/integration/targets/win_become/tasks/main.yml b/test/integration/targets/win_become/tasks/main.yml index 9033e6af14..7f1b6bc204 100644 --- a/test/integration/targets/win_become/tasks/main.yml +++ b/test/integration/targets/win_become/tasks/main.yml @@ -143,57 +143,6 @@ - '"LogonUser failed" not in become_invalid_pass.msg' - '"Win32ErrorCode 1326)" not in become_invalid_pass.msg' - - name: test become with SYSTEM account - win_whoami: - become: yes - become_method: runas - become_user: SYSTEM - register: whoami_out - - - name: verify output - assert: - that: - - whoami_out.account.sid == "S-1-5-18" - - whoami_out.account.account_name == "SYSTEM" - - whoami_out.account.domain_name == "NT AUTHORITY" - - whoami_out.label.account_name == 'System Mandatory Level' - - whoami_out.label.sid == 'S-1-16-16384' - - whoami_out.logon_type == 'System' - - - name: test become with NetworkService account - win_whoami: - become: yes - become_method: runas - become_user: NetworkService - register: whoami_out - - - name: verify output - assert: - that: - - whoami_out.account.sid == "S-1-5-20" - - whoami_out.account.account_name == "NETWORK SERVICE" - - whoami_out.account.domain_name == "NT AUTHORITY" - - whoami_out.label.account_name == 'System Mandatory Level' - - whoami_out.label.sid == 'S-1-16-16384' - - whoami_out.logon_type == 'Service' - - - name: test become with LocalService account - win_whoami: - become: yes - become_method: runas - become_user: LocalService - register: whoami_out - - - name: verify output - assert: - that: - - whoami_out.account.sid == "S-1-5-19" - - whoami_out.account.account_name == "LOCAL SERVICE" - - whoami_out.account.domain_name == "NT AUTHORITY" - - whoami_out.label.account_name == 'System Mandatory Level' - - whoami_out.label.sid == 'S-1-16-16384' - - whoami_out.logon_type == 'Service' - - name: test become + async vars: *become_vars win_command: whoami 
@@ -228,82 +177,6 @@ register: failed_flags_invalid_flag failed_when: "failed_flags_invalid_flag.msg != \"internal error: failed to parse become_flags 'logon_flags=with_profile,invalid': become_flags logon_flags value 'invalid' is not valid, valid values are: with_profile, netcredentials_only\"" - # Server 2008 doesn't work with network and network_cleartext, there isn't really a reason why you would want this anyway - - name: check if we are running on a dinosaur, neanderthal or an OS of the modern age - win_shell: | - $version = [System.Environment]::OSVersion.Version - if ($version -lt [Version]"6.1") { - "dinosaur" - } elseif ($version -lt [Version]"6.2") { - "neanderthal" - } else { - "False" - } - register: os_version - - - name: become different types - vars: *become_vars - win_whoami: - become_flags: logon_type={{item.type}} - register: become_logon_type - when: not ((item.type == 'network' or item.type == 'network_cleartext') and os_version.stdout_lines[0] == "dinosaur") - failed_when: become_logon_type.logon_type != item.actual and become_logon_type.sid != user_limited_result.sid - with_items: - - type: interactive - actual: Interactive - - type: batch - actual: Batch - - type: network - actual: Network - - type: network_cleartext - actual: NetworkCleartext - - - name: become netcredentials with network user - vars: - ansible_become_user: fakeuser - ansible_become_password: fakepassword - ansible_become_method: runas - ansible_become: True - ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only - win_whoami: - register: become_netcredentials - - - name: assert become netcredentials with network user - assert: - that: - # new_credentials still come up as the ansible_user so we can't test that - - become_netcredentials.label.account_name == 'High Mandatory Level' - - become_netcredentials.label.sid == 'S-1-16-12288' - - - name: become logon_flags bitwise tests when loading the profile - # Error code of 2 means no file found == no 
profile loaded - win_shell: | - Add-Type -Name "Native" -Namespace "Ansible" -MemberDefinition '[DllImport("Userenv.dll", SetLastError=true)]public static extern bool GetProfileType(out UInt32 pdwFlags);' - $profile_type = $null - $res = [Ansible.Native]::GetProfileType([ref]$profile_type) - if (-not $res) { - $last_err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() - if ($last_err -eq 2) { - return $false - } else { - throw [System.ComponentModel.Win32Exception]$last_err - } - } else { - return $true - } - vars: *admin_become_vars - become_flags: logon_flags={{item.flags}} - register: become_logon_flags - failed_when: become_logon_flags.stdout_lines[0]|bool != item.actual - when: os_version.stdout_lines[0] not in ["dinosaur", "neanderthal"] # usual suspect 2008 doesn't support the no profile flags - with_items: - - flags: - actual: False - - flags: netcredentials_only - actual: False - - flags: with_profile,netcredentials_only - actual: True - - name: echo some non ascii characters win_command: cmd.exe /c echo über den Fußgängerübergang gehen vars: *become_vars @@ -348,7 +221,7 @@ win_user: name: "{{ become_test_username }}" state: absent - + - name: ensure privileged test user is deleted win_user: name: "{{ become_test_admin_username }}" @@ -360,7 +233,7 @@ args: executable: cmd.exe when: become_test_username in profile_dir_out.stdout_lines[0] - + - name: ensure privileged test user profile is deleted # NB: have to work around powershell limitation of long filenames until win_file fixes it win_shell: rmdir /S /Q {{ admin_profile_dir_out.stdout_lines[0] }} |