path: root/test/integration/targets/win_reboot/tasks/main.yml
blob: c827e6bfc3510a59397af4073543a036d805466f (plain)
---
# Integration tests for win_reboot: a plain reboot, a reboot while another
# shutdown is already pending, and a reboot whose test_command itself
# triggers a second reboot.
- name: make sure win output dir exists
  win_file:
    path: '{{ win_output_dir }}'
    state: directory

- name: reboot with defaults
  win_reboot:

# Queue a reboot 599s (~10 min) out so the following win_reboot has to deal
# with a shutdown that is already scheduled on the host.
- name: schedule a reboot for sometime in the future
  win_command: shutdown.exe /r /t 599

- name: reboot with a shutdown already scheduled
  win_reboot:

# test a reboot that reboots again during the test_command phase; the marker
# file is presumably consumed by post_reboot.ps1 (template not shown here)
- name: create test file
  win_file:
    path: '{{ win_output_dir }}\win_reboot_test'
    state: touch

# The template is rendered, UTF-16LE encoded and base64'd so it can be passed
# to powershell.exe as a single -EncodedCommand argument.
- name: reboot with secondary reboot stage
  win_reboot:
    test_command: "powershell.exe -NoProfile -EncodedCommand {{ lookup('template', 'post_reboot.ps1') | b64encode(encoding='utf-16-le') }}"

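# try and reboot the host with a non admin user, we expect an error here.
# This needs a throw-away local user that is allowed to connect over WinRM,
# which means widening the WinRM root SDDL. The user creation and the SDDL
# change run inside the block so the `always` section restores the SDDL and
# removes the user even if a setup step fails part-way; otherwise a stray
# account with WinRM access could be left behind on the test host.
- name: create password fact
  set_fact:
    standard_user: ansible_user_test
    # throw-away credential; the 'password' lookup targets /dev/null so the
    # random suffix is never persisted on the controller
    standard_pass: "password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}"

# captured before the block so the always section can restore it
- name: get original SDDL for WinRM listener
  win_shell: (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
  register: original_sddl

- block:
  - name: create standard user
    win_user:
      name: '{{ standard_user }}'
      password: '{{ standard_pass }}'
      update_password: always
      groups: Users
      state: present
    register: user_res

  # Grant the user GENERIC_READ | GENERIC_EXECUTE (0x80000000 | 0x20000000)
  # on the WinRM root so it can open a remote shell. The account is only in
  # Users, so it lacks the shutdown privilege and win_reboot is expected to
  # fail with access denied.
  - name: add standard user to WinRM listener
    win_shell: |
      $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList "{{ user_res.sid }}"
      $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, "{{ original_sddl.stdout_lines[0] }}"
      $sd.DiscretionaryAcl.AddAccess(
          [System.Security.AccessControl.AccessControlType]::Allow,
          $sid,
          (0x80000000 -bor 0x20000000),
          [System.Security.AccessControl.InheritanceFlags]::None,
          [System.Security.AccessControl.PropagationFlags]::None
      )
      $new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
      Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force

  - name: fail to reboot with non admin user
    win_reboot:
    vars:
      ansible_user: '{{ standard_user }}'
      ansible_password: '{{ standard_pass }}'
      ansible_winrm_transport: ntlm
    register: fail_shutdown
    # the module must fail with exactly the access-denied message; a missing
    # msg (the reboot unexpectedly succeeded as a non-admin) or any other
    # error text fails the test with a clear comparison instead of an
    # undefined-variable error
    failed_when: "fail_shutdown.msg | default('') != 'Shutdown command failed, error was:  Access is denied.(5)'"

  always:
  # undo the ACL widening first so the account never outlives its access
  - name: set the original SDDL to the WinRM listener
    win_shell: Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value "{{ original_sddl.stdout_lines[0] }}" -Force

  - name: remove standard user
    win_user:
      name: '{{ standard_user }}'
      state: absent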