author | Jordan Borean <jborean93@gmail.com> | 2017-11-04 00:14:48 +0100 |
---|---|---|
committer | Matt Davis <nitzmahone@users.noreply.github.com> | 2017-11-04 00:14:48 +0100 |
commit | 15b492ca57e6d3b4ddf931fb7bd8d765734ce33d (patch) | |
tree | ca243a3bbb8b6d99fc775d487d0d7d83c62bf448 /test/integration/targets/win_become/tasks | |
parent | Use region derived from get_aws_connection_info() in dynamodb_table to fix ta... (diff) | |
win_become: get admin token and fix async (#32485)
* win_become: make it easier to become with an admin token
* Fixed up pep8 whitespace
* fix for Server 2008
* Added support for async and become on newer hosts and fix warnings
Diffstat (limited to 'test/integration/targets/win_become/tasks')
-rw-r--r-- | test/integration/targets/win_become/tasks/main.yml | 102 |
1 files changed, 93 insertions, 9 deletions
diff --git a/test/integration/targets/win_become/tasks/main.yml b/test/integration/targets/win_become/tasks/main.yml index c31bda92af..9d046c44e8 100644 --- a/test/integration/targets/win_become/tasks/main.yml +++ b/test/integration/targets/win_become/tasks/main.yml @@ -1,5 +1,6 @@ - set_fact: become_test_username: ansible_become_test + become_test_admin_username: ansible_become_admin gen_pw: password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }} - name: create unprivileged user @@ -9,16 +10,19 @@ update_password: always groups: Users +- name: create a privileged user + win_user: + name: "{{ become_test_admin_username }}" + password: "{{ gen_pw }}" + update_password: always + groups: Administrators + - name: execute tests and ensure that test user is deleted regardless of success/failure block: - name: ensure current user is not the become user win_shell: whoami register: whoami_out - - - name: verify output - assert: - that: - - not whoami_out.stdout_lines[0].endswith(become_test_username) + failed_when: whoami_out.stdout_lines[0].endswith(become_test_username) or whoami_out.stdout_lines[0].endswith(become_test_admin_username) - name: get become user profile dir so we can clean it up later vars: &become_vars @@ -34,7 +38,21 @@ that: - become_test_username in profile_dir_out.stdout_lines[0] - - name: test become runas via task vars + - name: get become admin user profile dir so we can clean it up later + vars: &admin_become_vars + ansible_become_user: "{{ become_test_admin_username }}" + ansible_become_password: "{{ gen_pw }}" + ansible_become_method: runas + ansible_become: yes + win_shell: $env:USERPROFILE + register: admin_profile_dir_out + + - name: ensure profile dir contains admin test username + assert: + that: + - become_test_admin_username in admin_profile_dir_out.stdout_lines[0] + + - name: test become runas via task vars (underprivileged user) vars: *become_vars win_shell: whoami register: whoami_out 
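Review bot: The new `create a privileged user` task sits before the `block:`, so the `always:` cleanup does not cover a failure at this point; if it or the unprivileged-user task before it fails part-way, an account can be left on the test host, and one of them is now a member of `Administrators`. Moving both `win_user` creation tasks to the start of the block would let the existing `state: absent` tasks run on any failure. The admin account also reuses `gen_pw`; giving it its own `lookup('password', ...)` value would avoid two accounts of different privilege sharing one password.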
@@ -44,6 +62,36 @@ that: - whoami_out.stdout_lines[0].endswith(become_test_username) + - name: test become runas to ensure underprivileged user has medium integrity level + vars: *become_vars + win_shell: whoami /groups + register: whoami_out + + - name: verify output + assert: + that: + - '"Mandatory Label\Medium Mandatory Level" in whoami_out.stdout' + + - name: test become runas via task vars (privileged user) + vars: *admin_become_vars + win_shell: whoami + register: whoami_out + + - name: verify output + assert: + that: + - whoami_out.stdout_lines[0].endswith(become_test_admin_username) + + - name: test become runas to ensure privileged user has high integrity level + vars: *admin_become_vars + win_shell: whoami /groups + register: whoami_out + + - name: verify output + assert: + that: + - '"Mandatory Label\High Mandatory Level" in whoami_out.stdout' + - name: test become runas via task keywords vars: ansible_become_password: "{{ gen_pw }}" @@ -51,7 +99,6 @@ become_method: runas become_user: "{{ become_test_username }}" win_shell: whoami - register: whoami_out - name: verify output 
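Review bot: The two integrity-level assertions match the display names printed by `whoami /groups` (`Mandatory Label\Medium Mandatory Level` and `Mandatory Label\High Mandatory Level`), which are localized text and will most likely not match on a non-English Windows host. Matching the well-known integrity SIDs in the same output is locale-independent: `- '"S-1-16-8192" in whoami_out.stdout'` for medium and `- '"S-1-16-12288" in whoami_out.stdout'` for high. That also removes the bare backslash from the Jinja string literal, which appears to work only because `\M` and `\H` are not recognised escape sequences. A one-line comment above the high-integrity test, stating that it checks the privileged become user receives an elevated token (presumably the point of the commit), would help the next reader.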
@@ -111,17 +158,54 @@ that: - whoami_out.stdout_lines[0] == "nt authority\\local service" + # Test out Async on Windows Server 2012+ + - name: get OS version + win_shell: if ([System.Environment]::OSVersion.Version -ge [Version]"6.2") { $true } else { $false } + register: os_version + + - name: test become + async on older hosts + vars: *become_vars + win_command: whoami + async: 10 + register: whoami_out + ignore_errors: yes + + - name: verify older hosts failed with become + async + assert: + that: + - whoami_out|failed + when: os_version.stdout_lines[0] == "False" + + - name: verify newer hosts worked with become + async + assert: + that: + - whoami_out|success + when: os_version.stdout_lines[0] == "True" + # FUTURE: test raw + script become behavior once they're running under the exec wrapper again # FUTURE: add standalone playbook tests to include password prompting and play become keywords always: - - name: ensure test user is deleted + - name: ensure underprivileged test user is deleted win_user: name: "{{ become_test_username }}" state: absent - - name: ensure test user profile is deleted + + - name: ensure privileged test user is deleted + win_user: + name: "{{ become_test_admin_username }}" + state: absent + + - name: ensure underprivileged test user profile is deleted # NB: have to work around powershell limitation of long filenames until win_file fixes it win_shell: rmdir /S /Q {{ profile_dir_out.stdout_lines[0] }} args: executable: cmd.exe when: become_test_username in profile_dir_out.stdout_lines[0] + + - name: ensure privileged test user profile is deleted + # NB: have to work around powershell limitation of long filenames until win_file fixes it + win_shell: rmdir /S /Q {{ admin_profile_dir_out.stdout_lines[0] }} + args: + executable: cmd.exe + when: become_test_admin_username in admin_profile_dir_out.stdout_lines[0] |
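Review bot: The `verify newer hosts worked with become + async` assertion checks only `whoami_out|success`, so it would still pass if the async job ran as the connection user instead of the become user. Assuming the async result carries the command's stdout, adding `- whoami_out.stdout_lines[0].endswith(become_test_username)` to that `that:` list pins the identity the same way the synchronous tests do. In the `always:` section, the new profile cleanup reads `admin_profile_dir_out.stdout_lines[0]` in its `when:`; if the block fails before that variable is registered, the condition will likely error on an undefined variable, so `when: admin_profile_dir_out is defined and become_test_admin_username in admin_profile_dir_out.stdout_lines[0]` is safer. The path interpolated into `rmdir /S /Q` should also be wrapped in double quotes, since it is command output passed to `cmd.exe`.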