path: root/test/integration/targets/win_become/tasks/main.yml
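# Facts shared by every task in this file: the name of the throwaway local
# account and the password it is created with. set_fact evaluates the lookup
# once, so every later reference to gen_pw resolves to the same value.
- set_fact:
    become_test_username: ansible_become_test
    # Fixed prefix plus 8 random letters/digits. Pointing the password lookup
    # at /dev/null means the generated value is not written to a file.
    # The concatenation is done inside the Jinja expression; as a bare scalar
    # the ' + ' was literal text and ended up inside the password.
    # NOTE(review): the prefix presumably exists to satisfy the Windows
    # password complexity policy - confirm before changing it.
    gen_pw: "{{ 'password123!' + lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}"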

# Create (or reset) the local account the runas tests become. It is a member
# of the Users group only, and update_password: always forces the freshly
# generated password onto the account even if it survives from an earlier run.
- name: create unprivileged user
  win_user:
    name: "{{ become_test_username }}"
    groups: Users
    password: "{{ gen_pw }}"
    update_password: always

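# All become tests run inside one block so that the always section removes the
# test account and its profile directory whether the tests pass or fail.
- name: execute tests and ensure that test user is deleted regardless of success/failure
  block:
  # Baseline: without become, the connection user must not be the test account.
  - name: ensure current user is not the become user
    win_shell: whoami
    register: whoami_out

  - name: verify output
    assert:
      that:
      - not whoami_out.stdout_lines[0].endswith(become_test_username)

  # The &become_vars anchor defines the runas settings once; later tasks reuse
  # them through the *become_vars alias.
  - name: get become user profile dir so we can clean it up later
    vars: &become_vars
      ansible_become_user: "{{ become_test_username }}"
      ansible_become_password: "{{ gen_pw }}"
      ansible_become_method: runas
      ansible_become: true
    win_shell: $env:USERPROFILE
    register: profile_dir_out

  # Safety check: the recorded path is later passed to a recursive delete, so
  # it must belong to the test account and not to the connection user.
  - name: ensure profile dir contains test username (eg, if become fails silently, prevent deletion of real user profile)
    assert:
      that:
      - become_test_username in profile_dir_out.stdout_lines[0]

  - name: test become runas via task vars
    vars: *become_vars
    win_shell: whoami
    register: whoami_out

  - name: verify output
    assert:
      that:
      - whoami_out.stdout_lines[0].endswith(become_test_username)

  # Same check, but become is requested with task keywords; only the password
  # is still supplied as a variable.
  - name: test become runas via task keywords
    vars:
      ansible_become_password: "{{ gen_pw }}"
    become: true
    become_method: runas
    become_user: "{{ become_test_username }}"
    win_shell: whoami
    register: whoami_out

  - name: verify output
    assert:
      that:
      - whoami_out.stdout_lines[0].endswith(become_test_username)

  # The become vars are set on the block here, not on the individual tasks.
  - name: test become via block vars
    vars: *become_vars
    block:
    - name: ask who the current user is
      win_shell: whoami
      register: whoami_out

    - name: verify output
      assert:
        that:
        - whoami_out.stdout_lines[0].endswith(become_test_username)

  # Regression test for the linked issue; the task only has to complete.
  - name: test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468)
    vars: *become_vars
    setup:

  # The three built-in service accounts below are tested without supplying a
  # become password; each check compares the exact whoami output.
  - name: test become with SYSTEM account
    win_command: whoami
    become: true
    become_method: runas
    become_user: SYSTEM
    register: whoami_out

  - name: verify output
    assert:
      that:
      - whoami_out.stdout_lines[0] == "nt authority\\system"

  - name: test become with NetworkService account
    win_command: whoami
    become: true
    become_method: runas
    become_user: NetworkService
    register: whoami_out

  - name: verify output
    assert:
      that:
      - whoami_out.stdout_lines[0] == "nt authority\\network service"

  - name: test become with LocalService account
    win_command: whoami
    become: true
    become_method: runas
    become_user: LocalService
    register: whoami_out

  - name: verify output
    assert:
      that:
      - whoami_out.stdout_lines[0] == "nt authority\\local service"

  # FUTURE: test raw + script become behavior once they're running under the exec wrapper again
  # FUTURE: add standalone playbook tests to include password prompting and play become keywords

  always:
  - name: ensure test user is deleted
    win_user:
      name: "{{ become_test_username }}"
      state: absent

  - name: ensure test user profile is deleted
    # NB: have to work around powershell limitation of long filenames until win_file fixes it
    # The path is quoted so that it reaches rmdir as a single argument.
    win_shell: rmdir /S /Q "{{ profile_dir_out.stdout_lines[0] }}"
    args:
      executable: cmd.exe
    # Conditions are checked in order. The first two skip this task cleanly
    # when the block failed before the profile path was recorded; without
    # them the cleanup itself errors on the missing value. The last one
    # refuses to delete any directory that does not carry the test account
    # name.
    when:
    - profile_dir_out is defined
    - 'profile_dir_out.stdout_lines | default([]) | length > 0'
    - become_test_username in profile_dir_out.stdout_lines[0]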