[18807] win_firewall_rule module uses HNetCfg.FwPolicy2 COM Object (#27381)

* #18807 win_firewall_rule uses HNetCfg.FwPolicy2 COM object * Added missing tests * Added support for InterfaceTypes property * Added support for EdgeTraversalOptions property * Added SecureFlags property * Port ranges are not possible in W2K8 * Added windows version checks * Fixed doc: removed 'force' option and all notes * Fixed copirights and docs
2025-05-20 07:59:10 -07:00 · 2017-08-29 23:18:03 +03:00 · 2017-08-29 23:18:03 +03:00 · 06fadefbdc
commit 06fadefbdc
parent 38a5033b48
3 changed files with 414 additions and 522 deletions
--- a/test/integration/targets/win_firewall_rule/tasks/main.yml
+++ b/test/integration/targets/win_firewall_rule/tasks/main.yml
@ -2,11 +2,8 @@
  win_firewall_rule:
    name: http
    state: absent
-    action: "{{ item }}"
+    action: allow
    direction: in
-  with_items:
-     - allow
-     - block

 - name: Add firewall rule
  win_firewall_rule:
@ -82,7 +79,7 @@
    direction: in
    protocol: tcp

- name: Add different firewall rule
+- name: Change firewall rule
  win_firewall_rule:
    name: http
    enabled: yes
@ -91,31 +88,12 @@
    action: block
    direction: in
    protocol: tcp
-  ignore_errors: yes
-  register: add_different_firewall_rule_without_force
+  register: change_firewall_rule

- name: Check that creating different firewall rule without enabling force setting fails
+- name: Check that changing firewall rule succeeds
  assert:
    that:
-    - add_different_firewall_rule_without_force.failed == true
-    - add_different_firewall_rule_without_force.changed == false
-
- name: Add different firewall rule with force setting
-  win_firewall_rule:
-    name: http
-    enabled: yes
-    state: present
-    localport: 80
-    action: block
-    direction: in
-    protocol: tcp
-    force: yes
-  register: add_different_firewall_rule_with_force
-
- name: Check that creating different firewall rule with enabling force setting succeeds
-  assert:
-    that:
-    - add_different_firewall_rule_with_force.changed == true
+    - change_firewall_rule.changed == true

 - name: Add firewall rule when remoteip is range
  win_firewall_rule:
@ -127,7 +105,6 @@
    action: allow
    direction: in
    protocol: tcp
-    force: yes

 - name: Add same firewall rule when remoteip is range (again)
  win_firewall_rule:
@ -156,7 +133,6 @@
    action: allow
    direction: in
    protocol: tcp
-    force: yes

 - name: Add same firewall rule when remoteip in CIDR notation (again)
  win_firewall_rule:
@ -181,11 +157,10 @@
    enabled: yes
    state: present
    localport: 80
-    remoteip: 192.168.0.0/255.255.255.0
+    remoteip: 192.168.1.0/255.255.255.0
    action: allow
    direction: in
    protocol: tcp
-    force: yes

 - name: Add same firewall rule when remoteip contains a netmask (again)
  win_firewall_rule:
@ -193,7 +168,7 @@
    enabled: yes
    state: present
    localport: 80
-    remoteip: 192.168.0.0/255.255.255.0
+    remoteip: 192.168.1.0/255.255.255.0
    action: allow
    direction: in
    protocol: tcp
@ -214,7 +189,6 @@
    action: allow
    direction: in
    protocol: tcp
-    force: yes

 - name: Add same firewall rule when remoteip is IPv4 (again)
  win_firewall_rule:
@ -232,3 +206,122 @@
  assert:
    that:
    - add_firewall_rule_with_ipv4_remoteip_again.changed == false
+
+- name: Add firewall rule when remoteip contains a netmask
+  win_firewall_rule:
+    name: http
+    enabled: yes
+    state: present
+    localport: 80
+    remoteip: 192.168.2.0/255.255.255.0
+    action: allow
+    direction: in
+    protocol: tcp
+
+- name: Add same firewall rule when remoteip in CIDR notation
+  win_firewall_rule:
+    name: http
+    enabled: yes
+    state: present
+    localport: 80
+    remoteip: 192.168.2.0/24
+    action: allow
+    direction: in
+    protocol: tcp
+  register: add_same_firewall_rule_with_cidr_remoteip
+
+- name: Check that creating same firewall rule succeeds without a change when remoteip contains a netmask or CIDR
+  assert:
+    that:
+    - add_same_firewall_rule_with_cidr_remoteip.changed == false
+
+- name: Add firewall rule with multiple ports
+  win_firewall_rule:
+    name: http
+    enabled: yes
+    state: present
+    localport: '80,81'
+    action: allow
+    direction: in
+    protocol: tcp
+  register: add_firewall_rule_with_multiple_ports
+
+- name: Check that creating firewall rule with multiple ports succeeds with a change
+  assert:
+    that:
+    - add_firewall_rule_with_multiple_ports.changed == true
+
+- name: Add firewall rule with interface types
+  win_firewall_rule:
+    name: http
+    enabled: yes
+    state: present
+    localport: 80
+    action: allow
+    direction: in
+    protocol: tcp
+    interfacetypes: 'ras,lan,wireless'
+  register: add_firewall_rule_with_interface_types
+
+- name: Check that creating firewall rule with interface types succeeds with a change
+  assert:
+    that:
+    - add_firewall_rule_with_interface_types.changed == true
+
+- name: Add firewall rule with interface type 'any'
+  win_firewall_rule:
+    name: http
+    enabled: yes
+    state: present
+    localport: 80
+    action: allow
+    direction: in
+    protocol: tcp
+    interfacetypes: any
+  register: add_firewall_rule_with_interface_type_any
+
+- name: Check that creating firewall rule with interface type 'any' succeeds with a change
+  assert:
+    that:
+    - add_firewall_rule_with_interface_type_any.changed == true
+
+- name: Add firewall rule with edge traversal option 'deferapp'
+  win_firewall_rule:
+    name: http
+    enabled: yes
+    state: present
+    localport: 80
+    action: allow
+    direction: in
+    protocol: tcp
+    edge: deferapp
+  register: add_firewall_rule_with_edge_traversal
+
+# Setup action creates ansible_distribution_version variable
+- action: setup
+
+- name: Check that creating firewall rule with enge traversal option 'deferapp' succeeds with a change
+  assert:
+    that:
+    - add_firewall_rule_with_edge_traversal.changed == true
+  # Works on windows >= Windows 7/Windows Server 2008 R2
+  when: ansible_distribution_version | version_compare('6.1', '>=')
+
+- name: Add firewall rule with 'authenticate' secure flag
+  win_firewall_rule:
+    name: http
+    enabled: yes
+    state: present
+    localport: 80
+    action: allow
+    direction: in
+    protocol: tcp
+    security: authenticate
+  register: add_firewall_rule_with_secure_flags
+
+- name: Check that creating firewall rule with secure flag 'authenticate' succeeds with a change
+  assert:
+    that:
+    - add_firewall_rule_with_secure_flags.changed == true
+  # Works on windows >= Windows 8/Windows Server 2012
+  when: ansible_distribution_version | version_compare('6.2', '>=')