ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-07-27 15:11:23 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

Fix SID Lookup Issues on Assorted Windows Modules (#28979)

Browse source 
* fix sid lookup issues and update copyright/license to latest format

* simplify win_owner and win_share by removing unnecessary function
This commit is contained in:
Andrew Saraceni 2017-09-10 17:34:51 -04:00 committed by Jordan Borean
commit 8f050d3719
7 changed files with 52 additions and 332 deletions
Download patch file Download diff file Expand all files Collapse all files

137
lib/ansible/modules/windows/win_acl.ps1
View file

@ -1,113 +1,43 @@
#!powershell #!powershell
# This file is part of Ansible
#
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com> # Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
# Copyright 2015, Trond Hindenes # Copyright 2015, Trond Hindenes
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de> # Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
# # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by #Requires -Module Ansible.ModuleUtils.Legacy.psm1
# the Free Software Foundation, either version 3 of the License, or #Requires -Module Ansible.ModuleUtils.SID.psm1
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# WANT_JSON
# POWERSHELL_COMMON
# win_acl module (File/Resources Permission Additions/Removal) # win_acl module (File/Resources Permission Additions/Removal)
#Functions #Functions
Function UserSearch function Get-UserSID {
{ param(
Param ([string]$accountName) [String]$AccountName
#Check if there's a realm specified )
$searchDomain = $false $userSID = $null
$searchDomainUPN = $false $searchAppPools = $false
$SearchAppPools = $false
if ($accountName.Split("\").count -gt 1)
{
if ($accountName.Split("\")[0] -eq $env:COMPUTERNAME)
{
} if ($AccountName.Split("\").Count -gt 1) {
elseif ($accountName.Split("\")[0] -eq "IIS APPPOOL") if ($AccountName.Split("\")[0] -eq "IIS APPPOOL") {
{ $searchAppPools = $true
$SearchAppPools = $true $AccountName = $AccountName.Split("\")[1]
$accountName = $accountName.split("\")[1]
}
else
{
$searchDomain = $true
$accountName = $accountName.split("\")[1]
} }
} }
Elseif ($accountName.contains("@"))
{
$searchDomain = $true
$searchDomainUPN = $true
}
Else
{
#Default to local user account
$accountName = $env:COMPUTERNAME + "\" + $accountName
}
if (($searchDomain -eq $false) -and ($SearchAppPools -eq $false)) if ($searchAppPools) {
{ Import-Module -Name WebAdministration
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too $testIISPath = Test-Path -Path "IIS:"
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName} if ($testIISPath) {
if ($localaccount) $appPoolObj = Get-ItemProperty -Path "IIS:\AppPools\$AccountName"
{ $userSID = $appPoolObj.applicationPoolSid
return $localaccount.SID
} }
} }
Elseif ($SearchAppPools -eq $true) else {
{ $userSID = Convert-ToSID -account_name $AccountName
Import-Module WebAdministration
$testiispath = Test-path "IIS:"
if ($testiispath -eq $false)
{
return $null
}
else
{
$apppoolobj = Get-ItemProperty IIS:\AppPools\$accountName
return $apppoolobj.applicationPoolSid
}
} }
Else
{
#Search by samaccountname
$Searcher = [adsisearcher]""
If ($searchDomainUPN -eq $false) { return $userSID
$Searcher.Filter = "sAMAccountName=$($accountName)"
}
Else {
$Searcher.Filter = "userPrincipalName=$($accountName)"
}
$result = $Searcher.FindOne()
if ($result)
{
$user = $result.GetDirectoryEntry()
# get binary SID from AD account
$binarySID = $user.ObjectSid.Value
# convert to string SID
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
}
}
} }
# Need to adjust token privs when executing Set-ACL in certain cases. # Need to adjust token privs when executing Set-ACL in certain cases.
@ -234,9 +164,8 @@ If (-Not (Test-Path -Path $path)) {
} }
# Test that the user/group is resolvable on the local machine # Test that the user/group is resolvable on the local machine
$sid = UserSearch -AccountName ($user) $sid = Get-UserSID -AccountName $user
if (!$sid) if (!$sid) {
{
Fail-Json $result "$user is not a valid user or group on the host machine or domain" Fail-Json $result "$user is not a valid user or group on the host machine or domain"
} }
@ -260,14 +189,14 @@ Try {
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$inherit $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$inherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]$propagation $PropagationFlag = [System.Security.AccessControl.PropagationFlags]$propagation
If ($type -eq "allow") { If ($type -eq "allow") {
$objType =[System.Security.AccessControl.AccessControlType]::Allow $objType =[System.Security.AccessControl.AccessControlType]::Allow
} }
Else { Else {
$objType =[System.Security.AccessControl.AccessControlType]::Deny $objType =[System.Security.AccessControl.AccessControlType]::Deny
} }
$objUser = New-Object System.Security.Principal.SecurityIdentifier($sid) $objUser = New-Object System.Security.Principal.SecurityIdentifier($sid)
If ($path -match "^HK(CC|CR|CU|LM|U):\\") { If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
$objACE = New-Object System.Security.AccessControl.RegistryAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) $objACE = New-Object System.Security.AccessControl.RegistryAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
@ -276,7 +205,7 @@ Try {
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
} }
$objACL = Get-ACL $path $objACL = Get-ACL $path
# Check if the ACE exists already in the objects ACL list # Check if the ACE exists already in the objects ACL list
$match = $false $match = $false
@ -300,7 +229,7 @@ Try {
Break Break
} }
} else { } else {
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
$match = $true $match = $true
Break Break
} }
@ -335,11 +264,11 @@ Try {
# A rule didn't exist that was trying to be removed # A rule didn't exist that was trying to be removed
Else { Else {
Exit-Json $result "the specified rule does not exist" Exit-Json $result "the specified rule does not exist"
} }
} }
} }
Catch { Catch {
Fail-Json $result "an error occurred when attempting to $state $rights permission(s) on $path for $user - $($_.Exception.Message)" Fail-Json $result "an error occurred when attempting to $state $rights permission(s) on $path for $user - $($_.Exception.Message)"
} }
Exit-Json $result Exit-Json $result

21
lib/ansible/modules/windows/win_acl.py
View file

@ -1,27 +1,8 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com> # Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
# Copyright 2015, Trond Hindenes # Copyright 2015, Trond Hindenes
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de> # Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
# # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# this is a windows documentation stub. actual code lives in the .ps1
# file of the same name
ANSIBLE_METADATA = {'metadata_version': '1.1', ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'], 'status': ['preview'],

87
lib/ansible/modules/windows/win_owner.ps1
View file

@ -1,85 +1,9 @@
#!powershell #!powershell
# This file is part of Ansible
#
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de> # Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
# # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# WANT_JSON #Requires -Module Ansible.ModuleUtils.Legacy.psm1
# POWERSHELL_COMMON #Requires -Module Ansible.ModuleUtils.SID.psm1
#Functions
Function UserSearch
{
Param ([string]$accountName)
#Check if there's a realm specified
$searchDomain = $false
$searchDomainUPN = $false
if ($accountName.Split("\").count -gt 1)
{
if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME)
{
$searchDomain = $true
$accountName = $accountName.split("\")[1]
}
}
Elseif ($accountName.contains("@"))
{
$searchDomain = $true
$searchDomainUPN = $true
}
Else
{
#Default to local user account
$accountName = $env:COMPUTERNAME + "\" + $accountName
}
if ($searchDomain -eq $false)
{
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
if ($localaccount)
{
return $localaccount.SID
}
}
Else
{
#Search by samaccountname
$Searcher = [adsisearcher]""
If ($searchDomainUPN -eq $false) {
$Searcher.Filter = "sAMAccountName=$($accountName)"
}
Else {
$Searcher.Filter = "userPrincipalName=$($accountName)"
}
$result = $Searcher.FindOne()
if ($result)
{
$user = $result.GetDirectoryEntry()
# get binary SID from AD account
$binarySID = $user.ObjectSid.Value
# convert to string SID
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
}
}
}
$result = @{ $result = @{
changed = $false changed = $false
@ -97,9 +21,8 @@ If (-Not (Test-Path -Path $path)) {
} }
# Test that the user/group is resolvable on the local machine # Test that the user/group is resolvable on the local machine
$sid = UserSearch -AccountName ($user) $sid = Convert-ToSID -account_name $user
if (-not $sid) if (!$sid) {
{
Fail-Json $result "$user is not a valid user or group on the host machine or domain" Fail-Json $result "$user is not a valid user or group on the host machine or domain"
} }

21
lib/ansible/modules/windows/win_owner.py
View file

@ -1,25 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de> # Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
# # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# this is a windows documentation stub. actual code lives in the .ps1
# file of the same name
ANSIBLE_METADATA = {'metadata_version': '1.1', ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'], 'status': ['preview'],

95
lib/ansible/modules/windows/win_share.ps1
View file

@ -1,87 +1,12 @@
#!powershell #!powershell
# This file is part of Ansible
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de> # Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
# # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# WANT_JSON #Requires -Module Ansible.ModuleUtils.Legacy.psm1
# POWERSHELL_COMMON #Requires -Module Ansible.ModuleUtils.SID.psm1
#Functions #Functions
Function UserSearch Function NormalizeAccounts {
{
Param ([string]$accountName)
#Check if there's a realm specified
$searchDomain = $false
$searchDomainUPN = $false
if ($accountName.Split("\").count -gt 1)
{
if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME)
{
$searchDomain = $true
$accountName = $accountName.split("\")[1]
}
}
Elseif ($accountName.contains("@"))
{
$searchDomain = $true
$searchDomainUPN = $true
}
Else
{
#Default to local user account
$accountName = $env:COMPUTERNAME + "\" + $accountName
}
if ($searchDomain -eq $false)
{
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
if ($localaccount)
{
return $localaccount.SID
}
}
Else
{
#Search by samaccountname
$Searcher = [adsisearcher]""
If ($searchDomainUPN -eq $false) {
$Searcher.Filter = "sAMAccountName=$($accountName)"
}
Else {
$Searcher.Filter = "userPrincipalName=$($accountName)"
}
$result = $Searcher.FindOne()
if ($result)
{
$user = $result.GetDirectoryEntry()
# get binary SID from AD account
$binarySID = $user.ObjectSid.Value
# convert to string SID
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
}
}
}
Function NormalizeAccounts
{
param( param(
[parameter(valuefrompipeline=$true)] [parameter(valuefrompipeline=$true)]
$users $users
@ -89,17 +14,17 @@ Function NormalizeAccounts
$users = $users.Trim() $users = $users.Trim()
If ($users -eq "") { If ($users -eq "") {
$splittedUsers = [Collections.Generic.List[String]] @() $splitUsers = [Collections.Generic.List[String]] @()
} }
Else { Else {
$splittedUsers = [Collections.Generic.List[String]] $users.Split(",") $splitUsers = [Collections.Generic.List[String]] $users.Split(",")
} }
$normalizedUsers = [Collections.Generic.List[String]] @() $normalizedUsers = [Collections.Generic.List[String]] @()
ForEach($splittedUser in $splittedUsers) { ForEach($splitUser in $splitUsers) {
$sid = UserSearch $splittedUser $sid = Convert-ToSID -account_name $splitUser
If (!$sid) { if (!$sid) {
Fail-Json $result "$splittedUser is not a valid user or group on the host machine or domain" Fail-Json $result "$splitUser is not a valid user or group on the host machine or domain"
} }
$normalizedUser = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]) $normalizedUser = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount])

21
lib/ansible/modules/windows/win_share.py
View file

@ -1,25 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de> # Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
# # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# this is a windows documentation stub. actual code lives in the .ps1
# file of the same name
ANSIBLE_METADATA = {'metadata_version': '1.1', ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'], 'status': ['preview'],

2
test/integration/targets/win_owner/tasks/main.yml
View file

@ -45,7 +45,7 @@
path: "{{test_win_owner_path}}" path: "{{test_win_owner_path}}"
user: invalid-user user: invalid-user
register: invalid_user register: invalid_user
failed_when: invalid_user.msg != 'invalid-user is not a valid user or group on the host machine or domain' failed_when: invalid_user.msg is not search("account_name invalid-user is not a valid account, cannot get SID.*")
- name: set owner defaults check - name: set owner defaults check
win_owner: win_owner: