win_become: another option to support become flags for runas (#34551)

* win_become: another option to support become flags for runas * removed uneeded entries * fixed up whitespace issue * Copy edit
2025-10-23 20:44:00 -07:00 · 2018-01-20 07:58:10 +10:00 · 2018-01-20 07:58:10 +10:00 · d0e6889f93
commit d0e6889f93
parent 1c22d82c5e
5 changed files with 318 additions and 69 deletions
--- a/test/integration/targets/win_become/tasks/main.yml
+++ b/test/integration/targets/win_become/tasks/main.yml
@ -9,6 +9,7 @@
    password: "{{ gen_pw }}"
    update_password: always
    groups: Users
+  register: user_limited_result

 - name: create a privileged user
  win_user:
@ -16,13 +17,24 @@
    password: "{{ gen_pw }}"
    update_password: always
    groups: Administrators
+  register: user_admin_result
+
+- name: add requisite logon rights for test user
+  win_user_right:
+    name: '{{item}}'
+    users: '{{become_test_username}}'
+    action: add
+  with_items:
+  - SeNetworkLogonRight
+  - SeInteractiveLogonRight
+  - SeBatchLogonRight

 - name: execute tests and ensure that test user is deleted regardless of success/failure
  block:
  - name: ensure current user is not the become user
-    win_shell: whoami
+    win_whoami:
    register: whoami_out
-    failed_when: whoami_out.stdout_lines[0].endswith(become_test_username) or whoami_out.stdout_lines[0].endswith(become_test_admin_username)
+    failed_when: whoami_out.account.sid == user_limited_result.sid or whoami_out.account.sid == user_admin_result.sid

  - name: get become user profile dir so we can clean it up later
    vars: &become_vars
@ -54,43 +66,31 @@

  - name: test become runas via task vars (underprivileged user)
    vars: *become_vars
-    win_shell: whoami
+    win_whoami:
    register: whoami_out

  - name: verify output
    assert:
      that:
-      - whoami_out.stdout_lines[0].endswith(become_test_username)
-
-  - name: test become runas to ensure underprivileged user has medium integrity level
-    vars: *become_vars
-    win_shell: whoami /groups
-    register: whoami_out
-  
-  - name: verify output
-    assert:
-      that:
-      - '"Mandatory Label\Medium Mandatory Level" in whoami_out.stdout'
+      - whoami_out.account.sid == user_limited_result.sid
+      - whoami_out.account.account_name == become_test_username
+      - whoami_out.label.account_name == 'Medium Mandatory Level'
+      - whoami_out.label.sid == 'S-1-16-8192'
+      - whoami_out.logon_type == 'Interactive'

  - name: test become runas via task vars (privileged user)
    vars: *admin_become_vars
-    win_shell: whoami
+    win_whoami:
    register: whoami_out
  
  - name: verify output
    assert:
      that:
-      - whoami_out.stdout_lines[0].endswith(become_test_admin_username)
-
-  - name: test become runas to ensure privileged user has high integrity level
-    vars: *admin_become_vars
-    win_shell: whoami /groups
-    register: whoami_out
-  
-  - name: verify output
-    assert:
-      that:
-      - '"Mandatory Label\High Mandatory Level" in whoami_out.stdout'
+      - whoami_out.account.sid == user_admin_result.sid
+      - whoami_out.account.account_name == become_test_admin_username
+      - whoami_out.label.account_name == 'High Mandatory Level'
+      - whoami_out.label.sid == 'S-1-16-12288'
+      - whoami_out.logon_type == 'Interactive'

  - name: test become runas via task keywords
    vars:
@ -110,20 +110,24 @@
    vars: *become_vars
    block:
    - name: ask who the current user is
-      win_shell: whoami
+      win_whoami:
      register: whoami_out

    - name: verify output
      assert:
        that:
-        - whoami_out.stdout_lines[0].endswith(become_test_username)
+        - whoami_out.account.sid == user_limited_result.sid
+        - whoami_out.account.account_name == become_test_username
+        - whoami_out.label.account_name == 'Medium Mandatory Level'
+        - whoami_out.label.sid == 'S-1-16-8192'
+        - whoami_out.logon_type == 'Interactive'
  
  - name: test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468)
    vars: *become_vars
    setup:
    
  - name: test become with SYSTEM account
-    win_command: whoami
+    win_whoami:
    become: yes
    become_method: runas
    become_user: SYSTEM
@ -132,10 +136,15 @@
  - name: verify output
    assert:
      that:
-      - whoami_out.stdout_lines[0] == "nt authority\\system"
+      - whoami_out.account.sid == "S-1-5-18"
+      - whoami_out.account.account_name == "SYSTEM"
+      - whoami_out.account.domain_name == "NT AUTHORITY"
+      - whoami_out.label.account_name == 'System Mandatory Level'
+      - whoami_out.label.sid == 'S-1-16-16384'
+      - whoami_out.logon_type == 'System'

  - name: test become with NetworkService account
-    win_command: whoami
+    win_whoami:
    become: yes
    become_method: runas
    become_user: NetworkService
@ -144,10 +153,15 @@
  - name: verify output
    assert:
      that:
-      - whoami_out.stdout_lines[0] == "nt authority\\network service"
+      - whoami_out.account.sid == "S-1-5-20"
+      - whoami_out.account.account_name == "NETWORK SERVICE"
+      - whoami_out.account.domain_name == "NT AUTHORITY"
+      - whoami_out.label.account_name == 'System Mandatory Level'
+      - whoami_out.label.sid == 'S-1-16-16384'
+      - whoami_out.logon_type == 'Service'

  - name: test become with LocalService account
-    win_command: whoami
+    win_whoami:
    become: yes
    become_method: runas
    become_user: LocalService
@ -156,11 +170,24 @@
  - name: verify output
    assert:
      that:
-      - whoami_out.stdout_lines[0] == "nt authority\\local service"
+      - whoami_out.account.sid == "S-1-5-19"
+      - whoami_out.account.account_name == "LOCAL SERVICE"
+      - whoami_out.account.domain_name == "NT AUTHORITY"
+      - whoami_out.label.account_name == 'System Mandatory Level'
+      - whoami_out.label.sid == 'S-1-16-16384'
+      - whoami_out.logon_type == 'Service'

  # Test out Async on Windows Server 2012+
  - name: get OS version
-    win_shell: if ([System.Environment]::OSVersion.Version -ge [Version]"6.2") { $true } else { $false }
+    win_shell: |
+      $version = [System.Environment]::OSVersion.Version
+      if ($version -ge [Version]"6.2") {
+          "async"
+      } elseif ($version -lt [Version]"6.1") {
+          "old-gramps"
+      } else {
+          ""
+      }
    register: os_version
  
  - name: test become + async on older hosts
@ -174,18 +201,85 @@
    assert:
      that:
      - whoami_out is failed
-    when: os_version.stdout_lines[0] == "False"
+    when: os_version.stdout_lines[0] != "async"

  - name: verify newer hosts worked with become + async
    assert:
      that:
      - whoami_out is successful
-    when: os_version.stdout_lines[0] == "True"
+    when: os_version.stdout_lines[0] == "async"
+
+  - name: test failure with string become invalid key
+    vars: *become_vars
+    win_whoami:
+    become_flags: logon_type=batch invalid_flags=a
+    become_method: runas
+    register: failed_flags_invalid_key
+    failed_when: failed_flags_invalid_key.msg != "become_flags key 'invalid_flags' is not a valid runas flag, must be 'logon_type' or 'logon_flags'"
+
+  - name: test failure with invalid logon_type
+    vars: *become_vars
+    win_whoami:
+    become_flags: logon_type=invalid
+    register: failed_flags_invalid_type
+    failed_when: "failed_flags_invalid_type.msg != \"become_flags logon_type value 'invalid' is not valid, valid values are: interactive, network, batch, service, unlock, network_cleartext, new_credentials\""
+
+  - name: test failure with invalid logon_flag
+    vars: *become_vars
+    win_whoami:
+    become_flags: logon_flags=with_profile,invalid
+    register: failed_flags_invalid_flag
+    failed_when: "failed_flags_invalid_flag.msg != \"become_flags logon_flags value 'invalid' is not valid, valid values are: with_profile, netcredentials_only\""
+
+  # Server 2008 doesn't work with network and network_cleartext, there isn't really a reason why you would want this anyway
+  - name: become different types
+    vars: *become_vars
+    win_whoami:
+    become_flags: logon_type={{item.type}}
+    register: become_logon_type
+    when: not ((item.type == 'network' or item.type == 'network_cleartext') and os_version.stdout_lines[0] == "old-gramps")
+    failed_when: become_logon_type.logon_type != item.actual and become_logon_type.sid != user_limited_result.sid
+    with_items:
+    - type: interactive
+      actual: Interactive
+    - type: batch
+      actual: Batch
+    - type: network
+      actual: Network
+    - type: network_cleartext
+      actual: NetworkCleartext
+
+  - name: become netcredentials with network user
+    vars:
+      ansible_become_user: fakeuser
+      ansible_become_password: fakepassword
+      ansible_become_method: runas
+      ansible_become: True
+      ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
+    win_whoami:
+    register: become_netcredentials
+
+  - name: assert become netcredentials with network user
+    assert:
+      that:
+      # new_credentials still come up as the ansible_user so we can't test that
+      - become_netcredentials.label.account_name == 'High Mandatory Level'
+      - become_netcredentials.label.sid == 'S-1-16-12288'

 # FUTURE: test raw + script become behavior once they're running under the exec wrapper again
 # FUTURE: add standalone playbook tests to include password prompting and play become keywords

  always:
+  - name: remove explicit logon rights for test user
+    win_user_right:
+      name: '{{item}}'
+      users: '{{become_test_username}}'
+      action: remove
+    with_items:
+    - SeNetworkLogonRight
+    - SeInteractiveLogonRight
+    - SeBatchLogonRight
+
  - name: ensure underprivileged test user is deleted
    win_user:
      name: "{{ become_test_username }}"