win_acl doesn't work with registry keys #54357

Closed
mhunsber opened this issue Mar 25, 2019 · 6 comments · Fixed by #54427
Labels
affects_2.8 This issue/PR affects Ansible v2.8 bug This issue/PR relates to a bug. module This issue/PR relates to a module. support:core This issue/PR relates to code supported by the Ansible Engineering Team. windows Windows community

Comments

@mhunsber
Contributor

SUMMARY

Since the module uses the LiteralPath argument for getting and setting the ACL, it does not work for registry keys. This is due to a weird behavior in PowerShell's Get-Acl and Set-Acl cmdlets where you have to be in the drive of the registry key for LiteralPath to work.

In earlier versions of PowerShell, e.g. PSv2, LiteralPath doesn't exist for Get-Acl and Set-Acl.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_acl

ANSIBLE VERSION
```
ansible 2.8.0.dev0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/admin/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/admin/ansible/lib/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0]
```
CONFIGURATION

OS / ENVIRONMENT

Windows Server 2012 R2
Windows 10

STEPS TO REPRODUCE

Try to use win_acl on a registry key:

```yaml
---

- hosts: windows
  tasks:
    - name: 'Administrators have full control on HKCU:\Environment'
      win_acl:
        path: 'HKCU:\Environment'
        user: Administrators
        type: allow
        rights: FullControl
        inherit: ContainerInherit,ObjectInherit
        propagation: None
        state: present
```

EXPECTED RESULTS

expected to get "ok" or "changed"

ACTUAL RESULTS
```
Using module file /home/admin/ansible/lib/ansible/modules/windows/win_acl.ps1
Pipelining is enabled.
<192.168.101.103> ESTABLISH WINRM CONNECTION FOR USER: Administrator on PORT 5985 TO 192.168.101.103
EXEC (via pipeline wrapper)
fatal: [testhost]: FAILED! => {
    "changed": false,
    "msg": "an error occurred when attempting to present FullControl permission(s) on HKCU:\\Environment for Administrators - Cannot find path 'HKEY_CURRENT_USER\\Environment' because it does not exist."
}

PLAY RECAP *******************************************************************************************************************************************************
testhost            : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
```

@mhunsber
Contributor Author

mhunsber commented Mar 25, 2019

If I change win_acl.ps1 lines 130-136 to the following, it behaves as expected, but I don't know if this is a better approach than just using -Path because it feels like a hack.

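```powershell
# Registry paths get a RegistryAccessRule, and the current location is moved
# onto the registry drive so that Get-Acl -LiteralPath can resolve the key.
If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
    $objACE = New-Object System.Security.AccessControl.RegistryAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
    # $Matches[0] is the drive root matched above, e.g. "HKCU:\"
    Set-Location -LiteralPath $Matches[0]
    $objACL = Get-ACL -LiteralPath $path
}
Else {
    # Any other path is treated as a file system path.
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
    $objACL = Get-ACL -LiteralPath $path
}
```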

I also opened a bug report in PowerShell here, since I wasn't able to find any references to the problem elsewhere, but I tried it on several different machines and got the same results.

@ansibot
Contributor

ansibot commented Mar 25, 2019

@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 bug This issue/PR relates to a bug. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. windows Windows community labels Mar 25, 2019
@jborean93 jborean93 removed the needs_triage Needs a first human triage before being processed. label Mar 26, 2019
@jborean93
Contributor

@mhunsber thanks for finding this bug, should have a fix relatively shortly.

@jborean93
Contributor

@mhunsber here is a PR to fix your issue #54427. If you have time to review it, that would be great.

@mhunsber
Contributor Author

@jborean93 looks good, I tested with the changes in my instance and it worked.
I did not know about Push-Location and Pop-Location, so that was nice to learn today.

@jborean93
Contributor

Thanks for the confirmation, it honestly shouldn't be needed but it's nice to clean up after yourself and Push/Pop makes that quite simple.

@ansible ansible locked and limited conversation to collaborators Jul 25, 2019
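
The Push-Location/Pop-Location approach discussed in this thread, as an added example (it is not the code from win_acl.ps1 or from PR #54427). The helper name `Invoke-InProviderDrive` and the stack name `AclExample` are hypothetical, and PowerShell 3.0 or later is assumed so that `Get-Acl -LiteralPath` exists.

```powershell
# Added example; not code from win_acl.ps1 or PR #54427.
# Invoke-InProviderDrive and the 'AclExample' stack name are hypothetical.
# Assumes PowerShell 3.0+ (Get-Acl / Set-Acl accept -LiteralPath).

function Invoke-InProviderDrive {
    param(
        [Parameter(Mandatory = $true)][string]$LiteralPath,
        [Parameter(Mandatory = $true)][scriptblock]$ScriptBlock
    )

    # Take the drive name from the path, e.g. 'HKCU' from 'HKCU:\Environment'.
    if ($LiteralPath -match '^(?<drive>[^:\\/]+):') {
        $driveName = $Matches['drive']
    }
    else {
        throw "Path '$LiteralPath' is not drive-qualified."
    }

    # Fails early if the drive is not defined in this session.
    $drive = Get-PSDrive -Name $driveName -ErrorAction Stop

    # Move to the root of that drive so -LiteralPath is resolved by the right
    # provider, and restore the caller's location even if the block throws.
    Push-Location -LiteralPath "$($drive.Name):\" -StackName 'AclExample'
    try {
        & $ScriptBlock $LiteralPath $drive.Provider.Name
    }
    finally {
        Pop-Location -StackName 'AclExample'
    }
}

# Read-only use: list who holds which rights on the key from the report.
$before = (Get-Location).Path
$acl = Invoke-InProviderDrive -LiteralPath 'HKCU:\Environment' -ScriptBlock {
    param($path, $providerName)
    Get-Acl -LiteralPath $path
}
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited

# The caller's working location is unchanged after the call.
if ((Get-Location).Path -ne $before) {
    throw 'Location was not restored.'
}
```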