New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
win_user_right: add module with tests #26276
Conversation
The test
|
@SamLiu79 @timothyvandenbrande @ar7z1 @blakfeld @brianlloyd @chrishoffman @if-meaton @joshludwig @petemounce @schwartzmx @smadam813 As a maintainer of a module in the same namespace this new module has been submitted to, your vote counts for shipits. Please review this module and add |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also looks great- a couple things that could be tightened up and a couple of potential perf issues for large policies.
foreach ($existing_user in $existing_users) { | ||
$user_match = $true | ||
foreach ($user in $users) { | ||
$user_sid = Get-SID -account_name $user |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is potentially expensive if either list is large, since you have to re-lookup the specified user SIDs on each value . Might be better to do a single-pass over each upfront to build a HashSet and use set theory methods to find users to remove. Could also probably call the LINQ set-theory extension methods (they'd take care of building the underlying sets for you).
|
||
# sort the user objects for later comparison and remove duplicates | ||
$new_users = $new_users | Sort-Object -Unique | ||
$existing_users = $existing_users | Sort-Object -Unique |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't at least the uniqueness be handled inside the Build-XList function (if not also the sort)?
removed = @() | ||
} | ||
|
||
foreach ($entry in $existing_list) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another potentially good place for HashSet and set-theory methods (especially if they got built once outside as HashSet, since order probably doesn't matter)...
$name = Get-AnsibleParam -obj $params -name "name" -type "str" -failifempty $true | ||
$users = Get-AnsibleParam -obj $params -name "users" -type "list" -failifempty $true | ||
$action = Get-AnsibleParam -obj $params -name "action" -type "str" -default "set" -validateset "add","remove","set" | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to add diff support (esp since you've already done the work of calculating the diff)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have added diff support, I didn't remove the added/removed return items as they were used in the tests and thought they were still useful to have.
# check the return code and if the file has been populated, otherwise error out | ||
if (($export_result.rc -ne 0) -or ((Get-Item -Path $secedit_ini_path).Length -eq 0)) { | ||
Remove-Item -Path $secedit_ini_path # file is empty and we don't need it | ||
Fail-Json $result "Failed to export secedit.ini file to $($secedit_ini_path).`nRC: $($export_result.rc)`nSTDOUT: $($export_result.stdout)`nSTDERR: $($export_result.stderr)`nLOG: $($export_result.log)" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to include all that in the message, or just return discrete keys in the fail dict? Could see reasons for either...
Remove-Item -Path $secedit_ini_path # file is empty and we don't need it | ||
Fail-Json $result "Failed to export secedit.ini file to $($secedit_ini_path).`nRC: $($export_result.rc)`nSTDOUT: $($export_result.stdout)`nSTDERR: $($export_result.stderr)`nLOG: $($export_result.log)" | ||
} | ||
$secedit_ini = ConvertFrom-Ini -file_path $secedit_ini_path |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couldn't we just extract the initial change calculation into a function and re-run it here, failing if it reported changed?
options: | ||
name: | ||
description: | ||
- The name of the User Right as shown by the Constant name here |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Constant name here/C(Constant Name) value from/
that: | ||
- add_right_on_existing_check|changed | ||
- add_right_on_existing_check.removed == [] | ||
- add_right_on_existing_check.added == ["BUILTIN\\Users", "BUILTIN\\Guests"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the mix of double-quoted/escaped and single-quoted stuff below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
\U
and \G
throws an error when using single quotes, I'll change it so they are all consistent and use double quotes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean single backslashes ?
We are recommending in our new documentation to use single quotes as much as possible to prevent this behavior and the need to escape backslashes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so 'BUILTIN\User'
fails but "BUILTIN\\Users"
is fine, note this is only for the assertions and not for the module parameters, there are test cases where there is an entry called '{{ansible_hostanme}}\Users'
and that works fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh right, Jinja2 and Python don't care about single or double quotes, which is making our generic advice a bit more difficult than we planned :-( We still have to document the behavior of Jinja2...
cc: @jhawkesworth
+label new_module |
@nitzmahone, I've made the changes from your comments, let me know if there is anything I've miseed. |
8b19df7
to
e3b0269
Compare
@nitzmahone, just updated this PR to no longer use SecEdit.exe, makes things simpler as we don't need to parse an ini file. |
So the module freeze deadline for v2.4 is getting closer (2017-08-29). Now is the time to finish up, get it reviewed and merged with no delay. |
SUMMARY
Added a new module win_user_right that allows you to add/remove/set user rights for either local or domain accounts.
ISSUE TYPE
COMPONENT NAME
win_user_right
ANSIBLE VERSION
ADDITIONAL INFORMATION
This module is to extend #22775 where it allows you to idempotently set users/groups on user rights without knowing the SID for said account.