Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

win_share - Implement append paramtere for access rules #59469

Merged
merged 12 commits into from Dec 4, 2019
Merged

win_share - Implement append paramtere for access rules #59469

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
422299c
win_share - Implement append paramtere for access rules
ShachafGoldstein Jul 23, 2019
7c896a9
changed fragment
ShachafGoldstein Jul 23, 2019
5287d2c
add test
ShachafGoldstein Jul 23, 2019
bc3c9aa
missing bracket
ShachafGoldstein Jul 23, 2019
06a9c14
removed whitespace
ShachafGoldstein Jul 23, 2019
d6598f3
Wrong number of lines
ShachafGoldstein Jul 30, 2019
788e29b
Forgot the actual new parameter in the test
ShachafGoldstein Aug 3, 2019
563d86e
community review
ShachafGoldstein Aug 17, 2019
096c5b6
Change option names
ShachafGoldstein Nov 26, 2019
f850084
version update
ShachafGoldstein Nov 26, 2019
b788ef7
Update tests.yml
ShachafGoldstein Nov 26, 2019
ae6f8d2
Add idempotence to rule_action: add
jborean93 Dec 4, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 2 additions & 0 deletions changelogs/fragments/win_share-Implement-append-paramtere-for-access-rules.yml
View file
Open in desktop
@@ -0,0 +1,2 @@
minor_changes:
- "win_share - Implement append parameter for access rules (https://github.com/ansible/ansible/issues/59237)"
115 changes: 67 additions & 48 deletions lib/ansible/modules/windows/win_share.ps1
View file
Open in desktop
Expand Up @@ -47,6 +47,7 @@ $check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "b

$name = Get-AnsibleParam -obj $params -name "name" -type "str" -failifempty $true
$state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset "present","absent"
$rule_action = Get-AnsibleParam -obj $params -name "rule_action" -type "str" -default "set" -validateset "set","add"

if (-not (Get-Command -Name Get-SmbShare -ErrorAction SilentlyContinue)) {
Fail-Json $result "The current host does not support the -SmbShare cmdlets required by this module. Please run on Server 2012 or Windows 8 and later"
Expand Down Expand Up @@ -151,65 +152,83 @@ If ($state -eq "absent") {

# remove permissions
$permissions = Get-SmbShareAccess -Name $name
ForEach ($permission in $permissions) {
If ($permission.AccessControlType -eq "Deny") {
$cim_count = 0
foreach ($count in $permissions) {
$cim_count++
}
# Don't remove the Deny entry for Everyone if there are no other permissions set (cim_count == 1)
if (-not ($permission.AccountName -eq 'Everyone' -and $cim_count -eq 1)) {
If (-not ($permissionDeny.Contains($permission.AccountName))) {
if (-not $check_mode) {
Unblock-SmbShareAccess -Force -Name $name -AccountName $permission.AccountName | Out-Null
if($rule_action -eq "set") {
ForEach ($permission in $permissions) {
If ($permission.AccessControlType -eq "Deny") {
$cim_count = 0
foreach ($count in $permissions) {
$cim_count++
}
# Don't remove the Deny entry for Everyone if there are no other permissions set (cim_count == 1)
if (-not ($permission.AccountName -eq 'Everyone' -and $cim_count -eq 1)) {
If (-not ($permissionDeny.Contains($permission.AccountName))) {
if (-not $check_mode) {
Unblock-SmbShareAccess -Force -Name $name -AccountName $permission.AccountName | Out-Null
}
$result.changed = $true
$result.actions += "Unblock-SmbShareAccess -Force -Name $name -AccountName $($permission.AccountName)"
} else {
# Remove from the deny list as it already has the permissions
$permissionDeny.remove($permission.AccountName) | Out-Null
}
$result.changed = $true
$result.actions += "Unblock-SmbShareAccess -Force -Name $name -AccountName $($permission.AccountName)"
} else {
# Remove from the deny list as it already has the permissions
$permissionDeny.remove($permission.AccountName) | Out-Null
}
}
} ElseIf ($permission.AccessControlType -eq "Allow") {
If ($permission.AccessRight -eq "Full") {
If (-not ($permissionFull.Contains($permission.AccountName))) {
if (-not $check_mode) {
Revoke-SmbShareAccess -Force -Name $name -AccountName $permission.AccountName | Out-Null
} ElseIf ($permission.AccessControlType -eq "Allow") {
If ($permission.AccessRight -eq "Full") {
If (-not ($permissionFull.Contains($permission.AccountName))) {
if (-not $check_mode) {
Revoke-SmbShareAccess -Force -Name $name -AccountName $permission.AccountName | Out-Null
}
$result.changed = $true
$result.actions += "Revoke-SmbShareAccess -Force -Name $name -AccountName $($permission.AccountName)"

Continue
}
$result.changed = $true
$result.actions += "Revoke-SmbShareAccess -Force -Name $name -AccountName $($permission.AccountName)"

Continue
}
# user got requested permissions
$permissionFull.remove($permission.AccountName) | Out-Null
} ElseIf ($permission.AccessRight -eq "Change") {
If (-not ($permissionChange.Contains($permission.AccountName))) {
if (-not $check_mode) {
Revoke-SmbShareAccess -Force -Name $name -AccountName $permission.AccountName | Out-Null
}
$result.changed = $true
$result.actions += "Revoke-SmbShareAccess -Force -Name $name -AccountName $($permission.AccountName)"

# user got requested permissions
$permissionFull.remove($permission.AccountName) | Out-Null
} ElseIf ($permission.AccessRight -eq "Change") {
If (-not ($permissionChange.Contains($permission.AccountName))) {
if (-not $check_mode) {
Revoke-SmbShareAccess -Force -Name $name -AccountName $permission.AccountName | Out-Null
Continue
}
$result.changed = $true
$result.actions += "Revoke-SmbShareAccess -Force -Name $name -AccountName $($permission.AccountName)"

Continue
}
# user got requested permissions
$permissionChange.remove($permission.AccountName) | Out-Null
} ElseIf ($permission.AccessRight -eq "Read") {
If (-not ($permissionRead.Contains($permission.AccountName))) {
if (-not $check_mode) {
Revoke-SmbShareAccess -Force -Name $name -AccountName $permission.AccountName | Out-Null
}
$result.changed = $true
$result.actions += "Revoke-SmbShareAccess -Force -Name $name -AccountName $($permission.AccountName)"

# user got requested permissions
$permissionChange.remove($permission.AccountName) | Out-Null
} ElseIf ($permission.AccessRight -eq "Read") {
If (-not ($permissionRead.Contains($permission.AccountName))) {
if (-not $check_mode) {
Revoke-SmbShareAccess -Force -Name $name -AccountName $permission.AccountName | Out-Null
Continue
}
$result.changed = $true
$result.actions += "Revoke-SmbShareAccess -Force -Name $name -AccountName $($permission.AccountName)"

Continue
# user got requested permissions
$permissionRead.Remove($permission.AccountName) | Out-Null
}
}
}
} ElseIf ($rule_action -eq "add") {
ForEach($permission in $permissions) {
If ($permission.AccessControlType -eq "Deny") {
If ($permissionDeny.Contains($permission.AccountName)) {
$permissionDeny.Remove($permission.AccountName)
}
} ElseIf ($permission.AccessControlType -eq "Allow") {
If ($permissionFull.Contains($permission.AccountName) -and $permission.AccessRight -eq "Full") {
$permissionFull.Remove($permission.AccountName)
} ElseIf ($permissionChange.Contains($permission.AccountName) -and $permission.AccessRight -eq "Change") {
$permissionChange.Remove($permission.AccountName)
} ElseIf ($permissionRead.Contains($permission.AccountName) -and $permission.AccessRight -eq "Read") {
$permissionRead.Remove($permission.AccountName)
}

# user got requested permissions
$permissionRead.Remove($permission.AccountName) | Out-Null
}
}
}
Expand Down
7 changes: 7 additions & 0 deletions lib/ansible/modules/windows/win_share.py
View file
Open in desktop
Expand Up @@ -75,9 +75,16 @@
type: bool
default: no
version_added: "2.4"
rule_action:
description: Whether to add or set (replace) access control entries.
type: str
choices: [ set, add ]
default: set
version_added: "2.10"
author:
- Hans-Joachim Kliemeck (@h0nIg)
- David Baumann (@daBONDi)
- Shachaf Goldstein (@Shachaf92)
'''

EXAMPLES = r'''
Expand Down
38 changes: 38 additions & 0 deletions test/integration/targets/win_share/tasks/tests.yml
View file
Open in desktop
Expand Up @@ -398,6 +398,44 @@
- set_acl_actual_again.stdout_lines[2] == 'Change|Allow|BUILTIN\\Users'
- set_acl_actual_again.stdout_lines[3] == 'Full|Allow|BUILTIN\\Administrators'

- name: Append ACLs on share
win_share:
name: "{{test_win_share_name}}"
state: present
path: "{{test_win_share_path}}"
change: Remote Desktop Users
rule_action: add
register: append_acl

- name: get actual share ACLs
win_shell: foreach ($acl in Get-SmbShareAccess -Name '{{test_win_share_name}}') { Write-Host "$($acl.AccessRight)|$($acl.AccessControlType)|$($acl.AccountName)" }
register: append_acl_actual

- name: assert Append ACLs on share
assert:
that:
- append_acl is changed
- append_acl_actual.stdout_lines|length == 5
- append_acl_actual.stdout_lines[0] == 'Full|Deny|BUILTIN\Remote Desktop Users'
- append_acl_actual.stdout_lines[1] == 'Read|Allow|BUILTIN\\Guests'
- append_acl_actual.stdout_lines[2] == 'Change|Allow|BUILTIN\\Users'
- append_acl_actual.stdout_lines[3] == 'Full|Allow|BUILTIN\\Administrators'
- append_acl_actual.stdout_lines[4] == 'Change|Allow|BUILTIN\\Remote Desktop Users'

- name: Append ACLs on share (idempotent)
win_share:
name: "{{test_win_share_name}}"
state: present
path: "{{test_win_share_path}}"
change: Remote Desktop Users
rule_action: add
register: append_acl_again

- name: assert Append ACLs on share (idempotent)
assert:
that:
- not append_acl_again is changed

- name: remove share check
win_share:
name: "{{test_win_share_name}}"
Expand Down