win_security_policy: Allow setting a value to empty (ansible#42051)
* win_security_policy: allow removing values (resolves ansible#40869)

* Removing warning

* Adding test for remove policy setting

* Fixing string comparison

* Make idempotent

* Adding idempotency and diff test

* added changelog fragment
jamessemai authored and jborean93 committed Jul 13, 2018
1 parent b2527c5 commit dc32842
Showing 3 changed files with 59 additions and 0 deletions.
2 changes: 2 additions & 0 deletions changelogs/fragments/win_security_policy-empty-value.yaml
@@ -0,0 +1,2 @@
bugfixes:
- win_security_policy - allows an empty string to reset a policy value https://github.com/ansible/ansible/issues/40869
4 changes: 4 additions & 0 deletions lib/ansible/modules/windows/win_security_policy.ps1
Expand Up @@ -169,6 +169,8 @@ if ($secedit_ini.$section.ContainsKey($key)) {
$secedit_ini.$section.$key = $value
$will_change = $true
}
} elseif ([string]$value -eq "") {
# Value is requested to be removed, and has already been removed, do nothing
} else {
if ($diff_mode) {
$result.diff.prepared = @"
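Review bot: in the new `elseif ([string]$value -eq "")` branch, a key that is not present in `$secedit_ini.$section` is treated as already removed, so a misspelled or unsupported key name combined with an empty value now finishes as an unchanged success, while the same key with a non-empty value still goes through the `else` path. For a module used to clear privilege rights, that can hide a task that cleared nothing. Say so in the branch comment and the module documentation, or validate the key name before accepting the no-op.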
Expand All @@ -194,6 +196,8 @@ if ($will_change -eq $true) {
if ($new_value -cne $value) {
Fail-Json $result "Failed to change the value for key '$key' in section '$section', the value is still $new_value"
}
} elseif ([string]$value -eq "") {
# Value was empty, so OK if no longer in the result
} else {
Fail-Json $result "The key '$key' in section '$section' is not a valid key, cannot set this value"
}
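Review bot: the `[string]$value -eq ""` test in this `elseif` repeats the one added at the earlier hunk, and the `[string]` cast makes `$null` compare equal to the empty string, so both branches also accept a null value. Compute the condition once into a named boolean (for example with `[string]::IsNullOrEmpty($value)`) and reuse it in both places, so the two checks cannot drift apart and the removal intent is explicit rather than carried by an empty block with a comment.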
53 changes: 53 additions & 0 deletions test/integration/targets/win_security_policy/tasks/tests.yml
Expand Up @@ -131,3 +131,56 @@
that:
- change_existing_string_again is not changed
- change_existing_string_again.value == "New Guest"

- name: add policy setting
win_security_policy:
section: Privilege Rights
# following key is empty by default
key: SeCreateTokenPrivilege
# add Guests
value: '*S-1-5-32-546'

- name: get actual policy setting
test_win_security_policy:
section: Privilege Rights
key: SeCreateTokenPrivilege
register: add_policy_setting_actual

- name: assert add policy setting
assert:
that:
- add_policy_setting_actual.value == '*S-1-5-32-546'

- name: remove policy setting
win_security_policy:
section: Privilege Rights
key: SeCreateTokenPrivilege
value: ''
diff: yes
register: remove_policy_setting

- name: get actual policy setting
test_win_security_policy:
section: Privilege Rights
key: SeCreateTokenPrivilege
register: remove_policy_setting_actual

- name: assert remove policy setting
assert:
that:
- remove_policy_setting is changed
- remove_policy_setting.diff.prepared == "[Privilege Rights]\n-SeCreateTokenPrivilege = *S-1-5-32-546\n+SeCreateTokenPrivilege = "
- remove_policy_setting_actual.value is none

- name: remove policy setting again
win_security_policy:
section: Privilege Rights
key: SeCreateTokenPrivilege
value: ''
register: remove_policy_setting_again

- name: assert remove policy setting again
assert:
that:
- remove_policy_setting_again is not changed
- remove_policy_setting_again.value == ''
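Review bot: the `add policy setting` task grants `SeCreateTokenPrivilege` to `*S-1-5-32-546` and relies on the later `remove policy setting` task to undo it, so a failure between the two leaves that right assigned on the test host; move the removal into cleanup that always runs. The add task is also not registered, so nothing asserts that it reported changed, and `remove policy setting again` is not followed by a `test_win_security_policy` read confirming the key is still absent. There is no check-mode run of the removal either.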
