path: root/test/integration/targets/module_utils_Ansible.ModuleUtils.PrivilegeUtil/library/privilege_util_test.ps1
blob: 414b80a9f807c03a4ff5431db44b89de69b50567 (plain)
#!powershell

#AnsibleRequires -CSharpUtil Ansible.Basic
#Requires -Module Ansible.ModuleUtils.PrivilegeUtil

# This test module declares no options, so an empty hashtable is handed to
# AnsibleModule.Create as its second argument.
$spec = @{}
$module = [Ansible.Basic.AnsibleModule]::Create($args, $spec)

# Fails the module run when $actual and $expected differ under the
# case-sensitive -cne comparison. On a mismatch both values, together with the
# line number and source text of the calling statement, are written to the
# module result before FailJson is invoked. Returns nothing when they match.
Function Assert-Equal($actual, $expected) {
    $mismatch = $actual -cne $expected
    if (-not $mismatch) {
        return
    }

    # Frame 0 is Assert-Equal itself; frame 1 is the statement that called it.
    $caller = (Get-PSCallStack)[1]
    $module.Result.actual = $actual
    $module.Result.expected = $expected
    $module.Result.line = $caller.ScriptLineNumber
    $module.Result.method = $caller.Position.Text
    $module.FailJson("AssertionError: actual != expected")
}

# Privilege constants taken from
# https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/privilege-constants
# This is a fixed snapshot: the loops below only look up these names, so a
# privilege reported by the host but missing here is not checked individually.
$total_privileges = @(
    "SeAssignPrimaryTokenPrivilege"
    "SeAuditPrivilege"
    "SeBackupPrivilege"
    "SeChangeNotifyPrivilege"
    "SeCreateGlobalPrivilege"
    "SeCreatePagefilePrivilege"
    "SeCreatePermanentPrivilege"
    "SeCreateSymbolicLinkPrivilege"
    "SeCreateTokenPrivilege"
    "SeDebugPrivilege"
    "SeEnableDelegationPrivilege"
    "SeImpersonatePrivilege"
    "SeIncreaseBasePriorityPrivilege"
    "SeIncreaseQuotaPrivilege"
    "SeIncreaseWorkingSetPrivilege"
    "SeLoadDriverPrivilege"
    "SeLockMemoryPrivilege"
    "SeMachineAccountPrivilege"
    "SeManageVolumePrivilege"
    "SeProfileSingleProcessPrivilege"
    "SeRelabelPrivilege"
    "SeRemoteShutdownPrivilege"
    "SeRestorePrivilege"
    "SeSecurityPrivilege"
    "SeShutdownPrivilege"
    "SeSyncAgentPrivilege"
    "SeSystemEnvironmentPrivilege"
    "SeSystemProfilePrivilege"
    "SeSystemtimePrivilege"
    "SeTakeOwnershipPrivilege"
    "SeTcbPrivilege"
    "SeTimeZonePrivilege"
    "SeTrustedCredManAccessPrivilege"
    "SeUndockPrivilege"
)

# Build the reference view of the current token from the text output of
# `whoami /priv`, keeping only the rows whose first column is a privilege name.
# The module_util results are compared against this independent view.
# NOTE(review): the state column is matched against the English word "Enabled";
# presumably the test hosts run an English locale - confirm.
$raw_privilege_output = &whoami /priv | Where-Object { $_.StartsWith("Se") }
$actual_privileges = @{}
foreach ($line in $raw_privilege_output) {
    # First column is the privilege name, last column is its state.
    $columns = $line.TrimEnd() -split " "
    $privilege_name = $columns[0]
    $state_text = $columns[-1]
    $actual_privileges[$privilege_name] = ($state_text -eq "Enabled")
}
$process = [Ansible.Privilege.PrivilegeUtil]::GetCurrentProcess()

### Test PS cmdlets ###
# Get-AnsiblePrivilege: for every known privilege name the cmdlet must agree
# with whoami - $true/$false when the token holds the privilege, and $null when
# whoami did not list it at all.
foreach ($privilege in $total_privileges) {
    $expected = if ($actual_privileges.ContainsKey($privilege)) {
        $actual_privileges.$privilege
    }
    else {
        $null
    }
    $actual = Get-AnsiblePrivilege -Name $privilege
    Assert-Equal -actual $actual -expected $expected
}

# C# GetAllPrivilegeInfo: the call must return a generic Dictionary with one
# entry per privilege that whoami reported, and the Enabled flag of each known
# entry must match the state whoami printed.
$actual = [Ansible.Privilege.PrivilegeUtil]::GetAllPrivilegeInfo($process)
Assert-Equal -actual $actual.GetType().Name -expected 'Dictionary`2'
Assert-Equal -actual $actual.Count -expected $actual_privileges.Count
foreach ($privilege in $total_privileges) {
    # Privileges absent from the token have no dictionary entry to inspect.
    if (-not $actual_privileges.ContainsKey($privilege)) {
        continue
    }

    $attributes = $actual.$privilege
    $is_enabled = $attributes.HasFlag([Ansible.Privilege.PrivilegeAttributes]::Enabled)
    $expected_enabled = $false
    if ($actual_privileges.$privilege) {
        $expected_enabled = $true
    }
    Assert-Equal -actual $is_enabled -expected $expected_enabled
}

# test Set-AnsiblePrivilege
# Walks SeUndockPrivilege through disabled -> enabled -> disabled on the current
# process, reading the state back with Get-AnsiblePrivilege after every call.
# Each real change is preceded by the same call with -WhatIf, which must leave
# the state untouched.
# NOTE(review): assumes the account running the test holds SeUndockPrivilege -
# TODO confirm. The state the privilege had before the test is not recorded;
# the sequence leaves it disabled.
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $false  # ensure we start with a disabled privilege

# -WhatIf enable: state must still read back as disabled
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $true -WhatIf
$actual = Get-AnsiblePrivilege -Name SeUndockPrivilege
Assert-Equal -actual $actual -expected $false

# real enable
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $true
$actual = Get-AnsiblePrivilege -Name SeUndockPrivilege
Assert-Equal -actual $actual -expected $true

# -WhatIf disable: state must still read back as enabled
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $false -WhatIf
$actual = Get-AnsiblePrivilege -Name SeUndockPrivilege
Assert-Equal -actual $actual -expected $true

# real disable
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $false
$actual = Get-AnsiblePrivilege -Name SeUndockPrivilege
Assert-Equal -actual $actual -expected $false

# Only reached when no assertion called FailJson above.
$module.Result.data = "success"
$module.ExitJson()