2015-01-15 04:25:22 +00:00
#!powershell
# This file is part of Ansible
#
2015-06-18 22:25:05 +00:00
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
2015-10-18 15:06:28 +00:00
# Copyright 2015, Trond Hindenes
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
2015-01-15 04:25:22 +00:00
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
2015-07-14 23:35:28 +00:00
2015-01-15 04:25:22 +00:00
# WANT_JSON
# POWERSHELL_COMMON
2015-07-14 23:35:28 +00:00
2015-01-15 04:25:22 +00:00
# win_acl module (File/Resources Permission Additions/Removal)
2015-07-14 23:35:28 +00:00
#Functions
Function UserSearch
{
2016-12-08 05:34:16 +00:00
Param ( [ string ] $accountName )
2015-07-14 23:35:28 +00:00
#Check if there's a realm specified
2016-11-07 21:07:53 +00:00
$searchDomain = $false
$searchDomainUPN = $false
$SearchAppPools = $false
if ( $accountName . Split ( " \ " ) . count -gt 1 )
2015-07-14 23:35:28 +00:00
{
2016-11-07 21:07:53 +00:00
if ( $accountName . Split ( " \ " ) [ 0 ] -eq $env:COMPUTERNAME )
{
}
elseif ( $accountName . Split ( " \ " ) [ 0 ] -eq " IIS APPPOOL " )
2015-07-14 23:35:28 +00:00
{
2016-11-07 21:07:53 +00:00
$SearchAppPools = $true
$accountName = $accountName . split ( " \ " ) [ 1 ]
2015-07-14 23:35:28 +00:00
}
2016-11-07 21:07:53 +00:00
else
2015-07-14 23:35:28 +00:00
{
2016-12-08 05:34:16 +00:00
$searchDomain = $true
$accountName = $accountName . split ( " \ " ) [ 1 ]
2015-07-14 23:35:28 +00:00
}
}
2016-12-08 05:34:16 +00:00
Elseif ( $accountName . contains ( " @ " ) )
2015-07-14 23:35:28 +00:00
{
2016-12-08 05:34:16 +00:00
$searchDomain = $true
$searchDomainUPN = $true
2015-07-14 23:35:28 +00:00
}
Else
{
#Default to local user account
2016-12-08 05:34:16 +00:00
$accountName = $env:COMPUTERNAME + " \ " + $accountName
2015-07-14 23:35:28 +00:00
}
2016-11-07 21:07:53 +00:00
if ( ( $searchDomain -eq $false ) -and ( $SearchAppPools -eq $false ) )
2015-07-14 23:35:28 +00:00
{
2015-10-15 10:01:11 +00:00
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
2016-12-08 05:34:16 +00:00
$localaccount = get-wmiobject -class " Win32_Account " -namespace " root\CIMV2 " -filter " (LocalAccount = True) " | where { $_ . Caption -eq $accountName }
2015-07-14 23:35:28 +00:00
if ( $localaccount )
{
2015-10-15 10:01:11 +00:00
return $localaccount . SID
2015-07-14 23:35:28 +00:00
}
}
2016-11-07 21:07:53 +00:00
Elseif ( $SearchAppPools -eq $true )
{
Import-Module WebAdministration
$testiispath = Test-path " IIS: "
if ( $testiispath -eq $false )
{
return $null
}
else
{
$apppoolobj = Get-ItemProperty IIS : \ AppPools \ $accountName
return $apppoolobj . applicationPoolSid
}
}
2017-06-22 16:47:58 +00:00
Else
2015-07-14 23:35:28 +00:00
{
#Search by samaccountname
$Searcher = [ adsisearcher ] " "
2016-12-08 14:38:05 +00:00
2016-12-08 05:34:16 +00:00
If ( $searchDomainUPN -eq $false ) {
$Searcher . Filter = " sAMAccountName= $( $accountName ) "
}
Else {
$Searcher . Filter = " userPrincipalName= $( $accountName ) "
}
$result = $Searcher . FindOne ( )
2015-07-14 23:35:28 +00:00
if ( $result )
{
2015-10-15 10:01:11 +00:00
$user = $result . GetDirectoryEntry ( )
# get binary SID from AD account
$binarySID = $user . ObjectSid . Value
# convert to string SID
return ( New-Object System . Security . Principal . SecurityIdentifier ( $binarySID , 0 ) ) . Value
2015-07-14 23:35:28 +00:00
}
}
}
2017-03-06 20:56:17 +00:00
# Need to adjust token privs when executing Set-ACL in certain cases.
# e.g. d:\testdir is owned by group in which current user is not a member and no perms are inherited from d:\
# This also sets us up for setting the owner as a feature.
$AdjustTokenPrivileges = @"
using System ;
using System . Runtime . InteropServices ;
namespace Ansible {
public class TokenManipulator {
[ DllImport ( " advapi32.dll " , ExactSpelling = true , SetLastError = true ) ]
internal static extern bool AdjustTokenPrivileges ( IntPtr htok , bool disall ,
ref TokPriv1Luid newst , int len , IntPtr prev , IntPtr relen ) ;
[ DllImport ( " kernel32.dll " , ExactSpelling = true ) ]
internal static extern IntPtr GetCurrentProcess ( ) ;
[ DllImport ( " advapi32.dll " , ExactSpelling = true , SetLastError = true ) ]
internal static extern bool OpenProcessToken ( IntPtr h , int acc ,
ref IntPtr phtok ) ;
[ DllImport ( " advapi32.dll " , SetLastError = true ) ]
internal static extern bool LookupPrivilegeValue ( string host , string name ,
ref long pluid ) ;
[ StructLayout ( LayoutKind . Sequential , Pack = 1 ) ]
internal struct TokPriv1Luid
{
public int Count ;
public long Luid ;
public int Attr ;
}
internal const int SE_PRIVILEGE_DISABLED = 0x00000000 ;
internal const int SE_PRIVILEGE_ENABLED = 0x00000002 ;
internal const int TOKEN_QUERY = 0x00000008 ;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020 ;
public static bool AddPrivilege ( string privilege ) {
try {
bool retVal ;
TokPriv1Luid tp ;
IntPtr hproc = GetCurrentProcess ( ) ;
IntPtr htok = IntPtr . Zero ;
retVal = OpenProcessToken ( hproc , TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY , ref htok ) ;
tp . Count = 1 ;
tp . Luid = 0 ;
tp . Attr = SE_PRIVILEGE_ENABLED ;
retVal = LookupPrivilegeValue ( null , privilege , ref tp . Luid ) ;
retVal = AdjustTokenPrivileges ( htok , false , ref tp , 0 , IntPtr . Zero , IntPtr . Zero ) ;
return retVal ;
}
catch ( Exception ex ) {
throw ex ;
}
}
public static bool RemovePrivilege ( string privilege ) {
try {
bool retVal ;
TokPriv1Luid tp ;
IntPtr hproc = GetCurrentProcess ( ) ;
IntPtr htok = IntPtr . Zero ;
retVal = OpenProcessToken ( hproc , TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY , ref htok ) ;
tp . Count = 1 ;
tp . Luid = 0 ;
tp . Attr = SE_PRIVILEGE_DISABLED ;
retVal = LookupPrivilegeValue ( null , privilege , ref tp . Luid ) ;
retVal = AdjustTokenPrivileges ( htok , false , ref tp , 0 , IntPtr . Zero , IntPtr . Zero ) ;
return retVal ;
}
catch ( Exception ex ) {
throw ex ;
}
}
}
}
" @
add-type $AdjustTokenPrivileges
Function SetPrivilegeTokens ( ) {
# Set privilege tokens only if admin.
# Admins would have these privs or be able to set these privs in the UI Anyway
$adminRole = [ System.Security.Principal.WindowsBuiltInRole ] :: Administrator
$myWindowsID = [ System.Security.Principal.WindowsIdentity ] :: GetCurrent ( )
$myWindowsPrincipal = new-object System . Security . Principal . WindowsPrincipal ( $myWindowsID )
if ( $myWindowsPrincipal . IsInRole ( $adminRole ) ) {
# See the following for details of each privilege
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
[ void][Ansible.TokenManipulator ] :: AddPrivilege ( " SeRestorePrivilege " ) #Grants all write access control to any file, regardless of ACL.
[ void][Ansible.TokenManipulator ] :: AddPrivilege ( " SeBackupPrivilege " ) #Grants all read access control to any file, regardless of ACL.
[ void][Ansible.TokenManipulator ] :: AddPrivilege ( " SeTakeOwnershipPrivilege " ) #Grants ability to take owernship of an object w/out being granted discretionary access
}
}
2015-01-15 04:25:22 +00:00
$params = Parse-Args $args ;
2015-10-17 22:00:47 +00:00
2017-04-13 18:34:33 +00:00
$result = @ {
changed = $false
}
2015-10-17 22:00:47 +00:00
$path = Get-Attr $params " path " -failifempty $true
$user = Get-Attr $params " user " -failifempty $true
$rights = Get-Attr $params " rights " -failifempty $true
2015-11-17 14:36:52 +00:00
$type = Get-Attr $params " type " -failifempty $true -validateSet " allow " , " deny " -resultobj $result
2015-10-17 22:00:47 +00:00
$state = Get-Attr $params " state " " present " -validateSet " present " , " absent " -resultobj $result
$inherit = Get-Attr $params " inherit " " "
$propagation = Get-Attr $params " propagation " " None " -validateSet " None " , " NoPropagateInherit " , " InheritOnly " -resultobj $result
If ( -Not ( Test-Path -Path $path ) ) {
Fail-Json $result " $path file or directory does not exist on the host "
2015-01-15 04:25:22 +00:00
}
2015-10-17 22:00:47 +00:00
# Test that the user/group is resolvable on the local machine
$sid = UserSearch -AccountName ( $user )
if ( ! $sid )
{
Fail-Json $result " $user is not a valid user or group on the host machine or domain "
2015-01-15 04:25:22 +00:00
}
2015-10-17 22:00:47 +00:00
If ( Test-Path -Path $path -PathType Leaf ) {
$inherit = " None "
2015-01-15 04:25:22 +00:00
}
2015-10-17 22:00:47 +00:00
ElseIf ( $inherit -eq " " ) {
$inherit = " ContainerInherit, ObjectInherit "
2015-01-15 04:25:22 +00:00
}
2017-03-06 20:56:17 +00:00
$ErrorActionPreference = " Stop "
2015-01-15 04:25:22 +00:00
Try {
2017-03-06 20:56:17 +00:00
SetPrivilegeTokens
2017-03-02 06:38:27 +00:00
If ( $path -match " ^HK(CC|CR|CU|LM|U):\\ " ) {
2017-03-06 20:56:17 +00:00
$colRights = [ System.Security.AccessControl.RegistryRights ] $rights
2017-03-02 06:38:27 +00:00
}
Else {
2017-03-06 20:56:17 +00:00
$colRights = [ System.Security.AccessControl.FileSystemRights ] $rights
2017-03-02 06:38:27 +00:00
}
2017-03-06 20:56:17 +00:00
2015-01-15 04:25:22 +00:00
$InheritanceFlag = [ System.Security.AccessControl.InheritanceFlags ] $inherit
$PropagationFlag = [ System.Security.AccessControl.PropagationFlags ] $propagation
2015-07-14 23:35:28 +00:00
2015-10-17 22:00:47 +00:00
If ( $type -eq " allow " ) {
2015-01-15 04:25:22 +00:00
$objType = [ System.Security.AccessControl.AccessControlType ] :: Allow
}
Else {
$objType = [ System.Security.AccessControl.AccessControlType ] :: Deny
}
2015-07-14 23:35:28 +00:00
2015-10-15 10:01:11 +00:00
$objUser = New-Object System . Security . Principal . SecurityIdentifier ( $sid )
2017-03-02 06:38:27 +00:00
If ( $path -match " ^HK(CC|CR|CU|LM|U):\\ " ) {
2017-03-06 20:56:17 +00:00
$objACE = New-Object System . Security . AccessControl . RegistryAccessRule ( $objUser , $colRights , $InheritanceFlag , $PropagationFlag , $objType )
2017-03-02 06:38:27 +00:00
}
Else {
2017-03-06 20:56:17 +00:00
$objACE = New-Object System . Security . AccessControl . FileSystemAccessRule ( $objUser , $colRights , $InheritanceFlag , $PropagationFlag , $objType )
2017-03-02 06:38:27 +00:00
}
2015-07-15 16:42:27 +00:00
$objACL = Get-ACL $path
2015-07-14 23:35:28 +00:00
2015-06-18 22:25:05 +00:00
# Check if the ACE exists already in the objects ACL list
$match = $false
2017-07-11 00:01:55 +00:00
# Workaround to handle special use case 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' and
# 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'- can't translate fully qualified name (win32 API bug/oddity)
# 'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16 and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16
$specialIdRefs = " ALL APPLICATION PACKAGES " , " ALL RESTRICTED APPLICATION PACKAGES "
ForEach ( $rule in $objACL . Access ) {
$idRefShortValue = ( $rule . IdentityReference . Value ) . split ( '\' ) [ -1 ]
if ( $idRefShortValue -in $specialIdRefs ) {
$ruleIdentity = ( New-Object Security . Principal . NTAccount $idRefShortValue ) . Translate ( [ Security.Principal.SecurityIdentifier ] )
}
else {
2017-03-06 20:56:17 +00:00
$ruleIdentity = $rule . IdentityReference . Translate ( [ System.Security.Principal.SecurityIdentifier ] )
2017-07-11 00:01:55 +00:00
}
If ( $path -match " ^HK(CC|CR|CU|LM|U):\\ " ) {
2017-03-06 20:56:17 +00:00
If ( ( $rule . RegistryRights -eq $objACE . RegistryRights ) -And ( $rule . AccessControlType -eq $objACE . AccessControlType ) -And ( $ruleIdentity -eq $objACE . IdentityReference ) -And ( $rule . IsInherited -eq $objACE . IsInherited ) -And ( $rule . InheritanceFlags -eq $objACE . InheritanceFlags ) -And ( $rule . PropagationFlags -eq $objACE . PropagationFlags ) ) {
$match = $true
Break
}
2017-07-11 00:01:55 +00:00
} else {
2017-03-06 20:56:17 +00:00
If ( ( $rule . FileSystemRights -eq $objACE . FileSystemRights ) -And ( $rule . AccessControlType -eq $objACE . AccessControlType ) -And ( $ruleIdentity -eq $objACE . IdentityReference ) -And ( $rule . IsInherited -eq $objACE . IsInherited ) -And ( $rule . InheritanceFlags -eq $objACE . InheritanceFlags ) -And ( $rule . PropagationFlags -eq $objACE . PropagationFlags ) ) {
$match = $true
Break
}
}
2017-03-02 06:38:27 +00:00
}
2015-10-17 22:00:47 +00:00
If ( $state -eq " present " -And $match -eq $false ) {
2015-01-15 04:25:22 +00:00
Try {
$objACL . AddAccessRule ( $objACE )
2015-07-15 16:42:27 +00:00
Set-ACL $path $objACL
2017-04-13 18:34:33 +00:00
$result . changed = $true
2015-01-15 04:25:22 +00:00
}
Catch {
2017-03-06 20:56:17 +00:00
Fail-Json $result " an exception occurred when adding the specified rule - $( $_ . Exception . Message ) "
2015-01-15 04:25:22 +00:00
}
}
2015-10-17 22:00:47 +00:00
ElseIf ( $state -eq " absent " -And $match -eq $true ) {
2015-01-15 04:25:22 +00:00
Try {
$objACL . RemoveAccessRule ( $objACE )
2015-07-15 16:42:27 +00:00
Set-ACL $path $objACL
2017-04-13 18:34:33 +00:00
$result . changed = $true
2015-01-15 04:25:22 +00:00
}
Catch {
2017-03-06 20:56:17 +00:00
Fail-Json $result " an exception occurred when removing the specified rule - $( $_ . Exception . Message ) "
2015-01-15 04:25:22 +00:00
}
}
2015-06-18 22:25:05 +00:00
Else {
# A rule was attempting to be added but already exists
If ( $match -eq $true ) {
Exit-Json $result " the specified rule already exists "
}
# A rule didn't exist that was trying to be removed
Else {
Exit-Json $result " the specified rule does not exist "
}
}
2015-01-15 04:25:22 +00:00
}
Catch {
2017-03-06 20:56:17 +00:00
Fail-Json $result " an error occurred when attempting to $state $rights permission(s) on $path for $user - $( $_ . Exception . Message ) "
2015-01-15 04:25:22 +00:00
}
2015-07-14 23:35:28 +00:00
2016-11-07 21:07:53 +00:00
Exit-Json $result
