File: setup.yml

# Build a throwaway password for the test PFX files: a fixed prefix
# (presumably there to satisfy password-complexity rules) plus 8 random
# ASCII letters/digits. The password lookup is pointed at /dev/null so the
# generated value is not written to disk on the controller; it exists only
# as the cert_pw fact for this run.
- name: setup test facts
  set_fact:
    cert_pw: "{{ 'password123!' + lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}"

# Create a self-signed test CA, a leaf code-signing certificate chained to
# it, and an unrelated self-signed "untrusted" certificate, then:
#   - export both leaf certs with their private keys as PFX files protected
#     by cert_pw under remote_tmp_dir, plus the signing cert's public part
#     as signing.cer;
#   - delete all three private keys from Cert:\CurrentUser\My;
#   - add the CA's public cert to LocalMachine\Root and the signing cert's
#     public cert to LocalMachine\TrustedPublisher. This is a machine-wide
#     trust change; the teardown that reverses it is not in this file and
#     is presumably part of this target's cleanup — confirm;
#   - print the three thumbprints as JSON for the next task to parse.
# cert_pw and remote_tmp_dir are templated into single-quoted PowerShell
# literals. cert_pw is built only from 'password123!' plus ASCII letters and
# digits, so it cannot contain a quote and break the script.
# Only the CA gets an explicit NotAfter (1 day); the leaf certs rely on the
# New-SelfSignedCertificate default lifetime — TODO confirm that is intended.
- name: setup WDAC certificates
  win_shell: |
    $ErrorActionPreference = 'Stop'

    $testPrefix = 'Ansible-WDAC'
    $certPassword = ConvertTo-SecureString -String '{{ cert_pw }}' -Force -AsPlainText
    $remoteTmpDir = '{{ remote_tmp_dir }}'

    $enhancedKeyUsage = [Security.Cryptography.OidCollection]::new()
    $null = $enhancedKeyUsage.Add('1.3.6.1.5.5.7.3.3')  # Code Signing
    $caParams = @{
        Extension = @(
            [Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true),
            [Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new('KeyCertSign', $false),
            [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension ]::new($enhancedKeyUsage, $false)
        )
        CertStoreLocation = 'Cert:\CurrentUser\My'
        NotAfter = (Get-Date).AddDays(1)
        Type = 'Custom'
    }
    $ca = New-SelfSignedCertificate @caParams -Subject "CN=$testPrefix-Root"

    $certParams = @{
        CertStoreLocation = 'Cert:\CurrentUser\My'
        KeyUsage = 'DigitalSignature'
        TextExtension = @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
        Type = 'Custom'
    }
    $cert = New-SelfSignedCertificate @certParams -Subject "CN=$testPrefix-Signed" -Signer $ca
    $null = $cert | Export-PfxCertificate -Password $certPassword -FilePath "$remoteTmpDir\signing.pfx"
    $cert.Export('Cert') | Set-Content -LiteralPath "$remoteTmpDir\signing.cer" -Encoding Byte

    $certUntrusted = New-SelfSignedCertificate @certParams -Subject "CN=$testPrefix-Untrusted"
    $null = $certUntrusted | Export-PfxCertificate -Password $certPassword -FilePath "$remoteTmpDir\untrusted.pfx"

    $caWithoutKey = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ca.Export('Cert'))
    $certWithoutKey = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert.Export('Cert'))

    Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($ca.Thumbprint)" -DeleteKey -Force
    Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey -Force
    Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($certUntrusted.Thumbprint)" -DeleteKey -Force

    $root = Get-Item Cert:\LocalMachine\Root
    $root.Open('ReadWrite')
    $root.Add($caWithoutKey)
    $root.Dispose()

    $trustedPublisher = Get-Item Cert:\LocalMachine\TrustedPublisher
    $trustedPublisher.Open('ReadWrite')
    $trustedPublisher.Add($certWithoutKey)
    $trustedPublisher.Dispose()

    @{
        ca_thumbprint = $caWithoutKey.Thumbprint
        thumbprint = $certWithoutKey.Thumbprint
        untrusted_thumbprint = $certUntrusted.Thumbprint
    } | ConvertTo-Json
  register: cert_info_raw
  # Elevate to the connecting user itself via runas — presumably so the
  # Cert:\CurrentUser\My operations run in that user's own profile/store;
  # confirm against the target's connection setup. The become password
  # falls back to the test connection password when ansible_password is
  # not set.
  become: true
  become_method: runas
  vars:
    ansible_become_user: '{{ ansible_user }}'
    ansible_become_pass: '{{ ansible_password | default(ansible_test_connection_password) }}'

# Decode the JSON emitted by the certificate setup task into a dict fact
# with the keys ca_thumbprint, thumbprint and untrusted_thumbprint.
- name: parse raw cert_info
  set_fact:
    cert_info: '{{ cert_info_raw.stdout | from_json }}'

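# Copy the two PFX files (signing key and untrusted key, both protected by
# cert_pw) from the Windows host to the controller for the local signing
# step. flat: true makes dest the exact destination path instead of
# prefixing it with the inventory hostname and source path.
- name: fetch signing certificates
  fetch:
    src: '{{ remote_tmp_dir }}\{{ item }}.pfx'
    dest: '{{ local_tmp_dir }}/wdac-{{ item }}.pfx'
    # Was `yes`: a YAML 1.1 boolean that YAML 1.2 parsers read as a string.
    flat: true
  loop:
  - signing
  - untrusted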

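# Make OpenAuthenticode >= 0.5.0 available to pwsh on the controller,
# installing a pinned 0.6.1 nupkg from the project's CI bucket if it is
# missing. The download is over HTTPS but its content is not hash-pinned;
# if integrity pinning is wanted, compare Get-FileHash of the nupkg against
# a known digest before Install-PSResource (no digest is recorded in this
# file, so none is checked here).
# The temporary repository is always unregistered, even on install failure.
# The script prints $true when it installed and $false when it did not, so
# changed_when only fires the removal handler after an actual install.
- name: install OpenAuthenticode
  shell: |
    # Same setting as the Windows-side setup task: make every error
    # terminating so a failed download or install fails this task instead
    # of falling through to the "$true" line (some PSResourceGet errors are
    # otherwise non-terminating and would leave rc at 0).
    $ErrorActionPreference = 'Stop'

    if (-not (Get-Module -Name OpenAuthenticode -ListAvailable | Where-Object Version -ge '0.5.0')) {
        $url = 'https://ansible-ci-files.s3.us-east-1.amazonaws.com/test/integration/targets/win_app_control/openauthenticode.0.6.1.nupkg'
        Invoke-WebRequest -Uri $url -OutFile '{{ local_tmp_dir }}/openauthenticode.0.6.1.nupkg'

        # A local, trusted file-based repository so Install-PSResource can
        # consume the downloaded nupkg without prompting.
        Register-PSResourceRepository -Name AnsibleTemp -Trusted -Uri '{{ local_tmp_dir }}'
        try {
            Install-PSResource -Name OpenAuthenticode -Repository AnsibleTemp
        } finally {
            Unregister-PSResourceRepository -Name AnsibleTemp
        }

        $true
    } else {
        $false
    }
  args:
    executable: pwsh
  register: open_auth_install
  changed_when: open_auth_install.stdout | bool
  notify: remove openauthenticode
  delegate_to: localhost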

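# Sign the test collection on the controller using the fetched PFX files.
# Each path is parenthesised before `| quote`: a Jinja filter binds tighter
# than `~`, so the previous `local_tmp_dir ~ "/x" | quote` only quoted the
# literal suffix and left local_tmp_dir itself unquoted — a temp dir with a
# space or shell metacharacter would have been split into several arguments.
# cert_pw is passed on the command line and the script runs with -Verbose,
# so it is visible in process listings and task output; it is a throwaway
# value generated for this run and protects only test certificates.
- name: sign Ansible content
  script: >-
    New-AnsiblePowerShellSignature.ps1
    -CollectionPath {{ (local_tmp_dir ~ "/ansible_collections/ns/col") | quote }}
    -CertPath {{ (local_tmp_dir ~ "/wdac-signing.pfx") | quote }}
    -UntrustedCertPath {{ (local_tmp_dir ~ "/wdac-untrusted.pfx") | quote }}
    -CertPass {{ cert_pw | quote }}
    -Verbose
  environment:
    NO_COLOR: '1'
  delegate_to: localhost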