win_acl/Certificates: Add tests for Crypto API
jpitlor committed Sep 7, 2023
1 parent 568379e commit 07a2d03
Showing 3 changed files with 70 additions and 26 deletions.
15 changes: 7 additions & 8 deletions plugins/module_utils/_CertACLHelper.cs
Expand Up @@ -123,14 +123,13 @@ private enum CryptProvParam : uint
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CryptSetProvParam(SafeCryptHandle safeProvHandle, CryptProvParam dwParam, [MarshalAs(UnmanagedType.LPArray)] byte[] pbData, SecurityInformationFlags dwFlags);

SafeCryptHandle handle;
bool ncrypt = false;
private SafeCryptHandle handle;
private bool ncrypt = false;

public CertAclHelper(X509Certificate2 certificate)
{
SafeCryptHandle certPkeyHandle;
KeySpec keySpec;

bool ownHandle;
if (CryptAcquireCertificatePrivateKey(
certificate.Handle,
Expand Down Expand Up @@ -166,7 +165,7 @@ public FileSecurity Acl
uint securityDescriptorSize = 0;
if (ncrypt)
{
int securityDescriptorResult = NCryptGetProperty(
var securityDescriptorResult = NCryptGetProperty(
handle,
"Security Descr",
new SafeSecurityDescriptorPtr(),
Expand Down Expand Up @@ -216,9 +215,9 @@ public FileSecurity Acl
}

}
byte[] buffer = new byte[securityDescriptorSize];
var buffer = new byte[securityDescriptorSize];
Marshal.Copy(securityDescriptorBuffer.DangerousGetHandle(), buffer, 0, buffer.Length);
FileSecurity acl = new FileSecurity();
var acl = new FileSecurity();
acl.SetSecurityDescriptorBinaryForm(buffer);

return acl;
Expand All @@ -227,8 +226,8 @@ public FileSecurity Acl
{
if (ncrypt)
{
byte[] sd = value.GetSecurityDescriptorBinaryForm();
int setPropertyResult = NCryptSetProperty(
var sd = value.GetSecurityDescriptorBinaryForm();
var setPropertyResult = NCryptSetProperty(
handle,
"Security Descr",
sd,
Expand Down
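Review bot: `var securityDescriptorResult = NCryptGetProperty(` (line 38) and `var setPropertyResult = NCryptSetProperty(` (line 61) swap an explicit `int` for `var` on a P/Invoke status return, where the declared type is not inferable from the call site and the status comparison that follows depends on its signedness; keeping `int securityDescriptorResult = NCryptGetProperty(` and `int setPropertyResult = NCryptSetProperty(` leaves the NTSTATUS check readable at a glance. The `private SafeCryptHandle handle;` field introduced at line 22 appears to be assigned only in the constructor — if that holds, `private readonly SafeCryptHandle handle;` documents that the native key handle is never rebound after acquisition, and a one-line comment such as `// ncrypt: true when the private key came from a CNG key storage provider rather than a legacy CSP` would make the `ncrypt` switch in `Acl` self-explanatory. The constructor body and the `Acl` getter/setter both continue outside the hunks.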
25 changes: 20 additions & 5 deletions tests/integration/targets/win_acl/tasks/main.yml
Expand Up @@ -16,9 +16,21 @@
- absent
- present

- name: create certificate for testing
win_shell: '(New-SelfSignedCertificate -Subject "ACL Test" -KeyExportPolicy Exportable).Thumbprint'
register: test_acl_certificate_thumbprint
- name: create certificates for testing
win_shell: |
$certParams = @{
KeyAlgorithm = 'RSA'
KeyExportPolicy = 'Exportable'
KeyLength = 2048
}
(New-SelfSignedCertificate @certParams -Subject "ACL Test CNG" -Provider "Microsoft Software Key Storage Provider").Thumbprint
(New-SelfSignedCertificate @certParams -Subject "ACL Test CryptoAPI" -Provider "Microsoft Base Cryptographic Provider v1.0" -KeySpec Signature).Thumbprint
register: test_acl_cert_info

- name: set variables of certificate thumbprints
set_fact:
test_acl_certificiate_cng_thumbprint: '{{ test_acl_cert_info.stdout_lines[0] }}'
test_acl_certificiate_cryptoapi_thumbprint: '{{ test_acl_cert_info.stdout_lines[1] }}'

- block:
- name: create test dir for link target
Expand Down Expand Up @@ -53,9 +65,12 @@
delete_key: yes
state: absent

- name: uninstall testing certificate
- name: uninstall testing certificates
win_certificate_store:
thumbprint: '{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
thumbprint: '{{ item }}'
state: absent
store_location: LocalMachine
store_name: My
with_items:
- test_acl_certificiate_cng_thumbprint
- test_acl_certificiate_cryptoapi_thumbprint
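Review bot: The `with_items` list at lines 105-107 passes the bare strings `test_acl_certificiate_cng_thumbprint` and `test_acl_certificiate_cryptoapi_thumbprint`, so `thumbprint: '{{ item }}'` resolves to the literal variable name rather than a thumbprint and the cleanup task never removes either certificate; the items need to be templated, `- '{{ test_acl_certificiate_cng_thumbprint }}'` and `- '{{ test_acl_certificiate_cryptoapi_thumbprint }}'`. The `New-SelfSignedCertificate` calls at lines 82-83 pass no `-CertStoreLocation`, while the uninstall task and the ACL tests address `LocalMachine`/`My`; it is worth confirming the certificates land in that store on the test host or passing the location explicitly so setup and teardown cannot drift apart. The variable names carry the misspelling `certificiate` consistently across both files, so they work, but a rename to `certificate` now is cheaper than after more tests reference them.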
56 changes: 43 additions & 13 deletions tests/integration/targets/win_acl/tasks/tests.yml
Expand Up @@ -12,6 +12,16 @@
}
$keyFullPath = $env:ProgramData + "\Microsoft\Crypto\Keys\" + $containerName;
ConvertTo-Json -InputObject @((Get-Acl $keyFullPath).Access)
test_crypto_cert_ace_cmd: |
$certificate = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
$privateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certificate)
$containerName = if ($privateKey.GetType().Name -ieq "RSACng") {
$privateKey.Key.UniqueName
} else {
$privateKey.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFullPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\" + $containerName;
ConvertTo-Json -InputObject @((Get-Acl $keyFullPath).Access)
test_ace_cmd: |
# Overcome bug in Set-Acl/Get-Acl for registry paths and -LiteralPath
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS > $null
Expand Down Expand Up @@ -446,7 +456,7 @@
# have very different access masks than private keys in the crypt API
- name: add FullControl rights on certificate - check mode
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cng_thumbprint }}'
user: Guests
type: allow
state: present
Expand All @@ -461,15 +471,15 @@

- name: add FullControl rights on certificate
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cng_thumbprint }}'
user: Guests
type: allow
state: present
rights: FullControl
register: add_fullcontrol_rights_on_certificate

- name: get result of add FullControl rights on certificate
win_shell: '$thumbprint = ''{{ test_acl_certificate_thumbprint.stdout_lines[0] }}''; {{ test_cert_ace_cmd }}'
win_shell: '$thumbprint = ''{{ test_acl_certificiate_cng_thumbprint }}''; {{ test_cert_ace_cmd }}'
register: add_fullcontrol_rights_on_certificate_actual

- name: assert add FullControl rights on certificate
Expand All @@ -481,7 +491,7 @@

- name: add FullControl rights on certificate again
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cng_thumbprint }}'
user: Guests
type: allow
state: present
Expand All @@ -495,7 +505,7 @@

- name: remove FullControl rights on certificate - check mode
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cng_thumbprint }}'
user: Guests
type: allow
state: absent
Expand All @@ -510,15 +520,15 @@

- name: remove FullControl rights on certificate
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cng_thumbprint }}'
user: Guests
type: allow
state: absent
rights: FullControl
register: remove_fullcontrol_rights_on_certificate

- name: get result of remove FullControl rights on certificate
win_shell: '$thumbprint = ''{{ test_acl_certificate_thumbprint.stdout_lines[0] }}''; {{ test_cert_ace_cmd }}'
win_shell: '$thumbprint = ''{{ test_acl_certificiate_cng_thumbprint }}''; {{ test_cert_ace_cmd }}'
register: remove_fullcontrol_rights_on_certificate_actual

- name: assert remove FullControl rights on certificate
Expand All @@ -530,7 +540,7 @@

- name: remove FullControl rights on certificate again
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cng_thumbprint }}'
user: Guests
type: allow
state: absent
Expand All @@ -547,15 +557,15 @@

- name: add Read rights on certificate
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cng_thumbprint }}'
user: Guests
type: allow
state: present
rights: Read
register: add_read_rights_on_certificate

- name: get result of add Read rights on certificate
win_shell: '$thumbprint = ''{{ test_acl_certificate_thumbprint.stdout_lines[0] }}''; {{ test_cert_ace_cmd }}'
win_shell: '$thumbprint = ''{{ test_acl_certificiate_cng_thumbprint }}''; {{ test_cert_ace_cmd }}'
register: add_read_rights_on_certificate_actual

- name: assert add Read rights on certificate
Expand All @@ -567,20 +577,40 @@

- name: remove Read rights on certificate
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificate_thumbprint.stdout_lines[0] }}'
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cng_thumbprint }}'
user: Guests
type: allow
state: absent
rights: Read
register: remove_read_rights_on_certificate

- name: get result of remove Read rights on certificate
win_shell: '$thumbprint = ''{{ test_acl_certificate_thumbprint.stdout_lines[0] }}''; {{ test_cert_ace_cmd }}'
win_shell: '$thumbprint = ''{{ test_acl_certificiate_cng_thumbprint }}''; {{ test_cert_ace_cmd }}'
register: remove_read_rights_on_certificate_actual

- name: assert remove Read rights on certificate
assert:
that:
- remove_read_rights_on_certificate is changed
- item.IdentityReference.Value != 'BUILTIN\Guests' or item.FileSystemRights != 1179785
with_items: '{{ remove_read_rights_on_certificate_actual.stdout|from_json }}'
with_items: '{{ remove_read_rights_on_certificate_actual.stdout|from_json }}'

- name: add FullControl rights on Crypto certificate
win_acl:
path: 'Cert:\LocalMachine\My\{{ test_acl_certificiate_cryptoapi_thumbprint }}'
user: Guests
type: allow
state: present
rights: FullControl
register: add_fullcontrol_rights_on_crypto_certificate

- name: get result of add FullControl rights on Crypto certificate
win_shell: '$thumbprint = ''{{ test_acl_certificiate_cryptoapi_thumbprint }}''; {{ test_crypto_cert_ace_cmd }}'
register: add_fullcontrol_rights_on_crypto_certificate_actual

- name: assert add FullControl rights on Crypto certificate
assert:
that:
- add_fullcontrol_rights_on_crypto_certificate is changed
- (add_fullcontrol_rights_on_crypto_certificate_actual.stdout|from_json|last).IdentityReference.Value == 'BUILTIN\Guests'
- (add_fullcontrol_rights_on_crypto_certificate_actual.stdout|from_json|last).FileSystemRights == 2032127
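Review bot: The assertion at lines 259-260 picks the ACE with `|last` and so assumes the newly added Guests entry is the final element of the `Get-Acl` output, whereas the CNG assertions above (lines 237-239) iterate every ACE with `with_items`; ordering of the access list is not something the test controls, so the check should select by identity instead, e.g. `- add_fullcontrol_rights_on_crypto_certificate_actual.stdout|from_json|selectattr('IdentityReference.Value', 'equalto', 'BUILTIN\Guests')|map(attribute='FileSystemRights')|list == [2032127]`. In `test_crypto_cert_ace_cmd` (lines 114-123) the `RSACng` branch returns `$privateKey.Key.UniqueName` but the path built on line 122 is the `RSA\MachineKeys` CSP directory, so that branch can never locate a file — either drop it or add a comment stating that this command is only valid for a CSP-backed key. The CryptoAPI path also gets only the add-FullControl case, with none of the check-mode, idempotent re-run, removal or Read-rights cases the CNG certificate receives; since the C# change introduced a separate `NCryptSetProperty`/`CryptSetProvParam` code path per provider, the removal case in particular is worth mirroring so an ACE granted to Guests on the CSP key is also shown to be revocable.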
