1 # Copyright (c) 2018 Ansible Project
2 # Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
3 
4 #AnsibleRequires -CSharpUtil Ansible.Privilege
5 
Import-PrivilegeUtil()6 Function Import-PrivilegeUtil {
7     <#
8     .SYNOPSIS
9     No-op, as the C# types are automatically loaded.
10     #>
11     [CmdletBinding()]
12     Param()
13     $msg = "Import-PrivilegeUtil is deprecated and no longer needed, this cmdlet will be removed in a future version"
14     if ((Get-Command -Name Add-DeprecationWarning -ErrorAction SilentlyContinue) -and (Get-Variable -Name result -ErrorAction SilentlyContinue)) {
15         Add-DeprecationWarning -obj $result.Value -message $msg -version 2.12
16     } else {
17         $module = Get-Variable -Name module -ErrorAction SilentlyContinue
18         if ($null -ne $module -and $module.Value.GetType().FullName -eq "Ansible.Basic.AnsibleModule") {
19             $module.Value.Deprecate($msg, "2.12")
20         }
21     }
22 }
23 
Get-AnsiblePrivilege()24 Function Get-AnsiblePrivilege {
25     <#
26     .SYNOPSIS
27     Get the status of a privilege for the current process. This returns
28         $true - the privilege is enabled
29         $false - the privilege is disabled
30         $null - the privilege is removed from the token
31 
32     If Name is not a valid privilege name, this will throw an
33     ArgumentException.
34 
35     .EXAMPLE
36     Get-AnsiblePrivilege -Name SeDebugPrivilege
37     #>
38     [CmdletBinding()]
39     param(
40         [Parameter(Mandatory=$true)][String]$Name
41     )
42 
43     if (-not [Ansible.Privilege.PrivilegeUtil]::CheckPrivilegeName($Name)) {
44         throw [System.ArgumentException] "Invalid privilege name '$Name'"
45     }
46 
47     $process_token = [Ansible.Privilege.PrivilegeUtil]::GetCurrentProcess()
48     $privilege_info = [Ansible.Privilege.PrivilegeUtil]::GetAllPrivilegeInfo($process_token)
49     if ($privilege_info.ContainsKey($Name)) {
50         $status = $privilege_info.$Name
51         return $status.HasFlag([Ansible.Privilege.PrivilegeAttributes]::Enabled)
52     } else {
53         return $null
54     }
55 }
56 
Set-AnsiblePrivilegenull57 Function Set-AnsiblePrivilege {
58     <#
59     .SYNOPSIS
60     Enables/Disables a privilege on the current process' token. If a privilege
61     has been removed from the process token, this will throw an
62     InvalidOperationException.
63 
64     .EXAMPLE
65     # enable a privilege
66     Set-AnsiblePrivilege -Name SeCreateSymbolicLinkPrivilege -Value $true
67 
68     # disable a privilege
69     Set-AnsiblePrivilege -Name SeCreateSymbolicLinkPrivilege -Value $false
70     #>
71     [CmdletBinding(SupportsShouldProcess)]
72     param(
73         [Parameter(Mandatory=$true)][String]$Name,
74         [Parameter(Mandatory=$true)][bool]$Value
75     )
76 
77     $action = switch($Value) {
78         $true { "Enable" }
79         $false { "Disable" }
80     }
81 
82     $current_state = Get-AnsiblePrivilege -Name $Name
83     if ($current_state -eq $Value) {
84         return  # no change needs to occur
85     } elseif ($null -eq $current_state) {
86         # once a privilege is removed from a token we cannot do anything with it
87         throw [System.InvalidOperationException] "Cannot $($action.ToLower()) the privilege '$Name' as it has been removed from the token"
88     }
89 
90     $process_token = [Ansible.Privilege.PrivilegeUtil]::GetCurrentProcess()
91     if ($PSCmdlet.ShouldProcess($Name, "$action the privilege $Name")) {
92         $new_state = New-Object -TypeName 'System.Collections.Generic.Dictionary`2[[System.String], [System.Nullable`1[System.Boolean]]]'
93         $new_state.Add($Name, $Value)
94         [Ansible.Privilege.PrivilegeUtil]::SetTokenPrivileges($process_token, $new_state) > $null
95     }
96 }
97 
98 Export-ModuleMember -Function Import-PrivilegeUtil, Get-AnsiblePrivilege, Set-AnsiblePrivilege
99 
100