ansible-collections / community.windows

Windows community collection for Ansible
https://galaxy.ansible.com/community/windows
GNU General Public License v3.0

win_firewall_rule fails when program is set to any #471

Closed PfurtschellerP closed 1 year ago

PfurtschellerP commented 1 year ago
SUMMARY

When using the win_firewall_rule module and having set program to any, the module fails with the following message:

The full traceback is:
Value does not fall within the expected range.
At line:268 char:37
+ ...                                 $existingRule.$prop = $new_rule.$prop
+                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException
ISSUE TYPE
COMPONENT NAME

win_firewall_rule

ANSIBLE VERSION
ansible [core 2.13.6]
  config file = None
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection        Version
----------------- -------
community.windows 1.11.1
CONFIGURATION
OS / ENVIRONMENT

Ansible execution from Debian 11 and AWX/RHEL8.6. Target system is Windows Server 2019 Standard

STEPS TO REPRODUCE
---
- name: Test
  hosts: targethost
  vars:
    fw_rules:
      - Name: Remote-Administration-RPC-EPMAP
        DisplayName: Remote Administration (RPC-EPMAP)
        DisplayGroup: Remote Administration
        Profile: Any
        Enabled: 'True'
        Action: Allow
        Program: Any # "%SystemRoot%\\system32\\svchost.exe"
        LocalAddress: Any
        RemoteAddress: Any
        Protocol: TCP
        LocalPort: RPC-EPMap
        RemotePort: Any
        Service: RPCSS
  tasks:
      - name: Apply firewall rules
        community.windows.win_test_firewall_rule:
          name: '{{ rule.DisplayName }}'
          group: '{{ rule.DisplayGroup }}'
          profiles: '{{ "domain,private,public" if rule.Profile == "Any" else rule.Profile }}'
          enabled: '{{ rule.Enabled }}'
          action: '{{ rule.Action }}'
          program: '{{ rule.Program | default(omit) }}'
          localip: '{{ rule.LocalAddress }}'
          remoteip: '{{ rule.RemoteAddress }}'
          protocol: '{{ rule.Protocol }}'
          localport: '{{ rule.LocalPort | default(omit) }}'
          remoteport: '{{ rule.RemotePort | default(omit) }}'
          service: '{{ rule.Service | default(omit) }}'
          state: present
        loop: '{{ fw_rules }}'
        loop_control:
          loop_var: rule
EXPECTED RESULTS

The program attribute of the firewall rule should change to any.

ACTUAL RESULTS

The module fails.

TASK [Apply firewall rules] ****************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was:     + FullyQualifiedErrorId : System.ArgumentException
failed: [10.10.10.25] (item={'Name': 'Remote-Administration-RPC-EPMAP', 'DisplayName': 'Remote Administration (RPC-EPMAP)', 'DisplayGroup': 'Remote Administration', 'Profile': 'Any', 'Enabled': 'True', 'Action': 'Allow', 'Program': 'any', 'LocalAddress': 'Any', 'RemoteAddress': 'Any', 'Protocol': 'TCP', 'LocalPort': 'RPC-EPMap', 'RemotePort': 'Any', 'Service': 'RPCSS'}) => {"ansible_loop_var": "rule", "changed": false, "msg": "Value does not fall within the expected range.", "rule": {"Action": "Allow", "DisplayGroup": "Remote Administration", "DisplayName": "Remote Administration (RPC-EPMAP)", "Enabled": "True", "LocalAddress": "Any", "LocalPort": "RPC-EPMap", "Name": "Remote-Administration-RPC-EPMAP", "Profile": "Any", "Program": "any", "Protocol": "TCP", "RemoteAddress": "Any", "RemotePort": "Any", "Service": "RPCSS"}}
PfurtschellerP commented 1 year ago

After experimenting a bit with the module I think I found the cause. $existing_rule.ApplicationName can't be set to $null (which seems to be required for it to really be set to any). I added the following lines:

Variable Conversion around line 170

  if ($null -ne $program -and $program -ne "any") { 
      $new_rule.ApplicationName = [System.Environment]::ExpandEnvironmentVariables($program) 
  } elseif ($program -eq "any") {
      $new_rule.ApplicationName = $program
  }

Parameter assignment around line 275

  If ($prop -eq 'Profiles') {
      $existingRule.Profiles = [int] $new_rule.$prop
  }
  # If Application Name is "any" the value of the firewall rule has to be $null, so must use Set-NetFirewallRule here. 
  ElseIf(($prop -eq 'ApplicationName') -and ($new_rule.$prop -eq "any")) {
      Set-NetFirewallRule -DisplayName "$($existingRule.Name)" -Program "any"            
  }
  Else {
      $existingRule.$prop = $new_rule.$prop
  }

I am not an experienced PowerShell user, but this seems to fix this issue. I created a draft PR here: https://github.com/ansible-collections/community.windows/pull/472
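
To check the behaviour described in the comment above on a disposable test host, the following sketch (an added example, not code from the module or the PR) creates a disabled rule bound to a program, attempts the COM assignment, then applies the `Set-NetFirewallRule` route and reads the program filter back. The rule name and port are constructed values, and it must run in an elevated session.

```powershell
# Added example: compares the COM property assignment with Set-NetFirewallRule.
# $displayName and the port are constructed test values, not taken from the issue.
$displayName = 'Example-Program-Any-Test'

# Start from a disabled rule that is scoped to one program.
New-NetFirewallRule -DisplayName $displayName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 135 -Enabled False `
    -Program "$env:SystemRoot\System32\svchost.exe" | Out-Null

try {
    # Same COM interface the traceback points at ($existingRule.$prop = ...).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $rule = $fw.Rules | Where-Object { $_.Name -eq $displayName }
    Write-Output "COM ApplicationName before: $($rule.ApplicationName)"

    try {
        # The assignment the comment reports as failing.
        $rule.ApplicationName = $null
        Write-Output 'COM assignment of $null was accepted'
    }
    catch {
        Write-Output "COM assignment of `$null failed: $($_.Exception.Message)"
    }

    # The route used in the proposed change.
    Set-NetFirewallRule -DisplayName $displayName -Program Any

    # Read the result back through the application filter.
    $filter = Get-NetFirewallRule -DisplayName $displayName |
        Get-NetFirewallApplicationFilter
    Write-Output "Program after Set-NetFirewallRule: $($filter.Program)"
}
finally {
    # Always remove the test rule, even if a step above threw.
    Remove-NetFirewallRule -DisplayName $displayName
}
```

Because `Program: Any` widens an allow rule to every executable on the host, reading the filter back after the task runs confirms that the rule ended up with the scope the playbook intended.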