Fix up protect from accidental deletion on new objects (#50)

ansible-collections · Jun 28, 2023 · 6bf01b5 · 6bf01b5
1 parent b99f6ab
commit 6bf01b5
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 0 deletions.
diff --git a/changelogs/fragments/protect-from-deletion.yml b/changelogs/fragments/protect-from-deletion.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- Fix up ``protect_from_deletion`` when creating new AD objects - https://github.com/ansible-collections/microsoft.ad/issues/47
diff --git a/plugins/module_utils/_ADObject.psm1 b/plugins/module_utils/_ADObject.psm1
@@ -959,6 +959,19 @@ Function Invoke-AnsibleADObject {
                 }
             }
 
+            # Only New-ADObject has the -ProtectedFromAccidentialDeletion while
+            # other cmdlets do not. Check for this and manually run with
+            # Set-ADObject later if protection is desired.
+            # https://github.com/ansible-collections/microsoft.ad/issues/47
+            $protectFromDeletion = $false
+            if (
+                $newParams.ContainsKey('ProtectedFromAccidentalDeletion') -and
+                -not $newCommand.Parameters.ContainsKey('ProtectedFromAccidentalDeletion')
+            ) {
+                $protectFromDeletion = $newParams.ProtectedFromAccidentalDeletion
+                $newParams.Remove('ProtectedFromAccidentalDeletion')
+            }
+
             try {
                 $adObject = & $newCommand @newParams @adParams
             }
@@ -976,6 +989,10 @@ Function Invoke-AnsibleADObject {
             else {
                 $objectDN = $adObject.DistinguishedName
                 $objectGuid = $adObject.ObjectGUID
+
+                if ($protectFromDeletion) {
+                    $adObject | Set-ADObject @adParams -ProtectedFromAccidentalDeletion $true
+                }
             }
         }
         else {
@@ -1086,6 +1103,15 @@ Function Invoke-AnsibleADObject {
                 $module.Result.changed = $true
             }
 
+            $protectFromDeletion = $null
+            if (
+                $setParams.ContainsKey('ProtectedFromAccidentalDeletion') -and
+                -not $setCommand.Parameters.ContainsKey('ProtectedFromAccidentalDeletion')
+            ) {
+                $protectFromDeletion = $setParams.ProtectedFromAccidentalDeletion
+                $setParams.Remove('ProtectedFromAccidentalDeletion')
+            }
+
             if ($setParams.Count) {
                 try {
                     $finalADObject = & $setCommand @commonParams @setParams @adParams
@@ -1098,6 +1124,11 @@ Function Invoke-AnsibleADObject {
                 $module.Result.changed = $true
             }
 
+            if ($null -ne $protectFromDeletion) {
+                $finalADObject = Set-ADObject -ProtectedFromAccidentalDeletion $protectFromDeletion @commonParams @adParams
+                $module.Result.changed = $true
+            }
+
             # Won't be set in check mode
             if ($finalADObject) {
                 $objectDN = $finalADObject.DistinguishedName

diff --git a/tests/integration/targets/computer/tasks/tests.yml b/tests/integration/targets/computer/tasks/tests.yml
@@ -122,6 +122,7 @@
     trusted_for_delegation: true
     upn: MyComputer@{{ domain_realm }}
     path: CN=Users,{{ setup_domain_info.output[0].defaultNamingContext }}
+    protect_from_deletion: true
   register: custom_comp
 
 - set_fact:
@@ -137,6 +138,7 @@
     - msDS-AllowedToActOnBehalfOfOtherIdentity
     - msDS-SupportedEncryptionTypes
     - objectSid
+    - ProtectedFromAccidentalDeletion
     - sAMAccountName
     - servicePrincipalName
     - userAccountControl
@@ -174,6 +176,7 @@
     - custom_comp_actual.objects[0]['msDS-SupportedEncryptionTypes_AnsibleFlags'] == ["AES128_CTS_HMAC_SHA1_96", "AES256_CTS_HMAC_SHA1_96"]
     - custom_comp_actual.objects[0].sAMAccountName == 'SamMyComputer$'
     - custom_comp_actual.objects[0].ObjectClass == 'computer'
+    - custom_comp_actual.objects[0].ProtectedFromAccidentalDeletion == true
     - custom_comp_actual.objects[0].servicePrincipalName == 'HTTP/MyComputer'
     - custom_comp_actual.objects[0].userPrincipalName == 'MyComputer@' ~ domain_realm
     - '"ADS_UF_ACCOUNTDISABLE" in custom_comp_actual.objects[0].userAccountControl_AnsibleFlags'
@@ -197,6 +200,7 @@
     sam_account_name: MyComputer2$
     trusted_for_delegation: false
     upn: mycomputer@{{ domain_realm }}
+    protect_from_deletion: false
   register: change_comp
 
 - name: get result of change computer with custom options
@@ -207,6 +211,7 @@
     - location
     - msDS-AllowedToActOnBehalfOfOtherIdentity
     - msDS-SupportedEncryptionTypes
+    - ProtectedFromAccidentalDeletion
     - sAMAccountName
     - userAccountControl
     - userPrincipalName
@@ -235,6 +240,7 @@
     - change_comp_actual.objects[0].location == 'comp location'
     - change_comp_actual.objects[0]['msDS-SupportedEncryptionTypes'] == 20
     - change_comp_actual.objects[0]['msDS-SupportedEncryptionTypes_AnsibleFlags'] == ["RC4_HMAC", "AES256_CTS_HMAC_SHA1_96"]
+    - change_comp_actual.objects[0].ProtectedFromAccidentalDeletion == false
     - change_comp_actual.objects[0].sAMAccountName == 'MyComputer2$'
     - change_comp_actual.objects[0].userPrincipalName == 'mycomputer@' ~ domain_realm
     - '"ADS_UF_ACCOUNTDISABLE" not in change_comp_actual.objects[0].userAccountControl_AnsibleFlags'

diff --git a/tests/integration/targets/user/tasks/tests.yml b/tests/integration/targets/user/tasks/tests.yml
@@ -392,6 +392,7 @@
     password_never_expires: true
     path: '{{ setup_domain_info.output[0].defaultNamingContext }}'
     postal_code: 4000
+    protect_from_deletion: false
     sam_account_name: MyUserSam
     spn:
       set:
@@ -441,6 +442,7 @@
     password_never_expires: true
     path: '{{ setup_domain_info.output[0].defaultNamingContext }}'
     postal_code: 4000
+    protect_from_deletion: false
     sam_account_name: MyUserSam
     spn:
       set:
@@ -476,6 +478,7 @@
     - objectSid
     - postalcode
     - primaryGroupID
+    - ProtectedFromAccidentalDeletion
     - pwdLastSet
     - sAMAccountName
     - servicePrincipalName
@@ -522,6 +525,7 @@
     - create_user_actual.objects[0].memberOf == 'CN=Domain Admins,CN=Users,' ~ setup_domain_info.output[0].defaultNamingContext
     - create_user_actual.objects[0].postalcode == '4000'
     - create_user_actual.objects[0].primaryGroupID == 513  # Domain Users
+    - create_user_actual.objects[0].ProtectedFromAccidentalDeletion == false
     - create_user_actual.objects[0].pwdLastSet > 0
     - create_user_actual.objects[0].sAMAccountName == 'MyUserSam'
     - create_user_actual.objects[0].servicePrincipalName == 'HTTP/MyUser'
@@ -555,6 +559,7 @@
     password_never_expires: true
     path: '{{ setup_domain_info.output[0].defaultNamingContext }}'
     postal_code: 4000
+    protect_from_deletion: false
     sam_account_name: MyUserSam
     spn:
       set:
@@ -629,6 +634,7 @@
     - objectSid
     - postalcode
     - primaryGroupID
+    - ProtectedFromAccidentalDeletion
     - pwdLastSet
     - sAMAccountName
     - servicePrincipalName
@@ -659,6 +665,7 @@
     - update_user_check_actual.objects[0].memberOf == 'CN=Domain Admins,CN=Users,' ~ setup_domain_info.output[0].defaultNamingContext
     - update_user_check_actual.objects[0].postalcode == '4000'
     - update_user_check_actual.objects[0].primaryGroupID == 513  # Domain Users
+    - update_user_check_actual.objects[0].ProtectedFromAccidentalDeletion == false
     - update_user_check_actual.objects[0].pwdLastSet > 0
     - update_user_check_actual.objects[0].sAMAccountName == 'MyUserSam'
     - update_user_check_actual.objects[0].servicePrincipalName == 'HTTP/MyUser'
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		bugfixes:
		- Fix up ``protect_from_deletion`` when creating new AD objects - https://github.com/ansible-collections/microsoft.ad/issues/47