From 621d714b95cec22ff75de7217a81aca1ba4b224d Mon Sep 17 00:00:00 2001 From: Amit Weinstock Date: Mon, 6 Jan 2025 16:18:21 +0200 Subject: [PATCH] migrate module to basic --- plugins/modules/win_audit_policy_system.ps1 | 111 +++++++----------- .../win_audit_policy_system/tasks/add.yml | 5 - .../win_audit_policy_system/tasks/main.yml | 1 + .../win_audit_policy_system/tasks/modify.yml | 98 ++++++++++++++++ .../win_audit_policy_system/tasks/remove.yml | 10 +- 5 files changed, 144 insertions(+), 81 deletions(-) create mode 100644 tests/integration/targets/win_audit_policy_system/tasks/modify.yml diff --git a/plugins/modules/win_audit_policy_system.ps1 b/plugins/modules/win_audit_policy_system.ps1 index 07640cee..caed9342 100644 --- a/plugins/modules/win_audit_policy_system.ps1 +++ b/plugins/modules/win_audit_policy_system.ps1 @@ -1,24 +1,12 @@ #!powershell -# Copyright: (c) 2017, Noah Sparks # Copyright: (c) 2017, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -#Requires -Module Ansible.ModuleUtils.Legacy +#AnsibleRequires -CSharpUtil Ansible.Basic #Requires -Module Ansible.ModuleUtils.CommandUtil -$ErrorActionPreference = 'Stop' - -$params = Parse-Args -arguments $args -supports_check_mode $true -$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false -$results = @{ - changed = $false -} -###################################### -### populate sets for -validateset ### -###################################### $categories_rc = run-command -command 'auditpol /list /category /r' $subcategories_rc = run-command -command 'auditpol /list /subcategory:* /r' 
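Review bot: The header drops `# Copyright: (c) 2017, Noah Sparks` while keeping the Ansible Project line; a refactor does not change who wrote the original module, so the notice should stay unless the author asked for its removal. The same hunk removes `$ErrorActionPreference = 'Stop'`. Whether the Ansible.Basic wrapper already enforces that is not visible here, so it is worth confirming that a non-terminating error while parsing the `auditpol` output still fails the task instead of continuing with partial data.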
@@ -26,8 +14,8 @@ If ($categories_rc.item('rc') -eq 0) { $categories = ConvertFrom-Csv $categories_rc.item('stdout') | Select-Object -expand Category* } Else { - Fail-Json -obj $results -message "Failed to retrive audit policy categories. Please make sure the auditpol command is functional on - the system and that the account ansible is running under is able to retrieve them. $($_.Exception.Message)" + $module.FailJson("Failed to retrive audit policy categories. Please make sure the auditpol command is functional on + the system and that the account ansible is running under is able to retrieve them." , $($_.Exception.Message)) } If ($subcategories_rc.item('rc') -eq 0) { 
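Review bot: `$module.FailJson(...)` in this Else branch runs before `$module` exists, as far as the visible hunks show: the `[Ansible.Basic.AnsibleModule]::Create($args, $spec)` call only appears further down, after both auditpol lookups. When `auditpol /list` fails, the task therefore dies on a null method call instead of reporting this message, and the subcategory branch in the next hunk has the same problem. `$_` is also not populated outside a `catch`, so the second argument is empty here and in the later `Failed to set audit policy` call; the command's stderr is the detail an operator needs. One way out is to create the module first without `choices` and validate the names after the lookups, as sketched below.

```powershell
$spec = @{
    options = @{
        category = @{ type = 'str' }
        subcategory = @{ type = 'str' }
        # … unchanged: audit_type option …
    }
    # … unchanged: supports_check_mode, mutually_exclusive, required_one_of …
}
$module = [Ansible.Basic.AnsibleModule]::Create($args, $spec)

$categories_rc = Run-Command -command 'auditpol /list /category /r'
If ($categories_rc.item('rc') -ne 0) {
    $module.FailJson("Failed to retrieve audit policy categories: $($categories_rc.item('stderr'))")
}
# … unchanged: ConvertFrom-Csv parsing, same pattern for subcategories …

If ($module.Params.category -and $module.Params.category -notin $categories) {
    $module.FailJson("category must be one of: $($categories -join ', ')")
}
If ($module.Params.subcategory -and $module.Params.subcategory -notin $subcategories) {
    $module.FailJson("subcategory must be one of: $($subcategories -join ', ')")
}
```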
@@ -35,20 +23,30 @@ If ($subcategories_rc.item('rc') -eq 0) { Where-Object { $_ -notin $categories } } Else { - Fail-Json -obj $results -message "Failed to retrive audit policy subcategories. Please make sure the auditpol command is functional on - the system and that the account ansible is running under is able to retrieve them. $($_.Exception.Message)" + $module.FailJson("Failed to retrive audit policy subcategories. Please make sure the auditpol command is functional on + the system and that the account ansible is running under is able to retrieve them." , $($_.Exception.Message)) } -###################### -### ansible params ### -###################### -$category = Get-AnsibleParam -obj $params -name "category" -type "str" -ValidateSet $categories -$subcategory = Get-AnsibleParam -obj $params -name "subcategory" -type "str" -ValidateSet $subcategories -$audit_type = Get-AnsibleParam -obj $params -name "audit_type" -type "list" -failifempty - +$spec = @{ + options = @{ + category = @{ type = 'str' ; choices = $categories } + subcategory = @{ type = 'str' ; choices = $subcategories } + audit_type = @{ type = 'list'; elements = 'str' ; required = $true } + } + supports_check_mode = $true + mutually_exclusive = @( + , @('subcategory', 'category') + ) + required_one_of = @( + , @('subcategory', 'category') + ) +} +$module = [Ansible.Basic.AnsibleModule]::Create($args, $spec) -######################## -### Start Processing ### -######################## +$category = $module.Params.category +$subcategory = $module.Params.subcategory +$audit_type = $module.Params.audit_type +$check_mode = $module.Checkmode Function Get-AuditPolicy ($GetString) { $auditpolcsv = Run-Command -command $GetString If ($auditpolcsv.item('rc') -eq 0) { 
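Review bot: The `audit_type` option in `$spec` has no `choices`, and the explicit check against `'success', 'failure', 'none'` is removed later in this commit. A misspelt value such as `sucess` (constructed example) is therefore accepted and falls through to the final `Else` in the next hunk, which runs `/success:disable /failure:disable`. For a module that manages audit logging, a typo that silently turns auditing off is the wrong failure direction. Declaring the allowed values restores the old rejection: `audit_type = @{ type = 'list'; elements = 'str'; required = $true; choices = 'success', 'failure', 'none' }`.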
@@ -66,67 +64,44 @@ Function Get-AuditPolicy ($GetString) { $HT } -################ -### Validate ### -################ -#make sure category and subcategory are valid -If (-Not $category -and -Not $subcategory) { Fail-Json -obj $results -message "You must provide either a Category or Subcategory parameter" } -If ($category -and $subcategory) { Fail-Json -obj $results -message "Must pick either a specific subcategory or category. You cannot define both" } - - -$possible_audit_types = 'success', 'failure', 'none' -$audit_type | ForEach-Object { - If ($_ -notin $possible_audit_types) { - Fail-Json -obj $result -message "$_ is not a valid audit_type. Please choose from $($possible_audit_types -join ',')" - } -} - -############################################################# -### build lists for setting, getting, and comparing rules ### -############################################################# -$audit_type_string = $audit_type -join ' and ' $SetString = 'auditpol /set' $GetString = 'auditpol /get /r' If ($category) { $SetString = "$SetString /category:`"$category`""; $GetString = "$GetString /category:`"$category`"" } -If ($subcategory) { $SetString = "$SetString /subcategory:`"$subcategory`""; $GetString = "$GetString /subcategory:`"$subcategory`"" } - +Elseif ($subcategory) { $SetString = "$SetString /subcategory:`"$subcategory`""; $GetString = "$GetString /subcategory:`"$subcategory`"" } -Switch ($audit_type_string) { - 'success and failure' { $SetString = "$SetString /success:enable /failure:enable"; $audit_type_check = $audit_type_string } - 'failure' { $SetString = "$SetString /success:disable /failure:enable"; $audit_type_check = $audit_type_string } - 'success' { $SetString = "$SetString /success:enable /failure:disable"; $audit_type_check = $audit_type_string } - 'none' { $SetString = "$SetString /success:disable /failure:disable"; $audit_type_check = 'No Auditing' } - default { Fail-Json -obj $result -message "It seems you have specified an invalid 
combination of items for audit_type. Please review documentation" } +if ('success' -in $audit_type -and 'failure' -in $audit_type) { + $SetString = "$SetString /success:enable /failure:enable"; $audit_type_check = "success and failure" +} +Elseif ( 'success' -in $audit_type ) { + $SetString = "$SetString /success:enable /failure:disable"; $audit_type_check = "success" +} +Elseif ( 'failure' -in $audit_type ) { + $SetString = "$SetString /success:disable /failure:enable"; $audit_type_check = "failure" +} +Else { + $SetString = "$SetString /success:disable /failure:disable"; $audit_type_check = 'No Auditing' } -######################### -### check Idempotence ### -######################### $CurrentRule = Get-AuditPolicy $GetString - #exit if the audit_type is already set properly for the category If (-not ($CurrentRule.Values | Where-Object { $_ -ne $audit_type_check }) ) { - $results.current_audit_policy = Get-AuditPolicy $GetString - Exit-Json -obj $results + $module.result.current_audit_policy = $CurrentRule + $module.ExitJson() } -#################### -### Apply Change ### -#################### - If (-not $check_mode) { $ApplyPolicy = Run-Command -command $SetString If ($ApplyPolicy.Item('rc') -ne 0) { - $results.current_audit_policy = Get-AuditPolicy $GetString - Fail-Json $results "Failed to set audit policy - $($_.Exception.Message)" + $module.result.current_audit_policy = Get-AuditPolicy $GetString + $module.FailJson("Failed to set audit policy $($_.Exception.Message)") } } -$results.changed = $true -$results.current_audit_policy = Get-AuditPolicy $GetString -Exit-Json $results +$module.result.changed = $true +$module.result.current_audit_policy = Get-AuditPolicy $GetString +$module.ExitJson() \ No newline at end of file diff --git a/tests/integration/targets/win_audit_policy_system/tasks/add.yml b/tests/integration/targets/win_audit_policy_system/tasks/add.yml index 75ea2304..7b2039eb 100644 
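Review bot: The `if`/`Elseif` chain never tests for `none`, so a list that mixes it with another value, e.g. `none, success` (constructed example), is applied as `success` without complaint; the removed `Switch` sent such combinations to its failing `default` arm. A guard ahead of the chain keeps contradictory input from being half-applied: `if ('none' -in $audit_type -and $audit_type.Count -gt 1) { $module.FailJson("audit_type 'none' cannot be combined with other values") }`. The closing `Else` would also be safer as an explicit `Elseif ('none' -in $audit_type)` followed by a failing `Else`, so that only a deliberate `none` can disable auditing.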
--- a/tests/integration/targets/win_audit_policy_system/tasks/add.yml +++ b/tests/integration/targets/win_audit_policy_system/tasks/add.yml @@ -29,11 +29,6 @@ - "{{ subcategory.current_audit_policy.values() | list }}" - "{{ category.current_audit_policy.values() | list | unique }}" -#alternative check for category...pretty noise and requires more lines -# - name: assert that audit_type is no auditing -# assert: -# that: item.value == "no auditing" -# with_dict: "{{ category.current_audit_policy }}" #################### ### apply change ### diff --git a/tests/integration/targets/win_audit_policy_system/tasks/main.yml b/tests/integration/targets/win_audit_policy_system/tasks/main.yml index c2e55acc..14bdec8a 100644 --- a/tests/integration/targets/win_audit_policy_system/tasks/main.yml +++ b/tests/integration/targets/win_audit_policy_system/tasks/main.yml @@ -12,6 +12,7 @@ - block: - include_tasks: add.yml + - include_tasks: modify.yml - include_tasks: remove.yml always: - name: CLEANUP turn "{{ category_name }}" back to no auditing diff --git a/tests/integration/targets/win_audit_policy_system/tasks/modify.yml b/tests/integration/targets/win_audit_policy_system/tasks/modify.yml new file mode 100644 index 00000000..7a7d6f8c --- /dev/null +++ b/tests/integration/targets/win_audit_policy_system/tasks/modify.yml 
@@ -0,0 +1,98 @@ +######################## +### check mode modify ### +######################## +- name: check mode modify category + win_audit_policy_system: + category: "{{ category_name }}" + audit_type: failure + check_mode: yes + register: category + +- name: check mode modify subcategory + win_audit_policy_system: + subcategory: "{{ subcategory_name }}" + audit_type: failure + check_mode: yes + register: subcategory + +- name: check mode assert that changed is true + assert: + that: + - category is changed + - subcategory is changed + +- name: modify assert that audit_type is "success" for category + assert: + that: + - item == "success" + with_items: + - "{{ category.current_audit_policy.values() | list | unique }}" + +- name: modify assert that audit_type is "success and failure" for subcategory + assert: + that: + - item == "success and failure" + with_items: + - "{{ subcategory.current_audit_policy.values() | list }}" + + +#################### +### apply change ### +#################### + +- name: modify category + win_audit_policy_system: + category: "{{ category_name }}" + audit_type: failure + register: category + +- name: modify subcategory + win_audit_policy_system: + subcategory: "{{ subcategory_name }}" + audit_type: failure + register: subcategory + +- name: modify assert that changed is true + assert: + that: + - category is changed + - subcategory is changed + +- name: modify assert that audit_type is "success" for category + assert: + that: + - item == "failure" + with_items: + - "{{ category.current_audit_policy.values() | list | unique }}" + - "{{ subcategory.current_audit_policy.values() | list }}" + + +############################### +### idempotent apply change ### +############################### + +- name: idem modify category + win_audit_policy_system: + category: "{{ category_name }}" + audit_type: failure + register: category + +- name: idem modify subcategory + win_audit_policy_system: + subcategory: "{{ subcategory_name }}" + 
audit_type: failure + register: subcategory + +- name: idem assert that changed is false + assert: + that: + - category is not changed + - subcategory is not changed + +- name: idem assert that audit_type is "success" for category + assert: + that: + - item == "failure" + with_items: + - "{{ category.current_audit_policy.values() | list | unique }}" + - "{{ subcategory.current_audit_policy.values() | list }}" diff --git a/tests/integration/targets/win_audit_policy_system/tasks/remove.yml b/tests/integration/targets/win_audit_policy_system/tasks/remove.yml index 1cd60b0a..90813bba 100644 --- a/tests/integration/targets/win_audit_policy_system/tasks/remove.yml +++ b/tests/integration/targets/win_audit_policy_system/tasks/remove.yml @@ -21,18 +21,12 @@ - category is changed - subcategory is changed -- name: check mode assert that audit_type is still "success" (old value) for category +- name: check mode assert that audit_type is still "failure" (old value) for category assert: that: - - item == "success" + - item == "failure" with_items: - "{{ category.current_audit_policy.values() | list | unique }}" - -- name: check mode assert that audit_type is still "success and failure" (old value) for subcategory - assert: - that: - - item == "success and failure" - with_items: - "{{ subcategory.current_audit_policy.values() | list }}" ######################
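Review bot: None of the new tasks in modify.yml exercises an invalid `audit_type`, although this commit removes the module's explicit value check, so a regression that treats a typo as "disable auditing" would pass this suite. A negative case like the one below pins that the module must fail on such input. Separately, the assert tasks under `apply change` and `idempotent apply change` are still named `... audit_type is "success" for category` while they check `item == "failure"`; renaming them avoids misleading output when they fail.

```yaml
# … unchanged: check mode, apply and idempotent modify tasks …

- name: modify fails on an unrecognised audit_type (constructed typo)
  win_audit_policy_system:
    category: "{{ category_name }}"
    audit_type: sucess
  register: invalid_audit_type
  failed_when: invalid_audit_type is not failed
```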