Document Windows App Control Feature #2654
Conversation
| * Python with Ansible and the required collections installed | ||
| * Access to the certificate and private key trusted by the App Control policy, typically as a PFX file | ||
|
|
||
| .. literalinclude:: powershell/New-AnsiblePowerShellSignature.ps1 |
There was a problem hiding this comment.
This is quite a large script so a literalinclude may not be the best idea. Any suggestions on how to potentially just link to the script this points to instead as a hyperlink?
There was a problem hiding this comment.
The :download: directive that @samccann mentions is a good option. Although maybe it's not that informative and forces the reader to download a script and then go away from the docs and get off track.
You could do kind of a hybrid approach like this where you just include a portion of the script:
.. literalinclude:: powershell/New-AnsiblePowerShellSignature.ps1
:lines: 11-21
You can view the complete script at `New-AnsiblePowerShellSignature.ps1 <path/to/powershell/New-AnsiblePowerShellSignature.ps1>`_.
Another approach could be creating a codeblock that highlights excerpts from the script and adds some comments. Although looking at the script it's well documented with examples so it might be hard to squeeze all of that into a codeblock. If it would be possible to give a really concise overview (maybe the Signs just the content include in Ansible and the ansible.windows collection example?) to give the reader a sense of how to use the script then follow the codeblock with either the download directive or a hyperlink.
There was a problem hiding this comment.
That sounds like a good approach, I'll try them out and see how it looks.
There was a problem hiding this comment.
I ended up going with a simple hyperlink, people can open it in a new tab to view the source or download without having it automatically download.
There was a problem hiding this comment.
@jborean93 That sounds like a good approach but the link seems to be broken. Looking at the preview build here: https://ansible--2654.org.readthedocs.build/projects/ansible-core/2654/os_guide/windows_app_control.html
There was a problem hiding this comment.
Looks like I was missing the trailing _, not sure if I need to do anything extra to ensure the os_guide/powershell/* contents are present in the build directory.
There was a problem hiding this comment.
@jborean93 I think the way to achieve that is either with html_extra_path or html_static_path in conf.py. See here: https://www.sphinx-doc.org/en/master/usage/configuration.html#confval-html_static_path
I've tried html_extra_path but the directory structure in the build doesn't match the link url that gets generated.
Maybe we add it to the examples directory and link to the GitHub url?
|
|
||
| The policy then should then add the certificate as a trusted publisher to the ``User Mode Signing Scenario``, for example this is an example policy configuration that contains a trusted publisher: | ||
|
|
||
| .. code-block:: text |
There was a problem hiding this comment.
I originally had this as .. code-block:: xml to get some XML highlighting but it seems like we don't have it enabled/allowed in this repo. Happy with text here but if we want to enable xml I can always change this back.
There was a problem hiding this comment.
hey I'm not sure how do enable xml?
There was a problem hiding this comment.
jFYI, https://github.com/ansible-community/ansible-pygments is used as a custom pygments in ansible doc, this is specified in conf.py by pygments = 'ansible'
There was a problem hiding this comment.
The failing message was at https://github.com/ansible/ansible-documentation/actions/runs/15195285949/job/42737710900
/home/runner/work/ansible-documentation/ansible-documentation/docs/docsite/rst/os_guide/windows_app_control.rst:31:4: Warning: literal block with disallowed language: xml. If the language should be allowed, the checker needs to be updated. Currently allowed languages are: ansible-output, bash, console, csharp, diff, ini, jinja, json, md, none, powershell, python, rst, sh, shell, shell-session, text.
We have some documentation on this at https://github.com/ansible/ansible-documentation/blob/510375f072a8dce15a389ced9888dda93975b29d/docs/docsite/rst/dev_guide/style_guide/index.rst#syntax-highlighting---pygments and the list/check is coded at
ansible-documentation/tests/checkers/rst-yamllint.py
Lines 26 to 44 in 510375f
I'm not sure if it's just us simply adding xml to this list so the check doesn't fail or whether there are other things that need to be enabled in the build to get it working.
|
|
||
| The policy then should then add the certificate as a trusted publisher to the ``User Mode Signing Scenario``, for example this is an example policy configuration that contains a trusted publisher: | ||
|
|
||
| .. code-block:: text |
There was a problem hiding this comment.
Maybe?
| .. code-block:: text | |
| .. code-block:: XML |
There was a problem hiding this comment.
Unfortunately the xml highlighting needs to be enabled in the project first.
Co-authored-by: Abhijeet Kasurde <[email protected]>
|
@oraNod PTAL |
Co-authored-by: Sandra McCann <[email protected]>
| `Windows App Control <https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/>`_, formerly known as Windows Defender Application Control (``WDAC``), is a security feature of Windows that can be used to restrict what executables and scripts can be run on a Windows host. In the past, enabling WDAC will cause Ansible to fail when running on the Windows host. Starting with Ansible 2.19 and the ``ansible.windows`` collection at ``3.1.0``, Ansible can now run on Windows hosts with WDAC enabled. | ||
|
|
||
| .. Warning:: | ||
| The App Control implementation is considered a tech preview and can change in future releases. It is not possible to ensure all PowerShell modules will work with App Control enabled and that a module might enable arbitrary code to run in a way not typically allowed by App Control. It is recommended to test all modules with WDAC enabled before using them in production. |
There was a problem hiding this comment.
IMO this shouldn't be a warning. Notes of type warning should be reserved for something that will cause data loss, system damage, or some other kind of breakage. We should use warnings sparingly so that they are more obvious to users.
How about using the admonition directive like this?
.. admonition:: Experimental functionality
I would also change "tech preview" to "experimental functionality" because tech preview is more of a Red Hat term and probably best avoided in community docs. If there's some reason to use tech preview though, it's fine. It's just semantics and the point still comes across either way.
There was a problem hiding this comment.
Updated with the changes here.
This adds some documentation for a new feature added in Ansible 2.19.