internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-06-11 19:25:54 +00:00
Code Issues Projects Releases Wiki Activity

sudorule: fix idempotence issues and refactor.

Browse Source 
This change refactors member management for ipasudorule module and
fixes idempotence issues related to case insensitive comparison.
This commit is contained in:
Rafael Guterres Jeffman
2022-01-19 21:22:02 -03:00
parent 65015e63e9
commit 2266756968
2 changed files with 485 additions and 321 deletions
Download Patch File Download Diff File Expand all files Collapse all files

516
plugins/modules/ipasudorule.py
View File

@@ -297,17 +297,19 @@ def main():
hostcategory = ansible_module.params_get("hostcategory") # noqa hostcategory = ansible_module.params_get("hostcategory") # noqa
nomembers = ansible_module.params_get("nomembers") # noqa nomembers = ansible_module.params_get("nomembers") # noqa
host = ansible_module.params_get("host") host = ansible_module.params_get("host")
hostgroup = ansible_module.params_get("hostgroup") hostgroup = ansible_module.params_get_lowercase("hostgroup")
user = ansible_module.params_get("user") user = ansible_module.params_get_lowercase("user")
group = ansible_module.params_get("group") group = ansible_module.params_get_lowercase("group")
allow_sudocmd = ansible_module.params_get('allow_sudocmd') allow_sudocmd = ansible_module.params_get('allow_sudocmd')
allow_sudocmdgroup = ansible_module.params_get('allow_sudocmdgroup') allow_sudocmdgroup = \
ansible_module.params_get_lowercase('allow_sudocmdgroup')
deny_sudocmd = ansible_module.params_get('deny_sudocmd') deny_sudocmd = ansible_module.params_get('deny_sudocmd')
deny_sudocmdgroup = ansible_module.params_get('deny_sudocmdgroup') deny_sudocmdgroup = \
ansible_module.params_get_lowercase('deny_sudocmdgroup')
sudooption = ansible_module.params_get("sudooption") sudooption = ansible_module.params_get("sudooption")
order = ansible_module.params_get("order") order = ansible_module.params_get("order")
runasuser = ansible_module.params_get("runasuser") runasuser = ansible_module.params_get_lowercase("runasuser")
runasgroup = ansible_module.params_get("runasgroup") runasgroup = ansible_module.params_get_lowercase("runasgroup")
action = ansible_module.params_get("action") action = ansible_module.params_get("action")
# state # state
@@ -383,6 +385,17 @@ def main():
) )
commands = [] commands = []
host_add, host_del = [], []
user_add, user_del = [], []
group_add, group_del = [], []
hostgroup_add, hostgroup_del = [], []
allow_cmd_add, allow_cmd_del = [], []
allow_cmdgroup_add, allow_cmdgroup_del = [], []
deny_cmd_add, deny_cmd_del = [], []
deny_cmdgroup_add, deny_cmdgroup_del = [], []
sudooption_add, sudooption_del = [], []
runasuser_add, runasuser_del = [], []
runasgroup_add, runasgroup_del = [], []
for name in names: for name in names:
# Make sure sudorule exists # Make sure sudorule exists
@@ -487,95 +500,11 @@ def main():
runasgroup_add, runasgroup_del = gen_add_del_lists( runasgroup_add, runasgroup_del = gen_add_del_lists(
runasgroup, runasgroup,
( (
res_find.get('ipasudorunas_group', []) res_find.get('ipasudorunasgroup_group', [])
+ res_find.get('ipasudorunasextgroup', []) + res_find.get('ipasudorunasextgroup', [])
) )
) )
# Add hosts and hostgroups
if len(host_add) > 0 or len(hostgroup_add) > 0:
commands.append([name, "sudorule_add_host",
{
"host": host_add,
"hostgroup": hostgroup_add,
}])
# Remove hosts and hostgroups
if len(host_del) > 0 or len(hostgroup_del) > 0:
commands.append([name, "sudorule_remove_host",
{
"host": host_del,
"hostgroup": hostgroup_del,
}])
# Add users and groups
if len(user_add) > 0 or len(group_add) > 0:
commands.append([name, "sudorule_add_user",
{
"user": user_add,
"group": group_add,
}])
# Remove users and groups
if len(user_del) > 0 or len(group_del) > 0:
commands.append([name, "sudorule_remove_user",
{
"user": user_del,
"group": group_del,
}])
# Add commands allowed
if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_allow_command",
{"sudocmd": allow_cmd_add,
"sudocmdgroup": allow_cmdgroup_add,
}])
if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0:
commands.append([name, "sudorule_remove_allow_command",
{"sudocmd": allow_cmd_del,
"sudocmdgroup": allow_cmdgroup_del
}])
# Add commands denied
if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_deny_command",
{"sudocmd": deny_cmd_add,
"sudocmdgroup": deny_cmdgroup_add,
}])
if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0:
commands.append([name, "sudorule_remove_deny_command",
{"sudocmd": deny_cmd_del,
"sudocmdgroup": deny_cmdgroup_del
}])
# Add RunAS Users
if len(runasuser_add) > 0:
commands.append([name, "sudorule_add_runasuser",
{"user": runasuser_add}])
# Remove RunAS Users
if len(runasuser_del) > 0:
commands.append([name, "sudorule_remove_runasuser",
{"user": runasuser_del}])
# Add RunAS Groups
if len(runasgroup_add) > 0:
commands.append([name, "sudorule_add_runasgroup",
{"group": runasgroup_add}])
# Remove RunAS Groups
if len(runasgroup_del) > 0:
commands.append([name, "sudorule_remove_runasgroup",
{"group": runasgroup_del}])
# Add sudo options
for sudoopt in sudooption_add:
commands.append([name, "sudorule_add_option",
{"ipasudoopt": sudoopt}])
# Remove sudo options
for sudoopt in sudooption_del:
commands.append([name, "sudorule_remove_option",
{"ipasudoopt": sudoopt}])
elif action == "member": elif action == "member":
if res_find is None: if res_find is None:
ansible_module.fail_json(msg="No sudorule '%s'" % name) ansible_module.fail_json(msg="No sudorule '%s'" % name)
@@ -585,56 +514,47 @@ def main():
# deny_sudocmdgroup, sudooption, runasuser, runasgroup # deny_sudocmdgroup, sudooption, runasuser, runasgroup
# and res_find to only try to add the items that not in # and res_find to only try to add the items that not in
# the sudorule already # the sudorule already
if host is not None and \ if host is not None:
"memberhost_host" in res_find: host_add = gen_add_list(
host = gen_add_list( host, res_find.get("memberhost_host"))
host, res_find["memberhost_host"]) if hostgroup is not None:
if hostgroup is not None and \ hostgroup_add = gen_add_list(
"memberhost_hostgroup" in res_find: hostgroup, res_find.get("memberhost_hostgroup"))
hostgroup = gen_add_list( if user is not None:
hostgroup, res_find["memberhost_hostgroup"]) user_add = gen_add_list(
if user is not None and \ user, res_find.get("memberuser_user"))
"memberuser_user" in res_find: if group is not None:
user = gen_add_list( group_add = gen_add_list(
user, res_find["memberuser_user"]) group, res_find.get("memberuser_group"))
if group is not None and \ if allow_sudocmd is not None:
"memberuser_group" in res_find: allow_cmd_add = gen_add_list(
group = gen_add_list( allow_sudocmd,
group, res_find["memberuser_group"]) res_find.get("memberallowcmd_sudocmd")
if allow_sudocmd is not None and \ )
"memberallowcmd_sudocmd" in res_find: if allow_sudocmdgroup is not None:
allow_sudocmd = gen_add_list( allow_cmdgroup_add = gen_add_list(
allow_sudocmd, res_find["memberallowcmd_sudocmd"])
if allow_sudocmdgroup is not None and \
"memberallowcmd_sudocmdgroup" in res_find:
allow_sudocmdgroup = gen_add_list(
allow_sudocmdgroup, allow_sudocmdgroup,
res_find["memberallowcmd_sudocmdgroup"]) res_find.get("memberallowcmd_sudocmdgroup")
if deny_sudocmd is not None and \ )
"memberdenycmd_sudocmd" in res_find: if deny_sudocmd is not None:
deny_sudocmd = gen_add_list( deny_cmd_add = gen_add_list(
deny_sudocmd, res_find["memberdenycmd_sudocmd"]) deny_sudocmd,
if deny_sudocmdgroup is not None and \ res_find.get("memberdenycmd_sudocmd")
"memberdenycmd_sudocmdgroup" in res_find: )
deny_sudocmdgroup = gen_add_list( if deny_sudocmdgroup is not None:
deny_cmdgroup_add = gen_add_list(
deny_sudocmdgroup, deny_sudocmdgroup,
res_find["memberdenycmd_sudocmdgroup"]) res_find("memberdenycmd_sudocmdgroup")
if sudooption is not None and \ )
"ipasudoopt" in res_find: if sudooption is not None:
sudooption = gen_add_list( sudooption_add = gen_add_list(
sudooption, res_find["ipasudoopt"]) sudooption, res_find.get("ipasudoopt"))
# runasuser attribute can be used with both IPA and # runasuser attribute can be used with both IPA and
# non-IPA (external) users, so we need to compare # non-IPA (external) users, so we need to compare
# the provided list against both users and external # the provided list against both users and external
# users list. # users list.
if ( if runasuser is not None:
runasuser is not None runasuser_add = gen_add_list(
and (
"ipasudorunas_user" in res_find
or "ipasudorunasextuser" in res_find
)
):
runasuser = gen_add_list(
runasuser, runasuser,
(list(res_find.get('ipasudorunas_user', [])) (list(res_find.get('ipasudorunas_user', []))
+ list(res_find.get('ipasudorunasextuser', []))) + list(res_find.get('ipasudorunasextuser', [])))
@@ -643,69 +563,13 @@ def main():
# non-IPA (external) groups, so we need to compare # non-IPA (external) groups, so we need to compare
# the provided list against both users and external # the provided list against both users and external
# groups list. # groups list.
if ( if runasgroup is not None:
runasgroup is not None runasgroup_add = gen_add_list(
and (
"ipasudorunasgroup_group" in res_find
or "ipasudorunasextgroup" in res_find
)
):
runasgroup = gen_add_list(
runasgroup, runasgroup,
(list(res_find.get("ipasudorunasgroup_group", [])) (list(res_find.get("ipasudorunasgroup_group", []))
+ list(res_find.get("ipasudorunasextgroup", []))) + list(res_find.get("ipasudorunasextgroup", [])))
) )
# Add hosts and hostgroups
if host is not None or hostgroup is not None:
commands.append([name, "sudorule_add_host",
{
"host": host,
"hostgroup": hostgroup,
}])
# Add users and groups
if user is not None or group is not None:
commands.append([name, "sudorule_add_user",
{
"user": user,
"group": group,
}])
# Add commands
if allow_sudocmd is not None \
or allow_sudocmdgroup is not None:
commands.append([name, "sudorule_add_allow_command",
{"sudocmd": allow_sudocmd,
"sudocmdgroup": allow_sudocmdgroup,
}])
# Add commands
if deny_sudocmd is not None \
or deny_sudocmdgroup is not None:
commands.append([name, "sudorule_add_deny_command",
{"sudocmd": deny_sudocmd,
"sudocmdgroup": deny_sudocmdgroup,
}])
# Add RunAS Users
if runasuser is not None and len(runasuser) > 0:
commands.append([name, "sudorule_add_runasuser",
{"user": runasuser}])
# Add RunAS Groups
if runasgroup is not None and len(runasgroup) > 0:
commands.append([name, "sudorule_add_runasgroup",
{"group": runasgroup}])
# Add options
if sudooption is not None:
existing_opts = res_find.get('ipasudoopt', [])
for sudoopt in sudooption:
if sudoopt not in existing_opts:
commands.append([name, "sudorule_add_option",
{"ipasudoopt": sudoopt}])
elif state == "absent": elif state == "absent":
if action == "sudorule": if action == "sudorule":
if res_find is not None: if res_find is not None:
@@ -721,153 +585,70 @@ def main():
# and res_find to only try to remove the items that are # and res_find to only try to remove the items that are
# in sudorule # in sudorule
if host is not None: if host is not None:
if "memberhost_host" in res_find: host_del = gen_intersection_list(
host = gen_intersection_list( host, res_find.get("memberhost_host"))
host, res_find["memberhost_host"])
else:
host = None
if hostgroup is not None: if hostgroup is not None:
if "memberhost_hostgroup" in res_find: hostgroup_del = gen_intersection_list(
hostgroup = gen_intersection_list( hostgroup, res_find.get("memberhost_hostgroup"))
hostgroup, res_find["memberhost_hostgroup"])
else:
hostgroup = None
if user is not None: if user is not None:
if "memberuser_user" in res_find: user_del = gen_intersection_list(
user = gen_intersection_list( user, res_find.get("memberuser_user"))
user, res_find["memberuser_user"])
else:
user = None
if group is not None: if group is not None:
if "memberuser_group" in res_find: group_del = gen_intersection_list(
group = gen_intersection_list( group, res_find.get("memberuser_group"))
group, res_find["memberuser_group"])
else:
group = None
if allow_sudocmd is not None: if allow_sudocmd is not None:
if "memberallowcmd_sudocmd" in res_find: allow_cmd_del = gen_intersection_list(
allow_sudocmd = gen_intersection_list( allow_sudocmd,
allow_sudocmd, res_find.get("memberallowcmd_sudocmd")
res_find["memberallowcmd_sudocmd"]) )
else:
allow_sudocmd = None
if allow_sudocmdgroup is not None: if allow_sudocmdgroup is not None:
if "memberallowcmd_sudocmdgroup" in res_find: allow_cmdgroup_del = gen_intersection_list(
allow_sudocmdgroup = gen_intersection_list( allow_sudocmdgroup,
allow_sudocmdgroup, res_find.get("memberallowcmd_sudocmdgroup")
res_find["memberallowcmd_sudocmdgroup"]) )
else:
allow_sudocmdgroup = None
if deny_sudocmd is not None: if deny_sudocmd is not None:
if "memberdenycmd_sudocmd" in res_find: deny_cmd_del = gen_intersection_list(
deny_sudocmd = gen_intersection_list( deny_sudocmd,
deny_sudocmd, res_find.get("memberdenycmd_sudocmd")
res_find["memberdenycmd_sudocmd"]) )
else:
deny_sudocmd = None
if deny_sudocmdgroup is not None: if deny_sudocmdgroup is not None:
if "memberdenycmd_sudocmdgroup" in res_find: deny_cmdgroup_del = gen_intersection_list(
deny_sudocmdgroup = gen_intersection_list( deny_sudocmdgroup,
deny_sudocmdgroup, res_find.get("memberdenycmd_sudocmdgroup")
res_find["memberdenycmd_sudocmdgroup"]) )
else:
deny_sudocmdgroup = None
if sudooption is not None: if sudooption is not None:
if "ipasudoopt" in res_find: sudooption_del = gen_intersection_list(
sudooption = gen_intersection_list( sudooption, res_find.get("ipasudoopt"))
sudooption, res_find["ipasudoopt"])
else:
sudooption = None
# runasuser attribute can be used with both IPA and # runasuser attribute can be used with both IPA and
# non-IPA (external) users, so we need to compare # non-IPA (external) users, so we need to compare
# the provided list against both users and external # the provided list against both users and external
# users list. # users list.
if runasuser is not None: if runasuser is not None:
if ( runasuser_del = gen_intersection_list(
"ipasudorunas_user" in res_find runasuser,
or "ipasudorunasextuser" in res_find (
): list(res_find.get('ipasudorunas_user', []))
runasuser = gen_intersection_list( + list(res_find.get('ipasudorunasextuser', []))
runasuser,
(
list(res_find.get('ipasudorunas_user', []))
+ list(res_find.get(
'ipasudorunasextuser', []))
)
) )
else: )
runasuser = None
# runasgroup attribute can be used with both IPA and # runasgroup attribute can be used with both IPA and
# non-IPA (external) groups, so we need to compare # non-IPA (external) groups, so we need to compare
# the provided list against both groups and external # the provided list against both groups and external
# groups list. # groups list.
if runasgroup is not None: if runasgroup is not None:
if ( runasgroup_del = gen_intersection_list(
"ipasudorunasgroup_group" in res_find runasgroup,
or "ipasudorunasextgroup" in res_find (
): list(res_find.get(
runasgroup = gen_intersection_list( "ipasudorunasgroup_group", []))
runasgroup, + list(res_find.get(
( "ipasudorunasextgroup", []))
list(res_find.get(
"ipasudorunasgroup_group", []))
+ list(res_find.get(
"ipasudorunasextgroup", []))
)
) )
else: )
runasgroup = None
# Remove hosts and hostgroups
if host is not None or hostgroup is not None:
commands.append([name, "sudorule_remove_host",
{
"host": host,
"hostgroup": hostgroup,
}])
# Remove users and groups
if user is not None or group is not None:
commands.append([name, "sudorule_remove_user",
{
"user": user,
"group": group,
}])
# Remove allow commands
if allow_sudocmd is not None \
or allow_sudocmdgroup is not None:
commands.append([name, "sudorule_remove_allow_command",
{"sudocmd": allow_sudocmd,
"sudocmdgroup": allow_sudocmdgroup
}])
# Remove deny commands
if deny_sudocmd is not None \
or deny_sudocmdgroup is not None:
commands.append([name, "sudorule_remove_deny_command",
{"sudocmd": deny_sudocmd,
"sudocmdgroup": deny_sudocmdgroup
}])
# Remove RunAS Users
if runasuser is not None:
commands.append([name, "sudorule_remove_runasuser",
{"user": runasuser}])
# Remove RunAS Groups
if runasgroup is not None:
commands.append([name, "sudorule_remove_runasgroup",
{"group": runasgroup}])
# Remove options
if sudooption is not None:
existing_opts = res_find.get('ipasudoopt', [])
for sudoopt in sudooption:
if sudoopt in existing_opts:
commands.append([name,
"sudorule_remove_option",
{"ipasudoopt": sudoopt}])
elif state == "enabled": elif state == "enabled":
if res_find is None: if res_find is None:
@@ -892,6 +673,99 @@ def main():
else: else:
ansible_module.fail_json(msg="Unkown state '%s'" % state) ansible_module.fail_json(msg="Unkown state '%s'" % state)
# Manage members.
# Manage hosts and hostgroups
if host_add or hostgroup_add:
commands.append([name, "sudorule_add_host",
{
"host": host_add,
"hostgroup": hostgroup_add,
}])
if host_del or hostgroup_del:
commands.append([name, "sudorule_remove_host",
{
"host": host_del,
"hostgroup": hostgroup_del,
}])
# Manage users and groups
if user_add or group_add:
commands.append([
name, "sudorule_add_user",
{"user": user_add, "group": group_add}
])
if user_del or group_del:
commands.append([
name, "sudorule_remove_user",
{"user": user_del, "group": group_del}
])
# Manage commands allowed
if allow_cmd_add or allow_cmdgroup_add:
commands.append([
name, "sudorule_add_allow_command",
{
"sudocmd": allow_cmd_add,
"sudocmdgroup": allow_cmdgroup_add,
}
])
if allow_cmd_del or allow_cmdgroup_del:
commands.append([
name, "sudorule_remove_allow_command",
{
"sudocmd": allow_cmd_del,
"sudocmdgroup": allow_cmdgroup_del
}
])
# Manage commands denied
if deny_cmd_add or deny_cmdgroup_add:
commands.append([
name, "sudorule_add_deny_command",
{
"sudocmd": deny_cmd_add,
"sudocmdgroup": deny_cmdgroup_add,
}
])
if deny_cmd_del or deny_cmdgroup_del:
commands.append([
name, "sudorule_remove_deny_command",
{
"sudocmd": deny_cmd_del,
"sudocmdgroup": deny_cmdgroup_del
}
])
# Manage RunAS users
if runasuser_add:
commands.append([
name, "sudorule_add_runasuser", {"user": runasuser_add}
])
if runasuser_del:
commands.append([
name, "sudorule_remove_runasuser", {"user": runasuser_del}
])
# Manage RunAS Groups
if runasgroup_add:
commands.append([
name, "sudorule_add_runasgroup", {"group": runasgroup_add}
])
if runasgroup_del:
commands.append([
name, "sudorule_remove_runasgroup",
{"group": runasgroup_del}
])
# Manage sudo options
if sudooption_add:
for option in sudooption_add:
commands.append([
name, "sudorule_add_option", {"ipasudoopt": option}
])
if sudooption_del:
for option in sudooption_del:
commands.append([
name, "sudorule_remove_option", {"ipasudoopt": option}
])
# Execute commands # Execute commands
changed = ansible_module.execute_ipa_commands( changed = ansible_module.execute_ipa_commands(

290
tests/sudorule/test_sudorule_member_case_insensitive.yml Normal file
View File

@@ -0,0 +1,290 @@
---
- name: Test sudorule members should be case insensitive.
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: no
gather_facts: no
vars:
groups_present:
- eleMENT1
- Element2
- eLeMenT3
- ElemENT4
tasks:
- block:
# SETUP
- name: Ensure domain name
set_fact:
ipa_domain: ipa.test
when: ipa_domain is not defined
- name: Ensure test groups exist.
ipagroup:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
loop: "{{ groups_present }}"
- name: Ensure test hostgroups exist.
ipahostgroup:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
loop: "{{ groups_present }}"
- name: Ensure test hosts exist.
ipahost:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}.{{ ipa_domain }}"
force: yes
loop: "{{ groups_present }}"
- name: Ensure test users exist.
ipauser:
ipaadmin_password: SomeADMINpassword
name: "user{{ item }}"
first: "{{ item }}"
last: "{{ item }}"
loop: "{{ groups_present }}"
- name: Ensure sudorule do not exist
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
# TESTS
- name: Start tests.
debug:
msg: "Tests are starting."
- name: Ensure sudorule exist with runasusers members
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
runasuser: "user{{ item }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule exist with lowercase runasusers members
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
runasuser: "user{{ item | lower }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule exist with uppercase runasusers members
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
runasuser: "user{{ item | upper }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule exist with runasgroup members
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
runasgroup: "{{ item }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule exist with lowercase runasgroup members
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
runasgroup: "{{ item | lower }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule exist with uppercase runasgroup members
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
runasgroup: "{{ item | upper }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule do not exist
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
#####
- name: Ensure sudorule exist with members
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
hostgroup: "{{ item }}"
host: "{{ item }}.{{ ipa_domain }}"
group: "{{ item }}"
user: "user{{ item }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule exist with members, lowercase
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
hostgroup: "{{ item | lower }}"
host: "{{ item | lower }}.{{ ipa_domain }}"
group: "{{ item | lower }}"
user: "user{{ item | lower }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule exist with members, uppercase
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
cmdcategory: all
hostgroup: "{{ item | upper }}"
host: "{{ item | upper }}.{{ ipa_domain }}"
group: "{{ item | upper }}"
user: "user{{ item | upper }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule member is absent
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
hostgroup: "{{ item }}"
host: "{{ item }}.{{ ipa_domain }}"
group: "{{ item }}"
user: "user{{ item }}"
action: member
state: absent
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule member is absent, lowercase
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
hostgroup: "{{ item | lower }}"
host: "{{ item | lower }}.{{ ipa_domain }}"
group: "{{ item | lower }}"
user: "user{{ item | lower }}"
action: member
state: absent
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule member is absent, upercase
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
hostgroup: "{{ item | upper }}"
host: "{{ item | upper }}.{{ ipa_domain }}"
group: "{{ item | upper }}"
user: "user{{ item | upper }}"
action: member
state: absent
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule member is present, upercase
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
hostgroup: "{{ item | upper }}"
host: "{{ item | upper }}.{{ ipa_domain }}"
group: "{{ item | upper }}"
user: "user{{ item | upper }}"
action: member
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule member is present, lowercase
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
hostgroup: "{{ item | lower }}"
host: "{{ item | lower }}.{{ ipa_domain }}"
group: "{{ item | lower }}"
user: "user{{ item | lower }}"
action: member
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule member is present, mixed case
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
hostgroup: "{{ item }}"
host: "{{ item }}.{{ ipa_domain }}"
group: "{{ item }}"
user: "user{{ item }}"
action: member
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: End tests.
debug:
msg: "All tests executed."
always:
# cleanup
- name: Ensure sudorule do not exist
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
- name: Ensure test groups do not exist.
ipagroup:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
- name: Ensure test hostgroups do not exist.
ipahostgroup:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
- name: Ensure test hosts do not exist.
ipahost:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}.{{ ipa_domain }}"
state: absent
loop: "{{ groups_present }}"
- name: Ensure test users do not exist.
ipauser:
ipaadmin_password: SomeADMINpassword
name: "user{{ item }}"
state: absent
loop: "{{ groups_present }}"