internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #275 from rjeffman/vault_add_state_retrieved

Browse Source 
Vault add state retrieved
This commit is contained in:
Thomas Woerner
2020-06-11 15:06:26 +02:00
committed by GitHub
parent 02705c9e47 da87f1648e
commit 40048c781a
14 changed files with 1141 additions and 1090 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
README-vault.md
View File

@@ -144,8 +144,7 @@ Example playbook to retrieve vault data from a symmetric vault:
name: symvault
username: admin
password: SomeVAULTpassword
retrieve: true
action: member
state: retrieved
```
Example playbook to make sure vault data is absent in a symmetric vault:
@@ -180,6 +179,9 @@ Example playbook to make sure vault is absent:
name: symvault
username: admin
state: absent
register: result
- debug:
msg: "{{ result.data }}"
```
Variables
@@ -199,7 +201,7 @@ Variable | Description | Required
`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
`private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
`private_key_file` \| `vault_private_key_file` | Path to file with private key. | no
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`user` \| `username` | Any user can own one or more user vaults. | no
@@ -211,9 +213,21 @@ Variable | Description | Required
`data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
`retrieve` | If set to True, retrieve data stored in the vault. (bool) | no
`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
Return Values
=============
ipavault
--------
There is only a return value if `state` is `retrieved`.
Variable | Description | Returned When
-------- | ----------- | -------------
`data` | The data stored in the vault. | If `state` is `retrieved`.
Notes

12
playbooks/vault/retrive-data-asymmetric-vault.yml
View File

@@ -1,19 +1,17 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: True
become: no
gather_facts: no
tasks:
- name: Retrieve data from assymetric vault with a private key file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
name: asymvault
username: user01
private_key_file: private.pem
retrieve: True
state: retrieved
register: result
- debug:
msg: "Data: {{ result.data }}"
- debug:
msg: "Decoded Data: {{ result.data | b64decode }}"

7
playbooks/vault/retrive-data-symmetric-vault.yml
View File

@@ -1,8 +1,8 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: True
become: no
gather_facts: no
tasks:
- name: Retrieve data from symmetric vault.
@@ -11,8 +11,7 @@
name: symvault
username: admin
password: SomeVAULTpassword
retrieve: yes
action: member
state: retrieved
register: result
- debug:
msg: "{{ result.data | b64decode }}"

251
plugins/modules/ipavault.py
View File

@@ -74,7 +74,7 @@ options:
description: file with password to be used on symmetric vault.
required: false
type: string
aliases: ["ipavaultpassword", "vault_password"]
aliases: ["vault_password_file"]
salt:
description: Vault salt.
required: false
@@ -99,16 +99,24 @@ options:
description: Vault is shared.
required: false
type: boolean
owners:
description: Users that are owners of the container.
required: false
type: list
users:
description: Users that are member of the container.
description: Users that are member of the vault.
required: false
type: list
groups:
description: Groups that are member of the container.
description: Groups that are member of the vault.
required: false
type: list
owners:
description: Users that are owners of the vault.
required: false
type: list
ownergroups:
description: Groups that are owners of the vault.
required: false
type: list
ownerservices:
description: Services that are owners of the vault.
required: false
type: list
services:
@@ -130,10 +138,6 @@ options:
required: false
type: string
aliases: ["datafile_out"]
retrieve:
description: If set to True, retrieve data stored in the vault.
required: false
type: bool
action:
description: Work on vault or member level.
default: vault
@@ -141,7 +145,7 @@ options:
state:
description: State to ensure
default: present
choices: ["present", "absent"]
choices: ["present", "absent", "retrieved"]
author:
- Rafael Jeffman
"""
@@ -228,8 +232,7 @@ EXAMPLES = """
name: symvault
username: admin
password: SomeVAULTpassword
retrieve: yes
action: member
state: retrieved
register: result
- debug:
msg: "{{ result.data | b64decode }}"
@@ -266,14 +269,13 @@ EXAMPLES = """
More data archived.
action: member
# Retrive data archived in an asymmetric vault
# Retrive data archived in an asymmetric vault, using a private key file.
- ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: admin
retrieve: yes
private_key:
private_key_file: private.pem
state: retrieved
# Ensure asymmetric vault is absent.
- ipavault:
@@ -285,10 +287,14 @@ EXAMPLES = """
"""
RETURN = """
user:
description: The vault data.
returned: If state is retrieved.
type: string
"""
import os
from base64 import b64encode, b64decode
from base64 import b64decode
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, \
@@ -355,18 +361,21 @@ def gen_member_args(args, users, groups, services):
if arg in _args:
del _args[arg]
if users is not None:
_args['user'] = users
if groups is not None:
_args['group'] = groups
if services is not None:
_args['services'] = services
if any([users, groups, services]):
if users is not None:
_args['user'] = users
if groups is not None:
_args['group'] = groups
if services is not None:
_args['services'] = services
return _args
return _args
return None
def data_storage_args(args, data, password, password_file, private_key,
private_key_file, retrieve, datafile_in, datafile_out):
private_key_file, datafile_in, datafile_out):
_args = {}
if 'username' in args:
@@ -407,51 +416,38 @@ def check_parameters(module, state, action, description, username, service,
shared, users, groups, services, owners, ownergroups,
ownerservices, vault_type, salt, password, password_file,
public_key, public_key_file, private_key,
private_key_file, retrieve, vault_data, datafile_in,
datafile_out):
private_key_file, vault_data, datafile_in, datafile_out):
invalid = []
if state == "present":
if salt is not None:
if vault_type is not None and vault_type != "symmetric":
module.fail_json(
msg="Attribute `salt` can only be used with `symmetric` "
"vaults.")
if not any([password, password_file]):
module.fail_json(
msg="Value of `salt` can only modified by providing "
"vault password.")
invalid = ['private_key', 'private_key_file', 'datafile_out']
if action == "member":
invalid = ['description']
if not retrieve:
if datafile_out is not None:
module.fail_json(
msg="Retrieve must be enabled to use datafile_out.")
if any([private_key, private_key_file]):
module.fail_json(
msg="Attributes private_key and private_key_file can only "
"be used when retrieving data from asymmetric vaults.")
else:
check = ['description', 'salt', 'datafile_in', 'users', 'groups',
'owners', 'ownergroups', 'public_key', 'public_key_file',
'vault_data']
for arg in check:
if vars()[arg] is not None:
module.fail_json(
msg="`%s` cannot be used with `retrieve`." % arg)
invalid.extend(['description'])
elif state == "absent":
invalid = ['description', 'salt', 'vault_type', 'private_key',
'private_key_file', 'retrieve', 'datafile_in',
'datafile_out', 'vault_data']
'private_key_file', 'datafile_in', 'datafile_out',
'vault_data']
if action == "vault":
invalid.extend(['users', 'groups', 'services', 'owners',
'ownergroups', 'ownerservices', 'password',
'password_file', 'public_key', 'public_key_file'])
elif state == "retrieved":
invalid = ['description', 'salt', 'datafile_in', 'users', 'groups',
'owners', 'ownergroups', 'public_key', 'public_key_file',
'vault_data']
if action == 'member':
module.fail_json(
msg="State `retrieved` do not support action `member`.")
for arg in invalid:
if vars()[arg] is not None:
module.fail_json(
msg="Argument '%s' can not be used with state '%s', "
"action '%s'" % (arg, state, action))
for arg in invalid:
if vars()[arg] is not None:
module.fail_json(
@@ -459,30 +455,30 @@ def check_parameters(module, state, action, description, username, service,
"action '%s'" % (arg, state, action))
def check_encryption_params(module, state, vault_type, salt, password,
password_file, public_key, public_key_file,
private_key, private_key_file, retrieve,
def check_encryption_params(module, state, action, vault_type, salt,
password, password_file, public_key,
public_key_file, private_key, private_key_file,
vault_data, datafile_in, datafile_out, res_find):
vault_type_invalid = []
if state == "present":
if vault_type == "standard":
vault_type_invalid = ['public_key', 'public_key_file', 'password',
'password_file', 'salt']
if vault_type == "standard":
vault_type_invalid = ['public_key', 'public_key_file', 'password',
'password_file', 'salt']
if vault_type is None or vault_type == "symmetric":
vault_type_invalid = ['public_key', 'public_key_file',
'private_key', 'private_key_file']
if not any([password, password_file]):
module.fail_json(
msg="Symmetric vault requires password or password_file "
"to store data.")
if vault_type is None or vault_type == "symmetric":
vault_type_invalid = ['public_key', 'public_key_file',
'private_key', 'private_key_file']
if vault_type == "asymmetric":
vault_type_invalid = ['password', 'password_file']
if not any([public_key, public_key_file]) and res_find is None:
module.fail_json(
msg="Assymmetric vault requires public_key "
"or public_key_file to store data.")
if password is None and password_file is None and action != 'member':
module.fail_json(
msg="Symmetric vault requires password or password_file "
"to store data or change `salt`.")
if vault_type == "asymmetric":
vault_type_invalid = ['password', 'password_file']
if not any([public_key, public_key_file]) and res_find is None:
module.fail_json(
msg="Assymmetric vault requires public_key "
"or public_key_file to store data.")
for param in vault_type_invalid:
if vars()[param] is not None:
@@ -516,7 +512,6 @@ def main():
vault_private_key_file=dict(type="str", required=False,
default=None,
aliases=['private_key_file']),
retrieve=dict(type="bool", required=False, default=None),
vault_salt=dict(type="str", required=False, default=None,
aliases=['ipavaultsalt', 'salt']),
username=dict(type="str", required=False, default=None,
@@ -546,7 +541,7 @@ def main():
action=dict(type="str", default="vault",
choices=["vault", "data", "member"]),
state=dict(type="str", default="present",
choices=["present", "absent"]),
choices=["present", "absent", "retrieved"]),
),
supports_check_mode=True,
mutually_exclusive=[['username', 'service', 'shared'],
@@ -593,8 +588,6 @@ def main():
datafile_in = module_params_get(ansible_module, "datafile_in")
datafile_out = module_params_get(ansible_module, "datafile_out")
retrieve = module_params_get(ansible_module, "retrieve")
action = module_params_get(ansible_module, "action")
state = module_params_get(ansible_module, "state")
@@ -609,6 +602,11 @@ def main():
if len(names) < 1:
ansible_module.fail_json(msg="No name given.")
elif state == "retrieved":
if len(names) != 1:
ansible_module.fail_json(
msg="Only one vault can be retrieved at a time.")
else:
ansible_module.fail_json(msg="Invalid state '%s'" % state)
@@ -616,8 +614,7 @@ def main():
service, shared, users, groups, services, owners,
ownergroups, ownerservices, vault_type, salt, password,
password_file, public_key, public_key_file, private_key,
private_key_file, retrieve, vault_data, datafile_in,
datafile_out)
private_key_file, vault_data, datafile_in, datafile_out)
# Init
changed = False
@@ -656,15 +653,14 @@ def main():
else:
args['ipavaulttype'] = vault_type = "symmetric"
# verify data encription args
check_encryption_params(ansible_module, state, vault_type, salt,
password, password_file, public_key,
public_key_file, private_key,
private_key_file, retrieve, vault_data,
datafile_in, datafile_out, res_find)
# Create command
if state == "present":
# verify data encription args
check_encryption_params(
ansible_module, state, action, vault_type, salt, password,
password_file, public_key, public_key_file, private_key,
private_key_file, vault_data, datafile_in, datafile_out,
res_find)
# Found the vault
if action == "vault":
@@ -710,25 +706,36 @@ def main():
# Add users and groups
user_add_args = gen_member_args(args, user_add,
group_add, service_add)
commands.append([name, 'vault_add_member', user_add_args])
if user_add_args is not None:
commands.append(
[name, 'vault_add_member', user_add_args])
# Remove users and groups
user_del_args = gen_member_args(args, user_del,
group_del, service_del)
commands.append(
[name, 'vault_remove_member', user_del_args])
if user_del_args is not None:
commands.append(
[name, 'vault_remove_member', user_del_args])
# Add owner users and groups
owner_add_args = gen_member_args(
args, owner_add, ownergroups_add, ownerservice_add)
commands.append(
[name, 'vault_add_owner', owner_add_args])
if owner_add_args is not None:
# ansible_module.warn("OWNER ADD: %s" % owner_add_args)
commands.append(
[name, 'vault_add_owner', owner_add_args])
# Remove owner users and groups
owner_del_args = gen_member_args(
args, owner_del, ownergroups_del, ownerservice_del)
commands.append(
[name, 'vault_remove_owner', owner_del_args])
if owner_del_args is not None:
# ansible_module.warn("OWNER DEL: %s" % owner_del_args)
commands.append(
[name, 'vault_remove_owner', owner_del_args])
if vault_type == 'symmetric' \
and 'ipavaultsalt' not in args:
args['ipavaultsalt'] = os.urandom(32)
if vault_type == 'symmetric' \
and 'ipavaultsalt' not in args:
@@ -746,15 +753,32 @@ def main():
commands.append([name, 'vault_add_owner', owner_args])
pwdargs = data_storage_args(
args, vault_data, password, password_file,
private_key, private_key_file, retrieve, datafile_in,
datafile_out)
args, vault_data, password, password_file, private_key,
private_key_file, datafile_in, datafile_out)
if any([vault_data, datafile_in]):
commands.append([name, "vault_archive", pwdargs])
if retrieve:
if 'data' in pwdargs:
del pwdargs['data']
commands.append([name, "vault_retrieve", pwdargs])
elif state == "retrieved":
if res_find is None:
ansible_module.fail_json(
msg="Vault `%s` not found to retrieve data." % name)
vault_type = res_find['cn']
# verify data encription args
check_encryption_params(
ansible_module, state, action, vault_type, salt, password,
password_file, public_key, public_key_file, private_key,
private_key_file, vault_data, datafile_in, datafile_out,
res_find)
pwdargs = data_storage_args(
args, vault_data, password, password_file, private_key,
private_key_file, datafile_in, datafile_out)
if 'data' in pwdargs:
del pwdargs['data']
commands.append([name, "vault_retrieve", pwdargs])
elif state == "absent":
if 'ipavaulttype' in args:
@@ -782,21 +806,30 @@ def main():
msg="Invalid action '%s' for state '%s'" %
(action, state))
else:
ansible_module.fail_json(msg="Unkown state '%s'" % state)
ansible_module.fail_json(msg="Unknown state '%s'" % state)
# Execute commands
errors = []
for name, command, args in commands:
try:
# ansible_module.warn("RUN: %s %s %s" % (command, name, args))
result = api_command(ansible_module, command, name, args)
if command == 'vault_archive':
changed = 'Archived data into' in result['summary']
elif command == 'vault_retrieve':
exit_args['data'] = b64encode(result['result']['data'])
if 'result' not in result:
raise Exception("No result obtained.")
if 'data' in result['result']:
exit_args['data'] = result['result']['data']
elif 'vault_data' in result['result']:
exit_args['data'] = result['result']['vault_data']
else:
raise Exception("No data retrieved.")
changed = False
else:
# ansible_module.warn("RESULT: %s" % (result))
if "completed" in result:
if result["completed"] > 0:
changed = True

64
tests/vault/env_cleanup.yml Normal file
View File

@@ -0,0 +1,64 @@
# Tasks executed to clean up test environment for Vault module.
- name: Ensure user vaults are absent
ipavault:
ipaadmin_password: SomeADMINpassword
name:
- stdvault
- symvault
- asymvault
username: "{{username}}"
state: absent
loop:
- admin
- user01
loop_control:
loop_var: username
- name: Ensure shared vaults are absent
ipavault:
ipaadmin_password: SomeADMINpassword
name:
- sharedvault
- svcvault
state: absent
- name: Ensure test users do not exist.
ipauser:
ipaadmin_password: SomeADMINpassword
name:
- user01
- user02
- user03
state: absent
- name: Ensure test groups do not exist.
ipagroup:
ipaadmin_password: SomeADMINpassword
name: vaultgroup
state: absent
- name: Remove password file from target host.
file:
path: "{{ ansible_env.HOME }}/password.txt"
state: absent
- name: Remove public key file from target host.
file:
path: "{{ ansible_env.HOME }}/public.pem"
state: absent
- name: Remove private key file from target host.
file:
path: "{{ ansible_env.HOME }}/private.pem"
state: absent
- name: Remove output data file from target host.
file:
path: "{{ ansible_env.HOME }}/data.txt"
state: absent
- name: Remove input data file from target host.
file:
path: "{{ ansible_env.HOME }}/in.txt"
state: absent

55
tests/vault/env_setup.yml Normal file
View File

@@ -0,0 +1,55 @@
# Tasks executed to ensure a sane environment to test IPA Vault module.
- name: Create private key file.
shell:
cmd: openssl genrsa -out private.pem 2048
delegate_to: localhost
become: no
- name: Create public key file.
shell:
cmd: openssl rsa -in private.pem -outform PEM -pubout -out public.pem
delegate_to: localhost
become: no
- name: Ensure environment is clean.
import_tasks: env_cleanup.yml
- name: Copy password file to target host.
copy:
src: "{{ playbook_dir }}/password.txt"
dest: "{{ ansible_env.HOME }}/password.txt"
- name: Copy public key file to target host.
copy:
src: "{{ playbook_dir }}/public.pem"
dest: "{{ ansible_env.HOME }}/public.pem"
- name: Copy private key file to target host.
copy:
src: "{{ playbook_dir }}/private.pem"
dest: "{{ ansible_env.HOME }}/private.pem"
- name: Copy input data file to target host.
copy:
src: "{{ playbook_dir }}/in.txt"
dest: "{{ ansible_env.HOME }}/in.txt"
- name: Ensure vaultgroup exists.
ipagroup:
ipaadmin_password: SomeADMINpassword
name: vaultgroup
- name: Ensure testing users exist.
ipauser:
ipaadmin_password: SomeADMINpassword
users:
- name: user01
first: First
last: Start
- name: user02
first: Second
last: Middle
- name: user03
first: Third
last: Last

27
tests/vault/private.pem
View File

@@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArM5/f6dd/YIm/a9eoGVTW8jobEgrf9PXRA3aHsA7kJo6fB18
HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJeqXESZ+gVCVmigRzmKWK2ad9agmY
SiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGsZIDG+WVES5W89K+L0bwVjq4tshhe
DMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4fh0fGk5tbIYa0bhwMUpL+WHOm6nbd
+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZkUmk3apMnzknNaTqguAQdTn79G8P
qrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJdwIDAQABAoIBAA6e9iit14UAgx4J
vX7is9fbOtcWkB+jo94NMfxSFXgZpIMl139oQMqK97KjxsHqAaDVe7mMLH5EP96J
7M3O5g4rgl0cVWtpMrDQyZsLvqDFzBWxtCHqVPAruumUZhsSJ3lROQro8ag/w5bf
5tC5ogVq4+rsB4hBphgp1jGrsUM+E8O7DXXFH68F8WgBi725WvcjnbI9irkb0Gcq
1bCPJwN3fA1i2VWiRwVYWbNTWnDoNM9ZdYYxK0kuUkD+QtreycWPf9V49lvUi1Vp
FVNmBUDvGK3K1MwbgXRwOXhacY7Ptjkdvaeb2Qcu5RjTkruGhzUYsOP3p/cw+wKV
vzQqceECgYEA5Wz7V2SlRa2r//z+ETQkJfENJ0KDnCb0pMClCQh3jTNPA6DbhiMk
FTkcoNbqcpTiVSlvhh6TKscSgqYQUjQ/OqyG7SkjKVjQ72j5beQLxiLTtUyj1OmP
Xh9cWJXx8iQ+45cPon+kMOAIiTwiB3mmFRfQjIGve1DPUo9J+NZ4XdECgYEAwNKg
OdGYxxKtCrXVz1mdg6PDlV8qh7nxxZbPch+aMIQl1+oTCgSiw8oOYEd8g0HOdV6t
1G+IWhvPxiiWy3/AE0QhgoKk2GUsSjWSMLcJbaUzDoEHFjTLjecRlqdzo7qxRXqB
meN4L5WJYKnLC482K7hvufS+uo5fB5qwPmt13McCgYAe4TVPRP+tyjttYCr+O8tl
w/UmRKCcQu4Iwtkzxwz4V2CaN2t0uYQgyygcSfESbRGtrr8RCUp7poHKTfnCZr/f
8NrUTwYpiYfNwY5ZCSnAiG2AaIlgnfMrEwOF9OC028YPMgTrtUxvO6hKeGqIIQqG
qkbqsoXhDjZpgVnOgWeAEQKBgGuiZ0w/IqAlXbC31fUb2iBMfvXXnJ8M/dfFGmFj
IKfqbFF9WUljUxQlqya1YNzIFB5STohiBeP+2FmN+Lb5xdc7VdVLZgdhWnrGMqe8
1Kd+6uQyxCjyKZo5nQjSymtf4GqfOs8TOdieCYSK40u9koiPONa9tuXeaU+OWslN
JQqrAoGBAJ3MKOvsnQzuZVP2vz0ZqLwIE3XjRiFGveVpizq4hwOVeuNsV08JvA0t
pueNIy9klPScFc9OUdiZWkEX09BwJkVIrOHotuSB8AStO5UAntNnuyWLJEFC4Uq4
GpB8lbj9jkxSKaU7X3Gac23K9JL8euLh7E7rPuZRYa6mYN4nbKqu
-----END RSA PRIVATE KEY-----

9
tests/vault/public.pem
View File

@@ -1,9 +0,0 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArM5/f6dd/YIm/a9eoGVT
W8jobEgrf9PXRA3aHsA7kJo6fB18HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJ
eqXESZ+gVCVmigRzmKWK2ad9agmYSiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGs
ZIDG+WVES5W89K+L0bwVjq4tshheDMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4f
h0fGk5tbIYa0bhwMUpL+WHOm6nbd+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZ
kUmk3apMnzknNaTqguAQdTn79G8PqrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJ
dwIDAQAB
-----END PUBLIC KEY-----

318
tests/vault/tasks_vault_members.yml Normal file
View File

@@ -0,0 +1,318 @@
---
# Tasks to test member management for Vault module.
- name: Setup testing environment.
import_tasks: env_setup.yml
- name: Ensure vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
vault_type: "{{vault.vault_type}}"
register: result
failed_when: not result.changed
when: vault.vault_type == 'standard'
- name: Ensure vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
vault_password: SomeVAULTpassword
vault_type: "{{vault.vault_type}}"
register: result
failed_when: not result.changed
when: vault.vault_type == 'symmetric'
- name: Ensure vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
vault_type: "{{vault.vault_type}}"
public_key: "{{lookup('file', 'private.pem') | b64encode}}"
register: result
failed_when: not result.changed
when: vault.vault_type == 'asymmetric'
- name: Ensure vault member user is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
users:
- user02
register: result
failed_when: not result.changed
- name: Ensure vault member user is present, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
users:
- user02
register: result
failed_when: result.changed
- name: Ensure more vault member users are present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
users:
- admin
- user02
register: result
failed_when: not result.changed
- name: Ensure vault member user is still present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
users:
- user02
register: result
failed_when: result.changed
- name: Ensure vault users are absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
users:
- admin
- user02
state: absent
register: result
failed_when: not result.changed
- name: Ensure vault users are absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
users:
- admin
- user02
state: absent
register: result
failed_when: result.changed
- name: Ensure vault user is absent, once more.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
users:
- admin
state: absent
register: result
failed_when: result.changed
- name: Ensure vault member group is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
groups: vaultgroup
register: result
failed_when: not result.changed
- name: Ensure vault member group is present, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
groups: vaultgroup
register: result
failed_when: result.changed
- name: Ensure vault member group is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
groups: vaultgroup
state: absent
register: result
failed_when: not result.changed
- name: Ensure vault member group is absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
groups: vaultgroup
state: absent
register: result
failed_when: result.changed
- name: Ensure vault member service is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
services: "HTTP/{{ groups.ipaserver[0] }}"
register: result
failed_when: not result.changed
- name: Ensure vault member service is present, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
services: "HTTP/{{ groups.ipaserver[0] }}"
register: result
failed_when: result.changed
- name: Ensure vault member service is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
services: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
register: result
failed_when: not result.changed
- name: Ensure vault member service is absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
action: member
services: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
register: result
failed_when: result.changed
- name: Ensure user03 is an owner of vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
owners: user03
action: member
register: result
failed_when: not result.changed
- name: Ensure user03 is an owner of vault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
owners: user03
action: member
register: result
failed_when: result.changed
- name: Ensure user03 is not owner of vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
owners: user03
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure user03 is not owner of vault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
owners: user03
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure vaultgroup is an ownergroup of vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
ownergroups: vaultgroup
action: member
register: result
failed_when: not result.changed
- name: Ensure vaultgroup is an ownergroup of vault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
ownergroups: vaultgroup
action: member
register: result
failed_when: result.changed
- name: Ensure vaultgroup is not ownergroup of vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
ownergroups: vaultgroup
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure vaultgroup is not ownergroup of vault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
ownergroups: vaultgroup
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure service is an owner of vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
action: member
register: result
failed_when: not result.changed
- name: Ensure service is an owner of vault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
action: member
register: result
failed_when: result.changed
- name: Ensure service is not owner of vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure service is not owner of vault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure {{vault.vault_type}} vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
state: absent
register: result
failed_when: not result.changed
- name: Ensure {{vault.vault_type}} vault is absent, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: "{{vault.name}}"
state: absent
register: result
failed_when: result.changed
- name: Cleanup testing environment.
import_tasks: env_cleanup.yml

929
tests/vault/test_vault.yml
View File

@@ -1,929 +0,0 @@
---
- name: Test vault
hosts: ipaserver
become: true
# Need to gather facts for ansible_env.
gather_facts: true
tasks:
- name: Copy password file to target host.
copy:
src: "{{ playbook_dir }}/password.txt"
dest: "{{ ansible_env.HOME }}/password.txt"
- name: Copy public key file to target host.
copy:
src: "{{ playbook_dir }}/public.pem"
dest: "{{ ansible_env.HOME }}/public.pem"
- name: Copy private key file to target host.
copy:
src: "{{ playbook_dir }}/private.pem"
dest: "{{ ansible_env.HOME }}/private.pem"
- name: Copy input data file to target host.
copy:
src: "{{ playbook_dir }}/in.txt"
dest: "{{ ansible_env.HOME }}/in.txt"
- name: Ensure user vaults are absent
ipavault:
ipaadmin_password: SomeADMINpassword
name:
- stdvault
- symvault
- asymvault
username: user01
state: absent
- name: Ensure test users do not exist.
ipauser:
ipaadmin_password: SomeADMINpassword
name:
- user01
- user02
- user03
state: absent
- name: Ensure test groups do not exist.
ipagroup:
ipaadmin_password: SomeADMINpassword
name: vaultgroup
state: absent
- name: Ensure vaultgroup exists.
ipagroup:
ipaadmin_password: SomeADMINpassword
name: vaultgroup
- name: Ensure user01 exists.
ipauser:
ipaadmin_password: SomeADMINpassword
name: user01
first: First
last: Start
- name: Ensure user02 exists.
ipauser:
ipaadmin_password: SomeADMINpassword
name: user02
first: Second
last: Middle
- name: Ensure user03 exists.
ipauser:
ipaadmin_password: SomeADMINpassword
name: user03
first: Third
last: Last
- name: Ensure shared vaults are absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: sharedvault
shared: True
state: absent
- name: Ensure standard vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
state: absent
- name: Ensure service vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: svcvault
service: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
# tests
- name: Ensure standard vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_type: standard
register: result
failed_when: not result.changed
- name: Ensure standard vault is present, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_type: standard
register: result
failed_when: result.changed
- name: Ensure standard vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_type: standard
state: absent
register: result
failed_when: not result.changed
- name: Ensure standard vault is absent, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_type: standard
state: absent
register: result
failed_when: result.changed
- name: Ensure symmetric vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
vault_password: SomeVAULTpassword
vault_type: symmetric
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is present, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
vault_password: SomeVAULTpassword
vault_type: symmetric
register: result
failed_when: result.changed
- name: Archive data to symmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
vault_password: SomeVAULTpassword
vault_data: Hello World.
register: result
failed_when: not result.changed
- name: Archive data with non-ASCII characters to symmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
vault_password: SomeVAULTpassword
vault_data: The world of π is half rounded.
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
state: absent
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is absent, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
state: absent
register: result
failed_when: result.changed
- name: Ensure symmetric vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
vault_password: SomeVAULTpassword
vault_type: symmetric
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is present, with a different password
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
vault_password: SomeOtherVAULTpassword
vault_type: symmetric
register: result
failed_when: result.changed
- name: Ensure symmetric vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
state: absent
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is present, with password from file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
vault_password_file: "{{ ansible_env.HOME }}/password.txt"
vault_type: symmetric
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is present, with password from file, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
vault_password_file: password.txt
vault_type: symmetric
register: result
failed_when: result.changed
- name: Ensure asymmetric vault is present, with public key file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: admin
description: An asymmetric private vault.
public_key_file: "{{ ansible_env.HOME }}/public.pem"
vault_type: asymmetric
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is present, with public key file, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: admin
description: An asymmetric private vault.
public_key_file: "{{ ansible_env.HOME }}/public.pem"
vault_type: asymmetric
register: result
failed_when: result.changed
- name: Archive data in asymmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: admin
vault_data: Hello World.
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: admin
state: absent
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: admin
state: absent
register: result
failed_when: result.changed
- name: Ensure asymmetric vault is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: user01
description: An asymmetric private vault.
vault_public_key:
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
vault_type: asymmetric
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is present, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: user01
description: An asymmetric private vault.
vault_public_key:
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
vault_type: asymmetric
register: result
failed_when: result.changed
- name: Archive data in asymmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: user01
vault_data: Hello World.
register: result
failed_when: not result.changed
- name: Retrieve data from asymmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: user01
vault_type: asymmetric
retrieve: true
private_key:
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBck01L2Y2ZGQvWUltL2E5ZW9HVlRXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4CkhENCtSVlV3eC9scWxrUFliVWk5YlhWL3JKQWtVd0FFRE9uSmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVkKU2lxeXlOeEZJSnZaQW8wZEc0Q0FXallLMjd0TGc0SWg2b0dzWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZQpETU81N3Vudm1JS0VtYUJFMGV3UGZ2a2RaaDVrOEd0czlINGZoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkCituN0JiYVZjODIwVGdaRE8vclNZdG51WGFJYzZXeDBVOUxYWmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFAKcXJHcW15V2QvRTFjSDJiNWp6SXhpR284cHNMNXN4V1ZZN1dKZHdJREFRQUJBb0lCQUE2ZTlpaXQxNFVBZ3g0Sgp2WDdpczlmYk90Y1drQitqbzk0Tk1meFNGWGdacElNbDEzOW9RTXFLOTdLanhzSHFBYURWZTdtTUxINUVQOTZKCjdNM081ZzRyZ2wwY1ZXdHBNckRReVpzTHZxREZ6Qld4dENIcVZQQXJ1dW1VWmhzU0ozbFJPUXJvOGFnL3c1YmYKNXRDNW9nVnE0K3JzQjRoQnBoZ3Axakdyc1VNK0U4TzdEWFhGSDY4RjhXZ0JpNzI1V3Zjam5iSTlpcmtiMEdjcQoxYkNQSndOM2ZBMWkyVldpUndWWVdiTlRXbkRvTk05WmRZWXhLMGt1VWtEK1F0cmV5Y1dQZjlWNDlsdlVpMVZwCkZWTm1CVUR2R0szSzFNd2JnWFJ3T1hoYWNZN1B0amtkdmFlYjJRY3U1UmpUa3J1R2h6VVlzT1AzcC9jdyt3S1YKdnpRcWNlRUNnWUVBNVd6N1YyU2xSYTJyLy96K0VUUWtKZkVOSjBLRG5DYjBwTUNsQ1FoM2pUTlBBNkRiaGlNawpGVGtjb05icWNwVGlWU2x2aGg2VEtzY1NncVlRVWpRL09xeUc3U2tqS1ZqUTcyajViZVFMeGlMVHRVeWoxT21QClhoOWNXSlh4OGlRKzQ1Y1BvbitrTU9BSWlUd2lCM21tRlJmUWpJR3ZlMURQVW85SitOWjRYZEVDZ1lFQXdOS2cKT2RHWXh4S3RDclhWejFtZGc2UERsVjhxaDdueHhaYlBjaCthTUlRbDErb1RDZ1NpdzhvT1lFZDhnMEhPZFY2dAoxRytJV2h2UHhpaVd5My9BRTBRaGdvS2syR1VzU2pXU01MY0piYVV6RG9FSEZqVExqZWNSbHFkem83cXhSWHFCCm1lTjRMNVdKWUtuTEM0ODJLN2h2dWZTK3VvNWZCNXF3UG10MTNNY0NnWUFlNFRWUFJQK3R5anR0WUNyK084dGwKdy9VbVJLQ2NRdTRJd3Rrenh3ejRWMkNhTjJ0MHVZUWd5eWdjU2ZFU2JSR3RycjhSQ1VwN3BvSEtUZm5DWnIvZgo4TnJVVHdZcGlZZk53WTVaQ1NuQWlHMkFhSWxnbmZNckV3T0Y5T0MwMjhZUE1nVHJ0VXh2TzZoS2VHcUlJUXFHCnFrYnFzb1hoRGpacGdWbk9nV2VBRVFLQmdHdWlaMHcvSXFBbFhiQzMxZlViMmlCTWZ2WFhuSjhNL2RmRkdtRmoKSUtmcWJGRjlXVWxqVXhRbHF5YTFZTnpJRkI1U1RvaGlCZVArMkZtTitMYjV4ZGM3VmRWTFpnZGhXbnJHTXFlOAoxS2QrNnVReXhDanlLWm81blFqU3ltdGY0R3FmT3M4VE9kaWVDWVNLNDB1OWtvaVBPTmE5dHVYZWFVK09Xc2xOCkpRcXJBb0dCQUozTUtPdnNuUXp1WlZQMnZ6MFpxTHdJRTNYalJpRkd2ZVZwaXpxNGh3T1ZldU5zVjA4SnZBMHQKcHVlTkl5OWtsUFNjRmM5T1VkaVpXa0VYMDlCd0prVklyT0hvdHVTQjhBU3RPNVVBbnRObnV5V0xKRUZDNFVxNApHcEI4bGJqOWpreFNLYVU3WDNHYWMyM0s5Skw4ZXVMaDdFN3JQdVpSWWE2bVlONG5iS3F1Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
register: result
failed_when: result.data | b64decode != 'Hello World.' or result.changed
- name: Retrieve data from asymmetric vault, with private key file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: user01
vault_type: asymmetric
retrieve: true
private_key_file: "{{ ansible_env.HOME }}/private.pem"
register: result
failed_when: result.data | b64decode != 'Hello World.' or result.changed
- name: Ensure asymmetric vault is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: user01
state: absent
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
username: user01
state: absent
register: result
failed_when: result.changed
- name: Ensure standard vault is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_type: standard
username: user01
description: A standard private vault.
register: result
failed_when: not result.changed
- name: Ensure standard vault is present, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
vault_type: standard
description: A standard private vault.
register: result
failed_when: result.changed
- name: Archive data in standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
vault_data: Hello World.
register: result
failed_when: not result.changed
- name: Retrieve data from standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
retrieve: yes
out: "{{ ansible_env.HOME }}/data.txt"
register: result
failed_when: result.changed
- name: Verify retrieved data.
slurp:
src: "{{ ansible_env.HOME }}/data.txt"
register: slurpfile
failed_when: slurpfile['content'] | b64decode != 'Hello World.'
- name: Archive data in standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
in: "{{ ansible_env.HOME }}/in.txt"
register: result
failed_when: not result.changed
- name: Retrieve data from standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
vault_type: standard
retrieve: true
register: result
failed_when: result.data | b64decode != 'Another World.' or result.changed
- name: Ensure standard vault member user is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
users:
- user02
register: result
failed_when: not result.changed
- name: Ensure standard vault member user is present, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
users:
- user02
register: result
failed_when: result.changed
- name: Ensure more vault member users are present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
users:
- user01
- user02
register: result
failed_when: not result.changed
- name: Ensure vault member user is still present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
users:
- user02
register: result
failed_when: result.changed
- name: Ensure vault users are absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
users:
- user01
- user02
state: absent
register: result
failed_when: not result.changed
- name: Ensure vault users are absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
users:
- user01
- user02
state: absent
register: result
failed_when: result.changed
- name: Ensure vault user is absent, once more.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
users:
- user01
state: absent
register: result
failed_when: result.changed
- name: Ensure vault member group is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
groups: vaultgroup
register: result
failed_when: not result.changed
- name: Ensure vault member group is present, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
groups: vaultgroup
register: result
failed_when: result.changed
- name: Ensure vault member group is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
groups: vaultgroup
state: absent
register: result
failed_when: not result.changed
- name: Ensure vault member group is absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
groups: vaultgroup
state: absent
register: result
failed_when: result.changed
- name: Ensure vault member service is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
services: "HTTP/{{ groups.ipaserver[0] }}"
register: result
failed_when: not result.changed
- name: Ensure vault member service is present, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
services: "HTTP/{{ groups.ipaserver[0] }}"
register: result
failed_when: result.changed
- name: Ensure vault member service is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
services: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
register: result
failed_when: not result.changed
- name: Ensure vault member service is absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
action: member
services: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
register: result
failed_when: result.changed
- name: Ensure vault is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
state: absent
register: result
failed_when: not result.changed
- name: Ensure vault is absent, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
state: absent
register: result
failed_when: result.changed
- name: Ensure shared vault is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: sharedvault
shared: True
ipavaultpassword: SomeVAULTpassword
register: result
failed_when: not result.changed
- name: Ensure shared vault is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: sharedvault
shared: True
state: absent
register: result
failed_when: not result.changed
- name: Ensure service vault is present.
ipavault:
ipaadmin_password: SomeADMINpassword
name: svcvault
ipavaultpassword: SomeVAULTpassword
service: "HTTP/{{ groups.ipaserver[0] }}"
register: result
failed_when: not result.changed
- name: Ensure service vault is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: svcvault
service: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
register: result
failed_when: not result.changed
- name: Ensure vault is present, with members.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
vault_type: standard
users:
- user02
- user03
groups:
- vaultgroup
register: result
failed_when: not result.changed
- name: Ensure vault is present, with members, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
vault_type: standard
users:
- user02
- user03
groups:
- vaultgroup
register: result
failed_when: result.changed
- name: Ensure user02 is not a member of vault stdvault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
users: user02
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure user02 is not a member of vault stdvault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
users: user02
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure user02 is a member of vault stdvault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
users: user02
action: member
register: result
failed_when: not result.changed
- name: Ensure user02 is a member of vault stdvault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
users: user03
action: member
register: result
failed_when: result.changed
- name: Ensure user03 owns vault stdvault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
owners: user03
action: member
register: result
failed_when: not result.changed
- name: Ensure user03 owns vault stdvault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
owners: user03
action: member
register: result
failed_when: result.changed
- name: Ensure user03 is not owner of stdvault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
owners: user03
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure user03 is not owner of stdvault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
owners: user03
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure vaultgroup is owner of stdvault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
ownergroups: vaultgroup
action: member
register: result
failed_when: not result.changed
- name: Ensure vaultgroup is owner of stdvault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
ownergroups: vaultgroup
action: member
register: result
failed_when: result.changed
- name: Ensure vaultgroup is not owner of stdvault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
ownergroups: vaultgroup
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure vaultgroup is not owner of stdvault, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
ownergroups: vaultgroup
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure vault is owned by HTTP service.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
action: member
register: result
failed_when: not result.changed
- name: Ensure vault is owned by HTTP service, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
action: member
register: result
failed_when: result.changed
- name: Ensure vault is not owned by HTTP service.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure vault is not owned by HTTP service, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure vault is absent.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
state: absent
# cleaup
- name: Ensure user01 vaults are absent
ipavault:
ipaadmin_password: SomeADMINpassword
name:
- stdvault
- symvault
- asymvault
username: user01
state: absent
- name: Ensure test vaults are absent
ipavault:
ipaadmin_password: SomeADMINpassword
name:
- stdvault
- symvault
- asymvault
username: admin
state: absent
- name: Ensure shared vaults are absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: sharedvault
shared: True
state: absent
- name: Ensure service vaults are absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: svcvault
service: "HTTP/{{ groups.ipaserver[0] }}"
state: absent
- name: Ensure test users do not exist.
ipauser:
ipaadmin_password: SomeADMINpassword
name:
- user01
- user02
- user03
state: absent
- name: Ensure test groups do not exist.
ipagroup:
ipaadmin_password: SomeADMINpassword
name: vaultgroup
state: absent
- name: Remove password file from target host.
file:
path: "{{ ansible_env.HOME }}/password.txt"
state: absent
- name: Remove public key file from target host.
file:
path: "{{ ansible_env.HOME }}/public.pem"
state: absent
- name: Remove private key file from target host.
file:
path: "{{ ansible_env.HOME }}/private.pem"
state: absent
- name: Remove output data file from target host.
file:
path: "{{ ansible_env.HOME }}/data.txt"
state: absent
- name: Remove input data file from target host.
file:
path: "{{ ansible_env.HOME }}/in.txt"
state: absent

192
tests/vault/test_vault_asymmetric.yml Normal file
View File

@@ -0,0 +1,192 @@
---
- name: Test vault
hosts: ipaserver
become: true
# Need to gather facts for ansible_env.
gather_facts: true
tasks:
- name: Setup testing environment.
import_tasks: env_setup.yml
- name: Ensure asymmetric vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
vault_type: asymmetric
public_key: "{{ lookup('file', 'public.pem') | b64encode }}"
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is present, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
vault_type: asymmetric
public_key: "{{ lookup('file', 'public.pem') | b64encode }}"
register: result
failed_when: result.changed
- name: Archive data to asymmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
data: Hello World.
register: result
failed_when: not result.changed
- name: Retrieve data from asymmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
state: retrieved
register: result
failed_when: result.data != 'Hello World.' or result.changed
- name: Retrieve data from asymmetric vault into file {{ ansible_env.HOME }}/data.txt.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
out: "{{ ansible_env.HOME }}/data.txt"
private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
state: retrieved
register: result
failed_when: result.changed
- name: Verify retrieved data.
slurp:
src: "{{ ansible_env.HOME }}/data.txt"
register: slurpfile
failed_when: slurpfile['content'] | b64decode != 'Hello World.'
- name: Archive data with non-ASCII characters to asymmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
data: The world of π is half rounded.
register: result
failed_when: not result.changed
- name: Retrieve data from asymmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
state: retrieved
register: result
failed_when: result.data != 'The world of π is half rounded.' or result.changed
- name: Archive data in asymmetric vault, from file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
vault_type: asymmetric
in: "{{ ansible_env.HOME }}/in.txt"
register: result
failed_when: not result.changed
- name: Retrieve data from asymmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
state: retrieved
register: result
failed_when: result.data != 'Another World.' or result.changed
- name: Archive data with single character to asymmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
data: c
register: result
failed_when: not result.changed
- name: Retrieve data from asymmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
state: retrieved
register: result
failed_when: result.data != 'c' or result.changed
- name: Ensure asymmetric vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
state: absent
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is absent, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
state: absent
register: result
failed_when: result.changed
- name: Ensure asymmetric vault is present, with public key from file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
public_key_file: "{{ ansible_env.HOME }}/public.pem"
vault_type: asymmetric
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is present, with password from file, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
public_key_file: "{{ ansible_env.HOME }}/public.pem"
vault_type: asymmetric
register: result
failed_when: result.changed
- name: Archive data to asymmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
data: Hello World.
register: result
failed_when: not result.changed
- name: Retrieve data from asymmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
state: retrieved
register: result
failed_when: result.data != 'Hello World.' or result.changed
- name: Retrieve data from asymmetric vault, with password file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
private_key_file: "{{ ansible_env.HOME }}/private.pem"
state: retrieved
register: result
failed_when: result.data != 'Hello World.' or result.changed
- name: Ensure asymmetric vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
state: absent
register: result
failed_when: not result.changed
- name: Ensure asymmetric vault is absent, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: asymvault
state: absent
register: result
failed_when: result.changed
- name: Cleanup testing environment.
import_tasks: env_setup.yml

20
tests/vault/test_vault_members.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Test vault
hosts: ipaserver
become: true
# Need to gather facts for ansible_env.
gather_facts: true
tasks:
- name: Test vault module member operations.
include_tasks:
file: tasks_vault_members.yml
apply:
tags:
- "{{ vault.vault_type }}"
loop_control:
loop_var: vault
loop:
- { name: "stdvault", vault_type: "standard" }
- { name: "symvault", vault_type: "symmetric" }
- { name: "asymvault", vault_type: "asymmetric" }

125
tests/vault/test_vault_standard.yml Normal file
View File

@@ -0,0 +1,125 @@
---
- name: Test vault
hosts: ipaserver
become: true
# Need to gather facts for ansible_env.
gather_facts: true
tasks:
- name: Setup testing environment.
import_tasks: env_setup.yml
- name: Ensure standard vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_type: standard
register: result
failed_when: not result.changed
- name: Ensure standard vault is present, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_type: standard
register: result
failed_when: result.changed
- name: Archive data to standard vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_data: Hello World.
register: result
failed_when: not result.changed
- name: Retrieve data from standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
state: retrieved
register: result
failed_when: result.data != 'Hello World.' or result.changed
- name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
out: "{{ ansible_env.HOME }}/data.txt"
state: retrieved
register: result
failed_when: result.changed
- name: Verify retrieved data.
slurp:
src: "{{ ansible_env.HOME }}/data.txt"
register: slurpfile
failed_when: slurpfile['content'] | b64decode != 'Hello World.'
- name: Archive data with non-ASCII characters to standard vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_data: The world of π is half rounded.
register: result
failed_when: not result.changed
- name: Retrieve data from standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
state: retrieved
register: result
failed_when: result.data != 'The world of π is half rounded.' or result.changed
- name: Archive data in standard vault, from file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_type: standard
in: "{{ ansible_env.HOME }}/in.txt"
register: result
failed_when: not result.changed
- name: Retrieve data from standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
state: retrieved
register: result
failed_when: result.data != 'Another World.' or result.changed
- name: Archive data with single character to standard vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
vault_data: c
register: result
failed_when: not result.changed
- name: Retrieve data from standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
state: retrieved
register: result
failed_when: result.data != 'c' or result.changed
- name: Ensure standard vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
state: absent
register: result
failed_when: not result.changed
- name: Ensure standard vault is absent, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
state: absent
register: result
failed_when: result.changed
- name: Cleanup testing environment.
import_tasks: env_setup.yml

198
tests/vault/test_vault_symmetric.yml Normal file
View File

@@ -0,0 +1,198 @@
---
- name: Test vault
hosts: ipaserver
become: true
# Need to gather facts for ansible_env.
gather_facts: true
tasks:
- name: Setup testing environment.
import_tasks: env_setup.yml
- name: Ensure symmetric vault is present
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
vault_type: symmetric
password: SomeVAULTpassword
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is present, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
vault_type: symmetric
password: SomeVAULTpassword
register: result
failed_when: result.changed
- name: Archive data to symmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
vault_data: Hello World.
password: SomeVAULTpassword
register: result
failed_when: not result.changed
- name: Retrieve data from symmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
state: retrieved
register: result
failed_when: result.data != 'Hello World.' or result.changed
- name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
out: "{{ ansible_env.HOME }}/data.txt"
state: retrieved
register: result
failed_when: result.changed
- name: Verify retrieved data.
slurp:
src: "{{ ansible_env.HOME }}/data.txt"
register: slurpfile
failed_when: slurpfile['content'] | b64decode != 'Hello World.'
- name: Archive data with non-ASCII characters to symmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
vault_data: The world of π is half rounded.
register: result
failed_when: not result.changed
- name: Retrieve data from symmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
state: retrieved
register: result
failed_when: result.data != 'The world of π is half rounded.' or result.changed
- name: Archive data in symmetric vault, from file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
in: "{{ ansible_env.HOME }}/in.txt"
password: SomeVAULTpassword
register: result
failed_when: not result.changed
- name: Retrieve data from symmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
state: retrieved
register: result
failed_when: result.data != 'Another World.' or result.changed
- name: Archive data with single character to symmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
vault_data: c
register: result
failed_when: not result.changed
- name: Retrieve data from symmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
state: retrieved
register: result
failed_when: result.data != 'c' or result.changed
- name: Ensure symmetric vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
state: absent
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is absent, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
state: absent
register: result
failed_when: result.changed
- name: Ensure symmetric vault is present, with password from file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
password_file: "{{ ansible_env.HOME }}/password.txt"
vault_type: symmetric
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is present, with password from file, again.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: user01
password_file: "{{ ansible_env.HOME }}/password.txt"
vault_type: symmetric
register: result
failed_when: result.changed
- name: Archive data to symmetric vault
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
vault_data: Hello World.
password: SomeVAULTpassword
register: result
failed_when: not result.changed
- name: Retrieve data from symmetric vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
state: retrieved
register: result
failed_when: result.data != 'Hello World.' or result.changed
- name: Retrieve data from symmetric vault, with password file.
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password_file: "{{ ansible_env.HOME }}/password.txt"
state: retrieved
register: result
failed_when: result.data != 'Hello World.' or result.changed
- name: Ensure symmetric vault is absent
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
state: absent
register: result
failed_when: not result.changed
- name: Ensure symmetric vault is absent, again
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
state: absent
register: result
failed_when: result.changed
- name: Cleanup testing environment.
import_tasks: env_cleanup.yml