From ff03b3153beb35d9027f177417b43f473ea55494 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Mon, 8 Jun 2020 16:08:14 +0200 Subject: [PATCH 1/4] ipahostgroup: Add support for group membership management A group membership manager is a user or a group that can add members to a group or remove members from a hostgroup. This is related to https://pagure.io/freeipa/issue/8114 New parameters have been added to the module: - `membermanager_user`: List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. - `membermanager_group`: List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. These parameters behave like member parameters. A new test has been added: - tests/hostgroup/test_hostgroup_membermanager.yml --- README-hostgroup.md | 2 + plugins/modules/ipahostgroup.py | 91 +++++++- .../test_hostgroup_membermanager.yml | 210 ++++++++++++++++++ 3 files changed, 302 insertions(+), 1 deletion(-) create mode 100644 tests/hostgroup/test_hostgroup_membermanager.yml diff --git a/README-hostgroup.md b/README-hostgroup.md index 85701244..e021d89a 100644 --- a/README-hostgroup.md +++ b/README-hostgroup.md @@ -137,6 +137,8 @@ Variable | Description | Required `nomembers` | Suppress processing of membership attributes. (bool) | no `host` | List of host name strings assigned to this hostgroup. | no `hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no +`membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no +`membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no `action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no diff --git a/plugins/modules/ipahostgroup.py b/plugins/modules/ipahostgroup.py index 7e1891d3..4c18e940 100644 --- a/plugins/modules/ipahostgroup.py +++ b/plugins/modules/ipahostgroup.py @@ -58,6 +58,18 @@ options: description: List of hostgroup names assigned to this hostgroup. required: false type: list + membermanager_user: + description: + - List of member manager users assigned to this hostgroup. + - Only usable with IPA versions 4.8.4 and up. + required: false + type: list + membermanager_group: + description: + - List of member manager groups assigned to this hostgroup. + - Only usable with IPA versions 4.8.4 and up. + required: false + type: list action: description: Work on hostgroup or member level default: hostgroup @@ -117,7 +129,7 @@ RETURN = """ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ - module_params_get, gen_add_del_lists + module_params_get, gen_add_del_lists, api_check_command def find_hostgroup(module, name): @@ -171,6 +183,9 @@ def main(): nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), + membermanager_user=dict(required=False, type='list', default=None), + membermanager_group=dict(required=False, type='list', + default=None), action=dict(type="str", default="hostgroup", choices=["member", "hostgroup"]), # state @@ -196,6 +211,10 @@ def main(): nomembers = module_params_get(ansible_module, "nomembers") host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") + membermanager_user = module_params_get(ansible_module, + "membermanager_user") + membermanager_group = module_params_get(ansible_module, + "membermanager_group") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") @@ -239,6 +258,15 @@ def main(): ipaadmin_password) api_connect() + has_add_membermanager = api_check_command( + "hostgroup_add_member_manager") + if ((membermanager_user is not None or + membermanager_group is not None) and not has_add_membermanager): + ansible_module.fail_json( + msg="Managing a membermanager user or group is not supported " + "by your IPA version" + ) + commands = [] for name in names: @@ -288,6 +316,41 @@ def main(): "host": host_del, "hostgroup": hostgroup_del, }]) + + membermanager_user_add, membermanager_user_del = \ + gen_add_del_lists( + membermanager_user, + res_find.get("membermanager_user") + ) + + membermanager_group_add, membermanager_group_del = \ + gen_add_del_lists( + membermanager_group, + res_find.get("membermanager_group") + ) + + if has_add_membermanager: + # Add membermanager users and groups + if len(membermanager_user_add) > 0 or \ + len(membermanager_group_add) > 0: + commands.append( + [name, "hostgroup_add_member_manager", + { + "user": membermanager_user_add, + "group": membermanager_group_add, + }] + ) + # Remove member manager + if len(membermanager_user_del) > 0 or \ + len(membermanager_group_del) > 0: + commands.append( + [name, "hostgroup_remove_member_manager", + { + "user": membermanager_user_del, + "group": membermanager_group_del, + }] + ) + elif action == "member": if res_find is None: ansible_module.fail_json( @@ -299,6 +362,19 @@ def main(): "host": host, "hostgroup": hostgroup, }]) + + if has_add_membermanager: + # Add membermanager users and groups + if membermanager_user is not None or \ + membermanager_group is not None: + commands.append( + [name, "hostgroup_add_member_manager", + { + "user": membermanager_user, + "group": membermanager_group, + }] + ) + elif state == "absent": if action == "hostgroup": if res_find is not None: @@ -315,6 +391,19 @@ def main(): "host": host, "hostgroup": hostgroup, }]) + + if has_add_membermanager: + # Remove membermanager users and groups + if membermanager_user is not None or \ + membermanager_group is not None: + commands.append( + [name, "hostgroup_remove_member_manager", + { + "user": membermanager_user, + "group": membermanager_group, + }] + ) + else: ansible_module.fail_json(msg="Unkown state '%s'" % state) diff --git a/tests/hostgroup/test_hostgroup_membermanager.yml b/tests/hostgroup/test_hostgroup_membermanager.yml new file mode 100644 index 00000000..c32d1088 --- /dev/null +++ b/tests/hostgroup/test_hostgroup_membermanager.yml @@ -0,0 +1,210 @@ +--- +- name: Test hostgroup membermanagers + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - name: Ensure host-group testhostgroup is absent + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: + - testhostgroup + state: absent + + - name: Ensure user manangeruser1 and manageruser2 is absent + ipauser: + ipaadmin_password: SomeADMINpassword + name: manageruser1,manageruser2 + state: absent + + - name: Ensure group managergroup1 and managergroup2 are absent + ipagroup: + ipaadmin_password: SomeADMINpassword + name: managergroup1,managergroup2 + state: absent + + - name: Ensure host-group testhostgroup is present + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: + - testhostgroup + + - name: Ensure user manageruser1 and manageruser2 are present + ipauser: + ipaadmin_password: SomeADMINpassword + users: + - name: manageruser1 + first: manageruser1 + last: Last1 + - name: manageruser2 + first: manageruser2 + last: Last2 + register: result + failed_when: not result.changed + + - name: Ensure managergroup1 is present + ipagroup: + ipaadmin_password: SomeADMINpassword + name: managergroup1 + register: result + failed_when: not result.changed + + - name: Ensure managergroup2 is present + ipagroup: + ipaadmin_password: SomeADMINpassword + name: managergroup2 + register: result + failed_when: not result.changed + + - name: Ensure membermanager user1 is present for testhostgroup + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1 + register: result + failed_when: not result.changed + + - name: Ensure membermanager user1 is present for testhostgroup again + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1 + register: result + failed_when: result.changed + + - name: Ensure membermanager group1 is present for testhostgroup + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_group: managergroup1 + register: result + failed_when: not result.changed + + - name: Ensure membermanager group1 is present for testhostgroup again + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_group: managergroup1 + register: result + failed_when: result.changed + + - name: Ensure membermanager user2 and group2 members are present for testhostgroup + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser2 + membermanager_group: managergroup2 + action: member + register: result + failed_when: not result.changed + + - name: Ensure membermanager user2 and group2 members are present for testhostgroup again + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser2 + membermanager_group: managergroup2 + action: member + register: result + failed_when: result.changed + + - name: Ensure membermanager user and group members are present for testhostgroup again + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1,manageruser2 + membermanager_group: managergroup1,managergroup2 + action: member + register: result + failed_when: result.changed + + - name: Ensure membermanager user1 and group1 members are absent for testhostgroup + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1 + membermanager_group: managergroup1 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure membermanager user1 and group1 members are absent for testhostgroup again + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1 + membermanager_group: managergroup1 + action: member + state: absent + register: result + failed_when: result.changed + + + - name: Ensure membermanager user1 and group1 members are present for testhostgroup + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1 + membermanager_group: managergroup1 + action: member + register: result + failed_when: not result.changed + + - name: Ensure membermanager user1 and group1 members are present for testhostgroup again + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1 + membermanager_group: managergroup1 + action: member + register: result + failed_when: result.changed + + - name: Ensure membermanager user and group members are absent for testhostgroup + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1,manageruser2 + membermanager_group: managergroup1,managergroup2 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure membermanager user and group members are absent for testhostgroup again + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup + membermanager_user: manageruser1,manageruser2 + membermanager_group: managergroup1,managergroup2 + action: member + state: absent + register: result + failed_when: result.changed + + - name: Ensure user manangeruser1 and manageruser2 is absent + ipauser: + ipaadmin_password: SomeADMINpassword + name: manageruser1,manageruser2 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure group managergroup1 and managergroup2 are absent + ipagroup: + ipaadmin_password: SomeADMINpassword + name: managergroup1,managergroup2 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup is absent + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: + - testhostgroup + state: absent + register: result + failed_when: not result.changed From 04564248213135333bc1d0fa82edb9c70c02c3ad Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Mon, 4 May 2020 20:48:48 -0300 Subject: [PATCH 2/4] Fixes password behavior on Vault module. This patch fixes handling of password and public_key files, parameter validation depending on vault type, usage of `salt` attribute and data retrieval. Tests were updated to reflect the changes. New example playbooks are added: playbooks/vault/vault-is-present-with-password-file.yml playbooks/vault/vault-is-present-with-public-key-file.yml --- plugins/modules/ipavault.py | 53 +++++++++++++++++-------------------- tests/vault/test_vault.yml | 9 +++++++ 2 files changed, 33 insertions(+), 29 deletions(-) diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py index dc59d4be..d97c022c 100644 --- a/plugins/modules/ipavault.py +++ b/plugins/modules/ipavault.py @@ -366,7 +366,7 @@ def gen_member_args(args, users, groups, services): def data_storage_args(args, data, password, password_file, private_key, - private_key_file, retrieve, datafile_in, datafile_out): + private_key_file, datafile_in, datafile_out): _args = {} if 'username' in args: @@ -407,8 +407,7 @@ def check_parameters(module, state, action, description, username, service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, - private_key_file, retrieve, vault_data, datafile_in, - datafile_out): + private_key_file, vault_data, datafile_in, datafile_out): invalid = [] if state == "present": if salt is not None: @@ -423,24 +422,20 @@ def check_parameters(module, state, action, description, username, service, if action == "member": invalid = ['description'] - if not retrieve: - if datafile_out is not None: - module.fail_json( - msg="Retrieve must be enabled to use datafile_out.") + elif state == "absent": + invalid = ['description', 'salt', 'vault_type', 'datafile_in', + 'vault_data'] - if any([private_key, private_key_file]): - module.fail_json( - msg="Attributes private_key and private_key_file can only " - "be used when retrieving data from asymmetric vaults.") - else: - check = ['description', 'salt', 'datafile_in', 'users', 'groups', - 'owners', 'ownergroups', 'public_key', 'public_key_file', - 'vault_data'] + if action == "vault": + invalid.extend(['users', 'groups', 'owners', 'ownergroups', + 'password', 'password_file', 'public_key', + 'public_key_file']) - for arg in check: - if vars()[arg] is not None: - module.fail_json( - msg="`%s` cannot be used with `retrieve`." % arg) + for arg in invalid: + if vars()[arg] is not None: + module.fail_json( + msg="Argument '%s' can not be used with state '%s', " + "action '%s'" % (arg, state, action)) elif state == "absent": invalid = ['description', 'salt', 'vault_type', 'private_key', @@ -461,8 +456,8 @@ def check_parameters(module, state, action, description, username, service, def check_encryption_params(module, state, vault_type, salt, password, password_file, public_key, public_key_file, - private_key, private_key_file, retrieve, - vault_data, datafile_in, datafile_out, res_find): + private_key, private_key_file, vault_data, + datafile_in, datafile_out, res_find): vault_type_invalid = [] if state == "present": if vault_type == "standard": @@ -593,8 +588,6 @@ def main(): datafile_in = module_params_get(ansible_module, "datafile_in") datafile_out = module_params_get(ansible_module, "datafile_out") - retrieve = module_params_get(ansible_module, "retrieve") - action = module_params_get(ansible_module, "action") state = module_params_get(ansible_module, "state") @@ -616,8 +609,7 @@ def main(): service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, - private_key_file, retrieve, vault_data, datafile_in, - datafile_out) + private_key_file, vault_data, datafile_in, datafile_out) # Init changed = False @@ -660,7 +652,7 @@ def main(): check_encryption_params(ansible_module, state, vault_type, salt, password, password_file, public_key, public_key_file, private_key, - private_key_file, retrieve, vault_data, + private_key_file, vault_data, datafile_in, datafile_out, res_find) # Create command @@ -734,6 +726,10 @@ def main(): and 'ipavaultsalt' not in args: args['ipavaultsalt'] = os.urandom(32) + if vault_type == 'symmetric' \ + and 'ipavaultsalt' not in args: + args['ipavaultsalt'] = os.urandom(32) + elif action in "member": # Add users and groups if any([users, groups, services]): @@ -746,9 +742,8 @@ def main(): commands.append([name, 'vault_add_owner', owner_args]) pwdargs = data_storage_args( - args, vault_data, password, password_file, - private_key, private_key_file, retrieve, datafile_in, - datafile_out) + args, vault_data, password, password_file, private_key, + private_key_file, datafile_in, datafile_out) if any([vault_data, datafile_in]): commands.append([name, "vault_archive", pwdargs]) if retrieve: diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml index c0af2700..6211c8d9 100644 --- a/tests/vault/test_vault.yml +++ b/tests/vault/test_vault.yml @@ -394,6 +394,15 @@ register: result failed_when: not result.changed + - name: Archive data from a file, in standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + in: "{{ ansible_env.HOME }}/in.txt" + register: result + failed_when: not result.changed + - name: Retrieve data from standard vault. ipavault: ipaadmin_password: SomeADMINpassword From 0bcb4eaf0fc66e6bdf1c4a2afaaf92de1be4538e Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Mon, 18 May 2020 18:08:34 -0300 Subject: [PATCH 3/4] Add state `retrieved` to ipavault to retrieve vault stored data. This patch adds support for retrieving data stored in an IPA vault by adding a new valid state for ipavault: `retrieved`. To allow the retrieval of data from assymetric vaults, the attributes `private_key`, `private_key_files` and `out` were also added to the module. The private key files, `private.pem`, should be paired with the already existing `public.pem` public key files. Tests were updated to reflect changes and two new playbooks were added: playbooks/vault/retrive-data-asymmetric-vault.yml playbooks/vault/retrive-data-symmetric-vault.yml --- README-vault.md | 24 +- .../vault/retrive-data-asymmetric-vault.yml | 12 +- .../vault/retrive-data-symmetric-vault.yml | 7 +- plugins/modules/ipavault.py | 230 ++++++++++-------- tests/vault/test_vault.yml | 29 +-- 5 files changed, 169 insertions(+), 133 deletions(-) diff --git a/README-vault.md b/README-vault.md index 61f68414..c7ae6916 100644 --- a/README-vault.md +++ b/README-vault.md @@ -144,8 +144,7 @@ Example playbook to retrieve vault data from a symmetric vault: name: symvault username: admin password: SomeVAULTpassword - retrieve: true - action: member + state: retrieved ``` Example playbook to make sure vault data is absent in a symmetric vault: @@ -180,6 +179,9 @@ Example playbook to make sure vault is absent: name: symvault username: admin state: absent + register: result + - debug: + msg: "{{ result.data }}" ``` Variables @@ -199,7 +201,7 @@ Variable | Description | Required `public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no `public_key_file` \| `vault_public_key_file` | Path to file with public key. | no `private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no -`private_key_file` \| `vault_private_key_file` | Path to file with private key. | no +`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no `salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no `vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no `user` \| `username` | Any user can own one or more user vaults. | no @@ -211,9 +213,21 @@ Variable | Description | Required `data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no `in` \| `datafile_in` | Path to file with data to be stored in the vault. | no `out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no -`retrieve` | If set to True, retrieve data stored in the vault. (bool) | no `action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no -`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no +`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no + + +Return Values +============= + +ipavault +-------- + +There is only a return value if `state` is `retrieved`. + +Variable | Description | Returned When +-------- | ----------- | ------------- +`data` | The data stored in the vault. | If `state` is `retrieved`. Notes diff --git a/playbooks/vault/retrive-data-asymmetric-vault.yml b/playbooks/vault/retrive-data-asymmetric-vault.yml index 420acc78..5f67c593 100644 --- a/playbooks/vault/retrive-data-asymmetric-vault.yml +++ b/playbooks/vault/retrive-data-asymmetric-vault.yml @@ -1,19 +1,17 @@ --- - name: Tests hosts: ipaserver - become: true - gather_facts: True + become: no + gather_facts: no tasks: - name: Retrieve data from assymetric vault with a private key file. ipavault: ipaadmin_password: SomeADMINpassword - name: symvault - username: admin + name: asymvault + username: user01 private_key_file: private.pem - retrieve: True + state: retrieved register: result - debug: msg: "Data: {{ result.data }}" - - debug: - msg: "Decoded Data: {{ result.data | b64decode }}" diff --git a/playbooks/vault/retrive-data-symmetric-vault.yml b/playbooks/vault/retrive-data-symmetric-vault.yml index 0ac13372..163f8b95 100644 --- a/playbooks/vault/retrive-data-symmetric-vault.yml +++ b/playbooks/vault/retrive-data-symmetric-vault.yml @@ -1,8 +1,8 @@ --- - name: Tests hosts: ipaserver - become: true - gather_facts: True + become: no + gather_facts: no tasks: - name: Retrieve data from symmetric vault. @@ -11,8 +11,7 @@ name: symvault username: admin password: SomeVAULTpassword - retrieve: yes - action: member + state: retrieved register: result - debug: msg: "{{ result.data | b64decode }}" diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py index d97c022c..ad5dd413 100644 --- a/plugins/modules/ipavault.py +++ b/plugins/modules/ipavault.py @@ -74,7 +74,7 @@ options: description: file with password to be used on symmetric vault. required: false type: string - aliases: ["ipavaultpassword", "vault_password"] + aliases: ["vault_password_file"] salt: description: Vault salt. required: false @@ -99,16 +99,24 @@ options: description: Vault is shared. required: false type: boolean - owners: - description: Users that are owners of the container. - required: false - type: list users: - description: Users that are member of the container. + description: Users that are member of the vault. required: false type: list groups: - description: Groups that are member of the container. + description: Groups that are member of the vault. + required: false + type: list + owners: + description: Users that are owners of the vault. + required: false + type: list + ownergroups: + description: Groups that are owners of the vault. + required: false + type: list + ownerservices: + description: Services that are owners of the vault. required: false type: list services: @@ -130,10 +138,6 @@ options: required: false type: string aliases: ["datafile_out"] - retrieve: - description: If set to True, retrieve data stored in the vault. - required: false - type: bool action: description: Work on vault or member level. default: vault @@ -141,7 +145,7 @@ options: state: description: State to ensure default: present - choices: ["present", "absent"] + choices: ["present", "absent", "retrieved"] author: - Rafael Jeffman """ @@ -228,8 +232,7 @@ EXAMPLES = """ name: symvault username: admin password: SomeVAULTpassword - retrieve: yes - action: member + state: retrieved register: result - debug: msg: "{{ result.data | b64decode }}" @@ -266,14 +269,13 @@ EXAMPLES = """ More data archived. action: member -# Retrive data archived in an asymmetric vault +# Retrive data archived in an asymmetric vault, using a private key file. - ipavault: ipaadmin_password: SomeADMINpassword name: asymvault username: admin - retrieve: yes - private_key: - + private_key_file: private.pem + state: retrieved # Ensure asymmetric vault is absent. - ipavault: @@ -285,10 +287,14 @@ EXAMPLES = """ """ RETURN = """ +user: + description: The vault data. + returned: If state is retrieved. + type: string """ import os -from base64 import b64encode, b64decode +from base64 import b64decode from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, \ @@ -355,14 +361,17 @@ def gen_member_args(args, users, groups, services): if arg in _args: del _args[arg] - if users is not None: - _args['user'] = users - if groups is not None: - _args['group'] = groups - if services is not None: - _args['services'] = services + if any([users, groups, services]): + if users is not None: + _args['user'] = users + if groups is not None: + _args['group'] = groups + if services is not None: + _args['services'] = services - return _args + return _args + + return None def data_storage_args(args, data, password, password_file, private_key, @@ -410,43 +419,35 @@ def check_parameters(module, state, action, description, username, service, private_key_file, vault_data, datafile_in, datafile_out): invalid = [] if state == "present": - if salt is not None: - if vault_type is not None and vault_type != "symmetric": - module.fail_json( - msg="Attribute `salt` can only be used with `symmetric` " - "vaults.") - if not any([password, password_file]): - module.fail_json( - msg="Value of `salt` can only modified by providing " - "vault password.") + invalid = ['private_key', 'private_key_file', 'datafile_out'] + if action == "member": - invalid = ['description'] - - elif state == "absent": - invalid = ['description', 'salt', 'vault_type', 'datafile_in', - 'vault_data'] - - if action == "vault": - invalid.extend(['users', 'groups', 'owners', 'ownergroups', - 'password', 'password_file', 'public_key', - 'public_key_file']) - - for arg in invalid: - if vars()[arg] is not None: - module.fail_json( - msg="Argument '%s' can not be used with state '%s', " - "action '%s'" % (arg, state, action)) + invalid.extend(['description']) elif state == "absent": invalid = ['description', 'salt', 'vault_type', 'private_key', - 'private_key_file', 'retrieve', 'datafile_in', - 'datafile_out', 'vault_data'] + 'private_key_file', 'datafile_in', 'datafile_out', + 'vault_data'] if action == "vault": invalid.extend(['users', 'groups', 'services', 'owners', 'ownergroups', 'ownerservices', 'password', 'password_file', 'public_key', 'public_key_file']) + elif state == "retrieved": + invalid = ['description', 'salt', 'datafile_in', 'users', 'groups', + 'owners', 'ownergroups', 'public_key', 'public_key_file', + 'vault_data'] + if action == 'member': + module.fail_json( + msg="State `retrieved` do not support action `member`.") + + for arg in invalid: + if vars()[arg] is not None: + module.fail_json( + msg="Argument '%s' can not be used with state '%s', " + "action '%s'" % (arg, state, action)) + for arg in invalid: if vars()[arg] is not None: module.fail_json( @@ -454,30 +455,30 @@ def check_parameters(module, state, action, description, username, service, "action '%s'" % (arg, state, action)) -def check_encryption_params(module, state, vault_type, salt, password, - password_file, public_key, public_key_file, - private_key, private_key_file, vault_data, - datafile_in, datafile_out, res_find): +def check_encryption_params(module, state, action, vault_type, salt, + password, password_file, public_key, + public_key_file, private_key, private_key_file, + vault_data, datafile_in, datafile_out, res_find): vault_type_invalid = [] - if state == "present": - if vault_type == "standard": - vault_type_invalid = ['public_key', 'public_key_file', 'password', - 'password_file', 'salt'] + if vault_type == "standard": + vault_type_invalid = ['public_key', 'public_key_file', 'password', + 'password_file', 'salt'] - if vault_type is None or vault_type == "symmetric": - vault_type_invalid = ['public_key', 'public_key_file', - 'private_key', 'private_key_file'] - if not any([password, password_file]): - module.fail_json( - msg="Symmetric vault requires password or password_file " - "to store data.") + if vault_type is None or vault_type == "symmetric": + vault_type_invalid = ['public_key', 'public_key_file', + 'private_key', 'private_key_file'] - if vault_type == "asymmetric": - vault_type_invalid = ['password', 'password_file'] - if not any([public_key, public_key_file]) and res_find is None: - module.fail_json( - msg="Assymmetric vault requires public_key " - "or public_key_file to store data.") + if password is None and password_file is None and action != 'member': + module.fail_json( + msg="Symmetric vault requires password or password_file " + "to store data or change `salt`.") + + if vault_type == "asymmetric": + vault_type_invalid = ['password', 'password_file'] + if not any([public_key, public_key_file]) and res_find is None: + module.fail_json( + msg="Assymmetric vault requires public_key " + "or public_key_file to store data.") for param in vault_type_invalid: if vars()[param] is not None: @@ -511,7 +512,6 @@ def main(): vault_private_key_file=dict(type="str", required=False, default=None, aliases=['private_key_file']), - retrieve=dict(type="bool", required=False, default=None), vault_salt=dict(type="str", required=False, default=None, aliases=['ipavaultsalt', 'salt']), username=dict(type="str", required=False, default=None, @@ -541,7 +541,7 @@ def main(): action=dict(type="str", default="vault", choices=["vault", "data", "member"]), state=dict(type="str", default="present", - choices=["present", "absent"]), + choices=["present", "absent", "retrieved"]), ), supports_check_mode=True, mutually_exclusive=[['username', 'service', 'shared'], @@ -602,6 +602,11 @@ def main(): if len(names) < 1: ansible_module.fail_json(msg="No name given.") + elif state == "retrieved": + if len(names) != 1: + ansible_module.fail_json( + msg="Only one vault can be retrieved at a time.") + else: ansible_module.fail_json(msg="Invalid state '%s'" % state) @@ -648,15 +653,14 @@ def main(): else: args['ipavaulttype'] = vault_type = "symmetric" - # verify data encription args - check_encryption_params(ansible_module, state, vault_type, salt, - password, password_file, public_key, - public_key_file, private_key, - private_key_file, vault_data, - datafile_in, datafile_out, res_find) - # Create command if state == "present": + # verify data encription args + check_encryption_params( + ansible_module, state, action, vault_type, salt, password, + password_file, public_key, public_key_file, private_key, + private_key_file, vault_data, datafile_in, datafile_out, + res_find) # Found the vault if action == "vault": @@ -702,25 +706,32 @@ def main(): # Add users and groups user_add_args = gen_member_args(args, user_add, group_add, service_add) - commands.append([name, 'vault_add_member', user_add_args]) + if user_add_args is not None: + commands.append( + [name, 'vault_add_member', user_add_args]) # Remove users and groups user_del_args = gen_member_args(args, user_del, group_del, service_del) - commands.append( - [name, 'vault_remove_member', user_del_args]) + if user_del_args is not None: + commands.append( + [name, 'vault_remove_member', user_del_args]) # Add owner users and groups owner_add_args = gen_member_args( args, owner_add, ownergroups_add, ownerservice_add) - commands.append( - [name, 'vault_add_owner', owner_add_args]) + if owner_add_args is not None: + # ansible_module.warn("OWNER ADD: %s" % owner_add_args) + commands.append( + [name, 'vault_add_owner', owner_add_args]) # Remove owner users and groups owner_del_args = gen_member_args( args, owner_del, ownergroups_del, ownerservice_del) - commands.append( - [name, 'vault_remove_owner', owner_del_args]) + if owner_del_args is not None: + # ansible_module.warn("OWNER DEL: %s" % owner_del_args) + commands.append( + [name, 'vault_remove_owner', owner_del_args]) if vault_type == 'symmetric' \ and 'ipavaultsalt' not in args: @@ -746,10 +757,28 @@ def main(): private_key_file, datafile_in, datafile_out) if any([vault_data, datafile_in]): commands.append([name, "vault_archive", pwdargs]) - if retrieve: - if 'data' in pwdargs: - del pwdargs['data'] - commands.append([name, "vault_retrieve", pwdargs]) + + elif state == "retrieved": + if res_find is None: + ansible_module.fail_json( + msg="Vault `%s` not found to retrieve data." % name) + + vault_type = res_find['cn'] + + # verify data encription args + check_encryption_params( + ansible_module, state, action, vault_type, salt, password, + password_file, public_key, public_key_file, private_key, + private_key_file, vault_data, datafile_in, datafile_out, + res_find) + + pwdargs = data_storage_args( + args, vault_data, password, password_file, private_key, + private_key_file, datafile_in, datafile_out) + if 'data' in pwdargs: + del pwdargs['data'] + + commands.append([name, "vault_retrieve", pwdargs]) elif state == "absent": if 'ipavaulttype' in args: @@ -777,21 +806,30 @@ def main(): msg="Invalid action '%s' for state '%s'" % (action, state)) else: - ansible_module.fail_json(msg="Unkown state '%s'" % state) + ansible_module.fail_json(msg="Unknown state '%s'" % state) # Execute commands errors = [] for name, command, args in commands: try: + # ansible_module.warn("RUN: %s %s %s" % (command, name, args)) result = api_command(ansible_module, command, name, args) if command == 'vault_archive': changed = 'Archived data into' in result['summary'] elif command == 'vault_retrieve': - exit_args['data'] = b64encode(result['result']['data']) + if 'result' not in result: + raise Exception("No result obtained.") + if 'data' in result['result']: + exit_args['data'] = result['result']['data'] + elif 'vault_data' in result['result']: + exit_args['data'] = result['result']['vault_data'] + else: + raise Exception("No data retrieved.") changed = False else: + # ansible_module.warn("RESULT: %s" % (result)) if "completed" in result: if result["completed"] > 0: changed = True diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml index 6211c8d9..2e2c03e3 100644 --- a/tests/vault/test_vault.yml +++ b/tests/vault/test_vault.yml @@ -1,5 +1,4 @@ --- - - name: Test vault hosts: ipaserver become: true @@ -120,7 +119,6 @@ ipavault: ipaadmin_password: SomeADMINpassword name: stdvault - vault_type: standard state: absent register: result failed_when: not result.changed @@ -129,7 +127,6 @@ ipavault: ipaadmin_password: SomeADMINpassword name: stdvault - vault_type: standard state: absent register: result failed_when: result.changed @@ -221,7 +218,6 @@ register: result failed_when: not result.changed - - name: Ensure symmetric vault is present, with password from file. ipavault: ipaadmin_password: SomeADMINpassword @@ -330,11 +326,11 @@ name: asymvault username: user01 vault_type: asymmetric - retrieve: true private_key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBck01L2Y2ZGQvWUltL2E5ZW9HVlRXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4CkhENCtSVlV3eC9scWxrUFliVWk5YlhWL3JKQWtVd0FFRE9uSmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVkKU2lxeXlOeEZJSnZaQW8wZEc0Q0FXallLMjd0TGc0SWg2b0dzWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZQpETU81N3Vudm1JS0VtYUJFMGV3UGZ2a2RaaDVrOEd0czlINGZoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkCituN0JiYVZjODIwVGdaRE8vclNZdG51WGFJYzZXeDBVOUxYWmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFAKcXJHcW15V2QvRTFjSDJiNWp6SXhpR284cHNMNXN4V1ZZN1dKZHdJREFRQUJBb0lCQUE2ZTlpaXQxNFVBZ3g0Sgp2WDdpczlmYk90Y1drQitqbzk0Tk1meFNGWGdacElNbDEzOW9RTXFLOTdLanhzSHFBYURWZTdtTUxINUVQOTZKCjdNM081ZzRyZ2wwY1ZXdHBNckRReVpzTHZxREZ6Qld4dENIcVZQQXJ1dW1VWmhzU0ozbFJPUXJvOGFnL3c1YmYKNXRDNW9nVnE0K3JzQjRoQnBoZ3Axakdyc1VNK0U4TzdEWFhGSDY4RjhXZ0JpNzI1V3Zjam5iSTlpcmtiMEdjcQoxYkNQSndOM2ZBMWkyVldpUndWWVdiTlRXbkRvTk05WmRZWXhLMGt1VWtEK1F0cmV5Y1dQZjlWNDlsdlVpMVZwCkZWTm1CVUR2R0szSzFNd2JnWFJ3T1hoYWNZN1B0amtkdmFlYjJRY3U1UmpUa3J1R2h6VVlzT1AzcC9jdyt3S1YKdnpRcWNlRUNnWUVBNVd6N1YyU2xSYTJyLy96K0VUUWtKZkVOSjBLRG5DYjBwTUNsQ1FoM2pUTlBBNkRiaGlNawpGVGtjb05icWNwVGlWU2x2aGg2VEtzY1NncVlRVWpRL09xeUc3U2tqS1ZqUTcyajViZVFMeGlMVHRVeWoxT21QClhoOWNXSlh4OGlRKzQ1Y1BvbitrTU9BSWlUd2lCM21tRlJmUWpJR3ZlMURQVW85SitOWjRYZEVDZ1lFQXdOS2cKT2RHWXh4S3RDclhWejFtZGc2UERsVjhxaDdueHhaYlBjaCthTUlRbDErb1RDZ1NpdzhvT1lFZDhnMEhPZFY2dAoxRytJV2h2UHhpaVd5My9BRTBRaGdvS2syR1VzU2pXU01MY0piYVV6RG9FSEZqVExqZWNSbHFkem83cXhSWHFCCm1lTjRMNVdKWUtuTEM0ODJLN2h2dWZTK3VvNWZCNXF3UG10MTNNY0NnWUFlNFRWUFJQK3R5anR0WUNyK084dGwKdy9VbVJLQ2NRdTRJd3Rrenh3ejRWMkNhTjJ0MHVZUWd5eWdjU2ZFU2JSR3RycjhSQ1VwN3BvSEtUZm5DWnIvZgo4TnJVVHdZcGlZZk53WTVaQ1NuQWlHMkFhSWxnbmZNckV3T0Y5T0MwMjhZUE1nVHJ0VXh2TzZoS2VHcUlJUXFHCnFrYnFzb1hoRGpacGdWbk9nV2VBRVFLQmdHdWlaMHcvSXFBbFhiQzMxZlViMmlCTWZ2WFhuSjhNL2RmRkdtRmoKSUtmcWJGRjlXVWxqVXhRbHF5YTFZTnpJRkI1U1RvaGlCZVArMkZtTitMYjV4ZGM3VmRWTFpnZGhXbnJHTXFlOAoxS2QrNnVReXhDanlLWm81blFqU3ltdGY0R3FmT3M4VE9kaWVDWVNLNDB1OWtvaVBPTmE5dHVYZWFVK09Xc2xOCkpRcXJBb0dCQUozTUtPdnNuUXp1WlZQMnZ6MFpxTHdJRTNYalJpRkd2ZVZwaXpxNGh3T1ZldU5zVjA4SnZBMHQKcHVlTkl5OWtsUFNjRmM5T1VkaVpXa0VYMDlCd0prVklyT0hvdHVTQjhBU3RPNVVBbnRObnV5V0xKRUZDNFVxNApHcEI4bGJqOWpreFNLYVU3WDNHYWMyM0s5Skw4ZXVMaDdFN3JQdVpSWWE2bVlONG5iS3F1Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + state: retrieved register: result - failed_when: result.data | b64decode != 'Hello World.' or result.changed + failed_when: result.changed or result.failed or result['data'] != 'Hello World.' - name: Retrieve data from asymmetric vault, with private key file. ipavault: @@ -342,10 +338,10 @@ name: asymvault username: user01 vault_type: asymmetric - retrieve: true private_key_file: "{{ ansible_env.HOME }}/private.pem" + state: retrieved register: result - failed_when: result.data | b64decode != 'Hello World.' or result.changed + failed_when: result.failed or result.changed or result['data'] != 'Hello World.' - name: Ensure asymmetric vault is absent. ipavault: @@ -394,22 +390,13 @@ register: result failed_when: not result.changed - - name: Archive data from a file, in standard vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - in: "{{ ansible_env.HOME }}/in.txt" - register: result - failed_when: not result.changed - - name: Retrieve data from standard vault. ipavault: ipaadmin_password: SomeADMINpassword name: stdvault username: user01 - retrieve: yes out: "{{ ansible_env.HOME }}/data.txt" + state: retrieved register: result failed_when: result.changed @@ -419,7 +406,7 @@ register: slurpfile failed_when: slurpfile['content'] | b64decode != 'Hello World.' - - name: Archive data in standard vault. + - name: Archive data in standard vault, from file. ipavault: ipaadmin_password: SomeADMINpassword name: stdvault @@ -434,9 +421,9 @@ name: stdvault username: user01 vault_type: standard - retrieve: true + state: retrieved register: result - failed_when: result.data | b64decode != 'Another World.' or result.changed + failed_when: result.data != 'Another World.' or result.changed - name: Ensure standard vault member user is present. ipavault: From da87f1648ed33981809228254d65b82c49400dec Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Thu, 28 May 2020 13:09:09 -0300 Subject: [PATCH 4/4] Split vault tests in different files. This change split vault tests in several files, organized by vault type and operation (vault vs. member) so that it is easier to add new tests for issues and verify if tests are missing. --- tests/vault/env_cleanup.yml | 64 ++ tests/vault/env_setup.yml | 55 ++ tests/vault/private.pem | 27 - tests/vault/public.pem | 9 - tests/vault/tasks_vault_members.yml | 318 +++++++++ tests/vault/test_vault.yml | 925 -------------------------- tests/vault/test_vault_asymmetric.yml | 192 ++++++ tests/vault/test_vault_members.yml | 20 + tests/vault/test_vault_standard.yml | 125 ++++ tests/vault/test_vault_symmetric.yml | 198 ++++++ 10 files changed, 972 insertions(+), 961 deletions(-) create mode 100644 tests/vault/env_cleanup.yml create mode 100644 tests/vault/env_setup.yml delete mode 100644 tests/vault/private.pem delete mode 100644 tests/vault/public.pem create mode 100644 tests/vault/tasks_vault_members.yml delete mode 100644 tests/vault/test_vault.yml create mode 100644 tests/vault/test_vault_asymmetric.yml create mode 100644 tests/vault/test_vault_members.yml create mode 100644 tests/vault/test_vault_standard.yml create mode 100644 tests/vault/test_vault_symmetric.yml diff --git a/tests/vault/env_cleanup.yml b/tests/vault/env_cleanup.yml new file mode 100644 index 00000000..081a9d96 --- /dev/null +++ b/tests/vault/env_cleanup.yml @@ -0,0 +1,64 @@ +# Tasks executed to clean up test environment for Vault module. + + - name: Ensure user vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: + - stdvault + - symvault + - asymvault + username: "{{username}}" + state: absent + loop: + - admin + - user01 + loop_control: + loop_var: username + + - name: Ensure shared vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: + - sharedvault + - svcvault + state: absent + + - name: Ensure test users do not exist. + ipauser: + ipaadmin_password: SomeADMINpassword + name: + - user01 + - user02 + - user03 + state: absent + + - name: Ensure test groups do not exist. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: vaultgroup + state: absent + + - name: Remove password file from target host. + file: + path: "{{ ansible_env.HOME }}/password.txt" + state: absent + + - name: Remove public key file from target host. + file: + path: "{{ ansible_env.HOME }}/public.pem" + state: absent + + - name: Remove private key file from target host. + file: + path: "{{ ansible_env.HOME }}/private.pem" + state: absent + + - name: Remove output data file from target host. + file: + path: "{{ ansible_env.HOME }}/data.txt" + state: absent + + - name: Remove input data file from target host. + file: + path: "{{ ansible_env.HOME }}/in.txt" + state: absent diff --git a/tests/vault/env_setup.yml b/tests/vault/env_setup.yml new file mode 100644 index 00000000..a8437b86 --- /dev/null +++ b/tests/vault/env_setup.yml @@ -0,0 +1,55 @@ +# Tasks executed to ensure a sane environment to test IPA Vault module. + + - name: Create private key file. + shell: + cmd: openssl genrsa -out private.pem 2048 + delegate_to: localhost + become: no + + - name: Create public key file. + shell: + cmd: openssl rsa -in private.pem -outform PEM -pubout -out public.pem + delegate_to: localhost + become: no + + - name: Ensure environment is clean. + import_tasks: env_cleanup.yml + + - name: Copy password file to target host. + copy: + src: "{{ playbook_dir }}/password.txt" + dest: "{{ ansible_env.HOME }}/password.txt" + + - name: Copy public key file to target host. + copy: + src: "{{ playbook_dir }}/public.pem" + dest: "{{ ansible_env.HOME }}/public.pem" + + - name: Copy private key file to target host. + copy: + src: "{{ playbook_dir }}/private.pem" + dest: "{{ ansible_env.HOME }}/private.pem" + + - name: Copy input data file to target host. + copy: + src: "{{ playbook_dir }}/in.txt" + dest: "{{ ansible_env.HOME }}/in.txt" + + - name: Ensure vaultgroup exists. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: vaultgroup + + - name: Ensure testing users exist. + ipauser: + ipaadmin_password: SomeADMINpassword + users: + - name: user01 + first: First + last: Start + - name: user02 + first: Second + last: Middle + - name: user03 + first: Third + last: Last diff --git a/tests/vault/private.pem b/tests/vault/private.pem deleted file mode 100644 index 0ac895b9..00000000 --- a/tests/vault/private.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArM5/f6dd/YIm/a9eoGVTW8jobEgrf9PXRA3aHsA7kJo6fB18 -HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJeqXESZ+gVCVmigRzmKWK2ad9agmY -SiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGsZIDG+WVES5W89K+L0bwVjq4tshhe -DMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4fh0fGk5tbIYa0bhwMUpL+WHOm6nbd -+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZkUmk3apMnzknNaTqguAQdTn79G8P -qrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJdwIDAQABAoIBAA6e9iit14UAgx4J -vX7is9fbOtcWkB+jo94NMfxSFXgZpIMl139oQMqK97KjxsHqAaDVe7mMLH5EP96J -7M3O5g4rgl0cVWtpMrDQyZsLvqDFzBWxtCHqVPAruumUZhsSJ3lROQro8ag/w5bf -5tC5ogVq4+rsB4hBphgp1jGrsUM+E8O7DXXFH68F8WgBi725WvcjnbI9irkb0Gcq -1bCPJwN3fA1i2VWiRwVYWbNTWnDoNM9ZdYYxK0kuUkD+QtreycWPf9V49lvUi1Vp -FVNmBUDvGK3K1MwbgXRwOXhacY7Ptjkdvaeb2Qcu5RjTkruGhzUYsOP3p/cw+wKV -vzQqceECgYEA5Wz7V2SlRa2r//z+ETQkJfENJ0KDnCb0pMClCQh3jTNPA6DbhiMk -FTkcoNbqcpTiVSlvhh6TKscSgqYQUjQ/OqyG7SkjKVjQ72j5beQLxiLTtUyj1OmP -Xh9cWJXx8iQ+45cPon+kMOAIiTwiB3mmFRfQjIGve1DPUo9J+NZ4XdECgYEAwNKg -OdGYxxKtCrXVz1mdg6PDlV8qh7nxxZbPch+aMIQl1+oTCgSiw8oOYEd8g0HOdV6t -1G+IWhvPxiiWy3/AE0QhgoKk2GUsSjWSMLcJbaUzDoEHFjTLjecRlqdzo7qxRXqB -meN4L5WJYKnLC482K7hvufS+uo5fB5qwPmt13McCgYAe4TVPRP+tyjttYCr+O8tl -w/UmRKCcQu4Iwtkzxwz4V2CaN2t0uYQgyygcSfESbRGtrr8RCUp7poHKTfnCZr/f -8NrUTwYpiYfNwY5ZCSnAiG2AaIlgnfMrEwOF9OC028YPMgTrtUxvO6hKeGqIIQqG -qkbqsoXhDjZpgVnOgWeAEQKBgGuiZ0w/IqAlXbC31fUb2iBMfvXXnJ8M/dfFGmFj -IKfqbFF9WUljUxQlqya1YNzIFB5STohiBeP+2FmN+Lb5xdc7VdVLZgdhWnrGMqe8 -1Kd+6uQyxCjyKZo5nQjSymtf4GqfOs8TOdieCYSK40u9koiPONa9tuXeaU+OWslN -JQqrAoGBAJ3MKOvsnQzuZVP2vz0ZqLwIE3XjRiFGveVpizq4hwOVeuNsV08JvA0t -pueNIy9klPScFc9OUdiZWkEX09BwJkVIrOHotuSB8AStO5UAntNnuyWLJEFC4Uq4 -GpB8lbj9jkxSKaU7X3Gac23K9JL8euLh7E7rPuZRYa6mYN4nbKqu ------END RSA PRIVATE KEY----- diff --git a/tests/vault/public.pem b/tests/vault/public.pem deleted file mode 100644 index d8a9f71b..00000000 --- a/tests/vault/public.pem +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArM5/f6dd/YIm/a9eoGVT -W8jobEgrf9PXRA3aHsA7kJo6fB18HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJ -eqXESZ+gVCVmigRzmKWK2ad9agmYSiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGs -ZIDG+WVES5W89K+L0bwVjq4tshheDMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4f -h0fGk5tbIYa0bhwMUpL+WHOm6nbd+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZ -kUmk3apMnzknNaTqguAQdTn79G8PqrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJ -dwIDAQAB ------END PUBLIC KEY----- diff --git a/tests/vault/tasks_vault_members.yml b/tests/vault/tasks_vault_members.yml new file mode 100644 index 00000000..12332ff1 --- /dev/null +++ b/tests/vault/tasks_vault_members.yml @@ -0,0 +1,318 @@ +--- +# Tasks to test member management for Vault module. + - name: Setup testing environment. + import_tasks: env_setup.yml + + - name: Ensure vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + vault_type: "{{vault.vault_type}}" + register: result + failed_when: not result.changed + when: vault.vault_type == 'standard' + + - name: Ensure vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + vault_password: SomeVAULTpassword + vault_type: "{{vault.vault_type}}" + register: result + failed_when: not result.changed + when: vault.vault_type == 'symmetric' + + - name: Ensure vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + vault_type: "{{vault.vault_type}}" + public_key: "{{lookup('file', 'private.pem') | b64encode}}" + register: result + failed_when: not result.changed + when: vault.vault_type == 'asymmetric' + + - name: Ensure vault member user is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - user02 + register: result + failed_when: not result.changed + + - name: Ensure vault member user is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - user02 + register: result + failed_when: result.changed + + - name: Ensure more vault member users are present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - admin + - user02 + register: result + failed_when: not result.changed + + - name: Ensure vault member user is still present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - user02 + register: result + failed_when: result.changed + + - name: Ensure vault users are absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - admin + - user02 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault users are absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - admin + - user02 + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault user is absent, once more. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - admin + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault member group is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + groups: vaultgroup + register: result + failed_when: not result.changed + + - name: Ensure vault member group is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + groups: vaultgroup + register: result + failed_when: result.changed + + - name: Ensure vault member group is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + groups: vaultgroup + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault member group is absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + groups: vaultgroup + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault member service is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + register: result + failed_when: not result.changed + + - name: Ensure vault member service is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + register: result + failed_when: result.changed + + - name: Ensure vault member service is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault member service is absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + register: result + failed_when: result.changed + + - name: Ensure user03 is an owner of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + owners: user03 + action: member + register: result + failed_when: not result.changed + + - name: Ensure user03 is an owner of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + owners: user03 + action: member + register: result + failed_when: result.changed + + - name: Ensure user03 is not owner of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + owners: user03 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure user03 is not owner of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + owners: user03 + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure vaultgroup is an ownergroup of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownergroups: vaultgroup + action: member + register: result + failed_when: not result.changed + + - name: Ensure vaultgroup is an ownergroup of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownergroups: vaultgroup + action: member + register: result + failed_when: result.changed + + - name: Ensure vaultgroup is not ownergroup of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownergroups: vaultgroup + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure vaultgroup is not ownergroup of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownergroups: vaultgroup + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure service is an owner of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + action: member + register: result + failed_when: not result.changed + + - name: Ensure service is an owner of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + action: member + register: result + failed_when: result.changed + + - name: Ensure service is not owner of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure service is not owner of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure {{vault.vault_type}} vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure {{vault.vault_type}} vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + state: absent + register: result + failed_when: result.changed + + - name: Cleanup testing environment. + import_tasks: env_cleanup.yml diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml deleted file mode 100644 index 2e2c03e3..00000000 --- a/tests/vault/test_vault.yml +++ /dev/null @@ -1,925 +0,0 @@ ---- -- name: Test vault - hosts: ipaserver - become: true - # Need to gather facts for ansible_env. - gather_facts: true - - tasks: - - - name: Copy password file to target host. - copy: - src: "{{ playbook_dir }}/password.txt" - dest: "{{ ansible_env.HOME }}/password.txt" - - - name: Copy public key file to target host. - copy: - src: "{{ playbook_dir }}/public.pem" - dest: "{{ ansible_env.HOME }}/public.pem" - - - name: Copy private key file to target host. - copy: - src: "{{ playbook_dir }}/private.pem" - dest: "{{ ansible_env.HOME }}/private.pem" - - - name: Copy input data file to target host. - copy: - src: "{{ playbook_dir }}/in.txt" - dest: "{{ ansible_env.HOME }}/in.txt" - - - name: Ensure user vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: - - stdvault - - symvault - - asymvault - username: user01 - state: absent - - - name: Ensure test users do not exist. - ipauser: - ipaadmin_password: SomeADMINpassword - name: - - user01 - - user02 - - user03 - state: absent - - - name: Ensure test groups do not exist. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: vaultgroup - state: absent - - - name: Ensure vaultgroup exists. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: vaultgroup - - - name: Ensure user01 exists. - ipauser: - ipaadmin_password: SomeADMINpassword - name: user01 - first: First - last: Start - - - name: Ensure user02 exists. - ipauser: - ipaadmin_password: SomeADMINpassword - name: user02 - first: Second - last: Middle - - - name: Ensure user03 exists. - ipauser: - ipaadmin_password: SomeADMINpassword - name: user03 - first: Third - last: Last - - - name: Ensure shared vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - state: absent - - - name: Ensure standard vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - state: absent - - - name: Ensure service vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - service: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - - # tests - - name: Ensure standard vault is present - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - vault_type: standard - register: result - failed_when: not result.changed - - - name: Ensure standard vault is present, again - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - vault_type: standard - register: result - failed_when: result.changed - - - name: Ensure standard vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - state: absent - register: result - failed_when: not result.changed - - - name: Ensure standard vault is absent, again - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - state: absent - register: result - failed_when: result.changed - - - name: Ensure symmetric vault is present - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_type: symmetric - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is present, again - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_type: symmetric - register: result - failed_when: result.changed - - - name: Archive data to symmetric vault - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Archive data with non-ASCII characters to symmetric vault - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_data: The world of π is half rounded. - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is absent, again - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure symmetric vault is present - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_type: symmetric - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is present, with a different password - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeOtherVAULTpassword - vault_type: symmetric - register: result - failed_when: result.changed - - - name: Ensure symmetric vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is present, with password from file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password_file: "{{ ansible_env.HOME }}/password.txt" - vault_type: symmetric - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is present, with password from file, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password_file: password.txt - vault_type: symmetric - register: result - failed_when: result.changed - - - name: Ensure asymmetric vault is present, with public key file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - description: An asymmetric private vault. - public_key_file: "{{ ansible_env.HOME }}/public.pem" - vault_type: asymmetric - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is present, with public key file, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - description: An asymmetric private vault. - public_key_file: "{{ ansible_env.HOME }}/public.pem" - vault_type: asymmetric - register: result - failed_when: result.changed - - - name: Archive data in asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - state: absent - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - state: absent - register: result - failed_when: result.changed - - - name: Ensure asymmetric vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - description: An asymmetric private vault. - vault_public_key: - LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== - vault_type: asymmetric - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - description: An asymmetric private vault. - vault_public_key: - LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== - vault_type: asymmetric - register: result - failed_when: result.changed - - - name: Archive data in asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Retrieve data from asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_type: asymmetric - private_key: - LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBck01L2Y2ZGQvWUltL2E5ZW9HVlRXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4CkhENCtSVlV3eC9scWxrUFliVWk5YlhWL3JKQWtVd0FFRE9uSmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVkKU2lxeXlOeEZJSnZaQW8wZEc0Q0FXallLMjd0TGc0SWg2b0dzWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZQpETU81N3Vudm1JS0VtYUJFMGV3UGZ2a2RaaDVrOEd0czlINGZoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkCituN0JiYVZjODIwVGdaRE8vclNZdG51WGFJYzZXeDBVOUxYWmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFAKcXJHcW15V2QvRTFjSDJiNWp6SXhpR284cHNMNXN4V1ZZN1dKZHdJREFRQUJBb0lCQUE2ZTlpaXQxNFVBZ3g0Sgp2WDdpczlmYk90Y1drQitqbzk0Tk1meFNGWGdacElNbDEzOW9RTXFLOTdLanhzSHFBYURWZTdtTUxINUVQOTZKCjdNM081ZzRyZ2wwY1ZXdHBNckRReVpzTHZxREZ6Qld4dENIcVZQQXJ1dW1VWmhzU0ozbFJPUXJvOGFnL3c1YmYKNXRDNW9nVnE0K3JzQjRoQnBoZ3Axakdyc1VNK0U4TzdEWFhGSDY4RjhXZ0JpNzI1V3Zjam5iSTlpcmtiMEdjcQoxYkNQSndOM2ZBMWkyVldpUndWWVdiTlRXbkRvTk05WmRZWXhLMGt1VWtEK1F0cmV5Y1dQZjlWNDlsdlVpMVZwCkZWTm1CVUR2R0szSzFNd2JnWFJ3T1hoYWNZN1B0amtkdmFlYjJRY3U1UmpUa3J1R2h6VVlzT1AzcC9jdyt3S1YKdnpRcWNlRUNnWUVBNVd6N1YyU2xSYTJyLy96K0VUUWtKZkVOSjBLRG5DYjBwTUNsQ1FoM2pUTlBBNkRiaGlNawpGVGtjb05icWNwVGlWU2x2aGg2VEtzY1NncVlRVWpRL09xeUc3U2tqS1ZqUTcyajViZVFMeGlMVHRVeWoxT21QClhoOWNXSlh4OGlRKzQ1Y1BvbitrTU9BSWlUd2lCM21tRlJmUWpJR3ZlMURQVW85SitOWjRYZEVDZ1lFQXdOS2cKT2RHWXh4S3RDclhWejFtZGc2UERsVjhxaDdueHhaYlBjaCthTUlRbDErb1RDZ1NpdzhvT1lFZDhnMEhPZFY2dAoxRytJV2h2UHhpaVd5My9BRTBRaGdvS2syR1VzU2pXU01MY0piYVV6RG9FSEZqVExqZWNSbHFkem83cXhSWHFCCm1lTjRMNVdKWUtuTEM0ODJLN2h2dWZTK3VvNWZCNXF3UG10MTNNY0NnWUFlNFRWUFJQK3R5anR0WUNyK084dGwKdy9VbVJLQ2NRdTRJd3Rrenh3ejRWMkNhTjJ0MHVZUWd5eWdjU2ZFU2JSR3RycjhSQ1VwN3BvSEtUZm5DWnIvZgo4TnJVVHdZcGlZZk53WTVaQ1NuQWlHMkFhSWxnbmZNckV3T0Y5T0MwMjhZUE1nVHJ0VXh2TzZoS2VHcUlJUXFHCnFrYnFzb1hoRGpacGdWbk9nV2VBRVFLQmdHdWlaMHcvSXFBbFhiQzMxZlViMmlCTWZ2WFhuSjhNL2RmRkdtRmoKSUtmcWJGRjlXVWxqVXhRbHF5YTFZTnpJRkI1U1RvaGlCZVArMkZtTitMYjV4ZGM3VmRWTFpnZGhXbnJHTXFlOAoxS2QrNnVReXhDanlLWm81blFqU3ltdGY0R3FmT3M4VE9kaWVDWVNLNDB1OWtvaVBPTmE5dHVYZWFVK09Xc2xOCkpRcXJBb0dCQUozTUtPdnNuUXp1WlZQMnZ6MFpxTHdJRTNYalJpRkd2ZVZwaXpxNGh3T1ZldU5zVjA4SnZBMHQKcHVlTkl5OWtsUFNjRmM5T1VkaVpXa0VYMDlCd0prVklyT0hvdHVTQjhBU3RPNVVBbnRObnV5V0xKRUZDNFVxNApHcEI4bGJqOWpreFNLYVU3WDNHYWMyM0s5Skw4ZXVMaDdFN3JQdVpSWWE2bVlONG5iS3F1Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== - state: retrieved - register: result - failed_when: result.changed or result.failed or result['data'] != 'Hello World.' - - - name: Retrieve data from asymmetric vault, with private key file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_type: asymmetric - private_key_file: "{{ ansible_env.HOME }}/private.pem" - state: retrieved - register: result - failed_when: result.failed or result.changed or result['data'] != 'Hello World.' - - - name: Ensure asymmetric vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure standard vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - vault_type: standard - username: user01 - description: A standard private vault. - register: result - failed_when: not result.changed - - - name: Ensure standard vault is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_type: standard - description: A standard private vault. - register: result - failed_when: result.changed - - - name: Archive data in standard vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Retrieve data from standard vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - out: "{{ ansible_env.HOME }}/data.txt" - state: retrieved - register: result - failed_when: result.changed - - - name: Verify retrieved data. - slurp: - src: "{{ ansible_env.HOME }}/data.txt" - register: slurpfile - failed_when: slurpfile['content'] | b64decode != 'Hello World.' - - - name: Archive data in standard vault, from file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - in: "{{ ansible_env.HOME }}/in.txt" - register: result - failed_when: not result.changed - - - name: Retrieve data from standard vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_type: standard - state: retrieved - register: result - failed_when: result.data != 'Another World.' or result.changed - - - name: Ensure standard vault member user is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user02 - register: result - failed_when: not result.changed - - - name: Ensure standard vault member user is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user02 - register: result - failed_when: result.changed - - - name: Ensure more vault member users are present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user01 - - user02 - register: result - failed_when: not result.changed - - - name: Ensure vault member user is still present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user02 - register: result - failed_when: result.changed - - - name: Ensure vault users are absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user01 - - user02 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault users are absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user01 - - user02 - state: absent - register: result - failed_when: result.changed - - - name: Ensure vault user is absent, once more. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure vault member group is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - groups: vaultgroup - register: result - failed_when: not result.changed - - - name: Ensure vault member group is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - groups: vaultgroup - register: result - failed_when: result.changed - - - name: Ensure vault member group is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - groups: vaultgroup - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault member group is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - groups: vaultgroup - state: absent - register: result - failed_when: result.changed - - - name: Ensure vault member service is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - services: "HTTP/{{ groups.ipaserver[0] }}" - register: result - failed_when: not result.changed - - - name: Ensure vault member service is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - services: "HTTP/{{ groups.ipaserver[0] }}" - register: result - failed_when: result.changed - - - name: Ensure vault member service is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - services: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault member service is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - services: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - register: result - failed_when: result.changed - - - name: Ensure vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure shared vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - ipavaultpassword: SomeVAULTpassword - register: result - failed_when: not result.changed - - - name: Ensure shared vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - state: absent - register: result - failed_when: not result.changed - - - name: Ensure service vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - ipavaultpassword: SomeVAULTpassword - service: "HTTP/{{ groups.ipaserver[0] }}" - register: result - failed_when: not result.changed - - - name: Ensure service vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - service: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault is present, with members. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_type: standard - users: - - user02 - - user03 - groups: - - vaultgroup - register: result - failed_when: not result.changed - - - name: Ensure vault is present, with members, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_type: standard - users: - - user02 - - user03 - groups: - - vaultgroup - register: result - failed_when: result.changed - - - name: Ensure user02 is not a member of vault stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - users: user02 - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure user02 is not a member of vault stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - users: user02 - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure user02 is a member of vault stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - users: user02 - action: member - register: result - failed_when: not result.changed - - - name: Ensure user02 is a member of vault stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - users: user03 - action: member - register: result - failed_when: result.changed - - - name: Ensure user03 owns vault stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - owners: user03 - action: member - register: result - failed_when: not result.changed - - - name: Ensure user03 owns vault stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - owners: user03 - action: member - register: result - failed_when: result.changed - - - name: Ensure user03 is not owner of stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - owners: user03 - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure user03 is not owner of stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - owners: user03 - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure vaultgroup is owner of stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - action: member - register: result - failed_when: not result.changed - - - name: Ensure vaultgroup is owner of stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - action: member - register: result - failed_when: result.changed - - - name: Ensure vaultgroup is not owner of stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure vaultgroup is not owner of stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is owned by HTTP service. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - action: member - register: result - failed_when: not result.changed - - - name: Ensure vault is owned by HTTP service, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is not owned by HTTP service. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure vault is not owned by HTTP service, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - state: absent - - # cleaup - - name: Ensure user01 vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: - - stdvault - - symvault - - asymvault - username: user01 - state: absent - - - name: Ensure test vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: - - stdvault - - symvault - - asymvault - username: admin - state: absent - - - name: Ensure shared vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - state: absent - - - name: Ensure service vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - service: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - - - name: Ensure test users do not exist. - ipauser: - ipaadmin_password: SomeADMINpassword - name: - - user01 - - user02 - - user03 - state: absent - - - name: Ensure test groups do not exist. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: vaultgroup - state: absent - - - name: Remove password file from target host. - file: - path: "{{ ansible_env.HOME }}/password.txt" - state: absent - - - name: Remove public key file from target host. - file: - path: "{{ ansible_env.HOME }}/public.pem" - state: absent - - - name: Remove private key file from target host. - file: - path: "{{ ansible_env.HOME }}/private.pem" - state: absent - - - name: Remove output data file from target host. - file: - path: "{{ ansible_env.HOME }}/data.txt" - state: absent - - - name: Remove input data file from target host. - file: - path: "{{ ansible_env.HOME }}/in.txt" - state: absent diff --git a/tests/vault/test_vault_asymmetric.yml b/tests/vault/test_vault_asymmetric.yml new file mode 100644 index 00000000..1a1d3dca --- /dev/null +++ b/tests/vault/test_vault_asymmetric.yml @@ -0,0 +1,192 @@ +--- +- name: Test vault + hosts: ipaserver + become: true + # Need to gather facts for ansible_env. + gather_facts: true + + tasks: + - name: Setup testing environment. + import_tasks: env_setup.yml + + - name: Ensure asymmetric vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + vault_type: asymmetric + public_key: "{{ lookup('file', 'public.pem') | b64encode }}" + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is present, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + vault_type: asymmetric + public_key: "{{ lookup('file', 'public.pem') | b64encode }}" + register: result + failed_when: result.changed + + - name: Archive data to asymmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + data: Hello World. + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from asymmetric vault into file {{ ansible_env.HOME }}/data.txt. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + out: "{{ ansible_env.HOME }}/data.txt" + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.changed + + - name: Verify retrieved data. + slurp: + src: "{{ ansible_env.HOME }}/data.txt" + register: slurpfile + failed_when: slurpfile['content'] | b64decode != 'Hello World.' + + - name: Archive data with non-ASCII characters to asymmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + data: The world of π is half rounded. + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'The world of π is half rounded.' or result.changed + + - name: Archive data in asymmetric vault, from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + vault_type: asymmetric + in: "{{ ansible_env.HOME }}/in.txt" + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'Another World.' or result.changed + + - name: Archive data with single character to asymmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + data: c + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'c' or result.changed + + - name: Ensure asymmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + state: absent + register: result + failed_when: result.changed + + - name: Ensure asymmetric vault is present, with public key from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + public_key_file: "{{ ansible_env.HOME }}/public.pem" + vault_type: asymmetric + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is present, with password from file, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + public_key_file: "{{ ansible_env.HOME }}/public.pem" + vault_type: asymmetric + register: result + failed_when: result.changed + + - name: Archive data to asymmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + data: Hello World. + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from asymmetric vault, with password file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key_file: "{{ ansible_env.HOME }}/private.pem" + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Ensure asymmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + state: absent + register: result + failed_when: result.changed + + - name: Cleanup testing environment. + import_tasks: env_setup.yml diff --git a/tests/vault/test_vault_members.yml b/tests/vault/test_vault_members.yml new file mode 100644 index 00000000..219236ae --- /dev/null +++ b/tests/vault/test_vault_members.yml @@ -0,0 +1,20 @@ +--- +- name: Test vault + hosts: ipaserver + become: true + # Need to gather facts for ansible_env. + gather_facts: true + + tasks: + - name: Test vault module member operations. + include_tasks: + file: tasks_vault_members.yml + apply: + tags: + - "{{ vault.vault_type }}" + loop_control: + loop_var: vault + loop: + - { name: "stdvault", vault_type: "standard" } + - { name: "symvault", vault_type: "symmetric" } + - { name: "asymvault", vault_type: "asymmetric" } diff --git a/tests/vault/test_vault_standard.yml b/tests/vault/test_vault_standard.yml new file mode 100644 index 00000000..5e0da98e --- /dev/null +++ b/tests/vault/test_vault_standard.yml @@ -0,0 +1,125 @@ +--- +- name: Test vault + hosts: ipaserver + become: true + # Need to gather facts for ansible_env. + gather_facts: true + + tasks: + - name: Setup testing environment. + import_tasks: env_setup.yml + + - name: Ensure standard vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + register: result + failed_when: not result.changed + + - name: Ensure standard vault is present, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + register: result + failed_when: result.changed + + - name: Archive data to standard vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_data: Hello World. + register: result + failed_when: not result.changed + + - name: Retrieve data from standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + out: "{{ ansible_env.HOME }}/data.txt" + state: retrieved + register: result + failed_when: result.changed + + - name: Verify retrieved data. + slurp: + src: "{{ ansible_env.HOME }}/data.txt" + register: slurpfile + failed_when: slurpfile['content'] | b64decode != 'Hello World.' + + - name: Archive data with non-ASCII characters to standard vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_data: The world of π is half rounded. + register: result + failed_when: not result.changed + + - name: Retrieve data from standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: retrieved + register: result + failed_when: result.data != 'The world of π is half rounded.' or result.changed + + - name: Archive data in standard vault, from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + in: "{{ ansible_env.HOME }}/in.txt" + register: result + failed_when: not result.changed + + - name: Retrieve data from standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: retrieved + register: result + failed_when: result.data != 'Another World.' or result.changed + + - name: Archive data with single character to standard vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_data: c + register: result + failed_when: not result.changed + + - name: Retrieve data from standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: retrieved + register: result + failed_when: result.data != 'c' or result.changed + + - name: Ensure standard vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure standard vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: absent + register: result + failed_when: result.changed + + - name: Cleanup testing environment. + import_tasks: env_setup.yml diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml new file mode 100644 index 00000000..c9429f4f --- /dev/null +++ b/tests/vault/test_vault_symmetric.yml @@ -0,0 +1,198 @@ +--- +- name: Test vault + hosts: ipaserver + become: true + # Need to gather facts for ansible_env. + gather_facts: true + + tasks: + - name: Setup testing environment. + import_tasks: env_setup.yml + + - name: Ensure symmetric vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + vault_type: symmetric + password: SomeVAULTpassword + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is present, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + vault_type: symmetric + password: SomeVAULTpassword + register: result + failed_when: result.changed + + - name: Archive data to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + vault_data: Hello World. + password: SomeVAULTpassword + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + out: "{{ ansible_env.HOME }}/data.txt" + state: retrieved + register: result + failed_when: result.changed + + - name: Verify retrieved data. + slurp: + src: "{{ ansible_env.HOME }}/data.txt" + register: slurpfile + failed_when: slurpfile['content'] | b64decode != 'Hello World.' + + - name: Archive data with non-ASCII characters to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + vault_data: The world of π is half rounded. + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'The world of π is half rounded.' or result.changed + + - name: Archive data in symmetric vault, from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + in: "{{ ansible_env.HOME }}/in.txt" + password: SomeVAULTpassword + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'Another World.' or result.changed + + - name: Archive data with single character to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + vault_data: c + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'c' or result.changed + + - name: Ensure symmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + state: absent + register: result + failed_when: result.changed + + - name: Ensure symmetric vault is present, with password from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + password_file: "{{ ansible_env.HOME }}/password.txt" + vault_type: symmetric + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is present, with password from file, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + password_file: "{{ ansible_env.HOME }}/password.txt" + vault_type: symmetric + register: result + failed_when: result.changed + + - name: Archive data to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + vault_data: Hello World. + password: SomeVAULTpassword + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from symmetric vault, with password file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password_file: "{{ ansible_env.HOME }}/password.txt" + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Ensure symmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + state: absent + register: result + failed_when: result.changed + + - name: Cleanup testing environment. + import_tasks: env_cleanup.yml