ipavault: Allow execution of plugin in client host.

Update vault README file and add tests for executing plugin with `ipaapi_context` set to `client`. A new test playbook can be found at: tests/vault/test_vault_client_context.yml As `ipavault` only works in client context, an error is raised if it is explicitly executed in a server context.
2026-03-26 21:33:05 +00:00 · 2021-09-03 13:31:57 -03:00
parent d9dcc8f5dc
commit 7e0624d836
5 changed files with 36 additions and 1 deletions
--- a/README-vault.md
+++ b/README-vault.md
@@ -217,6 +217,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Currently only `client` is supported by this module, and use of `server` will raise a failure. | no
 `name` \| `cn` | The list of vault name strings. | yes
 `description` | The vault description string. | no
 `password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -443,6 +443,11 @@ def check_parameters(  # pylint: disable=unused-argument
        password, password_file, public_key, public_key_file, private_key,
        private_key_file, vault_data, datafile_in, datafile_out, new_password,
        new_password_file):
+    if module.params_get("ipaapi_context") == "server":
+        module.fail_json(
+            msg="Context 'server' for ipavault not yet supported."
+        )
+
    invalid = []
    if state == "present":
        invalid = ['datafile_out']
@@ -718,7 +723,7 @@ def main():
    changed = False
    exit_args = {}

-    with ansible_module.ipa_connect(context='ansible-freeipa') as ccache_name:
+    with ansible_module.ipa_connect(context="client") as ccache_name:
        if ccache_name is not None:
            os.environ["KRB5CCNAME"] = ccache_name

--- a/tests/vault/env_cleanup.yml
+++ b/tests/vault/env_cleanup.yml
@@ -26,6 +26,7 @@
  - name: Ensure test users do not exist.
    ipauser:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name:
      - user01
      - user02
@@ -35,6 +36,7 @@
  - name: Ensure test groups do not exist.
    ipagroup:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: vaultgroup
      state: absent

--- a/tests/vault/env_setup.yml
+++ b/tests/vault/env_setup.yml
@@ -35,11 +35,13 @@
  - name: Ensure vaultgroup exists.
    ipagroup:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: vaultgroup

  - name: Ensure testing users exist.
    ipauser:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      users:
      - name: user01
        first: First
--- a/tests/vault/test_vault_client_context.yml
+++ b/tests/vault/test_vault_client_context.yml
@@ -0,0 +1,25 @@
+---
+- name: Test vault
+  hosts: ipaserver
+  become: no
+  # Need to gather facts for ansible_env.
+  gather_facts: yes
+
+  tasks:
+  - name: Setup testing environment.
+    import_tasks: env_setup.yml
+
+  # vault requires 'ipaapi_context: client', and uses this
+  # context by defoult, so we test only for the case where
+  # 'ipaapi_context: server' is explicitly set.
+  - name: Execute with server context.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server
+      name: ThisShouldNotWork
+      vault_type: standard
+    register: result
+    failed_when: not (result.failed and result.msg is regex("Context 'server' for ipavault not yet supported."))
+
+  - name: Cleanup testing environment.
+    import_tasks: env_cleanup.yml