From b5e93c705fc56f6592121aa09bfb9f6dce5cee35 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 11 Aug 2020 16:23:15 -0300
Subject: [PATCH 1/2] Fix `allow_retrieve_keytab_host` in service module.

The attribute `allow_retrieve_keytab_host` was not working due to
wrong processing of the input and verification if the values should
be updated. Both the issues are fixed by this change.

Tests were added to better verify service keytab members.
---
 plugins/modules/ipaservice.py         |   4 +-
 tests/service/env_cleanup.yml         |  68 +++++
 tests/service/env_setup.yml           |  73 +++++
 tests/service/env_vars.yml            |  15 +
 tests/service/test_service_keytab.yml | 397 ++++++++++++++++++++++++++
 5 files changed, 555 insertions(+), 2 deletions(-)
 create mode 100644 tests/service/env_cleanup.yml
 create mode 100644 tests/service/env_setup.yml
 create mode 100644 tests/service/env_vars.yml
 create mode 100644 tests/service/test_service_keytab.yml

diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py
index b0d25355..8bc390d1 100644
--- a/plugins/modules/ipaservice.py
+++ b/plugins/modules/ipaservice.py
@@ -460,7 +460,7 @@ def main():
     allow_retrieve_keytab_group = module_params_get(
         ansible_module, "allow_retrieve_keytab_group")
     allow_retrieve_keytab_host = module_params_get(
-        ansible_module, "allow_create_keytab_host")
+        ansible_module, "allow_retrieve_keytab_host")
     allow_retrieve_keytab_hostgroup = module_params_get(
         ansible_module, "allow_retrieve_keytab_hostgroup")
     delete_continue = module_params_get(ansible_module, "delete_continue")
@@ -727,7 +727,7 @@ def main():
                 # Allow retrieve keytab
                 if len(allow_retrieve_keytab_user_add) > 0 or \
                    len(allow_retrieve_keytab_group_add) > 0 or \
-                   len(allow_retrieve_keytab_hostgroup_add) > 0 or \
+                   len(allow_retrieve_keytab_host_add) > 0 or \
                    len(allow_retrieve_keytab_hostgroup_add) > 0:
                     commands.append(
                         [name, "service_allow_retrieve_keytab",
diff --git a/tests/service/env_cleanup.yml b/tests/service/env_cleanup.yml
new file mode 100644
index 00000000..f96a75b9
--- /dev/null
+++ b/tests/service/env_cleanup.yml
@@ -0,0 +1,68 @@
+---
+# Cleanup tasks for the service module tests.
+- name: Ensure services are absent.
+  ipaservice:
+    ipaadmin_password: SomeADMINpassword
+    name:
+      - "HTTP/{{ svc_fqdn }}"
+      - "HTTP/{{ nohost_fqdn }}"
+      - HTTP/svc.ihavenodns.info
+      - HTTP/no.idontexist.local
+      - "cifs/{{ host1_fqdn }}"
+    state: absent
+
+- name: Ensure host "{{ svc_fqdn }}" is absent
+  ipahost:
+    ipaadmin_password: SomeADMINpassword
+    name: "{{ svc_fqdn }}"
+    update_dns: yes
+    state: absent
+
+- name: Ensure host is absent
+  ipahost:
+    ipaadmin_password: SomeADMINpassword
+    name:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      - "{{ nohost_fqdn }}"
+      - svc.ihavenodns.info
+    update_dns: no
+    state: absent
+
+- name: Ensure testing users are absent.
+  ipauser:
+    ipaadmin_password: SomeADMINpassword
+    name:
+    - user01
+    - user02
+    state: absent
+
+- name: Ensure testing groups are absent.
+  ipagroup:
+    ipaadmin_password: SomeADMINpassword
+    name:
+    - group01
+    - group02
+    state: absent
+
+- name: Ensure testing hostgroup hostgroup01 is absent.
+  ipagroup:
+    ipaadmin_password: SomeADMINpassword
+    name:
+      - hostgroup01
+    state: absent
+
+- name: Ensure testing hostgroup hostgroup02 is absent.
+  ipagroup:
+    ipaadmin_password: SomeADMINpassword
+    name:
+      - hostgroup02
+    state: absent
+
+- name: Remove IP address for "nohost" host.
+  ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: "{{ test_domain }}."
+    name: nohost
+    del_all: yes
+    state: absent
diff --git a/tests/service/env_setup.yml b/tests/service/env_setup.yml
new file mode 100644
index 00000000..309cfc03
--- /dev/null
+++ b/tests/service/env_setup.yml
@@ -0,0 +1,73 @@
+# Setup environment for service module tests.
+---
+- name: Setup variables and facts.
+  include_tasks: env_vars.yml
+
+# Cleanup before setup.
+- name: Cleanup test environment.
+  include_tasks: env_cleanup.yml
+
+- name: Add IP address for "nohost" host.
+  ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: "{{ test_domain }}."
+    name: nohost
+    a_ip_address: "{{ ipv4_prefix + '.100' }}"
+
+- name: Add hosts for tests.
+  ipahost:
+    ipaadmin_password: SomeADMINpassword
+    hosts:
+      - name: "{{ host1_fqdn }}"
+        ip_address: "{{ ipv4_prefix + '.101' }}"
+      - name: "{{ host2_fqdn }}"
+        ip_address: "{{ ipv4_prefix + '.102' }}"
+      - name: "{{ svc_fqdn }}"
+        ip_address: "{{ ipv4_prefix + '.201' }}"
+      - name: svc.ihavenodns.info
+        force: yes
+    update_dns: yes
+
+- name: Ensure testing user user01 is present.
+  ipauser:
+    ipaadmin_password: SomeADMINpassword
+    name: user01
+    first: user01
+    last: last
+
+- name: Ensure testing user user02 is present.
+  ipauser:
+    ipaadmin_password: SomeADMINpassword
+    name: user02
+    first: user02
+    last: last
+
+- name: Ensure testing group group01 is present.
+  ipagroup:
+    ipaadmin_password: SomeADMINpassword
+    name: group01
+
+- name: Ensure testing group group02 is present.
+  ipagroup:
+    ipaadmin_password: SomeADMINpassword
+    name: group02
+
+- name: Ensure testing hostgroup hostgroup01 is present.
+  ipahostgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: hostgroup01
+
+- name: Ensure testing hostgroup hostgroup02 is present.
+  ipahostgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: hostgroup02
+
+- name: Ensure services are absent.
+  ipaservice:
+    ipaadmin_password: SomeADMINpassword
+    name:
+    - "HTTP/{{ svc_fqdn }}"
+    - "HTTP/{{ nohost_fqdn }}"
+    - HTTP/svc.ihavenodns.info
+    - HTTP/no.idontexist.info
+    state: absent
diff --git a/tests/service/env_vars.yml b/tests/service/env_vars.yml
new file mode 100644
index 00000000..eb53c7a0
--- /dev/null
+++ b/tests/service/env_vars.yml
@@ -0,0 +1,15 @@
+---
+    - name: Get Domain from server name
+      set_fact:
+        test_domain: "{{ ansible_fqdn.split('.')[1:] | join('.') }}"
+
+    - name: Set host1, host2 and svc hosts fqdn
+      set_fact:
+        host1_fqdn: "{{ 'host1.' + test_domain }}"
+        host2_fqdn: "{{ 'host2.' + test_domain }}"
+        svc_fqdn: "{{ 'svc.' + test_domain }}"
+        nohost_fqdn: "{{ 'nohost.' + test_domain }}"
+
+    - name: Get IPv4 address prefix from server node
+      set_fact:
+        ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | join('.') }}"
diff --git a/tests/service/test_service_keytab.yml b/tests/service/test_service_keytab.yml
new file mode 100644
index 00000000..09188029
--- /dev/null
+++ b/tests/service/test_service_keytab.yml
@@ -0,0 +1,397 @@
+---
+- name: Test service
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  # setup
+  - name: Setup test envirnoment.
+    include_tasks: env_setup.yml
+
+  # Add service to test keytab create/retrieve attributes.
+  - name: Ensure test service is present
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      pac_type:
+        - MS-PAC
+        - PAD
+      auth_ind: otp
+      force: yes
+      requires_pre_auth: yes
+      ok_as_delegate: no
+      ok_to_auth_as_delegate: no
+
+  # tests
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_user:
+      - user01
+      - user02
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_user:
+      - user01
+      - user02
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_user:
+      - user01
+      - user02
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_user:
+      - user01
+      - user02
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for group.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_group:
+      - group01
+      - group02
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for group, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_group:
+      - group01
+      - group02
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for group.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_group:
+      - group01
+      - group02
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for group, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_group:
+      - group01
+      - group02
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for host.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_host:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for host, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_host:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for host.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_host:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for host, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_host:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for hostgroup.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for hostgroup, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for hostgroup.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      state: absent
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for hostgroup, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for group.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for group, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for group.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for group, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for host.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_host:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for host, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_host:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for host.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_host:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for host, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_host:
+      - "{{ host1_fqdn }}"
+      - "{{ host2_fqdn }}"
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for hostgroup.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for hostgroup, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for hostgroup.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for hostgroup, again.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "HTTP/{{ svc_fqdn }}"
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  # cleanup
+  - name: Clean-up envirnoment.
+    include_tasks: env_cleanup.yml

From 3ab575bcac310166e7d29c5a5349d90482f4e629 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 11 Aug 2020 17:27:56 -0300
Subject: [PATCH 2/2] Reorganize service module tests.

Modify old service module tests to use setup and cleanup include
files to make test environment more consistent.
---
 tests/service/test_service.yml                | 175 +-----------------
 .../test_service_without_skip_host_check.yml  | 137 +-------------
 2 files changed, 8 insertions(+), 304 deletions(-)

diff --git a/tests/service/test_service.yml b/tests/service/test_service.yml
index 26f509ef..7035bb9e 100644
--- a/tests/service/test_service.yml
+++ b/tests/service/test_service.yml
@@ -17,109 +17,8 @@
 
   tasks:
   # setup
-  - name: Get Domain from server name
-    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
-    when: ipaserver_domain is not defined
-
-  - name: Set host1, host2 and svc hosts fqdn
-    set_fact:
-      host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
-      host2_fqdn: "{{ 'host2.' + ipaserver_domain }}"
-      svc_fqdn: "{{ 'svc.' + ipaserver_domain }}"
-      nohost_fqdn: "{{ 'nohost.' + ipaserver_domain }}"
-
-  - name: Remove IP address for "nohost" host.
-    ipadnsrecord:
-      ipaadmin_password: SomeADMINpassword
-      zone_name: "{{ ipaserver_domain }}"
-      name: nohost
-      del_all: yes
-      state: absent
-
-  - name: Host absent
-    ipahost:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - "{{ nohost_fqdn }}"
-      - no.idontexist.info
-      - svc.ihavenodns.info
-      - "{{ host1_fqdn }}"
-      - "{{ host2_fqdn }}"
-      - "{{ svc_fqdn }}"
-      update_dns: no
-      state: absent
-
-  - name: Get IPv4 address prefix from server node
-    set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
-                       join('.') }}"
-
-  - name: Add IP address for "nohost" host.
-    ipadnsrecord:
-      ipaadmin_password: SomeADMINpassword
-      zone_name: "{{ ipaserver_domain }}"
-      name: nohost
-      a_ip_address: "{{ ipv4_prefix + '.100' }}"
-
-  - name: Add hosts for tests.
-    ipahost:
-      ipaadmin_password: SomeADMINpassword
-      hosts:
-          - name: "{{ host1_fqdn }}"
-            ip_address: "{{ ipv4_prefix + '.101' }}"
-          - name: "{{ host2_fqdn }}"
-            ip_address: "{{ ipv4_prefix + '.102' }}"
-            force: yes
-          - name: "{{ svc_fqdn }}"
-            ip_address: "{{ ipv4_prefix + '.201' }}"
-          - name: svc.ihavenodns.info
-            force: yes
-      update_dns: yes
-
-  - name: Ensure testing user user01 is present.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name: user01
-      first: user01
-      last: last
-
-  - name: Ensure testing user user02 is present.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name: user02
-      first: user02
-      last: last
-
-  - name: Ensure testing group group01 is present.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name: group01
-
-  - name: Ensure testing group group02 is present.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name: group02
-
-  - name: Ensure testing hostgroup hostgroup01 is present.
-    ipahostgroup:
-      ipaadmin_password: SomeADMINpassword
-      name: hostgroup01
-
-  - name: Ensure testing hostgroup hostgroup02 is present.
-    ipahostgroup:
-      ipaadmin_password: SomeADMINpassword
-      name: hostgroup02
-
-  - name: Ensure services are absent.
-    ipaservice:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - "HTTP/{{ svc_fqdn }}"
-      - "HTTP/{{ nohost_fqdn }}"
-      - HTTP/svc.ihavenodns.info
-      - HTTP/no.idontexist.info
-      state: absent
+  - name: Setup test environment
+    include_tasks: env_setup.yml
 
   # tests
   - name: Ensure service is present
@@ -476,7 +375,6 @@
     register: result
     failed_when: result.changed
 
-  #
   - name: Ensure service is absent
     ipaservice:
       ipaadmin_password: SomeADMINpassword
@@ -594,70 +492,5 @@
     failed_when: result.changed
 
   # cleanup
-
-  - name: Ensure services are absent.
-    ipaservice:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - "HTTP/{{ svc_fqdn }}"
-      - "HTTP/{{ nohost_fqdn }}"
-      - HTTP/svc.ihavenodns.info
-      - HTTP/no.idontexist.local
-      - "cifs/{{ host1_fqdn }}"
-      state: absent
-
-  - name: Ensure host "{{ svc_fqdn }}" is absent
-    ipahost:
-      ipaadmin_password: SomeADMINpassword
-      name: "{{ svc_fqdn }}"
-      update_dns: yes
-      state: absent
-
-  - name: Ensure host is absent
-    ipahost:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - "{{ host1_fqdn }}"
-      - "{{ host2_fqdn }}"
-      - "{{ nohost_fqdn }}"
-      - svc.ihavenodns.info
-      update_dns: no
-      state: absent
-
-  - name: Ensure testing users are absent.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - user01
-      - user02
-      state: absent
-
-  - name: Ensure testing groups are absent.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - group01
-      - group02
-      state: absent
-
-  - name: Ensure testing hostgroup hostgroup01 is absent.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - hostgroup01
-      state: absent
-
-  - name: Ensure testing hostgroup hostgroup02 is absent.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - hostgroup02
-      state: absent
-
-  - name: Remove IP address for "nohost" host.
-    ipadnsrecord:
-      ipaadmin_password: SomeADMINpassword
-      zone_name: "{{ ipaserver_domain }}"
-      name: nohost
-      del_all: yes
-      state: absent
+  - name: Cleanup test environment
+    include_tasks: env_cleanup.yml
diff --git a/tests/service/test_service_without_skip_host_check.yml b/tests/service/test_service_without_skip_host_check.yml
index ce703e9a..0f89cc72 100644
--- a/tests/service/test_service_without_skip_host_check.yml
+++ b/tests/service/test_service_without_skip_host_check.yml
@@ -5,91 +5,8 @@
 
   tasks:
   # setup
-  - name: Get Domain from server name
-    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
-    when: ipaserver_domain is not defined
-
-  - name: Set host1, host2 and svc hosts fqdn
-    set_fact:
-      host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
-      host2_fqdn: "{{ 'host2.' + ipaserver_domain }}"
-      svc_fqdn: "{{ 'svc.' + ipaserver_domain }}"
-
-  - name: Host absent
-    ipahost:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - svc.ihavenodns.info
-      - "{{ host1_fqdn }}"
-      - "{{ host2_fqdn }}"
-      - "{{ svc_fqdn }}"
-      update_dns: yes
-      state: absent
-
-  - name: Get IPv4 address prefix from server node
-    set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
-                       join('.') }}"
-
-  - name: Add hosts for tests.
-    ipahost:
-      ipaadmin_password: SomeADMINpassword
-      hosts:
-      - name: "{{ host1_fqdn }}"
-        ip_address: "{{ ipv4_prefix + '.201' }}"
-        update_dns: yes
-      - name: "{{ host2_fqdn }}"
-        ip_address: "{{ ipv4_prefix + '.202' }}"
-        update_dns: yes
-      - name: "{{ svc_fqdn }}"
-        ip_address: "{{ ipv4_prefix + '.203' }}"
-        update_dns: yes
-      - name: svc.ihavenodns.info
-        update_dns: no
-        force: yes
-
-  - name: Ensure testing user user01 is present.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name: user01
-      first: user01
-      last: last
-
-  - name: Ensure testing user user02 is present.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name: user02
-      first: user02
-      last: last
-
-  - name: Ensure testing group group01 is present.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name: group01
-
-  - name: Ensure testing group group02 is present.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name: group02
-
-  - name: Ensure testing hostgroup hostgroup01 is present.
-    ipahostgroup:
-      ipaadmin_password: SomeADMINpassword
-      name: hostgroup01
-
-  - name: Ensure testing hostgroup hostgroup02 is present.
-    ipahostgroup:
-      ipaadmin_password: SomeADMINpassword
-      name: hostgroup02
-
-  - name: Ensure services are absent.
-    ipaservice:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - "HTTP/{{ svc_fqdn }}"
-      - HTTP/svc.ihavenodns.info
-      state: absent
+  - name: Setup test environment
+    include_tasks: env_setup.yml
 
   # tests
   - name: Ensure service is present
@@ -426,51 +343,5 @@
     failed_when: result.changed
 
   # cleanup
-
-  - name: Ensure services are absent.
-    ipaservice:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - "HTTP/{{ svc_fqdn }}"
-      - HTTP/svc.ihavenodns.info
-      state: absent
-
-  - name: Ensure host is absent
-    ipahost:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - "{{ svc_fqdn }}"
-      - "{{ host1_fqdn }}"
-      - "{{ host2_fqdn }}"
-      - svc.ihavenodns.info
-      state: absent
-
-  - name: Ensure testing users are absent.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - user01
-      - user02
-      state: absent
-
-  - name: Ensure testing groups are absent.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - group01
-      - group02
-      state: absent
-
-  - name: Ensure testing hostgroup hostgroup01 is absent.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - hostgroup01
-      state: absent
-
-  - name: Ensure testing hostgroup hostgroup02 is absent.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - hostgroup02
-      state: absent
+  - name: Cleanup test environment
+    include_tasks: env_cleanup.yml