Merge pull request #744 from rjeffman/sudorule_fix_deny_sudocmdgroup

sudorule: Fix management of deny_sudocmdgroup.
Thomas Woerner
2022-01-24 17:52:39 +01:00
committed by GitHub
2 changed files with 126 additions and 2 deletions


@@ -544,7 +544,7 @@ def main():
if deny_sudocmdgroup is not None:
deny_cmdgroup_add = gen_add_list(
deny_sudocmdgroup,
res_find("memberdenycmd_sudocmdgroup")
res_find.get("memberdenycmd_sudocmdgroup")
)
if sudooption is not None:
sudooption_add = gen_add_list(
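Review bot: `res_find.get("memberdenycmd_sudocmdgroup")` returns None when the rule has no denied command groups, and `gen_add_list` is defined outside this hunk, so it is not visible whether it treats a None second argument as an empty list. If it does not, an explicit default, `res_find.get("memberdenycmd_sudocmdgroup", [])`, would keep the first deny assignment on a rule from failing. This reads the `.get(...)` line as the new side of the changed pair. main() begins and ends outside the hunk, so the removal path for deny_sudocmdgroup should be checked for the same lookup.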


@@ -58,6 +58,7 @@
name:
- /sbin/ifconfig
- /usr/bin/vim
- /usr/bin/emacs
state: present
- name: Ensure sudocmdgroup is available
@@ -68,6 +69,14 @@
sudocmd: /usr/bin/vim
state: present
- name: Ensure sudocmdgroup is available
ipasudocmdgroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: test_sudorule2
sudocmd: /usr/bin/emacs
state: present
- name: Ensure sudorules are absent
ipasudorule:
ipaadmin_password: SomeADMINpassword
@@ -606,6 +615,7 @@
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
allow_sudocmdgroup: test_sudorule
action: member
state: present
register: result
failed_when: not result.changed or result.failed
@@ -616,6 +626,7 @@
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
allow_sudocmdgroup: test_sudorule
action: member
state: present
register: result
failed_when: result.changed or result.failed
@@ -648,6 +659,7 @@
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: present
register: result
failed_when: not result.changed or result.failed
@@ -658,6 +670,7 @@
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: present
register: result
failed_when: result.changed or result.failed
@@ -684,6 +697,114 @@
register: result
failed_when: result.changed or result.failed
- name: Ensure sudorule is present, with `test_sudorule` sudocmdgroup in allow_sudocmdgroup.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorule is present, with `test_sudorule2` sudocmdgroup in allow_sudocmdgroup.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
allow_sudocmdgroup: test_sudorule2
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorule is present, with both sudocmdgroup in allow_sudocmdgroup.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
allow_sudocmdgroup:
- test_sudorule
- test_sudorule2
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorule is present, with both sudocmdgroup, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
allow_sudocmdgroup:
- test_sudorule
- test_sudorule2
state: present
register: result
failed_when: result.changed or result.failed
- name: Ensure sudorule is present, with only `test_sudorule` sudocmdgroup in allow_sudocmdgroup.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorule is present, with `test_sudorule` sudocmdgroup in deny_sudocmdgroup.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorule is present, with `test_sudorule2` sudocmdgroup in deny_sudocmdgroup.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
deny_sudocmdgroup: test_sudorule2
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorule is present, with both sudocmdgroup in deny_sudocmdgroup.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
deny_sudocmdgroup:
- test_sudorule
- test_sudorule2
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorule is present, with both sudocmdgroup, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
deny_sudocmdgroup:
- test_sudorule
- test_sudorule2
state: present
register: result
failed_when: result.changed or result.failed
- name: Ensure sudorule is present, with only `test_sudorule` sudocmdgroup in deny_sudocmdgroup.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorule is absent
ipasudorule:
ipaadmin_password: SomeADMINpassword
@@ -889,7 +1010,9 @@
ipasudocmdgroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: test_sudorule
name:
- test_sudorule
- test_sudorule2
state: absent
- name: Ensure sudocmds are absent
@@ -899,6 +1022,7 @@
name:
- /sbin/ifconfig
- /usr/bin/vim
- /usr/bin/emacs
state: absent
- name: Ensure sudorules are absent
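Review bot: The new deny_sudocmdgroup sequence ends with the task that narrows the rule back to only `test_sudorule`, and that task asserts just `result.changed`; nothing after it confirms that `test_sudorule2` was actually dropped from the deny list and that the state is stable. Since a deny list is a restricting control, repeating that task with `failed_when: result.changed or result.failed` would pin the removal, and the allow_sudocmdgroup sequence above it ends the same way. Separately, two tasks are both named `Ensure sudorule is present, with both sudocmdgroup, again.`, so a failing run does not say which list was involved; appending `in allow_sudocmdgroup` and `in deny_sudocmdgroup` to the names would fix that.

```yaml
# … unchanged: "with only `test_sudorule` sudocmdgroup in deny_sudocmdgroup" task …
- name: Ensure sudorule is present, with only `test_sudorule` sudocmdgroup in deny_sudocmdgroup, again.
  ipasudorule:
    ipaadmin_password: SomeADMINpassword
    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: testrule1
    deny_sudocmdgroup: test_sudorule
    state: present
  register: result
  failed_when: result.changed or result.failed
```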