From 2136c7340975869deb1fca69d82cd1aeaf5bf77e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 9 Dec 2019 18:27:12 +0200 Subject: [PATCH 01/40] Install and enable firewalld if it is configured for ipaserver role ipaserver role by default tries to configure firewalld but it didn't check if firewalld related packages were installed. Similar to DNS and trust to AD features, install firewalld-related packages before trying to configure firewalld. Additionally, enable and start firewalld.service because otherwise firewall-cmd cannot communicate with firewalld itself (it is not starting on demand). If and administrator considers not to use firewalld, a default for ipaserver_setup_firewalld variable has to be set to 'no'. Fixes: https://github.com/freeipa/ansible-freeipa/issues/116 --- README.md | 1 + roles/ipaserver/tasks/install.yml | 13 +++++++++++++ roles/ipaserver/vars/CentOS-7.yml | 3 ++- roles/ipaserver/vars/Fedora-25.yml | 3 ++- roles/ipaserver/vars/Fedora-26.yml | 3 ++- roles/ipaserver/vars/Fedora-27.yml | 1 + roles/ipaserver/vars/Fedora.yml | 3 ++- roles/ipaserver/vars/RedHat-7.3.yml | 3 ++- roles/ipaserver/vars/RedHat-7.yml | 3 ++- roles/ipaserver/vars/RedHat-8.yml | 1 + roles/ipaserver/vars/Ubuntu.yml | 1 + roles/ipaserver/vars/default.yml | 1 + 12 files changed, 30 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 5efbd088..f0c995f0 100644 --- a/README.md +++ b/README.md @@ -155,6 +155,7 @@ ipaserver_install_packages=no ipaserver_setup_firewalld=no ``` The installation of packages and also the configuration of the firewall are by default enabled. +Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`. For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md). diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index 268f5d36..85df9a7d 100644 
--- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml @@ -19,6 +19,19 @@ state: present when: ipaserver_setup_adtrust | bool + - name: Install - Ensure that firewall packages installed + package: + name: "{{ ipaserver_packages_firewalld }}" + state: present + when: ipaserver_setup_firewalld | bool + + - name: Firewalld service - Ensure that firewalld is running + systemd: + name: firewalld + enabled: yes + state: started + when: ipaserver_setup_firewalld | bool + when: ipaserver_install_packages | bool #- name: Install - Include Python2/3 import test diff --git a/roles/ipaserver/vars/CentOS-7.yml b/roles/ipaserver/vars/CentOS-7.yml index 079b719c..11863757 100644 --- a/roles/ipaserver/vars/CentOS-7.yml +++ b/roles/ipaserver/vars/CentOS-7.yml @@ -2,4 +2,5 @@ # vars/rhel.yml ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/Fedora-25.yml b/roles/ipaserver/vars/Fedora-25.yml index d97afb19..374056c0 100644 --- a/roles/ipaserver/vars/Fedora-25.yml +++ b/roles/ipaserver/vars/Fedora-25.yml @@ -1,3 +1,4 @@ ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/Fedora-26.yml b/roles/ipaserver/vars/Fedora-26.yml index d97afb19..374056c0 100644 --- a/roles/ipaserver/vars/Fedora-26.yml +++ b/roles/ipaserver/vars/Fedora-26.yml 
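Review bot: The new "Firewalld service - Ensure that firewalld is running" task sits inside the block that is guarded by the context line `when: ipaserver_install_packages | bool`, so with `ipaserver_install_packages=no` and `ipaserver_setup_firewalld=yes` (packages pre-installed by the administrator) firewalld is never enabled or started and the later firewall configuration still hits the failure this commit is fixing. The package task belongs in that block, but the systemd task should be moved out of it, directly after the block, keeping only its own `when: ipaserver_setup_firewalld | bool`. While moving it, write the boolean canonically, `enabled: true`, since `yes` is the YAML 1.1 form that yamllint/ansible-lint flag. The same structure is repeated in the ipareplica install.yml hunk of the second patch and needs the same fix there. The enclosing block starts outside the hunk.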
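Review bot: The added `ipaserver_packages_firewalld: [ "firewalld" ]` line in CentOS-7.yml keeps the file's "\ No newline at end of file" state instead of fixing it while the last line is being touched anyway; the same applies to the Fedora-25, Fedora-26, Fedora, RedHat-7.3 and RedHat-7 vars hunks of this patch and of the ipareplica patch. Terminating the file with a newline avoids the marker showing up in every future diff of these files.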
@@ -1,3 +1,4 @@ ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/Fedora-27.yml b/roles/ipaserver/vars/Fedora-27.yml index fa21e34c..b8bfb577 100644 --- a/roles/ipaserver/vars/Fedora-27.yml +++ b/roles/ipaserver/vars/Fedora-27.yml @@ -1,3 +1,4 @@ ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipaserver/vars/Fedora.yml b/roles/ipaserver/vars/Fedora.yml index 9db4446a..55a38382 100644 --- a/roles/ipaserver/vars/Fedora.yml +++ b/roles/ipaserver/vars/Fedora.yml @@ -1,3 +1,4 @@ ipaserver_packages: [ "freeipa-server", "python3-libselinux" ] ipaserver_packages_dns: [ "freeipa-server-dns" ] -ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/RedHat-7.3.yml b/roles/ipaserver/vars/RedHat-7.3.yml index 079b719c..11863757 100644 --- a/roles/ipaserver/vars/RedHat-7.3.yml +++ b/roles/ipaserver/vars/RedHat-7.3.yml @@ -2,4 +2,5 @@ # vars/rhel.yml ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/RedHat-7.yml b/roles/ipaserver/vars/RedHat-7.yml index 079b719c..11863757 100644 --- a/roles/ipaserver/vars/RedHat-7.yml 
+++ b/roles/ipaserver/vars/RedHat-7.yml @@ -2,4 +2,5 @@ # vars/rhel.yml ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/RedHat-8.yml b/roles/ipaserver/vars/RedHat-8.yml index 5b9caac1..7f5ae464 100644 --- a/roles/ipaserver/vars/RedHat-8.yml +++ b/roles/ipaserver/vars/RedHat-8.yml @@ -3,3 +3,4 @@ ipaserver_packages: [ "@idm:DL1/server" ] ipaserver_packages_dns: [ "@idm:DL1/dns" ] ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ] +ipaserver_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipaserver/vars/Ubuntu.yml b/roles/ipaserver/vars/Ubuntu.yml index b3944a92..d0e01ea8 100644 --- a/roles/ipaserver/vars/Ubuntu.yml +++ b/roles/ipaserver/vars/Ubuntu.yml @@ -2,3 +2,4 @@ ipaserver_packages: [ "freeipa-server" ] ipaserver_packages_dns: [ "freeipa-server-dns" ] ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipaserver/vars/default.yml b/roles/ipaserver/vars/default.yml index eb5c4894..9f6d58a4 100644 --- a/roles/ipaserver/vars/default.yml +++ b/roles/ipaserver/vars/default.yml @@ -3,3 +3,4 @@ ipaserver_packages: [ "ipa-server", "python3-libselinux" ] ipaserver_packages_dns: [ "ipa-server-dns" ] ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] From 592680f51fc416e117b243c9c55fc84037e55185 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Mon, 9 Dec 2019 19:19:20 +0200 Subject: [PATCH 02/40] Install and enable firewalld if it is configured for ipareplica role ipareplica role by default tries to configure firewalld but it didn't check if firewalld related packages were installed. Similar to DNS and trust to AD features, install firewalld-related packages before trying to configure firewalld. Additionally, enable and start firewalld.service because otherwise firewall-cmd cannot communicate with firewalld itself (it is not starting on demand). If and administrator considers not to use firewalld, a default for ipareplica_setup_firewalld variable has to be set to 'no'. Fixes: https://github.com/freeipa/ansible-freeipa/issues/116 --- README.md | 1 + roles/ipareplica/tasks/install.yml | 13 +++++++++++++ roles/ipareplica/vars/CentOS-7.yml | 3 ++- roles/ipareplica/vars/Fedora-25.yml | 3 ++- roles/ipareplica/vars/Fedora-26.yml | 3 ++- roles/ipareplica/vars/Fedora-27.yml | 3 ++- roles/ipareplica/vars/Fedora.yml | 3 ++- roles/ipareplica/vars/RedHat-7.3.yml | 3 ++- roles/ipareplica/vars/RedHat-7.yml | 3 ++- roles/ipareplica/vars/RedHat-8.yml | 1 + roles/ipareplica/vars/Ubuntu.yml | 1 + roles/ipareplica/vars/default.yml | 1 + 12 files changed, 31 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index f0c995f0..4f90ac2f 100644 --- a/README.md +++ b/README.md @@ -231,6 +231,7 @@ ipareplica_setup_firewalld=no ``` The installation of packages and also the configuration of the firewall are by default enabled. +Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`. For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md). diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 259ae3fb..98681e06 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml 
@@ -20,6 +20,19 @@ state: present when: ipareplica_setup_adtrust | bool + - name: Install - Ensure that firewall packages installed + package: + name: "{{ ipareplica_packages_firewalld }}" + state: present + when: ipareplica_setup_firewalld | bool + + - name: Firewalld service - Ensure that firewalld is running + systemd: + name: firewalld + enabled: yes + state: started + when: ipareplica_setup_firewalld | bool + when: ipareplica_install_packages | bool #- name: Install - Include Python2/3 import test diff --git a/roles/ipareplica/vars/CentOS-7.yml b/roles/ipareplica/vars/CentOS-7.yml index 2baa874f..614de3e5 100644 --- a/roles/ipareplica/vars/CentOS-7.yml +++ b/roles/ipareplica/vars/CentOS-7.yml @@ -2,4 +2,5 @@ # vars/RedHat-7.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/Fedora-25.yml b/roles/ipareplica/vars/Fedora-25.yml index f1dc77f6..ce981ff8 100644 --- a/roles/ipareplica/vars/Fedora-25.yml +++ b/roles/ipareplica/vars/Fedora-25.yml @@ -2,4 +2,5 @@ # vars/Fedora-25.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/Fedora-26.yml b/roles/ipareplica/vars/Fedora-26.yml index a5250267..5a65e43a 100644 --- a/roles/ipareplica/vars/Fedora-26.yml +++ b/roles/ipareplica/vars/Fedora-26.yml 
@@ -2,4 +2,5 @@ # vars/Fedora-26.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/Fedora-27.yml b/roles/ipareplica/vars/Fedora-27.yml index f4e7ffcc..5d6f02a1 100644 --- a/roles/ipareplica/vars/Fedora-27.yml +++ b/roles/ipareplica/vars/Fedora-27.yml @@ -2,4 +2,5 @@ # vars/Fedora.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/Fedora.yml b/roles/ipareplica/vars/Fedora.yml index 5998d6de..f19fb996 100644 --- a/roles/ipareplica/vars/Fedora.yml +++ b/roles/ipareplica/vars/Fedora.yml @@ -2,4 +2,5 @@ # vars/Fedora.yml ipareplica_packages: [ "freeipa-server", "python3-libselinux" ] ipareplica_packages_dns: [ "freeipa-server-dns" ] -ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/RedHat-7.3.yml b/roles/ipareplica/vars/RedHat-7.3.yml index f7a951bc..a0e7ffea 100644 --- a/roles/ipareplica/vars/RedHat-7.3.yml +++ b/roles/ipareplica/vars/RedHat-7.3.yml 
@@ -2,4 +2,5 @@ # vars/RedHat-7.3.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/RedHat-7.yml b/roles/ipareplica/vars/RedHat-7.yml index 2baa874f..614de3e5 100644 --- a/roles/ipareplica/vars/RedHat-7.yml +++ b/roles/ipareplica/vars/RedHat-7.yml @@ -2,4 +2,5 @@ # vars/RedHat-7.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/RedHat-8.yml b/roles/ipareplica/vars/RedHat-8.yml index 2aad358b..02573025 100644 --- a/roles/ipareplica/vars/RedHat-8.yml +++ b/roles/ipareplica/vars/RedHat-8.yml @@ -3,3 +3,4 @@ ipareplica_packages: [ "@idm:DL1/server" ] ipareplica_packages_dns: [ "@idm:DL1/dns" ] ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ] +ipareplica_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipareplica/vars/Ubuntu.yml b/roles/ipareplica/vars/Ubuntu.yml index 761989a6..7cdabbfb 100644 --- a/roles/ipareplica/vars/Ubuntu.yml +++ b/roles/ipareplica/vars/Ubuntu.yml @@ -2,3 +2,4 @@ ipareplica_packages: [ "freeipa-server" ] ipareplica_packages_dns: [ "freeipa-server-dns" ] ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipareplica/vars/default.yml b/roles/ipareplica/vars/default.yml index a1898867..ce7393a1 100644 --- a/roles/ipareplica/vars/default.yml +++ b/roles/ipareplica/vars/default.yml 
@@ -3,3 +3,4 @@ ipareplica_packages: [ "freeipa-server", "python3-libselinux" ] ipareplica_packages_dns: [ "freeipa-server-dns" ] ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] From 9c853894d5832ddf7d400f77f5033d8ff3f246b7 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Tue, 10 Dec 2019 22:20:58 +0100 Subject: [PATCH 03/40] ipaserver_test: Do not use zone_overlap_check for domain name validation The use of zone_overlay_check for the domain name validation is not good for a repeated execution of the server deployment where setup_dns is enabled. The zone overlay check will fail with "DNS zone X already exists in DNS". zone_overlay_check is later on used in dns.install_check so it is not needed to do it here also. Fixes issues #164 (domain option validator should not call zone overlap..) --- roles/ipaserver/library/ipaserver_test.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py index 1075e6d4..5668231f 100644 --- a/roles/ipaserver/library/ipaserver_test.py +++ b/roles/ipaserver/library/ipaserver_test.py @@ -719,12 +719,7 @@ def main(): msg="File %s does not exist." % options.dirsrv_config_file) # domain_name - if options.setup_dns and not options.allow_zone_overlap and \ - options.domain_name is not None: - try: - check_zone_overlap(options.domain_name, False) - except ValueError as e: - ansible_module.fail_json(msg=str(e)) + # Validation is done later on in ipaserver_prepare dns.install_check # dm_password with redirect_stdout(ansible_log): From 0210899eb7187e5d70b490455647cb2bb595169a Mon Sep 17 00:00:00 2001 
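Review bot: With the `check_zone_overlap` call removed, the diffstat shows no import change, so the name is presumably now an unused import in ipaserver_test.py (flake8 F401) unless it is referenced elsewhere in the file; likewise `options.allow_zone_overlap` is no longer read in this validator, which is fine only if the option is still forwarded to the later dns.install_check. The replacement comment could say so explicitly, e.g. `# Zone overlap validation is done in ipaserver_prepare (dns.install_check); allow_zone_overlap is still passed through.` main() starts and ends outside the hunk.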
From: Rafael Guterres Jeffman Date: Mon, 9 Dec 2019 14:51:40 -0300 Subject: [PATCH 04/40] Allow execution of API commands that do not require a name. There are some commands in the IPA API that do not require arguments, and current implementation does not allow these commands to be execute. This patch adds api_command_no_name to allow the execution of such commands, which is required, for example, to create a vaultcontainer management module. --- plugins/module_utils/ansible_freeipa_module.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py index a8312bc5..8154a12c 100644 --- a/plugins/module_utils/ansible_freeipa_module.py +++ b/plugins/module_utils/ansible_freeipa_module.py @@ -151,6 +151,13 @@ def api_command(module, command, name, args): return api.Command[command](name, **args) +def api_command_no_name(module, command, args): + """ + Call ipa.Command without a name. + """ + return api.Command[command](**args) + + def api_check_param(command, name): """ Return if param exists in command param list From 501ca5128e79b32f03ee9828cf0111b34a6fdd34 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Thu, 12 Dec 2019 15:01:32 +0100 Subject: [PATCH 05/40] Update README-host: Drop options from allow_*_keytab_ parameters docs Drop options from the allow_create_keytab_ and allow_retrieve_keytab_ parameter documentation. There are no options. --- README-host.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README-host.md b/README-host.md index 77ca098d..edec8d98 100644 --- a/README-host.md +++ b/README-host.md 
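Review bot: `api_command_no_name` takes a `module` argument that its body never uses, and the docstring says "ipa.Command" while the code calls `api.Command[command]`, so the contract is not documented. Suggested docstring: `"""Call api.Command[command](**args) for commands that take no positional name; ``module`` is unused and kept for symmetry with api_command."""`. As with the context `api_command` above it, an unknown command name raises KeyError from `api.Command[command]` rather than a module failure; callers should be aware or a hedged comment should say so.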
@@ -269,14 +269,14 @@ Variable | Description | Required `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no `managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no -`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host.
Options: | no -`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host.
Options: | no -`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host.
Options: | no -`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host.
Options: | no -`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host.
Options: | no -`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host.
Options: | no -`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host.
Options: | no -`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host.
Options: | no +`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no +`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no +`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no +`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no +`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no +`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no +`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no +`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no `mac_address` \| `macaddress` | List of hardware MAC addresses. | no `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no From bc3d3f41396f3b2c49a352ef8eb1f68f35b31672 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Thu, 12 Dec 2019 22:56:03 +0100 Subject: [PATCH 06/40] ipauser: Extend email addresses with default email domain if no domain is set If there is no domain set for email addresses, extend the email addresses with the default email domain that is gathered from the config_show output. This fixes RHBZ#1747413 ([ansible-freeipa] user module throwing an error if..) --- plugins/modules/ipauser.py | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/plugins/modules/ipauser.py b/plugins/modules/ipauser.py index ac452958..3722b321 100644 --- a/plugins/modules/ipauser.py 
+++ b/plugins/modules/ipauser.py @@ -460,7 +460,8 @@ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, date_format, \ - compare_args_ipa, module_params_get, api_check_param, api_get_realm + compare_args_ipa, module_params_get, api_check_param, api_get_realm, \ + api_command_no_name import six @@ -646,6 +647,14 @@ def check_parameters(module, state, action, module.fail_json(msg="certmapdata: subject is missing") +def extend_emails(email, default_email_domain): + if email is not None: + return [ "%s@%s" % (_email, default_email_domain) + if "@" not in _email else _email + for _email in email] + return email + + def gen_certmapdata_args(certmapdata): certificate = certmapdata.get("certificate") issuer = certmapdata.get("issuer") @@ -883,6 +892,17 @@ def main(): server_realm = api_get_realm() + # Default email domain + + result = api_command_no_name(ansible_module, "config_show", {}) + default_email_domain = result["result"]["ipadefaultemaildomain"][0] + + # Extend email addresses + + email = extend_emails(email, default_email_domain) + + # commands + commands = [] for user in names: @@ -949,6 +969,10 @@ def main(): certmapdata, noprivate, nomembers, preserve, update_password) + # Extend email addresses + + email = extend_emails(email, default_email_domain) + elif isinstance(user, str) or isinstance(user, unicode): name = user else: From 26966e9b3ddad936098a4ad26ced68cb3ce23bbc Mon Sep 17 00:00:00 2001 
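Review bot: `extend_emails` has no docstring and its comprehension is written `[ "%s@%s"` with a space after the bracket, which flake8 reports as E201; write it `["%s@%s" % (_email, default_email_domain)`. An empty string element becomes `"@<domain>"` rather than being rejected, so it is worth either skipping empty entries or stating in the docstring that validation of the local part is left to the server. Suggested docstring: `"""Return email with the default email domain appended to every address that has no '@'; None is returned unchanged."""`.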
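Review bot: `default_email_domain = result["result"]["ipadefaultemaildomain"][0]` raises a bare KeyError or IndexError when the config_show result carries no default email domain, which turns into an Ansible traceback instead of a message. If that attribute can be unset on the server (I believe it can be cleared with config-mod; please confirm), read it defensively, `default_email_domain = result["result"].get("ipadefaultemaildomain", [None])[0]`, and when it is None and an address without "@" is supplied, call `ansible_module.fail_json(msg="No default email domain configured, use full email addresses")`. The `config_show` call is also made unconditionally, even when no `email` is given; guarding it with `if email is not None` avoids one API round trip per run. main() starts and ends outside the hunk.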
From: Thomas Woerner Date: Fri, 13 Dec 2019 22:33:46 +0100 Subject: [PATCH 07/40] Update galaxy.yml: Add empty dependencies to calm down ansible-agalxy command dependencoies may not be an empty dict like in the past, but it may also not be missing. It simply needs to be empty. Fixes #146 (ansible-freeipa collection not installable by 2.9 ansible-galaxy collection install) --- galaxy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/galaxy.yml b/galaxy.yml index 8c9788b2..9740ba3d 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -15,6 +15,8 @@ readme: "README.md" license: "GPL-3.0-or-later" license_file: "COPYING" +dependencies: + tags: - "identity" - "ipa" From b719b1afebce30d9ee891bb8dc6eb2da07e4095b Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Fri, 13 Dec 2019 22:38:01 +0100 Subject: [PATCH 08/40] utils/build-galaxy-release.sh: Use ansible-galaxy instead of mazer ansible-galaxy needs to be used to build the Ansible collection. mazer should not be used any more. --- utils/build-galaxy-release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/build-galaxy-release.sh b/utils/build-galaxy-release.sh index 4f4597e2..fc6bcdd6 100644 --- a/utils/build-galaxy-release.sh +++ b/utils/build-galaxy-release.sh @@ -35,7 +35,7 @@ done #git diff -mazer build +ansible-galaxy collection build rm plugins/module_utils/ansible_ipa_* rm plugins/modules/ipaserver_* From af4e8432ad5348994ca7c0764530bdaaf2d1fa1e Mon Sep 17 00:00:00 2001 
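Review bot: The added bare `dependencies:` parses as YAML null, not as an empty mapping, and the commit message says this is deliberate because the 2.9 ansible-galaxy loader rejects both `{}` and a missing key; nothing in galaxy.yml records that, so the next reader will "fix" it to `{}`. Add a comment above the key, `# Intentionally empty (null): ansible-galaxy 2.9 rejects both {} and a missing dependencies key (#146)`.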
From: Rafael Guterres Jeffman Date: Sat, 30 Nov 2019 21:19:33 -0300 Subject: [PATCH 09/40] New vault management module. There is a new vault management module placed in the plugins folder: plugins/modules/ipavault.py The vault module allows to ensure presence and absence of vaults, manage members and owner of the vault, and archive data in the vault. Here is the documentation for the module: README-vault.md New example playbooks have been added: playbooks/vault/data-archive-in-asymmetric-vault.yml playbooks/vault/data-archive-in-symmetric-vault.yml playbooks/vault/ensure-asymetric-vault-is-absent.yml playbooks/vault/ensure-asymetric-vault-is-present.yml playbooks/vault/ensure-service-vault-is-absent.yml playbooks/vault/ensure-service-vault-is-present.yml playbooks/vault/ensure-shared-vault-is-absent.yml playbooks/vault/ensure-shared-vault-is-present.yml playbooks/vault/ensure-standard-vault-is-absent.yml playbooks/vault/ensure-standard-vault-is-present.yml playbooks/vault/ensure-symetric-vault-is-absent.yml playbooks/vault/ensure-symetric-vault-is-present.yml playbooks/vault/ensure-vault-is-present-with-members.yml playbooks/vault/ensure-vault-member-group-is-absent.yml playbooks/vault/ensure-vault-member-group-is-present.yml playbooks/vault/ensure-vault-member-user-is-absent.yml playbooks/vault/ensure-vault-member-user-is-present.yml playbooks/vault/ensure-vault-owner-is-absent.yml playbooks/vault/ensure-vault-owner-is-present.yml New tests added for the module: tests/vault/test_vault.yml --- README-vault.md | 203 ++++++ README.md | 2 + .../data-archive-in-asymmetric-vault.yml | 13 + .../vault/data-archive-in-symmetric-vault.yml | 14 + .../ensure-asymetric-vault-is-absent.yml | 12 + .../ensure-asymetric-vault-is-present.yml | 13 + .../vault/ensure-service-vault-is-absent.yml | 12 + .../vault/ensure-service-vault-is-present.yml | 13 + .../vault/ensure-shared-vault-is-absent.yml | 12 + .../vault/ensure-shared-vault-is-present.yml | 13 + 
.../vault/ensure-standard-vault-is-absent.yml | 12 + .../ensure-standard-vault-is-present.yml | 13 + .../vault/ensure-symetric-vault-is-absent.yml | 12 + .../ensure-symetric-vault-is-present.yml | 13 + .../ensure-vault-is-present-with-members.yml | 17 + .../ensure-vault-member-group-is-absent.yml | 14 + .../ensure-vault-member-group-is-present.yml | 14 + .../ensure-vault-member-user-is-absent.yml | 16 + .../ensure-vault-member-user-is-present.yml | 14 + .../vault/ensure-vault-owner-is-absent.yml | 15 + .../vault/ensure-vault-owner-is-present.yml | 15 + plugins/modules/ipavault.py | 646 ++++++++++++++++++ tests/vault/test_vault.yml | 562 +++++++++++++++ 23 files changed, 1670 insertions(+) create mode 100644 README-vault.md create mode 100644 playbooks/vault/data-archive-in-asymmetric-vault.yml create mode 100644 playbooks/vault/data-archive-in-symmetric-vault.yml create mode 100644 playbooks/vault/ensure-asymetric-vault-is-absent.yml create mode 100644 playbooks/vault/ensure-asymetric-vault-is-present.yml create mode 100644 playbooks/vault/ensure-service-vault-is-absent.yml create mode 100644 playbooks/vault/ensure-service-vault-is-present.yml create mode 100644 playbooks/vault/ensure-shared-vault-is-absent.yml create mode 100644 playbooks/vault/ensure-shared-vault-is-present.yml create mode 100644 playbooks/vault/ensure-standard-vault-is-absent.yml create mode 100644 playbooks/vault/ensure-standard-vault-is-present.yml create mode 100644 playbooks/vault/ensure-symetric-vault-is-absent.yml create mode 100644 playbooks/vault/ensure-symetric-vault-is-present.yml create mode 100644 playbooks/vault/ensure-vault-is-present-with-members.yml create mode 100644 playbooks/vault/ensure-vault-member-group-is-absent.yml create mode 100644 playbooks/vault/ensure-vault-member-group-is-present.yml create mode 100644 playbooks/vault/ensure-vault-member-user-is-absent.yml create mode 100644 playbooks/vault/ensure-vault-member-user-is-present.yml create mode 100644 
playbooks/vault/ensure-vault-owner-is-absent.yml create mode 100644 playbooks/vault/ensure-vault-owner-is-present.yml create mode 100644 plugins/modules/ipavault.py create mode 100644 tests/vault/test_vault.yml diff --git a/README-vault.md b/README-vault.md new file mode 100644 index 00000000..4be24696 --- /dev/null +++ b/README-vault.md 
@@ -0,0 +1,203 @@ +Vault module +=================== + +Description +----------- + +The vault module allows to ensure presence and absence of vault and members of vaults. + +The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults. + + +Features +-------- +* Vault management + + +Supported FreeIPA Versions +-------------------------- + +FreeIPA versions 4.4.0 and up are supported by the ipavault module. + + +Requirements +------------ + +**Controller** +* Ansible version: 2.8+ + +**Node** +* Supported FreeIPA version (see above) +* KRA service must be enabled + + +Usage +===== + +Example inventory file + +```ini +[ipaserver] +ipaserver.test.local +``` + +Example playbook to make sure vault is present: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + vault_password: MyVaultPassword123 + description: A standard private vault. +``` + +Example playbook to make sure that a vault and its members are present: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + users: user01 +``` + +`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`. 
+ +Example playbook to make sure that a vault member is present in vault: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + users: user01 + action: member +``` + +Example playbook to make sure that a vault owner is absent in vault: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + owner: user01 + action: member + state: absent +``` + +Example playbook to make sure vault data is present in a symmetric vault: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + vault_password: MyVaultPassword123 + vault_data: > + Data archived. + More data archived. + action: member +``` + +Example playbook to make sure vault data is absent in a symmetric vault: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + vault_password: MyVaultPassword123 + action: member + state: absent +``` + +Example playbook to make sure vault is absent: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + state: absent +``` + +Variables +========= + +ipavault +------- + +Variable | Description | Required +-------- | ----------- | -------- +`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no +`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no +`name` \| `cn` | The list of vault name strings. | yes +`description` | The vault description string. 
| no +`nomembers` | Suppress processing of membership attributes. (bool) | no +`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no +`vault_salt` \| `ipavaultsalt` | Vault salt. | no +`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no +`service` | Any service can own one or more service vaults. | no +`user` | Any user can own one or more user vaults. | no +`shared` | Vault is shared. Default to false. (bool) | no +`users` | Users that are members of the vault. | no +`groups` | Groups that are member of the vault. | no +`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no +`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no +`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no + + +Notes +===== + +ipavault uses a client context to execute, and it might affect execution time. + + +Authors +======= + +Rafael Jeffman diff --git a/README.md b/README.md index 5efbd088..9b150a1a 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,7 @@ Features * Modules for sudorule management * Modules for topology management * Modules for user management +* Modules for vault management Supported FreeIPA Versions -------------------------- @@ -416,3 +417,4 @@ Modules in plugin/modules * [ipatopologysegment](README-topology.md) * [ipatopologysuffix](README-topology.md) * [ipauser](README-user.md) +* [ipavault](README-vault.md) diff --git a/playbooks/vault/data-archive-in-asymmetric-vault.yml b/playbooks/vault/data-archive-in-asymmetric-vault.yml new file mode 100644 index 00000000..f70d76db --- /dev/null +++ b/playbooks/vault/data-archive-in-asymmetric-vault.yml 
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: asymvault
+ username: user01
+ vault_data: The world of π is half rounded.
+ action: member
diff --git a/playbooks/vault/data-archive-in-symmetric-vault.yml b/playbooks/vault/data-archive-in-symmetric-vault.yml
new file mode 100644
index 00000000..eb8b0a0f
--- /dev/null
+++ b/playbooks/vault/data-archive-in-symmetric-vault.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ vault_data: The world of π is half rounded.
+ action: member
diff --git a/playbooks/vault/ensure-asymetric-vault-is-absent.yml b/playbooks/vault/ensure-asymetric-vault-is-absent.yml
new file mode 100644
index 00000000..62866c43
--- /dev/null
+++ b/playbooks/vault/ensure-asymetric-vault-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: asymvault
+ username: admin
+ state: absent
diff --git a/playbooks/vault/ensure-asymetric-vault-is-present.yml b/playbooks/vault/ensure-asymetric-vault-is-present.yml
new file mode 100644
index 00000000..f946779b
--- /dev/null
+++ b/playbooks/vault/ensure-asymetric-vault-is-present.yml
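Review bot: data-archive-in-asymmetric-vault.yml archives into the vault of `username: user01`, but the companion ensure-asymetric-vault-is-present.yml (next line) creates `asymvault` for `username: admin`, so if these playbooks are meant to be run as a pair the archive step targets a vault that the present-playbook never creates. The symmetric pair on this line is consistent (both use `admin`); the asymmetric archive playbook should presumably read `username: admin` as well, or the present-playbook should switch to `user01`. Either way the two files should agree on the vault owner.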
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: asymvault
+ username: admin
+ vault_public_key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlVbFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
+ vault_type: asymmetric
diff --git a/playbooks/vault/ensure-service-vault-is-absent.yml b/playbooks/vault/ensure-service-vault-is-absent.yml
new file mode 100644
index 00000000..1affb4c7
--- /dev/null
+++ b/playbooks/vault/ensure-service-vault-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: svcvault
+ service: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
diff --git a/playbooks/vault/ensure-service-vault-is-present.yml b/playbooks/vault/ensure-service-vault-is-present.yml
new file mode 100644
index 00000000..423fef1f
--- /dev/null
+++ b/playbooks/vault/ensure-service-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: svcvault
+ service: "HTTP/{{ groups.ipaserver[0] }}"
+ ipavaultpassword: MyVaultPassword123
+ state: present
diff --git a/playbooks/vault/ensure-shared-vault-is-absent.yml b/playbooks/vault/ensure-shared-vault-is-absent.yml
new file mode 100644
index 00000000..fdf1babd
--- /dev/null
+++ b/playbooks/vault/ensure-shared-vault-is-absent.yml
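Review bot: ensure-service-vault-is-present.yml passes the vault password through the alias `ipavaultpassword:` while every other playbook in this commit uses the primary parameter name, and ensure-shared-vault-is-present.yml on the next line does the same; writing `vault_password: MyVaultPassword123` in both keeps the examples consistent with the README and the module's DOCUMENTATION. The new file names ensure-asymetric-vault-is-absent/present.yml (and the ensure-symetric-*.yml files later in the patch) spell "asymmetric"/"symmetric" with a single m, which will be awkward to fix once users reference them.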
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: sharedvault
+ shared: True
+ state: absent
diff --git a/playbooks/vault/ensure-shared-vault-is-present.yml b/playbooks/vault/ensure-shared-vault-is-present.yml
new file mode 100644
index 00000000..9f25e407
--- /dev/null
+++ b/playbooks/vault/ensure-shared-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: sharedvault
+ shared: True
+ ipavaultpassword: MyVaultPassword123
+ state: present
diff --git a/playbooks/vault/ensure-standard-vault-is-absent.yml b/playbooks/vault/ensure-standard-vault-is-absent.yml
new file mode 100644
index 00000000..c52806e6
--- /dev/null
+++ b/playbooks/vault/ensure-standard-vault-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: stdvault
+ username: admin
+ state: absent
diff --git a/playbooks/vault/ensure-standard-vault-is-present.yml b/playbooks/vault/ensure-standard-vault-is-present.yml
new file mode 100644
index 00000000..a55f55cc
--- /dev/null
+++ b/playbooks/vault/ensure-standard-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: stdvault
+ vault_type: standard
+ username: admin
+ description: A standard private vault.
diff --git a/playbooks/vault/ensure-symetric-vault-is-absent.yml b/playbooks/vault/ensure-symetric-vault-is-absent.yml
new file mode 100644
index 00000000..87c3bdc2
--- /dev/null
+++ b/playbooks/vault/ensure-symetric-vault-is-absent.yml
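Review bot: `shared: True` in ensure-shared-vault-is-absent.yml and ensure-shared-vault-is-present.yml uses the capitalised YAML 1.1 boolean spelling while the same files write `become: true`; `shared: true` keeps to the lowercase form that yamllint's truthy rule accepts and that the rest of the patch uses. The same spelling appears again in the "Ensure shared vaults are absent" task of tests/vault/test_vault.yml later in the patch.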
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: symvault
+ username: admin
+ state: absent
diff --git a/playbooks/vault/ensure-symetric-vault-is-present.yml b/playbooks/vault/ensure-symetric-vault-is-present.yml
new file mode 100644
index 00000000..ea10d573
--- /dev/null
+++ b/playbooks/vault/ensure-symetric-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ vault_type: symmetric
diff --git a/playbooks/vault/ensure-vault-is-present-with-members.yml b/playbooks/vault/ensure-vault-is-present-with-members.yml
new file mode 100644
index 00000000..65cd72d4
--- /dev/null
+++ b/playbooks/vault/ensure-vault-is-present-with-members.yml
@@ -0,0 +1,17 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: stdvault
+ vault_type: standard
+ username: admin
+ users:
+ - user01
+ - user02
+ groups:
+ - ipausers
diff --git a/playbooks/vault/ensure-vault-member-group-is-absent.yml b/playbooks/vault/ensure-vault-member-group-is-absent.yml
new file mode 100644
index 00000000..f26bc670
--- /dev/null
+++ b/playbooks/vault/ensure-vault-member-group-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: keychain
+ username: admin
+ state: absent
+ action: member
+ groups: ipausers
diff --git a/playbooks/vault/ensure-vault-member-group-is-present.yml b/playbooks/vault/ensure-vault-member-group-is-present.yml
new file mode 100644
index 00000000..84dc087e
--- /dev/null
+++ b/playbooks/vault/ensure-vault-member-group-is-present.yml
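Review bot: ensure-vault-member-group-is-absent.yml, and the member playbooks on the next line, operate on a vault named `keychain` that no playbook in this set creates; the present-playbooks only create `stdvault`, `symvault` and `asymvault`. If these are meant to be runnable examples, the member playbooks should target one of those vaults (e.g. `name: symvault`) or a companion playbook should create `keychain` first. ensure-vault-is-present-with-members.yml on this line already shows the consistent pattern by using `stdvault`.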
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: keychain
+ username: admin
+ state: present
+ action: member
+ groups: ipausers
diff --git a/playbooks/vault/ensure-vault-member-user-is-absent.yml b/playbooks/vault/ensure-vault-member-user-is-absent.yml
new file mode 100644
index 00000000..99c9d6cc
--- /dev/null
+++ b/playbooks/vault/ensure-vault-member-user-is-absent.yml
@@ -0,0 +1,16 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: keychain
+ username: admin
+ state: absent
+ action: member
+ users:
+ - user01
+ - user02
diff --git a/playbooks/vault/ensure-vault-member-user-is-present.yml b/playbooks/vault/ensure-vault-member-user-is-present.yml
new file mode 100644
index 00000000..820a9f7c
--- /dev/null
+++ b/playbooks/vault/ensure-vault-member-user-is-present.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: keychain
+ username: admin
+ state: present
+ action: member
+ users: user1
diff --git a/playbooks/vault/ensure-vault-owner-is-absent.yml b/playbooks/vault/ensure-vault-owner-is-absent.yml
new file mode 100644
index 00000000..33670fc8
--- /dev/null
+++ b/playbooks/vault/ensure-vault-owner-is-absent.yml
@@ -0,0 +1,15 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: symvault
+ username: admin
+ owners: user01
+ ownergroups: ipausers
+ action: member
+ state: absent
diff --git a/playbooks/vault/ensure-vault-owner-is-present.yml b/playbooks/vault/ensure-vault-owner-is-present.yml
new file mode 100644
index 00000000..52b1d93c
--- /dev/null
+++ b/playbooks/vault/ensure-vault-owner-is-present.yml
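Review bot: ensure-vault-member-user-is-present.yml adds `users: user1`, but its counterpart ensure-vault-member-user-is-absent.yml on this same line removes `user01` and `user02`, and `user01`/`user02` are the user names used everywhere else in the patch, so `user1` looks like a typo and the present/absent pair does not round-trip. Mirroring the absent playbook with `users:` followed by `- user01` and `- user02` makes the two files exercise the same membership.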
@@ -0,0 +1,15 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: MyPassword123
+ name: symvault
+ username: admin
+ owners: user01
+ ownergroups: ipausers
+ action: member
+ state: present
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
new file mode 100644
index 00000000..32137ee7
--- /dev/null
+++ b/plugins/modules/ipavault.py
@@ -0,0 +1,646 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Authors: +# Rafael Guterres Jeffman +# +# Copyright (C) 2019 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +ANSIBLE_METADATA = { + "metadata_version": "1.0", + "supported_by": "community", + "status": ["preview"], +} + +DOCUMENTATION = """ +--- +module: ipavault +short description: Manage vaults and secret vaults. +description: Manage vaults and secret vaults. KRA service must be enabled. +options: + ipaadmin_principal: + description: The admin principal + default: admin + ipaadmin_password: + description: The admin password + required: false + name: + description: The vault name + required: true + aliases: ["cn"] + description: + description: The vault description + required: false + vault_public_key: + description: Base64 encoded public key. + required: false + type: list + aliases: ["ipavaultpublickey"] + vault_salt: + description: Vault salt. + required: false + type: list + aliases: ["ipavaultsalt"] + vault_password: + description: password to be used on symmetric vault. + required: false + type: string + aliases: ["ipavaultpassword"] + vault_type: + description: Vault types are based on security level. 
+ required: true + default: symmetric + choices: ["standard", "symmetric", "asymmetric"] + aliases: ["ipavaulttype"] + service: + description: Any service can own one or more service vaults. + required: false + type: list + username: + description: Any user can own one or more user vaults. + required: false + type: string + aliases: ["user"] + shared: + description: Vault is shared. + required: false + type: boolean + vault_data: + description: Data to be stored in the vault. + required: false + type: string + aliases: ["ipavaultdata"] + owners: + description: Users that are owners of the container. + required: false + type: list + users: + description: Users that are member of the container. + required: false + type: list + groups: + description: Groups that are member of the container. + required: false + type: list + action: + description: Work on vault or member level. + default: vault + choices: ["vault", "member"] + state: + description: State to ensure + default: present + choices: ["present", "absent"] +author: + - Rafael Jeffman +""" + +EXAMPLES = """ +# Ensure vault symvault is present +- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + vault_password: MyVaultPassword123 + vault_salt: MTIzNDU2Nzg5MAo= + vault_type: symmetric + +# Ensure group ipausers is a vault member. +- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + groups: ipausers + action: member + +# Ensure group ipausers is not a vault member. +- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + groups: ipausers + action: member + state: absent + +# Ensure vault users are present. +- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + users: + - user01 + - user02 + action: member + +# Ensure vault users are absent. 
+- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + users: + - user01 + - user02 + action: member + status: absent + +# Ensure user owns vault. +- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + action: member + owners: user01 + +# Ensure user does not own vault. +- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + owners: user01 + action: member + status: absent + +# Ensure data is archived to a symmetric vault +- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: admin + vault_password: MyVaultPassword123 + vault_data: > + Data archived. + More data archived. + action: member + +# Ensure vault symvault is absent +- ipavault: + ipaadmin_password: MyPassword123 + name: symvault + user: admin + state: absent + +# Ensure asymmetric vault is present. +- ipavault: + ipaadmin_password: MyPassword123 + name: asymvault + username: user01 + description: An asymmetric vault + vault_type: asymmetric + vault_public_key: + LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR + HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi + 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM + 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV + bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk + tLS0tLQo= + +# Ensure data is archived in an asymmetric vault +- ipavault: + ipaadmin_password: MyPassword123 + name: asymvault + username: admin + vault_data: > + Data archived. + More data archived. + action: member + +# Ensure asymmetric vault is absent. 
+- ipavault: + ipaadmin_password: MyPassword123 + name: asymvault + username: user01 + vault_type: asymmetric + state: absent +""" + +RETURN = """ +""" + +import os +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ + temp_kdestroy, valid_creds, api_connect, api_command, \ + gen_add_del_lists, compare_args_ipa, module_params_get +from ipalib.errors import EmptyModlist + + +def find_vault(module, name, username, service, shared): + _args = { + "all": True, + "cn": name, + } + + if username is not None: + _args['username'] = username + elif service is not None: + _args['service'] = service + else: + _args['shared'] = shared + + _result = api_command(module, "vault_find", name, _args) + + if len(_result["result"]) > 1: + module.fail_json( + msg="There is more than one vault '%s'" % (name)) + if len(_result["result"]) == 1: + return _result["result"][0] + + return None + + +def gen_args(description, username, service, shared, vault_type, salt, + public_key, vault_data): + _args = {} + + if description is not None: + _args['description'] = description + if username is not None: + _args['username'] = username + if service is not None: + _args['service'] = service + if shared is not None: + _args['shared'] = shared + if vault_type is not None: + _args['ipavaulttype'] = vault_type + if salt is not None: + _args['ipavaultsalt'] = salt + if public_key is not None: + _args['ipavaultpublickey'] = public_key + if vault_data is not None: + _args['data'] = vault_data.encode('utf-8') + + return _args + + +def gen_member_args(args, users, groups): + _args = args.copy() + + for arg in ['ipavaulttype', 'description', 'ipavaultpublickey', + 'ipavaultsalt']: + if arg in _args: + del _args[arg] + + _args['user'] = users + _args['group'] = groups + + return _args + + +def data_storage_args(args, data, password): + _args = {} + + if 'username' in args: + _args['username'] = args['username'] + if 'service' in args: + 
_args['service'] = args['service'] + if 'shared' in args: + _args['shared'] = args['shared'] + + if password is not None: + _args['password'] = password + + _args['data'] = data + + return _args + + +def check_parameters(module, state, action, description, username, service, + shared, users, groups, owners, ownergroups, vault_type, + salt, password, public_key, vault_data): + invalid = [] + if state == "present": + if action == "member": + invalid = ['description', 'public_key', 'salt'] + + for param in invalid: + if vars()[param] is not None: + module.fail_json( + msg="Argument '%s' can not be used with action '%s'" % + (param, action)) + + elif state == "absent": + invalid = ['description', 'salt'] + + if action == "vault": + invalid.extend(['users', 'groups', 'owners', 'ownergroups', + 'password', 'public_key']) + + for arg in invalid: + if vars()[arg] is not None: + module.fail_json( + msg="Argument '%s' can not be used with action '%s'" % + (arg, state)) + + +def check_encryption_params(module, state, vault_type, password, public_key, + vault_data, res_find): + if state == "present": + if vault_type == "symmetric": + if password is None \ + and (vault_data is not None or res_find is None): + module.fail_json( + msg="Vault password required for symmetric vault.") + + if vault_type == "asymmetric": + if public_key is None and res_find is None: + module.fail_json( + msg="Public Key required for asymmetric vault.") + + +def main(): + ansible_module = AnsibleModule( + argument_spec=dict( + # generalgroups + ipaadmin_principal=dict(type="str", default="admin"), + ipaadmin_password=dict(type="str", required=False, no_log=True), + + name=dict(type="list", aliases=["cn"], default=None, + required=True), + + # present + + description=dict(required=False, type="str", default=None), + vault_type=dict(type="str", aliases=["ipavaulttype"], + default=None, required=False, + choices=["standard", "symmetric", "asymmetric"]), + vault_public_key=dict(type="str", required=False, 
default=None, + aliases=['ipavaultpublickey']), + vault_salt=dict(type="str", required=False, default=None, + aliases=['ipavaultsalt']), + username=dict(type="str", required=False, default=None, + aliases=['user']), + service=dict(type="str", required=False, default=None), + shared=dict(type="bool", required=False, default=None), + + users=dict(required=False, type='list', default=None), + groups=dict(required=False, type='list', default=None), + owners=dict(required=False, type='list', default=None), + ownergroups=dict(required=False, type='list', default=None), + + vault_data=dict(type="str", required=False, default=None, + aliases=['ipavaultdata']), + vault_password=dict(type="str", required=False, default=None, + no_log=True, aliases=['ipavaultpassword']), + + # state + action=dict(type="str", default="vault", + choices=["vault", "data", "member"]), + state=dict(type="str", default="present", + choices=["present", "absent"]), + ), + supports_check_mode=True, + mutually_exclusive=[['username', 'service', 'shared']], + required_one_of=[['username', 'service', 'shared']] + ) + + ansible_module._ansible_debug = True + + # general + ipaadmin_principal = module_params_get(ansible_module, + "ipaadmin_principal") + ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") + names = module_params_get(ansible_module, "name") + + # present + description = module_params_get(ansible_module, "description") + + username = module_params_get(ansible_module, "username") + service = module_params_get(ansible_module, "service") + shared = module_params_get(ansible_module, "shared") + + users = module_params_get(ansible_module, "users") + groups = module_params_get(ansible_module, "groups") + owners = module_params_get(ansible_module, "owners") + ownergroups = module_params_get(ansible_module, "ownergroups") + + vault_type = module_params_get(ansible_module, "vault_type") + salt = module_params_get(ansible_module, "vault_salt") + password = 
module_params_get(ansible_module, "vault_password") + public_key = module_params_get(ansible_module, "vault_public_key") + + vault_data = module_params_get(ansible_module, "vault_data") + + action = module_params_get(ansible_module, "action") + # state + state = module_params_get(ansible_module, "state") + + # Check parameters + + if state == "present": + if len(names) != 1: + ansible_module.fail_json( + msg="Only one vault can be added at a time.") + + elif state == "absent": + if len(names) < 1: + ansible_module.fail_json(msg="No name given.") + + else: + ansible_module.fail_json(msg="Invalid state '%s'" % state) + + check_parameters(ansible_module, state, action, description, username, + service, shared, users, groups, owners, ownergroups, + vault_type, salt, password, public_key, vault_data) + # Init + + changed = False + exit_args = {} + ccache_dir = None + ccache_name = None + try: + if not valid_creds(ansible_module, ipaadmin_principal): + ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, + ipaadmin_password) + + api_connect(context='ansible-freeipa') + + commands = [] + + for name in names: + # Make sure vault exists + res_find = find_vault( + ansible_module, name, username, service, shared) + + # Generate args + args = gen_args(description, username, service, shared, vault_type, + salt, public_key, vault_data) + + # Set default vault_type if needed. + if vault_type is None and vault_data is not None: + if res_find is not None: + res_vault_type = res_find.get('ipavaulttype')[0] + args['ipavaulttype'] = vault_type = res_vault_type + else: + args['ipavaulttype'] = vault_type = "symmetric" + + # verify data encription args + check_encryption_params(ansible_module, state, vault_type, + password, public_key, vault_data, res_find) + + # Create command + if state == "present": + + # Found the vault + if action == "vault": + if res_find is not None: + # For all settings is args, check if there are + # different settings in the find result. 
+ # If yes: modify + if not compare_args_ipa(ansible_module, args, + res_find): + commands.append([name, "vault_mod_internal", args]) + else: + if 'ipavaultsault' not in args: + args['ipavaultsalt'] = os.urandom(32) + commands.append([name, "vault_add_internal", args]) + # archive empty data to set password + pwdargs = data_storage_args( + args, args.get('data', ''), password) + commands.append([name, "vault_archive", pwdargs]) + + # Set res_find to empty dict for next step # noqa + res_find = {} + + # Generate adittion and removal lists + user_add, user_del = \ + gen_add_del_lists(users, + res_find.get('member_user', [])) + group_add, group_del = \ + gen_add_del_lists(groups, + res_find.get('member_group', [])) + owner_add, owner_del = \ + gen_add_del_lists(owners, + res_find.get('owner_user', [])) + ownergroups_add, ownergroups_del = \ + gen_add_del_lists(ownergroups, + res_find.get('owner_group', [])) + + # Add users and groups + if len(user_add) > 0 or len(group_add) > 0: + user_add_args = gen_member_args(args, user_add, + group_add) + commands.append([name, 'vault_add_member', + user_add_args]) + + # Remove users and groups + if len(user_del) > 0 or len(group_del) > 0: + user_del_args = gen_member_args(args, user_del, + group_del) + commands.append([name, 'vault_remove_member', + user_del_args]) + + # Add owner users and groups + if len(user_add) > 0 or len(group_add) > 0: + owner_add_args = gen_member_args(args, owner_add, + ownergroups_add) + commands.append([name, 'vault_add_owner', + owner_add_args]) + + # Remove owner users and groups + if len(user_del) > 0 or len(group_del) > 0: + owner_del_args = gen_member_args(args, owner_del, + ownergroups_del) + commands.append([name, 'vault_remove_owner', + owner_del_args]) + + elif action in "member": + # Add users and groups + if users is not None or groups is not None: + user_args = gen_member_args(args, users, groups) + commands.append([name, 'vault_add_member', user_args]) + if owners is not None or 
ownergroups is not None: + owner_args = gen_member_args(args, owners, ownergroups) + commands.append([name, 'vault_add_owner', owner_args]) + + if vault_data is not None: + data_args = data_storage_args( + args, args.get('data', ''), password) + commands.append([name, 'vault_archive', data_args]) + + elif state == "absent": + if 'ipavaulttype' in args: + del args['ipavaulttype'] + + if action == "vault": + if res_find is not None: + commands.append([name, "vault_del", args]) + + elif action == "member": + # remove users and groups + if users is not None or groups is not None: + user_args = gen_member_args(args, users, groups) + commands.append([name, 'vault_remove_member', + user_args]) + + if owners is not None or ownergroups is not None: + owner_args = gen_member_args(args, owners, ownergroups) + commands.append([name, 'vault_remove_owner', + owner_args]) + else: + ansible_module.fail_json( + msg="Invalid action '%s' for state '%s'" % + (action, state)) + else: + ansible_module.fail_json(msg="Unkown state '%s'" % state) + + # Execute commands + + errors = [] + for name, command, args in commands: + try: + result = api_command(ansible_module, command, name, args) + + if command == 'vault_archive': + changed = 'Archived data into' in result['summary'] + else: + if "completed" in result: + if result["completed"] > 0: + changed = True + else: + changed = True + except EmptyModlist: + result = {} + except Exception as exception: + ansible_module.fail_json( + msg="%s: %s: %s" % (command, name, str(exception))) + + # Get all errors + # All "already a member" and "not a member" failures in the + # result are ignored. All others are reported. 
+ if "failed" in result and len(result["failed"]) > 0: + for item in result["failed"]: + failed_item = result["failed"][item] + for member_type in failed_item: + for member, failure in failed_item[member_type]: + if "already a member" in failure \ + or "not a member" in failure: + continue + errors.append("%s: %s %s: %s" % ( + command, member_type, member, failure)) + if len(errors) > 0: + ansible_module.fail_json(msg=", ".join(errors)) + + except Exception as exception: + ansible_module.fail_json(msg=str(exception)) + + finally: + temp_kdestroy(ccache_dir, ccache_name) + + # Done + ansible_module.exit_json(changed=changed, **exit_args) + + +if __name__ == "__main__": + main() diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml new file mode 100644 index 00000000..b48f1ea4 --- /dev/null +++ b/tests/vault/test_vault.yml 
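Review bot: `vault_data` is declared in the argument_spec without `no_log=True`, so the secret being archived is returned in the task's `invocation.module_args` and printed in verbose output, and `ansible_module._ansible_debug = True` a few lines later is left switched on; declare it as `vault_data=dict(type="str", required=False, default=None, no_log=True, aliases=['ipavaultdata'])` and drop the debug line. In main() the salt check tests `'ipavaultsault'`, a misspelling of `'ipavaultsalt'`, so a caller-supplied salt is always overwritten by `os.urandom(32)`. In the `action == "vault"` branch the owner add/remove blocks are gated on `user_add`/`group_add` and `user_del`/`group_del` instead of `owner_add`/`ownergroups_add` and `owner_del`/`ownergroups_del`, so owner changes are only applied when member changes happen in the same run, and `elif action in "member":` is a substring test where `==` is meant. `choices` for `action` include `"data"`, which neither DOCUMENTATION nor the state-present branch handles (it silently issues no command and reports unchanged), and the EXAMPLES block twice uses `status: absent` where the parameter is `state`; DOCUMENTATION also omits `ownergroups` and has `short description` where `short_description` is expected.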
@@ -0,0 +1,562 @@ +--- + +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + + - name: Ensure user vaults are absent + ipavault: + ipaadmin_password: MyPassword123 + name: + - stdvault + - symvault + - asymvault + username: user01 + state: absent + + - name: Ensure test users do not exist. + ipauser: + ipaadmin_password: MyPassword123 + name: + - user01 + - user02 + - user03 + state: absent + + - name: Ensure test groups do not exist. + ipagroup: + ipaadmin_password: MyPassword123 + name: vaultgroup + state: absent + + - name: Ensure vaultgroup exists. + ipagroup: + ipaadmin_password: MyPassword123 + name: vaultgroup + + - name: Ensure user01 exists. + ipauser: + ipaadmin_password: MyPassword123 + name: user01 + first: First + last: Start + + - name: Ensure user02 exists. + ipauser: + ipaadmin_password: MyPassword123 + name: user02 + first: Second + last: Middle + + - name: Ensure user03 exists. + ipauser: + ipaadmin_password: MyPassword123 + name: user03 + first: Third + last: Last + + - name: Ensure shared vaults are absent + ipavault: + ipaadmin_password: MyPassword123 + name: sharedvault + shared: True + state: absent + + - name: Ensure service vaults are absent + ipavault: + ipaadmin_password: MyPassword123 + name: svcvault + service: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + + - name: Ensure symmetric vault is present + ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: user01 + vault_password: MyVaultPassword123 + vault_type: symmetric + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is present, again + ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: user01 + vault_password: MyVaultPassword123 + vault_type: symmetric + register: result + failed_when: result.changed + + - name: Archive data to symmetric vault + ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: user01 + vault_password: MyVaultPassword123 + 
vault_data: Hello World. + action: member + register: result + failed_when: not result.changed + + - name: Archive data with non-ASCII characters to symmetric vault + ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: user01 + vault_password: MyVaultPassword123 + vault_data: The world of π is half rounded. + action: member + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is absent + ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: user01 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is absent, again + ipavault: + ipaadmin_password: MyPassword123 + name: symvault + username: user01 + state: absent + register: result + failed_when: result.changed + + - name: Ensure asymmetric vault is present. + ipavault: + ipaadmin_password: MyPassword123 + name: asymvault + username: user01 + description: A symmetric private vault. + vault_public_key: + LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR + HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi + 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM + 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV + bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk + tLS0tLQo= + vault_type: asymmetric + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is present, again. 
+ ipavault: + ipaadmin_password: MyPassword123 + name: asymvault + username: user01 + vault_public_key: + LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR + HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi + 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM + 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV + bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk + tLS0tLQo= + vault_type: asymmetric + register: result + failed_when: result.changed + + - name: Archive data in asymmetric vault. + ipavault: + ipaadmin_password: MyPassword123 + name: asymvault + username: user01 + vault_data: Hello World. + action: member + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is absent. + ipavault: + ipaadmin_password: MyPassword123 + name: asymvault + username: user01 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is absent, again. + ipavault: + ipaadmin_password: MyPassword123 + name: asymvault + username: user01 + state: absent + register: result + failed_when: result.changed + + - name: Ensure standard vault is present. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + vault_type: standard + username: user01 + description: A standard private vault. + register: result + failed_when: not result.changed + + - name: Ensure standard vault is present, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + vault_type: standard + description: A standard private vault. + register: result + failed_when: result.changed + + - name: Archive data in standard vault. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + vault_data: Hello World. + action: member + register: result + failed_when: not result.changed + + - name: Ensure standard vault member user is present. 
+ ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + users: + - user02 + register: result + failed_when: not result.changed + + - name: Ensure standard vault member user is present, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + users: + - user02 + register: result + failed_when: result.changed + + - name: Ensure more vault member users are present. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + users: + - user01 + - user02 + register: result + failed_when: not result.changed + + - name: Ensure vault member user is still present. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + users: + - user02 + register: result + failed_when: result.changed + + - name: Ensure vault users are absent. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + users: + - user01 + - user02 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault users are absent, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + users: + - user01 + - user02 + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault user is absent, once more. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + users: + - user01 + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault member group is present. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + groups: vaultgroup + register: result + failed_when: not result.changed + + - name: Ensure vault member group is present, again. 
+ ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + groups: vaultgroup + register: result + failed_when: result.changed + + - name: Ensure vault member group is absent. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + groups: vaultgroup + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault member group is absent, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + action: member + groups: vaultgroup + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault is absent. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault is absent, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + state: absent + register: result + failed_when: result.changed + + - name: Ensure shared vault is present. + ipavault: + ipaadmin_password: MyPassword123 + name: sharedvault + shared: True + ipavaultpassword: MyVaultPassword123 + register: result + failed_when: not result.changed + + - name: Ensure shared vault is absent. + ipavault: + ipaadmin_password: MyPassword123 + name: sharedvault + shared: True + state: absent + register: result + failed_when: not result.changed + + - name: Ensure service vault is present. + ipavault: + ipaadmin_password: MyPassword123 + name: svcvault + ipavaultpassword: MyVaultPassword123 + service: "HTTP/{{ groups.ipaserver[0] }}" + register: result + failed_when: not result.changed + + - name: Ensure service vault is absent. + ipavault: + ipaadmin_password: MyPassword123 + name: svcvault + service: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault is present, with members. 
+ ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + vault_type: standard + users: + - user02 + - user03 + groups: + - vaultgroup + register: result + failed_when: not result.changed + + - name: Ensure vault is present, with members, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + vault_type: standard + users: + - user02 + - user03 + groups: + - vaultgroup + register: result + failed_when: result.changed + + - name: Ensure user02 is not a member of vault stdvault. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + users: user02 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure user02 is not a member of vault stdvault, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + users: user02 + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure user02 is a member of vault stdvault. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + users: user02 + action: member + register: result + failed_when: not result.changed + + - name: Ensure user02 is a member of vault stdvault, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + users: user03 + action: member + register: result + failed_when: result.changed + + - name: Ensure user03 owns vault stdvault. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + owners: user03 + action: member + register: result + failed_when: not result.changed + + - name: Ensure user03 owns vault stdvault, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + owners: user03 + action: member + register: result + failed_when: result.changed + + - name: Ensure user03 is not owner of stdvault. 
+ ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + owners: user03 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure user03 is not owner of stdvault, again. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + owners: user03 + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure vault is absent. + ipavault: + ipaadmin_password: MyPassword123 + name: stdvault + username: user01 + state: absent + + # cleaup + - name: Ensure test vaults are absent + ipavault: + ipaadmin_password: MyPassword123 + name: + - stdvault + - symvault + - asymvault + username: user01 + state: absent + + - name: Ensure shared vaults are absent + ipavault: + ipaadmin_password: MyPassword123 + name: sharedvault + shared: True + state: absent + + - name: Ensure service vaults are absent + ipavault: + ipaadmin_password: MyPassword123 + name: svcvault + service: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + + - name: Ensure test users do not exist. + ipauser: + ipaadmin_password: MyPassword123 + name: + - user01 + - user02 + - user03 + state: absent + + - name: Ensure test groups do not exist. + ipagroup: + ipaadmin_password: MyPassword123 + name: vaultgroup + state: absent From b6100f0c19e2caf73ab70bbc572d3e47e6066b48 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Tue, 17 Dec 2019 14:04:43 +0100 Subject: [PATCH 10/40] ipahost: Fix choices of auth_ind parameter, allow to reset parameter The choices for the auth_ind parameter have been wrong. The choices are now ['radius', 'otp', 'pkinit', 'hardened', '']. The empty string has been added to be able to rest auth_ind for the host entry. --- README-host.md | 2 +- plugins/modules/ipahost.py | 15 ++++++++++++--- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/README-host.md b/README-host.md index edec8d98..be5ad79b 100644 --- a/README-host.md +++ b/README-host.md 
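Review bot: `shared: True` in the shared-vault tasks uses a capitalised YAML 1.1 boolean while the rest of the file writes them lowercase (`become: true`); `shared: true` keeps yamllint's truthy rule quiet and avoids parser differences. The task named `Ensure user02 is a member of vault stdvault, again.` passes `users: user03`, which looks like a copy-paste slip — it checks idempotence for a different member than the task before it, so the "again" path for user02 is never exercised. The asymmetric vault task describes itself with `description: A symmetric private vault.`; `An asymmetric private vault.` matches the `vault_type` on the same task. The `# cleaup` comment before the final cleanup tasks should read `# cleanup`.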
@@ -280,7 +280,7 @@ Variable | Description | Required `mac_address` \| `macaddress` | List of hardware MAC addresses. | no `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no -`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened"] | no +`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py index ec5e1963..b1303959 100644 --- a/plugins/modules/ipahost.py +++ b/plugins/modules/ipahost.py 
@@ -147,9 +147,10 @@ options: Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. + Use empty string to reset auth_ind to the initial value. type: list aliases: ["krbprincipalauthind"] - choices: ["radius", "otp", "pkinit", "hardened"] + choices: ["radius", "otp", "pkinit", "hardened", ""] required: false requires_pre_auth: description: Pre-authentication is required for the service @@ -277,9 +278,10 @@ options: Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. + Use empty string to reset auth_ind to the initial value. type: list aliases: ["krbprincipalauthind"] - choices: ["radius", "otp", "pkinit", "hardened"] + choices: ["radius", "otp", "pkinit", "hardened", ""] required: false requires_pre_auth: description: Pre-authentication is required for the service @@ -590,7 +592,7 @@ def main(): default=None), auth_ind=dict(type='list', aliases=["krbprincipalauthind"], default=None, - choices=['password', 'radius', 'otp']), + choices=['radius', 'otp', 'pkinit', 'hardened', '']), requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"], default=None), ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"], @@ -835,6 +837,13 @@ def main(): if x in args: del args[x] + # Ignore auth_ind if it is empty (for resetting) + # and not set in for the host + if "krbprincipalauthind" not in res_find and \ + "krbprincipalauthind" in args and \ + args["krbprincipalauthind"] == ['']: + del args["krbprincipalauthind"] + # For all settings is args, check if there are # different settings in the find result. # If yes: modify From 36c1c837086c42049f09cf689a1ebd61627abae0 Mon Sep 17 00:00:00 2001 
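Review bot: The reset guard added in the `@@ -835` hunk evaluates `"krbprincipalauthind" not in res_find` first, which raises `TypeError` if `res_find` is `None`; the surrounding context ("check if there are different settings in the find result") suggests this sits in the modify branch where the host exists, but if it can be reached for a host that does not exist, a `res_find is not None` test has to come first. The same construct is added for `ipauserauthtype` in the ipauser `@@ -1011` hunk of the next patch and needs the same consideration. The new comment `and not set in for the host` reads as a typo; `and not currently set on the host` states what the condition tests. `main()` begins and ends outside the hunk.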
From: Thomas Woerner Date: Tue, 17 Dec 2019 15:30:45 +0100 Subject: [PATCH 11/40] ipauser: Allow reset of userauthtype, do not depend on first,last for mod It was not possible to reset the userauthtype. The empty string has been added to userauthtype for this. Also ipauser will only depend on given first and last name if the user does not exist yet. For the update operation these parameters are not needed anymore. --- README-user.md | 2 +- plugins/modules/ipauser.py | 38 ++++++++++++++++++++++++++------------ 2 files changed, 27 insertions(+), 13 deletions(-) diff --git a/README-user.md b/README-user.md index 56772a77..991121c6 100644 --- a/README-user.md +++ b/README-user.md @@ -408,7 +408,7 @@ Variable | Description | Required `manager` | List of manager user names. | no `carlicense` | List of car licenses. | no `sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no -`userauthtype` | List of supported user authentication types. Choices: `password`, `radius` and `otp` | no +`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no `userclass` | User category. (semantics placed on this attribute are for local interpretation). | no `radius` | RADIUS proxy configuration | no `radiususer` | RADIUS proxy username | no diff --git a/plugins/modules/ipauser.py b/plugins/modules/ipauser.py index ac452958..36e8bae8 100644 --- a/plugins/modules/ipauser.py +++ b/plugins/modules/ipauser.py @@ -153,9 +153,12 @@ options: required: false aliases: ["ipasshpubkey"] userauthtype: - description: List of supported user authentication types - choices=['password', 'radius', 'otp'] + description: + List of supported user authentication types + Use empty string to reset userauthtype to the initial value. + choices=['password', 'radius', 'otp', ''] required: false + aliases: ["ipauserauthtype"] userclass: description: - User category 
@@ -310,9 +313,12 @@ options: required: false aliases: ["ipasshpubkey"] userauthtype: - description: List of supported user authentication types - choices=['password', 'radius', 'otp'] + description: + List of supported user authentication types + Use empty string to reset userauthtype to the initial value. + choices=['password', 'radius', 'otp', ''] required: false + aliases: ["ipauserauthtype"] userclass: description: - User category @@ -701,7 +707,7 @@ def main(): default=None), userauthtype=dict(type='list', aliases=["ipauserauthtype"], default=None, - choices=['password', 'radius', 'otp']), + choices=['password', 'radius', 'otp', '']), userclass=dict(type="list", aliases=["class"], default=None), radius=dict(type="str", aliases=["ipatokenradiusconfiglink"], @@ -845,13 +851,6 @@ def main(): if names is not None and len(names) != 1: ansible_module.fail_json( msg="Only one user can be added at a time using name.") - if action != "member": - # Only check first and last here if names is set - if names is not None: - if first is None: - ansible_module.fail_json(msg="First name is needed") - if last is None: - ansible_module.fail_json(msg="Last name is needed") check_parameters( ansible_module, state, action, @@ -1011,6 +1010,13 @@ def main(): if "noprivate" in args: del args["noprivate"] + # Ignore userauthtype if it is empty (for resetting) + # and not set in for the user + if "ipauserauthtype" not in res_find and \ + "ipauserauthtype" in args and \ + args["ipauserauthtype"] == ['']: + del args["ipauserauthtype"] + # For all settings is args, check if there are # different settings in the find result. # If yes: modify 
@@ -1019,6 +1025,14 @@ def main(): commands.append([name, "user_mod", args]) else: + # Make sure we have a first and last name + if first is None: + ansible_module.fail_json( + msg="First name is needed") + if last is None: + ansible_module.fail_json( + msg="Last name is needed") + commands.append([name, "user_add", args]) # Handle members: principal, manager, certificate and From 24515e40ad289552d45bddd33c7a0dda93117a7f Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Wed, 18 Dec 2019 12:28:03 +0100 Subject: [PATCH 12/40] ipahost: Enhanced failure msg for member params used without member action The failure message if member parameters like certificate, managedby_host, principal, allow_create_keytab_* and allow_retrieve_keytab_* are used without member action for state absent has been enhanced to propose the member action. --- plugins/modules/ipahost.py | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py index ec5e1963..8ee95328 100644 --- a/plugins/modules/ipahost.py +++ b/plugins/modules/ipahost.py 
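Review bot: The first/last-name check now runs inside the command loop in the `user_add` branch, so it fires per user rather than once up front; since `name` is in scope here (`commands.append([name, "user_add", args])`), the messages should say which entry is incomplete, e.g. `msg="First name is needed for user '%s'" % name` and likewise for the last name. That matters most when a `users` list is supplied, if `first`/`last` are taken per item there — the hunk does not show where they are assigned. `main()` begins and ends outside the hunk.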
@@ -511,19 +511,25 @@ def check_parameters( "userclass", "auth_ind", "requires_pre_auth", "ok_as_delegate", "ok_to_auth_as_delegate", "force", "reverse", "ip_address", "update_password"] - if action == "host": - invalid.extend([ - "certificate", "managedby_host", "principal", - "allow_create_keytab_user", "allow_create_keytab_group", - "allow_create_keytab_host", "allow_create_keytab_hostgroup", - "allow_retrieve_keytab_user", "allow_retrieve_keytab_group", - "allow_retrieve_keytab_host", - "allow_retrieve_keytab_hostgroup"]) for x in invalid: if vars()[x] is not None: module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) + if action == "host": + invalid = [ + "certificate", "managedby_host", "principal", + "allow_create_keytab_user", "allow_create_keytab_group", + "allow_create_keytab_host", "allow_create_keytab_hostgroup", + "allow_retrieve_keytab_user", "allow_retrieve_keytab_group", + "allow_retrieve_keytab_host", + "allow_retrieve_keytab_hostgroup" + ] + for x in invalid: + if vars()[x] is not None: + module.fail_json( + msg="Argument '%s' can only be used with action " + "'member' for state '%s'" % (x, state)) def main(): From 28fef00803064b5d8250f5240ffa85a08e307ba1 Mon Sep 17 00:00:00 2001 From: Varun Mylaraiah Date: Mon, 23 Dec 2019 08:38:39 +0530 Subject: [PATCH 13/40] Update README-hbacsvcgroup.md --- README-hbacsvcgroup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-hbacsvcgroup.md b/README-hbacsvcgroup.md index e2a8260f..89dd0222 100644 --- a/README-hbacsvcgroup.md +++ b/README-hbacsvcgroup.md @@ -4,7 +4,7 @@ HBACsvcgroup module Description ----------- -The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAP Service Groups and members of the groups. +The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAC Service Groups and members of the groups. Features From 6b3cae53a5650b8bb1e797582e1e727a3ba94a33 Mon Sep 17 00:00:00 2001 
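Review bot: The second loop added for `action == "host"` repeats the first one verbatim apart from the message, and both rely on `vars()[x]` to fetch a parameter by its string name, so a misspelled entry in either list surfaces as a `KeyError` rather than the intended `fail_json`; a short comment above the lists noting that every entry must be a parameter name of `check_parameters` would at least make that contract visible. Rebinding `invalid` for the second list also shadows the first, which reads oddly; a distinct name such as `member_only = [...]` makes the two lists easier to tell apart. `check_parameters` begins outside the hunk.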
From: Varun Mylaraiah Date: Mon, 30 Dec 2019 15:21:29 +0530 Subject: [PATCH 14/40] Update README-sudorule.md --- README-sudorule.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README-sudorule.md b/README-sudorule.md index aca1b2d0..bb3498b1 100644 --- a/README-sudorule.md +++ b/README-sudorule.md @@ -106,6 +106,7 @@ Example playbook to make sure Sudo Rule is absent: - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 + state: absent ``` From 34f23e68b79ba0255d209509baf1fc46351c4d94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Mar=C3=ADn?= Date: Thu, 16 Jan 2020 16:03:40 +0100 Subject: [PATCH 15/40] Add missing validation in ipasudocmd This fixes the issue https://github.com/freeipa/ansible-freeipa/issues/185, where the python script was launching an exception There was a lack of verification that the input string (for the description) was a text string --- plugins/modules/ipasudocmd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/ipasudocmd.py b/plugins/modules/ipasudocmd.py index 8e25561e..7c6188b9 100644 --- a/plugins/modules/ipasudocmd.py +++ b/plugins/modules/ipasudocmd.py @@ -97,7 +97,7 @@ def find_sudocmd(module, name): def gen_args(description): _args = {} if description is not None: - _args["description"] = description + _args["description"] = to_text(description) return _args From 35f2f32b828d2a7a631b3cf74b75b9be71990b29 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Thu, 23 Jan 2020 12:38:58 +0100 Subject: [PATCH 16/40] ipareplica: Use ipaserver_realm as a fallback for realm Use ipaserver_realm as a fallback if ipareplica_realm is not defined. This had been done for ipareplica_domain and ipaserver_domain, but was missing for ipareplica_realm and ipaserver_realm. Related: #114 (ipareplica 'Env' object has no attribute 'realm') --- roles/ipareplica/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
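Review bot: `to_text` is not imported anywhere in the ipasudocmd patch — the diffstat shows one insertion and one deletion — so `gen_args` now depends on `to_text` already being among `ipasudocmd.py`'s imports (typically `from ansible.module_utils._text import to_text`); if it is not, every call raises `NameError` where the old code merely failed on non-text descriptions. Worth confirming against the file header, which is outside the hunk. A short comment on the converted line would make the intent visible to the next reader, e.g. `# IPA expects unicode text; coerce bytes/str on Python 2 (issue #185)`.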
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 98681e06..3345beba 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -57,7 +57,7 @@
 domain: "{{ ipareplica_domain | default(ipaserver_domain) | default(omit) }}"
 servers: "{{ ipareplica_servers | default(omit) }}"
- realm: "{{ ipareplica_realm | default(omit) }}"
+ realm: "{{ ipareplica_realm | default(ipaserver_realm) |default(omit) }}"
 hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"
 ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
 hidden_replica: "{{ ipareplica_hidden_replica }}"
From dc0a5585fb036fbeba2200564e26c478465afeec Mon Sep 17 00:00:00 2001
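Review bot: The new `realm:` value writes `| default(ipaserver_realm) |default(omit)` without a space before the second `default`, while the `domain:` line directly above spells the same chain `| default(ipaserver_domain) | default(omit)`; `realm: "{{ ipareplica_realm | default(ipaserver_realm) | default(omit) }}"` keeps the two lines consistent. Behaviour is unchanged either way, since Jinja ignores the whitespace. The enclosing task starts and ends outside the hunk.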
From: Rafael Guterres Jeffman Date: Tue, 31 Dec 2019 11:04:49 -0300 Subject: [PATCH 17/40] Add missing attributes to ipasudorule. This patch adds the following attributes to ipasudorule: - order - sudooption - runasuser - runasgroup It also fixes behavior of sudocmd assigned to the the sudorule, with the adittion of the attributes: - allow_sudocmds - deny_sudocmds - allow_sudocmdgroups - deny_sudocmdgroups README-sudorule and tests have been updated to comply with the changes. --- README-sudorule.md | 14 +- ...sure-sudorule-does-not-have-sudooption.yml | 14 + .../ensure-sudorule-has-sudooption.yml | 13 + .../ensure-sudorule-is-present-with-order.yml | 12 + .../sudorule/ensure-sudorule-is-present.yml | 2 + .../ensure-sudorule-runasuser-is-absent.yml | 14 + .../ensure-sudorule-runasuser-is-present.yml | 13 + .../ensure-sudorule-sudocmd-is-absent.yml | 7 +- .../ensure-sudorule-sudocmd-is-present.yml | 7 +- plugins/modules/ipasudorule.py | 347 +++++++++++++----- tests/sudorule/test_sudorule.yml | 204 +++++++--- 11 files changed, 501 insertions(+), 146 deletions(-) create mode 100644 playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml create mode 100644 playbooks/sudorule/ensure-sudorule-has-sudooption.yml create mode 100644 playbooks/sudorule/ensure-sudorule-is-present-with-order.yml create mode 100644 playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml create mode 100644 playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml diff --git a/README-sudorule.md b/README-sudorule.md index bb3498b1..50c73ade 100644 --- a/README-sudorule.md +++ b/README-sudorule.md @@ -68,7 +68,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule: - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig action: member ``` 
@@ -87,7 +87,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule: - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig action: member state: absent @@ -130,8 +130,14 @@ Variable | Description | Required `hostgroup` | List of host group name strings assigned to this sudorule. | no `user` | List of user name strings assigned to this sudorule. | no `group` | List of user group name strings assigned to this sudorule. | no -`cmd` | List of sudocmd name strings assigned to this sudorule. | no -`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no +`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no +`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no +`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no +`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no +`sudooption` \| `option` | List of options to the sudorule | no +`order` | Integer to order the sudorule | no +`runasuser` | List of users for Sudo to execute as. | no +`runasgroup` | List of groups for Sudo to execute as. | no `action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no diff --git a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml new file mode 100644 index 00000000..13070440 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml 
@@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudooption is absent in sudorule + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + sudooption: "!root" + action: member + state: absent diff --git a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml new file mode 100644 index 00000000..1f32b9a5 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudooption is present in sudorule + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + sudooption: "!root" + action: member diff --git a/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml new file mode 100644 index 00000000..9a3c2b21 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml @@ -0,0 +1,12 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + order: 2 diff --git a/playbooks/sudorule/ensure-sudorule-is-present.yml b/playbooks/sudorule/ensure-sudorule-is-present.yml index 5b8f32bc..89041afb 100644 --- a/playbooks/sudorule/ensure-sudorule-is-present.yml +++ b/playbooks/sudorule/ensure-sudorule-is-present.yml @@ -9,4 +9,6 @@ ipaadmin_password: MyPassword123 name: testrule1 description: A test sudo rule. + allow_sudocmd: /bin/ls + deny_sudocmd: /bin/vim state: present diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml new file mode 100644 index 00000000..56612f15 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml 
@@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + runasuser: admin + action: member + state: absent diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml new file mode 100644 index 00000000..8af49b93 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + runasuser: admin + action: member diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml index 942d0b53..328242ab 100644 --- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml +++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml @@ -8,8 +8,13 @@ - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + deny_sudocmd: - /usr/bin/vim + allow_sudocmdgroup: + - devops + deny_sudocmdgroup: + - users action: member state: absent diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml index 61fcbb0d..55acd61f 100644 --- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml +++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml @@ -8,7 +8,12 @@ - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + deny_sudocmd: - /usr/bin/vim + allow_sudocmdgroup: + - devops + deny_sudocmdgroup: + - users action: member diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py index c21f247a..285a9469 100644 
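Review bot: The task comment in the new ensure-sudorule-runasuser-is-absent.yml hunk reads `# Ensure sudorule is present with the given order.`, copied from the order playbook, and the same wrong comment is repeated in the ensure-sudorule-runasuser-is-present.yml hunk on this line. They should read `# Ensure runasuser is absent in sudorule` and `# Ensure runasuser is present in sudorule`, matching the wording of the sudooption playbooks earlier in the patch. Since these files are the documented examples for the option, a misleading comment is what users will copy.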
--- a/plugins/modules/ipasudorule.py +++ b/plugins/modules/ipasudorule.py @@ -79,18 +79,43 @@ options: description: Host category the sudo rule applies to. required: false choices: ["all"] - cmd: - description: List of sudocmds assigned to this sudorule. + allow_sudocmd: + description: List of allowed sudocmds assigned to this sudorule. required: false type: list - cmdgroup: - description: List of sudocmd groups assigned to this sudorule. + allow_sudocmdgroup: + description: List of allowed sudocmd groups assigned to this sudorule. + required: false + type: list + deny_sudocmd: + description: List of denied sudocmds assigned to this sudorule. + required: false + type: list + deny_sudocmdgroup: + description: List of denied sudocmd groups assigned to this sudorule. required: false type: list cmdcategory: - description: Cammand category the sudo rule applies to + description: Command category the sudo rule applies to required: false choices: ["all"] + order: + description: Order to apply this rule. + required: false + type: int + sudooption: + description: + required: false + type: list + aliases: ["options"] + runasuser: + description: List of users for Sudo to execute as. + required: false + type: list + runasgroup: + description: List of groups for Sudo to execute as. + required: false + type: list action: description: Work on sudorule or member level default: sudorule @@ -111,13 +136,13 @@ EXAMPLES = """ # Ensure sudocmd is present in Sudo Rule - ipasudorule: - ipaadmin_password: pass1234 - name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim - action: member - state: absent + ipaadmin_password: pass1234 + name: testrule1 + allow_sudocmd: + - /sbin/ifconfig + - /usr/bin/vim + action: member + state: absent # Ensure host server is present in Sudo Rule - ipasudorule: 
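Review bot: The new `sudooption` option in the DOCUMENTATION hunk has an empty `description:` line, which leaves the option undocumented (and an empty YAML value parses as null rather than a string). Proposed text: `description: List of sudo options (ipasudoopt values) to apply to this sudorule.` The alias is declared as `options` here and in the argument spec, while the README table in this patch lists `sudooption` \| `option`; one of the two should be corrected so the documented alias actually works. In the EXAMPLES hunk the re-indented example is still titled `# Ensure sudocmd is present in Sudo Rule` but sets `state: absent`; `# Ensure sudocmds are absent from Sudo Rule` would match the body.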
@@ -160,7 +185,7 @@ RETURN = """ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ - module_params_get + module_params_get, gen_add_del_lists def find_sudorule(module, name): @@ -180,14 +205,26 @@ def find_sudorule(module, name): return None -def gen_args(ansible_module): - arglist = ['description', 'usercategory', 'hostcategory', 'cmdcategory', - 'runasusercategory', 'runasgroupcategory', 'nomembers'] +def gen_args(description, usercat, hostcat, cmdcat, runasusercat, + runasgroupcat, order, nomembers): _args = {} - for arg in arglist: - value = module_params_get(ansible_module, arg) - if value is not None: - _args[arg] = value + + if description is not None: + _args['description'] = description + if usercat is not None: + _args['usercategory'] = usercat + if hostcat is not None: + _args['hostcategory'] = hostcat + if cmdcat is not None: + _args['cmdcategory'] = cmdcat + if runasusercat is not None: + _args['ipasudorunasusercategory'] = runasusercat + if runasgroupcat is not None: + _args['ipasudorunasgroupcategory'] = runasgroupcat + if order is not None: + _args['sudoorder'] = order + if nomembers is not None: + _args['nomembers'] = nomembers return _args 
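Review bot: The rewritten `gen_args` takes eight positional parameters and has no docstring, so the call site (which passes them positionally in the later `# Generate args` hunk) can be misordered without any error, since every argument is an optional scalar or None. A docstring along the lines of "Build the sudorule add/mod argument dict from the module parameters, skipping unset values; runasusercat/runasgroupcat are mapped to the ipasudorunasusercategory/ipasudorunasgroupcategory IPA attributes and order to sudoorder" would make the renaming explicit. Consider also calling it with keyword arguments, e.g. `args = gen_args(description=description, usercat=usercategory, hostcat=hostcategory, ...)`, so a swapped pair cannot go unnoticed.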
@@ -212,13 +249,21 @@ def main(): hostgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), - cmd=dict(required=False, type="list", default=None), + allow_sudocmd=dict(required=False, type="list", default=None), + deny_sudocmd=dict(required=False, type="list", default=None), + allow_sudocmdgroup=dict(required=False, type="list", default=None), + deny_sudocmdgroup=dict(required=False, type="list", default=None), cmdcategory=dict(required=False, type="str", default=None, choices=["all"]), runasusercategory=dict(required=False, type="str", default=None, choices=["all"]), runasgroupcategory=dict(required=False, type="str", default=None, choices=["all"]), + runasuser=dict(required=False, type="list", default=None), + runasgroup=dict(required=False, type="list", default=None), + order=dict(type="int", required=False, aliases=['sudoorder']), + sudooption=dict(required=False, type='list', default=None, + aliases=["options"]), action=dict(type="str", default="sudorule", choices=["member", "sudorule"]), # state 
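Review bot: `order=dict(type="int", required=False, aliases=['sudoorder'])` is the only new argument-spec entry without `default=None`, and the hunk mixes `'list'` with `"list"` quoting; for consistency with the sibling entries write `order=dict(type="int", required=False, default=None, aliases=["sudoorder"])` and `sudooption=dict(required=False, type="list", default=None, aliases=["options"])`. Behaviour is unchanged because Ansible already defaults unset options to None, so this is a style point only.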
@@ -256,8 +301,16 @@ def main(): hostgroup = module_params_get(ansible_module, "hostgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") - cmd = module_params_get(ansible_module, 'cmd') - cmdgroup = module_params_get(ansible_module, 'cmdgroup') + allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd') + allow_sudocmdgroup = module_params_get(ansible_module, + 'allow_sudocmdgroup') + deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd') + deny_sudocmdgroup = module_params_get(ansible_module, + 'deny_sudocmdgroup') + sudooption = module_params_get(ansible_module, "sudooption") + order = module_params_get(ansible_module, "order") + runasuser = module_params_get(ansible_module, "runasuser") + runasgroup = module_params_get(ansible_module, "runasgroup") action = module_params_get(ansible_module, "action") # state 
@@ -272,28 +325,30 @@ def main(): if action == "member": invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", - "runasgroupcategory", "nomembers"] + "runasgroupcategory", "order", "nomembers"] - for x in invalid: - if x in vars() and vars()[x] is not None: + for arg in invalid: + if arg in vars() and vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " - "'%s'" % (x, action)) + "'%s'" % (arg, action)) elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", - "runasgroupcategory", "nomembers"] + "runasgroupcategory", "nomembers", "order"] if action == "sudorule": invalid.extend(["host", "hostgroup", "user", "group", - "cmd", "cmdgroup"]) - for x in invalid: - if vars()[x] is not None: + "runasuser", "runasgroup", "allow_sudocmd", + "allow_sudocmdgroup", "deny_sudocmd", + "deny_sudocmdgroup", "sudooption"]) + for arg in invalid: + if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % - (x, state)) + (arg, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: @@ -305,12 +360,14 @@ def main(): invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "nomembers", "host", "hostgroup", - "user", "group", "cmd", "cmdgroup"] - for x in invalid: - if vars()[x] is not None: + "user", "group", "allow_sudocmd", "allow_sudocmdgroup", + "deny_sudocmd", "deny_sudocmdgroup", "runasuser", + "runasgroup", "order", "sudooption"] + for arg in invalid: + if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % - (x, state)) + (arg, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) 
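Review bot: The three `invalid` loops in these hunks are still inconsistent: the action-member loop guards with `if arg in vars() and vars()[arg] is not None`, while the state-absent and enabled/disabled loops index `vars()[arg]` directly, so a name added to one of those lists without a matching local would raise KeyError instead of a clean fail_json. Either use the guarded form in all three places or, better, replace the `vars()` introspection with an explicit dict of the member parameters and look the names up there. The enabled/disabled list also still carries `"nomembers", "nomembers"` twice (a context line); dropping the duplicate is a harmless cleanup.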
@@ -335,7 +392,9 @@ def main(): # Create command if state == "present": # Generate args - args = gen_args(ansible_module) + args = gen_args(description, usercategory, hostcategory, + cmdcategory, runasusercategory, + runasgroupcategory, order, nomembers) if action == "sudorule": # Found the sudorule if res_find is not None: 
@@ -351,44 +410,42 @@ def main(): res_find = {} # Generate addition and removal lists - host_add = list( - set(host or []) - - set(res_find.get("member_host", []))) - host_del = list( - set(res_find.get("member_host", [])) - - set(host or [])) - hostgroup_add = list( - set(hostgroup or []) - - set(res_find.get("member_hostgroup", []))) - hostgroup_del = list( - set(res_find.get("member_hostgroup", [])) - - set(hostgroup or [])) + host_add, host_del = gen_add_del_lists( + host, res_find.get('member_host', [])) - user_add = list( - set(user or []) - - set(res_find.get("member_user", []))) - user_del = list( - set(res_find.get("member_user", [])) - - set(user or [])) - group_add = list( - set(group or []) - - set(res_find.get("member_group", []))) - group_del = list( - set(res_find.get("member_group", [])) - - set(group or [])) + hostgroup_add, hostgroup_del = gen_add_del_lists( + hostgroup, res_find.get('member_hostgroup', [])) - cmd_add = list( - set(cmd or []) - - set(res_find.get("member_cmd", []))) - cmd_del = list( - set(res_find.get("member_cmd", [])) - - set(cmd or [])) - cmdgroup_add = list( - set(cmdgroup or []) - - set(res_find.get("member_cmdgroup", []))) - cmdgroup_del = list( - set(res_find.get("member_cmdgroup", [])) - - set(cmdgroup or [])) + user_add, user_del = gen_add_del_lists( + user, res_find.get('member_user', [])) + + group_add, group_del = gen_add_del_lists( + group, res_find.get('member_group', [])) + + allow_cmd_add, allow_cmd_del = gen_add_del_lists( + allow_sudocmd, + res_find.get('memberallowcmd_sudocmd', [])) + + allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists( + allow_sudocmdgroup, + res_find.get('memberallowcmd_sudocmdgroup', [])) + + deny_cmd_add, deny_cmd_del = gen_add_del_lists( + deny_sudocmd, + res_find.get('memberdenycmd_sudocmd', [])) + + deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists( + deny_sudocmdgroup, + res_find.get('memberdenycmd_sudocmdgroup', [])) + + sudooption_add, sudooption_del = 
gen_add_del_lists( + sudooption, res_find.get('ipasudoopt', [])) + + runasuser_add, runasuser_del = gen_add_del_lists( + runasuser, res_find.get('ipasudorunas_user', [])) + + runasgroup_add, runasgroup_del = gen_add_del_lists( + runasgroup, res_find.get('ipasudorunas_group', [])) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: 
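Review bot: The new `gen_add_del_lists` calls read existing members from `member_host`, `member_hostgroup`, `member_user` and `member_group`, while the ipahbacrule fix later in this series (patch 19) switches exactly these keys to `memberhost_host`, `memberhost_hostgroup`, `memberuser_user` and `memberuser_group` because the `member_*` form is not what the rule result contains; the sudorule plugin very likely reports its members under the same `memberhost`/`memberuser` prefixes, so please verify against a real sudorule_show result. If the keys are wrong, every `*_del` list stays empty and every `*_add` list contains all listed members, so hosts and users are never removed with `action: sudorule` and each run reports changed (the "already a member" errors are ignored further down). The same check applies to `ipasudorunas_group` for runasgroup members: IPA keeps RunAs groups under a separate `ipasudorunasgroup` attribute, so `res_find.get('ipasudorunasgroup_group', [])` is probably the intended key, whereas `ipasudorunas_group` would hold user groups assigned as RunAs users. The `memberallowcmd_*`/`memberdenycmd_*` and `ipasudoopt` keys look consistent with the commands used below.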
@@ -420,20 +477,59 @@ def main(): "group": group_del, }]) - # Add commands - if len(cmd_add) > 0 or len(cmdgroup_add) > 0: + # Add commands allowed + if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0: commands.append([name, "sudorule_add_allow_command", - { - "sudocmd": cmd_add, - "sudocmdgroup": cmdgroup_add, - }]) + {"sudocmd": allow_cmd_add, + "sudocmdgroup": allow_cmdgroup_add, + }]) - if len(cmd_del) > 0 or len(cmdgroup_del) > 0: + if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0: + commands.append([name, "sudorule_remove_allow_command", + {"sudocmd": allow_cmd_del, + "sudocmdgroup": allow_cmdgroup_del + }]) + + # Add commands denied + if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0: commands.append([name, "sudorule_add_deny_command", - { - "sudocmd": cmd_del, - "sudocmdgroup": cmdgroup_del - }]) + {"sudocmd": deny_cmd_add, + "sudocmdgroup": deny_cmdgroup_add, + }]) + + if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0: + commands.append([name, "sudorule_remove_deny_command", + {"sudocmd": deny_cmd_del, + "sudocmdgroup": deny_cmdgroup_del + }]) + + # Add RunAS Users + if len(runasuser_add) > 0: + commands.append([name, "sudorule_add_runasuser", + {"user": runasuser_add}]) + # Remove RunAS Users + if len(runasuser_del) > 0: + commands.append([name, "sudorule_remove_runasuser", + {"user": runasuser_del}]) + + # Add RunAS Groups + if len(runasgroup_add) > 0: + commands.append([name, "sudorule_add_runasgroup", + {"group": runasgroup_add}]) + # Remove RunAS Groups + if len(runasgroup_del) > 0: + commands.append([name, "sudorule_remove_runasgroup", + {"group": runasgroup_del}]) + + # Add sudo options + for sudoopt in sudooption_add: + commands.append([name, "sudorule_add_option", + {"ipasudoopt": sudoopt}]) + + # Remove sudo options + for sudoopt in sudooption_del: + commands.append([name, "sudorule_remove_option", + {"ipasudoopt": sudoopt}]) elif action == "member": if res_find is None: 
@@ -456,11 +552,38 @@ def main(): }]) # Add commands - if cmd is not None: + if allow_sudocmd is not None \ + or allow_sudocmdgroup is not None: commands.append([name, "sudorule_add_allow_command", - { - "sudocmd": cmd, - }]) + {"sudocmd": allow_sudocmd, + "sudocmdgroup": allow_sudocmdgroup, + }]) + + # Add commands + if deny_sudocmd is not None \ + or deny_sudocmdgroup is not None: + commands.append([name, "sudorule_add_deny_command", + {"sudocmd": deny_sudocmd, + "sudocmdgroup": deny_sudocmdgroup, + }]) + + # Add RunAS Users + if runasuser is not None: + commands.append([name, "sudorule_add_runasuser", + {"user": runasuser}]) + + # Add RunAS Groups + if runasgroup is not None: + commands.append([name, "sudorule_add_runasgroup", + {"group": runasgroup}]) + + # Add options + if sudooption is not None: + existing_opts = res_find.get('ipasudoopt', []) + for sudoopt in sudooption: + if sudoopt not in existing_opts: + commands.append([name, "sudorule_add_option", + {"ipasudoopt": sudoopt}]) elif state == "absent": if action == "sudorule": 
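Review bot: The second `# Add commands` comment in this hunk sits above the `sudorule_add_deny_command` call and is a copy of the one above the allow block; `# Add allow commands` and `# Add deny commands` would tell the reader which member set each call touches. Only the `sudooption` block filters against the existing state before issuing commands, while the allow/deny/runas calls rely on "already a member" results being ignored later; a one-line comment on the options loop explaining why it is treated differently (for example `# sudorule_add_option does not report 'already a member' for duplicates`, if that is the reason) would keep the next maintainer from "simplifying" it into the unfiltered form.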
@@ -487,12 +610,40 @@ def main(): "group": group, }]) - # Remove commands - if cmd is not None: - commands.append([name, "sudorule_add_deny_command", - { - "sudocmd": cmd, - }]) + # Remove allow commands + if allow_sudocmd is not None \ + or allow_sudocmdgroup is not None: + commands.append([name, "sudorule_remove_allow_command", + {"sudocmd": allow_sudocmd, + "sudocmdgroup": allow_sudocmdgroup + }]) + + # Remove deny commands + if deny_sudocmd is not None \ + or deny_sudocmdgroup is not None: + commands.append([name, "sudorule_remove_deny_command", + {"sudocmd": deny_sudocmd, + "sudocmdgroup": deny_sudocmdgroup + }]) + + # Remove RunAS Users + if runasuser is not None: + commands.append([name, "sudorule_remove_runasuser", + {"user": runasuser}]) + + # Remove RunAS Groups + if runasgroup is not None: + commands.append([name, "sudorule_remove_runasgroup", + {"group": runasgroup}]) + + # Remove options + if sudooption is not None: + existing_opts = res_find.get('ipasudoopt', []) + for sudoopt in sudooption: + if sudoopt in existing_opts: + commands.append([name, + "sudorule_remove_option", + {"ipasudoopt": sudoopt}]) elif state == "enabled": if res_find is None: @@ -530,9 +681,9 @@ def main(): changed = True else: changed = True - except Exception as e: + except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, - str(e))) + str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. @@ -549,8 +700,8 @@ def main(): if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) - except Exception as e: - ansible_module.fail_json(msg=str(e)) + except Exception as ex: + ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml index 88ed90ab..25090bb1 100644 --- a/tests/sudorule/test_sudorule.yml +++ b/tests/sudorule/test_sudorule.yml 
@@ -16,15 +16,22 @@ - name: Ensure some sudocmds are available ipasudocmd: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: - /sbin/ifconfig - /usr/bin/vim state: present + - name: Ensure sudocmdgroup is available + ipasudocmdgroup: + ipaadmin_password: MyPassword123 + name: test_sudorule + sudocmd: /usr/bin/vim + state: present + - name: Ensure sudorules are absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: - testrule1 - allusers @@ -34,21 +41,21 @@ - name: Ensure sudorule is present ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 register: result failed_when: not result.changed - name: Ensure sudorule is present again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 register: result failed_when: result.changed - name: Ensure sudorule is present, runAsUserCategory. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 runAsUserCategory: all register: result @@ -56,7 +63,7 @@ - name: Ensure sudorule is present, with usercategory 'all' ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allusers usercategory: all register: result @@ -64,7 +71,7 @@ - name: Ensure sudorule is present, with usercategory 'all', again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allusers usercategory: all register: result @@ -72,7 +79,7 @@ - name: Ensure sudorule is present, with hostategory 'all' ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allhosts hostcategory: all register: result @@ -80,7 +87,7 @@ - name: Ensure sudorule is present, with hostategory 'all', again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allhosts hostcategory: all register: result 
@@ -88,13 +95,13 @@ - name: Ensure sudorule is disabled ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: disabled - name: Ensure sudorule is disabled, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: disabled register: result @@ -102,7 +109,7 @@ - name: Ensure sudorule is enabled ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: enabled register: result 
@@ -110,37 +117,77 @@ - name: Ensure sudorule is enabled, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: enabled register: result failed_when: result.changed - - name: Ensure sudorule is present and some sudocmd are a member of it. + - name: Ensure sudorule is present and some sudocmd are allowed. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + action: member + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present and some sudocmd are allowed, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmd: + - /sbin/ifconfig + action: member + register: result + failed_when: result.changed + + - name: Ensure sudorule is present and some sudocmd are denyed. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmd: - /usr/bin/vim action: member register: result failed_when: not result.changed - - name: Ensure sudorule is present and some sudocmd are a member of it, again. + - name: Ensure sudorule is present and some sudocmd are denyed, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 - cmd: - - /sbin/ifconfig + deny_sudocmd: - /usr/bin/vim action: member register: result failed_when: result.changed + - name: Ensure sudorule is present and, sudocmds are absent. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmd: /sbin/ifconfig + deny_sudocmd: /usr/bin/vim + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present and, sudocmds are absent, again. 
+ ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmd: /sbin/ifconfig + deny_sudocmd: /usr/bin/vim + action: member + state: absent + register: result + failed_when: result.changed + - name: Ensure sudorule is present with cmdcategory 'all'. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allcommands cmdcategory: all register: result @@ -148,7 +195,7 @@ - name: Ensure sudorule is present with cmdcategory 'all', again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allcommands cmdcategory: all register: result @@ -156,7 +203,7 @@ - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 host: "{{ groups.ipaserver[0] }}" action: member @@ -165,7 +212,7 @@ - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 host: "{{ groups.ipaserver[0] }}" action: member 
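Review bot: Several new task names in this hunk carry typos or copy errors: `some sudocmd are denyed` (twice) should be `denied`, and `Ensure sudorule is present and, sudocmds are absent` reads better as `Ensure sudorule is present and sudocmds are absent`. Task names are what appears in the test output, so they should be accurate. The new tasks otherwise pair each change with an `again` idempotence check, which is the right pattern for this test file.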
@@ -190,25 +237,77 @@ register: result failed_when: result.changed - - name: Ensure sudorule sudocmds are absent + - name: Ensure sudorule is present, with an allow_sudocmdgroup. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim + allow_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, with an allow_sudocmdgroup, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, but allow_sudocmdgroup is absent. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmdgroup: test_sudorule action: member state: absent register: result failed_when: not result.changed - - name: Ensure sudorule sudocmds are absent, again + - name: Ensure sudorule is present, but allow_sudocmdgroup is absent. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim + allow_sudocmdgroup: test_sudorule + action: member + state: absent + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, with an deny_sudocmdgroup. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, with an deny_sudocmdgroup, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, but deny_sudocmdgroup is absent. 
+ ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmdgroup: test_sudorule + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmdgroup: test_sudorule action: member state: absent register: result @@ -216,7 +315,7 @@ - name: Ensure sudorule is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: absent register: result @@ -224,7 +323,7 @@ - name: Ensure sudorule is absent, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: absent register: result @@ -232,7 +331,7 @@ - name: Ensure sudorule allhosts is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allhosts state: absent register: result @@ -240,7 +339,7 @@ - name: Ensure sudorule allhosts is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allhosts state: absent register: result @@ -248,7 +347,7 @@ - name: Ensure sudorule allusers is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allusers state: absent register: result @@ -256,7 +355,7 @@ - name: Ensure sudorule allusers is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allusers state: absent register: result @@ -264,7 +363,7 @@ - name: Ensure sudorule allcommands is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allcommands state: absent register: result 
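Review bot: The `again` task for the allow_sudocmdgroup removal is named identically to the task before it (`Ensure sudorule is present, but allow_sudocmdgroup is absent.`) while its deny counterpart correctly appends `, again.`; also `with an deny_sudocmdgroup` should be `with a deny_sudocmdgroup`. The `present` tasks for allow_sudocmdgroup and deny_sudocmdgroup use `state: present` without `action: member`, so under the new add/del-list logic they run with whole-rule semantics and would remove any host member added by the earlier host tasks as a side effect; if that is intended, a short comment saying so would help, otherwise add `action: member` as the neighbouring sudocmd tasks do.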
@@ -272,8 +371,29 @@ - name: Ensure sudorule allcommands is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allcommands state: absent register: result failed_when: result.changed + + # cleanup + - name : Ensure sudocmdgroup is absent + ipasudocmdgroup: + ipaadmin_password: MyPassword123 + name: test_sudorule + state: absent + + - name: Ensure hostgroup is absent. + ipahostgroup: + ipaadmin_password: MyPassword123 + name: cluster + state: absent + + - name: Ensure sudocmds are absent + ipasudocmd: + ipaadmin_password: MyPassword123 + name: + - /sbin/ifconfig + - /usr/bin/vim + state: absent From 4dd1d25eacd1481be0a881a017144ff4d3396ccd Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Thu, 6 Feb 2020 15:38:00 +0100 Subject: [PATCH 18/40] ipapwpolicy: Use global_policy if name is not set If the name is not set, the policy global_policy is now used. It was needed before to explicitly name the global_policy. Also a check has been added to fail early if global_policy is used with state absent. The README for pwpolicy has been extended with an example for global_policy and also the description of the name variable. The test has also been extended to check a change of maxlife for global_policy and that global_policy can not be used with state: absent Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1797532 --- README-pwpolicy.md | 19 +++++++++++-- plugins/modules/ipapwpolicy.py | 9 ++++-- tests/pwpolicy/test_pwpolicy.yml | 49 ++++++++++++++++++++++++++++++++ 3 files changed, 73 insertions(+), 4 deletions(-) diff --git a/README-pwpolicy.md b/README-pwpolicy.md index 16306b74..847b32d3 100644 --- a/README-pwpolicy.md +++ b/README-pwpolicy.md @@ -56,7 +56,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops: maxfail: 3 ``` -Example playbook to ensure absence of pwpolicies for group ops +Example playbook to ensure absence of pwpolicies for group ops: ```yaml --- 
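Review bot: `- name : Ensure sudocmdgroup is absent` in the cleanup block has a space before the colon, which yamllint's colons rule flags and which no other task in the file does; write `- name: Ensure sudocmdgroup is absent`. The cleanup also removes hostgroup `cluster`, whose creation is not visible in this hunk; if it is created earlier in the file that is fine, otherwise the task is dead. Removing the shared `/sbin/ifconfig` and `/usr/bin/vim` sudocmds at the end matches the setup task at the top of the file that creates them.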
@@ -72,6 +72,21 @@ Example playbook to ensure absence of pwpolicies for group ops state: absent ``` +Example playbook to ensure maxlife is set to 49 in global policy: + +```yaml +--- +- name: Playbook to handle pwpolicies + hosts: ipaserver + become: true + + tasks: + # Ensure absence of pwpolicies for group ops + - ipapwpolicy: + ipaadmin_password: MyPassword123 + maxlife: 49 +``` + Variables ========= @@ -83,7 +98,7 @@ Variable | Description | Required -------- | ----------- | -------- `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no -`name` \| `cn` | The list of pwpolicy name strings. | no +`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no `history` \| `krbpwdhistorylength` | Password history size. (int) | no diff --git a/plugins/modules/ipapwpolicy.py b/plugins/modules/ipapwpolicy.py index 9437b595..f1687039 100644 --- a/plugins/modules/ipapwpolicy.py +++ b/plugins/modules/ipapwpolicy.py @@ -167,7 +167,7 @@ def main(): ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, - required=True), + required=False), # present maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None), @@ -218,6 +218,9 @@ def main(): # Check parameters + if names is None: + names = ["global_policy"] + if state == "present": if len(names) != 1: ansible_module.fail_json( 
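Review bot: Defaulting `names` to `["global_policy"]` when no name is given means a playbook that merely forgets `name:` now silently edits the realm-wide password policy instead of failing; the patch documents this in the README, but no hunk here updates the `name` option's description in the module's DOCUMENTATION block, so `ansible-doc` will still present it without that caveat (unless it is changed elsewhere). Propose `description: List of pwpolicy names. If no name is given, global_policy is used.` for that option. A short comment above the new default, `# No name given: operate on the global password policy`, would also make the intent visible at the code site.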
@@ -225,8 +228,10 @@ def main(): if state == "absent": if len(names) < 1: + ansible_module.fail_json(msg="No name given.") + if "global_policy" in names: ansible_module.fail_json( - msg="No name given.") + msg="'global_policy' can not be made absent.") invalid = ["maxlife", "minlife", "history", "minclasses", "minlength", "priority", "maxfail", "failinterval", "lockouttime"] diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml index 5c69345c..f93f2756 100644 --- a/tests/pwpolicy/test_pwpolicy.yml +++ b/tests/pwpolicy/test_pwpolicy.yml @@ -5,10 +5,30 @@ gather_facts: false tasks: + - name: Ensure maxlife of 90 for global_policy + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + maxlife: 90 + + - name: Ensure absence of group ops + ipagroup: + ipaadmin_password: SomeADMINpassword + name: ops + state: absent + + - name: Ensure absence of pwpolicies for group ops + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + name: ops + state: absent + - name: Ensure presence of group ops ipagroup: ipaadmin_password: SomeADMINpassword name: ops + state: present + register: result + failed_when: not result.changed - name: Ensure presence of pwpolicies for group ops ipapwpolicy: @@ -42,6 +62,28 @@ register: result failed_when: result.changed + - name: Ensure maxlife of 49 for global_policy + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + maxlife: 49 + register: result + failed_when: not result.changed + + - name: Ensure maxlife of 49 for global_policy again + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + maxlife: 49 + register: result + failed_when: result.changed + + - name: Ensure absence of pwpoliciy global_policy will fail + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + state: absent + register: result + ignore_errors: True + failed_when: result is defined and result + - name: Ensure absence of pwpolicies for group ops ipapwpolicy: ipaadmin_password: SomeADMINpassword 
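Review bot: The `Ensure absence of pwpoliciy global_policy will fail` task does not verify the new check: with `ignore_errors: True` any outcome is ignored, and `failed_when: result is defined and result` is true for every registered result (a non-empty dict), so the task is marked failed-and-ignored whether or not the module rejected global_policy. The usual pattern is to drop `ignore_errors` and assert the failure, e.g. `failed_when: not result.failed or "can not be made absent" not in result.msg`. Also `pwpoliciy` in the task name should be `pwpolicy`, and `True` should be lowercase `true` to match the file's boolean style.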
@@ -50,6 +92,13 @@ register: result failed_when: not result.changed + - name: Ensure maxlife of 90 for global_policy + ipapwpolicy: + ipaadmin_password: MyPassword123 + maxlife: 90 + register: result + failed_when: not result.changed + - name: Ensure absence of pwpolicies for group ops ipapwpolicy: ipaadmin_password: SomeADMINpassword From 3865ce657e3ea1b621aa054c792201aedfde2d11 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Fri, 7 Feb 2020 10:11:38 +0100 Subject: [PATCH 19/40] ipahbacrule: Fix handing of members with action hbacrule Changing members (host, hostgroup, hbacsvc, hbacsvcgroup, user, group) with action hbacrule was not working due to the use of the wrong parameter prefix. This has been fixed and the old members are removed correctly now. The test script has been reworked completely to verify the fix. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1787996 --- plugins/modules/ipahbacrule.py | 24 +- tests/hbacrule/test_hbacrule.yml | 735 +++++++++++++++++++++---------- 2 files changed, 525 insertions(+), 234 deletions(-) diff --git a/plugins/modules/ipahbacrule.py b/plugins/modules/ipahbacrule.py index 385876b3..82340c25 100644 --- a/plugins/modules/ipahbacrule.py +++ b/plugins/modules/ipahbacrule.py 
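Review bot: The added `Ensure maxlife of 90 for global_policy` task uses `ipaadmin_password: MyPassword123` while every other task in test_pwpolicy.yml uses `SomeADMINpassword`, so against a server provisioned with the latter this restore step fails and the global maxlife is left at the value set earlier in the play. Use `ipaadmin_password: SomeADMINpassword` here. Since this task restores what the first task of the play set up, a `# restore the global_policy maxlife set at the start of the play` comment would make the dependency between the two tasks explicit.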
@@ -344,41 +344,41 @@ def main(): # Generate addition and removal lists host_add = list( set(host or []) - - set(res_find.get("member_host", []))) + set(res_find.get("memberhost_host", []))) host_del = list( - set(res_find.get("member_host", [])) - + set(res_find.get("memberhost_host", [])) - set(host or [])) hostgroup_add = list( set(hostgroup or []) - - set(res_find.get("member_hostgroup", []))) + set(res_find.get("memberhost_hostgroup", []))) hostgroup_del = list( - set(res_find.get("member_hostgroup", [])) - + set(res_find.get("memberhost_hostgroup", [])) - set(hostgroup or [])) hbacsvc_add = list( set(hbacsvc or []) - - set(res_find.get("member_hbacsvc", []))) + set(res_find.get("memberservice_hbacsvc", []))) hbacsvc_del = list( - set(res_find.get("member_hbacsvc", [])) - + set(res_find.get("memberservice_hbacsvc", [])) - set(hbacsvc or [])) hbacsvcgroup_add = list( set(hbacsvcgroup or []) - - set(res_find.get("member_hbacsvcgroup", []))) + set(res_find.get("memberservice_hbacsvcgroup", []))) hbacsvcgroup_del = list( - set(res_find.get("member_hbacsvcgroup", [])) - + set(res_find.get("memberservice_hbacsvcgroup", [])) - set(hbacsvcgroup or [])) user_add = list( set(user or []) - - set(res_find.get("member_user", []))) + set(res_find.get("memberuser_user", []))) user_del = list( - set(res_find.get("member_user", [])) - + set(res_find.get("memberuser_user", [])) - set(user or [])) group_add = list( set(group or []) - - set(res_find.get("member_group", []))) + set(res_find.get("memberuser_group", []))) group_del = list( - set(res_find.get("member_group", [])) - + set(res_find.get("memberuser_group", [])) - set(group or [])) # Add hosts and hostgroups diff --git a/tests/hbacrule/test_hbacrule.yml b/tests/hbacrule/test_hbacrule.yml index a5615cce..38858d39 100644 --- a/tests/hbacrule/test_hbacrule.yml +++ b/tests/hbacrule/test_hbacrule.yml 
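Review bot: The six add/del blocks repeat the same three-line pattern, varying only in the parameter and the IPA result key, and the bug being fixed is exactly a mistyped key that `res_find.get(key, [])` silently turned into an empty list, so every `*_del` list was empty and members no longer wanted in the rule were never removed — an access grant that was meant to be revoked stayed in place. Moving the pattern into one small helper keeps the key next to the parameter it belongs to and makes a future mismatch visible in a single line rather than twelve; a comment naming the `memberhost_*`/`memberuser_*`/`memberservice_*` families would also help the next reader. Whether the member-action code path uses the same keys is not visible in this hunk. main() starts and ends outside the hunk.

```python
    # IPA reports rule members under memberhost_*, memberuser_* and
    # memberservice_* keys; a mistyped key makes .get() return [] and the
    # removal list silently empty, so keep each key next to its parameter.
    def _member_diff(wanted, key):
        current = set(res_find.get(key, []))
        wanted = set(wanted or [])
        return list(wanted - current), list(current - wanted)

    host_add, host_del = _member_diff(host, "memberhost_host")
    hostgroup_add, hostgroup_del = _member_diff(hostgroup, "memberhost_hostgroup")
    hbacsvc_add, hbacsvc_del = _member_diff(hbacsvc, "memberservice_hbacsvc")
    hbacsvcgroup_add, hbacsvcgroup_del = _member_diff(hbacsvcgroup, "memberservice_hbacsvcgroup")
    user_add, user_del = _member_diff(user, "memberuser_user")
    group_add, group_del = _member_diff(group, "memberuser_group")
    # … unchanged: "Add hosts and hostgroups" and the commands that follow …
```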
@@ -1,338 +1,629 @@ --- -- name: Tests +- name: Playbook to handle hbacrules hosts: ipaserver become: true - gather_facts: false tasks: - - name: Ensure HBAC Rule allhosts is absent - ipahbacrule: + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + # CLEANUP TEST ITEMS + + - name: Ensure test hosts are absent + ipahost: ipaadmin_password: MyPassword123 - name: allhosts,sshd-pinky,loginRule + name: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" state: absent - - name: User pinky absent + - name: Ensure test hostgroups are absent + ipahostgroup: + ipaadmin_password: MyPassword123 + name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04 + state: absent + + - name: Ensure test users are absent ipauser: ipaadmin_password: MyPassword123 - name: pinky + name: testuser01,testuser02,testuser03,testuser04 state: absent - - name: User group login absent + - name: Ensure test user groups are absent ipagroup: ipaadmin_password: MyPassword123 - name: login + name: testgroup01,testgroup02,testgroup03,testgroup04 state: absent - - name: User pinky present + - name: Ensure test HBAC Services are absent + ipahbacsvc: + ipaadmin_password: MyPassword123 + name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04 + state: absent + + - name: Ensure test HBAC Service Groups are absent + ipahbacsvcgroup: + ipaadmin_password: MyPassword123 + name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04 + state: absent + + # CREATE TEST ITEMS + + - name: Ensure hosts "{{ 'host[1..4].' + ipaserver_domain }}" are present + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ 'testhost01.' + ipaserver_domain }}" + force: yes + - name: "{{ 'testhost02.' 
+ ipaserver_domain }}" + force: yes + - name: "{{ 'testhost03.' + ipaserver_domain }}" + force: yes + - name: "{{ 'testhost04.' + ipaserver_domain }}" + force: yes + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup01 is present + ipahostgroup: + ipaadmin_password: MyPassword123 + name: testhostgroup01 + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup02 is present + ipahostgroup: + ipaadmin_password: MyPassword123 + name: testhostgroup02 + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup03 is present + ipahostgroup: + ipaadmin_password: MyPassword123 + name: testhostgroup03 + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup04 is present + ipahostgroup: + ipaadmin_password: MyPassword123 + name: testhostgroup04 + register: result + failed_when: not result.changed + + - name: Ensure testusers are present ipauser: ipaadmin_password: MyPassword123 - name: pinky - uid: 10001 - gid: 100 - phone: "+555123457" - email: pinky@acme.com - principalexpiration: "20220119235959" - #passwordexpiration: "2022-01-19 23:59:59" - first: pinky - last: Acme + users: + - name: testuser01 + first: test + last: user01 + - name: testuser02 + first: test + last: user02 + - name: testuser03 + first: test + last: user03 + - name: testuser04 + first: test + last: user04 register: result failed_when: not result.changed - - name: User group login present + - name: Ensure user group testgroup01 is present ipagroup: ipaadmin_password: MyPassword123 - name: login + name: testgroup01 register: result failed_when: not result.changed - - name: Ensure HBAC Rule allhosts is present - ipahbacrule: + - name: Ensure user group testgroup02 is present + ipagroup: ipaadmin_password: MyPassword123 - name: allhosts - usercategory: all + name: testgroup02 register: result failed_when: not result.changed - - name: Ensure HBAC Rule 
allhosts is present again - ipahbacrule: + - name: Ensure user group testgroup03 is present + ipagroup: ipaadmin_password: MyPassword123 - name: allhosts - usercategory: all - register: result - failed_when: result.changed - - - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts - ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - host: "{{ groups.ipaserver[0] }}" - action: member + name: testgroup03 register: result failed_when: not result.changed - - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts again - ipahbacrule: + - name: Ensure user group testgroup04 is present + ipagroup: ipaadmin_password: MyPassword123 - name: allhosts - host: "{{ groups.ipaserver[0] }}" - action: member - register: result - failed_when: result.changed - - - name: Ensure HBAC Rule sshd-pinky is present - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hostcategory: all + name: testgroup04 register: result failed_when: not result.changed - - name: Ensure HBAC Rule sshd-pinky is present again - ipahbacrule: + - name: Ensure HBAC Service testhbacsvc01 is present + ipahbacsvc: ipaadmin_password: MyPassword123 - name: sshd-pinky - hostcategory: all - register: result - failed_when: result.changed - - - name: Ensure user pinky is present in HBAC Rule sshd-pinky - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - user: pinky - action: member + name: testhbacsvc01 register: result failed_when: not result.changed - - name: Ensure user pinky is present in HBAC Rule sshd-pinky again - ipahbacrule: + - name: Ensure HBAC Service testhbacsvc02 is present + ipahbacsvc: ipaadmin_password: MyPassword123 - name: sshd-pinky - user: pinky - action: member - register: result - failed_when: result.changed - - - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hbacsvc: sshd - action: member + name: 
testhbacsvc02 register: result failed_when: not result.changed - - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky again - ipahbacrule: + - name: Ensure HBAC Service testhbacsvc03 is present + ipahbacsvc: ipaadmin_password: MyPassword123 - name: sshd-pinky - hbacsvc: sshd - action: member - register: result - failed_when: result.changed - - - name: Ensure HBAC Rule loginRule is present with HBAC service sshd - ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - group: login + name: testhbacsvc03 register: result failed_when: not result.changed - - name: Ensure HBAC Rule loginRule is present with HBAC service sshd again - ipahbacrule: + - name: Ensure HBAC Service testhbacsvc04 is present + ipahbacsvc: ipaadmin_password: MyPassword123 - name: loginRule - group: login - register: result - failed_when: result.changed - - - name: Ensure user pinky is present in HBAC Rule loginRule - ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - user: pinky - action: member + name: testhbacsvc04 register: result failed_when: not result.changed - - name: Ensure user pinky is present in HBAC Rule loginRule again - ipahbacrule: + - name: Ensure HBAC Service Group testhbacsvcgroup01 is present + ipahbacsvcgroup: ipaadmin_password: MyPassword123 - name: loginRule - user: pinky - action: member + name: testhbacsvcgroup01 register: result - failed_when: result.changed + failed_when: not result.changed - - name: Ensure user pinky is absent in HBAC Rule loginRule + - name: Ensure HBAC Service Group testhbacsvcgroup02 is present + ipahbacsvcgroup: + ipaadmin_password: MyPassword123 + name: testhbacsvcgroup02 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service Group testhbacsvcgroup03 is present + ipahbacsvcgroup: + ipaadmin_password: MyPassword123 + name: testhbacsvcgroup03 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service Group testhbacsvcgroup04 is present + 
ipahbacsvcgroup: + ipaadmin_password: MyPassword123 + name: testhbacsvcgroup04 + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 is absent ipahbacrule: ipaadmin_password: MyPassword123 - name: loginRule - user: pinky - action: member + name: hbacrule01 state: absent + + # ENSURE HBACRULE + + - name: Ensure HBAC rule hbacrule01 is present + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 register: result failed_when: not result.changed - - name: Ensure user pinky is absent in HBAC Rule loginRule again + - name: Ensure HBAC rule hbacrule01 is present again ipahbacrule: ipaadmin_password: MyPassword123 - name: loginRule - user: pinky + name: hbacrule01 + register: result + failed_when: result.changed + + # CHANGE HBACRULE WITH ALL MEMBERS + + - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + register: result + failed_when: not result.changed + + - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + register: result + failed_when: result.changed + + # REMOVE MEMBERS ONE BY ONE + + - name: Ensure test HBAC rule hbacrule01 host members are absent + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + state: absent action: member - state: absent - register: result - failed_when: result.changed - - - name: Ensure HBAC Rule loginRule is absent - ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - state: absent register: result failed_when: not result.changed - - name: Ensure HBAC Rule loginRule is absent again + - name: Ensure test HBAC rule hbacrule01 host members are absent again ipahbacrule: ipaadmin_password: MyPassword123 - name: loginRule + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" state: absent - register: result - failed_when: result.changed - - - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hbacsvc: sshd action: member - state: absent register: result - failed_when: not result.changed + failed_when: result.changed - - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky again + - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent ipahbacrule: ipaadmin_password: MyPassword123 - name: sshd-pinky - hbacsvc: sshd + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + state: absent action: member - state: absent register: result - failed_when: result.changed + failed_when: not result.changed - - name: Ensure user pinky is absent in HBAC Rule sshd-pinky + - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent again ipahbacrule: ipaadmin_password: MyPassword123 - name: sshd-pinky - user: pinky + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + state: absent action: member - state: absent register: result - failed_when: not result.changed + failed_when: result.changed - - name: Ensure user pinky is absent in HBAC Rule sshd-pinky again + - name: Ensure test HBAC rule hbacrule01 user members are absent ipahbacrule: ipaadmin_password: MyPassword123 - name: sshd-pinky - user: pinky + name: hbacrule01 + user: testuser01,testuser02 + state: absent action: member - state: absent - register: result - failed_when: result.changed - - - name: Ensure HBAC Rule sshd-pinky is disabled - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: disabled register: result failed_when: not result.changed - - name: Ensure HBAC Rule sshd-pinky is disabled again + - name: Ensure test HBAC rule hbacrule01 user members are absent again ipahbacrule: ipaadmin_password: MyPassword123 - name: sshd-pinky - state: disabled - register: result - failed_when: result.changed - - - 
name: Ensure HBAC Rule sshd-pinky is enabled - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: enabled - register: result - failed_when: not result.changed - - - name: Ensure HBAC Rule sshd-pinky is enabled again - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: enabled - register: result - failed_when: result.changed - - - name: Ensure HBAC Rule sshd-pinky is absent - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky + name: hbacrule01 + user: testuser01,testuser02 state: absent - register: result - failed_when: not result.changed - - - name: Ensure HBAC Rule sshd-pinky is absent again - ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: absent - register: result - failed_when: result.changed - - - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts - ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - host: "{{ groups.ipaserver[0] }}" action: member - state: absent register: result - failed_when: not result.changed + failed_when: result.changed - - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts again + - name: Ensure test HBAC rule hbacrule01 user group members are absent ipahbacrule: ipaadmin_password: MyPassword123 - name: allhosts - host: "{{ groups.ipaserver[0] }}" + name: hbacrule01 + group: testgroup01,testgroup02 + state: absent action: member - state: absent - register: result - failed_when: result.changed - - - name: Ensure HBAC Rule allhosts is absent - ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - state: absent register: result failed_when: not result.changed - - name: Ensure HBAC Rule allhosts is absent again + - name: Ensure test HBAC rule hbacrule01 user group members are absent again ipahbacrule: ipaadmin_password: MyPassword123 - name: allhosts + name: hbacrule01 + group: testgroup01,testgroup02 state: absent + action: member register: result failed_when: 
result.changed - - name: User pinky absent + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + state: absent + action: member + register: result + failed_when: result.changed + + # ADD MEMBERS BACK + + - name: Ensure test HBAC rule hbacrule01 host members are present + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + action: member + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 host members are present again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" + action: member + register: result + failed_when: result.changed + + - name: Ensure test HBAC rule hbacrule01 hostgroup members are present + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + action: member + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 hostgroup members are present again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + action: member + register: result + failed_when: result.changed + + - name: Ensure test HBAC rule hbacrule01 user members are present + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + user: testuser01,testuser02 + action: member + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 user members are present again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + user: testuser01,testuser02 + action: member + register: result + failed_when: result.changed + + - name: Ensure test HBAC rule hbacrule01 user group members are present + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + group: testgroup01,testgroup02 + action: member + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 user group members are present again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + group: testgroup01,testgroup02 + action: member + register: result + failed_when: result.changed + + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 + action: member + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hbacsvc: 
testhbacsvc01,testhbacsvc02 + action: member + register: result + failed_when: result.changed + + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + action: member + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + action: member + register: result + failed_when: result.changed + + # CHANGE TO DIFFERENT MEMBERS + + - name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + register: result + failed_when: not result.changed + + - name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + register: result + failed_when: result.changed + + # ENSURE OLD TEST MEMBERS ARE ABSENT + + - name: Ensure HBAC rule hbacrule01 members (same) are present + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost01.' 
+ ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + state: absent + action: member + register: result + failed_when: result.changed + + # ENSURE NEW TEST MEMBERS ARE ABSENT + + - name: Ensure HBAC rule hbacrule01 members are absent + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure HBAC rule hbacrule01 members are absent again + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + state: absent + action: member + register: result + failed_when: result.changed + + # CLEANUP TEST ITEMS + + - name: Ensure test HBAC rule hbacrule01 is absent + ipahbacrule: + ipaadmin_password: MyPassword123 + name: hbacrule01 + state: absent + + - name: Ensure test hosts are absent + ipahostgroup: + ipaadmin_password: MyPassword123 + name: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' 
+ ipaserver_domain }}" + state: absent + + - name: Ensure test hostgroups are absent + ipahostgroup: + ipaadmin_password: MyPassword123 + name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04 + state: absent + + - name: Ensure test users are absent ipauser: ipaadmin_password: MyPassword123 - name: pinky + name: testuser01,testuser02,testuser03,testuser04 state: absent - - name: User group login absent + - name: Ensure test user groups are absent ipagroup: ipaadmin_password: MyPassword123 - name: login + name: testgroup01,testgroup02,testgroup03,testgroup04 + state: absent + + - name: Ensure test HBAC Services are absent + ipahbacsvc: + ipaadmin_password: MyPassword123 + name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04 + state: absent + + - name: Ensure test HBAC Service Groups are absent + ipahbacsvcgroup: + ipaadmin_password: MyPassword123 + name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04 state: absent From 28d8896be50e1fae022ea0f585c9bd346a6b38c9 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Tue, 11 Feb 2020 10:59:30 +0100 Subject: [PATCH 20/40] tests: Fix top name tags in tests Most tests have simply been using "Tests" as the name, but this gives too little information in automated runs. The name should be similar to the test file name. --- tests/group/test_group.yml | 2 +- tests/hbacrule/test_hbacrule.yml | 2 +- tests/hbacsvc/test_hbacsvc.yml | 2 +- tests/hbacsvcgroup/test_hbacsvcgroup.yml | 2 +- tests/hostgroup/test_hostgroup.yml | 2 +- tests/pwpolicy/test_pwpolicy.yml | 2 +- tests/sudocmd/test_sudocmd.yml | 2 +- tests/sudocmdgroup/test_sudocmdgroup.yml | 2 +- tests/sudorule/test_sudorule.yml | 2 +- tests/user/test_user.yml | 2 +- tests/user/test_users.yml | 2 +- tests/user/test_users_absent.yml | 2 +- tests/user/test_users_present.yml | 2 +- tests/user/test_users_present_slice.yml | 2 +- tests/vault/test_vault.yml | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) 
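Review bot: In the final `# CLEANUP TEST ITEMS` section the task `Ensure test hosts are absent` calls `ipahostgroup:` with the four `testhost0N.<domain>` names, whereas the identically named setup task at the top of the file uses `ipahost:`; as written it asks for hostgroups of those names to be absent (a no-op) and leaves the test host entries on the server after every run. Change that module line to `ipahost:`. Smaller points in the same hunk: the task named `Ensure HBAC rule hbacrule01 members (same) are present` actually asserts that `state: absent` is a no-op and should say so, the `force: yes` values would be `force: true` under yamllint's truthy rule, and `hbassvcs` in several task names is a typo for `hbacsvcs`.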
diff --git a/tests/group/test_group.yml b/tests/group/test_group.yml
index 5fc63dd1..23b4e4ea 100644
--- a/tests/group/test_group.yml
+++ b/tests/group/test_group.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test group
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/hbacrule/test_hbacrule.yml b/tests/hbacrule/test_hbacrule.yml
index 38858d39..0372e6ce 100644
--- a/tests/hbacrule/test_hbacrule.yml
+++ b/tests/hbacrule/test_hbacrule.yml
@@ -1,5 +1,5 @@
 ---
-- name: Playbook to handle hbacrules
+- name: Test hbacrule
   hosts: ipaserver
   become: true
 
diff --git a/tests/hbacsvc/test_hbacsvc.yml b/tests/hbacsvc/test_hbacsvc.yml
index d919b668..f6d8393c 100644
--- a/tests/hbacsvc/test_hbacsvc.yml
+++ b/tests/hbacsvc/test_hbacsvc.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test hbacsvc
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/hbacsvcgroup/test_hbacsvcgroup.yml b/tests/hbacsvcgroup/test_hbacsvcgroup.yml
index 9a659f1e..5a9e67d1 100644
--- a/tests/hbacsvcgroup/test_hbacsvcgroup.yml
+++ b/tests/hbacsvcgroup/test_hbacsvcgroup.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test hbacsvcgroup
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/hostgroup/test_hostgroup.yml b/tests/hostgroup/test_hostgroup.yml
index c3c44966..29935130 100644
--- a/tests/hostgroup/test_hostgroup.yml
+++ b/tests/hostgroup/test_hostgroup.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test hostgroup
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml
index f93f2756..1a01fca6 100644
--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test pwpolicy
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/sudocmd/test_sudocmd.yml b/tests/sudocmd/test_sudocmd.yml
index 97427869..523a6f74 100644
--- a/tests/sudocmd/test_sudocmd.yml
+++ b/tests/sudocmd/test_sudocmd.yml
@@ -1,6 +1,6 @@
 ---
-- name: Tests
+- name: Test sudocmd
   hosts: ipaserver
   become: true
   gather_facts: false
 
diff --git a/tests/sudocmdgroup/test_sudocmdgroup.yml b/tests/sudocmdgroup/test_sudocmdgroup.yml
index 226e986f..688c0844 100644
--- a/tests/sudocmdgroup/test_sudocmdgroup.yml
+++ b/tests/sudocmdgroup/test_sudocmdgroup.yml
@@ -1,6 +1,6 @@
 ---
-- name: Tests
+- name: Test sudocmdgroup
   hosts: ipaserver
   become: true
   gather_facts: false
 
diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml
index 25090bb1..4b4b6966 100644
--- a/tests/sudorule/test_sudorule.yml
+++ b/tests/sudorule/test_sudorule.yml
@@ -1,6 +1,6 @@
 ---
-- name: Tests
+- name: Test sudorule
   hosts: ipaserver
   become: true
   gather_facts: false
 
diff --git a/tests/user/test_user.yml b/tests/user/test_user.yml
index c172049f..541ea7cf 100644
--- a/tests/user/test_user.yml
+++ b/tests/user/test_user.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test user
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/user/test_users.yml b/tests/user/test_users.yml
index 129594d3..d66115cb 100644
--- a/tests/user/test_users.yml
+++ b/tests/user/test_users.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test users
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/user/test_users_absent.yml b/tests/user/test_users_absent.yml
index eaab27f7..1611c6d3 100644
--- a/tests/user/test_users_absent.yml
+++ b/tests/user/test_users_absent.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test users absent
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/user/test_users_present.yml b/tests/user/test_users_present.yml
index 370b1372..9489c0d3 100644
--- a/tests/user/test_users_present.yml
+++ b/tests/user/test_users_present.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test users present
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/user/test_users_present_slice.yml b/tests/user/test_users_present_slice.yml
index 8c6524d8..f6e67106 100644
--- a/tests/user/test_users_present_slice.yml
+++ b/tests/user/test_users_present_slice.yml
@@ -1,5 +1,5 @@
 ---
-- name: Tests
+- name: Test users present slice
   hosts: ipaserver
   become: true
   gather_facts: false
diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml
index b48f1ea4..de5a2635 100644
--- a/tests/vault/test_vault.yml
+++ b/tests/vault/test_vault.yml
@@ -1,6 +1,6 @@
 ---
-- name: Tests
+- name: Test vault
   hosts: ipaserver
   become: true
   gather_facts: false
 
From 3780a9a00e77ae0fd2944b36adad446d094fc90f Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Tue, 11 Feb 2020 10:34:39 +0100 Subject: [PATCH 21/40] ansible_freeipa_module: Fix comparison of bool parameters in compare_args_ipa Bool types are not iterable. Therefore the comparison using sets was failing with a TypeError. This prevented to change the bool parameters for hosts. A test for the host module has been added to verify that the bool parameters can be modified. New test: tests/host/test_host_bool_params.yml Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1784514 --- .../module_utils/ansible_freeipa_module.py | 18 ++- tests/host/test_host_bool_params.yml | 119 ++++++++++++++++++ 2 files changed, 133 insertions(+), 4 deletions(-) create mode 100644 tests/host/test_host_bool_params.yml
diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py
index 8154a12c..9e97b88b 100644
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -222,10 +222,20 @@ def compare_args_ipa(module, args, ipa): arg = [to_text(_arg) for _arg in arg] if isinstance(ipa_arg[0], unicode) and isinstance(arg[0], int): arg = [to_text(_arg) for _arg in arg] - # module.warn("%s <=> %s" % (arg, ipa_arg)) - if set(arg) != set(ipa_arg): - # module.warn("DIFFERENT") - return False + # module.warn("%s <=> %s" % (repr(arg), repr(ipa_arg))) + try: + arg_set = set(arg) + ipa_arg_set = set(ipa_arg) + except TypeError: + if arg != ipa_arg: + # module.warn("%s != %s" % (repr(arg), repr(ipa_arg))) + return False + else: + if arg_set != ipa_arg_set: + # module.warn("%s != %s" % (repr(arg), repr(ipa_arg))) + return False + + # module.warn("%s == %s" % (repr(arg), repr(ipa_arg))) return True diff --git a/tests/host/test_host_bool_params.yml b/tests/host/test_host_bool_params.yml new file mode 100644 index 00000000..824ea999 --- /dev/null +++ b/tests/host/test_host_bool_params.yml 
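Review bot: Catching `TypeError` around the two `set()` calls treats every non-hashable or non-iterable operand alike, so a list of unhashable items (dicts, nested lists) now also lands in the `arg != ipa_arg` branch, where list comparison is order-sensitive and an equal but reordered value is reported as different. The bool case the commit targets is better identified explicitly, e.g. `if isinstance(arg, bool) or isinstance(ipa_arg, bool):` before building the sets, with a comment such as `# bools are not iterable; compare them directly`, leaving the set comparison for real collections. Whether a bare bool ever reaches the `ipa_arg[0]`/`arg[0]` checks on the context lines above is not visible here (that index would itself raise on a bool), so presumably earlier code wraps scalars in lists — worth a one-line comment. compare_args_ipa starts outside the hunk.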
@@ -0,0 +1,119 @@ +--- +- name: Test host bool parameters + hosts: ipaserver + become: true + + tasks: + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Set host1_fqdn .. host6_fqdn + set_fact: + host1_fqdn: "{{ 'host1.' + ipaserver_domain }}" + + - name: Host absent + ipahost: + ipaadmin_password: MyPassword123 + name: + - "{{ host1_fqdn }}" + update_dns: yes + state: absent + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + force: yes + requires_pre_auth: yes + ok_as_delegate: yes + ok_to_auth_as_delegate: yes + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + requires_pre_auth: yes + ok_as_delegate: yes + ok_to_auth_as_delegate: yes + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate set to no + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + requires_pre_auth: no + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate set to no again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + requires_pre_auth: no + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + requires_pre_auth: yes + register: result + failed_when: not 
result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + requires_pre_auth: yes + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present with ok_as_delegate + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ok_as_delegate: yes + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with ok_as_delegate again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ok_as_delegate: yes + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present with ok_to_auth_as_delegate + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ok_to_auth_as_delegate: yes + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with ok_to_auth_as_delegate again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ok_to_auth_as_delegate: yes + register: result + failed_when: result.changed + + - name: Host absent + ipahost: + ipaadmin_password: MyPassword123 + name: + - "{{ host1_fqdn }}" + update_dns: yes + state: absent From 1875dd6cb26a951bf6cd8b96a3d86a0045c21ca4 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Wed, 12 Feb 2020 20:47:33 -0300 Subject: [PATCH 22/40] Modify roles README for consistency. Modify examples in server and replica roles for consistency with client role, by defining language for code blocks. --- roles/ipareplica/README.md | 94 +++++++++++++++++++++---------------- roles/ipaserver/README.md | 95 ++++++++++++++++++++++---------------- 2 files changed, 107 insertions(+), 82 deletions(-) diff --git a/roles/ipareplica/README.md b/roles/ipareplica/README.md index ef058c42..9e49fec2 100644 --- a/roles/ipareplica/README.md +++ b/roles/ipareplica/README.md 
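Review bot: The task named `Set host1_fqdn .. host6_fqdn` defines only `host1_fqdn`, so the name misleads; rename it to `Set host1_fqdn`. As a point of style, every bool parameter in the play (`force`, `update_dns`, `requires_pre_auth`, `ok_as_delegate`, `ok_to_auth_as_delegate`) is written as `yes`/`no`; `true`/`false` is what yamllint's truthy rule expects and means the same to Ansible. The play also omits `gather_facts: false`, which the two test playbooks renamed at the start of this series set, and nothing in this play appears to read gathered facts.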
@@ -47,60 +47,72 @@ Usage Example inventory file with fixed principal using auto-discovery with DNS records: - [ipareplicas] - ipareplica1.example.com - ipareplica2.example.com - - [ipareplicas:vars] - ipaadmin_principal=admin +```ini +[ipareplicas] +ipareplica1.example.com +ipareplica2.example.com + +[ipareplicas:vars] +ipaadmin_principal=admin +``` Example playbook to setup the IPA client(s) using principal from inventory file and password from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file: - - name: Playbook to configure IPA replicas - hosts: ipareplicas - become: true - vars_files: - - playbook_sensitive_data.yml - - roles: - - role: ipareplica - state: present +```yaml +--- +- name: Playbook to configure IPA replicas + hosts: ipareplicas + become: true + vars_files: + - playbook_sensitive_data.yml + + roles: + - role: ipareplica + state: present +``` Example playbook to unconfigure the IPA client(s) using principal and password from inventory file: - - name: Playbook to unconfigure IPA replicas - hosts: ipareplicas - become: true - - roles: - - role: ipareplica - state: absent +```yaml +--- +- name: Playbook to unconfigure IPA replicas + hosts: ipareplicas + become: true + + roles: + - role: ipareplica + state: absent +``` Example inventory file with fixed server, principal, password and domain: - [ipaserver] - ipaserver.example.com - - [ipareplicas] - ipareplica1.example.com - ipareplica2.example.com - - [ipareplicas:vars] - ipaclient_domain=example.com - ipaadmin_principal=admin - ipaadmin_password=MySecretPassword123 - ipadm_password=MySecretPassword456 +```ini +[ipaserver] +ipaserver.example.com + +[ipareplicas] +ipareplica1.example.com +ipareplica2.example.com + +[ipareplicas:vars] +ipaclient_domain=example.com +ipaadmin_principal=admin +ipaadmin_password=MySecretPassword123 +ipadm_password=MySecretPassword456 +``` Example playbook to setup the IPA client(s) using principal and password from inventory file: - - name: 
Playbook to configure IPA replicas with username/password - hosts: ipareplicas - become: true - - roles: - - role: ipareplica - state: present +```yaml +--- +- name: Playbook to configure IPA replicas with username/password + hosts: ipareplicas + become: true + roles: + - role: ipareplica + state: present +``` Playbooks ========= diff --git a/roles/ipaserver/README.md b/roles/ipaserver/README.md index 88afb3ac..55c9daa1 100644 --- a/roles/ipaserver/README.md +++ b/roles/ipaserver/README.md @@ -42,8 +42,7 @@ Requirements Limitations ----------- -External signed CA - +**External signed CA** External signed CA is now supported. But the currently needed two step process is an issue for the processing in a simple playbook. Work is planned to have a new method to handle CSR for external signed CAs in a separate step before starting the server installation. 
@@ -54,57 +53,70 @@ Usage Example inventory file with fixed domain and realm, setting up of the DNS server and using forwarders from /etc/resolv.conf: - [ipaserver] - ipaserver2.example.com - - [ipaserver:vars] - ipaserver_domain=example.com - ipaserver_realm=EXAMPLE.COM - ipaserver_setup_dns=yes - ipaserver_auto_forwarders=yes +```ini +[ipaserver] +ipaserver2.example.com + +[ipaserver:vars] +ipaserver_domain=example.com +ipaserver_realm=EXAMPLE.COM +ipaserver_setup_dns=yes +ipaserver_auto_forwarders=yes +``` Example playbook to setup the IPA server using admin and dirman passwords from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file: - - name: Playbook to configure IPA server - hosts: ipaserver - become: true - vars_files: - - playbook_sensitive_data.yml - - roles: - - role: ipaserver - state: present +```yaml +--- +- name: Playbook to configure IPA server + hosts: ipaserver + become: true + vars_files: + - playbook_sensitive_data.yml + + roles: + - role: ipaserver + state: present +``` Example playbook to unconfigure the IPA client(s) using principal and password from inventory file: - - name: Playbook to unconfigure IPA server - hosts: ipaserver - become: true - - roles: - - role: ipaserver - state: absent +```yaml +--- +- name: Playbook to unconfigure IPA server + hosts: ipaserver + become: true + + roles: + - role: ipaserver + state: absent +``` Example inventory file with fixed domain, realm, admin and dirman passwords: - [ipaserver] - ipaserver.example.com - - [ipaserver:vars] - ipaserver_domain=example.com - ipaserver_realm=EXAMPLE.COM - ipaadmin_password=MySecretPassword123 - ipadm_password=MySecretPassword234 +```ini +[ipaserver] +ipaserver.example.com + +[ipaserver:vars] +ipaserver_domain=example.com +ipaserver_realm=EXAMPLE.COM +ipaadmin_password=MySecretPassword123 +ipadm_password=MySecretPassword234 +``` Example playbook to setup the IPA server using admin and dirman passwords from inventory file: - - name: 
Playbook to configure IPA server - hosts: ipaserver - become: true - - roles: - - role: ipaserver - state: present +```yaml +--- +- name: Playbook to configure IPA server + hosts: ipaserver + become: true + + roles: + - role: ipaserver + state: present +``` Example playbook to setup the IPA primary with external signed CA using the previous inventory file: @@ -135,6 +147,7 @@ Sign with CA: This is up to you Server installation step 2: Copy `-chain.crt` to the IPA server and continue with installation of the primary. ```yaml +--- - name: Playbook to configure IPA server step3 hosts: ipaserver become: true From 167c76311da72c2bfabf4b2bce9e128c11d519d0 Mon Sep 17 00:00:00 2001 
From: Thomas Woerner Date: Wed, 12 Feb 2020 16:54:13 +0100 Subject: [PATCH 23/40] ipahost: Add support for several IP addresses and also to change them ipahost was so far ignoring IP addresses when the host already existed. This happened because host_mod is not providing functionality to do this. Now ipaddress is a list and it is possible to ensure a host with several IP addresses (these can be IPv4 and IPv6). Also it is possible to ensure presence and absence of IP addresses for an existing host using action member. There are no IP address conflict checks as this would lead into issues with updating an existing host that already is using a duplicate IP address for example for round-robin (RR). Also this might lead into issues with ensuring a new host with several IP addresses in this case. Also to ensure a list of hosts with changing the IP address of one host to another in the list would result in issues here. New example playbooks have been added: playbooks/host/host-present-with-several-ip-addresses.yml playbooks/host/host-member-ipaddresses-absent.yml playbooks/host/host-member-ipaddresses-present.yml A new test has been added for verification: tests/host/test_host_ipaddresses.yml Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1783976 https://bugzilla.redhat.com/show_bug.cgi?id=1783979 --- README-host.md | 79 ++++- .../host/host-member-ipaddresses-absent.yml | 17 + .../host/host-member-ipaddresses-present.yml | 16 + ...host-present-with-several-ip-addresses.yml | 24 ++ .../module_utils/ansible_freeipa_module.py | 23 ++ plugins/modules/ipahost.py | 179 +++++++--- tests/host/test_host_ipaddresses.yml | 312 ++++++++++++++++++ 7 files changed, 600 insertions(+), 50 deletions(-) create mode 100644 playbooks/host/host-member-ipaddresses-absent.yml create mode 100644 playbooks/host/host-member-ipaddresses-present.yml create mode 100644 playbooks/host/host-present-with-several-ip-addresses.yml create mode 100644 tests/host/test_host_ipaddresses.yml 
diff --git a/README-host.md b/README-host.md index be5ad79b..ecc59a9c 100644 --- a/README-host.md +++ b/README-host.md @@ -65,6 +65,79 @@ Example playbook to ensure host presence: - "52:54:00:BD:97:1E" state: present ``` +Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host. + + +Example playbook to ensure host presence with several IP addresses: + +```yaml +--- +- name: Playbook to handle hosts + hosts: ipaserver + become: true + + tasks: + # Ensure host is present + - ipahost: + ipaadmin_password: MyPassword123 + name: host01.example.com + description: Example host + ip_address: + - 192.168.0.123 + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b3 + - fe80::20c:29ff:fe02:a1b4 + locality: Lab + ns_host_location: Lab + ns_os_version: CentOS 7 + ns_hardware_platform: Lenovo T61 + mac_address: + - "08:00:27:E3:B1:2D" + - "52:54:00:BD:97:1E" + state: present +``` + + +Example playbook to ensure IP addresses are present for a host: + +```yaml +--- +- name: Playbook to handle hosts + hosts: ipaserver + become: true + + tasks: + # Ensure host is present + - ipahost: + ipaadmin_password: MyPassword123 + name: host01.example.com + ip_address: + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + action: member + state: present +``` + + +Example playbook to ensure IP addresses are absent for a host: + +```yaml +--- +- name: Playbook to handle hosts + hosts: ipaserver + become: true + + tasks: + # Ensure host is present + - ipahost: + ipaadmin_password: MyPassword123 + name: host01.example.com + ip_address: + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + action: member + state: absent +``` Example playbook to ensure host presence without DNS: 
@@ -215,7 +288,7 @@ Example playbook to disable a host: update_dns: yes state: disabled ``` -`update_dns` controls if the DNS entries will be updated. +`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records. Example playbook to ensure a host is absent: @@ -286,8 +359,8 @@ Variable | Description | Required `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no `force` | Force host name even if not in DNS. | no `reverse` | Reverse DNS detection. | no -`ip_address` \| `ipaddress` | The host IP address. | no -`update_dns` | Update DNS entries. | no +`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no +`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no Return Values diff --git a/playbooks/host/host-member-ipaddresses-absent.yml b/playbooks/host/host-member-ipaddresses-absent.yml new file mode 100644 index 00000000..2466dbdd --- /dev/null +++ b/playbooks/host/host-member-ipaddresses-absent.yml @@ -0,0 +1,17 @@ +--- +- name: Host member IP addresses absent + hosts: ipaserver + become: true + + tasks: + - name: Ensure host01.example.com IP addresses absent + ipahost: + ipaadmin_password: MyPassword123 + name: host01.example.com + ip_address: + - 192.168.0.123 + - fe80::20c:29ff:fe02:a1b3 + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + action: member + state: absent diff --git a/playbooks/host/host-member-ipaddresses-present.yml b/playbooks/host/host-member-ipaddresses-present.yml new file mode 100644 index 00000000..f473993e --- /dev/null +++ b/playbooks/host/host-member-ipaddresses-present.yml 
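Review bot: The example embeds the admin password as a literal, `ipaadmin_password: MyPassword123`, in a playbook that users are expected to copy; the role READMEs changed earlier in this series show the `vars_files`/Ansible Vault pattern, and referencing a variable (`ipaadmin_password: "{{ ipaadmin_password }}"`) would keep the examples consistent with it. The same applies to the two playbooks added in the next hunks, host-member-ipaddresses-present.yml and host-present-with-several-ip-addresses.yml. The present variant also leaves out `state: present` while this one spells out `state: absent`; stating it explicitly reads better in an example.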
@@ -0,0 +1,16 @@ +--- +- name: Host member IP addresses present + hosts: ipaserver + become: true + + tasks: + - name: Ensure host01.example.com IP addresses present + ipahost: + ipaadmin_password: MyPassword123 + name: host01.example.com + ip_address: + - 192.168.0.123 + - fe80::20c:29ff:fe02:a1b3 + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + action: member diff --git a/playbooks/host/host-present-with-several-ip-addresses.yml b/playbooks/host/host-present-with-several-ip-addresses.yml new file mode 100644 index 00000000..4956562a --- /dev/null +++ b/playbooks/host/host-present-with-several-ip-addresses.yml @@ -0,0 +1,24 @@ +--- +- name: Host present with several IP addresses + hosts: ipaserver + become: true + + tasks: + - name: Ensure host is present + ipahost: + ipaadmin_password: MyPassword123 + name: host01.example.com + description: Example host + ip_address: + - 192.168.0.123 + - fe80::20c:29ff:fe02:a1b3 + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + locality: Lab + ns_host_location: Lab + ns_os_version: CentOS 7 + ns_hardware_platform: Lenovo T61 + mac_address: + - "08:00:27:E3:B1:2D" + - "52:54:00:BD:97:1E" + state: present diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py index 9e97b88b..6acdbef4 100644 --- a/plugins/module_utils/ansible_freeipa_module.py +++ b/plugins/module_utils/ansible_freeipa_module.py @@ -42,6 +42,7 @@ try: from ipalib.x509 import Encoding except ImportError: from cryptography.hazmat.primitives.serialization import Encoding +import socket import base64 import six 
@@ -285,3 +286,25 @@ def encode_certificate(cert): if not six.PY2: encoded = encoded.decode('ascii') return encoded + + +def is_ipv4_addr(ipaddr): + """ + Test if figen IP address is a valid IPv4 address + """ + try: + socket.inet_pton(socket.AF_INET, ipaddr) + except socket.error: + return False + return True + + +def is_ipv6_addr(ipaddr): + """ + Test if figen IP address is a valid IPv6 address + """ + try: + socket.inet_pton(socket.AF_INET6, ipaddr) + except socket.error: + return False + return True diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py index dba41815..a5fd4829 100644 --- a/plugins/modules/ipahost.py +++ b/plugins/modules/ipahost.py @@ -176,11 +176,16 @@ options: default: true required: false ip_address: - description: The host IP address + description: + The host IP address list (IPv4 and IPv6). No IP address conflict + check will be done. aliases: ["ipaddress"] required: false update_dns: - description: Update DNS entries + description: + Controls the update of the DNS SSHFP records for existing hosts and + the removal of all DNS entries if a host gets removed with state + absent. required: false description: description: The host description @@ -306,11 +311,16 @@ options: default: true required: false ip_address: - description: The host IP address + description: + The host IP address list (IPv4 and IPv6). No IP address conflict + check will be done. aliases: ["ipaddress"] required: false update_dns: - description: Update DNS entries + description: + Controls the update of the DNS SSHFP records for existing hosts and + the removal of all DNS entries if a host gets removed with state + absent. required: false update_password: description: 
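Review bot: Both docstrings misspell "given" as "figen"; `Test if the given IP address is a valid IPv4 address`. `socket.inet_pton` also raises more than `socket.error`: a string with an embedded NUL raises ValueError and a non-string argument raises TypeError, and since `ip_address` is declared as a plain `list` in ipahost.py, a non-string element could reach these helpers and turn the clean `'%s' is not a valid IP address.` failure into a traceback. Catching `except (socket.error, ValueError, TypeError):` in both helpers keeps the failure path uniform.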
@@ -398,7 +408,8 @@ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ - module_params_get, gen_add_del_lists, encode_certificate, api_get_realm + module_params_get, gen_add_del_lists, encode_certificate, api_get_realm, \ + is_ipv4_addr, is_ipv6_addr import six @@ -428,6 +439,32 @@ def find_host(module, name): return None +def find_dnsrecord(module, name): + domain_name = name[name.find(".")+1:] + host_name = name[:name.find(".")] + + _args = { + "all": True, + "idnsname": to_text(host_name), + } + + _result = api_command(module, "dnsrecord_find", to_text(domain_name), + _args) + + if len(_result["result"]) > 1: + module.fail_json( + msg="There is more than one host '%s'" % (name)) + elif len(_result["result"]) == 1: + _res = _result["result"][0] + certs = _res.get("usercertificate") + if certs is not None: + _res["usercertificate"] = [encode_certificate(cert) for + cert in certs] + return _res + else: + return None + + def show_host(module, name): _result = api_command(module, "host_show", to_text(name), {}) return _result["result"] 
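Review bot: find_dnsrecord splits `name` with `name.find(".")`, which returns -1 for a name without a dot, so `domain_name` silently becomes the whole name and `host_name` the name minus its last character; the same split is repeated three times in main() in later hunks of this commit, so a small helper that uses `str.partition` and fails on a bare host name removes both the duplication and the mis-split. The `usercertificate` re-encoding block looks copied from find_host; entries returned by `dnsrecord_find` carry `arecord`/`aaaarecord`, not certificates, so it can be dropped, and the failure message `There is more than one host '%s'` should speak of DNS records. Whether `dnsrecord_find` with an `idnsname` criterion matches exactly or as a substring is not visible here and should be confirmed, as a substring match would trip the more-than-one check on unrelated records.
```python
def split_hostname(module, name):
    """Split an FQDN into (host label, domain); fail on a name without a dot."""
    host_name, sep, domain_name = name.partition(".")
    if not sep or not host_name or not domain_name:
        module.fail_json(msg="'%s' is not a fully qualified host name" % name)
    return host_name, domain_name


def find_dnsrecord(module, name):
    host_name, domain_name = split_hostname(module, name)
    # … unchanged: _args and the dnsrecord_find call …
    if len(_result["result"]) > 1:
        module.fail_json(
            msg="There is more than one DNS record for '%s'" % (name))
    elif len(_result["result"]) == 1:
        return _result["result"][0]
    return None
```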
@@ -470,16 +507,34 @@ def gen_args(description, locality, location, platform, os, password, random, _args["ipakrboktoauthasdelegate"] = ok_to_auth_as_delegate if force is not None: _args["force"] = force - if reverse is not None: - _args["no_reverse"] = not reverse if ip_address is not None: - _args["ip_address"] = ip_address + # IP addresses are handed extra, therefore it is needed to set + # the force option here to make sure that host-add is able to + # add a host without IP address. + _args["force"] = True if update_dns is not None: _args["updatedns"] = update_dns return _args +def gen_dnsrecord_args(module, ip_address, reverse): + _args = {} + if reverse is not None: + _args["a_extra_create_reverse"] = reverse + _args["aaaa_extra_create_reverse"] = reverse + if ip_address is not None: + for ip in ip_address: + if is_ipv4_addr(ip): + _args.setdefault("arecord", []).append(ip) + elif is_ipv6_addr(ip): + _args.setdefault("aaaarecord", []).append(ip) + else: + module.fail_json(msg="'%s' is not a valid IP address." % ip) + + return _args + + def check_parameters( module, state, action, description, locality, location, platform, os, password, random, @@ -499,8 +554,7 @@ def check_parameters( "os", "password", "random", "mac_address", "sshpubkey", "userclass", "auth_ind", "requires_pre_auth", "ok_as_delegate", "ok_to_auth_as_delegate", "force", - "reverse", "ip_address", "update_dns", - "update_password"] + "reverse", "update_dns", "update_password"] for x in invalid: if vars()[x] is not None: module.fail_json( @@ -512,7 +566,7 @@ def check_parameters( "password", "random", "mac_address", "sshpubkey", "userclass", "auth_ind", "requires_pre_auth", "ok_as_delegate", "ok_to_auth_as_delegate", "force", - "reverse", "ip_address", "update_password"] + "reverse", "update_password"] for x in invalid: if vars()[x] is not None: module.fail_json( 
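Review bot: gen_args now sets `_args["force"] = True` whenever `ip_address` is given, overriding an explicit `force: no` handled a few lines above; if that is intended because addresses are added through dnsrecord_add rather than host_add, the `force` documentation should say so, otherwise `_args.setdefault("force", True)` keeps the user's choice. gen_dnsrecord_args also mixes two concerns: it stores `a_extra_create_reverse`/`aaaa_extra_create_reverse` next to the record lists, yet the dnsrecord_add call later in this commit builds those keys itself, and the `state: absent` path hands the whole dict to dnsrecord_del. Keeping gen_dnsrecord_args to the `arecord`/`aaaarecord` lists and passing `reverse` separately avoids the duplication. gen_args and check_parameters both extend beyond this hunk.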
@@ -549,9 +603,6 @@ def main(): default=None, no_log=True), random=dict(type="bool", aliases=["random_password"], default=None), - - - certificate=dict(type="list", aliases=["usercertificate"], default=None), managedby_host=dict(type="list", @@ -608,7 +659,7 @@ def main(): default=None), force=dict(type='bool', default=None), reverse=dict(type='bool', default=None), - ip_address=dict(type="str", aliases=["ipaddress"], + ip_address=dict(type="list", aliases=["ipaddress"], default=None), update_dns=dict(type="bool", aliases=["updatedns"], default=None), @@ -820,6 +871,7 @@ def main(): # Make sure host exists res_find = find_host(ansible_module, name) + res_find_dnsrecord = find_dnsrecord(ansible_module, name) # Create command if state == "present": @@ -829,6 +881,8 @@ def main(): random, mac_address, sshpubkey, userclass, auth_ind, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate, force, reverse, ip_address, update_dns) + dnsrecord_args = gen_dnsrecord_args( + ansible_module, ip_address, reverse) if action == "host": # Found the host 
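Review bot: `res_find_dnsrecord = find_dnsrecord(ansible_module, name)` now runs for every state, including `absent` and `disabled`, although only the `present` branch reads it; moving the call under `if state == "present":` saves an API round-trip per host and keeps host removal independent of the DNS lookup. Separately, `ip_address=dict(type="list", ...)` declares no element type, so non-string list items are passed through to the IP validators; `elements="str"` (where the supported Ansible versions provide it) would coerce them first. main() extends beyond these hunks.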
@@ -938,39 +992,20 @@ def main(): res_find.get( "ipaallowedtoperform_read_keys_hostgroup")) - else: - certificate_add = certificate or [] - certificate_del = [] - managedby_host_add = managedby_host or [] - managedby_host_del = [] - principal_add = principal or [] - principal_del = [] - allow_create_keytab_user_add = \ - allow_create_keytab_user or [] - allow_create_keytab_user_del = [] - allow_create_keytab_group_add = \ - allow_create_keytab_group or [] - allow_create_keytab_group_del = [] - allow_create_keytab_host_add = \ - allow_create_keytab_host or [] - allow_create_keytab_host_del = [] - allow_create_keytab_hostgroup_add = \ - allow_create_keytab_hostgroup or [] - allow_create_keytab_hostgroup_del = [] - allow_retrieve_keytab_user_add = \ - allow_retrieve_keytab_user or [] - allow_retrieve_keytab_user_del = [] - allow_retrieve_keytab_group_add = \ - allow_retrieve_keytab_group or [] - allow_retrieve_keytab_group_del = [] - allow_retrieve_keytab_host_add = \ - allow_retrieve_keytab_host or [] - allow_retrieve_keytab_host_del = [] - allow_retrieve_keytab_hostgroup_add = \ - allow_retrieve_keytab_hostgroup or [] - allow_retrieve_keytab_hostgroup_del = [] + # IP addresses are not really a member of hosts, but + # we will simply treat it as this to enable the + # addition and removal of IPv4 and IPv6 addresses in + # a simple way. + _dnsrec = res_find_dnsrecord or {} + dnsrecord_a_add, dnsrecord_a_del = gen_add_del_lists( + dnsrecord_args.get("arecord"), + _dnsrec.get("arecord")) + dnsrecord_aaaa_add, dnsrecord_aaaa_del = \ + gen_add_del_lists( + dnsrecord_args.get("aaaarecord"), + _dnsrec.get("aaaarecord")) - else: + if action != "host" or (action == "host" and res_find is None): certificate_add = certificate or [] certificate_del = [] managedby_host_add = managedby_host or [] 
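Review bot: `if action != "host" or (action == "host" and res_find is None):` says no more than `if action != "host" or res_find is None:`, and the shorter form reads as the intended "new host or member action" case. The comment above the gen_add_del_lists calls is useful; it could also note that a host existing in IPA without a DNS entry (`res_find_dnsrecord` is None) has all given addresses treated as additions, which is what `_dnsrec = res_find_dnsrecord or {}` achieves. main() extends beyond this hunk.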
@@ -1001,6 +1036,10 @@ def main(): allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] + dnsrecord_a_add = dnsrecord_args.get("arecord") or [] + dnsrecord_a_del = [] + dnsrecord_aaaa_add = dnsrecord_args.get("aaaarecord") or [] + dnsrecord_aaaa_del = [] # Remove canonical principal from principal_del canonical_principal = "host/" + name + "@" + server_realm @@ -1135,6 +1174,36 @@ def main(): "hostgroup": allow_retrieve_keytab_hostgroup_del, }]) + if len(dnsrecord_a_add) > 0 or len(dnsrecord_aaaa_add) > 0: + domain_name = name[name.find(".")+1:] + host_name = name[:name.find(".")] + + commands.append([domain_name, + "dnsrecord_add", + { + "idnsname": host_name, + "arecord": dnsrecord_a_add, + "a_extra_create_reverse": reverse, + "aaaarecord": dnsrecord_aaaa_add, + "aaaa_extra_create_reverse": reverse + }]) + + if len(dnsrecord_a_del) > 0 or len(dnsrecord_aaaa_del) > 0: + domain_name = name[name.find(".")+1:] + host_name = name[:name.find(".")] + + # There seems to be an issue with dnsrecord_del (not + # for dnsrecord_add) if aaaarecord is an empty list. + # Therefore this is done differently here: + _args = {"idnsname": host_name} + if len(dnsrecord_a_del) > 0: + _args["arecord"] = dnsrecord_a_del + if len(dnsrecord_aaaa_del) > 0: + _args["aaaarecord"] = dnsrecord_aaaa_del + + commands.append([domain_name, + "dnsrecord_del", _args]) + elif state == "absent": if action == "host": @@ -1215,6 +1284,17 @@ def main(): "hostgroup": allow_retrieve_keytab_hostgroup, }]) + dnsrecord_args = gen_dnsrecord_args(ansible_module, + ip_address, reverse) + if "arecord" in dnsrecord_args or \ + "aaaarecord" in dnsrecord_args: + domain_name = name[name.find(".")+1:] + host_name = name[:name.find(".")] + dnsrecord_args["idnsname"] = host_name + + commands.append([domain_name, "dnsrecord_del", + dnsrecord_args]) + elif state == "disabled": if res_find is not None: commands.append([name, "host_disable", {}]) 
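Review bot: The dnsrecord_add command passes `"arecord": dnsrecord_a_add` and `"aaaarecord": dnsrecord_aaaa_add` even when one of them is empty, and `"a_extra_create_reverse": reverse` even when `reverse` is None, while the comment on the dnsrecord_del block right below explains that an empty `aaaarecord` list is a problem there; building the add arguments the same conditional way (set only the keys that have values) stops depending on the server tolerating empty lists and `None` flags. In the `state: absent` hunk the dict returned by gen_dnsrecord_args goes unchanged to dnsrecord_del, so with `reverse` set it carries the creation-only `a_extra_create_reverse`/`aaaa_extra_create_reverse` keys; pop them before the call. The `domain_name`/`host_name` split `name[name.find(".")+1:]` is repeated three times in these hunks and mis-splits a name without a dot, which a shared helper would fix. main() extends beyond these hunks.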
@@ -1259,6 +1339,11 @@ def main(): # Host is already disabled, ignore error if "This entry is already disabled" in msg: continue + + # Ignore no modification error. + if "no modifications to be performed" in msg: + continue + ansible_module.fail_json(msg="%s: %s: %s" % (command, name, msg)) diff --git a/tests/host/test_host_ipaddresses.yml b/tests/host/test_host_ipaddresses.yml new file mode 100644 index 00000000..0a97dd55 --- /dev/null +++ b/tests/host/test_host_ipaddresses.yml 
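Review bot: `if "no modifications to be performed" in msg: continue` matches on error text for every command in the loop, so a wording change or translated message in a future IPA release silently turns the benign case into a hard failure, and it also hides the condition for commands where it is not expected. If the exception object is available in the enclosing handler, testing its class (ipalib's `errors.EmptyModification` is the one carrying this message) is more robust than the substring, and the comment should name the command expected to raise it, presumably host_mod when only DNS records change. The enclosing try/except starts before this hunk.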
@@ -0,0 +1,312 @@ +--- +- name: Test host IP addresses + hosts: ipaserver + become: true + + tasks: + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Set host1_fqdn .. host6_fqdn + set_fact: + host1_fqdn: "{{ 'host1.' + ipaserver_domain }}" + host2_fqdn: "{{ 'host2.' + ipaserver_domain }}" + host3_fqdn: "{{ 'host3.' + ipaserver_domain }}" + + - name: Get IPv4 address prefix from server node + set_fact: + ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | + join('.') }}" + + - name: Host absent + ipahost: + ipaadmin_password: MyPassword123 + name: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + - "{{ host3_fqdn }}" + update_dns: yes + state: absent + + - name: Host "{{ host1_fqdn }}" present + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.201' }}" + - fe80::20c:29ff:fe02:a1b2 + update_dns: yes + reverse: no + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.201' }}" + - fe80::20c:29ff:fe02:a1b2 + update_dns: yes + reverse: no + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present again with new IP address + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + update_dns: yes + reverse: no + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present again with new IP address again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - 
fe80::20c:29ff:fe02:a1b4 + update_dns: yes + reverse: no + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" member IPv4 address present + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + action: member + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" member IPv4 address present again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + action: member + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" member IPv4 address absent + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" member IPv4 address absent again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + action: member + state: absent + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" member IPv6 address present + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: fe80::20c:29ff:fe02:a1b2 + action: member + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" member IPv6 address present again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: fe80::20c:29ff:fe02:a1b2 + action: member + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" member IPv6 address absent + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: fe80::20c:29ff:fe02:a1b2 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" member IPv6 address absent again + ipahost: + ipaadmin_password: 
MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: fe80::20c:29ff:fe02:a1b2 + action: member + state: absent + register: result + + - name: Host "{{ host1_fqdn }}" member all ip-addresses absent + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" all member ip-addresses absent again + ipahost: + ipaadmin_password: MyPassword123 + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + action: member + state: absent + register: result + failed_when: result.changed + + - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with same IP addresses + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + - name: "{{ host2_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: not result.changed + + - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with same IP addresses again + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + - name: "{{ host2_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: result.changed + + - name: Hosts "{{ host3_fqdn }}" present with same IP addresses + 
ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: not result.changed + + - name: Hosts "{{ host3_fqdn }}" present with same IP addresses again + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: result.changed + + - name: Host "{{ host3_fqdn }}" present with differnt IP addresses + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.111' }}" + - fe80::20c:29ff:fe02:a1b1 + - "{{ ipv4_prefix + '.121' }}" + - fe80::20c:29ff:fe02:a1b2 + register: result + failed_when: not result.changed + + - name: Host "{{ host3_fqdn }}" present with different IP addresses again + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.111' }}" + - fe80::20c:29ff:fe02:a1b1 + - "{{ ipv4_prefix + '.121' }}" + - fe80::20c:29ff:fe02:a1b2 + register: result + failed_when: result.changed + + - name: Host "{{ host3_fqdn }}" present with old IP addresses + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: not result.changed + + - name: Host "{{ host3_fqdn }}" present with old IP addresses again + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: result.changed + 
+ - name: Host absent + ipahost: + ipaadmin_password: MyPassword123 + name: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + - "{{ host3_fqdn }}" + update_dns: yes + state: absent From 8f32cb04c1e161e1e3217f10413685a2cc9bf492 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Thu, 13 Feb 2020 14:10:38 +0100 Subject: [PATCH 24/40] tests/host/test_host: Fix use of wrong host in the host5 test host1 was used instead of host5 in the repeated host5 test. This lead to an error with the new IP address handling in ipahost. It was correctly reporting a change for host1 which resulted in a failed test. --- tests/host/test_host.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/host/test_host.yml b/tests/host/test_host.yml index 1a555a13..f3ec11df 100644 --- a/tests/host/test_host.yml +++ b/tests/host/test_host.yml @@ -129,7 +129,7 @@ - name: Host "{{ host5_fqdn }}" present again ipahost: ipaadmin_password: MyPassword123 - name: "{{ host1_fqdn }}" + name: "{{ host5_fqdn }}" ip_address: "{{ ipv4_prefix + '.205' }}" update_dns: yes reverse: no From 1a3c9114c338c24e037448ad0ec72b9f11209ba3 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Fri, 24 Jan 2020 23:34:44 -0300 Subject: [PATCH 25/40] Properly handle base64 enconding of certificates stored as bytes. This change is needed to properly handle base64 encoding of certificates stored as bytes, under Python 3, as used by IPA service. It does not affect Python 2.7 as bytes are identical to str in this version of the language. When retireving certificates stored by FreeIPA service data is returned as bytes, under Python 3, and encoding then breaks, as there is no bytes.public_bytes method. In Python 3, encoding with base64 will be the same for strings and bytes. --- plugins/module_utils/ansible_freeipa_module.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
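Review bot: The task `Host "{{ host1_fqdn }}" member IPv6 address absent again` registers `result` but has no `failed_when`, unlike every other "again" task in the file, so a non-idempotent second removal would pass unnoticed; add `failed_when: result.changed` after its `register: result`. The task name `Set host1_fqdn .. host6_fqdn` only defines host1..host3, and `present with differnt IP addresses` has a typo. The admin password `MyPassword123` is repeated inline in every task; a play-level `vars:` entry (or the value from the inventory) would keep the secret in one place and make a later change a single edit. `update_dns: yes` and `reverse: no` rely on YAML 1.1 truthy spellings; `true`/`false` is the portable form.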
diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py index 8154a12c..1ea64346 100644 --- a/plugins/module_utils/ansible_freeipa_module.py +++ b/plugins/module_utils/ansible_freeipa_module.py @@ -268,7 +268,7 @@ def encode_certificate(cert): Encode a certificate using base64 with also taking FreeIPA and Python versions into account """ - if isinstance(cert, str) or isinstance(cert, unicode): + if isinstance(cert, (str, unicode, bytes)): encoded = base64.b64encode(cert) else: encoded = base64.b64encode(cert.public_bytes(Encoding.DER)) From 0816b0773b1535780c7c3e5f05bda39434ab6bac Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Fri, 14 Feb 2020 13:21:54 +0100 Subject: [PATCH 26/40] ipahost: Fail on action member for new hosts, fix dnsrecord_add reverse flag The check to make sure that member can not be used on non existing hosts has bee missing. Also the reverse flag for the dnsrecord_add call was None if the varaible was not set. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1803026 --- plugins/modules/ipahost.py | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py index a5fd4829..558560e8 100644 --- a/plugins/modules/ipahost.py +++ b/plugins/modules/ipahost.py @@ -1005,6 +1005,11 @@ def main(): dnsrecord_args.get("aaaarecord"), _dnsrec.get("aaaarecord")) + else: + if res_find is None: + ansible_module.fail_json( + msg="No host '%s'" % name) + if action != "host" or (action == "host" and res_find is None): certificate_add = certificate or [] certificate_del = [] 
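Review bot: In the `encode_certificate` hunk, the widened `isinstance(cert, (str, unicode, bytes))` still evaluates `unicode`, which does not exist on Python 3 unless the module aliases it elsewhere (not visible here); if it does not, the check raises NameError before any encoding happens. Under Python 3 a `str` value also still fails, because `base64.b64encode` only accepts bytes-like input, so the `str` branch is effectively Python 2 only. If text input is possible on Python 3, encode it first, e.g. `if isinstance(cert, str) and not isinstance(cert, bytes): cert = cert.encode("utf-8")` ahead of the `b64encode` call. The function's remaining lines are outside the hunk.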
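Review bot: The new `fail_json(msg="No host '%s'" % name)` in the `@@ -1005` hunk sits in an `else:` whose `if` is outside the hunk; from the commit message this is the `action == "member"` path, so the message could say why a missing host is an error here, e.g. `msg="No host '%s': action 'member' requires an existing host" % name`. The enclosing `main()` starts and ends outside the hunk.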
@@ -1178,15 +1183,17 @@ def main(): domain_name = name[name.find(".")+1:] host_name = name[:name.find(".")] + _args = {"idnsname": host_name} + if reverse is not None: + _args["a_extra_create_reverse"] = reverse + _args["aaaa_extra_create_reverse"] = reverse + if len(dnsrecord_a_add) > 0: + _args["arecord"] = dnsrecord_a_add + if len(dnsrecord_aaaa_add) > 0: + _args["aaaarecord"] = dnsrecord_aaaa_add + commands.append([domain_name, - "dnsrecord_add", - { - "idnsname": host_name, - "arecord": dnsrecord_a_add, - "a_extra_create_reverse": reverse, - "aaaarecord": dnsrecord_aaaa_add, - "aaaa_extra_create_reverse": reverse - }]) + "dnsrecord_add", _args]) if len(dnsrecord_a_del) > 0 or len(dnsrecord_aaaa_del) > 0: domain_name = name[name.find(".")+1:] From 22d8784da29dcfede0744ef6b691b4506eae5deb Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Thu, 20 Feb 2020 12:58:11 +0100 Subject: [PATCH 27/40] ipahost: Do not fail on missing DNS or zone when no IP address given If no IP address is given and either DNS is not configured or if the zone is not found then ipahost may not fail in dnsrecord_find. The error happened for example by ensuring the absence of a host that is not part of the domain or for a host that has been added with force and is using a domain that is not served by the DNS server in the domain. It also happened if there was no DNS server in the domain at all. A new test case has been added to test_host_ipaddresses.yml The fix requires ipalib_errors provided by ansible_freeipa_module. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1804838 --- plugins/modules/ipahost.py | 17 +++++++++++++++-- tests/host/test_host_ipaddresses.yml | 9 +++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py index 558560e8..062f7680 100644 --- a/plugins/modules/ipahost.py +++ b/plugins/modules/ipahost.py 
@@ -409,7 +409,7 @@ from ansible.module_utils._text import to_text from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ module_params_get, gen_add_del_lists, encode_certificate, api_get_realm, \ - is_ipv4_addr, is_ipv6_addr + is_ipv4_addr, is_ipv6_addr, ipalib_errors import six @@ -871,7 +871,20 @@ def main(): # Make sure host exists res_find = find_host(ansible_module, name) - res_find_dnsrecord = find_dnsrecord(ansible_module, name) + try: + res_find_dnsrecord = find_dnsrecord(ansible_module, name) + except ipalib_errors.NotFound as e: + msg = str(e) + if ip_address is None and \ + ("DNS is not configured" in msg or \ + "DNS zone not found" in msg): + # IP address(es) not given and no DNS support in IPA + # -> Ignore failure + # IP address(es) not given and DNS zone is not found + # -> Ignore failure + res_find_dnsrecord = None + else: + ansible_module.fail_json(msg="%s: %s" % (host, msg)) # Create command if state == "present": diff --git a/tests/host/test_host_ipaddresses.yml b/tests/host/test_host_ipaddresses.yml index 0a97dd55..136a6101 100644 --- a/tests/host/test_host_ipaddresses.yml +++ b/tests/host/test_host_ipaddresses.yml @@ -301,6 +301,15 @@ register: result failed_when: result.changed + - name: Absent host01.ihavenodns.info test + ipahost: + ipaadmin_password: MyPassword123 + hosts: + - name: host01.ihavenodns.info + state: absent + register: result + failed_when: result.changed + - name: Host absent ipahost: ipaadmin_password: MyPassword123 From 4d94cb09a9fb09dd2576223b9be7f77d515202fb Mon Sep 17 00:00:00 2001 
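Review bot: The new `ansible_module.fail_json(msg="%s: %s" % (host, msg))` in the `@@ -871` hunk formats `host`, while the surrounding context passes `name` to `find_host` and `find_dnsrecord`; if `host` is the raw loop item (possibly a dict when `hosts:` is used) the error would print the dict rather than the host name, so `name` looks like the intended variable. The `"DNS is not configured"` / `"DNS zone not found"` substring checks couple the module to the exact wording of IPA's messages; a comment such as `# Message texts come from the IPA DNS plugin; re-check when bumping the supported IPA version` would help the next maintainer. The `\` inside the parenthesised condition is redundant. `main()` continues outside the hunk.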
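Review bot: The new test task uses `host01.ihavenodns.info`, a name under a real, registrable TLD; a reserved name such as `host01.ihavenodns.test` (RFC 6761) cannot collide with anyone's domain and makes it obvious the name is synthetic. The single host is given through `hosts:` where the plain `name: host01.ihavenodns.test` form used by the neighbouring tasks would read more simply.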
From: Thomas Woerner Date: Thu, 20 Feb 2020 12:54:32 +0100 Subject: [PATCH 28/40] ansible_freeipa_module: Import ipalib.errors as ipalib_errors For beeing able to catch ipalib.errors.NotFound errors in ipahost it is needed to import ipalib.errors. ipalib.errors is now imported as ipalib_errors to not have name conflicts with the errors list used in some of the modules. Related: https://bugzilla.redhat.com/show_bug.cgi?id=1804838 --- plugins/module_utils/ansible_freeipa_module.py | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py index 6acdbef4..5066de35 100644 --- a/plugins/module_utils/ansible_freeipa_module.py +++ b/plugins/module_utils/ansible_freeipa_module.py @@ -28,6 +28,7 @@ import shutil import gssapi from datetime import datetime from ipalib import api +from ipalib import errors as ipalib_errors from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG, LDAP_GENERALIZED_TIME_FORMAT try: From 4e5ad5a7fe6b1a813ce9773da7cc34f2cea9bf26 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Tue, 25 Feb 2020 23:21:51 +0100 Subject: [PATCH 29/40] test_pwpolicy: unite admin passwords One test did not use the admin password as the rest of the tests. This caused the tests/pwpolicy/test_pwpolicy.yml suite to fail. Changing the password to the same as in others fixes the issue. Signed-off-by: Petr Vobornik --- tests/pwpolicy/test_pwpolicy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml index 1a01fca6..d5a254e4 100644 --- a/tests/pwpolicy/test_pwpolicy.yml +++ b/tests/pwpolicy/test_pwpolicy.yml @@ -94,7 +94,7 @@ - name: Ensure maxlife of 90 for global_policy ipapwpolicy: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword maxlife: 90 register: result failed_when: not result.changed From d3c6b976ba1da90cbdd6706cf5c9c79323962a1e Mon Sep 17 00:00:00 2001 
From: Thomas Woerner Date: Wed, 26 Feb 2020 12:35:56 +0100 Subject: [PATCH 30/40] tests: Unite admin passwords The tests have been using MyPassword123 and also SomeADMINpassword within the tasks of the tests. SomeADMINpassword should be used everywhere. --- tests/group/test_group.yml | 38 ++--- tests/hbacrule/test_hbacrule.yml | 130 +++++++++--------- tests/hbacsvc/test_hbacsvc.yml | 14 +- tests/hbacsvcgroup/test_hbacsvcgroup.yml | 20 +-- tests/host/test_host.yml | 34 ++--- tests/host/test_host_allow_create_keytab.yml | 44 +++--- .../host/test_host_allow_retrieve_keytab.yml | 44 +++--- tests/host/test_host_bool_params.yml | 24 ++-- tests/host/test_host_ipaddresses.yml | 50 +++---- tests/host/test_host_managedby_host.yml | 24 ++-- tests/host/test_host_principal.yml | 22 +-- tests/host/test_host_random.yml | 10 +- tests/host/test_hosts.yml | 10 +- tests/host/test_hosts_managedby_host.yml | 16 +-- tests/host/test_hosts_principal.yml | 22 +-- tests/hostgroup/test_hostgroup.yml | 36 ++--- tests/pwpolicy/test_pwpolicy.yml | 2 +- tests/sudocmd/test_sudocmd.yml | 26 ++-- tests/sudocmdgroup/test_sudocmdgroup.yml | 32 ++--- tests/sudorule/test_sudorule.yml | 92 ++++++------- tests/user/test_user_random.yml | 10 +- tests/vault/test_vault.yml | 112 +++++++-------- 22 files changed, 406 insertions(+), 406 deletions(-) diff --git a/tests/group/test_group.yml b/tests/group/test_group.yml index 23b4e4ea..28df3a5a 100644 --- a/tests/group/test_group.yml +++ b/tests/group/test_group.yml 
@@ -7,19 +7,19 @@ tasks: - name: Ensure users user1, user2 and user3 are absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user1,user2,user3 state: absent - name: Ensure group group3, group2 and group1 are absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group3,group2,group1 state: absent - name: Ensure users user1..user3 are present ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: user1 @@ -35,49 +35,49 @@ - name: Ensure group1 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 register: result failed_when: not result.changed - name: Ensure group1 is present again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 register: result failed_when: result.changed - name: Ensure group2 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group2 register: result failed_when: not result.changed - name: Ensure group2 is present again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group2 register: result failed_when: result.changed - name: Ensure group3 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group3 register: result failed_when: not result.changed - name: Ensure group3 is present again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group3 register: result failed_when: result.changed - name: Ensure groups group2 and group3 are present in group group1 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 group: - group2 
@@ -88,7 +88,7 @@ - name: Ensure groups group2 and group3 are present in group group1 again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 group: - group2 @@ -99,7 +99,7 @@ - name: Ensure group3 ia present in group group1 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 group: - group3 @@ -109,7 +109,7 @@ - name: Ensure users user1, user2 and user3 are present in group group1 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 user: - user1 @@ -121,7 +121,7 @@ - name: Ensure users user1, user2 and user3 are present in group group1 again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 user: - user1 @@ -132,7 +132,7 @@ failed_when: result.changed #- ipagroup: - # ipaadmin_password: MyPassword123 + # ipaadmin_password: SomeADMINpassword # name: group1 # user: # - user7 @@ -140,7 +140,7 @@ - name: Ensure user user7 is absent in group group1 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 user: - user7 @@ -151,7 +151,7 @@ - name: Ensure group group4 is absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group4 state: absent register: result @@ -159,7 +159,7 @@ - name: Ensure group group3, group2 and group1 are absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group3,group2,group1 state: absent register: result @@ -167,7 +167,7 @@ - name: Ensure users user1, user2 and user3 are absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user1,user2,user3 state: absent register: result diff --git a/tests/hbacrule/test_hbacrule.yml b/tests/hbacrule/test_hbacrule.yml index 0372e6ce..4d0c2030 100644 --- a/tests/hbacrule/test_hbacrule.yml +++ b/tests/hbacrule/test_hbacrule.yml 
@@ -13,7 +13,7 @@ - name: Ensure test hosts are absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ 'testhost01.' + ipaserver_domain }}" - "{{ 'testhost02.' + ipaserver_domain }}" @@ -23,31 +23,31 @@ - name: Ensure test hostgroups are absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04 state: absent - name: Ensure test users are absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testuser01,testuser02,testuser03,testuser04 state: absent - name: Ensure test user groups are absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testgroup01,testgroup02,testgroup03,testgroup04 state: absent - name: Ensure test HBAC Services are absent ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04 state: absent - name: Ensure test HBAC Service Groups are absent ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04 state: absent @@ -55,7 +55,7 @@ - name: Ensure hosts "{{ 'host[1..4].' + ipaserver_domain }}" are present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ 'testhost01.' + ipaserver_domain }}" force: yes 
@@ -70,35 +70,35 @@ - name: Ensure host-group testhostgroup01 is present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhostgroup01 register: result failed_when: not result.changed - name: Ensure host-group testhostgroup02 is present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhostgroup02 register: result failed_when: not result.changed - name: Ensure host-group testhostgroup03 is present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhostgroup03 register: result failed_when: not result.changed - name: Ensure host-group testhostgroup04 is present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhostgroup04 register: result failed_when: not result.changed - name: Ensure testusers are present ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: testuser01 first: test 
@@ -117,91 +117,91 @@ - name: Ensure user group testgroup01 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testgroup01 register: result failed_when: not result.changed - name: Ensure user group testgroup02 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testgroup02 register: result failed_when: not result.changed - name: Ensure user group testgroup03 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testgroup03 register: result failed_when: not result.changed - name: Ensure user group testgroup04 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testgroup04 register: result failed_when: not result.changed - name: Ensure HBAC Service testhbacsvc01 is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvc01 register: result failed_when: not result.changed - name: Ensure HBAC Service testhbacsvc02 is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvc02 register: result failed_when: not result.changed - name: Ensure HBAC Service testhbacsvc03 is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvc03 register: result failed_when: not result.changed - name: Ensure HBAC Service testhbacsvc04 is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvc04 register: result failed_when: not result.changed - name: Ensure HBAC Service Group testhbacsvcgroup01 is present ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvcgroup01 register: result failed_when: not result.changed - name: Ensure HBAC Service Group testhbacsvcgroup02 is present ipahbacsvcgroup: - ipaadmin_password: MyPassword123 
+ ipaadmin_password: SomeADMINpassword name: testhbacsvcgroup02 register: result failed_when: not result.changed - name: Ensure HBAC Service Group testhbacsvcgroup03 is present ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvcgroup03 register: result failed_when: not result.changed - name: Ensure HBAC Service Group testhbacsvcgroup04 is present ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvcgroup04 register: result failed_when: not result.changed - name: Ensure test HBAC rule hbacrule01 is absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 state: absent @@ -209,14 +209,14 @@ - name: Ensure HBAC rule hbacrule01 is present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 register: result failed_when: not result.changed - name: Ensure HBAC rule hbacrule01 is present again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 register: result failed_when: result.changed @@ -225,7 +225,7 @@ - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost01.' + ipaserver_domain }}" @@ -240,7 +240,7 @@ - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost01.' + ipaserver_domain }}" @@ -257,7 +257,7 @@ - name: Ensure test HBAC rule hbacrule01 host members are absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost01.' + ipaserver_domain }}" 
@@ -269,7 +269,7 @@ - name: Ensure test HBAC rule hbacrule01 host members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost01.' + ipaserver_domain }}" @@ -281,7 +281,7 @@ - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hostgroup: testhostgroup01,testhostgroup02 state: absent @@ -291,7 +291,7 @@ - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hostgroup: testhostgroup01,testhostgroup02 state: absent @@ -301,7 +301,7 @@ - name: Ensure test HBAC rule hbacrule01 user members are absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 user: testuser01,testuser02 state: absent @@ -311,7 +311,7 @@ - name: Ensure test HBAC rule hbacrule01 user members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 user: testuser01,testuser02 state: absent @@ -321,7 +321,7 @@ - name: Ensure test HBAC rule hbacrule01 user group members are absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 group: testgroup01,testgroup02 state: absent @@ -331,7 +331,7 @@ - name: Ensure test HBAC rule hbacrule01 user group members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 group: testgroup01,testgroup02 state: absent @@ -341,7 +341,7 @@ - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hbacsvc: testhbacsvc01,testhbacsvc02 state: absent 
@@ -351,7 +351,7 @@ - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hbacsvc: testhbacsvc01,testhbacsvc02 state: absent @@ -361,7 +361,7 @@ - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 state: absent @@ -371,7 +371,7 @@ - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 state: absent @@ -383,7 +383,7 @@ - name: Ensure test HBAC rule hbacrule01 host members are present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost01.' + ipaserver_domain }}" @@ -394,7 +394,7 @@ - name: Ensure test HBAC rule hbacrule01 host members are present again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost01.' + ipaserver_domain }}" @@ -405,7 +405,7 @@ - name: Ensure test HBAC rule hbacrule01 hostgroup members are present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hostgroup: testhostgroup01,testhostgroup02 action: member @@ -414,7 +414,7 @@ - name: Ensure test HBAC rule hbacrule01 hostgroup members are present again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hostgroup: testhostgroup01,testhostgroup02 action: member 
@@ -423,7 +423,7 @@ - name: Ensure test HBAC rule hbacrule01 user members are present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 user: testuser01,testuser02 action: member @@ -432,7 +432,7 @@ - name: Ensure test HBAC rule hbacrule01 user members are present again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 user: testuser01,testuser02 action: member @@ -441,7 +441,7 @@ - name: Ensure test HBAC rule hbacrule01 user group members are present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 group: testgroup01,testgroup02 action: member @@ -450,7 +450,7 @@ - name: Ensure test HBAC rule hbacrule01 user group members are present again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 group: testgroup01,testgroup02 action: member @@ -459,7 +459,7 @@ - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hbacsvc: testhbacsvc01,testhbacsvc02 action: member @@ -468,7 +468,7 @@ - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hbacsvc: testhbacsvc01,testhbacsvc02 action: member @@ -477,7 +477,7 @@ - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 action: member @@ -486,7 +486,7 @@ - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 action: member 
@@ -497,7 +497,7 @@ - name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost03.' + ipaserver_domain }}" @@ -512,7 +512,7 @@ - name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost03.' + ipaserver_domain }}" @@ -529,7 +529,7 @@ - name: Ensure HBAC rule hbacrule01 members (same) are present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost01.' + ipaserver_domain }}" @@ -548,7 +548,7 @@ - name: Ensure HBAC rule hbacrule01 members are absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost03.' + ipaserver_domain }}" @@ -565,7 +565,7 @@ - name: Ensure HBAC rule hbacrule01 members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 host: - "{{ 'testhost03.' + ipaserver_domain }}" @@ -584,13 +584,13 @@ - name: Ensure test HBAC rule hbacrule01 is absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hbacrule01 state: absent - name: Ensure test hosts are absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ 'testhost01.' + ipaserver_domain }}" - "{{ 'testhost02.' + ipaserver_domain }}" 
@@ -600,30 +600,30 @@ - name: Ensure test hostgroups are absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04 state: absent - name: Ensure test users are absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testuser01,testuser02,testuser03,testuser04 state: absent - name: Ensure test user groups are absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testgroup01,testgroup02,testgroup03,testgroup04 state: absent - name: Ensure test HBAC Services are absent ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04 state: absent - name: Ensure test HBAC Service Groups are absent ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04 state: absent diff --git a/tests/hbacsvc/test_hbacsvc.yml b/tests/hbacsvc/test_hbacsvc.yml index f6d8393c..87a6bbd5 100644 --- a/tests/hbacsvc/test_hbacsvc.yml +++ b/tests/hbacsvc/test_hbacsvc.yml 
@@ -7,27 +7,27 @@ tasks: - name: Ensure HBAC Service for http is absent ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent - name: Ensure HBAC Service for http is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http register: result failed_when: not result.changed - name: Ensure HBAC Service for http is present again ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http register: result failed_when: result.changed - name: Ensure HBAC Service for tftp is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: tftp description: TFTP service register: result @@ -35,7 +35,7 @@ - name: Ensure HBAC Service for tftp is present again ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: tftp description: TFTP service register: result @@ -43,7 +43,7 @@ - name: Ensure HBAC Services for http and tftp are absent ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent register: result @@ -51,7 +51,7 @@ - name: Ensure HBAC Services for http and tftp are absent again ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent register: result diff --git a/tests/hbacsvcgroup/test_hbacsvcgroup.yml b/tests/hbacsvcgroup/test_hbacsvcgroup.yml index 5a9e67d1..853efa29 100644 --- a/tests/hbacsvcgroup/test_hbacsvcgroup.yml +++ b/tests/hbacsvcgroup/test_hbacsvcgroup.yml 
@@ -7,32 +7,32 @@ tasks: - name: Ensure HBAC Service Group login is absent ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent - name: Ensure HBAC Service for sshd is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login - name: Ensure HBAC Service Group login is present ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login register: result failed_when: not result.changed - name: Ensure HBAC Service Group login is present again ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login register: result failed_when: result.changed - name: Ensure HBAC Service sshd is present in HBAC Service Group login ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -42,7 +42,7 @@ - name: Ensure HBAC Service sshd is present in HBAC Service Group login again ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -52,7 +52,7 @@ - name: Ensure HBAC Services sshd and foo are absent in HBAC Service Group login ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -64,7 +64,7 @@ - name: Ensure HBAC Services sshd and foo are absent in HBAC Service Group login again ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -76,7 +76,7 @@ - name: Ensure HBAC Service Group login is absent ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent register: result 
@@ -84,7 +84,7 @@ - name: Ensure HBAC Service Group login is absent again ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent register: result diff --git a/tests/host/test_host.yml b/tests/host/test_host.yml index f3ec11df..efb0524a 100644 --- a/tests/host/test_host.yml +++ b/tests/host/test_host.yml @@ -20,7 +20,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -38,7 +38,7 @@ - name: Host "{{ host1_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" update_dns: yes @@ -48,7 +48,7 @@ - name: Host "{{ host1_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" update_dns: yes @@ -58,7 +58,7 @@ - name: Host "{{ host2_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host2_fqdn }}" ip_address: "{{ ipv4_prefix + '.202' }}" update_dns: yes @@ -68,7 +68,7 @@ - name: Host "{{ host2_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host2_fqdn }}" ip_address: "{{ ipv4_prefix + '.202' }}" update_dns: yes @@ -78,7 +78,7 @@ - name: Host "{{ host3_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host3_fqdn }}" ip_address: "{{ ipv4_prefix + '.203' }}" update_dns: yes @@ -88,7 +88,7 @@ - name: Host "{{ host3_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host3_fqdn }}" ip_address: "{{ ipv4_prefix + '.203' }}" update_dns: yes 
@@ -98,7 +98,7 @@ - name: Host "{{ host4_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host4_fqdn }}" ip_address: "{{ ipv4_prefix + '.204' }}" update_dns: yes @@ -108,7 +108,7 @@ - name: Host "{{ host4_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host4_fqdn }}" ip_address: "{{ ipv4_prefix + '.204' }}" update_dns: yes @@ -118,7 +118,7 @@ - name: Host "{{ host5_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host5_fqdn }}" ip_address: "{{ ipv4_prefix + '.205' }}" update_dns: yes @@ -128,7 +128,7 @@ - name: Host "{{ host5_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host5_fqdn }}" ip_address: "{{ ipv4_prefix + '.205' }}" update_dns: yes @@ -138,7 +138,7 @@ - name: Host "{{ host6_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host6_fqdn }}" ip_address: "{{ ipv4_prefix + '.206' }}" update_dns: yes @@ -148,7 +148,7 @@ - name: Host "{{ host6_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host6_fqdn }}" ip_address: "{{ ipv4_prefix + '.206' }}" update_dns: yes @@ -160,7 +160,7 @@ # not enabled. #- name: Hosts host1..host6 disabled # ipahost: - # ipaadmin_password: MyPassword123 + # ipaadmin_password: SomeADMINpassword # name: # - "{{ host1_fqdn }}" # - "{{ host2_fqdn }}" @@ -174,7 +174,7 @@ # #- name: Hosts host1..host6 disabled again # ipahost: - # ipaadmin_password: MyPassword123 + # ipaadmin_password: SomeADMINpassword # name: # - "{{ host1_fqdn }}" # - "{{ host2_fqdn }}" @@ -188,7 +188,7 @@ - name: Hosts host1..host6 absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" 
@@ -203,7 +203,7 @@ - name: Hosts host1..host6 absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" diff --git a/tests/host/test_host_allow_create_keytab.yml b/tests/host/test_host_allow_create_keytab.yml index eb7b7764..b9ad0a19 100644 --- a/tests/host/test_host_allow_create_keytab.yml +++ b/tests/host/test_host_allow_create_keytab.yml @@ -22,7 +22,7 @@ - name: Host host1..., host2... and host3... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -31,13 +31,13 @@ - name: Ensure host-groups hostgroup1 and hostgroup2 absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1,hostgroup2 state: absent - name: Ensure users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 - name: user2 @@ -45,13 +45,13 @@ - name: Ensure group1 and group2 absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1,group2 state: absent - name: Host host2... and host3... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host2_fqdn }}" force: yes @@ -62,7 +62,7 @@ - name: Ensure host-group hostgroup1 present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1 state: present register: result @@ -70,7 +70,7 @@ - name: Ensure host-group hostgroup2 present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup2 state: present register: result @@ -78,7 +78,7 @@ - name: Ensure users user1 and user2 present ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: First1 
@@ -91,21 +91,21 @@ - name: Ensure group1 present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 register: result failed_when: not result.changed - name: Ensure group2 present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group2 register: result failed_when: not result.changed - name: Host host1... present with allow_create_keytab users,groups,hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -125,7 +125,7 @@ - name: Host host1... present with allow_create_keytab users,groups,hosts and hostgroups again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -145,14 +145,14 @@ - name: Host host1... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" state: absent - name: Host host1... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" force: yes register: result @@ -160,7 +160,7 @@ - name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -180,7 +180,7 @@ - name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -200,7 +200,7 @@ - name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 
@@ -221,7 +221,7 @@ - name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -242,7 +242,7 @@ - name: Host host1..., host2... and host3... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -253,7 +253,7 @@ - name: Ensure host-groups hostgroup1 and hostgroup2 absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1,hostgroup2 state: absent register: result @@ -261,7 +261,7 @@ - name: Ensure users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 - name: user2 @@ -271,7 +271,7 @@ - name: Ensure group1 and group2 absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1,group2 state: absent register: result diff --git a/tests/host/test_host_allow_retrieve_keytab.yml b/tests/host/test_host_allow_retrieve_keytab.yml index 65d86aa6..8f955407 100644 --- a/tests/host/test_host_allow_retrieve_keytab.yml +++ b/tests/host/test_host_allow_retrieve_keytab.yml @@ -22,7 +22,7 @@ - name: Host host1..., host2... and host3... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -31,13 +31,13 @@ - name: Ensure host-groups hostgroup1 and hostgroup2 absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1,hostgroup2 state: absent - name: Ensure users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 - name: user2 
@@ -45,13 +45,13 @@ - name: Ensure group1 and group2 absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1,group2 state: absent - name: Host host2... and host3... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host2_fqdn }}" force: yes @@ -62,7 +62,7 @@ - name: Ensure host-group hostgroup1 present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1 state: present register: result @@ -70,7 +70,7 @@ - name: Ensure host-group hostgroup2 present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup2 state: present register: result @@ -78,7 +78,7 @@ - name: Ensure users user1 and user2 present ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: First1 @@ -91,21 +91,21 @@ - name: Ensure group1 present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 register: result failed_when: not result.changed - name: Ensure group2 present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group2 register: result failed_when: not result.changed - name: Host host1... present with allow_retrieve_keytab users,groups,hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -125,7 +125,7 @@ - name: Host host1... present with allow_retrieve_keytab users,groups,hosts and hostgroups again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 
@@ -145,14 +145,14 @@ - name: Host host1... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" state: absent - name: Host host1... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" force: yes register: result @@ -160,7 +160,7 @@ - name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -180,7 +180,7 @@ - name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -200,7 +200,7 @@ - name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -221,7 +221,7 @@ - name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -242,7 +242,7 @@ - name: Host host1..., host2... and host3... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -253,7 +253,7 @@ - name: Ensure host-groups hostgroup1 and hostgroup2 absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1,hostgroup2 state: absent register: result @@ -261,7 +261,7 @@ - name: Ensure users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 - name: user2 
@@ -271,7 +271,7 @@ - name: Ensure group1 and group2 absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1,group2 state: absent register: result diff --git a/tests/host/test_host_bool_params.yml b/tests/host/test_host_bool_params.yml index 824ea999..efded1f1 100644 --- a/tests/host/test_host_bool_params.yml +++ b/tests/host/test_host_bool_params.yml @@ -15,7 +15,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" update_dns: yes @@ -23,7 +23,7 @@ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" force: yes requires_pre_auth: yes @@ -34,7 +34,7 @@ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" requires_pre_auth: yes ok_as_delegate: yes @@ -44,7 +44,7 @@ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate set to no ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" requires_pre_auth: no ok_as_delegate: no @@ -54,7 +54,7 @@ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate set to no again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" requires_pre_auth: no ok_as_delegate: no @@ -64,7 +64,7 @@ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" requires_pre_auth: yes register: result 
@@ -72,7 +72,7 @@ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" requires_pre_auth: yes register: result @@ -80,7 +80,7 @@ - name: Host "{{ host1_fqdn }}" present with ok_as_delegate ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ok_as_delegate: yes register: result @@ -88,7 +88,7 @@ - name: Host "{{ host1_fqdn }}" present with ok_as_delegate again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ok_as_delegate: yes register: result @@ -96,7 +96,7 @@ - name: Host "{{ host1_fqdn }}" present with ok_to_auth_as_delegate ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ok_to_auth_as_delegate: yes register: result @@ -104,7 +104,7 @@ - name: Host "{{ host1_fqdn }}" present with ok_to_auth_as_delegate again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ok_to_auth_as_delegate: yes register: result @@ -112,7 +112,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" update_dns: yes diff --git a/tests/host/test_host_ipaddresses.yml b/tests/host/test_host_ipaddresses.yml index 136a6101..45500707 100644 --- a/tests/host/test_host_ipaddresses.yml +++ b/tests/host/test_host_ipaddresses.yml @@ -22,7 +22,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -32,7 +32,7 @@ - name: Host "{{ host1_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: - "{{ ipv4_prefix + '.201' }}" 
@@ -44,7 +44,7 @@ - name: Host "{{ host1_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: - "{{ ipv4_prefix + '.201' }}" @@ -56,7 +56,7 @@ - name: Host "{{ host1_fqdn }}" present again with new IP address ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: - "{{ ipv4_prefix + '.211' }}" @@ -70,7 +70,7 @@ - name: Host "{{ host1_fqdn }}" present again with new IP address again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: - "{{ ipv4_prefix + '.211' }}" @@ -84,7 +84,7 @@ - name: Host "{{ host1_fqdn }}" member IPv4 address present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" action: member @@ -93,7 +93,7 @@ - name: Host "{{ host1_fqdn }}" member IPv4 address present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" action: member @@ -102,7 +102,7 @@ - name: Host "{{ host1_fqdn }}" member IPv4 address absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" action: member @@ -112,7 +112,7 @@ - name: Host "{{ host1_fqdn }}" member IPv4 address absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" action: member @@ -122,7 +122,7 @@ - name: Host "{{ host1_fqdn }}" member IPv6 address present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: fe80::20c:29ff:fe02:a1b2 action: member 
@@ -131,7 +131,7 @@ - name: Host "{{ host1_fqdn }}" member IPv6 address present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: fe80::20c:29ff:fe02:a1b2 action: member @@ -140,7 +140,7 @@ - name: Host "{{ host1_fqdn }}" member IPv6 address absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: fe80::20c:29ff:fe02:a1b2 action: member @@ -150,7 +150,7 @@ - name: Host "{{ host1_fqdn }}" member IPv6 address absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: fe80::20c:29ff:fe02:a1b2 action: member @@ -159,7 +159,7 @@ - name: Host "{{ host1_fqdn }}" member all ip-addresses absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: - "{{ ipv4_prefix + '.211' }}" @@ -173,7 +173,7 @@ - name: Host "{{ host1_fqdn }}" all member ip-addresses absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: - "{{ ipv4_prefix + '.211' }}" @@ -187,7 +187,7 @@ - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with same IP addresses ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" ip_address: @@ -206,7 +206,7 @@ - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with same IP addresses again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" ip_address: @@ -225,7 +225,7 @@ - name: Hosts "{{ host3_fqdn }}" present with same IP addresses ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host3_fqdn }}" ip_address: 
@@ -238,7 +238,7 @@ - name: Hosts "{{ host3_fqdn }}" present with same IP addresses again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host3_fqdn }}" ip_address: @@ -251,7 +251,7 @@ - name: Host "{{ host3_fqdn }}" present with differnt IP addresses ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host3_fqdn }}" ip_address: @@ -264,7 +264,7 @@ - name: Host "{{ host3_fqdn }}" present with different IP addresses again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host3_fqdn }}" ip_address: @@ -277,7 +277,7 @@ - name: Host "{{ host3_fqdn }}" present with old IP addresses ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host3_fqdn }}" ip_address: @@ -290,7 +290,7 @@ - name: Host "{{ host3_fqdn }}" present with old IP addresses again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host3_fqdn }}" ip_address: @@ -303,7 +303,7 @@ - name: Absent host01.ihavenodns.info test ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.ihavenodns.info state: absent @@ -312,7 +312,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" diff --git a/tests/host/test_host_managedby_host.yml b/tests/host/test_host_managedby_host.yml index 78c5a43d..e6fb9dc6 100644 --- a/tests/host/test_host_managedby_host.yml +++ b/tests/host/test_host_managedby_host.yml @@ -16,7 +16,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" 
@@ -25,7 +25,7 @@ - name: Host "{{ host1_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" force: yes register: result @@ -33,7 +33,7 @@ - name: Host "{{ host2_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host2_fqdn }}" force: yes register: result @@ -41,7 +41,7 @@ - name: Host "{{ host1_fqdn }}" managed by "{{ 'host2.' + ipaserver_domain }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ host2_fqdn }}" register: result @@ -49,7 +49,7 @@ - name: Host "{{ host1_fqdn }}" managed by "{{ 'host2.' + ipaserver_domain }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ host2_fqdn }}" register: result @@ -57,7 +57,7 @@ - name: Host "{{ host1_fqdn }}" managed by "{{ groups.ipaserver[0] }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ groups.ipaserver[0] }}" action: member @@ -66,7 +66,7 @@ - name: Host "{{ host1_fqdn }}" managed by "{{ groups.ipaserver[0] }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ groups.ipaserver[0] }}" action: member @@ -75,7 +75,7 @@ - name: Host "{{ host1_fqdn }}" not managed by "{{ groups.ipaserver[0] }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ groups.ipaserver[0] }}" action: member @@ -85,7 +85,7 @@ - name: Host "{{ host1_fqdn }}" not managed by "{{ groups.ipaserver[0] }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ groups.ipaserver[0] }}" action: member 
@@ -95,7 +95,7 @@
 - name: Host "{{ host1_fqdn }}" not managed by "{{ 'host2.' + ipaserver_domain }}"
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 managedby_host: "{{ host2_fqdn }}"
 state: absent
@@ -105,7 +105,7 @@
 - name: Host "{{ host1_fqdn }}" not managed by "{{ 'host2.' + ipaserver_domain }}" again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 managedby_host: "{{ host2_fqdn }}"
 action: member
@@ -115,7 +115,7 @@
 - name: Host absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 - "{{ host2_fqdn }}"
diff --git a/tests/host/test_host_principal.yml b/tests/host/test_host_principal.yml
index 0dce400a..6c7d0dc0 100644
--- a/tests/host/test_host_principal.yml
+++ b/tests/host/test_host_principal.yml
@@ -20,7 +20,7 @@
 - name: Host host1 absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 update_dns: yes
@@ -28,7 +28,7 @@
 - name: Host host1... present with principal host/testhost1...
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal:
 - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -38,7 +38,7 @@
 - name: Host host1... principal host/host1... present (existing already)
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal:
 - "{{ 'host/host1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -48,7 +48,7 @@
 - name: Host host1... principal host/testhost1... present again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
 action: member
@@ -57,7 +57,7 @@
 - name: Host host1... principal host/testhost1... absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
 action: member
@@ -67,7 +67,7 @@
 - name: Host host1... principal host/testhost1... absent again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
 action: member
@@ -77,7 +77,7 @@
 - name: Host host1... principal host/testhost1... and host/myhost1... present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal:
 - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -88,7 +88,7 @@
 - name: Host host1... principal host/testhost1... and host/myhost1... present again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal:
 - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -99,7 +99,7 @@
 - name: Host host1... principal host/testhost1... and host/myhost1... absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal:
 - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -111,7 +111,7 @@
 - name: Host host1... principal host/testhost1... and host/myhost1... absent again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 principal:
 - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -123,7 +123,7 @@
 - name: Host host1... absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 update_dns: yes
diff --git a/tests/host/test_host_random.yml b/tests/host/test_host_random.yml
index 84893f90..4d1b2545 100644
--- a/tests/host/test_host_random.yml
+++ b/tests/host/test_host_random.yml
@@ -16,7 +16,7 @@
 - name: Test hosts absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 - "{{ host2_fqdn }}"
@@ -25,7 +25,7 @@
 - name: Host "{{ host1_fqdn }}" present with random password
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host1_fqdn }}"
 random: yes
 force: yes
@@ -43,14 +43,14 @@
 - name: Host "{{ host1_fqdn }}" absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 state: absent
 - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with random password
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 random: yes
@@ -79,7 +79,7 @@
 - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 - "{{ host2_fqdn }}"
diff --git a/tests/host/test_hosts.yml b/tests/host/test_hosts.yml
index 8e92bf32..30fd6538 100644
--- a/tests/host/test_hosts.yml
+++ b/tests/host/test_hosts.yml
@@ -21,7 +21,7 @@
 - name: Host host1..host6 absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 - name: "{{ host2_fqdn }}"
@@ -33,7 +33,7 @@
 - name: Hosts host1..host6 present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 force: yes
@@ -52,7 +52,7 @@
 - name: Hosts host1..host6 present again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 force: yes
@@ -71,7 +71,7 @@
 - name: Hosts host1..host6 absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 - name: "{{ host2_fqdn }}"
@@ -85,7 +85,7 @@
 - name: Hosts host1..host6 absent again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 - name: "{{ host2_fqdn }}"
diff --git a/tests/host/test_hosts_managedby_host.yml b/tests/host/test_hosts_managedby_host.yml
index a692745a..bd6452c4 100644
--- a/tests/host/test_hosts_managedby_host.yml
+++ b/tests/host/test_hosts_managedby_host.yml
@@ -19,7 +19,7 @@
 - name: Host absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 - "{{ host2_fqdn }}"
@@ -31,7 +31,7 @@
 - name: Host "{{ host5_fqdn }}" present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ host5_fqdn }}"
 force: yes
 register: result
@@ -39,7 +39,7 @@
 - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" present and managed by "{{ 'host5.' + ipaserver_domain }}"
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 managedby_host: "{{ host5_fqdn }}"
@@ -61,7 +61,7 @@
 - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" present and managed by "{{ 'host5.' + ipaserver_domain }}" again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 managedby_host: "{{ host5_fqdn }}"
@@ -83,7 +83,7 @@
 - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" managed by "{{ 'host5.' + ipaserver_domain }}"
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 managedby_host: "{{ host5_fqdn }}"
@@ -101,7 +101,7 @@
 - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" not managed by "{{ 'host5.' + ipaserver_domain }}"
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 managedby_host: "{{ host5_fqdn }}"
@@ -120,7 +120,7 @@
 - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" not managed by "{{ 'host5.' + ipaserver_domain }}" again
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 managedby_host: "{{ host5_fqdn }}"
@@ -139,7 +139,7 @@
 - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 - name: "{{ host2_fqdn }}"
diff --git a/tests/host/test_hosts_principal.yml b/tests/host/test_hosts_principal.yml
index 5918d35d..87e3a853 100644
--- a/tests/host/test_hosts_principal.yml
+++ b/tests/host/test_hosts_principal.yml
@@ -21,7 +21,7 @@
 - name: Host host1... and host2... absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 - "{{ host2_fqdn }}"
@@ -30,7 +30,7 @@
 - name: Host hostX... present with principal host/testhostX... X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -45,7 +45,7 @@
 - name: Host hostX... principal 'host/hostX... present (existing already) X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -59,7 +59,7 @@
 - name: Host hostX... principal host/testhostX... present again X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -73,7 +73,7 @@
 - name: Host hostX.. principal host/testhostX... absent X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -88,7 +88,7 @@
 - name: Host hostX... principal host/testhostX... absent again X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -103,7 +103,7 @@
 - name: Host hostX... principal host/testhostX... and host/myhostX... present X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -119,7 +119,7 @@
 - name: Host hostX... principal host/testhostX... and host/myhostX... present again X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -135,7 +135,7 @@
 - name: Host hostX... principal host/testhostX... and host/myhostX... absent X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -153,7 +153,7 @@
 - name: Host hostX... principal host/testhostX... and host/myhostX... absent again X=[1,2]
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: "{{ host1_fqdn }}"
 principal:
@@ -171,7 +171,7 @@
 - name: Hosts host1... and host2... absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ host1_fqdn }}"
 - "{{ host2_fqdn }}"
diff --git a/tests/hostgroup/test_hostgroup.yml b/tests/hostgroup/test_hostgroup.yml
index 29935130..ba449a06 100644
--- a/tests/hostgroup/test_hostgroup.yml
+++ b/tests/hostgroup/test_hostgroup.yml
@@ -12,7 +12,7 @@
 - name: Ensure host-group databases, mysql-server and oracle-server are absent
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - databases
 - mysql-server
@@ -21,7 +21,7 @@
 - name: Test hosts db1 and db2 absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ 'db1.' + ipaserver_domain }}"
 - "{{ 'db2.' + ipaserver_domain }}"
@@ -29,7 +29,7 @@
 - name: Host "{{ 'db1.' + ipaserver_domain }}" present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ 'db1.' + ipaserver_domain }}"
 force: yes
 register: result
@@ -37,7 +37,7 @@
 - name: Host "{{ 'db2.' + ipaserver_domain }}" present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ 'db2.' + ipaserver_domain }}"
 force: yes
 register: result
@@ -45,7 +45,7 @@
 - name: Ensure host-group mysql-server is present
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: mysql-server
 state: present
 register: result
@@ -53,7 +53,7 @@
 - name: Ensure host-group mysql-server is present again
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: mysql-server
 state: present
 register: result
@@ -61,7 +61,7 @@
 - name: Ensure host-group oracle-server is present
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: oracle-server
 state: present
 register: result
@@ -69,7 +69,7 @@
 - name: Ensure host-group oracle-server is present again
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: oracle-server
 state: present
 register: result
@@ -77,7 +77,7 @@
 - name: Ensure host-group databases is present
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: databases
 state: present
 host:
@@ -89,7 +89,7 @@
 - name: Ensure host-group databases is present again
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: databases
 state: present
 host:
@@ -101,7 +101,7 @@
 - name: Ensure host db2 is member of host-group databases
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: databases
 state: present
 host:
@@ -112,7 +112,7 @@
 - name: Ensure host db2 is member of host-group databases again
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: databases
 state: present
 host:
@@ -123,7 +123,7 @@
 - name: Ensure host-group mysql-server is member of host-group databases
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: databases
 state: present
 hostgroup:
@@ -134,7 +134,7 @@
 - name: Ensure host-group mysql-server is member of host-group databases again
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: databases
 state: present
 hostgroup:
@@ -145,7 +145,7 @@
 - name: Ensure host-group oracle-server is member of host-group databases (again)
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: databases
 state: present
 hostgroup:
@@ -156,7 +156,7 @@
 - name: Ensure host-group databases, mysql-server and oracle-server are absent
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - databases
 - mysql-server
@@ -167,7 +167,7 @@
 - name: Ensure host-group databases, mysql-server and oracle-server are absent again
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - databases
 - mysql-server
@@ -178,7 +178,7 @@
 - name: Test hosts db1 and db2 absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - "{{ 'db1.' + ipaserver_domain }}"
 - "{{ 'db2.' + ipaserver_domain }}"
diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml
index 1a01fca6..d5a254e4 100644
--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
@@ -94,7 +94,7 @@
 - name: Ensure maxlife of 90 for global_policy
 ipapwpolicy:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 maxlife: 90
 register: result
 failed_when: not result.changed
diff --git a/tests/sudocmd/test_sudocmd.yml b/tests/sudocmd/test_sudocmd.yml
index 523a6f74..c66e8108 100644
--- a/tests/sudocmd/test_sudocmd.yml
+++ b/tests/sudocmd/test_sudocmd.yml
@@ -8,7 +8,7 @@
 tasks:
 - name: Ensure sudocmds are absent
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/bin/su
 - /usr/sbin/ifconfig
@@ -17,7 +17,7 @@
 - name: Ensure sudocmd is present
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: /usr/bin/su
 state: present
 register: result
@@ -25,7 +25,7 @@
 - name: Ensure sudocmd is present again
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: /usr/bin/su
 state: present
 register: result
@@ -33,7 +33,7 @@
 - name: Ensure sudocmd is absent
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: /usr/bin/su
 state: absent
 register: result
@@ -41,7 +41,7 @@
 - name: Ensure sudocmd is absent again
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: /usr/bin/su
 state: absent
 register: result
@@ -49,7 +49,7 @@
 - name: Ensure multiple sudocmd are present
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/sbin/ifconfig
 - /usr/sbin/iwlist
@@ -59,7 +59,7 @@
 - name: Ensure multiple sudocmd are present again
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/sbin/ifconfig
 - /usr/sbin/iwlist
@@ -69,7 +69,7 @@
 - name: Ensure multiple sudocmd are absent
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/sbin/ifconfig
 - /usr/sbin/iwlist
@@ -79,7 +79,7 @@
 - name: Ensure multiple sudocmd are absent again
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/sbin/ifconfig
 - /usr/sbin/iwlist
@@ -88,7 +88,7 @@
 failed_when: result.changed
 - name: Ensure sudocmds are absent
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/bin/su
 - /usr/sbin/ifconfig
@@ -97,21 +97,21 @@
 - name: Ensure sudocmds are absent
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/sbin/ifconfig
 state: absent
 - name: Ensure sudocmds are present
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/sbin/iwlist
 state: present
 - name: Ensure multiple sudocmd are absent when only one was present
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/sbin/ifconfig
 - /usr/sbin/iwlist
diff --git a/tests/sudocmdgroup/test_sudocmdgroup.yml b/tests/sudocmdgroup/test_sudocmdgroup.yml
index 688c0844..ce149de6 100644
--- a/tests/sudocmdgroup/test_sudocmdgroup.yml
+++ b/tests/sudocmdgroup/test_sudocmdgroup.yml
@@ -8,7 +8,7 @@
 tasks:
 - name: Ensure sudocmds are present
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /usr/bin/su
 - /usr/sbin/ifconfig
@@ -17,13 +17,13 @@
 - name: Ensure sudocmdgroup is absent
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 state: absent
 - name: Ensure sudocmdgroup is present
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 state: present
 register: result
@@ -31,7 +31,7 @@
 - name: Ensure sudocmdgroup is present again
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 state: present
 register: result
@@ -39,7 +39,7 @@
 - name: Ensure sudocmdgroup is absent
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 state: absent
 register: result
@@ -47,7 +47,7 @@
 - name: Ensure sudocmdgroup is absent again
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 state: absent
 register: result
@@ -55,7 +55,7 @@
 - name: Ensure testing sudocmdgroup is present
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 state: present
 register: result
@@ -63,7 +63,7 @@
 - name: Ensure sudo commands are present in existing sudocmdgroup
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/ifconfig
@@ -74,7 +74,7 @@
 - name: Ensure sudo commands are present in existing sudocmdgroup, again
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/ifconfig
@@ -85,7 +85,7 @@
 - name: Ensure sudo commands are absent in existing sudocmdgroup
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/ifconfig
@@ -97,7 +97,7 @@
 - name: Ensure sudo commands are absent in existing sudocmdgroup, again
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/ifconfig
@@ -109,7 +109,7 @@
 - name: Ensure sudo commands are present in sudocmdgroup
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/ifconfig
@@ -121,7 +121,7 @@
 - name: Ensure one sudo command is not present in sudocmdgroup
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/ifconfig
@@ -132,7 +132,7 @@
 - name: Ensure one sudo command is present in sudocmdgroup
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/ifconfig
@@ -143,7 +143,7 @@
 - name: Ensure the other sudo command is not present in sudocmdgroup
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/iwlist
@@ -154,7 +154,7 @@
 - name: Ensure the other sudo commandsis not present in sudocmdgroup, again
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: network
 sudocmd:
 - /usr/sbin/iwlist
diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml
index 4b4b6966..0c4aef7f 100644
--- a/tests/sudorule/test_sudorule.yml
+++ b/tests/sudorule/test_sudorule.yml
@@ -9,14 +9,14 @@
 - name: Ensure hostgroup is present, with a host.
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: cluster
 host:
 - "{{ groups.ipaserver[0] }}"
 - name: Ensure some sudocmds are available
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /sbin/ifconfig
 - /usr/bin/vim
@@ -24,14 +24,14 @@
 - name: Ensure sudocmdgroup is available
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: test_sudorule
 sudocmd: /usr/bin/vim
 state: present
 - name: Ensure sudorules are absent
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - testrule1
 - allusers
@@ -41,21 +41,21 @@
 - name: Ensure sudorule is present
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 register: result
 failed_when: not result.changed
 - name: Ensure sudorule is present again
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 register: result
 failed_when: result.changed
 - name: Ensure sudorule is present, runAsUserCategory.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 runAsUserCategory: all
 register: result
@@ -63,7 +63,7 @@
 - name: Ensure sudorule is present, with usercategory 'all'
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allusers
 usercategory: all
 register: result
@@ -71,7 +71,7 @@
 - name: Ensure sudorule is present, with usercategory 'all', again
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allusers
 usercategory: all
 register: result
@@ -79,7 +79,7 @@
 - name: Ensure sudorule is present, with hostategory 'all'
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 hostcategory: all
 register: result
@@ -87,7 +87,7 @@
 - name: Ensure sudorule is present, with hostategory 'all', again
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 hostcategory: all
 register: result
@@ -95,13 +95,13 @@
 - name: Ensure sudorule is disabled
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 state: disabled
 - name: Ensure sudorule is disabled, again
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 state: disabled
 register: result
@@ -109,7 +109,7 @@
 - name: Ensure sudorule is enabled
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 state: enabled
 register: result
@@ -117,7 +117,7 @@
 - name: Ensure sudorule is enabled, again
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 state: enabled
 register: result
@@ -125,7 +125,7 @@
 - name: Ensure sudorule is present and some sudocmd are allowed.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 allow_sudocmd:
 - /sbin/ifconfig
@@ -135,7 +135,7 @@
 - name: Ensure sudorule is present and some sudocmd are allowed, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 allow_sudocmd:
 - /sbin/ifconfig
@@ -145,7 +145,7 @@
 - name: Ensure sudorule is present and some sudocmd are denyed.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 deny_sudocmd:
 - /usr/bin/vim
@@ -155,7 +155,7 @@
 - name: Ensure sudorule is present and some sudocmd are denyed, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 deny_sudocmd:
 - /usr/bin/vim
@@ -165,7 +165,7 @@
 - name: Ensure sudorule is present and, sudocmds are absent.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 allow_sudocmd: /sbin/ifconfig
 deny_sudocmd: /usr/bin/vim
@@ -176,7 +176,7 @@
 - name: Ensure sudorule is present and, sudocmds are absent, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 allow_sudocmd: /sbin/ifconfig
 deny_sudocmd: /usr/bin/vim
@@ -187,7 +187,7 @@
 - name: Ensure sudorule is present with cmdcategory 'all'.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allcommands
 cmdcategory: all
 register: result
@@ -195,7 +195,7 @@
 - name: Ensure sudorule is present with cmdcategory 'all', again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allcommands
 cmdcategory: all
 register: result
@@ -203,7 +203,7 @@
 - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 host: "{{ groups.ipaserver[0] }}"
 action: member
@@ -212,7 +212,7 @@
 - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 host: "{{ groups.ipaserver[0] }}"
 action: member
@@ -221,7 +221,7 @@
 - name: Ensure hostgroup is present in sudorule.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 hostgroup: cluster
 action: member
@@ -230,7 +230,7 @@
 - name: Ensure hostgroup is present in sudorule, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 hostgroup: cluster
 action: member
@@ -239,7 +239,7 @@
 - name: Ensure sudorule is present, with an allow_sudocmdgroup.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 allow_sudocmdgroup: test_sudorule
 state: present
@@ -248,7 +248,7 @@
 - name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 allow_sudocmdgroup: test_sudorule
 state: present
@@ -257,7 +257,7 @@
 - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 allow_sudocmdgroup: test_sudorule
 action: member
@@ -267,7 +267,7 @@
 - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 allow_sudocmdgroup: test_sudorule
 action: member
@@ -277,7 +277,7 @@
 - name: Ensure sudorule is present, with an deny_sudocmdgroup.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 deny_sudocmdgroup: test_sudorule
 state: present
@@ -286,7 +286,7 @@
 - name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 deny_sudocmdgroup: test_sudorule
 state: present
@@ -295,7 +295,7 @@
 - name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 deny_sudocmdgroup: test_sudorule
 action: member
@@ -305,7 +305,7 @@
 - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 deny_sudocmdgroup: test_sudorule
 action: member
@@ -315,7 +315,7 @@
 - name: Ensure sudorule is absent
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 state: absent
 register: result
@@ -323,7 +323,7 @@
 - name: Ensure sudorule is absent, again.
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: testrule1
 state: absent
 register: result
@@ -331,7 +331,7 @@
 - name: Ensure sudorule allhosts is absent
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 state: absent
 register: result
@@ -339,7 +339,7 @@
 - name: Ensure sudorule allhosts is absent, again
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 state: absent
 register: result
@@ -347,7 +347,7 @@
 - name: Ensure sudorule allusers is absent
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allusers
 state: absent
 register: result
@@ -355,7 +355,7 @@
 - name: Ensure sudorule allusers is absent, again
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allusers
 state: absent
 register: result
@@ -363,7 +363,7 @@
 - name: Ensure sudorule allcommands is absent
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allcommands
 state: absent
 register: result
@@ -371,7 +371,7 @@
 - name: Ensure sudorule allcommands is absent, again
 ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allcommands
 state: absent
 register: result
@@ -380,19 +380,19 @@
 # cleanup
 - name : Ensure sudocmdgroup is absent
 ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: test_sudorule
 state: absent
 - name: Ensure hostgroup is absent.
 ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: cluster
 state: absent
 - name: Ensure sudocmds are absent
 ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - /sbin/ifconfig
 - /usr/bin/vim
diff --git a/tests/user/test_user_random.yml b/tests/user/test_user_random.yml
index 47e4a350..44b9373a 100644
--- a/tests/user/test_user_random.yml
+++ b/tests/user/test_user_random.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Users user1 and user2 absent
 ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name:
 - user1
 - user2
@@ -14,7 +14,7 @@
 - name: User user1 present with random password
 ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: user1
 first: first1
 last: last1
@@ -30,14 +30,14 @@ - name: User user1 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - user1 state: absent - name: Users user1 and user1 present with random password ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: first1
@@ -63,7 +63,7 @@ - name: Users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - user1 - user2
diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml
index de5a2635..5b467f61 100644
--- a/tests/vault/test_vault.yml
+++ b/tests/vault/test_vault.yml
@@ -9,7 +9,7 @@ - name: Ensure user vaults are absent ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - stdvault - symvault
@@ -19,7 +19,7 @@ - name: Ensure test users do not exist. ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - user01 - user02
@@ -28,53 +28,53 @@ - name: Ensure test groups do not exist. ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: vaultgroup state: absent - name: Ensure vaultgroup exists. ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: vaultgroup - name: Ensure user01 exists. ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user01 first: First last: Start - name: Ensure user02 exists. ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user02 first: Second last: Middle - name: Ensure user03 exists. ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user03 first: Third last: Last - name: Ensure shared vaults are absent ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sharedvault shared: True state: absent - name: Ensure service vaults are absent ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: svcvault service: "HTTP/{{ groups.ipaserver[0] }}" state: absent - name: Ensure symmetric vault is present ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: user01 vault_password: MyVaultPassword123
@@ -84,7 +84,7 @@ - name: Ensure symmetric vault is present, again ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: user01 vault_password: MyVaultPassword123
@@ -94,7 +94,7 @@ - name: Archive data to symmetric vault ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: user01 vault_password: MyVaultPassword123
@@ -105,7 +105,7 @@ - name: Archive data with non-ASCII characters to symmetric vault ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: user01 vault_password: MyVaultPassword123
@@ -116,7 +116,7 @@ - name: Ensure symmetric vault is absent ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: user01 state: absent
@@ -125,7 +125,7 @@ - name: Ensure symmetric vault is absent, again ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: user01 state: absent
@@ -134,7 +134,7 @@ - name: Ensure asymmetric vault is present. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: asymvault username: user01 description: A symmetric private vault.
@@ -151,7 +151,7 @@ - name: Ensure asymmetric vault is present, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: asymvault username: user01 vault_public_key:
@@ -167,7 +167,7 @@ - name: Archive data in asymmetric vault. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: asymvault username: user01 vault_data: Hello World.
@@ -177,7 +177,7 @@ - name: Ensure asymmetric vault is absent. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: asymvault username: user01 state: absent
@@ -186,7 +186,7 @@ - name: Ensure asymmetric vault is absent, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: asymvault username: user01 state: absent
@@ -195,7 +195,7 @@ - name: Ensure standard vault is present. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault vault_type: standard username: user01
@@ -205,7 +205,7 @@ - name: Ensure standard vault is present, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 vault_type: standard
@@ -215,7 +215,7 @@ - name: Archive data in standard vault. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 vault_data: Hello World.
@@ -225,7 +225,7 @@ - name: Ensure standard vault member user is present. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -236,7 +236,7 @@ - name: Ensure standard vault member user is present, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -247,7 +247,7 @@ - name: Ensure more vault member users are present. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -259,7 +259,7 @@ - name: Ensure vault member user is still present. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -270,7 +270,7 @@ - name: Ensure vault users are absent. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -283,7 +283,7 @@ - name: Ensure vault users are absent, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -296,7 +296,7 @@ - name: Ensure vault user is absent, once more. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -308,7 +308,7 @@ - name: Ensure vault member group is present. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -318,7 +318,7 @@ - name: Ensure vault member group is present, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -328,7 +328,7 @@ - name: Ensure vault member group is absent. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -339,7 +339,7 @@ - name: Ensure vault member group is absent, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 action: member
@@ -350,7 +350,7 @@ - name: Ensure vault is absent. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 state: absent
@@ -359,7 +359,7 @@ - name: Ensure vault is absent, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 state: absent
@@ -368,7 +368,7 @@ - name: Ensure shared vault is present. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sharedvault shared: True ipavaultpassword: MyVaultPassword123
@@ -377,7 +377,7 @@ - name: Ensure shared vault is absent. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sharedvault shared: True state: absent
@@ -386,7 +386,7 @@ - name: Ensure service vault is present. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: svcvault ipavaultpassword: MyVaultPassword123 service: "HTTP/{{ groups.ipaserver[0] }}"
@@ -395,7 +395,7 @@ - name: Ensure service vault is absent. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: svcvault service: "HTTP/{{ groups.ipaserver[0] }}" state: absent
@@ -404,7 +404,7 @@ - name: Ensure vault is present, with members. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 vault_type: standard
@@ -418,7 +418,7 @@ - name: Ensure vault is present, with members, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 vault_type: standard
@@ -432,7 +432,7 @@ - name: Ensure user02 is not a member of vault stdvault. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 users: user02
@@ -443,7 +443,7 @@ - name: Ensure user02 is not a member of vault stdvault, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 users: user02
@@ -454,7 +454,7 @@ - name: Ensure user02 is a member of vault stdvault. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 users: user02
@@ -464,7 +464,7 @@ - name: Ensure user02 is a member of vault stdvault, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 users: user03
@@ -474,7 +474,7 @@ - name: Ensure user03 owns vault stdvault. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 owners: user03
@@ -484,7 +484,7 @@ - name: Ensure user03 owns vault stdvault, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 owners: user03
@@ -494,7 +494,7 @@ - name: Ensure user03 is not owner of stdvault. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 owners: user03
@@ -505,7 +505,7 @@ - name: Ensure user03 is not owner of stdvault, again. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 owners: user03
@@ -516,7 +516,7 @@ - name: Ensure vault is absent. ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: stdvault username: user01 state: absent
@@ -524,7 +524,7 @@ # cleaup - name: Ensure test vaults are absent ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - stdvault - symvault
@@ -534,21 +534,21 @@ - name: Ensure shared vaults are absent ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sharedvault shared: True state: absent - name: Ensure service vaults are absent ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: svcvault service: "HTTP/{{ groups.ipaserver[0] }}" state: absent - name: Ensure test users do not exist. ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - user01 - user02
@@ -557,6 +557,6 @@ - name: Ensure test groups do not exist. ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: vaultgroup state: absent
From 2b29a90c0d0ac8b4dc2dae621a6bdfc5b6394f5e Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Wed, 26 Feb 2020 12:39:22 +0100
Subject: [PATCH 31/40] READMES: Unite admin password
Use SomeADMINpassword as the admin password everywhere, also in the README files.
---
 README-group.md | 12 ++++++------
 README-hbacrule.md | 10 +++++-----
 README-hbacsvc.md | 6 +++---
 README-hbacsvcgroup.md | 10 +++++-----
 README-host.md | 22 +++++++++++-----------
 README-hostgroup.md | 8 ++++----
 README-pwpolicy.md | 6 +++---
 README-sudocmd.md | 4 ++--
 README-sudocmdgroup.md | 8 ++++----
 README-sudorule.md | 8 ++++----
 README-topology.md | 8 ++++----
 README-user.md | 26 +++++++++++++-------------
 README-vault.md | 14 +++++++-------
 13 files changed, 71 insertions(+), 71 deletions(-)
diff --git a/README-group.md b/README-group.md
index 8bba3237..0fb8a265 100644
--- a/README-group.md
+++ b/README-group.md
@@ -52,20 +52,20 @@ Example playbook to add groups: tasks: # Create group ops with gid 1234 - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops gidnumber: 1234 # Create group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops user: - pinky # Create group appops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: appops ```
@@ -80,7 +80,7 @@ Example playbook to add users to a group: tasks: # Add user member brain to group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops action: member user:
@@ -100,7 +100,7 @@ Example playbook to add group members to a group: tasks: # Add group members sysops and appops to group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops group: - sysops
@@ -118,7 +118,7 @@ Example playbook to remove groups: tasks: # Remove goups sysops, appops and ops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops,appops,ops state: absent ```
diff --git a/README-hbacrule.md b/README-hbacrule.md
index 39a242c1..d14692f9 100644
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Rule login exists: tasks: # Ensure HBAC Rule login is present - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login ```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service tasks: # Ensure HBAC Rule login is present with the only HBAC Service sshd - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login: tasks: # Ensure HBAC Service sshd is present in HBAC Rule login - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd
@@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login: tasks: # Ensure HBAC Service sshd is present in HBAC Rule login - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd
@@ -120,7 +120,7 @@ Example playbook to make sure HBAC Rule login is absent: tasks: # Ensure HBAC Rule login is present - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent ```
diff --git a/README-hbacsvc.md b/README-hbacsvc.md
index 861ed6f9..7203e549 100644
--- a/README-hbacsvc.md
+++ b/README-hbacsvc.md
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service for http is present tasks: # Ensure HBAC Service for http is present - ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http description: Web service ```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service for tftp is present tasks: # Ensure HBAC Service for tftp is present - ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: tftp description: TFTPWeb service ```
@@ -82,7 +82,7 @@ Example playbook to make sure HBAC Services for http and tftp are absent tasks: # Ensure HBAC Service for http and tftp are absent - ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent ```
diff --git a/README-hbacsvcgroup.md b/README-hbacsvcgroup.md
index 89dd0222..56d5f7a6 100644
--- a/README-hbacsvcgroup.md
+++ b/README-hbacsvcgroup.md
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service Group login exists: tasks: # Ensure HBAC Service Group login is present - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login ```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC tasks: # Ensure HBAC Service Group login is present with the only HBAC Service sshd - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group tasks: # Ensure HBAC Service sshd is present in HBAC Service Group login - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd
@@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group tasks: # Ensure HBAC Service sshd is present in HBAC Service Group login - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd
@@ -120,7 +120,7 @@ Example playbook to make sure HBAC Service Group login is absent: tasks: # Ensure HBAC Service Group login is present - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent ```
diff --git a/README-host.md b/README-host.md
index ecc59a9c..5f540cac 100644
--- a/README-host.md
+++ b/README-host.md
@@ -52,7 +52,7 @@ Example playbook to ensure host presence: tasks: # Ensure host is present - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com description: Example host ip_address: 192.168.0.123
@@ -79,7 +79,7 @@ Example playbook to ensure host presence with several IP addresses: tasks: # Ensure host is present - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com description: Example host ip_address:
@@ -109,7 +109,7 @@ Example playbook to ensure IP addresses are present for a host: tasks: # Ensure host is present - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com ip_address: - 192.168.0.124
@@ -130,7 +130,7 @@ Example playbook to ensure IP addresses are absent for a host: tasks: # Ensure host is present - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com ip_address: - 192.168.0.124
@@ -151,7 +151,7 @@ Example playbook to ensure host presence without DNS: tasks: # Ensure host is present without DNS - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host02.example.com description: Example host force: yes
@@ -169,7 +169,7 @@ Example playbook to ensure host presence with a random password: tasks: - name: Host host01.example.com present with random password ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com random: yes force: yes
@@ -193,7 +193,7 @@ Example playbook to ensure presence of several hosts with a random password: tasks: - name: Hosts host01.example.com and host01.example.com present with random passwords ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.example.com random: yes
@@ -225,7 +225,7 @@ Example playbook to ensure presence of host member principal: tasks: - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com principal: - host/testhost01.example.com
@@ -244,7 +244,7 @@ Example playbook to ensure presence of host member certificate: tasks: - name: Host host01.example.com present with certificate ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com certificate: - MIIC/zCCAeegAwIBAg...
@@ -262,7 +262,7 @@ Example playbook to ensure presence of member managedby_host for serveral hosts: tasks: ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.exmaple.com managedby_host: server.exmaple.com
@@ -283,7 +283,7 @@ Example playbook to disable a host: tasks: # Ensure host is disabled - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com update_dns: yes state: disabled
diff --git a/README-hostgroup.md b/README-hostgroup.md
index 39ea77f0..85701244 100644
--- a/README-hostgroup.md
+++ b/README-hostgroup.md
@@ -52,7 +52,7 @@ Example playbook to make sure hostgroup databases exists: tasks: # Ensure host-group databases is present - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com
@@ -72,7 +72,7 @@ Example playbook to make sure that hosts and hostgroups are present in existing tasks: # Ensure hosts and hostgroups are present in existing databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com
@@ -94,7 +94,7 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg tasks: # Ensure hosts and hostgroups are absent in databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com
@@ -116,7 +116,7 @@ Example playbook to make sure host-group databases is absent: tasks: # Ensure host-group databases is absent - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: absent ```
diff --git a/README-pwpolicy.md b/README-pwpolicy.md
index 847b32d3..f0b5d885 100644
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -45,7 +45,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops: tasks: - name: Ensure presence of pwpolicies for group ops ipapwpolicy: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops minlife: 7 maxlife: 49
@@ -67,7 +67,7 @@ Example playbook to ensure absence of pwpolicies for group ops: tasks: # Ensure absence of pwpolicies for group ops - ipapwpolicy: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops state: absent ```
@@ -83,7 +83,7 @@ Example playbook to ensure maxlife is set to 49 in global policy: tasks: # Ensure absence of pwpolicies for group ops - ipapwpolicy: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword maxlife: 49 ```
diff --git a/README-sudocmd.md b/README-sudocmd.md
index 2842a2fc..64300e08 100644
--- a/README-sudocmd.md
+++ b/README-sudocmd.md
@@ -52,7 +52,7 @@ Example playbook to make sure sudocmd exists: tasks: # Ensure sudocmd is present - ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: present ```
@@ -68,7 +68,7 @@ Example playbook to make sure sudocmd is absent: tasks: # Ensure sudocmd are absent - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: absent ```
diff --git a/README-sudocmdgroup.md b/README-sudocmdgroup.md
index f24b2cc4..cca08c19 100644
--- a/README-sudocmdgroup.md
+++ b/README-sudocmdgroup.md
@@ -52,7 +52,7 @@ Example playbook to make sure sudocmdgroup is present: tasks: # Ensure sudocmdgroup is present - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group01 description: Group of important commands ```
@@ -68,7 +68,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are present tasks: # Ensure sudo commands are present in existing sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group01 sudocmd: - /usr/bin/su
@@ -88,7 +88,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are absent i tasks: # Ensure sudocmds are absent in existing sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group01 sudocmd: - /usr/bin/su
@@ -108,7 +108,7 @@ Example playbook to make sure sudocmdgroup is absent: tasks: # Ensure sudocmdgroup is absent - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group01 state: absent ```
diff --git a/README-sudorule.md b/README-sudorule.md
index 50c73ade..ffcab963 100644
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -50,7 +50,7 @@ Example playbook to make sure Sudo Rule is present: tasks: # Ensure Sudo Rule is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 ```
@@ -66,7 +66,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule: tasks: # Ensure Sudo Rule is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 allow_sudocmd: - /sbin/ifconfig
@@ -85,7 +85,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule: tasks: # Ensure Sudo Rule is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 allow_sudocmd: - /sbin/ifconfig
@@ -104,7 +104,7 @@ Example playbook to make sure Sudo Rule is absent: tasks: # Ensure Sudo Rule is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 state: absent ```
diff --git a/README-topology.md b/README-topology.md
index dc595ebd..84ab240d 100644
--- a/README-topology.md
+++ b/README-topology.md
@@ -50,7 +50,7 @@ Example playbook to add a topology segment with default name (cn): tasks: - name: Add topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment: tasks: - name: Delete topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment: tasks: - name: Reinitialize topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local
@@ -111,7 +111,7 @@ Example playbook to verify a topology suffix: tasks: - name: Verify topology suffix ipatopologysuffix: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain state: verified ```
diff --git a/README-user.md b/README-user.md
index 991121c6..6958ebe5 100644
--- a/README-user.md
+++ b/README-user.md
@@ -52,7 +52,7 @@ Example playbook to ensure a user is present: tasks: # Ensure user pinky is present - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky first: pinky last: Acme
@@ -66,7 +66,7 @@ Example playbook to ensure a user is present: # Ensure user brain is present - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: brain first: brain last: Acme
@@ -85,7 +85,7 @@ These two `ipauser` module calls can be combined into one with the `users` varia tasks: # Ensure users pinky and brain are present - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: pinky first: pinky
@@ -153,7 +153,7 @@ Ensure user pinky is present with a generated random password and print the rand tasks: # Ensure user pinky is present with a random password - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: brain first: brain last: Acme
@@ -176,7 +176,7 @@ Ensure users pinky and brain are present with a generated random password and pr tasks: # Ensure users pinky and brain are present with random password - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: pinky first: pinky
@@ -212,7 +212,7 @@ Example playbook to delete a user, but preserve it: tasks: # Remove but preserve user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky preserve: yes state: absent
@@ -231,7 +231,7 @@ Example playbook to delete a user, but preserve it using the `users` variable: tasks: # Remove but preserve user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: pinky preserve: yes
@@ -252,7 +252,7 @@ Example playbook to undelete a preserved user. tasks: # Undelete preserved user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: undeleted ```
@@ -271,7 +271,7 @@ Example playbook to disable a user: tasks: # Disable user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: disabled ```
@@ -290,7 +290,7 @@ Example playbook to enable users: tasks: # Enable user pinky and brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: enabled ```
@@ -309,7 +309,7 @@ Example playbook to unlock users: tasks: # Unlock user pinky and brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: unlocked ```
@@ -326,7 +326,7 @@ Example playbook to ensure users are absent: tasks: # Ensure users pinky and brain are absent - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: absent ```
@@ -345,7 +345,7 @@ Example playbook to ensure users are absent: tasks: # Ensure users pinky and brain are absent - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: pinky - name: brain
diff --git a/README-vault.md b/README-vault.md
index 4be24696..9c0c833c 100644
--- a/README-vault.md
+++ b/README-vault.md
@@ -51,7 +51,7 @@ Example playbook to make sure vault is present: tasks: - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin vault_password: MyVaultPassword123
@@ -68,7 +68,7 @@ Example playbook to make sure that a vault and its members are present:
 tasks:
 - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: symvault
 username: admin
 users: user01
@@ -86,7 +86,7 @@ Example playbook to make sure that a vault member is present in vault:
 tasks:
 - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: symvault
 username: admin
 users: user01
@@ -103,7 +103,7 @@ Example playbook to make sure that a vault owner is absent in vault:
 tasks:
 - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: symvault
 username: admin
 owner: user01
@@ -121,7 +121,7 @@ Example playbook to make sure vault data is present in a symmetric vault:
 tasks:
 - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: symvault
 username: admin
 vault_password: MyVaultPassword123
@@ -141,7 +141,7 @@ Example playbook to make sure vault data is absent in a symmetric vault:
 tasks:
 - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: symvault
 username: admin
 vault_password: MyVaultPassword123
@@ -159,7 +159,7 @@ Example playbook to make sure vault is absent:
 tasks:
 - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: symvault
 username: admin
 state: absent
From d370ed27370792979acc2e17d9b8d9022b20241e Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Wed, 26 Feb 2020 12:40:22 +0100
Subject: [PATCH 32/40] playbooks: Unite admin password

Use SomeADMINpassword as the admin password everywhere, also in all playbooks.

---
 playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml | 2 +-
 playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml | 2 +-
 playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml | 2 +-
 playbooks/hbacrule/ensure-hbarule-allhosts-present.yml | 2 +-
 .../ensure-hbarule-allhosts-server-member-absent.yml | 2 +-
 .../ensure-hbarule-allhosts-server-member-present.yml | 2 +-
 playbooks/hbacsvc/ensure-hbacsvc-absent.yml | 2 +-
 playbooks/hbacsvc/ensure-hbacsvc-present.yml | 4 ++--
 playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml | 2 +-
 .../hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml | 2 +-
 .../hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml | 2 +-
 playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml | 2 +-
 playbooks/host/delete-host.yml | 2 +-
 playbooks/host/disable-host.yml | 2 +-
 playbooks/host/ensure_host_with_randompassword.yml | 2 +-
 playbooks/host/host-member-allow_create_keytab-absent.yml | 2 +-
 playbooks/host/host-member-allow_create_keytab-present.yml | 2 +-
 playbooks/host/host-member-allow_retrieve_keytab-absent.yml | 2 +-
 .../host/host-member-allow_retrieve_keytab-present.yml | 2 +-
 playbooks/host/host-member-certificate-absent.yml | 2 +-
 playbooks/host/host-member-certificate-present.yml | 2 +-
 playbooks/host/host-member-ipaddresses-absent.yml | 2 +-
 playbooks/host/host-member-ipaddresses-present.yml | 2 +-
 playbooks/host/host-member-managedby_host-absent.yml | 2 +-
 playbooks/host/host-member-managedby_host-present.yml | 2 +-
 playbooks/host/host-member-principal-absent.yml | 2 +-
 playbooks/host/host-member-principal-present.yml | 2 +-
 playbooks/host/host-present-with-allow_create_keytab.yml | 2 +-
 playbooks/host/host-present-with-allow_retrieve_keytab.yml | 2 +-
 playbooks/host/host-present-with-certificate.yml | 2 +-
 playbooks/host/host-present-with-managedby_host.yml | 2 +-
 playbooks/host/host-present-with-principal.yml | 2 +-
 playbooks/host/host-present-with-randompassword.yml | 2 +-
 playbooks/host/host-present-with-several-ip-addresses.yml | 2 +-
 playbooks/host/host-present.yml | 2 +-
 playbooks/host/hosts-member-certificate-absent.yml | 2 +-
 playbooks/host/hosts-member-certificate-present.yml | 2 +-
 playbooks/host/hosts-member-managedby_host-absent.yml | 2 +-
 playbooks/host/hosts-member-managedby_host-present.yml | 2 +-
 playbooks/host/hosts-member-principal-absent.yml | 2 +-
 playbooks/host/hosts-member-principal-present.yml | 2 +-
 playbooks/host/hosts-present-with-certificate.yml | 2 +-
 playbooks/host/hosts-present-with-managedby_host.yml | 2 +-
 playbooks/host/hosts-present-with-randompasswords.yml | 2 +-
 playbooks/hostgroup/ensure-hostgroup-is-absent.yml | 2 +-
 playbooks/hostgroup/ensure-hostgroup-is-present.yml | 2 +-
 .../ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml | 2 +-
 ...ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml | 2 +-
 playbooks/sudocmd/ensure-sudocmd-is-absent.yml | 2 +-
 playbooks/sudocmd/ensure-sudocmd-is-present.yml | 2 +-
 .../ensure-sudocmd-are-absent-in-sudocmdgroup.yml | 2 +-
 .../ensure-sudocmd-are-present-in-sudocmdgroup.yml | 4 ++--
 .../sudorule/ensure-sudorule-does-not-have-sudooption.yml | 2 +-
 playbooks/sudorule/ensure-sudorule-has-sudooption.yml | 2 +-
 .../sudorule/ensure-sudorule-host-member-is-absent.yml | 2 +-
 .../sudorule/ensure-sudorule-host-member-is-present.yml | 2 +-
 .../sudorule/ensure-sudorule-hostgroup-member-is-absent.yml | 2 +-
 .../ensure-sudorule-hostgroup-member-is-present.yml | 2 +-
 playbooks/sudorule/ensure-sudorule-is-disabled.yml | 2 +-
 playbooks/sudorule/ensure-sudorule-is-enabled.yml | 2 +-
 .../sudorule/ensure-sudorule-is-present-with-order.yml | 2 +-
 playbooks/sudorule/ensure-sudorule-is-present.yml | 2 +-
 playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml | 2 +-
 playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml | 2 +-
 playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml | 2 +-
 playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml | 2 +-
 playbooks/topology/add-topologysegment.yml | 2 +-
 playbooks/topology/delete-topologysegment.yml | 2 +-
 playbooks/topology/reinitialize-topologysegment.yml | 2 +-
 playbooks/topology/verify-topologysuffix.yml | 2 +-
 playbooks/user/add-group.yml | 6 +++---
 playbooks/user/add-groups-to-group.yml | 2 +-
 playbooks/user/add-user-to-group.yml | 2 +-
 playbooks/user/add-user.yml | 2 +-
 playbooks/user/delete-group.yml | 2 +-
 playbooks/user/delete-preserve-user.yml | 2 +-
 playbooks/user/delete-user.yml | 2 +-
 playbooks/user/disable-user.yml | 2 +-
 playbooks/user/enable-user.yml | 2 +-
 playbooks/user/ensure_user_with_randompassword.yml | 2 +-
 playbooks/user/ensure_users_with_randompasswords.yml | 2 +-
 playbooks/user/undelete-user.yml | 2 +-
 playbooks/user/unlock-users.yml | 2 +-
 playbooks/vault/data-archive-in-asymmetric-vault.yml | 2 +-
 playbooks/vault/data-archive-in-symmetric-vault.yml | 2 +-
 playbooks/vault/ensure-asymetric-vault-is-absent.yml | 2 +-
 playbooks/vault/ensure-asymetric-vault-is-present.yml | 2 +-
 playbooks/vault/ensure-service-vault-is-absent.yml | 2 +-
 playbooks/vault/ensure-service-vault-is-present.yml | 2 +-
 playbooks/vault/ensure-shared-vault-is-absent.yml | 2 +-
 playbooks/vault/ensure-shared-vault-is-present.yml | 2 +-
 playbooks/vault/ensure-standard-vault-is-absent.yml | 2 +-
 playbooks/vault/ensure-standard-vault-is-present.yml | 2 +-
 playbooks/vault/ensure-symetric-vault-is-absent.yml | 2 +-
 playbooks/vault/ensure-symetric-vault-is-present.yml | 2 +-
 playbooks/vault/ensure-vault-is-present-with-members.yml | 2 +-
 playbooks/vault/ensure-vault-member-group-is-absent.yml | 2 +-
 playbooks/vault/ensure-vault-member-group-is-present.yml | 2 +-
 playbooks/vault/ensure-vault-member-user-is-absent.yml | 2 +-
 playbooks/vault/ensure-vault-member-user-is-present.yml | 2 +-
 playbooks/vault/ensure-vault-owner-is-absent.yml | 2 +-
 playbooks/vault/ensure-vault-owner-is-present.yml | 2 +-
 102 files changed, 106 insertions(+), 106 deletions(-)

diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
index 73dfd2ac..fda5aeac 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
@@ -7,6 +7,6 @@
 tasks:
 - name: Ensure HBAC Rule allhosts is absent
 ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 state: absent
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
index 33196df5..4a5c7b15 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
@@ -7,6 +7,6 @@
 tasks:
 - name: Ensure HBAC Rule allhosts is disabled
 ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 state: disabled
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
index ad97b975..86b815f1 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
@@ -7,6 +7,6 @@
 tasks:
 - name: Ensure HBAC Rule allhosts is enabled
 ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 state: enabled
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
index 203f914a..d43bc4e5 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
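Review bot: The unified value is still a plaintext admin credential committed inside the playbook (`+ ipaadmin_password: SomeADMINpassword` in ensure-hbarule-allhosts-absent.yml), and these sample playbooks are exactly what users copy into real runs; the same applies to every playbook hunk in this patch. A safer shape for the examples is to reference a variable, `ipaadmin_password: "{{ ipaadmin_password }}"`, and let the value come from a `vars_prompt`, an ansible-vault encrypted vars file or `lookup('env', ...)`, so no literal password ever sits in a versioned file. If the literal is kept so the examples stay self-contained, a one-line comment above the task such as `# Sample value only - supply the real password via ansible-vault or vars_prompt` makes that intent explicit to readers.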
@@ -7,6 +7,6 @@
 tasks:
 - name: Ensure HBAC Rule allhosts is present
 ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 usercategory: all
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
index d3a77394..bbe5e8ca 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
@@ -7,7 +7,7 @@
 tasks:
 - name: Ensure host server is absent in HBAC Rule allhosts
 ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 host: server
 action: member
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
index 286402fc..d1703b27 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
@@ -7,7 +7,7 @@
 tasks:
 - name: Ensure host server is present in HBAC Rule allhosts
 ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: allhosts
 host: server
 action: member
diff --git a/playbooks/hbacsvc/ensure-hbacsvc-absent.yml b/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
index cb766e73..357fa8af 100644
--- a/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
+++ b/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
@@ -7,6 +7,6 @@
 tasks:
 - name: Ensure HBAC Services for http and tftp are absent
 ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: http,tftp
 state: absent
diff --git a/playbooks/hbacsvc/ensure-hbacsvc-present.yml b/playbooks/hbacsvc/ensure-hbacsvc-present.yml
index 1ed1d7c9..6892125d 100644
--- a/playbooks/hbacsvc/ensure-hbacsvc-present.yml
+++ b/playbooks/hbacsvc/ensure-hbacsvc-present.yml
@@ -7,12 +7,12 @@
 tasks:
 - name: Ensure HBAC Service for http is present
 ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: http
 description: Web service
 - name: Ensure HBAC Service for tftp is present
 ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: tftp
 description: TFTP service
diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
index c4e24d13..7564b9bf 100644
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
@@ -7,7 +7,7 @@
 tasks:
 - name: Ensure HBAC Service Group login is absent
 ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: login
 hbacsvc:
 - sshd
diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
index b72703c3..f37fa27c 100644
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
@@ -7,7 +7,7 @@
 tasks:
 - name: Ensure HBAC Services sshd is absent in HBAC Service Group login
 ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: login
 hbacsvc:
 - sshd
diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
index 9b213c7b..c03c5571 100644
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
@@ -7,7 +7,7 @@
 tasks:
 - name: Ensure HBAC Service sshd is present in HBAC Service Group login
 ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: login
 hbacsvc:
 - sshd
diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
index 9b213c7b..c03c5571 100644
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
@@ -7,7 +7,7 @@
 tasks:
 - name: Ensure HBAC Service sshd is present in HBAC Service Group login
 ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: login
 hbacsvc:
 - sshd
diff --git a/playbooks/host/delete-host.yml b/playbooks/host/delete-host.yml
index 30eaf3ef..c441c8bb 100644
--- a/playbooks/host/delete-host.yml
+++ b/playbooks/host/delete-host.yml
@@ -6,6 +6,6 @@
 tasks:
 - name: Ensure host host01.example.com is absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 state: absent
diff --git a/playbooks/host/disable-host.yml b/playbooks/host/disable-host.yml
index 3e265fe2..c6e277c7 100644
--- a/playbooks/host/disable-host.yml
+++ b/playbooks/host/disable-host.yml
@@ -6,6 +6,6 @@
 tasks:
 - name: Disable host host01.example.com
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 state: disabled
diff --git a/playbooks/host/ensure_host_with_randompassword.yml b/playbooks/host/ensure_host_with_randompassword.yml
index cd1a1331..d6376033 100644
--- a/playbooks/host/ensure_host_with_randompassword.yml
+++ b/playbooks/host/ensure_host_with_randompassword.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host "{{ 'host1.' + ipaserver_domain }}" present with random password
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: "{{ 'host1.' + ipaserver_domain }}"
 random: yes
 force: yes
diff --git a/playbooks/host/host-member-allow_create_keytab-absent.yml b/playbooks/host/host-member-allow_create_keytab-absent.yml
index 55e3110d..5ec1a171 100644
--- a/playbooks/host/host-member-allow_create_keytab-absent.yml
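Review bot: ensure-hbacsvcgroup-present.yml is byte-for-byte the same file as ensure-hbacsvcgroup-member-present.yml in the preceding hunk: both carry `index 9b213c7b..c03c5571` and the identical task `- name: Ensure HBAC Service sshd is present in HBAC Service Group login`. The "present" sample presumably was meant to show creating the group itself rather than a member operation, so one of the two files looks like a copy-paste leftover; worth confirming against the ipahbacsvcgroup README before this patch cements the duplicate. This is pre-existing and not introduced by the password change.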
+++ b/playbooks/host/host-member-allow_create_keytab-absent.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host1.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 allow_create_keytab_user:
 - user01
diff --git a/playbooks/host/host-member-allow_create_keytab-present.yml b/playbooks/host/host-member-allow_create_keytab-present.yml
index f5865497..36c31dd2 100644
--- a/playbooks/host/host-member-allow_create_keytab-present.yml
+++ b/playbooks/host/host-member-allow_create_keytab-present.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host1.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 allow_create_keytab_user:
 - user01
diff --git a/playbooks/host/host-member-allow_retrieve_keytab-absent.yml b/playbooks/host/host-member-allow_retrieve_keytab-absent.yml
index b8830f60..b7752e7c 100644
--- a/playbooks/host/host-member-allow_retrieve_keytab-absent.yml
+++ b/playbooks/host/host-member-allow_retrieve_keytab-absent.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host1.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 allow_retrieve_keytab_user:
 - user01
diff --git a/playbooks/host/host-member-allow_retrieve_keytab-present.yml b/playbooks/host/host-member-allow_retrieve_keytab-present.yml
index fde116cc..ee849e06 100644
--- a/playbooks/host/host-member-allow_retrieve_keytab-present.yml
+++ b/playbooks/host/host-member-allow_retrieve_keytab-present.yml
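Review bot: `name: host01.exmaple.com` in host-member-allow_create_keytab-absent.yml looks like a typo of example.com, and it makes the sample target a different host than its own task title (`Host host1.example.com members ...`) announces. The same `exmaple.com` spelling recurs in the `name:` and `managedby_host:` context lines of the allow_create_keytab-present, allow_retrieve_keytab-*, managedby_host-*, host-present-with-* and hosts-* playbook hunks later in this patch. These lines are unchanged context here, so a follow-up that normalises them to `name: host01.example.com` / `managedby_host: server.example.com` would be the place to fix it.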
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host1.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 allow_retrieve_keytab_user:
 - user01
diff --git a/playbooks/host/host-member-certificate-absent.yml b/playbooks/host/host-member-certificate-absent.yml
index 918951f8..841b39cd 100644
--- a/playbooks/host/host-member-certificate-absent.yml
+++ b/playbooks/host/host-member-certificate-absent.yml
@@ -5,7 +5,7 @@
 tasks:
 - name: Host host01.example.com member certificate absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 certificate:
 - 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
diff --git a/playbooks/host/host-member-certificate-present.yml b/playbooks/host/host-member-certificate-present.yml
index 066ae0a9..8071a942 100644
--- a/playbooks/host/host-member-certificate-present.yml
+++ b/playbooks/host/host-member-certificate-present.yml
@@ -5,7 +5,7 @@
 tasks:
 - name: Host host01.example.com member certificate present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 certificate:
 - 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
diff --git a/playbooks/host/host-member-ipaddresses-absent.yml b/playbooks/host/host-member-ipaddresses-absent.yml
index 2466dbdd..31c2eec7 100644
--- a/playbooks/host/host-member-ipaddresses-absent.yml
+++ b/playbooks/host/host-member-ipaddresses-absent.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Ensure host01.example.com IP addresses absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 ip_address:
 - 192.168.0.123
diff --git a/playbooks/host/host-member-ipaddresses-present.yml b/playbooks/host/host-member-ipaddresses-present.yml
index f473993e..2dd88e13 100644
--- a/playbooks/host/host-member-ipaddresses-present.yml
+++ b/playbooks/host/host-member-ipaddresses-present.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Ensure host01.example.com IP addresses present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 ip_address:
 - 192.168.0.123
diff --git a/playbooks/host/host-member-managedby_host-absent.yml b/playbooks/host/host-member-managedby_host-absent.yml
index f899a52f..e9fc6b4c 100644
--- a/playbooks/host/host-member-managedby_host-absent.yml
+++ b/playbooks/host/host-member-managedby_host-absent.yml
@@ -5,7 +5,7 @@
 tasks:
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 managedby_host: server.exmaple.com
 action: member
diff --git a/playbooks/host/host-member-managedby_host-present.yml b/playbooks/host/host-member-managedby_host-present.yml
index 073d81ad..c00548cf 100644
--- a/playbooks/host/host-member-managedby_host-present.yml
+++ b/playbooks/host/host-member-managedby_host-present.yml
@@ -5,7 +5,7 @@
 tasks:
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 managedby_host: server.exmaple.com
 action: member
diff --git a/playbooks/host/host-member-principal-absent.yml b/playbooks/host/host-member-principal-absent.yml
index b2c3a8d8..2688737e 100644
--- a/playbooks/host/host-member-principal-absent.yml
+++ b/playbooks/host/host-member-principal-absent.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 principal:
 - host/testhost01.example.com
diff --git a/playbooks/host/host-member-principal-present.yml b/playbooks/host/host-member-principal-present.yml
index b56fd591..8b5d0cf5 100644
--- a/playbooks/host/host-member-principal-present.yml
+++ b/playbooks/host/host-member-principal-present.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 principal:
 - host/testhost01.example.com
diff --git a/playbooks/host/host-present-with-allow_create_keytab.yml b/playbooks/host/host-present-with-allow_create_keytab.yml
index f7b9c6f4..bcdd5df5 100644
--- a/playbooks/host/host-present-with-allow_create_keytab.yml
+++ b/playbooks/host/host-present-with-allow_create_keytab.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host1.example.com present with allow_create_keytab for users, groups, hosts and hostgroups
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 allow_create_keytab_user:
 - user01
diff --git a/playbooks/host/host-present-with-allow_retrieve_keytab.yml b/playbooks/host/host-present-with-allow_retrieve_keytab.yml
index 5a9f3af5..f12b15f6 100644
--- a/playbooks/host/host-present-with-allow_retrieve_keytab.yml
+++ b/playbooks/host/host-present-with-allow_retrieve_keytab.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host1.example.com present with allow_retrieve_keytab for users, groups, hosts and hostgroups
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 allow_retrieve_keytab_user:
 - user01
diff --git a/playbooks/host/host-present-with-certificate.yml b/playbooks/host/host-present-with-certificate.yml
index f5da46d7..919d7c0b 100644
--- a/playbooks/host/host-present-with-certificate.yml
+++ b/playbooks/host/host-present-with-certificate.yml
@@ -5,7 +5,7 @@
 tasks:
 - name: Host host01.example.com present with certificate
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 certificate:
 - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3
diff --git a/playbooks/host/host-present-with-managedby_host.yml b/playbooks/host/host-present-with-managedby_host.yml
index b85f5e60..51a1c21f 100644
--- a/playbooks/host/host-present-with-managedby_host.yml
+++ b/playbooks/host/host-present-with-managedby_host.yml
@@ -5,7 +5,7 @@
 tasks:
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.exmaple.com
 managedby_host: server.exmaple.com
 force: yes
diff --git a/playbooks/host/host-present-with-principal.yml b/playbooks/host/host-present-with-principal.yml
index 5b8ad4ee..e84f45a5 100644
--- a/playbooks/host/host-present-with-principal.yml
+++ b/playbooks/host/host-present-with-principal.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 principal:
 - host/testhost01.example.com
diff --git a/playbooks/host/host-present-with-randompassword.yml b/playbooks/host/host-present-with-randompassword.yml
index 9063c480..2e9d793d 100644
--- a/playbooks/host/host-present-with-randompassword.yml
+++ b/playbooks/host/host-present-with-randompassword.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Host host01.example.com present with random password
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 random: yes
 force: yes
diff --git a/playbooks/host/host-present-with-several-ip-addresses.yml b/playbooks/host/host-present-with-several-ip-addresses.yml
index 4956562a..e74f67c6 100644
--- a/playbooks/host/host-present-with-several-ip-addresses.yml
+++ b/playbooks/host/host-present-with-several-ip-addresses.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Ensure host is present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 description: Example host
 ip_address:
diff --git a/playbooks/host/host-present.yml b/playbooks/host/host-present.yml
index d40c1ecf..afb9a0ec 100644
--- a/playbooks/host/host-present.yml
+++ b/playbooks/host/host-present.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Ensure host is present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 name: host01.example.com
 description: Example host
 ip_address: 192.168.0.123
diff --git a/playbooks/host/hosts-member-certificate-absent.yml b/playbooks/host/hosts-member-certificate-absent.yml
index bb2d5b03..ec9ba94f 100644
--- a/playbooks/host/hosts-member-certificate-absent.yml
+++ b/playbooks/host/hosts-member-certificate-absent.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Hosts host01.example.com and host01.exmaple.com member certificate absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: host01.example.com
 certificate:
diff --git a/playbooks/host/hosts-member-certificate-present.yml b/playbooks/host/hosts-member-certificate-present.yml
index c402ef4a..2976244a 100644
--- a/playbooks/host/hosts-member-certificate-present.yml
+++ b/playbooks/host/hosts-member-certificate-present.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Hosts host01.example.com and host01.exmaple.com member certificate present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: host01.example.com
 certificate:
diff --git a/playbooks/host/hosts-member-managedby_host-absent.yml b/playbooks/host/hosts-member-managedby_host-absent.yml
index 9b584e51..40ae3b7d 100644
--- a/playbooks/host/hosts-member-managedby_host-absent.yml
+++ b/playbooks/host/hosts-member-managedby_host-absent.yml
@@ -5,7 +5,7 @@
 tasks:
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: host01.exmaple.com
 managedby_host: server.exmaple.com
diff --git a/playbooks/host/hosts-member-managedby_host-present.yml b/playbooks/host/hosts-member-managedby_host-present.yml
index f8d4e2b7..fe70a59f 100644
--- a/playbooks/host/hosts-member-managedby_host-present.yml
+++ b/playbooks/host/hosts-member-managedby_host-present.yml
@@ -5,7 +5,7 @@
 tasks:
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: host01.exmaple.com
 managedby_host: server.exmaple.com
diff --git a/playbooks/host/hosts-member-principal-absent.yml b/playbooks/host/hosts-member-principal-absent.yml
index edd33521..733bb126 100644
--- a/playbooks/host/hosts-member-principal-absent.yml
+++ b/playbooks/host/hosts-member-principal-absent.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com absent
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: host01.exmaple.com
 principal:
diff --git a/playbooks/host/hosts-member-principal-present.yml b/playbooks/host/hosts-member-principal-present.yml
index 54c9a8f6..68d26fe5 100644
--- a/playbooks/host/hosts-member-principal-present.yml
+++ b/playbooks/host/hosts-member-principal-present.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com present
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: host01.exmaple.com
 principal:
diff --git a/playbooks/host/hosts-present-with-certificate.yml b/playbooks/host/hosts-present-with-certificate.yml
index 34e402f7..78102e25 100644
--- a/playbooks/host/hosts-present-with-certificate.yml
+++ b/playbooks/host/hosts-present-with-certificate.yml
@@ -6,7 +6,7 @@
 tasks:
 - name: Hosts host01.example.com and host01.exmaple.com present with certificate
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: host01.example.com
 certificate:
diff --git a/playbooks/host/hosts-present-with-managedby_host.yml b/playbooks/host/hosts-present-with-managedby_host.yml
index 5f3546b6..262f6c1d 100644
--- a/playbooks/host/hosts-present-with-managedby_host.yml
+++ b/playbooks/host/hosts-present-with-managedby_host.yml
@@ -5,7 +5,7 @@
 tasks:
 ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
 hosts:
 - name: host01.exmaple.com
 managedby_host: server.exmaple.com
diff --git a/playbooks/host/hosts-present-with-randompasswords.yml b/playbooks/host/hosts-present-with-randompasswords.yml
index f747ca31..5a1ea9c0 100644
--- a/playbooks/host/hosts-present-with-randompasswords.yml
+++ b/playbooks/host/hosts-present-with-randompasswords.yml
@@ -6,7 +6,7 @@ tasks: - name: Hosts host01.example.com and host01.example.com present with random passwords ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts: - name: host01.example.com random: yes
diff --git a/playbooks/hostgroup/ensure-hostgroup-is-absent.yml b/playbooks/hostgroup/ensure-hostgroup-is-absent.yml
index 86508fc6..c9e37d3f 100644
--- a/playbooks/hostgroup/ensure-hostgroup-is-absent.yml
+++ b/playbooks/hostgroup/ensure-hostgroup-is-absent.yml
@@ -6,6 +6,6 @@ tasks: # Ensure host-group databases is present - ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases state: absent
diff --git a/playbooks/hostgroup/ensure-hostgroup-is-present.yml b/playbooks/hostgroup/ensure-hostgroup-is-present.yml
index a2c7ae9a..bc059dba 100644
--- a/playbooks/hostgroup/ensure-hostgroup-is-present.yml
+++ b/playbooks/hostgroup/ensure-hostgroup-is-present.yml
@@ -6,7 +6,7 @@ tasks: # Ensure host-group databases is present - ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases host: - db.example.com
diff --git a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
index 149dfcff..b3fbd558 100644
--- a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
+++ b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
@@ -6,7 +6,7 @@ tasks: # Ensure hosts and hostgroups are present in existing databases hostgroup - ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases host: - db.example.com
diff --git a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
index 4b22fd66..c103ce92 100644
--- a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
+++ b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
@@ -6,7 +6,7 @@ tasks: # Ensure hosts and hostgroups are present in existing databases hostgroup - ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases host: - db.example.com
diff --git a/playbooks/sudocmd/ensure-sudocmd-is-absent.yml b/playbooks/sudocmd/ensure-sudocmd-is-absent.yml
index 1b3bbf45..3539ed00 100644
--- a/playbooks/sudocmd/ensure-sudocmd-is-absent.yml
+++ b/playbooks/sudocmd/ensure-sudocmd-is-absent.yml
@@ -6,6 +6,6 @@ tasks: # Ensure sudo command is absent - ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su state: absent
diff --git a/playbooks/sudocmd/ensure-sudocmd-is-present.yml b/playbooks/sudocmd/ensure-sudocmd-is-present.yml
index 3aa0f471..d648de54 100644
--- a/playbooks/sudocmd/ensure-sudocmd-is-present.yml
+++ b/playbooks/sudocmd/ensure-sudocmd-is-present.yml
@@ -6,6 +6,6 @@ tasks: # Ensure sudo command is present - ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su state: present
diff --git a/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml b/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml
index bde823e5..49ba2d5a 100644
--- a/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml
+++ b/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml
@@ -6,7 +6,7 @@ tasks: # Ensure sudocmds are absent in sudocmdgroup - ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network sudocmd: - /usr/sbin/ifconfig
diff --git a/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml b/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml
index c415695b..fe9ab207 100644
--- a/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml
+++ b/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml
@@ -6,7 +6,7 @@ tasks: # Ensure sudo commands are present - ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: - /usr/sbin/ifconfig - /usr/sbin/iwlist
@@ -14,7 +14,7 @@ # Ensure sudo commands are present in existing sudocmdgroup - ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network sudocmd: - /usr/sbin/ifconfig
diff --git a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
index 13070440..b48a710d 100644
--- a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
+++ b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
@@ -7,7 +7,7 @@ tasks: # Ensure sudooption is absent in sudorule - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 sudooption: "!root" action: member
diff --git a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
index 1f32b9a5..d1a394cf 100644
--- a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
+++ b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
@@ -7,7 +7,7 @@ tasks: # Ensure sudooption is present in sudorule - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 sudooption: "!root" action: member
diff --git a/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml b/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
index f74765c2..2f0655c5 100644
--- a/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
@@ -7,7 +7,7 @@ tasks: # Ensure host server is absent in Sudo Rule - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 host: server action: member
diff --git a/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml b/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
index 4ecf3f33..e0ce73de 100644
--- a/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
@@ -7,7 +7,7 @@ tasks: # Ensure host server is present in Sudo Rule - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 host: server action: member
diff --git a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
index 301030f5..c30d63a0 100644
--- a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
@@ -7,7 +7,7 @@ tasks: # Ensure hostgroup cluster is absent in Sudo Rule - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 hostgroup: cluster action: member
diff --git a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
index b4473b27..4813213b 100644
--- a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
@@ -7,7 +7,7 @@ tasks: # Ensure hostgrep cluster is present in Sudo Rule - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 hostgroup: cluster action: member
diff --git a/playbooks/sudorule/ensure-sudorule-is-disabled.yml b/playbooks/sudorule/ensure-sudorule-is-disabled.yml
index 90afbd24..b51da118 100644
--- a/playbooks/sudorule/ensure-sudorule-is-disabled.yml
+++ b/playbooks/sudorule/ensure-sudorule-is-disabled.yml
@@ -6,6 +6,6 @@ tasks: # Ensure sudorule command is disabled - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 state: disabled
diff --git a/playbooks/sudorule/ensure-sudorule-is-enabled.yml b/playbooks/sudorule/ensure-sudorule-is-enabled.yml
index 6618344c..4cba3bec 100644
--- a/playbooks/sudorule/ensure-sudorule-is-enabled.yml
+++ b/playbooks/sudorule/ensure-sudorule-is-enabled.yml
@@ -6,6 +6,6 @@ tasks: # Ensure sudorule command is enabled - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 state: enabled
diff --git a/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml
index 9a3c2b21..b884886e 100644
--- a/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml
+++ b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml
@@ -7,6 +7,6 @@ tasks: # Ensure sudorule is present with the given order. - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 order: 2
diff --git a/playbooks/sudorule/ensure-sudorule-is-present.yml b/playbooks/sudorule/ensure-sudorule-is-present.yml
index 89041afb..e88017cf 100644
--- a/playbooks/sudorule/ensure-sudorule-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-is-present.yml
@@ -6,7 +6,7 @@ tasks: # Ensure sudorule command is present - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 description: A test sudo rule. allow_sudocmd: /bin/ls
diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml
index 56612f15..465f386c 100644
--- a/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml
@@ -7,7 +7,7 @@ tasks: # Ensure sudorule is present with the given order. - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 runasuser: admin action: member
diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml
index 8af49b93..4a5bee94 100644
--- a/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml
@@ -7,7 +7,7 @@ tasks: # Ensure sudorule is present with the given order. - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 runasuser: admin action: member
diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
index 328242ab..3ded226e 100644
--- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 allow_sudocmd: - /sbin/ifconfig
diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
index 55acd61f..23dd56de 100644
--- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1 allow_sudocmd: - /sbin/ifconfig
diff --git a/playbooks/topology/add-topologysegment.yml b/playbooks/topology/add-topologysegment.yml
index ebf55445..cf157e2c 100644
--- a/playbooks/topology/add-topologysegment.yml
+++ b/playbooks/topology/add-topologysegment.yml
@@ -6,7 +6,7 @@ tasks: - name: Add topology segment ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local
diff --git a/playbooks/topology/delete-topologysegment.yml b/playbooks/topology/delete-topologysegment.yml
index a3f2c680..984ea1f5 100644
--- a/playbooks/topology/delete-topologysegment.yml
+++ b/playbooks/topology/delete-topologysegment.yml
@@ -6,7 +6,7 @@ tasks: - name: Delete topology segment ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local
diff --git a/playbooks/topology/reinitialize-topologysegment.yml b/playbooks/topology/reinitialize-topologysegment.yml
index 1f21cd23..efe6bc3e 100644
--- a/playbooks/topology/reinitialize-topologysegment.yml
+++ b/playbooks/topology/reinitialize-topologysegment.yml
@@ -6,7 +6,7 @@ tasks: - name: Reinitialize topology segment ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local
diff --git a/playbooks/topology/verify-topologysuffix.yml b/playbooks/topology/verify-topologysuffix.yml
index b27ca3d6..70e788c3 100644
--- a/playbooks/topology/verify-topologysuffix.yml
+++ b/playbooks/topology/verify-topologysuffix.yml
@@ -6,6 +6,6 @@ tasks: - name: Verify topology suffix ipatopologysuffix:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain state: verified
diff --git a/playbooks/user/add-group.yml b/playbooks/user/add-group.yml
index a36ca14f..46e0faab 100644
--- a/playbooks/user/add-group.yml
+++ b/playbooks/user/add-group.yml
@@ -6,19 +6,19 @@ tasks: - name: Create group ops with gid 1234 ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops gidnumber: 1234 - name: Create group sysops ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops user: - pinky - name: Create group appops ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: appops
diff --git a/playbooks/user/add-groups-to-group.yml b/playbooks/user/add-groups-to-group.yml
index ecc9b455..d91e5264 100644
--- a/playbooks/user/add-groups-to-group.yml
+++ b/playbooks/user/add-groups-to-group.yml
@@ -6,7 +6,7 @@ tasks: - name: Add group members sysops and appops to group sysops ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops group: - sysops
diff --git a/playbooks/user/add-user-to-group.yml b/playbooks/user/add-user-to-group.yml
index 9ed5eb1a..635c0a91 100644
--- a/playbooks/user/add-user-to-group.yml
+++ b/playbooks/user/add-user-to-group.yml
@@ -6,7 +6,7 @@ tasks: - name: Add user member brain to group sysops ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops action: member user:
diff --git a/playbooks/user/add-user.yml b/playbooks/user/add-user.yml
index 345a028e..ed72e51d 100644
--- a/playbooks/user/add-user.yml
+++ b/playbooks/user/add-user.yml
@@ -6,7 +6,7 @@ tasks: - name: Create user pinky ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky first: pinky last: Acme
diff --git a/playbooks/user/delete-group.yml b/playbooks/user/delete-group.yml
index 2d863c37..ae9f78c7 100644
--- a/playbooks/user/delete-group.yml
+++ b/playbooks/user/delete-group.yml
@@ -6,6 +6,6 @@ tasks: - name: Remove goups sysops, appops and ops ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops,appops,ops state: absent
diff --git a/playbooks/user/delete-preserve-user.yml b/playbooks/user/delete-preserve-user.yml
index c202b159..5d93a3d3 100644
--- a/playbooks/user/delete-preserve-user.yml
+++ b/playbooks/user/delete-preserve-user.yml
@@ -6,7 +6,7 @@ tasks: - name: Delete and preserve user pinky ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky preserve: yes state: absent
diff --git a/playbooks/user/delete-user.yml b/playbooks/user/delete-user.yml
index 101a2b4b..d9239e04 100644
--- a/playbooks/user/delete-user.yml
+++ b/playbooks/user/delete-user.yml
@@ -6,6 +6,6 @@ tasks: - name: Remove user pinky and brain ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky state: absent
diff --git a/playbooks/user/disable-user.yml b/playbooks/user/disable-user.yml
index 192fd531..17c55940 100644
--- a/playbooks/user/disable-user.yml
+++ b/playbooks/user/disable-user.yml
@@ -6,6 +6,6 @@ tasks: - name: Disable user pinky ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky state: disabled
diff --git a/playbooks/user/enable-user.yml b/playbooks/user/enable-user.yml
index dfbba493..fd3ebf3b 100644
--- a/playbooks/user/enable-user.yml
+++ b/playbooks/user/enable-user.yml
@@ -6,6 +6,6 @@ tasks: - name: Enable user pinky ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky state: enabled
diff --git a/playbooks/user/ensure_user_with_randompassword.yml b/playbooks/user/ensure_user_with_randompassword.yml
index 4ca9f214..ee821f0a 100644
--- a/playbooks/user/ensure_user_with_randompassword.yml
+++ b/playbooks/user/ensure_user_with_randompassword.yml
@@ -6,7 +6,7 @@ tasks: - name: User user1 present with random password ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: user1 first: first1 last: last1
diff --git a/playbooks/user/ensure_users_with_randompasswords.yml b/playbooks/user/ensure_users_with_randompasswords.yml
index 06f50c71..c0398877 100644
--- a/playbooks/user/ensure_users_with_randompasswords.yml
+++ b/playbooks/user/ensure_users_with_randompasswords.yml
@@ -6,7 +6,7 @@ tasks: - name: Users user1 and user1 present with random password ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users: - name: user1 first: first1
diff --git a/playbooks/user/undelete-user.yml b/playbooks/user/undelete-user.yml
index 79feda07..2b95100f 100644
--- a/playbooks/user/undelete-user.yml
+++ b/playbooks/user/undelete-user.yml
@@ -6,6 +6,6 @@ tasks: - name: Undelete preserved user pinky ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky state: undeleted
diff --git a/playbooks/user/unlock-users.yml b/playbooks/user/unlock-users.yml
index 337e97f4..36edac25 100644
--- a/playbooks/user/unlock-users.yml
+++ b/playbooks/user/unlock-users.yml
@@ -6,6 +6,6 @@ tasks: - name: Unlock users pinky and brain ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky,brain state: unlocked
diff --git a/playbooks/vault/data-archive-in-asymmetric-vault.yml b/playbooks/vault/data-archive-in-asymmetric-vault.yml
index f70d76db..5fd55dfe 100644
--- a/playbooks/vault/data-archive-in-asymmetric-vault.yml
+++ b/playbooks/vault/data-archive-in-asymmetric-vault.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: asymvault username: user01 vault_data: The world of π is half rounded.
diff --git a/playbooks/vault/data-archive-in-symmetric-vault.yml b/playbooks/vault/data-archive-in-symmetric-vault.yml
index eb8b0a0f..f94e9d87 100644
--- a/playbooks/vault/data-archive-in-symmetric-vault.yml
+++ b/playbooks/vault/data-archive-in-symmetric-vault.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: symvault username: admin vault_password: MyVaultPassword123
diff --git a/playbooks/vault/ensure-asymetric-vault-is-absent.yml b/playbooks/vault/ensure-asymetric-vault-is-absent.yml
index 62866c43..7ee6cf39 100644
--- a/playbooks/vault/ensure-asymetric-vault-is-absent.yml
+++ b/playbooks/vault/ensure-asymetric-vault-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: asymvault username: admin state: absent
diff --git a/playbooks/vault/ensure-asymetric-vault-is-present.yml b/playbooks/vault/ensure-asymetric-vault-is-present.yml
index f946779b..247f36fc 100644
--- a/playbooks/vault/ensure-asymetric-vault-is-present.yml
+++ b/playbooks/vault/ensure-asymetric-vault-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: asymvault username: admin vault_public_key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlVbFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
diff --git a/playbooks/vault/ensure-service-vault-is-absent.yml b/playbooks/vault/ensure-service-vault-is-absent.yml
index 1affb4c7..65c4c8d8 100644
--- a/playbooks/vault/ensure-service-vault-is-absent.yml
+++ b/playbooks/vault/ensure-service-vault-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: svcvault service: "HTTP/{{ groups.ipaserver[0] }}" state: absent
diff --git a/playbooks/vault/ensure-service-vault-is-present.yml b/playbooks/vault/ensure-service-vault-is-present.yml
index 423fef1f..cf6da223 100644
--- a/playbooks/vault/ensure-service-vault-is-present.yml
+++ b/playbooks/vault/ensure-service-vault-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: svcvault service: "HTTP/{{ groups.ipaserver[0] }}" ipavaultpassword: MyVaultPassword123
diff --git a/playbooks/vault/ensure-shared-vault-is-absent.yml b/playbooks/vault/ensure-shared-vault-is-absent.yml
index fdf1babd..0191ab1c 100644
--- a/playbooks/vault/ensure-shared-vault-is-absent.yml
+++ b/playbooks/vault/ensure-shared-vault-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sharedvault shared: True state: absent
diff --git a/playbooks/vault/ensure-shared-vault-is-present.yml b/playbooks/vault/ensure-shared-vault-is-present.yml
index 9f25e407..c403afcc 100644
--- a/playbooks/vault/ensure-shared-vault-is-present.yml
+++ b/playbooks/vault/ensure-shared-vault-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sharedvault shared: True ipavaultpassword: MyVaultPassword123
diff --git a/playbooks/vault/ensure-standard-vault-is-absent.yml b/playbooks/vault/ensure-standard-vault-is-absent.yml
index c52806e6..3d7cd8ab 100644
--- a/playbooks/vault/ensure-standard-vault-is-absent.yml
+++ b/playbooks/vault/ensure-standard-vault-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: stdvault username: admin state: absent
diff --git a/playbooks/vault/ensure-standard-vault-is-present.yml b/playbooks/vault/ensure-standard-vault-is-present.yml
index a55f55cc..64d08fec 100644
--- a/playbooks/vault/ensure-standard-vault-is-present.yml
+++ b/playbooks/vault/ensure-standard-vault-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: stdvault vault_type: standard username: admin
diff --git a/playbooks/vault/ensure-symetric-vault-is-absent.yml b/playbooks/vault/ensure-symetric-vault-is-absent.yml
index 87c3bdc2..a0d5bbcd 100644
--- a/playbooks/vault/ensure-symetric-vault-is-absent.yml
+++ b/playbooks/vault/ensure-symetric-vault-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: symvault username: admin state: absent
diff --git a/playbooks/vault/ensure-symetric-vault-is-present.yml b/playbooks/vault/ensure-symetric-vault-is-present.yml
index ea10d573..949f60e2 100644
--- a/playbooks/vault/ensure-symetric-vault-is-present.yml
+++ b/playbooks/vault/ensure-symetric-vault-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: symvault username: admin vault_password: MyVaultPassword123
diff --git a/playbooks/vault/ensure-vault-is-present-with-members.yml b/playbooks/vault/ensure-vault-is-present-with-members.yml
index 65cd72d4..ba96ad14 100644
--- a/playbooks/vault/ensure-vault-is-present-with-members.yml
+++ b/playbooks/vault/ensure-vault-is-present-with-members.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: stdvault vault_type: standard username: admin
diff --git a/playbooks/vault/ensure-vault-member-group-is-absent.yml b/playbooks/vault/ensure-vault-member-group-is-absent.yml
index f26bc670..c5e7f7d5 100644
--- a/playbooks/vault/ensure-vault-member-group-is-absent.yml
+++ b/playbooks/vault/ensure-vault-member-group-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: keychain username: admin state: absent
diff --git a/playbooks/vault/ensure-vault-member-group-is-present.yml b/playbooks/vault/ensure-vault-member-group-is-present.yml
index 84dc087e..12b52613 100644
--- a/playbooks/vault/ensure-vault-member-group-is-present.yml
+++ b/playbooks/vault/ensure-vault-member-group-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: keychain username: admin state: present
diff --git a/playbooks/vault/ensure-vault-member-user-is-absent.yml b/playbooks/vault/ensure-vault-member-user-is-absent.yml
index 99c9d6cc..7d0578a6 100644
--- a/playbooks/vault/ensure-vault-member-user-is-absent.yml
+++ b/playbooks/vault/ensure-vault-member-user-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: keychain username: admin state: absent
diff --git a/playbooks/vault/ensure-vault-member-user-is-present.yml b/playbooks/vault/ensure-vault-member-user-is-present.yml
index 820a9f7c..a04e6e20 100644
--- a/playbooks/vault/ensure-vault-member-user-is-present.yml
+++ b/playbooks/vault/ensure-vault-member-user-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: keychain username: admin state: present
diff --git a/playbooks/vault/ensure-vault-owner-is-absent.yml b/playbooks/vault/ensure-vault-owner-is-absent.yml
index 33670fc8..817a324b 100644
--- a/playbooks/vault/ensure-vault-owner-is-absent.yml
+++ b/playbooks/vault/ensure-vault-owner-is-absent.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: symvault username: admin owners: user01
diff --git a/playbooks/vault/ensure-vault-owner-is-present.yml b/playbooks/vault/ensure-vault-owner-is-present.yml
index 52b1d93c..7c4cfb20 100644
--- a/playbooks/vault/ensure-vault-owner-is-present.yml
+++ b/playbooks/vault/ensure-vault-owner-is-present.yml
@@ -6,7 +6,7 @@ tasks: - ipavault:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: symvault username: admin owners: user01
From 472050de7b68078614f0bbcdf6615a42d4f4a806 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Wed, 26 Feb 2020 12:41:05 +0100
Subject: [PATCH 33/40] plugins: Unite admin password Use SomeADMINpassword as the admin password also in the examples in the management modules.
---
plugins/modules/ipagroup.py | 14 +++++++-------
plugins/modules/ipahbacrule.py | 16 ++++++++--------
plugins/modules/ipahbacsvc.py | 4 ++--
plugins/modules/ipahbacsvcgroup.py | 8 ++++----
plugins/modules/ipahost.py | 8 ++++----
plugins/modules/ipahostgroup.py | 8 ++++----
plugins/modules/ipapwpolicy.py | 2 +-
plugins/modules/ipasudocmd.py | 4 ++--
plugins/modules/ipasudocmdgroup.py | 8 ++++----
plugins/modules/ipasudorule.py | 12 ++++++------
plugins/modules/ipauser.py | 14 +++++++-------
plugins/modules/ipavault.py | 24 ++++++++++++------------
12 files changed, 61 insertions(+), 61 deletions(-)
diff --git a/plugins/modules/ipagroup.py b/plugins/modules/ipagroup.py
index 50838cbf..477c5051 100644
--- a/plugins/modules/ipagroup.py
+++ b/plugins/modules/ipagroup.py
@@ -90,23 +90,23 @@ author: EXAMPLES = """ # Create group ops with gid 1234 - ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops gidnumber: 1234 # Create group sysops - ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops # Create group appops - ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: appops # Add user member pinky to group sysops - ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops action: member user:
@@ -114,7 +114,7 @@ EXAMPLES = """ # Add user member brain to group sysops - ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops action: member user:
@@ -122,7 +122,7 @@ EXAMPLES = """ # Add group members sysops and appops to group sysops - ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops group: - sysops
@@ -130,7 +130,7 @@ EXAMPLES = """ # Remove goups sysops, appops and ops - ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops,appops,ops state: absent """
diff --git a/plugins/modules/ipahbacrule.py b/plugins/modules/ipahbacrule.py
index 82340c25..fd0ce238 100644
--- a/plugins/modules/ipahbacrule.py
+++ b/plugins/modules/ipahbacrule.py
@@ -103,52 +103,52 @@ author: EXAMPLES = """ # Ensure HBAC Rule allhosts is present - ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts usercategory: all # Ensure host server is present in HBAC Rule allhosts - ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts host: server action: member # Ensure HBAC Rule sshd-pinky is present - ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky hostcategory: all # Ensure user pinky is present in HBAC Rule sshd-pinky - ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky user: pinky action: member # Ensure HBAC service sshd is present in HBAC Rule sshd-pinky - ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky hbacsvc: sshd action: member # Ensure HBAC Rule sshd-pinky is disabled - ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky state: disabled # Ensure HBAC Rule sshd-pinky is enabled - ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky state: enabled # Ensure HBAC Rule sshd-pinky is absent - ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky state: absent """
diff --git a/plugins/modules/ipahbacsvc.py b/plugins/modules/ipahbacsvc.py
index cf9bc60c..969a62ef 100644
--- a/plugins/modules/ipahbacsvc.py
+++ b/plugins/modules/ipahbacsvc.py
@@ -56,13 +56,13 @@ author: EXAMPLES = """ # Ensure HBAC Service for http is present - ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http description: Web service # Ensure HBAC Service for tftp is absent - ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: tftp state: absent """
diff --git a/plugins/modules/ipahbacsvcgroup.py b/plugins/modules/ipahbacsvcgroup.py
index 643f2805..3b9132a0 100644
--- a/plugins/modules/ipahbacsvcgroup.py
+++ b/plugins/modules/ipahbacsvcgroup.py
@@ -69,14 +69,14 @@ author: EXAMPLES = """ # Ensure hbacsvcgroup login is present - ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login hbacsvc: - sshd # Ensure hbacsvc sshd is present in existing login hbacsvcgroup - ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases hbacsvc: - sshd
@@ -84,7 +84,7 @@ EXAMPLES = """ # Ensure hbacsvc sshd is abdsent in existing login hbacsvcgroup - ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases hbacsvc: - sshd
@@ -93,7 +93,7 @@ EXAMPLES = """ # Ensure hbacsvcgroup login is absent - ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login state: absent """
diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py
index 062f7680..7108839c 100644
--- a/plugins/modules/ipahost.py
+++ b/plugins/modules/ipahost.py
@@ -343,7 +343,7 @@ author: EXAMPLES = """ # Ensure host is present - ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com description: Example host ip_address: 192.168.0.123
@@ -358,14 +358,14 @@ EXAMPLES = """ # Ensure host is present without DNS - ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host02.example.com description: Example host force: yes # Initiate generation of a random password for the host - ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com description: Example host ip_address: 192.168.0.123
@@ -373,7 +373,7 @@ EXAMPLES = """ # Ensure host is disabled - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com update_dns: yes state: disabled diff --git a/plugins/modules/ipahostgroup.py b/plugins/modules/ipahostgroup.py index 9dbfa625..5fcca1d6 100644 --- a/plugins/modules/ipahostgroup.py +++ b/plugins/modules/ipahostgroup.py @@ -73,7 +73,7 @@ author: EXAMPLES = """ # Ensure host-group databases is present - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -83,7 +83,7 @@ EXAMPLES = """ # Ensure hosts and hostgroups are present in existing databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -94,7 +94,7 @@ EXAMPLES = """ # Ensure hosts and hostgroups are absent in databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -106,7 +106,7 @@ EXAMPLES = """ # Ensure host-group databases is absent - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: absent """ diff --git a/plugins/modules/ipapwpolicy.py b/plugins/modules/ipapwpolicy.py index f1687039..0d68fb1c 100644 --- a/plugins/modules/ipapwpolicy.py +++ b/plugins/modules/ipapwpolicy.py @@ -98,7 +98,7 @@ author: EXAMPLES = """ # Ensure pwpolicy is set for ops - ipapwpolicy: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops minlife: 7 maxlife: 49 diff --git a/plugins/modules/ipasudocmd.py b/plugins/modules/ipasudocmd.py index 7c6188b9..74947933 100644 --- a/plugins/modules/ipasudocmd.py +++ b/plugins/modules/ipasudocmd.py 
@@ -57,13 +57,13 @@ author: EXAMPLES = """ # Ensure sudocmd is present - ipacommand: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: su state: present # Ensure sudocmd is absent - ipacommand: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: su state: absent """ diff --git a/plugins/modules/ipasudocmdgroup.py b/plugins/modules/ipasudocmdgroup.py index bfa01300..3cbb2803 100644 --- a/plugins/modules/ipasudocmdgroup.py +++ b/plugins/modules/ipasudocmdgroup.py @@ -73,13 +73,13 @@ author: EXAMPLES = """ # Ensure sudocmd-group 'network' is present - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network state: present # Ensure sudocmdgroup and sudocmd are present in 'network' sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -88,7 +88,7 @@ EXAMPLES = """ # Ensure sudocmdgroup and sudocmd are absent in 'network' sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -98,7 +98,7 @@ EXAMPLES = """ # Ensure sudocmd-group 'network' is absent - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network action: member state: absent diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py index 285a9469..24d0d7ee 100644 --- a/plugins/modules/ipasudorule.py +++ b/plugins/modules/ipasudorule.py @@ -131,7 +131,7 @@ author: EXAMPLES = """ # Ensure Sudo Rule tesrule1 is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 # Ensure sudocmd is present in Sudo Rule 
@@ -146,35 +146,35 @@ EXAMPLES = """ # Ensure host server is present in Sudo Rule - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 host: server action: member # Ensure hostgroup cluster is present in Sudo Rule - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 hostgroup: cluster action: member # Ensure sudo rule for usercategory "all" - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allusers usercategory: all action: enabled # Ensure sudo rule for hostcategory "all" - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts hostcategory: all action: enabled # Ensure Sudo Rule tesrule1 is absent - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 state: absent """ diff --git a/plugins/modules/ipauser.py b/plugins/modules/ipauser.py index 8d547594..73f16eff 100644 --- a/plugins/modules/ipauser.py +++ b/plugins/modules/ipauser.py @@ -392,7 +392,7 @@ author: EXAMPLES = """ # Create user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky first: pinky last: Acme 
@@ -406,39 +406,39 @@ EXAMPLES = """ # Create user brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: brain first: brain last: Acme # Delete user pinky, but preserved - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky preserve: yes state: absent # Undelete user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: undeleted # Disable user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: disabled # Enable user pinky and brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: enabled # Remove user pinky and brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: disabled """ diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py index 32137ee7..d102202e 100644 --- a/plugins/modules/ipavault.py +++ b/plugins/modules/ipavault.py @@ -111,7 +111,7 @@ author: EXAMPLES = """ # Ensure vault symvault is present - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin vault_password: MyVaultPassword123 @@ -120,7 +120,7 @@ EXAMPLES = """ # Ensure group ipausers is a vault member. - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin groups: ipausers @@ -128,7 +128,7 @@ EXAMPLES = """ # Ensure group ipausers is not a vault member. - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin groups: ipausers @@ -137,7 +137,7 @@ EXAMPLES = """ # Ensure vault users are present. - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin users: 
@@ -147,7 +147,7 @@ EXAMPLES = """ # Ensure vault users are absent. - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin users: @@ -158,7 +158,7 @@ EXAMPLES = """ # Ensure user owns vault. - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin action: member @@ -166,7 +166,7 @@ EXAMPLES = """ # Ensure user does not own vault. - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin owners: user01 @@ -175,7 +175,7 @@ EXAMPLES = """ # Ensure data is archived to a symmetric vault - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault username: admin vault_password: MyVaultPassword123 @@ -186,14 +186,14 @@ EXAMPLES = """ # Ensure vault symvault is absent - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: symvault user: admin state: absent # Ensure asymmetric vault is present. - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: asymvault username: user01 description: An asymmetric vault @@ -208,7 +208,7 @@ EXAMPLES = """ # Ensure data is archived in an asymmetric vault - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: asymvault username: admin vault_data: > @@ -218,7 +218,7 @@ EXAMPLES = """ # Ensure asymmetric vault is absent. - ipavault: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: asymvault username: user01 vault_type: asymmetric From 5a83c08f4c2362e990b2f67b54b9037abe801177 Mon Sep 17 00:00:00 2001 
From: Rafael Guterres Jeffman Date: Sat, 25 Jan 2020 00:10:55 -0300 Subject: [PATCH 34/40] New service management module. There is a new service management module placed in the plugins folder: plugins/modules/ipaservice.py The service module allows ensuring the presence and absence of services, and managing members and certificates of the service. Here is the documentation for the module: README-service.md New example playbooks have been added: playbooks/service/service-host-is-absent.yml playbooks/service/service-host-is-present.yml playbooks/service/service-is-absent.yml playbooks/service/service-is-disabled.yml playbooks/service/service-is-present-with-all-attributes.yml playbooks/service/service-is-present-without-host-object.yml playbooks/service/service-is-present.yml playbooks/service/service-member-allow_create_keytab-absent.yml playbooks/service/service-member-allow_create_keytab-present.yml playbooks/service/service-member-allow_retrieve_keytab-absent.yml playbooks/service/service-member-allow_retrieve_keytab-present.yml playbooks/service/service-member-certificate-absent.yml playbooks/service/service-member-certificate-present.yml playbooks/service/service-member-principal-absent.yml playbooks/service/service-member-principal-present.yml New tests added for the module: tests/service/test-service.yml --- README-service.md | 319 +++++++ README.md | 2 + playbooks/service/service-host-is-absent.yml | 14 + playbooks/service/service-host-is-present.yml | 13 + playbooks/service/service-is-absent.yml | 12 + playbooks/service/service-is-disabled.yml | 12 + ...service-is-present-with-all-attributes.yml | 23 + .../service-is-present-with-host-force.yml | 13 + ...service-is-present-without-host-object.yml | 12 + playbooks/service/service-is-present.yml | 11 + ...vice-member-allow_create_keytab-absent.yml | 24 + ...ice-member-allow_create_keytab-present.yml | 23 + ...ce-member-allow_retrieve_keytab-absent.yml | 24 + ...e-member-allow_retrieve_keytab-present.yml | 23 + 
.../service-member-certificate-absent.yml | 16 + .../service-member-certificate-present.yml | 15 + .../service-member-principal-absent.yml | 14 + .../service-member-principal-present.yml | 13 + plugins/modules/ipaservice.py | 811 ++++++++++++++++++ tests/service/certificate/cert1.der | Bin 0 -> 771 bytes tests/service/certificate/cert1.pem | 19 + tests/service/certificate/cert2.der | Bin 0 -> 771 bytes tests/service/certificate/cert2.pem | 19 + tests/service/certificate/private1.key | 28 + tests/service/certificate/private2.key | 28 + .../certificate/test_service_certificate.yml | 225 +++++ tests/service/test_service.yml | 536 ++++++++++++ .../test_service_without_skip_host_check.yml | 476 ++++++++++ 28 files changed, 2725 insertions(+) create mode 100644 README-service.md create mode 100644 playbooks/service/service-host-is-absent.yml create mode 100644 playbooks/service/service-host-is-present.yml create mode 100644 playbooks/service/service-is-absent.yml create mode 100644 playbooks/service/service-is-disabled.yml create mode 100644 playbooks/service/service-is-present-with-all-attributes.yml create mode 100644 playbooks/service/service-is-present-with-host-force.yml create mode 100644 playbooks/service/service-is-present-without-host-object.yml create mode 100644 playbooks/service/service-is-present.yml create mode 100644 playbooks/service/service-member-allow_create_keytab-absent.yml create mode 100644 playbooks/service/service-member-allow_create_keytab-present.yml create mode 100644 playbooks/service/service-member-allow_retrieve_keytab-absent.yml create mode 100644 playbooks/service/service-member-allow_retrieve_keytab-present.yml create mode 100644 playbooks/service/service-member-certificate-absent.yml create mode 100644 playbooks/service/service-member-certificate-present.yml create mode 100644 playbooks/service/service-member-principal-absent.yml create mode 100644 playbooks/service/service-member-principal-present.yml create mode 100644 
plugins/modules/ipaservice.py create mode 100644 tests/service/certificate/cert1.der create mode 100644 tests/service/certificate/cert1.pem create mode 100644 tests/service/certificate/cert2.der create mode 100644 tests/service/certificate/cert2.pem create mode 100644 tests/service/certificate/private1.key create mode 100644 tests/service/certificate/private2.key create mode 100644 tests/service/certificate/test_service_certificate.yml create mode 100644 tests/service/test_service.yml create mode 100644 tests/service/test_service_without_skip_host_check.yml diff --git a/README-service.md b/README-service.md new file mode 100644 index 00000000..8125190b --- /dev/null +++ b/README-service.md 
@@ -0,0 +1,319 @@ +Service module +============== + +Description +----------- + +The service module allows to ensure presence and absence of services. + + +Features +-------- + +* Service management + + +Supported FreeIPA Versions +-------------------------- + +FreeIPA versions 4.4.0 and up are supported by the ipaservice module. + +Option `skip_host_check` requires FreeIPA version 4.7.0 or later. + + +Requirements +------------ + +**Controller** +* Ansible version: 2.8+ + +**Node** +* Supported FReeIPA version (see above) + + +Usage +===== + +Example inventory file + +```ini +[ipaserver] +ipaserver.test.local +``` + + +Example playbook to make sure service is present: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + certificate: + - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw + DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT + ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH + VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM + LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT + oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s + 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc + xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1 + UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q + eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs + 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic + uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH + 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no + obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC + 
/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq + pac_type: PAD + auth_ind: otp + requires_pre_auth: false + ok_as_delegate: false + ok_to_auth_as_delegate: false + skip-host-check: true + force: true +``` + + +Example playbook to make sure service is absent: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + state: absent +``` + + +Example playbook to make sure service is disabled: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + state: disabled +``` + +Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + skip_host_check: true + force: false +``` + +Example playbook to add a service if it does have a DNS entry, but host object exits: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + skip_host_check: false + force: true +``` + +Example playbook to ensure service has a certificate: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service member certificate is present. 
+ - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + certificate: + - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw + DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT + ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH + VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM + LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT + oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s + 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc + xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1 + UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q + eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs + 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic + uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH + 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no + obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC + /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq + action: member + state: present +``` + +Example playbook to add a principal to the service: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Principal host/test.example.com present in service. + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + principal: host/principal.example.com + action: member +``` + +Example playbook to enable a host to manage service: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure host can manage service, again. 
+ - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + host: host1.example.com + action: member +``` + +Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Allow users, groups, hosts or host groups to create a keytab of this service. + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - host1.example.com + - host2.example.com + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member +``` + +Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Allow users, groups, hosts or host groups to retrieve a keytab of this service. + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member +``` + + +Variables +--------- + +ipaservice + +Variable | Description | Required +-------- | ----------- | -------- +`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no +`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no +`name` \| `service` | The list of service name strings. | yes +`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no +`pac_type` \| `ipakrbauthzdata` | Supported PAC type. 
It can be one of `MS-PAC`, `PAD`, or `NONE`. | no +`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no +`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no +`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no +`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no +`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no +`force` | Force principal name even if host not in DNS. Default to false. (bool) | no +`host` \| `managedby_host`| Hosts that can manage the service. | no +`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no +`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no +`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no +`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no +`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no +`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no +`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no +`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no +`action` | Work on service or member level. 
It can be on of `member` or `service` and defaults to `service`. | no +`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no + + +Authors +======= + +Rafael Jeffman diff --git a/README.md b/README.md index eea80266..f5d4c257 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ Features * Modules for host management * Modules for hostgroup management * Modules for pwpolicy management +* Modules for service management * Modules for sudocmd management * Modules for sudocmdgroup management * Modules for sudorule management @@ -413,6 +414,7 @@ Modules in plugin/modules * [ipahost](README-host.md) * [ipahostgroup](README-hostgroup.md) * [ipapwpolicy](README-pwpolicy.md) +* [ipaservice](README-service.md) * [ipasudocmd](README-sudocmd.md) * [ipasudocmdgroup](README-sudocmdgroup.md) * [ipasudorule](README-sudorule.md) diff --git a/playbooks/service/service-host-is-absent.yml b/playbooks/service/service-host-is-absent.yml new file mode 100644 index 00000000..5963340f --- /dev/null +++ b/playbooks/service/service-host-is-absent.yml @@ -0,0 +1,14 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure management host is absent. + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + host: "{{ groups.ipaserver[0] }}" + action: member + state: absent diff --git a/playbooks/service/service-host-is-present.yml b/playbooks/service/service-host-is-present.yml new file mode 100644 index 00000000..2460051e --- /dev/null +++ b/playbooks/service/service-host-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure management host is present. + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + host: "{{ groups.ipaserver[0] }}" + action: member 
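Review bot: `ipaadmin_password: MyPassword123` in service-host-is-absent.yml (and in every other playbooks/service/*.yml added by this commit) diverges from the `SomeADMINpassword` placeholder that README-service.md uses in this same commit and that the module docstrings were switched to earlier in the series. Keeping one placeholder string across the repository makes it obvious the value is a sample and lets a single search find every occurrence when the examples are updated; suggest `ipaadmin_password: SomeADMINpassword` here and in the sibling playbooks. Since these plays run with `become: true` against the IPA server, a comment such as `# sample value; in real use supply the admin password from an Ansible vault variable` above the task would help readers who copy them.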
diff --git a/playbooks/service/service-is-absent.yml b/playbooks/service/service-is-absent.yml new file mode 100644 index 00000000..fe65771e --- /dev/null +++ b/playbooks/service/service-is-absent.yml @@ -0,0 +1,12 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is absent + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + state: absent diff --git a/playbooks/service/service-is-disabled.yml b/playbooks/service/service-is-disabled.yml new file mode 100644 index 00000000..2bf01fb1 --- /dev/null +++ b/playbooks/service/service-is-disabled.yml @@ -0,0 +1,12 @@ +--- +- name: Playbook to disable IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is disabled + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + state: disabled diff --git a/playbooks/service/service-is-present-with-all-attributes.yml b/playbooks/service/service-is-present-with-all-attributes.yml new file mode 100644 index 00000000..f7e59ebc --- /dev/null +++ b/playbooks/service/service-is-present-with-all-attributes.yml 
@@ -0,0 +1,23 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + certificate: + - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+ + pac_type: + - MS-PAC + - PAD + auth_ind: otp + force: no + requires_pre_auth: yes + ok_as_delegate: no + ok_to_auth_as_delegate: no + action: service + state: present diff --git a/playbooks/service/service-is-present-with-host-force.yml b/playbooks/service/service-is-present-with-host-force.yml new file mode 100644 index 00000000..2268ea8f --- /dev/null +++ b/playbooks/service/service-is-present-with-host-force.yml @@ -0,0 +1,13 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/ihavenodns.info + force: yes + # state: absent diff --git a/playbooks/service/service-is-present-without-host-object.yml b/playbooks/service/service-is-present-without-host-object.yml new file mode 100644 index 00000000..ddf72b8e --- /dev/null +++ b/playbooks/service/service-is-present-without-host-object.yml 
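Review bot: The boolean options in service-is-present-with-all-attributes.yml are written as YAML 1.1 truthy words (`force: no`, `requires_pre_auth: yes`, `ok_as_delegate: no`, `ok_to_auth_as_delegate: no`), while the README-service.md examples in the same commit use `true`/`false`; yamllint's `truthy` rule flags the former and readers copying between the two get mixed styles. The same applies to `force: yes` in service-is-present-with-host-force.yml and `skip_host_check: yes` in service-is-present-without-host-object.yml. Separately, `pac_type` is given here as a two-element list (`- MS-PAC`, `- PAD`) whereas the Variables table in README-service.md describes it as one of `MS-PAC`, `PAD`, or `NONE`; if the module accepts a list, the table should say so, otherwise this example should pass a single value.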
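Review bot: The last line of service-is-present-with-host-force.yml, `# state: absent`, is a commented-out leftover that reads like debugging residue; it should be dropped or, if the intent is to show cleanup, moved into a second task with `state: absent`. A comment above the task such as `# force: yes creates the service principal even though the name has no DNS record` would also make the example self-explaining, since the file name is currently the only hint of what `force` is demonstrating.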
@@ -0,0 +1,12 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.ansible.com + skip_host_check: yes diff --git a/playbooks/service/service-is-present.yml b/playbooks/service/service-is-present.yml new file mode 100644 index 00000000..06e88343 --- /dev/null +++ b/playbooks/service/service-is-present.yml @@ -0,0 +1,11 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com diff --git a/playbooks/service/service-member-allow_create_keytab-absent.yml b/playbooks/service/service-member-allow_create_keytab-absent.yml new file mode 100644 index 00000000..d4a15ea4 --- /dev/null +++ b/playbooks/service/service-member-allow_create_keytab-absent.yml @@ -0,0 +1,24 @@ +--- +- name: Service member allow_create_keytab absent + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - host01.example.com + - host02.example.com + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent diff --git a/playbooks/service/service-member-allow_create_keytab-present.yml b/playbooks/service/service-member-allow_create_keytab-present.yml new file mode 100644 index 00000000..b28b6dc2 --- /dev/null +++ b/playbooks/service/service-member-allow_create_keytab-present.yml 
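Review bot: `skip_host_check: yes` in service-is-present-without-host-object.yml uses the underscore spelling that the Variables table in README-service.md documents, but the first example in that README (also added by this commit) writes `skip-host-check: true`; the module's argument spec is outside this chunk, but presumably only the underscore form is recognised, so the README line should become `skip_host_check: true`. A comment above the task, e.g. `# create the service although no host object exists for www.ansible.com (needs FreeIPA 4.7.0+)`, would tie the example to the version requirement stated in the README.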
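Review bot: service-member-allow_create_keytab-absent.yml (like the other service-member-allow_*_keytab-*.yml and service-member-principal-*.yml files) omits `gather_facts: false` and uses a task `name:` where the remaining playbooks in this commit use a leading comment; the two layouts should be unified. A one-line comment above the task would also help readers judge what they are granting, since by the attribute names in the README table the create_keytab options map to `ipaallowedtoperform_write_keys_*` (permission to generate the service's keys) while retrieve_keytab maps to `ipaallowedtoperform_read_keys_*`: `# allow_create_keytab_* grants write access to the service's keys; allow_retrieve_keytab_* only read access`. Related: that README table lists `allow_create_keytab_hostgroup` with the alias `ipaallowedtoperform_write_keys_group`, which duplicates the group row's alias; by symmetry with `ipaallowedtoperform_read_keys_hostgroup` it should presumably read `ipaallowedtoperform_write_keys_hostgroup`, worth checking against the module's argument spec.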
@@ -0,0 +1,23 @@ +--- +- name: Service member allow_create_keytab present + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.example.com members allow_create_keytab present for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - host01.example.com + - host02.example.com + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member diff --git a/playbooks/service/service-member-allow_retrieve_keytab-absent.yml b/playbooks/service/service-member-allow_retrieve_keytab-absent.yml new file mode 100644 index 00000000..ceada70e --- /dev/null +++ b/playbooks/service/service-member-allow_retrieve_keytab-absent.yml @@ -0,0 +1,24 @@ +--- +- name: Service member allow_retrieve_keytab absent + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - host01.example.com + - host02.example.com + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent diff --git a/playbooks/service/service-member-allow_retrieve_keytab-present.yml b/playbooks/service/service-member-allow_retrieve_keytab-present.yml new file mode 100644 index 00000000..ac98904b --- /dev/null +++ b/playbooks/service/service-member-allow_retrieve_keytab-present.yml 
@@ -0,0 +1,23 @@
+---
+- name: Service member allow_retrieve_keytab present
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - host01.example.com
+ - host02.example.com
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
diff --git a/playbooks/service/service-member-certificate-absent.yml b/playbooks/service/service-member-certificate-absent.yml
new file mode 100644
index 00000000..57b71e5e
--- /dev/null
+++ b/playbooks/service/service-member-certificate-absent.yml
@@ -0,0 +1,16 @@
+---
+- name: Service certificate absent.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service certificate is absent
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+
+ certificate:
+ - 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
+ action: member
+ state: absent
diff --git a/playbooks/service/service-member-certificate-present.yml b/playbooks/service/service-member-certificate-present.yml
new file mode 100644
index 00000000..bfa01d05
--- /dev/null
+++ b/playbooks/service/service-member-certificate-present.yml
@@ -0,0 +1,15 @@
+---
+- name: Service certificate present.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service certificate is present
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ certificate:
+ - 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
+ action: member
+ state: present
diff --git a/playbooks/service/service-member-principal-absent.yml b/playbooks/service/service-member-principal-absent.yml
new file mode 100644
index 00000000..6bfb168c
--- /dev/null
+++ b/playbooks/service/service-member-principal-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Service member principal absent
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com absent
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ principal:
+ - host/test.exmaple.com
+ action: member
+ state: absent
diff --git a/playbooks/service/service-member-principal-present.yml b/playbooks/service/service-member-principal-present.yml
new file mode 100644
index 00000000..aa94f32e
--- /dev/null
+++ b/playbooks/service/service-member-principal-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Service member principal present
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com present
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ principal:
+ - host/test.exmaple.com
+ action: member
diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py
new file mode 100644
index 00000000..d3074ffe
--- /dev/null
+++ b/plugins/modules/ipaservice.py
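Review bot: Both principal playbooks spell the domain `exmaple.com` in the alias they attach, `- host/test.exmaple.com`, and in the task name, while the service being managed is `HTTP/www.example.com`; run as-is they give the HTTP service a Kerberos name in a domain that does not exist, and a principal alias is exactly the kind of thing that should never be added by typo, since any ticket for that name will be accepted by this service's key. The lines should read `- host/test.example.com` and `- name: Service HTTP/www.example.com member principals host/test.example.com present` (and the matching `absent` wording in the other file).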
@@ -0,0 +1,811 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Authors: +# Rafael Guterres Jeffman +# +# Copyright (C) 2019 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +ANSIBLE_METADATA = { + "metadata_version": "1.0", + "supported_by": "community", + "status": ["preview"], +} + + +DOCUMENTATION = """ +--- +module: ipaservice +short description: Manage FreeIPA service +description: Manage FreeIPA service +options: + ipaadmin_principal: + description: The admin principal + default: admin + ipaadmin_password: + description: The admin password + required: false + name: + description: The service to manage + required: true + aliases: ["service"] + certificate: + description: Base-64 encoded service certificate. + required: false + type: list + aliases=['usercertificate'] + pac_type: + description: Supported PAC type. + required: false + choices: ["MS-PAC", "PAD", "NONE"] + type: list + aliases: ["pac_type", "ipakrbauthzdata"] + auth_ind: + description: Defines a whitelist for Authentication Indicators. + required: false + choices: ["otp", "radius", "pkinit", "hardened"] + aliases: ["krbprincipalauthind"] + skip_host_check: + description: Skip checking if host object exists. + required: False + type: bool + force: + description: Force principal name even if host is not in DNS. 
+ required: False + type: bool + requires_pre_auth: + description: Pre-authentication is required for the service. + required: false + type: bool + default: False + aliases: ["ipakrbrequirespreauth"] + ok_as_delegate: + description: Client credentials may be delegated to the service. + required: false + type: bool + default: False + aliases: ["ipakrbokasdelegate"] + ok_to_auth_as_delegate: Allow service to authenticate on behalf of a client. + description: . + required: false + type: bool + default: False + aliases:["ipakrboktoauthasdelegate"] + principal: + description: + required: false + type: list + aliases: ["krbprincipalname"] + host: + description: Host that can manage the service. + required: false + type: list + aliases: ["managedby_host"] + allow_create_keytab_user: + descrption: Users allowed to create a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_write_keys_user"] + allow_create_keytab_group: + descrption: Groups allowed to create a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_write_keys_group"] + allow_create_keytab_host: + descrption: Hosts allowed to create a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_write_keys_host"] + allow_create_keytab_hostgroup: + descrption: Host group allowed to create a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_write_keys_hostgroup"] + allow_retrieve_keytab_user: + descrption: User allowed to retrieve a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_read_keys_user"] + allow_retrieve_keytab_group: + descrption: Groups allowed to retrieve a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_read_keys_group"] + allow_retrieve_keytab_host: + descrption: Hosts allowed to retrieve a keytab of this host. 
+ required: false + type: list + aliases: ["ipaallowedtoperform_read_keys_host"] + allow_retrieve_keytab_hostgroup: + descrption: Host groups allowed to retrieve a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_read_keys_hostgroup"] + action: + description: Work on service or member level + default: service + choices: ["member", "service"] + state: + description: State to ensure + default: present + choices: ["present", "absent", "enabled", "disabled"] +author: + - Rafael Jeffman +""" + +EXAMPLES = """ + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + pac_type: + - MS-PAC + - PAD + auth_ind: otp + skip_host_check: true + force: false + requires_pre_auth: true + ok_as_delegate: false + ok_to_auth_as_delegate: false + + # Ensure service is absent + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + state: absent + + # Ensure service member certificate is present. 
+ - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + certificate: + - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw + DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT + ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH + VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM + LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT + oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s + 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc + xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1 + UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q + eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs + 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic + uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH + 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no + obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC + /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq + action: member + state: present + + # Ensure principal host/test.example.com present in service. + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + principal: + - host/test.example.com + action: member + + # Ensure host can manage service. 
+ - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + host: + - host1.example.com + - host2.example.com + action: member +""" + +RETURN = """ +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ + temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ + encode_certificate, gen_add_del_lists, module_params_get, to_text, \ + api_check_param + + +def find_service(module, name): + _args = { + "all": True, + } + + _result = api_command(module, "service_find", to_text(name), _args) + + if len(_result["result"]) > 1: + module.fail_json( + msg="There is more than one service '%s'" % (name)) + elif len(_result["result"]) == 1: + _res = _result["result"][0] + certs = _res.get("usercertificate") + if certs is not None: + _res["usercertificate"] = [encode_certificate(cert) for + cert in certs] + return _res + else: + return None + + +def gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth, + ok_as_delegate, ok_to_auth_as_delegate): + _args = {} + + if pac_type is not None: + _args['ipakrbauthzdata'] = pac_type + if auth_ind is not None: + _args['krbprincipalauthind'] = auth_ind + if skip_host_check is not None: + _args['skip_host_check'] = (skip_host_check) + if force is not None: + _args['force'] = (force) + if requires_pre_auth is not None: + _args['ipakrbrequirespreauth'] = (requires_pre_auth) + if ok_as_delegate is not None: + _args['ipakrbokasdelegate'] = (ok_as_delegate) + if ok_to_auth_as_delegate is not None: + _args['ipakrboktoauthasdelegate'] = (ok_to_auth_as_delegate) + + return _args + + +def check_parameters(module, state, action, names, parameters): + assert isinstance(parameters, dict) + + # invalid parameters for everything but state 'present', action 'service'. 
+ invalid = ['pac_type', 'auth_ind', 'skip_host_check', + 'force', 'requires_pre_auth', 'ok_as_delegate', + 'ok_to_auth_as_delegate'] + + # invalid parameters when not handling service members. + invalid_not_member = \ + ['principal', 'certificate', 'host', 'allow_create_keytab_user', + 'allow_create_keytab_group', 'allow_create_keytab_host', + 'allow_create_keytab_hostgroup', 'allow_retrieve_keytab_user', + 'allow_retrieve_keytab_group', 'allow_retrieve_keytab_host', + 'allow_retrieve_keytab_hostgroup'] + + if state == 'present': + if len(names) != 1: + module.fail_json(msg="Only one service can be added at a time.") + + if action == 'service': + invalid = [] + + elif state == 'absent': + if len(names) < 1: + module.fail_json(msg="No name given.") + + if action == "service": + invalid.extend(invalid_not_member) + + elif state == 'disabled': + invalid.extend(invalid_not_member) + if action != "service": + module.fail_json( + msg="Invalid action '%s' for state '%s'" % (action, state)) + + else: + module.fail_json(msg="Invalid state '%s'" % (state)) + + for _invalid in invalid: + if parameters[_invalid] is not None: + module.fail_json( + msg="Argument '%s' can not be used with state '%s'" % + (_invalid, state)) + + +def init_ansible_module(): + ansible_module = AnsibleModule( + argument_spec=dict( + # general + ipaadmin_principal=dict(type="str", default="admin"), + ipaadmin_password=dict(type="str", required=False, no_log=True), + + name=dict(type="list", aliases=["service"], default=None, + required=True), + # service attributesstr + certificate=dict(type="list", aliases=['usercertificate'], + default=None, required=False), + principal=dict(type="list", aliases=["krbprincipalname"], + default=None), + pac_type=dict(type="list", aliases=["ipakrbauthzdata"], + choices=["MS-PAC", "PAD", "NONE"]), + auth_ind=dict(type="str", + aliases=["krbprincipalauthind"], + choices=["otp", "radius", "pkinit", "hardened"]), + skip_host_check=dict(type="bool"), + 
force=dict(type="bool"), + requires_pre_auth=dict( + type="bool", aliases=["ipakrbrequirespreauth"]), + ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]), + ok_to_auth_as_delegate=dict(type="bool", + aliases=["ipakrboktoauthasdelegate"]), + host=dict(type="list", aliases=["managedby_host"], required=False), + allow_create_keytab_user=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_write_keys_user']), + allow_retrieve_keytab_user=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_read_keys_user']), + allow_create_keytab_group=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_write_keys_group']), + allow_retrieve_keytab_group=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_read_keys_group']), + allow_create_keytab_host=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_write_keys_host']), + allow_retrieve_keytab_host=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_read_keys_host']), + allow_create_keytab_hostgroup=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_write_keys_hostgroup']), + allow_retrieve_keytab_hostgroup=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_read_keys_hostgroup']), + # action + action=dict(type="str", default="service", + choices=["member", "service"]), + # state + state=dict(type="str", default="present", + choices=["present", "absent", + "enabled", "disabled"]), + ), + supports_check_mode=True, + ) + + ansible_module._ansible_debug = True + + return ansible_module + + +def main(): + ansible_module = init_ansible_module() + + # Get parameters + + # general + ipaadmin_principal = module_params_get(ansible_module, + "ipaadmin_principal") + ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") + names = module_params_get(ansible_module, "name") + + # service attributes + principal = module_params_get(ansible_module, "principal") + certificate = 
module_params_get(ansible_module, "certificate") + pac_type = module_params_get(ansible_module, "pac_type") + auth_ind = module_params_get(ansible_module, "auth_ind") + skip_host_check = module_params_get(ansible_module, "skip_host_check") + force = module_params_get(ansible_module, "force") + requires_pre_auth = module_params_get(ansible_module, "requires_pre_auth") + ok_as_delegate = module_params_get(ansible_module, "ok_as_delegate") + ok_to_auth_as_delegate = module_params_get(ansible_module, + "ok_to_auth_as_delegate") + + host = module_params_get(ansible_module, "host") + + allow_create_keytab_user = module_params_get( + ansible_module, "allow_create_keytab_user") + allow_create_keytab_group = module_params_get( + ansible_module, "allow_create_keytab_group") + allow_create_keytab_host = module_params_get( + ansible_module, "allow_create_keytab_host") + allow_create_keytab_hostgroup = module_params_get( + ansible_module, "allow_create_keytab_hostgroup") + + allow_retrieve_keytab_user = module_params_get( + ansible_module, "allow_retrieve_keytab_user") + allow_retrieve_keytab_group = module_params_get( + ansible_module, "allow_retrieve_keytab_group") + allow_retrieve_keytab_host = module_params_get( + ansible_module, "allow_create_keytab_host") + allow_retrieve_keytab_hostgroup = module_params_get( + ansible_module, "allow_retrieve_keytab_hostgroup") + + # action + action = module_params_get(ansible_module, "action") + # state + state = module_params_get(ansible_module, "state") + + # check parameters + check_parameters(ansible_module, state, action, names, vars()) + + # Init + + changed = False + exit_args = {} + ccache_dir = None + ccache_name = None + try: + if not valid_creds(ansible_module, ipaadmin_principal): + ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, + ipaadmin_password) + api_connect() + + has_skip_host_check = api_check_param( + "service_add", "skip_host_check") + if skip_host_check and not has_skip_host_check: + 
ansible_module.fail_json( + msg="Skipping host check is not supported by your IPA version") + + commands = [] + + for name in names: + res_find = find_service(ansible_module, name) + + if state == "present": + if action == "service": + args = gen_args( + pac_type, auth_ind, skip_host_check, force, + requires_pre_auth, ok_as_delegate, + ok_to_auth_as_delegate) + if not has_skip_host_check and 'skip_host_check' in args: + del args['skip_host_check'] + + if res_find is None: + commands.append([name, 'service_add', args]) + + certificate_add = certificate or [] + certificate_del = [] + host_add = host or [] + host_del = [] + principal_add = principal or [] + principal_del = [] + allow_create_keytab_user_add = \ + allow_create_keytab_user or [] + allow_create_keytab_user_del = [] + allow_create_keytab_group_add = \ + allow_create_keytab_group or [] + allow_create_keytab_group_del = [] + allow_create_keytab_host_add = \ + allow_create_keytab_host or [] + allow_create_keytab_host_del = [] + allow_create_keytab_hostgroup_add = \ + allow_create_keytab_hostgroup or [] + allow_create_keytab_hostgroup_del = [] + allow_retrieve_keytab_user_add = \ + allow_retrieve_keytab_user or [] + allow_retrieve_keytab_user_del = [] + allow_retrieve_keytab_group_add = \ + allow_retrieve_keytab_group or [] + allow_retrieve_keytab_group_del = [] + allow_retrieve_keytab_host_add = \ + allow_retrieve_keytab_host or [] + allow_retrieve_keytab_host_del = [] + allow_retrieve_keytab_hostgroup_add = \ + allow_retrieve_keytab_hostgroup or [] + allow_retrieve_keytab_hostgroup_del = [] + + else: + for remove in ['skip_host_check', 'force']: + if remove in args: + del args[remove] + + if not compare_args_ipa(ansible_module, args, + res_find): + commands.append([name, "service_mod", args]) + + certificate_add, certificate_del = gen_add_del_lists( + certificate, res_find.get("usercertificate")) + + host_add, host_del = gen_add_del_lists( + host, res_find.get('managedby_host', [])) + + principal_add, 
principal_del = gen_add_del_lists( + principal, res_find.get("principal")) + + (allow_create_keytab_user_add, + allow_create_keytab_user_del) = \ + gen_add_del_lists( + allow_create_keytab_user, res_find.get( + 'ipaallowedtoperform_write_keys_user', + [])) + (allow_retrieve_keytab_user_add, + allow_retrieve_keytab_user_del) = \ + gen_add_del_lists( + allow_retrieve_keytab_user, res_find.get( + 'ipaallowedtoperform_read_keys_user', + [])) + (allow_create_keytab_group_add, + allow_create_keytab_group_del) = \ + gen_add_del_lists( + allow_create_keytab_group, res_find.get( + 'ipaallowedtoperform_write_keys_group', + [])) + (allow_retrieve_keytab_group_add, + allow_retrieve_keytab_group_del) = \ + gen_add_del_lists( + allow_retrieve_keytab_group, + res_find.get( + 'ipaallowedtoperform_read_keys_group', + [])) + (allow_create_keytab_host_add, + allow_create_keytab_host_del) = \ + gen_add_del_lists( + allow_create_keytab_host, + res_find.get( + 'ipaallowedtoperform_write_keys_host', + [])) + (allow_retrieve_keytab_host_add, + allow_retrieve_keytab_host_del) = \ + gen_add_del_lists( + allow_retrieve_keytab_host, + res_find.get( + 'ipaallowedtoperform_read_keys_host', + [])) + (allow_create_keytab_hostgroup_add, + allow_create_keytab_hostgroup_del) = \ + gen_add_del_lists( + allow_create_keytab_hostgroup, + res_find.get( + 'ipaallowedtoperform_write_keys_hostgroup', + [])) + (allow_retrieve_keytab_hostgroup_add, + allow_retrieve_keytab_hostgroup_del) = \ + gen_add_del_lists( + allow_retrieve_keytab_hostgroup, + res_find.get( + 'ipaallowedtoperform_read_keys_hostgroup', + [])) + + elif action == "member": + if res_find is None: + ansible_module.fail_json(msg="No service '%s'" % name) + + existing = res_find.get('usercertificate', []) + if certificate is None: + certificate_add = [] + else: + certificate_add = [c for c in certificate + if c not in existing] + certificate_del = [] + host_add = host or [] + host_del = [] + principal_add = principal or [] + principal_del = [] + 
+ allow_create_keytab_user_add = \ + allow_create_keytab_user or [] + allow_create_keytab_user_del = [] + allow_create_keytab_group_add = \ + allow_create_keytab_group or [] + allow_create_keytab_group_del = [] + allow_create_keytab_host_add = \ + allow_create_keytab_host or [] + allow_create_keytab_host_del = [] + allow_create_keytab_hostgroup_add = \ + allow_create_keytab_hostgroup or [] + allow_create_keytab_hostgroup_del = [] + allow_retrieve_keytab_user_add = \ + allow_retrieve_keytab_user or [] + allow_retrieve_keytab_user_del = [] + allow_retrieve_keytab_group_add = \ + allow_retrieve_keytab_group or [] + allow_retrieve_keytab_group_del = [] + allow_retrieve_keytab_host_add = \ + allow_retrieve_keytab_host or [] + allow_retrieve_keytab_host_del = [] + allow_retrieve_keytab_hostgroup_add = \ + allow_retrieve_keytab_hostgroup or [] + allow_retrieve_keytab_hostgroup_del = [] + + # Add principals + for _principal in principal_add: + commands.append([name, "service_add_principal", + { + "krbprincipalname": + _principal, + }]) + + # Remove principals + for _principal in principal_del: + commands.append([name, "service_remove_principal", + { + "krbprincipalname": + _principal, + }]) + + for _certificate in certificate_add: + commands.append([name, "service_add_cert", + { + "usercertificate": + _certificate, + }]) + # Remove certificates + for _certificate in certificate_del: + commands.append([name, "service_remove_cert", + { + "usercertificate": + _certificate, + }]) + + # Add hosts. 
+ if host is not None and len(host) > 0 and len(host_add) > 0: + commands.append([name, "service_add_host", + {"host": host_add}]) + # Remove hosts + if host is not None and len(host) > 0 and len(host_del) > 0: + commands.append([name, "service_remove_host", + {"host": host_del}]) + + # Allow create keytab + if len(allow_create_keytab_user_add) > 0 or \ + len(allow_create_keytab_group_add) > 0 or \ + len(allow_create_keytab_host_add) > 0 or \ + len(allow_create_keytab_hostgroup_add) > 0: + commands.append( + [name, "service_allow_create_keytab", + {'user': allow_create_keytab_user_add, + 'group': allow_create_keytab_group_add, + 'host': allow_create_keytab_host_add, + 'hostgroup': allow_create_keytab_hostgroup_add + }]) + + # Disallow create keytab + if len(allow_create_keytab_user_del) > 0 or \ + len(allow_create_keytab_group_del) > 0 or \ + len(allow_create_keytab_host_del) > 0 or \ + len(allow_create_keytab_hostgroup_del) > 0: + commands.append( + [name, "service_disallow_create_keytab", + {'user': allow_create_keytab_user_del, + 'group': allow_create_keytab_group_del, + 'host': allow_create_keytab_host_del, + 'hostgroup': allow_create_keytab_hostgroup_del + }]) + + # Allow retrieve keytab + if len(allow_retrieve_keytab_user_add) > 0 or \ + len(allow_retrieve_keytab_group_add) > 0 or \ + len(allow_retrieve_keytab_hostgroup_add) > 0 or \ + len(allow_retrieve_keytab_hostgroup_add) > 0: + commands.append( + [name, "service_allow_retrieve_keytab", + {'user': allow_retrieve_keytab_user_add, + 'group': allow_retrieve_keytab_group_add, + 'host': allow_retrieve_keytab_host_add, + 'hostgroup': allow_retrieve_keytab_hostgroup_add + }]) + + # Disllow retrieve keytab + if len(allow_retrieve_keytab_user_del) > 0 or \ + len(allow_retrieve_keytab_group_del) > 0 or \ + len(allow_retrieve_keytab_host_del) > 0 or \ + len(allow_retrieve_keytab_hostgroup_del) > 0: + commands.append( + [name, "service_disallow_retrieve_keytab", + {'user': allow_retrieve_keytab_user_del, + 'group': 
allow_retrieve_keytab_group_del, + 'host': allow_retrieve_keytab_host_del, + 'hostgroup': allow_retrieve_keytab_hostgroup_del + }]) + + elif state == "absent": + if action == "service": + if res_find is not None: + commands.append([name, 'service_del', {}]) + + elif action == "member": + if res_find is None: + ansible_module.fail_json(msg="No service '%s'" % name) + + # Remove principals + if principal is not None: + for _principal in principal: + commands.append([name, "service_remove_principal", + { + "krbprincipalname": + _principal, + }]) + # Remove certificates + if certificate is not None: + existing = res_find.get('usercertificate', []) + for _certificate in certificate: + if _certificate in existing: + commands.append([name, "service_remove_cert", + { + "usercertificate": + _certificate, + }]) + + # Add hosts + if host is not None: + commands.append( + [name, "service_remove_host", {"host": host}]) + + # Allow create keytab + if allow_create_keytab_user is not None or \ + allow_create_keytab_group is not None or \ + allow_create_keytab_host is not None or \ + allow_create_keytab_hostgroup is not None: + commands.append( + [name, "service_disallow_create_keytab", + {'user': allow_create_keytab_user, + 'group': allow_create_keytab_group, + 'host': allow_create_keytab_host, + 'hostgroup': allow_create_keytab_hostgroup + }]) + + # Allow retriev keytab + if allow_retrieve_keytab_user is not None or \ + allow_retrieve_keytab_group is not None or \ + allow_retrieve_keytab_host is not None or \ + allow_retrieve_keytab_hostgroup is not None: + commands.append( + [name, "service_disallow_retrieve_keytab", + {'user': allow_retrieve_keytab_user, + 'group': allow_retrieve_keytab_group, + 'host': allow_retrieve_keytab_host, + 'hostgroup': allow_retrieve_keytab_hostgroup + }]) + + elif state == "disabled": + if action == "service": + if res_find is not None and \ + len(res_find.get('usercertificate', [])) > 0: + commands.append([name, 'service_disable', {}]) + else: + 
ansible_module.fail_json( + msg="Invalid action '%s' for state '%s'" % + (action, state)) + else: + ansible_module.fail_json(msg="Unkown state '%s'" % state) + + # Execute commands + errors = [] + for name, command, args in commands: + try: + result = api_command(ansible_module, command, name, args) + + if "completed" in result: + if result["completed"] > 0: + changed = True + else: + changed = True + except Exception as ex: + ansible_module.fail_json(msg="%s: %s: %s" % (command, name, + str(ex))) + # Get all errors + # All "already a member" and "not a member" failures in the + # result are ignored. All others are reported. + if "failed" in result and len(result["failed"]) > 0: + for item in result["failed"]: + failed_item = result["failed"][item] + for member_type in failed_item: + for member, failure in failed_item[member_type]: + if "already a member" in failure \ + or "not a member" in failure: + continue + errors.append("%s: %s %s: %s" % ( + command, member_type, member, failure)) + if len(errors) > 0: + ansible_module.fail_json(msg=", ".join(errors)) + + except Exception as ex: + ansible_module.fail_json(msg=str(ex)) + + finally: + temp_kdestroy(ccache_dir, ccache_name) + + # Done + ansible_module.exit_json(changed=changed, **exit_args) + + +if __name__ == "__main__": + main() 
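Review bot: `allow_retrieve_keytab_host` is populated from the wrong option in `main()` — `module_params_get(ansible_module, "allow_create_keytab_host")` — so the hosts granted `service_allow_retrieve_keytab` (read access to the service's long-term key) are whatever the playbook listed under the create-keytab option, and a playbook that sets only `allow_retrieve_keytab_host` silently grants or revokes nothing; the line should be `allow_retrieve_keytab_host = module_params_get(ansible_module, "allow_retrieve_keytab_host")`. In the same state-present path the `service_allow_retrieve_keytab` guard tests `len(allow_retrieve_keytab_hostgroup_add) > 0` twice and never `allow_retrieve_keytab_host_add`, so a host-only retrieve grant is dropped even once the first bug is fixed; one of the two should become `len(allow_retrieve_keytab_host_add) > 0 or \`. Separately, `state` advertises `enabled` in its choices but `check_parameters` rejects it with "Invalid state" and `main()` would report "Unkown state", so either implement it or drop it from the choices. The DOCUMENTATION block also will not load as YAML (`aliases=['usercertificate']` uses `=`, and the description for `ok_to_auth_as_delegate` sits on the key line with `description: .` beneath it), and `ansible_module._ansible_debug = True` in `init_ansible_module` looks like a development leftover that should not ship.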
diff --git a/tests/service/certificate/cert1.der b/tests/service/certificate/cert1.der new file mode 100644 index 0000000000000000000000000000000000000000..b1b90efde6d33ab44ca7b62941eee06fdbc05da9 GIT binary patch literal 771 zcmXqLV)}2;#Q1yxGZP~dlZe5^6M6Lu+crHd-@kXE>cabLgbS>BkANhkjbLS#J;867*=|%sE9*)_Al& zo^Ql|K=js!)el@liX?W4?nyhX_H%K~(U+HsgcsV>ckkm8zq0RVqTJ?-KZQ2ceo=U+ zvoK+`+p>AT6_&2L5ht@!c8T{qP4!D(ILz)2~?WT*nbB^vg zl`USb?8vx7*FK@~qqs@)&1)rMOa(f-H+Kp-yZ-RwnUocC%sxueHTUUmtt|(6)=zoNh`BR7>G4sSHKTaAk4`4pM}+c8Au@qJ1{PR!OqCAAY8ZZ znsb5NxuUDHN}`O#B$S+9|M~DH;MjwwJJ%<6cBtM=yi^j@dE@KsjF3(K>*ns~;r=>% z!rM6(j!7%#?D)Zb#*@!GXs(~`7OR{4)q6JT?7GQ4b;ohnbCs(8F^}>b(?2-R^53&k z{bf!>U?x*%+oK6jQm(nl)rOTghUj1FI8-mcUstWbVP8W*yhzJFd&xU1p8XNgO8xyqL7L&Y J*3>sgvjD#_KokG~ literal 0 HcmV?d00001 diff --git a/tests/service/certificate/cert1.pem b/tests/service/certificate/cert1.pem new file mode 100644 index 00000000..ab3704bb --- /dev/null +++ b/tests/service/certificate/cert1.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQx +MDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk ++OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa +8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0am +nvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cj +QQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidS +X0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYuku +H/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0 +WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic +uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkG +wIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyE +iaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj +9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV +7MVq +-----END CERTIFICATE----- 
diff --git a/tests/service/certificate/cert2.der b/tests/service/certificate/cert2.der new file mode 100644 index 0000000000000000000000000000000000000000..e176c2ba50270b331c457e784dea5f5f6a09e53a GIT binary patch literal 771 zcmXqLV)}2;#Q1yxGZP~dlZcyC&Wnw@6$cKLNIea6o%isBP`jG}FB_*;n@8JsUPeZ4 zRt5upLtX=JHs(+kW*(N3)Z!8YIdNVi0|O%i6GIadBNKxtab9B(*AU9Z)X>DJgls4y zD+6;ABR>Ps9b8OJjEoFBqUW_=jJhSTa4EOQWbfoxa~FKQcEYD`_q<~n8PigZY;C@0 z^Yen-9Hq{g3ECU_S(@i^)hWu*uG3#2i{a%C2_f_e0 zyK4BiJUAmzmAk*vazc>ogUvRL-$WHU|K=*c-1y;<-aEPXkE3NZE^H}%o_3N3RUs+DfoW1jW_p2Mh88hbd$GQHV z%_^VyyXyR_!ndA@>sbv2Lpx$#iLkbFGBGnUFfI-@2sDrdhO;amix`W@+bt^UPu(VT zKdy|FJn(kPg=wzwt_JcTX=N4(1F;6|3iv?^gc%wCv#=U411aQS2gW5Z*clnZ?tKY- z&d7Z3c6Zoz0ltpsR}0D>JYF@wVVA|6&38f#%bNw550&j%Tw$Lg-rB2?bZni-iooaM z=Q2!Xv{T+q;C4M9xp7r)QKM^s?5;PT0^*eP6c-$~e(~Vs-*`9EzO(=Je;&K=J1%B& zsO{SP)iJMbuK)PX;``>ycBk^>=11i2{#>eLdSfClZ=Rxt@=Euw`tMR=IPK@$Qsyjm z`d(kgCw8zgUo_U|=em}CJf}}h{G;t;Ho2rhTI#4%E5rZ&SGbSn1RQD!brx`U{_yGZ zoVvmfMbDV;pL#BTCw7OHpsJR3?D^;AUt^o+H!;n=`tQ>U0ZF%#8=v!+d|CN-W%8W) JIzc Date: Mon, 2 Mar 2020 20:27:17 -0300 Subject: [PATCH 35/40] Removed trailling space on README.md. Removed a trailling space on README.md because it was often removed by text editors, adding an unnecessary line to the update patch. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f5d4c257..36ff2a24 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ Features Supported FreeIPA Versions -------------------------- -FreeIPA versions 4.6 and up are supported by all roles. +FreeIPA versions 4.6 and up are supported by all roles. The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up. From a1444aa06f3ae38f154c66b5cecda68f0535718c Mon Sep 17 00:00:00 2001 
From: Rafael Guterres Jeffman Date: Wed, 4 Mar 2020 12:13:35 -0300 Subject: [PATCH 36/40] Fixes documentation for module ipaservice. Add missing documentation for the `principal` variable. --- README-service.md | 3 ++- plugins/modules/ipaservice.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README-service.md b/README-service.md index 8125190b..da0c692c 100644 --- a/README-service.md +++ b/README-service.md @@ -197,7 +197,7 @@ Example playbook to add a principal to the service: gather_facts: false tasks: - # Principal host/test.example.com present in service. + # Principal host/principal.example.com present in service. - ipaservice: ipaadmin_password: SomeADMINpassword name: HTTP/www.example.com @@ -301,6 +301,7 @@ Variable | Description | Required `skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no `force` | Force principal name even if host not in DNS. Default to false. (bool) | no `host` \| `managedby_host`| Hosts that can manage the service. | no +`principal` \| `krbprincipalname` | List of principal aliases for the service. | no `allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no `allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no `allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py index d3074ffe..e0da817c 100644 --- a/plugins/modules/ipaservice.py +++ b/plugins/modules/ipaservice.py @@ -86,7 +86,7 @@ options: default: False aliases:["ipakrboktoauthasdelegate"] principal: - description: + description: List of principal aliases for the service. required: false type: list aliases: ["krbprincipalname"] From 282773f15ee3393474a41e244d36221977306662 Mon Sep 17 00:00:00 2001 
From: Rafael Guterres Jeffman Date: Wed, 4 Mar 2020 17:59:51 -0300 Subject: [PATCH 37/40] Add documentation of missing variables for sudorule. This patch adds documentation for the sudorule variables `runasusercategory` and `runasgroupcategory` that was missing. --- README-sudorule.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README-sudorule.md b/README-sudorule.md index 50c73ade..ff6dcec3 100644 --- a/README-sudorule.md +++ b/README-sudorule.md @@ -125,6 +125,8 @@ Variable | Description | Required `usercategory` | User category the rule applies to. Choices: ["all"] | no `hostcategory` | Host category the rule applies to. Choices: ["all"] | no `cmdcategory` | Command category the rule applies to. Choices: ["all"] | no +`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no +`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no `nomembers` | Suppress processing of membership attributes. (bool) | no `host` | List of host name strings assigned to this sudorule. | no `hostgroup` | List of host group name strings assigned to this sudorule. | no From e22bf295290bff7d6f845bf76d354a9859296234 Mon Sep 17 00:00:00 2001 
From: Rafael Guterres Jeffman Date: Mon, 2 Mar 2020 15:58:40 -0300 Subject: [PATCH 38/40] New DNSConfig management module There is a new dnsconfig management module placed in the plugins folder: plugins/modules/ipadnsconfig.py The dnsconfig module allows to modify global DNS configuration. Here is the documentation for the module: README-dnsconfig.md New example playbooks have been added: playbooks/dnsconfig/set-configuration.yml playbooks/dnsconfig/disable-global-forwarders.yml playbooks/dnsconfig/disallow-reverse-sync.yml New tests for the module: tests/dnsconfig/test_dnsconfig.yml --- README-dnsconfig.md | 140 ++++++++++ README.md | 1 + .../dnsconfig/disable-global-forwarders.yml | 9 + playbooks/dnsconfig/disallow-reverse-sync.yml | 9 + playbooks/dnsconfig/forwarders-absent.yml | 13 + playbooks/dnsconfig/set-configuration.yml | 14 + plugins/modules/ipadnsconfig.py | 257 ++++++++++++++++++ tests/dnsconfig/test_dnsconfig.yml | 141 ++++++++++ 8 files changed, 584 insertions(+) create mode 100644 README-dnsconfig.md create mode 100644 playbooks/dnsconfig/disable-global-forwarders.yml create mode 100644 playbooks/dnsconfig/disallow-reverse-sync.yml create mode 100644 playbooks/dnsconfig/forwarders-absent.yml create mode 100644 playbooks/dnsconfig/set-configuration.yml create mode 100644 plugins/modules/ipadnsconfig.py create mode 100644 tests/dnsconfig/test_dnsconfig.yml diff --git a/README-dnsconfig.md b/README-dnsconfig.md new file mode 100644 index 00000000..029ec515 --- /dev/null +++ b/README-dnsconfig.md 
@@ -0,0 +1,140 @@ +DNSConfig module +============ + +Description +----------- + +The dnsconfig module allows to modify global DNS configuration. + + +Features +-------- +* Global DNS configuration + + +Supported FreeIPA Versions +-------------------------- + +FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module. + + +Requirements +------------ + +**Controller** +* Ansible version: 2.8+ + +**Node** +* Supported FreeIPA version (see above) + + +Usage +===== + +Example inventory file + +```ini +[ipaserver] +ipaserver.test.local +``` + +Example playbook to set global DNS configuration: + +```yaml +--- +- name: Playbook to handle global DNS configuration + hosts: ipaserver + become: true + + tasks: + # Set dnsconfig. + - ipadnsconfig: + forwarders: + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + forward_policy: only + allow_sync_ptr: yes +``` + +Example playbook to ensure a global forwarder, with a custom port, is absent: + +```yaml +--- +- name: Playbook to handle global DNS configuration + hosts: ipaserver + become: true + + tasks: + # Ensure global forwarder with a custom port is absent. + - ipadnsconfig: + forwarders: + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent +``` + +Example playbook to disable global forwarders: + +```yaml +--- +- name: Playbook to disable global DNS forwarders + hosts: ipaserver + become: true + + tasks: + # Disable global forwarders. + - ipadnsconfig: + forward_policy: none +``` + +Example playbook to change global forward policy: + +```yaml +--- +- name: Playbook to change global forward policy + hosts: ipaserver + become: true + + tasks: + # Disable global forwarders. + - ipadnsconfig: + forward_policy: first +``` + +Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records: + +```yaml +--- +- name: Playbook to disallow reverse synchronization. + hosts: ipaserver + become: true + + tasks: + # Disable global forwarders. 
+ - ipadnsconfig: + allow_sync_ptr: no +``` + +Variables +========= + +ipadnsconfig +------------ + +Variable | Description | Required +-------- | ----------- | -------- +`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no +`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no +`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no +  | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes +  | `port` - The custom port that should be used on this server. | no +`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no +`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes +`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes + + +Authors +======= + +Rafael Guterres Jeffman diff --git a/README.md b/README.md index f5d4c257..ebc4e40f 100644 --- a/README.md +++ b/README.md @@ -407,6 +407,7 @@ Roles Modules in plugin/modules ========================= +* [ipadnsconfig](README-dnsconfig.md) * [ipagroup](README-group.md) * [ipahbacrule](README-hbacrule.md) * [ipahbacsvc](README-hbacsvc.md) diff --git a/playbooks/dnsconfig/disable-global-forwarders.yml b/playbooks/dnsconfig/disable-global-forwarders.yml new file mode 100644 index 00000000..3b4f638c --- /dev/null +++ b/playbooks/dnsconfig/disable-global-forwarders.yml @@ -0,0 +1,9 @@ +--- +- name: Playbook to disable global DNS forwarders + hosts: ipaserver + become: true + + tasks: + - name: Disable global forwarders. + ipadnsconfig: + forward_policy: none diff --git a/playbooks/dnsconfig/disallow-reverse-sync.yml b/playbooks/dnsconfig/disallow-reverse-sync.yml new file mode 100644 index 00000000..e99996ef --- /dev/null +++ b/playbooks/dnsconfig/disallow-reverse-sync.yml 
@@ -0,0 +1,9 @@
+---
+- name: Playbook to disallow reverse record synchronization.
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Disallow reverse record synchronization.
+ ipadnsconfig:
+ allow_sync_ptr: no
diff --git a/playbooks/dnsconfig/forwarders-absent.yml b/playbooks/dnsconfig/forwarders-absent.yml
new file mode 100644
index 00000000..21a393dd
--- /dev/null
+++ b/playbooks/dnsconfig/forwarders-absent.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to handle global DNS configuration
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Set dnsconfig.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
diff --git a/playbooks/dnsconfig/set-configuration.yml b/playbooks/dnsconfig/set-configuration.yml
new file mode 100644
index 00000000..17880aaf
--- /dev/null
+++ b/playbooks/dnsconfig/set-configuration.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to handle global DNS configuration
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Set dnsconfig.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ forward_policy: only
+ allow_sync_ptr: yes
diff --git a/plugins/modules/ipadnsconfig.py b/plugins/modules/ipadnsconfig.py
new file mode 100644
index 00000000..4c9cf2d7
--- /dev/null
+++ b/plugins/modules/ipadnsconfig.py
@@ -0,0 +1,257 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Authors: +# Rafael Guterres Jeffman +# +# Copyright (C) 2019 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + + +ANSIBLE_METADATA = { + "metadata_version": "1.0", + "supported_by": "community", + "status": ["preview"], +} + +DOCUMENTATION = """ +--- +module: ipadnsconfig +short description: Manage FreeIPA dnsconfig +description: Manage FreeIPA dnsconfig +options: + ipaadmin_principal: + description: The admin principal + default: admin + ipaadmin_password: + description: The admin password + required: false + + forwarders: + description: The list of global DNS forwarders. + required: false + options: + ip_address: + description: The forwarder nameserver IP address list (IPv4 and IPv6). + required: true + port: + description: The port to forward requests to. + required: false + forward_policy: + description: + Global forwarding policy. Set to "none" to disable any configured + global forwarders. + required: false + choices: ['only', 'first', 'none'] + allow_sync_ptr: + description: + Allow synchronization of forward (A, AAAA) and reverse (PTR) records. + required: false + type: bool + state: + description: State to ensure + default: present + choices: ["present", "absent"] +""" + +EXAMPLES = """ +# Ensure global DNS forward configuration, allowing PTR record synchronization. 
+- ipadnsconfig: + forwarders: + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + forward_policy: only + allow_sync_ptr: yes + +# Ensure forwarder is absent. +- ipadnsconfig: + forwarders: + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent + +# Disable PTR record synchronization. +- ipadnsconfig: + allow_sync_ptr: no + +# Disable global forwarders. +- ipadnsconfig: + forward_policy: none +""" + +RETURN = """ +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text +from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ + temp_kdestroy, valid_creds, api_connect, api_command, \ + api_command_no_name, compare_args_ipa, module_params_get, \ + gen_add_del_lists, is_ipv4_addr, is_ipv6_addr, ipalib_errors + + +def find_dnsconfig(module): + _args = { + "all": True, + } + + _result = api_command_no_name(module, "dnsconfig_show", _args) + + if "result" in _result: + if _result["result"].get('idnsforwarders', None) is None: + _result["result"]['idnsforwarders'] = [''] + return _result["result"] + else: + module.fail("Could not retrieve current DNS configuration.") + return None + + +def gen_args(module, state, dnsconfig, forwarders, forward_policy, + allow_sync_ptr): + _args = {} + + if forwarders: + _forwarders = [] + for forwarder in forwarders: + ip_address = forwarder.get('ip_address') + port = forwarder.get('port') + if not (is_ipv4_addr(ip_address) or is_ipv6_addr(ip_address)): + module.fail( + msg="Invalid IP for DNS forwarder: %s" % ip_address) + if port is None: + _forwarders.append(ip_address) + else: + _forwarders.append('%s port %d' % (ip_address, port)) + + global_forwarders = dnsconfig.get('idnsforwarders', []) + if state == 'absent': + _args['idnsforwarders'] = [ + fwd for fwd in global_forwarders if fwd not in _forwarders] + # When all forwarders should be excluded, use an empty string (''). 
+ if not _args['idnsforwarders']: + _args['idnsforwarders'] = [''] + + elif state == 'present': + _args['idnsforwarders'] = [ + fwd for fwd in _forwarders if fwd not in global_forwarders] + # If no forwarders should be added, remove argument. + if not _args['idnsforwarders']: + del _args['idnsforwarders'] + + else: + # shouldn't happen, but let's be paranoid. + module.fail(msg="Invalid state: %s" % state) + + if forward_policy is not None: + _args['idnsforwardpolicy'] = forward_policy + + if allow_sync_ptr is not None: + _args['idnsallowsyncptr'] = 'TRUE' if allow_sync_ptr else 'FALSE' + + return _args + + +def main(): + forwarder_spec = dict( + ip_address=dict(type=str, required=True), + port=dict(type=int, required=False, default=None) + ) + + ansible_module = AnsibleModule( + argument_spec=dict( + # general + ipaadmin_principal=dict(type='str', default='admin'), + ipaadmin_password=dict(type='str', no_log=True), + + # dnsconfig + forwarders=dict(type='list', default=None, required=False, + options=dict(**forwarder_spec)), + forward_policy=dict(type='str', required=False, default=None, + choices=['only', 'first', 'none']), + allow_sync_ptr=dict(type='bool', required=False, default=None), + + # general + state=dict(type="str", default="present", + choices=["present", "absent"]), + + ) + ) + + ansible_module._ansible_debug = True + + # general + ipaadmin_principal = module_params_get(ansible_module, + "ipaadmin_principal") + ipaadmin_password = module_params_get(ansible_module, + "ipaadmin_password") + + forwarders = module_params_get(ansible_module, 'forwarders') or [] + forward_policy = module_params_get(ansible_module, 'forward_policy') + allow_sync_ptr = module_params_get(ansible_module, 'allow_sync_ptr') + + state = module_params_get(ansible_module, 'state') + + # Check parameters. 
+ invalid = [] + if state == 'absent': + invalid = ['forward_policy', 'allow_sync_ptr'] + + for x in invalid: + if vars()[x] is not None: + ansible_module.fail_json( + msg="Argument '%s' can not be used with state '%s'" % + (x, state)) + + # Init + + changed = False + ccache_dir = None + ccache_name = None + try: + if not valid_creds(ansible_module, ipaadmin_principal): + ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, + ipaadmin_password) + api_connect() + + res_find = find_dnsconfig(ansible_module) + args = gen_args(ansible_module, state, res_find, forwarders, + forward_policy, allow_sync_ptr) + + # Execute command only if configuration changes. + if not compare_args_ipa(ansible_module, args, res_find): + try: + api_command_no_name(ansible_module, 'dnsconfig_mod', args) + # If command did not fail, something changed. + changed = True + + except Exception as e: + msg = str(e) + ansible_module.fail_json(msg="dnsconfig_mod: %s" % msg) + + except Exception as e: + ansible_module.fail_json(msg=str(e)) + + finally: + temp_kdestroy(ccache_dir, ccache_name) + + # Done + + ansible_module.exit_json(changed=changed) + + +if __name__ == "__main__": + main() diff --git a/tests/dnsconfig/test_dnsconfig.yml b/tests/dnsconfig/test_dnsconfig.yml new file mode 100644 index 00000000..1e1b1094 --- /dev/null +++ b/tests/dnsconfig/test_dnsconfig.yml 
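Review bot: `find_dnsconfig` and `gen_args` call `module.fail(...)`, but AnsibleModule has no `fail` method (the rest of this hunk uses `fail_json`), so the invalid-IP and failed-show paths raise AttributeError, which the outer `except Exception` in `main` reports as a missing-attribute message instead of the intended text; use `module.fail_json(msg="Invalid IP for DNS forwarder: %s" % ip_address)` and `module.fail_json(msg="Could not retrieve current DNS configuration.")`. The present and absent branches also disagree on what `idnsforwarders` means: absent sends the full list of forwarders that should remain, while present sends only the entries not yet configured, so if `dnsconfig_mod` sets the attribute to exactly the list it is given (which is what the absent branch assumes) adding one forwarder would drop the existing ones — present should send `global_forwarders` (minus the `''` placeholder) plus the new entries. The `port` suboption is formatted with `%d` but never range-checked; a `1 <= port <= 65535` guard next to the IP check gives a clearer error than whatever the server returns. Finally, `ansible_module._ansible_debug = True` pokes a private attribute without a word on why, and the DOCUMENTATION key `short description` should be `short_description`.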
@@ -0,0 +1,141 @@
+---
+- name: Test dnsconfig
+ hosts: ipaserver
+ become: true
+ gather_facts: true
+
+ tasks:
+ # Setup.
+ - name: Ensure forwarders are absent.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
+
+ # Tests.
+
+ - name: Set dnsconfig.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ forward_policy: only
+ allow_sync_ptr: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Set dnsconfig, with the same values.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ forward_policy: only
+ allow_sync_ptr: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure forwarder is absent.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure forwarder is absent, again.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Disable global forwarders.
+ ipadnsconfig:
+ forward_policy: none
+ register: result
+ failed_when: not result.changed
+
+ - name: Disable global forwarders, again.
+ ipadnsconfig:
+ forward_policy: none
+ register: result
+ failed_when: result.changed
+
+ - name: Re-enable global forwarders.
+ ipadnsconfig:
+ forward_policy: first
+ register: result
+ failed_when: not result.changed
+
+ - name: Re-enable global forwarders, again.
+ ipadnsconfig:
+ forward_policy: first
+ register: result
+ failed_when: result.changed
+
+ - name: Disable PTR record synchronization.
+ ipadnsconfig:
+ allow_sync_ptr: no
+ register: result
+ failed_when: not result.changed
+
+ - name: Disable PTR record synchronization, again.
+ ipadnsconfig: + allow_sync_ptr: no + register: result + failed_when: result.changed + + - name: Re-enable PTR record synchronization. + ipadnsconfig: + allow_sync_ptr: yes + register: result + failed_when: not result.changed + + - name: Re-enable PTR record synchronization, again. + ipadnsconfig: + allow_sync_ptr: yes + register: result + failed_when: result.changed + + - name: Ensure all forwarders are absent. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent + register: result + failed_when: not result.changed + + + - name: Ensure all forwarders are absent, again. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent + register: result + failed_when: result.changed + + # Cleanup. + - name: Ensure forwarders are absent. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent From a2c80f26ea09bb4086767e645390b1b59d545c20 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Mon, 9 Mar 2020 10:20:02 +0100 Subject: [PATCH 39/40] README-group: Fix description of external parameter The external parameter was showing type flag instead of type bool. --- README-group.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-group.md b/README-group.md index 0fb8a265..4a278560 100644 --- a/README-group.md +++ b/README-group.md 
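Review bot: The cleanup task at the end of this hunk only removes the forwarders, while the test has meanwhile set `forward_policy: first` and `allow_sync_ptr: yes` on the global configuration and never restores whatever the server had before, so a test run permanently changes the target's DNS forwarding and PTR-sync behaviour. Since the module offers no read-only mode from which to record the original values, at least state this at the top of the file, e.g. `# NOTE: this test leaves forward_policy=first and allow_sync_ptr=yes set on the server.`, or add a final ipadnsconfig task that pins the values the project's test servers are expected to have. The setup task lists `2001:4860:4860::8888` twice, with and without `port: 53`; a short comment saying this is deliberate, to clear both forms, would save the next reader a puzzled moment.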
@@ -138,7 +138,7 @@ Variable | Description | Required `description` | The group description string. | no `gid` \| `gidnumber` | The GID integer. | no `nonposix` | Create as a non-POSIX group. (bool) | no -`external` | Allow adding external non-IPA members from trusted domains. (flag) | no +`external` | Allow adding external non-IPA members from trusted domains. (bool) | no `nomembers` | Suppress processing of membership attributes. (bool) | no `user` | List of user name strings assigned to this group. | no `group` | List of group name strings assigned to this group. | no From 1e1ff7ad113fc97103b6aaa7d44a5db7e382a4c3 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Thu, 12 Mar 2020 20:49:01 -0300 Subject: [PATCH 40/40] Fixes behavior for host module attribute `reverse` Due to setting aaaa_extra_create_reverse or a_extra_create_reverse when not needed, host module fails to add a host with reverse address. This patch fixes the behavior by only adding *_extra_create_reverse when needed. --- plugins/modules/ipahost.py | 7 ++- tests/host/test_host_reverse.yml | 103 +++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+), 3 deletions(-) create mode 100644 tests/host/test_host_reverse.yml diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py index 7108839c..9b22f5bf 100644 --- a/plugins/modules/ipahost.py +++ b/plugins/modules/ipahost.py @@ -1197,13 +1197,14 @@ def main(): host_name = name[:name.find(".")] _args = {"idnsname": host_name} - if reverse is not None: - _args["a_extra_create_reverse"] = reverse - _args["aaaa_extra_create_reverse"] = reverse if len(dnsrecord_a_add) > 0: _args["arecord"] = dnsrecord_a_add + if reverse is not None: + _args["a_extra_create_reverse"] = reverse if len(dnsrecord_aaaa_add) > 0: _args["aaaarecord"] = dnsrecord_aaaa_add + if reverse is not None: + _args["aaaa_extra_create_reverse"] = reverse commands.append([domain_name, "dnsrecord_add", _args]) 
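Review bot: The two `reverse is not None` checks now sit inside the A and AAAA branches without saying why, and the commit description is the only place recording that `dnsrecord_add` fails when `*_extra_create_reverse` is passed without the matching record; a comment above the first check, `# *_extra_create_reverse is only accepted alongside the matching record type, so attach it per record type.`, keeps that knowledge in the code. With `reverse` set but no A/AAAA records to add, the flag is now silently dropped, which is presumably the intended behaviour — confirm. The enclosing `main()` starts and ends outside this hunk.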
diff --git a/tests/host/test_host_reverse.yml b/tests/host/test_host_reverse.yml new file mode 100644 index 00000000..9031b70b --- /dev/null +++ b/tests/host/test_host_reverse.yml 
@@ -0,0 +1,103 @@
+---
+- name: Test host
+ hosts: ipaserver
+ become: true
+ gather_facts: true
+
+ tasks:
+ - name: Get Domain from server name
+ set_fact:
+ ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
+ when: ipaserver_domain is not defined
+
+ - name: Set host1_fqdn
+ set_fact:
+ host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
+
+ - name: Host absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ update_dns: yes
+ state: absent
+
+ - name: Get IPv4 address prefix from server node
+ set_fact:
+ ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+ join('.') }}"
+ reverse_zone: "{{ ansible_default_ipv4.address.split('.')[2::-1] |
+ join('.') }}"
+
+ - name: Set zone for reverse address.
+ command: ipa dnszone-add "{{ item }}" --skip-nameserver-check --skip-overlap-check
+ with_items:
+ - "{{ reverse_zone + '.in-addr.arpa.' }}"
+ - 'ip6.arpa.'
+ ignore_errors: yes
+
+ - name: Host "{{ host1_fqdn }}" present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ update_dns: yes
+ reverse: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present, again.
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ update_dns: yes
+ reverse: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Hosts host1 absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ update_dns: yes
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with IPv6
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "fd00::0001"
+ update_dns: yes
+ reverse: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with IPv6, again.
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "fd00::0001"
+ update_dns: yes
+ reverse: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Hosts host1 absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ update_dns: yes
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Set zone for reverse address.
+ command: ipa dnszone-del "{{ item }}"
+ with_items:
+ - "{{ reverse_zone + '.in-addr.arpa.' }}"
+ - 'ip6.arpa.'
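Review bot: The zone setup runs `ipa dnszone-add` with `ignore_errors: yes`, so a reverse zone (or `ip6.arpa.`) that already existed on the server before the test is silently accepted, but the cleanup at the end runs `ipa dnszone-del` on the same names unconditionally and would delete that pre-existing zone along with every record in it. Register the add results and delete only the zones this test actually created, as sketched below; that also gives the cleanup task its own name instead of the copied "Set zone for reverse address.". The `reverse_zone` fact assumes a /24 network (it reverses the first three octets of `ansible_default_ipv4.address`), which may be fine for the project's test hosts but deserves a comment.

```yaml
    - name: Set zone for reverse address.
      command: ipa dnszone-add "{{ item }}" --skip-nameserver-check --skip-overlap-check
      with_items:
        - "{{ reverse_zone + '.in-addr.arpa.' }}"
        - 'ip6.arpa.'
      register: zone_add
      ignore_errors: yes

    # … unchanged: host present/absent tasks …

    - name: Remove reverse zones created by this test.
      command: ipa dnszone-del "{{ item.item }}"
      with_items: "{{ zone_add.results }}"
      when: item.rc is defined and item.rc == 0
```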