internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1290 from rjeffman/multiple_sudorule

Browse Source 
ipasudorule: Add support for batch mode and multiple sudorules
This commit is contained in:
Thomas Woerner
2024-11-19 14:55:40 +01:00
committed by GitHub
parent 5a774d2612 6c94fe9bd5
commit d580431832
11 changed files with 1482 additions and 292 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
README-sudorule.md
View File

@@ -129,6 +129,49 @@ Example playbook to make sure Sudo Rule is absent:
state: absent state: absent
``` ```
Example playbook to ensure multiple Sudo Rule are present using batch mode:
```yaml
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
- name: Ensure multiple Sudo Rules are present using batch mode.
ipasudorule:
ipaadmin_password: SomeADMINpassword
sudorules:
- name: testrule1
hostmask:
- 192.168.122.1/24
- name: testrule2
hostcategory: all
```
Example playbook to ensure multiple Sudo Rule members are present using batch mode:
```yaml
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
- name: Ensure multiple Sudo Rules are present using batch mode.
ipasudorule:
ipaadmin_password: SomeADMINpassword
action: member
sudorules:
- name: testrule1
user:
- user01
- user02
group:
- group01
- name: testrule2
hostgroup:
- hostgroup01
- hostgroup02
```
Variables Variables
========= =========
@@ -139,7 +182,9 @@ Variable | Description | Required
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudorule name strings. | yes `name` \| `cn` | The list of sudorule name strings. | no
`sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
&nbsp; | `name` - The sudorule name string of the entry. | yes
`description` | The sudorule description string. | no `description` | The sudorule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no

233
plugins/module_utils/ansible_freeipa_module.py
View File

@@ -526,6 +526,10 @@ def module_params_get(module, name, allow_empty_list_item=False):
def module_params_get_lowercase(module, name, allow_empty_list_item=False): def module_params_get_lowercase(module, name, allow_empty_list_item=False):
value = module_params_get(module, name, allow_empty_list_item) value = module_params_get(module, name, allow_empty_list_item)
return convert_param_value_to_lowercase(value)
def convert_param_value_to_lowercase(value):
if isinstance(value, list): if isinstance(value, list):
value = [v.lower() for v in value] value = [v.lower() for v in value]
if isinstance(value, (str, unicode)): if isinstance(value, (str, unicode)):
@@ -1584,3 +1588,232 @@ class IPAAnsibleModule(AnsibleModule):
ts = time.time() ts = time.time()
# pylint: disable=super-with-arguments # pylint: disable=super-with-arguments
super(IPAAnsibleModule, self).warn("%f %s" % (ts, warning)) super(IPAAnsibleModule, self).warn("%f %s" % (ts, warning))
class EntryFactory:
"""
Implement an Entry Factory to extract objects from modules.
When defining an ansible-freeipa module which allows the setting of
multiple objects in a single task, the object parameters can be set
as a set of parameters, or as a list of dictionaries with multiple
objects.
The EntryFactory abstracts the extraction of the entry values so
that the entries set in a module can be treated as a list of objects
independent of the way the objects have been defined (as single object
defined by its parameters or as a list).
Parameters
----------
ansible_module: The ansible module to be processed.
invalid_params: The list of invalid parameters for the current
state/action combination.
multiname: The name of the list of objects parameters.
params: a dict of the entry parameters with its configuration as a
dict. The 'convert' configuration is a list of functions to be
applied, in order, to the provided value for the paarameter. Any
other configuration field is ignored in the current implementation.
validate_entry: an optional function to validate the entry values.
This function is called after the parameters for the current
state/action are checked, and can be used to perform further
validation or modification to the entry values. If the entry is
not valid, 'fail_json' should be called. The function must return
the entry, modified or not. The funcion signature is
'def fn(module:IPAAnsibleModule, entry: Entry) -> Entry:'
**user_vars: any other keyword argument is passed to the
validate_entry callback as user data.
Example
-------
def validate_entry(module, entry, mydata):
if (something_is_wrong(entry)):
module.fail_json(msg=f"Something wrong with {entry.name}")
entry.some_field = mydata
return entry
def main():
# ...
# Create param mapping, all moudle parameters must be
# present as keys of this dictionary
params = {
"name": {},
"description": {}
"user": {
"convert": [convert_param_value_to_lowercase]
},
"group": {"convert": [convert_param_value_to_lowercase]}
}
entries = EntryFactory(
module, invalid_params, "entries", params,
validate_entry=validate_entry,
mydata=1234
)
#...
with module.ipa_connect(context=context):
# ...
for entry in entries:
# process entry and create commands
# ...
"""
def __init__(
self,
ansible_module,
invalid_params,
multiname,
params,
validate_entry=None,
**user_vars
):
"""Initialize the Entry Factory."""
self.ansible_module = ansible_module
self.invalid_params = set(invalid_params)
self.multiname = multiname
self.params = params
self.convert = {
param: (config or {}).get("convert", [])
for param, config in params.items()
}
self.validate_entry = validate_entry
self.user_vars = user_vars
self.__entries = self._get_entries()
def __iter__(self):
"""Initialize factory iterator."""
return iter(self.__entries)
def __next__(self):
"""Retrieve next entry."""
return next(self.__entries)
def check_invalid_parameter_usage(self, entry_dict, fail_on_check=True):
"""
Check if entry_dict parameters are valid for the current state/action.
Parameters
----------
entry_dict: A dictionary representing the module parameters.
fail_on_check: If set to True wil make the module execution fail
if invalid parameters are used.
Return
------
If fail_on_check is not True, returns True if the entry parameters
are valid and execution should proceed, False otherwise.
"""
state = self.ansible_module.params_get("state")
action = self.ansible_module.params_get("action")
if action is None:
msg = "Arguments '{0}' can not be used with state '{1}'"
else:
msg = "Arguments '{0}' can not be used with action " \
"'{2}' and state '{1}'"
entry_params = set(k for k, v in entry_dict.items() if v is not None)
match_invalid = self.invalid_params & entry_params
if match_invalid:
if fail_on_check:
self.ansible_module.fail_json(
msg=msg.format(", ".join(match_invalid), state, action))
return False
if not entry_dict.get("name"):
if fail_on_check:
self.ansible_module.fail_json(msg="Entry 'name' is not set.")
return False
return True
class Entry:
"""Provide an abstraction to handle module entries."""
def __init__(self, values):
"""Initialize entry to be used as dict or object."""
self.values = values
for key, value in values.items():
setattr(self, key, value)
def copy(self):
"""Make a copy of the entry."""
return EntryFactory.Entry(self.values.copy())
def __setitem__(self, item, value):
"""Allow entries to be treated as dictionaries."""
self.values[item] = value
setattr(self, item, value)
def __getitem__(self, item):
"""Allow entries to be treated as dictionaries."""
return self.values[item]
def __setattr__(self, attrname, value):
if attrname != "values" and attrname in self.values:
self.values[attrname] = value
super().__setattr__(attrname, value)
def __repr__(self):
"""Provide a string representation of the stored values."""
return repr(self.values)
def _get_entries(self):
"""Retrieve all entries from the module."""
def copy_entry_and_set_name(entry, name):
_result = entry.copy()
_result.name = name
return _result
names = self.ansible_module.params_get("name")
if names is not None:
if not isinstance(names, list):
names = [names]
# Get entrie(s) defined by the 'name' parameter.
# For most states and modules, 'name' will represent a single
# entry, but for some states, like 'absent', it could be a
# list of names.
_entry = self._extract_entry(
self.ansible_module,
IPAAnsibleModule.params_get
)
# copy attribute values if 'name' returns a list
_entries = [
copy_entry_and_set_name(_entry, _name)
for _name in names
]
else:
_entries = [
self._extract_entry(data, dict.get)
for data in self.ansible_module.params_get(self.multiname)
]
return _entries
def _extract_entry(self, data, param_get):
"""Extract an entry from the given data, using the given method."""
def get_entry_param_value(parameter, conversions):
_value = param_get(data, parameter)
if _value and conversions:
for fn in conversions:
_value = fn(_value)
return _value
# Build 'parameter: value' mapping for all module parameters
_entry = {
parameter: get_entry_param_value(parameter, conversions)
for parameter, conversions in self.convert.items()
}
# Check if any invalid parameter is used.
self.check_invalid_parameter_usage(_entry)
# Create Entry object
_result = EntryFactory.Entry(_entry)
# Call entry validation callback, if provided.
if self.validate_entry:
_result = self.validate_entry(
self.ansible_module, _result, **self.user_vars)
return _result

730
plugins/modules/ipasudorule.py
View File

File diff suppressed because it is too large Load Diff

3
setup.cfg
View File

@@ -82,6 +82,9 @@ ignored-modules =
os, os,
SSSDConfig SSSDConfig
[pylint.DESIGN]
max-attributes=12
[pylint.REFACTORING] [pylint.REFACTORING]
max-nested-blocks = 9 max-nested-blocks = 9

8
tests/sudorule/test_sudorule.yml
View File

@@ -3,11 +3,15 @@
- name: Test sudorule - name: Test sudorule
hosts: "{{ ipa_test_host | default('ipaserver') }}" hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: true become: true
gather_facts: true gather_facts: false
tasks: tasks:
# setup # setup
- name: Ensure DNS Ansible facts are available
ansible.builtin.setup:
gather_subset: dns
- name: Ensure test user is present - name: Ensure test user is present
ipauser: ipauser:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
@@ -1157,7 +1161,7 @@
hostmask: 192.168.120.0/24 hostmask: 192.168.120.0/24
action: member action: member
register: result register: result
check_mode: yes check_mode: true
failed_when: not result.changed or result.failed failed_when: not result.changed or result.failed
- name: Ensure sudorule hostmask member is present - name: Ensure sudorule hostmask member is present

19
tests/sudorule/test_sudorule_categories.yml
View File

@@ -1,13 +1,22 @@
--- ---
- name: Test sudorule user category - name: Test sudorule user category
hosts: ipaserver hosts: ipaserver
become: yes become: false
gather_facts: yes gather_facts: false
tasks: tasks:
- name: Get Domain from the server name - name: Test sudorule single hostnames
ansible.builtin.set_fact: block:
ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}" # setup test environment
- name: Ensure ipaserver_domain is set
when: ipaserver_domain is not defined
block:
- name: Retrieve host information
ansible.builtin.setup:
gather_subset: dns
- name: Get Domain from the server name
ansible.builtin.set_fact:
ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"
- name: Ensure sudorules are absent - name: Ensure sudorules are absent
ipasudorule: ipasudorule:

16
tests/sudorule/test_sudorule_client_context.yml
View File

@@ -1,8 +1,8 @@
--- ---
- name: Test sudorule - name: Test sudorule
hosts: ipaclients, ipaserver hosts: ipaclients, ipaserver
become: no become: false
gather_facts: no gather_facts: false
tasks: tasks:
- name: Include FreeIPA facts. - name: Include FreeIPA facts.
@@ -37,3 +37,15 @@
when: groups['ipaclients'] is not defined or not groups['ipaclients'] when: groups['ipaclients'] is not defined or not groups['ipaclients']
vars: vars:
ipa_context: client ipa_context: client
- name: Test sudorule using client context, in client host.
ansible.builtin.import_playbook: test_sudorules.yml
when: groups['ipaclients']
vars:
ipa_test_host: ipaclients
- name: Test sudorule using client context, in server host.
ansible.builtin.import_playbook: test_sudorules.yml
when: groups['ipaclients'] is not defined or not groups['ipaclients']
vars:
ipa_context: client

6
tests/sudorule/test_sudorule_member_case_insensitive.yml
View File

@@ -1,8 +1,8 @@
--- ---
- name: Test sudorule members should be case insensitive. - name: Test sudorule members should be case insensitive.
hosts: "{{ ipa_test_host | default('ipaserver') }}" hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: no become: false
gather_facts: no gather_facts: false
vars: vars:
groups_present: groups_present:
@@ -37,7 +37,7 @@
ipahost: ipahost:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
name: "{{ item }}.{{ ipa_domain }}" name: "{{ item }}.{{ ipa_domain }}"
force: yes force: true
loop: "{{ groups_present }}" loop: "{{ groups_present }}"
- name: Ensure test users exist. - name: Ensure test users exist.

19
tests/sudorule/test_sudorule_single_hostnames.yml
View File

@@ -1,17 +1,22 @@
--- ---
- name: Test sudorule with single hostnames. - name: Test sudorule with single hostnames.
hosts: "{{ ipa_test_host | default('ipaserver') }}" hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: no become: false
gather_facts: no gather_facts: false
tasks: tasks:
- name: Test sudorule single hostnames - name: Test sudorule single hostnames
block: block:
# setup test environment # setup test environment
- name: Get Domain from the server name - name: Ensure ipaserver_domain is set
ansible.builtin.set_fact:
ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"
when: ipaserver_domain is not defined when: ipaserver_domain is not defined
block:
- name: Retrieve host information
ansible.builtin.setup:
gather_subset: dns
- name: Get Domain from the server name
ansible.builtin.set_fact:
ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"
- name: Ensure test sudo rule is absent - name: Ensure test sudo rule is absent
ipasudorule: ipasudorule:
@@ -24,9 +29,9 @@
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
hosts: hosts:
- name: "host01.{{ ipaserver_domain }}" - name: "host01.{{ ipaserver_domain }}"
force: yes force: true
- name: "host02.{{ ipaserver_domain }}" - name: "host02.{{ ipaserver_domain }}"
force: yes force: true
# start tests # start tests
- name: Ensure sudorule exist with host member using FQDN. - name: Ensure sudorule exist with host member using FQDN.

382
tests/sudorule/test_sudorules.yml Normal file
View File

@@ -0,0 +1,382 @@
---
- name: Test sudorule
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: false
gather_facts: false
module_defaults:
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipahostgroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipasudocmdgroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipasudocmd:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
tasks:
# setup
- name: Ensure ansible facts for DNS are available
ansible.builtin.setup:
gather_subset: dns
- name: Ensure test users are absent
ipauser:
name:
- user01
- user02
state: absent
- name: Ensure test groups are absent
ipagroup:
name:
- group01
- group02
state: absent
- name: Ensure test hostgroup is absent
ipahostgroup:
name: cluster
state: absent
- name: Ensure test users are present
ipauser:
users:
- name: user01
first: user
last: zeroone
- name: user02
first: user
last: zerotwo
- name: Ensure groups are present
ipagroup:
groups:
- name: group01
user: user01
- name: group02
- name: Ensure sudocmdgroup is absent
ipasudocmdgroup:
name: test_sudorule_cmdgroup
state: absent
- name: Ensure hostgroup is present, with a host.
ipahostgroup:
name: cluster
host: "{{ ansible_facts['fqdn'] }}"
- name: Ensure some sudocmds are available
ipasudocmd:
name:
- /sbin/ifconfig
- /usr/bin/vim
- /usr/bin/emacs
state: present
- name: Ensure sudocmdgroup is available
ipasudocmdgroup:
name: test_sudorule_cmdgroup
sudocmd: /usr/bin/vim
state: present
- name: Ensure another sudocmdgroup is available
ipasudocmdgroup:
name: test_sudorule_cmdgroup_2
sudocmd: /usr/bin/emacs
state: present
- name: Ensure sudorules are absent
ipasudorule:
name:
- testrule1
- testrule2
- allusers
- allhosts
- allcommands
state: absent
# tests
- name: Run sudorules tests.
block:
- name: Ensure sudorules are present
ipasudorule:
sudorules:
- name: testrule1
- name: testrule2
- name: allhosts
- name: allcommands
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorules are present, again
ipasudorule:
sudorules:
- name: testrule1
- name: testrule2
- name: allhosts
- name: allcommands
register: result
failed_when: result.changed or result.failed
- name: Ensure testrule1 and testrule2 are absent
ipasudorule:
sudorules:
- name: testrule1
- name: testrule2
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Ensure testrule1 and testrule2 are absent, again
ipasudorule:
sudorules:
- name: testrule1
- name: testrule2
state: absent
register: result
failed_when: result.changed or result.failed
- name: Ensure allhosts and allcommands sudorules are still present
ipasudorule:
sudorules:
- name: allhosts
- name: allcomands
state: absent
check_mode: true
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorules with parameters are present
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user01
- name: testrule2
runasuser_group:
- group01
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorules with parameters are present, again
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user01
- name: testrule2
runasuser_group:
- group01
state: present
register: result
failed_when: result.changed or result.failed
- name: Ensure sudorules with parameters are modified
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user02
- name: testrule2
runasuser_group:
- group02
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorules with parameters are modified again
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user02
- name: testrule2
runasuser_group:
- group02
state: present
register: result
failed_when: result.changed or result.failed
- name: Ensure sudorules members can be modified
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user01
- name: testrule2
runasuser_group:
- group01
action: member
state: present
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorules members can modified, again
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user01
- user02
- name: testrule2
runasuser_group:
- group01
- group02
action: member
state: present
register: result
failed_when: result.changed or result.failed
- name: Ensure sudorules members are absent
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user01
- name: testrule2
runasuser_group:
- group02
action: member
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Ensure sudorules members are absent, again
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user01
- name: testrule2
runasuser_group:
- group02
action: member
state: absent
register: result
failed_when: result.changed or result.failed
- name: Ensure testrule1 and testrule2 are present, with proper attributes
ipasudorule:
sudorules:
- name: testrule1
runasuser:
- user02
- name: testrule2
runasuser_group:
- group01
state: present
register: result
failed_when: result.changed or result.failed
- name: Ensure testrule1 and testrule2 are disabled
ipasudorule:
sudorules:
- name: testrule1
- name: testrule2
state: disabled
register: result
failed_when: not result.changed or result.failed
- name: Ensure testrule1 and testrule2 are disabled, again
ipasudorule:
sudorules:
- name: testrule1
- name: testrule2
state: disabled
register: result
failed_when: result.changed or result.failed
- name: Ensure testrule1 and testrule2 are enabled
ipasudorule:
sudorules:
- name: testrule1
- name: testrule2
state: enabled
register: result
failed_when: not result.changed or result.failed
- name: Ensure testrule1 and testrule2 are enabled, again
ipasudorule:
sudorules:
- name: testrule1
- name: testrule2
state: enabled
register: result
failed_when: result.changed or result.failed
- name: Ensure multiple sudorules cannot be enabled with invalid parameters
ipasudorule:
sudorules:
- name: testrule1
runasuser: user01
- name: testrule2
runasuser: user01
state: enabled
register: result
failed_when: not result.failed and "Argument 'runasuser' can not be used with action 'sudorule' and state 'enabled'" not in result.msg
- name: Ensure multiple sudorules cannot be disabled with invalid parameters
ipasudorule:
sudorules:
- name: testrule1
runasuser: user01
- name: testrule2
runasuser: user01
state: disabled
register: result
failed_when: not result.failed and "Argument 'runasuser' can not be used with action 'sudorule' and state 'disabled'" not in result.msg
# cleanup
always:
- name: Cleanup sudorules
ipasudorule:
name:
- testrule1
- testrule2
- allusers
- allhosts
- allcommands
state: absent
- name: Ensure sudocmdgroup is absent
ipasudocmdgroup:
name:
- test_sudorule_cmdgroup
- test_sudorule_cmdgroup_2
state: absent
- name: Ensure sudocmds are absent
ipasudocmd:
name:
- /sbin/ifconfig
- /usr/bin/vim
- /usr/bin/emacs
state: absent
- name: Ensure hostgroup is absent.
ipahostgroup:
name: cluster
state: absent
- name: Ensure groups are absent
ipagroup:
name: group01,group02
state: absent
- name: Ensure user is absent
ipauser:
name: user01,user02
state: absent

311
tests/sudorule/test_sudorules_member_case_insensitive.yml Normal file
View File

@@ -0,0 +1,311 @@
---
- name: Test sudorules members should be case insensitive.
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: false
gather_facts: false
module_defaults:
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipahostgroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipasudocmdgroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipasudocmd:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
vars:
groups_present:
- eleMENT1
- Element2
- eLeMenT3
- ElemENT4
tasks:
- name: Test sudorule member case insensitive
block:
# SETUP
- name: Ensure domain name
ansible.builtin.set_fact:
ipa_domain: ipa.test
when: ipa_domain is not defined
- name: Ensure test groups are absent.
ipagroup:
name: "{{ groups_present }}"
state: absent
- name: Ensure test hostgroups are absent.
ipahostgroup:
name: "{{ groups_present }}"
state: absent
- name: Ensure test users are absent.
ipauser:
name: "{{ groups_present }}"
state: absent
- name: Ensure test groups exist.
ipagroup:
name: "{{ item }}"
loop: "{{ groups_present }}"
- name: Ensure test hostgroups exist.
ipahostgroup:
name: "{{ item }}"
loop: "{{ groups_present }}"
- name: Ensure test hosts exist.
ipahost:
name: "{{ item }}.{{ ipa_domain }}"
force: yes
loop: "{{ groups_present }}"
- name: Ensure test users exist.
ipauser:
name: "user{{ item }}"
first: "{{ item }}"
last: "{{ item }}"
loop: "{{ groups_present }}"
- name: Ensure sudorule do not exist
ipasudorule:
sudorules:
- name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
# TESTS
- name: Ensure sudorule exist with runasusers members
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
runasuser: "user{{ item }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule exist with lowercase runasusers members
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
runasuser: "user{{ item | lower }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule exist with uppercase runasusers members
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
runasuser: "user{{ item | upper }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule exist with runasgroup members
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
runasgroup: "{{ item }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule exist with lowercase runasgroup members
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
runasgroup: "{{ item | lower }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule exist with uppercase runasgroup members
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
runasgroup: "{{ item | upper }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule do not exist
ipasudorule:
sudorules:
- name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
#####
- name: Ensure sudorule exist with members
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
hostgroup: "{{ item }}"
host: "{{ item }}.{{ ipa_domain }}"
group: "{{ item }}"
user: "user{{ item }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule exist with members, lowercase
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
hostgroup: "{{ item | lower }}"
host: "{{ item | lower }}.{{ ipa_domain }}"
group: "{{ item | lower }}"
user: "user{{ item | lower }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule exist with members, uppercase
ipasudorule:
sudorules:
- name: "{{ item }}"
cmdcategory: all
hostgroup: "{{ item | upper }}"
host: "{{ item | upper }}.{{ ipa_domain }}"
group: "{{ item | upper }}"
user: "user{{ item | upper }}"
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule member is absent
ipasudorule:
sudorules:
- name: "{{ item }}"
hostgroup: "{{ item }}"
host: "{{ item }}.{{ ipa_domain }}"
group: "{{ item }}"
user: "user{{ item }}"
action: member
state: absent
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule member is absent, lowercase
ipasudorule:
sudorules:
- name: "{{ item }}"
hostgroup: "{{ item | lower }}"
host: "{{ item | lower }}.{{ ipa_domain }}"
group: "{{ item | lower }}"
user: "user{{ item | lower }}"
action: member
state: absent
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule member is absent, upercase
ipasudorule:
sudorules:
- name: "{{ item }}"
hostgroup: "{{ item | upper }}"
host: "{{ item | upper }}.{{ ipa_domain }}"
group: "{{ item | upper }}"
user: "user{{ item | upper }}"
action: member
state: absent
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule member is present, upercase
ipasudorule:
sudorules:
- name: "{{ item }}"
hostgroup: "{{ item | upper }}"
host: "{{ item | upper }}.{{ ipa_domain }}"
group: "{{ item | upper }}"
user: "user{{ item | upper }}"
action: member
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or not result.changed
- name: Ensure sudorule member is present, lowercase
ipasudorule:
sudorules:
- name: "{{ item }}"
hostgroup: "{{ item | lower }}"
host: "{{ item | lower }}.{{ ipa_domain }}"
group: "{{ item | lower }}"
user: "user{{ item | lower }}"
action: member
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
- name: Ensure sudorule member is present, mixed case
ipasudorule:
sudorules:
- name: "{{ item }}"
hostgroup: "{{ item }}"
host: "{{ item }}.{{ ipa_domain }}"
group: "{{ item }}"
user: "user{{ item }}"
action: member
loop: "{{ groups_present }}"
register: result
failed_when: result.failed or result.changed
# cleanup
always:
- name: Ensure sudorule do not exist
ipasudorule:
name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
- name: Ensure test groups do not exist.
ipagroup:
name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
- name: Ensure test hostgroups do not exist.
ipahostgroup:
name: "{{ item }}"
state: absent
loop: "{{ groups_present }}"
- name: Ensure test hosts do not exist.
ipahost:
name: "{{ item }}.{{ ipa_domain }}"
state: absent
loop: "{{ groups_present }}"
- name: Ensure test users do not exist.
ipauser:
name: "user{{ item }}"
state: absent
loop: "{{ groups_present }}"