internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity

Add missing attributes to ipasudorule.

Browse Source 
This patch adds the following attributes to ipasudorule:

    - order
    - sudooption
    - runasuser
    - runasgroup

It also fixes behavior of sudocmd assigned to the the sudorule, with the
adittion of the attributes:

    - allow_sudocmds
    - deny_sudocmds
    - allow_sudocmdgroups
    - deny_sudocmdgroups

README-sudorule and tests have been updated to comply with the changes.
This commit is contained in:
Rafael Guterres Jeffman
2019-12-31 11:04:49 -03:00
parent 6b3cae53a5
commit dc0a5585fb
11 changed files with 501 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
README-sudorule.md
View File

@@ -68,7 +68,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule:
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
```
@@ -87,7 +87,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
state: absent
@@ -130,8 +130,14 @@ Variable | Description | Required
`hostgroup` | List of host group name strings assigned to this sudorule. | no
`user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no
`cmd` | List of sudocmd name strings assigned to this sudorule. | no
`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no
`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
`sudooption` \| `option` | List of options to the sudorule | no
`order` | Integer to order the sudorule | no
`runasuser` | List of users for Sudo to execute as. | no
`runasgroup` | List of groups for Sudo to execute as. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no

14
playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudooption is absent in sudorule
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
sudooption: "!root"
action: member
state: absent

13
playbooks/sudorule/ensure-sudorule-has-sudooption.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudooption is present in sudorule
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
sudooption: "!root"
action: member

12
playbooks/sudorule/ensure-sudorule-is-present-with-order.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
order: 2

2
playbooks/sudorule/ensure-sudorule-is-present.yml
View File

@@ -9,4 +9,6 @@
ipaadmin_password: MyPassword123
name: testrule1
description: A test sudo rule.
allow_sudocmd: /bin/ls
deny_sudocmd: /bin/vim
state: present

14
playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
runasuser: admin
action: member
state: absent

13
playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
runasuser: admin
action: member

7
playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
View File

@@ -8,8 +8,13 @@
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
deny_sudocmd:
- /usr/bin/vim
allow_sudocmdgroup:
- devops
deny_sudocmdgroup:
- users
action: member
state: absent

7
playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
View File

@@ -8,7 +8,12 @@
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
deny_sudocmd:
- /usr/bin/vim
allow_sudocmdgroup:
- devops
deny_sudocmdgroup:
- users
action: member

347
plugins/modules/ipasudorule.py
View File

@@ -79,18 +79,43 @@ options:
description: Host category the sudo rule applies to.
required: false
choices: ["all"]
cmd:
description: List of sudocmds assigned to this sudorule.
allow_sudocmd:
description: List of allowed sudocmds assigned to this sudorule.
required: false
type: list
cmdgroup:
description: List of sudocmd groups assigned to this sudorule.
allow_sudocmdgroup:
description: List of allowed sudocmd groups assigned to this sudorule.
required: false
type: list
deny_sudocmd:
description: List of denied sudocmds assigned to this sudorule.
required: false
type: list
deny_sudocmdgroup:
description: List of denied sudocmd groups assigned to this sudorule.
required: false
type: list
cmdcategory:
description: Cammand category the sudo rule applies to
description: Command category the sudo rule applies to
required: false
choices: ["all"]
order:
description: Order to apply this rule.
required: false
type: int
sudooption:
description:
required: false
type: list
aliases: ["options"]
runasuser:
description: List of users for Sudo to execute as.
required: false
type: list
runasgroup:
description: List of groups for Sudo to execute as.
required: false
type: list
action:
description: Work on sudorule or member level
default: sudorule
@@ -111,13 +136,13 @@ EXAMPLES = """
# Ensure sudocmd is present in Sudo Rule
- ipasudorule:
ipaadmin_password: pass1234
name: testrule1
cmd:
- /sbin/ifconfig
- /usr/bin/vim
action: member
state: absent
ipaadmin_password: pass1234
name: testrule1
allow_sudocmd:
- /sbin/ifconfig
- /usr/bin/vim
action: member
state: absent
# Ensure host server is present in Sudo Rule
- ipasudorule:
@@ -160,7 +185,7 @@ RETURN = """
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
module_params_get
module_params_get, gen_add_del_lists
def find_sudorule(module, name):
@@ -180,14 +205,26 @@ def find_sudorule(module, name):
return None
def gen_args(ansible_module):
arglist = ['description', 'usercategory', 'hostcategory', 'cmdcategory',
'runasusercategory', 'runasgroupcategory', 'nomembers']
def gen_args(description, usercat, hostcat, cmdcat, runasusercat,
runasgroupcat, order, nomembers):
_args = {}
for arg in arglist:
value = module_params_get(ansible_module, arg)
if value is not None:
_args[arg] = value
if description is not None:
_args['description'] = description
if usercat is not None:
_args['usercategory'] = usercat
if hostcat is not None:
_args['hostcategory'] = hostcat
if cmdcat is not None:
_args['cmdcategory'] = cmdcat
if runasusercat is not None:
_args['ipasudorunasusercategory'] = runasusercat
if runasgroupcat is not None:
_args['ipasudorunasgroupcategory'] = runasgroupcat
if order is not None:
_args['sudoorder'] = order
if nomembers is not None:
_args['nomembers'] = nomembers
return _args
@@ -212,13 +249,21 @@ def main():
hostgroup=dict(required=False, type='list', default=None),
user=dict(required=False, type='list', default=None),
group=dict(required=False, type='list', default=None),
cmd=dict(required=False, type="list", default=None),
allow_sudocmd=dict(required=False, type="list", default=None),
deny_sudocmd=dict(required=False, type="list", default=None),
allow_sudocmdgroup=dict(required=False, type="list", default=None),
deny_sudocmdgroup=dict(required=False, type="list", default=None),
cmdcategory=dict(required=False, type="str", default=None,
choices=["all"]),
runasusercategory=dict(required=False, type="str", default=None,
choices=["all"]),
runasgroupcategory=dict(required=False, type="str", default=None,
choices=["all"]),
runasuser=dict(required=False, type="list", default=None),
runasgroup=dict(required=False, type="list", default=None),
order=dict(type="int", required=False, aliases=['sudoorder']),
sudooption=dict(required=False, type='list', default=None,
aliases=["options"]),
action=dict(type="str", default="sudorule",
choices=["member", "sudorule"]),
# state
@@ -256,8 +301,16 @@ def main():
hostgroup = module_params_get(ansible_module, "hostgroup")
user = module_params_get(ansible_module, "user")
group = module_params_get(ansible_module, "group")
cmd = module_params_get(ansible_module, 'cmd')
cmdgroup = module_params_get(ansible_module, 'cmdgroup')
allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd')
allow_sudocmdgroup = module_params_get(ansible_module,
'allow_sudocmdgroup')
deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd')
deny_sudocmdgroup = module_params_get(ansible_module,
'deny_sudocmdgroup')
sudooption = module_params_get(ansible_module, "sudooption")
order = module_params_get(ansible_module, "order")
runasuser = module_params_get(ansible_module, "runasuser")
runasgroup = module_params_get(ansible_module, "runasgroup")
action = module_params_get(ansible_module, "action")
# state
@@ -272,28 +325,30 @@ def main():
if action == "member":
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory",
"runasgroupcategory", "nomembers"]
"runasgroupcategory", "order", "nomembers"]
for x in invalid:
if x in vars() and vars()[x] is not None:
for arg in invalid:
if arg in vars() and vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with action "
"'%s'" % (x, action))
"'%s'" % (arg, action))
elif state == "absent":
if len(names) < 1:
ansible_module.fail_json(msg="No name given.")
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory",
"runasgroupcategory", "nomembers"]
"runasgroupcategory", "nomembers", "order"]
if action == "sudorule":
invalid.extend(["host", "hostgroup", "user", "group",
"cmd", "cmdgroup"])
for x in invalid:
if vars()[x] is not None:
"runasuser", "runasgroup", "allow_sudocmd",
"allow_sudocmdgroup", "deny_sudocmd",
"deny_sudocmdgroup", "sudooption"])
for arg in invalid:
if vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" %
(x, state))
(arg, state))
elif state in ["enabled", "disabled"]:
if len(names) < 1:
@@ -305,12 +360,14 @@ def main():
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory", "runasgroupcategory",
"nomembers", "nomembers", "host", "hostgroup",
"user", "group", "cmd", "cmdgroup"]
for x in invalid:
if vars()[x] is not None:
"user", "group", "allow_sudocmd", "allow_sudocmdgroup",
"deny_sudocmd", "deny_sudocmdgroup", "runasuser",
"runasgroup", "order", "sudooption"]
for arg in invalid:
if vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" %
(x, state))
(arg, state))
else:
ansible_module.fail_json(msg="Invalid state '%s'" % state)
@@ -335,7 +392,9 @@ def main():
# Create command
if state == "present":
# Generate args
args = gen_args(ansible_module)
args = gen_args(description, usercategory, hostcategory,
cmdcategory, runasusercategory,
runasgroupcategory, order, nomembers)
if action == "sudorule":
# Found the sudorule
if res_find is not None:
@@ -351,44 +410,42 @@ def main():
res_find = {}
# Generate addition and removal lists
host_add = list(
set(host or []) -
set(res_find.get("member_host", [])))
host_del = list(
set(res_find.get("member_host", [])) -
set(host or []))
hostgroup_add = list(
set(hostgroup or []) -
set(res_find.get("member_hostgroup", [])))
hostgroup_del = list(
set(res_find.get("member_hostgroup", [])) -
set(hostgroup or []))
host_add, host_del = gen_add_del_lists(
host, res_find.get('member_host', []))
user_add = list(
set(user or []) -
set(res_find.get("member_user", [])))
user_del = list(
set(res_find.get("member_user", [])) -
set(user or []))
group_add = list(
set(group or []) -
set(res_find.get("member_group", [])))
group_del = list(
set(res_find.get("member_group", [])) -
set(group or []))
hostgroup_add, hostgroup_del = gen_add_del_lists(
hostgroup, res_find.get('member_hostgroup', []))
cmd_add = list(
set(cmd or []) -
set(res_find.get("member_cmd", [])))
cmd_del = list(
set(res_find.get("member_cmd", [])) -
set(cmd or []))
cmdgroup_add = list(
set(cmdgroup or []) -
set(res_find.get("member_cmdgroup", [])))
cmdgroup_del = list(
set(res_find.get("member_cmdgroup", [])) -
set(cmdgroup or []))
user_add, user_del = gen_add_del_lists(
user, res_find.get('member_user', []))
group_add, group_del = gen_add_del_lists(
group, res_find.get('member_group', []))
allow_cmd_add, allow_cmd_del = gen_add_del_lists(
allow_sudocmd,
res_find.get('memberallowcmd_sudocmd', []))
allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists(
allow_sudocmdgroup,
res_find.get('memberallowcmd_sudocmdgroup', []))
deny_cmd_add, deny_cmd_del = gen_add_del_lists(
deny_sudocmd,
res_find.get('memberdenycmd_sudocmd', []))
deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists(
deny_sudocmdgroup,
res_find.get('memberdenycmd_sudocmdgroup', []))
sudooption_add, sudooption_del = gen_add_del_lists(
sudooption, res_find.get('ipasudoopt', []))
runasuser_add, runasuser_del = gen_add_del_lists(
runasuser, res_find.get('ipasudorunas_user', []))
runasgroup_add, runasgroup_del = gen_add_del_lists(
runasgroup, res_find.get('ipasudorunas_group', []))
# Add hosts and hostgroups
if len(host_add) > 0 or len(hostgroup_add) > 0:
@@ -420,20 +477,59 @@ def main():
"group": group_del,
}])
# Add commands
if len(cmd_add) > 0 or len(cmdgroup_add) > 0:
# Add commands allowed
if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_allow_command",
{
"sudocmd": cmd_add,
"sudocmdgroup": cmdgroup_add,
}])
{"sudocmd": allow_cmd_add,
"sudocmdgroup": allow_cmdgroup_add,
}])
if len(cmd_del) > 0 or len(cmdgroup_del) > 0:
if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0:
commands.append([name, "sudorule_remove_allow_command",
{"sudocmd": allow_cmd_del,
"sudocmdgroup": allow_cmdgroup_del
}])
# Add commands denied
if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_deny_command",
{
"sudocmd": cmd_del,
"sudocmdgroup": cmdgroup_del
}])
{"sudocmd": deny_cmd_add,
"sudocmdgroup": deny_cmdgroup_add,
}])
if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0:
commands.append([name, "sudorule_remove_deny_command",
{"sudocmd": deny_cmd_del,
"sudocmdgroup": deny_cmdgroup_del
}])
# Add RunAS Users
if len(runasuser_add) > 0:
commands.append([name, "sudorule_add_runasuser",
{"user": runasuser_add}])
# Remove RunAS Users
if len(runasuser_del) > 0:
commands.append([name, "sudorule_remove_runasuser",
{"user": runasuser_del}])
# Add RunAS Groups
if len(runasgroup_add) > 0:
commands.append([name, "sudorule_add_runasgroup",
{"group": runasgroup_add}])
# Remove RunAS Groups
if len(runasgroup_del) > 0:
commands.append([name, "sudorule_remove_runasgroup",
{"group": runasgroup_del}])
# Add sudo options
for sudoopt in sudooption_add:
commands.append([name, "sudorule_add_option",
{"ipasudoopt": sudoopt}])
# Remove sudo options
for sudoopt in sudooption_del:
commands.append([name, "sudorule_remove_option",
{"ipasudoopt": sudoopt}])
elif action == "member":
if res_find is None:
@@ -456,11 +552,38 @@ def main():
}])
# Add commands
if cmd is not None:
if allow_sudocmd is not None \
or allow_sudocmdgroup is not None:
commands.append([name, "sudorule_add_allow_command",
{
"sudocmd": cmd,
}])
{"sudocmd": allow_sudocmd,
"sudocmdgroup": allow_sudocmdgroup,
}])
# Add commands
if deny_sudocmd is not None \
or deny_sudocmdgroup is not None:
commands.append([name, "sudorule_add_deny_command",
{"sudocmd": deny_sudocmd,
"sudocmdgroup": deny_sudocmdgroup,
}])
# Add RunAS Users
if runasuser is not None:
commands.append([name, "sudorule_add_runasuser",
{"user": runasuser}])
# Add RunAS Groups
if runasgroup is not None:
commands.append([name, "sudorule_add_runasgroup",
{"group": runasgroup}])
# Add options
if sudooption is not None:
existing_opts = res_find.get('ipasudoopt', [])
for sudoopt in sudooption:
if sudoopt not in existing_opts:
commands.append([name, "sudorule_add_option",
{"ipasudoopt": sudoopt}])
elif state == "absent":
if action == "sudorule":
@@ -487,12 +610,40 @@ def main():
"group": group,
}])
# Remove commands
if cmd is not None:
commands.append([name, "sudorule_add_deny_command",
{
"sudocmd": cmd,
}])
# Remove allow commands
if allow_sudocmd is not None \
or allow_sudocmdgroup is not None:
commands.append([name, "sudorule_remove_allow_command",
{"sudocmd": allow_sudocmd,
"sudocmdgroup": allow_sudocmdgroup
}])
# Remove deny commands
if deny_sudocmd is not None \
or deny_sudocmdgroup is not None:
commands.append([name, "sudorule_remove_deny_command",
{"sudocmd": deny_sudocmd,
"sudocmdgroup": deny_sudocmdgroup
}])
# Remove RunAS Users
if runasuser is not None:
commands.append([name, "sudorule_remove_runasuser",
{"user": runasuser}])
# Remove RunAS Groups
if runasgroup is not None:
commands.append([name, "sudorule_remove_runasgroup",
{"group": runasgroup}])
# Remove options
if sudooption is not None:
existing_opts = res_find.get('ipasudoopt', [])
for sudoopt in sudooption:
if sudoopt in existing_opts:
commands.append([name,
"sudorule_remove_option",
{"ipasudoopt": sudoopt}])
elif state == "enabled":
if res_find is None:
@@ -530,9 +681,9 @@ def main():
changed = True
else:
changed = True
except Exception as e:
except Exception as ex:
ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
str(e)))
str(ex)))
# Get all errors
# All "already a member" and "not a member" failures in the
# result are ignored. All others are reported.
@@ -549,8 +700,8 @@ def main():
if len(errors) > 0:
ansible_module.fail_json(msg=", ".join(errors))
except Exception as e:
ansible_module.fail_json(msg=str(e))
except Exception as ex:
ansible_module.fail_json(msg=str(ex))
finally:
temp_kdestroy(ccache_dir, ccache_name)

204
tests/sudorule/test_sudorule.yml
View File

@@ -16,15 +16,22 @@
- name: Ensure some sudocmds are available
ipasudocmd:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name:
- /sbin/ifconfig
- /usr/bin/vim
state: present
- name: Ensure sudocmdgroup is available
ipasudocmdgroup:
ipaadmin_password: MyPassword123
name: test_sudorule
sudocmd: /usr/bin/vim
state: present
- name: Ensure sudorules are absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name:
- testrule1
- allusers
@@ -34,21 +41,21 @@
- name: Ensure sudorule is present
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
register: result
failed_when: not result.changed
- name: Ensure sudorule is present again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
register: result
failed_when: result.changed
- name: Ensure sudorule is present, runAsUserCategory.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
runAsUserCategory: all
register: result
@@ -56,7 +63,7 @@
- name: Ensure sudorule is present, with usercategory 'all'
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
usercategory: all
register: result
@@ -64,7 +71,7 @@
- name: Ensure sudorule is present, with usercategory 'all', again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
usercategory: all
register: result
@@ -72,7 +79,7 @@
- name: Ensure sudorule is present, with hostategory 'all'
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
hostcategory: all
register: result
@@ -80,7 +87,7 @@
- name: Ensure sudorule is present, with hostategory 'all', again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
hostcategory: all
register: result
@@ -88,13 +95,13 @@
- name: Ensure sudorule is disabled
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: disabled
- name: Ensure sudorule is disabled, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: disabled
register: result
@@ -102,7 +109,7 @@
- name: Ensure sudorule is enabled
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: enabled
register: result
@@ -110,37 +117,77 @@
- name: Ensure sudorule is enabled, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: enabled
register: result
failed_when: result.changed
- name: Ensure sudorule is present and some sudocmd are a member of it.
- name: Ensure sudorule is present and some sudocmd are allowed.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and some sudocmd are allowed, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd:
- /sbin/ifconfig
action: member
register: result
failed_when: result.changed
- name: Ensure sudorule is present and some sudocmd are denyed.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and some sudocmd are a member of it, again.
- name: Ensure sudorule is present and some sudocmd are denyed, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
- /sbin/ifconfig
deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: result.changed
- name: Ensure sudorule is present and, sudocmds are absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd: /sbin/ifconfig
deny_sudocmd: /usr/bin/vim
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and, sudocmds are absent, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd: /sbin/ifconfig
deny_sudocmd: /usr/bin/vim
action: member
state: absent
register: result
failed_when: result.changed
- name: Ensure sudorule is present with cmdcategory 'all'.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
cmdcategory: all
register: result
@@ -148,7 +195,7 @@
- name: Ensure sudorule is present with cmdcategory 'all', again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
cmdcategory: all
register: result
@@ -156,7 +203,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
@@ -165,7 +212,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
@@ -190,25 +237,77 @@
register: result
failed_when: result.changed
- name: Ensure sudorule sudocmds are absent
- name: Ensure sudorule is present, with an allow_sudocmdgroup.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
- /sbin/ifconfig
- /usr/bin/vim
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: result.changed
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule sudocmds are absent, again
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
- /sbin/ifconfig
- /usr/bin/vim
allow_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with an deny_sudocmdgroup.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: result.changed
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
@@ -216,7 +315,7 @@
- name: Ensure sudorule is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: absent
register: result
@@ -224,7 +323,7 @@
- name: Ensure sudorule is absent, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: absent
register: result
@@ -232,7 +331,7 @@
- name: Ensure sudorule allhosts is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
state: absent
register: result
@@ -240,7 +339,7 @@
- name: Ensure sudorule allhosts is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
state: absent
register: result
@@ -248,7 +347,7 @@
- name: Ensure sudorule allusers is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
state: absent
register: result
@@ -256,7 +355,7 @@
- name: Ensure sudorule allusers is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
state: absent
register: result
@@ -264,7 +363,7 @@
- name: Ensure sudorule allcommands is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
state: absent
register: result
@@ -272,8 +371,29 @@
- name: Ensure sudorule allcommands is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
state: absent
register: result
failed_when: result.changed
# cleanup
- name : Ensure sudocmdgroup is absent
ipasudocmdgroup:
ipaadmin_password: MyPassword123
name: test_sudorule
state: absent
- name: Ensure hostgroup is absent.
ipahostgroup:
ipaadmin_password: MyPassword123
name: cluster
state: absent
- name: Ensure sudocmds are absent
ipasudocmd:
ipaadmin_password: MyPassword123
name:
- /sbin/ifconfig
- /usr/bin/vim
state: absent