internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-13 13:02:00 +00:00
Code Issues Projects Releases Wiki Activity

Add missing attributes to ipasudorule.

Browse Source 
This patch adds the following attributes to ipasudorule:

    - order
    - sudooption
    - runasuser
    - runasgroup

It also fixes behavior of sudocmd assigned to the the sudorule, with the
adittion of the attributes:

    - allow_sudocmds
    - deny_sudocmds
    - allow_sudocmdgroups
    - deny_sudocmdgroups

README-sudorule and tests have been updated to comply with the changes.
This commit is contained in:
Rafael Guterres Jeffman
2019-12-31 11:04:49 -03:00
parent 6b3cae53a5
commit dc0a5585fb
11 changed files with 501 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

204
tests/sudorule/test_sudorule.yml
View File

@@ -16,15 +16,22 @@
- name: Ensure some sudocmds are available
ipasudocmd:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name:
- /sbin/ifconfig
- /usr/bin/vim
state: present
- name: Ensure sudocmdgroup is available
ipasudocmdgroup:
ipaadmin_password: MyPassword123
name: test_sudorule
sudocmd: /usr/bin/vim
state: present
- name: Ensure sudorules are absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name:
- testrule1
- allusers
@@ -34,21 +41,21 @@
- name: Ensure sudorule is present
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
register: result
failed_when: not result.changed
- name: Ensure sudorule is present again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
register: result
failed_when: result.changed
- name: Ensure sudorule is present, runAsUserCategory.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
runAsUserCategory: all
register: result
@@ -56,7 +63,7 @@
- name: Ensure sudorule is present, with usercategory 'all'
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
usercategory: all
register: result
@@ -64,7 +71,7 @@
- name: Ensure sudorule is present, with usercategory 'all', again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
usercategory: all
register: result
@@ -72,7 +79,7 @@
- name: Ensure sudorule is present, with hostategory 'all'
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
hostcategory: all
register: result
@@ -80,7 +87,7 @@
- name: Ensure sudorule is present, with hostategory 'all', again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
hostcategory: all
register: result
@@ -88,13 +95,13 @@
- name: Ensure sudorule is disabled
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: disabled
- name: Ensure sudorule is disabled, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: disabled
register: result
@@ -102,7 +109,7 @@
- name: Ensure sudorule is enabled
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: enabled
register: result
@@ -110,37 +117,77 @@
- name: Ensure sudorule is enabled, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: enabled
register: result
failed_when: result.changed
- name: Ensure sudorule is present and some sudocmd are a member of it.
- name: Ensure sudorule is present and some sudocmd are allowed.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and some sudocmd are allowed, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd:
- /sbin/ifconfig
action: member
register: result
failed_when: result.changed
- name: Ensure sudorule is present and some sudocmd are denyed.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and some sudocmd are a member of it, again.
- name: Ensure sudorule is present and some sudocmd are denyed, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
- /sbin/ifconfig
deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: result.changed
- name: Ensure sudorule is present and, sudocmds are absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd: /sbin/ifconfig
deny_sudocmd: /usr/bin/vim
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and, sudocmds are absent, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd: /sbin/ifconfig
deny_sudocmd: /usr/bin/vim
action: member
state: absent
register: result
failed_when: result.changed
- name: Ensure sudorule is present with cmdcategory 'all'.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
cmdcategory: all
register: result
@@ -148,7 +195,7 @@
- name: Ensure sudorule is present with cmdcategory 'all', again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
cmdcategory: all
register: result
@@ -156,7 +203,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
@@ -165,7 +212,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
@@ -190,25 +237,77 @@
register: result
failed_when: result.changed
- name: Ensure sudorule sudocmds are absent
- name: Ensure sudorule is present, with an allow_sudocmdgroup.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
- /sbin/ifconfig
- /usr/bin/vim
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: result.changed
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule sudocmds are absent, again
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
- /sbin/ifconfig
- /usr/bin/vim
allow_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with an deny_sudocmdgroup.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: result.changed
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
@@ -216,7 +315,7 @@
- name: Ensure sudorule is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: absent
register: result
@@ -224,7 +323,7 @@
- name: Ensure sudorule is absent, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: absent
register: result
@@ -232,7 +331,7 @@
- name: Ensure sudorule allhosts is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
state: absent
register: result
@@ -240,7 +339,7 @@
- name: Ensure sudorule allhosts is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
state: absent
register: result
@@ -248,7 +347,7 @@
- name: Ensure sudorule allusers is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
state: absent
register: result
@@ -256,7 +355,7 @@
- name: Ensure sudorule allusers is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
state: absent
register: result
@@ -264,7 +363,7 @@
- name: Ensure sudorule allcommands is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
state: absent
register: result
@@ -272,8 +371,29 @@
- name: Ensure sudorule allcommands is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
state: absent
register: result
failed_when: result.changed
# cleanup
- name : Ensure sudocmdgroup is absent
ipasudocmdgroup:
ipaadmin_password: MyPassword123
name: test_sudorule
state: absent
- name: Ensure hostgroup is absent.
ipahostgroup:
ipaadmin_password: MyPassword123
name: cluster
state: absent
- name: Ensure sudocmds are absent
ipasudocmd:
ipaadmin_password: MyPassword123
name:
- /sbin/ifconfig
- /usr/bin/vim
state: absent