internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity

ipaservice: Allow execution of plugin in client host.

Browse Source 
Update service README file and add tests for executing plugin with
`ipaapi_context` set to `client`.

A new test playbook can be found at:

    tests/service/test_service_client_context.yml

The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
This commit is contained in:
Rafael Guterres Jeffman
2021-09-03 13:31:57 -03:00
parent 27b50957d1
commit f1381edcd4
5 changed files with 95 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README-service.md
View File

@@ -291,6 +291,7 @@ Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no

8
tests/service/env_cleanup.yml
View File

@@ -3,6 +3,7 @@
- name: Ensure services are absent.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "HTTP/{{ svc_fqdn }}"
- "HTTP/{{ nohost_fqdn }}"
@@ -16,6 +17,7 @@
- name: Ensure host "{{ svc_fqdn }}" is absent
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ svc_fqdn }}"
update_dns: yes
state: absent
@@ -23,6 +25,7 @@
- name: Ensure host is absent
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -34,6 +37,7 @@
- name: Ensure testing users are absent.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- user01
- user02
@@ -42,6 +46,7 @@
- name: Ensure testing groups are absent.
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- group01
- group02
@@ -50,6 +55,7 @@
- name: Ensure testing hostgroup hostgroup01 is absent.
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- hostgroup01
state: absent
@@ -57,6 +63,7 @@
- name: Ensure testing hostgroup hostgroup02 is absent.
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- hostgroup02
state: absent
@@ -64,6 +71,7 @@
- name: Remove IP address for "nohost" host.
ipadnsrecord:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
zone_name: "{{ test_domain }}."
name: nohost
del_all: yes

8
tests/service/env_setup.yml
View File

@@ -10,6 +10,7 @@
- name: Add IP address for "nohost" host.
ipadnsrecord:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
zone_name: "{{ test_domain }}."
name: nohost
a_ip_address: "{{ ipv4_prefix + '.100' }}"
@@ -17,6 +18,7 @@
- name: Add hosts for tests.
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
hosts:
- name: "{{ host1_fqdn }}"
ip_address: "{{ ipv4_prefix + '.101' }}"
@@ -31,6 +33,7 @@
- name: Ensure testing user user01 is present.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: user01
first: user01
last: last
@@ -38,6 +41,7 @@
- name: Ensure testing user user02 is present.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: user02
first: user02
last: last
@@ -45,19 +49,23 @@
- name: Ensure testing group group01 is present.
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: group01
- name: Ensure testing group group02 is present.
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: group02
- name: Ensure testing hostgroup hostgroup01 is present.
ipahostgroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: hostgroup01
- name: Ensure testing hostgroup hostgroup02 is present.
ipahostgroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: hostgroup02

42
tests/service/test_service.yml
View File

@@ -12,7 +12,7 @@
#
---
- name: Test service
hosts: ipaserver
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: yes
tasks:
@@ -28,6 +28,7 @@
- name: Ensure service is present
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
pac_type:
- MS-PAC
@@ -44,6 +45,7 @@
- name: Ensure service is present, again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
pac_type:
- MS-PAC
@@ -60,6 +62,7 @@
- name: Modify service.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
pac_type: NONE
ok_as_delegate: yes
@@ -70,6 +73,7 @@
- name: Modify service, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
pac_type: NONE
ok_as_delegate: yes
@@ -80,6 +84,7 @@
- name: Ensure service is present, without host object.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ nohost_fqdn }}"
skip_host_check: yes
register: result
@@ -88,6 +93,7 @@
- name: Ensure service is present, without host object, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ nohost_fqdn }}"
skip_host_check: yes
register: result
@@ -96,6 +102,7 @@
- name: Ensure service is present, with host not in DNS.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: HTTP/svc.ihavenodns.info
skip_host_check: no
force: yes
@@ -105,6 +112,7 @@
- name: Ensure service is present, with host not in DNS, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: HTTP/svc.ihavenodns.info
skip_host_check: no
force: yes
@@ -114,6 +122,7 @@
- name: Ensure service is present, whithout host object and with host not in DNS.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: HTTP/no.idontexist.info
skip_host_check: yes
force: yes
@@ -123,6 +132,7 @@
- name: Ensure service is present, whithout host object and with host not in DNS, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: HTTP/no.idontexist.info
skip_host_check: yes
force: yes
@@ -132,6 +142,7 @@
- name: Principal host/test.example.com present in service.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
principal:
- host/test.example.com
@@ -142,6 +153,7 @@
- name: Principal host/test.example.com present in service, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
principal:
- host/test.example.com
@@ -153,6 +165,7 @@
- name: Principal host/test.example.com absent in service.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
principal:
- host/test.example.com
@@ -164,6 +177,7 @@
- name: Principal host/test.example.com absent in service, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
principal:
- host/test.example.com
@@ -176,6 +190,7 @@
- name: Ensure host can manage service.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
host:
- "{{ host1_fqdn }}"
@@ -187,6 +202,7 @@
- name: Ensure host can manage service, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
host: "{{ host1_fqdn }}"
action: member
@@ -196,6 +212,7 @@
- name: Ensure host cannot manage service.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
host:
- "{{ host1_fqdn }}"
@@ -208,6 +225,7 @@
- name: Ensure host cannot manage service, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
host:
- "{{ host1_fqdn }}"
@@ -220,6 +238,7 @@
- name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
allow_create_keytab_user:
- user01
@@ -240,6 +259,7 @@
- name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
allow_create_keytab_user:
- user01
@@ -260,6 +280,7 @@
- name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
allow_create_keytab_user:
- user01
@@ -281,6 +302,7 @@
- name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
allow_create_keytab_user:
- user01
@@ -302,6 +324,7 @@
- name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
allow_retrieve_keytab_user:
- user01
@@ -322,6 +345,7 @@
- name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
allow_retrieve_keytab_user:
- user01
@@ -342,6 +366,7 @@
- name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
allow_retrieve_keytab_user:
- user01
@@ -363,6 +388,7 @@
- name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
allow_retrieve_keytab_user:
- user01
@@ -384,6 +410,7 @@
- name: Ensure service is absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
continue: yes
state: absent
@@ -393,6 +420,7 @@
- name: Ensure service is absent, again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
continue: yes
state: absent
@@ -402,6 +430,7 @@
- name: Ensure service is present, with multiple auth_ind values.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
auth_ind: otp,radius
skip_host_check: no
@@ -412,6 +441,7 @@
- name: Ensure service is present, with multiple auth_ind values, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
auth_ind: otp,radius
skip_host_check: no
@@ -422,6 +452,7 @@
- name: Clear auth_ind.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
auth_ind: ""
skip_host_check: no
@@ -432,6 +463,7 @@
- name: Clear auth_ind, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "HTTP/{{ svc_fqdn }}"
auth_ind: ""
skip_host_check: no
@@ -442,6 +474,7 @@
- name: Ensure services are absent.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "HTTP/{{ svc_fqdn }}"
- "HTTP/{{ nohost_fqdn }}"
@@ -455,6 +488,7 @@
- name: Ensure services are absent.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "HTTP/{{ svc_fqdn }}"
- "HTTP/{{ nohost_fqdn }}"
@@ -468,6 +502,7 @@
- name: Ensure SMB service is present.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
pac_type: NONE
smb: yes
@@ -478,6 +513,7 @@
- name: Ensure SMB service is again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
pac_type: NONE
smb: yes
@@ -488,6 +524,7 @@
- name: Modify SMB service.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
smb: yes
netbiosname: SAMBASVC
@@ -503,6 +540,7 @@
- name: Modify SMB service, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
smb: yes
netbiosname: SAMBASVC
@@ -518,6 +556,7 @@
- name: Ensure SMB service is absent.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "cifs/{{ host1_fqdn }}"
continue: yes
state: absent
@@ -527,6 +566,7 @@
- name: Ensure SMB service is absent, again.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "cifs/{{ host1_fqdn }}"
continue: yes
state: absent

37
tests/service/test_service_client_context.yml Normal file
View File

@@ -0,0 +1,37 @@
---
- name: Test service
hosts: ipaclients, ipaserver
become: no
gather_facts: no
tasks:
- name: Include FreeIPA facts.
include_tasks: ../env_freeipa_facts.yml
# Test will only be executed if host is not a server.
- name: Execute with server context in the client.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: server
name: ThisShouldNotWork
register: result
failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
when: ipa_host_is_client
# Import basic module tests, and execute with ipa_context set to 'client'.
# If ipaclients is set, it will be executed using the client, if not,
# ipaserver will be used.
#
# With this setup, tests can be executed against an IPA client, against
# an IPA server using "client" context, and ensure that tests are executed
# in upstream CI.
- name: Test service using client context, in client host.
import_playbook: test_service.yml
when: groups['ipaclients']
vars:
ipa_test_host: ipaclients
- name: Test service using client context, in server host.
import_playbook: test_service.yml
when: groups['ipaclients'] is not defined or not groups['ipaclients']