internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-08 14:23:11 +00:00
Code Issues Projects Releases Wiki Activity

New idp management module

Browse Source 
There is a new idp management module placed in the plugins folder:

    plugins/modules/ipaidp.py

The idp module allows to ensure presence or absence of external Identity
Providers.

Here is the documentation for the module:

    README-idp.md

New idp example playbooks:

    playbooks/idp/idp-present.yml
    playbooks/idp/idp-absent.yml

New tests for the module:

    tests/idp/test_idp.yml
    tests/idp/test_idp_client_context.yml
This commit is contained in:
Thomas Woerner
2023-09-27 10:40:20 +02:00
parent 69c6b4d644
commit f9ff41320f
9 changed files with 945 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
tests/idp/test_idp.yml Normal file
View File

@@ -0,0 +1,141 @@
---
- name: Test idp
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: false
gather_facts: false
module_defaults:
ipaidp:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
tasks:
# CHECK IF WE HAVE IDP SUPPORT
- name: Verify if ipd management is supported
ansible.builtin.shell:
cmd: |
echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin
RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa command-show idp_add)
kdestroy -A -c {{ krb5ccname }}
echo $RESULT
vars:
krb5ccname: "__check_command_idp_add__"
register: check_command_idp_add
- name: Run tests for idp
when: not "idp_add" in check_command_idp_add.stderr
block:
# CLEANUP TEST ITEMS
- name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
ipaidp:
name:
- my-keycloak-idp
- my-github-idp
- my-google-idp
delete_continue: true
state: absent
# CREATE TEST ITEMS
# TESTS
- name: Ensure keycloak idp my-keycloak-idp is present
ipaidp:
name: my-keycloak-idp
provider: keycloak
organization: main
base_url: keycloak.idm.example.com:8443/auth
client_id: my-client-id
register: result
failed_when: not result.changed or result.failed
- name: Ensure keycloak idp my-keycloak-idp is present, again
ipaidp:
name: my-keycloak-idp
provider: keycloak
organization: main
base_url: keycloak.idm.example.com:8443/auth
client_id: my-client-id
register: result
failed_when: result.changed or result.failed
- name: Ensure idp my-keycloak-idp is absent
ipaidp:
name: my-keycloak-idp
delete_continue: true
state: absent
- name: Ensure keycloak idp my-keycloak-idp is failing with missing parameters
ipaidp:
name: my-keycloak-idp
provider: keycloak
client_id: my-client-id
register: result
failed_when: result.changed or not result.failed or
" is missing" not in result.msg
- name: Ensure github idp my-github-idp is present
ipaidp:
name: my-github-idp
provider: github
client_id: my-github-client-id
register: result
failed_when: not result.changed or result.failed
- name: Ensure github idp my-github-idp is present, again
ipaidp:
name: my-github-idp
provider: github
client_id: my-github-client-id
register: result
failed_when: result.changed or result.failed
- name: Ensure google idp my-google-idp is present using provider defaults without specifying provider
ipaidp:
name: my-google-idp
auth_uri: https://accounts.google.com/o/oauth2/auth
dev_auth_uri: https://oauth2.googleapis.com/device/code
token_uri: https://oauth2.googleapis.com/token
keys_uri: https://www.googleapis.com/oauth2/v3/certs
userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
client_id: my-google-client-id
scope: "openid email"
idp_user_id: email
register: result
failed_when: not result.changed or result.failed
- name: Ensure google idp my-google-idp is present using provider defaults without specifying provider, again
ipaidp:
name: my-google-idp
auth_uri: https://accounts.google.com/o/oauth2/auth
dev_auth_uri: https://oauth2.googleapis.com/device/code
token_uri: https://oauth2.googleapis.com/token
keys_uri: https://www.googleapis.com/oauth2/v3/certs
userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
client_id: my-google-client-id
scope: "openid email"
idp_user_id: email
register: result
failed_when: result.changed or result.failed
- name: Ensure google idp my-google-idp is present without changes using provider
ipaidp:
name: my-google-idp
provider: google
client_id: my-google-client-id
register: result
failed_when: result.changed or result.failed
# CLEANUP TEST ITEMS
- name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
ipaidp:
name:
- my-keycloak-idp
- my-github-idp
- my-google-idp
delete_continue: true
state: absent

40
tests/idp/test_idp_client_context.yml Normal file
View File

@@ -0,0 +1,40 @@
---
- name: Test idp
hosts: ipaclients, ipaserver
# It is normally not needed to set "become" to "true" for a module test.
# Only set it to true if it is needed to execute commands as root.
become: false
# Enable "gather_facts" only if "ansible_facts" variable needs to be used.
gather_facts: false
tasks:
- name: Include FreeIPA facts.
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
# Test will only be executed if host is not a server.
- name: Execute with server context in the client.
ipaidp:
ipaadmin_password: SomeADMINpassword
ipaapi_context: server
name: ThisShouldNotWork
register: result
failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
when: ipa_host_is_client
# Import basic module tests, and execute with ipa_context set to 'client'.
# If ipaclients is set, it will be executed using the client, if not,
# ipaserver will be used.
#
# With this setup, tests can be executed against an IPA client, against
# an IPA server using "client" context, and ensure that tests are executed
# in upstream CI.
- name: Test idp using client context, in client host.
import_playbook: test_idp.yml
when: groups['ipaclients']
vars:
ipa_test_host: ipaclients
- name: Test idp using client context, in server host.
import_playbook: test_idp.yml
when: groups['ipaclients'] is not defined or not groups['ipaclients']