Merge pull request #1398 from t-woerner/sysaccount

Sysaccount management

tests/role/test_role_sysaccount_member.yml

@@ -0,0 +1,161 @@
+---
+- name: Test sysaccount
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
+  # It is normally not needed to set "become" to "true" for a module test.
+  # Only set it to true if it is needed to execute commands as root.
+  become: false
+  # Enable "gather_facts" only if "ansible_facts" variable needs to be used.
+  gather_facts: false
+  module_defaults:
+    ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+    iparole:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+
+  tasks:
+
+  - name: Verify if role sysaccount member tests are possible
+    ansible.builtin.shell:
+      cmd: |
+        echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin > /dev/null
+        RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa role-add-member --help)
+        kdestroy -A -c {{ krb5ccname }} > /dev/null
+        echo $RESULT
+    vars:
+      krb5ccname: "__check_ipa_role_add_member__"
+    register: check_role_add_member
+
+  - name: Execute tests
+    when: '"sysaccounts" in check_role_add_member.stdout'
+    block:
+
+    # CLEANUP TEST ITEMS
+
+    - name: Ensure sysaccount my-app is absent
+      ipasysaccount:
+        name: my-app
+        state: absent
+
+    - name: Ensure role "my-app role" is absent
+      iparole:
+        name: my-app role
+        state: absent
+
+    - name: Ensure privilege "my-app password change privilege" is absent
+      ipaprivilege:
+        name: my-app password change privilege
+        state: absent
+
+    # CREATE TEST ITEMS
+
+    - name: Ensure privilege "my-app password change privilege" is present
+      ipaprivilege:
+        name: my-app password change privilege
+        permission:
+        - "System: Change User password"
+      register: result
+      failed_when: not result.changed or result.failed
+
+    # TESTS
+
+    - name: Ensure sysaccount my-app is present with random password
+      ipasysaccount:
+        name: my-app
+        random: true
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure role "my-app role" is present with sysaccount member my-app
+      iparole:
+        name: my-app role
+        sysaccount: my-app
+        privilege: my-app password change privilege
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure role "my-app role" is present with sysaccount member my-app, again
+      iparole:
+        name: my-app role
+        sysaccount: my-app
+        privilege: my-app password change privilege
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure role my-app role does not have sysaccount member my-app
+      iparole:
+        name: my-app role
+        sysaccount: my-app
+        action: member
+        state: absent
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure role my-app role does not have sysaccount member my-app, again
+      iparole:
+        name: my-app role
+        sysaccount: my-app
+        action: member
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure role my-app role has sysaccount member my-app
+      iparole:
+        name: my-app role
+        sysaccount: my-app
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure role my-app role has sysaccount member my-app, again
+      iparole:
+        name: my-app role
+        sysaccount: my-app
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure role my-app role has zero sysaccount members
+      iparole:
+        name: my-app role
+        sysaccount: []
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure role my-app role has zero sysaccount members, again
+      iparole:
+        name: my-app role
+        sysaccount: []
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure role my-app role does not have sysaccount member my-app, again
+      iparole:
+        name: my-app role
+        sysaccount: my-app
+        action: member
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    # CLEANUP TEST ITEMS
+
+    - name: Ensure sysaccount my-app is absent
+      ipasysaccount:
+        name: my-app
+        state: absent
+
+    - name: Ensure role my-app role is absent
+      iparole:
+        name: my-app role
+        state: absent
+
+    - name: Ensure privilege "my-app password change privilege" is absent
+      ipaprivilege:
+        name: my-app password change privilege
+        state: absent

tests/sysaccount/test_sysaccount.yml

@@ -0,0 +1,150 @@
+---
+- name: Test sysaccount
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
+  # It is normally not needed to set "become" to "true" for a module test.
+  # Only set it to true if it is needed to execute commands as root.
+  become: false
+  # Enable "gather_facts" only if "ansible_facts" variable needs to be used.
+  gather_facts: false
+  module_defaults:
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+
+  tasks:
+
+  - name: Verify sysaccount tests are possible
+    ansible.builtin.shell:
+      cmd: |
+        echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin > /dev/null
+        RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa sysaccount-add --help)
+        kdestroy -A -c {{ krb5ccname }} > /dev/null
+        echo $RESULT
+    vars:
+      krb5ccname: "__check_ipa_sysaccount_add__"
+    register: check_sysaccount_add
+
+  - name: Execute tests
+    when: '"ipa: ERROR: unknown command" not in check_sysaccount_add.stderr'
+    block:
+
+    # CLEANUP TEST ITEMS
+
+    - name: Ensure sysaccount my-app is absent
+      ipasysaccount:
+        name: my-app
+        state: absent
+
+    # CREATE TEST ITEMS
+
+    # TESTS
+
+    - name: Ensure sysaccount my-app is present with random password
+      ipasysaccount:
+        name: my-app
+        random: true
+      register: result
+      failed_when: not result.changed or
+                   result.sysaccount.randompassword is not defined or
+                   result.failed
+
+    - name: Ensure sysaccount my-app is present, again with updated random password and update_password always
+      ipasysaccount:
+        name: my-app
+        random: true
+      register: result2
+      failed_when: not result2.changed or
+                   result2.sysaccount.randompassword is not defined or
+                   result2.sysaccount.randompassword == result.sysaccount.randompassword or
+                   result2.failed
+
+    - name: Ensure sysaccount my-app is present, again with random password and update_password on_create
+      ipasysaccount:
+        name: my-app
+        random: true
+        update_password: on_create
+      register: result
+      failed_when: not result2.changed or
+                   result.sysaccount.randompassword is defined or
+                   result.failed
+
+    # more tests here
+
+    - name: Ensure sysaccount my-app is disabled
+      ipasysaccount:
+        name: my-app
+        state: disabled
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure sysaccount my-app is disabled, again
+      ipasysaccount:
+        name: my-app
+        state: disabled
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure sysaccount my-app is enabled
+      ipasysaccount:
+        name: my-app
+        state: enabled
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure sysaccount my-app is enabled, again
+      ipasysaccount:
+        name: my-app
+        state: enabled
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure sysaccount my-app is privileged
+      ipasysaccount:
+        name: my-app
+        privileged: true
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure sysaccount my-app is privileged, again
+      ipasysaccount:
+        name: my-app
+        privileged: true
+      register: result
+      failed_when: result.changed or result.failed
+
+    # ADDITIONAL TEST HERE?
+
+    - name: Ensure sysaccount my-app is not privileged
+      ipasysaccount:
+        name: my-app
+        privileged: false
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure sysaccount my-app is not privileged, again
+      ipasysaccount:
+        name: my-app
+        privileged: false
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure sysaccount my-app is absent
+      ipasysaccount:
+        name: my-app
+        state: absent
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure sysaccount my-app is absent again
+      ipasysaccount:
+        name: my-app
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    # CLEANUP TEST ITEMS
+
+    - name: Ensure sysaccount my-app is absent
+      ipasysaccount:
+        name: my-app
+        state: absent

tests/sysaccount/test_sysaccount_client_context.yml

@@ -0,0 +1,40 @@
+---
+- name: Test sysaccount
+  hosts: ipaclients, ipaserver
+  # It is normally not needed to set "become" to "true" for a module test.
+  # Only set it to true if it is needed to execute commands as root.
+  become: false
+  # Enable "gather_facts" only if "ansible_facts" variable needs to be used.
+  gather_facts: false
+
+  tasks:
+  - name: Include FreeIPA facts.
+    ansible.builtin.include_tasks: ../env_freeipa_facts.yml
+
+  # Test will only be executed if host is not a server.
+  - name: Execute with server context in the client.
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server
+      name: ThisShouldNotWork
+    register: result
+    failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
+    when: ipa_host_is_client
+
+# Import basic module tests, and execute with ipa_context set to 'client'.
+# If ipaclients is set, it will be executed using the client, if not,
+# ipaserver will be used.
+#
+# With this setup, tests can be executed against an IPA client, against
+# an IPA server using "client" context, and ensure that tests are executed
+# in upstream CI.
+
+- name: Test sysaccount using client context, in client host.
+  import_playbook: test_sysaccount.yml
+  when: groups['ipaclients']
+  vars:
+    ipa_test_host: ipaclients
+
+- name: Test sysaccount using client context, in server host.
+  import_playbook: test_sysaccount.yml
+  when: groups['ipaclients'] is not defined or not groups['ipaclients']