In ansible-core 2.19 there's no automatic coercion from None or empty
strings to the boolean value "false", so we need to compare the result
of the filter 'regex_search' to 'None' and the empty string to evaluate
if any match occurred.
In fixing this issue, it was found that the tests were incorrectly
evaluating the results, and the comparisons were fixed.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The tests hosts are generated with IP addresses in env_setup, but
removed without update_dns turned on. Therefore the IP addresses are not
removed from DNS.
This results in a failure if the host test test_host_ipaddresses is run
afterwards.
- Replace outdated noqa 503 with noqa no-handler
- Drop outdated and not needed noqa 505 for include_vars
- Drop outdated noqa deprecated-command-syntax for
ansible.builtin.shell using cmd tag
These warnings have been reported by utils/lint_check.sh using
ansible-lint 6.22.1.
The tests test_services_absent.yml, test_services_present.yml and
test_services_present_slice.yml have been updated to use in memory data
for testing instead of loading json files. This made is simpler to use
variables from the playbook for example for fqdn host names.
New tests for certificates with and without trailing new lines have been
added for single service and multiple service handling.
Adding an option to create multiple services in one go.
Adding tests (present/absent/without_skip_host_check)
Copied from PR #1054
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
In latest ansible-lint versions, the use of "blocks" has a required
order to be implemented. According to ansible-lint error mesage, the
order is name, when, block, rescue, always.
As not following this rule is now an error, this patch fixes all tests
for the 'key-order[task]' error.
Use Fully Qualified Collection Name (FQCN) for ansible builtins. This is
ansible.builtin.set_fact instead of set_fact for example and aplies for
all actions that are part of ansible.builtin.
All the replaced ansible.builtins:
assert, command, copy, debug, fail, fetch, file, import_playbook,
import_tasks, include_role, include_tasks, include_vars, package,
set_fact, shell, slurp, stat, systemd
The parameter 'warn' from ansible.builtin.shell was deprecated in
ansible-core version 2.11 and removed in version 2.14.
This patch removes the usage of this parameter from ansible-freeipa
tests, and adds 'deprecated-command-syntax' to the skip list of
ansible-lint configuration to cope with the change in the linter.
The parameters auth_ind and pac_type are allowing to use "" to reset to
the default value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working. An idempotency issue with pac_type has been found with the test
and fixed additionally.
When creating the lists to add/remove principal aliases, if the realm
was not specified, the alias would be used as it did not matched the
existing one, which has the realm part.
This patch fixes the add/del list creation by adding the current API
realm to each alias that does not have the realm part and then use
this modified list to be compared against the existing principal list.
This change also allows the use of the whole list in a single call to
the IPA API to add/remove the principals, instead of a call for every
one item in the list.
When running the tests that can be executed either on server or client
context, without defining 'ipa_context', the context is automatically
identified.
Currently, the tests in upstream CI run only on a server, and the
context is identified as "server" context, and in order to run the test
using a client context 'ipa_context' must be set to 'client'.
This patch fixes all the client context tests by correctly setting
ipa_context when running the client context tests in a server host.
Update service README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/service/test_service_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
In current implementation, when using `smb: yes`, only a small subset
of the attributes can be used in the playbook. This happened due the
use of `service_add_smb`, which adds a new service and does not modify
an existing one, and not coping with attributes not supported by this
IPA API call.
The implementation was modified so that a service with `smb: true` is
treated like any other service, which, in effect, simplified and fixed
service search, and allowed for the use of the same attributes as with
any service. Although simplified, when using `smb: true` an extra
query is done against the LDAP server, as a second `service_show` is
performed.
Tests have been updated to reflect the new imprlementation.
Tests for service certificates were still using pre-generated
certificate files. This patch uses the same approach as other tests,
it generates a certficate, when needed, and use file lookup.
Without this change the "Import variables specific to distribution"
tasks fail with "Could not find file on the Ansible Controller..."
on environments with inject facts disabled.
This changes the tests to run with ansible with
inject_facts_as_vars = false and fixes other roles and playbooks.
Some attributes are not present in all supported versions of FreeIPA,
and this might cause tests to fail due to unsupported versions.
This patch add the means to test if a test can be executed based on
the target host FreeIPA version.
The attribute `allow_retrieve_keytab_host` was not working due to
wrong processing of the input and verification if the values should
be updated. Both the issues are fixed by this change.
Tests were added to better verify service keytab members.
The name "www.ansible.com" was used as a host, but this required
that DNS forwarding is enabled and configured to test serivces
for hosts that have an IP address but are not host objects in IPA.
This change set a a host name that lies in the testing domain, and has
an IP address defined, buth is not added as a host object,
so the forwarding DNS configuration is not needed for this test.
In some case the tests needs to have the class A, B and C of reverse DNS
set in order to function properly. Those missing classes where
added/updated in dnsrecord, services and host tests.
Due to use of some shell commands that required a Kerberos ticket,
the ipaservice test test_service_disable would no work if a ticket
was not granted before it ran. This patch adresses this issue by
acquiring a ticket for the `admin` user before it is needed, and
destroying the tickets by the end of the test execution.
Services without certificates, but with keytabs were not being
disabled. This change allows execution of service_disable if
there is a certificate or if has_keytab is true.
A new test was added to verify the issue:
tests/service/test_service_disable.yml
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
There is a new service management module placed in the pluginsfolder:
plugins/modules/ipaservice.py
The service module allows to ensure presence and absence of services, and
manage members and certificates of the service.
Here is the documentation for the module:
README-service.md
New example playbooks have been added:
playbooks/service/service-host-is-absent.yml
playbooks/service/service-host-is-present.yml
playbooks/service/service-is-absent.yml
playbooks/service/service-is-disabled.yml
playbooks/service/service-is-present-with-all-attributes.yml
playbooks/service/service-is-present-without-host-object.yml
playbooks/service/service-is-present.yml
playbooks/service/service-member-allow_create_keytab-absent.yml
playbooks/service/service-member-allow_create_keytab-present.yml
playbooks/service/service-member-allow_retrieve_keytab-absent.yml
playbooks/service/service-member-allow_retrieve_keytab-present.yml
playbooks/service/service-member-certificate-absent.yml
playbooks/service/service-member-certificate-present.yml
playbooks/service/service-member-principal-absent.yml
playbooks/service/service-member-principal-present.yml
New tests added for the module:
tests/service/test-service.yml
