Current version of ansible-list pre-commit hook required changes in the
ansible-freeipa yamllint configuration and these changes triggered
issues in the current playbooks on roles and tests.
This patch adds the required changes to yaml lint configuration and
fixes the affected playbooks.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The new generate_test_data.yml is creating the test data with
ansible.builtin.shell and is not calling shell scripts any more. The
generation in the yml file and also the set_fact calls make sure that
the test data is used.
The tests test_users_present.yml and test_users_absent.yml has been
merged into test_users_present_absent.yml to fix the independent test
order execution.
The test test_users_present_slice.yml has been renamed to
test_users_present_absent_slice.yml.
Both tests are cleaning up possible exiting entries before running the tests
and are verifying the present and absent task result.
- Replace outdated noqa 503 with noqa no-handler
- Drop outdated and not needed noqa 505 for include_vars
- Drop outdated noqa deprecated-command-syntax for
ansible.builtin.shell using cmd tag
These warnings have been reported by utils/lint_check.sh using
ansible-lint 6.22.1.
FreeIPA suports renaming user objects with the CLI parameter "rename",
and this parameter was missing in ansible-freeipa ipauser module.
This patch adds support for a new state 'renamed' and the 'rename'
parameter.
Tests were updated to cope with the changes.
Related to RHBZ#2234379, RHBZ#2234380
Fixes#1103
If a playbook to ensure the existence of a user contains 'random:false'
and 'update_password: always' is executed twice, the second execution
will raise an exception due to "No modifications to perform", as there
is actually nothing to modify.
The fix for the issue is to remove 'random' if it is not set to true, as
setting it to 'false' would have no effect on the user object.
Related: https://issues.redhat.com/browse/RHEL-4934
Since FreeIPA version 4.8.0 ipauser has support for smb-logon-script,
smb-profile-path, smb-home-dir, and smb-home-drive drive attributes.
On FreeIPA, these attributes are only available when modifying a user,
so if the user defined in the playbook does not exist, two calls to IPA
API are executed, a 'user_add' followed by a 'user_mod'.
(see https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md
A new example playbook can be found at:
playbooks/user/smb-attributes.yml
A new test playbook can be found at:
tests/user/test_user_smb_attrs.yml
This patch adds a new parameter to ipauser, 'gecos', which can be used
to set the 'gecos' field of an IPA user. The default behavior of
automatically set the GECOS field to "<first> <last>" is not modified,
it is only possible to change the field to a custom value.
No validation on the value provided is done, as it is with FreeIPA.
The way how randompasswords are returned by the ipauser module depends
so far on the number of users that are handled by the module.
This is unexpected if for example a json file is provided with the users
parameter. As it might be unknown how many users are in the json file,
this behaviour is unexpected. The return should not vary in this case.
This chamge makes the return simply depend on the use of the users
paramater. As soon as this parameter is used, the return will always be:
"user": { "<the user>": { "randompassword": "<the user random password>" } }
In the simply case with one user it will be still
"user": { "randompassword": "<the user random password>" }
Fixes: #1052 (ipauser should consitently return randompasswords when
used with users)
ansible-lint is issuing an warning when using '# noqa 505' instead of
'#noqa missing-import' on playbooks. This patch changes all occurrences
of the tag to use the newer format.
Use Fully Qualified Collection Name (FQCN) for ansible builtins. This is
ansible.builtin.set_fact instead of set_fact for example and aplies for
all actions that are part of ansible.builtin.
All the replaced ansible.builtins:
assert, command, copy, debug, fail, fetch, file, import_playbook,
import_tasks, include_role, include_tasks, include_vars, package,
set_fact, shell, slurp, stat, systemd
The parameter 'warn' from ansible.builtin.shell was deprecated in
ansible-core version 2.11 and removed in version 2.14.
This patch removes the usage of this parameter from ansible-freeipa
tests, and adds 'deprecated-command-syntax' to the skip list of
ansible-lint configuration to cope with the change in the linter.
Due to a change in 'ansible_freeipa_module.compare_args_ipa', playbook
parameters using empty strings are correctly evaluated, and do not need
to be removed before comparison is performed.
A new test playbook, with tests for clearing attributes with an empty
string ("") is available at:
tests/user/test_user_empty_lists.yml
The parameters userauthtype and sshpubkey allowing to use "" to reset to
the default value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working. An idempotency issue with sshpubkey has been found with the test
and fixed additionally.
When trying to ensure 'state: absent' with 'preserved: yes' in ipauser,
after the first execution the playbook would fail with "user is already
present". Similar idempotence issue would happen when 'state: undelete'
was used.
This PR fixes both issues, and improve tests for the states where user
is preserved, enabled and disabled. The 'find_user' function now uses
IPA API 'user_show' instead of 'user_find' so that only the requested
user is actually returned.
The client context on server test is failing with a date that is
expired. The server context on server test is not failing.
Setting an expired date with the command line is possible though.
When running the tests that can be executed either on server or client
context, without defining 'ipa_context', the context is automatically
identified.
Currently, the tests in upstream CI run only on a server, and the
context is identified as "server" context, and in order to run the test
using a client context 'ipa_context' must be set to 'client'.
This patch fixes all the client context tests by correctly setting
ipa_context when running the client context tests in a server host.
This patch fixes yamllint's "line too long" (line-lenght) warnings
by ensuring all lines in YAML files have, at most, 160 characters.
If a line cannot be written as a multiline block, line-length rule
evaluation is disabled for the specific line, both on yamllint and
on ansible-lint.
Update user README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/user/test_user_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
json_query is not part of Ansible Core. As this is the only used module
that is not in Core it has been replaced by constructig a new dict with
the needed user names from users dict using a loop and set_fact.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
For the "Duplicate names in users failure test" failed_when: not
result.failed has been added as this test needs to fail.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
Fixed also "User test cert members present again" task, it was failing
due to also having first and last parameters with action: member.
The file lookup is by default setting `rstrip=True` which could lead
into a stripped new line. This is not happening always but resulted in
failed tests sometimes with certificates pasted to the b64encode filter.
For calls of lookup in the certificae tests `rstrip=False` has been
added to make sure that this is not happening any more. Not in
test_dnsrecord as lookup(..., rstrip=False) is adding a new line if
there was not a new line and this is an issue for dnsrecord. The user
and host tests have also been simplified to create the base64 encoded
file in the beginning and use this file then later on in the tests
without the need to use the b64encode filter.
Ref: https://github.com/ansible/ansible/issues/57521#issuecomment-502238000
This patch adds Ansible tasks to create and remove self-signed
certificates, instead of using previously created certificates.
The certificates are then `lookup`, instead of being used inline
in the playbooks.
Playbooks are easier to read and maintain with this changes, and
there is no need to change the playbooks, if a certificate expires.
users.json is generated for the tests and not part of the repo any more.
This test was lacking the include to generate the file.
Related to: b7e1a99b6e
tests/user/test_users*.yml: Use extended dynamic users.json
test_users_absent.yml was using users_absent.json. It has been adapted to
use users.json instead with an additional json_query to get only the names
from users_present.json.
create_users_json.yml has been added to create users.json if it is missing
containing 500 users. It is included by test_users_present.yml and
test_users_absent.yml.
users_present.sh has been renamed to users.sh and modified to create by
default users.json with 1000 users and additional with password and
passwordexpiration in two years.
jmespath has been added to pip install list in
tests/azure/templates/playbook_tests.yml to emable the use of json_query.
The requirement for jmespath has been added to tests/README.md.
It was possible to have several entries for names with the hosts and users
lists. This resulted sometimes in errors but also unexpected changes. A new
check has been added to make sure that the names in the users and hosts
lists are unique.
New tests have been added to verify this in the existing files:
- tests/host/test_hosts.yml
- tests/user/test_users.yml
certmapdata was not processed properly. The certificate was not loaded and
therefore the `issuer` and `subject` could not be compared to the
certmapdata entries in the user record. The function `load_cert_from_str`
from ansible_freeipa_moduleis used for this.
Additionally there was no way to use the certmapdata data format. This
is now possible with the `data` option in the certmapdata dict.
Example: "data: X509:<I>dc=com,dc=example,CN=ca<S>dc=com,dc=example,CN=test"
`data` may not be used together with `certificate`, `issuer` and `subject`
in the same record.
Given certmapdata for the ipauser module is now converted to the internal
data representation using also the new function `DN_x500_text` from
`ansible_freeipa_module`.
New functions `convert_certmapdata` and `check_certmapdata` have been added
to ipauser.
tests/user/certmapdata/test_user_certmapdata.yml has been extended with
additional tasks to verify more complex issuer and subjects and also using
the data format.
Because of a missing check member attributes (for use with action: member)
are cleared when a non-member attribute is changed. The fix simply adds a
check for None (parameter not set) to gen_add_del_lists in
ansible_freeipa_module to make sure that the parameter is only changed if
it should be changed.
All places where the add and removal lists have been generated manually
have been changed to also use gen_add_del_lists.
Resolves: #252 (The "Manager" attribute is removed when updating any user
attribute)
Most tests have simply been using the Tests as name, but this there is a
lack of information in automated runs. The name should be similar to the
test file name.
The random password is only returned if random is yes and user did not exist
or update_password is yes.
If only one user is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the user random password>" }
If several users are handled by the module:
{ "<user>": { "randompassword": "<the user random password>" } }
This is related to issue #134 (ipahost does not return the random password)
