This patch add support for the attributes `maxtostname` and
`ca_renewal_master_server` attributes that were missing and
also provide a more complete set of tests.
This change split vault tests in several files, organized by vault
type and operation (vault vs. member) so that it is easier to add
new tests for issues and verify if tests are missing.
This patch adds support for retrieving data stored in an IPA vault by
adding a new valid state for ipavault: `retrieved`.
To allow the retrieval of data from assymetric vaults, the attributes
`private_key`, `private_key_files` and `out` were also added to the
module.
The private key files, `private.pem`, should be paired with the already
existing `public.pem` public key files.
Tests were updated to reflect changes and two new playbooks were added:
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a hostgroup.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/hostgroup/test_hostgroup_membermanager.yml
There is a new dnsrecord managem module placed in the plugins folder:
plugins/modules/ipadnsrecord.py
The dnsrecord module allows management of DNS records and is as compatible
as possible with the Ansible upstream `ipa_dnsrecord` module, but provide
some other features like multiple record management in one execution,
support for more DNS record types, and more.
Here is the documentation for the module:
README-dnsrecord
New example playbooks have been added:
playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
playbooks/dnsrecord/ensure-presence-multiple-records.yml
playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
playbooks/dnsrecord/ensure-MX-record-is-present.yml
playbooks/dnsrecord/ensure-PTR-record-is-present.yml
playbooks/dnsrecord/ensure-SRV-record-is-present.yml
playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
playbooks/dnsrecord/ensure-TXT-record-is-present.yml
playbooks/dnsrecord/ensure-URI-record-is-present.yml
New tests for the module can be found at:
tests/dnsrecord/test_dnsrecord.yml
tests/dnsrecord/test_compatibility_with_ansible_module.yml
tests/dnsrecord/test_dnsrecord_full_records.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a group.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/group/test_group_membermanager.yml
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
plugins/modules/ipaconfig.py
The config module allows the user change global config settings.
The config module is as compatible as possible to the Ansible upstream
ipa_config module, but adds many extra variables.
Here is the documentation for the module:
README-config.md
Since ipahost uses dnsrecord-show, it raises an error when DNS zone is
not found, but it should not be an ipahost concern.
This patch fixes this behavior by returning no record if DNS zone is
not found, so processing resumes as if there is no record for the host.
It fixes behavior when `state: absent` and dnszone does not exist, so,
host should not exist either, and the ipahost answer is correct and
indifferent to DNS Zone state.
The `services` member and ownership atttributes were missing from
vault module. This change adds them.
Handling of owner and ownergroups needed to be changed to fix `services`
and, due to this, have also been fixed.
IPA CLI allows the creation of vaults without specifying user, service or a
shared vault, defaulting to create a user vault for the `admin` user. The
vault module, required that one of user, service or shared was explicitly
provided, and this patch makes the module behave like the CLI command.
Tests were added to reflect this change.
certmapdata was not processed properly. The certificate was not loaded and
therefore the `issuer` and `subject` could not be compared to the
certmapdata entries in the user record. The function `load_cert_from_str`
from ansible_freeipa_moduleis used for this.
Additionally there was no way to use the certmapdata data format. This
is now possible with the `data` option in the certmapdata dict.
Example: "data: X509:<I>dc=com,dc=example,CN=ca<S>dc=com,dc=example,CN=test"
`data` may not be used together with `certificate`, `issuer` and `subject`
in the same record.
Given certmapdata for the ipauser module is now converted to the internal
data representation using also the new function `DN_x500_text` from
`ansible_freeipa_module`.
New functions `convert_certmapdata` and `check_certmapdata` have been added
to ipauser.
tests/user/certmapdata/test_user_certmapdata.yml has been extended with
additional tasks to verify more complex issuer and subjects and also using
the data format.
If random is enabled and update_password is limited to "create_only", the
random password may only be changed if the host does not exist yet.
Additionally the generation of the random password will fail, if the host
is already enrolled if update_password is "always" (default value). An
error will be reported early in this case now.
The command host_show is now used instead of host_find, as `has_password`
and `has_keytab` are only returned by host_show, but not by host_find. The
find_host function has been adapated for this change.
Resolves: #253 (ipahost is not idempotent)
Because of a missing check member attributes (for use with action: member)
are cleared when a non-member attribute is changed. The fix simply adds a
check for None (parameter not set) to gen_add_del_lists in
ansible_freeipa_module to make sure that the parameter is only changed if
it should be changed.
All places where the add and removal lists have been generated manually
have been changed to also use gen_add_del_lists.
Resolves: #252 (The "Manager" attribute is removed when updating any user
attribute)
This patch allows the removal of option `all` from user, host, group,
runasuser, and runasgroup categories, by allowing an empty string as
a valid choice for each option.
There is a new management module placed in the plugins folder:
plugins/modules/ipadnszone.py
The dnszone module allows to manage DNS zones.
Here is the documentation for the module:
README-dnszone.md
New example playbooks have been added:
playbooks/dnszone/disable-zone-forwarders.yml
playbooks/dnszone/dnszone-absent.yml
playbooks/dnszone/dnszone-all-params.yml
playbooks/dnszone/dnszone-disable.yml
playbooks/dnszone/dnszone-enable.yml
playbooks/dnszone/dnszone-present.yml
New tests for the module:
tests/dnszone/test_dnszone.yml
tests/dnszone/test_dnszone_mod.yml
Due to setting aaaa_extra_create_reverse or a_extra_create_reverse when not
needed, host module fails to add a host with reverse address. This patch
fixes the behavior by only adding *_extra_create_reverse when needed.
There is a new vaultcontainer management module placed in the plugins folder:
plugins/modules/ipadnsconfig.py
The dnsconfig module allows to modify global DNS configuration.
Here is the documentation for the module:
README-dnsconfig.md
New example playbooks have been added:
playbooks/dnsconfig/set_configuration.yml
playbooks/dnsconfig/disable-global-forwarders.yml
playbooks/dnsconfig/disallow-reverse-sync.yml
New tests for the module:
tests/dnsconfig/test_dnsconfig.yml
There is a new service management module placed in the pluginsfolder:
plugins/modules/ipaservice.py
The service module allows to ensure presence and absence of services, and
manage members and certificates of the service.
Here is the documentation for the module:
README-service.md
New example playbooks have been added:
playbooks/service/service-host-is-absent.yml
playbooks/service/service-host-is-present.yml
playbooks/service/service-is-absent.yml
playbooks/service/service-is-disabled.yml
playbooks/service/service-is-present-with-all-attributes.yml
playbooks/service/service-is-present-without-host-object.yml
playbooks/service/service-is-present.yml
playbooks/service/service-member-allow_create_keytab-absent.yml
playbooks/service/service-member-allow_create_keytab-present.yml
playbooks/service/service-member-allow_retrieve_keytab-absent.yml
playbooks/service/service-member-allow_retrieve_keytab-present.yml
playbooks/service/service-member-certificate-absent.yml
playbooks/service/service-member-certificate-present.yml
playbooks/service/service-member-principal-absent.yml
playbooks/service/service-member-principal-present.yml
New tests added for the module:
tests/service/test-service.yml
One test did not use the admin password as the rest of the tests.
This caused the tests/pwpolicy/test_pwpolicy.yml suite to fail.
Changing the password to the same as in others fixes the issue.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
