ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `elements="str"` needs to be added to all list of string parameters
The `copyright` date is extended with `-2022`.
ansible_freeipa_module is providing netaddr and also DNSName, therefore
it is not needed to have own imports in the module. These own imports
would need an addional try exception clause to be able to pass the
ansible-test fake execution test.
All imports that are only available after installing IPA need to be in a
try exception clause to be able to pass the fake execution test.
If the imports can not be done, all used and needed attributes are
defined with the value None, MODULE_IMPORT_ERROR is set to the import
error and fail_json is called.
Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable
and configure SIDs, and set the Netbios name.
This patch adds the following parameters to ipaconfig plugin:
enable_sids: New users and groups automatically get a SID assigned
add_sids: Add SIDs for existing users and groups
netbios_name: NetBIOS name of the IPA domain
Both add_sids and netbios_name requires 'enable_sid: yes'.
'enable_sid' and 'netbios_name' are returned when querying IPA
configuration.
'add_sids' always generate SIDs for users and groups, so, muiltiple
executions of the playbook with 'add_sids: yes' will return 'changed',
even if users and groups SIDs are not modified.
A new test playbook is available:
tests/config/test_config_sid.yml
New examples playbooks are available:
playbooks/config/change-ipa-domain-netbios-name.yml
playbooks/config/generate-users-groups-sids.yml
Fixes: #781
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184
Before "short description" was used in most plugins, modules and also
in the new module templates.
ansible-doc was therefore not showing the short description. To fix the
issue the flag was renamed to short_description instead.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2121362
'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'
Attributes 'first' and 'last' are required if user does not exist, but
current documentation doesn't make it clear. This patch adds a note on
both attributes to make clear the cases where the attribute is required
flake8 reports an issue in ipavault:
plugins/modules/ipavault.py:528:20: E275 missing whitespace after keyword
The missing whitespace has been added: "and not(" -> "and not ("
FreeIPA 4.9.10+ and 4.10 use proper mapping for boolean values, and
only searching for "TRUE" does not work anymore.
This patch fix ipadnszone plugin and IPAParamMapping class handling
of boolean values.
As an idrange has no members, when using `state: absent`, all
parameters but 'name' and 'state' are invalid. The list of invalid
parameters when 'state: absent', have been fixed to include some
missing parameters.
When ensuring presence of an idrange using dom_name instead of dom_sid,
the SID must be obtained so that the idrange can be created.
Related to RHBZ#2086993 and RHBZ#2086994.
There is a new idrange management module placed in the plugins folder:
plugins/modules/ipaidrange.py
The idrange module allows to ensure presence and absence of idranges.
Here is the documentation of the module:
README-idrange.md
New example playbooks have been added:
playbooks/idrange/idrange-absent.yml
playbooks/idrange/idrange-ad-posix-present.yml
playbooks/idrange/idrange-ad-present.yml
playbooks/idrange/idrange-present.yml
New tests for the module can be found at:
tests/idrange/test_idrange.yml
tests/idrange/test_idrange_client_context.yml
The group CLI option `idoverrideusers` was not supported by
ansible-freeipa, and this patch adds support to it.
Tests require an AD trust, and a user `aduser@ad.ipa.test` to exist, or
the user name must be provided (variable, CLI) through `test_ad_user`.
A new test playbook was added:
tests/group/test_group_idoverrideuser.yml
This patch updates the ipatrust documentation about the 'trust_type'
parameter, and changes one password to be similar to the standard
passwords used in other modules.
This change allows clearing automountmap 'description' attribute by
passing an empty string ("") as the playbook parameter.
New test cases were added to check this behavior.
Due to a change in 'ansible_freeipa_module.compare_args_ipa', playbook
parameters using empty strings are correctly evaluated, and do not need
to be removed before comparison is performed.
A new test playbook, with tests for clearing attributes with an empty
string ("") is available at:
tests/user/test_user_empty_lists.yml
Modules ipadnsconfig and ipadnsforwardzone allow the setting of forward
policy for zone forwarders, but the parameter names differ between the
modules.
This patch ensures that the same parameter names can be used in each
module. To keep backwar compatibility in both modules, both
`forward_policy` and `forwardpolicy` are now supported.
The parameters user_auth_type, pac_type and configstring are allowing to
use "" to reset to the default value or for configstring to set an empty
list.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working.
Additionally empty pac_type, user_auth_type and domain_resolution_order
have been added to exit_args as if they have not been set.
The parameter auth_ind is allowing to use "" to reset to the default
value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working.
The parameters auth_ind and pac_type are allowing to use "" to reset to
the default value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working. An idempotency issue with pac_type has been found with the test
and fixed additionally.
The parameters userauthtype and sshpubkey allowing to use "" to reset to
the default value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working. An idempotency issue with sshpubkey has been found with the test
and fixed additionally.
Ensuring absence of members (services and targets) that do not exist may
not fail as they are not members for servicedelegationtarget and
servicedelegationrule.
servicedelegation_normalize_principals in ansible_freeipa_module has
been extended with a check_exists argument that defaults to False. state
== "present" is now given as this argument to turn on the element exists
check only if elements should be added.
If a hbacrule member has any value, the only way to clear it is by
creating a task with 'state: absent' and 'action: member' and provide
a list with all the values for that member.
This patch allows the use of '<member>: []' with 'action: hbacrule'
to clear a hbacrule member.
A new test playbook can be found at:
tests/hbacrule/test_hbacrule_member_empty.yml
There is a new servicedelegationrule management module placed in the plugins
folder:
plugins/modules/ipaservicedelegationrule.py
The servicedelegationrule module allows to ensure presence and absence of
servicedelegationrules and servicedelegationrule members.
Here is the documentation of the module:
README-servicedelegationrule.md
New example playbooks have been added:
playbooks/servicedelegationrule/servicedelegationrule-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-principal-member-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-principal-member-present.yml
playbooks/servicedelegationrule/servicedelegationrule-target-member-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-target-member-present.yml
playbooks/servicedelegationrule/servicedelegationrule-present.yml
New tests for the module:
tests/servicedelegationrule/test_servicedelegationrule.yml
tests/servicedelegationrule/test_servicedelegationrule_client_context.yml
tests/servicedelegationrule/test_servicedelegationrule_hostprincipal.yml
There is a new servicedelegationtarget management module placed in the plugins
folder:
plugins/modules/ipaservicedelegationtarget.py
The servicedelegationtarget module allows to ensure presence and absence of
servicedelegationtargets and servicedelegationtarget members.
Here is the documentation of the module:
README-servicedelegationtarget.md
New example playbooks have been added:
playbooks/servicedelegationtarget/servicedelegationtarget-absent.yml
playbooks/servicedelegationtarget/servicedelegationtarget-member-absent.yml
playbooks/servicedelegationtarget/servicedelegationtarget-member-present.yml
playbooks/servicedelegationtarget/servicedelegationtarget-present.yml
New tests for the module:
tests/servicedelegationtarget/test_servicedelegationtarget.yml
tests/servicedelegationtarget/test_servicedelegationtarget_client_context.yml
tests/servicedelegationtarget/test_servicedelegationtarget_hostprincipal.yml
Similar to PR 286
This PR explicitly sets `no_log` option for `update_password` attribute to `False`, so that the warning on `no_log` not being set is not issued anymore. Ansible incorrectly issued the warning, as `update_password` does not carry sensitive information.
When ensuring states 'undeleted', 'enabled', 'disabled', and 'unlocked'
the error messages for an unexistent user were not consistent.
This change changes the message for all states to "No user '%s'."
When trying to ensure 'state: absent' with 'preserved: yes' in ipauser,
after the first execution the playbook would fail with "user is already
present". Similar idempotence issue would happen when 'state: undelete'
was used.
This PR fixes both issues, and improve tests for the states where user
is preserved, enabled and disabled. The 'find_user' function now uses
IPA API 'user_show' instead of 'user_find' so that only the requested
user is actually returned.
The services returned by group_find are of type
ipapython.kerberos.Principal. Addtionally the services are case
insensitive. Therefore services need to be converted to a lowercase
sting for proper comparison.
test_group.yml has been extended with service tests.
Upstream tests were not testing one path of code related to variable
`deny_sudocmdgroup`, and a regression was added.
This patch fixes a call to the current configuration dictionary, and
add tests so that the code path is executed in the upstream tests.
This patch adds support for 'action: member' for ipadnsconfig plugin,
impacting management of DNS forwarders setting.
Use of 'state: absent' now requires 'action: member'. With 'state:
present', orwarders can be either defined through 'action: dnsconfig'
or added using 'action: member'.
Tests have been updated to reflec the new behavior.
