If a task with 'action: automember' tried to modify an automember rule
and did not provide either 'inclusive' or 'exclusive' parameters, the
regex for the missing arguments would be removed.
This patch fixes this behavior to only modify those parameters that
were set on the task, and leave the missing parameters in the state
they were before the task.
Tests have been updated to verify expected behavior.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1976922
When setting 'runasuser' or 'runasgroup' for a sudorule, either IPA or
external users and groups can be used, but only IPA users and groups
were being searched for when modifying the attributes, making this task
not idempotent if an external group or user was used..
This patch fixes this issue by comparing users and groups to the IPA
and external setting.
The IPA CLI commands are slightly confusing, as the sudorule-add and
sudorule-mod display separate options for internal and external users
and groups, but these options are deprecated and do not work anymore,
in favor of sudorule-add-runasuser and sudorule-add-runasgroup, which
don't diferentiate between internal and external users, from the CLI
user perspective.
This patch removes the custom command result handler in favor of the
IPAAnsibleModule default member handler and fixes creation of add and
del lists of permissions, fixing the behavior of the moudule execution
when 'check_mode: yes'.
When creating the lists to add/remove principal aliases, if the realm
was not specified, the alias would be used as it did not matched the
existing one, which has the realm part.
This patch fixes the add/del list creation by adding the current API
realm to each alias that does not have the realm part and then use
this modified list to be compared against the existing principal list.
This change also allows the use of the whole list in a single call to
the IPA API to add/remove the principals, instead of a call for every
one item in the list.
When running the tests that can be executed either on server or client
context, without defining 'ipa_context', the context is automatically
identified.
Currently, the tests in upstream CI run only on a server, and the
context is identified as "server" context, and in order to run the test
using a client context 'ipa_context' must be set to 'client'.
This patch fixes all the client context tests by correctly setting
ipa_context when running the client context tests in a server host.
This patch fixes yamllint's "line too long" (line-lenght) warnings
by ensuring all lines in YAML files have, at most, 160 characters.
If a line cannot be written as a multiline block, line-length rule
evaluation is disabled for the specific line, both on yamllint and
on ansible-lint.
Update vault README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/vault/test_vault_client_context.yml
As `ipavault` only works in client context, an error is raised if it
is explicitly executed in a server context.
Update selfservice README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/selfservice/test_selfservice_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update service README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/service/test_service_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update user README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/user/test_user_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update trust README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/trust/test_trust_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudorule README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudorule/test_sudorule_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudocmdgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudocmdgroup/test_sudocmdgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudocmd README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudocmd/test_sudocmd_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update server README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/server/test_server_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update role README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/role/test_role_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update pwpolicy README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/pwpolicy/test_pwpolicy_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update privilege README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/privilege/test_privilege_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update permission README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/permission/test_permission_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running in a client context,
some values had to be modified so that comparision works and an
unnecessary call to IPA API is executed.
Update location README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/location/test_location_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hostgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hostgroup/test_hostgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update host README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/host/test_host_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacsvcgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacsvcgroup/test_hbacsvcgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacsvc README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacsvc/test_hbacsvc_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacrule README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacrule/test_hbacrule_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update group README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/group/test_group_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update dnszone README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnszone/test_dnszone_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running in a client context,
verification if zone is active had to be modified.
Update dnsrecord README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsrecord/test_dnsrecord_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update dnsforwardzone README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsforwardzone/test_dnsforwardzone_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running ipadnsforwardzone in
a client context, some values had to be modified so that comparision
works, avoiding unnecessary IPA API calls.
Update dnsconfig README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsconfig/test_dnsconfig_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update delegation README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/delegation/test_delegation_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update config README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/config/test_config_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
As the tests for ipaconfig may render the server in an inconsistent
state if they fail, the tests in tests/config/test_config.yml were
wrapped in a way that if one test fails, the default FreeIPA
configuration is restored to the server.
Update automountlocation README file and add tests for executing plugin
with `ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/automountlocation/test_automountlocation_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
This patch fixes setting ipaserver_domain and ipaserver_realm facts for
iparole tests, fixing variable evaluation and allowing the tests to be
executed even if `gather_facts: no`.
Update automember README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/automember/test_automember_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
This patch adds a new fact `ipa_host_is_client`, available in the
include task file `env_freeipa_facts.yml`.
The variable `ipa_host_is_client` is set to TRUE if the client host
is not an IPA server (primary or replica). It can be used if a test
cannot be executed in a server, independent of the value set to
`ipaapi_context`.
As the server name was hard coded, when running tests for ipasever
module using a server not name as 'ipaserver', the tests would fail.
This patch allows the configuration of the server name using the
variable 'ipa_server_name', and if not provided, try to infer the name
from the ansible_hostname variable, or, if not possible, defaults to
'ipaserver'.
The same behavior is applied to 'ipasever_domain', with the default
being 'ipa.test'.
Currently, if a test fails during execution of ipaconfig playbook
tests, or if the failed task is the task reverting to the original
configuration fails, the testing host might be left in a state that
may cause other tests to fail due to the inconsistent configuration
state.
This patch ensures that if a test fails, a known configuration, the
same as used is the default installation of FreeIPA used in upstream
CI, is applied to the host, providing safe environment for testing.
The nonposix, posix and external parameters need to be mutually
exclusive. external was missing in this list. Only one of the three
parameters can be used.
external can not be set to no/false. This results in an error now.
if nonposix is used, posix is set as not nonposix. The nonposix
parameter is not used within the code anymore..
New tests have been added to tests the addition of users with for
nonposix and posix groups. The tests for the external group is not
active due to the need of an AD.
Fixes: #528 (Error creating nonposix group)
