ansible-core 2.19 is not automatically converting empty and non empty lists
to bool values. Conditionals must have a boolean result.
The solution is to evaluate the length of the lists instead.
ansible-core 2.19 is not automatically converting empty and non empty lists
to bool values. Conditionals must have a boolean result.
The solution is to evaluate the length of the lists instead.
In ansible-core 2.19 there's no automatic coercion from None or empty
strings to the boolean value "false", so we need to compare the result
of the filter 'regex_search' to 'None' and the empty string to evaluate
if any match occurred.
In fixing this issue, it was found that the tests were incorrectly
evaluating the results, and the comparisons were fixed.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
As ansible-core 2.19 'upper' and 'lower' filters make lists into strings
and these strings are not interpreted as lists when running the plugins,
it is needed to use 'map(<filter>)' to apply the filter to all entries
of a list.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
In ansible-core, templates and expressions must use trusted sources,
such as playbooks or roles, and module results are considered untrusted
sources.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
In ansible-core 2.19, when clauses (when, failed_when, etc) do not
convert values to bool automatically, also, templating with "|bool" does
not work too, so an actual value comparison is required.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
When adding a new idrange of type 'ipa-local', the 'base_id',
'range_size', 'rid_base' and 'secondary_rid_base' are required so that
range entries are correctly set when SID are enabled.
Fixes: https://issues.redhat.com/browse/RHEL-79820
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The tests hosts are generated with IP addresses in env_setup, but
removed without update_dns turned on. Therefore the IP addresses are not
removed from DNS.
This results in a failure if the host test test_host_ipaddresses is run
afterwards.
Current version of ansible-list pre-commit hook required changes in the
ansible-freeipa yamllint configuration and these changes triggered
issues in the current playbooks on roles and tests.
This patch adds the required changes to yaml lint configuration and
fixes the affected playbooks.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
When using AD objects, a user expects to use the more human readable
form, like "user@ad.domain", but this impose some dificulties on
evaluating which object is being referenced as AD has several forms to
refer to the same object.
Each object is AD is identified uniquely by its SID, and this is the
identifier that IPA stores in its database. When managing AD objects,
IPA finds its SID and works with that value.
ansible-freeipa tried to process these objects using the human readable
values, and it cause idempontence error when ensuring the values were
present or modified, and, at least in some cases, prevented the objects
to be made absent, as the object list created didn't match the SID to
the value used as module parameter.
By using SID to process the AD objects in ipagroup, the addition or
removal of members works and idempotence of these members is ensured.
The only issue with thils approach is that it only works no server
nodes. In client nodes, the conversion to SID is not available and the
same issues that existed before will still be present.
Tests were updated to reflect these changes, a new test, specific to
idempotence issues of AD objects was added:
tests/group/test_group_ad_users.yml
Resolves: https://issues.redhat.com/browse/RHEL-70023
When running test_idoverrideuser_client_context.yml on a client host, it
tried to run a task that does not have the required fields and fails
the test.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This patch improves tests/env_freeipa_facts.yml by ensuring
ipaserver_realm is set, making AD server availability discoverable, and
allowing playbooks to run with 'gather_facts: false' by gathering
minimal facts.
When handling users and hosts is ipasudorule we were missing nome entry
attributes returned from FreeIPA, which would cause the add/del lists to
be incorrectly generated.
By adding the proper lists, both attributes are handled correctly.
A new test to verify the fix is added:
tests/sudorule/test_sudorule_user_host_external.yml
Fixes https://issues.redhat.com/browse/RHEL-68439
When creating the lists of external members, the attribute
'ipaexternalmember' also needs to be added to the list of external
members that are part of the group object for external groups.
A test to verify the correct behavior was added and the test suite for
group external members have been cleaned up with 'yes' values changed to
'true' and the use of module_defaults.
When a revoked certificate with reason 6 (certificateHold) is revoked
with reason 8 (removeFromCRL), the effect is that the certificate is
valid again, as it is the same procedure as 'state: release'.
This is, at least, the behavior with IPA CLI comands, which is
implemented by this patch.
A new test is added to verify this behavior:
tests/cert/test_cert_remove_hold_with_removeFromCRL.yml
Unless there's a real need to use privileged access or to gather Ansible
facts upfront, we should always set "become: false" and
"gather_facts: false". In the case that only a few Ansible facts are
required, 'ansible.builtin.setup' with 'gather_subset' should be used.
As the YAML 1.2 standard dictates, boolean values should only use 'true'
or 'false' values.
This patch fixes these issues in the 'sudorule' test suite.
Currently, ipasudorule must add or modify a single sudorule at a time,
incurring in more load in the server if there are many rules to be
processed.
This patch adds suport for adding multiple sudorules in one playbook
task by using the parameter 'sudorules' and defining a list of sudorules
configurations to be ensured.
As multiple sudorules will be processed, the patch also enables batch
mode processing of sudorules, trying to reduce the load on the server.
Test 'tests/sudorule/test_sudorule_client_context.yml' was modified to
include tasks with 'sudorules' to be executed both on the server or on
the client context.
New tests were added to the sudorule test suite:
tests/sudorule/test_sudorules.yml
tests/sudorule/test_sudorules_member_case_insensitive.yml
For some time now, we had some issues with molecule when building test
images for ansible-freeipa, and replaced the image creation with custom
build scripts that use commom container tools (like Dockerfiles and the
build command).
As there's no more tasks that require the use of molecule, this patch
removes the last bits used by it, and fixes documentation and lint
scripts and configuration.
It seems that in recent versions, a minimum of 2048 bits for RSA keys
are required to request a certificate. This seems to be enforced by
crypto policies.
By adjusting the key size all ipacert tests pass.
The new generate_test_data.yml is creating the test data with
ansible.builtin.shell and is not calling shell scripts any more. The
generation in the yml file and also the set_fact calls make sure that
the test data is used.
This patch removes 'molecule' as a dependency for tests, by using the
scripts under `utils` to setup the environment.
By not using molecule, we have more flexibility on using either docker
or podman as the container engine, and makes it easy to reproduce the
environment on different distros, allowing for a more consistent error
reproduction off Azure.
On some systems it is required or desired to run Ansible with a specific
Python interpreter. This patch allows the selection of the Python binary
to use for the pytest playbook tests by setting the environment variable
IPA_PYTHON_PATH. Set it the the full path of the Python interpreter.
As we do not use molecule features, using a Dockerfile and the
ansible-freeipa deployment roles is enough to create the container
testing images.
This patch removes the usage of molecule in favor of the custom
ansible-freeipa image building script, which allow us to have a similar
process for creating images both on the ustream CI, or on a developer's
environment.
Also, CentOS 7 is removed from the build script, as it in not possible
to run CentOS 7 containers with current versions of systemd.
The tests test_users_present.yml and test_users_absent.yml has been
merged into test_users_present_absent.yml to fix the independent test
order execution.
The test test_users_present_slice.yml has been renamed to
test_users_present_absent_slice.yml.
Both tests are cleaning up possible exiting entries before running the tests
and are verifying the present and absent task result.
Truncate stdout and stderr in the way that it hopefully shows all
important information. At least 15 lines of stdout (Ansible tasks) and
remaining from stderr to fill up to maxlen size.
The test log mostly only showed lines from stderr as the log was a
concatenation of stdout and stderr and only the last 2500 chars of this
have been used. This was hiding the test result from stdout and failures
have not beeen visible.
setuptools might not be installed before importing and using
galaxy_importer. This could result in a backtrace by disabling
ANSIBLE_TEST_LOCAL_IMAGE in galaxy-importer.cfg to run latest tests.
The parameters
- subtree (ipapermlocation)
- target (ipapermtarget)
- targetto (ipapermtargetto)
- targetfrom (ipapermtargetfrom)
have not been idempotent as the result returned from permission_show was
a DN and not a string.
The find_permission function has been exetended to convert the values
for these parameters to strings.
Fixes: #1257
The generated certificates have been X.509 v1. This is not supported any
more. Only X.509 v3 is supported.
A new certificates/extensions.conf file has been added to make v3
certificates.
The existing certificates/pkinit/extensions.conf has been renamed to
certificates/pkinit-extensions.conf with additional changes. For example
"[kdc_cert]" had to be removed for v3.
The extensions config files are using environment variables, which are
set by the generate-certificates.sh script before calling openssl.
The script generate-certificates.sh has been reworked for a simpler
structure, also new options have been added: "ca" and "cleanup".
This patch force processing of permission, attribute and group
attributes in lower case, to match behavior of IPA CLI, transforming
all of them into lowercase characters.
The new behavior fixes idempotence issues when mixing different
capitalization in different tasks for the same attribute.
A new test playbook is avaiable at:
tests/delegation/test_delegation_member_case_insensitive.yml
Some attributes for ipagroup objects are stored using lower case letters
and should be converted upon retrieving parameter data.
This patch adds the missing conversion and provides a new test playbook:
tests/group/test_group_case_insensitive.yml
