The service hostname needs to be gathered from ansibe_facts as it might
not be "ipaserver". ansible_facts['fqdn'] is now used as the service
hostname, therefore gather_facts had to be turned on.
When trying to ensure 'state: absent' with 'preserved: yes' in ipauser,
after the first execution the playbook would fail with "user is already
present". Similar idempotence issue would happen when 'state: undelete'
was used.
This PR fixes both issues, and improve tests for the states where user
is preserved, enabled and disabled. The 'find_user' function now uses
IPA API 'user_show' instead of 'user_find' so that only the requested
user is actually returned.
The services returned by group_find are of type
ipapython.kerberos.Principal. Addtionally the services are case
insensitive. Therefore services need to be converted to a lowercase
sting for proper comparison.
test_group.yml has been extended with service tests.
Upstream tests were not testing one path of code related to variable
`deny_sudocmdgroup`, and a regression was added.
This patch fixes a call to the current configuration dictionary, and
add tests so that the code path is executed in the upstream tests.
The client context on server test is failing with a date that is
expired. The server context on server test is not failing.
Setting an expired date with the command line is possible though.
This patch adds support for 'action: member' for ipadnsconfig plugin,
impacting management of DNS forwarders setting.
Use of 'state: absent' now requires 'action: member'. With 'state:
present', orwarders can be either defined through 'action: dnsconfig'
or added using 'action: member'.
Tests have been updated to reflec the new behavior.
If one tries to set a list of forwarders which include an already
existing forwarder, the existing forwarder is removed, and the list
of configured forwarders contain only the new ones.
This patch fixes this behavior by setting a union of the currently
available forwarders and the list of forwarders provided in the
playbook.
Tests were added to ensure this behavior.
The host members of ipahostgroup need to be lowercase and FQDN to be
able to do a proper comparison with exising hosts in the hostgroup.
Fixes: #666 (ipahostgroup not idempotent and with error)
Members of hbacrule must be compared in a case insensitive manner.
This patch fixes comparation of member parameters against existing
members by converting parameters to lowercase.
Also, there were some cases where a change with an empty set of members
was issued to IPA API, leading to a result of 'changed: yes' when
'changed: no' was expected. The fix involved a refactoring of the
member management code.
Add a task to FreeIPA facts task file to ensure that the variable
'ipaserver_domain' is set.
The value is set form `ansible_facts['fqdn'], if available, or set to
`ipa.test`, otherwise.
The test playbook provided adds some tests to verify if capitalization
of role members does not influence on the module behavior. It also adds
some tests to verify check_mode.
ERROR: plugins/modules/ipaautomountmap.py:118:30: E203: whitespace before ':'
ERROR: Found 1 compile issue(s) on python 2.6 which need to be resolved:
ERROR: plugins/modules/ipasudorule.py:382:63: SyntaxError: {ensure_fqdn(value.lower(), default_domain) for value in host}
This test is using the galaxy_importer from ansible project. The
configuration file galaxy-importer.cfg is copied from linux-system-roles
https://github.com/linux-system-roles/auto-maintenance/blob/master/\
lsr_role2collection/galaxy-importer.cfg
The tests script has extra code to parse the output of the importer to
highlight errors and to exit with a proper error code.
The test can be used locally also with "sh tests/sanity/sanity.sh"
New files:
- .github/workflows/ansible-test.yml
- tests/sanity/galaxy-importer.cfg
- tests/sanity/sanity.sh
There is a new automount key module placed in the plugins folder:
plugins/modules/ipaautomountkey.py
The server module allows to ensure presence and absence of automount
keys. The module requires an existing automount location and map to
place the key within.
Here is the documentation for the module:
README-automountkey.md
New example playbooks have been added:
playbooks/automount/automount-key-absent.yaml
playbooks/automount/automount-key-present.yaml
New tests for the module:
tests/automount/test_automountkey.yml
Currently, when adding an overlapping set of members causes playbook to
fail as the already existing members are added twice.
This patch refactors membership management by removing duplicate logic
and handling all changes to members in a single place. This change
removed code that was causing the execution failures.
There is a new server management module placed in the plugins folder:
plugins/modules/ipaautomountmap.py
The server module allows to ensure presence and absence of automount
maps. The module requires an existing automount location to place the
map within. It does not create any automount keys with in the map.
Here is the documentation for the module:
README-automountmap.md
New example playbooks have been added:
playbooks/automount/automount-map-absent.yaml
playbooks/automount/automount-map-present.yaml
New tests for the module:
tests/automount/test_automountmap.yml
All ansible-freeipa modules which allow object renaming should support
'state: renamed'.
This patch adds suport for the missing state, and fixes cases where a
user could try to rename the object and set its members, which would
fail depending on the operation order.
Fix#566
Single hostnames can be used for sudorule_add_host and will match fqdn
in IPA internally. Simple host names have to be extended to be FQDN to
be able to compare them for sudorule_host_add and sudorule_host_remove.
Fixes#672
The removal of group or hostgroup orphans has been added to the automember
module.
It can be ensured that orphans have been removed using action: orphans_removed
The automember_type needs to be set for this.
New examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-group-orphans-removed.yml
- playbooks/automember/automember-hostgroup-orphans-removed.yml
New tests:
- tests/automember/test_automember_orphans_removed.yml
The fallback group and hostgroup for unmached entries can be set and
unset using default_group. If default_group is empty, then the default
group will be unset.
DN and ipa_get_based provided by ansible_freeipa_module are used in the
code.
New parameters:
- default_group: Default (fallback) group for all unmatched entries.
New parameters and examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-default-group-not-set.yml
- playbooks/automember/automember-default-group-set.yml
- playbooks/automember/automember-default-hostgroup-not-set.yml
- playbooks/automember/automember-default-hostgroup-set.yml
New tests:
- tests/automember/test_automember_default_group.yml
There was state: rebuild before, but the code was incomplete and was not
able to run properly.
New parameters:
- users: Limit the rebuild to the given users only
- hosts: Limit the rebuild to the given hosts only
- no_wait: Don't wait for rebuilding membership
New parameters and examples have been added to README-automember.md
tests/automember/test_automember_client_context.yml has been using
state: rebuild and lacked the automember_type parameter.
grouping was used in functions and has been replaced by automember_type.
Some typos in examples have been fixed also.
New playbooks:
- playbooks/automember/automember-group-membership-all-users-rebuilt.yml
- playbooks/automember/automember-group-membership-users-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-all-hosts-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-hosts-rebuilt.yml
New tests:
- tests/automember/test_automember_rebuilt.yml
These are skips for python 2.6 with import-2.6!skip and
compile-2.6!skip, ignores for the exit_raw_json function in
ansible_freeipa_module.py for use with ipavault, the ignore of using
automatic field numbering for the string format function, the use of
string split without maxsplits (not working in Python2), skips of the
shebang tests for scripts in tests and utils and the ignore of missing
collection_name for deprecate function calls in
ansible_freeipa_module.py.
This patch modifies the Python version used to be the latest available,
and add stages to execute the tests using ansible-core 2.12. As we
use Ubuntu 20.04, Python version 3.8 is avaiable.
Previously, ansible-core 2.12 was not available as it cannot be
installed with Python 3.6, which was the version used.
The hbacsvc members of hbacsvcgroup must be compared in a case
insensitive manner. This patch fixes comparation of member parameters
against existing members by converting parameters to lowercase, as it
is how the hbacsvc members are stored for hbacsvcgroups.
Also, there were some cases where a change with an empty set of members
was issued to IPA API, leading to a result of 'changed: yes' when
'changed: no' was expected. The fix involved a refactoring of the
hbacsvcgroup member management code.
When using group_tests, the pytest playbook was not receiving the
Ansible version to use, executing always with the latest available
version.
This patch fixes the behavior by passing the Ansible version to use
for tests to pytest_tests playbook.
