tests/azure: Deactivate NTP in prepare-build

In CentOS 8 and also Fedora the configuration and start of chrony
fails with

  Fatal error : adjtimex(0x8001) failed : Operation not permitted

For more information: https://bugzilla.redhat.com/show_bug.cgi?id=1772053

NTP will not be needed before a separate namespace is used for clocks.

molecule/centos-8-build/molecule.yml

@@ -3,7 +3,7 @@ driver:
   name: docker
 platforms:
   - name: centos-8-build
-    image: centos:8
+    image: "centos:centos8"
     pre_build_image: true
     hostname: ipaserver.test.local
     dns_servers:

molecule/fedora-latest-build/molecule.yml

@@ -3,7 +3,7 @@ driver:
   name: docker
 platforms:
   - name: fedora-latest-build
-    image: fedora-latest
+    image: "fedora:latest"
     dockerfile: Dockerfile
     hostname: ipaserver.test.local
     dns_servers:

molecule/resources/playbooks/prepare-build.yml

@@ -25,3 +25,4 @@
       ipadm_password: SomeDMpassword
       ipaserver_domain: test.local
       ipaserver_realm: TEST.LOCAL
+      ipaclient_no_ntp: yes

playbooks/permission/permission-absent.yml

@@ -4,8 +4,8 @@
   become: true
 
   tasks:
-  - name: Ensure permission TestPerm1 is absent
+  - name: Ensure permission is absent
     ipapermission:
+      ipaadmin_password: SomeADMINpassword
       name: TestPerm1
       state: absent
-

playbooks/permission/permission-allow-read-employeenum.yml

@@ -4,11 +4,12 @@
   become: true
 
   tasks:
-  - name: Ensure permission TestPerm2 is present with Read rights to employeenumber
+  - name: Ensure permission is present with set of rights to attribute employeenumber
     ipapermission:
-      name: TestPerm2
+      ipaadmin_password: SomeADMINpassword
+      name: TestPerm1
       object_type: user
-      perm_rights: 
+      right:
         - read
         - search
         - compare

playbooks/permission/permission-member-absent.yml

@@ -4,8 +4,9 @@
   become: true
 
   tasks:
-  - name: Ensure privilege User Administrators privilege is absent on Permission TestPerm1
+  - name: Ensure permission privilege, "User Administrators", is absent
     ipapermission:
+      ipaadmin_password: SomeADMINpassword
       name: TestPerm1
       privilege: "User Administrators"
       action: member

playbooks/permission/permission-member-present.yml

@@ -4,8 +4,9 @@
   become: true
 
   tasks:
-  - name: Ensure permission TestPerm1 is present with the User Administrators privilege present
+  - name: Ensure permission is present with "User Administrators" privilege
     ipapermission:
+      ipaadmin_password: SomeADMINpassword
       name: TestPerm1
       privilege: "User Administrators"
       action: member

playbooks/permission/permission-present.yml

@@ -4,8 +4,9 @@
   become: true
 
   tasks:
-  - name: Ensure permission TestPerm1 is present
+  - name: Ensure permission is present
     ipapermission:
+      ipaadmin_password: SomeADMINpassword
       name: TestPerm1
       object_type: host
-      perm_rights: all
+      right: all

playbooks/permission/permission-renamed.yml

@@ -4,8 +4,9 @@
   become: true
 
   tasks:
-  - name: Ensure permission TestPerm1 is present
+  - name: Ensure permission TestPerm1 is renamed to TestPermRenamed
     ipapermission:
+      ipaadmin_password: SomeADMINpassword
       name: TestPerm1
       rename: TestPermRenamed
       state: renamed

playbooks/selfservice/selfservice-absent.yml

@@ -1,11 +1,11 @@
 ---
-- name: Delegation absent
+- name: Selfservice absent
   hosts: ipaserver
   become: true
 
   tasks:
-  - name: Ensure delegation "basic manager attributes" is absent
+  - name: Ensure selfservice "basic manager attributes" is absent
-    ipadelegation:
+    ipaselfservice:
       ipaadmin_password: SomeADMINpassword
       name: "basic manager attributes"
       state: absent

playbooks/selfservice/selfservice-member-absent.yml

@@ -1,15 +1,15 @@
 ---
-- name: Delegation member absent
+- name: Selfservice member absent
   hosts: ipaserver
   become: true
 
   tasks:
-  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
+  - name: Ensure selfservice "basic manager attributes" member attributes employeenumber and employeetype are absent
-    ipadelegation:
+    ipaselfservice:
       ipaadmin_password: SomeADMINpassword
       name: "basic manager attributes"
       attribute:
-      - employeenumber
+      - businesscategory
-      - employeetype
+      - departmentnumber
       action: member
       state: absent

playbooks/selfservice/selfservice-member-present.yml

@@ -1,11 +1,11 @@
 ---
-- name: Delegation member present
+- name: Selfservice member present
   hosts: ipaserver
   become: true
 
   tasks:
-  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
+  - name: Ensure selfservice "basic manager attributes" member attribute departmentnumber is present
-    ipadelegation:
+    ipaselfservice:
       ipaadmin_password: SomeADMINpassword
       name: "basic manager attributes"
       attribute:

playbooks/selfservice/selfservice-present.yml

@@ -1,11 +1,11 @@
 ---
-- name: Delegation present
+- name: Selfservice present
   hosts: ipaserver
   become: true
 
   tasks:
-  - name: Ensure delegation "basic manager attributes" is present
+  - name: Ensure selfservice "basic manager attributes" is present
-    ipadelegation:
+    ipaselfservice:
       ipaadmin_password: SomeADMINpassword
       name: "basic manager attributes"
       permission: read

playbooks/vault/vault-is-present-with-password-file.yml

@@ -7,7 +7,7 @@
   tasks:
   - copy:
       src: "{{ playbook_dir }}/password.txt"
-      dest: "{{ ansible_env.HOME }}/password.txt"
+      dest: "{{ ansible_facts['env'].HOME }}/password.txt"
       owner: "{{ ansible_user }}"
       group: "{{ ansible_user }}"
       mode: 0600
@@ -16,7 +16,7 @@
       name: symvault
       username: admin
       vault_type: symmetric
-      vault_password_file: "{{ ansible_env.HOME }}/password.txt"
+      vault_password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
   - file:
-      path: "{{ ansible_env.HOME }}/password.txt"
+      path: "{{ ansible_facts['env'].HOME }}/password.txt"
       state: absent

playbooks/vault/vault-is-present-with-public-key-file.yml

@@ -12,7 +12,7 @@
   tasks:
   - copy:
       src: "{{ playbook_dir }}/public.pem"
-      dest: "{{ ansible_env.HOME }}/public.pem"
+      dest: "{{ ansible_facts['env'].HOME }}/public.pem"
       owner: "{{ ansible_user }}"
       group: "{{ ansible_user }}"
       mode: 0600
@@ -21,7 +21,7 @@
       name: asymvault
       username: admin
       vault_type: asymmetric
-      vault_public_key_file: "{{ ansible_env.HOME }}/public.pem"
+      vault_public_key_file: "{{ ansible_facts['env'].HOME }}/public.pem"
   - file:
-      path: "{{ ansible_env.HOME }}/public.pem"
+      path: "{{ ansible_facts['env'].HOME }}/public.pem"
       state: absent

plugins/modules/ipadnsrecord.py

@@ -1350,8 +1350,6 @@ def define_commands_for_present_state(module, zone_name, entry, res_find):
                     module, zone_name, name, args[record])
                 _commands.extend(cmds)
                 del args['%s_extra_create_reverse' % ipv]
-                if '%s_ip_address' not in args:
-                    del args[record]
         for record, fields in _RECORD_PARTS.items():
             part_fields = [f for f in fields if f in args]
             if part_fields:

plugins/modules/ipapermission.py

@@ -277,10 +277,8 @@ def main():
             ansible_module.fail_json(
                 msg="Only one permission can be added at a time.")
         if action == "member":
-            invalid = ["right", "bindtype", "subtree",
+            invalid = ["bindtype", "target", "targetto", "targetfrom",
-                       "extra_target_filter", "rawfilter", "target",
+                       "subtree", "targetgroup", "object_type", "rename"]
-                       "targetto", "targetfrom", "memberof", "targetgroup",
-                       "object_type", "rename"]
         else:
             invalid = ["rename"]
 
@@ -299,13 +297,12 @@ def main():
     if state == "absent":
         if len(names) < 1:
             ansible_module.fail_json(msg="No name given.")
-        invalid = ["right",
+        invalid = ["bindtype", "subtree", "target", "targetto",
-                   "bindtype", "subtree",
+                   "targetfrom", "targetgroup", "object_type",
-                   "extra_target_filter", "rawfilter", "target", "targetto",
-                   "targetfrom", "memberof", "targetgroup", "object_type",
                    "no_members", "rename"]
         if action != "member":
-            invalid += ["attrs"]
+            invalid += ["right", "attrs", "memberof",
+                        "extra_target_filter", "rawfilter"]
 
     for x in invalid:
         if vars()[x] is not None:
@@ -317,6 +314,11 @@ def main():
         ansible_module.fail_json(
             msg="Bindtype 'self' is not supported by your IPA version.")
 
+    if all([extra_target_filter, rawfilter]):
+        ansible_module.fail_json(
+            msg="Cannot specify target filter and extra target filter "
+                "simultaneously.")
+
     # Init
 
     changed = False
@@ -359,16 +361,31 @@ def main():
                         ansible_module.fail_json(
                             msg="No permission '%s'" % name)
 
-                    # attrs
+                    member_attrs = {}
-                    if attrs is not None:
+                    check_members = {
-                        _attrs = list(set(list(res_find["attrs"]) + attrs))
+                        "attrs": attrs,
-                        if len(_attrs) > len(res_find["attrs"]):
+                        "memberof": memberof,
-                            commands.append([name, "permission_mod",
+                        "ipapermright": right,
-                                             {"attrs": _attrs}])
+                        "ipapermtargetfilter": rawfilter,
+                        "extratargetfilter": extra_target_filter,
+                        # subtree member management is currently disabled.
+                        # "ipapermlocation": subtree,
+                    }
+
+                    for _member, _member_change in check_members.items():
+                        if _member_change is not None:
+                            _res_list = res_find[_member]
+                            _new_set = set(_res_list + _member_change)
+                            if _new_set != set(_res_list):
+                                member_attrs[_member] = list(_new_set)
+
+                    if member_attrs:
+                        commands.append([name, "permission_mod", member_attrs])
 
                 else:
                     ansible_module.fail_json(
                         msg="Unknown action '%s'" % action)
+
             elif state == "renamed":
                 if action == "permission":
                     # Generate args
@@ -393,6 +410,7 @@ def main():
                 else:
                     ansible_module.fail_json(
                         msg="Unknown action '%s'" % action)
+
             elif state == "absent":
                 if action == "permission":
                     if res_find is not None:
@@ -403,20 +421,26 @@ def main():
                         ansible_module.fail_json(
                             msg="No permission '%s'" % name)
 
-                    # attrs
+                    member_attrs = {}
-                    if attrs is not None:
+                    check_members = {
-                        # New attribute list (remove given ones from find
+                        "attrs": attrs,
-                        # result)
+                        "memberof": memberof,
-                        # Make list with unique entries
+                        "ipapermright": right,
-                        _attrs = list(set(res_find["attrs"]) - set(attrs))
+                        "ipapermtargetfilter": rawfilter,
-                        if len(_attrs) < 1:
+                        "extratargetfilter": extra_target_filter,
-                            ansible_module.fail_json(
+                        # subtree member management is currently disabled.
-                                msg="At minimum one attribute is needed.")
+                        # "ipapermlocation": subtree,
+                    }
 
-                        # Entries New number of attributes is smaller
+                    for _member, _member_change in check_members.items():
-                        if len(_attrs) < len(res_find["attrs"]):
+                        if _member_change is not None:
-                            commands.append([name, "permission_mod",
+                            _res_set = set(res_find[_member])
-                                             {"attrs": _attrs}])
+                            _new_set = _res_set - set(_member_change)
+                            if _new_set != _res_set:
+                                member_attrs[_member] = list(_new_set)
+
+                    if member_attrs:
+                        commands.append([name, "permission_mod", member_attrs])
 
             else:
                 ansible_module.fail_json(msg="Unknown state '%s'" % state)

plugins/modules/ipasudorule.py

@@ -429,16 +429,16 @@ def main():
 
                     # Generate addition and removal lists
                     host_add, host_del = gen_add_del_lists(
-                        host, res_find.get('member_host', []))
+                        host, res_find.get('memberhost_host', []))
 
                     hostgroup_add, hostgroup_del = gen_add_del_lists(
-                        hostgroup, res_find.get('member_hostgroup', []))
+                        hostgroup, res_find.get('memberhost_hostgroup', []))
 
                     user_add, user_del = gen_add_del_lists(
-                        user, res_find.get('member_user', []))
+                        user, res_find.get('memberuser_user', []))
 
                     group_add, group_del = gen_add_del_lists(
-                        group, res_find.get('member_group', []))
+                        group, res_find.get('memberuser_group', []))
 
                     allow_cmd_add, allow_cmd_del = gen_add_del_lists(
                         allow_sudocmd,

roles/ipabackup/tasks/copy_backup_from_server.yml

@@ -10,7 +10,7 @@
   set_fact:
     ipabackup_controller_dir:
         "{{ ipabackup_controller_path | default(lookup('env','PWD')) }}/{{
-         ipabackup_name_prefix | default(ansible_fqdn) }}_{{
+         ipabackup_name_prefix | default(ansible_facts['fqdn']) }}_{{
          ipabackup_item }}/"
 
 - name: Stat backup on server

roles/ipabackup/tasks/get_ipabackup_dir.yml

@@ -1,6 +1,6 @@
 ---
 - name: Get IPA_BACKUP_DIR dir from ipaplatform
-  command: "{{ ansible_playbook_python }}"
+  command: "{{ ansible_python_interpreter | default('/usr/bin/python') }}"
   args:
     stdin: |
       from ipaplatform.paths import paths

roles/ipabackup/tasks/restore.yml

@@ -6,9 +6,9 @@
 - name: Import variables specific to distribution
   include_vars: "{{ item }}"
   with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}.yml"
     - "{{ role_path }}/vars/default.yml"
 
 ### GET SERVICES FROM BACKUP

roles/ipaclient/tasks/install.yml

@@ -33,7 +33,7 @@
     domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
     servers: "{{ ipaclient_servers | default(omit) }}"
     realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
-    hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipaclient_hostname | default(ansible_facts['fqdn']) }}"
     ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
     ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
     no_ntp: "{{ ipaclient_no_ntp }}"
@@ -181,8 +181,12 @@
     # Do not fail on error codes 3 and 5:
     #   3 - Unable to open keytab
     #   5 - Principal name or realm not found in keytab
+    #   7 - Failed to set cursor, typically when errcode
+    #       would be issued in past
     failed_when: result_ipa_rmkeytab.rc != 0 and
-                 result_ipa_rmkeytab.rc != 3 and result_ipa_rmkeytab.rc != 5
+                 result_ipa_rmkeytab.rc != 3 and
+                 result_ipa_rmkeytab.rc != 5 and
+                 result_ipa_rmkeytab.rc != 7
     when: (ipaclient_use_otp | bool or ipaclient_force_join | bool) and not ipaclient_on_master | bool
 
   - name: Install - Backup and set hostname

roles/ipaclient/tasks/main.yml

@@ -4,9 +4,9 @@
 - name: Import variables specific to distribution
   include_vars: "{{ item }}"
   with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}.yml"
     - "{{ role_path }}/vars/default.yml"
 
 - name: Install IPA client

roles/ipareplica/tasks/install.yml

@@ -72,7 +72,7 @@
             default(omit) }}"
     servers: "{{ ipareplica_servers | default(omit) }}"
     realm: "{{ ipareplica_realm | default(ipaserver_realm) |default(omit) }}"
-    hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipareplica_hostname | default(ansible_facts['fqdn']) }}"
     ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
     hidden_replica: "{{ ipareplica_hidden_replica }}"
     skip_mem_check: "{{ not ipareplica_mem_check }}"

roles/ipareplica/tasks/main.yml

@@ -4,9 +4,9 @@
 - name: Import variables specific to distribution
   include_vars: "{{ item }}"
   with_first_found:
-    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
-    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
-    - "vars/{{ ansible_distribution }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}.yml"
     - "vars/default.yml"
 
 - name: Install IPA replica

roles/ipareplica/tasks/uninstall.yml

@@ -25,7 +25,7 @@
 #  command: >
 #    /usr/sbin/ipa-replica-manage
 #    del
-#    {{ ipareplica_hostname | default(ansible_fqdn) }}
+#    {{ ipareplica_hostname | default(ansible_facts['fqdn']) }}
 #    --force
 #    --password={{ ipadm_password }}
 #  failed_when: False

roles/ipaserver/tasks/install.yml

@@ -65,7 +65,7 @@
     master_password: "{{ ipaserver_master_password | default(omit) }}"
     domain: "{{ ipaserver_domain | default(omit) }}"
     realm: "{{ ipaserver_realm | default(omit) }}"
-    hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipaserver_hostname | default(ansible_facts['fqdn']) }}"
     ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
     no_host_dns: "{{ ipaserver_no_host_dns }}"
     pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}"

roles/ipaserver/tasks/main.yml

@@ -4,9 +4,9 @@
 - name: Import variables specific to distribution
   include_vars: "{{ item }}"
   with_first_found:
-    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
-    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
-    - "vars/{{ ansible_distribution }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}.yml"
     - "vars/default.yml"
 
 - name: Install IPA server

tests/ansible.cfg

@@ -3,3 +3,4 @@ roles_path = ../roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/rol
 library = ../plugins/modules:~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
 module_utils = ../plugins/module_utils:~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
 host_key_checking = false
+inject_facts_as_vars = false

tests/azure/azure-pipelines.yml

@@ -15,7 +15,7 @@ trigger:
 - master
 
 pool:
-  vmImage: 'ubuntu-18.04'
+  vmImage: 'ubuntu-20.04'
 
 stages:
 - stage: Centos7

tests/azure/build-containers.yml

@@ -11,7 +11,7 @@ schedules:
 trigger: none
 
 pool:
-  vmImage: 'ubuntu-18.04'
+  vmImage: 'ubuntu-20.04'
 
 jobs:
 

tests/azure/templates/build_container.yml

@@ -15,7 +15,7 @@ jobs:
     inputs:
       versionSpec: '3.6'
 
-  - script: python -m pip install --upgrade pip setuptools wheel
+  - script: python -m pip install --upgrade pip setuptools wheel ansible
     displayName: Install tools
 
   - script: pip install molecule[docker]
@@ -23,6 +23,8 @@ jobs:
 
   - script: molecule create -s ${{ parameters.build_scenario_name }}
     displayName: Create test container
+    env:
+      ANSIBLE_LIBRARY: ./molecule
 
   - script: |
       docker stop ${{ parameters.build_scenario_name }}

tests/azure/templates/playbook_tests.yml

@@ -44,6 +44,8 @@ jobs:
       cp -a plugins/module_utils/* ~/.ansible/module_utils
       molecule create -s ${{ parameters.scenario }}
     displayName: Setup test container
+    env:
+      ANSIBLE_LIBRARY: ./molecule
 
   - script: |
       pytest \

tests/azure/templates/pytest_tests.yml

@@ -36,6 +36,8 @@ jobs:
       cp -a plugins/module_utils/* ~/.ansible/module_utils
       molecule create -s ${{ parameters.scenario }}
     displayName: Setup test container
+    env:
+      ANSIBLE_LIBRARY: ./molecule
 
   - script: |
       pytest \

tests/dnsrecord/env_vars.yml

@@ -2,9 +2,9 @@
 # Set common vars and facts for test.
 - name: Set IPv4 address prefix.
   set_fact:
-    ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+    ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                      join('.') }}"
-    ipv4_reverse_sufix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+    ipv4_reverse_sufix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                             reverse |
                             join('.') }}"
 

tests/dnsrecord/test_compatibility_with_ansible_module.yml

@@ -29,26 +29,32 @@
       ipaadmin_password: SomeADMINpassword
       name: host01
       zone_name: testzone.local
-      record_type: 'AAAA'
+      del_all: yes
-      record_value: '::1'
       state: absent
 
-  - name: Ensure that dns record 'vm-001' is absent
+  - name: Ensure that dns records for 'vm-001' are absent
     ipadnsrecord:
       ipaadmin_password: SomeADMINpassword
       name: vm-001
       zone_name: testzone.local
-      record_type: 'AAAA'
+      del_all: yes
-      record_value: '::1'
+      state: absent
+
+  - name: Ensure a PTR record is absent for 'vm-001'
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: '1'
+      record_type: 'PTR'
+      record_value: 'vm-001'
+      zone_name: 2.168.192.in-addr.arpa
       state: absent
 
   - name: Ensure a PTR record is absent
     ipadnsrecord:
       ipaadmin_password: SomeADMINpassword
-      name: 5
-      record_type: 'PTR'
-      record_value: 'internal.ipa.testzone.local'
       zone_name: 2.168.192.in-addr.arpa
+      name: "5"
+      del_all: yes
       state: absent
 
   - name: Ensure a TXT record is absent
@@ -79,7 +85,7 @@
       state: absent
 
   # tests
-  - name: Ensure dns record is present
+  - name: Ensure AAAA  dns record is present
     ipadnsrecord:
       ipaadmin_password: SomeADMINpassword
       name: vm-001
@@ -88,9 +94,9 @@
       zone_name: testzone.local
       state: present
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
-  - name: Ensure that dns record exists with a TTL
+  - name: Ensure that AAAA dns record exists with a TTL
     ipadnsrecord:
       ipaadmin_password: SomeADMINpassword
       name: host01
@@ -100,18 +106,52 @@
       zone_name: testzone.local
       state: present
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure a PTR record is present
     ipadnsrecord:
       ipaadmin_password: SomeADMINpassword
-      name: 5
+      name: '5'
       record_type: 'PTR'
       record_value: 'internal.ipa.testzone.local'
       zone_name: 2.168.192.in-addr.arpa
       state: present
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure A record is present, with reverse
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: vm-001
+      record_type: 'A'
+      record_value: '192.168.2.1'
+      create_reverse: yes
+      zone_name: testzone.local
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure A record is present
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: vm-001
+      record_type: 'A'
+      record_value: '192.168.2.1'
+      zone_name: testzone.local
+      state: present
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure PTR record is present
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: '1'
+      record_type: 'PTR'
+      record_value: vm-001.testzone.local
+      zone_name: 2.168.192.in-addr.arpa
+      state: present
+    register: result
+    failed_when: result.changed or result.failed
 
   - name: Ensure a TXT record is present
     ipadnsrecord:
@@ -122,7 +162,7 @@
       zone_name: testzone.local
       state: present
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure a SRV record is present
     ipadnsrecord:
@@ -133,7 +173,7 @@
       zone_name: testzone.local
       state: present
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure an MX record is present
     ipadnsrecord:
@@ -144,7 +184,7 @@
       zone_name: testzone.local
       state: present
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure that dns record is removed
     ipadnsrecord:
@@ -155,7 +195,7 @@
       record_value: '::1'
       state: absent
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
    # cleanup
   - name: Ensure that dns record 'host01' is absent
@@ -167,7 +207,7 @@
       record_value: '::1'
       state: absent
     register: result
-    failed_when: result.changed
+    failed_when: result.changed or result.failed
 
   - name: Ensure that dns record 'vm-001' is absent
     ipadnsrecord:
@@ -178,7 +218,7 @@
       record_value: '::1'
       state: absent
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure a PTR record is absent
     ipadnsrecord:
@@ -189,7 +229,7 @@
       zone_name: 2.168.192.in-addr.arpa
       state: absent
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure a TXT record is absent
     ipadnsrecord:
@@ -200,7 +240,7 @@
       zone_name: testzone.local
       state: absent
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure a SRV record is absent
     ipadnsrecord:
@@ -211,7 +251,7 @@
       zone_name: testzone.local
       state: absent
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure an MX record is absent
     ipadnsrecord:
@@ -222,7 +262,7 @@
       zone_name: testzone.local
       state: absent
     register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
 
   - name: Ensure DNS zones to be used are absent.
     ipadnszone:

tests/dnsrecord/test_dnsrecord.yml

@@ -564,7 +564,7 @@
       ipaadmin_password: SomeADMINpassword
       name: iron01
       zone_name: "{{ safezone }}"
-      ip_address: "{{ ansible_default_ipv4.address }}"
+      ip_address: "{{ ansible_facts['default_ipv4'].address }}"
     register: result
     failed_when: not result.changed
 

tests/hbacrule/test_hbacrule.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   # CLEANUP TEST ITEMS

tests/host/certificate/test_host_certificate.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Generate self-signed certificates.

tests/host/certificate/test_hosts_certificate.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Host test absent

tests/host/test_host.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Set host1_fqdn .. host6_fqdn
@@ -33,7 +33,7 @@
 
   - name: Get IPv4 address prefix from server node
     set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+      ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                        join('.') }}"
 
   - name: Host "{{ host1_fqdn }}" present

tests/host/test_host_allow_create_keytab.yml

@@ -6,12 +6,12 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Get Realm from server name
     set_fact:
-      ipaserver_realm: "{{ ansible_fqdn.split('.')[1:] | join ('.') | upper }}"
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
     when: ipaserver_realm is not defined
 
   - name: Set host1_fqdn .. host3_fqdn

tests/host/test_host_allow_retrieve_keytab.yml

@@ -6,12 +6,12 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Get Realm from server name
     set_fact:
-      ipaserver_realm: "{{ ansible_fqdn.split('.')[1:] | join ('.') | upper }}"
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
     when: ipaserver_realm is not defined
 
   - name: Set host1_fqdn .. host3_fqdn

tests/host/test_host_bool_params.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Set host1_fqdn .. host6_fqdn

tests/host/test_host_ipaddresses.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Set host1_fqdn .. host6_fqdn
@@ -17,7 +17,7 @@
 
   - name: Get IPv4 address prefix from server node
     set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+      ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                        join('.') }}"
 
   - name: Host absent

tests/host/test_host_managedby_host.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Set host1_fqdn .. host2_fqdn
@@ -55,39 +55,39 @@
     register: result
     failed_when: result.changed
 
-  - name: Host "{{ host1_fqdn }}" managed by "{{ ansible_fqdn }}"
+  - name: Host "{{ host1_fqdn }}" managed by "{{ ansible_facts['fqdn'] }}"
     ipahost:
       ipaadmin_password: SomeADMINpassword
       name: "{{ host1_fqdn }}"
-      managedby_host: "{{ ansible_fqdn }}"
+      managedby_host: "{{ ansible_facts['fqdn'] }}"
       action: member
     register: result
     failed_when: not result.changed
 
-  - name: Host "{{ host1_fqdn }}" managed by "{{ ansible_fqdn }}" again
+  - name: Host "{{ host1_fqdn }}" managed by "{{ ansible_facts['fqdn'] }}" again
     ipahost:
       ipaadmin_password: SomeADMINpassword
       name: "{{ host1_fqdn }}"
-      managedby_host: "{{ ansible_fqdn }}"
+      managedby_host: "{{ ansible_facts['fqdn'] }}"
       action: member
     register: result
     failed_when: result.changed
 
-  - name: Host "{{ host1_fqdn }}" not managed by "{{ ansible_fqdn }}"
+  - name: Host "{{ host1_fqdn }}" not managed by "{{ ansible_facts['fqdn'] }}"
     ipahost:
       ipaadmin_password: SomeADMINpassword
       name: "{{ host1_fqdn }}"
-      managedby_host: "{{ ansible_fqdn }}"
+      managedby_host: "{{ ansible_facts['fqdn'] }}"
       action: member
       state: absent
     register: result
     failed_when: not result.changed
 
-  - name: Host "{{ host1_fqdn }}" not managed by "{{ ansible_fqdn }}" again
+  - name: Host "{{ host1_fqdn }}" not managed by "{{ ansible_facts['fqdn'] }}" again
     ipahost:
       ipaadmin_password: SomeADMINpassword
       name: "{{ host1_fqdn }}"
-      managedby_host: "{{ ansible_fqdn }}"
+      managedby_host: "{{ ansible_facts['fqdn'] }}"
       action: member
       state: absent
     register: result

tests/host/test_host_principal.yml

@@ -6,12 +6,12 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Get Realm from server name
     set_fact:
-      ipaserver_realm: "{{ ansible_fqdn.split('.')[1:] | join ('.') | upper }}"
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
     when: ipaserver_realm is not defined
 
   - name: Set host1_fqdn

tests/host/test_host_random.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Set host1_fqdn and host2_fqdn
@@ -77,11 +77,11 @@
     debug:
       var: ipahost.host["{{host2_fqdn }}"].randompassword
 
-  - name: Enrolled host "{{ ansible_fqdn }}" fails to set random password with update_password always
+  - name: Enrolled host "{{ ansible_facts['fqdn'] }}" fails to set random password with update_password always
     ipahost:
       ipaadmin_password: SomeADMINpassword
       hosts:
-      - name: "{{ ansible_fqdn }}"
+      - name: "{{ ansible_facts['fqdn'] }}"
         random: yes
       update_password: always
     register: ipahost
@@ -89,7 +89,7 @@
 
   - assert:
       that:
-      - ipahost.host["{{ ansible_fqdn }}"].randompassword is
+      - ipahost.host["{{ ansible_facts['fqdn'] }}"].randompassword is
         not defined
       - "'Password cannot be set on enrolled host' in ipahost.msg"
 

tests/host/test_host_reverse.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Set host1_fqdn
@@ -23,7 +23,7 @@
 
   - name: Get IPv4 address prefix from server node
     set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+      ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                        join('.') }}"
 
   - name: Set zone prefixes.

tests/host/test_hosts.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Set host1_fqdn .. host6_fqdn

tests/host/test_hosts_managedby_host.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Set host1_fqdn .. host5_fqdn

tests/host/test_hosts_principal.yml

@@ -6,12 +6,12 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Get Realm from server name
     set_fact:
-      ipaserver_realm: "{{ ansible_fqdn.split('.')[1:] | join ('.') | upper }}"
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
     when: ipaserver_realm is not defined
 
   - name: Set host1_fqdn .. host2_fqdn

tests/hostgroup/test_hostgroup.yml

@@ -7,7 +7,7 @@
   tasks:
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Ensure host-group databases, mysql-server and oracle-server are absent

tests/permission/test_permission.yml

@@ -6,6 +6,15 @@
   tasks:
   - include_tasks: ../env_freeipa_facts.yml
 
+  - name: Ensure testing groups are present.
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{ item }}"
+      state: present
+    with_items:
+      - rbacgroup1
+      - rbacgroup2
+
   # CLEANUP TEST ITEMS
 
   - name: Ensure permission perm-test-1 is absent
@@ -24,6 +33,8 @@
       ipaadmin_password: SomeADMINpassword
       name: perm-test-1
       object_type: host
+      memberof: rbacgroup1
+      filter: '(cn=*.ipa.*)'
       right: all
     register: result
     failed_when: not result.changed or result.failed
@@ -33,10 +44,106 @@
       ipaadmin_password: SomeADMINpassword
       name: perm-test-1
       object_type: host
+      memberof: rbacgroup1
+      filter: '(cn=*.ipa.*)'
       right: all
     register: result
     failed_when: result.changed or result.failed
 
+  - name: Ensure permission perm-test-1 has an extra filter '(cn=*.internal.*)'
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      filter: '(cn=*.internal.*)'
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 has an extra filter '(cn=*.internal.*)', again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      filter: '(cn=*.internal.*)'
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `right` has `write`
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      right: write
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `right` has `write`, again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      right: write
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `right` has no `write`
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      right: write
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `right` has no `write`, again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      right: write
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `memberof` has `rbackgroup2`
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      memberof: rbacgroup2
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `memberof` has `rbackgroup2`, again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      memberof: rbacgroup2
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `memberof` item `rbackgroup1` is absent
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      memberof: rbacgroup1
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `memberof` item `rbackgroup1` is absent, again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      memberof: rbacgroup1
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
   - name: Ensure permission perm-test-1 is present with attr carlicense
     ipapermission:
       ipaadmin_password: SomeADMINpassword
@@ -163,6 +270,34 @@
     register: result
     failed_when: result.changed or result.failed
 
+  - name: Ensure permission perm-test-1 has rawfilter '(objectclass=ipagroup)'
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      rawfilter: '(objectclass=ipagroup)'
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 has rawfilter '(objectclass=ipagroup)', again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      rawfilter: '(objectclass=ipagroup)'
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure filter and rawfilter cannot be used together.
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      rawfilter: '(objectclass=ipagroup)'
+      filter: '(cn=*.internal.*)'
+      action: member
+    register: result
+    failed_when: not result.failed or "Cannot specify target filter and extra target filter simultaneously" not in result.msg
+
   - name: Rename permission perm-test-1 to perm-test-renamed
     ipapermission:
       ipaadmin_password: SomeADMINpassword
@@ -213,7 +348,7 @@
 
   # CLEANUP TEST ITEMS
 
-  - name: Ensure permission perm-test-1 is absent
+  - name: Ensure testing permissions are absent
     ipapermission:
       ipaadmin_password: SomeADMINpassword
       name:
@@ -221,3 +356,12 @@
       - perm-test-bindtype-test
       - perm-test-renamed
       state: absent
+
+  - name: Ensure testing groups are absent.
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{ item }}"
+      state: absent
+    with_items:
+      - rbacgroup1
+      - rbacgroup2

tests/role/env_facts.yml

@@ -1,7 +1,7 @@
 ---
 - name: Get Domain from server name
   set_fact:
-    ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+    ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
   when: ipaserver_domain is not defined
 
 - name: Set fact for realm name

tests/service/certificate/test_service_certificate.yml

@@ -29,12 +29,12 @@
   # setup
   - name: Get Domain from server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
     when: ipaserver_domain is not defined
 
   - name: Get IPv4 address prefix from server node
     set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+      ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                        join('.') }}"
 
   - name: Set test host FQDN

tests/service/env_vars.yml

@@ -1,7 +1,7 @@
 ---
     - name: Get Domain from server name
       set_fact:
-        test_domain: "{{ ansible_fqdn.split('.')[1:] | join('.') }}"
+        test_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"
 
     - name: Set host1, host2 and svc hosts fqdn
       set_fact:
@@ -12,4 +12,4 @@
 
     - name: Get IPv4 address prefix from server node
       set_fact:
-        ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | join('.') }}"
+        ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] | join('.') }}"

tests/service/test_service_disable.yml

@@ -19,13 +19,13 @@
   - name: Ensure service is absent
     ipaservice:
       ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
       state: absent
 
   - name: Ensure service is present
     ipaservice:
       ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
       certificate:
         - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
       force: no
@@ -33,51 +33,51 @@
     failed_when: not result.changed
 
   - name: Obtain keytab
-    shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab
+    shell: ipa-getkeytab -s "{{ ansible_facts['fqdn'] }}" -p "mysvc1/{{ ansible_facts['fqdn'] }}" -k mysvc1.keytab
 
   - name: Verify keytab
-    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
+    shell: ipa service-find "mysvc1/{{ ansible_facts['fqdn'] }}"
     register: result
     failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
 
   - name: Ensure service is disabled
     ipaservice:
       ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
       state: disabled
     register: result
     failed_when: not result.changed
 
   - name: Verify keytab
-    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
+    shell: ipa service-find "mysvc1/{{ ansible_facts['fqdn'] }}"
     register: result
     failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
 
   - name: Obtain keytab
-    shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab
+    shell: ipa-getkeytab -s "{{ ansible_facts['fqdn'] }}" -p "mysvc1/{{ ansible_facts['fqdn'] }}" -k mysvc1.keytab
 
   - name: Verify keytab
-    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
+    shell: ipa service-find "mysvc1/{{ ansible_facts['fqdn'] }}"
     register: result
     failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
 
   - name: Ensure service is disabled
     ipaservice:
       ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
       state: disabled
     register: result
     failed_when: not result.changed
 
   - name: Verify keytab
-    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
+    shell: ipa service-find "mysvc1/{{ ansible_facts['fqdn'] }}"
     register: result
     failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
 
   - name: Ensure service is disabled, with no keytab.
     ipaservice:
       ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
       state: disabled
     register: result
     failed_when: result.changed
@@ -85,7 +85,7 @@
   - name: Ensure service is absent
     ipaservice:
       ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
 
   - name: Destroy Kerberos tickets.
     shell: kdestroy -A -q -c ${KRB5CCNAME}

tests/sudorule/test_sudorule.yml

@@ -43,7 +43,7 @@
     ipahostgroup:
       ipaadmin_password: SomeADMINpassword
       name: cluster
-      host: "{{ ansible_fqdn }}"
+      host: "{{ ansible_facts['fqdn'] }}"
 
   - name: Ensure some sudocmds are available
     ipasudocmd:
@@ -500,20 +500,20 @@
     register: result
     failed_when: result.changed
 
-  - name: Ensure host "{{ ansible_fqdn }}" is present in sudorule.
+  - name: Ensure host "{{ ansible_facts['fqdn'] }}" is present in sudorule.
     ipasudorule:
       ipaadmin_password: SomeADMINpassword
       name: testrule1
-      host: "{{ ansible_fqdn }}"
+      host: "{{ ansible_facts['fqdn'] }}"
       action: member
     register: result
     failed_when: not result.changed
 
-  - name: Ensure host "{{ ansible_fqdn }}" is present in sudorule, again.
+  - name: Ensure host "{{ ansible_facts['fqdn'] }}" is present in sudorule, again.
     ipasudorule:
       ipaadmin_password: SomeADMINpassword
       name: testrule1
-      host: "{{ ansible_fqdn }}"
+      host: "{{ ansible_facts['fqdn'] }}"
       action: member
     register: result
     failed_when: result.changed

tests/sudorule/test_sudorule_categories.yml

@@ -7,7 +7,7 @@
   tasks:
   - name: Get Domain from the server name
     set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
 
   - name: Ensure sudorules are absent
     ipasudorule:

tests/vault/env_cleanup.yml

@@ -40,7 +40,7 @@
 
   - name: Remove files from target host.
     file:
-      path: "{{ ansible_env.HOME }}/{{ item }}"
+      path: "{{ ansible_facts['env'].HOME }}/{{ item }}"
       state: absent
     with_items:
     - A_private.pem

tests/vault/env_setup.yml

@@ -19,7 +19,7 @@
   - name: Copy files to target host.
     copy:
       src: "{{ playbook_dir }}/{{ item }}"
-      dest: "{{ ansible_env.HOME }}/{{ item }}"
+      dest: "{{ ansible_facts['env'].HOME }}/{{ item }}"
     with_items:
     - A_private.pem
     - A_public.pem

tests/vault/tasks_vault_members.yml

@@ -151,7 +151,7 @@
       ipaadmin_password: SomeADMINpassword
       name: "{{vault.name}}"
       action: member
-      services: "HTTP/{{ ansible_fqdn }}"
+      services: "HTTP/{{ ansible_facts['fqdn'] }}"
     register: result
     failed_when: not result.changed
 
@@ -160,7 +160,7 @@
       ipaadmin_password: SomeADMINpassword
       name: "{{vault.name}}"
       action: member
-      services: "HTTP/{{ ansible_fqdn }}"
+      services: "HTTP/{{ ansible_facts['fqdn'] }}"
     register: result
     failed_when: result.changed
 
@@ -169,7 +169,7 @@
       ipaadmin_password: SomeADMINpassword
       name: "{{vault.name}}"
       action: member
-      services: "HTTP/{{ ansible_fqdn }}"
+      services: "HTTP/{{ ansible_facts['fqdn'] }}"
       state: absent
     register: result
     failed_when: not result.changed
@@ -179,7 +179,7 @@
       ipaadmin_password: SomeADMINpassword
       name: "{{vault.name}}"
       action: member
-      services: "HTTP/{{ ansible_fqdn }}"
+      services: "HTTP/{{ ansible_facts['fqdn'] }}"
       state: absent
     register: result
     failed_when: result.changed
@@ -264,7 +264,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: "{{vault.name}}"
-      ownerservices: "HTTP/{{ ansible_fqdn }}"
+      ownerservices: "HTTP/{{ ansible_facts['fqdn'] }}"
       action: member
     register: result
     failed_when: not result.changed
@@ -273,7 +273,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: "{{vault.name}}"
-      ownerservices: "HTTP/{{ ansible_fqdn }}"
+      ownerservices: "HTTP/{{ ansible_facts['fqdn'] }}"
       action: member
     register: result
     failed_when: result.changed
@@ -282,7 +282,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: "{{vault.name}}"
-      ownerservices: "HTTP/{{ ansible_fqdn }}"
+      ownerservices: "HTTP/{{ ansible_facts['fqdn'] }}"
       state: absent
       action: member
     register: result
@@ -292,7 +292,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: "{{vault.name}}"
-      ownerservices: "HTTP/{{ ansible_fqdn }}"
+      ownerservices: "HTTP/{{ ansible_facts['fqdn'] }}"
       state: absent
       action: member
     register: result

tests/vault/test_vault_asymmetric.yml

@@ -68,7 +68,7 @@
       ipaadmin_password: SomeADMINpassword
       name: asymvault
       vault_type: asymmetric
-      public_key_file: "{{ ansible_env.HOME }}/A_public.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/A_public.pem"
       private_key: "{{ lookup('file', 'B_private.b64') }}"
     register: result
     failed_when: result.failed or not result.changed
@@ -77,7 +77,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: asymvault
-      private_key_file: "{{ ansible_env.HOME }}/A_private.pem"
+      private_key_file: "{{ ansible_facts['env'].HOME }}/A_private.pem"
       state: retrieved
     register: result
     failed_when: result.failed or result.changed or result.vault.data != 'SomeValue'
@@ -87,8 +87,8 @@
       ipaadmin_password: SomeADMINpassword
       name: asymvault
       vault_type: asymmetric
-      public_key_file: "{{ ansible_env.HOME }}/B_public.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/B_public.pem"
-      private_key_file: "{{ ansible_env.HOME }}/A_private.pem"
+      private_key_file: "{{ ansible_facts['env'].HOME }}/A_private.pem"
     register: result
     failed_when: result.failed or not result.changed
 
@@ -115,8 +115,8 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: asymvault
-      public_key_file: "{{ ansible_env.HOME }}/B_public.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/B_public.pem"
-      private_key_file: "{{ ansible_env.HOME }}/A_private.pem"
+      private_key_file: "{{ ansible_facts['env'].HOME }}/A_private.pem"
     register: result
     failed_when: result.failed or not result.changed
 
@@ -154,11 +154,11 @@
     register: result
     failed_when: result.vault.data != 'Hello World.' or result.changed
 
-  - name: Retrieve data from asymmetric vault into file {{ ansible_env.HOME }}/data.txt.
+  - name: Retrieve data from asymmetric vault into file {{ ansible_facts['env'].HOME }}/data.txt.
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: asymvault
-      out: "{{ ansible_env.HOME }}/data.txt"
+      out: "{{ ansible_facts['env'].HOME }}/data.txt"
       private_key: "{{ lookup('file', 'B_private.b64') }}"
       state: retrieved
     register: result
@@ -166,7 +166,7 @@
 
   - name: Verify retrieved data.
     slurp:
-      src: "{{ ansible_env.HOME }}/data.txt"
+      src: "{{ ansible_facts['env'].HOME }}/data.txt"
     register: slurpfile
     failed_when: slurpfile['content'] | b64decode != 'Hello World.'
 
@@ -192,7 +192,7 @@
       ipaadmin_password: SomeADMINpassword
       name: asymvault
       vault_type: asymmetric
-      in: "{{ ansible_env.HOME }}/in.txt"
+      in: "{{ ansible_facts['env'].HOME }}/in.txt"
     register: result
     failed_when: not result.changed
 
@@ -242,7 +242,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: asymvault
-      public_key_file: "{{ ansible_env.HOME }}/B_public.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/B_public.pem"
       vault_type: asymmetric
     register: result
     failed_when: not result.changed
@@ -251,7 +251,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: asymvault
-      public_key_file: "{{ ansible_env.HOME }}/B_public.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/B_public.pem"
       vault_type: asymmetric
     register: result
     failed_when: result.changed
@@ -277,7 +277,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: asymvault
-      private_key_file: "{{ ansible_env.HOME }}/B_private.pem"
+      private_key_file: "{{ ansible_facts['env'].HOME }}/B_private.pem"
       state: retrieved
     register: result
     failed_when: result.vault.data != 'Hello World.' or result.changed

tests/vault/test_vault_standard.yml

@@ -57,18 +57,18 @@
     register: result
     failed_when: result.vault.data != 'Hello World.' or result.changed
 
-  - name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt.
+  - name: Retrieve data from standard vault into file {{ ansible_facts['env'].HOME }}/data.txt.
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: stdvault
-      out: "{{ ansible_env.HOME }}/data.txt"
+      out: "{{ ansible_facts['env'].HOME }}/data.txt"
       state: retrieved
     register: result
     failed_when: result.changed or result.failed or (result.vault.data | default(false))
 
   - name: Verify retrieved data.
     slurp:
-      src: "{{ ansible_env.HOME }}/data.txt"
+      src: "{{ ansible_facts['env'].HOME }}/data.txt"
     register: slurpfile
     failed_when: slurpfile['content'] | b64decode != 'Hello World.'
 
@@ -93,7 +93,7 @@
       ipaadmin_password: SomeADMINpassword
       name: stdvault
       vault_type: standard
-      in: "{{ ansible_env.HOME }}/in.txt"
+      in: "{{ ansible_facts['env'].HOME }}/in.txt"
     register: result
     failed_when: not result.changed
 

tests/vault/test_vault_symmetric.yml

@@ -63,19 +63,19 @@
     register: result
     failed_when: result.changed or result.failed or result.vault.data != 'Hello World.'
 
-  - name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt.
+  - name: Retrieve data from symmetric vault into file {{ ansible_facts['env'].HOME }}/data.txt.
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
       password: SomeVAULTpassword
-      out: "{{ ansible_env.HOME }}/data.txt"
+      out: "{{ ansible_facts['env'].HOME }}/data.txt"
       state: retrieved
     register: result
     failed_when: result.changed or result.failed or (result.vault.data | default(false))
 
   - name: Verify retrieved data.
     slurp:
-      src: "{{ ansible_env.HOME }}/data.txt"
+      src: "{{ ansible_facts['env'].HOME }}/data.txt"
     register: slurpfile
     failed_when: slurpfile['content'] | b64decode != 'Hello World.'
 
@@ -101,7 +101,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
-      in: "{{ ansible_env.HOME }}/in.txt"
+      in: "{{ ansible_facts['env'].HOME }}/in.txt"
       password: SomeVAULTpassword
     register: result
     failed_when: result.failed or not result.changed
@@ -154,7 +154,7 @@
       ipaadmin_password: SomeADMINpassword
       name: symvault
       username: user01
-      password_file: "{{ ansible_env.HOME }}/password.txt"
+      password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
       vault_type: symmetric
     register: result
     failed_when: result.failed or not result.changed
@@ -164,7 +164,7 @@
       ipaadmin_password: SomeADMINpassword
       name: symvault
       username: user01
-      password_file: "{{ ansible_env.HOME }}/password.txt"
+      password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
       vault_type: symmetric
     register: result
     failed_when: result.failed or result.changed
@@ -191,7 +191,7 @@
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
-      password_file: "{{ ansible_env.HOME }}/password.txt"
+      password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
       state: retrieved
     register: result
     failed_when: result.failed or result.changed or result.vault.data != 'Hello World.'
@@ -328,7 +328,7 @@
       ipaadmin_password: SomeADMINpassword
       name: symvault
       password: APasswordToChange
-      new_password_file: "{{ ansible_env.HOME }}/password.txt"
+      new_password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
       vault_type: symmetric
     register: result
     failed_when: not result.changed or result.failed

utils/build-galaxy-release.sh

@@ -15,49 +15,61 @@ find . -name "*~" -exec rm {} \;
 sed -i -e "s/ansible.module_utils.ansible_freeipa_module/ansible_collections.${collection_prefix}.plugins.module_utils.ansible_freeipa_module/" plugins/modules/*.py
 
 (cd plugins/module_utils && {
-    ln -s ../../roles/*/module_utils/*.py .
+    ln -sf ../../roles/*/module_utils/*.py .
 })
 
 (cd plugins/modules && {
     sed -i -e "s/ansible.module_utils.ansible_ipa_/ansible_collections.${collection_prefix}.plugins.module_utils.ansible_ipa_/" ../../roles/*/library/*.py
-    ln -s ../../roles/*/library/*.py .
+    ln -sf ../../roles/*/library/*.py .
 })
 
 [ ! -x plugins/action_plugins ] && mkdir plugins/action_plugins
 (cd plugins/action_plugins && {
-    ln -s ../../roles/*/action_plugins/*.py .
+    ln -sf ../../roles/*/action_plugins/*.py .
 })
 
+echo "Fixing examples in plugins/modules..."
 find plugins/modules -name "*.py" -print0 |
-    while IFS= read -d -r '' line; do
+    while IFS= read -d '' -r line; do
-        python utils/galaxyfy-module-EXAMPLES.py "$x" \
+        python utils/galaxyfy-module-EXAMPLES.py "$line" \
                "ipa" "$collection_prefix"
     done
+echo -e "\033[AFixing examples in plugins/modules... \033[32;1mDONE\033[0m"
 
+echo "Fixing examples in roles/*/library..."
 find roles/*/library -name "*.py" -print0 |
-    while IFS= read -d -r '' line; do
+    while IFS= read -d '' -r line; do
-        python utils/galaxyfy-module-EXAMPLES.py "$x" \
+        python utils/galaxyfy-module-EXAMPLES.py "$line" \
                "ipa" "$collection_prefix"
     done
+echo -e "\033[AFixing examples in roles/*/library... \033[32;1mDONE\033[0m"
 
-for x in roles/*/tasks/*.yml; do
+echo "Fixing playbooks in roles/*/tasks..."
-    python utils/galaxyfy-playbook.py "$x" "ipa" "$collection_prefix"
+for line in roles/*/tasks/*.yml; do
+    python utils/galaxyfy-playbook.py "$line" "ipa" "$collection_prefix"
 done
+echo -e "\033[AFixing playbooks in roles/*tasks... \033[32;1mDONE\033[0m"
 
+echo "Fixing playbooks in playbooks..."
 find playbooks -name "*.yml" -print0 |
-    while IFS= read -d -r '' line; do
+    while IFS= read -d '' -r line; do
-        python utils/galaxyfy-playbook.py "$x" "ipa" "$collection_prefix"
+        python utils/galaxyfy-playbook.py "$line" "ipa" "$collection_prefix"
     done
+echo -e "\033[AFixing playbooks in playbooks... \033[32;1mDONE\033[0m"
 
+echo "Fixing README(s)..."
 find . -name "README*.md" -print0 |
-    while IFS= read -d -r '' line; do
+    while IFS= read -d '' -r line; do
-        python utils/galaxyfy-README.py "$x" "ipa" "$collection_prefix"
+        python utils/galaxyfy-README.py "$line" "ipa" "$collection_prefix"
     done
+echo -e "\033[AFixing examples in plugins/modules... \033[32;1mDONE\033[0m"
 
+echo "Fixing playbbooks in tests..."
 find tests -name "*.yml" -print0 |
-    while IFS= read -d -r '' line; do
+    while IFS= read -d '' -r line; do
-        python utils/galaxyfy-playbook.py "$x" "ipa" "$collection_prefix"
+        python utils/galaxyfy-playbook.py "$line" "ipa" "$collection_prefix"
     done
+echo -e "\033[AFixing playbooks in tests... \033[32;1mDONE\033[0m"
 
 #git diff