internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-31 07:43:06 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: internet:v1.10.0
Branches Tags
internet:master internet:run_collection_playbooks internet:validate_emaildomain internet:0.4 internet:automember_verify_condition_keys internet:ipaautomember_documantation_fix internet:fix_image_build internet:t-woerner-permission-typo1 internet:fix-role-readme-title-1 internet:fix-role-readme-title internet:t-woerner-group-readme-external internet:fix_logger_info_calls
internet:v1.16.0 internet:v1.15.1 internet:v1.15.0 internet:v1.14.7 internet:v1.14.6 internet:v1.14.5 internet:v1.14.4 internet:v1.14.3 internet:v1.14.2 internet:v1.14.1 internet:v1.14.0 internet:v1.13.2 internet:v1.13.1 internet:v1.13.0 internet:v1.12.1 internet:v1.12.0 internet:v1.11.1 internet:v1.11.0 internet:v1.10.0 internet:v1.9.2 internet:v1.9.1 internet:v1.9.0 internet:v1.8.4 internet:v1.8.3 internet:v1.8.2 internet:v1.8.1 internet:v1.8.0 internet:v1.7.0 internet:v1.6.3 internet:v1.6.2 internet:v1.6.1 internet:v1.6.0 internet:v1.5.3 internet:v1.5.2 internet:v1.5.1 internet:v1.5.0 internet:v0.4.2 internet:v0.4.1 internet:v0.4.0 internet:v0.3.8 internet:v0.3.7 internet:v0.3.6 internet:v0.3.5 internet:v0.3.4 internet:v0.3.3 internet:v0.3.2 internet:v0.3.1 internet:v0.3.0 internet:v0.2.1 internet:v0.2.0 internet:v0.1.12 internet:v0.1.11 internet:v0.1.10 internet:v0.1.9 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0
...
compare: internet:v1.11.1
Branches Tags
internet:master internet:run_collection_playbooks internet:validate_emaildomain internet:0.4 internet:automember_verify_condition_keys internet:ipaautomember_documantation_fix internet:fix_image_build internet:t-woerner-permission-typo1 internet:fix-role-readme-title-1 internet:fix-role-readme-title internet:t-woerner-group-readme-external internet:fix_logger_info_calls
internet:v1.16.0 internet:v1.15.1 internet:v1.15.0 internet:v1.14.7 internet:v1.14.6 internet:v1.14.5 internet:v1.14.4 internet:v1.14.3 internet:v1.14.2 internet:v1.14.1 internet:v1.14.0 internet:v1.13.2 internet:v1.13.1 internet:v1.13.0 internet:v1.12.1 internet:v1.12.0 internet:v1.11.1 internet:v1.11.0 internet:v1.10.0 internet:v1.9.2 internet:v1.9.1 internet:v1.9.0 internet:v1.8.4 internet:v1.8.3 internet:v1.8.2 internet:v1.8.1 internet:v1.8.0 internet:v1.7.0 internet:v1.6.3 internet:v1.6.2 internet:v1.6.1 internet:v1.6.0 internet:v1.5.3 internet:v1.5.2 internet:v1.5.1 internet:v1.5.0 internet:v0.4.2 internet:v0.4.1 internet:v0.4.0 internet:v0.3.8 internet:v0.3.7 internet:v0.3.6 internet:v0.3.5 internet:v0.3.4 internet:v0.3.3 internet:v0.3.2 internet:v0.3.1 internet:v0.3.0 internet:v0.2.1 internet:v0.2.0 internet:v0.1.12 internet:v0.1.11 internet:v0.1.10 internet:v0.1.9 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0

86 Commits
v1.10.0 ... v1.11.1

Author SHA1 Message Date
Thomas Woerner
cf779e43bb Merge pull request #1123 from rjeffman/ci_increase_test_verbosity 
ci: Increase verbosity for Ansible playbook runs
 2023-07-24 10:05:25 +02:00
Rafael Guterres Jeffman
1a48a0fb63 Merge pull request #1122 from t-woerner/fix_ipa_command_invalid_param_choices_for_IPA_4_6 
ansible_freeipa_module: Fix ipa_command_invalid_param_choices
 2023-07-21 16:15:40 -03:00
Rafael Guterres Jeffman
ed3a0d5a1b ci: Increase verbosity for Ansible playbook runs 
Some test failures requires more information than just the playbook
simple output. By increasing verbosity, the used parameters and the
failed line will be visible in the test error report, making it easier
to identify, reproduce and fix the issue.
 2023-07-21 12:06:47 -03:00
Thomas Woerner
d58b492f1d ansible_freeipa_module: Fix ipa_command_invalid_param_choices 
Fix ipa_command_invalid_param_choices for IPA 4.6 (RHEL-7)

- krbprincipalauthind in host_add does not have choices defined
- krbprincipalauthind in service_add does not have choices defined

api.Command[command].params[name].cli_metavar returns "STR" and
ast.literal_eval failes with a ValueError "malformed string".

There is no way to verify that the given values are valid or not in
this case. The check is done later on while applying the change
with host_add, host_mod, service_add and service_mod.
 2023-07-21 16:44:04 +02:00
Thomas Woerner
88d4a36e17 Merge pull request #1055 from rjeffman/ipauser_idp_attrs 
ipauser: Support for External IdP attributes.
 2023-07-20 14:00:48 +02:00
Rafael Guterres Jeffman
6fa8223662 ipauser: Support for External IdP attributes. 
Add support for 'idp' and 'idp_user_id' to ipauser plugin.

FreeIPA 4.10.0 is required for both attributes.
 2023-07-19 14:38:30 -03:00
Rafael Guterres Jeffman
c9e8656494 Merge pull request #1119 from t-woerner/update_authtypes_authind_readmes 
Update authtypes authind readmes
 2023-07-19 11:37:34 -03:00
Thomas Woerner
a791c6a0ca README-user.md: Add choices pkinit, hardened and idp to user_auth_type 
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
 2023-07-19 16:17:10 +02:00
Thomas Woerner
9cbccdade9 README-service.md: Add choice idp to auth_ind 
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.
 2023-07-19 16:07:50 +02:00
Thomas Woerner
42c07d6336 README-host.md: Add choice idp to auth_ind 
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.
 2023-07-19 16:07:27 +02:00
Thomas Woerner
a728a8d43e README-config.md: Add choices pkinit, hardened and idp to user_auth_type 
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
 2023-07-19 16:07:19 +02:00
Thomas Woerner
bd3266e9f1 Merge pull request #1117 from rjeffman/doc_update_ubuntu_support 
ipaserver: Update README with detailed Ubuntu support
 2023-07-19 14:10:45 +02:00
Rafael Guterres Jeffman
48063d2b3a Merge pull request #1118 from t-woerner/update_authtypes_authind 
Update authtypes authind
 2023-07-19 08:59:18 -03:00
Thomas Woerner
5d08214516 Merge pull request #1075 from rjeffman/automount_indirect_maps 
ipaautomountmap: add support for indirect maps
 2023-07-19 13:53:55 +02:00
Rafael Guterres Jeffman
ef0b7e80f0 ipaserver: Update README with detailed Ubuntu support 
Ubuntu does not have a FreeIPA server package since version 20.04. As
versions 16.04 (Xenial Xerus) and 18.04 (Bionic Beaver) will be
supported by Canonical until 2026 and 2028, repectively, we should keep
existing support for both versions in the ipaserver, ipareplica and
ipabackup roles until them.

This patch changes documentation to reflect that only those versions are
supported.
 2023-07-19 08:51:06 -03:00
Rafael Guterres Jeffman
a33fcf45f8 ipaautomountmap: add support for indirect maps 
Indirect maps were not supported by ansible-freeipa ipaautomountmap.
This patch adds support for adding indirect automount maps using the
"parent" and "mount" parameters, if the map do not yet exist. An
existing map cannot be modified.

The "parent" parameter must match an existing automount map, and the
"mount" parameter is required if "parent" is used.

A new example playbook can be found at:

    playbooks/automount/automount-map-indirect-map.yml

A new test playbook was added to test the feature:

    tests/automount/test_automountmap_indirect.yml
 2023-07-19 08:41:25 -03:00
Thomas Woerner
c4b273c896 ipauser: Add choices pkinit, hardened and idp to user_auth_type 
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.

An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
 2023-07-19 11:38:14 +02:00
Thomas Woerner
62d34d0a22 ipaservice: Add choice idp to auth_ind 
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.

An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
 2023-07-19 11:38:14 +02:00
Thomas Woerner
3ed0c229c4 ipahost: Add choice idp to auth_ind 
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.

An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
 2023-07-19 11:38:14 +02:00
Thomas Woerner
c089c010e6 ipaconfig: Add choices pkinit, hardened and idp to user_auth_type 
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.

An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
 2023-07-19 11:38:14 +02:00
Thomas Woerner
cfbdd83a64 ansible_freeipa_module: New ipa_command_invalid_param_choices method 
New IPAAnsibleModule.ipa_command_invalid_param_choices method to return
invalid parameter choices for an IPA command.

This is needed to verify for example if userauthtype and authind are
supporting the idp value.
 2023-07-19 11:38:06 +02:00
Thomas Woerner
fef1bdcf8e Merge pull request #1116 from rjeffman/fix_runtests_collections 
utils/run-tests.sh: Install Ansible collections on virtual environment
 2023-07-17 15:35:54 +02:00
Thomas Woerner
411d363d91 Merge pull request #1056 from rjeffman/ipauser_smb_params 
ipauser: Add support for SMB attributes.
 2023-07-17 15:24:22 +02:00
Rafael Guterres Jeffman
1555132d85 utils/run-tests.sh: Install Ansible collections on virtual environment 
When runing tests using 'utils/run-tests.sh' from inside an existing
Python virtual environment the Ansible collections are not installed due
to the order of execution of the script. On a machine that does not have
the 'containers.*' collection the test fails as there is no container
connector available.

This patch moves the section that installs Ansible collections to run
after the virtual environment is configured, and then install the
collections (usually, only 'containers.podman'), allowing the tests to
be executed.
 2023-07-15 14:55:44 -03:00
Rafael Guterres Jeffman
57ad57dda3 ipauser: Add support for SMB attributes. 
Since FreeIPA version 4.8.0 ipauser has support for smb-logon-script,
smb-profile-path, smb-home-dir, and smb-home-drive drive attributes.

On FreeIPA, these attributes are only available when modifying a user,
so if the user defined in the playbook does not exist, two calls to IPA
API are executed, a 'user_add' followed by a 'user_mod'.
(see https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md

A new example playbook can be found at:

     playbooks/user/smb-attributes.yml

A new test playbook can be found at:

     tests/user/test_user_smb_attrs.yml
 2023-07-14 10:53:30 -03:00
Thomas Woerner
dab64c7cf6 Merge pull request #1098 from rjeffman/doc_diferentiate_location_host_and_server 
doc: Differentiate location meaning between host and server
 2023-07-14 15:39:37 +02:00
Rafael Guterres Jeffman
b7145bc2cc doc: Differentiate location meaning between host and server 
Host location and server location have very different meanings in IPA.
ipahost uses 'location' as an optional hint to where the host may be
physically located, ipaserever uses location to identify which DNS
location the server is part of.

This change updates documentation to make attribute description more
clear. Surrounding text have been changed to match text style as used in
other plugins.

This patch is related to: https://github.com/freeipa/freeipa/pull/6840
 2023-07-14 10:25:51 -03:00
Thomas Woerner
c9f1da5d6b Merge pull request #1076 from rjeffman/fix_usercheck_dictcheck 
Fix handling of ipapwpolicy attributes usercheck and dictcheck
 2023-07-14 15:25:20 +02:00
Thomas Woerner
f4070f6a30 Merge pull request #1100 from rjeffman/ci_update_ansible_2_15 
upstream CI: Update ansible-core version
 2023-07-14 15:11:21 +02:00
Thomas Woerner
ad9a03ece6 Merge pull request #1114 from rjeffman/remove_virtualenv 
Remove dependency on 'virtualenv'
 2023-07-14 15:05:09 +02:00
Rafael Guterres Jeffman
1bfe6888a4 Remove dependency on 'virtualenv' 
'virtualenv' is an external dependency with the same purpose of Python's
'venv' module. This patch removes the external dependency in favor of
the readily available package.
 2023-07-13 15:07:08 -03:00
Thomas Woerner
51ddaa6491 Merge pull request #1044 from rjeffman/ipauser_street 
ipauser: Add support for parameter "street"
 2023-07-12 20:34:49 +02:00
Rafael Guterres Jeffman
f56861cc15 ipauser: Add support for parameter "street" 
ipauser plugin was missing user parameter "street".

Tests were updated to reflect the new parameter.
 2023-07-12 12:31:26 -03:00
Thomas Woerner
c4de680497 Merge pull request #1039 from rjeffman/ipauser_gecos 
ipauser: Add support to modify GECOS field.
 2023-07-12 17:08:53 +02:00
Rafael Guterres Jeffman
7b2701b985 ipapwpolicy: Updated module documentation. 
Most of ipapwpolicy parameters can be set to an empty string ("") so
that the policy is not applied to pwpolicy. This was not refelected on
the documentation.

This change adds 'or ""' to all the fields that can be disabled by
setting it to an empty string. Also, `data types were reviewed and fixed.
 2023-07-11 10:15:43 -03:00
Rafael Guterres Jeffman
694c717829 ipapwpolicy: Modify handling of usercheck and dictcheck 
Modified handling of boolean values by using Ansible's 'boolean()' check
function so that a string can be used and either a bool value is
accepted or an empty string.

As the error message was changed to use the same Ansible message, tests
were also updated.
 2023-07-11 10:15:43 -03:00
Rafael Guterres Jeffman
083396e133 module_utils: Export Ansible's 'boolean' parsing function. 
Export Ansible's 'boolean' parsing function so it can be used to verify
if a string can be handled as a truthy value, allowing module parameters
to use strings instead of bools, as strings can be cleared by using
empty strings.
 2023-07-11 08:33:35 -03:00
Rafael Guterres Jeffman
9a8a1db38f ipauser: Add support to modify GECOS field. 
This patch adds a new parameter to ipauser, 'gecos', which can be used
to set the 'gecos' field of an IPA user. The default behavior of
automatically set the GECOS field to "<first> <last>" is not modified,
it is only possible to change the field to a custom value.

No validation on the value provided is done, as it is with FreeIPA.
 2023-07-10 14:34:44 -03:00
Rafael Guterres Jeffman
8f9c344bc1 Merge pull request #1106 from renich/patch-1 
Singular to plural on random serial numbers setting
 2023-06-15 11:15:55 -03:00
Renich Bon Ciric
067b683b81 Singular to plural on random serial numbers setting 
The setting was in singular in the example while being documented in plural form.
 2023-06-14 16:53:22 -06:00
Rafael Guterres Jeffman
51f64e4393 upstream CI: Update ansible-core version 
ansible-core 2.15 has been released on May 15th, 2023, and version 2.12
has reached EOL on May 22nd, 2023.

This patch updates the ansible-core versions used on upstream CI tests
to reflect Ansible's new releases.
 2023-06-09 10:05:47 -03:00
Rafael Guterres Jeffman
45700bc02b Merge pull request #1082 from t-woerner/fix_pwpolicy_maxsequence_test 
pwpolicy test: Fix maxsequence test
 2023-06-07 12:35:00 -03:00
Thomas Woerner
d04a12e522 pwpolicy test: Fix maxsequence test 
The maxsequence test was testing maxrepeat. Therefore the typo reported
with https://github.com/freeipa/ansible-freeipa/pull/1081 was never
seen.

The test has been fixed.
 2023-06-07 17:17:20 +02:00
Thomas Woerner
4e9ec11b23 Merge pull request #1081 from cutrightjm/patch-1 
Fix typo in ipapwpolicy.py
 2023-06-07 17:17:01 +02:00
Thomas Woerner
2d93051101 Merge pull request #1078 from rjeffman/ipapwpolicy_simple_attribute_test 
ipapwpolicy: simplified and faster attribute verification
 2023-06-07 17:12:36 +02:00
Jacob Cutright
1a7b279d78 Fix typo in ipapwpolicy.py 
The 'maxsequence' attribute was never applied as there was a typo when
it was set. By fixing the field name, 'maxsequence' is correclty set.

The failure was not seen before due to missing tests. The tests will be
added in a separate PR.
 2023-06-07 12:04:49 -03:00
Thomas Woerner
be228d1df3 Merge pull request #1094 from rjeffman/ci_disable_pytests 
Upstream CI: Disable execution of pytest tests
 2023-06-07 17:00:59 +02:00
Thomas Woerner
ce95c638be Merge pull request #1099 from rjeffman/roles_disallow_fqdn_domain_match 
Don't allow the FQDN to match the domain on server installs
 2023-06-07 16:56:06 +02:00
Thomas Woerner
876f39a6c5 Merge pull request #687 from yrro/ipacert 
ipacert module
 2023-06-07 16:54:47 +02:00
Rafael Guterres Jeffman
950840e050 Merge pull request #1101 from t-woerner/multiple_service_management 
Multiple service management
 2023-06-07 11:53:14 -03:00
Sam Morris
87e1edf575 New certificate management module. 
There is a new certificate management module placed in the plugins
folder:

    plugins/modules/ipacert.py

The certificate module allows to request, revoke, release and retrieve
certificates for users, hosts and services.

Here is the documentation for the module:

    README-cert.md

New example playbooks have been added:

    playbooks/cert/cert-hold.yml
    playbooks/cert/cert-release.yml
    playbooks/cert/cert-request-host.yml
    playbooks/cert/cert-request-service.yml
    playbooks/cert/cert-request-user.yml
    playbooks/cert/cert-retrieve.yml
    playbooks/cert/cert-revoke.yml

New tests for the module can be found at:

    tests/cert/test_cert_client_context.yml
    tests/cert/test_cert_host.yml
    tests/cert/test_cert_service.yml
    tests/cert/test_cert_user.yml

The module has been co-authored by Sam Morris (@yrro) and Rafael
Guterres Jeffman (@rjeffman).
 2023-06-07 11:35:25 -03:00
Thomas Woerner
09250cb2c5 ipaservice: Updated and new tests for certificates and multi service handling 
The tests test_services_absent.yml, test_services_present.yml and
test_services_present_slice.yml have been updated to use in memory data
for testing instead of loading json files. This made is simpler to use
variables from the playbook for example for fqdn host names.

New tests for certificates with and without trailing new lines have been
added for single service and multiple service handling.
 2023-06-07 13:36:48 +02:00
Thomas Woerner
872c9e4cb2 ipaservice: Add Denis Karpelevich to the authors header 
Denis added the multi service handling code. Therefore he should be
listed in the file header.
 2023-06-07 13:36:48 +02:00
Thomas Woerner
efe9c68600 ipaservice: Properly Handle certs with leading or trailing white space 
Any leading or trailing whitespace is removed while adding the
certificates with serive_add_cert. To be able to compare the results
from service_show with the given certificates we have to remove the
white space also.
 2023-06-07 13:36:28 +02:00
Denis Karpelevich
0d9873b81c Allow multiple services creation 
Adding an option to create multiple services in one go.
Adding tests (present/absent/without_skip_host_check)

Copied from PR #1054

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
 2023-06-06 12:40:33 +02:00
Rafael Guterres Jeffman
5b91703bd7 Don't allow the FQDN to match the domain on server installs 
If server FQDN matches the domain name, the installation will succeed,
but DNS records will not work. If 'setup_dns: true' is used, there will
be no A record for the host, only a NS record, and the PTR record will
point to the domain name.

Based on: https://github.com/freeipa/freeipa/pull/6853
Related to: https://pagure.io/freeipa/issue/9003
 2023-06-05 12:56:47 -03:00
Rafael Guterres Jeffman
180afd7586 Merge pull request #1077 from rjeffman/update_gitignore 
Make Git ignore temporary and output files.
 2023-05-30 10:59:09 -03:00
Thomas Woerner
7f16914032 Merge pull request #1097 from rjeffman/fix_ansible_lint_var_naming 
upstream CI: Disable ansible-lint var-naming check
 2023-05-30 14:45:14 +02:00
Rafael Guterres Jeffman
306522acd8 upstream CI: Disable ansible-lint var-naming check 
Latest ansible-lint version (6.16.1) started to raise an error when
variable names from within roles are not prefixed with  the role name.
Error: var-naming[no-role-prefix].

As Ansible sanity check does not enforce this, it will be disabled, for
now on ansible-freeipa's upstream CI.

A future effort to reduce the checks that are not being evaluated should
be done as preparation for future Ansible Galaxy and Automation Hub
requirements.
 2023-05-16 16:08:51 -03:00
Rafael Guterres Jeffman
a155324188 Upstream CI: Disable execution of pytest tests. 
The tests under 'tests/pytests' were a POC to bring tests that evaluate
the result of playbook execution on the IPA environment. This is
currently only implemented for dnszone tests, and similar test coverage
is obtained with other tests.

As there is an ongoing issue with Ansible's docker pluging
("the connection plugin 'docker' was not found"), which is stil under
investigation, by removing the pytest tests we'll remove the consistent
failures currently seen on upstream CI, and will not loose test
coverage, specially if we take into account downstream tests.

Also, a new version for the pytests will be available once multihost
testing is implemented for upstream.
 2023-05-15 15:41:09 -03:00
Rafael Guterres Jeffman
8ec5b1fe21 Merge pull request #1092 from t-woerner/fix_requests_version_require_for_build_container 
tests/azure/templates/build_container.yml: Quote requests with version
 2023-05-08 11:41:38 -03:00
Thomas Woerner
316255d524 tests/azure/templates/build_container.yml: Quote requests with version 
The version requirement for requests need to be quoted not to lead into
a pip install command issue.

This is related to PR #1089 (Pin requests to < 2.29 temporarily)
 2023-05-08 16:28:20 +02:00
Rafael Guterres Jeffman
36b7a18e40 Merge pull request #1088 from t-woerner/fix_new_ansible_lint_disallowed_ignores 
Fix new ansible lint disallowes ignores
 2023-05-05 12:08:41 -03:00
Thomas Woerner
a32fcb3765 ansible_freeipa_module.py: Calm down ansible-test on print and sys.exit 
The function exit_raw_json is a replacement for AnsibleModule.exit_json
without flterting out values for no_log parameters.

Ansible added checks for pylint to forbid print and also sys.exit and
fails with ansible-bad-function. As the check is not known outside of
ansible-test, the disable line needed also W0012:

    # pylint: disable=W0012,ansible-bad-function
 2023-05-05 16:56:38 +02:00
Thomas Woerner
2d4cad6c1b ipaserver_test.py: Add missing default for random_serial_numbers 
random_serial_numbers was missing the default value in the DOCMENTATION
section.
 2023-05-05 16:56:38 +02:00
Thomas Woerner
a4b8e10a40 ansible-test: Do not use automatic field numbering specification 
Automatic field numbering specification is not allowed by ansible-test.
 2023-05-05 16:26:45 +02:00
Thomas Woerner
98681bd4d2 Use "#!/usr/bin/env python" for python shebang 
ansible is not allowing to use "#!/usr/bin/python".

Due to a change in ansible-lint it is not possible to ignore the "bad"
shebang.
 2023-05-05 16:26:45 +02:00
Thomas Woerner
2882e2426a Add -eu to all bash shebangs 
ansible requires to either use "#!/bin/bash -eu" or "#!/bin/bash -eux"
for bash shebangs.
 2023-05-05 16:26:45 +02:00
Thomas Woerner
f056775d95 Remove old or empty sanity ignore files 
The old ignore file ignore-2.12.txt is not needed and used anymore. The
new files ignore-2.13.txt and ignore-2.14.txt are empty after
ansible-lint made nearly all ignores disallowed.

All the newly disallowed ignores need to be fixed.

See https://github.com/ansible/ansible-lint/pull/3102
 2023-05-05 16:26:45 +02:00
Rafael Guterres Jeffman
ad5450cd6f Merge pull request #1089 from t-woerner/pin_requests_below_2_29 
Pin requests to < 2.29 temporarily
 2023-05-05 11:25:39 -03:00
Thomas Woerner
e75d82131d Pin requests to < 2.29 temporarily 
Due to https://github.com/docker/docker-py/issues/3113 requests need to
be pinned below 2.29 as a temporary solution.
 2023-05-05 15:06:38 +02:00
Rafael Guterres Jeffman
99e468ad60 Merge pull request #1083 from t-woerner/fix_azure_molecule_docker 
tests/azure: Install molecule-plguins to get docker driver
 2023-04-27 17:45:35 -03:00
Thomas Woerner
3cc111782c tests/azure: Install molecule-plguins to get docker driver 
The docker driver is not part of molecule 5.0.0 anymore.
molecule-plugins need to be installed to get the driver.
 2023-04-27 14:01:09 +02:00
Rafael Guterres Jeffman
b429b4495e Merge pull request #1035 from t-woerner/new_module_github_user_fix 
Fixes and enhancements for utils/new_module and templates
 2023-04-20 10:03:19 -03:00
Rafael Guterres Jeffman
0f99ef2199 Merge pull request #1080 from t-woerner/module_defaults 
Create action group in collection for use with module_defaults
 2023-04-20 10:03:10 -03:00
Thomas Woerner
1c8f1c28e1 utils/templates/test_module*.yml.in: Use generic module_defaults 
The usage of module_defaults allows to reduce the size of the tests and
to have the needed information in the tasks only. The default values for the
parameters are automatically passed to the module by Ansible.

It is not possible to use a module group for module_defaults as this could
only be done with Ansible Collections. The tests are also used upstream and
downstream without a collection.

Without groups of a collection it is needed to add the defaults for all
modules separately.

Simple example:

    module_defaults:
      ipahost:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"

Several module example using YAML anchors and aliases:

    module_defaults:
      ipahost: &ipa_module_defaults
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
      ipauser: *ipa_module_defaults
      ipagroup: *ipa_module_defaults
 2023-04-20 10:10:51 +02:00
Thomas Woerner
47d5211185 utils/templates/test_module*.yml.in: Better docs for become and gather_facts 
The documentation for "become" and "gather_facts" has been updated to
make sure that these parameters are enabled only in new tests if it is
really needed.
 2023-04-20 10:10:51 +02:00
Thomas Woerner
4a18ad03c8 utils/templates/{README*.md.in,test_module*.yml.in}: Use true and false 
The values "yes" and "no" will not be valid in the future for bool
parameters. Therefore "yes" and "no" have been replaced by "true" and
"false".
 2023-04-20 10:09:07 +02:00
Thomas Woerner
966797dbee utils/build-galaxy-release.sh: Create module action group 
The module action group <collection-prefix>.modules is created
automatically while building the galaxy release.

The action group can be used for module_defaults in this way:

    module_defauls:
      group/<collection-prefix>.modules:
        ipaadmin_password: SomeADMINpassword

Example:

    module_defaults:
      group/freeipa.ansible_freeipa.modules:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
    collections:
    - freeipa.ansible_freeipa
 2023-04-20 10:04:41 +02:00
Thomas Woerner
892c0dd6f0 utils/galaxyfy.py: Handle module_defaults, match roles and modules 
The section module_defaults was not handled by utils/galaxyfy.py, also
there was no verification that only roles and modules provided by
ansible-freeipa are matched for prepending the collection prefix.
 2023-04-20 10:04:26 +02:00
Rafael Guterres Jeffman
645a234d92 Make Git ignore temporary and output files. 
Ignore vim .swp files and files generated by creating ansible-freeipa
collection, when checking repository status.
 2023-04-18 10:21:24 -03:00
Thomas Woerner
5cbc8b7ada New utils/facts.py: Provide facts about the repo like role and module lists 
The list of modules and roles is needed in several scripts now,
therefore it makes sense to have one place for this.

Here are the current variables:

BASE_DIR:           Base directory of the repo
ROLES:              List of roles in the roles folder
MANAGEMENT_MODULES: List of management modules in the plugins/modules
                    folder
ROLES_MODULES:      List of modules in the roles/*/library folders
ALL_MODULES:        List of all modules, the management and the roles
                    modules

All lists are sorted.
 2023-04-18 13:36:42 +02:00
Thomas Woerner
5e5fbd87bf utils/templates/ipamodule.py.in: Add missing bracket 
The parameter argument spec of name was missing the closing bracket. The
bracket has been added.
 2023-04-14 17:23:37 +02:00
Rafael Guterres Jeffman
35ded3bf53 utils/new_module: Ensure correct number of parameters for new_module 
When testing the number parameters for new_module, the
`github_user` was not being taken into account.
 2023-04-14 17:23:37 +02:00
Thomas Woerner
209c6365ea utils/new_module: Fix github_user test 
new_module was always failing with "github_user is not valid". The wrong
variable was checked: $githubuser instead of $github_user.
 2023-04-14 17:23:37 +02:00
Rafael Guterres Jeffman
a69446021b ipapwpolicy: simplified and faster attribute verification 
Use a simpler and faster 'any()' test instead of creating two lists and
checking if resulting list is empty.
 2023-04-11 18:45:49 -03:00
108 changed files with 4410 additions and 564 deletions
Expand all files Collapse all files

1
.ansible-lint
View File

@@ -35,6 +35,7 @@ skip_list:
- yaml # yamllint should be executed separately.
- experimental # Do not run any experimental tests
- name[template] # Allow Jinja templating inside task names
- var-naming
use_default_rules: true

2
.github/workflows/ansible-test.yml vendored
View File

@@ -11,7 +11,5 @@ jobs:
- uses: actions/checkout@v3.1.0
with:
fetch-depth: 0
- name: Install virtualenv using pip
run: pip install virtualenv
- name: Run ansible-test
run: bash tests/sanity/sanity.sh

36
.github/workflows/docs.yml vendored
View File

@@ -5,23 +5,6 @@ on:
- pull_request
jobs:
check_docs_oldest_supported:
name: Check Ansible Documentation with ansible-core 2.12.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3.1.0
with:
fetch-depth: 0
- uses: actions/setup-python@v4.3.0
with:
python-version: '3.x'
- name: Install Ansible 2.12
run: |
python -m pip install "ansible-core >=2.12,<2.13"
- name: Run ansible-doc-test
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_previous:
name: Check Ansible Documentation with ansible-core 2.13.
runs-on: ubuntu-latest
steps:
@@ -38,7 +21,7 @@ jobs:
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_current:
check_docs_previous:
name: Check Ansible Documentation with ansible-core 2.14.
runs-on: ubuntu-latest
steps:
@@ -55,6 +38,23 @@ jobs:
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_current:
name: Check Ansible Documentation with ansible-core 2.15.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3.1.0
with:
fetch-depth: 0
- uses: actions/setup-python@v4.3.0
with:
python-version: '3.x'
- name: Install Ansible 2.15
run: |
python -m pip install "ansible-core >=2.15,<2.16"
- name: Run ansible-doc-test
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_ansible_latest:
name: Check Ansible Documentation with latest Ansible version.
runs-on: ubuntu-latest

2
.github/workflows/lint.yml vendored
View File

@@ -16,7 +16,7 @@ jobs:
python-version: "3.x"
- name: Run ansible-lint
run: |
pip install "ansible-core >=2.14,<2.15" ansible-lint
pip install "ansible-core >=2.15,<2.16" ansible-lint
utils/build-galaxy-release.sh -ki
cd .galaxy-build
ansible-lint

6
.gitignore vendored
View File

@@ -1,5 +1,11 @@
*.pyc
*.retry
*.swp
# collection files
freeipa-ansible_freeipa*.tar.gz
redhat-rhel_idm*.tar.gz
importer_result.json
# ignore virtual environments
/.tox/

25
README-automountmap.md
View File

@@ -54,6 +54,21 @@ Example playbook to ensure presence of an automount map:
desc: "this is a map for servers in the DMZ"
```
Automount maps can contain a submount key, which defines a mount location within the map the references another map. On FreeIPA, this is known as an indirect map. An indirect automount map is equivalent to adding a proper automount key to a map, referencyng another map (this second map is the indirect map). Use `parent` and `mount` parameters to create an indirect automount map with ansible-freeipa, without the need to directly manage the automount keys.
Example playbook to ensure an indirect automount map is present:
```yaml
---
- name: Playbook to add an indirect automount map
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
name: auto.indirect
location: DMZ
parent: auto.DMZ
mount: dmz_indirect
```
Example playbook to ensure auto.DMZi is absent:
```yaml
@@ -81,16 +96,14 @@ Variable | Description | Required
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `mapname` \| `map` \| `automountmapname` | Name of the map to manage | yes
`location` \| `automountlocation` \| `automountlocationcn` | Location name. | yes
`parentmap` | Parent map of the indirect map. Can only be used when creating new maps. Default: auto.master | no
`mount` | Indirect map mount point, relative to parent map. | yes, if `parent` is used.
`desc` \| `description` | Description of the map | yes
`state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no
Notes
=====
Creation of indirect mount points are not supported.
Authors
=======
Chris Procter
- Chris Procter
- Rafael Jeffman

175
README-cert.md Normal file
View File

@@ -0,0 +1,175 @@
Cert module
============
Description
-----------
The cert module makes it possible to request, revoke and retrieve SSL certificates for hosts, services and users.
Features
--------
* Certificate request
* Certificate hold/release
* Certificate revocation
* Certificate retrieval
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipacert module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
* Some tool to generate a certificate signing request (CSR) might be needed, like `openssl`.
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to request a new certificate for a service:
```yaml
---
- name: Certificate request
hosts: ipaserver
tasks:
- name: Request a certificate for a web server
ipacert:
ipaadmin_password: SomeADMINpassword
state: requested
csr: |
-----BEGIN CERTIFICATE REQUEST-----
MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
SYaXm/gF8cDYjQI=
-----END CERTIFICATE REQUEST-----
principal: HTTP/www.example.com
register: cert
```
Example playbook to revoke an existing certificate:
```yaml
---
- name: Revoke certificate
hosts: ipaserver
tasks:
- name Revoke a certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 123456789
state: revoked
```
Example to hold a certificate (alias for revoking a certificate with reason `certificateHold (6)`):
```yaml
---
- name: Hold a certificate
hosts: ipaserver
tasks:
- name: Hold certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 0xAB1234
state: held
```
Example playbook to release hold of certificate (may be used with any revoked certificates, despite of the rovoke reason):
```yaml
---
- name: Release hold
hosts: ipaserver
tasks:
- name: Take a revoked certificate off hold
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 0xAB1234
state: released
```
Example playbook to retrieve a certificate and save it to a file in the target node:
```yaml
---
- name: Retriev certificate
hosts: ipaserver
tasks:
- name: Retrieve a certificate and save it to file 'cert.pem'
ipacert:
ipaadmin_password: SomeADMINpassword
certificate_out: cert.pem
state: retrieved
```
ipacert
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`csr` | X509 certificate signing request, in PEM format. | yes, if `state: requested`
`principal` | Host/service/user principal for the certificate. | yes, if `state: requested`
`add` \| `add_principal` | Automatically add the principal if it doesn't exist (service principals only). (bool) | no
`profile_id` \| `profile` | Certificate Profile to use | no
`ca` | Name of the issuing certificate authority. | no
`chain` | Include certificate chain in output. (bool) | no
`serial_number` | Certificate serial number. (int) | yes, if `state` is `retrieved`, `held`, `released` or `revoked`.
`revocation_reason` \| `reason` | Reason for revoking the certificate. Use one of the reason strings, or the corresponding value: "unspecified" (0), "keyCompromise" (1), "cACompromise" (2), "affiliationChanged" (3), "superseded" (4), "cessationOfOperation" (5), "certificateHold" (6), "removeFromCRL" (8), "privilegeWithdrawn" (9), "aACompromise" (10) | yes, if `state: revoked`
`certificate_out` | Write certificate (chain if `chain` is set) to this file, on the target node. | no
`state` | The state to ensure. It can be one of `requested`, `held`, `released`, `revoked`, or `retrieved`. `held` is the same as revoke with reason "certificateHold" (6). `released` is the same as `cert-revoke-hold` on IPA CLI, releasing the hold status of a certificate. | yes
Return Values
=============
Values are returned only if `state` is `requested` or `retrieved` and if `certificate_out` is not defined.
Variable | Description | Returned When
-------- | ----------- | -------------
`certificate` | Certificate fields and data. (dict) <br>Options: | if `state` is `requested` or `retrieved` and if `certificate_out` is not defined
&nbsp; | `certificate` - Issued X509 certificate in PEM encoding. Will include certificate chain if `chain: true`. (list) | always
&nbsp; | `san_dnsname` - X509 Subject Alternative Name. | When DNSNames are present in the Subject Alternative Name extension of the issued certificate.
&nbsp; | `issuer` - X509 distinguished name of issuer. | always
&nbsp; | `subject` - X509 distinguished name of certificate subject. | always
&nbsp; | `serial_number` - Serial number of the issued certificate. (int) | always
&nbsp; | `revoked` - Revoked status of the certificate. (bool) | if certificate was revoked
&nbsp; | `owner_user` - The username that owns the certificate. | if `state: retrieved` and certificate is owned by a user
&nbsp; | `owner_host` - The host that owns the certificate. | if `state: retrieved` and certificate is owned by a host
&nbsp; | `owner_service` - The service that owns the certificate. | if `state: retrieved` and certificate is owned by a service
&nbsp; | `valid_not_before` - Time when issued certificate becomes valid, in GeneralizedTime format (YYYYMMDDHHMMSSZ) | always
&nbsp; | `valid_not_after` - Time when issued certificate ceases to be valid, in GeneralizedTime format (YYYYMMDDHHMMSSZ) | always
Authors
=======
Sam Morris
Rafael Jeffman

2
README-config.md
View File

@@ -145,7 +145,7 @@ Variable | Description | Required
`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
`selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no
`pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `disabled`, `""`). An additional check ensures that only types can be used that are supported by the IPA version. Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no

4
README-host.md
View File

@@ -335,7 +335,7 @@ Variable | Description | Required
-------- | ----------- | --------
`description` | The host description. | no
`locality` | Host locality (e.g. "Baltimore, MD"). | no
`location` \| `ns_host_location` | Host location (e.g. "Lab 2"). | no
`location` \| `ns_host_location` | Host physical location hint (e.g. "Lab 2"). | no
`platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no
`os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
@@ -354,7 +354,7 @@ Variable | Description | Required
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. An additional check ensures that only types can be used that are supported by the IPA version. Choices: ["radius", "otp", "pkinit", "hardened", "idp", ""] | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no

28
README-pwpolicy.md
View File

@@ -128,20 +128,20 @@ Variable | Description | Required
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
`history` \| `krbpwdhistorylength` | Password history size. (int) | no
`minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int) | no
`minlength` \| `krbpwdminlength` | Minimum length of password. (int) | no
`priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int) | no
`maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int) | no
`failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int) | no
`lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int) | no
`maxrepeat` \| `ipapwdmaxrepeat` | Maximum number of same consecutive characters. Requires IPA 4.9+ (int) | no
`maxsequence` \| `ipapwdmaxsequence` | The maximum length of monotonic character sequences (abcd). Requires IPA 4.9+ (int) | no
`dictcheck` \| `ipapwdictcheck` | Check if the password is a dictionary word. Requires IPA 4.9+ (int) | no
`usercheck` \| `ipapwdusercheck` | Check if the password contains the username. Requires IPA 4.9+ (int) | no
`gracelimit` \| `passwordgracelimit` | Number of LDAP authentications allowed after expiration. Requires IPA 4.9.10 (int) | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int or "") | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int or "") | no
`history` \| `krbpwdhistorylength` | Password history size. (int or "") | no
`minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int or "") | no
`minlength` \| `krbpwdminlength` | Minimum length of password. (int or "") | no
`priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int or "") | no
`maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int or "") | no
`failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int or "") | no
`lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int or "") | no
`maxrepeat` \| `ipapwdmaxrepeat` | Maximum number of same consecutive characters. Requires IPA 4.9+ (int or "") | no
`maxsequence` \| `ipapwdmaxsequence` | The maximum length of monotonic character sequences (abcd). Requires IPA 4.9+ (int or "") | no
`dictcheck` \| `ipapwdictcheck` | Check if the password is a dictionary word. Requires IPA 4.9+. (bool or "") | no
`usercheck` \| `ipapwdusercheck` | Check if the password contains the username. Requires IPA 4.9+. (bool or "") | no
`gracelimit` \| `passwordgracelimit` | Number of LDAP authentications allowed after expiration. Requires IPA 4.9.10 (int or "") | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes

16
README-server.md
View File

@@ -249,14 +249,14 @@ Variable | Description | Required
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of server name strings. | yes
`location` \| `ipalocation_location` | The server location string. Only in state: present. "" for location reset. | no
`service_weight` \| `ipaserviceweight` | Weight for server services. Type Values 0 to 65535, -1 for weight reset. Only in state: present. (int) | no
`hidden` | Set hidden state of a server. Only in state: present. (bool) | no
`no_members` | Suppress processing of membership attributes. Only in state: present. (bool) | no
`delete_continue` \| `continue` | Continuous mode: Don't stop on errors. Only in state: absent. (bool) | no
`ignore_last_of_role` | Skip a check whether the last CA master or DNS server is removed. Only in state: absent. (bool) | no
`ignore_topology_disconnect` | Ignore topology connectivity problems after removal. Only in state: absent. (bool) | no
`force` | Force server removal even if it does not exist. Will always result in changed. Only in state: absent. (bool) | no
`location` \| `ipalocation_location` | The server DNS location. Only available with 'state: present'. Use "" for location reset. | no
`service_weight` \| `ipaserviceweight` | Weight for server services. Type Values 0 to 65535, -1 for weight reset. Only available with 'state: present'. (int) | no
`hidden` | Set hidden state of a server. Only available with 'state: present'. (bool) | no
`no_members` | Suppress processing of membership attributes. Only avialable with 'state: present'. (bool) | no
`delete_continue` \| `continue` | Continuous mode: Don't stop on errors. Only available with 'state: absent'. (bool) | no
`ignore_last_of_role` | Skip a check whether the last CA master or DNS server is removed. Only available with 'state: absent'. (bool) | no
`ignore_topology_disconnect` | Ignore topology connectivity problems after removal. Only available with 'state: absent'. (bool) | no
`force` | Force server removal even if it does not exist. Will always result in changed. Only available with 'state: absent'. (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. `present` is only working with existing servers. | no

2
README-service.md
View File

@@ -294,7 +294,7 @@ Variable | Description | Required
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit` or `hardened`. Use empty string to reset auth_ind to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no

39
README-user.md
View File

@@ -58,6 +58,7 @@ Example playbook to ensure a user is present:
last: Acme
uid: 10001
gid: 100
gecos: "The Pinky"
phone: "+555123457"
email: pinky@acme.com
passwordexpiration: "2023-01-19 23:59:59"
@@ -352,6 +353,33 @@ Example playbook to ensure users are absent:
state: absent
```
When using FreeIPA 4.8.0+, SMB logon script, profile, home directory and home drive can be set for users.
In the example playbook to set SMB attributes note that `smb_profile_path` and `smb_home_dir` use paths in UNC format, which includes backslashes ('\\`). If the paths are quoted, the backslash needs to be escaped becoming "\\", so the path `\\server\dir` becomes `"\\\\server\\dir"`. If the paths are unquoted the slashes do not have to be escaped.
The YAML specification states that a colon (':') is a key separator and a dash ('-') is an item marker, only with a space after them, so using both unquoted as part of a path should not be a problem. If a space is needed after a colon or a dash, then a quoted string must be used as in `"user - home"`. For the `smb_home_drive` attribute is is recomended that a quoted string is used, to improve readability.
Example playbook to set SMB attributes:
```yaml
---
- name: Plabook to handle users
hosts: ipaserver
become: false
tasks:
- name: Ensure user 'smbuser' is present with smb attributes
ipauser:
ipaadmin_password: SomeADMINpassword
name: smbuser
first: SMB
last: User
smb_logon_script: N:\logonscripts\startup
smb_profile_path: \\server\profiles\some_profile
smb_home_dir: \\users\home\smbuser
smb_home_drive: "U:"
```
Variables
=========
@@ -395,6 +423,8 @@ Variable | Description | Required
`random` | Generate a random user password | no
`uid` \| `uidnumber` | User ID Number (system will assign one if not provided). | no
`gid` \| `gidnumber` | Group ID Number. | no
`gecos` | GECOS | no
`street` | Street address | no
`city` | City | no
`userstate` \| `st` | State/Province | no
`postalcode` \| `zip` | Postalcode/ZIP | no
@@ -407,7 +437,7 @@ Variable | Description | Required
`manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
`userauthtype` \| `ipauserauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp` and `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no
@@ -415,6 +445,8 @@ Variable | Description | Required
`employeenumber` | Employee Number | no
`employeetype` | Employee Type | no
`preferredlanguage` | Preferred Language | no
`idp` \| `ipaidpconfiglink` | External IdP configuration | no
`idp_user_id` \| `ipaidpsub` | A string that identifies the user at external IdP | no
`certificate` | List of base-64 encoded user certificates. | no
`certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
&nbsp; | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
@@ -422,6 +454,10 @@ Variable | Description | Required
&nbsp; | `subject` - Subject of the certificate, only usable together with `issuer` option. | no
&nbsp; | `data` - Certmap data, not usable with other certmapdata options. | no
`noprivate` | Do not create user private group. (bool) | no
`smb_logon_script` \| `ipantlogonscript` | SMB logon script path. Requires FreeIPA version 4.8.0+. | no
`smb_profile_path:` \| `ipantprofilepath` | SMB profile path, in UNC format. Requires FreeIPA version 4.8.0+. | no
`smb_home_dir` \| `ipanthomedirectory` | SMB Home Directory, in UNC format. Requires FreeIPA version 4.8.0+. | no
`smb_home_drive` \| `ipanthomedirectorydrive` | SMB Home Directory Drive, a single upercase letter (A-Z) followed by a colon (:), for example "U:". Requires FreeIPA version 4.8.0+. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
@@ -442,3 +478,4 @@ Authors
=======
Thomas Woerner
Rafael Jeffman

2
README.md
View File

@@ -17,6 +17,7 @@ Features
* Modules for automount key management
* Modules for automount location management
* Modules for automount map management
* Modules for certificate management
* Modules for config management
* Modules for delegation management
* Modules for dns config management
@@ -436,6 +437,7 @@ Modules in plugin/modules
* [ipaautomountkey](README-automountkey.md)
* [ipaautomountlocation](README-automountlocation.md)
* [ipaautomountmap](README-automountmap.md)
* [ipacert](README-cert.md)
* [ipaconfig](README-config.md)
* [ipadelegation](README-delegation.md)
* [ipadnsconfig](README-dnsconfig.md)

14
playbooks/automount/automount-map-indirect-map.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Managed automount maps
hosts: ipaserver
become: false
gather_facts: false
tasks:
- name: Playbook to add an indirect automount map
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
name: auto.indirect
location: DMZ
parent: auto.DMZ
mount: dmz_indirect

14
playbooks/cert/cert-hold.yml Normal file
View File

@@ -0,0 +1,14 @@
- name: Certificate manage example
hosts: ipaserver
become: false
gather_facts: false
module_defaults:
ipacert:
ipaadmin_password: SomeADMINpassword
ipaapi_context: client
tasks:
- name: Temporarily hold a certificate
ipacert:
serial_number: 12345
state: held

15
playbooks/cert/cert-release.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- name: Certificate manage example
hosts: ipaserver
become: false
gather_facts: false
module_defaults:
ipacert:
ipaadmin_password: SomeADMINpassword
ipaapi_context: client
tasks:
- name: Release a certificate hold
ipacert:
serial_number: 12345
state: released

26
playbooks/cert/cert-request-host.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: Certificate manage example
hosts: ipaserver
become: false
gather_facts: false
module_defaults:
ipacert:
ipaadmin_password: SomeADMINpassword
ipaapi_context: client
tasks:
- name: Request a certificate for a host
ipacert:
csr: |
-----BEGIN CERTIFICATE REQUEST-----
MIIBWjCBxAIBADAbMRkwFwYDVQQDDBBob3N0LmV4YW1wbGUuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCzR3Vd4Cwl0uVgwB3+wxz+4JldFk3x526bPeuK
g8EEc+rEHILzJWeXC8ywCYPOgK9n7hrdMfVQiIx3yHYrY+0IYuLehWow4o1iJEf5
urPNAP9K9C4Y7MMXzzoQmoWR3IFQQpOYwvWOtiZfvrhmtflnYEGLE2tgz53gOQHD
NnbCCwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEAgF+6YC39WhnvmFgNz7pjAh5E
2ea3CgG+zrzAyiSBGG6WpXEjqMRnAQxciQNGxQacxjwWrscZidZzqg8URJPugewq
tslYB1+RkZn+9UWtfnWvz89+xnOgco7JlytnbH10Nfxt5fXXx13rY0tl54jBtk2W
422eYZ12wb4gjNcQy3A=
-----END CERTIFICATE REQUEST-----
principal: host/host.example.com
state: requested

23
playbooks/cert/cert-request-service.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Certificate manage example
hosts: ipaserver
become: false
gather_facts: false
module_defaults:
ipacert:
ipaadmin_password: SomeADMINpassword
ipaapi_context: client
tasks:
- name: Request a certificate for a service
ipacert:
csr: |
-----BEGIN CERTIFICATE REQUEST-----
MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
SYaXm/gF8cDYjQI=
-----END CERTIFICATE REQUEST-----
principal: HTTP/www.example.com
add: true
state: requested

27
playbooks/cert/cert-request-user.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Certificate manage example
hosts: ipaserver
become: false
gather_facts: false
module_defaults:
ipacert:
ipaadmin_password: SomeADMINpassword
ipaapi_context: client
tasks:
- name: Request a certificate for a user with a specific profile
ipacert:
csr: |
-----BEGIN CERTIFICATE REQUEST-----
MIIBejCB5AIBADAQMQ4wDAYDVQQDDAVwaW5reTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA7uChccy1Is1FTM0SF23WPYW472E3ozeLh2kzhKR9Ni6FLmeEGgu7
/hicR1VwvXHYkNwI1tpW9LqxRVvgr6vheqHySljrBcoRfshfYvKejp03l2327Bfq
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
-----END CERTIFICATE REQUEST-----
principal: pinky
profile: IECUserRoles
state: requested

16
playbooks/cert/cert-retrieve.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Certificate manage example
hosts: ipaserver
become: false
gather_facts: false
module_defaults:
ipacert:
ipaadmin_password: SomeADMINpassword
ipaapi_context: client
tasks:
- name: Retrieve a certificate
ipacert:
serial_number: 12345
state: retrieved
register: cert_retrieved

18
playbooks/cert/cert-revoke.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- name: Certificate manage example
hosts: ipaserver
become: false
gather_facts: false
module_defaults:
ipacert:
ipaadmin_password: SomeADMINpassword
ipaapi_context: client
tasks:
- name: Permanently revoke a certificate issued by a lightweight sub-CA
ipacert:
serial_number: 12345
ca: vpn-ca
# reason: keyCompromise (1)
reason: 1
state: revoked

12
playbooks/user/add-user-external-idp.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
- name: Create user associated with an external IdP
ipauser:
ipaadmin_password: SomeADMINpassword
name: idpuser
idp: keycloak
idp_user_id: idpuser@exemple.com

17
playbooks/user/smb-attributes.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: Plabook to handle users
hosts: ipaserver
become: false
gather_facts: false
tasks:
- name: Ensure user 'smbuser' is present with smb attributes
ipauser:
ipaadmin_password: SomeADMINpassword
name: smbuser
first: SMB
last: User
smb_logon_script: N:\logonscripts\startup
smb_profile_path: \\server\profiles\some_profile
smb_home_dir: \\users\home\smbuser
smb_home_drive: "U:"

49
plugins/module_utils/ansible_freeipa_module.py
View File

@@ -29,7 +29,8 @@ __all__ = ["gssapi", "netaddr", "api", "ipalib_errors", "Env",
"DEFAULT_CONFIG", "LDAP_GENERALIZED_TIME_FORMAT",
"kinit_password", "kinit_keytab", "run", "DN", "VERSION",
"paths", "tasks", "get_credentials_if_valid", "Encoding",
"load_pem_x509_certificate", "DNSName", "getargspec"]
"DNSName", "getargspec", "certificate_loader",
"write_certificate_list", "boolean"]
import os
# ansible-freeipa requires locale to be C, IPA requires utf-8.
@@ -41,6 +42,7 @@ import tempfile
import shutil
import socket
import base64
import ast
from datetime import datetime
from contextlib import contextmanager
from ansible.module_utils.basic import AnsibleModule
@@ -48,6 +50,7 @@ from ansible.module_utils._text import to_text
from ansible.module_utils.common.text.converters import jsonify
from ansible.module_utils import six
from ansible.module_utils.common._collections_compat import Mapping
from ansible.module_utils.parsing.convert_bool import boolean
# Import getargspec from inspect or provide own getargspec for
# Python 2 compatibility with Python 3.11+.
@@ -106,6 +109,7 @@ try:
except ImportError:
from ipalib.x509 import load_certificate
certificate_loader = load_certificate
from ipalib.x509 import write_certificate_list
# Try to import is_ipa_configured or use a fallback implementation.
try:
@@ -747,8 +751,8 @@ def exit_raw_json(module, **kwargs):
contains sensible data, it will be appear in the logs.
"""
module.do_cleanup_files()
print(jsonify(kwargs))
sys.exit(0)
print(jsonify(kwargs)) # pylint: disable=W0012,ansible-bad-function
sys.exit(0) # pylint: disable=W0012,ansible-bad-function
def __get_domain_validator():
@@ -1166,6 +1170,45 @@ class IPAAnsibleModule(AnsibleModule):
"""
return api_check_param(command, name)
def ipa_command_invalid_param_choices(self, command, name, value):
"""
Return invalid parameter choices for IPA command.
Parameters
----------
command: string
The IPA API command to test.
name: string
The parameter name to check.
value: string
The parameter value to verify.
"""
if command not in api.Command:
self.fail_json(msg="The command '%s' does not exist." % command)
if name not in api.Command[command].params:
self.fail_json(msg="The command '%s' does not have a parameter "
"named '%s'." % (command, name))
if not hasattr(api.Command[command].params[name], "cli_metavar"):
self.fail_json(msg="The parameter '%s' of the command '%s' does "
"not have choices." % (name, command))
# For IPA 4.6 (RHEL-7):
# - krbprincipalauthind in host_add does not have choices defined
# - krbprincipalauthind in service_add does not have choices defined
#
# api.Command[command].params[name].cli_metavar returns "STR" and
# ast.literal_eval failes with a ValueError "malformed string".
#
# There is no way to verify that the given values are valid or not in
# this case. The check is done later on while applying the change
# with host_add, host_mod, service_add and service_mod.
try:
_choices = ast.literal_eval(
api.Command[command].params[name].cli_metavar)
except ValueError:
return None
return (set(value or []) - set([""])) - set(_choices)
@staticmethod
def ipa_check_version(oper, requested_version):
"""

155
plugins/modules/ipaautomountmap.py
View File

@@ -37,6 +37,7 @@ module: ipaautomountmap
author:
- Chris Procter (@chr15p)
- Thomas Woerner (@t-woerner)
- Rafael Jeffman (@rjeffman)
short_description: Manage FreeIPA autommount map
description:
- Add, delete, and modify an IPA automount map
@@ -59,6 +60,16 @@ options:
type: str
aliases: ["description"]
required: false
parentmap:
description: |
Parent map of the indirect map. Can only be used when creating
new maps.
type: str
required: false
mount:
description: Indirect map mount point, relative to parent map.
type: str
required: false
state:
description: State to ensure
type: str
@@ -75,6 +86,14 @@ EXAMPLES = '''
location: DMZ
desc: "this is a map for servers in the DMZ"
- name: ensure indirect map exists
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
name: auto.INDIRECT
location: DMZ
parentmap: auto.DMZ
mount: indirect
- name: remove a map named auto.DMZ in location DMZ if it exists
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
@@ -110,6 +129,35 @@ class AutomountMap(IPAAnsibleModule):
else:
return response["result"]
def get_indirect_map_keys(self, location, name):
"""Check if 'name' is an indirect map for 'parentmap'."""
try:
maps = self.ipa_command("automountmap_find", location, {})
except Exception: # pylint: disable=broad-except
return []
result = []
for check_map in maps.get("result", []):
_mapname = check_map['automountmapname'][0]
keys = self.ipa_command(
"automountkey_find",
location,
{
"automountmapautomountmapname": _mapname,
"all": True
}
)
cmp_value = (
name if _mapname == "auto.master" else "ldap:{0}".format(name)
)
result.extend([
(location, _mapname, key.get("automountkey")[0])
for key in keys.get("result", [])
for mount_info in key.get("automountinformation", [])
if cmp_value in mount_info
])
return result
def check_ipa_params(self):
invalid = []
name = self.params_get("name")
@@ -118,15 +166,27 @@ class AutomountMap(IPAAnsibleModule):
if len(name) != 1:
self.fail_json(msg="Exactly one name must be provided for"
" 'state: present'.")
mount = self.params_get("mount") or False
parentmap = self.params_get("parentmap")
if parentmap:
if not mount:
self.fail_json(
msg="Must provide 'mount' parameter for indirect map."
)
elif parentmap != "auto.master" and mount[0] == "/":
self.fail_json(
msg="mount point is relative to parent map, "
"cannot begin with '/'"
)
if state == "absent":
if len(name) == 0:
self.fail_json(msg="At least one 'name' must be provided for"
" 'state: absent'")
invalid = ["desc"]
invalid = ["desc", "parentmap", "mount"]
self.params_fail_used_invalid(invalid, state)
def get_args(self, mapname, desc):
def get_args(self, mapname, desc, parentmap, mount):
# automountmapname is required for all automountmap operations.
if not mapname:
self.fail_json(msg="automountmapname cannot be None or empty.")
@@ -134,6 +194,11 @@ class AutomountMap(IPAAnsibleModule):
# An empty string is valid and will clear the attribute.
if desc is not None:
_args["description"] = desc
# indirect map attributes
if parentmap is not None:
_args["parentmap"] = parentmap
if mount is not None:
_args["key"] = mount
return _args
def define_ipa_commands(self):
@@ -141,28 +206,102 @@ class AutomountMap(IPAAnsibleModule):
state = self.params_get("state")
location = self.params_get("location")
desc = self.params_get("desc")
mount = self.params_get("mount")
parentmap = self.params_get("parentmap")
for mapname in name:
automountmap = self.get_automountmap(location, mapname)
is_indirect_map = any([parentmap, mount])
if state == "present":
args = self.get_args(mapname, desc)
args = self.get_args(mapname, desc, parentmap, mount)
if automountmap is None:
self.commands.append([location, "automountmap_add", args])
if is_indirect_map:
if (
parentmap and
self.get_automountmap(location, parentmap) is None
):
self.fail_json(msg="Parent map does not exist.")
self.commands.append(
[location, "automountmap_add_indirect", args]
)
else:
self.commands.append(
[location, "automountmap_add", args]
)
else:
if not compare_args_ipa(self, args, automountmap):
has_changes = not compare_args_ipa(
self, args, automountmap, ['parentmap', 'key']
)
if is_indirect_map:
map_config = (
location, parentmap or "auto.master", mount
)
indirects = self.get_indirect_map_keys(
location, mapname
)
if map_config not in indirects or has_changes:
self.fail_json(
msg="Indirect maps can only be created, "
"not modified."
)
elif has_changes:
self.commands.append(
[location, "automountmap_mod", args]
)
if state == "absent":
elif state == "absent":
def find_keys(parent_loc, parent_map, parent_key):
return self.ipa_command(
"automountkey_show",
parent_loc,
{
"automountmapautomountmapname": parent_map,
"automountkey": parent_key,
}
).get("result")
if automountmap is not None:
indirects = self.get_indirect_map_keys(location, mapname)
# Remove indirect map configurations for this map
self.commands.extend([
(
ploc,
"automountkey_del",
{
"automountmapautomountmapname": pmap,
"automountkey": pkey,
}
)
for ploc, pmap, pkey in indirects
if find_keys(ploc, pmap, pkey)
])
# Remove map
self.commands.append([
location,
"automountmap_del",
{"automountmapname": [mapname]}
])
# ensure commands are unique and automountkey commands are
# executed first in the list
def hashable_dict(dictionaire):
return tuple(
(k, tuple(v) if isinstance(v, (list, tuple)) else v)
for k, v in dictionaire.items()
)
cmds = [
(name, cmd, hashable_dict(args))
for name, cmd, args in self.commands
]
self.commands = [
(name, cmd, dict(args))
for name, cmd, args in
sorted(set(cmds), key=lambda cmd: cmd[1])
]
def main():
ipa_module = AutomountMap(
@@ -184,6 +323,10 @@ def main():
required=False,
default=None
),
parentmap=dict(
type="str", required=False, default=None
),
mount=dict(type="str", required=False, default=None),
),
)
changed = False

571
plugins/modules/ipacert.py Normal file
View File

@@ -0,0 +1,571 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Sam Morris <sam@robots.org.uk>
# Rafael Guterres Jeffman <rjeffman@redhat.com>
#
# Copyright (C) 2021 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
ANSIBLE_METADATA = {
"metadata_version": "1.0",
"supported_by": "community",
"status": ["preview"],
}
DOCUMENTATION = """
---
module: ipacert
short description: Manage FreeIPA certificates
description: Manage FreeIPA certificates
extends_documentation_fragment:
- ipamodule_base_docs
options:
csr:
description: |
X509 certificate signing request, in RFC 7468 PEM encoding.
Only available if `state: requested`, required if `csr_file` is not
provided.
type: str
csr_file:
description: |
Path to file with X509 certificate signing request, in RFC 7468 PEM
encoding. Only available if `state: requested`, required if `csr_file`
is not provided.
type: str
principal:
description: |
Host/service/user principal for the certificate.
Required if `state: requested`. Only available if `state: requested`.
type: str
add:
description: |
Automatically add the principal if it doesn't exist (service
principals only). Only available if `state: requested`.
type: bool
aliases: ["add_principal"]
required: false
ca:
description: Name of the issuing certificate authority.
type: str
required: false
serial_number:
description: |
Certificate serial number. Cannot be used with `state: requested`.
Required for all states, except `requested`.
type: int
profile:
description: Certificate Profile to use.
type: str
aliases: ["profile_id"]
required: false
revocation_reason:
description: |
Reason for revoking the certificate. Use one of the reason strings,
or the corresponding value: "unspecified" (0), "keyCompromise" (1),
"cACompromise" (2), "affiliationChanged" (3), "superseded" (4),
"cessationOfOperation" (5), "certificateHold" (6), "removeFromCRL" (8),
"privilegeWithdrawn" (9), "aACompromise" (10).
Use only if `state: revoked`. Required if `state: revoked`.
type: raw
aliases: ['reason']
certificate_out:
description: |
Write certificate (chain if `chain` is set) to this file, on the target
node.. Use only when `state` is `requested` or `retrieved`.
type: str
required: false
state:
description: |
The state to ensure. `held` is the same as revoke with reason
"certificateHold" (6). `released` is the same as `cert-revoke-hold`
on IPA CLI, releasing the hold status of a certificate.
choices: ["requested", "held", "released", "revoked", "retrieved"]
required: true
type: str
author:
authors:
- Sam Morris (@yrro)
- Rafael Guterres Jeffman (@rjeffman)
"""
EXAMPLES = """
- name: Request a certificate for a web server
ipacert:
ipaadmin_password: SomeADMINpassword
state: requested
csr: |
-----BEGIN CERTIFICATE REQUEST-----
MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
SYaXm/gF8cDYjQI=
-----END CERTIFICATE REQUEST-----
principal: HTTP/www.example.com
register: cert
- name: Request certificate for a user, with an appropriate profile.
ipacert:
ipaadmin_password: SomeADMINpassword
csr: |
-----BEGIN CERTIFICATE REQUEST-----
MIIBejCB5AIBADAQMQ4wDAYDVQQDDAVwaW5reTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA7uChccy1Is1FTM0SF23WPYW472E3ozeLh2kzhKR9Ni6FLmeEGgu7
/hicR1VwvXHYkNwI1tpW9LqxRVvgr6vheqHySljrBcoRfshfYvKejp03l2327Bfq
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
-----END CERTIFICATE REQUEST-----
principal: pinky
profile_id: IECUserRoles
state: requested
- name: Temporarily hold a certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 12345
state: held
- name: Remove a certificate hold
ipacert:
ipaadmin_password: SomeADMINpassword
state: released
serial_number: 12345
- name: Permanently revoke a certificate issued by a lightweight sub-CA
ipacert:
ipaadmin_password: SomeADMINpassword
state: revoked
ca: vpn-ca
serial_number: 0x98765
reason: keyCompromise
- name: Retrieve a certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 12345
state: retrieved
register: cert_retrieved
"""
RETURN = """
certificate:
description: Certificate fields and data.
returned: |
if `state` is `requested` or `retrived` and `certificate_out`
is not defined.
type: dict
contains:
certificate:
description: |
Issued X509 certificate in PEM encoding. Will include certificate
chain if `chain: true` is used.
type: list
elements: str
returned: always
issuer:
description: X509 distinguished name of issuer.
type: str
sample: CN=Certificate Authority,O=EXAMPLE.COM
returned: always
serial_number:
description: Serial number of the issued certificate.
type: int
sample: 902156300
returned: always
valid_not_after:
description: |
Time when issued certificate ceases to be valid,
in GeneralizedTime format (YYYYMMDDHHMMSSZ).
type: str
returned: always
valid_not_before:
description: |
Time when issued certificate becomes valid, in
GeneralizedTime format (YYYYMMDDHHMMSSZ).
type: str
returned: always
subject:
description: X509 distinguished name of certificate subject.
type: str
sample: CN=www.example.com,O=EXAMPLE.COM
returned: always
san_dnsname:
description: X509 Subject Alternative Name.
type: list
elements: str
sample: ['www.example.com', 'other.example.com']
returned: |
when DNSNames are present in the Subject Alternative Name
extension of the issued certificate.
revoked:
description: Revoked status of the certificate.
type: bool
returned: always
owner_user:
description: The username that owns the certificate.
type: str
returned: when `state` is `retrieved`
owner_host:
description: The host that owns the certificate.
type: str
returned: when `state` is `retrieved`
owner_service:
description: The service that owns the certificate.
type: str
returned: when `state` is `retrieved`
"""
import base64
import time
import ssl
from ansible.module_utils import six
from ansible.module_utils._text import to_text
from ansible.module_utils.ansible_freeipa_module import (
IPAAnsibleModule, certificate_loader, write_certificate_list,
)
if six.PY3:
unicode = str
# Reasons are defined in RFC 5280 sec. 5.3.1; removeFromCRL is not present in
# this list; run the module with state=released instead.
REVOCATION_REASONS = {
'unspecified': 0,
'keyCompromise': 1,
'cACompromise': 2,
'affiliationChanged': 3,
'superseded': 4,
'cessationOfOperation': 5,
'certificateHold': 6,
'removeFromCRL': 8,
'privilegeWithdrawn': 9,
'aACompromise': 10,
}
def gen_args(
module, principal=None, add_principal=None, ca=None, chain=None,
profile=None, certificate_out=None, reason=None
):
args = {}
if principal is not None:
args['principal'] = principal
if add_principal is not None:
args['add'] = add_principal
if ca is not None:
args['cacn'] = ca
if profile is not None:
args['profile_id'] = profile
if certificate_out is not None:
args['out'] = certificate_out
if chain:
args['chain'] = True
if ca:
args['cacn'] = ca
if reason is not None:
args['revocation_reason'] = get_revocation_reason(module, reason)
return args
def get_revocation_reason(module, reason):
"""Ensure revocation reasion is a valid integer code."""
reason_int = -1
try:
reason_int = int(reason)
except ValueError:
reason_int = REVOCATION_REASONS.get(reason, -1)
if reason_int not in REVOCATION_REASONS.values():
module.fail_json(msg="Invalid revocation reason: %s" % reason)
return reason_int
def parse_cert_timestamp(dt):
"""Ensure time is in GeneralizedTime format (YYYYMMDDHHMMSSZ)."""
return time.strftime(
"%Y%m%d%H%M%SZ",
time.strptime(dt, "%a %b %d %H:%M:%S %Y UTC")
)
def result_handler(_module, result, _command, _name, _args, exit_args, chain):
"""Split certificate into fields."""
if chain:
exit_args['certificate'] = [
ssl.DER_cert_to_PEM_cert(c)
for c in result['result'].get('certificate_chain', [])
]
else:
exit_args['certificate'] = [
ssl.DER_cert_to_PEM_cert(
base64.b64decode(result['result']['certificate'])
)
]
exit_args['san_dnsname'] = [
str(dnsname)
for dnsname in result['result'].get('san_dnsname', [])
]
exit_args.update({
key: result['result'][key]
for key in [
'issuer', 'subject', 'serial_number',
'revoked', 'revocation_reason'
]
if key in result['result']
})
exit_args.update({
key: result['result'][key][0]
for key in ['owner_user', 'owner_host', 'owner_service']
if key in result['result']
})
exit_args.update({
key: parse_cert_timestamp(result['result'][key])
for key in ['valid_not_after', 'valid_not_before']
if key in result['result']
})
def do_cert_request(
module, csr, principal, add_principal=None, ca=None, profile=None,
chain=None, certificate_out=None
):
"""Request a certificate."""
args = gen_args(
module, principal=principal, ca=ca, chain=chain,
add_principal=add_principal, profile=profile,
)
exit_args = {}
commands = [[to_text(csr), "cert_request", args]]
changed = module.execute_ipa_commands(
commands,
result_handler=result_handler,
exit_args=exit_args,
chain=chain
)
if certificate_out is not None:
certs = (
certificate_loader(cert.encode("utf-8"))
for cert in exit_args['certificate']
)
write_certificate_list(certs, certificate_out)
exit_args = {}
return changed, exit_args
def do_cert_revoke(ansible_module, serial_number, reason=None, ca=None):
"""Revoke a certificate."""
_ign, cert = do_cert_retrieve(ansible_module, serial_number, ca)
if not cert or cert.get('revoked', False):
return False, cert
args = gen_args(ansible_module, ca=ca, reason=reason)
commands = [[serial_number, "cert_revoke", args]]
changed = ansible_module.execute_ipa_commands(commands)
return changed, cert
def do_cert_release(ansible_module, serial_number, ca=None):
"""Release hold on certificate."""
_ign, cert = do_cert_retrieve(ansible_module, serial_number, ca)
revoked = cert.get('revoked', True)
reason = cert.get('revocation_reason', -1)
if cert and not revoked:
return False, cert
if revoked and reason != 6: # can only release held certificates
ansible_module.fail_json(
msg="Cannot release hold on certificate revoked with"
" reason: %d" % reason
)
args = gen_args(ansible_module, ca=ca)
commands = [[serial_number, "cert_remove_hold", args]]
changed = ansible_module.execute_ipa_commands(commands)
return changed, cert
def do_cert_retrieve(
module, serial_number, ca=None, chain=None, outfile=None
):
"""Retrieve a certificate with 'cert-show'."""
args = gen_args(module, ca=ca, chain=chain, certificate_out=outfile)
exit_args = {}
commands = [[serial_number, "cert_show", args]]
module.execute_ipa_commands(
commands,
result_handler=result_handler,
exit_args=exit_args,
chain=chain,
)
if outfile is not None:
exit_args = {}
return False, exit_args
def main():
ansible_module = IPAAnsibleModule(
argument_spec=dict(
# requested
csr=dict(type="str"),
csr_file=dict(type="str"),
principal=dict(type="str"),
add_principal=dict(type="bool", required=False, aliases=["add"]),
profile_id=dict(type="str", aliases=["profile"], required=False),
# revoked
revocation_reason=dict(type="raw", aliases=["reason"]),
# general
serial_number=dict(type="int"),
ca=dict(type="str"),
chain=dict(type="bool", required=False),
certificate_out=dict(type="str", required=False),
# state
state=dict(
type="str",
required=True,
choices=[
"requested", "held", "released", "revoked", "retrieved"
]
),
),
mutually_exclusive=[["csr", "csr_file"]],
required_if=[
('state', 'requested', ['principal']),
('state', 'retrieved', ['serial_number']),
('state', 'held', ['serial_number']),
('state', 'released', ['serial_number']),
('state', 'revoked', ['serial_number', 'revocation_reason']),
],
supports_check_mode=False,
)
ansible_module._ansible_debug = True
# Get parameters
# requested
csr = ansible_module.params_get("csr")
csr_file = ansible_module.params_get("csr_file")
principal = ansible_module.params_get("principal")
add_principal = ansible_module.params_get("add_principal")
profile = ansible_module.params_get("profile_id")
# revoked
reason = ansible_module.params_get("revocation_reason")
# general
serial_number = ansible_module.params.get("serial_number")
ca = ansible_module.params_get("ca")
chain = ansible_module.params_get("chain")
certificate_out = ansible_module.params_get("certificate_out")
# state
state = ansible_module.params_get("state")
# Check parameters
if ansible_module.params_get("ipaapi_context") == "server":
ansible_module.fail_json(
msg="Context 'server' for ipacert is not yet supported."
)
invalid = []
if state == "requested":
invalid = ["serial_number", "revocation_reason"]
if csr is None and csr_file is None:
ansible_module.fail_json(
msg="Required 'csr' or 'csr_file' with 'state: requested'.")
else:
invalid = [
"csr", "principal", "add_principal", "profile"
"certificate_out"
]
if state in ["released", "held"]:
invalid.extend(["revocation_reason", "certificate_out", "chain"])
if state == "retrieved":
invalid.append("revocation_reason")
if state == "revoked":
invalid.extend(["certificate_out", "chain"])
elif state == "held":
reason = 6 # certificateHold
ansible_module.params_fail_used_invalid(invalid, state)
# Init
changed = False
exit_args = {}
# Connect to IPA API
# If executed on 'server' contexot, cert plugin uses the IPA RA agent
# TLS client certificate/key, which users are not able to access,
# resulting in a 'permission denied' exception when attempting to connect
# the CA service. Therefore 'client' context in forced for this module.
with ansible_module.ipa_connect(context="client"):
if state == "requested":
if csr_file is not None:
with open(csr_file, "rt") as csr_in:
csr = "".join(csr_in.readlines())
changed, exit_args = do_cert_request(
ansible_module,
csr,
principal,
add_principal,
ca,
profile,
chain,
certificate_out
)
elif state in ("held", "revoked"):
changed, exit_args = do_cert_revoke(
ansible_module, serial_number, reason, ca)
elif state == "released":
changed, exit_args = do_cert_release(
ansible_module, serial_number, ca)
elif state == "retrieved":
changed, exit_args = do_cert_retrieve(
ansible_module, serial_number, ca, chain, certificate_out)
# Done
ansible_module.exit_json(changed=changed, certificate=exit_args)
if __name__ == "__main__":
main()

13
plugins/modules/ipaconfig.py
View File

@@ -160,7 +160,8 @@ options:
required: false
type: list
elements: str
choices: ["password", "radius", "otp", "disabled", ""]
choices: ["password", "radius", "otp", "pkinit", "hardened", "idp",
"disabled", ""]
aliases: ["ipauserauthtype"]
ca_renewal_master_server:
description: Renewal master for IPA certificate authority.
@@ -425,6 +426,7 @@ def main():
choices=["MS-PAC", "PAD", "nfs:NONE", ""]),
user_auth_type=dict(type="list", elements="str", required=False,
choices=["password", "radius", "otp",
"pkinit", "hardened", "idp",
"disabled", ""],
aliases=["ipauserauthtype"]),
ca_renewal_master_server=dict(type="str", required=False),
@@ -525,6 +527,15 @@ def main():
result = config_show(ansible_module)
if params:
# Verify ipauserauthtype(s)
if "ipauserauthtype" in params and params["ipauserauthtype"]:
_invalid = ansible_module.ipa_command_invalid_param_choices(
"config_mod", "ipauserauthtype", params["ipauserauthtype"])
if _invalid:
ansible_module.fail_json(
msg="The use of userauthtype '%s' is not "
"supported by your IPA version" % "','".join(_invalid))
enable_sid = params.get("enable_sid")
sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)

5
plugins/modules/ipadnsrecord.py
View File

@@ -1394,15 +1394,16 @@ def gen_args(entry):
if record_value is not None:
record_type = entry['record_type']
rec = "{}record".format(record_type.lower())
rec = "{0}record".format(record_type.lower())
args[rec] = ensure_data_is_list(record_value)
else:
for field in _RECORD_FIELDS:
record_value = entry.get(field) or entry.get("%sord" % field)
if record_value is not None:
# pylint: disable=use-maxsplit-arg
record_type = field.split('_')[0]
rec = "{}record".format(record_type.lower())
rec = "{0}record".format(record_type.lower())
args[rec] = ensure_data_is_list(record_value)
records = {

21
plugins/modules/ipahost.py
View File

@@ -63,7 +63,7 @@ options:
type: str
required: false
location:
description: Host location (e.g. "Lab 2")
description: Host physical location hist (e.g. "Lab 2")
type: str
aliases: ["ns_host_location"]
required: false
@@ -184,7 +184,7 @@ options:
type: list
elements: str
aliases: ["krbprincipalauthind"]
choices: ["radius", "otp", "pkinit", "hardened", ""]
choices: ["radius", "otp", "pkinit", "hardened", "idp", ""]
required: false
requires_pre_auth:
description: Pre-authentication is required for the service
@@ -356,7 +356,7 @@ options:
type: list
elements: str
aliases: ["krbprincipalauthind"]
choices: ["radius", "otp", "pkinit", "hardened", ""]
choices: ["radius", "otp", "pkinit", "hardened", "idp", ""]
required: false
requires_pre_auth:
description: Pre-authentication is required for the service
@@ -667,6 +667,15 @@ def check_parameters( # pylint: disable=unused-argument
module.params_fail_used_invalid(invalid, state, action)
def check_authind(module, auth_ind):
_invalid = module.ipa_command_invalid_param_choices(
"host_add", "krbprincipalauthind", auth_ind)
if _invalid:
module.fail_json(
msg="The use of krbprincipalauthind '%s' is not supported "
"by your IPA version" % "','".join(_invalid))
# pylint: disable=unused-argument
def result_handler(module, result, command, name, args, errors, exit_args,
single_host):
@@ -776,7 +785,8 @@ def main():
default=None),
auth_ind=dict(type='list', elements="str",
aliases=["krbprincipalauthind"], default=None,
choices=['radius', 'otp', 'pkinit', 'hardened', '']),
choices=["radius", "otp", "pkinit", "hardened", "idp",
""]),
requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"],
default=None),
ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"],
@@ -919,6 +929,8 @@ def main():
# Check version specific settings
check_authind(ansible_module, auth_ind)
server_realm = ansible_module.ipa_get_realm()
commands = []
@@ -961,6 +973,7 @@ def main():
sshpubkey = host.get("sshpubkey")
userclass = host.get("userclass")
auth_ind = host.get("auth_ind")
check_authind(ansible_module, auth_ind)
requires_pre_auth = host.get("requires_pre_auth")
ok_as_delegate = host.get("ok_as_delegate")
ok_to_auth_as_delegate = host.get("ok_to_auth_as_delegate")

67
plugins/modules/ipapwpolicy.py
View File

@@ -45,82 +45,84 @@ options:
required: false
aliases: ["cn"]
maxlife:
description: Maximum password lifetime (in days)
description: Maximum password lifetime (in days). (int or "")
type: str
required: false
aliases: ["krbmaxpwdlife"]
minlife:
description: Minimum password lifetime (in hours)
description: Minimum password lifetime (in hours). (int or "")
type: str
required: false
aliases: ["krbminpwdlife"]
history:
description: Password history size
description: Password history size. (int or "")
type: str
required: false
aliases: ["krbpwdhistorylength"]
minclasses:
description: Minimum number of character classes
description: Minimum number of character classes. (int or "")
type: str
required: false
aliases: ["krbpwdmindiffchars"]
minlength:
description: Minimum length of password
description: Minimum length of password. (int or "")
type: str
required: false
aliases: ["krbpwdminlength"]
priority:
description: Priority of the policy (higher number means lower priority)
description: >
Priority of the policy (higher number means lower priority). (int or "")
type: str
required: false
aliases: ["cospriority"]
maxfail:
description: Consecutive failures before lockout
description: Consecutive failures before lockout. (int or "")
type: str
required: false
aliases: ["krbpwdmaxfailure"]
failinterval:
description: Period after which failure count will be reset (seconds)
description: >
Period after which failure count will be reset (seconds). (int or "")
type: str
required: false
aliases: ["krbpwdfailurecountinterval"]
lockouttime:
description: Period for which lockout is enforced (seconds)
description: Period for which lockout is enforced (seconds). (int or "")
type: str
required: false
aliases: ["krbpwdlockoutduration"]
maxrepeat:
description: >
Maximum number of same consecutive characters.
Requires IPA 4.9+
Requires IPA 4.9+. (int or "")
type: str
required: false
aliases: ["ipapwdmaxrepeat"]
maxsequence:
description: >
The maximum length of monotonic character sequences (abcd).
Requires IPA 4.9+
Requires IPA 4.9+. (int or "")
type: str
required: false
aliases: ["ipapwdmaxsequence"]
dictcheck:
description: >
Check if the password is a dictionary word.
Requires IPA 4.9+
Requires IPA 4.9+. (bool or "")
type: str
required: false
aliases: ["ipapwdictcheck"]
usercheck:
description: >
Check if the password contains the username.
Requires IPA 4.9+
Requires IPA 4.9+. (bool or "")
type: str
required: false
aliases: ["ipapwdusercheck"]
gracelimit:
description: >
Number of LDAP authentications allowed after expiration.
Requires IPA 4.10.1+
Requires IPA 4.10.1+. (int or "")
type: str
required: false
aliases: ["passwordgracelimit"]
@@ -151,7 +153,7 @@ RETURN = """
"""
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule, compare_args_ipa
IPAAnsibleModule, compare_args_ipa, boolean
def find_pwpolicy(module, name):
@@ -197,7 +199,7 @@ def gen_args(module,
if maxrepeat is not None:
_args["ipapwdmaxrepeat"] = maxrepeat
if maxsequence is not None:
_args["ipapwdmaxrsequence"] = maxsequence
_args["ipapwdmaxsequence"] = maxsequence
if dictcheck is not None:
if module.ipa_check_version("<", "4.9.10"):
# Allowed values: "TRUE", "FALSE", ""
@@ -230,17 +232,15 @@ def check_supported_params(
"pwpolicy_add", "passwordgracelimit")
# If needed, report unsupported password checking paramteres
if not has_password_check:
check_password_params = [maxrepeat, maxsequence, dictcheck, usercheck]
unsupported = [
x for x in check_password_params if x is not None
]
if unsupported:
module.fail_json(
msg="Your IPA version does not support arguments: "
"maxrepeat, maxsequence, dictcheck, usercheck.")
if (
not has_password_check
and any([maxrepeat, maxsequence, dictcheck, usercheck])
):
module.fail_json(
msg="Your IPA version does not support arguments: "
"maxrepeat, maxsequence, dictcheck, usercheck.")
if gracelimit is not None and not has_gracelimit:
if not has_gracelimit and gracelimit is not None:
module.fail_json(
msg="Your IPA version does not support 'gracelimit'.")
@@ -361,17 +361,12 @@ def main():
gracelimit = int_or_empty_param(gracelimit, "gracelimit")
def bool_or_empty_param(value, param): # pylint: disable=R1710
# As of Ansible 2.14, values True, False, Yes an No, with variable
# capitalization are accepted by Ansible.
if not value:
if value is None or value == "":
return value
if value in ["TRUE", "True", "true", "YES", "Yes", "yes"]:
return True
if value in ["FALSE", "False", "false", "NO", "No", "no"]:
return False
ansible_module.fail_json(
msg="Invalid value '%s' for argument '%s'." % (value, param)
)
try:
return boolean(value)
except TypeError as terr:
ansible_module.fail_json(msg="Param '%s': %s" % (param, str(terr)))
dictcheck = bool_or_empty_param(dictcheck, "dictcheck")
usercheck = bool_or_empty_param(usercheck, "usercheck")

20
plugins/modules/ipaserver.py
View File

@@ -45,9 +45,9 @@ options:
aliases: ["cn"]
location:
description: |
The server location string.
"" for location reset.
Only in state: present.
The server DNS location.
Only available with 'state: present'.
Use "" for location reset.
type: str
required: false
aliases: ["ipalocation_location"]
@@ -55,46 +55,46 @@ options:
description: |
Weight for server services
Values 0 to 65535, -1 for weight reset.
Only in state: present.
Only available with 'state: present'.
required: false
type: int
aliases: ["ipaserviceweight"]
hidden:
description: |
Set hidden state of a server.
Only in state: present.
Only available with 'state: present'.
required: false
type: bool
no_members:
description: |
Suppress processing of membership attributes
Only in state: present.
Only available with 'state: present'.
required: false
type: bool
delete_continue:
description: |
Continuous mode: Don't stop on errors.
Only in state: absent.
Only available with 'state: absent'.
required: false
type: bool
aliases: ["continue"]
ignore_last_of_role:
description: |
Skip a check whether the last CA master or DNS server is removed.
Only in state: absent.
Only available with 'state: absent'.
required: false
type: bool
ignore_topology_disconnect:
description: |
Ignore topology connectivity problems after removal.
Only in state: absent.
Only available with 'state: absent'.
required: false
type: bool
force:
description: |
Force server removal even if it does not exist.
Will always result in changed.
Only in state: absent.
Only available with 'state: absent'.
required: false
type: bool
state:

328
plugins/modules/ipaservice.py
View File

@@ -1,6 +1,7 @@
# -*- coding: utf-8 -*-
# Authors:
# Denis Karpelevich <dkarpele@redhat.com>
# Rafael Guterres Jeffman <rjeffman@redhat.com>
# Thomas Woerner <twoerner@redhat.com>
#
@@ -45,6 +46,127 @@ options:
elements: str
required: true
aliases: ["service"]
services:
description: The list of service dicts.
type: list
elements: dict
suboptions:
name:
description: The service to manage
type: str
required: true
aliases: ["service"]
certificate:
description: Base-64 encoded service certificate.
required: false
type: list
elements: str
aliases: ["usercertificate"]
pac_type:
description: Supported PAC type.
required: false
choices: ["MS-PAC", "PAD", "NONE", ""]
type: list
elements: str
aliases: ["pac_type", "ipakrbauthzdata"]
auth_ind:
description: Defines an allow list for Authentication Indicators.
type: list
elements: str
required: false
choices: ["otp", "radius", "pkinit", "hardened", "idp", ""]
aliases: ["krbprincipalauthind"]
skip_host_check:
description: Skip checking if host object exists.
required: False
type: bool
force:
description: Force principal name even if host is not in DNS.
required: False
type: bool
requires_pre_auth:
description: Pre-authentication is required for the service.
required: false
type: bool
aliases: ["ipakrbrequirespreauth"]
ok_as_delegate:
description: Client credentials may be delegated to the service.
required: false
type: bool
aliases: ["ipakrbokasdelegate"]
ok_to_auth_as_delegate:
description: Allow service to authenticate on behalf of a client.
required: false
type: bool
aliases: ["ipakrboktoauthasdelegate"]
principal:
description: List of principal aliases for the service.
required: false
type: list
elements: str
aliases: ["krbprincipalname"]
smb:
description: Add a SMB service.
required: false
type: bool
netbiosname:
description: NETBIOS name for the SMB service.
required: false
type: str
host:
description: Host that can manage the service.
required: false
type: list
elements: str
aliases: ["managedby_host"]
allow_create_keytab_user:
description: Users allowed to create a keytab of this host.
required: false
type: list
elements: str
aliases: ["ipaallowedtoperform_write_keys_user"]
allow_create_keytab_group:
description: Groups allowed to create a keytab of this host.
required: false
type: list
elements: str
aliases: ["ipaallowedtoperform_write_keys_group"]
allow_create_keytab_host:
description: Hosts allowed to create a keytab of this host.
required: false
type: list
elements: str
aliases: ["ipaallowedtoperform_write_keys_host"]
allow_create_keytab_hostgroup:
description: Host group allowed to create a keytab of this host.
required: false
type: list
elements: str
aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
allow_retrieve_keytab_user:
description: User allowed to retrieve a keytab of this host.
required: false
type: list
elements: str
aliases: ["ipaallowedtoperform_read_keys_user"]
allow_retrieve_keytab_group:
description: Groups allowed to retrieve a keytab of this host.
required: false
type: list
elements: str
aliases: ["ipaallowedtoperform_read_keys_group"]
allow_retrieve_keytab_host:
description: Hosts allowed to retrieve a keytab of this host.
required: false
type: list
elements: str
aliases: ["ipaallowedtoperform_read_keys_host"]
allow_retrieve_keytab_hostgroup:
description: Host groups allowed to retrieve a keytab of this host.
required: false
type: list
elements: str
aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
certificate:
description: Base-64 encoded service certificate.
required: false
@@ -63,7 +185,7 @@ options:
type: list
elements: str
required: false
choices: ["otp", "radius", "pkinit", "hardened", ""]
choices: ["otp", "radius", "pkinit", "hardened", "idp", ""]
aliases: ["krbprincipalauthind"]
skip_host_check:
description: Skip checking if host object exists.
@@ -239,6 +361,15 @@ EXAMPLES = """
- host1.example.com
- host2.example.com
action: member
# Ensure multiple services are present.
- ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www.example.com
host:
- host1.example.com
- name: HTTP/www.service.com
"""
RETURN = """
@@ -248,6 +379,9 @@ from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule, compare_args_ipa, encode_certificate, \
gen_add_del_lists, gen_add_list, gen_intersection_list, ipalib_errors, \
api_get_realm, to_text
from ansible.module_utils import six
if six.PY3:
unicode = str
def find_service(module, name):
@@ -321,8 +455,9 @@ def check_parameters(module, state, action, names):
'allow_retrieve_keytab_hostgroup']
if state == 'present':
if len(names) != 1:
module.fail_json(msg="Only one service can be added at a time.")
if names is not None and len(names) != 1:
module.fail_json(msg="Only one service can be added at a time "
"using 'name'.")
if action == 'service':
invalid = ['delete_continue']
@@ -338,9 +473,6 @@ def check_parameters(module, state, action, names):
invalid.append('delete_continue')
elif state == 'absent':
if len(names) < 1:
module.fail_json(msg="No name given.")
if action == "service":
invalid.extend(invalid_not_member)
else:
@@ -359,68 +491,96 @@ def check_parameters(module, state, action, names):
module.params_fail_used_invalid(invalid, state, action)
def check_authind(module, auth_ind):
_invalid = module.ipa_command_invalid_param_choices(
"service_add", "krbprincipalauthind", auth_ind)
if _invalid:
module.fail_json(
msg="The use of krbprincipalauthind '%s' is not supported "
"by your IPA version" % "','".join(_invalid))
def init_ansible_module():
service_spec = dict(
# service attributesstr
certificate=dict(type="list", elements="str",
aliases=['usercertificate'],
default=None, required=False),
principal=dict(type="list", elements="str",
aliases=["krbprincipalname"], default=None),
smb=dict(type="bool", required=False),
netbiosname=dict(type="str", required=False),
pac_type=dict(type="list", elements="str",
aliases=["ipakrbauthzdata"],
choices=["MS-PAC", "PAD", "NONE", ""]),
auth_ind=dict(type="list", elements="str",
aliases=["krbprincipalauthind"],
choices=["otp", "radius", "pkinit", "hardened", "idp",
""]),
skip_host_check=dict(type="bool"),
force=dict(type="bool"),
requires_pre_auth=dict(
type="bool", aliases=["ipakrbrequirespreauth"]),
ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]),
ok_to_auth_as_delegate=dict(type="bool",
aliases=["ipakrboktoauthasdelegate"]),
host=dict(type="list", elements="str", aliases=["managedby_host"],
required=False),
allow_create_keytab_user=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_write_keys_user']),
allow_retrieve_keytab_user=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_read_keys_user']),
allow_create_keytab_group=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_write_keys_group']),
allow_retrieve_keytab_group=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_read_keys_group']),
allow_create_keytab_host=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_write_keys_host']),
allow_retrieve_keytab_host=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_read_keys_host']),
allow_create_keytab_hostgroup=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_write_keys_hostgroup']),
allow_retrieve_keytab_hostgroup=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_read_keys_hostgroup']),
delete_continue=dict(type="bool", required=False,
aliases=['continue']),
)
ansible_module = IPAAnsibleModule(
argument_spec=dict(
# general
name=dict(type="list", elements="str", aliases=["service"],
required=True),
# service attributesstr
certificate=dict(type="list", elements="str",
aliases=['usercertificate'],
default=None, required=False),
principal=dict(type="list", elements="str",
aliases=["krbprincipalname"], default=None),
smb=dict(type="bool", required=False),
netbiosname=dict(type="str", required=False),
pac_type=dict(type="list", elements="str",
aliases=["ipakrbauthzdata"],
choices=["MS-PAC", "PAD", "NONE", ""]),
auth_ind=dict(type="list", elements="str",
aliases=["krbprincipalauthind"],
choices=["otp", "radius", "pkinit", "hardened", ""]),
skip_host_check=dict(type="bool"),
force=dict(type="bool"),
requires_pre_auth=dict(
type="bool", aliases=["ipakrbrequirespreauth"]),
ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]),
ok_to_auth_as_delegate=dict(type="bool",
aliases=["ipakrboktoauthasdelegate"]),
host=dict(type="list", elements="str", aliases=["managedby_host"],
required=False),
allow_create_keytab_user=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_write_keys_user']),
allow_retrieve_keytab_user=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_read_keys_user']),
allow_create_keytab_group=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_write_keys_group']),
allow_retrieve_keytab_group=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_read_keys_group']),
allow_create_keytab_host=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_write_keys_host']),
allow_retrieve_keytab_host=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_read_keys_host']),
allow_create_keytab_hostgroup=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_write_keys_hostgroup']),
allow_retrieve_keytab_hostgroup=dict(
type="list", elements="str", required=False, no_log=False,
aliases=['ipaallowedtoperform_read_keys_hostgroup']),
delete_continue=dict(type="bool", required=False,
aliases=['continue']),
default=None, required=False),
services=dict(type="list",
default=None,
options=dict(
# Here name is a simple string
name=dict(type="str", required=True,
aliases=["service"]),
# Add service specific parameters
**service_spec
),
elements='dict',
required=False),
# action
action=dict(type="str", default="service",
choices=["member", "service"]),
# state
state=dict(type="str", default="present",
choices=["present", "absent", "disabled"]),
# Add service specific parameters for simple use case
**service_spec
),
mutually_exclusive=[["name", "services"]],
required_one_of=[["name", "services"]],
supports_check_mode=True,
)
@@ -436,10 +596,17 @@ def main():
# general
names = ansible_module.params_get("name")
services = ansible_module.params_get("services")
# service attributes
principal = ansible_module.params_get("principal")
certificate = ansible_module.params_get("certificate")
# Any leading or trailing whitespace is removed while adding the
# certificate with serive_add_cert. To be able to compare the results
# from service_show with the given certificates we have to remove the
# white space also.
if certificate is not None:
certificate = [cert.strip() for cert in certificate]
pac_type = ansible_module.params_get("pac_type", allow_empty_string=True)
auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
skip_host_check = ansible_module.params_get("skip_host_check")
@@ -462,8 +629,16 @@ def main():
state = ansible_module.params_get("state")
# check parameters
if (names is None or len(names) < 1) and \
(services is None or len(services) < 1):
ansible_module.fail_json(msg="At least one name or services is "
"required")
check_parameters(ansible_module, state, action, names)
# Use services if names is None
if services is not None:
names = services
# Init
changed = False
@@ -477,11 +652,50 @@ def main():
if skip_host_check and not has_skip_host_check:
ansible_module.fail_json(
msg="Skipping host check is not supported by your IPA version")
check_authind(ansible_module, auth_ind)
commands = []
keytab_members = ["user", "group", "host", "hostgroup"]
service_set = set()
for name in names:
for service in names:
if isinstance(service, dict):
name = service.get("name")
if name in service_set:
ansible_module.fail_json(
msg="service '%s' is used more than once" % name)
service_set.add(name)
principal = service.get("principal")
certificate = service.get("certificate")
# Any leading or trailing whitespace is removed while adding
# the certificate with serive_add_cert. To be able to compare
# the results from service_show with the given certificates
# we have to remove the white space also.
if certificate is not None:
certificate = [cert.strip() for cert in certificate]
pac_type = service.get("pac_type")
auth_ind = service.get("auth_ind")
check_authind(ansible_module, auth_ind)
skip_host_check = service.get("skip_host_check")
if skip_host_check and not has_skip_host_check:
ansible_module.fail_json(
msg="Skipping host check is not supported by your IPA "
"version")
force = service.get("force")
requires_pre_auth = service.get("requires_pre_auth")
ok_as_delegate = service.get("ok_as_delegate")
ok_to_auth_as_delegate = service.get("ok_to_auth_as_delegate")
smb = service.get("smb")
netbiosname = service.get("netbiosname")
host = service.get("host")
delete_continue = service.get("delete_continue")
elif isinstance(service, (str, unicode)):
name = service
else:
ansible_module.fail_json(msg="Service '%s' is not valid" %
repr(service))
res_find = find_service(ansible_module, name)
res_principals = []

320
plugins/modules/ipauser.py
View File

@@ -80,6 +80,10 @@ options:
description: The home directory
type: str
required: false
gecos:
description: The GECOS
type: str
required: false
shell:
description: The login shell
type: str
@@ -133,6 +137,10 @@ options:
type: int
required: false
aliases: ["gidnumber"]
street:
description: Street address
type: str
required: false
city:
description: City
type: str
@@ -200,7 +208,7 @@ options:
Use empty string to reset userauthtype to the initial value.
type: list
elements: str
choices: ['password', 'radius', 'otp', '']
choices: ["password", "radius", "otp", "pkinit", "hardened", "idp", ""]
required: false
aliases: ["ipauserauthtype"]
userclass:
@@ -234,10 +242,45 @@ options:
description: Employee Type
type: str
required: false
smb_logon_script:
description: SMB logon script path
type: str
required: false
aliases: ["ipantlogonscript"]
smb_profile_path:
description: SMB profile path
type: str
required: false
aliases: ["ipantprofilepath"]
smb_home_dir:
description: SMB Home Directory
type: str
required: false
aliases: ["ipanthomedirectory"]
smb_home_drive:
description: SMB Home Directory Drive
type: str
required: false
choices: [
'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:', 'J:',
'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:', 'S:', 'T:',
'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:', ''
]
aliases: ["ipanthomedirectorydrive"]
preferredlanguage:
description: Preferred Language
type: str
required: false
idp:
description: External IdP configuration
type: str
required: false
aliases: ["ipaidpconfiglink"]
idp_user_id:
description: A string that identifies the user at external IdP
type: str
required: false
aliases: ["ipaidpsub"]
certificate:
description: List of base-64 encoded user certificates
type: list
@@ -304,6 +347,10 @@ options:
description: The home directory
type: str
required: false
gecos:
description: The GECOS
type: str
required: false
shell:
description: The login shell
type: str
@@ -357,6 +404,10 @@ options:
type: int
required: false
aliases: ["gidnumber"]
street:
description: Street address
type: str
required: false
city:
description: City
type: str
@@ -424,7 +475,7 @@ options:
Use empty string to reset userauthtype to the initial value.
type: list
elements: str
choices: ['password', 'radius', 'otp', '']
choices: ["password", "radius", "otp", "pkinit", "hardened", "idp", ""]
required: false
aliases: ["ipauserauthtype"]
userclass:
@@ -458,10 +509,45 @@ options:
description: Employee Type
type: str
required: false
smb_logon_script:
description: SMB logon script path
type: str
required: false
aliases: ["ipantlogonscript"]
smb_profile_path:
description: SMB profile path
type: str
required: false
aliases: ["ipantprofilepath"]
smb_home_dir:
description: SMB Home Directory
type: str
required: false
aliases: ["ipanthomedirectory"]
smb_home_drive:
description: SMB Home Directory Drive
type: str
required: false
choices: [
'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:', 'J:',
'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:', 'S:', 'T:',
'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:', ''
]
aliases: ["ipanthomedirectorydrive"]
preferredlanguage:
description: Preferred Language
type: str
required: false
idp:
description: External IdP configuration
type: str
required: false
aliases: ["ipaidpconfiglink"]
idp_user_id:
description: A string that identifies the user at external IdP
type: str
required: false
aliases: ["ipaidpsub"]
certificate:
description: List of base-64 encoded user certificates
type: list
@@ -597,6 +683,17 @@ EXAMPLES = """
ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: disabled
# Ensure a user has SMB attributes
- ipauser:
ipaadmin_password: SomeADMINpassword
name: smbuser
first: SMB
last: User
smb_logon_script: N:\\logonscripts\\startup
smb_profile_path: \\\\server\\profiles\\some_profile
smb_home_dir: \\\\users\\home\\smbuser
smb_home_drive: "U:"
"""
RETURN = """
@@ -652,12 +749,14 @@ def find_user(module, name):
return _result
def gen_args(first, last, fullname, displayname, initials, homedir, shell,
email, principalexpiration, passwordexpiration, password,
random, uid, gid, city, userstate, postalcode, phone, mobile,
pager, fax, orgunit, title, carlicense, sshpubkey, userauthtype,
userclass, radius, radiususer, departmentnumber, employeenumber,
employeetype, preferredlanguage, noprivate, nomembers):
def gen_args(first, last, fullname, displayname, initials, homedir, gecos,
shell, email, principalexpiration, passwordexpiration, password,
random, uid, gid, street, city, userstate, postalcode, phone,
mobile, pager, fax, orgunit, title, carlicense, sshpubkey,
userauthtype, userclass, radius, radiususer, departmentnumber,
employeenumber, employeetype, preferredlanguage, smb_logon_script,
smb_profile_path, smb_home_dir, smb_home_drive, idp, idp_user_id,
noprivate, nomembers):
# principal, manager, certificate and certmapdata are handled not in here
_args = {}
if first is not None:
@@ -672,6 +771,8 @@ def gen_args(first, last, fullname, displayname, initials, homedir, shell,
_args["initials"] = initials
if homedir is not None:
_args["homedirectory"] = homedir
if gecos is not None:
_args["gecos"] = gecos
if shell is not None:
_args["loginshell"] = shell
if email is not None and len(email) > 0:
@@ -688,6 +789,8 @@ def gen_args(first, last, fullname, displayname, initials, homedir, shell,
_args["uidnumber"] = to_text(str(uid))
if gid is not None:
_args["gidnumber"] = to_text(str(gid))
if street is not None:
_args["street"] = street
if city is not None:
_args["l"] = city
if userstate is not None:
@@ -726,48 +829,57 @@ def gen_args(first, last, fullname, displayname, initials, homedir, shell,
_args["employeetype"] = employeetype
if preferredlanguage is not None:
_args["preferredlanguage"] = preferredlanguage
if idp is not None:
_args["ipaidpconfiglink"] = idp
if idp_user_id is not None:
_args["ipaidpsub"] = idp_user_id
if noprivate is not None:
_args["noprivate"] = noprivate
if nomembers is not None:
_args["no_members"] = nomembers
if smb_logon_script is not None:
_args["ipantlogonscript"] = smb_logon_script
if smb_profile_path is not None:
_args["ipantprofilepath"] = smb_profile_path
if smb_home_dir is not None:
_args["ipanthomedirectory"] = smb_home_dir
if smb_home_drive is not None:
_args["ipanthomedirectorydrive"] = smb_home_drive
return _args
def check_parameters( # pylint: disable=unused-argument
module, state, action, first, last, fullname, displayname, initials,
homedir, shell, email, principal, principalexpiration,
passwordexpiration, password, random, uid, gid, city, phone, mobile,
pager, fax, orgunit, title, manager, carlicense, sshpubkey,
homedir, gecos, shell, email, principal, principalexpiration,
passwordexpiration, password, random, uid, gid, street, city, phone,
mobile, pager, fax, orgunit, title, manager, carlicense, sshpubkey,
userauthtype, userclass, radius, radiususer, departmentnumber,
employeenumber, employeetype, preferredlanguage, certificate,
certmapdata, noprivate, nomembers, preserve, update_password):
invalid = []
if state == "present":
if action == "member":
invalid = ["first", "last", "fullname", "displayname", "initials",
"homedir", "shell", "email", "principalexpiration",
"passwordexpiration", "password", "random", "uid",
"gid", "city", "phone", "mobile", "pager", "fax",
"orgunit", "title", "carlicense", "sshpubkey",
"userauthtype", "userclass", "radius", "radiususer",
"departmentnumber", "employeenumber", "employeetype",
"preferredlanguage", "noprivate", "nomembers",
"preserve", "update_password"]
certmapdata, noprivate, nomembers, preserve, update_password,
smb_logon_script, smb_profile_path, smb_home_dir, smb_home_drive,
idp, ipa_user_id,
):
if state == "present" and action == "user":
invalid = ["preserve"]
else:
invalid = ["first", "last", "fullname", "displayname", "initials",
"homedir", "shell", "email", "principalexpiration",
"passwordexpiration", "password", "random", "uid",
"gid", "city", "phone", "mobile", "pager", "fax",
"orgunit", "title", "carlicense", "sshpubkey",
"userauthtype", "userclass", "radius", "radiususer",
"departmentnumber", "employeenumber", "employeetype",
"preferredlanguage", "noprivate", "nomembers",
"update_password"]
if action == "user":
invalid.extend(["principal", "manager",
"certificate", "certmapdata",
])
invalid = [
"first", "last", "fullname", "displayname", "initials", "homedir",
"shell", "email", "principalexpiration", "passwordexpiration",
"password", "random", "uid", "gid", "street", "city", "phone",
"mobile", "pager", "fax", "orgunit", "title", "carlicense",
"sshpubkey", "userauthtype", "userclass", "radius", "radiususer",
"departmentnumber", "employeenumber", "employeetype",
"preferredlanguage", "noprivate", "nomembers", "update_password",
"gecos", "smb_logon_script", "smb_profile_path", "smb_home_dir",
"smb_home_drive", "idp", "idp_user_id"
]
if state == "present" and action == "member":
invalid.append("preserve")
else:
if action == "user":
invalid.extend(
["principal", "manager", "certificate", "certmapdata"])
if state != "absent" and preserve is not None:
module.fail_json(
@@ -801,6 +913,15 @@ def check_parameters( # pylint: disable=unused-argument
module.fail_json(msg="certmapdata: subject is missing")
def check_userauthtype(module, userauthtype):
_invalid = module.ipa_command_invalid_param_choices(
"user_add", "ipauserauthtype", userauthtype)
if _invalid:
module.fail_json(
msg="The use of userauthtype '%s' is not supported "
"by your IPA version" % "','".join(_invalid))
def extend_emails(email, default_email_domain):
if email is not None:
return ["%s@%s" % (_email, default_email_domain)
@@ -902,6 +1023,7 @@ def main():
displayname=dict(type="str", default=None),
initials=dict(type="str", default=None),
homedir=dict(type="str", default=None),
gecos=dict(type="str", default=None),
shell=dict(type="str", aliases=["loginshell"], default=None),
email=dict(type="list", elements="str", default=None),
principal=dict(type="list", elements="str",
@@ -917,6 +1039,7 @@ def main():
random=dict(type='bool', default=None),
uid=dict(type="int", aliases=["uidnumber"], default=None),
gid=dict(type="int", aliases=["gidnumber"], default=None),
street=dict(type="str", default=None),
city=dict(type="str", default=None),
userstate=dict(type="str", aliases=["st"], default=None),
postalcode=dict(type="str", aliases=["zip"], default=None),
@@ -934,7 +1057,8 @@ def main():
default=None),
userauthtype=dict(type='list', elements="str",
aliases=["ipauserauthtype"], default=None,
choices=['password', 'radius', 'otp', '']),
choices=["password", "radius", "otp", "pkinit",
"hardened", "idp", ""]),
userclass=dict(type="list", elements="str", aliases=["class"],
default=None),
radius=dict(type="str", aliases=["ipatokenradiusconfiglink"],
@@ -945,6 +1069,17 @@ def main():
departmentnumber=dict(type="list", elements="str", default=None),
employeenumber=dict(type="str", default=None),
employeetype=dict(type="str", default=None),
smb_logon_script=dict(type="str", default=None,
aliases=["ipantlogonscript"]),
smb_profile_path=dict(type="str", default=None,
aliases=["ipantprofilepath"]),
smb_home_dir=dict(type="str", default=None,
aliases=["ipanthomedirectory"]),
smb_home_drive=dict(type="str", default=None,
choices=[
("%c:" % chr(x))
for x in range(ord('A'), ord('Z') + 1)
] + [""], aliases=["ipanthomedirectorydrive"]),
preferredlanguage=dict(type="str", default=None),
certificate=dict(type="list", elements="str",
aliases=["usercertificate"], default=None),
@@ -959,6 +1094,9 @@ def main():
elements='dict', required=False),
noprivate=dict(type='bool', default=None),
nomembers=dict(type='bool', default=None),
idp=dict(type="str", default=None, aliases=['ipaidpconfiglink']),
idp_user_id=dict(type="str", default=None,
aliases=['ipaidpconfiglink']),
)
ansible_module = IPAAnsibleModule(
@@ -1015,6 +1153,7 @@ def main():
displayname = ansible_module.params_get("displayname")
initials = ansible_module.params_get("initials")
homedir = ansible_module.params_get("homedir")
gecos = ansible_module.params_get("gecos")
shell = ansible_module.params_get("shell")
email = ansible_module.params_get("email")
principal = ansible_module.params_get("principal")
@@ -1033,6 +1172,7 @@ def main():
random = ansible_module.params_get("random")
uid = ansible_module.params_get("uid")
gid = ansible_module.params_get("gid")
street = ansible_module.params_get("street")
city = ansible_module.params_get("city")
userstate = ansible_module.params_get("userstate")
postalcode = ansible_module.params_get("postalcode")
@@ -1055,6 +1195,12 @@ def main():
employeenumber = ansible_module.params_get("employeenumber")
employeetype = ansible_module.params_get("employeetype")
preferredlanguage = ansible_module.params_get("preferredlanguage")
smb_logon_script = ansible_module.params_get("smb_logon_script")
smb_profile_path = ansible_module.params_get("smb_profile_path")
smb_home_dir = ansible_module.params_get("smb_home_dir")
smb_home_drive = ansible_module.params_get("smb_home_drive")
idp = ansible_module.params_get("idp")
idp_user_id = ansible_module.params_get("idp_user_id")
certificate = ansible_module.params_get("certificate")
certmapdata = ansible_module.params_get("certmapdata")
noprivate = ansible_module.params_get("noprivate")
@@ -1080,13 +1226,15 @@ def main():
check_parameters(
ansible_module, state, action,
first, last, fullname, displayname, initials, homedir, shell, email,
first, last, fullname, displayname, initials, homedir, gecos, shell,
email,
principal, principalexpiration, passwordexpiration, password, random,
uid, gid, city, phone, mobile, pager, fax, orgunit, title, manager,
carlicense, sshpubkey, userauthtype, userclass, radius, radiususer,
departmentnumber, employeenumber, employeetype, preferredlanguage,
certificate, certmapdata, noprivate, nomembers, preserve,
update_password)
uid, gid, street, city, phone, mobile, pager, fax, orgunit, title,
manager, carlicense, sshpubkey, userauthtype, userclass, radius,
radiususer, departmentnumber, employeenumber, employeetype,
preferredlanguage, certificate, certmapdata, noprivate, nomembers,
preserve, update_password, smb_logon_script, smb_profile_path,
smb_home_dir, smb_home_drive, idp, idp_user_id)
certmapdata = convert_certmapdata(certmapdata)
# Use users if names is None
@@ -1105,6 +1253,10 @@ def main():
server_realm = ansible_module.ipa_get_realm()
# Check API specific parameters
check_userauthtype(ansible_module, userauthtype)
# Default email domain
result = ansible_module.ipa_command_no_name("config_show", {})
@@ -1133,6 +1285,7 @@ def main():
displayname = user.get("displayname")
initials = user.get("initials")
homedir = user.get("homedir")
gecos = user.get("gecos")
shell = user.get("shell")
email = user.get("email")
principal = user.get("principal")
@@ -1150,6 +1303,7 @@ def main():
random = user.get("random")
uid = user.get("uid")
gid = user.get("gid")
street = user.get("street")
city = user.get("city")
userstate = user.get("userstate")
postalcode = user.get("postalcode")
@@ -1170,6 +1324,12 @@ def main():
employeenumber = user.get("employeenumber")
employeetype = user.get("employeetype")
preferredlanguage = user.get("preferredlanguage")
smb_logon_script = user.get("smb_logon_script")
smb_profile_path = user.get("smb_profile_path")
smb_home_dir = user.get("smb_home_dir")
smb_home_drive = user.get("smb_home_drive")
idp = user.get("idp")
idp_user_id = user.get("idp_user_id")
certificate = user.get("certificate")
certmapdata = user.get("certmapdata")
noprivate = user.get("noprivate")
@@ -1178,16 +1338,21 @@ def main():
check_parameters(
ansible_module, state, action,
first, last, fullname, displayname, initials, homedir,
shell, email, principal, principalexpiration,
passwordexpiration, password, random, uid, gid, city,
phone, mobile, pager, fax, orgunit, title, manager,
gecos, shell, email, principal, principalexpiration,
passwordexpiration, password, random, uid, gid, street,
city, phone, mobile, pager, fax, orgunit, title, manager,
carlicense, sshpubkey, userauthtype, userclass, radius,
radiususer, departmentnumber, employeenumber,
employeetype, preferredlanguage, certificate,
certmapdata, noprivate, nomembers, preserve,
update_password)
update_password, smb_logon_script, smb_profile_path,
smb_home_dir, smb_home_drive, idp, idp_user_id)
certmapdata = convert_certmapdata(certmapdata)
# Check API specific parameters
check_userauthtype(ansible_module, userauthtype)
# Extend email addresses
email = extend_emails(email, default_email_domain)
@@ -1227,6 +1392,34 @@ def main():
msg="The use of certmapdata is not supported by "
"your IPA version")
# Check if SMB attributes are available
if (
any([
smb_logon_script, smb_profile_path, smb_home_dir,
smb_home_drive
])
and not ansible_module.ipa_command_param_exists(
"user_mod", "ipanthomedirectory"
)
):
ansible_module.fail_json(
msg="The use of smb_logon_script, smb_profile_path, "
"smb_profile_path, and smb_home_drive is not supported "
"by your IPA version")
# Check if IdP support is available
require_idp = (
idp is not None
or idp_user_id is not None
or userauthtype == "idp"
)
has_idp_support = ansible_module.ipa_command_param_exists(
"user_add", "ipaidpconfiglink"
)
if require_idp and not has_idp_support:
ansible_module.fail_json(
msg="Your IPA version does not support External IdP.")
# Make sure user exists
res_find = find_user(ansible_module, name)
@@ -1235,12 +1428,16 @@ def main():
# Generate args
args = gen_args(
first, last, fullname, displayname, initials, homedir,
gecos,
shell, email, principalexpiration, passwordexpiration,
password, random, uid, gid, city, userstate, postalcode,
phone, mobile, pager, fax, orgunit, title, carlicense,
sshpubkey, userauthtype, userclass, radius, radiususer,
departmentnumber, employeenumber, employeetype,
preferredlanguage, noprivate, nomembers)
password, random, uid, gid, street, city, userstate,
postalcode, phone, mobile, pager, fax, orgunit, title,
carlicense, sshpubkey, userauthtype, userclass, radius,
radiususer, departmentnumber, employeenumber, employeetype,
preferredlanguage, smb_logon_script, smb_profile_path,
smb_home_dir, smb_home_drive, idp, idp_user_id, noprivate,
nomembers,
)
if action == "user":
# Found the user
@@ -1276,8 +1473,21 @@ def main():
ansible_module.fail_json(
msg="Last name is needed")
smb_attrs = {
k: args[k]
for k in [
"ipanthomedirectory",
"ipanthomedirectorydrive",
"ipantlogonscript",
"ipantprofilepath",
]
if k in args
}
for key in smb_attrs.keys():
del args[key]
commands.append([name, "user_add", args])
if smb_attrs:
commands.append([name, "user_mod", smb_attrs])
# Handle members: principal, manager, certificate and
# certmapdata
if res_find is not None:

2
roles/ipabackup/README.md
View File

@@ -34,7 +34,7 @@ Supported Distributions
* RHEL/CentOS 7.6+
* Fedora 26+
* Ubuntu
* Ubuntu 16.04 and 18.04
Requirements

3
roles/ipaclient/library/ipaclient_api.py
View File

@@ -236,7 +236,8 @@ def main():
except Exception as e:
logger.debug("config_show failed %s", e, exc_info=True)
module.fail_json(
"Failed to retrieve CA certificate subject base: {}".format(e),
"Failed to retrieve CA certificate subject base: "
"{0}".format(e),
rval=CLIENT_INSTALL_ERROR)
else:
subject_base = str(DN(config['ipacertificatesubjectbase'][0]))

6
roles/ipaclient/library/ipaclient_join.py
View File

@@ -241,7 +241,7 @@ def main():
config=krb_name)
except RuntimeError as e:
module.fail_json(
msg="Kerberos authentication failed: {}".format(e))
msg="Kerberos authentication failed: {0}".format(e))
elif keytab:
join_args.append("-f")
@@ -254,10 +254,10 @@ def main():
attempts=kinit_attempts)
except GSSError as e:
module.fail_json(
msg="Kerberos authentication failed: {}".format(e))
msg="Kerberos authentication failed: {0}".format(e))
else:
module.fail_json(
msg="Keytab file could not be found: {}".format(keytab))
msg="Keytab file could not be found: {0}".format(keytab))
elif password:
join_args.append("-w")

10
roles/ipaclient/library/ipaclient_test.py
View File

@@ -432,7 +432,7 @@ def main():
if options.ca_cert_files is not None:
for value in options.ca_cert_files:
if not isinstance(value, list):
raise ValueError("Expected list, got {!r}".format(value))
raise ValueError("Expected list, got {0!r}".format(value))
# this is what init() does
value = value[-1]
if not os.path.exists(value):
@@ -575,13 +575,13 @@ def main():
hostname_source = "Machine's FQDN"
if hostname != hostname.lower():
raise ScriptError(
"Invalid hostname '{}', must be lower-case.".format(hostname),
"Invalid hostname '{0}', must be lower-case.".format(hostname),
rval=CLIENT_INSTALL_ERROR
)
if hostname in ('localhost', 'localhost.localdomain'):
raise ScriptError(
"Invalid hostname, '{}' must not be used.".format(hostname),
"Invalid hostname, '{0}' must not be used.".format(hostname),
rval=CLIENT_INSTALL_ERROR)
if hasattr(constants, "MAXHOSTNAMELEN"):
@@ -589,7 +589,7 @@ def main():
validate_hostname(hostname, maxlen=constants.MAXHOSTNAMELEN)
except ValueError as e:
raise ScriptError(
'invalid hostname: {}'.format(e),
'invalid hostname: {0}'.format(e),
rval=CLIENT_INSTALL_ERROR)
if hasattr(tasks, "is_nosssd_supported"):
@@ -695,7 +695,7 @@ def main():
rval=CLIENT_INSTALL_ERROR)
if ret == ipadiscovery.NOT_FQDN:
raise ScriptError(
"{} is not a fully-qualified hostname".format(hostname),
"{0} is not a fully-qualified hostname".format(hostname),
rval=CLIENT_INSTALL_ERROR)
if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
or not ds.domain:

2
roles/ipareplica/README.md
View File

@@ -28,7 +28,7 @@ Supported Distributions
* RHEL/CentOS 7.6+
* Fedora 26+
* Ubuntu
* Ubuntu 16.04 and 18.04
Requirements

2
roles/ipareplica/library/ipareplica_enable_ipa.py
View File

@@ -171,7 +171,7 @@ def main():
# Print a warning if CA role is only installed on one server
if len(ca_servers) == 1:
msg = u'''
WARNING: The CA service is only installed on one server ({}).
WARNING: The CA service is only installed on one server ({0}).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
'''.format(ca_servers[0])

4
roles/ipareplica/library/ipareplica_prepare.py
View File

@@ -469,7 +469,7 @@ def main():
env._finalize_core(**dict(constants.DEFAULT_CONFIG))
# pylint: disable=no-member
xmlrpc_uri = 'https://{}/ipa/xml'.format(ipautil.format_netloc(env.host))
xmlrpc_uri = 'https://{0}/ipa/xml'.format(ipautil.format_netloc(env.host))
if hasattr(ipaldap, "realm_to_ldapi_uri"):
realm_to_ldapi_uri = ipaldap.realm_to_ldapi_uri
else:
@@ -609,7 +609,7 @@ def main():
ansible_log.debug("-- REMOTE_API --")
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
xmlrpc_uri = 'https://{}/ipa/xml'.format(
xmlrpc_uri = 'https://{0}/ipa/xml'.format(
ipautil.format_netloc(config.master_host_name))
remote_api = create_api(mode=None)
remote_api.bootstrap(in_server=True,

7
roles/ipareplica/library/ipareplica_test.py
View File

@@ -450,7 +450,7 @@ def main():
if installer.ca_cert_files is not None:
if not isinstance(installer.ca_cert_files, list):
ansible_module.fail_json(
msg="Expected list, got {!r}".format(installer.ca_cert_files))
msg="Expected list, got {0!r}".format(installer.ca_cert_files))
for cert in installer.ca_cert_files:
if not os.path.exists(cert):
ansible_module.fail_json(msg="'%s' does not exist" % cert)
@@ -521,6 +521,11 @@ def main():
ansible_module.fail_json(
msg="NTP configuration cannot be updated during promotion")
# host_name an domain_name must be different at this point.
if options.host_name.lower() == options.domain_name.lower():
ansible_module.fail_json(
msg="hostname cannot be the same as the domain name")
# done #
ansible_module.exit_json(

4
roles/ipareplica/module_utils/ansible_ipa_replica.py
View File

@@ -334,7 +334,7 @@ def gen_env_boostrap_finalize_core(etc_ipa, default_config):
def api_bootstrap_finalize(env):
# pylint: disable=no-member
xmlrpc_uri = \
'https://{}/ipa/xml'.format(ipautil.format_netloc(env.host))
'https://{0}/ipa/xml'.format(ipautil.format_netloc(env.host))
api.bootstrap(in_server=True,
context='installer',
confdir=paths.ETC_IPA,
@@ -479,7 +479,7 @@ def ansible_module_get_parsed_ip_addresses(ansible_module,
def gen_remote_api(master_host_name, etc_ipa):
ldapuri = 'ldaps://%s' % ipautil.format_netloc(master_host_name)
xmlrpc_uri = 'https://{}/ipa/xml'.format(
xmlrpc_uri = 'https://{0}/ipa/xml'.format(
ipautil.format_netloc(master_host_name))
remote_api = create_api(mode=None)
remote_api.bootstrap(in_server=True,

4
roles/ipaserver/README.md
View File

@@ -25,7 +25,7 @@ Supported Distributions
* RHEL/CentOS 7.6+
* Fedora 26+
* Ubuntu
* Ubuntu 16.04 and 18.04
Requirements
@@ -179,7 +179,7 @@ ipaserver_domain=example.com
ipaserver_realm=EXAMPLE.COM
ipaadmin_password=MySecretPassword123
ipadm_password=MySecretPassword234
ipaserver_random_serial_number=true
ipaserver_random_serial_numbers=true
```
By setting the variable in the inventory file, the same ipaserver deployment playbook, shown before, can be used.

8
roles/ipaserver/library/ipaserver_test.py
View File

@@ -211,6 +211,7 @@ options:
random_serial_numbers:
description: The installer random_serial_numbers setting
type: bool
default: no
required: no
allow_zone_overlap:
description: Create DNS zone even if it already exists
@@ -1054,6 +1055,11 @@ def main():
domain_name = domain_name.lower()
# Both host_name and domain_name are lowercase at this point.
if host_name == domain_name:
ansible_module.fail_json(
msg="hostname cannot be the same as the domain name")
if not options.realm_name:
realm_name = domain_name.upper()
else:
@@ -1067,7 +1073,7 @@ def main():
try:
validate_domain_name(realm_name, entity="realm")
except ValueError as e:
raise ScriptError("Invalid realm name: {}".format(unicode(e)))
raise ScriptError("Invalid realm name: {0}".format(unicode(e)))
if not options.setup_adtrust:
# If domain name and realm does not match, IPA server will not be able

1
setup.cfg
View File

@@ -60,6 +60,7 @@ disable =
[pylint.BASIC]
good-names =
ex, i, j, k, Run, _, e, x, dn, cn, ip, os, unicode, __metaclass__, ds,
dt, ca,
# These are utils tools, and not part of the released collection.
galaxyfy-playbook, galaxyfy-README, galaxyfy-module-EXAMPLES,
module_EXAMPLES

2
tests/README.md
View File

@@ -105,7 +105,7 @@ It's also possible to run the tests in a container.
Before setting up a container you will need to install molecule framework:
```
pip install molecule[docker]>=3
pip install molecule-plugins[docker]
```
Now you can start a test container using the following command:

143
tests/automount/test_automountmap_indirect.yml Normal file
View File

@@ -0,0 +1,143 @@
---
- name: Test automountmap
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: no
gather_facts: no
tasks:
# setup environment
- name: Ensure test maps are absent
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name:
- DirectMap
- IndirectMap
- IndirectMapDefault
- IndirectMapDefaultAbsolute
state: absent
- name: Ensure test location is present
ipaautomountlocation:
ipaadmin_password: SomeADMINpassword
name: TestIndirect
- name: Ensure parent map is present
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: DirectMap
# TESTS
- name: Mount point cannot start with '/' if parentmap is not 'auto.master'
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMap
parentmap: DirectMap
mount: '/absolute/path/will/fail'
register: result
failed_when: not result.failed or 'mount point is relative to parent map' not in result.msg
- name: Ensure indirect map is present
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMap
parentmap: DirectMap
mount: indirect
register: result
failed_when: result.failed or not result.changed
- name: Ensure indirect map is present, again
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMap
parentmap: DirectMap
mount: indirect
register: result
failed_when: result.failed or result.changed
- name: Ensure indirect map is absent
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMap
state: absent
register: result
failed_when: result.failed or not result.changed
- name: Ensure indirect map is absent, again
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMap
state: absent
register: result
failed_when: result.failed or result.changed
- name: Ensure indirect map is present, after being deleted
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMap
parentmap: DirectMap
mount: indirect
register: result
failed_when: result.failed or not result.changed
- name: Ensure indirect map is present, after being deleted, again
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMap
parentmap: DirectMap
mount: indirect
register: result
failed_when: result.failed or result.changed
- name: Ensure indirect map is present with default parent (auto.master)
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMapDefault
mount: indirect_with_default
register: result
failed_when: result.failed or not result.changed
- name: Ensure indirect map is present with default parent (auto.master), again
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMapDefault
mount: indirect_with_default
register: result
failed_when: result.failed or result.changed
- name: Absolute paths must workd with 'auto.master'
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name: IndirectMapDefaultAbsolute
mount: /valid/path/indirect_with_default
register: result
failed_when: result.failed or not result.changed
# Cleanup
- name: Ensure test maps are absent
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
location: TestIndirect
name:
- DirectMap
- IndirectMap
- IndirectMapDefault
- IndirectMapDefaultAbsolute
state: absent
- name: Ensure test location is absent
ipaautomountlocation:
ipaadmin_password: SomeADMINpassword
name: TestIndirect
state: absent

10
tests/azure/azure-pipelines.yml
View File

@@ -27,7 +27,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-latest
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"
# Galaxy on Fedora
@@ -38,7 +38,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-latest
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"
# CentOS 9 Stream
@@ -49,7 +49,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: c9s
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"
# CentOS 8 Stream
@@ -60,7 +60,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: c8s
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"
# CentOS 7
@@ -71,4 +71,4 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: centos-7
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"

108
tests/azure/nightly.yml
View File

@@ -16,15 +16,6 @@ stages:
# Fedora
- stage: FedoraLatest_Ansible_Core_2_12
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-latest
ansible_version: "-core >=2.12,<2.13"
- stage: FedoraLatest_Ansible_Core_2_13
dependsOn: []
jobs:
@@ -43,6 +34,15 @@ stages:
scenario: fedora-latest
ansible_version: "-core >=2.14,<2.15"
- stage: FedoraLatest_Ansible_Core_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-latest
ansible_version: "-core >=2.15,<2.16"
- stage: FedoraLatest_Ansible_latest
dependsOn: []
jobs:
@@ -54,15 +54,6 @@ stages:
# Galaxy on Fedora
- stage: Galaxy_FedoraLatest_Ansible_Core_2_12
dependsOn: []
jobs:
- template: templates/galaxy_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-latest
ansible_version: "-core >=2.12,<2.13"
- stage: Galaxy_FedoraLatest_Ansible_Core_2_13
dependsOn: []
jobs:
@@ -81,6 +72,15 @@ stages:
scenario: fedora-latest
ansible_version: "-core >=2.14,<2.15"
- stage: Galaxy_FedoraLatest_Ansible_Core_2_15
dependsOn: []
jobs:
- template: templates/galaxy_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-latest
ansible_version: "-core >=2.15,<2.16"
- stage: Galaxy_FedoraLatest_Ansible_latest
dependsOn: []
jobs:
@@ -92,15 +92,6 @@ stages:
# Fedora Rawhide
- stage: FedoraRawhide_Ansible_Core_2_12
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-rawhide
ansible_version: "-core >=2.12,<2.13"
- stage: FedoraRawhide_Ansible_Core_2_13
dependsOn: []
jobs:
@@ -119,6 +110,15 @@ stages:
scenario: fedora-rawhide
ansible_version: "-core >=2.14,<2.15"
- stage: FedoraRawhide_Ansible_Core_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-rawhide
ansible_version: "-core >=2.15,<2.16"
- stage: FedoraRawhide_Ansible_latest
dependsOn: []
jobs:
@@ -130,15 +130,6 @@ stages:
# CentoOS 9 Stream
- stage: c9s_Ansible_Core_2_12
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: c9s
ansible_version: "-core >=2.12,<2.13"
- stage: c9s_Ansible_Core_2_13
dependsOn: []
jobs:
@@ -157,6 +148,15 @@ stages:
scenario: c9s
ansible_version: "-core >=2.14,<2.15"
- stage: c9s_Ansible_Core_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: c9s
ansible_version: "-core >=2.15,<2.16"
- stage: c9s_Ansible_latest
dependsOn: []
jobs:
@@ -168,15 +168,6 @@ stages:
# CentOS 8 Stream
- stage: c8s_Ansible_Core_2_12
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: c8s
ansible_version: "-core >=2.12,<2.13"
- stage: c8s_Ansible_Core_2_13
dependsOn: []
jobs:
@@ -195,6 +186,15 @@ stages:
scenario: c8s
ansible_version: "-core >=2.14,<2.15"
- stage: c8s_Ansible_Core_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: c8s
ansible_version: "-core >=2.15,<2.16"
- stage: c8s_Ansible_latest
dependsOn: []
jobs:
@@ -206,15 +206,6 @@ stages:
# CentOS 7
- stage: CentOS7_Ansible_Core_2_12
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: centos-7
ansible_version: "-core >=2.12,<2.13"
- stage: CentOS7_Ansible_Core_2_13
dependsOn: []
jobs:
@@ -233,6 +224,15 @@ stages:
scenario: centos-7
ansible_version: "-core >=2.14,<2.15"
- stage: CentOS7_Ansible_Core_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
scenario: centos-7
ansible_version: "-core >=2.15,<2.16"
- stage: CentOS7_Ansible_latest
dependsOn: []
jobs:

12
tests/azure/pr-pipeline.yml
View File

@@ -16,7 +16,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-latest
ansible_version: "-core >=2.12,<2.13"
ansible_version: "-core >=2.14,<2.15"
# Galaxy on Fedora
@@ -27,7 +27,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-latest
ansible_version: "-core >=2.12,<2.13"
ansible_version: "-core >=2.14,<2.15"
# CentOS 9 Stream
@@ -38,7 +38,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: c9s
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"
# CentOS 8 Stream
@@ -49,7 +49,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: c8s
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"
# CentOS 7
@@ -60,7 +60,7 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: centos-7
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"
# Rawhide
@@ -71,4 +71,4 @@ stages:
parameters:
build_number: $(Build.BuildNumber)
scenario: fedora-rawhide
ansible_version: "-core >=2.13,<2.14"
ansible_version: "-core >=2.14,<2.15"

2
tests/azure/templates/build_container.yml
View File

@@ -22,7 +22,7 @@ jobs:
retryCountOnTaskFailure: 5
displayName: Install tools
- script: pip install molecule[docker]
- script: pip install molecule-plugins[docker] "requests<2.29"
retryCountOnTaskFailure: 5
displayName: Install molecule

4
tests/azure/templates/galaxy_pytest_script.yml
View File

@@ -23,7 +23,8 @@ jobs:
- script: |
pip install \
"molecule[docker]>=3" \
"molecule-plugins[docker]" \
"requests<2.29" \
"ansible${{ parameters.ansible_version }}"
retryCountOnTaskFailure: 5
displayName: Install molecule and Ansible
@@ -55,6 +56,7 @@ jobs:
env:
IPA_SERVER_HOST: ${{ parameters.scenario }}
RUN_TESTS_IN_DOCKER: true
IPA_VERBOSITY: "-vvv"
- task: PublishTestResults@2
inputs:

4
tests/azure/templates/galaxy_script.yml
View File

@@ -33,7 +33,8 @@ jobs:
- script: |
pip install \
"molecule[docker]>=3" \
"molecule-plugins[docker]" \
"requests<2.29" \
"ansible${{ parameters.ansible_version }}"
retryCountOnTaskFailure: 5
displayName: Install molecule and Ansible
@@ -75,6 +76,7 @@ jobs:
IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
IPA_VERBOSITY: "-vvv"
- task: PublishTestResults@2
inputs:

11
tests/azure/templates/galaxy_tests.yml
View File

@@ -34,8 +34,9 @@ jobs:
scenario: ${{ parameters.scenario }}
ansible_version: ${{ parameters.ansible_version }}
- template: galaxy_pytest_script.yml
parameters:
build_number: ${{ parameters.build_number }}
scenario: ${{ parameters.scenario }}
ansible_version: ${{ parameters.ansible_version }}
# Temporarily disable due to issues with ansible docker plugin.
#- template: galaxy_pytest_script.yml
# parameters:
# build_number: ${{ parameters.build_number }}
# scenario: ${{ parameters.scenario }}
# ansible_version: ${{ parameters.ansible_version }}

11
tests/azure/templates/group_tests.yml
View File

@@ -34,8 +34,9 @@ jobs:
scenario: ${{ parameters.scenario }}
ansible_version: ${{ parameters.ansible_version }}
- template: pytest_tests.yml
parameters:
build_number: ${{ parameters.build_number }}
scenario: ${{ parameters.scenario }}
ansible_version: ${{ parameters.ansible_version }}
# Temporarily disabled due to ansible docker plugin issue.
#- template: pytest_tests.yml
# parameters:
# build_number: ${{ parameters.build_number }}
# scenario: ${{ parameters.scenario }}
# ansible_version: ${{ parameters.ansible_version }}

4
tests/azure/templates/playbook_fast.yml
View File

@@ -32,7 +32,8 @@ jobs:
- script: |
pip install \
"molecule[docker]>=3" \
"molecule-plugins[docker]" \
"requests<2.29" \
"ansible${{ parameters.ansible_version }}"
retryCountOnTaskFailure: 5
displayName: Install molecule and Ansible
@@ -81,6 +82,7 @@ jobs:
RUN_TESTS_IN_DOCKER: true
IPA_DISABLED_MODULES: ${{ variables.ipa_disabled_modules }}
IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
IPA_VERBOSITY: "-vvv"
- task: PublishTestResults@2
inputs:

4
tests/azure/templates/playbook_tests.yml
View File

@@ -32,7 +32,8 @@ jobs:
- script: |
pip install \
"molecule[docker]>=3" \
"molecule-plugins[docker]" \
"requests<2.29" \
"ansible${{ parameters.ansible_version }}"
retryCountOnTaskFailure: 5
displayName: Install molecule and Ansible
@@ -77,6 +78,7 @@ jobs:
IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
IPA_VERBOSITY: "-vvv"
- task: PublishTestResults@2
inputs:

4
tests/azure/templates/pytest_tests.yml
View File

@@ -26,7 +26,8 @@ jobs:
- script: |
pip install \
"molecule[docker]>=3" \
"molecule-plugins[docker]" \
"requests<2.29" \
"ansible${{ parameters.ansible_version }}"
retryCountOnTaskFailure: 5
displayName: Install molecule and Ansible
@@ -65,6 +66,7 @@ jobs:
IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
IPA_VERBOSITY: "-vvv"
- task: PublishTestResults@2
inputs:

60
tests/cert/test_cert_client_context.yml Normal file
View File

@@ -0,0 +1,60 @@
---
- name: Test cert
hosts: ipaclients, ipaserver
become: false
gather_facts: false
module_defaults:
ipacert:
ipaadmin_password: SomeADMINpassword
ipaapi_contetx: "{{ ipa_context | default(omit) }}"
tasks:
- name: Include FreeIPA facts.
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
# Test will only be executed if host is not a server.
- name: Execute with server context in the client.
ipacert:
ipaapi_context: server
name: ThisShouldNotWork
register: result
failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
when: ipa_host_is_client
# Import basic module tests, and execute with ipa_context set to 'client'.
# If ipaclients is set, it will be executed using the client, if not,
# ipaserver will be used.
#
# With this setup, tests can be executed against an IPA client, against
# an IPA server using "client" context, and ensure that tests are executed
# in upstream CI.
- name: Test host certs using client context, in client host.
ansible.builtin.import_playbook: test_cert_host.yml
when: groups['ipaclients']
vars:
ipa_test_host: ipaclients
- name: Test service certs using client context, in client host.
ansible.builtin.import_playbook: test_cert_service.yml
when: groups['ipaclients']
vars:
ipa_test_host: ipaclients
- name: Test user certs using client context, in client host.
ansible.builtin.import_playbook: test_cert_user.yml
when: groups['ipaclients']
vars:
ipa_test_host: ipaclients
- name: Test host certs using client context, in server host.
ansible.builtin.import_playbook: test_cert_host.yml
when: groups['ipaclients'] is not defined or not groups['ipaclients']
- name: Test service certs using client context, in server host.
ansible.builtin.import_playbook: test_cert_service.yml
when: groups['ipaclients'] is not defined or not groups['ipaclients']
- name: Test user certs using client context, in server host.
ansible.builtin.import_playbook: test_cert_user.yml
when: groups['ipaclients'] is not defined or not groups['ipaclients']

214
tests/cert/test_cert_host.yml Normal file
View File

@@ -0,0 +1,214 @@
---
- name: Test host certificate requests
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: false
gather_facts: false
module_defaults:
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipacert:
ipaadmin_password: SomeADMINpassword
# ipacert only supports client context
ipaapi_context: "client"
tasks:
# SETUP
- name: Ensure test files do not exist
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
- "/root/retrieved.pem"
- "/root/cert_1.pem"
- "/root/host.csr"
# Ensure test items exist
- name: Ensure domain name is set
ansible.builtin.set_fact:
ipa_domain: ipa.test
when: ipa_domain is not defined
- name: Ensure test host exists
ipahost:
name: "certhost.{{ ipa_domain }}"
state: present
force: true
- name: Create CSR
ansible.builtin.shell:
cmd: "openssl req -newkey rsa:1024 -keyout /dev/null -nodes -subj /CN=certhost.{{ ipa_domain }}"
register: host_req
- name: Create CSR file
ansible.builtin.copy:
dest: "/root/host.csr"
content: "{{ host_req.stdout }}"
mode: 0644
# TESTS
- name: Request certificate for host
ipacert:
csr: '{{ host_req.stdout }}'
principal: "host/certhost.{{ ipa_domain }}"
state: requested
register: host_cert
failed_when: not host_cert.changed or host_cert.failed
- name: Display data from the requested certificate.
ansible.builtin.debug:
var: host_cert
- name: Retrieve certificate for host
ipacert:
serial_number: "{{ host_cert.certificate.serial_number }}"
state: retrieved
register: retrieved
failed_when: retrieved.certificate.serial_number != host_cert.certificate.serial_number
- name: Display data from the retrieved certificate.
ansible.builtin.debug:
var: retrieved
- name: Place certificate on hold
ipacert:
serial_number: '{{ host_cert.certificate.serial_number }}'
state: held
register: result
failed_when: not result.changed or result.failed
- name: Place certificate on hold, again
ipacert:
serial_number: '{{ host_cert.certificate.serial_number }}'
state: held
register: result
failed_when: result.changed or result.failed
- name: Release hold on certificate
ipacert:
serial_number: '{{ host_cert.certificate.serial_number }}'
state: released
register: result
failed_when: not result.changed or result.failed
- name: Release hold on certificate, again
ipacert:
serial_number: '{{ host_cert.certificate.serial_number }}'
state: released
register: result
failed_when: result.changed or result.failed
- name: Revoke certificate
ipacert:
serial_number: '{{ host_cert.certificate.serial_number }}'
state: revoked
reason: keyCompromise
register: result
failed_when: not result.changed or result.failed
- name: Revoke certificate, again
ipacert:
serial_number: '{{ host_cert.certificate.serial_number }}'
state: revoked
reason: keyCompromise
register: result
failed_when: result.changed or result.failed
- name: Try to revoke inexistent certificate
ipacert:
serial_number: 0x123456789
reason: 9
state: revoked
register: result
failed_when: not (result.failed and ("Request failed with status 404" in result.msg or "Certificate serial number 0x123456789 not found" in result.msg))
- name: Try to release revoked certificate
ipacert:
serial_number: '{{ host_cert.certificate.serial_number }}'
state: released
register: result
failed_when: not result.failed or "Cannot release hold on certificate revoked with reason" not in result.msg
- name: Request certificate for host and save to file
ipacert:
csr: '{{ host_req.stdout }}'
principal: "host/certhost.{{ ipa_domain }}"
certificate_out: "/root/cert_1.pem"
state: requested
register: result
failed_when: not result.changed or result.failed or result.certificate
- name: Check requested certificate file
ansible.builtin.file:
path: "/root/cert_1.pem"
check_mode: true
register: result
failed_when: result.changed or result.failed
- name: Retrieve certificate for host to a file
ipacert:
serial_number: "{{ host_cert.certificate.serial_number }}"
certificate_out: "/root/retrieved.pem"
state: retrieved
register: result
failed_when: result.changed or result.failed or result.certificate
- name: Check retrieved certificate file
ansible.builtin.file:
path: "/root/retrieved.pem"
check_mode: true
register: result
failed_when: result.changed or result.failed
- name: Request with invalid CSR.
ipacert:
csr: |
-----BEGIN CERTIFICATE REQUEST-----
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
-----END CERTIFICATE REQUEST-----
principal: "host/certhost.{{ ipa_domain }}"
state: requested
register: result
failed_when: not (result.failed and "Failure decoding Certificate Signing Request" in result.msg)
- name: Request certificate using a file
ipacert:
csr_file: "/root/host.csr"
principal: "host/certhost.{{ ipa_domain }}"
state: requested
register: result
failed_when: not result.changed or result.failed
- name: Request certificate using an invalid profile
ipacert:
csr_file: "/root/host.csr"
principal: "host/certhost.{{ ipa_domain }}"
profile: invalid_profile
state: requested
register: result
failed_when: not (result.failed and "Request failed with status 400" in result.msg)
# CLEANUP TEST ITEMS
- name: Removet test host
ipahost:
name: "certhost.{{ ipa_domain }}"
state: absent
- name: Ensure test files do not exist
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
- "/root/retrieved.pem"
- "/root/cert_1.pem"
- "/root/host.csr"

232
tests/cert/test_cert_service.yml Normal file
View File

@@ -0,0 +1,232 @@
---
- name: Test service certificate requests
hosts: "{{ ipa_test_host | default('ipaserver') }}"
# Change "become" or "gather_facts" to "yes",
# if you test playbook requires any.
become: false
gather_facts: false
module_defaults:
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipacert:
ipaadmin_password: SomeADMINpassword
# ipacert only supports client context
ipaapi_context: "client"
tasks:
# SETUP
- name: Ensure test files do not exist
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
- "/root/retrieved.pem"
- "/root/cert_1.pem"
- "/root/service.csr"
# Ensure test items exist
- name: Ensure domain name is set
ansible.builtin.set_fact:
ipa_domain: ipa.test
when: ipa_domain is not defined
- name: Ensure test host exist
ipahost:
name: "certservice.{{ ipa_domain }}"
force: true
state: present
- name: Ensure service exist
ipaservice:
name: "HTTP/certservice.{{ ipa_domain }}"
force: true
state: present
- name: Create signing request for certificate
ansible.builtin.shell:
cmd: "openssl req -newkey rsa:1024 -keyout /dev/null -nodes -subj /CN=certservice.{{ ipa_domain }}"
register: service_req
- name: Create CSR file
ansible.builtin.copy:
dest: "/root/service.csr"
content: "{{ service_req.stdout }}"
mode: '0644'
# TESTS
- name: Request certificate for service
ipacert:
csr: '{{ service_req.stdout }}'
principal: "HTTP/certservice.{{ ipa_domain }}"
add_principal: true
state: requested
register: service_cert
failed_when: not service_cert.changed or service_cert.failed
- name: Display data from the requested certificate.
ansible.builtin.debug:
var: service_cert
- name: Retrieve certificate for service
ipacert:
serial_number: "{{ service_cert.certificate.serial_number }}"
state: retrieved
register: retrieved
failed_when: retrieved.certificate.serial_number != service_cert.certificate.serial_number
- name: Display data from the retrieved certificate.
ansible.builtin.debug:
var: retrieved
- name: Place certificate on hold
ipacert:
serial_number: '{{ service_cert.certificate.serial_number }}'
state: held
register: result
failed_when: not result.changed or result.failed
- name: Place certificate on hold, again
ipacert:
serial_number: '{{ service_cert.certificate.serial_number }}'
state: held
register: result
failed_when: result.changed or result.failed
- name: Release hold on certificate
ipacert:
serial_number: '{{ service_cert.certificate.serial_number }}'
state: released
register: result
failed_when: not result.changed or result.failed
- name: Release hold on certificate, again
ipacert:
serial_number: '{{ service_cert.certificate.serial_number }}'
state: released
register: result
failed_when: result.changed or result.failed
- name: Revoke certificate
ipacert:
serial_number: '{{ service_cert.certificate.serial_number }}'
state: revoked
reason: keyCompromise
register: result
failed_when: not result.changed or result.failed
- name: Revoke certificate, again
ipacert:
serial_number: '{{ service_cert.certificate.serial_number }}'
state: revoked
reason: keyCompromise
register: result
failed_when: result.changed or result.failed
- name: Try to revoke inexistent certificate
ipacert:
serial_number: 0x123456789
reason: 9
state: revoked
register: result
failed_when: not (result.failed and ("Request failed with status 404" in result.msg or "Certificate serial number 0x123456789 not found" in result.msg))
- name: Try to release revoked certificate
ipacert:
serial_number: '{{ service_cert.certificate.serial_number }}'
state: released
register: result
failed_when: not result.failed or "Cannot release hold on certificate revoked with reason" not in result.msg
- name: Request certificate for service and save to file
ipacert:
csr: '{{ service_req.stdout }}'
principal: "HTTP/certservice.{{ ipa_domain }}"
add_principal: true
certificate_out: "/root/cert_1.pem"
state: requested
register: result
failed_when: not result.changed or result.failed or result.certificate
- name: Check requested certificate file
ansible.builtin.file:
path: "/root/cert_1.pem"
check_mode: true
register: result
failed_when: result.changed or result.failed
- name: Retrieve certificate for service to a file
ipacert:
serial_number: "{{ service_cert.certificate.serial_number }}"
certificate_out: "/root/retrieved.pem"
state: retrieved
register: result
failed_when: result.changed or result.failed or result.certificate
- name: Check retrieved certificate file
ansible.builtin.file:
path: "/root/retrieved.pem"
check_mode: true
register: result
failed_when: result.changed or result.failed
- name: Request with invalid CSR.
ipacert:
csr: |
-----BEGIN CERTIFICATE REQUEST-----
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
-----END CERTIFICATE REQUEST-----
principal: "HTTP/certservice.{{ ipa_domain }}"
state: requested
register: result
failed_when: not (result.failed and "Failure decoding Certificate Signing Request" in result.msg)
- name: Request certificate using a file
ipacert:
csr_file: "/root/service.csr"
principal: "HTTP/certservice.{{ ipa_domain }}"
state: requested
register: result
failed_when: not result.changed or result.failed
- name: Request certificate using an invalid profile
ipacert:
csr_file: "/root/service.csr"
principal: "HTTP/certservice.{{ ipa_domain }}"
profile: invalid_profile
state: requested
register: result
failed_when: not (result.failed and "Request failed with status 400" in result.msg)
# CLEANUP TEST ITEMS
- name: Remove test service
ipaservice:
name: "HTTP/certservice.{{ ipa_domain }}"
state: absent
continue: true
- name: Remove test host
ipahost:
name: certservice.example.com
state: absent
- name: Ensure test files do not exist
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
- "/root/retrieved.pem"
- "/root/cert_1.pem"
- "/root/service.csr"

213
tests/cert/test_cert_user.yml Normal file
View File

@@ -0,0 +1,213 @@
---
- name: Test user certificate requests
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: false
gather_facts: false
module_defaults:
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipacert:
ipaadmin_password: SomeADMINpassword
# ipacert only supports client context
ipaapi_context: "client"
tasks:
# Ensure test files do not exist
- name: Check retrieved certificate file
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
- "/root/retrieved.pem"
- "/root/cert_1.pem"
- "/root/user.csr"
# Ensure test items exist.
- name: Ensure test user exists
ipauser:
name: certuser
first: certificate
last: user
- name: Crete CSR
ansible.builtin.shell:
cmd:
'openssl req -newkey rsa:1024 -keyout /dev/null -nodes -subj /CN=certuser -reqexts IECUserRoles
-config <(cat /etc/pki/tls/openssl.cnf; printf "[IECUserRoles]\n1.2.840.10070.8.1=ASN1:UTF8String:hello world")'
executable: /bin/bash
register: user_req
- name: Create CSR file
ansible.builtin.copy:
dest: "/root/user.csr"
content: "{{ user_req.stdout }}"
mode: 0644
# TESTS
- name: Request certificate for user
ipacert:
csr: '{{ user_req.stdout }}'
principal: certuser
profile: IECUserRoles
state: requested
register: user_cert
failed_when: not user_cert.changed or user_cert.failed
- name: Display data from the requested certificate.
ansible.builtin.debug:
var: user_cert
- name: Retrieve certificate for user
ipacert:
serial_number: "{{ user_cert.certificate.serial_number }}"
state: retrieved
register: retrieved
failed_when: retrieved.certificate.serial_number != user_cert.certificate.serial_number
- name: Display data from the retrieved certificate.
ansible.builtin.debug:
var: retrieved
- name: Place certificate on hold
ipacert:
serial_number: '{{ user_cert.certificate.serial_number }}'
state: held
register: result
failed_when: not result.changed or result.failed
- name: Place certificate on hold, again
ipacert:
serial_number: '{{ user_cert.certificate.serial_number }}'
state: held
register: result
failed_when: result.changed or result.failed
- name: Release hold on certificate
ipacert:
serial_number: '{{ user_cert.certificate.serial_number }}'
state: released
register: result
failed_when: not result.changed or result.failed
- name: Release hold on certificate, again
ipacert:
serial_number: '{{ user_cert.certificate.serial_number }}'
state: released
register: result
failed_when: result.changed or result.failed
- name: Revoke certificate
ipacert:
serial_number: '{{ user_cert.certificate.serial_number }}'
state: revoked
reason: keyCompromise
register: result
failed_when: not result.changed or result.failed
- name: Revoke certificate, again
ipacert:
serial_number: '{{ user_cert.certificate.serial_number }}'
state: revoked
reason: keyCompromise
register: result
failed_when: result.changed or result.failed
- name: Try to revoke inexistent certificate
ipacert:
serial_number: 0x123456789
reason: 9
state: revoked
register: result
failed_when: not (result.failed and ("Request failed with status 404" in result.msg or "Certificate serial number 0x123456789 not found" in result.msg))
- name: Try to release revoked certificate
ipacert:
serial_number: '{{ user_cert.certificate.serial_number }}'
state: released
register: result
failed_when: not result.failed or "Cannot release hold on certificate revoked with reason" not in result.msg
- name: Request certificate for user and save to file
ipacert:
csr: '{{ user_req.stdout }}'
principal: certuser
profile: IECUserRoles
certificate_out: "/root/cert_1.pem"
state: requested
register: result
failed_when: not result.changed or result.failed or result.certificate
- name: Check requested certificate file
ansible.builtin.file:
path: "/root/cert_1.pem"
check_mode: true
register: result
failed_when: result.changed or result.failed
- name: Retrieve certificate for user to a file
ipacert:
serial_number: "{{ user_cert.certificate.serial_number }}"
certificate_out: "/root/retrieved.pem"
state: retrieved
register: result
failed_when: result.changed or result.failed or result.certificate
- name: Check retrieved certificate file
ansible.builtin.file:
path: "/root/retrieved.pem"
check_mode: true
register: result
failed_when: result.changed or result.failed
- name: Request with invalid CSR.
ipacert:
csr: |
-----BEGIN CERTIFICATE REQUEST-----
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
-----END CERTIFICATE REQUEST-----
principal: certuser
state: requested
register: result
failed_when: not (result.failed and "Failure decoding Certificate Signing Request" in result.msg)
- name: Request certificate using a file
ipacert:
csr_file: "/root/user.csr"
principal: certuser
state: requested
register: result
failed_when: not result.changed or result.failed
- name: Request certificate using an invalid profile
ipacert:
csr_file: "/root/user.csr"
principal: certuser
profile: invalid_profile
state: requested
register: result
failed_when: not (result.failed and "Request failed with status 400" in result.msg)
# CLEANUP TEST ITEMS
- name: Remove test user
ipauser:
name: certuser
state: absent
- name: Check retrieved certificate file
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
- "/root/retrieved.pem"
- "/root/cert_1.pem"
- "/root/user.csr"

2
tests/external-signed-ca-with-automatic-copy/external-ca.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
master=$1
if [ -z "$master" ]; then

2
tests/group/groups.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
NUM=${1-1000}
FILE="groups.json"

6
tests/pwpolicy/test_pwpolicy.yml
View File

@@ -223,7 +223,7 @@
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
maxrepeat: 4
maxsequence: 4
register: result
failed_when: not result.changed or result.failed
@@ -231,7 +231,7 @@
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
maxrepeat: 4
maxsequence: 4
register: result
failed_when: result.changed or result.failed
@@ -239,7 +239,7 @@
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
maxrepeat: 0
maxsequence: 0
register: result
failed_when: not result.changed or result.failed

4
tests/pwpolicy/test_pwpolicy_invalid_data_type.yml
View File

@@ -103,7 +103,7 @@
name: ops
dictcheck: "error"
register: result
failed_when: result.changed or (result.failed and "Invalid value 'error' for argument 'dictcheck" not in result.msg)
failed_when: result.changed or (result.failed and "is not a valid boolean" not in result.msg)
when: ipa_version is version("4.9", ">=")
- name: Ensure invalid values for usercheck raise proper error.
@@ -113,7 +113,7 @@
name: ops
usercheck: "error"
register: result
failed_when: result.changed or (result.failed and "Invalid value 'error' for argument 'usercheck'" not in result.msg)
failed_when: result.changed or (result.failed and "is not a valid boolean" not in result.msg)
when: ipa_version is version("4.9", ">=")
- name: Ensure invalid values for gracelimit raise proper error.

2
tests/pytests/conftest.py
View File

@@ -40,7 +40,7 @@ def pytest_configure(config):
if os.path.exists(config_dir):
inventory_path = os.path.join(config_dir, "test.inventory.yml")
inventory = get_inventory(inventory_path)
print("Configuring execution using {}".format(inventory_path))
print("Configuring execution using {0}".format(inventory_path))
ipaservers = inventory["all"]["children"]["ipaserver"]["hosts"]
ipaserver = list(ipaservers.values())[0]
private_key = os.path.join(config_dir, "id_rsa")

55
tests/sanity/ignore-2.12.txt
View File

@@ -1,55 +0,0 @@
plugins/module_utils/ansible_freeipa_module.py compile-2.6!skip
plugins/module_utils/ansible_freeipa_module.py import-2.6!skip
plugins/module_utils/ansible_freeipa_module.py pylint:ansible-bad-function
plugins/modules/ipaclient_get_facts.py compile-2.6!skip
plugins/modules/ipaclient_get_facts.py import-2.6!skip
plugins/modules/ipaclient_api.py pylint:ansible-format-automatic-specification
plugins/modules/ipaclient_join.py pylint:ansible-format-automatic-specification
plugins/modules/ipaclient_test.py pylint:ansible-format-automatic-specification
plugins/modules/ipaconfig.py compile-2.6!skip
plugins/modules/ipaconfig.py import-2.6!skip
plugins/modules/ipadnsrecord.py compile-2.6!skip
plugins/modules/ipadnsrecord.py import-2.6!skip
plugins/modules/ipadnsrecord.py pylint:ansible-format-automatic-specification
plugins/modules/ipadnsrecord.py pylint:use-maxsplit-arg
plugins/modules/ipareplica_enable_ipa.py pylint:ansible-format-automatic-specification
plugins/modules/ipareplica_prepare.py pylint:ansible-format-automatic-specification
plugins/modules/ipareplica_test.py pylint:ansible-format-automatic-specification
plugins/modules/iparole.py compile-2.6!skip
plugins/modules/iparole.py import-2.6!skip
plugins/modules/ipaserver_setup_ca.py compile-2.6!skip
plugins/modules/ipaserver_setup_ca.py import-2.6!skip
plugins/modules/ipaserver_test.py pylint:ansible-format-automatic-specification
plugins/modules/ipaservice.py compile-2.6!skip
plugins/modules/ipaservice.py import-2.6!skip
plugins/modules/ipasudorule.py compile-2.6!skip
plugins/modules/ipasudorule.py import-2.6!skip
plugins/modules/ipavault.py compile-2.6!skip
plugins/modules/ipavault.py import-2.6!skip
roles/ipaclient/library/ipaclient_api.py pylint:ansible-format-automatic-specification
roles/ipaclient/library/ipaclient_join.py pylint:ansible-format-automatic-specification
roles/ipaclient/library/ipaclient_test.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_enable_ipa.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_prepare.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_test.py pylint:ansible-format-automatic-specification
roles/ipaserver/library/ipaserver_test.py pylint:ansible-format-automatic-specification
roles/ipareplica/module_utils/ansible_ipa_replica.py pylint:ansible-format-automatic-specification
tests/external-signed-ca-with-automatic-copy/external-ca.sh shebang!skip
tests/pytests/conftest.py pylint:ansible-format-automatic-specification
tests/sanity/sanity.sh shebang!skip
tests/user/users.sh shebang!skip
tests/user/users_absent.sh shebang!skip
tests/group/groups.sh shebang!skip
tests/utils.py pylint:ansible-format-automatic-specification
utils/ansible-doc-test shebang!skip
utils/build-galaxy-release.sh shebang!skip
utils/build-srpm.sh shebang!skip
utils/changelog shebang!skip
utils/check_test_configuration.py shebang!skip
utils/galaxyfy-README.py shebang!skip
utils/galaxyfy-module-EXAMPLES.py shebang!skip
utils/galaxyfy-playbook.py shebang!skip
utils/galaxyfy.py shebang!skip
utils/gen_modules_docs.sh shebang!skip
utils/lint_check.sh shebang!skip
utils/new_module shebang!skip

37
tests/sanity/ignore-2.13.txt
View File

@@ -1,37 +0,0 @@
plugins/module_utils/ansible_freeipa_module.py pylint:ansible-bad-function
plugins/modules/ipaclient_api.py pylint:ansible-format-automatic-specification
plugins/modules/ipaclient_join.py pylint:ansible-format-automatic-specification
plugins/modules/ipaclient_test.py pylint:ansible-format-automatic-specification
plugins/modules/ipadnsrecord.py pylint:ansible-format-automatic-specification
plugins/modules/ipadnsrecord.py pylint:use-maxsplit-arg
plugins/modules/ipareplica_enable_ipa.py pylint:ansible-format-automatic-specification
plugins/modules/ipareplica_prepare.py pylint:ansible-format-automatic-specification
plugins/modules/ipareplica_test.py pylint:ansible-format-automatic-specification
plugins/modules/ipaserver_test.py pylint:ansible-format-automatic-specification
roles/ipaclient/library/ipaclient_api.py pylint:ansible-format-automatic-specification
roles/ipaclient/library/ipaclient_join.py pylint:ansible-format-automatic-specification
roles/ipaclient/library/ipaclient_test.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_enable_ipa.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_prepare.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_test.py pylint:ansible-format-automatic-specification
roles/ipaserver/library/ipaserver_test.py pylint:ansible-format-automatic-specification
roles/ipareplica/module_utils/ansible_ipa_replica.py pylint:ansible-format-automatic-specification
tests/external-signed-ca-with-automatic-copy/external-ca.sh shebang!skip
tests/pytests/conftest.py pylint:ansible-format-automatic-specification
tests/sanity/sanity.sh shebang!skip
tests/user/users.sh shebang!skip
tests/user/users_absent.sh shebang!skip
tests/group/groups.sh shebang!skip
tests/utils.py pylint:ansible-format-automatic-specification
utils/ansible-doc-test shebang!skip
utils/build-galaxy-release.sh shebang!skip
utils/build-srpm.sh shebang!skip
utils/changelog shebang!skip
utils/check_test_configuration.py shebang!skip
utils/galaxyfy-README.py shebang!skip
utils/galaxyfy-module-EXAMPLES.py shebang!skip
utils/galaxyfy-playbook.py shebang!skip
utils/galaxyfy.py shebang!skip
utils/gen_modules_docs.sh shebang!skip
utils/lint_check.sh shebang!skip
utils/new_module shebang!skip

37
tests/sanity/ignore-2.14.txt
View File

@@ -1,37 +0,0 @@
plugins/module_utils/ansible_freeipa_module.py pylint:ansible-bad-function
plugins/modules/ipaclient_api.py pylint:ansible-format-automatic-specification
plugins/modules/ipaclient_join.py pylint:ansible-format-automatic-specification
plugins/modules/ipaclient_test.py pylint:ansible-format-automatic-specification
plugins/modules/ipadnsrecord.py pylint:ansible-format-automatic-specification
plugins/modules/ipadnsrecord.py pylint:use-maxsplit-arg
plugins/modules/ipareplica_enable_ipa.py pylint:ansible-format-automatic-specification
plugins/modules/ipareplica_prepare.py pylint:ansible-format-automatic-specification
plugins/modules/ipareplica_test.py pylint:ansible-format-automatic-specification
plugins/modules/ipaserver_test.py pylint:ansible-format-automatic-specification
roles/ipaclient/library/ipaclient_api.py pylint:ansible-format-automatic-specification
roles/ipaclient/library/ipaclient_join.py pylint:ansible-format-automatic-specification
roles/ipaclient/library/ipaclient_test.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_enable_ipa.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_prepare.py pylint:ansible-format-automatic-specification
roles/ipareplica/library/ipareplica_test.py pylint:ansible-format-automatic-specification
roles/ipaserver/library/ipaserver_test.py pylint:ansible-format-automatic-specification
roles/ipareplica/module_utils/ansible_ipa_replica.py pylint:ansible-format-automatic-specification
tests/external-signed-ca-with-automatic-copy/external-ca.sh shebang!skip
tests/pytests/conftest.py pylint:ansible-format-automatic-specification
tests/sanity/sanity.sh shebang!skip
tests/user/users.sh shebang!skip
tests/user/users_absent.sh shebang!skip
tests/group/groups.sh shebang!skip
tests/utils.py pylint:ansible-format-automatic-specification
utils/ansible-doc-test shebang!skip
utils/build-galaxy-release.sh shebang!skip
utils/build-srpm.sh shebang!skip
utils/changelog shebang!skip
utils/check_test_configuration.py shebang!skip
utils/galaxyfy-README.py shebang!skip
utils/galaxyfy-module-EXAMPLES.py shebang!skip
utils/galaxyfy-playbook.py shebang!skip
utils/galaxyfy.py shebang!skip
utils/gen_modules_docs.sh shebang!skip
utils/lint_check.sh shebang!skip
utils/new_module shebang!skip

4
tests/sanity/sanity.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
TOPDIR=$(readlink -f "$(dirname "$0")/../..")
pushd "${TOPDIR}" >/dev/null || exit 1
@@ -8,7 +8,7 @@ ANSIBLE_COLLECTION=freeipa-ansible_freeipa
use_docker=$(docker -v >/dev/null 2>&1 && echo "True" || echo "False")
virtualenv "$VENV"
python -m venv "$VENV"
# shellcheck disable=SC1091
source "$VENV"/bin/activate

200
tests/service/certificate/test_service_certificate_newline.yml Normal file
View File

@@ -0,0 +1,200 @@
---
- name: Test service with certificates with and without trailing new line
hosts: ipaserver
become: true
tasks:
- name: Include tasks ../../env_freeipa_facts.yml
ansible.builtin.include_tasks: ../../env_freeipa_facts.yml
- name: Setup test environment
ansible.builtin.include_tasks: ../env_vars.yml
- name: Generate self-signed certificates.
ansible.builtin.shell:
cmd: |
openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout "private{{ item }}.key" -out "cert{{ item }}.pem" -subj '/CN=test'
openssl x509 -outform der -in "cert{{ item }}.pem" -out "cert{{ item }}.der"
base64 "cert{{ item }}.der" -w5000 > "cert{{ item }}.b64"
with_items: [1, 2, 3]
become: no
delegate_to: localhost
# The rstrip=False for lookup will add keep the newline at the end of the
# cert and this is automatically revoved in IPA, This is an additional
# test of ipaservice later on to behave correctly in both cases.
- name: Set fact cert1,2,3 from lookup
ansible.builtin.set_fact:
cert1: "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
cert2: "{{ lookup('file', 'cert2.b64', rstrip=True) }}"
cert3: "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
- name: Host {{ svc_fqdn }} absent
ipahost:
ipaadmin_password: SomeADMINpassword
name: "{{ svc_fqdn }}"
state: absent
- name: Host {{ svc_fqdn }} present
ipahost:
ipaadmin_password: SomeADMINpassword
name: "{{ svc_fqdn }}"
force: true
register: result
failed_when: not result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
continue: true
state: absent
- name: Service FOO/{{ svc_fqdn }} present
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
force: yes
register: result
failed_when: not result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} certs 1,2 members present
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert1 }}"
- "{{ cert2 }}"
action: member
register: result
failed_when: not result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} certs 1,2 members present again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert1 }}"
- "{{ cert2 }}"
action: member
register: result
failed_when: result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} certs 1,2,3 members present
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert1 }}"
- "{{ cert2 }}"
- "{{ cert3 }}"
action: member
register: result
failed_when: not result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} certs 1,2,3 members present again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert1 }}"
- "{{ cert2 }}"
- "{{ cert3 }}"
action: member
register: result
failed_when: result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} certs 2,3 member absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert2 }}"
- "{{ cert3 }}"
state: absent
action: member
register: result
failed_when: not result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} certs 2,3 member absent again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert2 }}"
- "{{ cert3 }}"
action: member
state: absent
register: result
failed_when: result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} certs 1,2,3 members absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert1 }}"
- "{{ cert2 }}"
- "{{ cert3 }}"
action: member
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} certs 1,2,3 members absent again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert1 }}"
- "{{ cert2 }}"
- "{{ cert3 }}"
action: member
state: absent
register: result
failed_when: result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
continue: true
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Service FOO/{{ svc_fqdn }} absent again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "FOO/{{ svc_fqdn }}"
continue: true
state: absent
register: result
failed_when: result.changed or result.failed
- name: Host {{ svc_fqdn }} absent
ipahost:
ipaadmin_password: SomeADMINpassword
name: "{{ svc_fqdn }}"
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Remove certificate files. # noqa: deprecated-command-syntax
ansible.builtin.shell:
cmd: rm -f "private{{ item }}.key" "cert{{ item }}.pem" "cert{{ item }}.der" "cert{{ item }}.b64"
with_items: [1, 2, 3]
become: no
delegate_to: localhost

314
tests/service/certificate/test_services_certificate_newline.yml Normal file
View File

@@ -0,0 +1,314 @@
---
- name: Test services with certificates with and without trailing new line
hosts: ipaserver
become: true
tasks:
- name: Include tasks ../../env_freeipa_facts.yml
ansible.builtin.include_tasks: ../../env_freeipa_facts.yml
- name: Setup test environment
ansible.builtin.include_tasks: ../env_vars.yml
- name: Generate self-signed certificates.
ansible.builtin.shell:
cmd: |
openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout "private{{ item }}.key" -out "cert{{ item }}.pem" -subj '/CN=test'
openssl x509 -outform der -in "cert{{ item }}.pem" -out "cert{{ item }}.der"
base64 "cert{{ item }}.der" -w5000 > "cert{{ item }}.b64"
with_items: [11, 12, 13, 21, 22, 23, 31, 32, 33]
become: no
delegate_to: localhost
# The rstrip=False for lookup will add keep the newline at the end of the
# cert and this is automatically revoved in IPA, This is an additional
# test of ipaservice later on to behave correctly in both cases.
- name: Set fact for certs 11,12,13,21,22,23,31,32,33 from lookup
ansible.builtin.set_fact:
cert11: "{{ lookup('file', 'cert11.b64', rstrip=True) }}"
cert12: "{{ lookup('file', 'cert12.b64', rstrip=False) }}"
cert13: "{{ lookup('file', 'cert13.b64', rstrip=True) }}"
cert21: "{{ lookup('file', 'cert21.b64', rstrip=False) }}"
cert22: "{{ lookup('file', 'cert22.b64', rstrip=False) }}"
cert23: "{{ lookup('file', 'cert23.b64', rstrip=True) }}"
cert31: "{{ lookup('file', 'cert31.b64', rstrip=False) }}"
cert32: "{{ lookup('file', 'cert32.b64', rstrip=True) }}"
cert33: "{{ lookup('file', 'cert33.b64', rstrip=False) }}"
- name: Services FOO,BAR,BAZ/{{ svc_fqdn }} absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "FOO/{{ svc_fqdn }}"
- "BAR/{{ svc_fqdn }}"
- "BAZ/{{ svc_fqdn }}"
continue: true
state: absent
- name: Host {{ svc_fqdn }} absent
ipahost:
ipaadmin_password: SomeADMINpassword
name: "{{ svc_fqdn }}"
state: absent
- name: Host {{ svc_fqdn }} present
ipahost:
ipaadmin_password: SomeADMINpassword
name: "{{ svc_fqdn }}"
force: true
register: result
failed_when: not result.changed or result.failed
- name: Services FOO,BAR,BAZ/{{ svc_fqdn }} present
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
force: yes
- name: "BAR/{{ svc_fqdn }}"
force: yes
- name: "BAZ/{{ svc_fqdn }}"
force: yes
register: result
failed_when: not result.changed or result.failed
- name: Services FOO,BAR,BAZ/{{ svc_fqdn }} present
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
force: yes
- name: "BAR/{{ svc_fqdn }}"
force: yes
- name: "BAZ/{{ svc_fqdn }}"
force: yes
register: result
failed_when: result.changed or result.failed
- name: Service FOO,BAR,BAZ/{{ svc_fqdn }} certs x1,x2 members present
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert11 }}"
- "{{ cert12 }}"
- name: "BAR/{{ svc_fqdn }}"
certificate:
- "{{ cert21 }}"
- "{{ cert22 }}"
- name: "BAZ/{{ svc_fqdn }}"
certificate:
- "{{ cert31 }}"
- "{{ cert32 }}"
action: member
register: result
failed_when: not result.changed or result.failed
- name: Service FOO,BAR,BAZ/{{ svc_fqdn }} certs x1,x2 members present again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert11 }}"
- "{{ cert12 }}"
- name: "BAR/{{ svc_fqdn }}"
certificate:
- "{{ cert21 }}"
- "{{ cert22 }}"
- name: "BAZ/{{ svc_fqdn }}"
certificate:
- "{{ cert31 }}"
- "{{ cert32 }}"
action: member
register: result
failed_when: result.changed or result.failed
- name: Service FOO,BAR,BAZ/{{ svc_fqdn }} certs x1,x2,x3 members present
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert11 }}"
- "{{ cert12 }}"
- "{{ cert13 }}"
- name: "BAR/{{ svc_fqdn }}"
certificate:
- "{{ cert21 }}"
- "{{ cert22 }}"
- "{{ cert23 }}"
- name: "BAZ/{{ svc_fqdn }}"
certificate:
- "{{ cert31 }}"
- "{{ cert32 }}"
- "{{ cert33 }}"
action: member
register: result
failed_when: not result.changed or result.failed
- name: Service FOO,BAR,BAZ/{{ svc_fqdn }} certs x1,x2,x3 members present again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert11 }}"
- "{{ cert12 }}"
- "{{ cert13 }}"
- name: "BAR/{{ svc_fqdn }}"
certificate:
- "{{ cert21 }}"
- "{{ cert22 }}"
- "{{ cert23 }}"
- name: "BAZ/{{ svc_fqdn }}"
certificate:
- "{{ cert31 }}"
- "{{ cert32 }}"
- "{{ cert33 }}"
action: member
register: result
failed_when: result.changed or result.failed
- name: Service FOO,BAR,BAZ/{{ svc_fqdn }} certs x2,x3 members absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert12 }}"
- "{{ cert13 }}"
- name: "BAR/{{ svc_fqdn }}"
certificate:
- "{{ cert22 }}"
- "{{ cert23 }}"
- name: "BAZ/{{ svc_fqdn }}"
certificate:
- "{{ cert32 }}"
- "{{ cert33 }}"
action: member
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Service FOO,BAR,BAZ/{{ svc_fqdn }} certs x2,x3 members absent, again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert12 }}"
- "{{ cert13 }}"
- name: "BAR/{{ svc_fqdn }}"
certificate:
- "{{ cert22 }}"
- "{{ cert23 }}"
- name: "BAZ/{{ svc_fqdn }}"
certificate:
- "{{ cert32 }}"
- "{{ cert33 }}"
action: member
state: absent
register: result
failed_when: result.changed or result.failed
- name: Service FOO,BAR,BAZ/{{ svc_fqdn }} certs x1,x2,x3 members absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert11 }}"
- "{{ cert12 }}"
- "{{ cert13 }}"
- name: "BAR/{{ svc_fqdn }}"
certificate:
- "{{ cert21 }}"
- "{{ cert22 }}"
- "{{ cert23 }}"
- name: "BAZ/{{ svc_fqdn }}"
certificate:
- "{{ cert31 }}"
- "{{ cert32 }}"
- "{{ cert33 }}"
action: member
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Service FOO,BAR,BAZ/{{ svc_fqdn }} certs x1,x2,x3 members absent, again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
services:
- name: "FOO/{{ svc_fqdn }}"
certificate:
- "{{ cert11 }}"
- "{{ cert12 }}"
- "{{ cert13 }}"
- name: "BAR/{{ svc_fqdn }}"
certificate:
- "{{ cert21 }}"
- "{{ cert22 }}"
- "{{ cert23 }}"
- name: "BAZ/{{ svc_fqdn }}"
certificate:
- "{{ cert31 }}"
- "{{ cert32 }}"
- "{{ cert33 }}"
action: member
state: absent
register: result
failed_when: result.changed or result.failed
- name: Services FOO,BAR,BAZ/{{ svc_fqdn }} absent
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "FOO/{{ svc_fqdn }}"
- "BAR/{{ svc_fqdn }}"
- "BAZ/{{ svc_fqdn }}"
continue: true
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Services FOO,BAR,BAZ/{{ svc_fqdn }} absent, again
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "FOO/{{ svc_fqdn }}"
- "BAR/{{ svc_fqdn }}"
- "BAZ/{{ svc_fqdn }}"
continue: true
state: absent
register: result
failed_when: result.changed or result.failed
- name: Host {{ svc_fqdn }} absent
ipahost:
ipaadmin_password: SomeADMINpassword
name: "{{ svc_fqdn }}"
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Remove certificate files. # noqa: deprecated-command-syntax
ansible.builtin.shell:
cmd: rm -f "private{{ item }}.key" "cert{{ item }}.pem" "cert{{ item }}.der" "cert{{ item }}.b64"
with_items: [11, 12, 13, 21, 22, 23, 31, 32, 33]
become: no
delegate_to: localhost

98
tests/service/generate_test_data.yml Normal file
View File

@@ -0,0 +1,98 @@
# Generate lists for hosts and services
---
- name: Get Domain from server name
ansible.builtin.set_fact:
ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"
when: ipaserver_domain is not defined
- name: Create present services.json data
ansible.builtin.shell: |
echo "["
for i in $(seq 1 "{{ NUM }}"); do
echo " {"
echo " \"name\": \"HTTP/www$i.{{ DOMAIN }}\","
echo " \"principal\": \"host/test$i.{{ DOMAIN }}\","
echo " \"force\": \"true\""
if [ "$i" -lt "{{ NUM }}" ]; then
echo " },"
else
echo " }"
fi
done
echo "]"
vars:
NUM: 500
DOMAIN: "{{ ipaserver_domain }}"
register: command
- name: Set service_list
ansible.builtin.set_fact:
service_list: "{{ command.stdout | from_json }}"
- name: Create absent services.json data
ansible.builtin.shell: |
echo "["
for i in $(seq 1 "{{ NUM }}"); do
echo " {"
echo " \"name\": \"HTTP/www$i.{{ DOMAIN }}\","
echo " \"continue\": \"true\""
if [ "$i" -lt "{{ NUM }}" ]; then
echo " },"
else
echo " }"
fi
done
echo "]"
vars:
NUM: 500
DOMAIN: "{{ ipaserver_domain }}"
register: command
- name: Set service_absent_list
ansible.builtin.set_fact:
service_absent_list: "{{ command.stdout | from_json }}"
- name: Create present hosts.json data
ansible.builtin.shell: |
echo "["
for i in $(seq 1 "{{ NUM }}"); do
echo " {"
echo " \"name\": \"www$i.{{ DOMAIN }}\","
echo " \"force\": \"true\""
if [ "$i" -lt "{{ NUM }}" ]; then
echo " },"
else
echo " }"
fi
done
echo "]"
vars:
NUM: 500
DOMAIN: "{{ ipaserver_domain }}"
register: command
- name: Set host_list
ansible.builtin.set_fact:
host_list: "{{ command.stdout | from_json }}"
- name: Create absent hosts.json data
ansible.builtin.shell: |
echo "["
for i in $(seq 1 "{{ NUM }}"); do
echo " {"
echo " \"name\": \"www$i.{{ DOMAIN }}\""
if [ "$i" -lt "{{ NUM }}" ]; then
echo " },"
else
echo " }"
fi
done
echo "]"
vars:
NUM: 500
DOMAIN: "{{ ipaserver_domain }}"
register: command
- name: Set host_absent_list
ansible.builtin.set_fact:
host_absent_list: "{{ command.stdout | from_json }}"

15
tests/service/test_services_absent.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- name: Test services absent
hosts: ipaserver
become: true
gather_facts: false
tasks:
- name: Include generate_test_data.yml
ansible.builtin.include_tasks: generate_test_data.yml
- name: Services absent len:{{ service_list | length }}
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_absent_list }}"
state: absent

71
tests/service/test_services_present.yml Normal file
View File

@@ -0,0 +1,71 @@
---
- name: Test services present
hosts: ipaserver
become: true
gather_facts: true
tasks:
- name: Include generate_test_data.yml
ansible.builtin.include_tasks: generate_test_data.yml
- name: Hosts present len:{{ host_list | length }}
ipahost:
ipaadmin_password: SomeADMINpassword
hosts: "{{ host_list }}"
force: true
register: result
failed_when: not result.changed or result.failed
- name: Hosts present len:{{ host_list | length }}, again
ipahost:
ipaadmin_password: SomeADMINpassword
hosts: "{{ host_list }}"
force: true
register: result
failed_when: result.changed or result.failed
- name: Services present len:{{ service_list | length }}
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_list }}"
register: result
failed_when: not result.changed or result.failed
- name: Services present len:{{ service_list | length }}, again
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_list }}"
register: result
failed_when: result.changed or result.failed
- name: Services absent len:{{ service_list | length }}
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_absent_list }}"
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Services absent len:{{ service_list | length }}, again
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_absent_list }}"
state: absent
register: result
failed_when: result.changed or result.failed
- name: Hosts absent len:{{ host_list | length }}
ipahost:
ipaadmin_password: SomeADMINpassword
hosts: "{{ host_absent_list }}"
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Hosts absent len:{{ host_list | length }}, again
ipahost:
ipaadmin_password: SomeADMINpassword
hosts: "{{ host_absent_list }}"
state: absent
register: result
failed_when: result.changed or result.failed

91
tests/service/test_services_present_slice.yml Normal file
View File

@@ -0,0 +1,91 @@
---
- name: Test services present slice
hosts: ipaserver
become: true
gather_facts: true
vars:
slice_size: 100
tasks:
- name: Include generate_test_data.yml
ansible.builtin.include_tasks: generate_test_data.yml
- name: Size of slice
ansible.builtin.debug:
msg: "{{ slice_size }}"
- name: Size of services list
ansible.builtin.debug:
msg: "{{ service_list | length }}"
- name: Size of hosts list
ansible.builtin.debug:
msg: "{{ host_list | length }}"
- name: Hosts present
ipahost:
ipaadmin_password: SomeADMINpassword
hosts: "{{ host_list[item : item + slice_size] }}"
loop: "{{ range(0, host_list | length, slice_size) | list }}"
register: result
failed_when: not result.changed or result.failed
- name: Hosts present, again
ipahost:
ipaadmin_password: SomeADMINpassword
hosts: "{{ host_list[item : item + slice_size] }}"
loop: "{{ range(0, host_list | length, slice_size) | list }}"
register: result
failed_when: result.changed or result.failed
- name: Services present
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_list[item : item + slice_size] }}"
loop: "{{ range(0, service_list | length, slice_size) | list }}"
register: result
failed_when: not result.changed or result.failed
- name: Services present, again
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_list[item : item + slice_size] }}"
loop: "{{ range(0, service_list | length, slice_size) | list }}"
register: result
failed_when: result.changed or result.failed
- name: Services absent
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_absent_list[item : item + slice_size] }}"
state: absent
loop: "{{ range(0, service_absent_list | length, slice_size) | list }}"
register: result
failed_when: not result.changed or result.failed
- name: Services absent, again
ipaservice:
ipaadmin_password: SomeADMINpassword
services: "{{ service_absent_list[item : item + slice_size] }}"
state: absent
loop: "{{ range(0, service_absent_list | length, slice_size) | list }}"
register: result
failed_when: result.changed or result.failed
- name: Hosts absent
ipahost:
ipaadmin_password: SomeADMINpassword
hosts: "{{ host_absent_list[item : item + slice_size] }}"
state: absent
loop: "{{ range(0, host_absent_list | length, slice_size) | list }}"
register: result
failed_when: not result.changed or result.failed
- name: Hosts absent, again
ipahost:
ipaadmin_password: SomeADMINpassword
hosts: "{{ host_absent_list[item : item + slice_size] }}"
state: absent
loop: "{{ range(0, host_absent_list | length, slice_size) | list }}"
register: result
failed_when: result.changed or result.failed

100
tests/service/test_services_without_skip_host_check.yml Normal file
View File

@@ -0,0 +1,100 @@
---
- name: Test services without using option skip_host_check
hosts: ipaserver
become: true
tasks:
# setup
- name: Test services without using option skip_host_check
block:
- name: Setup test environment
ansible.builtin.include_tasks: env_setup.yml
- name: Services are present
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: "HTTP/{{ svc_fqdn }}"
principal:
- host/test.example.com
- name: "mysvc/{{ host1_fqdn }}"
pac_type: NONE
ok_as_delegate: yes
ok_to_auth_as_delegate: yes
- name: "HTTP/{{ host1_fqdn }}"
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
- name: "mysvc/{{ host2_fqdn }}"
auth_ind: otp,radius
register: result
failed_when: not result.changed or result.failed
- name: Services are present again
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: "HTTP/{{ svc_fqdn }}"
- name: "mysvc/{{ host1_fqdn }}"
- name: "HTTP/{{ host1_fqdn }}"
- name: "mysvc/{{ host2_fqdn }}"
register: result
failed_when: result.changed or result.failed
# failed_when: not result.failed has been added as this test needs to
# fail because two services with the same name should be added in the same
# task.
- name: Duplicate names in services failure test
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: "HTTP/{{ svc_fqdn }}"
- name: "mysvc/{{ host1_fqdn }}"
- name: "HTTP/{{ nohost_fqdn }}"
- name: "HTTP/{{ svc_fqdn }}"
register: result
failed_when: result.changed or not result.failed or "is used more than once" not in result.msg
- name: Services/name and name 'service' present
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "HTTP/{{ svc_fqdn }}"
services:
- name: "HTTP/{{ svc_fqdn }}"
register: result
failed_when: result.changed or not result.failed or "parameters are mutually exclusive" not in result.msg
- name: Services/name and name are absent
ipaservice:
ipaadmin_password: SomeADMINpassword
register: result
failed_when: result.changed or not result.failed or "one of the following is required" not in result.msg
- name: Name is absent
ipaservice:
ipaadmin_password: SomeADMINpassword
name:
register: result
failed_when: result.changed or not result.failed or "At least one name or services is required" not in result.msg
- name: Only one service can be added at a time using name.
ipaservice:
ipaadmin_password: SomeADMINpassword
name: example.com,example1.com
register: result
failed_when: result.changed or not result.failed or "Only one service can be added at a time using 'name'." not in result.msg
always:
# cleanup
- name: Cleanup test environment
ansible.builtin.include_tasks: env_cleanup.yml

130
tests/user/test_user.yml
View File

@@ -9,7 +9,7 @@
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: manager1,manager2,manager3,pinky,pinky2
name: manager1,manager2,manager3,pinky,pinky2,igagarin
state: absent
- name: User manager1 present
@@ -59,6 +59,7 @@
#password: foo2
principal: pa
random: yes
street: PinkyStreet
city: PinkyCity
userstate: PinkyState
postalcode: PinkyZip
@@ -86,6 +87,33 @@
register: result
failed_when: not result.changed or result.failed
- name: Set street, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: pinky
street: PinkyStreet
register: result
failed_when: result.changed or result.failed
- name: Clear street attribute.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: pinky
street: ""
register: result
failed_when: not result.changed or result.failed
- name: Clear street attribute, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: pinky
street: ""
register: result
failed_when: result.changed or result.failed
- name: User pinky present with changed settings
ipauser:
ipaadmin_password: SomeADMINpassword
@@ -342,9 +370,107 @@
register: result
failed_when: result.changed or result.failed
- name: Ensure user with GECOS information exists.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
first: Iuri
last: Gagarin
gecos: Юрий Алексеевич Гагарин
register: result
failed_when: not result.changed or result.failed
- name: Ensure user with GECOS information exists, again.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
first: Iuri
last: Gagarin
gecos: Юрий Алексеевич Гагарин
register: result
failed_when: result.changed or result.failed
- name: Modify GECOS information.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
gecos: Юрий Гагарин
register: result
failed_when: not result.changed or result.failed
- name: Updating with existent data, should not change user.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
first: Iuri
last: Gagarin
gecos: Юрий Гагарин
register: result
failed_when: result.changed or result.failed
- name: Ensure GECOS parameter is cleared.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
gecos: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure GECOS parameter is cleared, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
gecos: ""
register: result
failed_when: result.changed or result.failed
- name: Ensure GECOS parameter cannot be used with state absent.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
gecos: Юрий Гагарин
state: absent
register: result
failed_when: not result.failed or "Argument 'gecos' can not be used with action 'user' and state 'absent'" not in result.msg
- name: Ensure user igagarin is absent.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Ensure user with non-ascii name exists.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
first: Юрий
last: Гагарин
register: result
failed_when: not result.changed or result.failed
- name: Ensure user with non-ascii name exists has proper GECOS value.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: igagarin
gecos: Юрий Гагарин
register: result
failed_when: result.changed or result.failed
- name: Remove test users
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: manager1,manager2,manager3,pinky,pinky2
name: manager1,manager2,manager3,pinky,pinky2,igagarin
state: absent

107
tests/user/test_user_idp_attrs.yml Normal file
View File

@@ -0,0 +1,107 @@
---
- name: Test user
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: false
gather_facts: false
module_defaults:
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
tasks:
- name: Include tasks ../env_freeipa_facts.yml
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
# CLEANUP TEST ITEMS
- name: Ensure user idpuser is absent
ipauser:
name: idpuser
state: absent
# CREATE TEST ITEMS
- name: Run tests if FreeIPA 4.10.0+ is installed
when: ipa_version is version('4.10.0', '>=')
block:
- name: Ensure IDP provider is present
# TODO: Use an ansible-freeipa plugin instead of 'shell'
ansible.builtin.shell:
cmd: |
kinit -c test_krb5_cache admin <<< SomeADMINpassword
KRB5CCNAME=test_krb5_cache ipa idp-add keycloak --provider keycloak \
--org master \
--base-url https://client.ipademo.local:8443/auth \
--client-id ipa_oidc_client \
--secret <<< $(echo -e "Secret123\nSecret123")
kdestroy -c test_krb5_cache -q -A
register: addidp
failed_when:
- '"Added Identity Provider" not in addidp.stdout'
- '"already exists" not in addidp.stderr'
# TESTS
- name: Ensure user idpuser is present
ipauser:
name: idpuser
first: IDP
last: User
userauthtype: idp
idp: keycloak
idp_user_id: "idpuser@ipademo.local"
register: result
failed_when: not result.changed or result.failed
- name: Ensure user idpuser is present again
ipauser:
name: idpuser
first: IDP
last: User
userauthtype: idp
idp: keycloak
idp_user_id: "idpuser@ipademo.local"
register: result
failed_when: result.changed or result.failed
- name: Clear 'idp_user_id'
ipauser:
name: idpuser
idp_user_id: ""
register: result
failed_when: not result.changed or result.failed
- name: Clear 'idp'
ipauser:
name: idpuser
idp: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure user idpuser is absent
ipauser:
name: idpuser
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Ensure user idpuser is absent again
ipauser:
name: idpuser
state: absent
register: result
failed_when: result.changed or result.failed
# CLEANUP TEST ITEMS
- name: Ensure IDP provider is absent
# TODO: Use an ansible-freeipa plugin instead of 'shell'
ansible.builtin.shell:
cmd: |
kinit -c test_krb5_cache admin <<< SomeADMINpassword
ipa idp-del keycloak
kdestroy -c test_krb5_cache -q -A
always:
- name: Ensure user idpuser is absent
ipauser:
name: idpuser
state: absent

253
tests/user/test_user_smb_attrs.yml Normal file
View File

@@ -0,0 +1,253 @@
---
- name: Test users
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: no
gather_facts: no
tasks:
- name: Set FreeIPA environment facts.
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
- name: Only run tests for IPA 4.8.0+
when: ipa_version is version('4.8.0', '>=')
block:
# SETUP
- name: Remove test users
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
state: absent
# TESTS
- name: Ensure user testuser exists with all smb paramters
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
first: test
last: user
smb_profile_path: "/some/profile/path"
smb_home_dir: "/some/home/dir"
smb_home_drive: "U{{ ':' }}"
smb_logon_script: "/some/profile/script.sh"
register: result
failed_when: not result.changed or result.failed
- name: Ensure user testuser exists all smb paramters, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
first: test
last: user
smb_logon_script: "/some/profile/script.sh"
smb_profile_path: "/some/profile/path"
smb_home_dir: "/some/home/dir"
smb_home_drive: "U{{ ':' }}"
register: result
failed_when: result.changed or result.failed
- name: Check SMB logon script is correct
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_logon_script: "/some/profile/script.sh"
register: result
check_mode: true
failed_when: result.changed or result.failed
- name: Check SMB profile path is correct
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_profile_path: "/some/profile/path"
register: result
check_mode: true
failed_when: result.changed or result.failed
- name: Check SMB Home Directory is correct
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_dir: "/some/home/dir"
register: result
check_mode: true
failed_when: result.changed or result.failed
- name: Check SMB Home Drive is correct
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
first: test
last: user
smb_home_drive: "U{{ ':' }}"
register: result
check_mode: true
failed_when: result.changed or result.failed
- name: Set SMB logon script
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_logon_script: "/some/profile/another_script.sh"
register: result
failed_when: not result.changed or result.failed
- name: Set SMB logon script, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_logon_script: "/some/profile/another_script.sh"
register: result
failed_when: result.changed or result.failed
- name: Clear SMB logon script
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_logon_script: ""
register: result
failed_when: not result.changed or result.failed
- name: Clear SMB logon script, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_logon_script: ""
register: result
failed_when: result.changed or result.failed
- name: Set SMB profile path
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_profile_path: "/some/profile/another_path"
register: result
failed_when: not result.changed or result.failed
- name: Set SMB profile path, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_profile_path: "/some/profile/another_path"
register: result
failed_when: result.changed or result.failed
- name: Clear SMB profile path
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_profile_path: ""
register: result
failed_when: not result.changed or result.failed
- name: Clear SMB profile, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_profile_path: ""
register: result
failed_when: result.changed or result.failed
- name: Set SMB home directory
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_dir: "/some/other/home"
register: result
failed_when: not result.changed or result.failed
- name: Set SMB home directory, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_dir: "/some/other/home"
register: result
failed_when: result.changed or result.failed
- name: Clear SMB home directory
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_dir: ""
register: result
failed_when: not result.changed or result.failed
- name: Clear SMB home directory, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_dir: ""
register: result
failed_when: result.changed or result.failed
- name: Set SMB home drive
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_drive: "Z{{ ':' }}"
register: result
failed_when: not result.changed or result.failed
- name: Set SMB home drive, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_drive: "Z{{ ':' }}"
register: result
failed_when: result.changed or result.failed
- name: Set SMB home drive to invalid value
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_drive: "INVALID:"
register: result
failed_when: not result.failed or "value of smb_home_drive must be one of" not in result.msg
- name: Clear SMB home drive
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_drive: ""
register: result
failed_when: not result.changed or result.failed
- name: Clear SMB home drive, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
smb_home_drive: ""
register: result
failed_when: result.changed or result.failed
always:
# CLEANUP
- name: Remove test users
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
state: absent

2
tests/user/test_users.yml
View File

@@ -151,6 +151,7 @@
#password: foo2
principal: pa
random: yes
street: PinkyStreet
city: PinkyCity
userstate: PinkyState
postalcode: PinkyZip
@@ -194,6 +195,7 @@
#password: foo2
principal: pa
random: yes
street: PinkyStreet
city: PinkyCity
userstate: PinkyState
postalcode: PinkyZip

2
tests/user/users.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
NUM=${1-1000}
FILE="users.json"

2
tests/user/users_absent.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
NUM=1000
FILE="users_absent.json"

2
tests/utils.py
View File

@@ -180,7 +180,7 @@ def run_playbook(playbook, allow_failures=False):
if allow_failures:
return result
status_code_msg = "ansible-playbook return code: {}".format(
status_code_msg = "ansible-playbook return code: {0}".format(
result.returncode
)
assert_msg = "\n".join(

2
utils/ansible-doc-test
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Authors:

2
utils/ansible-freeipa.spec.in
View File

@@ -125,7 +125,7 @@ done
for i in utils/*.py utils/new_module utils/changelog utils/ansible-doc-test;
do
sed -i '{s@/usr/bin/python*@%{python}@}' $i
sed -i '{s@/usr/bin/env python*@%{python}@}' $i
done

4
utils/build-galaxy-release.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
#
# Build Ansible Collection from ansible-freeipa repo
#
@@ -114,6 +114,8 @@ echo -e "\033[ACreating CHANGELOG.rst... \033[32;1mDONE\033[0m"
sed -i -e "s/ansible.module_utils.ansible_freeipa_module/ansible_collections.${collection_prefix}.plugins.module_utils.ansible_freeipa_module/" plugins/modules/*.py
python utils/create_action_group.py "meta/runtime.yml" "$collection_prefix"
(cd plugins/module_utils && {
ln -sf ../../roles/*/module_utils/*.py .
})

2
utils/build-srpm.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
git_version=$(git describe --tags | sed -e "s/^v//")
version=${git_version%%-*}

2
utils/changelog
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Authors:

2
utils/check_test_configuration.py
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python
#!/usr/bin/env python
"""Check which tests are scheduled to be executed."""

24
utils/create_action_group.py Normal file
View File

@@ -0,0 +1,24 @@
import sys
import yaml
from facts import MANAGEMENT_MODULES
def create_action_group(yml_file, project_prefix):
yaml_data = None
with open(yml_file) as f_in:
yaml_data = yaml.safe_load(f_in)
yaml_data.setdefault("action_groups", {})[
"%s.modules" % project_prefix
] = MANAGEMENT_MODULES
with open(yml_file, 'w') as f_out:
yaml.safe_dump(yaml_data, f_out, default_flow_style=False,
explicit_start=True)
if len(sys.argv) != 3:
print("Usage: %s <runtime file> <collection prefix>" % sys.argv[0])
sys.exit(-1)
create_action_group(sys.argv[1], sys.argv[2])

41
utils/facts.py Normal file
View File

@@ -0,0 +1,41 @@
import os
def get_roles(dir):
roles = []
_rolesdir = "%s/roles/" % dir
for _role in os.listdir(_rolesdir):
_roledir = "%s/%s" % (_rolesdir, _role)
if not os.path.isdir(_roledir) or \
not os.path.isdir("%s/meta" % _roledir) or \
not os.path.isdir("%s/tasks" % _roledir):
continue
roles.append(_role)
return sorted(roles)
def get_modules(dir):
management_modules = []
roles_modules = []
for root, _dirs, files in os.walk(dir):
if not root.startswith("%s/plugins/" % dir) and \
not root.startswith("%s/roles/" % dir):
continue
for _file in files:
if _file.endswith(".py"):
if root == "%s/plugins/modules" % dir:
management_modules.append(_file[:-3])
elif root.startswith("%s/roles/" % dir):
if root.endswith("/library"):
roles_modules.append(_file[:-3])
return sorted(management_modules), sorted(roles_modules)
BASE_DIR = os.path.abspath(os.path.dirname(__file__) + "/..")
ROLES = get_roles(BASE_DIR)
MANAGEMENT_MODULES, ROLES_MODULES = get_modules(BASE_DIR)
ALL_MODULES = sorted(MANAGEMENT_MODULES + ROLES_MODULES)

2
utils/galaxyfy-README.py
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Authors:

2
utils/galaxyfy-module-EXAMPLES.py
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Authors:

2
utils/galaxyfy-playbook.py
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Authors:

82
utils/galaxyfy.py
View File

@@ -1,10 +1,10 @@
#!/usr/bin/python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Copyright (C) 2019,2020 Red Hat
# Copyright (C) 2019-2023 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -21,49 +21,95 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import re
from facts import ROLES, ALL_MODULES
def get_indent(txt):
return len(txt) - len(txt.lstrip())
def galaxyfy_playbook(project_prefix, collection_prefix, lines):
po1 = re.compile('(%s.*:)$' % project_prefix)
po2 = re.compile('(.*:) (%s.*)$' % project_prefix)
po_module = re.compile('(%s.*):$' % project_prefix)
po_module_arg = re.compile('(%s.*): (.*)$' % project_prefix)
po_module_unnamed = re.compile('- (%s.*):$' % project_prefix)
po_role = re.compile('(.*:) (%s.*)$' % project_prefix)
pattern_module = r'%s.\1:' % collection_prefix
pattern_module_arg = r'%s.\1: \2' % collection_prefix
pattern_module_unnamed = r'- %s.\1:' % collection_prefix
pattern_role = r'\1 %s.\2' % collection_prefix
out_lines = []
pattern1 = r'%s.\1' % collection_prefix
pattern2 = r'\1 %s.\2' % collection_prefix
changed = False
changeable = False
include_role = False
module_defaults = False
module_defaults_indent = -1
for line in lines:
stripped = line.strip()
if stripped.startswith("- name:") or \
stripped.startswith("- block:"):
changeable = True
module_defaults = False
module_defaults_indent = -1
elif stripped in ["set_fact:", "ansible.builtin.set_fact:", "vars:"]:
changeable = False
include_role = False
module_defaults = False
module_defaults_indent = -1
elif stripped == "roles:":
changeable = True
include_role = False
module_defaults = False
module_defaults_indent = -1
elif (stripped.startswith("include_role:") or
stripped.startswith("ansible.builtin.include_role:")):
include_role = True
module_defaults = False
module_defaults_indent = -1
elif include_role and stripped.startswith("name:"):
line = po2.sub(pattern2, line)
changed = True
match = po_role.search(line)
if match and match.group(2) in ROLES:
line = po_role.sub(pattern_role, line)
changed = True
elif stripped == "module_defaults:":
changeable = True
include_role = False
module_defaults = True
module_defaults_indent = -1
elif module_defaults:
_indent = get_indent(line)
if module_defaults_indent == -1:
module_defaults_indent = _indent
if _indent == module_defaults_indent:
# only module, no YAML anchor or alias
match = po_module.search(line)
if match and match.group(1) in ALL_MODULES:
line = po_module.sub(pattern_module, line)
changed = True
# module with YAML anchor or alias
match = po_module_arg.search(line)
if match and match.group(1) in ALL_MODULES:
line = po_module_arg.sub(pattern_module_arg, line)
changed = True
elif changeable and stripped.startswith("- role:"):
line = po2.sub(pattern2, line)
changed = True
match = po_role.search(line)
if match and match.group(2) in ROLES:
line = po_role.sub(pattern_role, line)
changed = True
elif (changeable and stripped.startswith(project_prefix)
and not stripped.startswith(collection_prefix) # noqa
and stripped.endswith(":")): # noqa
line = po1.sub(pattern1, line)
changed = True
changeable = False # Only change first line in task
match = po_module.search(line)
if match and match.group(1) in ALL_MODULES:
line = po_module.sub(pattern_module, line)
changed = True
changeable = False # Only change first line in task
elif (stripped.startswith("- %s" % project_prefix)
and stripped.endswith(":")): # noqa
line = po1.sub(pattern1, line)
changed = True
match = po_module_unnamed.search(line)
if match and match.group(1) in ALL_MODULES:
line = po_module_unnamed.sub(pattern_module_unnamed, line)
changed = True
out_lines.append(line)

2
utils/gen_modules_docs.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
for i in roles/ipa*/*/*.py; do
python utils/gen_module_docs.py "$i"

2
utils/lint_check.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -eu
INFO="\033[37;1m"
WARN="\033[33;1m"

Some files were not shown because too many files have changed in this diff Show More