internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-13 21:12:02 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: internet:v1.10.0
Branches Tags
internet:master internet:run_collection_playbooks internet:validate_emaildomain internet:0.4 internet:automember_verify_condition_keys internet:ipaautomember_documantation_fix internet:fix_image_build internet:t-woerner-permission-typo1 internet:fix-role-readme-title-1 internet:fix-role-readme-title internet:t-woerner-group-readme-external internet:fix_logger_info_calls
internet:v1.16.0 internet:v1.15.1 internet:v1.15.0 internet:v1.14.7 internet:v1.14.6 internet:v1.14.5 internet:v1.14.4 internet:v1.14.3 internet:v1.14.2 internet:v1.14.1 internet:v1.14.0 internet:v1.13.2 internet:v1.13.1 internet:v1.13.0 internet:v1.12.1 internet:v1.12.0 internet:v1.11.1 internet:v1.11.0 internet:v1.10.0 internet:v1.9.2 internet:v1.9.1 internet:v1.9.0 internet:v1.8.4 internet:v1.8.3 internet:v1.8.2 internet:v1.8.1 internet:v1.8.0 internet:v1.7.0 internet:v1.6.3 internet:v1.6.2 internet:v1.6.1 internet:v1.6.0 internet:v1.5.3 internet:v1.5.2 internet:v1.5.1 internet:v1.5.0 internet:v0.4.2 internet:v0.4.1 internet:v0.4.0 internet:v0.3.8 internet:v0.3.7 internet:v0.3.6 internet:v0.3.5 internet:v0.3.4 internet:v0.3.3 internet:v0.3.2 internet:v0.3.1 internet:v0.3.0 internet:v0.2.1 internet:v0.2.0 internet:v0.1.12 internet:v0.1.11 internet:v0.1.10 internet:v0.1.9 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0
..
compare: internet:validate_emaildomain
Branches Tags
internet:master internet:run_collection_playbooks internet:validate_emaildomain internet:0.4 internet:automember_verify_condition_keys internet:ipaautomember_documantation_fix internet:fix_image_build internet:t-woerner-permission-typo1 internet:fix-role-readme-title-1 internet:fix-role-readme-title internet:t-woerner-group-readme-external internet:fix_logger_info_calls
internet:v1.16.0 internet:v1.15.1 internet:v1.15.0 internet:v1.14.7 internet:v1.14.6 internet:v1.14.5 internet:v1.14.4 internet:v1.14.3 internet:v1.14.2 internet:v1.14.1 internet:v1.14.0 internet:v1.13.2 internet:v1.13.1 internet:v1.13.0 internet:v1.12.1 internet:v1.12.0 internet:v1.11.1 internet:v1.11.0 internet:v1.10.0 internet:v1.9.2 internet:v1.9.1 internet:v1.9.0 internet:v1.8.4 internet:v1.8.3 internet:v1.8.2 internet:v1.8.1 internet:v1.8.0 internet:v1.7.0 internet:v1.6.3 internet:v1.6.2 internet:v1.6.1 internet:v1.6.0 internet:v1.5.3 internet:v1.5.2 internet:v1.5.1 internet:v1.5.0 internet:v0.4.2 internet:v0.4.1 internet:v0.4.0 internet:v0.3.8 internet:v0.3.7 internet:v0.3.6 internet:v0.3.5 internet:v0.3.4 internet:v0.3.3 internet:v0.3.2 internet:v0.3.1 internet:v0.3.0 internet:v0.2.1 internet:v0.2.0 internet:v0.1.12 internet:v0.1.11 internet:v0.1.10 internet:v0.1.9 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0

410 Commits
v1.10.0 ... validate_e

Author SHA1 Message Date
Rafael Guterres Jeffman
22700620c6 ipaconfig: Validate emaildomain 
When setting the default email domain, there was no validation on the
provide value. Using ipapython.validate.Email applies the same
validation method as implemented in IPA.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
 2025-03-05 16:49:11 -03:00
Rafael Guterres Jeffman
e8688d4cf5 Merge pull request #1337 from t-woerner/ipagroup_fix_externalmember_client_context_fail 
ipagroup: Fix test for externalmember use in client context
 2025-02-04 11:54:15 -03:00
Thomas Woerner
d540be425a ipagroup: Fix test for externalmember use in client context 
The test has been changed with the management fix for AD objects. The
conditional was lacking brackets and therefore did not properly work.
The brackets have been added.

Related: https://issues.redhat.com/browse/RHEL-70023
 2025-02-04 12:32:42 +01:00
Thomas Woerner
c1d7ed1df6 Merge pull request #1335 from rjeffman/ipagroup_fix_1 
ipagroup: Fix management of AD objects
 2025-02-03 13:43:35 +01:00
Thomas Woerner
0fc8ddf450 Merge pull request #1327 from rjeffman/remove_unsupported_systems 
Remove 'vars' files of unsupported distributions
 2025-02-03 12:58:16 +01:00
Rafael Guterres Jeffman
012f0deb00 Remove 'vars' files of unsupported distributions 
This patch removes 'vars' files from roles for unsupported distributions
and change minimum supported Fedora to version 40+.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
 2025-01-31 12:45:45 -03:00
Thomas Woerner
f27b0e3011 Merge pull request #1334 from rjeffman/update_c10s_image 
Update c10s image
 2025-01-31 16:03:32 +01:00
Rafael Guterres Jeffman
8b4b22dd00 Use non-development CentOS 10 Stream image 
As the official, non-development, CentOS 10 Stream image is available,
ansible-freeipa tests must use it instead of the centos-development one.
 2025-01-31 11:32:59 -03:00
Rafael Guterres Jeffman
91c4b83311 Configure yamllint to be compatible with ansible-lint 
Current version of ansible-list pre-commit hook required changes in the
ansible-freeipa yamllint configuration and these changes triggered
issues in the current playbooks on roles and tests.

This patch adds the required changes to yaml lint configuration and
fixes the affected playbooks.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
 2025-01-31 11:32:59 -03:00
Rafael Guterres Jeffman
6925503a10 ipagroup: Fix management of AD objects 
When using AD objects, a user expects to use the more human readable
form, like "user@ad.domain", but this impose some dificulties on
evaluating which object is being referenced as AD has several forms to
refer to the same object.

Each object is AD is identified uniquely by its SID, and this is the
identifier that IPA stores in its database. When managing AD objects,
IPA finds its SID and works with that value.

ansible-freeipa tried to process these objects using the human readable
values, and it cause idempontence error when ensuring the values were
present or modified, and, at least in some cases, prevented the objects
to be made absent, as the object list created didn't match the SID to
the value used as module parameter.

By using SID to process the AD objects in ipagroup, the addition or
removal of members works and idempotence of these members is ensured.

The only issue with thils approach is that it only works no server
nodes. In client nodes, the conversion to SID is not available and the
same issues that existed before will still be present.

Tests were updated to reflect these changes, a new test, specific to
idempotence issues of AD objects was added:

   tests/group/test_group_ad_users.yml

Resolves: https://issues.redhat.com/browse/RHEL-70023
 2025-01-31 10:29:48 -03:00
Thomas Woerner
0da0b22ae7 Merge pull request #1336 from rjeffman/idoverrideuser_client_context_test 
tests/idoverrideuser: Fix client context test when running on client
 2025-01-31 13:00:32 +01:00
Rafael Guterres Jeffman
f5f454915c tests/idoverrideuser: Fix client context test when running on client 
When running test_idoverrideuser_client_context.yml on a client host, it
tried to run a task that does not have the required fields and fails
the test.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
 2025-01-29 00:56:56 -03:00
Rafael Guterres Jeffman
8581b79eba tests: Improve FreeIPA facts 
This patch improves tests/env_freeipa_facts.yml by ensuring
ipaserver_realm is set, making AD server availability discoverable, and
allowing playbooks to run with 'gather_facts: false' by gathering
minimal facts.
 2025-01-29 00:41:38 -03:00
Rafael Guterres Jeffman
a9602431ce ansible_freeipa_module_utils: Add functions to handle objects SID 
When managing AD objects the SID of the objects are stored in FreeIPA
database, but a user would still use the human readable values, like
"AD\\user" or "user@ad.domain". This can cause idempotence issues in
many cases, and prevent some actions to be performed, like ensure
absence of the object.

The methods added allow the conversion of one or multiple objects, and
will be used by any module that manages AD objects.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
 2025-01-29 00:41:38 -03:00
Rafael Guterres Jeffman
9195494f37 Merge pull request #1243 from t-woerner/ipareplica_ip_addresses_use_for_client 
ipareplica: Pass ipareplica_ip_addresses to client deployment part
 2024-12-12 10:00:09 -03:00
Thomas Woerner
81abf6889b ipareplica: Pass ipareplica_ip_addresses to client deployment part 
The IP addresses set with ipareplica_ip_addresses have not been passed
to ipaclient role for client deployment part. This resulted in not
setting the IP addresses.

The description for ipareplica_ip_addresses in the ipareplica README and
also the role modules was wrong and have been fixed to "List of IPA
replica IP addresses".

Related: https://pagure.io/freeipa/issue/7405

Resolves: https://github.com/freeipa/ansible-freeipa/issues/1244
 2024-12-12 12:10:56 +01:00
Thomas Woerner
81906edec6 Merge pull request #1322 from rjeffman/rhel70023 
ipagroup: Correctly handle externalmember in member actions
 2024-12-12 12:02:37 +01:00
Thomas Woerner
5071653db3 Merge pull request #1321 from rjeffman/rhel-68439 
ipasudorule: Evaluate all members related to hosts and users
 2024-12-12 11:27:01 +01:00
Rafael Guterres Jeffman
df4ec30a51 ipasudorule: Evaluate all members related to hosts and users 
When handling users and hosts is ipasudorule we were missing nome entry
attributes returned from FreeIPA, which would cause the add/del lists to
be incorrectly generated.

By adding the proper lists, both attributes are handled correctly.

A new test to verify the fix is added:

    tests/sudorule/test_sudorule_user_host_external.yml

Fixes https://issues.redhat.com/browse/RHEL-68439
 2024-12-11 10:56:11 -03:00
Thomas Woerner
73160a037b Merge pull request #1323 from rjeffman/rhel70021 
ipacert: Revoking with  removeFromCRL should be handled as cert release
 2024-12-11 14:54:59 +01:00
Rafael Guterres Jeffman
b7ed9ecfd5 Merge pull request #1324 from t-woerner/no_role_plugin_duplicates 
utils/build-galaxy-release.sh: Do not create duplicates for role plugins
 2024-12-11 10:29:07 -03:00
Thomas Woerner
a4f608854d ansible_ipa_server.py: Calm down ansible-test "metaclass-boilerplate" 
ansible-test sanity test "metaclass-boilerplate" fails now to recognize
the line "__metaclass__ = type" if there is a pylint disable comment
appended to the same line to not fail on using bad class naming.

The pylint disable comment has been moved to an extra preceding line and
an additional enable commend has been added after the metaclass line.
 2024-12-11 14:19:09 +01:00
Thomas Woerner
8e6c5e566d utils/build-galaxy-release.sh: Do not create duplicates for role plugins 
This change reduces the size of the Ansible collection and removes unused
files.

While creating the collection, the role plugins have been linked into the
global plugin folders, but a subsequent sed call replaced the links with
changed files. The original files have also been changed with another sed
call in the same way. This resulted in the duplication of the changed
files.

The plugins of the roles are now moved into the global plugin folders and
only changed there. The now empty plugin folders in the roles are
removed.
 2024-12-10 17:12:09 +01:00
Rafael Guterres Jeffman
431dc8667a ipagroup: Correctly handle externalmember in member actions 
When creating the lists of external members, the attribute
'ipaexternalmember' also needs to be added to the list of external
members that are part of the group object for external groups.

A test to verify the correct behavior was added and the test suite for
group external members have been cleaned up with 'yes' values changed to
'true' and the use of module_defaults.
 2024-12-10 08:25:49 -03:00
Rafael Guterres Jeffman
bc16ccaef7 ipacert: Revoking with removeFromCRL should be handled as cert release 
When a revoked certificate with reason 6 (certificateHold) is revoked
with reason 8 (removeFromCRL), the effect is that the certificate is
valid again, as it is the same procedure as 'state: release'.

This is, at least, the behavior with IPA CLI comands, which is
implemented by this patch.

A new test is added to verify this behavior:

    tests/cert/test_cert_remove_hold_with_removeFromCRL.yml
 2024-12-05 15:42:58 -03:00
Thomas Woerner
227c95e62e Merge pull request #1319 from rjeffman/fix_show_broad_exception 
modules: Do not hide errors using IPA *_show command with Exception
 2024-12-03 15:09:14 +01:00
Rafael Guterres Jeffman
5abb515c92 utils/templates: Use ipalib_errors.NotFound instead of Exception 
Modify the plugin templates so that the code generated does not hide
errors when querying IPA wih *_show command by handlig only the exeption
where an object is not found.
 2024-12-02 23:27:56 -03:00
Rafael Guterres Jeffman
1c4b50fa51 modules: Do not hide errors using IPA *_show command with Exception 
When searching for objects with *_show IPA API command, most plugins
were hiding errors other than "ipalib_errors.NotFound" by handling the
broad exception Exception instead.

This patch uses "ipalib_errors.NotFound" whenever "*_show" is used so
that the only exception handled is when an object is not found. Other
errors will not be handled making the module break as expected.
 2024-12-02 22:58:51 -03:00
Rafael Guterres Jeffman
8fc2de1673 Merge pull request #1318 from t-woerner/testing_container_create_enable_cap_sys_admin 
infra/image: Use SYS_ADMIN capability for server deployment
 2024-12-02 14:41:35 -03:00
Thomas Woerner
8d74fe34ef Enable c10s testing for PRs and nightly and after merge testing 2024-12-02 15:38:39 +01:00
Thomas Woerner
87ad46f7a4 Enable to build c10s test container image 2024-12-02 15:11:48 +01:00
Thomas Woerner
4c3f4e6f7d infra/image: Use SYS_ADMIN capability for server deployment 
This adds the capabilities SYS_ADMIN and SYSLOG to the container_create
call in build.sh as long as server deployment has been enabled.

The privileged option has been removed as it is no longer needed.

The hostnamectl-wrapper for the container has been removed as it is no
longer needed.
 2024-12-02 15:06:44 +01:00
Rafael Guterres Jeffman
489f4d5784 Merge pull request #1316 from t-woerner/c10s_niddomainname 
infra/image/dockerfile/c10s: Fix client part deployment for the server
 2024-11-29 08:39:21 -03:00
Rafael Guterres Jeffman
29fc03c625 Merge pull request #1315 from t-woerner/container_copy_fetch 
infra/image/shcontainer: New container_copy and container_fetch
 2024-11-28 11:02:44 -03:00
Rafael Guterres Jeffman
651337541a Merge pull request #1317 from t-woerner/minimum_ansible_2_14 
Change minimum Ansible version to 2.14
 2024-11-26 10:16:04 -03:00
Thomas Woerner
e61b8db66c Change minimum Ansible version to 2.14 
RHEL-9 is still using ansible-core 2.14.
 2024-11-26 11:56:24 +01:00
Thomas Woerner
2dc1deeb87 infra/image/dockerfile/c10s: Fix client part deployment for the server 
The client part deployment fails in the configuration of NIS. The command
/usr/bin/nisdomainname is failing in a container in this task as the
container is not privileged.

The hostnamectl-wrapper is copied from the freeipa-container container
project to replace /usr/bin/nisdomainname in the container.
 2024-11-19 15:54:03 +01:00
Thomas Woerner
82a53b9ae4 infra/image/shcontainer: New container_copy and container_fetch 
container_copy can be used to copy a file to the container,
container_fetch can be used to copy a file from the container.

For more information, please have a look at the podman-cp man page.
 2024-11-19 15:08:46 +01:00
Thomas Woerner
d580431832 Merge pull request #1290 from rjeffman/multiple_sudorule 
ipasudorule: Add support for batch mode and multiple sudorules
 2024-11-19 14:55:40 +01:00
Rafael Guterres Jeffman
6c94fe9bd5 tests/sudorule: Don't become or gather_facts and use only true/false 
Unless there's a real need to use privileged access or to gather Ansible
facts upfront, we should always set "become: false" and
"gather_facts: false". In the case that only a few Ansible facts are
required, 'ansible.builtin.setup' with 'gather_subset' should be used.

As the YAML 1.2 standard dictates, boolean values should only use 'true'
or 'false' values.

This patch fixes these issues in the 'sudorule' test suite.
 2024-11-18 11:59:51 -03:00
Rafael Guterres Jeffman
4fa0621156 ipasudorule: Add support for batch mode and multiple sudorules 
Currently, ipasudorule must add or modify a single sudorule at a time,
incurring in more load in the server if there are many rules to be
processed.

This patch adds suport for adding multiple sudorules in one playbook
task by using the parameter 'sudorules' and defining a list of sudorules
configurations to be ensured.

As multiple sudorules will be processed, the patch also enables batch
mode processing of sudorules, trying to reduce the load on the server.

Test 'tests/sudorule/test_sudorule_client_context.yml' was modified to
include tasks with 'sudorules' to be executed both on the server or on
the client context.

New tests were added to the sudorule test suite:

    tests/sudorule/test_sudorules.yml
    tests/sudorule/test_sudorules_member_case_insensitive.yml
 2024-11-18 11:59:21 -03:00
Rafael Guterres Jeffman
da775a21b2 ansible_freeipa_module_utils: Add EntryFactory class 
This patch adds the class EntryFactory to the ansible-freeipa module
utils. This class allows the handling of modules with multiple object
entries as list of objects. When the multi-object parameter is not used,
it creates a list of a single object, allowing for the same code idiom
to be used.

The entries created can be used both as objects, by acessing the values
as properties, or as dictionaires, by accessing the elements as
key-value pairs.
 2024-11-15 08:43:19 -03:00
Thomas Woerner
5a774d2612 Merge pull request #1306 from rjeffman/use_azure_loops 
upstream CI: Use Azure 'loops' to create stages
 2024-11-13 16:24:29 +01:00
Rafael Guterres Jeffman
3e405fd08d upstream CI: Use Azure 'loops' to create stages 
This patch modify the pipelines to create stages using the 'each'
expression on Azure pipelines, so that the configuration and the list of
distributions can be set using variables.

Testing CentOS 8 Stream and Galaxy collections still need to be handled
in a separate group, although, the pipeline configuration becomes easily
changed, specially when updating Ansible versions.
 2024-11-13 11:08:36 -03:00
Thomas Woerner
cb3226910b Merge pull request #1311 from rjeffman/consistent_cli_arguments 
infra/image/build.sh: Use consistent options for hostname
 2024-11-12 12:45:30 +01:00
Rafael Guterres Jeffman
a96611fb3f infra/image/build.sh: Use consistent options for hostname 
This patch makes the CLI argument for setting the image hostname
consistent with 'start.sh', settling on '-n HOSTNAME' for both scripts.
 2024-11-12 08:35:46 -03:00
Thomas Woerner
e92f09b920 Merge pull request #1308 from rjeffman/mv_set_test_modules 
upstream CI: Move scripts that evaluate repo changes to infra/azure
 2024-11-07 10:14:50 +01:00
Thomas Woerner
97b0638f30 Merge pull request #1310 from rjeffman/remove_pydocstyle 
linters: Remove pydocstyle from linter checks
 2024-11-07 10:04:21 +01:00
Rafael Guterres Jeffman
24569b850a linters: Remove pydocstyle from linter checks 
Pydocstyle has been deprecated is no longer in development. It is also
not a requirement for Ansible tests.

This patch removes pydocstyle from current checks performed.
 2024-11-06 15:15:53 -03:00
Rafael Guterres Jeffman
08a2ba1592 Merge pull request #1281 from t-woerner/multi_user_test_generate_test_data 
tests/user/test_users_present_*: Use new generate_test_data.yml
 2024-11-04 14:19:19 -03:00
Rafael Guterres Jeffman
3d5ff1f5fd Merge pull request #1298 from t-woerner/fixipaip_no_hard_coded_adminpassword 
fixipaip infra image service: No need for hard coded admin password
 2024-11-04 14:09:00 -03:00
Rafael Guterres Jeffman
2b28626012 Merge pull request #1275 from t-woerner/drop_superfluous_test_services_absent 
test_services_absent is also part of test_services_present, not needed
 2024-11-04 14:06:58 -03:00
Thomas Woerner
7c7d98872e Merge pull request #1309 from rjeffman/update_fedora_41 
Update images to Fedora 41
 2024-11-04 15:38:15 +01:00
Rafael Guterres Jeffman
8956a7a1dd build images: Force use --privileged on containers 
Deploying FreeIPA in the testing containers requires privileged access.
 2024-11-04 11:21:08 -03:00
Rafael Guterres Jeffman
25577fa9bc build images: Update images for Fedora 41 
Fedora has released version 41, which was the previous 'rawhide'
version, and now the 'fedora-latest' requires dnf5 related packages.
 2024-11-04 11:21:08 -03:00
Rafael Guterres Jeffman
f6bd62feb4 upstream CI: Move scripts that evaluate repo changes to infra/azure 
All scripts related to the Azure CI now reside on inrfa/azure, but the
scripts that evaluate the changes made against ansible-freeipa's main
development branch.

This patch move these scripts to the proper locations.
 2024-10-31 19:17:20 -03:00
Thomas Woerner
33c1c00643 Merge pull request #1300 from rjeffman/update_upstream_ci 
Fix upstream CI and remove molecule
 2024-10-31 15:23:41 +01:00
Rafael Guterres Jeffman
0f530df092 upstream CI: Update Ansible version 
ansible-core versions 2.15 and 2.16 and used for all pipelines, but
version 2.17 is not used for CentOS 8 Stream, as platform python on
this version is 3.6 which is not supported in this ansible-core version.
 2024-10-31 11:06:41 -03:00
Rafael Guterres Jeffman
a707d1887d upstream CI: Use Ubuntu 24.04 to build test images 2024-10-31 11:06:41 -03:00
Rafael Guterres Jeffman
e1786c9ddc upstream CI: Enable creation of CentOS 10 Stream images 2024-10-31 11:06:41 -03:00
Rafael Guterres Jeffman
367d30a30c upstream CI: Simplify pipelines enviroment creation 
Several optimizations have been done to the pipelines, to make them
closer to what can be reproduced, with the existing scripts, in a
development environment:

- Use start.sh and build.sh scripts to build and start containers
- Use variables to configure different stages instead of using separate
  files
- Use a commom 'prepare_environment' to create the environment for every
  pipeline
- Use a single file defining testing steps (run_tests.yml)
- Remove Centos 7 pipelines
- Reduce the number of pipelines in the test matrix due to the amount of
  time that tests were using
- Use Azure "loop" (each) to create test groups

The above changes make the pipelines easier to understand and modify.
 2024-10-31 11:06:41 -03:00
Rafael Guterres Jeffman
77c34aeca2 upstream ci: Move Azure scripts to infra directory 
Move Azure scripts to infra directory, as only roles and modules test
playbooks should exist in the tests directory.
 2024-10-31 11:06:41 -03:00
Rafael Guterres Jeffman
5b33cb5e80 Remove molecule dependencies 
For some time now, we had some issues with molecule when building test
images for ansible-freeipa, and replaced the image creation with custom
build scripts that use commom container tools (like Dockerfiles and the
build command).

As there's no more tasks that require the use of molecule, this patch
removes the last bits used by it, and fixes documentation and lint
scripts and configuration.
 2024-10-31 11:06:41 -03:00
Rafael Guterres Jeffman
c979843b1a upstream CI: Allow podman options when creating containers 
When using containers to test ansible-freeipa there's a need to deal
with 'podman' the development environment and the Azure environment. In
the Azure environment, with Ubuntu hosts, using 'cap-add' does not allow
FreeIPA to be installed on the containers, and they need to be executed
with privileged mode. On the other hand, on development environments,
such as recent Fedora hosts, there's no need to run the container with
extra privileges.

This patch modifies the utility function 'container_create' to allow the
usage of key-value argumes such as "cpus=4" and "privileged", that will
be used in the container creation.

The currently available options are "privileged", "cpus", "memory" and
"hostname". By default "cpus=2" and "hostname=ipaserver.test.local".

Also, too make the image build script more self-contained, if the
required Ansible collections are not installed, they will be temporarily
installed so that the image can be built.
 2024-10-31 11:06:41 -03:00
Rafael Guterres Jeffman
a8ce235261 utils/set_test_modules: Allow to ignore Git differences 
To force setting the IPA_ENABLE_* variables to run all tests, source the
script using '-I' or set the environment variable SKIP_GIT_TESTS to
'True'.

This will allow the correct selection of Azure pipelines tests to be
based on a single environment variable, what will reduce the number of
test running templates to a singe file.
 2024-10-30 16:40:26 -03:00
Thomas Woerner
bdcc8153f8 Merge pull request #1305 from rjeffman/ipacert_testfix_key_size 
ipacert: Fix ipacert tests
 2024-10-30 14:15:38 +01:00
Rafael Guterres Jeffman
57bc35df80 ipacert: Fix ipacert tests 
It seems that in recent versions, a minimum of 2048 bits for RSA keys
are required to request a certificate. This seems to be enforced by
crypto policies.

By adjusting the key size all ipacert tests pass.
 2024-10-30 08:19:53 -03:00
Thomas Woerner
a2f59e1a34 Merge pull request #1285 from offdutypirate/fix-doc-typos 
fix minor typo in hbacrule and hbacsvcgroup docs
 2024-10-14 13:08:49 +02:00
Rafael Guterres Jeffman
16636de681 Merge pull request #1268 from t-woerner/ipauser_use_date_string 
ipauser: Use date string, not datetime object for expiration dates
 2024-10-11 15:30:01 -03:00
Thomas Woerner
55ec25a759 ipauser: Use date string, not datetime object for expiration dates 
So far a datetime object was created for the expiration dates
krbpasswordexpiration and krbprincipalexpiration. This resulted in also
sending these objects to the API. With this change, the dates are
converted into strings using the LDAP_GENERALIZED_TIME_FORMAT defined in
ipalib.constants. This way only strings are used with the IPA API.

A new function has been added to ansible_freeipa_module:

- date_string: Convert datetime to gernalized time format string

This fuction is used on the result of user_show to convert the
expiration dates to the gernalized time format string.

The existing function date_format in ansible_freeipa_module has been
renamed to convert_date and fixed in the way that it also uses
date_string to return a gernalized time format string and not a
datetime object. This function was only used in the ipauser module so
far.
 2024-10-11 15:52:02 +02:00
Thomas Woerner
2b10256575 test_services_absent is also part of test_services_present, not needed 
This test is not needed as it is already part of test_services_present.
 2024-10-11 15:51:39 +02:00
Thomas Woerner
907650c746 tests/user/test_users_present_*: Use new generate_test_data.yml 
The new generate_test_data.yml is creating the test data with
ansible.builtin.shell and is not calling shell scripts any more. The
generation in the yml file and also the set_fact calls make sure that
the test data is used.
 2024-10-11 15:51:14 +02:00
Thomas Woerner
b128a5cb9f fixipaip infra image service: No need for hard coded admin password 
The admin password is not needed for the system service as it running
as root. The use of `-e in_server=true` is sufficient for all ipa calls.
 2024-10-11 15:50:09 +02:00
Rafael Guterres Jeffman
220c4f0016 Merge pull request #1299 from t-woerner/pylint_github_workflow_disable_too-many-positional-arguments 
pylint gihub workflow: Disable too-many-positional-arguments
 2024-10-11 10:27:52 -03:00
Thomas Woerner
7f1df9d8f8 pylint gihub workflow: Disable too-many-positional-arguments 
This change disables the too-many-positional-arguments message for the
pylint github workflow.
 2024-10-11 14:48:59 +02:00
Rafael Guterres Jeffman
75d8ea283f Merge pull request #1292 from t-woerner/new_infra_image_start 
New infra image start
 2024-10-08 18:56:58 -03:00
Thomas Woerner
91a3013513 Add ansible-freeipa-tests inventory using podman 
This inventory file is usable for the containers started with
infra/image/start.sh.
 2024-10-02 13:44:09 +02:00
Thomas Woerner
85ef81c842 infra/image/system-service/fixipaip.sh: Behave idempotent 
This makes sure that the service is not failing on already applied
modifications.
 2024-10-02 13:44:09 +02:00
Thomas Woerner
ad44f11887 infra/image/build.sh: "-s" help fix and cleanup 
The help has been fixed for the -s option and the comments about how to
start the container later on has been removed as there will be a script
that is handling this..
 2024-10-02 13:44:09 +02:00
Thomas Woerner
80693c431a Use container-ipa.target from freeipa-container container project 
This reduces the number of started services in the container. The
fixipaip.service needed to be adapted to ensure that the service is
started properly.

The dockerfiles have been adapted for this change also.
 2024-10-02 13:44:09 +02:00
Thomas Woerner
9ebc365d69 Renamed infra/image/inventory to build-inventory, dropped interpreter 
This change also removed ansible_python_interpreter setting in the
inventory as the interpreter should be discovered by ansible for the
distributions.

The dockerfiles have been adapted to not force the installation of
python3 for CentOS-Stream 8, 9 and 10.
 2024-10-02 13:44:09 +02:00
Thomas Woerner
50ba326ed8 infra/image/build.sh: Use new shcontainer 
This removes a lot of duplicate code from the script.
 2024-10-02 13:44:09 +02:00
Thomas Woerner
691e5915b9 New infra/image/start.sh script to start the generated containers 
The script will try to get the latest image from quay to start it. With
the -l option it will try to use a local image first. This is for example
useful to test changes in the images build script locally.

This also adds infra/image/shcontainer. Some of the content is copied
from utils/shcontainer.
 2024-10-02 13:43:37 +02:00
f-trivino
178cf218b9 Merge pull request #1284 from t-woerner/infra_image_system_services_dns_and_kinit 
Infra image system services dns and kinit
 2024-08-07 15:33:34 +02:00
Thomas Woerner
36f26bdf63 infra/image/system-service/fixipaip.sh: Use of admin for kinit call 
The kinit call have been missing the principal.
 2024-08-07 14:58:24 +02:00
Thomas Woerner
e2bdbeef6d infra/image system-services: Fix DNS forwarder 
The DNS forwarder is set while deploying the IPA server. This forwarder
might not be correct later on.

The old /etc/resolv.conf is copied to /etc/resolv.conf.fixnet by the
fixnet service and later on the fixipaip service is trying to get the
nameserver from the copied file. If the retrieval failed of if the
namesever is 127.0.0.1, then the nameserver will be set to 8.8.8.8.

After fixing the IP addresses for the forward and reverse zone, also the
forwarder is set for the dnsserver "${HOSTNAME}".
 2024-08-07 14:58:09 +02:00
f-trivino
88dc4c6923 Merge pull request #1282 from t-woerner/infra_image_enhance_system_services 
infra/image/system-services: Enhance checks, also fix reverse zone
 2024-08-07 10:54:29 +02:00
Thomas Woerner
e05fbce04c infra/image/system-services: Enhance checks, also fix reverse zone 
Checks for IPv4 addresses have been added and reverse zone handling
for fixipaip.sh

The services are logging StandardOutput and StandardError to journal
now.
 2024-08-07 10:50:10 +02:00
Jon Moore
c2ff12b101 fix minor typo in hbacrule and hbacsvcgroup docs 
Signed-off-by: Jon Moore <jonmoore@redhat.com>
 2024-08-06 16:03:21 -05:00
f-trivino
7dbe6edbf0 Merge pull request #1276 from t-woerner/run_containers_ubuntu_24_04_test 
Run tests with podman and ubuntu 20.04
 2024-08-02 18:35:59 +02:00
Thomas Woerner
02ba890eb4 tests/utils.py: Shorten run_playbook for smaller traceback with assert 
Most of the content has been moved to the new function _run_playbook to
reduce the traceback output in the case of a test failure.
 2024-08-02 17:21:58 +02:00
Rafael Guterres Jeffman
8515c9a48b upstream ci: Remove 'molecule' from tests. 
This patch removes 'molecule' as a dependency for tests, by using the
scripts under `utils` to setup the environment.

By not using molecule, we have more flexibility on using either docker
or podman as the container engine, and makes it easy to reproduce the
environment on different distros, allowing for a more consistent error
reproduction off Azure.
 2024-08-02 17:21:58 +02:00
Rafael Guterres Jeffman
94311f439c gitignore: Ignore test results from run-tests.sh 2024-08-02 17:21:58 +02:00
Rafael Guterres Jeffman
7aa9483b2c tests: Allow to set Python interpreter to be used by Ansible 
On some systems it is required or desired to run Ansible with a specific
Python interpreter. This patch allows the selection of the Python binary
to use for the pytest playbook tests by setting the environment variable
IPA_PYTHON_PATH. Set it the the full path of the Python interpreter.
 2024-08-02 17:21:47 +02:00
Rafael Guterres Jeffman
68bca84481 utils: Rewrite run-tests.sh to use functions and extenal scripts 
To modify Azure tests and depend on shell scripts and pytest instead
of molecule, the run-tests.sh script has been rewritten to depend on
bash functions and on a bash script that prepare and start a testing
container.

This patch adds a new script, 'utils/setup_test_container.sh' that
can be used to start a new container, using either podman or docker,
based on the available ansible-freeipa images. The new container can
then be used to run ansible-freeipa tests against it.

Also the following files with bash functions were added, and are
used by both scripts:

    utils/shansible: Functions to run playbooks in the container
    utils/shcontainer: Functions to setup/run a container
    utils/shfun: Generic shell helper functions (e.g.: log)
 2024-08-02 17:19:39 +02:00
Thomas Woerner
c9010d52ef Merge pull request #1280 from keestux/fix/ipahost-documentation-correction 
README-host.md: correction of managedby_host description
 2024-08-02 17:04:48 +02:00
f-trivino
0c6a7c8a14 Merge pull request #1273 from t-woerner/new_image_build_with_podman 
New image builder without molecule using podman
 2024-07-31 17:09:21 +02:00
Thomas Woerner
0d246b1c11 infra/image/build.sh: Fail if deployment failed or podman is missing 
If the deployment was enabled and failed, the script still continued
without failing. If podman was missing it failed without a proper error.

The script now fails and does not enable the services and also does not
commit after the failed deployment. Also is fails if podman is missing.
 2024-07-31 16:10:02 +02:00
Rafael Guterres Jeffman
785681f100 ci lint: Allow ShellCheck to test source-d scripts. 
As the scripts 'utils/run-tests.sh' and 'utils/setup_test_container.sh'
use some scripts as function libraries, this change forces shellcheck to
also verify those scripts.
 2024-07-31 16:10:02 +02:00
Rafael Guterres Jeffman
480c83f504 fixup! New image builder without molecule using podman 2024-07-31 16:10:02 +02:00
Rafael Guterres Jeffman
928ed30b8b ustream ci: Use infra scripts to build testing images 
As we do not use molecule features, using a Dockerfile and the
ansible-freeipa deployment roles is enough to create the container
testing images.

This patch removes the usage of molecule in favor of the custom
ansible-freeipa image building script, which allow us to have a similar
process for creating images both on the ustream CI, or on a developer's
environment.

Also, CentOS 7 is removed from the build script, as it in not possible
to run CentOS 7 containers with current versions of systemd.
 2024-07-31 16:10:02 +02:00
Rafael Guterres Jeffman
fb6fed58cb rjeffman: this is a fixup for infra/images/build.sh 
This patch modifies the image building script by adding:

- An usage message.
- An option "-I" to NOT install IPA to the generated container.
- An opiton "-c NAME" to both set the name and use an existing container
  to ONLY install IPA.
- Rename "scenario" to "DISTRO" as "scenario" should be used for the
  container scenario usage, rather than the distro (I'll change the name
  also in the Azure scripts)
- Use 'log' (from shlog) to print messages.
 2024-07-31 16:10:02 +02:00
Rafael Guterres Jeffman
b0e03a032d Add shell utitily functions for scripts 
Add two shell libaries with utilities to write shell scripts.

The 'utils/shlog' file provides macro names for ANSI escape sequences to
control color output on terminals, a 'log' functions with pre-defined
behavior for ERROR, WARN, DEBUG, INFO and SUCCESS level messages, and
the 'quiet' function which executes a command and hides its output.

The 'utils/shfun' file provides an interruptinon handler for SIGINT, and
the following functions:

- run_if_exists: run a command if it is available
- cleanup: cleanup environment, possibly stopping a container and a
  Python virtual environment.
- start_virtual_environmnt: initiates a Python virtual environment
- in_python_virtualenv: test if the script is running inside a Python
  virtual environment
- die: abort the script with an error message end exit code 1

New files:

  - utils/shlog
  - utils/shfun
 2024-07-31 16:10:02 +02:00
Thomas Woerner
7ac0ec6bd4 tests/azure/templates/build_container.yml: Use new image builder 
The new infra/image/build.sh script is used instead of molecule.
 2024-07-31 16:10:02 +02:00
Thomas Woerner
8153239ef7 New image builder without molecule using podman 
The new image builder is not using molecule and uses podman directly for
the generation of the ansible-test images.

Two additional services are installed to simplify the use of the
container in the test:

- fixnet.service uses /root/fixnet.sh to fix IP address of the server in
  /etc/hosts and to set localhost as the nameserver.
  This service is executed before IPA is started. This eliminates the
  need to restart the IPA server after the container has been started
  and the IPs have been fixed.
- fixipaip.service uses /root/fixipaip.sh to fix the IP address of the
  IPA dnsrecords of server and ipa-ca.

With these services it is now only needed to wait till all services in
the container are started. There is no need to restart the IPA server
anymore. Simply use something like this before starting the tests:

    while [ -n "$(podman exec ansible-test systemctl list-jobs | grep -vi 'no jobs running')" ]; do echo "waiting.."; sleep 5; done

New files
- infra/image/build.sh
- infra/image/dockerfile/c8s
- infra/image/dockerfile/c9s
- infra/image/dockerfile/c10s
- infra/image/dockerfile/fedora-latest
- infra/image/dockerfile/fedora-rawhide
- infra/image/inventory
- infra/image/system-service/fixipaip.service
- infra/image/system-service/fixipaip.sh
- infra/image/system-service/fixnet.service
- infra/image/system-service/fixnet.sh
 2024-07-31 16:09:29 +02:00
Kees Bakker
c2f6a19677 README-host.md: correction of managedby_host description 2024-07-30 10:36:26 +02:00
Rafael Guterres Jeffman
0002d4c7f7 Merge pull request #1274 from t-woerner/fix_multi_user_tests 
Fix multi user tests
 2024-07-22 11:40:10 -03:00
Thomas Woerner
a95c222ed6 Fix multi user tests 
The tests test_users_present.yml and test_users_absent.yml has been
merged into test_users_present_absent.yml to fix the independent test
order execution.

The test test_users_present_slice.yml has been renamed to
test_users_present_absent_slice.yml.

Both tests are cleaning up possible exiting entries before running the tests
and are verifying the present and absent task result.
 2024-07-22 16:29:19 +02:00
Rafael Guterres Jeffman
d9a20e16c1 Merge pull request #1272 from t-woerner/add_missing_cleanup_for_test_services_present 
tests/service/test_services_present.yml: Add missing cleanup
 2024-07-22 11:26:45 -03:00
Rafael Guterres Jeffman
a4860f7b04 Merge pull request #1270 from t-woerner/truncate_stdout_and_stderr_in_upstream_test_log 
Truncate stdout and stderr in upstream test log
 2024-07-20 11:53:30 -03:00
Thomas Woerner
e71602be6e tests/service/test_services_present.yml: Add missing cleanup 
The cleanup of the test services and hosts have been missing, which
could lead to a test failure.
 2024-07-19 17:08:20 +02:00
Thomas Woerner
3dfa026eda Truncate stdout and stderr in upstream test log 
Truncate stdout and stderr in the way that it hopefully shows all
important information. At least 15 lines of stdout (Ansible tasks) and
remaining from stderr to fill up to maxlen size.

The test log mostly only showed lines from stderr as the log was a
concatenation of stdout and stderr and only the last 2500 chars of this
have been used. This was hiding the test result from stdout and failures
have not beeen visible.
 2024-07-17 10:54:30 +02:00
Rafael Guterres Jeffman
16a4eb81ce Merge pull request #1264 from t-woerner/module_documentation_fixes 
Documentation fixes for issues found by ansible-test part of ansible-core 2.17.1
 2024-07-01 09:31:47 -03:00
Thomas Woerner
cd16490531 Role modules: Docs: Fix default value for string list parameters 
Fix default values for string list parameters where default is missing
in the DOCUMENTATION section, but is defined in argument_specs.
 2024-07-01 11:33:28 +02:00
Thomas Woerner
7b6bc32fa0 tests/utils.py: Fix missing whitespace around arithmetic operator (E226) 2024-07-01 11:31:13 +02:00
Thomas Woerner
6b3fb78db6 ipareplica_prepare: Documentation: Fixed name of ipa_client_installed 
The ipa_client_installed option was named as client_configured in the
DOCUMENTATION section.
 2024-07-01 11:17:52 +02:00
Thomas Woerner
67df9e83c7 ipaclient_setup_nss: Documentation: Add default for selinux_works 
The default value for selinux_works was missing in the DOCUMENTATION
section.
 2024-07-01 11:15:49 +02:00
Thomas Woerner
14be339af0 service: Docs: Fix required for name, add delete_continue to services 
DOCUMENTATOIN section: Fix required for name, add missing
delete_continue to services option.
 2024-07-01 10:39:04 +02:00
Thomas Woerner
76251ead2c idp: Drop no_log from docs section, allow to log token_uri and keys_uri 
The no_log tag is only allowed in the argument_spec, but not in the
DOCUMENTATION section. Set no_log=False for token_uri and
keys_uri=keys_uri in the argument_spec to enforce logging.
 2024-07-01 10:33:04 +02:00
Thomas Woerner
74028bd36c idoverrideuser: Docs: Fix sshpubkey element type, nomembers type 
The element type for sshpubkey was using 'element' instead of 'elements'
also the type for nomembers was wrong in the DOCUMENTATION section.
 2024-07-01 10:30:57 +02:00
Thomas Woerner
43217b9e70 cert: Fix short_description tag, add chain option, remove authors 
Several fixes for the DOCUMENTATION section: The short_description tag
was 'short description', the chain option was missing and the unknown
authers tag has been removed.
 2024-07-01 10:25:11 +02:00
Thomas Woerner
96209f6945 inventory/freeipa: Documentation: Fix version_added and drop plugin_type 
In the freeipa inventoty plugin, fix version to 1.13.0 and drop unknown
tag plugin_type.
 2024-07-01 10:23:21 +02:00
Thomas Woerner
7eac30127a ipamodule_base_docs: Documentation: Fix default for delete_continue 
The default setting for delete_continue was True instead of true for
delete_continue in the DOCUMENTATION section.
 2024-07-01 10:20:21 +02:00
Rafael Guterres Jeffman
719d1cd056 Merge pull request #1263 from t-woerner/tests_sanity_setuptools 
tests/sanity/sanity.sh: Install setuptools with pip
 2024-06-28 12:29:42 -03:00
Rafael Guterres Jeffman
832d44d986 Merge pull request #1262 from t-woerner/user_fix_idp_user_id_aliases 
user: Fix idp_user_id aliases
 2024-06-28 12:29:13 -03:00
Rafael Guterres Jeffman
82f403c0de Merge pull request #1261 from t-woerner/inventory_plugin_try_imports 
plugins/inventory/freeipa: Try imports for requests and urllib3
 2024-06-28 12:27:06 -03:00
Rafael Guterres Jeffman
fa4a90e628 Merge pull request #1259 from t-woerner/permission_DN_parameters_idempotency_fixes 
permission: Fix idempotency issues for DN parameters
 2024-06-28 12:26:45 -03:00
Rafael Guterres Jeffman
c38ff9b78c Merge pull request #1255 from t-woerner/service_readme_multi_services 
README-service.md: Add multi service handling
 2024-06-28 12:24:40 -03:00
Rafael Guterres Jeffman
85b1c54ce1 Merge pull request #1250 from t-woerner/convert_input_certificates 
Convert input certificates
 2024-06-28 12:24:07 -03:00
Rafael Guterres Jeffman
6d5f3f3274 Merge pull request #1248 from t-woerner/fix_batch_errors 
ansible_freeipa_module: Fix errors in batch mode
 2024-06-28 12:23:39 -03:00
Rafael Guterres Jeffman
1dba4ba408 Merge pull request #1246 from t-woerner/ipa_4_12_fixes 
Fixes for FreeIPA 4.12
 2024-06-28 12:23:20 -03:00
Thomas Woerner
e867373fc0 tests/sanity/sanity.sh: Install setuptools with pip 
setuptools might not be installed before importing and using
galaxy_importer. This could result in a backtrace by disabling
ANSIBLE_TEST_LOCAL_IMAGE in galaxy-importer.cfg to run latest tests.
 2024-06-28 17:08:16 +02:00
Thomas Woerner
c5c8cb3b04 user: Fix idp_user_id aliases 
The alias for idp_user_id was ipaidpconfiglink by mistake. It was
already correct (ipaidpsub) in the DOCUMENTATION section and also
in the README.
 2024-06-28 17:02:24 +02:00
Thomas Woerner
8944999657 service: Add multi service examples to EXAMPLES 
The EXAMPLES section only contained a very simple example for multi
service handling. The examples from the README have been added.
 2024-06-28 16:55:56 +02:00
Thomas Woerner
b7a04bc49b README-service.md: Add multi service handling 
The service READNE so far lacks the documentation of multi service
handling within a single task.

The alias for the continue parameter was also added.

Fixes: #1113
 2024-06-28 16:55:40 +02:00
Thomas Woerner
935bef4b9f Merge pull request #1130 from rjeffman/ansible_support_2_14_plus 
Bump minimum supported Ansible version
 2024-06-28 16:48:27 +02:00
Thomas Woerner
8e139e2fe9 plugins/inventory/freeipa: Try imports for requests and urllib3 
The bindings for requests and urllib3 might not be available, especially
in the ansible-test fake execution test (next version). These imports are
now in a try exception clause to make sure that the fake execution test
will be passing and also that there is a better error message if the
bindings are missing.

urllib3.exceptions.InsecureRequestWarning is now also only disabled if
no certificate has been given for the verification of the connection.
 2024-06-28 16:35:44 +02:00
Rafael Guterres Jeffman
332d41dc46 ansible-freeipa.spec: Bump minimum supported Ansible version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

This patch updates the minimum supported Ansible version and the list
of available modules.
 2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
ab94ff07a0 utils/templates: Bump minimum supported Ansible version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
 2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
5a5b3c1655 ipasmartcard_*: Bump minimum supported Ansible version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
 2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
74663b877a ipabackup: Bump minimum supported Ansible version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
 2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
2f06f194f1 ipaserver: Bump minimum supported Ansible version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
 2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
3148c10480 ipareplica: Bump minimum supported Ansible version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
 2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
f4187a1453 ipaclient: Bump minimum supported Ansible version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
 2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
7126dec0f3 README-*: Bump minimum Ansible supported version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

This patch includes the change to the version number in the collection
and all plugin README files. The collection README was also update to
remove text that related only to previous Ansible versions.
 2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
3d241e55b4 Set collection ansible-core minimum version to 2.15 2024-06-28 10:51:27 -03:00
Thomas Woerner
173acf282b permission: Fix idempotency issues for DN parameters 
The parameters

- subtree (ipapermlocation)
- target (ipapermtarget)
- targetto (ipapermtargetto)
- targetfrom (ipapermtargetfrom)

have not been idempotent as the result returned from permission_show was
a DN and not a string.

The find_permission function has been exetended to convert the values
for these parameters to strings.

Fixes: #1257
 2024-06-26 14:57:28 +02:00
Thomas Woerner
39ba225784 ansible_freeipa_module: Fix errors in batch mode 
The error string returned by execute_ipa_commands in batch mode
additionally contains the whole parameter list for the command. This is
different to non batch mode execution and breaks tests that are checking
the returned error message.

A left over debug message also have been removed from the error
processing.
 2024-06-25 17:31:45 +02:00
Thomas Woerner
b7ccd8fed5 ipauser: Use new convert_input_certificates 
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
 2024-06-25 16:07:05 +02:00
Thomas Woerner
ef94b703df ipaidoverrideusere: Use new convert_input_certificates 
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
 2024-06-25 16:07:05 +02:00
Thomas Woerner
0dc58be3f6 ipahost: Use new convert_input_certificates 
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
 2024-06-25 16:07:05 +02:00
Thomas Woerner
b64da1dbb7 ipaservice: Use new convert_input_certificates 
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
 2024-06-25 16:07:05 +02:00
Thomas Woerner
84b5d33c62 ansible_freeipa_module: New function convert_input_certificates 
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.

New function:
- convert_input_certificates(module, certs, state)
 2024-06-25 16:06:59 +02:00
Thomas Woerner
5ac7143f42 ipareplica: After an HSM replica install ensure all certs are visible 
FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d

    After an HSM replica install ensure all certs are visible

    If a certificate on a token does not have NSS trust set then
    it won't be visible in the softoken. This can be disconcerting
    for those used to seeing all the certificates.

    Loop through the possibilities and set no trust (or Peer) for
    all the certificates on the token.

    Also ensure that the CA certificate has the correct nickname.

    Related: https://pagure.io/freeipa/issue/9273
 2024-06-20 15:21:36 +02:00
Thomas Woerner
07d91e02d1 ipareplica: Refactor CA file handling 
replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is
called instead if the client was configured before deploying with
iparepica role.

FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d

    Refactor CA file handling in replica installer

    Clean up and remove obsolete code from ipa-replica-install. For several
    versions replica installer first ensures that a host is an IPA client,
    then promotes the client to a replica. The client installer code sets up
    CA stores like IPA_CA_CRT already.
 2024-06-20 15:21:36 +02:00
Thomas Woerner
127d758100 ipareplica_install_ca_certs: Do not return unchanged config attributes 
The config attributes config_master_host_name and also config_ca_host_name
are not changed within ipareplica_install_ca_certs, therefore it is not
needed to return them and also to use the returned values for following
tasks.
 2024-06-20 15:21:36 +02:00
Thomas Woerner
4ff6e35c28 ipaserver: Set hsm attributes to None for now 
The HSM parameters

    token_name
    token_library_path
    token_password
    token_password_file

are set to None to enable deployment with IPA 4.12 as a workaround till
HSM can be fully supported by the ipaserver role.
 2024-06-20 15:21:36 +02:00
Rafael Guterres Jeffman
a1230cabc6 Merge pull request #1242 from t-woerner/fix_build_galaxy_release_sh_offline2 
utils/build-galaxy-release.sh: Fix unary operator expected (v2)
 2024-05-27 11:00:03 -03:00
Thomas Woerner
411f5f3467 utils/build-galaxy-release.sh: Fix unary operator expected (v2) 
This fixes a bad tests if offline is not set:
utils/build-galaxy-release.sh: line 130: [: -ne: unary operator expected

Fixes f17f83d6bd
 2024-05-27 15:39:35 +02:00
Thomas Woerner
8779384614 Merge pull request #1225 from rjeffman/ci_pin_ansible_lint_version 
Bump linter tools versions an fix linter errors
 2024-05-27 14:33:52 +02:00
Rafael Guterres Jeffman
2cc1484ad7 Merge pull request #1229 from t-woerner/batch_command 
Use batch command internally
 2024-05-23 14:53:23 -03:00
Rafael Guterres Jeffman
77c1d206d3 fixup! pylint: Ignore usage of 'unicode' before assignment 2024-05-22 14:31:00 -03:00
Rafael Guterres Jeffman
52241fe233 pylint: ensure variables are initialized 
pylint doesn't know that some functions may terminate execution, like,
AnsibleModule's fail_json, and assume that, depending on the code path,
some variables may not be initialized when used.

This change ensure that variables are always initialized independent of
the code path.
 2024-05-22 10:50:34 -03:00
Rafael Guterres Jeffman
f53ca3ad39 pylint: Ignore usage of 'unicode' before assignment 
New versions of pylint ignore Python 2 functions and types, evaluating
'unicode' as "undefined". ansible-freeipa will always define 'unicode'
when running under Python 3, and it is always defined under Python 2.

This patch fixes these false positives.
 2024-05-22 10:42:00 -03:00
Rafael Guterres Jeffman
60905ef5bf upstream ci: Update Github actions 
Github actions checkout v3.1.0 and setup-python v4.3.0 use deprecated
Node.js 16.

Bumping version to checkout v4.1.1 and setup-python v5.1.0 fixes the
workflows, as both use the recommended Node.js 20.

The checkout depth has been set to 1 (shallow copy) for all tasks that
do not require git history to be available.
 2024-05-22 10:40:49 -03:00
Rafael Guterres Jeffman
0d48da060d lint tools: bump code verification tools versions 
Bump version of ansible-lint, Flake8, Pylint and yamllint to newer
versions as used in Ansible tests.
 2024-05-22 10:40:49 -03:00
Thomas Woerner
5cdbcf6442 ipahost: Enable batch command with keeponly 
The use of the batch command is enabled for execute_ipa_commands.

Additionally keeponly is set to ["randompassword"] as this is the only
parameter that is used from the data returned from the commands.
 2024-05-22 11:51:22 +02:00
Thomas Woerner
08b0fc02ba ipagroup: Enable batch command use with keeponly 
The use of the batch command is enabled for execute_ipa_commands.

Additionally keeponly is set to [] as nothing is used from the data returned
from the commands.
 2024-05-22 11:50:11 +02:00
Thomas Woerner
6cec03eb15 ipaservice: Enable batch command use with keeponly 
The use of the batch command is enabled for execute_ipa_commands.

Additionally keeponly is set to [] as nothing is used from the data returned
from the commands.
 2024-05-22 11:48:36 +02:00
Thomas Woerner
65a1fd7804 ipauser: Enable batch command use with keeponly 
The use of the batch command is enabled for execute_ipa_commands.

Additionally keeponly is set to ["randompassword"] as this is the only
parameter that is used from the data returned from the commands.
 2024-05-22 11:45:03 +02:00
Thomas Woerner
bcb6a68230 IPAAnsibleModule: Add support for batch command in execute_ipa_commands 
The method execute_ipa_commands has been extended to handle multi
commands with the batch command.

New constants for execute_ipa_commands debugging:

    DEBUG_COMMAND_ALL = 0b1111
    DEBUG_COMMAND_LIST = 0b0001
        Print the while command list
    DEBUG_COMMAND_COUNT = 0b0010
        Print the command number
    DEBUG_COMMAND_BATCH = 0b0100
        Print information about the batch slice size and currently executed
        batch slice

New parameters have been added to execute_ipa_commands:

    batch: bool
        Enable batch command use to speed up processing
    batch_slice_size: integer
        Maximum mumber of commands processed in a slice with the batch
        command
    keeponly: list of string
        The attributes to keep in the results returned.
        Default: None (Keep all)
    debug: integer
        Enable debug output for the exection using DEBUG_COMMAND_*

Batch mode can be enabled within the module with setting batch to True
for execute_ipa_commands.

Fixes: #1128 (batch command support)
 2024-05-22 11:44:38 +02:00
Rafael Guterres Jeffman
8f8a16f815 Merge pull request #1239 from t-woerner/fix_group_readme_rename 
README-group.md: Add missing ":" in multi rename example
 2024-05-21 09:09:11 -03:00
Rafael Guterres Jeffman
bfcc62a27f Merge pull request #1238 from t-woerner/fix_user_readme_rename 
README-user.md: Fix state for user rename in example playbook
 2024-05-21 09:08:25 -03:00
Rafael Guterres Jeffman
8ba32bfc26 Merge pull request #1237 from t-woerner/fix_idempotency_issues_ipahost 
ipahost: Fix idempotency issues
 2024-05-21 09:06:45 -03:00
Thomas Woerner
69306a6177 README-group.md: Add missing ":" in multi rename example 
The name tag in the multi rename example is was missing a ":".
 2024-05-16 21:21:39 +02:00
Thomas Woerner
967a2d8e56 README-user.md: Fix state for user rename in example playbook 
A user rename requires "state: renamed". This has been wrong in the
example.
 2024-05-16 21:02:05 +02:00
Rafael Guterres Jeffman
2626715db6 Merge pull request #1222 from t-woerner/ipaserver_use_IPAChangeConf_and_realm_to_ldapi_uri 
ipaserver_prepare: Properly create IPA_DEFAULT_CONF
 2024-05-16 12:16:08 -03:00
Rafael Guterres Jeffman
2166a9f7a2 Merge pull request #1231 from t-woerner/inventory_plugin 
New inventory plugin
 2024-05-14 09:00:37 -03:00
Rafael Guterres Jeffman
8b4bb631a5 Merge pull request #1235 from t-woerner/fix_idempotency_issues_ipauser 
ipauser: Fix idempotency issues for members
 2024-05-14 08:55:10 -03:00
Thomas Woerner
f17f83d6bd utils/build-galaxy-release.sh: Fix unary operator expected 
This fixes a bad tests if offline is not set:
utils/build-galaxy-release.sh: line 130: [: -ne: unary operator expected
 2024-05-14 12:59:14 +02:00
Thomas Woerner
a3517a3a23 New inventory plugin 
The inventory plugin compiles a dynamic inventory from IPA domain, filters
servers by role(s).

Usage:

Create yml file, for example `freeipa.yml`:

    ---
    plugin: freeipa
    server: server.ipa.local
    ipaadmin_password: SomeADMINpassword
    verify: ca.crt

Get compiled inventory:

    ansible-inventory -i freeipa.yml --graph
 2024-05-14 12:58:39 +02:00
Rafael Guterres Jeffman
5aa1c7cb57 Merge pull request #1236 from t-woerner/fix_idempotency_issues_ipaservice 
ipaservice: Do not set continue to None for service_del
 2024-05-13 12:06:25 -03:00
Thomas Woerner
15e9201dab ipahost: Fix idempotency issues 
This simplified the result_handler and also made the exception_handler
superfluous.
 2024-05-13 13:31:52 +02:00
Thomas Woerner
6caa58e8be ansible_freeipa_module: Import and provide normalize_sshpubkey 
normalize_sshpubkey is imported from ipalib.util and also added to
__all__ for use in modules.
 2024-05-13 13:31:47 +02:00
Thomas Woerner
5c61f14cc1 ipaservice: Do not set continue to None for service_del 
delete_continue defaults to None. The use of continue: None is resulting
in an error with the batch command. Therefore only set continue if it is
not None.
 2024-05-13 13:23:26 +02:00
Thomas Woerner
b3a74e616a ipauser: Fix idempotency issues for members 
These are manager, principal, certificate and certmapdata.

The result_handler function has been adapted and the exception_handler
function has been removed.

A new function has been added:

   convert_certificate
 2024-05-13 13:18:26 +02:00
Rafael Guterres Jeffman
cbff802d13 Merge pull request #1226 from t-woerner/ipalib.install.kinit_moved_to_ipalib_freeipa_7286 
ipalib.install.kinit moved to ipalib
 2024-03-28 10:57:02 -03:00
Rafael Guterres Jeffman
4ceb6aa05d Merge pull request #1224 from t-woerner/ipaclient_dns_resolver_fix_changed 
ipaclient_configure_dns_resolver: Return proper changed state
 2024-03-28 10:13:06 -03:00
Thomas Woerner
35614d7a88 ipalib.install.kinit moved to ipalib 
FreeIPA PR https://github.com/freeipa/freeipa/pull/7286 moved
ipalib.install.kinit to ipalib.

It is first tried to import kinit_keytab and kinit_password from
ipalib.kinit, then ipalib.install.kinit and finally in some cases
where support for IPA 4.5.0 is needed still also ipapython.ipautil.

Related: https://github.com/freeipa/freeipa/pull/7286
 2024-03-27 15:33:29 +01:00
Rafael Guterres Jeffman
7a9ea832a1 Merge pull request #1227 from t-woerner/fix_build_galaxy_release_sh_offline 
utils/build-galaxy-release.sh: Fix offline default value
 2024-03-26 12:17:08 -03:00
Thomas Woerner
2804ec3f83 utils/build-galaxy-release.sh: Fix offline default value 
The offline default value was 0, which resulted in 0 for
${offline/1/--offline}.

This broke the ansible-galaxy collection install call.
 2024-03-26 14:46:11 +01:00
Thomas Woerner
bef748cfdc ipaclient_configure_dns_resolver: Return proper changed state 
The changed state returned from ipaclient_configure_dns_resolver was
always True. The internal functions (copies from FreeIPA code) have been
fixed to return a changed state.

Fixes: #1217 (ipaclient: Configure DNS resolver always reports as changed)
 2024-03-21 16:19:46 +01:00
Rafael Guterres Jeffman
c24e8b498e Merge pull request #1223 from t-woerner/galaxy_collection_for_rpm 
utils/build-galaxy-release.sh: Enable offline generation for rpm
 2024-03-21 09:27:41 -03:00
Thomas Woerner
fe16df8a6c utils/build-galaxy-release.sh: Enable offline generation for rpm 
Two new options have been added to enable the offline build within rpm:

    -o <A.B.C>  Build offline without using git, using version A.B.C
                Also enables -a
    -p <path>   Installation the generated collection in the path, the
                ansible_collections sub directory will be created and will
                contain the collection: ansible_collections/<namespace>/<name>
                Also enables -i

The usage text has been fixed also for specifying namespace and name.
The collection variable has been renamed to name.

Example usage:

    utils/build-galaxy-release.sh -o 1.12.1 \
        -p %{buildroot}%{_datadir}/ansible/collections \
        freeipa ansible_freeipa
 2024-03-20 13:45:07 +01:00
Rafael Guterres Jeffman
d804dc470e Merge pull request #1221 from t-woerner/ipaserver_only_one_custodia_setup 
ipaserver: Run custodia setup only once
 2024-03-14 10:44:41 -03:00
Thomas Woerner
8fa3daece8 ipaserver_prepare: Properly create IPA_DEFAULT_CONF 
Use IPAChangeConf and realm_to_ldapi_uri to create IPA_DEFAULT_CONF.

With realm_to_ldapi_uri the ldap_uri is correctly using /run instead of
/var/run.

Before IPA_DEFAULT_CONF was created using file operations.
 2024-03-13 14:27:09 +01:00
Thomas Woerner
0cad1fa879 ipaserver: Run custodia setup only once 
The custodia setup is executed twice. At first in
ipaserver_setup_custodia and then additionally in ipaserver_setup_ca.

The custodia setup code in ipaserver_setup_ca.py has been adapted to fit
the code in ipaserver_setup_custodia.py.

The extra Setup custodia step in the server roles has been removed
together with ipaserver_setup_custodia.py.
 2024-03-13 13:15:24 +01:00
Rafael Guterres Jeffman
780e6b1436 Merge pull request #1220 from t-woerner/ipaserver_test_return_generated_domain_name 
ipaserver_test: Return generated domain_name
 2024-03-11 11:08:39 -03:00
Rafael Guterres Jeffman
216a5d4f9d Merge pull request #1215 from t-woerner/fix_ca_less_to_use_X.509_v3 
Fix ca-less test to use X.509 v3 certificates
 2024-03-11 11:04:08 -03:00
Thomas Woerner
f8ff833b03 ipaserver_test: Return generated domain_name 
If ipaserver_domain is not given, the domain name is generated from the
host fqdn.

This generated value was so far not returned, but the empty given value
instead.
 2024-03-11 14:02:51 +01:00
Thomas Woerner
b92da82661 Fix ca-less test to use X.509 v3 certificates 
The generated certificates have been X.509 v1. This is not supported any
more. Only X.509 v3 is supported.

A new certificates/extensions.conf file has been added to make v3
certificates.

The existing certificates/pkinit/extensions.conf has been renamed to
certificates/pkinit-extensions.conf with additional changes. For example
"[kdc_cert]" had to be removed for v3.

The extensions config files are using environment variables, which are
set by the generate-certificates.sh script before calling openssl.

The script generate-certificates.sh has been reworked for a simpler
structure, also new options have been added: "ca" and "cleanup".
 2024-03-05 11:17:17 +01:00
Thomas Woerner
ce05b5e137 Merge pull request #1213 from rjeffman/dnszone_fix_yaml_code_block 
README-dnszone: Fix yaml code block declaration.
 2024-02-27 13:10:19 +01:00
Rafael Guterres Jeffman
a826bf1781 README-dnszone: Fix yaml code block declaration. 
There was a space between the code block marker and the highlight hint
in a playbook example.
 2024-02-15 09:39:14 -03:00
Thomas Woerner
a3a6919416 Merge pull request #760 from rjeffman/ipadelegation_case_insensitive 
ipadelegation: Fix idempotence issues due to capitalization.
 2024-02-12 15:33:30 +01:00
Rafael Guterres Jeffman
e9c6e93608 ipadelegation: Fix idempotence issues due to capitalization. 
This patch force processing of permission, attribute and group
attributes in lower case, to match behavior of IPA CLI, transforming
all of them into lowercase characters.

The new behavior fixes idempotence issues when mixing different
capitalization in different tasks for the same attribute.

A new test playbook is avaiable at:

    tests/delegation/test_delegation_member_case_insensitive.yml
 2024-02-12 11:10:21 -03:00
Thomas Woerner
f40f4d4c9a Merge pull request #1201 from rjeffman/ipagroup_case_insensitive 
ipagroup: Fix idempotence issues due to capitalization
 2024-02-12 14:59:41 +01:00
Rafael Guterres Jeffman
7b7d9c9957 ipagroup: Fix idempotence issues due to capitalization 
Some attributes for ipagroup objects are stored using lower case letters
and should be converted upon retrieving parameter data.

This patch adds the missing conversion and provides a new test playbook:

    tests/group/test_group_case_insensitive.yml
 2024-02-12 09:11:12 -03:00
Rafael Guterres Jeffman
c0c3394d8d Merge pull request #1211 from t-woerner/disable_config_tests_for_pac_type_without_MS-PAC 
Disable config tests for pac type without ms pac
 2024-02-12 09:09:06 -03:00
Thomas Woerner
11205102af Merge pull request #1202 from rjeffman/ipahostgroup_idempotence_issues 
ipahostgroup: Fix idempotence issues due to capitalization
 2024-02-12 11:45:05 +01:00
Rafael Guterres Jeffman
22401d18d6 ipahostgroup: Fix idempotence issues due to capitalization 
ipahostgroup parameters 'host', 'hostgroup', 'membermanager_user' and
'membermanager_group' must be compared in a case insensitive manner
and stored as lower case strings.

This patch fixes the comparison and storage of this parameters, and
change the handling of members to use the same structure as in newer
modules.

Two new tests files were added:

    tests/hostgroup/test_hostgroup_case_insensitive.yml
    tests/hostgroup/test_hostgroup_membermanager_case_insensitive.yml
 2024-02-09 21:19:58 -03:00
Thomas Woerner
9b5a54c4fa Merge pull request #1203 from rjeffman/ipahbacrule_fix_idempotence_issues 
ipahbacrule: Fix handling of hbacsvcgroup in members
 2024-02-09 19:49:28 +01:00
Thomas Woerner
9920a76777 config: Disable config tests due to pac type requirement MS-PAC 
The config tests are currently setting the pac type to empty or without
MS-PAC type. This results in failed authorization for IPA API.

An issue has been opened for FreeIPA to address this:
https://pagure.io/freeipa/issue/9527
 2024-02-09 14:43:46 +01:00
Rafael Guterres Jeffman
249eab6047 Merge pull request #1208 from t-woerner/ipaclient_automount_with_new_install_states 
ipaclient_setup_automount with new install states
 2024-02-07 13:10:24 -03:00
Thomas Woerner
29f046b8e2 Merge pull request #1206 from rjeffman/ipaserver_fix_deploy_EL8 
ipaserver: Fix deployment after Bronze-bit fix
 2024-02-07 16:54:11 +01:00
Rafael Guterres Jeffman
2317c20556 ipaserver: Fix deployment after Bronze-bit fix 
As FreeIPA now requires MS-PAC to be set in ipaKrbAuthzData to trigger
PAC generation, there's a timing issue that causes API malfunction which
is long enough to cause the client part insallation to fail.

By restarting KDC after DS password is set, we force cached values to be
refreshed, allowing the API to work correctly.

Resolves: https://github.com/freeipa/ansible-freeipa/issues/1200
 2024-02-07 12:16:38 -03:00
Thomas Woerner
0d1f8b53b8 ipaclient_setup_automount: Only return changed if there was a change 
The returned changed state was always True. changed is now only True if
automount_location is set and configure_automount was called.
 2024-02-07 14:39:34 +01:00
Thomas Woerner
0a468d32e8 ipaclient_setup_automount with new install states 
This is "Fix ipa-client-automount install/uninstall with new install
states" https://github.com/freeipa/freeipa/pull/7100 for ansible-freeipa:

Issue 8384 introduced a new installation state for the statestore
to identify when client/server installation is completely finished
rather than relying on has_files().

The problem is that ipa-client-automount may be called during
ipa-client-install and since installation is not complete at that
point the automount install was failing with "IPA client not
configured".

Add a new state, 'automount', to designate that automount installation
is in process. If check_client_configuration() fails it checks to
see if [installation] automount is True. If so it continues with the
installation.

This also addresses an issue where the filestore and statestore are
shared between the client and automount installers but the client
wasn't refreshing state after automount completed. This resulted in
an incomplete state and index file of backed-up files which caused
files to not be restored on uninstall and the state file to be
orphaned.

Fixes: https://pagure.io/freeipa/issue/9487
 2024-02-07 14:39:04 +01:00
Rafael Guterres Jeffman
03c65bd761 Merge pull request #1207 from t-woerner/ipaclient_enable_SELinux_for_SSSD 
ipaclient: Enable SELinux for SSSD
 2024-02-07 00:38:13 -03:00
Rafael Guterres Jeffman
b87b346a0a ipahbacrule: Fix handling of hbacsvcgroup in members 
FreeIPA provides a default hbacsvcgroup named "Sudo", with capital 'S',
that is different from every other hbacsvcgroup, which are all
represented by lower case letters.

As data from IPA API was not modified, this causes an idempotence error
when using different capitalization with the 'hbacsvcgroup' parameter.

This patch fixes the issue by using the CaseInsensitive comparator to
create the hbacsvcgroup list.

Tests were update to make sure a regression is not included in the
future.
 2024-02-06 16:29:04 -03:00
Thomas Woerner
e92db5c5cd ipaclient: Enable SELinux for SSSD 
This is "ipa-client-install: enable SELinux for SSSD"
https://github.com/freeipa/freeipa/pull/6978 for ansible-freeipa:

For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.

Fixes: https://pagure.io/freeipa/issue/9434
 2024-02-06 14:39:19 +01:00
Thomas Woerner
1028f61b6c Merge pull request #899 from rjeffman/sudorule_add_runasuser_group 
ipasudorule: Allow setting groups for runasuser.
 2024-01-24 22:11:43 +01:00
Rafael Guterres Jeffman
1fde1764af ipasudorule: Allow setting groups for runasuser. 
On IPA CLI sudorule-add/del-runasuser accept 'group' as a parameter,
and this option was missing in ansible-freeipa ipasudorule module.

This patch adds a new parameter 'runasuser_group' to allow setting
Groups of RunAs Users, as allowed by CLI and WebUI.

New example playboks can be found at:

    playbooks/sudorule/ensure-sudorule-runasusesr-group-is-absent.yml
    playbooks/sudorule/ensure-sudorule-runasusesr-group-is-present.yml
 2024-01-23 12:04:02 -03:00
Thomas Woerner
4321478cf0 Merge pull request #1178 from rjeffman/ipagroup_rename 
ipagroup: Add support for renaming groups
 2023-12-21 20:47:47 +01:00
Rafael Guterres Jeffman
900c76e810 Merge pull request #1195 from t-woerner/Fixes_for_ansible_lint_6_22_1 
Fixes for ansible-lint 6.22.1
 2023-12-20 16:10:46 -03:00
Rafael Guterres Jeffman
1ecdbd3a49 ipagroup: Add support for renaming groups 
FreeIPA suports renaming groupobjects with the CLI parameter "rename",
and this parameter was missing in ansible-freeipa ipagroup module.

This patch adds support for a new state 'renamed' and the 'rename'
parameter.

Tests were updated to cope with the changes.
 2023-12-20 11:29:22 -03:00
Thomas Woerner
47a1d50c84 Fixes for ansible-lint 6.22.1 
- Replace outdated noqa 503 with noqa no-handler
- Drop outdated and not needed noqa 505 for include_vars
- Drop outdated noqa deprecated-command-syntax for
  ansible.builtin.shell using cmd tag

These warnings have been reported by utils/lint_check.sh using
ansible-lint 6.22.1.
 2023-12-20 14:38:24 +01:00
Rafael Guterres Jeffman
3fe41a5260 tests/group: Use module_defaults on tests_group 
Use module_defaults to improve reading test cases.
 2023-12-20 09:21:17 -03:00
Thomas Woerner
3a304e8bd7 Merge pull request #1174 from rjeffman/ipauser_rename 
ipauser: Add support for renaming users
 2023-12-20 11:40:50 +01:00
Thomas Woerner
86e089fd42 Merge pull request #1147 from rjeffman/dnszone_permission 
ipadnszone: Add support for per-zone privilege delegation
 2023-12-20 11:21:35 +01:00
Rafael Guterres Jeffman
3eb86b2c2d ipauser: Add support for renaming users 
FreeIPA suports renaming user objects with the CLI parameter "rename",
and this parameter was missing in ansible-freeipa ipauser module.

This patch adds support for a new state 'renamed' and the 'rename'
parameter.

Tests were updated to cope with the changes.

Related to RHBZ#2234379, RHBZ#2234380

Fixes #1103
 2023-12-19 11:44:31 -03:00
Rafael Guterres Jeffman
3bd68ac0fa ipadnszone: Add support for per-zone privilege delegation 
IPA DNS Zones management can be delegated by adding a "Manage DNS zone"
permission. The CLI commands that manage these permissions are
dnszone-add-permission and dnszone-remove-permission.

The ansible-freeipa module ipadnszone did not have this capability, and
it now support dnszone per-zone management delegation by setting the
module parameter 'permission'. If set to 'true' the permission will be
assigned to the zone, if set to false the permission will be removed.
 2023-12-19 11:28:46 -03:00
Rafael Guterres Jeffman
0f2c37612e Merge pull request #1169 from t-woerner/ipaclient_automount_location 
ipaclient: Properly name automount_location var and add documentation
 2023-12-19 09:46:41 -03:00
Thomas Woerner
4e831b0cb8 Merge pull request #1143 from rjeffman/global_handle_datatype 
Handle data type or empty string in module_utils
 2023-12-19 13:35:04 +01:00
Rafael Guterres Jeffman
34973c04c6 idoveridegroup: Use module.params_get_type 
Use the commom parameter type handling method for parameters that accept
a value or an empty string.
 2023-12-15 10:48:00 -03:00
Rafael Guterres Jeffman
bc694b722c idoverideuser: Use module.params_get_type 
Use the commom parameter type handling method for parameters that accept
a value or an empty string.
 2023-12-15 10:48:00 -03:00
Rafael Guterres Jeffman
92d579be41 ipapwpolicy: Use modules.params_get_type 
Use the commom parameter type handling method for parameters that accept
a value or an empty string.
 2023-12-15 10:48:00 -03:00
Rafael Guterres Jeffman
e55a41ca0c ansible_freeipa_module: Ensure data type when retrieving parameter 
Some parameters, in modules, have a specific data type, but allow the
use of an empty string to clear the parameter.

By providing a method to retrieve the parameter with the correct data
type, or optionally an empty string, allows for consistency of parameter
handling between different modules.
 2023-12-15 10:41:41 -03:00
Thomas Woerner
0f7ebd22fd Merge pull request #1149 from rjeffman/fix_rhel_4934 
ipauser: Do not try to modify user when not changing password
 2023-12-14 14:56:21 +01:00
Rafael Guterres Jeffman
f4c9e28715 Rename parameter 'allow_empty_string' to 'allow_empty_list_item' 
The parameter 'allow_empty_string' in 'module_params_get' is used to
allow an item in a list to be an empty string. The problem is that the
naming is misleading, as it is checking a list item rather than a
string.

This patch rename the parameter to 'allow_empty_list_item' so that it
more clearly refers to list itens instead of standalone strings, and do
not collide with future parameters that may test for empty strings which
are not part of lists.
 2023-12-08 14:12:52 -03:00
Thomas Woerner
81e6cbe6b7 Merge pull request #1187 from rjeffman/ipaclient_fix_otp_error_report 
ipaclient: Fix OTP error reporting
 2023-12-08 17:17:13 +01:00
Rafael Guterres Jeffman
9ecbe2315e Merge pull request #1189 from t-woerner/revert_temp_commit_de3c6c0 
Revert "[TEMP] Enable only idp, service and user module tests"
 2023-12-07 11:41:32 -03:00
Thomas Woerner
102d6c5a6d Revert "[TEMP] Enable only idp, service and user module tests" 
This reverts commit de3c6c0ace.
 2023-12-07 15:31:08 +01:00
Thomas Woerner
66bbc50c4d Merge pull request #1151 from rjeffman/ipareplica_support_cluster_ipaserver 
ipareplica: Support inventory groups.ipaserver
 2023-12-07 14:30:28 +01:00
Thomas Woerner
a38106afae Merge pull request #1184 from rjeffman/ci_inscrease_pr_test_timeout 
upstream ci: Increase timeout for PR tests
 2023-12-07 14:05:41 +01:00
Rafael Guterres Jeffman
47940b48c6 upstream ci: Increase timeout for PR tests 
After the change for a single job to run PR tests, and if there is any
change to ansible_module_utils, all the playbook tests are executed,
and the result is a failure due to timeout.

This PR increases the timeout so that a PR with changes to
ansible_module_utils can have the tests executed.
 2023-12-07 09:11:20 -03:00
Rafael Guterres Jeffman
8114120814 Merge pull request #1183 from t-woerner/idp_fix_validation_and_reset 
ipaidp: Fix validation and reset of parameters
 2023-12-07 09:10:26 -03:00
Thomas Woerner
505cb356c1 Merge pull request #1188 from rjeffman/ci_bump_ansible_lint 
Bump minimum ansible-lint version to 6.22
 2023-12-07 10:11:21 +01:00
Rafael Guterres Jeffman
d2e0cad90b Bump minimum ansible-lint version to 6.22 
By the first quarter of 2024, all collections must pass ansible-lint
tests run with version 6.22.x. This PR ensure that all ansible-freeipa
tests depending on ansible-lint use a valid version of it.
 2023-12-06 15:35:17 -03:00
Rafael Guterres Jeffman
9c735939a2 Merge pull request #1186 from t-woerner/test_host_random_conditional_statements_no_jinja2_templating 
test_host_random: No jinja2 templating in conditional statements
 2023-12-06 15:26:38 -03:00
Rafael Guterres Jeffman
22214dafff ipaclient: Fix OTP error reporting 
When deploying an IPA client with ipaclient, if an error occured while
getting an OTP, no error message is logged, as the task that logs the
error is not excuted due to the previous taks failure.

By adding a 'rescue' section to the code block and moving the error
reporting to this new section, we ensure that the proper error messages
will be reported.
 2023-12-06 14:26:00 -03:00
Thomas Woerner
2c9ee7d842 test_host_random: No jinja2 templating in conditional statements 
With ansible-core 2.14.12 using jinja2 templating in conditional
statements with ansible_facts['fqdn'] is marked as unsafe and results in
a failure.

The issues with using jinja2 templating in conditional statements for
asserts have been solved and a new server_fqdn fact has been added for
ansible_facts['fqdn'].
 2023-12-06 13:23:47 +01:00
Thomas Woerner
de3c6c0ace [TEMP] Enable only idp, service and user module tests 2023-12-05 16:44:55 +01:00
Thomas Woerner
ff084fbd96 ipaidp: Fix validation and reset of parameters 
The uri parameters auth_uri, dev_auth_uri, token_uri, userinfo_uri and
keys_uri have not been validated before. Also the base_url was not
normalized. The auth_uri, dev_auth_uri, token_uri and userinfo_uri need
to be set for new entries, but might be empty or empty string for reset
or updates.

The ipaidpclientsecret needs to be decoded from binary string in
find_idp result to not trigger no change ipd_mod calls.

The code for validate_uri and base_url normalization has been copied
from the ipaserver idp plugin.

ansible_freeipa_module:
urlparse from urllib.parse with a fallback to six.moves.urllib.parse is
imported and also exported. urlparse is needed for validate_uri in ipaidp
module.

Resolves: RHEL-17954, RHEL-17955, RHEL-17957 and RHEL-17958
 2023-12-05 16:30:50 +01:00
Rafael Guterres Jeffman
ca5496918a ipauser: Do not try to modify user when not changing password 
If a playbook to ensure the existence of a user contains 'random:false'
and 'update_password: always' is executed twice, the second execution
will raise an exception due to "No modifications to perform", as there
is actually nothing to modify.

The fix for the issue is to remove 'random' if it is not set to true, as
setting it to 'false' would have no effect on the user object.

Related: https://issues.redhat.com/browse/RHEL-4934
 2023-11-28 16:03:27 -03:00
Rafael Guterres Jeffman
48c0fd0a28 Merge pull request #1180 from t-woerner/freeipa_9297_pwpolicy_minlength_reset 
test_pwpolicy: minlength parameter can be reset with empty string now
 2023-11-28 08:59:50 -03:00
Thomas Woerner
f2a1d50b82 test_pwpolicy: minlength parameter can be reset with empty string now 
The reset of the minlength parameter failed with an internal error so
far. This has been fixed in IPA and therefore requires to fix the test
in ansible-freeipa also.

Related: https://pagure.io/freeipa/issue/9297
 2023-11-28 11:48:31 +01:00
Thomas Woerner
1930d8c8be Merge pull request #1168 from rjeffman/dev_reproduce_upstream_groups 
Reproduce upstream CI groups in developer's machine
 2023-11-24 15:39:47 +01:00
Thomas Woerner
1837ee662c Merge pull request #1104 from rjeffman/ci_parallel_image_build 
upstream CI: Build containers in parallel jobs
 2023-11-24 14:50:44 +01:00
Thomas Woerner
26e171df79 Merge pull request #1170 from rjeffman/ci_ansible_future 
Update ansible-lint and pylint versions
 2023-11-24 14:46:22 +01:00
Thomas Woerner
01440e3c04 Merge pull request #1173 from rjeffman/ipahost_fix_dnsrecords 
ipahost: Remove dangling dns records during test setup
 2023-11-24 14:44:19 +01:00
Rafael Guterres Jeffman
2426e04c22 Merge pull request #1176 from t-woerner/idoverrideX_del_without_delete_continue 
idoverride{user,group}: Fix delete_continue with state absent
 2023-11-24 09:02:05 -03:00
Thomas Woerner
92e44f6a6c idoverride{user,group}: Fix delete_continue with state absent 
All tasks for idoverrideuser and idoverridegroup with state absent
failed with "'continue' is required" when delete_continue was not set.

This happended as delete_continue was internally None and continue: None
was provided to the API.

The fix is simply to use '"continue": delete_continue or False' so that
continue is set to False in this case.
 2023-11-16 13:47:04 +01:00
Rafael Guterres Jeffman
16c8ee87e9 ipahost: Remove dangling dns records during test setup 
When testing ipahost through the test playbooks, if there are previous
DNS A/AAAA records, the test fails due to a false positive idempotence
issue.

This patch ensures that all DNS records for the test hosts are absent
before test execution.

This issue could be seen in the 2023-11-06 Azure Nightly pipeline
execution.
 2023-11-10 20:26:51 -03:00
Rafael Guterres Jeffman
3109e9d1bc utils/run-tests.sh: Replicate Azure's test grouping 
When running ansible-freeipa's Azure pipelines for nightly and weekly
tests, due to the amount of tests to execute, tests are grouped and
executed in parallel jobs.

Due to a still unkonwn issue, depending on the order the tests are
executed, some random failures may occur and debugging them is hard due
to current implementation of the tests.

This patch adds support for replicating the tests of a specific Azure
test group once the seed used to create groups and the group number are
provided, allowing the test failures to be replicated on the developer's
workstation where it can be more easily debugged.

A new option is added to 'utils/run-tests.sh', '-A SEED.G' that is used
to define the seed and group to replicate the tests. The seed is a date,
with the format "YYYYMMDD", so, for example '-A 20230611.2' would
execute the same tests, in the same order as the second group of tests
for date 2023-06-11. To aid in usability 'YYYY-MM-DD' may also be used.

When using '-A' neither '-s' (test suites) or specific tests (positional
arguments) can be used.

Also, to help fixing tests, an option to stop the tests on the first
test failure ('-x') was added to the script.
 2023-11-09 12:36:59 -03:00
Rafael Guterres Jeffman
b457de545d Update ansible-lint and pylint versions 
ansible-lint 6.21+ and pylint 3.0+ will be required for Ansible
collections to be approved on Ansible Galaxy.

This patch updates pre-commit and upstream linters to use the required
versions.
 2023-11-08 15:11:02 -03:00
Thomas Woerner
b22bf4dfb9 ipaclient: Properly name automount_location var and add documentation 
The ipaclient_automount_location variable was badly named as
ipaautomount_location. Additionally it was not documented in the role
README file.

Fixes: #1166 (.. automount-location to the ipa-client role)
 2023-11-08 12:33:41 +01:00
Rafael Guterres Jeffman
f1a6f44477 Merge pull request #1158 from t-woerner/idview_fail_to_apply_invalid_hosts 
ipaidview: Fail to apply unknown (invalid) hosts
 2023-10-22 22:43:03 -03:00
Rafael Guterres Jeffman
1dbe19cefb Merge pull request #1156 from t-woerner/hbacsvcgroup_remove_oobsolete_result_handler 
hbacsvcgroup: Remove obsolete result_handler
 2023-10-22 22:42:06 -03:00
Rafael Guterres Jeffman
7982fad342 Merge pull request #1155 from t-woerner/hbacrule_with_svcgroup_Sudo 
hbacrule: Fix use of builtin sudo hbacsvcgroup
 2023-10-22 22:41:18 -03:00
Thomas Woerner
212719496c ipaidview: Fail to apply unknown (invalid) hosts 
The task to apply an unknown (invalid) host to an idview was not failing
as expected and only reported no change.

A new host verification step has been added to fail before trying to
apply invalid hosts. unapplying an invalid host is not failing as the
invalid host is indeed not applied.
 2023-10-21 01:10:13 +02:00
Thomas Woerner
3de6f9146e hbacsvcgroup: Remove obsolete result_handler 
The result_handler is not needed anymore as the idempotency issues with
members have been fixed already for this module.

Related: #685 hbacsvcgroup: Fix member management idempotence issues.
 2023-10-21 01:09:21 +02:00
Thomas Woerner
48f2ef88a4 hbacrule: Fix use of builtin sudo hbacsvcgroup 
hbacsvcgroup names are converted to lower case while creation with
hbacsvcgroup_add.

The hbacsvcgroup for sudo is builtin with the name "Sudo" though. This
breaks the lower case comparison. Therefore all memberservice_hbacsvcgroup
items are converted to lower case if "Sudo" is in the list.
 2023-10-21 01:08:44 +02:00
Rafael Guterres Jeffman
6845acd596 upstream CI: Build containers in parallel jobs 
In the current build container pipeline, all steps are serialized in a
single job, and if one of the jobs fail to build, due to broken
dependent image, or some Azure glitch, like slow connection, the only
way to rebuild the failed container is to rebuild all containers.

By building containers in parallel jobs, if a container fails to build
it is possible to restart only the failed job.
 2023-10-20 13:44:09 -03:00
Rafael Guterres Jeffman
f012da22ce ipareplica: Support inventory groups.ipaserver 
Altough most of ansible-freeipa documentation and playbooks use
'ipaserver' as the group for the first server deployed for a realm, the
ipareplica role only supported the use of groups["ipaservers"] as an
alternative to set ipareplica_servers.

Also supporting groups.ipaserver, as already supported by the ipaclient
role, make ansible-freeipa playbooks more consistent and current
documentation and examples easier to follow when deploying a cluster
with a server and a replica.
 2023-10-20 13:43:06 -03:00
Thomas Woerner
ba7bf0f6cd Merge pull request #1148 from rjeffman/fix_checkpr_test_selection 
upstream CI: Fix test selection for CheckPR pipeline.
 2023-10-20 16:35:03 +02:00
Rafael Guterres Jeffman
fe2d17e4df upstream ci: Run PR tests using a single job. 
The usual scenario for PR checks is to execute only a few tests, and
searching for the results in several jobs makes it harder to find
issues.

By using a single job run the tests would take some more time to
complete, although not much, as only a small subset is executed, and
test verification would be easier and less error prone.
 2023-10-19 09:41:55 -03:00
Rafael Guterres Jeffman
319a0d3d86 upstream ci: Use a single random seed for spliting tests 
Dependind on how long it took for the jobs to start, a different seed
would be used to group tests and tests could either repeat or not be
selected at all.

By using a seed based on the day the test run reduces the chance of
using different random seeds, and still allow for the tests to be
executed in a different order.

The execution in different order is important to identify tests that
work or fail only if executed after other tests.
 2023-10-19 09:41:55 -03:00
Rafael Guterres Jeffman
c71a2b33dd upstream CI: Fix test selection for CheckPR pipeline. 
Due to an error on processing Ansible key 'import_tasks' the script that
creates a list of modules to test is broken making some modules to be
not tested.

By fixing the handling of 'import_tasks' and module import, the list is
correct again and the list of modules to be tested now include the ones
which depend on the modified module.
 2023-10-19 09:41:55 -03:00
Thomas Woerner
02223dfb67 Merge pull request #1159 from rjeffman/ci_pin_ansible_lint 
upstream CI: Pin ansible-lint version to 6.20 series
 2023-10-19 13:18:27 +02:00
Rafael Guterres Jeffman
5731a1539b upstream CI: Pin ansible-lint version to 6.20 series 
The release version 6.21.0 of ansible-lint introduced a bug that breaks
the reporting of 'warning' messages. [1]

This patch pins ansible-lint version to the latest one in the 6.20
series, so that it can still be used to check pull requests.

[1]: https://github.com/ansible/ansible-lint/issues/3853
 2023-10-18 15:36:16 -03:00
Thomas Woerner
ee7354230b Merge pull request #1157 from rjeffman/ci_fix_docker_install 
upstream CI: Pin Python version to 3.11
 2023-10-18 16:14:49 +02:00
Rafael Guterres Jeffman
4bb40f3397 Merge pull request #1146 from t-woerner/update_ansible-freeipa.spec.in_for_doverridegroup 
utils/ansible-freeipa.spec.in: Add ref for idoverridegroup management
 2023-10-17 17:05:39 -03:00
Rafael Guterres Jeffman
55b8729c52 upstream CI: Pin Python version to 3.11 
Azure Ubuntu images have Python 3.12 available, and as we did not pin
the requested Python version, the latest available one was used, causing
image preparation and tests to fail.

This patch pins Python version to 3.11 until test can be executed with
Python 3.12 and later.
 2023-10-17 16:32:37 -03:00
Rafael Guterres Jeffman
539ace413d Merge pull request #1105 from t-woerner/new_idp_module 
New idp management module
 2023-09-27 12:12:14 -03:00
Thomas Woerner
0c20b34d28 utils/ansible-freeipa.spec.in: Add ref for idoverridegroup management 
The idoverridegroup management reference has been added to the
description.
 2023-09-27 14:43:11 +02:00
Thomas Woerner
f9ff41320f New idp management module 
There is a new idp management module placed in the plugins folder:

    plugins/modules/ipaidp.py

The idp module allows to ensure presence or absence of external Identity
Providers.

Here is the documentation for the module:

    README-idp.md

New idp example playbooks:

    playbooks/idp/idp-present.yml
    playbooks/idp/idp-absent.yml

New tests for the module:

    tests/idp/test_idp.yml
    tests/idp/test_idp_client_context.yml
 2023-09-27 10:52:55 +02:00
Thomas Woerner
69c6b4d644 Merge pull request #1145 from rjeffman/revert_ansible_2_9 
Revert "upstream ci: Run nightly tests against Ansible 2.9"
 2023-09-26 17:41:08 +02:00
Rafael Guterres Jeffman
b63716b724 Revert "upstream ci: Run nightly tests against Ansible 2.9" 
Most of our usptream CI test imagens do not handle Ansible 2.9 so, this
cange is being reverted.

This reverts commit 34654d1090.
 2023-09-26 11:25:58 -03:00
Thomas Woerner
3cf138674b Merge pull request #1144 from rjeffman/upstream_ci_ansible_2_9 
Ensure CI runs against the oldest supported Ansible versions.
 2023-09-25 16:04:59 +02:00
Thomas Woerner
12e0d110f6 Merge pull request #1112 from rjeffman/future_pylint 
Bump linter versions.
 2023-09-25 16:02:53 +02:00
Rafael Guterres Jeffman
34654d1090 upstream ci: Run nightly tests against Ansible 2.9 
Recently it was announced that Ansible 2.9 will be supported for some
time, and this patch ensures that we run the nightly tests against this
version of Ansible.
 2023-09-19 15:54:38 -03:00
Rafael Guterres Jeffman
72d3ab8e04 upstream ci: Run PR checks against the oldest supported ansible-core 
Recently, a change in the deployment roles forced the change to the
minimum version of ansible-core, and the change was unnoticed until
reported.

With this patch, we ensure all PRs checks are executed against the
minimun supported ansible-core version, so we can ensure that both
documentation and role metadata are correct and still valid.
 2023-09-19 15:54:38 -03:00
Rafael Guterres Jeffman
fb75aed663 Merge pull request #1141 from t-woerner/new_idoverridegroup_module 
New idoverridegroup management module.
 2023-09-18 11:05:30 -03:00
Thomas Woerner
6f5bb9eebf New idoverridegroup management module. 
There is a new idoverridegroup management module placed in the plugins
folder:

    plugins/modules/ipaidoverridegroup.py

The idoverridegroup module allows to ensure presence and absence of
idoverrides for groups.

Here is the documentation for the module:

    README-idoverridegroup.md

New example playbooks have been added:

    playbooks/idoverridegroup/idoverridegroup-absent.yml
    playbooks/idoverridegroup/idoverridegroup-present.yml

New tests for the module can be found at:

    tests/idoverridegroup/test_idoverridegroup.yml
    tests/idoverridegroup/test_idoverridegroup_client_context.yml
 2023-09-18 15:17:08 +02:00
Rafael Guterres Jeffman
e5b2c122ce Merge pull request #1139 from t-woerner/new_idoverrideuer_module 
New idoverrideuser management module.
 2023-09-16 09:03:48 -03:00
Thomas Woerner
c0692e1746 New idoverrideuser management module. 
There is a new idoverrideuser management module placed in the plugins
folder:

    plugins/modules/ipaidoverrideuser.py

The idoverrideuser module allows to ensure presence and absence of
idoverrides for users and certificate members.

Here is the documentation for the module:

    README-idoverrideuser.md

New example playbooks have been added:

    playbooks/idoverrideuser/idoverrideuser-absent.yml
    playbooks/idoverrideuser/idoverrideuser-certificate-absent.yml
    playbooks/idoverrideuser/idoverrideuser-certificate-present.yml
    playbooks/idoverrideuser/idoverrideuser-present.yml

New tests for the module can be found at:

    tests/idoverrideuser/test_idoverrideuser.yml
    tests/idoverrideuser/test_idoverrideuser_client_context.yml
 2023-09-15 18:35:21 +02:00
Rafael Guterres Jeffman
2d079c8eec Merge pull request #1142 from t-woerner/Do_not_use_del_os.environ 
Do not use "del os.environ" as the variable might not exist
 2023-09-14 11:19:03 -03:00
Thomas Woerner
b70a1ecf61 Do not use "del os.environ" as the variable might not exist 
The use of del os.environ assumes that the environment variable exists.
If the variable does not exist, this call will result in a traceback.
The solution is to use os.environ.pop(VARIABLE, None) instead.

This is the ansible-freeipa fix for https://pagure.io/freeipa/issue/9446
(Nightly test failure for replica installation with --setup-ca)
 2023-09-14 15:20:37 +02:00
Rafael Guterres Jeffman
7cb5e481e5 Merge pull request #1140 from t-woerner/new_module_template_fixes 
new_module template fixes
 2023-09-13 11:07:02 -03:00
Thomas Woerner
60593b7dd3 utils/templates/ipamodule*.py.in: Fix superfluous type in argument spec 
The type was given twice for state and action argument specs. This has
been fixed.
 2023-09-13 13:20:47 +02:00
Thomas Woerner
e84ed3b6ba utils/templates/test_module_client_context.yml.in: Fix FQDN issue 
Fixes left over FQDN issue for include_tasks.
 2023-09-13 13:09:24 +02:00
Rafael Guterres Jeffman
6e1f9f1a72 pylint: Fix redefined-builtin 2023-09-11 12:01:17 -03:00
Rafael Guterres Jeffman
46a307aaeb pylint: Fix unused-argument 2023-09-11 12:01:17 -03:00
Rafael Guterres Jeffman
d8f8211a1c ci: Bump pylint version 
Change pylint version to match latest version on Fedora 38.
 2023-09-11 12:01:17 -03:00
Rafael Guterres Jeffman
34daa992f5 development: Bump versions of development checks 
Update versions for linters and pre-commit checks, and fix ansible-lint
execution.
 2023-09-11 12:01:17 -03:00
Rafael Guterres Jeffman
07c1a5ee61 pylint: Unnecessary parens after '=' keyword 
This patch removes unnecessary usage of parens on attributions.
 2023-09-11 12:01:17 -03:00
Rafael Guterres Jeffman
63d0272385 Change 'Exception' to 'RuntimeError' when FreeIPA version is too old 
Changing the use of 'Exception' to 'RuntimeError' has the benefits of
making the error more specific and meaningful for what is being reported
and to remove warnings from linters (pylint).

The same change is applied to all deployment roles.
 2023-09-11 12:01:17 -03:00
Rafael Guterres Jeffman
d0a8005a7f pylint: Disable broad exception warnings 
In recent pylint versions, use of broad exceptions for both raise and
try/except blocks raise a linter warning. As its use is justifiable in
the case of ipavault, the warnings are disabled where they occur.
 2023-09-11 12:01:17 -03:00
Rafael Guterres Jeffman
24efad73fa pylint: Fix warning 'unnecessary "else" after "return"' 
Recent pylint versions warn against the use of an 'else' in a
'try-except' block if using a 'return' on the 'except' part is is the
idom used by ansible-freeipa when retrieving IPA data objects.

This change removes the usage of the 'else:' in such cases, and modify
the templates so that new modules do not have the same issue in the
future.
 2023-09-11 12:01:17 -03:00
Rafael Guterres Jeffman
fd1352ad7e pylint: Disable warning when using non-literal dict 
Recent pylint versions warns when a dictionaire is created using
'dict()' instead of '{...}'. Using 'dict()' in ansible-freeipa modules
actually enhances readability, so this change disables the check for
'use-dict-literal' in pylint.
 2023-09-11 12:01:17 -03:00
Thomas Woerner
de38e8f0bc Merge pull request #1138 from rjeffman/fix_spec_update_modules 
spec file: Updated list of modules
 2023-09-11 10:55:31 +02:00
Rafael Guterres Jeffman
847ae2a374 spec file: Updated list of modules 
Current spec file template was missing certificate, netgroup and
idview modules.
 2023-09-08 11:21:33 -03:00
Thomas Woerner
bcee9aba92 Merge pull request #1136 from rjeffman/bump_ansible_version_2.13 
Bump Ansible version to 2.13
 2023-09-08 15:47:57 +02:00
Rafael Guterres Jeffman
c34c66fa79 ansible-freeipa: Bump minimum supported Ansible version to 2.13 
As ansible-freeipa roles does not support Ansible 2.8, bump the
collection version to the currently oldest supported Ansible version
available, 2.13.
 2023-09-08 09:59:11 -03:00
Rafael Guterres Jeffman
0a3cd06c6e README-*: Bump minimum supported Ansible version to 2.13 
As ansible-freeipa roles do not support version 2.8 anymore, change the
minimum supported version to 2.13, which is the currently minimum
available and supported Ansible version.

This patch fixes documentation on all plugin READMEs, spec file and
module templates.
 2023-09-08 09:59:11 -03:00
Rafael Guterres Jeffman
b5b22c3f7e roles: Bump minimum Ansible version to 2.13 
Currently, the minimum supported Ansible version is 2.13, and
ansible-freeipa roles does not work with any version less than 2.9,
altough ansible-freeipa documentation states that the minimum version to
use is 2.8.

This patch fixes documentation and roles metadata to require that the
minimum Ansible version used is 2.13.
 2023-09-08 09:59:11 -03:00
Thomas Woerner
7ee385ee02 Merge pull request #1131 from rjeffman/roles_update_supported_distros 
Updated supported distros
 2023-09-07 13:05:24 +02:00
Thomas Woerner
7d9e4da9df Merge pull request #1120 from rjeffman/ci_fix_sanity_test_ansible_lint 
upstream ci: fix sanity test ansible lint failures
 2023-09-07 13:03:53 +02:00
Thomas Woerner
0a20b5902d Merge pull request #1133 from rjeffman/testday_1 
ipacert: Fix revocation example playbook on README
 2023-09-07 13:02:13 +02:00
Rafael Guterres Jeffman
be9a2db404 Merge pull request #1134 from t-woerner/new_idview_module 
New idview management module.
 2023-09-06 09:53:23 -03:00
Thomas Woerner
ba4a360520 New idview management module. 
There is a new idview management module placed in the plugins folder:

    plugins/modules/ipaidview.py

The idview module allows to ensure presence and absence of idviews and
idview host members.

Here is the documentation for the module:

    README-idview.md

New example playbooks have been added:

    playbooks/idview/idview-absent.yml
    playbooks/idview/idview-host-applied.yml
    playbooks/idview/idview-host-unapplied.yml
    playbooks/idview/idview-present.yml

New tests for the module can be found at:

    tests/idview/test_idview.yml
    tests/idview/test_idview_client_context.yml
 2023-09-06 12:40:32 +02:00
Rafael Guterres Jeffman
3534fcdce7 ansible-lint: Use the same command line as galaxy-importer 
Currently, there is a hard coded timeout in galaxy-importer that
prevents larger collections to execute the ansible-lint step [1].

This patch modifies the calls to ansible-lint on development tools and
upstream CI to use the same arguments as galaxy-importer and disables
the execution of the ansible-lint step for the Ansible's sanity test.

Requested ansible-lint version for tools is also updated, as a more
recent one is required.

This change will not allow development using an environment using Python
2.7, due to newer ansible-lint requirements. Roles and modules tests
against target nodes using Python 2.7 is still possible.

[1]: https://github.com/ansible/galaxy-importer/pull/231
 2023-09-05 14:10:09 -03:00
Rafael Guterres Jeffman
f0f21fc8aa ipacert: Fix revocation example playbook on README 
The revocation example playbook on README was wrong as it didn't have a
'reason' set, and the parameter must be used with 'state: revoked'.

This patch fixes the example and adds a new example using a reason
mnemonic instead of a reason number.
 2023-08-24 08:50:18 -03:00
Rafael Guterres Jeffman
5ed96eda05 Updated supported distros 
Updated all roles README files to add supported distros, as CentOS
Stream is supported (both 8 and 9) and also Debian clients.
 2023-08-23 15:35:04 -03:00
Thomas Woerner
cf779e43bb Merge pull request #1123 from rjeffman/ci_increase_test_verbosity 
ci: Increase verbosity for Ansible playbook runs
 2023-07-24 10:05:25 +02:00
Rafael Guterres Jeffman
1a48a0fb63 Merge pull request #1122 from t-woerner/fix_ipa_command_invalid_param_choices_for_IPA_4_6 
ansible_freeipa_module: Fix ipa_command_invalid_param_choices
 2023-07-21 16:15:40 -03:00
Rafael Guterres Jeffman
ed3a0d5a1b ci: Increase verbosity for Ansible playbook runs 
Some test failures requires more information than just the playbook
simple output. By increasing verbosity, the used parameters and the
failed line will be visible in the test error report, making it easier
to identify, reproduce and fix the issue.
 2023-07-21 12:06:47 -03:00
Thomas Woerner
d58b492f1d ansible_freeipa_module: Fix ipa_command_invalid_param_choices 
Fix ipa_command_invalid_param_choices for IPA 4.6 (RHEL-7)

- krbprincipalauthind in host_add does not have choices defined
- krbprincipalauthind in service_add does not have choices defined

api.Command[command].params[name].cli_metavar returns "STR" and
ast.literal_eval failes with a ValueError "malformed string".

There is no way to verify that the given values are valid or not in
this case. The check is done later on while applying the change
with host_add, host_mod, service_add and service_mod.
 2023-07-21 16:44:04 +02:00
Thomas Woerner
88d4a36e17 Merge pull request #1055 from rjeffman/ipauser_idp_attrs 
ipauser: Support for External IdP attributes.
 2023-07-20 14:00:48 +02:00
Rafael Guterres Jeffman
6fa8223662 ipauser: Support for External IdP attributes. 
Add support for 'idp' and 'idp_user_id' to ipauser plugin.

FreeIPA 4.10.0 is required for both attributes.
 2023-07-19 14:38:30 -03:00
Rafael Guterres Jeffman
c9e8656494 Merge pull request #1119 from t-woerner/update_authtypes_authind_readmes 
Update authtypes authind readmes
 2023-07-19 11:37:34 -03:00
Thomas Woerner
a791c6a0ca README-user.md: Add choices pkinit, hardened and idp to user_auth_type 
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
 2023-07-19 16:17:10 +02:00
Thomas Woerner
9cbccdade9 README-service.md: Add choice idp to auth_ind 
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.
 2023-07-19 16:07:50 +02:00
Thomas Woerner
42c07d6336 README-host.md: Add choice idp to auth_ind 
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.
 2023-07-19 16:07:27 +02:00
Thomas Woerner
a728a8d43e README-config.md: Add choices pkinit, hardened and idp to user_auth_type 
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
 2023-07-19 16:07:19 +02:00
Thomas Woerner
bd3266e9f1 Merge pull request #1117 from rjeffman/doc_update_ubuntu_support 
ipaserver: Update README with detailed Ubuntu support
 2023-07-19 14:10:45 +02:00
Rafael Guterres Jeffman
48063d2b3a Merge pull request #1118 from t-woerner/update_authtypes_authind 
Update authtypes authind
 2023-07-19 08:59:18 -03:00
Thomas Woerner
5d08214516 Merge pull request #1075 from rjeffman/automount_indirect_maps 
ipaautomountmap: add support for indirect maps
 2023-07-19 13:53:55 +02:00
Rafael Guterres Jeffman
ef0b7e80f0 ipaserver: Update README with detailed Ubuntu support 
Ubuntu does not have a FreeIPA server package since version 20.04. As
versions 16.04 (Xenial Xerus) and 18.04 (Bionic Beaver) will be
supported by Canonical until 2026 and 2028, repectively, we should keep
existing support for both versions in the ipaserver, ipareplica and
ipabackup roles until them.

This patch changes documentation to reflect that only those versions are
supported.
 2023-07-19 08:51:06 -03:00
Rafael Guterres Jeffman
a33fcf45f8 ipaautomountmap: add support for indirect maps 
Indirect maps were not supported by ansible-freeipa ipaautomountmap.
This patch adds support for adding indirect automount maps using the
"parent" and "mount" parameters, if the map do not yet exist. An
existing map cannot be modified.

The "parent" parameter must match an existing automount map, and the
"mount" parameter is required if "parent" is used.

A new example playbook can be found at:

    playbooks/automount/automount-map-indirect-map.yml

A new test playbook was added to test the feature:

    tests/automount/test_automountmap_indirect.yml
 2023-07-19 08:41:25 -03:00
Thomas Woerner
c4b273c896 ipauser: Add choices pkinit, hardened and idp to user_auth_type 
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.

An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
 2023-07-19 11:38:14 +02:00
Thomas Woerner
62d34d0a22 ipaservice: Add choice idp to auth_ind 
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.

An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
 2023-07-19 11:38:14 +02:00
Thomas Woerner
3ed0c229c4 ipahost: Add choice idp to auth_ind 
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.

An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
 2023-07-19 11:38:14 +02:00
Thomas Woerner
c089c010e6 ipaconfig: Add choices pkinit, hardened and idp to user_auth_type 
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.

An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
 2023-07-19 11:38:14 +02:00
Thomas Woerner
cfbdd83a64 ansible_freeipa_module: New ipa_command_invalid_param_choices method 
New IPAAnsibleModule.ipa_command_invalid_param_choices method to return
invalid parameter choices for an IPA command.

This is needed to verify for example if userauthtype and authind are
supporting the idp value.
 2023-07-19 11:38:06 +02:00
Thomas Woerner
fef1bdcf8e Merge pull request #1116 from rjeffman/fix_runtests_collections 
utils/run-tests.sh: Install Ansible collections on virtual environment
 2023-07-17 15:35:54 +02:00
Thomas Woerner
411d363d91 Merge pull request #1056 from rjeffman/ipauser_smb_params 
ipauser: Add support for SMB attributes.
 2023-07-17 15:24:22 +02:00
Rafael Guterres Jeffman
1555132d85 utils/run-tests.sh: Install Ansible collections on virtual environment 
When runing tests using 'utils/run-tests.sh' from inside an existing
Python virtual environment the Ansible collections are not installed due
to the order of execution of the script. On a machine that does not have
the 'containers.*' collection the test fails as there is no container
connector available.

This patch moves the section that installs Ansible collections to run
after the virtual environment is configured, and then install the
collections (usually, only 'containers.podman'), allowing the tests to
be executed.
 2023-07-15 14:55:44 -03:00
Rafael Guterres Jeffman
57ad57dda3 ipauser: Add support for SMB attributes. 
Since FreeIPA version 4.8.0 ipauser has support for smb-logon-script,
smb-profile-path, smb-home-dir, and smb-home-drive drive attributes.

On FreeIPA, these attributes are only available when modifying a user,
so if the user defined in the playbook does not exist, two calls to IPA
API are executed, a 'user_add' followed by a 'user_mod'.
(see https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md

A new example playbook can be found at:

     playbooks/user/smb-attributes.yml

A new test playbook can be found at:

     tests/user/test_user_smb_attrs.yml
 2023-07-14 10:53:30 -03:00
Thomas Woerner
dab64c7cf6 Merge pull request #1098 from rjeffman/doc_diferentiate_location_host_and_server 
doc: Differentiate location meaning between host and server
 2023-07-14 15:39:37 +02:00
Rafael Guterres Jeffman
b7145bc2cc doc: Differentiate location meaning between host and server 
Host location and server location have very different meanings in IPA.
ipahost uses 'location' as an optional hint to where the host may be
physically located, ipaserever uses location to identify which DNS
location the server is part of.

This change updates documentation to make attribute description more
clear. Surrounding text have been changed to match text style as used in
other plugins.

This patch is related to: https://github.com/freeipa/freeipa/pull/6840
 2023-07-14 10:25:51 -03:00
Thomas Woerner
c9f1da5d6b Merge pull request #1076 from rjeffman/fix_usercheck_dictcheck 
Fix handling of ipapwpolicy attributes usercheck and dictcheck
 2023-07-14 15:25:20 +02:00
Thomas Woerner
f4070f6a30 Merge pull request #1100 from rjeffman/ci_update_ansible_2_15 
upstream CI: Update ansible-core version
 2023-07-14 15:11:21 +02:00
Thomas Woerner
ad9a03ece6 Merge pull request #1114 from rjeffman/remove_virtualenv 
Remove dependency on 'virtualenv'
 2023-07-14 15:05:09 +02:00
Rafael Guterres Jeffman
1bfe6888a4 Remove dependency on 'virtualenv' 
'virtualenv' is an external dependency with the same purpose of Python's
'venv' module. This patch removes the external dependency in favor of
the readily available package.
 2023-07-13 15:07:08 -03:00
Thomas Woerner
51ddaa6491 Merge pull request #1044 from rjeffman/ipauser_street 
ipauser: Add support for parameter "street"
 2023-07-12 20:34:49 +02:00
Rafael Guterres Jeffman
f56861cc15 ipauser: Add support for parameter "street" 
ipauser plugin was missing user parameter "street".

Tests were updated to reflect the new parameter.
 2023-07-12 12:31:26 -03:00
Thomas Woerner
c4de680497 Merge pull request #1039 from rjeffman/ipauser_gecos 
ipauser: Add support to modify GECOS field.
 2023-07-12 17:08:53 +02:00
Rafael Guterres Jeffman
7b2701b985 ipapwpolicy: Updated module documentation. 
Most of ipapwpolicy parameters can be set to an empty string ("") so
that the policy is not applied to pwpolicy. This was not refelected on
the documentation.

This change adds 'or ""' to all the fields that can be disabled by
setting it to an empty string. Also, `data types were reviewed and fixed.
 2023-07-11 10:15:43 -03:00
Rafael Guterres Jeffman
694c717829 ipapwpolicy: Modify handling of usercheck and dictcheck 
Modified handling of boolean values by using Ansible's 'boolean()' check
function so that a string can be used and either a bool value is
accepted or an empty string.

As the error message was changed to use the same Ansible message, tests
were also updated.
 2023-07-11 10:15:43 -03:00
Rafael Guterres Jeffman
083396e133 module_utils: Export Ansible's 'boolean' parsing function. 
Export Ansible's 'boolean' parsing function so it can be used to verify
if a string can be handled as a truthy value, allowing module parameters
to use strings instead of bools, as strings can be cleared by using
empty strings.
 2023-07-11 08:33:35 -03:00
Rafael Guterres Jeffman
9a8a1db38f ipauser: Add support to modify GECOS field. 
This patch adds a new parameter to ipauser, 'gecos', which can be used
to set the 'gecos' field of an IPA user. The default behavior of
automatically set the GECOS field to "<first> <last>" is not modified,
it is only possible to change the field to a custom value.

No validation on the value provided is done, as it is with FreeIPA.
 2023-07-10 14:34:44 -03:00
Rafael Guterres Jeffman
8f9c344bc1 Merge pull request #1106 from renich/patch-1 
Singular to plural on random serial numbers setting
 2023-06-15 11:15:55 -03:00
Renich Bon Ciric
067b683b81 Singular to plural on random serial numbers setting 
The setting was in singular in the example while being documented in plural form.
 2023-06-14 16:53:22 -06:00
Rafael Guterres Jeffman
51f64e4393 upstream CI: Update ansible-core version 
ansible-core 2.15 has been released on May 15th, 2023, and version 2.12
has reached EOL on May 22nd, 2023.

This patch updates the ansible-core versions used on upstream CI tests
to reflect Ansible's new releases.
 2023-06-09 10:05:47 -03:00
Rafael Guterres Jeffman
45700bc02b Merge pull request #1082 from t-woerner/fix_pwpolicy_maxsequence_test 
pwpolicy test: Fix maxsequence test
 2023-06-07 12:35:00 -03:00
Thomas Woerner
d04a12e522 pwpolicy test: Fix maxsequence test 
The maxsequence test was testing maxrepeat. Therefore the typo reported
with https://github.com/freeipa/ansible-freeipa/pull/1081 was never
seen.

The test has been fixed.
 2023-06-07 17:17:20 +02:00
Thomas Woerner
4e9ec11b23 Merge pull request #1081 from cutrightjm/patch-1 
Fix typo in ipapwpolicy.py
 2023-06-07 17:17:01 +02:00
Thomas Woerner
2d93051101 Merge pull request #1078 from rjeffman/ipapwpolicy_simple_attribute_test 
ipapwpolicy: simplified and faster attribute verification
 2023-06-07 17:12:36 +02:00
Jacob Cutright
1a7b279d78 Fix typo in ipapwpolicy.py 
The 'maxsequence' attribute was never applied as there was a typo when
it was set. By fixing the field name, 'maxsequence' is correclty set.

The failure was not seen before due to missing tests. The tests will be
added in a separate PR.
 2023-06-07 12:04:49 -03:00
Thomas Woerner
be228d1df3 Merge pull request #1094 from rjeffman/ci_disable_pytests 
Upstream CI: Disable execution of pytest tests
 2023-06-07 17:00:59 +02:00
Thomas Woerner
ce95c638be Merge pull request #1099 from rjeffman/roles_disallow_fqdn_domain_match 
Don't allow the FQDN to match the domain on server installs
 2023-06-07 16:56:06 +02:00
Thomas Woerner
876f39a6c5 Merge pull request #687 from yrro/ipacert 
ipacert module
 2023-06-07 16:54:47 +02:00
Rafael Guterres Jeffman
950840e050 Merge pull request #1101 from t-woerner/multiple_service_management 
Multiple service management
 2023-06-07 11:53:14 -03:00
Sam Morris
87e1edf575 New certificate management module. 
There is a new certificate management module placed in the plugins
folder:

    plugins/modules/ipacert.py

The certificate module allows to request, revoke, release and retrieve
certificates for users, hosts and services.

Here is the documentation for the module:

    README-cert.md

New example playbooks have been added:

    playbooks/cert/cert-hold.yml
    playbooks/cert/cert-release.yml
    playbooks/cert/cert-request-host.yml
    playbooks/cert/cert-request-service.yml
    playbooks/cert/cert-request-user.yml
    playbooks/cert/cert-retrieve.yml
    playbooks/cert/cert-revoke.yml

New tests for the module can be found at:

    tests/cert/test_cert_client_context.yml
    tests/cert/test_cert_host.yml
    tests/cert/test_cert_service.yml
    tests/cert/test_cert_user.yml

The module has been co-authored by Sam Morris (@yrro) and Rafael
Guterres Jeffman (@rjeffman).
 2023-06-07 11:35:25 -03:00
Thomas Woerner
09250cb2c5 ipaservice: Updated and new tests for certificates and multi service handling 
The tests test_services_absent.yml, test_services_present.yml and
test_services_present_slice.yml have been updated to use in memory data
for testing instead of loading json files. This made is simpler to use
variables from the playbook for example for fqdn host names.

New tests for certificates with and without trailing new lines have been
added for single service and multiple service handling.
 2023-06-07 13:36:48 +02:00
Thomas Woerner
872c9e4cb2 ipaservice: Add Denis Karpelevich to the authors header 
Denis added the multi service handling code. Therefore he should be
listed in the file header.
 2023-06-07 13:36:48 +02:00
Thomas Woerner
efe9c68600 ipaservice: Properly Handle certs with leading or trailing white space 
Any leading or trailing whitespace is removed while adding the
certificates with serive_add_cert. To be able to compare the results
from service_show with the given certificates we have to remove the
white space also.
 2023-06-07 13:36:28 +02:00
Denis Karpelevich
0d9873b81c Allow multiple services creation 
Adding an option to create multiple services in one go.
Adding tests (present/absent/without_skip_host_check)

Copied from PR #1054

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
 2023-06-06 12:40:33 +02:00
Rafael Guterres Jeffman
5b91703bd7 Don't allow the FQDN to match the domain on server installs 
If server FQDN matches the domain name, the installation will succeed,
but DNS records will not work. If 'setup_dns: true' is used, there will
be no A record for the host, only a NS record, and the PTR record will
point to the domain name.

Based on: https://github.com/freeipa/freeipa/pull/6853
Related to: https://pagure.io/freeipa/issue/9003
 2023-06-05 12:56:47 -03:00
Rafael Guterres Jeffman
180afd7586 Merge pull request #1077 from rjeffman/update_gitignore 
Make Git ignore temporary and output files.
 2023-05-30 10:59:09 -03:00
Thomas Woerner
7f16914032 Merge pull request #1097 from rjeffman/fix_ansible_lint_var_naming 
upstream CI: Disable ansible-lint var-naming check
 2023-05-30 14:45:14 +02:00
Rafael Guterres Jeffman
306522acd8 upstream CI: Disable ansible-lint var-naming check 
Latest ansible-lint version (6.16.1) started to raise an error when
variable names from within roles are not prefixed with  the role name.
Error: var-naming[no-role-prefix].

As Ansible sanity check does not enforce this, it will be disabled, for
now on ansible-freeipa's upstream CI.

A future effort to reduce the checks that are not being evaluated should
be done as preparation for future Ansible Galaxy and Automation Hub
requirements.
 2023-05-16 16:08:51 -03:00
Rafael Guterres Jeffman
a155324188 Upstream CI: Disable execution of pytest tests. 
The tests under 'tests/pytests' were a POC to bring tests that evaluate
the result of playbook execution on the IPA environment. This is
currently only implemented for dnszone tests, and similar test coverage
is obtained with other tests.

As there is an ongoing issue with Ansible's docker pluging
("the connection plugin 'docker' was not found"), which is stil under
investigation, by removing the pytest tests we'll remove the consistent
failures currently seen on upstream CI, and will not loose test
coverage, specially if we take into account downstream tests.

Also, a new version for the pytests will be available once multihost
testing is implemented for upstream.
 2023-05-15 15:41:09 -03:00
Rafael Guterres Jeffman
8ec5b1fe21 Merge pull request #1092 from t-woerner/fix_requests_version_require_for_build_container 
tests/azure/templates/build_container.yml: Quote requests with version
 2023-05-08 11:41:38 -03:00
Thomas Woerner
316255d524 tests/azure/templates/build_container.yml: Quote requests with version 
The version requirement for requests need to be quoted not to lead into
a pip install command issue.

This is related to PR #1089 (Pin requests to < 2.29 temporarily)
 2023-05-08 16:28:20 +02:00
Rafael Guterres Jeffman
36b7a18e40 Merge pull request #1088 from t-woerner/fix_new_ansible_lint_disallowed_ignores 
Fix new ansible lint disallowes ignores
 2023-05-05 12:08:41 -03:00
Thomas Woerner
a32fcb3765 ansible_freeipa_module.py: Calm down ansible-test on print and sys.exit 
The function exit_raw_json is a replacement for AnsibleModule.exit_json
without flterting out values for no_log parameters.

Ansible added checks for pylint to forbid print and also sys.exit and
fails with ansible-bad-function. As the check is not known outside of
ansible-test, the disable line needed also W0012:

    # pylint: disable=W0012,ansible-bad-function
 2023-05-05 16:56:38 +02:00
Thomas Woerner
2d4cad6c1b ipaserver_test.py: Add missing default for random_serial_numbers 
random_serial_numbers was missing the default value in the DOCMENTATION
section.
 2023-05-05 16:56:38 +02:00
Thomas Woerner
a4b8e10a40 ansible-test: Do not use automatic field numbering specification 
Automatic field numbering specification is not allowed by ansible-test.
 2023-05-05 16:26:45 +02:00
Thomas Woerner
98681bd4d2 Use "#!/usr/bin/env python" for python shebang 
ansible is not allowing to use "#!/usr/bin/python".

Due to a change in ansible-lint it is not possible to ignore the "bad"
shebang.
 2023-05-05 16:26:45 +02:00
Thomas Woerner
2882e2426a Add -eu to all bash shebangs 
ansible requires to either use "#!/bin/bash -eu" or "#!/bin/bash -eux"
for bash shebangs.
 2023-05-05 16:26:45 +02:00
Thomas Woerner
f056775d95 Remove old or empty sanity ignore files 
The old ignore file ignore-2.12.txt is not needed and used anymore. The
new files ignore-2.13.txt and ignore-2.14.txt are empty after
ansible-lint made nearly all ignores disallowed.

All the newly disallowed ignores need to be fixed.

See https://github.com/ansible/ansible-lint/pull/3102
 2023-05-05 16:26:45 +02:00
Rafael Guterres Jeffman
ad5450cd6f Merge pull request #1089 from t-woerner/pin_requests_below_2_29 
Pin requests to < 2.29 temporarily
 2023-05-05 11:25:39 -03:00
Thomas Woerner
e75d82131d Pin requests to < 2.29 temporarily 
Due to https://github.com/docker/docker-py/issues/3113 requests need to
be pinned below 2.29 as a temporary solution.
 2023-05-05 15:06:38 +02:00
Rafael Guterres Jeffman
99e468ad60 Merge pull request #1083 from t-woerner/fix_azure_molecule_docker 
tests/azure: Install molecule-plguins to get docker driver
 2023-04-27 17:45:35 -03:00
Thomas Woerner
3cc111782c tests/azure: Install molecule-plguins to get docker driver 
The docker driver is not part of molecule 5.0.0 anymore.
molecule-plugins need to be installed to get the driver.
 2023-04-27 14:01:09 +02:00
Rafael Guterres Jeffman
b429b4495e Merge pull request #1035 from t-woerner/new_module_github_user_fix 
Fixes and enhancements for utils/new_module and templates
 2023-04-20 10:03:19 -03:00
Rafael Guterres Jeffman
0f99ef2199 Merge pull request #1080 from t-woerner/module_defaults 
Create action group in collection for use with module_defaults
 2023-04-20 10:03:10 -03:00
Thomas Woerner
1c8f1c28e1 utils/templates/test_module*.yml.in: Use generic module_defaults 
The usage of module_defaults allows to reduce the size of the tests and
to have the needed information in the tasks only. The default values for the
parameters are automatically passed to the module by Ansible.

It is not possible to use a module group for module_defaults as this could
only be done with Ansible Collections. The tests are also used upstream and
downstream without a collection.

Without groups of a collection it is needed to add the defaults for all
modules separately.

Simple example:

    module_defaults:
      ipahost:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"

Several module example using YAML anchors and aliases:

    module_defaults:
      ipahost: &ipa_module_defaults
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
      ipauser: *ipa_module_defaults
      ipagroup: *ipa_module_defaults
 2023-04-20 10:10:51 +02:00
Thomas Woerner
47d5211185 utils/templates/test_module*.yml.in: Better docs for become and gather_facts 
The documentation for "become" and "gather_facts" has been updated to
make sure that these parameters are enabled only in new tests if it is
really needed.
 2023-04-20 10:10:51 +02:00
Thomas Woerner
4a18ad03c8 utils/templates/{README*.md.in,test_module*.yml.in}: Use true and false 
The values "yes" and "no" will not be valid in the future for bool
parameters. Therefore "yes" and "no" have been replaced by "true" and
"false".
 2023-04-20 10:09:07 +02:00
Thomas Woerner
966797dbee utils/build-galaxy-release.sh: Create module action group 
The module action group <collection-prefix>.modules is created
automatically while building the galaxy release.

The action group can be used for module_defaults in this way:

    module_defauls:
      group/<collection-prefix>.modules:
        ipaadmin_password: SomeADMINpassword

Example:

    module_defaults:
      group/freeipa.ansible_freeipa.modules:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
    collections:
    - freeipa.ansible_freeipa
 2023-04-20 10:04:41 +02:00
Thomas Woerner
892c0dd6f0 utils/galaxyfy.py: Handle module_defaults, match roles and modules 
The section module_defaults was not handled by utils/galaxyfy.py, also
there was no verification that only roles and modules provided by
ansible-freeipa are matched for prepending the collection prefix.
 2023-04-20 10:04:26 +02:00
Rafael Guterres Jeffman
645a234d92 Make Git ignore temporary and output files. 
Ignore vim .swp files and files generated by creating ansible-freeipa
collection, when checking repository status.
 2023-04-18 10:21:24 -03:00
Thomas Woerner
5cbc8b7ada New utils/facts.py: Provide facts about the repo like role and module lists 
The list of modules and roles is needed in several scripts now,
therefore it makes sense to have one place for this.

Here are the current variables:

BASE_DIR:           Base directory of the repo
ROLES:              List of roles in the roles folder
MANAGEMENT_MODULES: List of management modules in the plugins/modules
                    folder
ROLES_MODULES:      List of modules in the roles/*/library folders
ALL_MODULES:        List of all modules, the management and the roles
                    modules

All lists are sorted.
 2023-04-18 13:36:42 +02:00
Thomas Woerner
5e5fbd87bf utils/templates/ipamodule.py.in: Add missing bracket 
The parameter argument spec of name was missing the closing bracket. The
bracket has been added.
 2023-04-14 17:23:37 +02:00
Rafael Guterres Jeffman
35ded3bf53 utils/new_module: Ensure correct number of parameters for new_module 
When testing the number parameters for new_module, the
`github_user` was not being taken into account.
 2023-04-14 17:23:37 +02:00
Thomas Woerner
209c6365ea utils/new_module: Fix github_user test 
new_module was always failing with "github_user is not valid". The wrong
variable was checked: $githubuser instead of $github_user.
 2023-04-14 17:23:37 +02:00
Rafael Guterres Jeffman
a69446021b ipapwpolicy: simplified and faster attribute verification 
Use a simpler and faster 'any()' test instead of creating two lists and
checking if resulting list is empty.
 2023-04-11 18:45:49 -03:00
372 changed files with 16969 additions and 4340 deletions
Expand all files Collapse all files

2
.ansible-lint
View File

@@ -7,7 +7,6 @@ exclude_paths:
- .tox/ - .tox/
- .venv/ - .venv/
- .yamllint - .yamllint
- molecule/
- tests/azure/ - tests/azure/
- meta/runtime.yml - meta/runtime.yml
- requirements-docker.yml - requirements-docker.yml
@@ -35,6 +34,7 @@ skip_list:
- yaml # yamllint should be executed separately. - yaml # yamllint should be executed separately.
- experimental # Do not run any experimental tests - experimental # Do not run any experimental tests
- name[template] # Allow Jinja templating inside task names - name[template] # Allow Jinja templating inside task names
- var-naming
use_default_rules: true use_default_rules: true

4
.github/workflows/ansible-test.yml vendored
View File

@@ -8,10 +8,8 @@ jobs:
name: Verify ansible-test sanity name: Verify ansible-test sanity
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Install virtualenv using pip
run: pip install virtualenv
- name: Run ansible-test - name: Run ansible-test
run: bash tests/sanity/sanity.sh run: bash tests/sanity/sanity.sh

54
.github/workflows/docs.yml vendored
View File

@@ -5,30 +5,13 @@ on:
- pull_request - pull_request
jobs: jobs:
check_docs_oldest_supported: check_docs_oldest_supported:
name: Check Ansible Documentation with ansible-core 2.12.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3.1.0
with:
fetch-depth: 0
- uses: actions/setup-python@v4.3.0
with:
python-version: '3.x'
- name: Install Ansible 2.12
run: |
python -m pip install "ansible-core >=2.12,<2.13"
- name: Run ansible-doc-test
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_previous:
name: Check Ansible Documentation with ansible-core 2.13. name: Check Ansible Documentation with ansible-core 2.13.
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 1
- uses: actions/setup-python@v4.3.0 - uses: actions/setup-python@v5.1.0
with: with:
python-version: '3.x' python-version: '3.x'
- name: Install Ansible 2.13 - name: Install Ansible 2.13
@@ -38,14 +21,14 @@ jobs:
run: | run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_current: check_docs_previous:
name: Check Ansible Documentation with ansible-core 2.14. name: Check Ansible Documentation with ansible-core 2.14.
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 1
- uses: actions/setup-python@v4.3.0 - uses: actions/setup-python@v5.1.0
with: with:
python-version: '3.x' python-version: '3.x'
- name: Install Ansible 2.14 - name: Install Ansible 2.14
@@ -55,14 +38,31 @@ jobs:
run: | run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_current:
name: Check Ansible Documentation with ansible-core 2.15.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- uses: actions/setup-python@v5.1.0
with:
python-version: '3.x'
- name: Install Ansible 2.15
run: |
python -m pip install "ansible-core >=2.15,<2.16"
- name: Run ansible-doc-test
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_ansible_latest: check_docs_ansible_latest:
name: Check Ansible Documentation with latest Ansible version. name: Check Ansible Documentation with latest Ansible version.
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 1
- uses: actions/setup-python@v4.3.0 - uses: actions/setup-python@v5.1.0
with: with:
python-version: '3.x' python-version: '3.x'
- name: Install Ansible-latest - name: Install Ansible-latest

49
.github/workflows/lint.yml vendored
View File

@@ -8,55 +8,40 @@ jobs:
name: Verify ansible-lint name: Verify ansible-lint
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: actions/setup-python@v4.3.0 - uses: actions/setup-python@v5.1.0
with: with:
python-version: "3.x" python-version: "3.x"
- name: Run ansible-lint - name: Run ansible-lint
run: | run: |
pip install "ansible-core >=2.14,<2.15" ansible-lint pip install "ansible-core>=2.16,<2.17" 'ansible-lint==6.22'
utils/build-galaxy-release.sh -ki utils/build-galaxy-release.sh -ki
cd .galaxy-build cd .galaxy-build
ansible-lint ansible-lint --profile production --exclude tests/integration/ --exclude tests/unit/ --parseable --nocolor
yamllint: yamllint:
name: Verify yamllint name: Verify yamllint
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 1
- uses: actions/setup-python@v4.3.0 - uses: actions/setup-python@v5.1.0
with: with:
python-version: "3.x" python-version: "3.x"
- name: Run yaml-lint - name: Run yaml-lint
uses: ibiqlik/action-yamllint@v3.1.1 uses: ibiqlik/action-yamllint@v3.1.1
pydocstyle:
name: Verify pydocstyle
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3.1.0
with:
fetch-depth: 0
- uses: actions/setup-python@v4.3.0
with:
python-version: "3.x"
- name: Run pydocstyle
run: |
pip install pydocstyle
pydocstyle
flake8: flake8:
name: Verify flake8 name: Verify flake8
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 1
- uses: actions/setup-python@v4.3.0 - uses: actions/setup-python@v5.1.0
with: with:
python-version: "3.x" python-version: "3.x"
- name: Run flake8 - name: Run flake8
@@ -68,23 +53,25 @@ jobs:
name: Verify pylint name: Verify pylint
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 1
- uses: actions/setup-python@v4.3.0 - uses: actions/setup-python@v5.1.0
with: with:
python-version: "3.x" python-version: "3.x"
- name: Run pylint - name: Run pylint
run: | run: |
pip install pylint==2.14.4 wrapt==1.14.0 pip install 'pylint>=3.0'
pylint plugins roles --disable=import-error pylint plugins roles --disable=import-error
shellcheck: shellcheck:
name: Shellcheck name: Shellcheck
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 1
- name: Run ShellCheck - name: Run ShellCheck
uses: ludeeus/action-shellcheck@master uses: ludeeus/action-shellcheck@master
env:
SHELLCHECK_OPTS: -x

4
.github/workflows/readme.yml vendored
View File

@@ -8,9 +8,9 @@ jobs:
name: Verify readme name: Verify readme
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3.1.0 - uses: actions/checkout@v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 1
- name: Run readme test - name: Run readme test
run: | run: |
error=0 error=0

7
.gitignore vendored
View File

@@ -1,8 +1,15 @@
*.pyc *.pyc
*.retry *.retry
*.swp
# collection files
freeipa-ansible_freeipa*.tar.gz
redhat-rhel_idm*.tar.gz
importer_result.json
# ignore virtual environments # ignore virtual environments
/.tox/ /.tox/
/.venv/ /.venv/
tests/logs/ tests/logs/
TEST*.xml

31
.pre-commit-config.yaml
View File

@@ -1,30 +1,36 @@
--- ---
repos: repos:
- repo: https://github.com/ansible/ansible-lint.git - repo: https://github.com/ansible/ansible-lint.git
rev: v6.6.1 rev: v24.5.0
hooks: hooks:
- id: ansible-lint - id: ansible-lint
always_run: false always_run: false
pass_filenames: true pass_filenames: true
files: \.(yaml|yml)$ files: \.(yaml|yml)$
exclude: /env[^/]*.(yaml|yml)$ exclude: /env[^/]*.(yaml|yml)$
entry: | entry: |-
env ANSIBLE_LIBRARY=./plugins/modules ANSIBLE_MODULE_UTILS=./plugins/module_utils ANSIBLE_DOC_FRAGMENT_PLUGINS=./plugins/doc_fragments ansible-lint env
ANSIBLE_LIBRARY=./plugins/modules
ANSIBLE_MODULE_UTILS=./plugins/module_utils
ANSIBLE_DOC_FRAGMENT_PLUGINS=./plugins/doc_fragments
ansible-lint
--offline
--profile production
--exclude tests/integration/
--exclude tests/unit/
--parseable
--nocolor
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git
rev: v1.28.0 rev: v1.35.1
hooks: hooks:
- id: yamllint - id: yamllint
files: \.(yaml|yml)$ files: \.(yaml|yml)$
- repo: https://github.com/pycqa/flake8 - repo: https://github.com/pycqa/flake8
rev: 5.0.3 rev: 7.0.0
hooks: hooks:
- id: flake8 - id: flake8
- repo: https://github.com/pycqa/pydocstyle
rev: 6.0.0
hooks:
- id: pydocstyle
- repo: https://github.com/pycqa/pylint - repo: https://github.com/pycqa/pylint
rev: v2.14.4 rev: v3.2.2
hooks: hooks:
- id: pylint - id: pylint
args: args:
@@ -44,4 +50,7 @@ repos:
name: ShellCheck name: ShellCheck
language: system language: system
entry: shellcheck entry: shellcheck
files: \.sh$ args: ['-x']
files: >
\.sh$
utils/sh*$

7
.yamllint
View File

@@ -20,4 +20,9 @@ rules:
max: 160 max: 160
# Disabled rules # Disabled rules
indentation: disable indentation: disable
comments: disable comments:
min-spaces-from-content: 1
comments-indentation: disable
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true

2
README-automember.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-automountkey.md
View File

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountkey module.
Requirements Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-automountlocation.md
View File

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountlocation module.
Requirements Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

27
README-automountmap.md
View File

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountmap module.
Requirements Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -54,6 +54,21 @@ Example playbook to ensure presence of an automount map:
desc: "this is a map for servers in the DMZ" desc: "this is a map for servers in the DMZ"
``` ```
Automount maps can contain a submount key, which defines a mount location within the map the references another map. On FreeIPA, this is known as an indirect map. An indirect automount map is equivalent to adding a proper automount key to a map, referencyng another map (this second map is the indirect map). Use `parent` and `mount` parameters to create an indirect automount map with ansible-freeipa, without the need to directly manage the automount keys.
Example playbook to ensure an indirect automount map is present:
```yaml
---
- name: Playbook to add an indirect automount map
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
name: auto.indirect
location: DMZ
parent: auto.DMZ
mount: dmz_indirect
```
Example playbook to ensure auto.DMZi is absent: Example playbook to ensure auto.DMZi is absent:
```yaml ```yaml
@@ -81,16 +96,14 @@ Variable | Description | Required
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `mapname` \| `map` \| `automountmapname` | Name of the map to manage | yes `name` \| `mapname` \| `map` \| `automountmapname` | Name of the map to manage | yes
`location` \| `automountlocation` \| `automountlocationcn` | Location name. | yes `location` \| `automountlocation` \| `automountlocationcn` | Location name. | yes
`parentmap` | Parent map of the indirect map. Can only be used when creating new maps. Default: auto.master | no
`mount` | Indirect map mount point, relative to parent map. | yes, if `parent` is used.
`desc` \| `description` | Description of the map | yes `desc` \| `description` | Description of the map | yes
`state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no `state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no
Notes
=====
Creation of indirect mount points are not supported.
Authors Authors
======= =======
Chris Procter - Chris Procter
- Rafael Jeffman

192
README-cert.md Normal file
View File

@@ -0,0 +1,192 @@
Cert module
============
Description
-----------
The cert module makes it possible to request, revoke and retrieve SSL certificates for hosts, services and users.
Features
--------
* Certificate request
* Certificate hold/release
* Certificate revocation
* Certificate retrieval
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipacert module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
* Some tool to generate a certificate signing request (CSR) might be needed, like `openssl`.
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to request a new certificate for a service:
```yaml
---
- name: Certificate request
hosts: ipaserver
tasks:
- name: Request a certificate for a web server
ipacert:
ipaadmin_password: SomeADMINpassword
state: requested
csr: |
-----BEGIN CERTIFICATE REQUEST-----
MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
SYaXm/gF8cDYjQI=
-----END CERTIFICATE REQUEST-----
principal: HTTP/www.example.com
register: cert
```
Example playbook to revoke an existing certificate:
```yaml
---
- name: Revoke certificate
hosts: ipaserver
tasks:
- name Revoke a certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 123456789
reason: 5
state: revoked
```
When revoking a certificate a mnemonic can also be used to set the revocation reason:
```yaml
---
- name: Revoke certificate
hosts: ipaserver
tasks:
- name Revoke a certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 123456789
reason: cessationOfOperation
state: revoked
```
Example to hold a certificate (alias for revoking a certificate with reason `certificateHold (6)`):
```yaml
---
- name: Hold a certificate
hosts: ipaserver
tasks:
- name: Hold certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 0xAB1234
state: held
```
Example playbook to release hold of certificate (may be used with any revoked certificates, despite of the rovoke reason):
```yaml
---
- name: Release hold
hosts: ipaserver
tasks:
- name: Take a revoked certificate off hold
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 0xAB1234
state: released
```
Example playbook to retrieve a certificate and save it to a file in the target node:
```yaml
---
- name: Retriev certificate
hosts: ipaserver
tasks:
- name: Retrieve a certificate and save it to file 'cert.pem'
ipacert:
ipaadmin_password: SomeADMINpassword
certificate_out: cert.pem
state: retrieved
```
ipacert
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`csr` | X509 certificate signing request, in PEM format. | yes, if `state: requested`
`principal` | Host/service/user principal for the certificate. | yes, if `state: requested`
`add` \| `add_principal` | Automatically add the principal if it doesn't exist (service principals only). (bool) | no
`profile_id` \| `profile` | Certificate Profile to use | no
`ca` | Name of the issuing certificate authority. | no
`chain` | Include certificate chain in output. (bool) | no
`serial_number` | Certificate serial number. (int) | yes, if `state` is `retrieved`, `held`, `released` or `revoked`.
`revocation_reason` \| `reason` | Reason for revoking the certificate. Use one of the reason strings, or the corresponding value: "unspecified" (0), "keyCompromise" (1), "cACompromise" (2), "affiliationChanged" (3), "superseded" (4), "cessationOfOperation" (5), "certificateHold" (6), "removeFromCRL" (8), "privilegeWithdrawn" (9), "aACompromise" (10) | yes, if `state: revoked`
`certificate_out` | Write certificate (chain if `chain` is set) to this file, on the target node. | no
`state` | The state to ensure. It can be one of `requested`, `held`, `released`, `revoked`, or `retrieved`. `held` is the same as revoke with reason "certificateHold" (6). `released` is the same as `cert-revoke-hold` on IPA CLI, releasing the hold status of a certificate. | yes
Return Values
=============
Values are returned only if `state` is `requested` or `retrieved` and if `certificate_out` is not defined.
Variable | Description | Returned When
-------- | ----------- | -------------
`certificate` | Certificate fields and data. (dict) <br>Options: | if `state` is `requested` or `retrieved` and if `certificate_out` is not defined
&nbsp; | `certificate` - Issued X509 certificate in PEM encoding. Will include certificate chain if `chain: true`. (list) | always
&nbsp; | `san_dnsname` - X509 Subject Alternative Name. | When DNSNames are present in the Subject Alternative Name extension of the issued certificate.
&nbsp; | `issuer` - X509 distinguished name of issuer. | always
&nbsp; | `subject` - X509 distinguished name of certificate subject. | always
&nbsp; | `serial_number` - Serial number of the issued certificate. (int) | always
&nbsp; | `revoked` - Revoked status of the certificate. (bool) | if certificate was revoked
&nbsp; | `owner_user` - The username that owns the certificate. | if `state: retrieved` and certificate is owned by a user
&nbsp; | `owner_host` - The host that owns the certificate. | if `state: retrieved` and certificate is owned by a host
&nbsp; | `owner_service` - The service that owns the certificate. | if `state: retrieved` and certificate is owned by a service
&nbsp; | `valid_not_before` - Time when issued certificate becomes valid, in GeneralizedTime format (YYYYMMDDHHMMSSZ) | always
&nbsp; | `valid_not_after` - Time when issued certificate ceases to be valid, in GeneralizedTime format (YYYYMMDDHHMMSSZ) | always
Authors
=======
Sam Morris
Rafael Jeffman

4
README-config.md
View File

@@ -25,7 +25,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -145,7 +145,7 @@ Variable | Description | Required
`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no `selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
`selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no `selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no
`pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no `pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `disabled`, `""`). An additional check ensures that only types can be used that are supported by the IPA version. Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no `enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no

2
README-delegation.md
View File

@@ -23,7 +23,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-dnsconfig.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-dnsforwardzone.md
View File

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
Requirements Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-dnsrecord.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

23
README-dnszone.md
View File

@@ -23,7 +23,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
@@ -133,6 +133,22 @@ Example playbook to enable a zone:
state: enabled state: enabled
``` ```
Example playbook to allow per-zone privilege delegation:
```yaml
---
- name: Playbook to enable per-zone privilege delegation
hosts: ipaserver
become: true
tasks:
- name: Enable privilege delegation.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: testzone.local
permission: true
```
Example playbook to remove a zone: Example playbook to remove a zone:
```yaml ```yaml
@@ -223,6 +239,7 @@ Variable | Description | Required
`ttl`| Time to live for records at zone apex | no `ttl`| Time to live for records at zone apex | no
`default_ttl`| Time to live for records without explicit TTL definition | no `default_ttl`| Time to live for records without explicit TTL definition | no
`nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no `nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
`permission` \| `managedby` | Set per-zone access delegation permission. | no
`skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no `skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no
`skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no `skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
@@ -238,4 +255,6 @@ Variable | Description | Returned When
Authors Authors
======= =======
Sergio Oliveira Campos - Sergio Oliveira Campos
- Thomas Woerner
- Rafael Jeffman

62
README-group.md
View File

@@ -8,8 +8,12 @@ The group module allows to ensure presence and absence of groups and members of
The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group. The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
## Note
Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case. Notes
-----
* Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
* Using `externalmember` or `idoverrideuser` is only supported with `ipaapi_context: server`. With 'client' context, module execution will fail.
Features Features
@@ -29,7 +33,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -130,6 +134,45 @@ And ensure the presence of the groups with this example playbook:
groups: "{{ groups }}" groups: "{{ groups }}"
``` ```
Example playbook to rename a group:
```yaml
---
- name: Playbook to rename a single group
hosts: ipaserver
become: false
gather_facts: false
tasks:
- name: Rename group appops to webops
ipagroup:
ipaadmin_password: SomeADMINpassword
name: appops
rename: webops
state: renamed
```
Several groups can also be renamed with a single task, as in the example playbook:
```yaml
---
- name: Playbook to rename multiple groups
hosts: ipaserver
become: false
gather_facts: false
tasks:
- name: Rename group1 to newgroup1 and group2 to newgroup2
ipagroup:
ipaadmin_password: SomeADMINpassword
groups:
- name: group1
rename: newgroup1
- name: group2
rename: newgroup2
state: renamed
```
Example playbook to add users to a group: Example playbook to add users to a group:
```yaml ```yaml
@@ -174,7 +217,7 @@ Example playbook to add members from a trusted realm to an external group:
--- ---
- name: Playbook to handle groups. - name: Playbook to handle groups.
hosts: ipaserver hosts: ipaserver
tasks: tasks:
- name: Create an external group and add members from a trust to it. - name: Create an external group and add members from a trust to it.
ipagroup: ipagroup:
@@ -237,6 +280,7 @@ Example playbook to ensure groups are absent:
state: absent state: absent
``` ```
Variables Variables
========= =========
@@ -260,13 +304,15 @@ Variable | Description | Required
`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no `service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no `externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. Requires "server" context. | no
`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no `idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up. Requires "server" context. | no
`rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes `state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | yes
Authors Authors
======= =======
Thomas Woerner - Thomas Woerner
- Rafael Jeffman

12
README-hbacrule.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -44,7 +44,7 @@ Example playbook to make sure HBAC Rule login exists:
```yaml ```yaml
--- ---
- name: Playbook to handle hbacrules - name: Playbook to handle hbacrules
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:
@@ -60,7 +60,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service
```yaml ```yaml
--- ---
- name: Playbook to handle hbacrules - name: Playbook to handle hbacrules
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:
@@ -77,7 +77,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
```yaml ```yaml
--- ---
- name: Playbook to handle hbacrules - name: Playbook to handle hbacrules
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:
@@ -95,7 +95,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
```yaml ```yaml
--- ---
- name: Playbook to handle hbacrules - name: Playbook to handle hbacrules
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:
@@ -114,7 +114,7 @@ Example playbook to make sure HBAC Rule login is absent:
```yaml ```yaml
--- ---
- name: Playbook to handle hbacrules - name: Playbook to handle hbacrules
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:

2
README-hbacsvc.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

12
README-hbacsvcgroup.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -44,7 +44,7 @@ Example playbook to make sure HBAC Service Group login exists:
```yaml ```yaml
--- ---
- name: Playbook to handle hbacsvcgroups - name: Playbook to handle hbacsvcgroups
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:
@@ -60,7 +60,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC
```yaml ```yaml
--- ---
- name: Playbook to handle hbacsvcgroups - name: Playbook to handle hbacsvcgroups
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:
@@ -77,7 +77,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group
```yaml ```yaml
--- ---
- name: Playbook to handle hbacsvcgroups - name: Playbook to handle hbacsvcgroups
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:
@@ -95,7 +95,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group
```yaml ```yaml
--- ---
- name: Playbook to handle hbacsvcgroups - name: Playbook to handle hbacsvcgroups
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:
@@ -114,7 +114,7 @@ Example playbook to make sure HBAC Service Group login is absent:
```yaml ```yaml
--- ---
- name: Playbook to handle hbacsvcgroups - name: Playbook to handle hbacsvcgroups
hbacsvcs: ipaserver hosts: ipaserver
become: true become: true
tasks: tasks:

8
README-host.md
View File

@@ -24,7 +24,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -335,13 +335,13 @@ Variable | Description | Required
-------- | ----------- | -------- -------- | ----------- | --------
`description` | The host description. | no `description` | The host description. | no
`locality` | Host locality (e.g. "Baltimore, MD"). | no `locality` | Host locality (e.g. "Baltimore, MD"). | no
`location` \| `ns_host_location` | Host location (e.g. "Lab 2"). | no `location` \| `ns_host_location` | Host physical location hint (e.g. "Lab 2"). | no
`platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no `platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no
`os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no `os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no `password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
`random` \| `random_password` | Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no `random` \| `random_password` | Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
`certificate` \| `usercertificate` | List of base-64 encoded host certificates | no `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no `managedby_host` | List of hosts that can manage this host | no
`principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no `allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no `allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
@@ -354,7 +354,7 @@ Variable | Description | Required
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no `auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. An additional check ensures that only types can be used that are supported by the IPA version. Choices: ["radius", "otp", "pkinit", "hardened", "idp", ""] | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no

2
README-hostgroup.md
View File

@@ -26,7 +26,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

233
README-idoverridegroup.md Normal file
View File

@@ -0,0 +1,233 @@
Idoverridegroup module
============
Description
-----------
The idoverridegroup module allows to ensure presence and absence of idoverridegroups and idoverridegroup members.
Use Cases
---------
With idoverridegroup it is possible to manage group attributes within ID views. These attributes are for example the group name or gid.
Features
--------
* Idoverridegroup management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidoverridegroup module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure test group test_group is present in idview test_idview
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview.
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
```
Example playbook to make sure test group test_group is present in idview test_idview with description
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview with description
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
description: "test_group description"
```
Example playbook to make sure test group test_group is present in idview test_idview without description
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview without description
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
description: ""
```
Example playbook to make sure test group test_group is present in idview test_idview with internal name test_123_group
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview with internal name test_123_group
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
name: test_123_group
```
Example playbook to make sure test group test_group is present in idview test_idview without internal name
```yaml
---
- name: Playbook to manage idoverridegroup
- name: Ensure test group test_group is present in idview test_idview without internal name
hosts: ipaserver
become: false
tasks:
- ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
name: ""
```
Example playbook to make sure test group test_group is present in idview test_idview with gid 20001
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview with gid 20001
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
gid: 20001
```
Example playbook to make sure test group test_group is present in idview test_idview without gid
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview without gid
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
gid: ""
```
Example playbook to make sure test group test_group is present in idview test_idview with enabling falling back to AD DC LDAP when resolving AD trusted objects. (For two-way trusts only.)
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview with fallback_to_ldap enabled
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
fallback_to_ldap: true
```
Example playbook to make sure test group test_group is absent in idview test_idview
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is absent in idview test_idview
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
continue: true
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`idview` \| `idviewcn` | The doverridegroup idview string. | yes
`anchor` \| `ipaanchoruuid` | The list of anchors to override. | yes
`description` \| `desc` | Description | no
`name` \| `group_name` \| `cn` | The group. | no
`gid` \| `gidnumber` | Group ID Number (int or "") | no
`fallback_to_ldap` | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

503
README-idoverrideuser.md Normal file
View File

@@ -0,0 +1,503 @@
Idoverrideuser module
============
Description
-----------
The idoverrideuser module allows to ensure presence and absence of idoverrideusers and idoverrideuser members.
Use Cases
---------
With idoverrideuser it is possible to manage user attributes within ID views. These attributes are for example the login name, home directory, certificate for authentication or SSH keys.
Features
--------
* Idoverrideuser management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidoverrideuser module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure test user test_user is present in idview test_idview
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview.
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
```
Example playbook to make sure test user test_user is present in idview test_idview with description
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with description
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
description: "test_user description"
```
Example playbook to make sure test user test_user is present in idview test_idview without description
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without description
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
description: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with internal name test_123_user
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with internal name test_123_user
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
name: test_123_user
```
Example playbook to make sure test user test_user is present in idview test_idview without internal name
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without internal name
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
name: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with uid 20001
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with uid 20001
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
uid: 20001
```
Example playbook to make sure test user test_user is present in idview test_idview without uid
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without uid
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
uid: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with gecos "Gecos Test"
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with gecos "Gecos Test"
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
gecos: Gecos Test
```
Example playbook to make sure test user test_user is present in idview test_idview without gecos
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without gecos
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
gecos: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with gidnumber
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with gidnumber
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
gidnumber: 20001
```
Example playbook to make sure test user test_user is present in idview test_idview without gidnumber
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without gidnumber
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
gidnumber: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with homedir /Users
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with homedir /Users
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
homedir: /Users
```
Example playbook to make sure test user test_user is present in idview test_idview without homedir
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without homedir
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
homedir: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with shell
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with shell
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
shell: /bin/someshell
```
Example playbook to make sure test user test_user is present in idview test_idview without shell
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without shell
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
shell: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with sshpubkey
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with sshpubkey
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
sshpubkey:
- ssh-rsa AAAAB3NzaC1yc2EAAADAQABAAABgQCqmVDpEX5gnSjKuv97Ay ...
```
Example playbook to make sure test user test_user is present in idview test_idview without sshpubkey
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without sshpubkey
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
sshpubkey: []
```
Example playbook to make sure test user test_user is present in idview test_idview with 1 certificate
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with 1 certificate
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
certificate:
- "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
```
Example playbook to make sure test user test_user is present in idview test_idview with 3 certificate members
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with 3 certificate members
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
certificate:
- "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
- "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
- "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
action: member
```
Example playbook to make sure test user test_user is present in idview test_idview without 2 certificate members
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without 2 certificate members
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
certificate:
- "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
- "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
action: member
state: absent
```
Example playbook to make sure test user test_user is present in idview test_idview without certificates
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without certificates
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
certificate: []
```
Example playbook to make sure test user test_user is present in idview test_idview with enabling falling back to AD DC LDAP when resolving AD trusted objects. (For two-way trusts only.)
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with fallback_to_ldap enabled
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
fallback_to_ldap: true
```
Example playbook to make sure test user test_user is absent in idview test_idview
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is absent in idview test_idview
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
continue: true
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`idview` \| `idviewcn` | The doverrideuser idview string. | yes
`anchor` \| `ipaanchoruuid` | The list of anchors to override. | yes
`description` \| `desc` | Description | no
`name` \| `login` | The user (internally uid) | no
`uid` \| `uidnumber` | User ID Number (int or "") | no
`gecos` | GECOS | no
`gidnumber` | Group ID Number (int or ""). | no
`homedir` \| `homedirectory` | Home directory. | no
`shell` \| `loginshell` | Login shell. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`certificate` \| `usercertificate` | List of Base-64 encoded user certificates. This variable can also be used with `action: member`. | no
`fallback_to_ldap` | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`nomembers` \| `no_members` | Suppress processing of membership attributes. Valid only if `state` is `absent`. | no
`action` | Work on idoverrideuser or member level. It can be on of `member` or `idoverrideuser` and defaults to `idoverrideuser`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

192
README-idp.md Normal file
View File

@@ -0,0 +1,192 @@
Idp module
============
Description
-----------
The idp module allows to ensure presence and absence of idps.
Features
--------
* Idp management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidp module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure keycloak idp my-keycloak-idp is present:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure keycloak idp my-keycloak-idp is present
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-keycloak-idp
provider: keycloak
organization: main
base_url: keycloak.idm.example.com:8443/auth
client_id: my-client-id
```
Example playbook to make sure keycloak idp my-keycloak-idp is absent:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure keycloak idp my-keycloak-idp is absent
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-keycloak-idp
delete_continue: true
state: absent
```
Example playbook to make sure github idp my-github-idp is present:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure github idp my-github-idp is present
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-github-idp
provider: github
client_id: my-github-client-id
```
Example playbook to make sure google idp my-google-idp is present using provider defaults without specifying provider:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure google idp my-google-idp is present using provider defaults without specifying provider
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-google-idp
auth_uri: https://accounts.google.com/o/oauth2/auth
dev_auth_uri: https://oauth2.googleapis.com/device/code
token_uri: https://oauth2.googleapis.com/token
keys_uri: https://www.googleapis.com/oauth2/v3/certs
userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
client_id: my-google-client-id
scope: "openid email"
idp_user_id: email
```
Example playbook to make sure google idp my-google-idp is present using provider:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure google idp my-google-idp is present using provider
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-google-idp
provider: google
client_id: my-google-client-id
```
Example playbook to make sure idps my-keycloak-idp, my-github-idp and my-google-idp are absent:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
ipaidp:
ipaadmin_password: SomeADMINpassword
name:
- my-keycloak-idp
- my-github-idp
- my-google-idp
delete_continue: true
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | false
`name` \| `cn` | The list of idp name strings. | yes
auth_uri \| ipaidpauthendpoint | OAuth 2.0 authorization endpoint string. | no
dev_auth_uri \| ipaidpdevauthendpoint | Device authorization endpoint string. | no
token_uri \| ipaidptokenendpoint | Token endpoint string. | no
userinfo_uri \| ipaidpuserinfoendpoint | User information endpoint string. | no
keys_uri \| ipaidpkeysendpoint | JWKS endpoint string. | no
issuer_url \| ipaidpissuerurl | The Identity Provider OIDC URL string. | no
client_id \| ipaidpclientid | OAuth 2.0 client identifier string. | no
secret \| ipaidpclientsecret | OAuth 2.0 client secret string. | no
scope \| ipaidpscope | OAuth 2.0 scope string. Multiple scopes separated by space. | no
idp_user_id \| ipaidpsub | Attribute string for user identity in OAuth 2.0 userinfo. | no
provider \| ipaidpprovider | Pre-defined template string. This provides the provider defaults, which can be overridden with the other IdP options. Choices: ["google","github","microsoft","okta","keycloak"] | no
organization \| ipaidporg | Organization ID string or Realm name for IdP provider templates. | no
base_url \| ipaidpbaseurl | Base URL string for IdP provider templates. | no
rename \| new_name | New name for the Identity Provider server object. Only with `state: renamed`. | no
delete_continue \| continue | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `renamed`, default: `present`. | no
Authors
=======
Thomas Woerner

2
README-idrange.md
View File

@@ -37,7 +37,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

153
README-idview.md Normal file
View File

@@ -0,0 +1,153 @@
Idview module
============
Description
-----------
The idview module allows to ensure presence and absence of idviews and idview host members.
Use Cases
---------
With ID views it is possible to override user or group attributes for users stored in the LDAP server. For example the login name, home directory, certificate for authentication or SSH keys. An ID view is client-side and specifies new values for user or group attributes and also the client host or hosts on which the values apply.
The ID view and the applied hosts are managed with idview, the user attributes are managed with idoverrideuser and the group attributes with idoverridegroup.
Features
--------
* Idview management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidview module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure idview "test_idview" is present:
```yaml
---
- name: Playbook to manage IPA idview.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
```
Example playbook to make sure idview "test_idview" member host "testhost.example.com" is present:
```yaml
---
- name: Playbook to manage IPA idview host member.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
host: testhost.example.com
action: member
```
Example playbook to make sure idview "test_idview" member host "testhost.example.com" is absent:
```yaml
---
- name: Playbook to manage IPA idview host member.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
host: testhost.example.com
action: member
state: absent
```
Example playbook to make sure idview "test_idview" is present with domain_resolution_order for "ad.example.com:ipa.example.com":
```yaml
---
- name: Playbook to manage IPA idview host member.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
domain_resolution_order: "ad.example.com:ipa.example.com"
```
Example playbook to make sure idview "test_idview" is absent:
```yaml
---
- name: Playbook to manage IPA idview.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`name` \| `cn` | The list of idview name strings. | yes
`description` \| `desc` | The description string of the idview. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Colon-separated list of domains used for short name qualification. | no
`host` \| `hosts` | List of hosts to apply the ID View to. A host can only be applied to a single idview at any time. Applying a host that is already applied to a different idview will change the idview the host is applied to to the new one. | no
`rename` \| `new_name` | Rename the ID view object to the new name string. Only usable with `state: renamed`. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`action` | Work on idview or member level. It can be on of `member` or `idview` and defaults to `idview`. | no
`state` | The state to ensure. It can be one of `present`, `absent` and `renamed`, default: `present`. | no
Authors
=======
Thomas Woerner

106
README-inventory-plugin-freeipa.md Normal file
View File

@@ -0,0 +1,106 @@
Inventory plugin
================
Description
-----------
The inventory plugin compiles a dynamic inventory from IPA domain. The servers can be filtered by their role(s).
This plugin is using the Python requests binding, that is only available for Python 3.7 and up.
Features
--------
* Dynamic inventory
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.6.0 and up are supported by the inventory plugin.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Configuration
=============
The inventory plugin is automatically enabled from the Ansible collection or from the top directory of the git repo if the `plugins` folder is linked to `~/.ansible`.
If `ansible.cfg` was modified to point to the roles and modules with `roles_path`, `library` and `module_utils` tag, then it is needed to set `inventory_plugins` also:
```
inventory_plugins = /my/dir/ansible-freeipa/plugins/inventory
```
Usage
=====
Example inventory file "freeipa.yml":
```yml
---
plugin: freeipa
server: server.ipa.local
ipaadmin_password: SomeADMINpassword
```
Example inventory file "freeipa.yml" with server TLS certificate verification using local copy of `/etc/ipa/ca.crt` from the server:
```yml
---
plugin: freeipa
server: server.ipa.local
ipaadmin_password: SomeADMINpassword
verify: ca.crt
```
How to use the plugin
---------------------
With the `ansible-inventory` command it is possible to show the generated inventorey:
```bash
ansible-inventory -v -i freeipa.yml --graph
```
Example inventory file "freeipa.yml" for use with `playbooks/config/retrieve-config.yml`:
```yml
---
plugin: freeipa
server: server.ipa.local
ipaadmin_password: SomeADMINpassword
inventory_group: ipaserver
```
```bash
ansible-playbook -u root -i ipa.yml playbooks/config/retrieve-config.yml
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`server` | The FQDN of server to start the scan. (string) | yes
`verify` | The server TLS certificate file for verification (/etc/ipa/ca.crt). Turned off if not set. (string) | yes
`role` | The role(s) of the server. If several roles are given, only servers that have all the roles are returned. (list of strings) (choices: "IPA master", "CA server", "KRA server", "DNS server", "AD trust controller", "AD trust agent") | no
`inventory_group` | The inventory group to create. The default group name is "ipaservers". | no
Authors
=======
- Thomas Woerner

2
README-location.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-netgroup.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-permission.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-privilege.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

30
README-pwpolicy.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -128,20 +128,20 @@ Variable | Description | Required
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no `name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int or "") | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int or "") | no
`history` \| `krbpwdhistorylength` | Password history size. (int) | no `history` \| `krbpwdhistorylength` | Password history size. (int or "") | no
`minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int) | no `minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int or "") | no
`minlength` \| `krbpwdminlength` | Minimum length of password. (int) | no `minlength` \| `krbpwdminlength` | Minimum length of password. (int or "") | no
`priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int) | no `priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int or "") | no
`maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int) | no `maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int or "") | no
`failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int) | no `failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int or "") | no
`lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int) | no `lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int or "") | no
`maxrepeat` \| `ipapwdmaxrepeat` | Maximum number of same consecutive characters. Requires IPA 4.9+ (int) | no `maxrepeat` \| `ipapwdmaxrepeat` | Maximum number of same consecutive characters. Requires IPA 4.9+ (int or "") | no
`maxsequence` \| `ipapwdmaxsequence` | The maximum length of monotonic character sequences (abcd). Requires IPA 4.9+ (int) | no `maxsequence` \| `ipapwdmaxsequence` | The maximum length of monotonic character sequences (abcd). Requires IPA 4.9+ (int or "") | no
`dictcheck` \| `ipapwdictcheck` | Check if the password is a dictionary word. Requires IPA 4.9+ (int) | no `dictcheck` \| `ipapwdictcheck` | Check if the password is a dictionary word. Requires IPA 4.9+. (bool or "") | no
`usercheck` \| `ipapwdusercheck` | Check if the password contains the username. Requires IPA 4.9+ (int) | no `usercheck` \| `ipapwdusercheck` | Check if the password contains the username. Requires IPA 4.9+. (bool or "") | no
`gracelimit` \| `passwordgracelimit` | Number of LDAP authentications allowed after expiration. Requires IPA 4.9.10 (int) | no `gracelimit` \| `passwordgracelimit` | Number of LDAP authentications allowed after expiration. Requires IPA 4.9.10 (int or "") | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes

2
README-role.md
View File

@@ -25,7 +25,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-selfservice.md
View File

@@ -23,7 +23,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

18
README-server.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -249,14 +249,14 @@ Variable | Description | Required
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of server name strings. | yes `name` \| `cn` | The list of server name strings. | yes
`location` \| `ipalocation_location` | The server location string. Only in state: present. "" for location reset. | no `location` \| `ipalocation_location` | The server DNS location. Only available with 'state: present'. Use "" for location reset. | no
`service_weight` \| `ipaserviceweight` | Weight for server services. Type Values 0 to 65535, -1 for weight reset. Only in state: present. (int) | no `service_weight` \| `ipaserviceweight` | Weight for server services. Type Values 0 to 65535, -1 for weight reset. Only available with 'state: present'. (int) | no
`hidden` | Set hidden state of a server. Only in state: present. (bool) | no `hidden` | Set hidden state of a server. Only available with 'state: present'. (bool) | no
`no_members` | Suppress processing of membership attributes. Only in state: present. (bool) | no `no_members` | Suppress processing of membership attributes. Only avialable with 'state: present'. (bool) | no
`delete_continue` \| `continue` | Continuous mode: Don't stop on errors. Only in state: absent. (bool) | no `delete_continue` \| `continue` | Continuous mode: Don't stop on errors. Only available with 'state: absent'. (bool) | no
`ignore_last_of_role` | Skip a check whether the last CA master or DNS server is removed. Only in state: absent. (bool) | no `ignore_last_of_role` | Skip a check whether the last CA master or DNS server is removed. Only available with 'state: absent'. (bool) | no
`ignore_topology_disconnect` | Ignore topology connectivity problems after removal. Only in state: absent. (bool) | no `ignore_topology_disconnect` | Ignore topology connectivity problems after removal. Only available with 'state: absent'. (bool) | no
`force` | Force server removal even if it does not exist. Will always result in changed. Only in state: absent. (bool) | no `force` | Force server removal even if it does not exist. Will always result in changed. Only available with 'state: absent'. (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. `present` is only working with existing servers. | no `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. `present` is only working with existing servers. | no

77
README-service.md
View File

@@ -25,7 +25,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FReeIPA version (see above) * Supported FReeIPA version (see above)
@@ -282,6 +282,65 @@ Example playbook to allow users, groups, hosts or hostgroups to retrieve a keyta
``` ```
Example playbook to ensure presence of serveral services in a single task:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
tasks:
- name: Ensure services are present
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www.example.com
principal:
- host/host1.example.com
- name: mysvc/www.example.com
pac_type: NONE
ok_as_delegate: yes
ok_to_auth_as_delegate: yes
- name: HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host1.example.com
- host2.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
- name: mysvc/host2.example.com
auth_ind: otp,radius
```
Example playbook to ensure presence of serveral services in a single task with `member` `action`:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
- name: Ensure service host members are present
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www1.example.com
host: host1.example.com
- name: HTTP/www2.example.com
host: host2.example.com
action: member
```
Variables Variables
--------- ---------
@@ -291,10 +350,18 @@ Variable | Description | Required
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `service` | The list of service name strings. | yes `name` \| `service` | The list of service name strings. `name` with *service variables* or `services` containing *service variables* need to be used. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
**Service Variables:**
Variable | Description | Required
-------- | ----------- | --------
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit` or `hardened`. Use empty string to reset auth_ind to the initial value. | no `auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
@@ -310,11 +377,9 @@ Variable | Description | Required
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no `allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no `allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no `allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
`continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`smb` | Service is an SMB service. If set, `cifs/` will be prefixed to the service name if needed. | no `smb` | Service is an SMB service. If set, `cifs/` will be prefixed to the service name if needed. | no
`netbiosname` | NETBIOS name for the SMB service. Only with `smb: yes`. | no `netbiosname` | NETBIOS name for the SMB service. Only with `smb: yes`. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no `continue` \| `delete_continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
Authors Authors

2
README-servicedelegationrule.md
View File

@@ -24,7 +24,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-servicedelegationtarget.md
View File

@@ -24,7 +24,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-sudocmd.md
View File

@@ -24,7 +24,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-sudocmdgroup.md
View File

@@ -24,7 +24,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

69
README-sudorule.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -93,6 +93,26 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
state: absent state: absent
``` ```
Example playbook to ensure a Group of RunAs User is present in sudo rule:
```yaml
---
- name: Playbook to manage sudorule member
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
runasuser_group: ipausers
action: member
```
Example playbook to make sure Sudo Rule is absent: Example playbook to make sure Sudo Rule is absent:
```yaml ```yaml
@@ -109,6 +129,49 @@ Example playbook to make sure Sudo Rule is absent:
state: absent state: absent
``` ```
Example playbook to ensure multiple Sudo Rule are present using batch mode:
```yaml
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
- name: Ensure multiple Sudo Rules are present using batch mode.
ipasudorule:
ipaadmin_password: SomeADMINpassword
sudorules:
- name: testrule1
hostmask:
- 192.168.122.1/24
- name: testrule2
hostcategory: all
```
Example playbook to ensure multiple Sudo Rule members are present using batch mode:
```yaml
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
- name: Ensure multiple Sudo Rules are present using batch mode.
ipasudorule:
ipaadmin_password: SomeADMINpassword
action: member
sudorules:
- name: testrule1
user:
- user01
- user02
group:
- group01
- name: testrule2
hostgroup:
- hostgroup01
- hostgroup02
```
Variables Variables
========= =========
@@ -119,7 +182,9 @@ Variable | Description | Required
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudorule name strings. | yes `name` \| `cn` | The list of sudorule name strings. | no
`sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
&nbsp; | `name` - The sudorule name string of the entry. | yes
`description` | The sudorule description string. | no `description` | The sudorule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no

2
README-topology.md
View File

@@ -22,7 +22,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

2
README-trust.md
View File

@@ -21,7 +21,7 @@ Requirements
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**

64
README-user.md
View File

@@ -24,7 +24,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -58,6 +58,7 @@ Example playbook to ensure a user is present:
last: Acme last: Acme
uid: 10001 uid: 10001
gid: 100 gid: 100
gecos: "The Pinky"
phone: "+555123457" phone: "+555123457"
email: pinky@acme.com email: pinky@acme.com
passwordexpiration: "2023-01-19 23:59:59" passwordexpiration: "2023-01-19 23:59:59"
@@ -278,7 +279,6 @@ Example playbook to disable a user:
This can also be done as an alternative with the `users` variable containing only names. This can also be done as an alternative with the `users` variable containing only names.
Example playbook to enable users: Example playbook to enable users:
```yaml ```yaml
@@ -297,6 +297,22 @@ Example playbook to enable users:
This can also be done as an alternative with the `users` variable containing only names. This can also be done as an alternative with the `users` variable containing only names.
Example playbook to rename users:
```yaml
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
# Rename user pinky to reddy
- ipauser:
ipaadmin_password: SomeADMINpassword
name: pinky
rename: reddy
state: renamed
```
Example playbook to unlock users: Example playbook to unlock users:
@@ -352,6 +368,33 @@ Example playbook to ensure users are absent:
state: absent state: absent
``` ```
When using FreeIPA 4.8.0+, SMB logon script, profile, home directory and home drive can be set for users.
In the example playbook to set SMB attributes note that `smb_profile_path` and `smb_home_dir` use paths in UNC format, which includes backslashes ('\\`). If the paths are quoted, the backslash needs to be escaped becoming "\\", so the path `\\server\dir` becomes `"\\\\server\\dir"`. If the paths are unquoted the slashes do not have to be escaped.
The YAML specification states that a colon (':') is a key separator and a dash ('-') is an item marker, only with a space after them, so using both unquoted as part of a path should not be a problem. If a space is needed after a colon or a dash, then a quoted string must be used as in `"user - home"`. For the `smb_home_drive` attribute is is recomended that a quoted string is used, to improve readability.
Example playbook to set SMB attributes:
```yaml
---
- name: Plabook to handle users
hosts: ipaserver
become: false
tasks:
- name: Ensure user 'smbuser' is present with smb attributes
ipauser:
ipaadmin_password: SomeADMINpassword
name: smbuser
first: SMB
last: User
smb_logon_script: N:\logonscripts\startup
smb_profile_path: \\server\profiles\some_profile
smb_home_dir: \\users\home\smbuser
smb_home_drive: "U:"
```
Variables Variables
========= =========
@@ -373,7 +416,7 @@ Variable | Description | Required
`update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no `update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no `preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no `action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes `state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `renamed`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
@@ -395,6 +438,8 @@ Variable | Description | Required
`random` | Generate a random user password | no `random` | Generate a random user password | no
`uid` \| `uidnumber` | User ID Number (system will assign one if not provided). | no `uid` \| `uidnumber` | User ID Number (system will assign one if not provided). | no
`gid` \| `gidnumber` | Group ID Number. | no `gid` \| `gidnumber` | Group ID Number. | no
`gecos` | GECOS | no
`street` | Street address | no
`city` | City | no `city` | City | no
`userstate` \| `st` | State/Province | no `userstate` \| `st` | State/Province | no
`postalcode` \| `zip` | Postalcode/ZIP | no `postalcode` \| `zip` | Postalcode/ZIP | no
@@ -407,7 +452,7 @@ Variable | Description | Required
`manager` | List of manager user names. | no `manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no `carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no `sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no `userauthtype` \| `ipauserauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp` and `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no `userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no `radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no `radiususer` | RADIUS proxy username | no
@@ -415,6 +460,8 @@ Variable | Description | Required
`employeenumber` | Employee Number | no `employeenumber` | Employee Number | no
`employeetype` | Employee Type | no `employeetype` | Employee Type | no
`preferredlanguage` | Preferred Language | no `preferredlanguage` | Preferred Language | no
`idp` \| `ipaidpconfiglink` | External IdP configuration | no
`idp_user_id` \| `ipaidpsub` | A string that identifies the user at external IdP | no
`certificate` | List of base-64 encoded user certificates. | no `certificate` | List of base-64 encoded user certificates. | no
`certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no `certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
&nbsp; | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no &nbsp; | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
@@ -422,10 +469,14 @@ Variable | Description | Required
&nbsp; | `subject` - Subject of the certificate, only usable together with `issuer` option. | no &nbsp; | `subject` - Subject of the certificate, only usable together with `issuer` option. | no
&nbsp; | `data` - Certmap data, not usable with other certmapdata options. | no &nbsp; | `data` - Certmap data, not usable with other certmapdata options. | no
`noprivate` | Do not create user private group. (bool) | no `noprivate` | Do not create user private group. (bool) | no
`smb_logon_script` \| `ipantlogonscript` | SMB logon script path. Requires FreeIPA version 4.8.0+. | no
`smb_profile_path:` \| `ipantprofilepath` | SMB profile path, in UNC format. Requires FreeIPA version 4.8.0+. | no
`smb_home_dir` \| `ipanthomedirectory` | SMB Home Directory, in UNC format. Requires FreeIPA version 4.8.0+. | no
`smb_home_drive` \| `ipanthomedirectorydrive` | SMB Home Directory Drive, a single upercase letter (A-Z) followed by a colon (:), for example "U:". Requires FreeIPA version 4.8.0+. | no
`rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no `nomembers` | Suppress processing of membership attributes. (bool) | no
Return Values Return Values
============= =============
@@ -441,4 +492,5 @@ Variable | Description | Returned When
Authors Authors
======= =======
Thomas Woerner - Thomas Woerner
- Rafael Jeffman

2
README-vault.md
View File

@@ -24,7 +24,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)

39
README.md
View File

@@ -13,10 +13,12 @@ Features
* Repair mode for clients * Repair mode for clients
* Backup and restore, also to and from controller * Backup and restore, also to and from controller
* Smartcard setup for servers and clients * Smartcard setup for servers and clients
* Inventory plugin freeipa
* Modules for automembership rule management * Modules for automembership rule management
* Modules for automount key management * Modules for automount key management
* Modules for automount location management * Modules for automount location management
* Modules for automount map management * Modules for automount map management
* Modules for certificate management
* Modules for config management * Modules for config management
* Modules for delegation management * Modules for delegation management
* Modules for dns config management * Modules for dns config management
@@ -29,7 +31,11 @@ Features
* Modules for hbacsvcgroup management * Modules for hbacsvcgroup management
* Modules for host management * Modules for host management
* Modules for hostgroup management * Modules for hostgroup management
* Modules for idoverridegroup management
* Modules for idoverrideuser management
* Modules for idp management
* Modules for idrange management * Modules for idrange management
* Modules for idview management
* Modules for location management * Modules for location management
* Modules for netgroup management * Modules for netgroup management
* Modules for permission management * Modules for permission management
@@ -60,7 +66,7 @@ Supported Distributions
----------------------- -----------------------
* RHEL/CentOS 7.4+ * RHEL/CentOS 7.4+
* Fedora 26+ * Fedora 40+
* Ubuntu * Ubuntu
* Debian 10+ (ipaclient only, no server or replica!) * Debian 10+ (ipaclient only, no server or replica!)
@@ -68,7 +74,7 @@ Requirements
------------ ------------
**Controller** **Controller**
* Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection) * Ansible version: 2.14+
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
@@ -103,9 +109,10 @@ You can use the roles directly within the top directory of the git repo, but to
You can either adapt ansible.cfg: You can either adapt ansible.cfg:
``` ```
roles_path = /my/dir/ansible-freeipa/roles roles_path = /my/dir/ansible-freeipa/roles
library = /my/dir/ansible-freeipa/plugins/modules library = /my/dir/ansible-freeipa/plugins/modules
module_utils = /my/dir/ansible-freeipa/plugins/module_utils module_utils = /my/dir/ansible-freeipa/plugins/module_utils
inventory_plugins = /my/dir/ansible-freeipa/plugins/inventory
``` ```
Or you can link the directories: Or you can link the directories:
@@ -118,7 +125,7 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
**RPM package** **RPM package**
There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks. There are RPM packages available for Fedora. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
**Ansible Galaxy** **Ansible Galaxy**
@@ -128,18 +135,8 @@ This command will get the whole collection from galaxy:
ansible-galaxy collection install freeipa.ansible_freeipa ansible-galaxy collection install freeipa.ansible_freeipa
``` ```
Installing collections using the ansible-galaxy command is only supported with ansible 2.9+.
The mazer tool can be used for to install the collection for ansible 2.8:
```bash
mazer install freeipa.ansible_freeipa
```
Ansible galaxy does not support the use of dash ('-') in a name and is automatically replacing this with an underscore ('\_'). Therefore the name is `ansible_freeipa`. The ansible_freeipa collection will be placed in the directory `~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa` where it will be automatically be found for this user. Ansible galaxy does not support the use of dash ('-') in a name and is automatically replacing this with an underscore ('\_'). Therefore the name is `ansible_freeipa`. The ansible_freeipa collection will be placed in the directory `~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa` where it will be automatically be found for this user.
The needed adaptions of collection prefixes for `modules` and `module_utils` will be done with ansible-freeipa release `0.1.6` for galaxy.
Ansible inventory file Ansible inventory file
---------------------- ----------------------
@@ -436,6 +433,7 @@ Modules in plugin/modules
* [ipaautomountkey](README-automountkey.md) * [ipaautomountkey](README-automountkey.md)
* [ipaautomountlocation](README-automountlocation.md) * [ipaautomountlocation](README-automountlocation.md)
* [ipaautomountmap](README-automountmap.md) * [ipaautomountmap](README-automountmap.md)
* [ipacert](README-cert.md)
* [ipaconfig](README-config.md) * [ipaconfig](README-config.md)
* [ipadelegation](README-delegation.md) * [ipadelegation](README-delegation.md)
* [ipadnsconfig](README-dnsconfig.md) * [ipadnsconfig](README-dnsconfig.md)
@@ -448,7 +446,11 @@ Modules in plugin/modules
* [ipahbacsvcgroup](README-hbacsvcgroup.md) * [ipahbacsvcgroup](README-hbacsvcgroup.md)
* [ipahost](README-host.md) * [ipahost](README-host.md)
* [ipahostgroup](README-hostgroup.md) * [ipahostgroup](README-hostgroup.md)
* [idoverridegroup](README-idoverridegroup.md)
* [idoverrideuser](README-idoverrideuser.md)
* [idp](README-idp.md)
* [idrange](README-idrange.md) * [idrange](README-idrange.md)
* [idview](README-idview.md)
* [ipalocation](README-location.md) * [ipalocation](README-location.md)
* [ipanetgroup](README-netgroup.md) * [ipanetgroup](README-netgroup.md)
* [ipapermission](README-permission.md) * [ipapermission](README-permission.md)
@@ -470,3 +472,8 @@ Modules in plugin/modules
* [ipavault](README-vault.md) * [ipavault](README-vault.md)
If you want to write a new module please read [writing a new module](plugins/modules/README.md). If you want to write a new module please read [writing a new module](plugins/modules/README.md).
Inventory plugins in plugin/inventory
=====================================
* [freeipa](README-inventory-plugin-freeipa.md)

73
infra/azure/azure-pipelines.yml Normal file
View File

@@ -0,0 +1,73 @@
---
trigger:
- master
pool:
vmImage: 'ubuntu-20.04'
variables:
ansible_version: "-core >=2.16,<2.17"
ansible_latest: "-core"
ansible_minimum: "-core <2.16"
distros: "fedora-latest,c9s,c10s,fedora-rawhide"
stages:
- stage: fedora_latest_ansible_latest
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansible_latest }}
skip_git_test: true
- stage: fedora_latest_ansible_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansbile_minimum }}
skip_git_test: true
# Supported distros
- ${{ each distro in split(variables.distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_version }}
skip_git_test: true
test_galaxy: false
# Galaxy on Fedora
- stage: galaxy_fedora_latest_ansible_2_16
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansible_version }}
skip_git_test: true
test_galaxy: true
# CentOS 8 Stream, latest supported Ansible version.
- stage: c8s_ansible_2_16
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: c8s
ansible_version: "-core <2.17"
skip_git_test: true

35
infra/azure/build-containers.yml Normal file
View File

@@ -0,0 +1,35 @@
---
schedules:
- cron: "0 0 * * 0"
displayName: Weekly Sunday midnight build
branches:
include:
- master
always: true
trigger: none
pool:
vmImage: 'ubuntu-24.04'
variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
stages:
- ${{ each distro in split(variables.distros, ',') }}:
- stage: build_${{ join('_', split(distro, '-')) }}
dependsOn: []
jobs:
- template: templates/build_container.yml
parameters:
distro: ${{ distro }}
# Special case for CentOS 8 Stream
- stage: CentOS_8_Stream
dependsOn: []
jobs:
- template: templates/build_container.yml
parameters:
distro: c8s
# ansible-core 2.17+ cannot be used to deploy on CentOS 8 Stream.
ansible_core_version: "<2.17"

79
infra/azure/nightly.yml Normal file
View File

@@ -0,0 +1,79 @@
---
schedules:
- cron: "0 19 * * *"
displayName: Nightly Builds
branches:
include:
- master
always: true
trigger: none
pool:
vmImage: 'ubuntu-20.04'
variables:
# We need to have two sets, as c8s is not supported by all ansible versions
recent_distros: "fedora-latest,fedora-rawhide,c10s,c9s"
distros: "fedora-latest,fedora-rawhide,c10s,c9s,c8s"
ansible_latest: "-core"
ansible_minimum: "-core <2.16"
ansible_version: "-core >=2.16,<2.17"
stages:
# Minimum ansible
- ${{ each distro in split(variables.distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansible_minimum }}
skip_git_test: true
test_galaxy: false
# Latest ansible
- ${{ each distro in split(variables.recent_distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_latest
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_latest }}
skip_git_test: true
test_galaxy: false
# Selected ansible-core version
- ${{ each distro in split(variables.distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_version }}
skip_git_test: true
test_galaxy: false
# Galaxy collection with selected ansible-core version
- ${{ each distro in split(variables.distros, ',') }}:
- stage: galaxy_${{ replace(distro, '-', '_') }}_asible_2_16
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_version }}
skip_git_test: true
test_galaxy: true

39
infra/azure/pr-pipeline.yml Normal file
View File

@@ -0,0 +1,39 @@
---
trigger:
- master
pool:
vmImage: 'ubuntu-20.04'
variables:
distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
ansible_version: "-core >=2.15,<2.16"
stages:
# Test with repository in all distros
- ${{ each distro in split(variables.distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
dependsOn: []
jobs:
- template: templates/run_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_version }}
skip_git_test: false
test_galaxy: false
# Galaxy on Fedora
- stage: galaxy_fedora_latest_ansible_2_16
dependsOn: []
jobs:
- template: templates/run_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansible_version }}
skip_git_test: false
test_galaxy: true

21
utils/get_test_modules.py → infra/azure/scripts/get_test_modules.py
View File

@@ -23,8 +23,6 @@ def get_plugins_from_playbook(playbook):
for tasks in task_block: for tasks in task_block:
for task in tasks: for task in tasks:
original_task = task original_task = task
if "." in task:
task = task.split(".")[-1]
if task == "block": if task == "block":
_result.update(get_tasks(tasks["block"])) _result.update(get_tasks(tasks["block"]))
elif task in ["include_tasks", "import_tasks" elif task in ["include_tasks", "import_tasks"
@@ -62,8 +60,7 @@ def get_plugins_from_playbook(playbook):
return [] return []
except yaml.parser.ParserError: # If not a YAML/JSON file. except yaml.parser.ParserError: # If not a YAML/JSON file.
return [] return []
else: return data if data else []
return data if data else []
data = load_playbook(playbook) data = load_playbook(playbook)
task_blocks = [t.get("tasks", []) if "tasks" in t else [] for t in data] task_blocks = [t.get("tasks", []) if "tasks" in t else [] for t in data]
@@ -128,8 +125,16 @@ def parse_playbooks(test_module):
"builtins.__import__", side_effect=import_mock "builtins.__import__", side_effect=import_mock
): ):
# pylint: disable=no-value-for-parameter # pylint: disable=no-value-for-parameter
loader = SourceFileLoader(playbook, source) try:
loader.exec_module(types.ModuleType(loader.name)) loader = SourceFileLoader(playbook, source)
loader.exec_module(
types.ModuleType(loader.name)
)
except Exception: # pylint: disable=broad-except
# If import fails, we'll assume there's no
# plugin to be loaded. This is of little risk
# it is rare that a plugin includes another.
pass
# pylint: disable=no-member # pylint: disable=no-member
candidates = [ candidates = [
f.split(".")[1:] f.split(".")[1:]
@@ -154,7 +159,7 @@ def map_test_module_sources(base):
"""Create a map of 'test-modules' to 'plugin-sources', from 'base'.""" """Create a map of 'test-modules' to 'plugin-sources', from 'base'."""
# Find root directory of playbook tests. # Find root directory of playbook tests.
script_dir = os.path.dirname(__file__) script_dir = os.path.dirname(__file__)
test_root = os.path.realpath(os.path.join(script_dir, f"../{base}")) test_root = os.path.realpath(os.path.join(script_dir, f"../../../{base}"))
# create modules:source_files map # create modules:source_files map
_result = {} _result = {}
for test_module in [d for d in os.scandir(test_root) if d.is_dir()]: for test_module in [d for d in os.scandir(test_root) if d.is_dir()]:
@@ -165,7 +170,7 @@ def map_test_module_sources(base):
def usage(err=0): def usage(err=0):
print("filter_plugins.py [-h|--help] [-p|--pytest] PY_SRC...") print("get_test_modules.py [-h|--help] [-p|--pytest] PY_SRC...")
print( print(
""" """
Print a comma-separated list of modules that should be tested if Print a comma-separated list of modules that should be tested if

67
infra/azure/scripts/set_test_modules Normal file
View File

@@ -0,0 +1,67 @@
#!/bin/bash -eu
# This file shoud be source'd (. set_test_modules) rather than executed.
#
# Set SKIP_GIT_TEST="True" or use -a to prevent git modification comparison.
#
RED="\033[31;1m"
RST="\033[0m"
die() {
echo -e "${RED}${*}${RST}" >&2
}
BASEDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
TOPDIR="$(readlink -f "${BASEDIR}/../../..")"
[ -n "$(command -v python3)" ] && python="$(command -v python3)" || python="$(command -v python2)"
pushd "${TOPDIR}" >/dev/null 2>&1 || die "Failed to change directory."
SKIP_GIT_TEST=${SKIP_GIT_TEST:-"False"}
while getopts ":a" opt
do
case "${opt}" in
a) SKIP_GIT_TEST="True" ;;
*) ;; # ignore other options
esac
done
files_list=$(mktemp)
enabled_modules="None"
enabled_tests="None"
if [ "${SKIP_GIT_TEST}" != "True" ]
then
remote="$(basename "$(mktemp -u remote_XXXXXX)")"
git remote add "${remote}" https://github.com/freeipa/ansible-freeipa
git fetch --prune --no-tags --quiet "${remote}"
git diff "${remote}/master" --name-only > "${files_list}"
git remote remove "${remote}"
# shellcheck disable=SC2046
enabled_modules="$(${python} "${BASEDIR}/get_test_modules.py" $(cat "${files_list}"))"
[ -z "${enabled_modules}" ] && enabled_modules="None"
# Get individual tests that should be executed
mapfile -t tests < <(sed -n 's#.*/\(test_[^/]*\).yml#\1#p' "${files_list}" | tr -d " ")
[ ${#tests[@]} -gt 0 ] && enabled_tests=$(IFS=, ; echo "${tests[*]}")
[ -z "${enabled_tests}" ] && enabled_tests="None"
[ -n "${enabled_tests}" ] && IPA_ENABLED_TESTS="${enabled_tests},${IPA_ENABLED_TESTS}"
[ -n "${enabled_modules}" ] && IPA_ENABLED_MODULES="${enabled_modules},${IPA_ENABLED_MODULES}"
rm -f "${files_list}"
fi
# Get all modules that should have tests executed
export IPA_ENABLED_MODULES
export IPA_ENABLED_TESTS
echo "IPA_ENABLED_MODULES = [${IPA_ENABLED_MODULES}]"
echo "IPA_ENABLED_TESTS = [${IPA_ENABLED_TESTS}]"
popd >/dev/null 2>&1 || die "Failed to change back to original directory."

45
infra/azure/templates/build_container.yml Normal file
View File

@@ -0,0 +1,45 @@
---
parameters:
- name: distro
type: string
- name: python_version
type: string
default: 3.x
- name: ansible_core_version
default: ""
jobs:
- job: BuildTestImage_${{ join('_', split(parameters.distro, '-')) }}
displayName: Build ${{ parameters.distro }} test container
steps:
- task: UsePythonVersion@0
inputs:
versionSpec: '${{ parameters.python_version }}'
- script: python -m pip install --upgrade pip "ansible-core${{ parameters.ansible_core_version }}"
retryCountOnTaskFailure: 5
displayName: Install tools
- script: ansible-galaxy collection install containers.podman
displayName: Install Ansible Galaxy collections
- script: infra/image/build.sh -s ${{ parameters.distro }}
displayName: Build ${{ parameters.distro }} base image
env:
ANSIBLE_ROLES_PATH: "${PWD}/roles"
ANSIBLE_LIBRARY: "${PWD}/plugins/modules"
ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
- script: podman login -u="$QUAY_ROBOT_USERNAME" -p="$QUAY_ROBOT_TOKEN" quay.io
displayName: Registry login
env:
# Secrets needs to be mapped as env vars to work properly
QUAY_ROBOT_TOKEN: $(QUAY_ROBOT_TOKEN)
- script: |
podman push quay.io/ansible-freeipa/upstream-tests:${{parameters.distro}}-base quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-base
displayName: Push base image
- script: |
podman push quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server
displayName: Push server image

30
infra/azure/templates/group_tests.yml Normal file
View File

@@ -0,0 +1,30 @@
---
parameters:
- name: distro
type: string
default: fedora-latest
- name: build_number
type: string
- name: ansible_version
type: string
default: ""
- name: skip_git_test
type: boolean
default: false
- name: test_galaxy
type: boolean
default: false
jobs:
- ${{ each group in split('1,2,3', ',') }}:
- template: run_tests.yml
parameters:
group_number: ${{ group }}
number_of_groups: 3
build_number: ${{ parameters.build_number }}
distro: ${{ parameters.distro }}
ansible_version: ${{ parameters.ansible_version }}
python_version: '< 3.12'
skip_git_test: ${{ parameters.skip_git_test }}
test_galaxy: ${{ parameters.test_galaxy }}

30
infra/azure/templates/prepare_environment.yaml Normal file
View File

@@ -0,0 +1,30 @@
---
parameters:
- name: distro
type: string
default: fedora-latest
- name: ansible_version
type: string
default: ""
- name: python_version
type: string
default: 3.x
- name: build_number
type: string
steps:
- task: UsePythonVersion@0
inputs:
versionSpec: '${{ parameters.python_version }}'
- script: |
pip install "ansible${{ parameters.ansible_version }}" -r requirements-tests.txt
retryCountOnTaskFailure: 5
displayName: Install test dependencies
- script: ansible-galaxy collection install -r requirements-podman.yml
retryCountOnTaskFailure: 5
displayName: Install Ansible collections
- script: infra/image/start.sh ${{ parameters.distro }}-server
displayName: Setup target container for ${{ parameters.distro }}

98
infra/azure/templates/run_tests.yml Normal file
View File

@@ -0,0 +1,98 @@
---
parameters:
- name: group_number
type: number
default: 1
- name: number_of_groups
type: number
default: 1
- name: distro
type: string
default: fedora-latest
- name: ansible_version
type: string
default: ""
- name: python_version
type: string
default: 3.x
- name: build_number
type: string
- name: skip_git_test
type: boolean
default: true
- name: test_type
type: string
default: "playbook"
- name: test_galaxy
type: boolean
default: false
jobs:
- job: Test_Group${{ parameters.group_number }}
displayName: Run playbook tests ${{ parameters.distro }} (${{ parameters.group_number }}/${{ parameters.number_of_groups }})
timeoutInMinutes: 360
variables:
- template: variables.yaml
- template: variables_${{ parameters.distro }}.yaml
steps:
- template: prepare_environment.yaml
parameters:
build_number: ${{ parameters.build_number }}
distro: ${{ parameters.distro }}
ansible_version: ${{ parameters.ansible_version }}
python_version: ${{ parameters.python_version }}
- bash: echo "##vso[task.setvariable variable=TOPDIR]${PWD}"
displayName: Set repo rootdir
- script: |
. "${TOPDIR}/infra/azure/scripts/set_test_modules"
python3 utils/check_test_configuration.py ${{ parameters.distro }}
displayName: Check test configuration
env:
SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
- script: |
git fetch --unshallow
utils/build-galaxy-release.sh -i
retryCountOnTaskFailure: 5
displayName: Build Galaxy release
condition: ${{ parameters.test_galaxy }}
- script: |
echo "PWD: ${PWD}"
echo "TOPDIR: ${TOPDIR}"
echo "ROLES: ${ANSIBLE_ROLES_PATH}"
echo "LIBRARY: ${ANSIBLE_LIBRARY}"
echo "MODULE_UTILS: ${ANSIBLE_MODULE_UTILS}"
. "${TOPDIR}/infra/azure/scripts/set_test_modules"
[ "${{ parameters.test_galaxy }}" == "True" ] && cd ~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa
pytest \
-m "${{ parameters.test_type }}" \
--verbose \
--color=yes \
--splits=${{ parameters.number_of_groups }} \
--group=${{ parameters.group_number }} \
--randomly-seed=$(date "+%Y%m%d") \
--suppress-no-test-exit-code \
--junit-xml=TEST-results-pr-check.xml
displayName: Run playbook tests
env:
SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
${{ if not(parameters.test_galaxy) }}:
ANSIBLE_ROLES_PATH: "${PWD}/roles"
ANSIBLE_LIBRARY: "${PWD}/plugins"
ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
IPA_SERVER_HOST: ansible-freeipa-tests
RUN_TESTS_IN_DOCKER: podman
IPA_DISABLED_MODULES: ${{ variables.ipa_disabled_modules }}
IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
IPA_VERBOSITY: "-vvv"
- task: PublishTestResults@2
inputs:
mergeTestResults: true
testRunTitle: PlaybookTests-Build${{ parameters.build_number }}
condition: succeededOrFailed()

5
tests/azure/templates/variables.yaml → infra/azure/templates/variables.yaml
View File

@@ -15,8 +15,9 @@
# #
--- ---
variables: variables:
empty: true # empty: true
# ipa_enabled_modules: >- # ipa_enabled_modules: >-
# ipa_enabled_tests: >- # ipa_enabled_tests: >-
# ipa_disabled_modules: >- ipa_disabled_modules: >-
config
# ipa_disabled_tests: >- # ipa_disabled_tests: >-

0
tests/azure/templates/variables_c8s.yaml → infra/azure/templates/variables_c10s.yaml
View File

0
tests/azure/templates/variables_c9s.yaml → infra/azure/templates/variables_c8s.yaml
View File

21
infra/azure/templates/variables_c9s.yaml Normal file
View File

@@ -0,0 +1,21 @@
#
# Variables must be defined as comma separated lists.
# For easier management of items to enable/disable,
# use one test/module on each line, followed by a comma.
#
# Example:
#
# ipa_disabled_modules: >-
# dnsconfig,
# group,
# hostgroup
#
# If no variables are set, set "empty: true" as at least
# one item is needed in the set.
---
variables:
empty: true
# ipa_enabled_modules: >-
# ipa_enabled_tests: >-
# ipa_disabled_modules: >-
# ipa_disabled_tests: >-

0
tests/azure/templates/variables_centos-7.yaml → infra/azure/templates/variables_centos-7.yaml
View File

0
tests/azure/templates/variables_fedora-latest.yaml → infra/azure/templates/variables_fedora-latest.yaml
View File

0
tests/azure/templates/variables_fedora-rawhide.yaml → infra/azure/templates/variables_fedora-rawhide.yaml
View File

15
infra/image/build-inventory Normal file
View File

@@ -0,0 +1,15 @@
[ipaserver]
ansible-freeipa-image-builder ansible_connection=podman
[ipaserver:vars]
ipaadmin_password=SomeADMINpassword
ipadm_password=SomeDMpassword
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipaserver_setup_dns=true
ipaserver_auto_forwarders=true
ipaserver_no_dnssec_validation=true
ipaserver_auto_reverse=true
ipaserver_setup_kra=true
ipaserver_setup_firewalld=false
ipaclient_no_ntp=true

137
infra/image/build.sh Executable file
View File

@@ -0,0 +1,137 @@
#!/bin/bash -eu
BASEDIR="$(readlink -f "$(dirname "$0")")"
TOPDIR="$(readlink -f "${BASEDIR}/../..")"
# shellcheck disable=SC1091
. "${BASEDIR}/shcontainer"
# shellcheck disable=SC1091
. "${TOPDIR}/utils/shfun"
valid_distro() {
find "${BASEDIR}/dockerfile" -type f -printf "%f\n" | tr "\n" " "
}
usage() {
local prog="${0##*/}"
cat << EOF
usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
${prog} build a container image to test ansible-freeipa.
EOF
}
help() {
cat << EOF
positional arguments:
distro The base distro to build the test container.
Availble distros: $(valid_distro)
optional arguments:
-n HOSTNAME Container hostname
-p Give extended privileges to the container
-s Deploy IPA server
EOF
}
name="ansible-freeipa-image-builder"
hostname="ipaserver.test.local"
cpus="2"
memory="3g"
quayname="quay.io/ansible-freeipa/upstream-tests"
deploy_server="N"
deploy_capabilities="SYS_ADMIN,SYSLOG"
capabilities=""
while getopts ":hn:s" option
do
case "${option}" in
h) help && exit 0 ;;
n) hostname="${OPTARG}" ;;
s) deploy_server="Y" ;;
*) die -u "Invalid option: ${option}" ;;
esac
done
shift $((OPTIND - 1))
distro=${1:-}
[ -n "${distro}" ] || die "Distro needs to be given.\nUse one of: $(valid_distro)"
[ -f "${BASEDIR}/dockerfile/${distro}" ] \
|| die "${distro} is not a valid distro target.\nUse one of: $(valid_distro)"
container_check
if [ "${deploy_server}" == "Y" ]
then
capabilities="${deploy_capabilities}"
[ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
[ -f "${deploy_playbook}" ] || die "Can't find playbook '${deploy_playbook}'"
inventory_file="${BASEDIR}/build-inventory"
[ -f "${inventory_file}" ] || die "Can't find inventory '${inventory_file}'"
fi
container_state=$(container_get_state "${name}")
tag="${distro}-base"
server_tag="${distro}-server"
container_remove_image_if_exists "${tag}"
[ "${deploy_server}" == "Y" ] && \
container_remove_image_if_exists "${server_tag}"
container_build "${tag}" "${BASEDIR}/dockerfile/${distro}" "${BASEDIR}"
container_create "${name}" "${tag}" \
"hostname=${hostname}" \
"memory=${memory}" \
"cpus=${cpus}" \
"${capabilities:+capabilities=$capabilities}"
container_commit "${name}" "${quayname}:${tag}"
if [ "${deploy_server}" == "Y" ]
then
deployed=false
# Set path to ansible-freeipa roles
[ -z "${ANSIBLE_ROLES_PATH:-""}" ] && export ANSIBLE_ROLES_PATH="${TOPDIR}/roles"
# Install collection containers.podman if not available
if [ -z "$(ansible-galaxy collection list containers.podman)" ]
then
tmpdir="$(mktemp -d)"
export ANSIBLE_COLLECTIONS_PATH="${tmpdir}"
ansible-galaxy collection install -p "${tmpdir}" containers.podman
fi
[ "${container_state}" != "running" ] && container_start "${name}"
container_wait_for_journald "${name}"
log info "= Deploying IPA ="
if ansible-playbook -u root -i "${inventory_file}" "${deploy_playbook}"
then
deployed=true
fi
echo
if $deployed; then
log info "= Enabling services ="
container_exec "${name}" systemctl enable fixnet
container_exec "${name}" systemctl enable fixipaip
echo
fi
container_stop "${name}"
$deployed || die "Deployment failed"
container_commit "${name}" "${quayname}:${server_tag}"
fi
log info "= DONE: Image created. ="

39
infra/image/dockerfile/c10s Normal file
View File

@@ -0,0 +1,39 @@
FROM quay.io/centos/centos:stream10
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute \
hostname; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

43
infra/image/dockerfile/c8s Normal file
View File

@@ -0,0 +1,43 @@
FROM quay.io/centos/centos:stream8
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo; \
sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/*.repo; \
sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute; \
dnf clean all; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

38
infra/image/dockerfile/c9s Normal file
View File

@@ -0,0 +1,38 @@
FROM quay.io/centos/centos:stream9
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

41
infra/image/dockerfile/fedora-latest Normal file
View File

@@ -0,0 +1,41 @@
FROM fedora:latest
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/python3-config \
python3-libdnf5 \
sudo \
bash \
systemd \
procps-ng \
iproute; \
dnf clean all; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

41
infra/image/dockerfile/fedora-rawhide Normal file
View File

@@ -0,0 +1,41 @@
FROM fedora:rawhide
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/python3-config \
python3-libdnf5 \
sudo \
bash \
systemd \
procps-ng \
iproute; \
dnf clean all; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

6
infra/image/inventory Normal file
View File

@@ -0,0 +1,6 @@
[ipaserver]
ansible-freeipa-tests ansible_connection=podman
[ipaserver:vars]
ipaadmin_password=SomeADMINpassword
ipadm_password=SomeDMpassword

197
infra/image/shcontainer Normal file
View File

@@ -0,0 +1,197 @@
#!/bin/bash -eu
# This file is meant to be source'd by other scripts
SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
. "${TOPDIR}/utils/shfun"
container_create() {
local name=${1}
local image=${2}
shift 2
declare -a extra_opts=()
for opt in "$@"
do
[ -z "${opt}" ] && continue
case "${opt}" in
hostname=*) extra_opts+=("--${opt}") ;;
cpus=*) extra_opts+=("--${opt}") ;;
memory=*) extra_opts+=("--${opt}") ;;
capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
*) log error "container_create: Invalid option: ${opt}" ;;
esac
done
# ensure default values are set
[[ " ${extra_opts[*]} " =~ " --cpus=" ]] || extra_opts+=("--cpus=2")
[[ " ${extra_opts[*]} " =~ " --hostname=" ]] \
|| extra_opts+=("--hostname=ipaserver.test.local")
log info "= Creating ${name} ="
podman create \
--security-opt label=disable \
--network bridge:interface_name=eth0 \
--systemd true \
--name "${name}" \
--memory-swap -1 \
--no-hosts \
--replace \
"${extra_opts[@]}" \
"${image}"
echo
}
container_start() {
local name="${1}"
log info "= Starting ${name} ="
podman start "${name}"
echo
}
container_stop() {
local name="${1}"
log info "= Stopping ${name} ="
podman stop "${name}"
echo
}
container_wait_for_journald() {
local name=${1}
log info "= Waiting till systemd-journald is running ="
max=20
wait=2
count=0
while ! podman exec "${name}" ps -x | grep -q "systemd-journald"
do
if [ $count -ge $max ]; then
die "Timeout: systemd-journald is not starting up"
fi
count=$((count+1))
log info "Waiting ${wait} seconds .."
sleep ${wait}
done
log info "done"
echo
}
container_wait_up() {
local name="${1}"
log info "= Waiting till all services are started ="
max=20
wait=15
count=0
while podman exec "${name}" systemctl list-jobs | \
grep -qvi "no jobs running"
do
if [ $count -ge $max ]; then
die "Timeout: Services are not starting up"
fi
count=$((count+1))
log info "Waiting ${wait} seconds .."
sleep ${wait}
done
log info "done"
echo
}
container_build() {
local tag="${1}"
local file="${2}"
local dir="${3}"
log info "= Building ${tag} ="
podman build -t "${tag}" -f "${file}" "${dir}"
echo
}
container_commit() {
local name="${1}"
local image="${2}"
log info "= Committing \"${image}\" ="
podman commit "${name}" "${image}"
echo
}
container_exec() {
local name="${1}"
shift 1
# "@Q" is only needed for the log output, the exec command is properly
# working without also for args containing spaces.
log info "= Executing \"${*@Q}\" ="
podman exec -t "${name}" "${@}"
echo
}
container_remove_image_if_exists()
{
# In older (as in Ubuntu 22.04) podman versions,
# 'podman image rm --force' fails if the image
# does not exist.
local tag_to_remove="${1}"
if podman image exists "${tag_to_remove}"
then
log info "= Cleanup ${tag_to_remove} ="
podman image rm "${tag_to_remove}" --force
echo
fi
}
container_get_state()
{
local name="${1}"
state=$(podman ps -q --all --format "{{.State}}" --filter "name=${name}")
echo "${state}"
}
container_pull() {
local source="${1}"
image=$(podman pull "${source}")
echo "${image}"
}
container_image_list() {
local source="${1}"
# Append "$" for an exact match if the source does not end with ":" to
# search for the repo only.
if [[ ${source} != *: ]]; then
source="${source}$"
fi
image=$(podman image list --format "{{ .Repository }}:{{ .Tag }}" | \
grep "^${source}")
echo "${image}"
}
container_check() {
[ -n "$(command -v "podman")" ] || die "podman is required."
}
container_copy() {
local name="${1}"
local source="${2}"
local destination="${3}"
log info "= Copying ${source} to ${name}:${destination} ="
podman cp "${source}" "${name}:${destination}"
echo
}
container_fetch() {
local name="${1}"
local source="${2}"
local destination="${3}"
log info "= Copying ${name}:${source} to ${destination} ="
podman cp "${name}:${source}" "${destination}"
echo
}

95
infra/image/start.sh Executable file
View File

@@ -0,0 +1,95 @@
#!/bin/bash -eu
BASEDIR="$(readlink -f "$(dirname "$0")")"
TOPDIR="$(readlink -f "${BASEDIR}/../..")"
# shellcheck disable=SC1091
. "${BASEDIR}/shcontainer"
# shellcheck disable=SC1091
. "${TOPDIR}/utils/shfun"
usage() {
local prog="${0##*/}"
cat << EOF
usage: ${prog} [-h] [-l] [-n HOSTNAME ] image
${prog} start a prebuilt ansible-freeipa test container image.
EOF
}
help() {
cat << EOF
positional arguments:
image The image to start, leave empty to get list of images
optional arguments:
-h Show this message
-l Try to use local image first, if not found download.
-n HOSTNAME Set container hostname
NOTE:
- The hostname must be the same as the hostname of the container
when FreeIPA was deployed. Use only if you built the image and
defined its hostname.
EOF
}
list_images() {
local quay_api="https://quay.io/api/v1/repository/ansible-freeipa/upstream-tests/tag"
log info "Available images on quay:"
curl --silent -L "${quay_api}" | jq '.tags[]|.name' | tr -d '"'| sort | uniq | sed "s/.*/ &/"
echo
log info "Local images (use -l):"
local_image=$(container_image_list "${repo}:")
echo "${local_image}" | sed -e "s/.*://" | sed "s/.*/ &/"
echo
}
repo="quay.io/ansible-freeipa/upstream-tests"
name="ansible-freeipa-tests"
hostname="ipaserver.test.local"
try_local_first="N"
while getopts ":hln:" option
do
case "${option}" in
h) help && exit 0 ;;
l) try_local_first="Y" ;;
n) hostname="${OPTARG}" ;;
*) die -u "Invalid option: ${option}" ;;
esac
done
shift $((OPTIND - 1))
image=${1:-}
container_check
if [ -z "${image}" ]; then
list_images
exit 0
fi
local_image=
if [ "${try_local_first}" == "Y" ]; then
log info "= Trying to use local image first ="
local_image=$(container_image_list "${repo}:${image}")
[ -n "${local_image}" ] && log info "Found ${local_image}"
echo
fi
if [ -z "${local_image}" ]; then
log info "= Downloading from quay ="
local_image=$(container_pull "${repo}:${image}")
echo
fi
[ -z "${local_image}" ] && die "Image '${image}' is not valid"
container_create "${name}" "${local_image}" "hostname=${hostname}"
container_start "${name}"
container_wait_for_journald "${name}"
container_wait_up "${name}"
log info "Container ${name} is ready to be used."

6
infra/image/system-service/container-ipa.target Normal file
View File

@@ -0,0 +1,6 @@
[Unit]
Description=Minimal target for containerized FreeIPA server
DefaultDependencies=false
AllowIsolate=yes
Requires=systemd-tmpfiles-setup.service systemd-journald.service dbus.service
After=systemd-tmpfiles-setup.service systemd-journald.service dbus.service

12
infra/image/system-service/fixipaip.service Normal file
View File

@@ -0,0 +1,12 @@
[Unit]
Description=Fix IPA server IP in IPA Server
After=ipa.service
[Service]
Type=oneshot
ExecStart=/root/fixipaip.sh
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=default.target

85
infra/image/system-service/fixipaip.sh Executable file
View File

@@ -0,0 +1,85 @@
#!/bin/bash -eu
function valid_fqdn()
{
local name="${1}"
[[ "${name}" =~ [[:space:]] ]] && return 1
[[ "${name}" =~ \. ]] || return 1
[[ "${name}" =~ \.\. ]] && return 1
for i in ${name//./ }; do
[[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
done
[[ "${name}" == "localhost.localdomain" ]] && return 1
return 0
}
function valid_ipv4()
{
local ip="${1}"
local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
[[ "${ip}" =~ ${rematch} ]] || return 1
for i in ${ip//./ }; do
[[ ${i} -le 255 ]] || return 1
done
return 0
}
HOSTNAME=$(hostname)
IP=$(hostname -I | cut -d " " -f 1)
export KRB5CCNAME=ansible_freeipa_cache
if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
echo "ERROR: Got invalid hostname: '${HOSTNAME}'"
exit 1
fi
if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
echo "ERROR: Got invalid IPv4 address: '${IP}'"
exit 1
fi
PTR=$(echo "${IP}" | awk -F"." '{print $4}')
if [ -z "${PTR}" ] || [ -n "${PTR//[0-9]}" ]; then
echo "ERROR: Failed to get PTR from IPv4 address: '${PTR}'"
exit 1
fi
FORWARDER=$(grep -s -m 1 ^nameserver /etc/resolv.conf.fixnet | cut -d" " -f 2)
if [ -z "${FORWARDER}" ] || [ "${FORWARDER}" == "127.0.0.1" ]; then
FORWARDER="8.8.8.8"
fi
echo "Fix IPA:"
echo " HOSTNAME: '${HOSTNAME}'"
echo " IP: '${IP}'"
echo " PTR: '${PTR}'"
echo " FORWARDER: '${FORWARDER}'"
ZONES=$(ipa -e in_server=true dnszone-find --name-from-ip="${HOSTNAME}." \
--raw --pkey-only | grep "idnsname:" | awk -F": " '{print $2}')
for zone in ${ZONES}; do
echo
if [[ "${zone}" == *".in-addr.arpa."* ]]; then
echo "Fixing reverse zone ${zone}:"
OLD_PTR=$(ipa -e in_server=true dnsrecord-find "${zone}" \
--ptr-rec="${HOSTNAME}." --raw | grep "idnsname:" | \
awk -F": " '{print $2}')
if [ -z "${OLD_PTR}" ] || [ -n "${OLD_PTR//[0-9]}" ]; then
echo "ERROR: Failed to get old PTR from '${zone}': '${OLD_PTR}'"
else
ipa -e in_server=true dnsrecord-mod "${zone}" "${OLD_PTR}" \
--ptr-rec="${HOSTNAME}." --rename="${PTR}" || true
fi
else
echo "Fixing forward zone ${zone}:"
ipa -e in_server=true dnsrecord-mod test.local "${HOSTNAME%%.*}" \
--a-rec="$IP" || true
ipa -e in_server=true dnsrecord-mod test.local ipa-ca \
--a-rec="$IP" || true
fi
done
ipa -e in_server=true dnsserver-mod "${HOSTNAME}" \
--forwarder="${FORWARDER}" || true
exit 0

14
infra/image/system-service/fixnet.service Normal file
View File

@@ -0,0 +1,14 @@
[Unit]
Description=Fix server IP in IPA Server
Wants=network.target
After=network.target
Before=ipa.service
[Service]
Type=oneshot
ExecStart=/root/fixnet.sh
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=ipa.service

66
infra/image/system-service/fixnet.sh Executable file
View File

@@ -0,0 +1,66 @@
#!/bin/bash -eu
function valid_fqdn()
{
local name="${1}"
[[ "${name}" =~ [[:space:]] ]] && return 1
[[ "${name}" =~ \. ]] || return 1
[[ "${name}" =~ \.\. ]] && return 1
for i in ${name//./ }; do
[[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
done
[[ "${name}" == "localhost.localdomain" ]] && return 1
return 0
}
function valid_ipv4()
{
local ip="${1}"
local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
[[ "${ip}" =~ ${rematch} ]] || return 1
for i in ${ip//./ }; do
[[ ${i} -le 255 ]] || return 1
done
return 0
}
HOSTNAME=$(hostname)
IP=$(hostname -I | cut -d " " -f 1)
if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
echo "ERROR: Failed to retrieve hostname."
exit 1
fi
if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
echo "ERROR: Got invalid IPv4 address: '${IP}'"
exit 1
fi
echo "Fix NET:"
echo " HOSTNAME: '${HOSTNAME}'"
echo " IP: '${IP}'"
echo
if grep -qE "^[^(#\s*)][0-9\.]+\s$HOSTNAME(\s|$)" /etc/hosts
then
sed -i.bak -e "s/.*${HOSTNAME}/${IP}\t${HOSTNAME}/" /etc/hosts
else
echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
fi
cp -a /etc/resolv.conf /etc/resolv.conf.fixnet
cat > /etc/resolv.conf <<EOF
search ${HOSTNAME#*.}
nameserver 127.0.0.1
EOF
echo "/etc/hosts:"
cat "/etc/hosts"
echo
echo "/etc/resolv.conf:"
cat "/etc/resolv.conf"
exit 0

2
meta/runtime.yml
View File

@@ -1,2 +1,2 @@
--- ---
requires_ansible: ">=2.9" requires_ansible: ">=2.14.0"

30
molecule/c8s-build/Dockerfile
View File

@@ -1,30 +0,0 @@
FROM quay.io/centos/centos:stream8
ENV container=docker
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/python3-config \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute && \
dnf clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*; \
rm -rf /var/cache/dnf/;
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

19
molecule/c8s-build/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: c8s-build
image: "quay.io/centos/centos:stream8"
dockerfile: Dockerfile
hostname: ipaserver.test.local
dns_servers:
- 8.8.8.8
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare-build.yml
prerun: false

19
molecule/c8s/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: c8s
image: quay.io/ansible-freeipa/upstream-tests:c8s
pre_build_image: true
hostname: ipaserver.test.local
dns_servers:
- 127.0.0.1
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare.yml
prerun: false

29
molecule/c9s-build/Dockerfile
View File

@@ -1,29 +0,0 @@
FROM quay.io/centos/centos:stream9
ENV container=docker
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute && \
dnf clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*; \
rm -rf /var/cache/dnf/;
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

19
molecule/c9s-build/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: c9s-build
image: "quay.io/centos/centos:stream9"
dockerfile: Dockerfile
hostname: ipaserver.test.local
dns_servers:
- 8.8.8.8
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare-build.yml
prerun: false

19
molecule/c9s/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: c9s
image: quay.io/ansible-freeipa/upstream-tests:c9s
pre_build_image: true
hostname: ipaserver.test.local
dns_servers:
- 127.0.0.1
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare.yml
prerun: false

19
molecule/centos-7-build/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: centos-7-build
image: centos/systemd
pre_build_image: true
hostname: ipaserver.test.local
dns_servers:
- 8.8.8.8
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare-build.yml
prerun: false

19
molecule/centos-7/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: centos-7
image: quay.io/ansible-freeipa/upstream-tests:centos-7
pre_build_image: true
hostname: ipaserver.test.local
dns_servers:
- 127.0.0.1
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare.yml
prerun: false

1
molecule/default
View File

@@ -1 +0,0 @@
fedora-latest

30
molecule/fedora-latest-build/Dockerfile
View File

@@ -1,30 +0,0 @@
FROM fedora:latest
ENV container=docker
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/python3-config \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute && \
dnf clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*; \
rm -rf /var/cache/dnf/;
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

19
molecule/fedora-latest-build/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: fedora-latest-build
image: "fedora:latest"
dockerfile: Dockerfile
hostname: ipaserver.test.local
dns_servers:
- 8.8.8.8
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare-build.yml
prerun: false

19
molecule/fedora-latest/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: fedora-latest
image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
pre_build_image: true
hostname: ipaserver.test.local
dns_servers:
- 127.0.0.1
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare.yml
prerun: false

30
molecule/fedora-rawhide-build/Dockerfile
View File

@@ -1,30 +0,0 @@
FROM fedora:rawhide
ENV container=docker
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/python3-config \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute && \
dnf clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*; \
rm -rf /var/cache/dnf/;
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

19
molecule/fedora-rawhide-build/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: fedora-rawhide-build
image: "fedora:rawhide"
dockerfile: Dockerfile
hostname: ipaserver.test.local
dns_servers:
- 8.8.8.8
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare-build.yml
prerun: false

19
molecule/fedora-rawhide/molecule.yml
View File

@@ -1,19 +0,0 @@
---
driver:
name: docker
platforms:
- name: fedora-rawhide
image: quay.io/ansible-freeipa/upstream-tests:fedora-rawhide
pre_build_image: true
hostname: ipaserver.test.local
dns_servers:
- 127.0.0.1
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
command: /usr/sbin/init
privileged: true
provisioner:
name: ansible
playbooks:
prepare: ../resources/playbooks/prepare.yml
prerun: false

1
molecule/resources/playbooks/library
View File

@@ -1 +0,0 @@
../../../plugins/modules/

1
molecule/resources/playbooks/module_utils
View File

@@ -1 +0,0 @@
../../../plugins/module_utils/

Some files were not shown because too many files have changed in this diff Show More