Merge pull request #749 from rjeffman/ipauser_fix_peserved_idempotence_issue

ipauser: Fix idempotence issue when using 'preserved'.
ipauser: Make 'no user' messages consistent.
2026-03-28 06:13:05 +00:00 · 2022-01-26 14:48:33 +01:00 · 2022-01-26 08:42:05 -03:00 · 2022-01-25 09:54:56 -03:00 · 2022-01-25 12:44:22 +01:00 · 2022-01-24 15:55:18 -03:00
9 changed files with 480 additions and 49 deletions
--- a/playbooks/dnsconfig/forwarders-absent.yml
+++ b/playbooks/dnsconfig/forwarders-absent.yml
@@ -4,10 +4,11 @@
  become: true

  tasks:
-  - name: Set dnsconfig.
+  - name: Set dnsconfig forwarders.
    ipadnsconfig:
      forwarders:
        - ip_address: 8.8.4.4
        - ip_address: 2001:4860:4860::8888
          port: 53
+      action: member
      state: absent
--- a/playbooks/dnsconfig/forwarders-present.yml
+++ b/playbooks/dnsconfig/forwarders-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Set dnsconfig forwarders.
+    ipadnsconfig:
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      action: member
--- a/plugins/modules/ipagroup.py
+++ b/plugins/modules/ipagroup.py
@@ -181,6 +181,7 @@ EXAMPLES = """
 RETURN = """
 """

+from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
    gen_add_list, gen_intersection_list
@@ -198,7 +199,14 @@ def find_group(module, name):
        module.fail_json(
            msg="There is more than one group '%s'" % (name))
    elif len(_result["result"]) == 1:
-        return _result["result"][0]
+        _res = _result["result"][0]
+        # The returned services are of type ipapython.kerberos.Principal,
+        # also services are not case sensitive. Therefore services are
+        # converted to lowercase strings to be able to do the comparison.
+        if "member_service" in _res:
+            _res["member_service"] = \
+                [to_text(svc).lower() for svc in _res["member_service"]]
+        return _res

    return None

@@ -308,7 +316,8 @@ def main():
    nomembers = ansible_module.params_get("nomembers")
    user = ansible_module.params_get("user")
    group = ansible_module.params_get("group")
-    service = ansible_module.params_get("service")
+    # Services are not case sensitive
+    service = ansible_module.params_get_lowercase("service")
    membermanager_user = ansible_module.params_get("membermanager_user")
    membermanager_group = ansible_module.params_get("membermanager_group")
    externalmember = ansible_module.params_get("externalmember")
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -544,7 +544,7 @@ def main():
                    if deny_sudocmdgroup is not None:
                        deny_cmdgroup_add = gen_add_list(
                            deny_sudocmdgroup,
-                            res_find("memberdenycmd_sudocmdgroup")
+                            res_find.get("memberdenycmd_sudocmdgroup")
                        )
                    if sudooption is not None:
                        sudooption_add = gen_add_list(
--- a/plugins/modules/ipauser.py
+++ b/plugins/modules/ipauser.py
@@ -474,41 +474,31 @@ user:

 from ansible.module_utils.ansible_freeipa_module import \
    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, date_format, \
-    encode_certificate, load_cert_from_str, DN_x500_text, to_text
+    encode_certificate, load_cert_from_str, DN_x500_text, to_text, \
+    ipalib_errors
 from ansible.module_utils import six
 if six.PY3:
    unicode = str


-def find_user(module, name, preserved=False):
+def find_user(module, name):
    _args = {
        "all": True,
-        "uid": name,
    }
-    if preserved:
-        _args["preserved"] = preserved

-    _result = module.ipa_command("user_find", name, _args)
+    try:
+        _result = module.ipa_command("user_show", name, _args).get("result")
+    except ipalib_errors.NotFound:
+        return None

-    if len(_result["result"]) > 1:
-        module.fail_json(
-            msg="There is more than one user '%s'" % (name))
-    elif len(_result["result"]) == 1:
-        # Transform each principal to a string
-        _result = _result["result"][0]
-        if "krbprincipalname" in _result \
-           and _result["krbprincipalname"] is not None:
-            _list = []
-            for x in _result["krbprincipalname"]:
-                _list.append(str(x))
-            _result["krbprincipalname"] = _list
-        certs = _result.get("usercertificate")
-        if certs is not None:
-            _result["usercertificate"] = [encode_certificate(x)
-                                          for x in certs]
-        return _result
-
-    return None
+    # Transform each principal to a string
+    _result["krbprincipalname"] = [
+        to_text(x) for x in (_result.get("krbprincipalname") or [])
+    ]
+    _result["usercertificate"] = [
+        encode_certificate(x) for x in (_result.get("usercertificate") or [])
+    ]
+    return _result


 def gen_args(first, last, fullname, displayname, initials, homedir, shell,
@@ -1085,12 +1075,6 @@ def main():

            # Make sure user exists
            res_find = find_user(ansible_module, name)
-            # Also search for preserved user if the user could not be found
-            if res_find is None:
-                res_find_preserved = find_user(ansible_module, name,
-                                               preserved=True)
-            else:
-                res_find_preserved = None

            # Create command
            if state == "present":
@@ -1104,10 +1088,6 @@ def main():
                    departmentnumber, employeenumber, employeetype,
                    preferredlanguage, noprivate, nomembers)

-                # Also check preserved users
-                if res_find is None and res_find_preserved is not None:
-                    res_find = res_find_preserved
-
                if action == "user":
                    # Found the user
                    if res_find is not None:
@@ -1310,16 +1290,16 @@ def main():
                                             gen_certmapdata_args(_data)])

            elif state == "absent":
-                # Also check preserved users
-                if res_find is None and res_find_preserved is not None:
-                    res_find = res_find_preserved
-
                if action == "user":
                    if res_find is not None:
                        args = {}
                        if preserve is not None:
                            args["preserve"] = preserve
-                        commands.append([name, "user_del", args])
+                        if (
+                            not res_find.get("preserved", False)
+                            or not args.get("preserve", False)
+                        ):
+                            commands.append([name, "user_del", args])
                elif action == "member":
                    if res_find is None:
                        ansible_module.fail_json(
@@ -1370,17 +1350,18 @@ def main():
                            commands.append([name, "user_remove_certmapdata",
                                             gen_certmapdata_args(_data)])
            elif state == "undeleted":
-                if res_find_preserved is not None:
-                    commands.append([name, "user_undel", {}])
+                if res_find is not None:
+                    if res_find.get("preserved", False):
+                        commands.append([name, "user_undel", {}])
                else:
-                    raise ValueError("No preserved user '%s'" % name)
+                    raise ValueError("No user '%s'" % name)

            elif state == "enabled":
                if res_find is not None:
                    if res_find["nsaccountlock"]:
                        commands.append([name, "user_enable", {}])
                else:
-                    raise ValueError("No disabled user '%s'" % name)
+                    raise ValueError("No user '%s'" % name)

            elif state == "disabled":
                if res_find is not None:
@@ -1392,6 +1373,8 @@ def main():
            elif state == "unlocked":
                if res_find is not None:
                    commands.append([name, "user_unlock", {}])
+                else:
+                    raise ValueError("No user '%s'" % name)

            else:
                ansible_module.fail_json(msg="Unkown state '%s'" % state)
--- a/tests/group/test_group.yml
+++ b/tests/group/test_group.yml
@@ -5,6 +5,23 @@
  gather_facts: false

  tasks:
+  # setup
+  - include_tasks: ../env_freeipa_facts.yml
+
+  # GET DOMAIN AND REALM
+
+  - name: Get Domain from server name
+    set_fact:
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
+    when: ipaserver_domain is not defined
+
+  - name: Get Realm from server name
+    set_fact:
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
+    when: ipaserver_realm is not defined
+
+  # CLEANUP TEST ITEMS
+
  - name: Ensure users user1, user2 and user3 are absent
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -19,6 +36,8 @@
      name: group3,group2,group1
      state: absent

+  # CREATE TEST ITEMS
+
  - name: Ensure users user1..user3 are present
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -36,6 +55,8 @@
    register: result
    failed_when: not result.changed or result.failed

+  # TESTS
+
  - name: Ensure group1 is present
    ipagroup:
      ipaadmin_password: SomeADMINpassword
@@ -119,6 +140,156 @@
    register: result
    failed_when: result.changed or result.failed

+    # service
+
+  - block:
+
+    - name: Ensure service "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is present in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure service "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is present in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure service "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is present in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure service "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is present in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure service "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is absent in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure service "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is absent in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure service "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is absent in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure service "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is absent in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure services are present in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure services are present in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'http/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure services are absent in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        - "{{ 'LDAP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure services are absent in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    when: ipa_version is version('4.7.0', '>=')
+
+    # user
+
  - name: Ensure users user1, user2 and user3 are present in group group1
    ipagroup:
      ipaadmin_password: SomeADMINpassword
@@ -297,6 +468,8 @@
    register: result
    failed_when: not result.changed or result.failed

+  # CLEANUP TEST ITEMS
+
  - name: Ensure group group3, group2 and group1 are absent
    ipagroup:
      ipaadmin_password: SomeADMINpassword
--- a/tests/sudorule/test_sudorule.yml
+++ b/tests/sudorule/test_sudorule.yml
@@ -58,6 +58,7 @@
      name:
          - /sbin/ifconfig
          - /usr/bin/vim
+          - /usr/bin/emacs
      state: present

  - name: Ensure sudocmdgroup is available
@@ -68,6 +69,14 @@
      sudocmd: /usr/bin/vim
      state: present

+  - name: Ensure sudocmdgroup is available
+    ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: test_sudorule2
+      sudocmd: /usr/bin/emacs
+      state: present
+
  - name: Ensure sudorules are absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
@@ -606,6 +615,7 @@
      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: testrule1
      allow_sudocmdgroup: test_sudorule
+      action: member
      state: present
    register: result
    failed_when: not result.changed or result.failed
@@ -616,6 +626,7 @@
      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: testrule1
      allow_sudocmdgroup: test_sudorule
+      action: member
      state: present
    register: result
    failed_when: result.changed or result.failed
@@ -648,6 +659,7 @@
      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: testrule1
      deny_sudocmdgroup: test_sudorule
+      action: member
      state: present
    register: result
    failed_when: not result.changed or result.failed
@@ -658,6 +670,7 @@
      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: testrule1
      deny_sudocmdgroup: test_sudorule
+      action: member
      state: present
    register: result
    failed_when: result.changed or result.failed
@@ -684,6 +697,114 @@
    register: result
    failed_when: result.changed or result.failed

+  - name: Ensure sudorule is present, with `test_sudorule` sudocmdgroup in allow_sudocmdgroup.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      allow_sudocmdgroup: test_sudorule
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure sudorule is present, with `test_sudorule2` sudocmdgroup in allow_sudocmdgroup.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      allow_sudocmdgroup: test_sudorule2
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure sudorule is present, with both sudocmdgroup in allow_sudocmdgroup.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      allow_sudocmdgroup:
+        - test_sudorule
+        - test_sudorule2
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure sudorule is present, with both sudocmdgroup, again.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      allow_sudocmdgroup:
+        - test_sudorule
+        - test_sudorule2
+      state: present
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure sudorule is present, with only `test_sudorule` sudocmdgroup in allow_sudocmdgroup.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      allow_sudocmdgroup: test_sudorule
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure sudorule is present, with `test_sudorule` sudocmdgroup in deny_sudocmdgroup.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      deny_sudocmdgroup: test_sudorule
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure sudorule is present, with `test_sudorule2` sudocmdgroup in deny_sudocmdgroup.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      deny_sudocmdgroup: test_sudorule2
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure sudorule is present, with both sudocmdgroup in deny_sudocmdgroup.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      deny_sudocmdgroup:
+        - test_sudorule
+        - test_sudorule2
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure sudorule is present, with both sudocmdgroup, again.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      deny_sudocmdgroup:
+        - test_sudorule
+        - test_sudorule2
+      state: present
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure sudorule is present, with only `test_sudorule` sudocmdgroup in deny_sudocmdgroup.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      deny_sudocmdgroup: test_sudorule
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
  - name: Ensure sudorule is absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
@@ -889,7 +1010,9 @@
    ipasudocmdgroup:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      name: test_sudorule
+      name:
+      - test_sudorule
+      - test_sudorule2
      state: absent

  - name: Ensure sudocmds are absent
@@ -899,6 +1022,7 @@
      name:
      - /sbin/ifconfig
      - /usr/bin/vim
+      - /usr/bin/emacs
      state: absent

  - name: Ensure sudorules are absent
--- a/tests/user/test_user.yml
+++ b/tests/user/test_user.yml
@@ -249,6 +249,16 @@
    register: result
    failed_when: not result.changed or result.failed

+  - name: User pinky absent and preserved, again
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      preserve: yes
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: User pinky undeleted (preserved before)
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -258,6 +268,15 @@
    register: result
    failed_when: not result.changed or result.failed

+  - name: User pinky undeleted (preserved before), again
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      state: undeleted
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: Users pinky disabled
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -267,6 +286,15 @@
    register: result
    failed_when: not result.changed or result.failed

+  - name: Users pinky disabled, again
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      state: disabled
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: User pinky enabled
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -276,6 +304,44 @@
    register: result
    failed_when: not result.changed or result.failed

+  - name: User pinky enabled, again
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      state: enabled
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: User pinky absent and preserved for future exclusion.
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      preserve: yes
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: User pinky absent
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: User pinky absent and preserved, when already absent
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      preserve: yes
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: Remove test users
    ipauser:
      ipaadmin_password: SomeADMINpassword
--- a/tests/user/test_users.yml
+++ b/tests/user/test_users.yml
@@ -369,6 +369,15 @@
    register: result
    failed_when: not result.changed or result.failed

+  - name: User pinky absent and preserved, again
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky
+      preserve: yes
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: User pinky undeleted (preserved before)
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -377,6 +386,14 @@
    register: result
    failed_when: not result.changed or result.failed

+  - name: User pinky undeleted (preserved before), again
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky
+      state: undeleted
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: Users pinky disabled
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -385,6 +402,14 @@
    register: result
    failed_when: not result.changed or result.failed

+  - name: Users pinky disabled, again
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky
+      state: disabled
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: User pinky enabled
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -393,6 +418,43 @@
    register: result
    failed_when: not result.changed or result.failed

+  - name: User pinky enabled, again
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky
+      state: enabled
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: User pinky absent and preserved for future exclusion.
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      preserve: yes
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: User pinky absent
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: User pinky absent and preserved, when already absent
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: pinky
+      preserve: yes
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: Remove test users
    ipauser:
      ipaadmin_password: SomeADMINpassword
Author	SHA1	Message	Date
Thomas Woerner	680cd4c6ee	Merge pull request #749 from rjeffman/ipauser_fix_peserved_idempotence_issue ipauser: Fix idempotence issue when using 'preserved'.	2022-01-26 14:48:33 +01:00
Rafael Guterres Jeffman	401b911171	ipauser: Make 'no user' messages consistent. When ensuring states 'undeleted', 'enabled', 'disabled', and 'unlocked' the error messages for an unexistent user were not consistent. This change changes the message for all states to "No user '%s'."	2022-01-26 08:42:05 -03:00
Rafael Guterres Jeffman	7f61e72a2c	ipauser: Fix idempotence issue when using 'preserved'. When trying to ensure 'state: absent' with 'preserved: yes' in ipauser, after the first execution the playbook would fail with "user is already present". Similar idempotence issue would happen when 'state: undelete' was used. This PR fixes both issues, and improve tests for the states where user is preserved, enabled and disabled. The 'find_user' function now uses IPA API 'user_show' instead of 'user_find' so that only the requested user is actually returned.	2022-01-25 09:54:56 -03:00
Thomas Woerner	3c3396a7b8	Merge pull request #748 from rjeffman/docs_dnsconfig_example_playbooks dnsconfig: Add 'action: member' to dnsconfig example playbooks.	2022-01-25 12:44:22 +01:00
Rafael Guterres Jeffman	45f583b1ed	dnsconfig: Add 'action: member' to dnsconfig example playbooks. As of verison 1.6.1 of ansible-freeipa, ipadnsconfig supports 'action: member' to manage DNS forwardes, and requires the use of this action if 'state: present'. This patch fixes the playbook examples.	2022-01-24 15:55:18 -03:00
Rafael Guterres Jeffman	2de1dccbf5	Merge pull request #742 from t-woerner/group_fix_services group: Services are ipapython.kerberos.Principal and case insensitive	2022-01-24 14:56:21 -03:00
Thomas Woerner	a44515c701	Merge pull request #744 from rjeffman/sudorule_fix_deny_sudocmdgroup sudorule: Fix management of deny_sudocmdgroup.	2022-01-24 17:52:39 +01:00
Thomas Woerner	8cf2e7ef7b	group: Services are ipapython.kerberos.Principal and case insensitive The services returned by group_find are of type ipapython.kerberos.Principal. Addtionally the services are case insensitive. Therefore services need to be converted to a lowercase sting for proper comparison. test_group.yml has been extended with service tests.	2022-01-24 15:53:40 +01:00
Rafael Guterres Jeffman	ec198d0e09	sudorule: Fix management of deny_sudocmdgroup. Upstream tests were not testing one path of code related to variable `deny_sudocmdgroup`, and a regression was added. This patch fixes a call to the current configuration dictionary, and add tests so that the code path is executed in the upstream tests.	2022-01-24 11:24:33 -03:00