Compare commits


110 Commits

Author SHA1 Message Date
Rafael Guterres Jeffman
433d1096f8 Merge pull request #911 from t-woerner/update_spec_file
utils/ansible-freeipa.spec.in: Sync with Fedora rawhide spec file
2022-09-09 14:46:30 -03:00
Thomas Woerner
6a2d007b41 Merge pull request #912 from rjeffman/ipaconfig_fix_playbook_titles
ipaconfig: Fix example playbook titles.
2022-09-09 19:41:19 +02:00
Thomas Woerner
b0f58ef3a8 Merge pull request #906 from rjeffman/ipaconfig_sid
ipaconfig: Add support for SID related attributes.
2022-09-09 19:38:08 +02:00
Rafael Guterres Jeffman
3c8d6c7c7a ipaconfig: Add support for SID related attributes.
Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable
and configure SIDs, and set the Netbios name.

This patch adds the following parameters to ipaconfig plugin:
    enable_sids: New users and groups automatically get a SID assigned
    add_sids: Add SIDs for existing users and groups
    netbios_name: NetBIOS name of the IPA domain

Both add_sids and netbios_name require 'enable_sid: yes'.

'enable_sid' and 'netbios_name' are returned when querying IPA
configuration.

'add_sids' always generates SIDs for users and groups, so multiple
executions of the playbook with 'add_sids: yes' will return 'changed',
even if user and group SIDs are not modified.

A new test playbook is available:

    tests/config/test_config_sid.yml

New example playbooks are available:

    playbooks/config/change-ipa-domain-netbios-name.yml
    playbooks/config/generate-users-groups-sids.yml

Fixes: #781
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184
2022-09-09 11:40:05 -03:00
Rafael Guterres Jeffman
3b28050f1e ipaconfig: Fix example playbook titles. 2022-09-09 11:24:59 -03:00
Thomas Woerner
2973c80975 Merge pull request #904 from rjeffman/ipabackup_fix_parameter_eval_order
ipabackup: Fix order of ipabackup_name parameter evaluation.
2022-09-08 16:32:06 +02:00
Thomas Woerner
0f8f55dfd9 Merge pull request #910 from rjeffman/fix_fast_pr_tests
upstream CI: Force retrieval of ansible-freeipa master.
2022-09-08 16:30:28 +02:00
Rafael Guterres Jeffman
777f25d91c upstream CI: Force retrieval of ansible-freeipa master.
This patch forces the addition of a remote repository pointing to the
main ansible-freeipa repo, and fetches its contents before comparing the
modified files. The remote repository is removed after the modified
file list is generated.
2022-09-08 08:51:56 -03:00
Rafael Guterres Jeffman
727861cb85 upstream CI: Force retrieval of ansible-freeipa master.
This patch forces the addition of a remote repository pointing to the
main ansible-freeipa repo, and fetches its contents before comparing the
modified files. The remote repository is removed after the modified
file list is generated.
2022-09-08 08:50:56 -03:00
Rafael Guterres Jeffman
e6da214bfb ipabackup: Fix order of ipabackup_name parameter evaluation.
When performing a backup with 'state:present', if 'ipabackup_name' is
provided, the backup will be performed, but the role will return an
error since 'ipabackup_name' should not be set for this state.

This patch moves the parameter evaluation to be performed before the
actual backup is performed, so that the backup is not performed and an
error is reported.
2022-09-08 08:50:56 -03:00
Thomas Woerner
68a99ba5f9 utils/ansible-freeipa.spec.in: Sync with Fedora rawhide spec file
The spec file was updated and was lacking several updates.
2022-09-08 13:42:30 +02:00
Thomas Woerner
d936a3794e Merge pull request #901 from rjeffman/tests_ipabackup
ipabackup: Add playbook tests for ipabackup.
2022-09-07 14:26:53 +02:00
Thomas Woerner
bb0ba1ef2c Merge pull request #908 from rjeffman/ci_fix_module_comparison
upstream CI: Ensure 'master' branch is available for set_test_modules
2022-09-06 21:25:51 +02:00
Rafael Guterres Jeffman
1eb83548fa upstream CI: Ensure 'master' branch is available for set_test_modules
If the repository is set up in a way that the master branch is not
available for comparing the current HEAD against it, the comparison
will fail and no module/role will be scheduled for testing.

This patch forces fetching 'master' from ansible-freeipa repository,
allowing the comparison to be performed.
2022-09-06 15:47:01 -03:00
Thomas Woerner
5d7afb5f85 Merge pull request #893 from rjeffman/ci_tests_fast_run
upstream CI: run PR tests only for affected plugins
2022-09-06 19:28:41 +02:00
Rafael Guterres Jeffman
f7c45c4f46 ipabackup: Add playbook tests for ipabackup.
A new test playbook for ipabackup role can be found at:

    tests/role_backup/test_backup.yml

The test is not yet complete, as 'state: restored' is not tested.
2022-09-06 09:35:21 -03:00
Rafael Guterres Jeffman
38a4bf804f Merge pull request #905 from t-woerner/ipaserver_ipareplica_module_log_isatty
ipaserver/ipareplica: Add isatty method to AnsibleModuleLog
2022-09-05 17:24:28 -03:00
Thomas Woerner
7077776de3 ipaserver/ipareplica: Add isatty method to AnsibleModuleLog
In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
to AnsibleModuleLog this call will lead in a traceback as it was not
defined.

The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
role module_utils/ansible_ipa_server.py and in ipareplica role
module_utils/ansible_ipa_repica.py.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
       ansible-freeipa Replica Install Setup DNS fails
Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'
2022-09-05 13:23:02 +02:00
Rafael Guterres Jeffman
2514158498 upstream CI: run PR tests only for affected plugins
The current workflow for bug fixing or new enhancements in
ansible-freeipa includes running Ansible playbooks tests for all the
available plugins for every pull request, even for contained
modifications.

This patch creates a new workflow for pull requests where only the
affected plugins are tested in the PR. Changes that might affect other
parts of the code will trigger tests for the parts affected.

A utility script, utils/filter_tests, is used to set the variables
IPA_ENABLED_MODULES and IPA_ENABLED_TESTS before executing the tests,
effectively limiting which tests are executed. The script uses the
python plugin 'utils/filter_plugins.py' which lists all test modules
that should be executed for a list of modified source files.

Tests are selected for execution based on the plugin name. For example,
a change to 'plugins/modules/ipalocation.py' would trigger all playbook
tests under 'tests/location'. If a test playbook is modified, it is
scheduled to be executed. Changes to any file under
'plugins/module_utils' will force the execution of all tests, since any
module might be affected by that change.

The nature of the change is not evaluated, so a simple typo fix of a
comment in a file under 'plugins/module_utils' would still schedule all
test playbooks to be executed.

For roles, any file changed under the role directory would set the role
to be included in the tests. Playbook tests for roles must be created
under 'tests/<rolename>_role', where role name is the name of the role
without 'ipa', for example, the 'ipabackup' role test playbooks would
be stored under 'tests/backup_role'.

Since there is the possibility that the list of tests to be executed
might be less than the number of test groups used (3), a new pytest
dependency was added, pytest-custom_exit_code, so that having no tests
to run isn't a test failure.

A new pipeline on Azure needs to be created to use the new test script.
2022-09-02 19:06:46 -03:00
Rafael Guterres Jeffman
c6cc4df77b check_test_configuration: Add support for IPA_* environment variables
This patch adds support for IPA_ENABLED_* and IPA_DISABLED_* environment
variables as existing global configuration for the tests.
2022-08-31 15:06:43 -03:00
Rafael Guterres Jeffman
b3ee4f9bed tests: Drop pytest-split-tests in favor of pytest-split
The plugin pytest-split-tests is used to split the tests in several
groups so that the tests can be executed in parallel in upstream CI.

The issue is that pytest-split-tests last release was more than a
year ago, upstream developers have not been responsive, and there is
a bug when the number of tests to be executed by a group is zero.
The patch to fix this issue has been open for a year.

This patch deprecates the use of pytest-split-tests, changing the
plugin used to split the tests to pytest-split, which is actively
maintained.
2022-08-31 15:06:43 -03:00
Thomas Woerner
401d5d5acc Merge pull request #849 from rjeffman/dev_run_tests_locally
Run tests locally with upstream CI images.
2022-08-31 15:40:00 +02:00
Rafael Guterres Jeffman
b971c6c5eb Merge pull request #897 from t-woerner/add_ipaserver_idstart_check
ipaserver: Add missing idstart check
2022-08-31 10:01:03 -03:00
Thomas Woerner
de8911af50 ipaserver: Add missing idstart check
The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
This is "Require idstart to be larger than UID_MAX" for freeipa.

Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment)
2022-08-30 16:38:42 +02:00
Rafael Guterres Jeffman
7e6e6c2dc2 run-tests: Run tests locally with upstream CI images
This patch allows local execution of playbook tests using upstream CI
testing images. Either 'podman' or 'docker' can be used to execute the
tests.
2022-08-29 18:13:30 -03:00
Rafael Guterres Jeffman
668d89cdb2 Merge pull request #894 from t-woerner/ipaserver_no_ipaclient_package_install
ipaserver: ipaclient part does not need to install packages
2022-08-29 17:50:06 -03:00
Rafael Guterres Jeffman
0c1d4efc03 Merge pull request #895 from t-woerner/temporarily_disable_some_dns_tests_in_fedora_rawhide
fedora rawhide: Temporarily disable failing DNS tests
2022-08-29 17:35:50 -03:00
Thomas Woerner
eefe91b852 Merge pull request #890 from rjeffman/fix_disable_test_split
upstream CI: Fix list evaluation in IPA_ENABLED/IPA_DISABLED tests
2022-08-29 15:35:17 +02:00
Thomas Woerner
bed8bf6661 fedora rawhide: Temporarily disable failing DNS tests
Some DNS tests have been disabled for Fedora latest, but not for Fedora
Rawhide. Therefore these tests are still failing in nightly:

- dnsforwardzone
- test_dnsconfig_forwarders_ports
2022-08-29 14:59:56 +02:00
Thomas Woerner
577aeea3f3 ipaserver: ipaclient part does not need to install packages
The client part installation is checking for the client packages. These
packages are part of the server packages that have been installed with
the server role and therefore the task is not needed.

This is helping to reduce the deployment time of a server.
2022-08-29 10:10:20 +02:00
Rafael Guterres Jeffman
4775ad9a53 Merge pull request #892 from t-woerner/fix_short_description_tag
Fix short_description flag in plugins, role modules and templates
2022-08-26 15:26:57 -03:00
Thomas Woerner
81143be96a Fix short_description flag in plugins, role modules and templates
Before "short description" was used in most plugins, modules and also
in the new module templates.

ansible-doc was therefore not showing the short description. To fix the
issue the flag was renamed to short_description instead.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2121362
       'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'
2022-08-26 15:27:00 +02:00
Rafael Guterres Jeffman
7debaa23ac upstream CI: Fix list evaluation in IPA_ENABLED/IPA_DISABLED tests
When enabling or disabling multiple tests, a comma separated list must
be used, but current code is using a colon to split the list.

This patch fixes this behavior.
2022-08-25 13:06:10 -03:00
Rafael Guterres Jeffman
e05dc41e0f Merge pull request #876 from t-woerner/ipareplica_do_not_overwrite_ipaclient_no_ntp_for_client_part_deployment
ipareplica: Do not overwrite ipaclient_no_ntp for client part deployment
2022-08-25 09:30:42 -03:00
Thomas Woerner
8bab7d365b Merge pull request #889 from rjeffman/doc_user_required_fields
ipauser: Add note on attributes 'first' and 'last' requirements
2022-08-25 14:08:19 +02:00
Thomas Woerner
018337a19b Merge pull request #884 from rjeffman/ci_enable_distro_selection
upstream CI: enable/disable tests based on test image
2022-08-25 10:08:05 +02:00
Rafael Guterres Jeffman
bb08884221 ipauser: Add note on attributes 'first' and 'last' requirements
Attributes 'first' and 'last' are required if the user does not exist,
but current documentation doesn't make it clear. This patch adds a note
on both attributes to make clear the cases where the attribute is
required.
2022-08-24 23:23:51 -03:00
Rafael Guterres Jeffman
abef329b8a upstream ci: Add step to display scenario configuration
Since test configuration can vary in different scenarios (test images)
this patch adds a script to list the scenarios configuration, and a
step to the playbook test jobs to display the scenario configuration.
2022-08-24 16:52:38 -03:00
Rafael Guterres Jeffman
3216f8df37 upstream ci: Avoid scheduling tests that will not be executed.
Currently, all tests are scheduled to execution, even those that are
not executed due to being absent from the list of enabled tests
configured in the IPA_ENABLED_* variables. The tests that are not
executed are marked 'skipped'.

This patch changes this behavior by not scheduling tests that are not
configured to be executed. It means that tests in the IPA_DISABLED_*
lists are not skipped anymore, but not scheduled to be executed. If
any test is in IPA_ENABLED_* lists, only those tests are marked for
execution. A side effect is that there is no visual feedback on which
tests were not executed, as disabled tests are not evaluated anymore.

Also, when IPA_SERVER_HOST was not set, all tests were skipped, but
an error should be raised in this case, as there are no hosts to run the
tests against.

This patch modifies this behavior to fail the test with an exception if
IPA_SERVER_HOST is not set.
2022-08-24 16:22:39 -03:00
Rafael Guterres Jeffman
edccf70bf6 upstream ci: Add support for distro specific test configuration.
Sometimes, mostly due to differences in package versions, there are
some tests that fail on a single distribution which cannot be fixed
by ansible-freeipa, requiring that the offending package is fixed.

To keep tests running successfully we have options to disable the
failing tests, but these changes are globally applied, meaning that, by
disabling a test, it is disabled in all tested distributions.

This patch allows tests to be enabled or disabled for a specific
distribution, by setting the configuration on the 'variable' template
for the specific testing scenario.
2022-08-24 16:22:39 -03:00
Thomas Woerner
fd79f95f9b Merge pull request #887 from rjeffman/doc_fix_ipasudorule
ipasudorule: Fix usage of 'action' and 'state' in examples.
2022-08-24 10:15:52 +02:00
Rafael Guterres Jeffman
e2fcd7767e ipasudorule: Fix usage of 'action' and 'state' in examples.
Some examples in ipasudorule were using `action: enabled` when it
should've been `state: enabled`. The examples were fixed.
2022-08-23 12:31:54 -03:00
Thomas Woerner
5a14f78d44 ipareplica: Do not overwrite ipaclient_no_ntp for client part deployment
The NTP server chrony was always enabled and set up due to overwriting
the parameter ipaclient_no_ntp for the client part deployment.

For IPA deployments up to 4.6 no_ntp was always used for the client
part deployment in ipa-replica-install. But afterwards ntp was
configured in the replica deployment part if no_ntp was not set.

The ipareplica roles always relied on the client for setting up the NTP
server but overwrote the setting for the client deployment part. This
did not result in a failure to enable the chrony server in RHEL and Fedora
based distributions as NTP server was always required by the ipa-server
package.

Fixes: #871 (ipa-replica-install with no-ntp is ignored)
2022-08-18 15:55:02 +02:00
Varun Mylaraiah
a3a7ecd817 Merge pull request #880 from t-woerner/flake8_ipavault_fix
ipavault: Fix missing whitespace after keyword issue
2022-08-16 17:34:32 +05:30
Varun Mylaraiah
63f016226c Merge pull request #877 from t-woerner/ipareplica_fix_ipaNTFlatName_update_issue
ipareplica: ipareplica_setup_adtrust fails while updating ipaNTFlatName
2022-08-16 17:31:40 +05:30
Thomas Woerner
a58f61792b ipavault: Fix missing whitespace after keyword issue
flake8 reports an issue in ipavault:

  plugins/modules/ipavault.py:528:20: E275 missing whitespace after keyword

The missing whitespace has been added: "and not(" -> "and not ("
2022-08-16 10:18:03 +02:00
Thomas Woerner
641c550cc3 ipareplica: ipareplica_setup_adtrust fails while updating ipaNTFlatName
The internal parameter sid_generation_always is generated in
ipareplica_test to enable SID generation if ipareplica_setup_adtrust is
not enabled.

This parameter was not used for ipareplica_prepare though, therefore
adtrust.install_check was not executed and did not set the attribute
adtrust.netbios_name. As a result adtrust.netbios_name was None and the
try to use this as the new NetBIOS domain name failed with an
INVALID_SYNTAX error in adtrustinstance while executing
ipareplica_setup_adtrust.

This issue only occurs if SIDs are not enabled in the domain yet for
example with an old deployment.
2022-08-15 16:17:57 +02:00
Thomas Woerner
c251632368 Merge pull request #867 from jpclipffel/master
ipaclient: Removed invalid call `logger.info()`
2022-07-28 14:25:20 +02:00
Varun Mylaraiah
452d20e28d Merge pull request #866 from t-woerner/sid_generation_always
ipaserver/ipareplica: Always generate SIDs
2022-07-28 17:35:23 +05:30
jpclipffel
c7699472a6 ipaclient: Removed invalid call logger.info()
- Call was responsible for a `TypeError` exception
- Call was not useful (already followed by a proper `logger.warning` call)

Should fix issue #865: https://github.com/freeipa/ansible-freeipa/issues/865
2022-07-27 16:16:10 +02:00
Thomas Woerner
eba457d5ff ipaserver/ipareplica: Always generate SIDs
The SID is always generated in the command line installers in newer IPA
versions. This also needs to be done in the ipaserver and ipareplica roles.

For the IPA versions that are supporting this, the adtrust setup is always
executed to generate the SIDs, but only configures AD trust if
ipaserver_setup_adtrust or ipareplica_setup_adtrust is also enabled. A
check has been added to ipaserver_test and ipareplica_test to only enable
the SID generation for the IPA versions supporting this.

This is related to https://pagure.io/freeipa/8995

Fixes:
- https://bugzilla.redhat.com/show_bug.cgi?id=2110478
- https://bugzilla.redhat.com/show_bug.cgi?id=2110491
2022-07-27 15:01:17 +02:00
Varun Mylaraiah
809e423947 Merge pull request #864 from t-woerner/fix_RSN_always_on
ipaserver,ipareplica: Fix Random Serial Numbers always enabled
2022-07-25 20:25:39 +05:30
Thomas Woerner
e5f0ab2fe4 Merge pull request #863 from rjeffman/ipadnsconfig_fix_idempotency
ipadnsconfig: Fix boolean values comparison
2022-07-25 16:54:08 +02:00
Thomas Woerner
f85c60676c ipaserver,ipareplica: Fix Random Serial Numbers always enabled
The option _random_serial_numbers was used with the wrong type in
ipaserver_setup_ca.py and ipareplica_setup_ca.py. Therefore RSN was
always enabled.

Fixes:
- https://bugzilla.redhat.com/show_bug.cgi?id=2110523
- https://bugzilla.redhat.com/show_bug.cgi?id=2110526
2022-07-25 16:31:31 +02:00
Rafael Guterres Jeffman
f9bf0cfec0 ipadnsconfig: Disable only tests that are failing due to python-dns
This patch disables only the tests that are failing due to python-dns
issue in FreeIPA, allowing other tests in the test suite to be
executed.
2022-07-21 00:49:11 -03:00
Rafael Guterres Jeffman
8f0d983845 ipadnsconfig: Separate tests for forwarders with custom ports.
Due to an issue with python-dns, FreeIPA is raising an exception when
setting a DNS forwarder with a custom port. Separating the tests for
ipadnsconfig that use forwarders with custom ports allows the other
tests to be correctly executed.
2022-07-21 00:46:33 -03:00
Rafael Guterres Jeffman
aed5edae33 ipadnsconfig: Enable check_mode support 2022-07-21 00:46:01 -03:00
Rafael Guterres Jeffman
889b2a5576 ipadnsconfig: Fix comparison of bool values in IPA 4.9.10+
IPA 4.9.10+ handles LDAP boolean values correctly, and the comparison
should be executed with the values themselves, instead of a string
representation.
2022-07-21 00:42:52 -03:00
Thomas Woerner
e9d637c57a Merge pull request #854 from rjeffman/ci_enable_fedora_rawhide
upstream CI: enable tests on Fedora Rawhide.
2022-07-08 18:12:12 +02:00
Thomas Woerner
b3a97eacec Merge pull request #850 from rjeffman/tests_allow_sanity_with_podman
sanity.sh: Allow use of podman instead of docker
2022-07-08 18:11:00 +02:00
Rafael Guterres Jeffman
aa745100e3 Merge pull request #859 from t-woerner/use_tasks_parse_ipa_version
ansible_freeipa_module: Use ipaplatform.tasks.parse_ipa_version
2022-07-08 12:47:06 -03:00
Rafael Guterres Jeffman
23faa83a0b sanity.sh: Allow use of podman instead of docker
When running tests/sanity/sanity.sh locally, podman might be available
instead of Docker. Due to current configuration, only Docker is used by
sanity.sh.

This patch searches for the availability of docker, which is kept as
the default container engine to use, and uses podman only if docker is
not found.

This change also allows the execution of the script from a directory
other than the repository root.
2022-07-08 11:53:25 -03:00
Thomas Woerner
12729fc2c0 ansible_freeipa_module: Use ipaplatform.tasks.parse_ipa_version
api_check_ipa_version was using packaging.version. IPA is using
pkg_resources.parse_version in ipaplatform.tasks.parse_ipa_version.

With this change tasks.parse_ipa_version from ipaplatform is used to
have exactly the same version comparison that also IPA has.

Additionally tasks is added to __all__.
2022-07-08 14:58:44 +02:00
Rafael Guterres Jeffman
31810ad7c0 upstream CI: enable tests on Fedora Rawhide.
This patch enables upstream CI to build a testing Fedora Rawhide
container and enables its use in nightly and weekly test runs.
2022-07-07 10:53:54 -03:00
Thomas Woerner
9dcff9a308 Merge pull request #851 from rjeffman/dnszone_fix_bool_behavior
Fix handling of boolean values for FreeIPA 4.9.10+
2022-07-06 20:44:13 +02:00
Rafael Guterres Jeffman
e500c133c0 Merge pull request #856 from t-woerner/argspec
Provide own getargspec for roles and modules with Python 3.11
2022-07-06 12:51:26 -03:00
Rafael Guterres Jeffman
a5306b2db5 pytests/test_dnszone: Fix evaluation of boolean values
Evaluating boolean values output by FreeIPA must use regular
expressions to handle both "TRUE/FALSE" and "True/False".
2022-07-06 12:11:16 -03:00
Rafael Guterres Jeffman
8ab3aa06ff pytest tests: Enhanced assertion for check_* methods.
Checking if some output is present or absent from standard streams was
done by simple string searching. Due to recent changes in FreeIPA, this
search is not effective due to capitalization differences in boolean
values output. Changing the string searching to regular expression
searches fixes this behavior for current and previous versions of
FreeIPA.

This patch also adds more information on the assert tests in case of an
error, so that it is easier to understand why the test failed.
2022-07-06 12:11:16 -03:00
Rafael Guterres Jeffman
87ff15a92c api_check_ipa_version: Fix version comparison for more than one digit
The fallback function used to compare IPA versions was splitting the
version string into a tuple of strings, and the comparison of the tuple
would fail if comparing a field with one digit against a two-digit one,
for example, '8' with '10', as the string comparison would put '10'
before the '8'.

This patch forces the version fields to be converted to integers, so
a numerical comparison will be performed. If a version string field
cannot be converted to a number, then the string comparison will still
be used.
2022-07-06 12:11:16 -03:00
Rafael Guterres Jeffman
c8d5cb7ee2 Fix handling of boolean values for FreeIPA 4.9.10+
FreeIPA 4.9.10+ and 4.10 use proper mapping for boolean values, and
only searching for "TRUE" does not work anymore.

This patch fixes ipadnszone plugin and IPAParamMapping class handling
of boolean values.
2022-07-06 12:11:16 -03:00
Rafael Guterres Jeffman
2fa4aa60b1 Merge pull request #857 from t-woerner/server_test_use_fqdn
tests/server/test_server.yml: Fix generation of ipaserver_domain
2022-07-06 10:41:38 -03:00
Rafael Guterres Jeffman
4332636fd2 Merge pull request #852 from t-woerner/rsn_missing
ipaserver,ipareplica: Add random_serial_numbers to options
2022-07-06 10:06:51 -03:00
Thomas Woerner
266f79b55f tests/server/test_server.yml: Fix generation of ipaserver_domain
The generation of ipaserver_domain has issues: At first
ansible_facts['hostname'] instead of ansible_facts['fqdn'] is used
and second the first entry after the split operation is used and third
the final join is missing.
2022-07-06 12:43:49 +02:00
Thomas Woerner
07b056ad25 Provide own getargspec for roles and modules with Python 3.11
Python 3.11 dropped compat inspect.getargspec. As the roles and modules
need to support Python2 and Python3, the code for getargspec has been
copied from Python 3.10 and is added as a fallback as soon as getargspec
can not be imported from inspect. The copied getargspec is using
getfullargspec internally.

Fixes: #855 (Python's inspect.getargspec was removed in version 3.11)
2022-07-06 11:25:49 +02:00
Thomas Woerner
7db5d59de1 ipaserver,ipareplica: Add random_serial_numbers to options
With the support for Random Serial Numbers v3 in FreeIPA 4.10, the
attribute random_serial_numbers has been added to the installer options.

options._random_serial_numbers is generated by ca.install_check and
later used by ca.install in the _setup_ca module.

ca.install_check is using options.random_serial_numbers and generating
options._random_serial_numbers which is later used by ca.install in
ca.install the _setup_ca module.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2103928
       https://bugzilla.redhat.com/show_bug.cgi?id=2103924
2022-07-06 09:31:41 +02:00
Rafael Guterres Jeffman
e19e16c734 Merge pull request #853 from t-woerner/concatenation_only_with_jinja
ipaserver: Use jinja for list concatenation
2022-07-05 12:06:05 -03:00
Thomas Woerner
0ff119a2a8 ipaserver: Use jinja for list concatenation
With ansible-2.13 it is required to use jinja for list concatenation.

  list: "[] + ['a'] + ['b']"

needs to become

  list: "{{ [] + ['a'] + ['b'] }}"

copy_external_cert.yml needed to be changed.
2022-07-05 16:42:23 +02:00
Thomas Woerner
90f6e14c40 Merge pull request #844 from rjeffman/ci_enable_ansible_core_2_12
upstream CI: Update nightly Ansible versions.
2022-06-24 12:26:00 +02:00
Rafael Guterres Jeffman
e044310dad upstream CI: Enable tests using ansible-core 2.12.
As the current latest upstream version of ansible-core is 2.13.0, to
test against ansible-core 2.12 series we need to pin the version used
on the test.

This patch enables the already defined tests for ansible-core 2.12 that
were available but commented out.
2022-06-23 13:19:17 -03:00
Rafael Guterres Jeffman
4be7a9fba0 upstream CI: Remove Ansible 2.9 from test matrix
Ansible 2.9 is EOL, and we should only test with supported upstream
versions of Ansible.

This patch removes tests against Ansible 2.9.
2022-06-23 13:19:17 -03:00
Thomas Woerner
98959807d2 Merge pull request #825 from rjeffman/ci_test_galaxy_collection
upstream CI: Add support for testing ansible-freeipa as a collection.
2022-06-23 18:01:42 +02:00
Thomas Woerner
a16379cfa0 Merge pull request #832 from rjeffman/idrange_fix_absent_invalid
idrange: Fix list of invalid parameters for 'state:absent'.
2022-06-23 17:59:04 +02:00
Thomas Woerner
672413f4dd Merge pull request #831 from rjeffman/idrange_fix_dom_name
idrange: Fix usage of dom_name when idrange doesn't exist.
2022-06-23 17:58:29 +02:00
Rafael Guterres Jeffman
8af4329fac Merge pull request #838 from t-woerner/smartcard_roles
New roles for smartcard server and client setup
2022-06-23 09:28:47 -03:00
Thomas Woerner
9932b1dc98 New roles for smartcard server and client setup
There are new smartcard roles in the roles folder:

    roles/ipasmartcard_server
    roles/ipasmartcard_client

These roles allow setting up smartcards for servers and clients.

Here is the documentation for the roles:

    roles/ipasmartcard_server/README.md
    roles/ipasmartcard_client/README.md

New example playbooks have been added:

    playbooks/install-smartcard-server.yml
    playbooks/install-smartcard-replicas.yml
    playbooks/install-smartcard-servers.yml
    playbooks/install-smartcard-clients.yml
2022-06-22 15:13:52 +02:00
Rafael Guterres Jeffman
1c44898e68 idrange: Fix list of invalid parameters for 'state:absent'.
As an idrange has no members, when using `state: absent`, all
parameters but 'name' and 'state' are invalid. The list of invalid
parameters when 'state: absent' has been fixed to include some
missing parameters.
2022-06-21 11:35:20 -03:00
Rafael Guterres Jeffman
f44dc55b90 upstream CI: Add support for testing ansible-freeipa as a collection.
Provide a pipeline to test ansible-freeipa as an Ansible Galaxy
collection. The tests will use 'utils/build-galaxy-release.sh' to
create the galaxy release file, install it as a collection, and run
the tests in it, which were modified to use FQCN.

The tests will run only on 'fedora-latest' for each PR, and on all
platforms for nightly and weekly tests.
2022-06-21 10:40:21 -03:00
Thomas Woerner
65b106449e Merge pull request #833 from rjeffman/idrange_fix_typo
idrange: Fix typo in test comments.
2022-06-21 12:56:23 +02:00
Thomas Woerner
7501c84844 Merge pull request #841 from rjeffman/requirements_virtualenv
requirements-dev: Update requirements for virtual environments
2022-06-21 12:55:34 +02:00
Rafael Guterres Jeffman
d45e6ac399 pylint: Ignore module ipaserver.dcerpc errors.
When evaluating imports, pylint does not have access to IPA imports,
so they need to be ignored during import or usage.
2022-06-20 15:34:27 -03:00
Rafael Guterres Jeffman
d990832681 idrange: Fix addition of idrange with dom_name.
When ensuring presence of an idrange using dom_name instead of dom_sid,
the SID must be obtained so that the idrange can be created.

Related to RHBZ#2086993 and RHBZ#2086994.
2022-06-17 10:21:05 -03:00
Rafael Guterres Jeffman
b998597815 ansible_module_utils: add method to retrieve SID from dom_name.
When managing idranges, it might be needed to obtain the domain SID
from the domain name. As this method needs to use the IPA API object
and requires importing some ipaserver modules, the best place for this
method to be implemented is on ansible_module_utils.
2022-06-17 10:21:05 -03:00
Rafael Guterres Jeffman
d51ee9dc69 requirements-dev: Update requirements for virtual environments
When developing ansible-freeipa using a Python virtual environment,
some ansible-freeipa utility scripts failed to execute due to missing
tools.

This patch adds the required tools and modules to requirements-dev.txt
and pins the versions to the same available in Fedora 36.
2022-06-17 10:16:49 -03:00
Thomas Woerner
fdfea1b6fb Merge pull request #354 from rjeffman/tests_ignore_tests
Add support to define which playbook tests to execute with pytest.
2022-06-15 19:50:31 +02:00
Rafael Guterres Jeffman
ac92ed1408 fixup! Add support to define which playbook tests to execute with pytest. 2022-06-15 09:53:32 -03:00
Rafael Guterres Jeffman
757b89dfae upstream tests: Disable dnsconfig and dnsforwardzone
Due to an issue with IPA in Fedora 36, dnsconfig and dnsforwardzone
plugin tests must be disabled.

See FreeIPA issue: https://pagure.io/freeipa/issue/9158
2022-06-14 21:43:05 -03:00
Rafael Guterres Jeffman
914e4879f8 tests/utils.py: Fix pylint issues. 2022-06-14 21:43:05 -03:00
Rafael Guterres Jeffman
13cff6354b Add support to define which playbook tests to execute with pytest.
pytest provide the means to skip tests based on patterns, but writing
these patterns for ansible-freeipa might not be feasible.

This PR allows the selection of playbook tests and modules that will
be executed with pytest using the environment variables IPA_ENABLED_TESTS,
IPA_ENABLED_MODULES, IPA_DISABLED_TESTS or IPA_DISABLED_MODULES.

When using IPA_ENABLED_MODULES, all modules will be disabled, and only
the modules in the enabled list will be tested. If using the test
filter, IPA_ENABLED_TESTS, all tests are disabled, unless they are in
the enabled test lists.

If the IPA_DISABLED_* version is used, tests and modules are enabled by
default, and the list is used to disable the module or specific test.

To disable a test or module in Azure CI, edit the file
`tests/azure/variables` and add the desired tests or modules to the
parameter variables `enabled_modules`, `enabled_tests`, `disabled_tests`
or `disable_modules`.

Note that, if added to the `master` branch, this will affect the tests
for every pipeline that it is included in (including 'nightly'), so it should
be used with care.

It can be used with TEMP commits to enable only the desired tests,
speeding up upstream tests.
2022-06-14 21:23:18 -03:00
Thomas Woerner
4ff5aaa172 Merge pull request #830 from rjeffman/ci_fix_missing_changelog
Fix ansible-test sanity missing CHANGELOG.rst.
2022-06-14 15:40:20 +02:00
Rafael Guterres Jeffman
d82abdbef9 build-galaxy-release: Automatically create CHANGELOG.
Recent versions of ansible-test require the existence of a CHANGELOG
file in the root of the collection. This change extracts the changes
of the latest available release tag using `utils/changelog` and creates
the CHANGELOG file with the result of the command.

The generated changelog will include the changes for the latest release
and, if present, the available changes that were not part of a release.
2022-06-14 10:33:08 -03:00
Rafael Guterres Jeffman
5aa80204d5 Merge pull request #842 from t-woerner/changelog_for_galaxy
utils/changelog: Fixed --tag option, new --galaxy option
2022-06-14 10:21:25 -03:00
Thomas Woerner
8b8cbdd8c2 utils/changelog: Fixed --tag option, new --galaxy option
The --tag TAG option is now printing the changes for the given TAG and
not since the given tag. The new option --galaxy is printing the changelog
since the latest tag and also for the latest tag.

These changes are simplifying the generation of the changelog file that
is needed to pass the tests for galaxy and AutomationHub collections.
2022-06-14 15:07:11 +02:00
Thomas Woerner
a06b16f5bc Merge pull request #827 from rjeffman/ci_update_ansible
Upstream CI updates.
2022-06-14 12:31:52 +02:00
Rafael Guterres Jeffman
dc99b821eb idrange: Fix typo in test comments.
There were some typos in the idrange test playbook.
2022-05-23 08:39:27 -03:00
Rafael Guterres Jeffman
796f84357a upstream CI: Update default ansible-core version to 2.12.
The current ansible-core available in Fedora and RHEL is 2.12 series.
This patch sets the version used for every PR CI to match this series.

Other versions should be used only in the nightly/weekly tests.
2022-05-12 14:50:32 -03:00
Rafael Guterres Jeffman
9e6c79abbb upstream CI: Allow the use of latest ansible-core.
This patch adds the latest ansible-core as a test target in upstream
nightly/weekly CI.

As, currently, the latest available ansible-core is still 2.12.z, the
current ansible-core 2.12 targets were disabled. They should be enabled
when ansible-core 2.13 is available.
2022-05-12 14:50:32 -03:00
Rafael Guterres Jeffman
d3af87c731 upstream CI: removed all CentOS 8 support.
CentOS 8 images are not supported anymore, and we are using CentOS 8
Stream images.

This patch removes all configuration for CentOS 8 and updates test
README to point to the available container images.
2022-05-12 14:50:32 -03:00
Rafael Guterres Jeffman
7011283335 upstream CI: Relabel upstream PR pipeline jobs.
As Ansible versions might change, and as we don't need to report which
version is used on every test, as the information is available in case
it is needed, the job labels are changed to more easily display which image
was used for testing.
2022-05-12 14:50:32 -03:00
Rafael Guterres Jeffman
0297cbe973 Merge pull request #829 from t-woerner/build-galaxy-release_with_install
utils/build-galaxy-release.sh: Add "-i" to install generated collection
2022-05-12 12:12:15 -03:00
Thomas Woerner
1ec0d1e640 utils/build-galaxy-release.sh: Add "-i" to install generated collection
The "-i" option can be used to install the generated collection using
the ansible-galaxy collection install command. It is using the force
flag to install the collection if there is already a collection with the
same name and namespace. The ansible-galaxy collection build command is
already using the force flag to create the collection.
2022-05-12 15:06:39 +02:00
179 changed files with 4722 additions and 605 deletions

View File

@@ -10,6 +10,8 @@ exclude_paths:
- molecule/
- tests/azure/
- meta/runtime.yml
- requirements-docker.yml
- requirements-podman.yml
kinds:
- playbook: '**/tests/**/test_*.yml'

View File

@@ -65,6 +65,9 @@ Example playbook to read config options:
maxusername: 64
```
Example playbook to set global configuration options:
```yaml
---
- name: Playbook to ensure some config options are set
@@ -79,6 +82,40 @@ Example playbook to read config options:
```
Example playbook to enable SID and generate users and groups SIDs:
```yaml
---
- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Enable SID and generate users and groups SIDS
ipaconfig:
ipaadmin_password: SomeADMINpassword
enable_sid: yes
add_sids: yes
```
Example playbook to change IPA domain NetBIOS name:
```yaml
---
- name: Playbook to change IPA domain netbios name
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Set IPA domain netbios name
ipaconfig:
ipaadmin_password: SomeADMINpassword
enable_sid: yes
netbios_name: IPADOM
```
Variables
=========
@@ -111,6 +148,9 @@ Variable | Description | Required
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
Return Values
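Review bot: the `add_sids` row should state that it is an action, not a stored setting: the module forwards it to `config_mod` on every run in which it is `yes`, so such a playbook reports `changed` each time even when every user and group already has a SID, and users who want idempotent runs need to remove it after the first execution. The `netbios_name` row could also mention that the value is compared case-insensitively against the current NetBIOS flat name (the module upper-cases it before comparing), so `ipadom` and `IPADOM` are the same name.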
@@ -140,6 +180,8 @@ Variable | Description | Returned When
&nbsp; | `user_auth_type` | &nbsp;
&nbsp; | `domain_resolution_order` | &nbsp;
&nbsp; | `ca_renewal_master_server` | &nbsp;
&nbsp; | `enable_sid` | &nbsp;
&nbsp; | `netbios_name` | &nbsp;
All returned fields take the same form as their namesake input parameters

View File

@@ -175,8 +175,8 @@ Variable | Description | Required
`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | no
`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | no
`dom_sid` \| `ipanttrusteddomainsid` | Domain SID of the trusted domain. | no
`dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. | no
`idrange_type` \| `iparangetype` | ID range type, one of `ipa-ad-trust`, `ipa-ad-trust-posix`, `ipa-local`. Only valid if idrange does not exist. | no
`dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. Can only be used when `ipaapi_context: server`. | no
`auto_private_groups` \| `ipaautoprivategroups` | Auto creation of private groups, one of `true`, `false`, `hybrid`. | no
`delete_continue` \| `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no

View File

@@ -381,8 +381,8 @@ Variable | Description | Required
Variable | Description | Required
-------- | ----------- | --------
`first` \| `givenname` | The first name string. | no
`last` \| `sn` | The last name string. | no
`first` \| `givenname` | The first name string. Required if user does not exist. | no
`last` \| `sn` | The last name string. Required if user does not exist. | no
`fullname` \| `cn` | The full name string. | no
`displayname` | The display name string. | no
`homedir` | The home directory string. | no

View File

@@ -12,6 +12,7 @@ Features
* One-time-password (OTP) support for client installation
* Repair mode for clients
* Backup and restore, also to and from controller
* Smartcard setup for servers and clients
* Modules for automembership rule management
* Modules for automount key management
* Modules for automount location management
@@ -425,6 +426,8 @@ Roles
* [Replica](roles/ipareplica/README.md)
* [Client](roles/ipaclient/README.md)
* [Backup](roles/ipabackup/README.md)
* [SmartCard server](roles/ipasmartcard_server/README.md)
* [SmartCard client](roles/ipasmartcard_client/README.md)
Modules in plugin/modules
=========================

View File

@@ -1 +1 @@
centos-8
fedora-latest

View File

@@ -0,0 +1,30 @@
FROM fedora:rawhide
ENV container=docker
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/python3-config \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute && \
dnf clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*; \
rm -rf /var/cache/dnf/;
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]
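Review bot: the RUN chain mixes `;` and `&&`, so a failure of `dnf makecache` or of the `dnf --assumeyes install ...` step does not fail the build; the layer's exit status is that of the final `rm -rf /var/cache/dnf/`, and a broken rawhide mirror shows up later as a missing `systemd` or `sudo` in the test container instead of as a build error. Joining every step with `&&` (or starting the RUN with `set -e;`) fixes that. The `[ $i == systemd-tmpfiles-setup.service ]` test also relies on bash's `==`; `=` is the portable spelling and `"$i"` should be quoted.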

View File

@@ -2,9 +2,9 @@
driver:
name: docker
platforms:
- name: centos-8-build
image: "centos:centos8"
pre_build_image: true
- name: fedora-rawhide-build
image: "fedora:rawhide"
dockerfile: Dockerfile
hostname: ipaserver.test.local
dns_servers:
- 8.8.8.8

View File

@@ -2,8 +2,8 @@
driver:
name: docker
platforms:
- name: centos-8
image: quay.io/ansible-freeipa/upstream-tests:centos-8
- name: fedora-rawhide
image: quay.io/ansible-freeipa/upstream-tests:fedora-rawhide
pre_build_image: true
hostname: ipaserver.test.local
dns_servers:

View File

@@ -0,0 +1,12 @@
---
- name: Playbook to change IPA domain netbios name
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Set IPA domain netbios name
ipaconfig:
ipaadmin_password: SomeADMINpassword
enable_sid: yes
netbios_name: IPADOM

View File

@@ -0,0 +1,12 @@
---
- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Enable SID and generate users and groups SIDS
ipaconfig:
ipaadmin_password: SomeADMINpassword
enable_sid: yes
add_sids: yes

View File

@@ -1,5 +1,5 @@
---
- name: Playbook to handle global DNS configuration
- name: Playbook to handle global IPA configuration
hosts: ipaserver
become: no
gather_facts: no

View File

@@ -1,5 +1,5 @@
---
- name: Playbook to handle global DNS configuration
- name: Playbook to handle global IPA configuration
hosts: ipaserver
become: no
gather_facts: no

View File

@@ -0,0 +1,8 @@
---
- name: Playbook to setup smartcard for IPA clients
hosts: ipaclients
become: true
roles:
- role: ipasmartcard_client
state: present

View File

@@ -0,0 +1,8 @@
---
- name: Playbook to setup smartcard for IPA replicas
hosts: ipareplicas
become: true
roles:
- role: ipasmartcard_server
state: present

View File

@@ -0,0 +1,8 @@
---
- name: Playbook to setup smartcard for IPA server
hosts: ipaserver
become: true
roles:
- role: ipasmartcard_server
state: present

View File

@@ -0,0 +1,8 @@
---
- name: Playbook to setup smartcard for IPA server and replicas
hosts: ipaserver, ipareplicas
become: true
roles:
- role: ipasmartcard_server
state: present

View File

@@ -28,8 +28,8 @@ __metaclass__ = type
__all__ = ["gssapi", "netaddr", "api", "ipalib_errors", "Env",
"DEFAULT_CONFIG", "LDAP_GENERALIZED_TIME_FORMAT",
"kinit_password", "kinit_keytab", "run", "DN", "VERSION",
"paths", "get_credentials_if_valid", "Encoding",
"load_pem_x509_certificate", "DNSName"]
"paths", "tasks", "get_credentials_if_valid", "Encoding",
"load_pem_x509_certificate", "DNSName", "getargspec"]
import sys
@@ -48,29 +48,32 @@ else:
import gssapi
from datetime import datetime
from contextlib import contextmanager
import inspect
# Import getargspec from inspect or provide own getargspec for
# Python 2 compatibility with Python 3.11+.
try:
from inspect import getargspec
except ImportError:
from collections import namedtuple
from inspect import getfullargspec
# The code is copied from Python 3.10 inspect.py
# Authors: Ka-Ping Yee <ping@lfw.org>
# Yury Selivanov <yselivanov@sprymix.com>
ArgSpec = namedtuple('ArgSpec', 'args varargs keywords defaults')
def getargspec(func):
args, varargs, varkw, defaults, kwonlyargs, _kwonlydefaults, \
ann = getfullargspec(func)
if kwonlyargs or ann:
raise ValueError(
"Function has keyword-only parameters or annotations"
", use inspect.signature() API which can support them")
return ArgSpec(args, varargs, varkw, defaults)
# ansible-freeipa requires locale to be C, IPA requires utf-8.
os.environ["LANGUAGE"] = "C"
try:
from packaging import version
except ImportError:
# If `packaging` not found, split version string for creating version
# object. Although it is not PEP 440 compliant, it will work for stable
# FreeIPA releases.
import re
class version: # pylint: disable=invalid-name, too-few-public-methods
@staticmethod
def parse(version_str):
"""
Split a version string A.B.C, into a tuple.
This will not work for `rc`, `dev` or similar version string.
"""
return tuple(re.split("[-_.]", version_str)) # noqa: W605
from ipalib import api
from ipalib import errors as ipalib_errors # noqa
from ipalib.config import Env
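Review bot: the fallback `getargspec` raises `ValueError` for any result handler that carries annotations or keyword-only arguments, so a handler written with type hints works on Python 3.10 and breaks only on 3.11+, where the fallback is used. The single call site below only needs `"errors" in argspec.args`, so the fallback can return `ArgSpec(args, varargs, varkw, defaults)` from `getfullargspec` unconditionally instead of re-raising the way the stdlib did; a short comment saying that the shim is intentionally more permissive than `inspect.getargspec` would make that clear.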
@@ -84,6 +87,7 @@ else:
from ipapython.dn import DN
from ipapython.version import VERSION
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
from ipalib.krb_utils import get_credentials_if_valid
from ipapython.dnsutil import DNSName
from ipapython import kerberos
@@ -139,6 +143,13 @@ else:
return fstore.has_files()
# Try to import dcerpc
try:
import ipaserver.dcerpc # pylint: disable=no-member
_dcerpc_bindings_installed = True # pylint: disable=invalid-name
except ImportError:
_dcerpc_bindings_installed = False # pylint: disable=invalid-name
if six.PY3:
unicode = str
@@ -221,6 +232,8 @@ else:
ldap_cache: Control use of LDAP cache layer. (bool)
"""
global _dcerpc_bindings_installed # pylint: disable=C0103,W0603
env = Env()
env._bootstrap()
env._finalize_core(**dict(DEFAULT_CONFIG))
@@ -252,6 +265,7 @@ else:
backend = api.Backend.ldap2
else:
backend = api.Backend.rpcclient
_dcerpc_bindings_installed = False
if not backend.isconnected():
backend.connect(ccache=os.environ.get('KRB5CCNAME', None))
@@ -289,8 +303,8 @@ else:
operation = oper_map.get(oper)
if not operation:
raise NotImplementedError("Invalid operator: %s" % oper)
return operation(version.parse(VERSION),
version.parse(requested_version))
return operation(tasks.parse_ipa_version(VERSION),
tasks.parse_ipa_version(requested_version))
def date_format(value):
accepted_date_formats = [
@@ -701,6 +715,42 @@ else:
print(jsonify(kwargs))
sys.exit(0)
def __get_domain_validator():
if not _dcerpc_bindings_installed:
raise ipalib_errors.NotFound(
reason=(
'Cannot perform SID validation without Samba 4 support '
'installed. Make sure you have installed server-trust-ad '
'sub-package of IPA on the server'
)
)
# pylint: disable=no-member
domain_validator = ipaserver.dcerpc.DomainValidator(api)
# pylint: enable=no-member
if not domain_validator.is_configured():
raise ipalib_errors.NotFound(
reason=(
'Cross-realm trusts are not configured. Make sure you '
'have run ipa-adtrust-install on the IPA server first'
)
)
return domain_validator
def get_trusted_domain_sid_from_name(dom_name):
"""
Given a trust domain name, returns the domain SID.
Returns unicode string representation for a given trusted domain name
or None if SID for the given trusted domain name could not be found.
"""
domain_validator = __get_domain_validator()
sid = domain_validator.get_sid_from_domain_name(dom_name)
return unicode(sid) if sid is not None else None
class IPAParamMapping(Mapping):
"""
Provides IPA API mapping to playbook parameters or computed values.
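Review bot: `__get_domain_validator` reports "Cannot perform SID validation without Samba 4 support installed" whenever `_dcerpc_bindings_installed` is False, but the connection code above also forces that flag to False when the backend is `api.Backend.rpcclient` (client context). A playbook that passes `dom_name` with the default context therefore gets a message about a missing server package instead of the real cause. Suggest keeping `_dcerpc_bindings_installed` as the import result only, recording the backend in a separate flag, and raising a distinct error such as "dom_name requires ipaapi_context: server" in that case, matching the wording added to README-idrange.md. Also worth a docstring note: `get_trusted_domain_sid_from_name` returns None for an unknown domain, so every caller has to check for that.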
@@ -799,7 +849,10 @@ else:
# Check if param_name is actually a param
if param_name in self.ansible_module.params:
value = self.ansible_module.params_get(param_name)
if isinstance(value, bool):
if (
self.ansible_module.ipa_check_version("<", "4.9.10")
and isinstance(value, bool)
):
value = "TRUE" if value else "FALSE"
# Since param wasn't a param check if it's a method name
@@ -1182,7 +1235,7 @@ else:
elif result_handler is not None:
if "errors" not in handlers_user_args:
# pylint: disable=deprecated-method
argspec = inspect.getargspec(result_handler)
argspec = getargspec(result_handler)
if "errors" in argspec.args:
handlers_user_args["errors"] = _errors

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipaautomember
short description: Add and delete FreeIPA Auto Membership Rules.
short_description: Add and delete FreeIPA Auto Membership Rules.
description: Add, modify and delete an IPA Auto Membership Rules.
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -148,6 +148,24 @@ options:
required: false
type: list
aliases: ["ipadomainresolutionorder"]
enable_sid:
description: >
New users and groups automatically get a SID assigned.
Requires IPA 4.9.8+.
required: false
type: bool
netbios_name:
description: >
NetBIOS name of the IPA domain.
Requires IPA 4.9.8+ and 'enable_sid: yes'.
required: false
type: string
add_sids:
description: >
Add SIDs for existing users and groups.
Requires IPA 4.9.8+ and 'enable_sid: yes'.
required: false
type: bool
'''
EXAMPLES = '''
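Review bot: `netbios_name` is documented as `type: string` while the argument_spec below declares `type="str"`; ansible-test's validate-modules compares documented types against the argument_spec, so use `str` here. The `add_sids` description should also say that the flag is forwarded to `config_mod` on every run and therefore always results in `changed: true`, since that is the one non-idempotent option in this module.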
@@ -169,6 +187,24 @@ EXAMPLES = '''
ipaadmin_password: SomeADMINpassword
defaultshell: /bin/bash
maxusername: 64
- name: Playbook to enable SID and generate users and groups SIDs
hosts: ipaserver
tasks:
- name: Enable SID and generate users and groups SIDS
ipaconfig:
ipaadmin_password: SomeADMINpassword
enable_sid: yes
add_sids: yes
- name: Playbook to change IPA domain netbios name
hosts: ipaserver
tasks:
- name: Enable SID and generate users and groups SIDS
ipaconfig:
ipaadmin_password: SomeADMINpassword
enable_sid: yes
netbios_name: IPADOM
'''
RETURN = '''
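Review bot: the task name in the second example, `- name: Enable SID and generate users and groups SIDS`, was copied from the first; it should read `Set IPA domain netbios name`, as in the playbook added under playbooks/config/ in this same change.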
@@ -247,6 +283,14 @@ config:
domain_resolution_order:
description: list of domains used for short name qualification
returned: always
enable_sid:
description: >
new users and groups automatically get a SID assigned.
Requires IPA 4.9.8+.
returned: always
netbios_name:
description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
returned: if enable_sid is True
'''
@@ -260,6 +304,28 @@ def config_show(module):
return _result["result"]
def get_netbios_name(module):
try:
_result = module.ipa_command_no_name("trustconfig_show", {"all": True})
except Exception: # pylint: disable=broad-except
return None
else:
return _result["result"]["ipantflatname"][0]
def is_enable_sid(module):
"""When 'enable-sid' is true admin user and admins group have SID set."""
_result = module.ipa_command("user_show", "admin", {"all": True})
sid = _result["result"].get("ipantsecurityidentifier", [""])
if not sid[0].endswith("-500"):
return False
_result = module.ipa_command("group_show", "admins", {"all": True})
sid = _result["result"].get("ipantsecurityidentifier", [""])
if not sid[0].endswith("-512"):
return False
return True
def main():
ansible_module = IPAAnsibleModule(
argument_spec=dict(
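Review bot: `get_netbios_name` catches every exception and returns None, so a failed `trustconfig_show` for any reason (adtrust not installed, permission denied, connection dropped) is indistinguishable from "no NetBIOS name configured", and with `netbios_name` set that silently turns into a `config_mod` call on every run because the comparison in `main` can never match. Catch only the IPA error you expect (`ipalib_errors.NotFound` from `ansible_freeipa_module`) and let the rest propagate. `is_enable_sid` infers the state from the `admin` user carrying RID 500 and the `admins` group RID 512; that is a sensible proxy, but it assumes both built-in objects keep their names and SIDs, so a comment stating that assumption belongs next to the docstring.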
@@ -313,7 +379,10 @@ def main():
aliases=["ipauserauthtype"]),
ca_renewal_master_server=dict(type="str", required=False),
domain_resolution_order=dict(type="list", required=False,
aliases=["ipadomainresolutionorder"])
aliases=["ipadomainresolutionorder"]),
enable_sid=dict(type="bool", required=False),
add_sids=dict(type="bool", required=False),
netbios_name=dict(type="str", required=False),
),
supports_check_mode=True,
)
@@ -344,7 +413,10 @@ def main():
"pac_type": "ipakrbauthzdata",
"user_auth_type": "ipauserauthtype",
"ca_renewal_master_server": "ca_renewal_master_server",
"domain_resolution_order": "ipadomainresolutionorder"
"domain_resolution_order": "ipadomainresolutionorder",
"enable_sid": "enable_sid",
"netbios_name": "netbios_name",
"add_sids": "add_sids",
}
allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
reverse_field_map = {v: k for k, v in field_map.items()}
@@ -394,11 +466,47 @@ def main():
changed = False
exit_args = {}
# Connect to IPA API
with ansible_module.ipa_connect():
# Connect to IPA API (enable-sid requires context == 'client')
with ansible_module.ipa_connect(context="client"):
has_enable_sid = ansible_module.ipa_command_param_exists(
"config_mod", "enable_sid")
result = config_show(ansible_module)
if params:
netbios_name = params.get("netbios_name")
if netbios_name:
netbios_name = netbios_name.upper()
add_sids = params.get("add_sids")
enable_sid = params.get("enable_sid")
required_sid = any([netbios_name, add_sids])
if required_sid and not enable_sid:
ansible_module.fail_json(
"'enable-sid: yes' required for 'netbios_name' "
"and 'add-sids'."
)
if enable_sid:
if not has_enable_sid:
ansible_module.fail_json(
"This version of IPA does not support 'enable-sid'.")
if (
netbios_name
and netbios_name == get_netbios_name(ansible_module)
):
del params["netbios_name"]
netbios_name = None
if not add_sids and "add_sids" in params:
del params["add_sids"]
if (
not any([netbios_name, add_sids])
and is_enable_sid(ansible_module)
):
del params["enable_sid"]
else:
for param in ["enable_sid", "netbios_name", "add_sids"]:
if param in params:
del params[params]
params = {
k: v for k, v in params.items()
if k not in result or result[k] != v
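Review bot: `del params[params]` in the `for param in ["enable_sid", "netbios_name", "add_sids"]` loop is a typo for `del params[param]` and raises `TypeError: unhashable type: 'dict'` as soon as the loop body runs, which is the case for `enable_sid: no` or `add_sids: no` (a false value reaches this branch because `required_sid` is computed with `any`). Two smaller points in the same block: the failure text `'enable-sid: yes' required for 'netbios_name' and 'add-sids'` spells the options with dashes while the module calls them `enable_sid` and `add_sids`; and `netbios_name.upper()` is used only for the comparison with `get_netbios_name`, the value sent to `config_mod` stays as typed in the playbook, so either write the upper-cased value back into `params["netbios_name"]` or state that IPA normalizes it. It is also worth documenting that `enable_sid: no` is silently dropped rather than rejected, since SIDs cannot be turned off once enabled.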
@@ -441,7 +549,11 @@ def main():
elif (
isinstance(value, (tuple, list)) and arg_type == "bool"
):
exit_args[k] = (value[0] == "TRUE")
# FreeIPA 4.9.10+ and 4.10 use proper mapping for
# boolean values, so we need to convert it to str
# for comparison.
# See: https://github.com/freeipa/freeipa/pull/6294
exit_args[k] = (str(value[0]).upper() == "TRUE")
else:
if arg_type not in type_map:
raise ValueError(
@@ -454,6 +566,10 @@ def main():
# Add empty domain_resolution_order if it is not set
if "domain_resolution_order" not in exit_args:
exit_args["domain_resolution_order"] = []
# Set enable_sid
if has_enable_sid:
exit_args["enable_sid"] = is_enable_sid(ansible_module)
exit_args["netbios_name"] = get_netbios_name(ansible_module)
# Done
ansible_module.exit_json(changed=changed, config=exit_args)
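Review bot: `exit_args["netbios_name"]` is set whenever `has_enable_sid` is true, independent of what `is_enable_sid` returned, while the RETURN block above documents it as returned "if enable_sid is True"; on a server without SIDs enabled the result carries `netbios_name: None`. Either gate the key on `exit_args["enable_sid"]` or align the RETURN documentation with this behaviour. Also, `is_enable_sid` costs a `user_show` plus a `group_show` each time and may already have been called in the comparison step above; storing its result once would avoid the extra round trips.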

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipadelegation
short description: Manage FreeIPA delegations
short_description: Manage FreeIPA delegations
description: Manage FreeIPA delegations and delegation attributes
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -33,7 +33,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipadnsconfig
short description: Manage FreeIPA dnsconfig
short_description: Manage FreeIPA dnsconfig
description: Manage FreeIPA dnsconfig
extends_documentation_fragment:
- ipamodule_base_docs
@@ -173,7 +173,10 @@ def gen_args(module, state, action, dnsconfig, forwarders, forward_policy,
_args['idnsforwardpolicy'] = forward_policy
if allow_sync_ptr is not None:
_args['idnsallowsyncptr'] = 'TRUE' if allow_sync_ptr else 'FALSE'
if module.ipa_check_version("<", "4.9.10"):
_args['idnsallowsyncptr'] = "TRUE" if allow_sync_ptr else "FALSE"
else:
_args['idnsallowsyncptr'] = allow_sync_ptr
return _args
@@ -199,7 +202,8 @@ def main():
choices=["member", "dnsconfig"]),
state=dict(type="str", default="present",
choices=["present", "absent"]),
)
),
supports_check_mode=True,
)
ansible_module._ansible_debug = True

View File

@@ -344,7 +344,13 @@ def main():
if state in ['enabled', 'disabled']:
if existing_resource is not None:
is_enabled = existing_resource["idnszoneactive"][0]
# FreeIPA 4.9.10+ and 4.10 use proper mapping for
# boolean values, so we need to convert it to str
# for comparison.
# See: https://github.com/freeipa/freeipa/pull/6294
is_enabled = (
str(existing_resource["idnszoneactive"][0]).upper()
)
else:
ansible_module.fail_json(
msg="dnsforwardzone '%s' not found." % (name))

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipadnsrecord
short description: Manage FreeIPA DNS records
short_description: Manage FreeIPA DNS records
description: Manage FreeIPA DNS records
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipadnszone
short description: Manage FreeIPA dnszone
short_description: Manage FreeIPA dnszone
description: Manage FreeIPA dnszone
extends_documentation_fragment:
- ipamodule_base_docs
@@ -418,7 +418,11 @@ class DNSZoneModule(IPAAnsibleModule):
is_zone_active = False
else:
zone = response["result"]
is_zone_active = "TRUE" in zone.get("idnszoneactive")
# FreeIPA 4.9.10+ and 4.10 use proper mapping for boolean vaalues.
# See: https://github.com/freeipa/freeipa/pull/6294
is_zone_active = (
str(zone.get("idnszoneactive")[0]).upper() == "TRUE"
)
return zone, is_zone_active
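Review bot: `zone.get("idnszoneactive")[0]` raises `TypeError` if the attribute is absent from the response, whereas the parallel change in ipahbacrule uses `res_find.get("ipaenabledflag", [False])[0]`; using the same `[False]` default here keeps the two helpers consistent and avoids an unhandled traceback. The new comment also has a typo: "vaalues".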

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipagroup
short description: Manage FreeIPA groups
short_description: Manage FreeIPA groups
description: Manage FreeIPA groups
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipahbacrule
short description: Manage FreeIPA HBAC rules
short_description: Manage FreeIPA HBAC rules
description: Manage FreeIPA HBAC rules
extends_documentation_fragment:
- ipamodule_base_docs
@@ -472,18 +472,26 @@ def main():
# hbacrule_enable is not failing on an enabled hbacrule
# Therefore it is needed to have a look at the ipaenabledflag
# in res_find.
if "ipaenabledflag" not in res_find or \
res_find["ipaenabledflag"][0] != "TRUE":
# FreeIPA 4.9.10+ and 4.10 use proper mapping for
# boolean values, so we need to convert it to str
# for comparison.
# See: https://github.com/freeipa/freeipa/pull/6294
enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
if enabled_flag.upper() != "TRUE":
commands.append([name, "hbacrule_enable", {}])
elif state == "disabled":
if res_find is None:
ansible_module.fail_json(msg="No hbacrule '%s'" % name)
# hbacrule_disable is not failing on an disabled hbacrule
# hbacrule_disable is not failing on an enabled hbacrule
# Therefore it is needed to have a look at the ipaenabledflag
# in res_find.
if "ipaenabledflag" not in res_find or \
res_find["ipaenabledflag"][0] != "FALSE":
# FreeIPA 4.9.10+ and 4.10 use proper mapping for
# boolean values, so we need to convert it to str
# for comparison.
# See: https://github.com/freeipa/freeipa/pull/6294
enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
if enabled_flag.upper() != "FALSE":
commands.append([name, "hbacrule_disable", {}])
else:
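Review bot: the comment rewrite to `# hbacrule_disable is not failing on an enabled hbacrule` inverts its meaning. The `ipaenabledflag` check exists because `hbacrule_disable` does not fail on an already disabled rule (the mirror of the `hbacrule_enable` comment a few lines up), so the original wording was right apart from the article; it should read "on a disabled hbacrule".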

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipahbacsvc
short description: Manage FreeIPA HBAC Services
short_description: Manage FreeIPA HBAC Services
description: Manage FreeIPA HBAC Services
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -33,7 +33,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipahbacsvcgroup
short description: Manage FreeIPA hbacsvcgroups
short_description: Manage FreeIPA hbacsvcgroups
description: Manage FreeIPA hbacsvcgroups
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipahost
short description: Manage FreeIPA hosts
short_description: Manage FreeIPA hosts
description: Manage FreeIPA hosts
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -33,7 +33,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipahostgroup
short description: Manage FreeIPA hostgroups
short_description: Manage FreeIPA hostgroups
description: Manage FreeIPA hostgroups
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipaidrange
short description: Manage FreeIPA idrange
short_description: Manage FreeIPA idrange
description: Manage FreeIPA idrange
extends_documentation_fragment:
- ipamodule_base_docs
@@ -74,7 +74,9 @@ options:
required: false
aliases: ["ipanttrusteddomainsid"]
dom_name:
description: Domain name of the trusted domain.
description: |
Domain name of the trusted domain. Can only be used when
`ipaapi_context: server`.
type: string
required: false
aliases: ["ipanttrusteddomainname"]
@@ -134,7 +136,7 @@ RETURN = """
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule, compare_args_ipa
IPAAnsibleModule, compare_args_ipa, get_trusted_domain_sid_from_name
from ansible.module_utils import six
if six.PY3:
@@ -154,7 +156,7 @@ def find_idrange(module, name):
def gen_args(
base_id, range_size, rid_base, secondary_rid_base, idrange_type, dom_sid,
auto_private_groups
dom_name, auto_private_groups
):
_args = {}
# Integer parameters are stored as strings.
@@ -169,6 +171,8 @@ def gen_args(
_args["ipasecondarybaserid"] = secondary_rid_base
if idrange_type is not None:
_args["iparangetype"] = idrange_type
if dom_name is not None:
dom_sid = get_trusted_domain_sid_from_name(dom_name)
if dom_sid is not None:
_args["ipanttrusteddomainsid"] = dom_sid
if auto_private_groups is not None:
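Review bot: when both `dom_sid` and `dom_name` are given, `dom_name` silently overwrites `dom_sid`, and when `get_trusted_domain_sid_from_name` returns None the SID is simply left out of `_args`, so IPA later rejects the idrange with an error that never mentions the failed lookup. Suggest declaring `dom_sid` and `dom_name` as `mutually_exclusive` in the argument_spec and failing explicitly in `main` (for example `ansible_module.fail_json(msg="Unknown trusted domain: %s" % dom_name)`) when the lookup returns None; that also turns the `ipaapi_context: server` requirement from the documentation into a clear error instead of a NotFound about Samba support.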
@@ -230,6 +234,7 @@ def main():
secondary_rid_base = ansible_module.params_get("secondary_rid_base")
idrange_type = ansible_module.params_get("idrange_type")
dom_sid = ansible_module.params_get("dom_sid")
dom_name = ansible_module.params_get("dom_name")
auto_private_groups = \
ansible_module.params_get_lowercase("auto_private_groups")
@@ -248,7 +253,10 @@ def main():
if state == "absent":
if len(names) < 1:
ansible_module.fail_json(msg="No name given.")
invalid = ["base_id", "range_size", "idrange_type", "dom_sid"]
invalid = [
"base_id", "range_size", "idrange_type", "dom_sid", "dom_name",
"rid_base", "secondary_rid_base", "auto_private_groups"
]
ansible_module.params_fail_used_invalid(invalid, state)
@@ -278,7 +286,7 @@ def main():
# Generate args
args = gen_args(
base_id, range_size, rid_base, secondary_rid_base,
idrange_type, dom_sid, auto_private_groups
idrange_type, dom_sid, dom_name, auto_private_groups
)
# Found the idrange

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipalocation
short description: Manage FreeIPA location
short_description: Manage FreeIPA location
description: Manage FreeIPA location
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipapermission
short description: Manage FreeIPA permission
short_description: Manage FreeIPA permission
description: Manage FreeIPA permission and permission members
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -35,7 +35,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipaprivilege
short description: Manage FreeIPA privilege
short_description: Manage FreeIPA privilege
description: Manage FreeIPA privilege and privilege members
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipapwpolicy
short description: Manage FreeIPA pwpolicies
short_description: Manage FreeIPA pwpolicies
description: Manage FreeIPA pwpolicies
options:
ipaadmin_principal:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: iparole
short description: Manage FreeIPA role
short_description: Manage FreeIPA role
description: Manage FreeIPA role
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipaselfservice
short description: Manage FreeIPA selfservices
short_description: Manage FreeIPA selfservices
description: Manage FreeIPA selfservices and selfservice attributes
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipaserver
short description: Manage FreeIPA server
short_description: Manage FreeIPA server
description: Manage FreeIPA server
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -33,7 +33,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipaservice
short description: Manage FreeIPA service
short_description: Manage FreeIPA service
description: Manage FreeIPA service
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipaservicedelegationrule
short description: Manage FreeIPA servicedelegationrule
short_description: Manage FreeIPA servicedelegationrule
description: |
Manage FreeIPA servicedelegationrule and servicedelegationrule members
extends_documentation_fragment:

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipaservicedelegationtarget
short description: Manage FreeIPA servicedelegationtarget
short_description: Manage FreeIPA servicedelegationtarget
description: |
Manage FreeIPA servicedelegationtarget and servicedelegationtarget members
extends_documentation_fragment:

View File

@@ -33,7 +33,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipasudocmd
short description: Manage FreeIPA sudo command
short_description: Manage FreeIPA sudo command
description: Manage FreeIPA sudo command
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -33,7 +33,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipasudocmdgroup
short description: Manage FreeIPA sudocmd groups
short_description: Manage FreeIPA sudocmd groups
description: Manage FreeIPA sudocmd groups
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipasudorule
short description: Manage FreeIPA sudo rules
short_description: Manage FreeIPA sudo rules
description: Manage FreeIPA sudo rules
extends_documentation_fragment:
- ipamodule_base_docs
@@ -162,19 +162,19 @@ EXAMPLES = """
hostgroup: cluster
action: member
# Ensure sudo rule for usercategory "all"
# Ensure sudo rule for usercategory "all" is enabled
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
usercategory: all
action: enabled
state: enabled
# Ensure sudo rule for hostcategory "all"
# Ensure sudo rule for hostcategory "all" is enabled
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allhosts
hostcategory: all
action: enabled
state: enabled
# Ensure Sudo Rule tesrule1 is absent
- ipasudorule:
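Review bot: replacing `action: enabled` with `state: enabled` in both examples is correct, since `enabled` is a `state` value, not an `action` value, and the old examples could not have run as written; the reworded comments ("is enabled") also make the intent explicit. While here, the unchanged context line `# Ensure Sudo Rule tesrule1 is absent` looks like a typo for `testrule1`.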
@@ -656,8 +656,12 @@ def main():
# sudorule_enable is not failing on an enabled sudorule
# Therefore it is needed to have a look at the ipaenabledflag
# in res_find.
if "ipaenabledflag" not in res_find or \
res_find["ipaenabledflag"][0] != "TRUE":
# FreeIPA 4.9.10+ and 4.10 use proper mapping for
# boolean values, so we need to convert it to str
# for comparison.
# See: https://github.com/freeipa/freeipa/pull/6294
enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
if enabled_flag.upper() != "TRUE":
commands.append([name, "sudorule_enable", {}])
elif state == "disabled":
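Review bot: `str(res_find.get("ipaenabledflag", [False])[0]).upper()` correctly normalises both the old string form `"TRUE"` and the boolean `True` returned by FreeIPA 4.9.10+/4.10, but the same four-line comment and conversion are duplicated in the `disabled` branch of the next hunk; a small helper such as `enabled_flag(res_find)` returning the upper-cased string would keep the two branches in sync. Note also that an entry whose `ipaenabledflag` is an empty list still raises `IndexError` on `[0]`, exactly as before the change.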
@@ -666,8 +670,12 @@ def main():
# sudorule_disable is not failing on an disabled sudorule
# Therefore it is needed to have a look at the ipaenabledflag
# in res_find.
if "ipaenabledflag" not in res_find or \
res_find["ipaenabledflag"][0] != "FALSE":
# FreeIPA 4.9.10+ and 4.10 use proper mapping for
# boolean values, so we need to convert it to str
# for comparison.
# See: https://github.com/freeipa/freeipa/pull/6294
enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
if enabled_flag.upper() != "FALSE":
commands.append([name, "sudorule_disable", {}])
else:

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipatopologysegment
short description: Manage FreeIPA topology segments
short_description: Manage FreeIPA topology segments
description: Manage FreeIPA topology segments
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipatopologysuffix
short description: Verify FreeIPA topology suffix
short_description: Verify FreeIPA topology suffix
description: Verify FreeIPA topology suffix
extends_documentation_fragment:
- ipamodule_base_docs

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipauser
short description: Manage FreeIPA users
short_description: Manage FreeIPA users
description: Manage FreeIPA users
extends_documentation_fragment:
- ipamodule_base_docs
@@ -47,11 +47,11 @@ options:
description: The user (internally uid).
required: true
first:
description: The first name
description: The first name. Required if user does not exist.
required: false
aliases: ["givenname"]
last:
description: The last name
description: The last name. Required if user doesnot exst.
required: false
aliases: ["sn"]
fullname:
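Review bot: the new description for `last` in this hunk has a typo, "Required if user doesnot exst."; it should read "Required if user does not exist.", as the `first` entry above it and the second hunk below already do.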
@@ -212,11 +212,11 @@ options:
type: bool
required: false
first:
description: The first name
description: The first name. Required if user does not exist.
required: false
aliases: ["givenname"]
last:
description: The last name
description: The last name. Required if user does not exist.
required: false
aliases: ["sn"]
fullname:

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipavault
short description: Manage vaults and secret vaults.
short_description: Manage vaults and secret vaults.
description: Manage vaults and secret vaults. KRA service must be enabled.
extends_documentation_fragment:
- ipamodule_base_docs
@@ -525,7 +525,7 @@ def check_encryption_params( # pylint: disable=unused-argument
if (
salt is not None
and not(
and not (
any([password, password_file])
and any([new_password, new_password_file])
)
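Review bot: inserting the space in `not (` is a pure style fix (pycodestyle E275, missing whitespace after keyword); the behaviour of `check_encryption_params` is unchanged.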

View File

@@ -1,5 +1,12 @@
-r requirements-tests.txt
ipdb
ipdb==0.13.4
pre-commit
flake8==4.0.1
flake8-bugbear
pylint==2.12.2
pylint==2.13.7
pydocstyle==6.0.0
yamllint==1.26.3
ansible-lint==5.3.2
dnspython==2.2.0
netaddr==0.8.0
gssapi==1.7.2
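Review bot: pinning ipdb, flake8, pydocstyle, yamllint, ansible-lint, dnspython, netaddr and gssapi to exact versions makes the lint environment reproducible, and the pylint bump to 2.13.7 belongs with it; `pre-commit` and `flake8-bugbear` are left unpinned, so a new bugbear release can still introduce fresh warnings in CI. Consider pinning those two as well, or noting why they are allowed to float.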

3
requirements-docker.yml Normal file
View File

@@ -0,0 +1,3 @@
---
collections:
- name: community.docker

3
requirements-podman.yml Normal file
View File

@@ -0,0 +1,3 @@
---
collections:
- name: containers.podman

View File

@@ -1,6 +1,7 @@
-r requirements.txt
pytest>=2.7
pytest-sourceorder>=0.5
pytest-split-tests>=1.0.3
pytest-split>=0.8.0
pytest-custom_exit_code>=0.3.0
pytest-testinfra>=5.0
pyyaml>=3
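Review bot: swapping `pytest-split-tests` for `pytest-split` changes which plugin provides test sharding, and the two plugins do not share command-line options; whatever CI or tox invocation passed the old plugin's options has to be updated in the same change, otherwise pytest will reject the unknown arguments.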

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipabackup_get_backup_dir
short description:
short_description:
Get IPA_BACKUP_DIR from ipaplatform
description:
Get IPA_BACKUP_DIR from ipaplatform

View File

@@ -26,6 +26,12 @@
fail: msg="ipabackup_from_controller and ipabackup_to_controller are set"
when: ipabackup_from_controller | bool and ipabackup_to_controller | bool
- name: Fail for given ipabackup_name if state is not copied, restored or absent
fail: msg="ipabackup_name is given and state is not copied, restored or absent"
when: state is not defined or
(state != "copied" and state != "restored" and state != "absent") and
ipabackup_name is defined
- name: Get ipabackup_dir from IPA installation
include_tasks: "{{ role_path }}/tasks/get_ipabackup_dir.yml"
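Review bot: moving the `ipabackup_name` check ahead of `get_ipabackup_dir.yml` and `backup.yml` is the right order, but the condition carried along keeps a precedence problem: in Jinja `and` binds tighter than `or`, so `state is not defined or (state != ...) and ipabackup_name is defined` is evaluated as `state is not defined or ((...) and ipabackup_name is defined)`, and the task fails whenever `state` is undefined even if no `ipabackup_name` was given, with a message claiming one was. Group the first two alternatives: `when: (state is not defined or (state != "copied" and state != "restored" and state != "absent")) and ipabackup_name is defined`.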
@@ -33,12 +39,6 @@
include_tasks: "{{ role_path }}/tasks/backup.yml"
when: state|default("present") == "present"
- name: Fail for given ipabackup_name if state is not copied, restored or absent
fail: msg="ipabackup_name is given and state is not copied, restored or absent"
when: state is not defined or
(state != "copied" and state != "restored" and state != "absent") and
ipabackup_name is defined
- name: Fail on missing ipabackup_name
fail: msg="ipabackup_name is not set"
when: (ipabackup_name is not defined or not ipabackup_name) and

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {'metadata_version': '1.0',
DOCUMENTATION = '''
---
module: ipaclient_api
short description:
short_description:
Create temporary NSS database, call IPA API for remaining enrollment parts
description:
Create temporary NSS database, call IPA API for remaining enrollment parts
@@ -75,7 +75,6 @@ subject_base:
'''
import os
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_client import (
@@ -83,7 +82,7 @@ from ansible.module_utils.ansible_ipa_client import (
paths, x509, NUM_VERSION, serialization, certdb, api,
delete_persistent_client_session_data, write_tmp_file,
ipa_generate_password, CalledProcessError, errors, disable_ra, DN,
CLIENT_INSTALL_ERROR, logger
CLIENT_INSTALL_ERROR, logger, getargspec
)
@@ -134,7 +133,7 @@ def main():
# Add CA certs to a temporary NSS database
try:
# pylint: disable=deprecated-method
argspec = inspect.getargspec(tmp_db.create_db)
argspec = getargspec(tmp_db.create_db)
# pylint: enable=deprecated-method
if "password_filename" not in argspec.args:
tmp_db.create_db()

View File

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {'metadata_version': '1.0',
DOCUMENTATION = '''
---
module: ipaclient_fix_ca
short description: Fix IPA ca certificate
short_description: Fix IPA ca certificate
description: Repair Fix IPA ca certificate
options:
servers:
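Review bot: the unchanged context line `description: Repair Fix IPA ca certificate` stacks two verbs; while this docstring is being edited anyway, "Fix IPA CA certificate", matching the new `short_description`, reads correctly.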

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_fstore
short description: Backup files using IPA client sysrestore
short_description: Backup files using IPA client sysrestore
description: Backup files using IPA client sysrestore
options:
backup:

View File

@@ -7,7 +7,7 @@ __metaclass__ = type
DOCUMENTATION = """
---
module: ipaclient_get_facts
short description: Get facts about IPA client and server configuration.
short_description: Get facts about IPA client and server configuration.
description: Get facts about IPA client and server configuration.
author:
- Thomas Woerner

View File

@@ -30,7 +30,7 @@ ANSIBLE_METADATA = {'metadata_version': '1.0',
DOCUMENTATION = '''
---
module: ipaclient_get_otp
short description: Manage IPA hosts
short_description: Manage IPA hosts
description:
Manage hosts in a IPA domain.
The operation needs to be authenticated with Kerberos either by providing

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_ipa_conf
short description: Configure ipa.conf
short_description: Configure ipa.conf
description:
Configure ipa.conf
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_join
short description:
short_description:
Join a machine to an IPA realm and get a keytab for the host service
principal
description:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_set_hostname
short description: Backup and set hostname
short_description: Backup and set hostname
description:
Backup and set hostname
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_setup_automount
short description: Setup automount for IPA client
short_description: Setup automount for IPA client
description:
Setup automount for IPA client
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_setup_firefox
short description: Setup firefox for IPA client
short_description: Setup firefox for IPA client
description:
Setup firefox for IPA client
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_setup_krb5
short description: Setup krb5 for IPA client
short_description: Setup krb5 for IPA client
description:
Setup krb5 for IPA client
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_setup_nis
short description: Setup NIS for IPA client
short_description: Setup NIS for IPA client
description:
Setup NIS for IPA client
options:
@@ -57,11 +57,10 @@ EXAMPLES = '''
RETURN = '''
'''
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_client import (
setup_logging, options, sysrestore, paths, configure_nisdomain
setup_logging, options, sysrestore, paths, configure_nisdomain,
getargspec
)
@@ -83,7 +82,7 @@ def main():
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
# pylint: disable=deprecated-method
argspec = inspect.getargspec(configure_nisdomain)
argspec = getargspec(configure_nisdomain)
# pylint: enable=deprecated-method
if "statestore" not in argspec.args:
# NUM_VERSION < 40500:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_setup_nss
short description: Create IPA client NSS database
short_description: Create IPA client NSS database
description: Create IPA NSS database
options:
servers:
@@ -141,7 +141,6 @@ RETURN = '''
import os
import time
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_client import (
@@ -151,7 +150,7 @@ from ansible.module_utils.ansible_ipa_client import (
get_certs_from_ldap, DN, certstore, x509, logger, certdb,
CalledProcessError, tasks, client_dns, configure_certmonger, services,
update_ssh_keys, save_state, configure_ldap_conf, configure_nslcd_conf,
configure_openldap_conf, hardcode_ldap_server
configure_openldap_conf, hardcode_ldap_server, getargspec
)
@@ -323,7 +322,7 @@ def main():
pass
# pylint: disable=deprecated-method
argspec_save_state = inspect.getargspec(save_state)
argspec_save_state = getargspec(save_state)
# Name Server Caching Daemon. Disable for SSSD, use otherwise
# (if installed)
@@ -387,7 +386,7 @@ def main():
if not options.no_ac:
# Modify nsswitch/pam stack
# pylint: disable=deprecated-method
argspec = inspect.getargspec(tasks.modify_nsswitch_pam_stack)
argspec = getargspec(tasks.modify_nsswitch_pam_stack)
if "sudo" in argspec.args:
tasks.modify_nsswitch_pam_stack(
sssd=options.sssd,

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_setup_ntp
short description: Setup NTP for IPA client
short_description: Setup NTP for IPA client
description:
Setup NTP for IPA client
options:
@@ -66,13 +66,11 @@ EXAMPLES = '''
RETURN = '''
'''
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_client import (
setup_logging,
options, sysrestore, paths, sync_time, logger, ipadiscovery,
timeconf
timeconf, getargspec
)
@@ -114,7 +112,7 @@ def main():
if options.conf_ntp:
# Attempt to configure and sync time with NTP server (chrony).
# pylint: disable=deprecated-method
argspec = inspect.getargspec(sync_time)
argspec = getargspec(sync_time)
# pylint: enable=deprecated-method
if "options" not in argspec.args:
synced_ntp = sync_time(options.ntp_servers, options.ntp_pool,

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_setup_ssh
short description: Configure ssh and sshd for IPA client
short_description: Configure ssh and sshd for IPA client
description:
Configure ssh and sshd for IPA client
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_setup_ssd
short description: Setup sssd for IPA client
short_description: Setup sssd for IPA client
description:
Setup sssd for IPA client
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_test
short description: Tries to discover IPA server
short_description: Tries to discover IPA server
description:
Tries to discover IPA server using DNS or host name
options:
@@ -197,7 +197,6 @@ nosssd_files:
import os
import socket
import inspect
try:
from ansible.module_utils.six.moves.configparser import RawConfigParser
@@ -212,7 +211,7 @@ from ansible.module_utils.ansible_ipa_client import (
CLIENT_INSTALL_ERROR, tasks, check_ldap_conf, timeconf, constants,
validate_hostname, nssldap_exists, gssapi, remove_file,
check_ip_addresses, ipadiscovery, print_port_conf_info,
IPA_PYTHON_VERSION
IPA_PYTHON_VERSION, getargspec
)
@@ -344,7 +343,7 @@ def main():
if options.realm_name:
# pylint: disable=deprecated-method
argspec = inspect.getargspec(validate_domain_name)
argspec = getargspec(validate_domain_name)
if "entity" in argspec.args:
# NUM_VERSION >= 40690:
validate_domain_name(options.realm_name, entity="realm")
@@ -881,7 +880,6 @@ def main():
is_ipaddr = False
if is_ipaddr:
logger.info()
logger.warning(
"It seems that you are using an IP address "
"instead of FQDN as an argument to --server. The "
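Review bot: removing the bare `logger.info()` is a real fix, not cleanup: `Logger.info` requires a message argument, so this line raised `TypeError` on the exact path it was meant to log (an IP address given as `--server`), masking the warning that follows it.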

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaclient_test_keytab
short description:
short_description:
Test if the krb5.keytab on the machine is valid and can be used.
description:
Test if the krb5.keytab on the machine is valid and can be used.

View File

@@ -46,7 +46,7 @@ __all__ = ["gssapi", "version", "ipadiscovery", "api", "errors", "x509",
"configure_nslcd_conf", "configure_ssh_config",
"configure_sshd_config", "configure_automount",
"configure_firefox", "sync_time", "check_ldap_conf",
"sssd_enable_ifp"]
"sssd_enable_ifp", "getargspec"]
import sys
@@ -110,10 +110,31 @@ else:
# IPA version >= 4.4
# import sys
import inspect
import gssapi
import logging
# Import getargspec from inspect or provide own getargspec for
# Python 2 compatibility with Python 3.11+.
try:
from inspect import getargspec
except ImportError:
from collections import namedtuple
from inspect import getfullargspec
# The code is copied from Python 3.10 inspect.py
# Authors: Ka-Ping Yee <ping@lfw.org>
# Yury Selivanov <yselivanov@sprymix.com>
ArgSpec = namedtuple('ArgSpec', 'args varargs keywords defaults')
def getargspec(func):
args, varargs, varkw, defaults, kwonlyargs, _kwonlydefaults, \
ann = getfullargspec(func)
if kwonlyargs or ann:
raise ValueError(
"Function has keyword-only parameters or annotations"
", use inspect.signature() API which can support them")
return ArgSpec(args, varargs, varkw, defaults)
from ipapython import version
try:
from ipaclient.install import ipadiscovery
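Review bot: the `getargspec` shim reproduces the 3.10 behaviour, including raising `ValueError` when the inspected function has keyword-only parameters or annotations. Every call site in this change uses it only to probe `argspec.args` or `argspec.keywords`, and the IPA installer functions being probed are outside this project's control, so a future annotation on, say, `configure_krb5_conf` would turn a feature probe into a crash; returning `ArgSpec(args, varargs, varkw, defaults)` unconditionally, or catching `ValueError` at the probes, would be safer. The identical shim is copied again into `ansible_ipa_replica` further down; a shared module_utils helper would avoid maintaining it twice.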
@@ -200,7 +221,7 @@ else:
sys.path.remove(temp_dir)
# pylint: disable=deprecated-method
argspec = inspect.getargspec(
argspec = getargspec(
ipa_client_install.configure_krb5_conf)
if argspec.keywords is None:
def configure_krb5_conf(
@@ -240,7 +261,7 @@ else:
create_ipa_nssdb = certdb.create_ipa_nssdb
argspec = \
inspect.getargspec(ipa_client_install.configure_nisdomain)
getargspec(ipa_client_install.configure_nisdomain)
if len(argspec.args) == 3:
configure_nisdomain = ipa_client_install.configure_nisdomain
else:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_add_to_ipaservers
short description: Add to ipaservers
short_description: Add to ipaservers
description:
Add to ipaservers
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_create_ipa_conf
short description: Create ipa.conf
short_description: Create ipa.conf
description:
Create ipa.conf
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_custodia_import_dm_password
short description: Import dm password into custodia
short_description: Import dm password into custodia
description:
Import dm password into custodia
options:
@@ -96,13 +96,13 @@ RETURN = '''
'''
import os
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_replica import (
AnsibleModuleLog, setup_logging, installer, DN, paths,
gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
gen_ReplicaConfig, gen_remote_api, redirect_stdout, custodiainstance
gen_ReplicaConfig, gen_remote_api, redirect_stdout, custodiainstance,
getargspec
)
@@ -200,7 +200,7 @@ def main():
ansible_log.debug("-- CUSTODIA IMPORT DM PASSWORD --")
# pylint: disable=deprecated-method
argspec = inspect.getargspec(custodia.import_dm_password)
argspec = getargspec(custodia.import_dm_password)
# pylint: enable=deprecated-method
if "master_host_name" in argspec.args:
custodia.import_dm_password(config.master_host_name)

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_ds_apply_updates
short description: DS apply updates
short_description: DS apply updates
description:
DS apply updates
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_ds_enable_ssl
short description: DS enable SSL
short_description: DS enable SSL
description:
DS enable SSL
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_enable_ipa
short description: Enable IPA
short_description: Enable IPA
description: Enable IPA
Enable IPA
options:
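Review bot: the context lines `description: Enable IPA` followed by a bare `Enable IPA` form one folded plain scalar, so ansible-doc renders the description as "Enable IPA Enable IPA"; since this docstring is being touched, drop the duplicate line.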

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_install_ca_cert
short description: Install CA certs
short_description: Install CA certs
description:
Install CA certs
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_krb_enable_ssl
short description: KRB enable SSL
short_description: KRB enable SSL
description:
KRB enable SSL
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_master_password
short description: Generate kerberos master password if not given
short_description: Generate kerberos master password if not given
description:
Generate kerberos master password if not given
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_prepare
short description: Prepare ipa replica installation
short_description: Prepare ipa replica installation
description: |
Prepare ipa replica installation: Create IPA configuration file, run install
checks again and also update the host name and the hosts file if needed.
@@ -182,6 +182,9 @@ options:
skip_conncheck:
description: Skip connection check to remote master
required: yes
sid_generation_always:
description: Enable SID generation always
required: yes
author:
- Thomas Woerner
'''
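Review bot: `sid_generation_always` is documented here as `required: yes`, but the argument_spec in the next hunk declares it `required=False` with `default=False`; the doc entry should say `required: no` so ansible-doc does not advertise a mandatory parameter the module does not enforce.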
@@ -275,6 +278,8 @@ def main():
# additional
server=dict(required=True),
skip_conncheck=dict(required=False, type='bool'),
sid_generation_always=dict(required=False, type='bool',
default=False),
),
supports_check_mode=True,
)
@@ -350,6 +355,13 @@ def main():
# '_hostname_overridden')
options.server = ansible_module.params.get('server')
options.skip_conncheck = ansible_module.params.get('skip_conncheck')
sid_generation_always = ansible_module.params.get('sid_generation_always')
# random serial numbers are master_only, therefore setting to False
options.random_serial_numbers = False
# options._random_serial_numbers is generated by ca.install_check and
# later used by ca.install in the _setup_ca module.
options._random_serial_numbers = False
# init #
@@ -755,7 +767,7 @@ def main():
ansible_log.debug("-- CHECK ADTRUST --")
if options.setup_adtrust:
if options.setup_adtrust or sid_generation_always:
adtrust.install_check(False, options, remote_api)
except errors.ACIError:
@@ -838,6 +850,7 @@ def main():
_http_ca_cert=http_ca_cert,
_pkinit_pkcs12_info=pkinit_pkcs12_info,
_pkinit_ca_cert=pkinit_ca_cert,
_random_serial_numbers=options._random_serial_numbers,
no_dnssec_validation=options.no_dnssec_validation,
config_setup_ca=config.setup_ca,
config_master_host_name=config.master_host_name,

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_promote_openldap_conf
short description: Promote openldap.conf
short_description: Promote openldap.conf
description:
Promote openldap.conf
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_promote_sssd
short description: Promote sssd
short_description: Promote sssd
description:
Promote sssd
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_restart_kdc
short description: Restart KDC
short_description: Restart KDC
description:
Restart KDC
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_adtrust
short description: Setup adtrust
short_description: Setup adtrust
description:
Setup adtrust
options:
@@ -71,6 +71,9 @@ options:
setup_ca:
description: Configure a dogtag CA
required: no
setup_adtrust:
description: Configure AD trust capability
required: yes
config_master_host_name:
description: The config master_host_name setting
required: no
@@ -112,6 +115,7 @@ def main():
ccache=dict(required=True),
_top_dir=dict(required=True),
setup_ca=dict(required=True, type='bool'),
setup_adtrust=dict(required=True, type='bool'),
config_master_host_name=dict(required=True),
),
supports_check_mode=True,
@@ -140,6 +144,7 @@ def main():
os.environ['KRB5CCNAME'] = ccache
options._top_dir = ansible_module.params.get('_top_dir')
options.setup_ca = ansible_module.params.get('setup_ca')
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
config_master_host_name = ansible_module.params.get(
'config_master_host_name')
adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_ca
short description: Setup CA
short_description: Setup CA
description:
Setup CA
options:
@@ -85,6 +85,9 @@ options:
_subject_base:
description: The installer _subject_base setting
required: no
_random_serial_numbers:
description: The installer _random_serial_numbers setting
required: yes
dirman_password:
description: Directory Manager (master) password
required: no
@@ -144,6 +147,7 @@ def main():
_top_dir=dict(required=True),
_ca_subject=dict(required=True),
_subject_base=dict(required=True),
_random_serial_numbers=dict(required=True, type='bool'),
dirman_password=dict(required=True, no_log=True),
config_setup_ca=dict(required=True, type='bool'),
config_master_host_name=dict(required=True),
@@ -190,6 +194,8 @@ def main():
options._subject_base = ansible_module.params.get('_subject_base')
if options._subject_base is not None:
options._subject_base = DN(options._subject_base)
options._random_serial_numbers = ansible_module.params.get(
'_random_serial_numbers')
dirman_password = ansible_module.params.get('dirman_password')
config_setup_ca = ansible_module.params.get('config_setup_ca')
config_master_host_name = ansible_module.params.get(

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_certmonger
short description: Setup certmonger
short_description: Setup certmonger
description:
Setup certmonger
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_custodia
short description: Setup custodia
short_description: Setup custodia
description:
Setup custodia
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_dns
short description: Setup DNS
short_description: Setup DNS
description:
Setup DNS
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_ds
short description: Setup DS
short_description: Setup DS
description:
Setup DS
options:
@@ -149,7 +149,6 @@ RETURN = '''
'''
import os
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_replica import (
@@ -157,7 +156,8 @@ from ansible.module_utils.ansible_ipa_replica import (
ansible_module_get_parsed_ip_addresses,
gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
gen_ReplicaConfig, gen_remote_api, redirect_stdout, ipaldap,
install_replica_ds, install_dns_records, ntpinstance, ScriptError
install_replica_ds, install_dns_records, ntpinstance, ScriptError,
getargspec
)
@@ -317,7 +317,7 @@ def main():
# Configure dirsrv
with redirect_stdout(ansible_log):
# pylint: disable=deprecated-method
argspec = inspect.getargspec(install_replica_ds)
argspec = getargspec(install_replica_ds)
# pylint: enable=deprecated-method
if "promote" in argspec.args:
ds = install_replica_ds(config, options, ca_enabled,
@@ -343,7 +343,7 @@ def main():
# pylint: enable=deprecated-method
# Always try to install DNS records
# pylint: disable=deprecated-method
argspec = inspect.getargspec(install_dns_records)
argspec = getargspec(install_dns_records)
# pylint: enable=deprecated-method
if "fstore" not in argspec.args:
install_dns_records(config, options, remote_api)

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_http
short description: Setup HTTP
short_description: Setup HTTP
description:
Setup HTTP
options:
@@ -90,14 +90,13 @@ RETURN = '''
'''
import os
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_replica import (
AnsibleModuleLog, setup_logging, installer, DN, paths, sysrestore,
gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, create_ipa_conf,
install_http
install_http, getargspec
)
@@ -203,7 +202,7 @@ def main():
master=config.master_host_name)
# pylint: disable=deprecated-method
argspec = inspect.getargspec(install_http)
argspec = getargspec(install_http)
# pylint: enable=deprecated-method
if "promote" in argspec.args:
install_http(

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_kra
short description: Setup KRA
short_description: Setup KRA
description:
Setup KRA
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_krb
short description: Setup KRB
short_description: Setup KRB
description:
Setup KRB
options:
@@ -78,13 +78,12 @@ RETURN = '''
'''
import os
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_replica import (
AnsibleModuleLog, setup_logging, installer, DN, paths, sysrestore,
gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
gen_ReplicaConfig, api, redirect_stdout, install_krb
gen_ReplicaConfig, api, redirect_stdout, install_krb, getargspec
)
@@ -162,7 +161,7 @@ def main():
with redirect_stdout(ansible_log):
# pylint: disable=deprecated-method
argspec = inspect.getargspec(install_krb)
argspec = getargspec(install_krb)
# pylint: enable=deprecated-method
if "promote" in argspec.args:
install_krb(

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_setup_otpd
short description: Setup OTPD
short_description: Setup OTPD
description:
Setup OTPD
options:

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipareplica_test
short description: IPA replica deployment tests
short_description: IPA replica deployment tests
description: IPA replica deployment tests
options:
ip_addresses:
@@ -136,7 +136,6 @@ RETURN = '''
'''
import os
import inspect
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_replica import (
@@ -144,7 +143,7 @@ from ansible.module_utils.ansible_ipa_replica import (
ansible_module_get_parsed_ip_addresses, service,
redirect_stdout, create_ipa_conf, ipautil,
x509, validate_domain_name, common_check,
IPA_PYTHON_VERSION
IPA_PYTHON_VERSION, getargspec, adtrustinstance
)
@@ -271,6 +270,14 @@ def main():
# # options.setup_adtrust = False
# # ansible_module.warn(msg="adtrust is not supported, disabling")
sid_generation_always = False
if not options.setup_adtrust:
# pylint: disable=deprecated-method
argspec = getargspec(adtrustinstance.ADTRUSTInstance.__init__)
# pylint: enable=deprecated-method
if "fulltrust" in argspec.args:
sid_generation_always = True
# if options.setup_kra and not kra_imported:
# # if "kra" not in options._allow_missing:
# ansible_module.fail_json(msg="kra can not be imported")
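Review bot: the feature probe `if "fulltrust" in argspec.args:` deserves a comment explaining why ADTRUSTInstance growing a `fulltrust` parameter implies that SIDs are generated unconditionally; as written a reader has to know the adtrust history of FreeIPA to see why `sid_generation_always = True` follows. It is also worth stating that the probe only runs under `if not options.setup_adtrust:`, so `sid_generation_always` is deliberately left False whenever adtrust itself is being set up.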
@@ -287,7 +294,7 @@ def main():
# create_ipa_conf has the additional master argument.
change_master_for_certmonger = False
# pylint: disable=deprecated-method
argspec = inspect.getargspec(create_ipa_conf)
argspec = getargspec(create_ipa_conf)
# pylint: enable=deprecated-method
if "master" in argspec.args:
change_master_for_certmonger = True
@@ -421,7 +428,7 @@ def main():
try:
with redirect_stdout(ansible_log):
# pylint: disable=deprecated-method
argspec = inspect.getargspec(common_check)
argspec = getargspec(common_check)
# pylint: enable=deprecated-method
if "skip_mem_check" in argspec.args:
common_check(options.no_ntp, options.skip_mem_check,
@@ -472,6 +479,7 @@ def main():
# additional
client_enrolled=client_enrolled,
change_master_for_certmonger=change_master_for_certmonger,
sid_generation_always=sid_generation_always
)
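Review bot: `sid_generation_always=sid_generation_always` adds a new key to the module result, but no hunk in this diff touches the `RETURN` block of ipareplica_test, so the key is undocumented; add an entry next to `client_enrolled` and `change_master_for_certmonger` so playbook authors reading `result_ipareplica_test.sid_generation_always` can find it.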


@@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
"common_check", "current_domain_level",
"check_domain_level_is_supported", "promotion_check_ipa_domain",
"SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
"dnsname", "kernel_keyring", "krbinstance"]
"dnsname", "kernel_keyring", "krbinstance", "getargspec",
"adtrustinstance"]
import sys
@@ -59,6 +60,28 @@ else:
import logging
from contextlib import contextmanager as contextlib_contextmanager
# Import getargspec from inspect or provide own getargspec for
# Python 2 compatibility with Python 3.11+.
try:
from inspect import getargspec
except ImportError:
from collections import namedtuple
from inspect import getfullargspec
# The code is copied from Python 3.10 inspect.py
# Authors: Ka-Ping Yee <ping@lfw.org>
# Yury Selivanov <yselivanov@sprymix.com>
ArgSpec = namedtuple('ArgSpec', 'args varargs keywords defaults')
def getargspec(func):
args, varargs, varkw, defaults, kwonlyargs, _kwonlydefaults, \
ann = getfullargspec(func)
if kwonlyargs or ann:
raise ValueError(
"Function has keyword-only parameters or annotations"
", use inspect.signature() API which can support them")
return ArgSpec(args, varargs, varkw, defaults)
from ipapython.version import NUM_VERSION, VERSION
if NUM_VERSION < 30201:
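Review bot: the comment `# Python 2 compatibility with Python 3.11+.` reads backwards; the shim exists because `inspect.getargspec` was removed in Python 3.11, while the `try` branch keeps the Python 2 path working, so say that. Second, every caller in this diff only reads `argspec.args`, yet the copied fallback raises `ValueError` as soon as the probed function has keyword-only parameters or annotations; if a future ipaserver release annotates `install_krb`, `create_ipa_conf` or `ADTRUSTInstance.__init__`, the replica roles would fail at the probe instead of degrading gracefully. Returning the `args` of `getfullargspec(func)` without the ValueError, or catching it at the call sites, would be more robust.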
@@ -105,6 +128,7 @@ else:
adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance,
otpdinstance, custodiainstance, service, upgradeinstance)
from ipaserver.install import adtrustinstance
try:
from ipaserver.masters import (
find_providing_servers, find_providing_server)
@@ -198,6 +222,10 @@ else:
def info(self, msg):
self.module.debug(msg)
@staticmethod
def isatty():
return False
def write(self, msg):
self.module.debug(msg)
# self.module.warn(msg)
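Review bot: the new `isatty()` staticmethod returning False needs a one-line comment naming the consumer that calls it; presumably something in the installer checks `sys.stdout.isatty()` while output is redirected into the AnsibleModuleLog, and without that note the method looks unused and is easy to remove by mistake.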


@@ -116,8 +116,6 @@
ipaclient_realm: "{{ result_ipareplica_test.realm | default(omit) }}"
ipaclient_servers: "{{ ipareplica_servers | default(omit) }}"
ipaclient_hostname: "{{ result_ipareplica_test.hostname }}"
ipaclient_no_ntp: "{{ result_ipareplica_test.ipa_python_version
< 40690 }}"
ipaclient_install_packages: "{{ ipareplica_install_packages }}"
when: not result_ipareplica_test.client_enrolled
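Review bot: removing `ipaclient_no_ntp: "{{ result_ipareplica_test.ipa_python_version < 40690 }}"` changes behaviour for replicas enrolled against older IPA versions, since the ipaclient role's own default now decides whether NTP is configured during enrollment. Nothing in the visible hunks explains why the version gate is no longer needed; a sentence in the commit message or a comment at this task would help.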
@@ -201,6 +199,7 @@
### additional ###
server: "{{ result_ipareplica_test.server }}"
skip_conncheck: "{{ ipareplica_skip_conncheck }}"
sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
register: result_ipareplica_prepare
- name: Install - Add to ipaservers
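Review bot: the new `sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"` argument requires ipareplica_prepare to declare it in its argument_spec, and that module is among the files not shown in this diff; without the declaration Ansible rejects the task with an unsupported-parameter error, so please confirm the module side was changed together with this use.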
@@ -557,6 +556,7 @@
_subject_base: "{{ result_ipareplica_prepare._subject_base }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
_random_serial_numbers: "{{ result_ipareplica_prepare._random_serial_numbers }}"
dirman_password: "{{ ipareplica_dirman_password }}"
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
config_master_host_name:
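Review bot: `_random_serial_numbers: "{{ result_ipareplica_prepare._random_serial_numbers }}"` is a separate concern from the SID and getargspec changes in this diff, and the module receiving it is not shown; like the other `result_ipareplica_prepare._*` passthroughs it needs a matching argument_spec entry, and it would be easier to review as its own commit.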
@@ -748,13 +748,15 @@
ccache: "{{ result_ipareplica_prepare.ccache }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
config_master_host_name:
"{{ result_ipareplica_prepare.config_master_host_name }}"
adtrust_netbios_name:
"{{ result_ipareplica_prepare.adtrust_netbios_name }}"
adtrust_reset_netbios_name:
"{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
when: result_ipareplica_test.setup_adtrust
when: result_ipareplica_test.setup_adtrust or
result_ipareplica_test.sid_generation_always
- name: Install - Enable IPA
ipareplica_enable_ipa:
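Review bot: with the condition widened to `result_ipareplica_test.setup_adtrust or result_ipareplica_test.sid_generation_always`, the adtrust setup task now also runs with `setup_adtrust` false; the module must handle that combination by doing only SID generation, otherwise a plain replica would receive a full trust setup. The two-line `when:` relies on YAML plain-scalar folding, which works, but a `>` folded block or a list of conditions would make the intent clearer.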

Some files were not shown because too many files have changed in this diff.