--- - name: Test permission hosts: "{{ ipa_test_host | default('ipaserver') }}" become: true tasks: - name: Include task ../env_freeipa_facts.yml ansible.builtin.include_tasks: ../env_freeipa_facts.yml - name: Ensure testing groups are present. ipagroup: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: "{{ item }}" state: present with_items: - rbacgroup1 - rbacgroup2 # CLEANUP TEST ITEMS - name: Ensure permission perm-test-1 is absent ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: - perm-test-1 - perm-test-bindtype-test - perm-test-renamed state: absent # TESTS - name: Ensure permission perm-test-1 is present ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 object_type: host memberof: rbacgroup1 filter: '(cn=*.ipa.*)' right: all register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 is present again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 object_type: host memberof: rbacgroup1 filter: '(cn=*.ipa.*)' right: all register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-1 has an extra filter '(cn=*.internal.*)' ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 filter: '(cn=*.internal.*)' action: member register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 has an extra filter '(cn=*.internal.*)', again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 filter: '(cn=*.internal.*)' action: member register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-1 `right` has `write` ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 right: write action: member register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 `right` has `write`, again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 right: write action: member register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-1 `right` has no `write` ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 right: write action: member state: absent register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 `right` has no `write`, again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 right: write action: member state: absent register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-1 `memberof` has `rbackgroup2` ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 memberof: rbacgroup2 action: member register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 `memberof` has `rbackgroup2`, again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 memberof: rbacgroup2 action: member register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-1 `memberof` item `rbackgroup1` is absent ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 memberof: rbacgroup1 action: member state: absent register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 `memberof` item `rbackgroup1` is absent, again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 memberof: rbacgroup1 action: member state: absent register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-1 is present with attr carlicense ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 attrs: - carlicense register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 is present with attr carlicense again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 attrs: - carlicense register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-1 is present with attr carlicense and displayname ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 attrs: - carlicense - displayname register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 is present with attr carlicense and displayname again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 attrs: - carlicense - displayname register: result failed_when: result.changed or result.failed - name: Ensure attr gecos is present in permission perm-test-1 ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 attrs: - gecos action: member register: result failed_when: not result.changed or result.failed - name: Ensure attr gecos is present in permission perm-test-1 again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 attrs: - gecos action: member register: result failed_when: result.changed or result.failed - name: Ensure attr gecos is absent in permission perm-test-1 ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 attrs: - gecos action: member state: absent register: result failed_when: not result.changed or result.failed - name: Ensure attr gecos is absent in permission perm-test-1 again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 attrs: - gecos action: member state: absent register: result failed_when: result.changed or result.failed - name: Ensure attributes carlicense and displayname are present in permission "System{{ ':' }} Update DNS Entries" ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: "System: Update DNS Entries" attrs: - carlicense - displayname action: member register: result failed_when: not result.changed or result.failed - name: Ensure attributes carlicense and displayname are present in permission "System{{ ':' }} Update DNS Entries" again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: "System: Update DNS Entries" attrs: - carlicense - displayname action: member register: result failed_when: result.changed or result.failed - name: Ensure attributes carlicense and displayname are present in permission "System{{ ':' }} Update DNS Entries" ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: "System: Update DNS Entries" attrs: - carlicense - displayname action: member state: absent register: result failed_when: not result.changed or result.failed - name: Ensure attributes carlicense and displayname are present in permission "System{{ ':' }} Update DNS Entries" again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: "System: Update DNS Entries" attrs: - carlicense - displayname action: member state: absent register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-1 has rawfilter '(objectclass=ipagroup)' ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 rawfilter: '(objectclass=ipagroup)' action: member register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 has rawfilter '(objectclass=ipagroup)', again ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 rawfilter: '(objectclass=ipagroup)' action: member register: result failed_when: result.changed or result.failed - name: Ensure filter and rawfilter cannot be used together. ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 rawfilter: '(objectclass=ipagroup)' filter: '(cn=*.internal.*)' action: member register: result failed_when: not result.failed or "Cannot specify target filter and extra target filter simultaneously" not in result.msg - name: Rename permission perm-test-1 to perm-test-renamed ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 rename: perm-test-renamed state: renamed register: result failed_when: not result.changed or result.failed - name: Ensure permission perm-test-1 is absent ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-1 state: absent register: result failed_when: result.changed or result.failed - name: Ensure permission perm-test-renamed is present ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-renamed object_type: host right: all register: result failed_when: result.changed or result.failed - name: Ensure permission with bindtype 'self' is present, if IPA version >= 4.8.7 ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-bindtype-test bindtype: self object_type: host right: all when: ipa_version is version('4.8.7', '>=') register: result failed_when: not result.changed or result.failed - name: Fail to set permission perm-test-renamed bindtype to 'self', if IPA version < 4.8.7 ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: perm-test-bindtype-test bindtype: self object_type: host right: all when: ipa_version is version('4.8.7', '<') register: result failed_when: not result.failed or "Bindtype 'self' is not supported by your IPA version." not in result.msg # CLEANUP TEST ITEMS - name: Ensure testing permissions are absent ipapermission: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: - perm-test-1 - perm-test-bindtype-test - perm-test-renamed state: absent - name: Ensure testing groups are absent. ipagroup: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: "{{ item }}" state: absent with_items: - rbacgroup1 - rbacgroup2