--- - name: Test idp hosts: "{{ ipa_test_host | default('ipaserver') }}" become: false gather_facts: false module_defaults: ipaidp: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" tasks: # CHECK IF WE HAVE IDP SUPPORT - name: Verify if ipd management is supported ansible.builtin.shell: cmd: | echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa command-show idp_add) kdestroy -A -c {{ krb5ccname }} echo $RESULT vars: krb5ccname: "__check_command_idp_add__" register: check_command_idp_add - name: Run tests for idp when: not "idp_add" in check_command_idp_add.stderr block: # CLEANUP TEST ITEMS - name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent ipaidp: name: - my-keycloak-idp - my-github-idp - my-google-idp delete_continue: true state: absent # CREATE TEST ITEMS # TESTS - name: Ensure keycloak idp my-keycloak-idp is present ipaidp: name: my-keycloak-idp provider: keycloak organization: main base_url: keycloak.idm.example.com:8443/auth client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp is present, again ipaidp: name: my-keycloak-idp provider: keycloak organization: main base_url: keycloak.idm.example.com:8443/auth client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp is present with all params ipaidp: name: my-keycloak-idp organization: main base_url: https://keycloak.idm.example.com:8443/auth keys_uri: https://keycloak.idm.example.com:8443/certs issuer_url: https://keycloak.idm.example.com:8443/issuer secret: secret scope: https://keycloak.idm.example.com:8443/scope idp_user_id: testuser client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp is present with all params, again ipaidp: name: my-keycloak-idp organization: main base_url: https://keycloak.idm.example.com:8443/auth keys_uri: https://keycloak.idm.example.com:8443/certs issuer_url: https://keycloak.idm.example.com:8443/issuer secret: secret scope: https://keycloak.idm.example.com:8443/scope idp_user_id: testuser client_id: my-client-id register: result # failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp auth_uri is empty ipaidp: name: my-keycloak-idp auth_uri: "" client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp auth_uri is empty, again ipaidp: name: my-keycloak-idp auth_uri: "" client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp dev_auth_uri is empty ipaidp: name: my-keycloak-idp dev_auth_uri: "" client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp dev_auth_uri is empty, again ipaidp: name: my-keycloak-idp dev_auth_uri: "" client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp token_uri is empty ipaidp: name: my-keycloak-idp token_uri: "" client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp token_uri is empty, again ipaidp: name: my-keycloak-idp token_uri: "" client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp userinfo_uri is empty ipaidp: name: my-keycloak-idp userinfo_uri: "" client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp userinfo_uri is empty, again ipaidp: name: my-keycloak-idp userinfo_uri: "" client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp keys_uri is empty ipaidp: name: my-keycloak-idp keys_uri: "" client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp keys_uri is empty, again ipaidp: name: my-keycloak-idp keys_uri: "" client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp issuer_url is empty ipaidp: name: my-keycloak-idp issuer_url: "" client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp issuer_url is empty, again ipaidp: name: my-keycloak-idp issuer_url: "" client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp scope is empty ipaidp: name: my-keycloak-idp scope: "" client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp scope is empty, again ipaidp: name: my-keycloak-idp scope: "" client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp idp_user_id is empty ipaidp: name: my-keycloak-idp idp_user_id: "" client_id: my-client-id register: result failed_when: not result.changed or result.failed - name: Ensure keycloak idp my-keycloak-idp idp_user_id is empty, again ipaidp: name: my-keycloak-idp idp_user_id: "" client_id: my-client-id register: result failed_when: result.changed or result.failed - name: Ensure idp my-keycloak-idp is absent ipaidp: name: my-keycloak-idp delete_continue: true state: absent - name: Ensure keycloak idp my-keycloak-idp is failing with missing parameters ipaidp: name: my-keycloak-idp provider: keycloak client_id: my-client-id register: result failed_when: result.changed or not result.failed or " is missing" not in result.msg - name: Ensure github idp my-github-idp is present ipaidp: name: my-github-idp provider: github client_id: my-github-client-id register: result failed_when: not result.changed or result.failed - name: Ensure github idp my-github-idp is present, again ipaidp: name: my-github-idp provider: github client_id: my-github-client-id register: result failed_when: result.changed or result.failed - name: Ensure google idp my-google-idp is present using provider defaults without specifying provider ipaidp: name: my-google-idp auth_uri: https://accounts.google.com/o/oauth2/auth dev_auth_uri: https://oauth2.googleapis.com/device/code token_uri: https://oauth2.googleapis.com/token keys_uri: https://www.googleapis.com/oauth2/v3/certs userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo client_id: my-google-client-id scope: "openid email" idp_user_id: email register: result failed_when: not result.changed or result.failed - name: Ensure google idp my-google-idp is present using provider defaults without specifying provider, again ipaidp: name: my-google-idp auth_uri: https://accounts.google.com/o/oauth2/auth dev_auth_uri: https://oauth2.googleapis.com/device/code token_uri: https://oauth2.googleapis.com/token keys_uri: https://www.googleapis.com/oauth2/v3/certs userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo client_id: my-google-client-id scope: "openid email" idp_user_id: email register: result failed_when: result.changed or result.failed - name: Ensure google idp my-google-idp is present without changes using provider ipaidp: name: my-google-idp provider: google client_id: my-google-client-id register: result failed_when: result.changed or result.failed # CLEANUP TEST ITEMS - name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent ipaidp: name: - my-keycloak-idp - my-github-idp - my-google-idp delete_continue: true state: absent