mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
c715d3aad2
In latest ansible-lint versions, the use of "blocks" has a required order to be implemented. According to ansible-lint error mesage, the order is name, when, block, rescue, always. As not following this rule is now an error, this patch fixes all tests for the 'key-order[task]' error.
581 lines
20 KiB
YAML
581 lines
20 KiB
YAML
# This test uses skip_host_check, so it will fail if not using
|
|
# FreeIPA version 4.7.0 or later.
|
|
#
|
|
# To test against earlier versions, use test_without_skip_host_check.yml.
|
|
#
|
|
# This test define 6 hosts:
|
|
# - nohost_fqdn: a host with a DNS setup, not enrolled as a host in IPA.
|
|
# - no.idontexist.info: a host without DNS and not present in IPA.
|
|
# - svc.ihavenodns.inf: a host without DNS, but present in IPA.
|
|
# - svc_fqdn: a host with DNS and present in IPA.
|
|
# - host1_fqdn and host2_fqdn: used for member actions only.
|
|
#
|
|
---
|
|
- name: Test service
|
|
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
become: yes
|
|
|
|
tasks:
|
|
# setup
|
|
- name: Include tasks ../env_freeipa_facts.yml
|
|
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
|
|
|
|
# tests
|
|
- name: Tests with skip_host_check, require IPA version 4.8.0+.
|
|
when: ipa_version is version('4.7.0', '>=')
|
|
block:
|
|
- name: Setup test environment
|
|
ansible.builtin.include_tasks: env_setup.yml
|
|
|
|
- name: Ensure service is present
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
pac_type:
|
|
- MS-PAC
|
|
- PAD
|
|
auth_ind: otp
|
|
skip_host_check: no
|
|
force: yes
|
|
requires_pre_auth: yes
|
|
ok_as_delegate: no
|
|
ok_to_auth_as_delegate: no
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure service is present, again
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
pac_type:
|
|
- MS-PAC
|
|
- PAD
|
|
auth_ind: otp
|
|
skip_host_check: no
|
|
force: no
|
|
requires_pre_auth: yes
|
|
ok_as_delegate: no
|
|
ok_to_auth_as_delegate: no
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Modify service.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
pac_type: NONE
|
|
ok_as_delegate: yes
|
|
ok_to_auth_as_delegate: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Modify service, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
pac_type: NONE
|
|
ok_as_delegate: yes
|
|
ok_to_auth_as_delegate: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure service is present, without host object.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ nohost_fqdn }}"
|
|
skip_host_check: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure service is present, without host object, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ nohost_fqdn }}"
|
|
skip_host_check: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure service is present, with host not in DNS.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: HTTP/svc.ihavenodns.info
|
|
skip_host_check: no
|
|
force: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure service is present, with host not in DNS, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: HTTP/svc.ihavenodns.info
|
|
skip_host_check: no
|
|
force: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure service is present, whithout host object and with host not in DNS.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: HTTP/no.idontexist.info
|
|
skip_host_check: yes
|
|
force: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure service is present, whithout host object and with host not in DNS, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: HTTP/no.idontexist.info
|
|
skip_host_check: yes
|
|
force: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Principal host/test.example.com present in service.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
principal:
|
|
- host/test.example.com
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Principal host/test.example.com present in service, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
principal:
|
|
- host/test.example.com
|
|
action: member
|
|
register: result
|
|
failed_when:
|
|
result.changed or (result.failed and "already contains one or more values" not in result.msg)
|
|
|
|
- name: Principal host/test.example.com absent in service.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
principal:
|
|
- host/test.example.com
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Principal host/test.example.com absent in service, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
principal:
|
|
- host/test.example.com
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when:
|
|
result.changed or (result.failed and "does not contain 'one or more values to remove'" not in result.msg)
|
|
|
|
- name: Ensure host can manage service.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure host can manage service, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
host: "{{ host1_fqdn }}"
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure host cannot manage service.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure host cannot manage service, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
allow_create_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_create_keytab_group:
|
|
- group01
|
|
- group02
|
|
allow_create_keytab_host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
allow_create_keytab_hostgroup:
|
|
- hostgroup01
|
|
- hostgroup02
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
allow_create_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_create_keytab_group:
|
|
- group01
|
|
- group02
|
|
allow_create_keytab_host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
allow_create_keytab_hostgroup:
|
|
- hostgroup01
|
|
- hostgroup02
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
allow_create_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_create_keytab_group:
|
|
- group01
|
|
- group02
|
|
allow_create_keytab_host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
allow_create_keytab_hostgroup:
|
|
- hostgroup01
|
|
- hostgroup02
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
allow_create_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_create_keytab_group:
|
|
- group01
|
|
- group02
|
|
allow_create_keytab_host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
allow_create_keytab_hostgroup:
|
|
- hostgroup01
|
|
- hostgroup02
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
allow_retrieve_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_retrieve_keytab_group:
|
|
- group01
|
|
- group02
|
|
allow_retrieve_keytab_host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
allow_retrieve_keytab_hostgroup:
|
|
- hostgroup01
|
|
- hostgroup02
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
allow_retrieve_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_retrieve_keytab_group:
|
|
- group01
|
|
- group02
|
|
allow_retrieve_keytab_host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
allow_retrieve_keytab_hostgroup:
|
|
- hostgroup01
|
|
- hostgroup02
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
allow_retrieve_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_retrieve_keytab_group:
|
|
- group01
|
|
- group02
|
|
allow_retrieve_keytab_host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
allow_retrieve_keytab_hostgroup:
|
|
- hostgroup01
|
|
- hostgroup02
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
allow_retrieve_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_retrieve_keytab_group:
|
|
- group01
|
|
- group02
|
|
allow_retrieve_keytab_host:
|
|
- "{{ host1_fqdn }}"
|
|
- "{{ host2_fqdn }}"
|
|
allow_retrieve_keytab_hostgroup:
|
|
- hostgroup01
|
|
- hostgroup02
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure service is absent
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
continue: yes
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure service is absent, again
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
continue: yes
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure service is present, with multiple auth_ind values.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
auth_ind: otp,radius
|
|
skip_host_check: no
|
|
force: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure service is present, with multiple auth_ind values, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
auth_ind: otp,radius
|
|
skip_host_check: no
|
|
force: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Clear auth_ind.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
auth_ind: ""
|
|
skip_host_check: no
|
|
force: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Clear auth_ind, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "HTTP/{{ svc_fqdn }}"
|
|
auth_ind: ""
|
|
skip_host_check: no
|
|
force: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure services are absent.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name:
|
|
- "HTTP/{{ svc_fqdn }}"
|
|
- "HTTP/{{ nohost_fqdn }}"
|
|
- HTTP/svc.ihavenodns.info
|
|
- HTTP/no.idontexist.local
|
|
continue: yes
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure services are absent.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name:
|
|
- "HTTP/{{ svc_fqdn }}"
|
|
- "HTTP/{{ nohost_fqdn }}"
|
|
- HTTP/svc.ihavenodns.info
|
|
- HTTP/no.idontexist.local
|
|
continue: yes
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure SMB service is present.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "{{ host1_fqdn }}"
|
|
pac_type: NONE
|
|
smb: yes
|
|
netbiosname: SAMBASVC
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure SMB service is again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "{{ host1_fqdn }}"
|
|
pac_type: NONE
|
|
smb: yes
|
|
netbiosname: SAMBASVC
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Modify SMB service.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "{{ host1_fqdn }}"
|
|
smb: yes
|
|
netbiosname: SAMBASVC
|
|
allow_retrieve_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_retrieve_keytab_group:
|
|
- group01
|
|
- group02
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Modify SMB service, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "{{ host1_fqdn }}"
|
|
smb: yes
|
|
netbiosname: SAMBASVC
|
|
allow_retrieve_keytab_user:
|
|
- user01
|
|
- user02
|
|
allow_retrieve_keytab_group:
|
|
- group01
|
|
- group02
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure SMB service is absent.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "cifs/{{ host1_fqdn }}"
|
|
continue: yes
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure SMB service is absent, again.
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: "cifs/{{ host1_fqdn }}"
|
|
continue: yes
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
# cleanup
|
|
- name: Cleanup test environment
|
|
ansible.builtin.include_tasks: env_cleanup.yml
|