mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 18:55:53 +00:00
7e04a46f07
Current implementation does not allow the change of an existingi Vault
type. To allow it, data is retrieved from the current vault, the vault
is modifiend, and then, data is stored again in the new vault.
Due to changing the process of modifying a vault, this change also
fixes the update of asymmetric vault keys. To change the key used,
the task must provide the old private key, used to retrieve data,
and the new public_key, used to store the data again. A new alias
was added to public_key (new_public_key) and public_key_file
(new_public_key_file) so that the playbook better express the
intention of the tak.
Vault tests have been updated to better test against the new update
process, and a new test file has bee added:
tests/vault/test_vault_change_type.
142 lines
3.9 KiB
YAML
142 lines
3.9 KiB
YAML
---
|
|
- name: Test vault
|
|
hosts: ipaserver
|
|
become: true
|
|
# Need to gather facts for ansible_env.
|
|
gather_facts: true
|
|
|
|
tasks:
|
|
- name: Setup testing environment.
|
|
import_tasks: env_setup.yml
|
|
|
|
- name: Ensure standard vault is present
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_type: standard
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure standard vault is present, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_type: standard
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Archive data to standard vault, matching `no_log` field.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_data: SomeADMINpassword
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'SomeADMINpassword' or result.changed
|
|
|
|
- name: Archive data to standard vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_data: Hello World.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
|
|
- name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
out: "{{ ansible_env.HOME }}/data.txt"
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.changed or result.failed or (result.vault.data | default(false))
|
|
|
|
- name: Verify retrieved data.
|
|
slurp:
|
|
src: "{{ ansible_env.HOME }}/data.txt"
|
|
register: slurpfile
|
|
failed_when: slurpfile['content'] | b64decode != 'Hello World.'
|
|
|
|
- name: Archive data with non-ASCII characters to standard vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_data: The world of π is half rounded.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'The world of π is half rounded.' or result.changed
|
|
|
|
- name: Archive data in standard vault, from file.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_type: standard
|
|
in: "{{ ansible_env.HOME }}/in.txt"
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'Another World.' or result.changed
|
|
|
|
- name: Archive data with single character to standard vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_data: c
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'c' or result.changed
|
|
|
|
- name: Ensure standard vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure standard vault is absent, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Cleanup testing environment.
|
|
import_tasks: env_cleanup.yml
|