ansible-freeipa/tests/config/test_config_sid.yml

---
- name: Test config
  hosts: "{{ ipa_test_host | default('ipaserver') }}"
  become: no
  gather_facts: no

  tasks:

  - name: Set FreeIPA facts.
    ansible.builtin.include_tasks: ../env_freeipa_facts.yml

  # GET CURRENT CONFIG

  - name: Return current values of the global configuration options
    ipaconfig:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: "{{ ipa_context | default(omit) }}"
    register: previous

  # TESTS
  - name: Test config sid
    block:
    - name: Check if SID is enabled.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        enable_sid: yes
      check_mode: yes
      register: sid_disabled

    - name: Ensure netbios_name can't be changed without SID enabled.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        netbios_name: IPATESTPLAY
      register: result
      failed_when: not result.failed and "SID generation must be enabled" in result.msg
      when: sid_disabled.changed

    - name: Ensure SIDs can't be changed without SID enabled.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        add_sids: yes
      register: result
      failed_when: not result.failed and "SID generation must be enabled" in result.msg
      when: sid_disabled.changed

    - name: Ensure SID is enabled.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        enable_sid: yes
      register: result
      failed_when: result.failed or previous.config.enable_sid == result.changed

    - name: Ensure SID is enabled, again.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        enable_sid: yes
      register: result
      failed_when: result.failed or result.changed

    - name: Try to Ensure SID is disabled.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        enable_sid: no
      register: result
      failed_when: not result.failed or "SID cannot be disabled." not in result.msg

    - name: Ensure netbios_name is "IPATESTPLAY"
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        enable_sid: yes
        netbios_name: IPATESTPLAY
      register: result
      failed_when: result.failed or not result.changed

    - name: Ensure netbios_name is "IPATESTPLAY", again
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        netbios_name: IPATESTPLAY
      register: result
      failed_when: result.failed or result.changed

    - name: Ensure netbios_name cannot be set with lowercase characters
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        netbios_name: IPATESTplay
      register: result
      failed_when:
        (not result.failed
         and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)

    - name: Ensure netbios_name cannot be set different lowercase characters
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        netbios_name: otherPLAY
      register: result
      failed_when:
        (not result.failed
         and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)

    # add_sids is not idempotent as it always tries to generate the missing
    # SIDs for users and groups.
    - name: Add SIDs to users and groups.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        add_sids: yes

    # only run tests if version supports enable-sid
    when: ipa_version is version("4.9.8", ">=")
    # REVERT TO PREVIOUS CONFIG
    always:
    # Once SID is enabled, it cannot be reverted.
    - name: Revert netbios_name to original configuration
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
        netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
        enable_sid: yes