mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 02:35:54 +00:00
9f773ff5ac
When clearing minimum length parameter, FreeIPA raises an error, and the error is different when executing the playbook in server or client context. Since the error message is evaluated in the text, both errors must be accepted as "not a failure", since ansible-freeipa did the correct call. Once https://pagure.io/freeipa/issue/9297 is fixed, the test must be updated to not accept any of these error messages.
379 lines
12 KiB
YAML
379 lines
12 KiB
YAML
---
|
|
- name: Test pwpolicy
|
|
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
become: true
|
|
gather_facts: false
|
|
|
|
tasks:
|
|
- name: Setup FreeIPA test facts.
|
|
ansible.builtin.import_tasks: ../env_freeipa_facts.yml
|
|
|
|
- name: Ensure maxlife of 90 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxlife: 90
|
|
|
|
- name: Ensure absence of group ops
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
state: absent
|
|
|
|
- name: Ensure absence of pwpolicies for group ops
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
state: absent
|
|
|
|
- name: Ensure presence of group ops
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
state: present
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure presence of pwpolicies for group ops
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
minlife: 7
|
|
maxlife: 49
|
|
history: 5
|
|
priority: 1
|
|
lockouttime: 300
|
|
minlength: 8
|
|
minclasses: 5
|
|
maxfail: 3
|
|
failinterval: 5
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure presence of pwpolicies for group ops again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
minlife: 7
|
|
maxlife: 49
|
|
history: 5
|
|
priority: 1
|
|
lockouttime: 300
|
|
minlength: 8
|
|
minclasses: 5
|
|
maxfail: 3
|
|
failinterval: 5
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure maxlife of 49 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxlife: 49
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure maxlife of 49 for global_policy again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxlife: 49
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure absence of pwpoliciy global_policy will fail
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.failed or "'global_policy' can not be made absent." not in result.msg
|
|
|
|
- name: Ensure absence of pwpolicies for group ops
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure maxlife of 90 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxlife: 90
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure absence of pwpolicies for group ops
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure presence of pwpolicies for group ops
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
minlife: 7
|
|
maxlife: 49
|
|
history: 5
|
|
priority: 1
|
|
lockouttime: 300
|
|
minlength: 8
|
|
minclasses: 5
|
|
maxfail: 3
|
|
failinterval: 5
|
|
|
|
- name: Ensure policies are cleared
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
minlife: ""
|
|
maxlife: ""
|
|
history: ""
|
|
# priority: ""
|
|
lockouttime: ""
|
|
minclasses: ""
|
|
maxfail: ""
|
|
failinterval: ""
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure policies are cleared, again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
minlife: ""
|
|
maxlife: ""
|
|
history: ""
|
|
# priority: ""
|
|
lockouttime: ""
|
|
minclasses: ""
|
|
maxfail: ""
|
|
failinterval: ""
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure minlength is not cleared due to FreeIPA issue
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
minlength: ""
|
|
register: result
|
|
failed_when:
|
|
result.changed or (
|
|
result.failed and not (
|
|
"an internal error has occurred" in result.msg
|
|
or "int() argument must be" in result.msg
|
|
)
|
|
)
|
|
when: ipa_version is version("4.9", ">=")
|
|
|
|
- name: Ensure minlength is not cleared due to FreeIPA issue
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: ops
|
|
minlength: ""
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
when: ipa_version is version("4.7", "<")
|
|
|
|
- name: Execute tests if ipa_version >= 4.9.0
|
|
when: ipa_version is version("4.9", ">=")
|
|
block:
|
|
- name: Ensure maxrepeat of 2 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxrepeat: 2
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure maxrepeat of 2 for global_policy, again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxrepeat: 2
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure maxrepeat of 0 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxrepeat: 0
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure maxsequence of 4 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxrepeat: 4
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure maxsequence of 4 for global_policy, again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxrepeat: 4
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure maxsequence of 0 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
maxrepeat: 0
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure usercheck and dictcheck have known values
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
dictcheck: false
|
|
usercheck: false
|
|
|
|
- name: Ensure dictcheck is set for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
dictcheck: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure dictcheck is set for global_policy, again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
dictcheck: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure dictcheck is not set for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
dictcheck: no
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure usercheck is set for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
usercheck: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure usercheck is set for global_policy, again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
usercheck: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure usercheck is not set for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
usercheck: no
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure usercheck and dictcheck are cleared for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
dictcheck: ""
|
|
usercheck: ""
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure usercheck and dictcheck are cleared for global_policy, again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
dictcheck: ""
|
|
usercheck: ""
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Execute tests if ipa_version >= 4.9.10
|
|
when: ipa_version is version("4.9.10", ">=")
|
|
block:
|
|
- name: Ensure grace limit is set to 10 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
gracelimit: 10
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure grace limit is set to 0 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
gracelimit: 0
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure grace limit is set to 0 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
gracelimit: 0
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure grace limit is set to 0 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
gracelimit: -1
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure grace limit is cleared for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
gracelimit: ""
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure grace limit is cleared for global_policy, again
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
gracelimit: ""
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure grace limit is not set to -2 for global_policy
|
|
ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
gracelimit: -2
|
|
register: result
|
|
failed_when: not result.failed and "must be at least -1" not in result.msg
|