mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 10:45:55 +00:00
59cb7eebd9
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
930 lines
27 KiB
YAML
930 lines
27 KiB
YAML
---
|
|
|
|
- name: Test vault
|
|
hosts: ipaserver
|
|
become: true
|
|
# Need to gather facts for ansible_env.
|
|
gather_facts: true
|
|
|
|
tasks:
|
|
|
|
- name: Copy password file to target host.
|
|
copy:
|
|
src: "{{ playbook_dir }}/password.txt"
|
|
dest: "{{ ansible_env.HOME }}/password.txt"
|
|
|
|
- name: Copy public key file to target host.
|
|
copy:
|
|
src: "{{ playbook_dir }}/public.pem"
|
|
dest: "{{ ansible_env.HOME }}/public.pem"
|
|
|
|
- name: Copy private key file to target host.
|
|
copy:
|
|
src: "{{ playbook_dir }}/private.pem"
|
|
dest: "{{ ansible_env.HOME }}/private.pem"
|
|
|
|
- name: Copy input data file to target host.
|
|
copy:
|
|
src: "{{ playbook_dir }}/in.txt"
|
|
dest: "{{ ansible_env.HOME }}/in.txt"
|
|
|
|
- name: Ensure user vaults are absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name:
|
|
- stdvault
|
|
- symvault
|
|
- asymvault
|
|
username: user01
|
|
state: absent
|
|
|
|
- name: Ensure test users do not exist.
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name:
|
|
- user01
|
|
- user02
|
|
- user03
|
|
state: absent
|
|
|
|
- name: Ensure test groups do not exist.
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: vaultgroup
|
|
state: absent
|
|
|
|
- name: Ensure vaultgroup exists.
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: vaultgroup
|
|
|
|
- name: Ensure user01 exists.
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: user01
|
|
first: First
|
|
last: Start
|
|
|
|
- name: Ensure user02 exists.
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: user02
|
|
first: Second
|
|
last: Middle
|
|
|
|
- name: Ensure user03 exists.
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: user03
|
|
first: Third
|
|
last: Last
|
|
|
|
- name: Ensure shared vaults are absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: sharedvault
|
|
shared: True
|
|
state: absent
|
|
|
|
- name: Ensure standard vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
state: absent
|
|
|
|
- name: Ensure service vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: svcvault
|
|
service: "HTTP/{{ groups.ipaserver[0] }}"
|
|
state: absent
|
|
|
|
# tests
|
|
- name: Ensure standard vault is present
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_type: standard
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure standard vault is present, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_type: standard
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure standard vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_type: standard
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure standard vault is absent, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_type: standard
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure symmetric vault is present
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
vault_password: SomeVAULTpassword
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is present, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
vault_password: SomeVAULTpassword
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Archive data to symmetric vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
vault_password: SomeVAULTpassword
|
|
vault_data: Hello World.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Archive data with non-ASCII characters to symmetric vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
vault_password: SomeVAULTpassword
|
|
vault_data: The world of π is half rounded.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is absent, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure symmetric vault is present
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
vault_password: SomeVAULTpassword
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is present, with a different password
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
vault_password: SomeOtherVAULTpassword
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure symmetric vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
|
|
- name: Ensure symmetric vault is present, with password from file.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
vault_password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is present, with password from file, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
vault_password_file: password.txt
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure asymmetric vault is present, with public key file.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: admin
|
|
description: An asymmetric private vault.
|
|
public_key_file: "{{ ansible_env.HOME }}/public.pem"
|
|
vault_type: asymmetric
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure asymmetric vault is present, with public key file, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: admin
|
|
description: An asymmetric private vault.
|
|
public_key_file: "{{ ansible_env.HOME }}/public.pem"
|
|
vault_type: asymmetric
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Archive data in asymmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: admin
|
|
vault_data: Hello World.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure asymmetric vault is absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: admin
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure asymmetric vault is absent, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: admin
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure asymmetric vault is present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: user01
|
|
description: An asymmetric private vault.
|
|
vault_public_key:
|
|
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
|
|
vault_type: asymmetric
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure asymmetric vault is present, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: user01
|
|
description: An asymmetric private vault.
|
|
vault_public_key:
|
|
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
|
|
vault_type: asymmetric
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Archive data in asymmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: user01
|
|
vault_data: Hello World.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from asymmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: user01
|
|
vault_type: asymmetric
|
|
retrieve: true
|
|
private_key:
|
|
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBck01L2Y2ZGQvWUltL2E5ZW9HVlRXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4CkhENCtSVlV3eC9scWxrUFliVWk5YlhWL3JKQWtVd0FFRE9uSmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVkKU2lxeXlOeEZJSnZaQW8wZEc0Q0FXallLMjd0TGc0SWg2b0dzWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZQpETU81N3Vudm1JS0VtYUJFMGV3UGZ2a2RaaDVrOEd0czlINGZoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkCituN0JiYVZjODIwVGdaRE8vclNZdG51WGFJYzZXeDBVOUxYWmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFAKcXJHcW15V2QvRTFjSDJiNWp6SXhpR284cHNMNXN4V1ZZN1dKZHdJREFRQUJBb0lCQUE2ZTlpaXQxNFVBZ3g0Sgp2WDdpczlmYk90Y1drQitqbzk0Tk1meFNGWGdacElNbDEzOW9RTXFLOTdLanhzSHFBYURWZTdtTUxINUVQOTZKCjdNM081ZzRyZ2wwY1ZXdHBNckRReVpzTHZxREZ6Qld4dENIcVZQQXJ1dW1VWmhzU0ozbFJPUXJvOGFnL3c1YmYKNXRDNW9nVnE0K3JzQjRoQnBoZ3Axakdyc1VNK0U4TzdEWFhGSDY4RjhXZ0JpNzI1V3Zjam5iSTlpcmtiMEdjcQoxYkNQSndOM2ZBMWkyVldpUndWWVdiTlRXbkRvTk05WmRZWXhLMGt1VWtEK1F0cmV5Y1dQZjlWNDlsdlVpMVZwCkZWTm1CVUR2R0szSzFNd2JnWFJ3T1hoYWNZN1B0amtkdmFlYjJRY3U1UmpUa3J1R2h6VVlzT1AzcC9jdyt3S1YKdnpRcWNlRUNnWUVBNVd6N1YyU2xSYTJyLy96K0VUUWtKZkVOSjBLRG5DYjBwTUNsQ1FoM2pUTlBBNkRiaGlNawpGVGtjb05icWNwVGlWU2x2aGg2VEtzY1NncVlRVWpRL09xeUc3U2tqS1ZqUTcyajViZVFMeGlMVHRVeWoxT21QClhoOWNXSlh4OGlRKzQ1Y1BvbitrTU9BSWlUd2lCM21tRlJmUWpJR3ZlMURQVW85SitOWjRYZEVDZ1lFQXdOS2cKT2RHWXh4S3RDclhWejFtZGc2UERsVjhxaDdueHhaYlBjaCthTUlRbDErb1RDZ1NpdzhvT1lFZDhnMEhPZFY2dAoxRytJV2h2UHhpaVd5My9BRTBRaGdvS2syR1VzU2pXU01MY0piYVV6RG9FSEZqVExqZWNSbHFkem83cXhSWHFCCm1lTjRMNVdKWUtuTEM0ODJLN2h2dWZTK3VvNWZCNXF3UG10MTNNY0NnWUFlNFRWUFJQK3R5anR0WUNyK084dGwKdy9VbVJLQ2NRdTRJd3Rrenh3ejRWMkNhTjJ0MHVZUWd5eWdjU2ZFU2JSR3RycjhSQ1VwN3BvSEtUZm5DWnIvZgo4TnJVVHdZcGlZZk53WTVaQ1NuQWlHMkFhSWxnbmZNckV3T0Y5T0MwMjhZUE1nVHJ0VXh2TzZoS2VHcUlJUXFHCnFrYnFzb1hoRGpacGdWbk9nV2VBRVFLQmdHdWlaMHcvSXFBbFhiQzMxZlViMmlCTWZ2WFhuSjhNL2RmRkdtRmoKSUtmcWJGRjlXVWxqVXhRbHF5YTFZTnpJRkI1U1RvaGlCZVArMkZtTitMYjV4ZGM3VmRWTFpnZGhXbnJHTXFlOAoxS2QrNnVReXhDanlLWm81blFqU3ltdGY0R3FmT3M4VE9kaWVDWVNLNDB1OWtvaVBPTmE5dHVYZWFVK09Xc2xOCkpRcXJBb0dCQUozTUtPdnNuUXp1WlZQMnZ6MFpxTHdJRTNYalJpRkd2ZVZwaXpxNGh3T1ZldU5zVjA4SnZBMHQKcHVlTkl5OWtsUFNjRmM5T1VkaVpXa0VYMDlCd0prVklyT0hvdHVTQjhBU3RPNVVBbnRObnV5V0xKRUZDNFVxNApHcEI4bGJqOWpreFNLYVU3WDNHYWMyM0s5Skw4ZXVMaDdFN3JQdVpSWWE2bVlONG5iS3F1Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
|
|
register: result
|
|
failed_when: result.data | b64decode != 'Hello World.' or result.changed
|
|
|
|
- name: Retrieve data from asymmetric vault, with private key file.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: user01
|
|
vault_type: asymmetric
|
|
retrieve: true
|
|
private_key_file: "{{ ansible_env.HOME }}/private.pem"
|
|
register: result
|
|
failed_when: result.data | b64decode != 'Hello World.' or result.changed
|
|
|
|
- name: Ensure asymmetric vault is absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: user01
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure asymmetric vault is absent, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: asymvault
|
|
username: user01
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure standard vault is present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
vault_type: standard
|
|
username: user01
|
|
description: A standard private vault.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure standard vault is present, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
vault_type: standard
|
|
description: A standard private vault.
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Archive data in standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
vault_data: Hello World.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
retrieve: yes
|
|
out: "{{ ansible_env.HOME }}/data.txt"
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Verify retrieved data.
|
|
slurp:
|
|
src: "{{ ansible_env.HOME }}/data.txt"
|
|
register: slurpfile
|
|
failed_when: slurpfile['content'] | b64decode != 'Hello World.'
|
|
|
|
- name: Archive data in standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
in: "{{ ansible_env.HOME }}/in.txt"
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from standard vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
vault_type: standard
|
|
retrieve: true
|
|
register: result
|
|
failed_when: result.data | b64decode != 'Another World.' or result.changed
|
|
|
|
- name: Ensure standard vault member user is present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
users:
|
|
- user02
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure standard vault member user is present, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
users:
|
|
- user02
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure more vault member users are present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
users:
|
|
- user01
|
|
- user02
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault member user is still present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
users:
|
|
- user02
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault users are absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
users:
|
|
- user01
|
|
- user02
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault users are absent, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
users:
|
|
- user01
|
|
- user02
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault user is absent, once more.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
users:
|
|
- user01
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault member group is present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
groups: vaultgroup
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault member group is present, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
groups: vaultgroup
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault member group is absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
groups: vaultgroup
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault member group is absent, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
groups: vaultgroup
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault member service is present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
services: "HTTP/{{ groups.ipaserver[0] }}"
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault member service is present, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
services: "HTTP/{{ groups.ipaserver[0] }}"
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault member service is absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
services: "HTTP/{{ groups.ipaserver[0] }}"
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault member service is absent, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
action: member
|
|
services: "HTTP/{{ groups.ipaserver[0] }}"
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault is absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault is absent, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure shared vault is present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: sharedvault
|
|
shared: True
|
|
ipavaultpassword: SomeVAULTpassword
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure shared vault is absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: sharedvault
|
|
shared: True
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure service vault is present.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: svcvault
|
|
ipavaultpassword: SomeVAULTpassword
|
|
service: "HTTP/{{ groups.ipaserver[0] }}"
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure service vault is absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: svcvault
|
|
service: "HTTP/{{ groups.ipaserver[0] }}"
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault is present, with members.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
vault_type: standard
|
|
users:
|
|
- user02
|
|
- user03
|
|
groups:
|
|
- vaultgroup
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault is present, with members, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
vault_type: standard
|
|
users:
|
|
- user02
|
|
- user03
|
|
groups:
|
|
- vaultgroup
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure user02 is not a member of vault stdvault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
users: user02
|
|
state: absent
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure user02 is not a member of vault stdvault, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
users: user02
|
|
state: absent
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure user02 is a member of vault stdvault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
users: user02
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure user02 is a member of vault stdvault, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
users: user03
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure user03 owns vault stdvault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
owners: user03
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure user03 owns vault stdvault, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
owners: user03
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure user03 is not owner of stdvault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
owners: user03
|
|
state: absent
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure user03 is not owner of stdvault, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
owners: user03
|
|
state: absent
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vaultgroup is owner of stdvault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
ownergroups: vaultgroup
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vaultgroup is owner of stdvault, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
ownergroups: vaultgroup
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vaultgroup is not owner of stdvault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
ownergroups: vaultgroup
|
|
state: absent
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vaultgroup is not owner of stdvault, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
ownergroups: vaultgroup
|
|
state: absent
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault is owned by HTTP service.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault is owned by HTTP service, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault is not owned by HTTP service.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
|
|
state: absent
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure vault is not owned by HTTP service, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
|
|
state: absent
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure vault is absent.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: stdvault
|
|
username: user01
|
|
state: absent
|
|
|
|
# cleaup
|
|
- name: Ensure user01 vaults are absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name:
|
|
- stdvault
|
|
- symvault
|
|
- asymvault
|
|
username: user01
|
|
state: absent
|
|
|
|
- name: Ensure test vaults are absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name:
|
|
- stdvault
|
|
- symvault
|
|
- asymvault
|
|
username: admin
|
|
state: absent
|
|
|
|
- name: Ensure shared vaults are absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: sharedvault
|
|
shared: True
|
|
state: absent
|
|
|
|
- name: Ensure service vaults are absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: svcvault
|
|
service: "HTTP/{{ groups.ipaserver[0] }}"
|
|
state: absent
|
|
|
|
- name: Ensure test users do not exist.
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name:
|
|
- user01
|
|
- user02
|
|
- user03
|
|
state: absent
|
|
|
|
- name: Ensure test groups do not exist.
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: vaultgroup
|
|
state: absent
|
|
|
|
- name: Remove password file from target host.
|
|
file:
|
|
path: "{{ ansible_env.HOME }}/password.txt"
|
|
state: absent
|
|
|
|
- name: Remove public key file from target host.
|
|
file:
|
|
path: "{{ ansible_env.HOME }}/public.pem"
|
|
state: absent
|
|
|
|
- name: Remove private key file from target host.
|
|
file:
|
|
path: "{{ ansible_env.HOME }}/private.pem"
|
|
state: absent
|
|
|
|
- name: Remove output data file from target host.
|
|
file:
|
|
path: "{{ ansible_env.HOME }}/data.txt"
|
|
state: absent
|
|
|
|
- name: Remove input data file from target host.
|
|
file:
|
|
path: "{{ ansible_env.HOME }}/in.txt"
|
|
state: absent
|