There is a new hbacrule (HBAC Rule) management module placed in the plugins folder:

    plugins/modules/ipahbacrule.py

The hbacrule module can ensure the presence and absence of HBAC Rules.

Here is the documentation for the module:

    README-hbacrule.md

New example playbooks have been added:

    playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
    playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
    playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
    playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
    playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
    playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml

New tests added for the module:

    tests/hbacrule/test_hbacrule.yml
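---
# Integration test for the ipahbacrule module.
#
# Pattern used throughout: every state change is applied twice. The first
# run must report "changed" (failed_when: not result.changed); the repeat,
# named "... again", must report no change (failed_when: result.changed).
#
# NOTE(review): ipaadmin_password is a literal in every task below. That is
# tolerable only as a throwaway credential on a disposable test server. For
# any shared or long-lived IPA deployment, supply it from Ansible Vault or
# another secret store instead of committing it.
- name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
    # --- Pre-clean -------------------------------------------------------
    # Remove leftovers from an earlier (possibly failed) run. These tasks
    # carry no failed_when because the starting state is unknown.

    # Three rule names in one comma-separated value; presumably split into
    # a list by the module's argument handling -- confirm against the module.
    - name: Ensure HBAC Rule allhosts is absent
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts,sshd-pinky,loginRule
        state: absent

    - name: User pinky absent
      ipauser:
        ipaadmin_password: MyPassword123
        name: pinky
        state: absent

    - name: User group login absent
      ipagroup:
        ipaadmin_password: MyPassword123
        name: login
        state: absent

    # --- Fixtures --------------------------------------------------------
    # The user and group referenced by the rules below. Both must be newly
    # created, otherwise the pre-clean above did not work.

    - name: User pinky present
      ipauser:
        ipaadmin_password: MyPassword123
        name: pinky
        uid: 10001
        gid: 100
        phone: "+555123457"
        email: pinky@acme.com
        # Quoted so the all-digit timestamp stays a string.
        principalexpiration: "20220119235959"
        #passwordexpiration: "2022-01-19 23:59:59"
        first: pinky
        last: Acme
      register: result
      failed_when: not result.changed

    - name: User group login present
      ipagroup:
        ipaadmin_password: MyPassword123
        name: login
      register: result
      failed_when: not result.changed

    # --- Rule "allhosts": create, then add a host member -------------------
    # usercategory: all means the rule is not limited to named users. That
    # is fine for a fixture; in real access policy a category of "all"
    # deserves review against least privilege.

    - name: Ensure HBAC Rule allhosts is present
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts
        usercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC Rule allhosts is present again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts
        usercategory: all
      register: result
      failed_when: result.changed

    # action: member changes only the rule's membership, here the first
    # host of the ipaserver inventory group.
    - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts
        host: "{{ groups.ipaserver[0] }}"
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts
        host: "{{ groups.ipaserver[0] }}"
        action: member
      register: result
      failed_when: result.changed

    # --- Rule "sshd-pinky": create, then add user and service members ------
    # hostcategory: all means the rule is not limited to named hosts; the
    # user and service members added below are what narrow it.

    - name: Ensure HBAC Rule sshd-pinky is present
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        hostcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC Rule sshd-pinky is present again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        hostcategory: all
      register: result
      failed_when: result.changed

    - name: Ensure user pinky is present in HBAC Rule sshd-pinky
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        user: pinky
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure user pinky is present in HBAC Rule sshd-pinky again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        user: pinky
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        hbacsvc: sshd
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        hbacsvc: sshd
        action: member
      register: result
      failed_when: result.changed

    # --- Rule "loginRule": create with a group, then toggle a user member --
    # NOTE(review): the next two task names say "with HBAC service sshd",
    # but the tasks pass group: login and no hbacsvc. Either the names or
    # the arguments are off -- confirm which was intended.

    - name: Ensure HBAC Rule loginRule is present with HBAC service sshd
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: loginRule
        group: login
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC Rule loginRule is present with HBAC service sshd again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: loginRule
        group: login
      register: result
      failed_when: result.changed

    - name: Ensure user pinky is present in HBAC Rule loginRule
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: loginRule
        user: pinky
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure user pinky is present in HBAC Rule loginRule again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: loginRule
        user: pinky
        action: member
      register: result
      failed_when: result.changed

    # action: member together with state: absent removes the member and
    # leaves the rule itself in place.
    - name: Ensure user pinky is absent in HBAC Rule loginRule
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: loginRule
        user: pinky
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure user pinky is absent in HBAC Rule loginRule again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: loginRule
        user: pinky
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure HBAC Rule loginRule is absent
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: loginRule
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC Rule loginRule is absent again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: loginRule
        state: absent
      register: result
      failed_when: result.changed

    # --- Rule "sshd-pinky": remove members, toggle enabled state, delete ---

    - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        hbacsvc: sshd
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        hbacsvc: sshd
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure user pinky is absent in HBAC Rule sshd-pinky
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        user: pinky
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure user pinky is absent in HBAC Rule sshd-pinky again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        user: pinky
        action: member
        state: absent
      register: result
      failed_when: result.changed

    # The first "disabled" run is required to report a change, so the test
    # expects a newly created rule to start out enabled.
    - name: Ensure HBAC Rule sshd-pinky is disabled
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        state: disabled
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC Rule sshd-pinky is disabled again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        state: disabled
      register: result
      failed_when: result.changed

    - name: Ensure HBAC Rule sshd-pinky is enabled
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        state: enabled
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC Rule sshd-pinky is enabled again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        state: enabled
      register: result
      failed_when: result.changed

    - name: Ensure HBAC Rule sshd-pinky is absent
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC Rule sshd-pinky is absent again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: sshd-pinky
        state: absent
      register: result
      failed_when: result.changed

    # --- Rule "allhosts": remove the host member, then delete --------------

    - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts
        host: "{{ groups.ipaserver[0] }}"
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts
        host: "{{ groups.ipaserver[0] }}"
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure HBAC Rule allhosts is absent
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC Rule allhosts is absent again
      ipahbacrule:
        ipaadmin_password: MyPassword123
        name: allhosts
        state: absent
      register: result
      failed_when: result.changed

    # --- Teardown --------------------------------------------------------
    # Reached only when every task above passed. After a failed run the
    # test user, group and any remaining rules stay on the server until the
    # pre-clean tasks at the top remove them on the next run.

    - name: User pinky absent
      ipauser:
        ipaadmin_password: MyPassword123
        name: pinky
        state: absent

    - name: User group login absent
      ipagroup:
        ipaadmin_password: MyPassword123
        name: login
        state: absent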