mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-11 11:15:55 +00:00
23829c5ec4
The attrs handling was not complete and did not support to ensure presence or absence of attributes with action:member. The includedattrs and excludedattrs parameters have not been added with this change as the use of attrs will automatically set includedattrs and excludedattrs. The includedattrs and excludedattrs parameters are only usable for managed permissions and duplicating attrs. The permission module may not handle privileges. An IPA internal only API has been used for this. The prvilege variable and all related code paths have been removed. Fixes: #424 ([Permission Handling] Not able to add additional attributes with existing attributes) Fixes: #425 ([Permission Handling] Not able to add member privilege while adding permission)
224 lines
6.3 KiB
YAML
224 lines
6.3 KiB
YAML
---
|
|
- name: Test permission
|
|
hosts: ipaserver
|
|
become: true
|
|
|
|
tasks:
|
|
- include_tasks: ../env_freeipa_facts.yml
|
|
|
|
# CLEANUP TEST ITEMS
|
|
|
|
- name: Ensure permission perm-test-1 is absent
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name:
|
|
- perm-test-1
|
|
- perm-test-bindtype-test
|
|
- perm-test-renamed
|
|
state: absent
|
|
|
|
# TESTS
|
|
|
|
- name: Ensure permission perm-test-1 is present
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
object_type: host
|
|
right: all
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure permission perm-test-1 is present again
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
object_type: host
|
|
right: all
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure permission perm-test-1 is present with attr carlicense
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
attrs:
|
|
- carlicense
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure permission perm-test-1 is present with attr carlicense again
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
attrs:
|
|
- carlicense
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure permission perm-test-1 is present with attr carlicense and displayname
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
attrs:
|
|
- carlicense
|
|
- displayname
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure permission perm-test-1 is present with attr carlicense and displayname again
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
attrs:
|
|
- carlicense
|
|
- displayname
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure attr gecos is present in permission perm-test-1
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
attrs:
|
|
- gecos
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure attr gecos is present in permission perm-test-1 again
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
attrs:
|
|
- gecos
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure attr gecos is absent in permission perm-test-1
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
attrs:
|
|
- gecos
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure attr gecos is absent in permission perm-test-1 again
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
attrs:
|
|
- gecos
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure attributes carlicense and displayname are present in permission "System{{':'}} Update DNS Entries"
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "System: Update DNS Entries"
|
|
attrs:
|
|
- carlicense
|
|
- displayname
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure attributes carlicense and displayname are present in permission "System{{':'}} Update DNS Entries" again
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "System: Update DNS Entries"
|
|
attrs:
|
|
- carlicense
|
|
- displayname
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure attributes carlicense and displayname are present in permission "System{{':'}} Update DNS Entries"
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "System: Update DNS Entries"
|
|
attrs:
|
|
- carlicense
|
|
- displayname
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure attributes carlicense and displayname are present in permission "System{{':'}} Update DNS Entries" again
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "System: Update DNS Entries"
|
|
attrs:
|
|
- carlicense
|
|
- displayname
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Rename permission perm-test-1 to perm-test-renamed
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
rename: perm-test-renamed
|
|
state: renamed
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure permission perm-test-1 is absent
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-1
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure permission perm-test-renamed is present
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-renamed
|
|
object_type: host
|
|
right: all
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure permission with bindtype 'self' is present, if IPA version >= 4.8.7
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-bindtype-test
|
|
bindtype: self
|
|
object_type: host
|
|
right: all
|
|
when: ipa_version is version('4.8.7', '>=')
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Fail to set permission perm-test-renamed bindtype to 'self', if IPA version < 4.8.7
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: perm-test-bindtype-test
|
|
bindtype: self
|
|
object_type: host
|
|
right: all
|
|
when: ipa_version is version('4.8.7', '<')
|
|
register: result
|
|
failed_when: not result.failed or "Bindtype 'self' is not supported by your IPA version." not in result.msg
|
|
|
|
# CLEANUP TEST ITEMS
|
|
|
|
- name: Ensure permission perm-test-1 is absent
|
|
ipapermission:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name:
|
|
- perm-test-1
|
|
- perm-test-bindtype-test
|
|
- perm-test-renamed
|
|
state: absent
|