internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity
Files
6df89ad7db6a76a34dae70e25ea2f19cd55560f4
ansible-freeipa/tests/idrange/test_idrange.yml
Rafael Guterres Jeffman 6df89ad7db ipaidrange: Require usage of range id parameters 
When adding a new idrange of type 'ipa-local', the 'base_id',
'range_size', 'rid_base' and 'secondary_rid_base' are required so that
range entries are correctly set when SID are enabled.

Fixes: https://issues.redhat.com/browse/RHEL-79820

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-06-03 21:46:15 -03:00

420 lines
15 KiB
YAML
Raw Blame History

---
- name: Test idrange
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: no
gather_facts: no
vars:
adserver:
domain: "{{ winserver_domain | default('windows.local')}}"
realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}"
password: "{{ winserver_admin_password | default('SomeW1Npassword') }}"
ip_address: "{{ winserver_ip | default(omit) }}"
tasks:
# CLEANUP TEST ITEMS
- name: Remove test trust.
ansible.builtin.include_tasks: tasks_remove_trust.yml
when: trust_test_is_supported | default(false)
- name: Ensure testing idranges are absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "{{ adserver.realm }}_id_range"
- local_id_range
- ad_id_range
- ad_posix_id_range
continue: yes
state: absent
# CREATE TEST ITEMS
# TESTS
# Test local idrange, only if ipa-adtrust-install was not executed.
- name: Test local idrange
block:
- name: Can't add idrange without base_id
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
range_size: 200000
rid_base: 1000000
secondary_rid_base: 200000000
register: result
failed_when: "not (result.failed and 'Missing required parameters: base_id' in result.msg)"
- name: Can't add idrange without range_size
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
base_id: 150000000
rid_base: 1000000
secondary_rid_base: 200000000
register: result
failed_when: "not (result.failed and 'Missing required parameters: range_size' in result.msg)"
- name: Can't add idrange without rid_base
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
base_id: 150000000
range_size: 200000
secondary_rid_base: 200000000
register: result
failed_when: "not (result.failed and 'Missing required parameters: rid_base' in result.msg)"
- name: Can't add idrange without secondary_rid_base
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
register: result
failed_when: "not (result.failed and 'Missing required parameters: secondary_rid_base' in result.msg)"
- name: Ensure idrange with minimal attributes is present
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
secondary_rid_base: 200000000
register: result
failed_when:
not (result.failed or result.changed) or (result.failed and 'ipa-adtrust-install has already been run' not in result.msg)
- name: Ensure idrange with minimal attributes is present, again
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
secondary_rid_base: 200000000
register: result
failed_when:
result.changed or (result.failed and 'ipa-adtrust-install has already been run' not in result.msg)
- name: Ensure idrange with minimal attributes is absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
state: absent
register: range_delete
failed_when: range_delete.failed or (result.changed and not range_delete.changed)
# Test local idrange, even after ipa-adtrust-install.
- name: Ensure local idrange is present
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
secondary_rid_base: 200000000
register: result
failed_when: not result.changed or result.failed
- name: Ensure local idrange is present again
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
secondary_rid_base: 200000000
register: result
failed_when: result.changed or result.failed
- name: Ensure local idrange is absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
state: absent
continue: no
register: result
failed_when: not result.changed or result.failed
- name: Ensure local idrange is absent again
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
state: absent
continue: no
register: result
failed_when: result.changed or result.failed
rescue:
- name: Ensure local idranges is absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: local_id_range
state: absent
- name: Execute idrange tests if trust test environment is supported
when: trust_test_is_supported | default(false)
block:
# Create trust with range_type: ipa-ad-trust
- name: Create trust with range_type 'ipa-ad-trust'
ansible.builtin.include_tasks: tasks_set_trust.yml
vars:
trust_base_id: 10000000
trust_range_size: 200000
trust_range_type: ipa-ad-trust
# Can't use secondary_rid_base with dom_sid/dom_name
- name: Ensure AD-trust idrange is present
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
idrange_type: ipa-ad-trust
dom_sid: "{{ ipa_domain_sid }}"
auto_private_groups: "false"
register: result
failed_when: not result.changed or result.failed
- name: Ensure AD-trust idrange is present again
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
idrange_type: ipa-ad-trust
dom_sid: "{{ ipa_domain_sid }}"
auto_private_groups: "false"
register: result
failed_when: result.changed or result.failed
- name: Check if AD-trust idrange is present, uning domain name
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
idrange_type: ipa-ad-trust
dom_name: "{{ adserver.domain }}"
auto_private_groups: "false"
check_mode: true
register: result
failed_when: result.changed or result.failed
- name: Modify AD-trust idrange 'base_id'
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
base_id: 151230000
register: result
failed_when: not result.changed or result.failed
- name: Modify AD-trust idrange 'base_id', again
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
base_id: 151230000
register: result
failed_when: result.changed or result.failed
- name: Modify AD-trust idrange 'range_size'
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
range_size: 100000
register: result
failed_when: not result.changed or result.failed
- name: Modify AD-trust idrange 'rid_base'
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
rid_base: 12345678
register: result
failed_when: not result.changed or result.failed
- name: Modify AD-trust idrange 'auto_private_groups'
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
auto_private_groups: "hybrid"
register: result
failed_when: not result.changed or result.failed
# Remove trust and idrange
- name: Remove test trust.
ansible.builtin.include_tasks: tasks_remove_trust.yml
- name: Ensure AD-trust idrange is absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
state: absent
# Create trust with range_type: ipa-ad-trust-posix
- name: Create trust with range_type 'ipa-ad-trust'
ansible.builtin.include_tasks: tasks_set_trust.yml
vars:
trust_base_id: 10000000
trust_range_size: 200000
trust_range_type: ipa-ad-trust
- name: Ensure AD-trust idrange is present, with dom_name
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
base_id: 150000000
range_size: 200000
rid_base: 1000000
idrange_type: ipa-ad-trust
dom_name: "{{ adserver.domain }}"
auto_private_groups: "false"
register: result
failed_when: not result.changed or result.failed
# Remove trust and idrange
- name: Remove test trust.
ansible.builtin.include_tasks: tasks_remove_trust.yml
- name: Ensure AD-trust idrange is absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
state: absent
# Remove trust and idrange
- name: Remove test trust.
ansible.builtin.include_tasks: tasks_remove_trust.yml
- name: Ensure AD-trust idrange is absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
state: absent
# Create trust with range_type: ipa-ad-trust-posix
- name: Create trust with range_type 'ipa-ad-trust-posix'
ansible.builtin.include_tasks: tasks_set_trust.yml
vars:
trust_base_id: 10000000
trust_range_size: 2000000
trust_range_type: ipa-ad-trust-posix
# Can't use secondary_rid_base or rid_base with "ad-trust-posix"
- name: Ensure AD-trust-posix idrange is present
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_posix_id_range
base_id: 150000000
range_size: 200000
idrange_type: ipa-ad-trust-posix
dom_sid: "{{ ipa_domain_sid }}"
register: result
failed_when: not result.changed or result.failed
- name: Ensure AD-trust-posix idrange is present again
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_posix_id_range
base_id: 150000000
range_size: 200000
idrange_type: ipa-ad-trust-posix
dom_sid: "{{ ipa_domain_sid }}"
register: result
failed_when: result.changed or result.failed
- name: Check if AD-trust-posix idrange is present, using dom_name
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_posix_id_range
base_id: 150000000
range_size: 200000
idrange_type: ipa-ad-trust-posix
dom_name: "{{ adserver.domain }}"
check_mode: yes
register: result
failed_when: result.changed or result.failed
# Remove trust and idrange
- name: Remove test trust.
ansible.builtin.include_tasks: tasks_remove_trust.yml
- name: Ensure AD-trust idrange is absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_posix_id_range
state: absent
# Create trust with range_type: ipa-ad-trust-posix
- name: Create trust with range_type 'ipa-ad-trust-posix'
ansible.builtin.include_tasks: tasks_set_trust.yml
vars:
trust_base_id: 10000000
trust_range_size: 2000000
trust_range_type: ipa-ad-trust-posix
# Can't use secondary_rid_base or rid_base with "ad-trust-posix"
- name: Ensure AD-trust-posix idrange is present, with dom_name
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_posix_id_range
base_id: 150000000
range_size: 200000
idrange_type: ipa-ad-trust-posix
dom_name: "{{ adserver.domain }}"
register: result
failed_when: not result.changed or result.failed
always:
# CLEANUP TEST ITEMS
- name: Remove test trust.
ansible.builtin.include_tasks: tasks_remove_trust.yml
- name: Ensure testing idranges are absent
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- "{{ adserver.realm }}_id_range"
- local_id_range
- ad_id_range
- ad_posix_id_range
continue: yes
state: absent
Reference in New Issue View Git Blame Copy Permalink