mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-05-08 06:13:21 +00:00
3ea452ef6f
This patch applies several changes to the ipatrust test playbook:
* Add externally defined parameters so execution in local trust
environments can be configured. The available parameters are:
* winserver_admin_password: the Administrator password for the AD
server (default: 'SomeW1Npassword')
* winserver_domain: the AD server domain (default: 'windows.local')
* winserver realm: the AD server realm (by default, the uppercase
version of winserver_domain)
* ipaserver_domain: the FreeIPA server domain (default: 'ipa.test')
* ipaserver_realm: the FreeIPA server realm (by default, the
uppercase version of ipaserver_domain
* Modify trust verification to check for the existence of the trust as
it the output of `ipa trust-find`, instead of cheking for the number
of items returned, as the number might vary.
* Add idempotency tests by re-executing tasks and verifying that no
change was performed.
* Added tests to verify creation of trusts with different 'range_type'.
* Use a Kerberos cache for shell scripts, and destroy it on exit.
* Properly remove all `idrange` that might be created upon setting up a
trust.
169 lines
5.8 KiB
YAML
169 lines
5.8 KiB
YAML
---
|
|
- name: Test ipatrust
|
|
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
become: true
|
|
gather_facts: false
|
|
|
|
vars:
|
|
adserver:
|
|
domain: "{{ winserver_domain | default('windows.local')}}"
|
|
realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}"
|
|
password: "{{ winserver_admin_password | default('SomeW1Npassword') }}"
|
|
ipaserver:
|
|
domain: "{{ ipaserver_domain | default('ipa.test')}}"
|
|
realm: "{{ ipaserver_realm | default(ipaserver_domain) | default('ipa.test') | upper }}"
|
|
trust_exists: 'Realm name: {{ adserver.domain }}'
|
|
ad_range_exists: 'Range name: {{ adserver.realm }}_id_range'
|
|
ipa_range_exists: 'Range name: {{ ipaserver.realm }}_subid_range'
|
|
|
|
tasks:
|
|
|
|
- block:
|
|
|
|
- name: Delete test trust
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
state: absent
|
|
|
|
- name: Clear test idranges
|
|
shell: |
|
|
kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
|
ipa idrange-del {{ adserver.realm }}_id_range || true
|
|
ipa idrange-del {{ ipaserver.realm }}_subid_range || true
|
|
kdestroy -c test_krb5_cache -q -A
|
|
|
|
- name: Add trust with range_type 'ipa-ad-trust'
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
admin: Administrator
|
|
trust_type: ad
|
|
range_type: ipa-ad-trust
|
|
password: "{{ adserver.password }}"
|
|
state: present
|
|
register: result
|
|
failed_when: result.failed or not result.changed
|
|
|
|
- name: check if 'ipa-ad-trust' trust exists
|
|
shell: |
|
|
echo 'SomeADMINpassword' | kinit admin
|
|
ipa trust-find
|
|
kdestroy -c test_krb5_cache -q -A
|
|
register: check_add_trust
|
|
failed_when: "trust_exists not in check_add_trust.stdout"
|
|
|
|
- name: Add trust with range_type 'ipa-ad-trust', again
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
admin: Administrator
|
|
range_type: ipa-ad-trust
|
|
password: "{{ adserver.password }}"
|
|
state: present
|
|
register: result
|
|
failed_when: result.failed or result.changed
|
|
|
|
- name: Delete 'ipa-ad-trust' trust
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
state: absent
|
|
register: result
|
|
failed_when: result.failed or not result.changed
|
|
|
|
- name: Check if 'ipa-ad-trust' trust was removed
|
|
shell: |
|
|
kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
|
ipa trust-find
|
|
kdestroy -c test_krb5_cache -q -A
|
|
register: check_add_trust
|
|
failed_when: "trust_exists in check_add_trust.stdout"
|
|
|
|
- name: Delete 'ipa-ad-trust' trust, again
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
state: absent
|
|
register: result
|
|
failed_when: result.failed or result.changed
|
|
|
|
- name: Clear test idranges
|
|
shell: |
|
|
kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
|
ipa idrange-del {{ adserver.realm }}_id_range || true
|
|
ipa idrange-del {{ ipaserver.realm }}_subid_range || true
|
|
kdestroy -c test_krb5_cache -q -A
|
|
|
|
- name: Add trust with range_type 'ipa-ad-trust-posix'
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
admin: Administrator
|
|
range_type: ipa-ad-trust-posix
|
|
password: "{{ adserver.password }}"
|
|
state: present
|
|
register: result
|
|
failed_when: result.failed or not result.changed
|
|
|
|
- name: Check if 'ipa-ad-trust-posix' trust exists
|
|
shell: |
|
|
kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
|
ipa trust-find
|
|
kdestroy -c test_krb5_cache -q -A
|
|
register: check_add_trust
|
|
failed_when: "trust_exists not in check_add_trust.stdout"
|
|
|
|
- name: Add trust with range_type 'ipa-ad-trust-posix', again
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
admin: Administrator
|
|
range_type: ipa-ad-trust-posix
|
|
password: "{{ adserver.password }}"
|
|
state: present
|
|
register: result
|
|
failed_when: result.failed or result.changed
|
|
|
|
- name: Delete 'ipa-ad-trust-posix' trust
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
state: absent
|
|
register: result
|
|
failed_when: result.failed or not result.changed
|
|
|
|
- name: Check if trust 'ipa-ad-trust-posix' was removed
|
|
shell: |
|
|
kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
|
ipa trust-find
|
|
kdestroy -c test_krb5_cache -q -A
|
|
register: check_del_trust
|
|
failed_when: "trust_exists in check_del_trust.stdout"
|
|
|
|
- name: Delete 'ipa-ad-trust-posix' trust, again
|
|
ipatrust:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
realm: "{{ adserver.domain }}"
|
|
state: absent
|
|
register: result
|
|
failed_when: result.failed or result.changed
|
|
|
|
- name: Clear test idranges
|
|
shell: |
|
|
kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
|
ipa idrange-del {{ adserver.realm }}_id_range || true
|
|
ipa idrange-del {{ ipaserver.realm }}_subid_range || true
|
|
kdestroy -c test_krb5_cache -q -A
|
|
|
|
when: trust_test_is_supported | default(false)
|