mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 02:35:54 +00:00
b87b346a0a
FreeIPA provides a default hbacsvcgroup named "Sudo", with capital 'S', that is different from every other hbacsvcgroup, which are all represented by lower case letters. As data from IPA API was not modified, this causes an idempotence error when using different capitalization with the 'hbacsvcgroup' parameter. This patch fixes the issue by using the CaseInsensitive comparator to create the hbacsvcgroup list. Tests were update to make sure a regression is not included in the future.
560 lines
16 KiB
YAML
560 lines
16 KiB
YAML
---
|
|
- name: Test group
|
|
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
become: no
|
|
gather_facts: yes
|
|
|
|
vars:
|
|
user_list:
|
|
- User1
|
|
- uSer2
|
|
- usEr3
|
|
group_list:
|
|
- Group1
|
|
- gRoup2
|
|
- grOup3
|
|
host_list:
|
|
- HoSt01
|
|
- hOsT02
|
|
hostgroup_list:
|
|
- TestHostGroup
|
|
hbacsvc_list:
|
|
- Svc1
|
|
- sVC2
|
|
hbacsvcgroup_list:
|
|
- sVCgrOUp1
|
|
|
|
tasks:
|
|
- name: Include tasks ../env_freeipa_facts.yml
|
|
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
|
|
|
|
- name: Test hbacrule member case insensitive
|
|
block:
|
|
# setup
|
|
|
|
- name: Ensure test hbacrule is absent
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
state: absent
|
|
|
|
- name: Ensure test users are present
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
users:
|
|
- name: "{{ item }}"
|
|
first: First
|
|
last: Last
|
|
with_items: "{{ user_list }}"
|
|
|
|
- name: Ensure test groups are present
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}"
|
|
with_items: "{{ group_list }}"
|
|
|
|
- name: Ensure test hosts are present
|
|
ipahost:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}.{{ ipaserver_domain }}"
|
|
force: yes
|
|
with_items: "{{ host_list }}"
|
|
|
|
- name: Ensure test hostgroups are present
|
|
ipahostgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}"
|
|
with_items: "{{ hostgroup_list }}"
|
|
|
|
- name: Ensure test hbac services are present
|
|
ipahbacsvc:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}"
|
|
with_items: "{{ hbacsvc_list }}"
|
|
|
|
- name: Ensure test hbac service groups are present
|
|
ipahbacsvcgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}"
|
|
with_items: "{{ hbacsvcgroup_list }}"
|
|
|
|
# Test with action: hbacrule
|
|
|
|
- name: Check if hbacrule present with members would trigger changes, mixed case
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] }}"
|
|
- "{{ user_list[2] }}"
|
|
group:
|
|
- "{{ group_list[1] }}"
|
|
- "{{ group_list[2] }}"
|
|
host:
|
|
- "{{ host_list[0] }}"
|
|
- "{{ host_list[1] }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] }}"
|
|
- "{{ hbacsvc_list[1] }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] }}"
|
|
- Sudo
|
|
check_mode: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule is present with members, mixed case
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] }}"
|
|
- "{{ user_list[2] }}"
|
|
group:
|
|
- "{{ group_list[1] }}"
|
|
- "{{ group_list[2] }}"
|
|
host:
|
|
- "{{ host_list[0] }}"
|
|
- "{{ host_list[1] }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] }}"
|
|
- "{{ hbacsvc_list[1] }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] }}"
|
|
- Sudo
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Check if hbacrule present with members would not trigger changes, mixed case
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] }}"
|
|
- "{{ user_list[2] }}"
|
|
group:
|
|
- "{{ group_list[1] }}"
|
|
- "{{ group_list[2] }}"
|
|
host:
|
|
- "{{ host_list[0] }}"
|
|
- "{{ host_list[1] }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] }}"
|
|
- "{{ hbacsvc_list[1] }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] }}"
|
|
- Sudo
|
|
check_mode: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule is present with members, lowercase
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] | lower }}"
|
|
- "{{ user_list[2] | lower }}"
|
|
group:
|
|
- "{{ group_list[1] | lower }}"
|
|
- "{{ group_list[2] | lower }}"
|
|
host:
|
|
- "{{ host_list[0] | lower }}"
|
|
- "{{ host_list[1] | lower }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] | lower }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] | lower }}"
|
|
- "{{ hbacsvc_list[1] | lower }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] | lower }}"
|
|
- sudo
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule is present with members, upercase
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] | upper }}"
|
|
- "{{ user_list[2] | upper }}"
|
|
group:
|
|
- "{{ group_list[1] | upper }}"
|
|
- "{{ group_list[2] | upper }}"
|
|
host:
|
|
- "{{ host_list[0] | upper }}"
|
|
- "{{ host_list[1] | upper }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] | upper }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] | upper }}"
|
|
- "{{ hbacsvc_list[1] | upper }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] | upper }}"
|
|
- SUDO
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure test hbacrule is absent
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
state: absent
|
|
|
|
# Test with action: members
|
|
|
|
- name: Ensure test hbacrule is present
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
|
|
- name: Check if hbacrule members present would trigger changes, mixed case
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] }}"
|
|
- "{{ user_list[2] }}"
|
|
group:
|
|
- "{{ group_list[1] }}"
|
|
- "{{ group_list[2] }}"
|
|
host:
|
|
- "{{ host_list[0] }}"
|
|
- "{{ host_list[1] }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] }}"
|
|
- "{{ hbacsvc_list[1] }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] }}"
|
|
- Sudo
|
|
check_mode: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule members present, mixed case
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] }}"
|
|
- "{{ user_list[2] }}"
|
|
group:
|
|
- "{{ group_list[1] }}"
|
|
- "{{ group_list[2] }}"
|
|
host:
|
|
- "{{ host_list[0] }}"
|
|
- "{{ host_list[1] }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] }}"
|
|
- "{{ hbacsvc_list[1] }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] }}"
|
|
- Sudo
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Check if hbacrule members present would not trigger changes, mixed case
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] }}"
|
|
- "{{ user_list[2] }}"
|
|
group:
|
|
- "{{ group_list[1] }}"
|
|
- "{{ group_list[2] }}"
|
|
host:
|
|
- "{{ host_list[0] }}"
|
|
- "{{ host_list[1] }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] }}"
|
|
- "{{ hbacsvc_list[1] }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] }}"
|
|
- Sudo
|
|
check_mode: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule members present, lowercase
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] | lower }}"
|
|
- "{{ user_list[2] | lower }}"
|
|
group:
|
|
- "{{ group_list[1] | lower }}"
|
|
- "{{ group_list[2] | lower }}"
|
|
host:
|
|
- "{{ host_list[0] | lower }}"
|
|
- "{{ host_list[1] | lower }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] | lower }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] | lower }}"
|
|
- "{{ hbacsvc_list[1] | lower }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] | lower }}"
|
|
- sudo
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule members present, upercase
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] | upper }}"
|
|
- "{{ user_list[2] | upper }}"
|
|
group:
|
|
- "{{ group_list[1] | upper }}"
|
|
- "{{ group_list[2] | upper }}"
|
|
host:
|
|
- "{{ host_list[0] | upper }}"
|
|
- "{{ host_list[1] | upper }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] | upper }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] | upper }}"
|
|
- "{{ hbacsvc_list[1] | upper }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] | upper }}"
|
|
- SUDO
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
# Test absent members
|
|
|
|
- name: Check if hbacrule members absent would trigger change, upercase
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] | upper }}"
|
|
- "{{ user_list[2] | upper }}"
|
|
group:
|
|
- "{{ group_list[1] | upper }}"
|
|
- "{{ group_list[2] | upper }}"
|
|
host:
|
|
- "{{ host_list[0] | upper }}"
|
|
- "{{ host_list[1] | upper }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] | upper }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] | upper }}"
|
|
- "{{ hbacsvc_list[1] | upper }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] | upper }}"
|
|
- SUDO
|
|
action: member
|
|
state: absent
|
|
check_mode: yes
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule members are absent, upercase
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] | upper }}"
|
|
- "{{ user_list[2] | upper }}"
|
|
group:
|
|
- "{{ group_list[1] | upper }}"
|
|
- "{{ group_list[2] | upper }}"
|
|
host:
|
|
- "{{ host_list[0] | upper }}"
|
|
- "{{ host_list[1] | upper }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] | upper }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] | upper }}"
|
|
- "{{ hbacsvc_list[1] | upper }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] | upper }}"
|
|
- SUDO
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Check if hbacrule members absent would not trigger change, upercase
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] | upper }}"
|
|
- "{{ user_list[2] | upper }}"
|
|
group:
|
|
- "{{ group_list[1] | upper }}"
|
|
- "{{ group_list[2] | upper }}"
|
|
host:
|
|
- "{{ host_list[0] | upper }}"
|
|
- "{{ host_list[1] | upper }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] | upper }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] | upper }}"
|
|
- "{{ hbacsvc_list[1] | upper }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] | upper }}"
|
|
- SUDO
|
|
action: member
|
|
state: absent
|
|
check_mode: yes
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule members are absent, mixed case
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] }}"
|
|
- "{{ user_list[2] }}"
|
|
group:
|
|
- "{{ group_list[1] }}"
|
|
- "{{ group_list[2] }}"
|
|
host:
|
|
- "{{ host_list[0] }}"
|
|
- "{{ host_list[1] }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] }}"
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure hbacrule members are absent, lowercase
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: testrule
|
|
user:
|
|
- "{{ user_list[1] | lower }}"
|
|
- "{{ user_list[2] | lower }}"
|
|
group:
|
|
- "{{ group_list[1] | lower }}"
|
|
- "{{ group_list[2] | lower }}"
|
|
host:
|
|
- "{{ host_list[0] | lower }}"
|
|
- "{{ host_list[1] | lower }}"
|
|
hostgroup:
|
|
- "{{ hostgroup_list[0] | lower }}"
|
|
hbacsvc:
|
|
- "{{ hbacsvc_list[0] | lower }}"
|
|
- "{{ hbacsvc_list[1] | lower }}"
|
|
hbacsvcgroup:
|
|
- "{{ hbacsvcgroup_list[0] | lower }}"
|
|
- sudo
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
# Specifically test 'Sudo', as FreeIPA adds a "Sudo" hbacsvcgroup instead of "sudo"
|
|
- name: Ensure 'sudo' works as hbacsvcgroup.
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "test_sudo"
|
|
hbacsvcgroup:
|
|
- sudo
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure 'sudo' works as hbacsvcgroup, again.
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "test_sudo"
|
|
hbacsvcgroup:
|
|
- sudo
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure 'sudo' works as hbacsvcgroup, action member.
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "test_sudo"
|
|
hbacsvcgroup:
|
|
- sudo
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure 'Sudo' works as hbacsvcgroup, action member.
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "test_sudo"
|
|
hbacsvcgroup:
|
|
- Sudo
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
always:
|
|
- name: Ensure test hbacrule is absent
|
|
ipahbacrule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name:
|
|
- testrule
|
|
- test_sudo
|
|
state: absent
|
|
|
|
- name: Ensure test users are absent
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
users:
|
|
- name: "{{ item }}"
|
|
state: absent
|
|
with_items: "{{ user_list }}"
|
|
|
|
- name: Ensure test groups are absent
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}"
|
|
state: absent
|
|
with_items: "{{ group_list }}"
|
|
|
|
- name: Ensure test hosts are absent
|
|
ipahost:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}.{{ ipaserver_domain }}"
|
|
state: absent
|
|
with_items: "{{ host_list }}"
|
|
|
|
- name: Ensure test hostgroups are absent
|
|
ipahostgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}"
|
|
state: absent
|
|
with_items: "{{ hostgroup_list }}"
|
|
|
|
- name: Ensure test hbac services are absent
|
|
ipahbacsvc:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}"
|
|
state: absent
|
|
with_items: "{{ hbacsvc_list }}"
|
|
|
|
- name: Ensure test hbac service groups are absent
|
|
ipahbacsvcgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: "{{ item }}"
|
|
state: absent
|
|
with_items: "{{ hbacsvcgroup_list }}"
|