mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 02:35:54 +00:00
88f84cefee
Due to Ansible filtering out values in the output that might be match values in sensible attributes that have `no_log` set, if a module need to return data to the controller, it cannot rely on `ansible_module.exit_json` if there is a chance that a partial match may occur. See: https://github.com/ansible/ansible/issues/71789 The change provided here uses the same implementation that is used on Ansible's `AnsibleModule.exit_json`, without the data filtering layer, so every attribute with be printed and, therefore, logged by Ansible. This is needed for the Vault module, as we need to return values that are explicit requested by the user and that might, at least partially, match the values in attributes with `no_log` set. Tests that reproduced the issue, and show it was fixed were provided for all Vault types.
355 lines
11 KiB
YAML
355 lines
11 KiB
YAML
---
|
|
- name: Test vault
|
|
hosts: ipaserver
|
|
become: true
|
|
# Need to gather facts for ansible_env.
|
|
gather_facts: true
|
|
|
|
tasks:
|
|
- name: Setup testing environment.
|
|
import_tasks: env_setup.yml
|
|
|
|
- name: Ensure symmetric vault is present
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
vault_type: symmetric
|
|
password: SomeVAULTpassword
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is present, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
vault_type: symmetric
|
|
password: SomeVAULTpassword
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Archive data to symmetric vault, matching `no_log` field.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
vault_data: SomeADMINpassword
|
|
password: SomeVAULTpassword
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from symmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'SomeADMINpassword' or result.changed
|
|
|
|
- name: Archive data to symmetric vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
vault_data: Hello World.
|
|
password: SomeVAULTpassword
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from symmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
|
|
- name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
out: "{{ ansible_env.HOME }}/data.txt"
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.changed or result.failed or (result.vault.data | default(false))
|
|
|
|
- name: Verify retrieved data.
|
|
slurp:
|
|
src: "{{ ansible_env.HOME }}/data.txt"
|
|
register: slurpfile
|
|
failed_when: slurpfile['content'] | b64decode != 'Hello World.'
|
|
|
|
- name: Archive data with non-ASCII characters to symmetric vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
vault_data: The world of π is half rounded.
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from symmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'The world of π is half rounded.' or result.changed
|
|
|
|
- name: Archive data in symmetric vault, from file.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
in: "{{ ansible_env.HOME }}/in.txt"
|
|
password: SomeVAULTpassword
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from symmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'Another World.' or result.changed
|
|
|
|
- name: Archive data with single character to symmetric vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
vault_data: c
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from symmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'c' or result.changed
|
|
|
|
- name: Ensure symmetric vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is absent, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Ensure symmetric vault is present, with password from file.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is present, with password from file, again.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
username: user01
|
|
password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Archive data to symmetric vault
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
vault_data: Hello World.
|
|
password: SomeVAULTpassword
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from symmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
|
|
- name: Retrieve data from symmetric vault, with password file.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
|
|
- name: Retrieve data from symmetric vault, with wrong password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeWRONGpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: not result.failed or "Invalid credentials" not in result.msg
|
|
|
|
- name: Change vault password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
new_password: SomeNEWpassword
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Retrieve data from symmetric vault, with new password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeNEWpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
|
|
- name: Retrieve data from symmetric vault, with old password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: not result.failed or "Invalid credentials" not in result.msg
|
|
|
|
- name: Change symmetric vault salt, changing password
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeNEWpassword
|
|
new_password: SomeVAULTpassword
|
|
salt: AAAAAAAAAAAAAAAAAAAAAAA=
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Change symmetric vault salt, without changing password
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
new_password: SomeVAULTpassword
|
|
salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Try to change symmetric vault salt, without providing any password
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
|
|
register: result
|
|
failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg
|
|
|
|
- name: Try to change symmetric vault salt, without providing `password`
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
|
|
new_password: SomeVAULTpassword
|
|
register: result
|
|
failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg
|
|
|
|
- name: Try to change symmetric vault salt, without providing `new_password`
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
|
|
password: SomeVAULTpassword
|
|
register: result
|
|
failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg
|
|
|
|
- name: Try to change symmetric vault salt, using wrong password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeWRONGpassword
|
|
new_password: SomeWRONGpassword
|
|
salt: MDEyMzQ1Njc4OTAxMjM0NQo=
|
|
register: result
|
|
failed_when: not result.failed
|
|
|
|
- name: Ensure symmetric vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Ensure symmetric vault is absent, again
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
- name: Try to change password of inexistent vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: inexistentvault
|
|
password: SomeVAULTpassword
|
|
new_password: SomeNEWpassword
|
|
register: result
|
|
failed_when: not result.failed or "Cannot modify password of inexistent vault" not in result.msg
|
|
|
|
- name: Ensure symmetric vault is present
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
vault_type: symmetric
|
|
password: APasswordToChange
|
|
vault_data: Hello World.
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Change symmetric vault password, using password file.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: APasswordToChange
|
|
new_password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
vault_type: symmetric
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Retrieve data from symmetric vault.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
|
|
- name: Ensure symmetric vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- name: Cleanup testing environment.
|
|
import_tasks: env_cleanup.yml
|