mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 10:45:55 +00:00
22f31d02f2
When setting 'runasuser' or 'runasgroup' for a sudorule, either IPA or external users and groups can be used, but only IPA users and groups were being searched for when modifying the attributes, making this task not idempotent if an external group or user was used.. This patch fixes this issue by comparing users and groups to the IPA and external setting. The IPA CLI commands are slightly confusing, as the sudorule-add and sudorule-mod display separate options for internal and external users and groups, but these options are deprecated and do not work anymore, in favor of sudorule-add-runasuser and sudorule-add-runasgroup, which don't diferentiate between internal and external users, from the CLI user perspective.
922 lines
28 KiB
YAML
922 lines
28 KiB
YAML
---
|
|
|
|
- name: Test sudorule
|
|
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
become: true
|
|
gather_facts: true
|
|
|
|
tasks:
|
|
|
|
# setup
|
|
- name: Ensure user is absent
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: user01
|
|
state: absent
|
|
|
|
- name: Ensure group is absent
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: group01
|
|
state: absent
|
|
|
|
- name: Ensure user is present
|
|
ipauser:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: user01
|
|
first: user
|
|
last: zeroone
|
|
|
|
- name: Ensure group is present, with user01 on it.
|
|
ipagroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: group01
|
|
user: user01
|
|
|
|
- name: Ensure sudocmdgroup is absent
|
|
ipasudocmdgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: test_sudorule
|
|
state: absent
|
|
|
|
- name: Ensure hostgroup is present, with a host.
|
|
ipahostgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: cluster
|
|
host: "{{ ansible_facts['fqdn'] }}"
|
|
|
|
- name: Ensure some sudocmds are available
|
|
ipasudocmd:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name:
|
|
- /sbin/ifconfig
|
|
- /usr/bin/vim
|
|
state: present
|
|
|
|
- name: Ensure sudocmdgroup is available
|
|
ipasudocmdgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: test_sudorule
|
|
sudocmd: /usr/bin/vim
|
|
state: present
|
|
|
|
- name: Ensure sudorules are absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name:
|
|
- test_upstream_issue_664
|
|
- testrule1
|
|
- allusers
|
|
- allhosts
|
|
- allcommands
|
|
state: absent
|
|
|
|
# tests
|
|
|
|
- name: Ensure sudorule is present
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure user01 is on the list of users sudorule execute as.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
runasuser:
|
|
- user01
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure user01 is on the list of users sudorule execute as, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
runasuser:
|
|
- user01
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure user01 is not on the list of users sudorule execute as.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
runasuser:
|
|
- user01
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure user01 is not on the list of users sudorule execute as, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
runasuser:
|
|
- user01
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure group01 is on the list of group sudorule execute as.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
runasgroup:
|
|
- group01
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure group01 is on the list of group sudorule execute as, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
runasgroup:
|
|
- group01
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure group01 is not on the list of group sudorule execute as.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
runasgroup:
|
|
- group01
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure group01 is not on the list of groups sudorule execute as, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
runasgroup:
|
|
- group01
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with usercategory 'all'
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
usercategory: all
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with usercategory 'all', again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
usercategory: all
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is with usercategory 'all' is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with runasusercategory 'all'.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
runasusercategory: all
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with runasusercategory 'all', again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
runasusercategory: all
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is with runasusercategory 'all' is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with runasgroupcategory 'all'.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
runasgroupcategory: all
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with runasgroupcategory 'all', again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
runasgroupcategory: all
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is with runasgroupcategory 'all' is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with usercategory 'all'.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
usercategory: all
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with usercategory 'all', again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
usercategory: all
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with hostategory 'all'
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allhosts
|
|
hostcategory: all
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with hostategory 'all', again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allhosts
|
|
hostcategory: all
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is disabled
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
state: disabled
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is disabled, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
state: disabled
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is enabled
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
state: enabled
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is enabled, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
state: enabled
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure user is present in sudorule.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
user: user01
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure user is present in sudorule, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
user: user01
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure user is absent from sudorule.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
user: user01
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure user is absent from sudorule, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
user: user01
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure group is present in sudorule.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
group: group01
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure group is present in sudorule, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
group: group01
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure group is absent from sudorule.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
group: group01
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure group is absent from sudorule, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
group: group01
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule has a sudooption.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
sudooption: '!authenticate'
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule has a sudooption, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
sudooption: '!authenticate'
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule has an order.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
order: 1
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule has an order, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
order: 1
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule has another order.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
order: 10
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present and some sudocmd are allowed.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
allow_sudocmd:
|
|
- /sbin/ifconfig
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present and some sudocmd are allowed, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
allow_sudocmd:
|
|
- /sbin/ifconfig
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present and some sudocmd are denyed.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
deny_sudocmd:
|
|
- /usr/bin/vim
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present and some sudocmd are denyed, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
deny_sudocmd:
|
|
- /usr/bin/vim
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present and, sudocmds are absent.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
allow_sudocmd: /sbin/ifconfig
|
|
deny_sudocmd: /usr/bin/vim
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present and, sudocmds are absent, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
allow_sudocmd: /sbin/ifconfig
|
|
deny_sudocmd: /usr/bin/vim
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present with cmdcategory 'all'.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allcommands
|
|
cmdcategory: all
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present with cmdcategory 'all', again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allcommands
|
|
cmdcategory: all
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure host "{{ ansible_facts['fqdn'] }}" is present in sudorule.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
host: "{{ ansible_facts['fqdn'] }}"
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure host "{{ ansible_facts['fqdn'] }}" is present in sudorule, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
host: "{{ ansible_facts['fqdn'] }}"
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure hostgroup is present in sudorule.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
hostgroup: cluster
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure hostgroup is present in sudorule, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
hostgroup: cluster
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with an allow_sudocmdgroup.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
allow_sudocmdgroup: test_sudorule
|
|
state: present
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
allow_sudocmdgroup: test_sudorule
|
|
state: present
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
allow_sudocmdgroup: test_sudorule
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
allow_sudocmdgroup: test_sudorule
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with an deny_sudocmdgroup.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
deny_sudocmdgroup: test_sudorule
|
|
state: present
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
deny_sudocmdgroup: test_sudorule
|
|
state: present
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
deny_sudocmdgroup: test_sudorule
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
deny_sudocmdgroup: test_sudorule
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule is absent, again.
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: testrule1
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule allhosts is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allhosts
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule allhosts is absent, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allhosts
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule allusers is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule allusers is absent, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allusers
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule allcommands is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allcommands
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule allcommands is absent, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: allcommands
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule with external user in 'runasuser' is present
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasuser:
|
|
- apache
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule with external user in 'runasuser' is present, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasuser:
|
|
- apache
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule member external user in 'runasuser' is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasuser:
|
|
- apache
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule member external user in 'runasuser' is absent, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasuser:
|
|
- apache
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule member external user in 'runasuser' is present
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasuser:
|
|
- apache
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule member external user in 'runasuser' is present, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasuser:
|
|
- apache
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule with external group in 'runasgroup' is present
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasgroup:
|
|
- wheel
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule with external group in 'runasgroup' user is present, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasgroup:
|
|
- wheel
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule member external group in 'runasgroup' is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasgroup:
|
|
- wheel
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule member external group in 'runasgroup' is absent, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasgroup:
|
|
- wheel
|
|
action: member
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule member external group in 'runasgroup' is present
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasgroup:
|
|
- wheel
|
|
action: member
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sudorule member external group in 'runasgroup' is present, again
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
runasgroup:
|
|
- wheel
|
|
action: member
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sudorule 'test_upstream_issue_664' is absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: test_upstream_issue_664
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
# cleanup
|
|
- name: Ensure sudocmdgroup is absent
|
|
ipasudocmdgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: test_sudorule
|
|
state: absent
|
|
|
|
- name: Ensure sudocmds are absent
|
|
ipasudocmd:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name:
|
|
- /sbin/ifconfig
|
|
- /usr/bin/vim
|
|
state: absent
|
|
|
|
- name: Ensure sudorules are absent
|
|
ipasudorule:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name:
|
|
- test_upstream_issue_664
|
|
- testrule1
|
|
- allusers
|
|
- allhosts
|
|
- allcommands
|
|
state: absent
|
|
|
|
- name: Ensure hostgroup is absent.
|
|
ipahostgroup:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
name: cluster
|
|
state: absent
|