mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 10:45:55 +00:00
The sudorule disabled test is lacking the register and failed_when lines. The lines have been added to verify that the task sets the changed flag and does not fail.
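---
# Test playbook for the ipasudorule module, run against the "ipaserver"
# host group.
#
# Pattern: every change is applied twice. The first run must report
# "changed"; the repeated ("again") run must report no change, which
# checks idempotency.
#
# failed_when replaces the module's own failure status. A condition of
# only "result.changed" would therefore let a module error (changed is
# false) pass an "again" check unnoticed, so every condition below also
# tests result.failed.
#
# ipaadmin_password is a fixed value for a disposable test server. On any
# other deployment, supply it from Ansible Vault or another secret store
# instead of hard-coding it in the playbook.

- name: Test sudorule
  hosts: ipaserver
  become: true
  # Facts are required: ansible_facts['fqdn'] is used for the host member.
  gather_facts: true

  tasks:

  # setup
  - name: Ensure user is absent
    ipauser:
      ipaadmin_password: SomeADMINpassword
      name: user01
      state: absent

  - name: Ensure group is absent
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: group01
      state: absent

  - name: Ensure user is present
    ipauser:
      ipaadmin_password: SomeADMINpassword
      name: user01
      first: user
      last: zeroone

  - name: Ensure group is present, with user01 on it.
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: group01
      user: user01

  - name: Ensure sudocmdgroup is absent
    ipasudocmdgroup:
      ipaadmin_password: SomeADMINpassword
      name: test_sudorule
      state: absent

  - name: Ensure hostgroup is present, with a host.
    ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: cluster
      host: "{{ ansible_facts['fqdn'] }}"

  - name: Ensure some sudocmds are available
    ipasudocmd:
      ipaadmin_password: SomeADMINpassword
      name:
      - /sbin/ifconfig
      - /usr/bin/vim
      state: present

  - name: Ensure sudocmdgroup is available
    ipasudocmdgroup:
      ipaadmin_password: SomeADMINpassword
      name: test_sudorule
      sudocmd: /usr/bin/vim
      state: present

  # Start from a clean slate: remove every rule the tests create.
  - name: Ensure sudorules are absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name:
      - testrule1
      - allusers
      - allhosts
      - allcommands
      state: absent

  # tests

  - name: Ensure sudorule is present
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present again
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure user01 is on the list of users sudorule execute as.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasuser:
      - user01
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure user01 is on the list of users sudorule execute as, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasuser:
      - user01
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure user01 is not on the list of users sudorule execute as.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasuser:
      - user01
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure user01 is not on the list of users sudorule execute as, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasuser:
      - user01
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure group01 is on the list of group sudorule execute as.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasgroup:
      - group01
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure group01 is on the list of group sudorule execute as, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasgroup:
      - group01
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure group01 is not on the list of group sudorule execute as.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasgroup:
      - group01
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure group01 is not on the list of groups sudorule execute as, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasgroup:
      - group01
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present, with usercategory 'all'
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      usercategory: all
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with usercategory 'all', again
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      usercategory: all
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is with usercategory 'all' is absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with runasusercategory 'all'.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      runasusercategory: all
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with runasusercategory 'all', again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      runasusercategory: all
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is with runasusercategory 'all' is absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with runasgroupcategory 'all'.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      runasgroupcategory: all
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with runasgroupcategory 'all', again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      runasgroupcategory: all
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is with runasgroupcategory 'all' is absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  # The allusers rule is recreated here and stays until the final removal
  # checks near the end of the test section.
  - name: Ensure sudorule is present, with usercategory 'all'.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      usercategory: all
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with usercategory 'all', again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      usercategory: all
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present, with hostategory 'all'
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      hostcategory: all
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with hostategory 'all', again
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      hostcategory: all
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is disabled
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      state: disabled
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is disabled, again
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      state: disabled
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is enabled
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      state: enabled
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is enabled, again
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      state: enabled
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure user is present in sudorule.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      user: user01
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure user is present in sudorule, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      user: user01
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure user is absent from sudorule.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      user: user01
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure user is absent from sudorule, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      user: user01
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure group is present in sudorule.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      group: group01
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure group is present in sudorule, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      group: group01
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure group is absent from sudorule.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      group: group01
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure group is absent from sudorule, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      group: group01
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  # '!authenticate' tells sudo not to prompt for a password under this
  # rule; it serves here as a sample option value. The quotes are needed
  # because a leading '!' would otherwise be read as a YAML tag.
  - name: Ensure sudorule has a sudooption.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      sudooption: '!authenticate'
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule has a sudooption, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      sudooption: '!authenticate'
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule has an order.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      order: 1
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule has an order, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      order: 1
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule has another order.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      order: 10
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present and some sudocmd are allowed.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmd:
      - /sbin/ifconfig
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present and some sudocmd are allowed, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmd:
      - /sbin/ifconfig
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present and some sudocmd are denyed.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      deny_sudocmd:
      - /usr/bin/vim
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present and some sudocmd are denyed, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      deny_sudocmd:
      - /usr/bin/vim
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present and, sudocmds are absent.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmd: /sbin/ifconfig
      deny_sudocmd: /usr/bin/vim
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present and, sudocmds are absent, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmd: /sbin/ifconfig
      deny_sudocmd: /usr/bin/vim
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present with cmdcategory 'all'.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allcommands
      cmdcategory: all
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present with cmdcategory 'all', again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allcommands
      cmdcategory: all
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure host "{{ ansible_facts['fqdn'] }}" is present in sudorule.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      host: "{{ ansible_facts['fqdn'] }}"
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure host "{{ ansible_facts['fqdn'] }}" is present in sudorule, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      host: "{{ ansible_facts['fqdn'] }}"
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure hostgroup is present in sudorule.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      hostgroup: cluster
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure hostgroup is present in sudorule, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      hostgroup: cluster
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present, with an allow_sudocmdgroup.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmdgroup: test_sudorule
      state: present
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmdgroup: test_sudorule
      state: present
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmdgroup: test_sudorule
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  # Task name gained ", again" so it no longer duplicates the previous
  # task's name in run output and task selection by name.
  - name: Ensure sudorule is present, but allow_sudocmdgroup is absent, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmdgroup: test_sudorule
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present, with an deny_sudocmdgroup.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      deny_sudocmdgroup: test_sudorule
      state: present
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      deny_sudocmdgroup: test_sudorule
      state: present
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      deny_sudocmdgroup: test_sudorule
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      deny_sudocmdgroup: test_sudorule
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule is absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule is absent, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule allhosts is absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule allhosts is absent, again
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule allusers is absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule allusers is absent, again
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allusers
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure sudorule allcommands is absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allcommands
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure sudorule allcommands is absent, again
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: allcommands
      state: absent
    register: result
    failed_when: result.changed or result.failed

  # cleanup
  # NOTE(review): user01 and group01 created during setup are not removed
  # in this section; confirm whether leaving them on the server is intended.
  - name: Ensure sudocmdgroup is absent
    ipasudocmdgroup:
      ipaadmin_password: SomeADMINpassword
      name: test_sudorule
      state: absent

  - name: Ensure sudocmds are absent
    ipasudocmd:
      ipaadmin_password: SomeADMINpassword
      name:
      - /sbin/ifconfig
      - /usr/bin/vim
      state: absent

  - name: Ensure sudorules are absent
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name:
      - testrule1
      - allusers
      - allhosts
      - allcommands
      state: absent

  - name: Ensure hostgroup is absent.
    ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: cluster
      state: absent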