---

- name: Tests

  hosts: ipaserver

  become: true

  gather_facts: false

  tasks:

  - name: Ensure hostgroup is present, with a host.

    ipahostgroup:

      ipaadmin_password: MyPassword123

      name: cluster

      host:

      - "{{ groups.ipaserver[0] }}"

  - name: Ensure some sudocmds are available

    ipasudocmd:

      ipaadmin_password: MyPassword123

      name:

          - /sbin/ifconfig

          - /usr/bin/vim

      state: present

  - name: Ensure sudocmdgroup is available

    ipasudocmdgroup:

      ipaadmin_password: MyPassword123

      name: test_sudorule

      sudocmd: /usr/bin/vim

      state: present

  - name: Ensure sudorules are absent

    ipasudorule:

      ipaadmin_password: MyPassword123

      name:

      - testrule1

      - allusers

      - allhosts

      - allcommands

      state: absent

  - name: Ensure sudorule is present

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present again

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present, runAsUserCategory.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      runAsUserCategory: all

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present, with usercategory 'all'

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allusers

      usercategory: all

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present, with usercategory 'all', again

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allusers

      usercategory: all

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present, with hostategory 'all'

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allhosts

      hostcategory: all

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present, with hostategory 'all', again

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allhosts

      hostcategory: all

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is disabled

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      state: disabled

  - name: Ensure sudorule is disabled, again

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      state: disabled

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is enabled

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      state: enabled

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is enabled, again

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      state: enabled

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present and some sudocmd are allowed.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      allow_sudocmd:

      - /sbin/ifconfig

      action: member

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present and some sudocmd are allowed, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      allow_sudocmd:

      - /sbin/ifconfig

      action: member

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present and some sudocmd are denyed.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      deny_sudocmd:

      - /usr/bin/vim

      action: member

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present and some sudocmd are denyed, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      deny_sudocmd:

      - /usr/bin/vim

      action: member

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present and, sudocmds are absent.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      allow_sudocmd: /sbin/ifconfig

      deny_sudocmd: /usr/bin/vim

      action: member

      state: absent

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present and, sudocmds are absent, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      allow_sudocmd: /sbin/ifconfig

      deny_sudocmd: /usr/bin/vim

      action: member

      state: absent

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present with cmdcategory 'all'.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allcommands

      cmdcategory: all

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present with cmdcategory 'all', again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allcommands

      cmdcategory: all

    register: result

    failed_when: result.changed

  - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      host: "{{ groups.ipaserver[0] }}"

      action: member

    register: result

    failed_when: not result.changed

  - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      host: "{{ groups.ipaserver[0] }}"

      action: member

    register: result

    failed_when: result.changed

  - name: Ensure hostgroup is present in sudorule.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      hostgroup: cluster

      action: member

    register: result

    failed_when: not result.changed

  - name: Ensure hostgroup is present in sudorule, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      hostgroup: cluster

      action: member

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present, with an allow_sudocmdgroup.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      allow_sudocmdgroup: test_sudorule

      state: present

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present, with an allow_sudocmdgroup, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      allow_sudocmdgroup: test_sudorule

      state: present

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      allow_sudocmdgroup: test_sudorule

      action: member

      state: absent

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      allow_sudocmdgroup: test_sudorule

      action: member

      state: absent

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present, with an deny_sudocmdgroup.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      deny_sudocmdgroup: test_sudorule

      state: present

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present, with an deny_sudocmdgroup, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      deny_sudocmdgroup: test_sudorule

      state: present

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is present, but deny_sudocmdgroup is absent.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      deny_sudocmdgroup: test_sudorule

      action: member

      state: absent

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      deny_sudocmdgroup: test_sudorule

      action: member

      state: absent

    register: result

    failed_when: result.changed

  - name: Ensure sudorule is absent

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      state: absent

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule is absent, again.

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: testrule1

      state: absent

    register: result

    failed_when: result.changed

  - name: Ensure sudorule allhosts is absent

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allhosts

      state: absent

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule allhosts is absent, again

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allhosts

      state: absent

    register: result

    failed_when: result.changed

  - name: Ensure sudorule allusers is absent

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allusers

      state: absent

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule allusers is absent, again

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allusers

      state: absent

    register: result

    failed_when: result.changed

  - name: Ensure sudorule allcommands is absent

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allcommands

      state: absent

    register: result

    failed_when: not result.changed

  - name: Ensure sudorule allcommands is absent, again

    ipasudorule:

      ipaadmin_password: MyPassword123

      name: allcommands

      state: absent

    register: result

    failed_when: result.changed

  # cleanup

  - name : Ensure sudocmdgroup is absent

    ipasudocmdgroup:

      ipaadmin_password: MyPassword123

      name: test_sudorule

      state: absent

  - name: Ensure hostgroup is absent.

    ipahostgroup:

      ipaadmin_password: MyPassword123

      name: cluster

      state: absent

  - name: Ensure sudocmds are absent

    ipasudocmd:

      ipaadmin_password: MyPassword123

      name:

      - /sbin/ifconfig

      - /usr/bin/vim

      state: absent