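---
# Integration test for the ipasudorule module's category parameters
# (usercategory, hostcategory, cmdcategory, runasusercategory,
# runasgroupcategory). For each one the rule 'allusers' is set to 'all',
# re-applied to confirm idempotency (no change), cleared with "" and
# re-applied again. The last tasks check that explicit members are
# rejected while the matching category is 'all'.
#
# ipaadmin_password is a fixed fixture value for the test environment;
# outside of tests supply it from a vaulted variable rather than a literal.
- name: Test sudorule user category
  hosts: ipaserver
  become: true
  gather_facts: true

  tasks:
    # Domain = first ipaserver inventory host with its first label dropped,
    # e.g. "ipa.example.test" -> "example.test".
    - name: Get Domain from the server name
      set_fact:
        ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"

    # Start from a clean state; no failed_when, the rule may not exist yet.
    - name: Ensure sudorules are absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name:
          - allusers
        state: absent

    - name: Ensure sudorule is present, with usercategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with usercategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with no usercategory.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: ""
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with no usercategory, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: ""
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with hostcategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        hostcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with hostcategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        hostcategory: all
      register: result
      failed_when: result.changed

    # Task name fixed: this step clears hostcategory, not usercategory.
    - name: Ensure sudorule is present, with no hostcategory.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        hostcategory: ""
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with no hostcategory, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        hostcategory: ""
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with cmdcategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        cmdcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with cmdcategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        cmdcategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with no cmdcategory.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        cmdcategory: ""
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with no cmdcategory, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        cmdcategory: ""
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with runasusercategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasusercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasusercategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasusercategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with no runasusercategory.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasusercategory: ""
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with no runasusercategory, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasusercategory: ""
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with runasgroupcategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasgroupcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasgroupcategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasgroupcategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with no runasgroupcategory.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasgroupcategory: ""
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with no runasgroupcategory, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasgroupcategory: ""
      register: result
      failed_when: result.changed

    # The rule was created above, so this removal must report a change.
    - name: Ensure sudorules are absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name:
          - allusers
        state: absent
      register: result
      failed_when: not result.changed

    # Negative checks: a member of a given kind must be rejected while the
    # corresponding category is 'all'. Each task is expected to fail with
    # the module's error text, so failed_when inverts the usual condition.
    - name: Ensure `host` cannot be added if hostcategory is `all`.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        description: sudo rule
        host: "{{ 'shouldfail.' + ipaserver_domain }}"
        hostcategory: "all"
      register: result
      failed_when: not result.failed or "Hosts cannot be added when host category='all'" not in result.msg

    - name: Ensure `hostgroup` cannot be added if hostcategory is `all`.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        description: sudo rule
        hostgroup: shouldfail_hostgroup
        hostcategory: "all"
      register: result
      failed_when: not result.failed or "Hosts cannot be added when host category='all'" not in result.msg

    - name: Ensure `user` cannot be added if usercategory is `all`.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        description: sudo rule
        user: "shouldfail01"
        usercategory: "all"
      register: result
      failed_when: not result.failed or "Users cannot be added when user category='all'" not in result.msg

    - name: Ensure `group` cannot be added if usercategory is `all`.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        description: sudo rule
        group: "shouldfail01"
        usercategory: "all"
      register: result
      failed_when: not result.failed or "Users cannot be added when user category='all'" not in result.msg

    - name: Ensure `command` cannot be added if cmdcategory is `all`.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        description: sudo rule
        allow_sudocmd: "/bin/shouldfail"
        cmdcategory: "all"
      register: result
      failed_when: not result.failed or "Commands cannot be added when command category='all'" not in result.msg

    - name: Ensure `command group` cannot be added if cmdcategory is `all`.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        description: sudo rule
        allow_sudocmdgroup: shouldfail_cmdgroup
        cmdcategory: "all"
      register: result
      failed_when: not result.failed or "Commands cannot be added when command category='all'" not in result.msg

    # cleanup
    - name: Ensure sudorules are absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name:
          - allusers
        state: absent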