---
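# Exercises the ipahbacrule module's category options (usercategory,
# hostcategory, servicecategory) against the `ipaserver` host group.
#
# Test pattern used throughout:
#   * a task that must modify the rule asserts `result.changed`
#     (failed_when: not result.changed);
#   * the same task repeated ("again") asserts idempotency
#     (failed_when: result.changed);
#   * negative tasks must fail with a specific error message.
#
# A category of "all" makes the rule match every user, host or service, so
# the negative tasks check that the module rejects explicit members while
# the matching category is "all".
#
# NOTE(review): ipaadmin_password is a hard-coded test-lab credential. Keep
# this playbook to disposable test servers; anywhere else, supply the
# password from Ansible Vault or another secret store rather than in
# clear text.
- name: Test HBAC rule user category
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
    # Start from a clean state. `allusers` is included because the negative
    # tasks below reference it; they are expected to fail, but removing it
    # here ensures an earlier, partially failed run cannot leave an access
    # rule behind.
    - name: Ensure HBAC rules are absent
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name:
          - testrule
          - allusers
        state: absent

    # --- usercategory -----------------------------------------------------
    - name: Ensure HBAC rule is present, with usercategory 'all'
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        usercategory: "all"
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC rule is present, with usercategory 'all', again.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        usercategory: "all"
      register: result
      failed_when: result.changed

    # An empty string clears the category again.
    - name: Ensure HBAC rule is present, with no usercategory.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        usercategory: ""
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC rule is present, with no usercategory, again.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        usercategory: ""
      register: result
      failed_when: result.changed

    # --- hostcategory -----------------------------------------------------
    - name: Ensure HBAC rule is present, with hostcategory 'all'
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        hostcategory: "all"
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC rule is present, with hostcategory 'all', again.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        hostcategory: "all"
      register: result
      failed_when: result.changed

    - name: Ensure HBAC rule is present, with no hostcategory.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        hostcategory: ""
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC rule is present, with no hostcategory, again.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        hostcategory: ""
      register: result
      failed_when: result.changed

    # --- servicecategory --------------------------------------------------
    - name: Ensure HBAC rule is present, with servicecategory 'all'
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        servicecategory: "all"
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC rule is present, with servicecategory 'all', again.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        servicecategory: "all"
      register: result
      failed_when: result.changed

    - name: Ensure HBAC rule is present, with no servicecategory.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        servicecategory: ""
      register: result
      failed_when: not result.changed

    - name: Ensure HBAC rule is present, with no servicecategory, again.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
        servicecategory: ""
      register: result
      failed_when: result.changed

    # --- negative tests ---------------------------------------------------
    # Each task combines a category of "all" with an explicit member and
    # passes only if the module fails AND reports the expected message, so
    # an unrelated failure (for example an authentication error) is not
    # mistaken for the intended rejection.
    - name: Ensure `user` cannot be added if usercategory is `all`.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        user: shouldfail01
        usercategory: "all"
      register: result
      failed_when: not result.failed or "Users cannot be added when user category='all'" not in result.msg

    - name: Ensure `group` cannot be added if usercategory is `all`.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        group: shouldfail01
        usercategory: "all"
      register: result
      failed_when: not result.failed or "Users cannot be added when user category='all'" not in result.msg

    - name: Ensure `host` cannot be added if hostcategory is `all`.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        host: host.shouldfail.com
        hostcategory: "all"
      register: result
      failed_when: not result.failed or "Hosts cannot be added when host category='all'" not in result.msg

    - name: Ensure `hostgroup` cannot be added if hostcategory is `all`.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        hostgroup: shouldfail_hostgroup
        hostcategory: "all"
      register: result
      failed_when: not result.failed or "Hosts cannot be added when host category='all'" not in result.msg

    # NOTE(review): the task titles below say "hbacsvccategory"; the module
    # parameter actually exercised is `servicecategory`.
    - name: Ensure `hbacsvc` cannot be added if hbacsvccategory is `all`.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        hbacsvc: "HTTP/fail.example.com"
        servicecategory: "all"
      register: result
      failed_when: not result.failed or "Services cannot be added when service category='all'" not in result.msg

    - name: Ensure `hbacsvcgroup` cannot be added if hbacsvccategory is `all`.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        hbacsvcgroup: shouldfail_svcgroup
        servicecategory: "all"
      register: result
      failed_when: not result.failed or "Services cannot be added when service category='all'" not in result.msg

    # --- cleanup ----------------------------------------------------------
    # Remove every rule name this play touched so that no test access rule
    # stays on the server. `allusers` should never have been created, but
    # it is removed as well in case the module created it before rejecting
    # the member.
    - name: Ensure HBAC rules are absent
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name:
          - testrule
          - allusers
        state: absent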