source-git / ansible-freeipa

Clone
Source Code
GIT

Files

  1.   8a9012d31c448db2cfb31a24aedcdffa95e3f618
  2.   tests
  3.   permission
  4.   test_permission.yml
Blob Blame History Raw 
---
- name: Test permission
  hosts: ipaserver
  become: true

  tasks:
  - include_tasks: ../env_freeipa_facts.yml

  - name: Ensure testing groups are present.
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: "{{ item }}"
      state: present
    with_items:
      - rbacgroup1
      - rbacgroup2

  # CLEANUP TEST ITEMS

  - name: Ensure permission perm-test-1 is absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name:
      - perm-test-1
      - perm-test-bindtype-test
      - perm-test-renamed
      state: absent

  # TESTS

  - name: Ensure permission perm-test-1 is present
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      object_type: host
      memberof: rbacgroup1
      filter: '(cn=*.ipa.*)'
      right: all
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 is present again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      object_type: host
      memberof: rbacgroup1
      filter: '(cn=*.ipa.*)'
      right: all
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-1 has an extra filter '(cn=*.internal.*)'
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      filter: '(cn=*.internal.*)'
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 has an extra filter '(cn=*.internal.*)', again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      filter: '(cn=*.internal.*)'
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-1 `right` has `write`
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      right: write
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 `right` has `write`, again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      right: write
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-1 `right` has no `write`
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      right: write
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 `right` has no `write`, again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      right: write
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-1 `memberof` has `rbackgroup2`
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      memberof: rbacgroup2
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 `memberof` has `rbackgroup2`, again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      memberof: rbacgroup2
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-1 `memberof` item `rbackgroup1` is absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      memberof: rbacgroup1
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 `memberof` item `rbackgroup1` is absent, again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      memberof: rbacgroup1
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-1 is present with attr carlicense
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      attrs:
      - carlicense
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 is present with attr carlicense again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      attrs:
      - carlicense
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-1 is present with attr carlicense and displayname
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      attrs:
      - carlicense
      - displayname
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 is present with attr carlicense and displayname again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      attrs:
      - carlicense
      - displayname
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure attr gecos is present in permission perm-test-1
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      attrs:
      - gecos
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure attr gecos is present in permission perm-test-1 again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      attrs:
      - gecos
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure attr gecos is absent in permission perm-test-1
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      attrs:
      - gecos
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure attr gecos is absent in permission perm-test-1 again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      attrs:
      - gecos
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure attributes carlicense and displayname are present in permission "System{{':'}} Update DNS Entries"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: "System: Update DNS Entries"
      attrs:
      - carlicense
      - displayname
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure attributes carlicense and displayname are present in permission "System{{':'}} Update DNS Entries" again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: "System: Update DNS Entries"
      attrs:
      - carlicense
      - displayname
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure attributes carlicense and displayname are present in permission "System{{':'}} Update DNS Entries"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: "System: Update DNS Entries"
      attrs:
      - carlicense
      - displayname
      action: member
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure attributes carlicense and displayname are present in permission "System{{':'}} Update DNS Entries" again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: "System: Update DNS Entries"
      attrs:
      - carlicense
      - displayname
      action: member
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-1 has rawfilter '(objectclass=ipagroup)'
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      rawfilter: '(objectclass=ipagroup)'
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 has rawfilter '(objectclass=ipagroup)', again
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      rawfilter: '(objectclass=ipagroup)'
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure filter and rawfilter cannot be used together.
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      rawfilter: '(objectclass=ipagroup)'
      filter: '(cn=*.internal.*)'
      action: member
    register: result
    failed_when: not result.failed or "Cannot specify target filter and extra target filter simultaneously" not in result.msg

  - name: Rename permission perm-test-1 to perm-test-renamed
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      rename: perm-test-renamed
      state: renamed
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure permission perm-test-1 is absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission perm-test-renamed is present
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-renamed
      object_type: host
      right: all
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure permission with bindtype 'self' is present, if IPA version >= 4.8.7
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-bindtype-test
      bindtype: self
      object_type: host
      right: all
    when: ipa_version is version('4.8.7', '>=')
    register: result
    failed_when: not result.changed or result.failed

  - name: Fail to set permission perm-test-renamed bindtype to 'self', if IPA version < 4.8.7
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: perm-test-bindtype-test
      bindtype: self
      object_type: host
      right: all
    when: ipa_version is version('4.8.7', '<')
    register: result
    failed_when: not result.failed or "Bindtype 'self' is not supported by your IPA version." not in result.msg

  # CLEANUP TEST ITEMS

  - name: Ensure testing permissions are absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name:
      - perm-test-1
      - perm-test-bindtype-test
      - perm-test-renamed
      state: absent

  - name: Ensure testing groups are absent.
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: "{{ item }}"
      state: absent
    with_items:
      - rbacgroup1
      - rbacgroup2

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation