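---
# Integration test for the ipasudorule module.
#
# Layout: "setup" creates the users, groups, hosts and sudo commands the
# rule tests need; "tests" exercises the module; "cleanup" removes everything
# again. Each test change is applied twice: the first run must report
# `changed`, the immediate rerun must not (idempotence check via failed_when).
#
# The ipaadmin_password values below are a fixed test fixture; in a real
# playbook take the password from a vaulted variable instead of a literal.
- name: Test sudorule
  hosts: ipaserver
  become: true
  # Facts are required: several tasks reference ansible_fqdn.
  gather_facts: true

  tasks:

    # setup
    - name: Ensure user is absent
      ipauser:
        ipaadmin_password: SomeADMINpassword
        name: user01
        state: absent

    - name: Ensure group is absent
      ipagroup:
        ipaadmin_password: SomeADMINpassword
        name: group01
        state: absent

    - name: Ensure user is present
      ipauser:
        ipaadmin_password: SomeADMINpassword
        name: user01
        first: user
        last: zeroone

    - name: Ensure group is present, with user01 as a member.
      ipagroup:
        ipaadmin_password: SomeADMINpassword
        name: group01
        user: user01

    - name: Ensure sudocmdgroup is absent
      ipasudocmdgroup:
        ipaadmin_password: SomeADMINpassword
        name: test_sudorule
        state: absent

    - name: Ensure hostgroup is present, with a host.
      ipahostgroup:
        ipaadmin_password: SomeADMINpassword
        name: cluster
        host: "{{ ansible_fqdn }}"

    - name: Ensure some sudocmds are available
      ipasudocmd:
        ipaadmin_password: SomeADMINpassword
        name:
          - /sbin/ifconfig
          - /usr/bin/vim
        state: present

    - name: Ensure sudocmdgroup is available
      ipasudocmdgroup:
        ipaadmin_password: SomeADMINpassword
        name: test_sudorule
        sudocmd: /usr/bin/vim
        state: present

    - name: Ensure sudorules are absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name:
          - testrule1
          - allusers
          - allhosts
          - allcommands
        state: absent

    # tests

    - name: Ensure sudorule is present
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
      register: result
      failed_when: result.changed

    # `action: member` limits the task to membership handling of the named
    # rule; the rule's other settings are left untouched.
    - name: Ensure user01 is on the list of users sudorule execute as.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasuser:
          - user01
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure user01 is on the list of users sudorule execute as, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasuser:
          - user01
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure user01 is not on the list of users sudorule execute as.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasuser:
          - user01
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure user01 is not on the list of users sudorule execute as, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasuser:
          - user01
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure group01 is on the list of groups sudorule execute as.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasgroup:
          - group01
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure group01 is on the list of groups sudorule execute as, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasgroup:
          - group01
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure group01 is not on the list of groups sudorule execute as.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasgroup:
          - group01
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure group01 is not on the list of groups sudorule execute as, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasgroup:
          - group01
        action: member
        state: absent
      register: result
      failed_when: result.changed

    # Category tests: each category is set on a fresh rule, verified
    # idempotent, and the rule is removed before the next category is tried.
    - name: Ensure sudorule is present, with usercategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with usercategory 'all', again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule with usercategory 'all' is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasusercategory 'all'.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasusercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasusercategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasusercategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule with runasusercategory 'all' is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasgroupcategory 'all'.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasgroupcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasgroupcategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasgroupcategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule with runasgroupcategory 'all' is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: not result.changed

    # Recreated here so that the "allusers" rule exists for the final cleanup
    # checks at the end of the tests section.
    - name: Ensure sudorule is present, with usercategory 'all'.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with usercategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with hostcategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allhosts
        hostcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with hostcategory 'all', again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allhosts
        hostcategory: all
      register: result
      failed_when: result.changed

    # testrule1 was created enabled above, so the first disable must change.
    - name: Ensure sudorule is disabled
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: disabled
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is disabled, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: disabled
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is enabled
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: enabled
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is enabled, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: enabled
      register: result
      failed_when: result.changed

    - name: Ensure user is present in sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        user: user01
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure user is present in sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        user: user01
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure user is absent from sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        user: user01
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure user is absent from sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        user: user01
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure group is present in sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        group: group01
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure group is present in sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        group: group01
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure group is absent from sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        group: group01
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure group is absent from sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        group: group01
        action: member
        state: absent
      register: result
      failed_when: result.changed

    # The option value must stay quoted: a leading '!' is a YAML tag indicator.
    - name: Ensure sudorule has a sudooption.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        sudooption: '!authenticate'
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule has a sudooption, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        sudooption: '!authenticate'
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure sudorule has an order.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        order: 1
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule has an order, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        order: 1
      register: result
      failed_when: result.changed

    - name: Ensure sudorule has another order.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        order: 10
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present and some sudocmd are allowed.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmd:
          - /sbin/ifconfig
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present and some sudocmd are allowed, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmd:
          - /sbin/ifconfig
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present and some sudocmd are denied.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmd:
          - /usr/bin/vim
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present and some sudocmd are denied, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmd:
          - /usr/bin/vim
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present and sudocmds are absent.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmd: /sbin/ifconfig
        deny_sudocmd: /usr/bin/vim
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present and sudocmds are absent, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmd: /sbin/ifconfig
        deny_sudocmd: /usr/bin/vim
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present with cmdcategory 'all'.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allcommands
        cmdcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present with cmdcategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allcommands
        cmdcategory: all
      register: result
      failed_when: result.changed

    - name: Ensure host "{{ ansible_fqdn }}" is present in sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        host: "{{ ansible_fqdn }}"
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure host "{{ ansible_fqdn }}" is present in sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        host: "{{ ansible_fqdn }}"
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure hostgroup is present in sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        hostgroup: cluster
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure hostgroup is present in sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        hostgroup: cluster
        action: member
      register: result
      failed_when: result.changed

    # NOTE(review): unlike the other membership tests, the two "present"
    # sudocmdgroup tasks below do not set `action: member` — confirm that the
    # default action is intended here and that it does not reset other
    # members of testrule1.
    - name: Ensure sudorule is present, with an allow_sudocmdgroup.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmdgroup: test_sudorule
        state: present
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmdgroup: test_sudorule
        state: present
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmdgroup: test_sudorule
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, but allow_sudocmdgroup is absent, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmdgroup: test_sudorule
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with a deny_sudocmdgroup.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmdgroup: test_sudorule
        state: present
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with a deny_sudocmdgroup, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmdgroup: test_sudorule
        state: present
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmdgroup: test_sudorule
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmdgroup: test_sudorule
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is absent, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule allhosts is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allhosts
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule allhosts is absent, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allhosts
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule allusers is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule allusers is absent, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule allcommands is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allcommands
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule allcommands is absent, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allcommands
        state: absent
      register: result
      failed_when: result.changed

    # cleanup
    - name: Ensure sudocmdgroup is absent (cleanup)
      ipasudocmdgroup:
        ipaadmin_password: SomeADMINpassword
        name: test_sudorule
        state: absent

    - name: Ensure sudocmds are absent
      ipasudocmd:
        ipaadmin_password: SomeADMINpassword
        name:
          - /sbin/ifconfig
          - /usr/bin/vim
        state: absent

    - name: Ensure sudorules are absent (cleanup)
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name:
          - testrule1
          - allusers
          - allhosts
          - allcommands
        state: absent

    - name: Ensure hostgroup is absent.
      ipahostgroup:
        ipaadmin_password: SomeADMINpassword
        name: cluster
        state: absent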