diff --git a/README-dnsforwardzone.md b/README-dnsforwardzone.md index 32de7bf..8191929 100644 --- a/README-dnsforwardzone.md +++ b/README-dnsforwardzone.md @@ -49,7 +49,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS: tasks: - name: ensure presence of forwardzone for DNS requests for example.com to 8.8.8.8 ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: @@ -59,13 +59,13 @@ Example playbook to ensure presence of a forwardzone to ipa DNS: - name: ensure the forward zone is disabled ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com state: disabled - name: ensure presence of multiple upstream DNS servers for example.com ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: @@ -74,7 +74,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS: - name: ensure presence of another forwarder to any existing ones for example.com ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: @@ -83,7 +83,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS: - name: ensure the forwarder for example.com does not exists (delete it if needed) ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com state: absent ``` 
@@ -99,12 +99,9 @@ Variable | Description | Required `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no `name` \| `cn` | Zone name (FQDN). | yes if `state` == `present` -`forwarders` \| `idnsforwarders` | Per-zone forwarders. A custom port can be specified for each forwarder. Options | no -  | `ip_address`: The forwarder IP address. | yes -  | `port`: The forwarder IP port. | no -`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no +`forwarders` \| `idnsforwarders` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`) | no +`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no -`permission` | Allow DNS Forward Zone to be managed. (bool) | no `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes diff --git a/README-dnszone.md b/README-dnszone.md index c5a7ab3..766efe5 100644 --- a/README-dnszone.md +++ b/README-dnszone.md 
@@ -152,46 +152,6 @@ Example playbook to remove a zone: ``` -Example playbook to create a zone for reverse DNS lookup, from an IP address: - -```yaml - ---- -- name: dnszone present - hosts: ipaserver - become: true - - tasks: - - name: Ensure zone for reverse DNS lookup is present. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 192.168.1.2 - state: present -``` - -Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided. - -Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name: - -```yaml - ---- -- name: dnszone present - hosts: ipaserver - become: true - - tasks: - - name: Ensure zone for reverse DNS lookup is present. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 192.168.1.2/24 - state: present - register: result - - name: Display inferred zone name. - debug: - msg: "Zone name: {{ result.dnszone.name }}" -``` - Variables ========= 
@@ -203,8 +163,7 @@ Variable | Description | Required -------- | ----------- | -------- `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no -`name` \| `zone_name` | The zone name string or list of strings. | no -`name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no +`name` \| `zone_name` | The zone name string. | yes `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no   | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes   | `port` - The custom port that should be used on this server. | no @@ -230,17 +189,6 @@ Variable | Description | Required `skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no -Return Values -============= - -ipadnszone ----------- - -Variable | Description | Returned When --------- | ----------- | ------------- -`dnszone` | DNS Zone dict with zone name infered from `name_from_ip`.
Options: | If `state` is `present`, `name_from_ip` is used, and a zone was created. -  | `name` - The name of the zone created, inferred from `name_from_ip`. | Always - Authors ======= diff --git a/README-vault.md b/README-vault.md index e7a31a2..c7ae691 100644 --- a/README-vault.md +++ b/README-vault.md @@ -165,22 +165,6 @@ Example playbook to make sure vault data is absent in a symmetric vault: state: absent ``` -Example playbook to change the password of a symmetric: - -```yaml ---- -- name: Playbook to handle vaults - hosts: ipaserver - become: true - - tasks: - - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - old_password: SomeVAULTpassword - new_password: SomeNEWpassword -``` - Example playbook to make sure vault is absent: ```yaml @@ -197,7 +181,7 @@ Example playbook to make sure vault is absent: state: absent register: result - debug: - msg: "{{ result.vault.data }}" + msg: "{{ result.data }}" ``` Variables 
@@ -213,11 +197,8 @@ Variable | Description | Required `name` \| `cn` | The list of vault name strings. | yes `description` | The vault description string. | no `nomembers` | Suppress processing of membership attributes. (bool) | no -`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no -`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no -`new_password` | Vault new password. | no -`new_password_file` | File containing Base64 encoded new Vault password. | no -`public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no +`password ` \| `vault_password` \| `ipavaultpassword` | Vault password. | no +`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no `public_key_file` \| `vault_public_key_file` | Path to file with public key. | no `private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no `private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no @@ -248,11 +229,6 @@ Variable | Description | Returned When -------- | ----------- | ------------- `data` | The data stored in the vault. | If `state` is `retrieved`. -Variable | Description | Returned When --------- | ----------- | ------------- -`vault` | Vault dict with archived data. (dict)
Options: | If `state` is `retrieved`. -  | `data` - The vault data. | Always - Notes ===== diff --git a/playbooks/dnszone/dnszone-reverse-from-ip.yml b/playbooks/dnszone/dnszone-reverse-from-ip.yml deleted file mode 100644 index 218a318..0000000 --- a/playbooks/dnszone/dnszone-reverse-from-ip.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Playbook to ensure DNS zone exist - hosts: ipaserver - become: true - - tasks: - - name: Ensure zone exist, finding zone name from IP address. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 10.1.2.3/24 - register: result - - - name: Zone name inferred from `name_from_ip` - debug: - msg: "Zone created: {{ result.dnszone.name }}" diff --git a/playbooks/vault/change-password-symmetric-vault.yml b/playbooks/vault/change-password-symmetric-vault.yml index 396a79f..3871f45 100644 --- a/playbooks/vault/change-password-symmetric-vault.yml +++ b/playbooks/vault/change-password-symmetric-vault.yml @@ -10,7 +10,7 @@ ipaadmin_password: SomeADMINpassword name: symvault password: SomeVAULTpassword - - name: Change vault password. + - name: Change vault passord. ipavault: ipaadmin_password: SomeADMINpassword name: symvault diff --git a/playbooks/vault/retrive-data-asymmetric-vault.yml b/playbooks/vault/retrive-data-asymmetric-vault.yml index f71f826..5f67c59 100644 --- a/playbooks/vault/retrive-data-asymmetric-vault.yml +++ b/playbooks/vault/retrive-data-asymmetric-vault.yml @@ -14,4 +14,4 @@ state: retrieved register: result - debug: - msg: "Data: {{ result.vault.data }}" + msg: "Data: {{ result.data }}" diff --git a/playbooks/vault/retrive-data-symmetric-vault.yml b/playbooks/vault/retrive-data-symmetric-vault.yml index 24692a8..163f8b9 100644 --- a/playbooks/vault/retrive-data-symmetric-vault.yml +++ b/playbooks/vault/retrive-data-symmetric-vault.yml @@ -14,4 +14,4 @@ state: retrieved register: result - debug: - msg: "{{ result.vault.data }}" + msg: "{{ result.data | b64decode }}" 
diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py index ed8f6f6..122ea2e 100644 --- a/plugins/module_utils/ansible_freeipa_module.py +++ b/plugins/module_utils/ansible_freeipa_module.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -505,7 +506,7 @@ class FreeIPABaseModule(AnsibleModule): # when needed. self.ipa_params = AnsibleFreeIPAParams(self) - def get_ipa_command_args(self, **kwargs): + def get_ipa_command_args(self): """ Return a dict to be passed to an IPA command. @@ -537,7 +538,7 @@ class FreeIPABaseModule(AnsibleModule): elif hasattr(self, param_name): method = getattr(self, param_name) if callable(method): - value = method(**kwargs) + value = method() # We don't have a way to guess the value so fail. else: @@ -609,16 +610,13 @@ class FreeIPABaseModule(AnsibleModule): exit the module with proper arguments. """ - # TODO: shouldn't we also disconnect from api backend? - temp_kdestroy(self.ccache_dir, self.ccache_name) - - if exc_type == SystemExit: - raise - if exc_val: self.fail_json(msg=str(exc_val)) - self.exit_json(changed=self.changed, **self.exit_args) + # TODO: shouldn't we also disconnect from api backend? + temp_kdestroy(self.ccache_dir, self.ccache_name) + + self.exit_json(changed=self.changed, user=self.exit_args) def get_command_errors(self, command, result): """Look for erros into command results.""" 
@@ -657,21 +655,13 @@ class FreeIPABaseModule(AnsibleModule): except Exception as excpt: self.fail_json(msg="%s: %s: %s" % (command, name, str(excpt))) else: - self.process_command_result(name, command, args, result) - self.get_command_errors(command, result) - - def process_command_result(self, name, command, args, result): - """ - Process an API command result. + if "completed" in result: + if result["completed"] > 0: + self.changed = True + else: + self.changed = True - This method can be overriden in subclasses, and change self.exit_values - to return data in the result for the controller. - """ - if "completed" in result: - if result["completed"] > 0: - self.changed = True - else: - self.changed = True + self.get_command_errors(command, result) def require_ipa_attrs_change(self, command_args, ipa_attrs): """ diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py index 050f7fc..41a6d0a 100644 --- a/plugins/modules/ipaconfig.py +++ b/plugins/modules/ipaconfig.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipadnsconfig.py b/plugins/modules/ipadnsconfig.py index 2dca92e..b89344d 100644 --- a/plugins/modules/ipadnsconfig.py +++ b/plugins/modules/ipadnsconfig.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py index 5ed6060..90bd387 100644 --- a/plugins/modules/ipadnsforwardzone.py +++ b/plugins/modules/ipadnsforwardzone.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
@@ -53,16 +54,9 @@ options: forwarders: description: - List of the DNS servers to forward to + required: true + type: list aliases: ["idnsforwarders"] - options: - ip_address: - description: Forwarder IP address (either IPv4 or IPv6). - required: false - type: string - port: - description: Forwarder port. - required: false - type: int forwardpolicy: description: Per-zone conditional forwarding policy required: false @@ -74,11 +68,6 @@ options: - Force DNS zone creation even if it will overlap with an existing zone. required: false default: false - permission: - description: - - Allow DNS Forward Zone to be managed. - required: false - type: bool ''' EXAMPLES = ''' 
@@ -139,41 +128,20 @@ def gen_args(forwarders, forwardpolicy, skip_overlap_check): return _args -def forwarder_list(forwarders): - """Convert the forwarder dict into a list compatible with IPA API.""" - if forwarders is None: - return None - fwd_list = [] - for forwarder in forwarders: - if forwarder.get('port', None) is not None: - formatter = "{ip_address} port {port}" - else: - formatter = "{ip_address}" - fwd_list.append(formatter.format(**forwarder)) - return fwd_list - - def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), - name=dict(type="list", aliases=["cn"], default=None, + name=dict(type="str", aliases=["cn"], default=None, required=True), - forwarders=dict(type="list", default=None, required=False, - aliases=["idnsforwarders"], elements='dict', - options=dict( - ip_address=dict(type='str', required=True), - port=dict(type='int', required=False, - default=None), - )), + forwarders=dict(type='list', aliases=["idnsforwarders"], + required=False), forwardpolicy=dict(type='str', aliases=["idnsforwardpolicy"], required=False, choices=['only', 'first', 'none']), skip_overlap_check=dict(type='bool', required=False), - permission=dict(type='bool', required=False, - aliases=['managedby']), action=dict(type="str", default="dnsforwardzone", choices=["member", "dnsforwardzone"]), # state 
@@ -190,22 +158,14 @@ def main(): "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") - names = module_params_get(ansible_module, "name") + name = module_params_get(ansible_module, "name") action = module_params_get(ansible_module, "action") - forwarders = forwarder_list( - module_params_get(ansible_module, "forwarders")) + forwarders = module_params_get(ansible_module, "forwarders") forwardpolicy = module_params_get(ansible_module, "forwardpolicy") skip_overlap_check = module_params_get(ansible_module, "skip_overlap_check") - permission = module_params_get(ansible_module, "permission") state = module_params_get(ansible_module, "state") - if state == 'present' and len(names) != 1: - ansible_module.fail_json( - msg="Only one dnsforwardzone can be added at a time.") - if state == 'absent' and len(names) < 1: - ansible_module.fail_json(msg="No name given.") - # absent stae means delete if the action is NOT member but update if it is # if action is member then update an exisiting resource # and if action is not member then create a resource 
@@ -216,30 +176,18 @@ def main(): else: operation = "add" - if state in ["enabled", "disabled"]: - if action == "member": - ansible_module.fail_json( - msg="Action `member` cannot be used with state `%s`" - % (state)) - invalid = [ - "forwarders", "forwardpolicy", "skip_overlap_check", "permission" - ] - for x in invalid: - if vars()[x] is not None: - ansible_module.fail_json( - msg="Argument '%s' can not be used with action " - "'%s', state `%s`" % (x, action, state)) - wants_enable = (state == "enabled") + if state == "disabled": + wants_enable = False + else: + wants_enable = True if operation == "del": - invalid = [ - "forwarders", "forwardpolicy", "skip_overlap_check", "permission" - ] + invalid = ["forwarders", "forwardpolicy", "skip_overlap_check"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " - "'%s', state `%s`" % (x, action, state)) + "'%s'" % (x, action)) changed = False exit_args = {} 
@@ -259,116 +207,99 @@ def main(): ipaadmin_password) api_connect() - for name in names: - commands = [] + # Make sure forwardzone exists + existing_resource = find_dnsforwardzone(ansible_module, name) + + if existing_resource is None and operation == "update": + # does not exist and is updating + # trying to update something that doesn't exist, so error + ansible_module.fail_json(msg="""dnsforwardzone '%s' is not + valid""" % (name)) + elif existing_resource is None and operation == "del": + # does not exists and should be absent + # set command command = None - - # Make sure forwardzone exists - existing_resource = find_dnsforwardzone(ansible_module, name) - - # validate parameters - if state == 'present': - if existing_resource is None and not forwarders: - ansible_module.fail_json(msg='No forwarders specified.') - - if existing_resource is None: - if operation == "add": - # does not exist but should be present - # determine args - args = gen_args(forwarders, forwardpolicy, - skip_overlap_check) - # set command - command = "dnsforwardzone_add" - # enabled or disabled? - - elif operation == "update": - # does not exist and is updating - # trying to update something that doesn't exist, so error - ansible_module.fail_json( - msg="dnsforwardzone '%s' not found." % (name)) - - elif operation == "del": - # there's nothnig to do. - continue - - else: # existing_resource is not None - if state != "absent": - if forwarders: - forwarders = list( - set(existing_resource["idnsforwarders"] - + forwarders)) - else: - if forwarders: - forwarders = list( - set(existing_resource["idnsforwarders"]) - - set(forwarders)) - - if operation == "add": - # exists and should be present, has it changed? 
- # determine args - args = gen_args( - forwarders, forwardpolicy, skip_overlap_check) - if 'skip_overlap_check' in args: - del args['skip_overlap_check'] - - # set command - if not compare_args_ipa( - ansible_module, args, existing_resource): - command = "dnsforwardzone_mod" - - elif operation == "del": - # exists but should be absent - # set command - command = "dnsforwardzone_del" - args = {} - - elif operation == "update": - # exists and is updating - # calculate the new forwarders and mod - args = gen_args( - forwarders, forwardpolicy, skip_overlap_check) - if "skip_overlap_check" in args: - del args['skip_overlap_check'] - - # command - if not compare_args_ipa( - ansible_module, args, existing_resource): - command = "dnsforwardzone_mod" - - if state in ['enabled', 'disabled']: - if existing_resource is not None: - is_enabled = existing_resource["idnszoneactive"][0] - else: - ansible_module.fail_json( - msg="dnsforwardzone '%s' not found." % (name)) - - # does the enabled state match what we want (if we care) - if is_enabled != "IGNORE": - if wants_enable and is_enabled != "TRUE": - commands.append([name, "dnsforwardzone_enable", {}]) - elif not wants_enable and is_enabled != "FALSE": - commands.append([name, "dnsforwardzone_disable", {}]) - - # if command is set... - if command is not None: - commands.append([name, command, args]) - - if permission is not None: - if existing_resource is None: - managedby = None - else: - managedby = existing_resource.get('managedby', None) - if permission and managedby is None: - commands.append( - [name, 'dnsforwardzone_add_permission', {}] - ) - elif not permission and managedby is not None: - commands.append( - [name, 'dnsforwardzone_remove_permission', {}] - ) - - for name, command, args in commands: - api_command(ansible_module, command, name, args) + # enabled or disabled? 
+ is_enabled = "IGNORE" + elif existing_resource is not None and operation == "del": + # exists but should be absent + # set command + command = "dnsforwardzone_del" + # enabled or disabled? + is_enabled = "IGNORE" + elif forwarders is None: + # forwarders are not defined its not a delete, update state? + # set command + command = None + # enabled or disabled? + if existing_resource is not None: + is_enabled = existing_resource["idnszoneactive"][0] + else: + is_enabled = "IGNORE" + elif existing_resource is not None and operation == "update": + # exists and is updating + # calculate the new forwarders and mod + # determine args + if state != "absent": + forwarders = list(set(existing_resource["idnsforwarders"] + + forwarders)) + else: + forwarders = list(set(existing_resource["idnsforwarders"]) + - set(forwarders)) + args = gen_args(forwarders, forwardpolicy, + skip_overlap_check) + if skip_overlap_check is not None: + del args['skip_overlap_check'] + + # command + if not compare_args_ipa(ansible_module, args, existing_resource): + command = "dnsforwardzone_mod" + else: + command = None + + # enabled or disabled? + is_enabled = existing_resource["idnszoneactive"][0] + + elif existing_resource is None and operation == "add": + # does not exist but should be present + # determine args + args = gen_args(forwarders, forwardpolicy, + skip_overlap_check) + # set command + command = "dnsforwardzone_add" + # enabled or disabled? + is_enabled = "TRUE" + + elif existing_resource is not None and operation == "add": + # exists and should be present, has it changed? + # determine args + args = gen_args(forwarders, forwardpolicy, skip_overlap_check) + if skip_overlap_check is not None: + del args['skip_overlap_check'] + + # set command + if not compare_args_ipa(ansible_module, args, existing_resource): + command = "dnsforwardzone_mod" + else: + command = None + + # enabled or disabled? 
+ is_enabled = existing_resource["idnszoneactive"][0] + + # if command is set then run it with the args + if command is not None: + api_command(ansible_module, command, name, args) + changed = True + + # does the enabled state match what we want (if we care) + if is_enabled != "IGNORE": + if wants_enable and is_enabled != "TRUE": + api_command(ansible_module, "dnsforwardzone_enable", + name, {}) + changed = True + elif not wants_enable and is_enabled != "FALSE": + api_command(ansible_module, "dnsforwardzone_disable", + name, {}) changed = True except Exception as e: diff --git a/plugins/modules/ipadnsrecord.py b/plugins/modules/ipadnsrecord.py index 2f63919..89528e5 100644 --- a/plugins/modules/ipadnsrecord.py +++ b/plugins/modules/ipadnsrecord.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipadnszone.py b/plugins/modules/ipadnszone.py index ed0c241..717978e 100644 --- a/plugins/modules/ipadnszone.py +++ b/plugins/modules/ipadnszone.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -40,14 +41,8 @@ options: name: description: The zone name string. required: true - type: list - alises: ["zone_name"] - name_from_ip: - description: | - Derive zone name from reverse of IP (PTR). - Can only be used with `state: present`. - required: false type: str + alises: ["zone_name"] forwarders: description: The list of global DNS forwarders. required: false @@ -193,14 +188,6 @@ EXAMPLES = """ """ RETURN = """ -dnszone: - description: DNS Zone dict with zone name infered from `name_from_ip`. - returned: - If `state` is `present`, `name_from_ip` is used, and a zone was created. - options: - name: - description: The name of the zone created, inferred from `name_from_ip`. - returned: always """ from ipapython.dnsutil import DNSName # noqa: E402 
@@ -210,12 +197,6 @@ from ansible.module_utils.ansible_freeipa_module import ( is_ipv6_addr, is_valid_port, ) # noqa: E402 -import netaddr -import six - - -if six.PY3: - unicode = str class DNSZoneModule(FreeIPABaseModule): @@ -287,7 +268,7 @@ class DNSZoneModule(FreeIPABaseModule): return True - def get_ipa_nsec3paramrecord(self, **kwargs): + def get_ipa_nsec3paramrecord(self): nsec3param_rec = self.ipa_params.nsec3param_rec if nsec3param_rec is not None: error_msg = ( @@ -299,7 +280,7 @@ class DNSZoneModule(FreeIPABaseModule): self.fail_json(msg=error_msg) return nsec3param_rec - def get_ipa_idnsforwarders(self, **kwargs): + def get_ipa_idnsforwarders(self): if self.ipa_params.forwarders is not None: forwarders = [] for forwarder in self.ipa_params.forwarders: @@ -323,14 +304,14 @@ class DNSZoneModule(FreeIPABaseModule): return forwarders - def get_ipa_idnsallowtransfer(self, **kwargs): + def get_ipa_idnsallowtransfer(self): if self.ipa_params.allow_transfer is not None: error_msg = "Invalid ip_address for DNS allow_transfer: %s" self.validate_ips(self.ipa_params.allow_transfer, error_msg) return (";".join(self.ipa_params.allow_transfer) or "none") + ";" - def get_ipa_idnsallowquery(self, **kwargs): + def get_ipa_idnsallowquery(self): if self.ipa_params.allow_query is not None: error_msg = "Invalid ip_address for DNS allow_query: %s" self.validate_ips(self.ipa_params.allow_query, error_msg) 
@@ -353,141 +334,81 @@ class DNSZoneModule(FreeIPABaseModule): return ".".join((name, domain)) - def get_ipa_idnssoarname(self, **kwargs): + def get_ipa_idnssoarname(self): if self.ipa_params.admin_email is not None: return DNSName( self._replace_at_symbol_in_rname(self.ipa_params.admin_email) ) - def get_ipa_idnssoamname(self, **kwargs): + def get_ipa_idnssoamname(self): if self.ipa_params.name_server is not None: return DNSName(self.ipa_params.name_server) - def get_ipa_skip_overlap_check(self, **kwargs): - zone = kwargs.get('zone') - if not zone and self.ipa_params.skip_overlap_check is not None: + def get_ipa_skip_overlap_check(self): + if not self.zone and self.ipa_params.skip_overlap_check is not None: return self.ipa_params.skip_overlap_check - def get_ipa_skip_nameserver_check(self, **kwargs): - zone = kwargs.get('zone') - if not zone and self.ipa_params.skip_nameserver_check is not None: + def get_ipa_skip_nameserver_check(self): + if not self.zone and self.ipa_params.skip_nameserver_check is not None: return self.ipa_params.skip_nameserver_check - def __reverse_zone_name(self, ipaddress): - """ - Infer reverse zone name from an ip address. - - This function uses the same heuristics as FreeIPA to infer the zone - name from ip. 
- """ - try: - ip = netaddr.IPAddress(str(ipaddress)) - except (netaddr.AddrFormatError, ValueError): - net = netaddr.IPNetwork(ipaddress) - items = net.ip.reverse_dns.split('.') - prefixlen = net.prefixlen - ip_version = net.version - else: - items = ip.reverse_dns.split('.') - prefixlen = 24 if ip.version == 4 else 64 - ip_version = ip.version - if ip_version == 4: - return u'.'.join(items[4 - prefixlen // 8:]) - elif ip_version == 6: - return u'.'.join(items[32 - prefixlen // 4:]) - else: - self.fail_json(msg="Invalid IP version for reverse zone.") - def get_zone(self, zone_name): get_zone_args = {"idnsname": zone_name, "all": True} response = self.api_command("dnszone_find", args=get_zone_args) - zone = None - is_zone_active = False - if response["count"] == 1: - zone = response["result"][0] - is_zone_active = zone.get("idnszoneactive") == ["TRUE"] + self.zone = response["result"][0] + self.is_zone_active = self.zone.get("idnszoneactive") == ["TRUE"] + return self.zone - return zone, is_zone_active - - def get_zone_names(self): - zone_names = self.__get_zone_names_from_params() - if len(zone_names) > 1 and self.ipa_params.state != "absent": - self.fail_json( - msg=("Please provide a single name. Multiple values for 'name'" - "can only be supplied for state 'absent'.") - ) + # Zone doesn't exist yet + self.zone = None + self.is_zone_active = False - return zone_names - - def __get_zone_names_from_params(self): - if not self.ipa_params.name: - return [self.__reverse_zone_name(self.ipa_params.name_from_ip)] + @property + def zone_name(self): return self.ipa_params.name - def check_ipa_params(self): - if not self.ipa_params.name and not self.ipa_params.name_from_ip: - self.fail_json( - msg="Either `name` or `name_from_ip` must be provided." - ) - if self.ipa_params.state != "present" and self.ipa_params.name_from_ip: - self.fail_json( - msg=( - "Cannot use argument `name_from_ip` with state `%s`." 
- % self.ipa_params.state - ) - ) - def define_ipa_commands(self): - for zone_name in self.get_zone_names(): - # Look for existing zone in IPA - zone, is_zone_active = self.get_zone(zone_name) - args = self.get_ipa_command_args(zone=zone) - just_added = False - - if self.ipa_params.state in ["present", "enabled", "disabled"]: - if not zone: - # Since the zone doesn't exist we just create it - # with given args - self.add_ipa_command("dnszone_add", zone_name, args) - is_zone_active = True - just_added = True - - else: - # Zone already exist so we need to verify if given args - # matches the current config. If not we updated it. - if self.require_ipa_attrs_change(args, zone): - self.add_ipa_command("dnszone_mod", zone_name, args) - - if self.ipa_params.state == "enabled" and not is_zone_active: - self.add_ipa_command("dnszone_enable", zone_name) - - if self.ipa_params.state == "disabled" and is_zone_active: - self.add_ipa_command("dnszone_disable", zone_name) - - if self.ipa_params.state == "absent": - if zone: - self.add_ipa_command("dnszone_del", zone_name) - - # Due to a bug in FreeIPA dnszone-add won't set - # SOA Serial. The good news is that dnszone-mod does the job. 
- # See: https://pagure.io/freeipa/issue/8227 - # Because of that, if the zone was just added with a given serial - # we run mod just after to workaround the bug - if just_added and self.ipa_params.serial is not None: - args = { - "idnssoaserial": self.ipa_params.serial, - } - self.add_ipa_command("dnszone_mod", zone_name, args) - - def process_command_result(self, name, command, args, result): - super(DNSZoneModule, self).process_command_result( - name, command, args, result - ) - if command == "dnszone_add" and self.ipa_params.name_from_ip: - dnszone_exit_args = self.exit_args.setdefault('dnszone', {}) - dnszone_exit_args['name'] = name + # Look for existing zone in IPA + self.get_zone(self.zone_name) + args = self.get_ipa_command_args() + just_added = False + + if self.ipa_params.state in ["present", "enabled", "disabled"]: + if not self.zone: + # Since the zone doesn't exist we just create it + # with given args + self.add_ipa_command("dnszone_add", self.zone_name, args) + self.is_zone_active = True + just_added = True + + else: + # Zone already exist so we need to verify if given args + # matches the current config. If not we updated it. + if self.require_ipa_attrs_change(args, self.zone): + self.add_ipa_command("dnszone_mod", self.zone_name, args) + + if self.ipa_params.state == "enabled" and not self.is_zone_active: + self.add_ipa_command("dnszone_enable", self.zone_name) + + if self.ipa_params.state == "disabled" and self.is_zone_active: + self.add_ipa_command("dnszone_disable", self.zone_name) + + if self.ipa_params.state == "absent": + if self.zone: + self.add_ipa_command("dnszone_del", self.zone_name) + + # Due to a bug in FreeIPA dnszone-add won't set + # SOA Serial. The good news is that dnszone-mod does the job. 
+ # See: https://pagure.io/freeipa/issue/8227 + # Because of that, if the zone was just added with a given serial + # we run mod just after to workaround the bug + if just_added and self.ipa_params.serial is not None: + args = { + "idnssoaserial": self.ipa_params.serial, + } + self.add_ipa_command("dnszone_mod", self.zone_name, args) def get_argument_spec(): @@ -505,9 +426,8 @@ def get_argument_spec(): ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict( - type="list", default=None, required=False, aliases=["zone_name"] + type="str", default=None, required=True, aliases=["zone_name"] ), - name_from_ip=dict(type="str", default=None, required=False), forwarders=dict( type="list", default=None, @@ -547,11 +467,7 @@ def get_argument_spec(): def main(): - DNSZoneModule( - argument_spec=get_argument_spec(), - mutually_exclusive=[["name", "name_from_ip"]], - required_one_of=[["name", "name_from_ip"]], - ).ipa_run() + DNSZoneModule(argument_spec=get_argument_spec()).ipa_run() if __name__ == "__main__": diff --git a/plugins/modules/ipagroup.py b/plugins/modules/ipagroup.py index 4a137f6..915bc49 100644 --- a/plugins/modules/ipagroup.py +++ b/plugins/modules/ipagroup.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
@@ -506,15 +507,16 @@ def main(): # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] - for failed_item in result.get("failed", []): - failed = result["failed"][failed_item] - for member_type in failed: - for member, failure in failed[member_type]: - if "already a member" in failure \ - or "not a member" in failure: - continue - errors.append("%s: %s %s: %s" % ( - command, member_type, member, failure)) + if "failed" in result and len(result["failed"]) > 0: + for item in result["failed"]: + failed_item = result["failed"][item] + for member_type in failed_item: + for member, failure in failed_item[member_type]: + if "already a member" in failure \ + or "not a member" in failure: + continue + errors.append("%s: %s %s: %s" % ( + command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) diff --git a/plugins/modules/ipahbacrule.py b/plugins/modules/ipahbacrule.py index a1b5e8f..12725c7 100644 --- a/plugins/modules/ipahbacrule.py +++ b/plugins/modules/ipahbacrule.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipahbacsvc.py b/plugins/modules/ipahbacsvc.py index 50693c1..969a62e 100644 --- a/plugins/modules/ipahbacsvc.py +++ b/plugins/modules/ipahbacsvc.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipahbacsvcgroup.py b/plugins/modules/ipahbacsvcgroup.py index ee0b250..d55dc13 100644 --- a/plugins/modules/ipahbacsvcgroup.py +++ b/plugins/modules/ipahbacsvcgroup.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py index 0beac40..7a981f1 100644 --- a/plugins/modules/ipahost.py +++ b/plugins/modules/ipahost.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
@@ -798,15 +799,10 @@ def main(): server_realm = api_get_realm() commands = [] - host_set = set() for host in names: if isinstance(host, dict): name = host.get("name") - if name in host_set: - ansible_module.fail_json( - msg="host '%s' is used more than once" % name) - host_set.add(name) description = host.get("description") locality = host.get("locality") location = host.get("location") @@ -1341,8 +1337,6 @@ def main(): else: ansible_module.fail_json(msg="Unkown state '%s'" % state) - del host_set - # Execute commands errors = [] diff --git a/plugins/modules/ipahostgroup.py b/plugins/modules/ipahostgroup.py index ff8761e..4c18e94 100644 --- a/plugins/modules/ipahostgroup.py +++ b/plugins/modules/ipahostgroup.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -422,15 +423,14 @@ def main(): # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] - for failed_item in result.get("failed", []): - failed = result["failed"][failed_item] + if "failed" in result and "member" in result["failed"]: + failed = result["failed"]["member"] for member_type in failed: for member, failure in failed[member_type]: - if "already a member" in failure \ - or "not a member" in failure: - continue - errors.append("%s: %s %s: %s" % ( - command, member_type, member, failure)) + if "already a member" not in failure \ + and "not a member" not in failure: + errors.append("%s: %s %s: %s" % ( + command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) diff --git a/plugins/modules/ipapwpolicy.py b/plugins/modules/ipapwpolicy.py index c2e4704..0d68fb1 100644 --- a/plugins/modules/ipapwpolicy.py +++ b/plugins/modules/ipapwpolicy.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py index 3503726..23a0d6b 100644 --- a/plugins/modules/ipaservice.py 
+++ b/plugins/modules/ipaservice.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -459,7 +460,7 @@ def main(): allow_retrieve_keytab_group = module_params_get( ansible_module, "allow_retrieve_keytab_group") allow_retrieve_keytab_host = module_params_get( - ansible_module, "allow_retrieve_keytab_host") + ansible_module, "allow_create_keytab_host") allow_retrieve_keytab_hostgroup = module_params_get( ansible_module, "allow_retrieve_keytab_hostgroup") delete_continue = module_params_get(ansible_module, "delete_continue") @@ -726,7 +727,7 @@ def main(): # Allow retrieve keytab if len(allow_retrieve_keytab_user_add) > 0 or \ len(allow_retrieve_keytab_group_add) > 0 or \ - len(allow_retrieve_keytab_host_add) > 0 or \ + len(allow_retrieve_keytab_hostgroup_add) > 0 or \ len(allow_retrieve_keytab_hostgroup_add) > 0: commands.append( [name, "service_allow_retrieve_keytab", @@ -811,11 +812,9 @@ def main(): elif state == "disabled": if action == "service": - if res_find is not None: - has_cert = bool(res_find.get('usercertificate')) - has_keytab = res_find.get('has_keytab', False) - if has_cert or has_keytab: - commands.append([name, 'service_disable', {}]) + if res_find is not None and \ + len(res_find.get('usercertificate', [])) > 0: + commands.append([name, 'service_disable', {}]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % diff --git a/plugins/modules/ipasudocmd.py b/plugins/modules/ipasudocmd.py index f6f3bd5..7494793 100644 --- a/plugins/modules/ipasudocmd.py +++ b/plugins/modules/ipasudocmd.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipasudocmdgroup.py b/plugins/modules/ipasudocmdgroup.py index 75e1e5f..a5b0e4e 100644 --- a/plugins/modules/ipasudocmdgroup.py +++ b/plugins/modules/ipasudocmdgroup.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py index c810a18..741028c 100644 --- a/plugins/modules/ipasudorule.py +++ b/plugins/modules/ipasudorule.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipatopologysegment.py b/plugins/modules/ipatopologysegment.py index ee7dbb4..5740cde 100644 --- a/plugins/modules/ipatopologysegment.py +++ b/plugins/modules/ipatopologysegment.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipatopologysuffix.py b/plugins/modules/ipatopologysuffix.py index ce65304..ab1e413 100644 --- a/plugins/modules/ipatopologysuffix.py +++ b/plugins/modules/ipatopologysuffix.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/plugins/modules/ipauser.py b/plugins/modules/ipauser.py index 4169376..b8152ee 100644 --- a/plugins/modules/ipauser.py +++ b/plugins/modules/ipauser.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -957,15 +958,10 @@ def main(): # commands commands = [] - user_set = set() for user in names: if isinstance(user, dict): name = user.get("name") - if name in user_set: - ansible_module.fail_json( - msg="user '%s' is used more than once" % name) - user_set.add(name) # present first = user.get("first") last = user.get("last") @@ -1374,8 +1370,6 @@ def main(): else: ansible_module.fail_json(msg="Unkown state '%s'" % state) - del user_set - # Execute commands errors = [] diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py index 4c3b0a2..ad5dd41 100644 --- a/plugins/modules/ipavault.py +++ b/plugins/modules/ipavault.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
@@ -68,20 +69,12 @@ options: description: password to be used on symmetric vault. required: false type: string - aliases: ["ipavaultpassword", "vault_password", "old_password"] + aliases: ["ipavaultpassword", "vault_password"] password_file: description: file with password to be used on symmetric vault. required: false type: string - aliases: ["vault_password_file", "old_password_file"] - new_password: - description: new password to be used on symmetric vault. - required: false - type: string - new_password_file: - description: file with new password to be used on symmetric vault. - required: false - type: string + aliases: ["vault_password_file"] salt: description: Vault salt. required: false @@ -242,15 +235,7 @@ EXAMPLES = """ state: retrieved register: result - debug: - msg: "{{ result.vault.data }}" - -# Change password of a symmetric vault -- ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: admin - old_password: SomeVAULTpassword - new_password: SomeNEWpassword + msg: "{{ result.data | b64decode }}" # Ensure vault symvault is absent - ipavault: @@ -266,7 +251,7 @@ EXAMPLES = """ username: user01 description: An asymmetric vault vault_type: asymmetric - public_key: | + public_key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM @@ -302,15 +287,10 @@ EXAMPLES = """ """ RETURN = """ -vault: - description: Vault dict with archived data. - returned: If state is `retrieved`. - type: dict - options: - data: - description: The vault data. - returned: always - type: string +user: + description: The vault data. + returned: If state is retrieved. + type: string """ import os 
@@ -436,29 +416,18 @@ def check_parameters(module, state, action, description, username, service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, - private_key_file, vault_data, datafile_in, datafile_out, - new_password, new_password_file): + private_key_file, vault_data, datafile_in, datafile_out): invalid = [] if state == "present": invalid = ['private_key', 'private_key_file', 'datafile_out'] - if all([password, password_file]) \ - or all([new_password, new_password_file]): - module.fail_json(msg="Password specified multiple times.") - - if any([new_password, new_password_file]) \ - and not any([password, password_file]): - module.fail_json( - msg="Either `password` or `password_file` must be provided to " - "change symmetric vault password.") - if action == "member": invalid.extend(['description']) elif state == "absent": invalid = ['description', 'salt', 'vault_type', 'private_key', 'private_key_file', 'datafile_in', 'datafile_out', - 'vault_data', 'new_password', 'new_password_file'] + 'vault_data'] if action == "vault": invalid.extend(['users', 'groups', 'services', 'owners', @@ -468,7 +437,7 @@ def check_parameters(module, state, action, description, username, service, elif state == "retrieved": invalid = ['description', 'salt', 'datafile_in', 'users', 'groups', 'owners', 'ownergroups', 'public_key', 'public_key_file', - 'vault_data', 'new_password', 'new_password_file'] + 'vault_data'] if action == 'member': module.fail_json( msg="State `retrieved` do not support action `member`.") 
@@ -489,19 +458,11 @@ def check_parameters(module, state, action, description, username, service, def check_encryption_params(module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, - vault_data, datafile_in, datafile_out, - new_password, new_password_file, res_find): + vault_data, datafile_in, datafile_out, res_find): vault_type_invalid = [] - - if vault_type is None and res_find is not None: - vault_type = res_find['ipavaulttype'] - if isinstance(vault_type, (tuple, list)): - vault_type = vault_type[0] - if vault_type == "standard": vault_type_invalid = ['public_key', 'public_key_file', 'password', - 'password_file', 'salt', 'new_password', - 'new_password_file'] + 'password_file', 'salt'] if vault_type is None or vault_type == "symmetric": vault_type_invalid = ['public_key', 'public_key_file', @@ -512,24 +473,8 @@ def check_encryption_params(module, state, action, vault_type, salt, msg="Symmetric vault requires password or password_file " "to store data or change `salt`.") - if any([new_password, new_password_file]) and res_find is None: - module.fail_json( - msg="Cannot modify password of inexistent vault.") - - if ( - salt is not None - and not( - any([password, password_file]) - and any([new_password, new_password_file]) - ) - ): - module.fail_json( - msg="Vault `salt` can only change when changing the password.") - if vault_type == "asymmetric": - vault_type_invalid = [ - 'password', 'password_file', 'new_password', 'new_password_file' - ] + vault_type_invalid = ['password', 'password_file'] if not any([public_key, public_key_file]) and res_find is None: module.fail_json( msg="Assymmetric vault requires public_key " 
@@ -542,43 +487,6 @@ def check_encryption_params(module, state, action, vault_type, salt, (param, vault_type or 'symmetric')) -def change_password(module, res_find, password, password_file, new_password, - new_password_file): - """ - Change the password of a symmetric vault. - - To change the password of a vault, it is needed to retrieve the stored - data with the current password, and store the data again, with the new - password, forcing it to override the old one. - """ - # verify parameters. - if not any([new_password, new_password_file]): - return [] - if res_find["ipavaulttype"][0] != "symmetric": - module.fail_json(msg="Cannot change password of `%s` vault." - % res_find["ipavaulttype"]) - - # prepare arguments to retrieve data. - name = res_find["cn"][0] - args = {} - if password: - args["password"] = password - if password_file: - args["password"] = password_file - # retrieve current stored data - result = api_command(module, 'vault_retrieve', name, args) - args['data'] = result['result']['data'] - - # modify arguments to store data with new password. - if password: - args["password"] = new_password - if password_file: - args["password"] = new_password_file - args["override_password"] = True - # return the command to store data with the new password. - return [(name, "vault_archive", args)] - - def main(): ansible_module = AnsibleModule( argument_spec=dict( 
@@ -625,18 +533,10 @@ def main(): datafile_out=dict(type="str", required=False, default=None, aliases=['out']), vault_password=dict(type="str", required=False, default=None, - no_log=True, - aliases=['ipavaultpassword', 'password', - "old_password"]), + aliases=['ipavaultpassword', 'password'], + no_log=True), vault_password_file=dict(type="str", required=False, default=None, - no_log=False, - aliases=[ - 'password_file', "old_password_file" - ]), - new_password=dict(type="str", required=False, default=None, - no_log=True), - new_password_file=dict(type="str", required=False, default=None, - no_log=False), + no_log=False, aliases=['password_file']), # state action=dict(type="str", default="vault", choices=["vault", "data", "member"]), @@ -646,7 +546,6 @@ def main(): supports_check_mode=True, mutually_exclusive=[['username', 'service', 'shared'], ['datafile_in', 'vault_data'], - ['new_password', 'new_password_file'], ['vault_password', 'vault_password_file'], ['vault_public_key', 'vault_public_key_file']], ) @@ -677,8 +576,6 @@ def main(): salt = module_params_get(ansible_module, "vault_salt") password = module_params_get(ansible_module, "vault_password") password_file = module_params_get(ansible_module, "vault_password_file") - new_password = module_params_get(ansible_module, "new_password") - new_password_file = module_params_get(ansible_module, "new_password_file") public_key = module_params_get(ansible_module, "vault_public_key") public_key_file = module_params_get(ansible_module, "vault_public_key_file") @@ -717,8 +614,7 @@ def main(): service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, - private_key_file, vault_data, datafile_in, datafile_out, - new_password, new_password_file) + private_key_file, vault_data, datafile_in, datafile_out) # Init changed = False 
@@ -764,7 +660,7 @@ def main(): ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, - new_password, new_password_file, res_find) + res_find) # Found the vault if action == "vault": @@ -777,12 +673,7 @@ def main(): commands.append([name, "vault_mod_internal", args]) else: - if vault_type == 'symmetric' \ - and 'ipavaultsalt' not in args: - args['ipavaultsalt'] = os.urandom(32) - commands.append([name, "vault_add_internal", args]) - if vault_type != 'standard' and vault_data is None: vault_data = '' @@ -830,6 +721,7 @@ def main(): owner_add_args = gen_member_args( args, owner_add, ownergroups_add, ownerservice_add) if owner_add_args is not None: + # ansible_module.warn("OWNER ADD: %s" % owner_add_args) commands.append( [name, 'vault_add_owner', owner_add_args]) @@ -837,9 +729,18 @@ def main(): owner_del_args = gen_member_args( args, owner_del, ownergroups_del, ownerservice_del) if owner_del_args is not None: + # ansible_module.warn("OWNER DEL: %s" % owner_del_args) commands.append( [name, 'vault_remove_owner', owner_del_args]) + if vault_type == 'symmetric' \ + and 'ipavaultsalt' not in args: + args['ipavaultsalt'] = os.urandom(32) + + if vault_type == 'symmetric' \ + and 'ipavaultsalt' not in args: + args['ipavaultsalt'] = os.urandom(32) + elif action in "member": # Add users and groups if any([users, groups, services]): 
@@ -857,22 +758,19 @@ def main(): if any([vault_data, datafile_in]): commands.append([name, "vault_archive", pwdargs]) - cmds = change_password( - ansible_module, res_find, password, password_file, - new_password, new_password_file) - commands.extend(cmds) - elif state == "retrieved": if res_find is None: ansible_module.fail_json( msg="Vault `%s` not found to retrieve data." % name) + vault_type = res_find['cn'] + # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, - new_password, new_password_file, res_find) + res_find) pwdargs = data_storage_args( args, vault_data, password, password_file, private_key, @@ -915,6 +813,7 @@ def main(): errors = [] for name, command, args in commands: try: + # ansible_module.warn("RUN: %s %s %s" % (command, name, args)) result = api_command(ansible_module, command, name, args) if command == 'vault_archive': @@ -923,15 +822,14 @@ def main(): if 'result' not in result: raise Exception("No result obtained.") if 'data' in result['result']: - data_return = exit_args.setdefault('vault', {}) - data_return['data'] = result['result']['data'] + exit_args['data'] = result['result']['data'] elif 'vault_data' in result['result']: - data_return = exit_args.setdefault('vault', {}) - data_return['data'] = result['result']['vault_data'] + exit_args['data'] = result['result']['vault_data'] else: raise Exception("No data retrieved.") changed = False else: + # ansible_module.warn("RESULT: %s" % (result)) if "completed" in result: if result["completed"] > 0: changed = True diff --git a/roles/ipaclient/action_plugins/ipaclient_get_otp.py b/roles/ipaclient/action_plugins/ipaclient_get_otp.py index 8e04ad9..dcddc0a 100644 --- a/roles/ipaclient/action_plugins/ipaclient_get_otp.py +++ b/roles/ipaclient/action_plugins/ipaclient_get_otp.py 
@@ -164,8 +164,7 @@ class ActionModule(ActionBase): return result data = self._execute_module(module_name='ipaclient_get_facts', - module_args=dict(), task_vars=task_vars) - + module_args=dict(), task_vars=None) try: domain = data['ansible_facts']['ipa']['domain'] realm = data['ansible_facts']['ipa']['realm'] @@ -246,3 +245,4 @@ class ActionModule(ActionBase): finally: # delete the local temp directory shutil.rmtree(local_temp_dir, ignore_errors=True) + run_cmd(['/usr/bin/kdestroy', '-c', tmp_ccache]) diff --git a/roles/ipaclient/files/py3test.py b/roles/ipaclient/files/py3test.py old mode 100755 new mode 100644 diff --git a/roles/ipaclient/library/ipaclient_api.py b/roles/ipaclient/library/ipaclient_api.py index 9252bb5..865438f 100644 --- a/roles/ipaclient/library/ipaclient_api.py +++ b/roles/ipaclient/library/ipaclient_api.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_fix_ca.py b/roles/ipaclient/library/ipaclient_fix_ca.py index 09f682d..a3a1dae 100644 --- a/roles/ipaclient/library/ipaclient_fix_ca.py +++ b/roles/ipaclient/library/ipaclient_fix_ca.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_fstore.py b/roles/ipaclient/library/ipaclient_fstore.py index b210171..db1218a 100644 --- a/roles/ipaclient/library/ipaclient_fstore.py +++ b/roles/ipaclient/library/ipaclient_fstore.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_get_facts.py b/roles/ipaclient/library/ipaclient_get_facts.py index 05c5bca..003715e 100644 --- a/roles/ipaclient/library/ipaclient_get_facts.py +++ b/roles/ipaclient/library/ipaclient_get_facts.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- import os diff --git a/roles/ipaclient/library/ipaclient_get_otp.py b/roles/ipaclient/library/ipaclient_get_otp.py index 793b8f8..03e8b2b 100644 
--- a/roles/ipaclient/library/ipaclient_get_otp.py +++ b/roles/ipaclient/library/ipaclient_get_otp.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_ipa_conf.py b/roles/ipaclient/library/ipaclient_ipa_conf.py index bf2b951..ac31e01 100644 --- a/roles/ipaclient/library/ipaclient_ipa_conf.py +++ b/roles/ipaclient/library/ipaclient_ipa_conf.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_join.py b/roles/ipaclient/library/ipaclient_join.py index 95eed4b..b67be37 100644 --- a/roles/ipaclient/library/ipaclient_join.py +++ b/roles/ipaclient/library/ipaclient_join.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_set_hostname.py b/roles/ipaclient/library/ipaclient_set_hostname.py index 51afdc2..4145df9 100644 --- a/roles/ipaclient/library/ipaclient_set_hostname.py +++ b/roles/ipaclient/library/ipaclient_set_hostname.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_setup_automount.py b/roles/ipaclient/library/ipaclient_setup_automount.py index 58ee2f7..1fda9ba 100644 --- a/roles/ipaclient/library/ipaclient_setup_automount.py +++ b/roles/ipaclient/library/ipaclient_setup_automount.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_setup_firefox.py b/roles/ipaclient/library/ipaclient_setup_firefox.py index 4c74cf6..36116ae 100644 --- a/roles/ipaclient/library/ipaclient_setup_firefox.py +++ b/roles/ipaclient/library/ipaclient_setup_firefox.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_setup_krb5.py b/roles/ipaclient/library/ipaclient_setup_krb5.py index 134d78e..9eb3e94 100644 --- a/roles/ipaclient/library/ipaclient_setup_krb5.py 
+++ b/roles/ipaclient/library/ipaclient_setup_krb5.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_setup_nis.py b/roles/ipaclient/library/ipaclient_setup_nis.py index 7a3f169..e04b87c 100644 --- a/roles/ipaclient/library/ipaclient_setup_nis.py +++ b/roles/ipaclient/library/ipaclient_setup_nis.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py index 04ab0ae..c1bd173 100644 --- a/roles/ipaclient/library/ipaclient_setup_nss.py +++ b/roles/ipaclient/library/ipaclient_setup_nss.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_setup_ntp.py b/roles/ipaclient/library/ipaclient_setup_ntp.py index c0daa83..b41a910 100644 --- a/roles/ipaclient/library/ipaclient_setup_ntp.py +++ b/roles/ipaclient/library/ipaclient_setup_ntp.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_setup_ssh.py b/roles/ipaclient/library/ipaclient_setup_ssh.py index a8329fd..f721b2a 100644 --- a/roles/ipaclient/library/ipaclient_setup_ssh.py +++ b/roles/ipaclient/library/ipaclient_setup_ssh.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_setup_sssd.py b/roles/ipaclient/library/ipaclient_setup_sssd.py index 596db3f..3fd767f 100644 --- a/roles/ipaclient/library/ipaclient_setup_sssd.py +++ b/roles/ipaclient/library/ipaclient_setup_sssd.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/library/ipaclient_test.py b/roles/ipaclient/library/ipaclient_test.py index 62faa2c..d5d7f71 100644 --- a/roles/ipaclient/library/ipaclient_test.py +++ b/roles/ipaclient/library/ipaclient_test.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
diff --git a/roles/ipaclient/library/ipaclient_test_keytab.py b/roles/ipaclient/library/ipaclient_test_keytab.py index 3d4351a..75ed109 100644 --- a/roles/ipaclient/library/ipaclient_test_keytab.py +++ b/roles/ipaclient/library/ipaclient_test_keytab.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/module_utils/ansible_ipa_client.py b/roles/ipaclient/module_utils/ansible_ipa_client.py index 20c69ca..48ef132 100644 --- a/roles/ipaclient/module_utils/ansible_ipa_client.py +++ b/roles/ipaclient/module_utils/ansible_ipa_client.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 4421f0c..0de3dea 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml @@ -134,6 +134,7 @@ "Password cannot be set on enrolled host" not in result_ipaclient_get_otp.msg delegate_to: "{{ result_ipaclient_test.servers[0] }}" + delegate_facts: yes ignore_errors: yes - name: Install - Report error for OTP generation diff --git a/roles/ipareplica/files/py3test.py b/roles/ipareplica/files/py3test.py old mode 100755 new mode 100644 diff --git a/roles/ipareplica/library/ipareplica_add_to_ipaservers.py b/roles/ipareplica/library/ipareplica_add_to_ipaservers.py index b347581..acd553b 100644 --- a/roles/ipareplica/library/ipareplica_add_to_ipaservers.py +++ b/roles/ipareplica/library/ipareplica_add_to_ipaservers.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_create_ipa_conf.py b/roles/ipareplica/library/ipareplica_create_ipa_conf.py index a043c2d..3a85a6f 100644 --- a/roles/ipareplica/library/ipareplica_create_ipa_conf.py +++ b/roles/ipareplica/library/ipareplica_create_ipa_conf.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
@@ -261,7 +262,6 @@ def main(): config.subject_base = options.subject_base config.dirman_password = dirman_password config.ca_host_name = ca_host_name - config.setup_ca = options.setup_ca remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) installer._remote_api = remote_api diff --git a/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py b/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py index d1cab9e..c580ed5 100644 --- a/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py +++ b/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_ds_apply_updates.py b/roles/ipareplica/library/ipareplica_ds_apply_updates.py index 3b0614f..3796874 100644 --- a/roles/ipareplica/library/ipareplica_ds_apply_updates.py +++ b/roles/ipareplica/library/ipareplica_ds_apply_updates.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -176,7 +177,6 @@ def main(): config = gen_ReplicaConfig() config.dirman_password = dirman_password config.subject_base = options.subject_base - config.master_host_name = master_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) diff --git a/roles/ipareplica/library/ipareplica_ds_enable_ssl.py b/roles/ipareplica/library/ipareplica_ds_enable_ssl.py index 3738b25..a1b638e 100644 --- a/roles/ipareplica/library/ipareplica_ds_enable_ssl.py +++ b/roles/ipareplica/library/ipareplica_ds_enable_ssl.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -172,7 +173,6 @@ def main(): config = gen_ReplicaConfig() config.dirman_password = dirman_password config.subject_base = options.subject_base - config.master_host_name = master_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) # installer._remote_api = remote_api 
diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py index a83744a..d18552b 100644 --- a/roles/ipareplica/library/ipareplica_enable_ipa.py +++ b/roles/ipareplica/library/ipareplica_enable_ipa.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_install_ca_certs.py b/roles/ipareplica/library/ipareplica_install_ca_certs.py index 345649f..b93f0b9 100644 --- a/roles/ipareplica/library/ipareplica_install_ca_certs.py +++ b/roles/ipareplica/library/ipareplica_install_ca_certs.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_krb_enable_ssl.py b/roles/ipareplica/library/ipareplica_krb_enable_ssl.py index 2b00ccd..a302b0f 100644 --- a/roles/ipareplica/library/ipareplica_krb_enable_ssl.py +++ b/roles/ipareplica/library/ipareplica_krb_enable_ssl.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_master_password.py b/roles/ipareplica/library/ipareplica_master_password.py index 9630932..02f9fd1 100644 --- a/roles/ipareplica/library/ipareplica_master_password.py +++ b/roles/ipareplica/library/ipareplica_master_password.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py index 3887669..ed89b69 100644 --- a/roles/ipareplica/library/ipareplica_prepare.py +++ b/roles/ipareplica/library/ipareplica_prepare.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_promote_openldap_conf.py b/roles/ipareplica/library/ipareplica_promote_openldap_conf.py index 260b317..207794c 100644 --- a/roles/ipareplica/library/ipareplica_promote_openldap_conf.py +++ b/roles/ipareplica/library/ipareplica_promote_openldap_conf.py 
@@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_promote_sssd.py b/roles/ipareplica/library/ipareplica_promote_sssd.py index eaae271..66d84d0 100644 --- a/roles/ipareplica/library/ipareplica_promote_sssd.py +++ b/roles/ipareplica/library/ipareplica_promote_sssd.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_restart_kdc.py b/roles/ipareplica/library/ipareplica_restart_kdc.py index 21648c5..b9c9900 100644 --- a/roles/ipareplica/library/ipareplica_restart_kdc.py +++ b/roles/ipareplica/library/ipareplica_restart_kdc.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_setup_adtrust.py b/roles/ipareplica/library/ipareplica_setup_adtrust.py index 06b4c7c..c830ebf 100644 --- a/roles/ipareplica/library/ipareplica_setup_adtrust.py +++ b/roles/ipareplica/library/ipareplica_setup_adtrust.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -109,7 +110,7 @@ def main(): # additional ccache=dict(required=True), _top_dir=dict(required=True), - setup_ca=dict(required=True, type='bool'), + setup_ca=dict(required=True), config_master_host_name=dict(required=True), ), supports_check_mode=True, diff --git a/roles/ipareplica/library/ipareplica_setup_ca.py b/roles/ipareplica/library/ipareplica_setup_ca.py index a05ad47..d71299b 100644 --- a/roles/ipareplica/library/ipareplica_setup_ca.py +++ b/roles/ipareplica/library/ipareplica_setup_ca.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_setup_certmonger.py b/roles/ipareplica/library/ipareplica_setup_certmonger.py index 95604da..982aab0 100644 --- a/roles/ipareplica/library/ipareplica_setup_certmonger.py +++ b/roles/ipareplica/library/ipareplica_setup_certmonger.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
diff --git a/roles/ipareplica/library/ipareplica_setup_custodia.py b/roles/ipareplica/library/ipareplica_setup_custodia.py index a18608e..5a74e87 100644 --- a/roles/ipareplica/library/ipareplica_setup_custodia.py +++ b/roles/ipareplica/library/ipareplica_setup_custodia.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -168,7 +169,6 @@ def main(): config.promote = installer.promote config.kra_enabled = kra_enabled config.kra_host_name = kra_host_name - config.setup_ca = options.setup_ca remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) diff --git a/roles/ipareplica/library/ipareplica_setup_dns.py b/roles/ipareplica/library/ipareplica_setup_dns.py index 9bb42a6..1557afe 100644 --- a/roles/ipareplica/library/ipareplica_setup_dns.py +++ b/roles/ipareplica/library/ipareplica_setup_dns.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_setup_ds.py b/roles/ipareplica/library/ipareplica_setup_ds.py index a54fa8f..8a44120 100644 --- a/roles/ipareplica/library/ipareplica_setup_ds.py +++ b/roles/ipareplica/library/ipareplica_setup_ds.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_setup_http.py b/roles/ipareplica/library/ipareplica_setup_http.py index 64856fe..987ea95 100644 --- a/roles/ipareplica/library/ipareplica_setup_http.py +++ b/roles/ipareplica/library/ipareplica_setup_http.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -163,7 +164,7 @@ def main(): config.subject_base = options.subject_base config.dirman_password = dirman_password config.setup_ca = options.setup_ca - config.master_host_name = master_host_name + # config.master_host_name = master_host_name config.ca_host_name = ca_host_name config.promote = installer.promote 
diff --git a/roles/ipareplica/library/ipareplica_setup_kra.py b/roles/ipareplica/library/ipareplica_setup_kra.py index c44dbb9..3149c10 100644 --- a/roles/ipareplica/library/ipareplica_setup_kra.py +++ b/roles/ipareplica/library/ipareplica_setup_kra.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -119,9 +120,6 @@ options: _subject_base: description: The installer _subject_base setting required: no - dirman_password: - description: Directory Manager (master) password - required: no author: - Thomas Woerner ''' @@ -175,12 +173,10 @@ def main(): _ca_enabled=dict(required=False, type='bool'), _kra_enabled=dict(required=False, type='bool'), _kra_host_name=dict(required=False), - _ca_host_name=dict(required=False), _top_dir=dict(required=True), _add_to_ipaservers=dict(required=True, type='bool'), _ca_subject=dict(required=True), _subject_base=dict(required=True), - dirman_password=dict(required=True, no_log=True), ), supports_check_mode=True, ) @@ -237,7 +233,6 @@ def main(): ca_enabled = ansible_module.params.get('_ca_enabled') kra_enabled = ansible_module.params.get('_kra_enabled') kra_host_name = ansible_module.params.get('_kra_host_name') - ca_host_name = ansible_module.params.get('_ca_host_name') options.subject_base = ansible_module.params.get('subject_base') if options.subject_base is not None: @@ -248,7 +243,6 @@ def main(): options._ca_subject = ansible_module.params.get('_ca_subject') options._subject_base = ansible_module.params.get('_subject_base') - dirman_password = ansible_module.params.get('dirman_password') # init # 
@@ -260,25 +254,14 @@ def main(): constants.DEFAULT_CONFIG) api_bootstrap_finalize(env) config = gen_ReplicaConfig() - config.dirman_password = dirman_password config.subject_base = options.subject_base config.promote = installer.promote config.kra_enabled = kra_enabled config.kra_host_name = kra_host_name - config.ca_host_name = ca_host_name - config.master_host_name = master_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) installer._remote_api = remote_api - conn = remote_api.Backend.ldap2 - ccache = os.environ['KRB5CCNAME'] - - # There is a api.Backend.ldap2.connect call somewhere in ca, ds, dns or - # ntpinstance - api.Backend.ldap2.connect() - conn.connect(ccache=ccache) - with redirect_stdout(ansible_log): ansible_log.debug("-- INSTALL KRA --") diff --git a/roles/ipareplica/library/ipareplica_setup_krb.py b/roles/ipareplica/library/ipareplica_setup_krb.py index 703ae76..c8d09f7 100644 --- a/roles/ipareplica/library/ipareplica_setup_krb.py +++ b/roles/ipareplica/library/ipareplica_setup_krb.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: @@ -62,9 +63,6 @@ options: _top_dir: description: The installer _top_dir setting required: no - dirman_password: - description: Directory Manager (master) password - required: no author: - Thomas Woerner ''' @@ -100,7 +98,6 @@ def main(): ccache=dict(required=True), _pkinit_pkcs12_info=dict(required=False, type='list'), _top_dir=dict(required=True), - dirman_password=dict(required=True, no_log=True), ), supports_check_mode=True, ) @@ -129,7 +126,6 @@ def main(): '_pkinit_pkcs12_info') options._top_dir = ansible_module.params.get('_top_dir') - dirman_password = ansible_module.params.get('dirman_password') # init # 
@@ -145,10 +141,8 @@ def main(): constants.DEFAULT_CONFIG) api_bootstrap_finalize(env) config = gen_ReplicaConfig() - config.dirman_password = dirman_password config.master_host_name = config_master_host_name config.subject_base = options.subject_base - config.setup_ca = options.setup_ca ccache = os.environ['KRB5CCNAME'] diff --git a/roles/ipareplica/library/ipareplica_setup_otpd.py b/roles/ipareplica/library/ipareplica_setup_otpd.py index a211b9e..1b8117d 100644 --- a/roles/ipareplica/library/ipareplica_setup_otpd.py +++ b/roles/ipareplica/library/ipareplica_setup_otpd.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/library/ipareplica_test.py b/roles/ipareplica/library/ipareplica_test.py index 37b288e..ebb1163 100644 --- a/roles/ipareplica/library/ipareplica_test.py +++ b/roles/ipareplica/library/ipareplica_test.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py index a2a70d5..368ec6b 100644 --- a/roles/ipareplica/module_utils/ansible_ipa_replica.py +++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index ddb3f85..fc7f83e 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -226,8 +226,6 @@ setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}" setup_kra: "{{ result_ipareplica_test.setup_kra }}" setup_dns: "{{ ipareplica_setup_dns }}" - ### server ### - setup_ca: "{{ ipareplica_setup_ca }}" ### ssl certificate ### dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}" ### client ### 
@@ -283,7 +281,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" - _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info if result_ipareplica_prepare._dirsrv_pkcs12_info != None else omit }}" + _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}" subject_base: "{{ result_ipareplica_prepare.subject_base }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" @@ -334,7 +332,6 @@ _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" dirman_password: "{{ ipareplica_dirman_password }}" - setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" - name: Install - Setup KRB ipareplica_setup_krb: @@ -348,9 +345,8 @@ config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}" ccache: "{{ result_ipareplica_prepare.ccache }}" - _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" + _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" # We need to point to the master in ipa default conf when certmonger # asks for HTTP certificate in newer ipa versions. In these versions @@ -392,7 +388,6 @@ _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" dirman_password: "{{ ipareplica_dirman_password }}" - setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" master: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}" when: result_ipareplica_test.change_master_for_certmonger 
@@ -412,8 +407,8 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" - _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info if result_ipareplica_prepare._dirsrv_pkcs12_info != None else omit }}" - _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" + _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}" + _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" dirman_password: "{{ ipareplica_dirman_password }}" ds_ca_subject: "{{ result_ipareplica_setup_ds.ds_ca_subject }}" @@ -434,7 +429,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" - _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info if result_ipareplica_prepare._http_pkcs12_info != None else omit }}" + _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" dirman_password: "{{ ipareplica_dirman_password }}" @@ -476,7 +471,6 @@ _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" dirman_password: "{{ ipareplica_dirman_password }}" - setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" when: result_ipareplica_test.change_master_for_certmonger - name: Install - Setup otpd 
@@ -513,7 +507,7 @@ _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" - _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" + _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" dirman_password: "{{ ipareplica_dirman_password }}" @@ -535,7 +529,7 @@ _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" - _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" + _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" dirman_password: "{{ ipareplica_dirman_password }}" config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" @@ -560,7 +554,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" - _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" + _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" dirman_password: "{{ ipareplica_dirman_password }}" 
@@ -580,7 +574,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" - _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" + _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" dirman_password: "{{ ipareplica_dirman_password }}" ds_ca_subject: "{{ result_ipareplica_setup_ds.ds_ca_subject }}" @@ -617,12 +611,10 @@ _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" - _ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" - dirman_password: "{{ ipareplica_dirman_password }}" when: result_ipareplica_test.setup_kra - name: Install - Restart KDC diff --git a/roles/ipaserver/files/py3test.py b/roles/ipaserver/files/py3test.py old mode 100755 new mode 100644 diff --git a/roles/ipaserver/library/ipaserver_enable_ipa.py b/roles/ipaserver/library/ipaserver_enable_ipa.py index e3a9d53..00bf3da 100644 --- a/roles/ipaserver/library/ipaserver_enable_ipa.py +++ b/roles/ipaserver/library/ipaserver_enable_ipa.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_load_cache.py b/roles/ipaserver/library/ipaserver_load_cache.py index 80030c6..ad29455 100644 --- a/roles/ipaserver/library/ipaserver_load_cache.py +++ b/roles/ipaserver/library/ipaserver_load_cache.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
diff --git a/roles/ipaserver/library/ipaserver_master_password.py b/roles/ipaserver/library/ipaserver_master_password.py index dc1c000..bf9c52b 100644 --- a/roles/ipaserver/library/ipaserver_master_password.py +++ b/roles/ipaserver/library/ipaserver_master_password.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py index 1153dd8..1341abf 100644 --- a/roles/ipaserver/library/ipaserver_prepare.py +++ b/roles/ipaserver/library/ipaserver_prepare.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_set_ds_password.py b/roles/ipaserver/library/ipaserver_set_ds_password.py index 2b2fb52..4b5b3b3 100644 --- a/roles/ipaserver/library/ipaserver_set_ds_password.py +++ b/roles/ipaserver/library/ipaserver_set_ds_password.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_setup_adtrust.py b/roles/ipaserver/library/ipaserver_setup_adtrust.py index d6663e1..341cb4e 100644 --- a/roles/ipaserver/library/ipaserver_setup_adtrust.py +++ b/roles/ipaserver/library/ipaserver_setup_adtrust.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py index 31af30b..53a3633 100644 --- a/roles/ipaserver/library/ipaserver_setup_ca.py +++ b/roles/ipaserver/library/ipaserver_setup_ca.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_setup_custodia.py b/roles/ipaserver/library/ipaserver_setup_custodia.py index aaa3b47..565020b 100644 --- a/roles/ipaserver/library/ipaserver_setup_custodia.py +++ b/roles/ipaserver/library/ipaserver_setup_custodia.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
diff --git a/roles/ipaserver/library/ipaserver_setup_dns.py b/roles/ipaserver/library/ipaserver_setup_dns.py index 8072e40..396b439 100644 --- a/roles/ipaserver/library/ipaserver_setup_dns.py +++ b/roles/ipaserver/library/ipaserver_setup_dns.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_setup_ds.py b/roles/ipaserver/library/ipaserver_setup_ds.py index ccb76a3..3fc9d50 100644 --- a/roles/ipaserver/library/ipaserver_setup_ds.py +++ b/roles/ipaserver/library/ipaserver_setup_ds.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_setup_http.py b/roles/ipaserver/library/ipaserver_setup_http.py index e00465d..4d9a54d 100644 --- a/roles/ipaserver/library/ipaserver_setup_http.py +++ b/roles/ipaserver/library/ipaserver_setup_http.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_setup_kra.py b/roles/ipaserver/library/ipaserver_setup_kra.py index 8c1240c..5296c09 100644 --- a/roles/ipaserver/library/ipaserver_setup_kra.py +++ b/roles/ipaserver/library/ipaserver_setup_kra.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_setup_krb.py b/roles/ipaserver/library/ipaserver_setup_krb.py index cb000eb..1101d8d 100644 --- a/roles/ipaserver/library/ipaserver_setup_krb.py +++ b/roles/ipaserver/library/ipaserver_setup_krb.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_setup_ntp.py b/roles/ipaserver/library/ipaserver_setup_ntp.py index 1e57a85..ab1fde7 100644 --- a/roles/ipaserver/library/ipaserver_setup_ntp.py +++ b/roles/ipaserver/library/ipaserver_setup_ntp.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: 
diff --git a/roles/ipaserver/library/ipaserver_setup_otpd.py b/roles/ipaserver/library/ipaserver_setup_otpd.py index d67748e..e72d27b 100644 --- a/roles/ipaserver/library/ipaserver_setup_otpd.py +++ b/roles/ipaserver/library/ipaserver_setup_otpd.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py index 541415e..4ac100c 100644 --- a/roles/ipaserver/library/ipaserver_test.py +++ b/roles/ipaserver/library/ipaserver_test.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py index fe71311..d934751 100644 --- a/roles/ipaserver/module_utils/ansible_ipa_server.py +++ b/roles/ipaserver/module_utils/ansible_ipa_server.py @@ -1,3 +1,4 @@ +#!/usr/bin/python # -*- coding: utf-8 -*- # Authors: diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index 687f72d..30f9da2 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml @@ -203,7 +203,7 @@ # no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}" dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}" - _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}" + _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}" external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}" subject_base: "{{ result_ipaserver_prepare.subject_base }}" 
@@ -240,7 +240,7 @@ no_hbac_allow: "{{ ipaserver_no_hbac_allow }}" idstart: "{{ result_ipaserver_test.idstart }}" idmax: "{{ result_ipaserver_test.idmax }}" - _pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info if result_ipaserver_test._pkinit_pkcs12_info != None else omit }}" + _pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info }}" - name: Install - Setup custodia ipaserver_setup_custodia: @@ -270,7 +270,7 @@ no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}" dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}" - _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}" + _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}" external_ca: "{{ ipaserver_external_ca }}" external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}" external_ca_profile: @@ -334,7 +334,7 @@ idmax: "{{ result_ipaserver_test.idmax }}" http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}" no_ui_redirect: "{{ ipaserver_no_ui_redirect }}" - _http_pkcs12_info: "{{ result_ipaserver_test._http_pkcs12_info if result_ipaserver_test._http_pkcs12_info != None else omit }}" + _http_pkcs12_info: "{{ result_ipaserver_test._http_pkcs12_info }}" - name: Install - Setup KRA ipaserver_setup_kra: @@ -394,7 +394,7 @@ idstart: "{{ result_ipaserver_test.idstart }}" idmax: "{{ result_ipaserver_test.idmax }}" dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}" - _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}" + _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}" - name: Install - Setup client include_role: diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml index 223cf3d..1a45e82 100644 
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml +++ b/tests/dnsforwardzone/test_dnsforwardzone.yml @@ -5,21 +5,19 @@ gather_facts: false tasks: - - name: ensure test forwardzones are absent + - name: ensure forwardzone example.com is absent - prep ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: - - example.com - - newfailzone.com + ipaadmin_password: password01 + name: example.com state: absent - name: ensure forwardzone example.com is created ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: - - ip_address: 8.8.8.8 + - 8.8.8.8 forwardpolicy: first skip_overlap_check: true register: result @@ -27,11 +25,11 @@ - name: ensure forwardzone example.com is present again ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: - - ip_address: 8.8.8.8 + - 8.8.8.8 forwardpolicy: first skip_overlap_check: true register: result @@ -39,13 +37,12 @@ - name: ensure forwardzone example.com has two forwarders ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: - - ip_address: 8.8.8.8 - - ip_address: 4.4.4.4 - port: 8053 + - 8.8.8.8 + - 4.4.4.4 forwardpolicy: first skip_overlap_check: true register: result 
@@ -53,246 +50,165 @@ - name: ensure forwardzone example.com has one forwarder again ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com forwarders: - - ip_address: 8.8.8.8 + - 8.8.8.8 forwardpolicy: first skip_overlap_check: true state: present register: result - failed_when: result.changed + failed_when: not result.changed - name: skip_overlap_check can only be set on creation so change nothing ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com forwarders: - - ip_address: 8.8.8.8 + - 8.8.8.8 forwardpolicy: first skip_overlap_check: false state: present register: result failed_when: result.changed - - name: ensure forwardzone example.com is absent. - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: example.com - state: absent - register: result - failed_when: not result.changed - - - name: ensure forwardzone example.com is absent, again. - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: example.com - state: absent - register: result - failed_when: result.changed - - name: change all the things at once ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: - - ip_address: 8.8.8.8 - - ip_address: 4.4.4.4 - port: 8053 + - 8.8.8.8 + - 4.4.4.4 forwardpolicy: only - skip_overlap_check: true - permission: yes - register: result - failed_when: not result.changed - - - name: change zone forward policy - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: example.com - forwardpolicy: first + skip_overlap_check: false register: result failed_when: not result.changed - - name: change zone forward policy, again + - name: ensure forwardzone example.com is absent for next testset ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: example.com - forwardpolicy: first - register: result - failed_when: result.changed - - - name: 
ensure forwardzone example.com is absent. - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com state: absent - name: ensure forwardzone example.com is created with minimal args ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com skip_overlap_check: true forwarders: - - ip_address: 8.8.8.8 + - 8.8.8.8 register: result failed_when: not result.changed - name: add a forwarder to any existing ones ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: - - ip_address: 4.4.4.4 - port: 8053 + - 4.4.4.4 action: member register: result failed_when: not result.changed - name: check the list of forwarders is what we expect ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: - - ip_address: 4.4.4.4 - port: 8053 - - ip_address: 8.8.8.8 + - 4.4.4.4 + - 8.8.8.8 action: member register: result failed_when: result.changed - name: remove a single forwarder ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: absent name: example.com forwarders: - - ip_address: 8.8.8.8 + - 8.8.8.8 action: member register: result failed_when: not result.changed - name: check the list of forwarders is what we expect now ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 state: present name: example.com forwarders: - - ip_address: 4.4.4.4 - port: 8053 + - 4.4.4.4 action: member register: result failed_when: result.changed - - name: Add a permission for per-forward zone access delegation. 
+ - name: ensure forwardzone example.com is absent again ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com - permission: yes - action: member - register: result - failed_when: not result.changed + state: absent - - name: Add a permission for per-forward zone access delegation, again. + - name: try to create a new forwarder with action=member ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 + state: present name: example.com - permission: yes + forwarders: + - 4.4.4.4 action: member + skip_overlap_check: true register: result failed_when: result.changed - - name: Remove a permission for per-forward zone access delegation. - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: example.com - permission: no - action: member - register: result - failed_when: not result.changed - - - name: Remove a permission for per-forward zone access delegation, again. + - name: ensure forwardzone example.com is absent - tidy up ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com - permission: no - action: member - register: result - failed_when: result.changed + state: absent - - name: disable the forwarder + - name: try to create a new forwarder is disabled state ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: example.com + ipaadmin_password: password01 state: disabled - register: result - failed_when: not result.changed - - - name: disable the forwarder again - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword name: example.com - state: disabled + forwarders: + - 4.4.4.4 + skip_overlap_check: true register: result - failed_when: result.changed + failed_when: not result.changed - name: enable the forwarder ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com state: enabled register: result failed_when: not result.changed - - name: enable 
the forwarder, again - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: example.com - state: enabled - register: result - failed_when: result.changed - - - name: ensure forwardzone example.com is absent again - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: example.com - state: absent - - - name: try to create a new forwarder with action=member + - name: disable the forwarder again ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - state: present + ipaadmin_password: password01 name: example.com - forwarders: - - ip_address: 4.4.4.4 - port: 8053 + state: disabled action: member - skip_overlap_check: true register: result - failed_when: not result.failed or "not found" not in result.msg + failed_when: not result.changed - - name: try to create a new forwarder with disabled state + - name: ensure it stays disabled ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword + ipaadmin_password: password01 name: example.com state: disabled register: result - failed_when: not result.failed or "not found" not in result.msg - - - name: Ensure forwardzone is not added without forwarders, with correct message. - ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: newfailzone.com - register: result - failed_when: not result.failed or "No forwarders specified" not in result.msg + failed_when: result.changed - name: ensure forwardzone example.com is absent - tidy up ipadnsforwardzone: - ipaadmin_password: SomeADMINpassword - name: - - example.com - - newfailzone.com + ipaadmin_password: password01 + name: example.com state: absent diff --git a/tests/dnszone/test_dnszone.yml b/tests/dnszone/test_dnszone.yml index bd820df..f7bd1f0 100644 --- a/tests/dnszone/test_dnszone.yml +++ b/tests/dnszone/test_dnszone.yml 
@@ -149,40 +149,3 @@ forwarders: [] register: result failed_when: not result.changed - - - name: Create zones test1 - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: test1.testzone.local - - - name: Create zones test2 - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: test2.testzone.local - - - name: Create zones test3 - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: test3.testzone.local - - - name: Ensure multiple zones are absent - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: - - test1.testzone.local - - test2.testzone.local - - test3.testzone.local - state: absent - register: result - failed_when: not result.changed - - - name: Ensure multiple zones are absent, again - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: - - test1.testzone.local - - test2.testzone.local - - test3.testzone.local - state: absent - register: result - failed_when: result.changed diff --git a/tests/dnszone/test_dnszone_name_from_ip.yml b/tests/dnszone/test_dnszone_name_from_ip.yml deleted file mode 100644 index 9bd2eb0..0000000 --- a/tests/dnszone/test_dnszone_name_from_ip.yml +++ /dev/null 
@@ -1,112 +0,0 @@ ---- -- name: Test dnszone - hosts: ipaserver - become: yes - gather_facts: yes - - tasks: - - # Setup - - name: Ensure zone is absent. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: "{{ item }}" - state: absent - with_items: - - 2.0.192.in-addr.arpa. - - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.f.ip6.arpa. - - 1.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa. - - # tests - - name: Ensure zone exists for reverse IP. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 192.0.2.3/24 - register: ipv4_zone - failed_when: not ipv4_zone.changed or ipv4_zone.failed - - - name: Ensure zone exists for reverse IP, again. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 192.0.2.3/24 - register: result - failed_when: result.changed or result.failed - - - name: Ensure zone exists for reverse IP, given the zone name. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: "{{ ipv4_zone.dnszone.name }}" - register: result - failed_when: result.changed or result.failed - - - name: Modify existing zone, using `name_from_ip`. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 192.0.2.3/24 - default_ttl: 1234 - register: result - failed_when: not result.changed - - - name: Modify existing zone, using `name_from_ip`, again. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 192.0.2.3/24 - default_ttl: 1234 - register: result - failed_when: result.changed or result.failed - - - name: Ensure ipv6 zone exists for reverse IPv6. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: fd00::0001 - register: ipv6_zone - failed_when: not ipv6_zone.changed or ipv6_zone.failed - - # - debug: - # msg: "{{ipv6_zone}}" - - - name: Ensure ipv6 zone was created. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: "{{ ipv6_zone.dnszone.name }}" - register: result - failed_when: result.changed or result.failed - - - name: Ensure ipv6 zone exists for reverse IPv6, again. 
- ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: fd00::0001 - register: result - failed_when: result.changed - - - name: Ensure second ipv6 zone exists for reverse IPv6. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 2001:db8:cafe:1::1 - register: ipv6_sec_zone - failed_when: not ipv6_sec_zone.changed or ipv6_zone.failed - - - name: Ensure second ipv6 zone was created. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: "{{ ipv6_sec_zone.dnszone.name }}" - register: result - failed_when: result.changed or result.failed - - - name: Ensure second ipv6 zone exists for reverse IPv6, again. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name_from_ip: 2001:db8:cafe:1::1 - register: result - failed_when: result.changed - - # Cleanup - - name: Ensure zone is absent. - ipadnszone: - ipaadmin_password: SomeADMINpassword - name: "{{ item }}" - state: absent - with_items: - - "{{ ipv6_zone.dnszone.name }}" - - "{{ ipv6_sec_zone.dnszone.name }}" - - "{{ ipv4_zone.dnszone.name }}" diff --git a/tests/group/test_group_membermanager.yml b/tests/group/test_group_membermanager.yml index 661f26d..1d38654 100644 --- a/tests/group/test_group_membermanager.yml +++ b/tests/group/test_group_membermanager.yml @@ -8,7 +8,7 @@ - name: Ensure user manangeruser1 and manageruser2 is absent ipauser: ipaadmin_password: SomeADMINpassword - name: manageruser1,manageruser2,unknown_user + name: manageruser1,manageruser2 state: absent - name: Ensure group testgroup, managergroup1 and managergroup2 are absent 
@@ -185,15 +185,6 @@ register: result failed_when: not result.changed - - name: Ensure unknown membermanager_user member failure - ipagroup: - ipaadmin_password: SomeADMINpassword - name: testgroup - membermanager_user: unknown_user - action: member - register: result - failed_when: result.changed or "no such entry" not in result.msg - - name: Ensure group testgroup, managergroup1 and managergroup2 are absent ipagroup: ipaadmin_password: SomeADMINpassword diff --git a/tests/host/test_hosts.yml b/tests/host/test_hosts.yml index f82cc61..30fd653 100644 --- a/tests/host/test_hosts.yml +++ b/tests/host/test_hosts.yml @@ -96,18 +96,3 @@ state: absent register: result failed_when: result.changed - - - name: Duplicate names in hosts failure test - ipahost: - ipaadmin_password: SomeADMINpassword - hosts: - - name: "{{ host1_fqdn }}" - force: yes - - name: "{{ host2_fqdn }}" - force: yes - - name: "{{ host3_fqdn }}" - force: yes - - name: "{{ host3_fqdn }}" - force: yes - register: result - failed_when: result.changed or "is used more than once" not in result.msg diff --git a/tests/hostgroup/test_hostgroup_membermanager.yml b/tests/hostgroup/test_hostgroup_membermanager.yml index c0f6546..c32d108 100644 --- a/tests/hostgroup/test_hostgroup_membermanager.yml +++ b/tests/hostgroup/test_hostgroup_membermanager.yml @@ -15,7 +15,7 @@ - name: Ensure user manangeruser1 and manageruser2 is absent ipauser: ipaadmin_password: SomeADMINpassword - name: manageruser1,manageruser2,unknown_user + name: manageruser1,manageruser2 state: absent - name: Ensure group managergroup1 and managergroup2 are absent 
@@ -200,15 +200,6 @@ register: result failed_when: not result.changed - - name: Ensure unknown membermanager_user member failure - ipahostgroup: - ipaadmin_password: SomeADMINpassword - name: testhostgroup - membermanager_user: unknown_user - action: member - register: result - failed_when: result.changed or "no such entry" not in result.msg - - name: Ensure host-group testhostgroup is absent ipahostgroup: ipaadmin_password: SomeADMINpassword diff --git a/tests/service/env_cleanup.yml b/tests/service/env_cleanup.yml deleted file mode 100644 index f96a75b..0000000 --- a/tests/service/env_cleanup.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -# Cleanup tasks for the service module tests. -- name: Ensure services are absent. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: - - "HTTP/{{ svc_fqdn }}" - - "HTTP/{{ nohost_fqdn }}" - - HTTP/svc.ihavenodns.info - - HTTP/no.idontexist.local - - "cifs/{{ host1_fqdn }}" - state: absent - -- name: Ensure host "{{ svc_fqdn }}" is absent - ipahost: - ipaadmin_password: SomeADMINpassword - name: "{{ svc_fqdn }}" - update_dns: yes - state: absent - -- name: Ensure host is absent - ipahost: - ipaadmin_password: SomeADMINpassword - name: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - - "{{ nohost_fqdn }}" - - svc.ihavenodns.info - update_dns: no - state: absent - -- name: Ensure testing users are absent. - ipauser: - ipaadmin_password: SomeADMINpassword - name: - - user01 - - user02 - state: absent - -- name: Ensure testing groups are absent. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: - - group01 - - group02 - state: absent - -- name: Ensure testing hostgroup hostgroup01 is absent. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: - - hostgroup01 - state: absent - -- name: Ensure testing hostgroup hostgroup02 is absent. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: - - hostgroup02 - state: absent - -- name: Remove IP address for "nohost" host. - ipadnsrecord: - ipaadmin_password: SomeADMINpassword - zone_name: "{{ test_domain }}." - name: nohost - del_all: yes - state: absent diff --git a/tests/service/env_setup.yml b/tests/service/env_setup.yml deleted file mode 100644 index 309cfc0..0000000 --- a/tests/service/env_setup.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -# Setup environment for service module tests. ---- -- name: Setup variables and facts. - include_tasks: env_vars.yml - -# Cleanup before setup. -- name: Cleanup test environment. - include_tasks: env_cleanup.yml - -- name: Add IP address for "nohost" host. - ipadnsrecord: - ipaadmin_password: SomeADMINpassword - zone_name: "{{ test_domain }}." - name: nohost - a_ip_address: "{{ ipv4_prefix + '.100' }}" - -- name: Add hosts for tests. - ipahost: - ipaadmin_password: SomeADMINpassword - hosts: - - name: "{{ host1_fqdn }}" - ip_address: "{{ ipv4_prefix + '.101' }}" - - name: "{{ host2_fqdn }}" - ip_address: "{{ ipv4_prefix + '.102' }}" - - name: "{{ svc_fqdn }}" - ip_address: "{{ ipv4_prefix + '.201' }}" - - name: svc.ihavenodns.info - force: yes - update_dns: yes - -- name: Ensure testing user user01 is present. - ipauser: - ipaadmin_password: SomeADMINpassword - name: user01 - first: user01 - last: last - -- name: Ensure testing user user02 is present. - ipauser: - ipaadmin_password: SomeADMINpassword - name: user02 - first: user02 - last: last - -- name: Ensure testing group group01 is present. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: group01 - -- name: Ensure testing group group02 is present. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: group02 - -- name: Ensure testing hostgroup hostgroup01 is present. - ipahostgroup: - ipaadmin_password: SomeADMINpassword - name: hostgroup01 - -- name: Ensure testing hostgroup hostgroup02 is present. - ipahostgroup: - ipaadmin_password: SomeADMINpassword - name: hostgroup02 - -- name: Ensure services are absent. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: - - "HTTP/{{ svc_fqdn }}" - - "HTTP/{{ nohost_fqdn }}" - - HTTP/svc.ihavenodns.info - - HTTP/no.idontexist.info - state: absent diff --git a/tests/service/env_vars.yml b/tests/service/env_vars.yml deleted file mode 100644 index eb53c7a..0000000 --- a/tests/service/env_vars.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- - - name: Get Domain from server name - set_fact: - test_domain: "{{ ansible_fqdn.split('.')[1:] | join('.') }}" - - - name: Set host1, host2 and svc hosts fqdn - set_fact: - host1_fqdn: "{{ 'host1.' + test_domain }}" - host2_fqdn: "{{ 'host2.' + test_domain }}" - svc_fqdn: "{{ 'svc.' + test_domain }}" - nohost_fqdn: "{{ 'nohost.' + test_domain }}" - - - name: Get IPv4 address prefix from server node - set_fact: - ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | join('.') }}" diff --git a/tests/service/test_service_disable.yml b/tests/service/test_service_disable.yml deleted file mode 100644 index 3b4a88f..0000000 --- a/tests/service/test_service_disable.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -- name: Playbook to manage IPA service. - hosts: ipaserver - become: yes - gather_facts: yes - - tasks: - - name: Ensure service is absent - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "mysvc1/{{ ansible_fqdn }}" - - - name: Ensure service is present - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "mysvc1/{{ ansible_fqdn }}" - certificate: - - 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 - force: no - register: result - failed_when: not result.changed - - - name: Obtain keytab - shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab - - - name: Verify keytab - shell: ipa service-find "mysvc1/{{ ansible_fqdn }}" - register: result - failed_when: result.failed or result.stdout | regex_search(" Keytab. true") - - - name: Ensure service is disabled - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "mysvc1/{{ ansible_fqdn }}" - state: disabled - register: result - failed_when: not result.changed - - - name: Verify keytab - shell: ipa service-find "mysvc1/{{ ansible_fqdn }}" - register: result - failed_when: result.failed or result.stdout | regex_search(" Keytab. true") - - - name: Obtain keytab - shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab - - - name: Verify keytab - shell: ipa service-find "mysvc1/{{ ansible_fqdn }}" - register: result - failed_when: result.failed or result.stdout | regex_search(" Keytab. true") - - - name: Ensure service is disabled - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "mysvc1/{{ ansible_fqdn }}" - state: disabled - register: result - failed_when: not result.changed - - - name: Verify keytab - shell: ipa service-find "mysvc1/{{ ansible_fqdn }}" - register: result - failed_when: result.failed or result.stdout | regex_search(" Keytab. true") - - - name: Ensure service is absent - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "mysvc1/{{ ansible_fqdn }}" 
diff --git a/tests/service/test_service_keytab.yml b/tests/service/test_service_keytab.yml deleted file mode 100644 index 0918802..0000000 --- a/tests/service/test_service_keytab.yml +++ /dev/null 
@@ -1,397 +0,0 @@ ---- -- name: Test service - hosts: ipaserver - become: yes - - tasks: - # setup - - name: Setup test envirnoment. - include_tasks: env_setup.yml - - # Add service to test keytab create/retrieve attributes. - - name: Ensure test service is present - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - pac_type: - - MS-PAC - - PAD - auth_ind: otp - force: yes - requires_pre_auth: yes - ok_as_delegate: no - ok_to_auth_as_delegate: no - - # tests - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_user: - - user01 - - user02 - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_user: - - user01 - - user02 - action: member - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_user: - - user01 - - user02 - action: member - state: absent - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_user: - - user01 - - user02 - action: member - state: absent - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for group. 
- ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_group: - - group01 - - group02 - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for group, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_group: - - group01 - - group02 - action: member - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for group. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_group: - - group01 - - group02 - action: member - state: absent - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for group, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_group: - - group01 - - group02 - action: member - state: absent - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for host. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_host: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for host, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_host: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - action: member - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for host. 
- ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_host: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - action: member - state: absent - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for host, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_host: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - action: member - state: absent - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for hostgroup. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_hostgroup: - - hostgroup01 - - hostgroup02 - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for hostgroup, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_hostgroup: - - hostgroup01 - - hostgroup02 - action: member - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for hostgroup. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_hostgroup: - - hostgroup01 - - hostgroup02 - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for hostgroup, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_create_keytab_hostgroup: - - hostgroup01 - - hostgroup02 - action: member - state: absent - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users. 
- ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_user: - - user01 - - user02 - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_user: - - user01 - - user02 - action: member - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_user: - - user01 - - user02 - action: member - state: absent - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_user: - - user01 - - user02 - action: member - state: absent - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for group. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_group: - - group01 - - group02 - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for group, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_group: - - group01 - - group02 - action: member - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for group. 
- ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_group: - - group01 - - group02 - action: member - state: absent - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for group, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_group: - - group01 - - group02 - action: member - state: absent - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for host. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_host: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for host, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_host: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - action: member - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for host. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_host: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - action: member - state: absent - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for host, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_host: - - "{{ host1_fqdn }}" - - "{{ host2_fqdn }}" - action: member - state: absent - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for hostgroup. 
- ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_hostgroup: - - hostgroup01 - - hostgroup02 - action: member - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for hostgroup, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_hostgroup: - - hostgroup01 - - hostgroup02 - action: member - register: result - failed_when: result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for hostgroup. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_hostgroup: - - hostgroup01 - - hostgroup02 - action: member - state: absent - register: result - failed_when: not result.changed - - - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for hostgroup, again. - ipaservice: - ipaadmin_password: SomeADMINpassword - name: "HTTP/{{ svc_fqdn }}" - allow_retrieve_keytab_hostgroup: - - hostgroup01 - - hostgroup02 - action: member - state: absent - register: result - failed_when: result.changed - - # cleanup - - name: Clean-up envirnoment. - include_tasks: env_cleanup.yml diff --git a/tests/user/test_users.yml b/tests/user/test_users.yml index 81c7b60..5b5d453 100644 --- a/tests/user/test_users.yml +++ b/tests/user/test_users.yml @@ -85,25 +85,6 @@ register: result failed_when: result.changed - - name: Duplicate names in users failure test - ipauser: - ipaadmin_password: SomeADMINpassword - users: - - name: user1 - givenname: user1 - last: Last - - name: user2 - first: user2 - last: Last - - name: user3 - first: user3 - last: Last - - name: user3 - first: user3 - last: Last - register: result - failed_when: result.changed or "is used more than once" not in result.msg - - name: Remove test users ipauser: ipaadmin_password: SomeADMINpassword 
diff --git a/tests/vault/test_vault_asymmetric.yml b/tests/vault/test_vault_asymmetric.yml index 268922c..1a1d3dc 100644 --- a/tests/vault/test_vault_asymmetric.yml +++ b/tests/vault/test_vault_asymmetric.yml @@ -42,7 +42,7 @@ private_key: "{{ lookup('file', 'private.pem') | b64encode }}" state: retrieved register: result - failed_when: result.vault.data != 'Hello World.' or result.changed + failed_when: result.data != 'Hello World.' or result.changed - name: Retrieve data from asymmetric vault into file {{ ansible_env.HOME }}/data.txt. ipavault: @@ -75,7 +75,7 @@ private_key: "{{ lookup('file', 'private.pem') | b64encode }}" state: retrieved register: result - failed_when: result.vault.data != 'The world of π is half rounded.' or result.changed + failed_when: result.data != 'The world of π is half rounded.' or result.changed - name: Archive data in asymmetric vault, from file. ipavault: @@ -93,7 +93,7 @@ private_key: "{{ lookup('file', 'private.pem') | b64encode }}" state: retrieved register: result - failed_when: result.vault.data != 'Another World.' or result.changed + failed_when: result.data != 'Another World.' or result.changed - name: Archive data with single character to asymmetric vault ipavault: @@ -110,7 +110,7 @@ private_key: "{{ lookup('file', 'private.pem') | b64encode }}" state: retrieved register: result - failed_when: result.vault.data != 'c' or result.changed + failed_when: result.data != 'c' or result.changed - name: Ensure asymmetric vault is absent ipavault: @@ -161,7 +161,7 @@ private_key: "{{ lookup('file', 'private.pem') | b64encode }}" state: retrieved register: result - failed_when: result.vault.data != 'Hello World.' or result.changed + failed_when: result.data != 'Hello World.' or result.changed - name: Retrieve data from asymmetric vault, with password file. ipavault: 
@@ -170,7 +170,7 @@ private_key_file: "{{ ansible_env.HOME }}/private.pem" state: retrieved register: result - failed_when: result.vault.data != 'Hello World.' or result.changed + failed_when: result.data != 'Hello World.' or result.changed - name: Ensure asymmetric vault is absent ipavault: diff --git a/tests/vault/test_vault_standard.yml b/tests/vault/test_vault_standard.yml index 6ccb0d5..5e0da98 100644 --- a/tests/vault/test_vault_standard.yml +++ b/tests/vault/test_vault_standard.yml @@ -39,7 +39,7 @@ name: stdvault state: retrieved register: result - failed_when: result.vault.data != 'Hello World.' or result.changed + failed_when: result.data != 'Hello World.' or result.changed - name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt. ipavault: @@ -70,7 +70,7 @@ name: stdvault state: retrieved register: result - failed_when: result.vault.data != 'The world of π is half rounded.' or result.changed + failed_when: result.data != 'The world of π is half rounded.' or result.changed - name: Archive data in standard vault, from file. ipavault: @@ -87,7 +87,7 @@ name: stdvault state: retrieved register: result - failed_when: result.vault.data != 'Another World.' or result.changed + failed_when: result.data != 'Another World.' or result.changed - name: Archive data with single character to standard vault ipavault: @@ -103,7 +103,7 @@ name: stdvault state: retrieved register: result - failed_when: result.vault.data != 'c' or result.changed + failed_when: result.data != 'c' or result.changed - name: Ensure standard vault is absent ipavault: diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml index 5394c71..c9429f4 100644 --- a/tests/vault/test_vault_symmetric.yml +++ b/tests/vault/test_vault_symmetric.yml 
@@ -43,7 +43,7 @@ password: SomeVAULTpassword state: retrieved register: result - failed_when: result.vault.data != 'Hello World.' or result.changed + failed_when: result.data != 'Hello World.' or result.changed - name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt. ipavault: @@ -77,7 +77,7 @@ password: SomeVAULTpassword state: retrieved register: result - failed_when: result.vault.data != 'The world of π is half rounded.' or result.changed + failed_when: result.data != 'The world of π is half rounded.' or result.changed - name: Archive data in symmetric vault, from file. ipavault: @@ -95,7 +95,7 @@ password: SomeVAULTpassword state: retrieved register: result - failed_when: result.vault.data != 'Another World.' or result.changed + failed_when: result.data != 'Another World.' or result.changed - name: Archive data with single character to symmetric vault ipavault: @@ -113,7 +113,7 @@ password: SomeVAULTpassword state: retrieved register: result - failed_when: result.vault.data != 'c' or result.changed + failed_when: result.data != 'c' or result.changed - name: Ensure symmetric vault is absent ipavault: @@ -167,7 +167,7 @@ password: SomeVAULTpassword state: retrieved register: result - failed_when: result.vault.data != 'Hello World.' or result.changed + failed_when: result.data != 'Hello World.' or result.changed - name: Retrieve data from symmetric vault, with password file. ipavault: 
@@ -176,99 +176,7 @@ password_file: "{{ ansible_env.HOME }}/password.txt" state: retrieved register: result - failed_when: result.vault.data != 'Hello World.' or result.changed - - - name: Retrieve data from symmetric vault, with wrong password. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeWRONGpassword - state: retrieved - register: result - failed_when: not result.failed or "Invalid credentials" not in result.msg - - - name: Change vault password. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeVAULTpassword - new_password: SomeNEWpassword - register: result - failed_when: not result.changed - - - name: Retrieve data from symmetric vault, with new password. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeNEWpassword - state: retrieved - register: result - failed_when: result.vault.data != 'Hello World.' or result.changed - - - name: Retrieve data from symmetric vault, with old password. 
- ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeVAULTpassword - state: retrieved - register: result - failed_when: not result.failed or "Invalid credentials" not in result.msg - - - name: Change symmetric vault salt, changing password - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeNEWpassword - new_password: SomeVAULTpassword - salt: AAAAAAAAAAAAAAAAAAAAAAA= - register: result - failed_when: not result.changed - - - name: Change symmetric vault salt, without changing password - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeVAULTpassword - new_password: SomeVAULTpassword - salt: MTIzNDU2Nzg5MDEyMzQ1Ngo= - register: result - failed_when: not result.changed - - - name: Try to change symmetric vault salt, without providing any password - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - salt: MTIzNDU2Nzg5MDEyMzQ1Ngo= - register: result - failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg - - - name: Try to change symmetric vault salt, without providing `password` - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - salt: MTIzNDU2Nzg5MDEyMzQ1Ngo= - new_password: SomeVAULTpassword - register: result - failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg - - - name: Try to change symmetric vault salt, without providing `new_password` - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - salt: MTIzNDU2Nzg5MDEyMzQ1Ngo= - password: SomeVAULTpassword - register: result - failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg - - - name: Try to change symmetric vault salt, using wrong password. 
- ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeWRONGpassword - new_password: SomeWRONGpassword - salt: MDEyMzQ1Njc4OTAxMjM0NQo= - register: result - failed_when: not result.failed + failed_when: result.data != 'Hello World.' or result.changed - name: Ensure symmetric vault is absent ipavault: @@ -286,14 +194,5 @@ register: result failed_when: result.changed - - name: Try to change password of inexistent vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: inexistentvault - password: SomeVAULTpassword - new_password: SomeNEWpassword - register: result - failed_when: not result.failed or "Cannot modify password of inexistent vault" not in result.msg - - name: Cleanup testing environment. import_tasks: env_cleanup.yml
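Review bot: in the ipadnsforwardzone test hunk the rewritten assertions no longer detect module errors. `failed_when: result.changed` on "try to create a new forwarder with action=member" (which now runs right after the zone was made absent) overrides Ansible's default failure check, so a task whose module returns `failed: true` with `changed: false` passes; the removed `failed_when: not result.failed or "not found" not in result.msg` was the stronger check. Use `failed_when: result.failed or result.changed` there, and decide whether "try to create a new forwarder is disabled state" (typo for "in disabled state") is still meant as a negative test, since its new `failed_when: not result.changed` expects the creation to succeed. Separately, this file switches to `ipaadmin_password: password01` while every other test file in this patch keeps `SomeADMINpassword`, so the suite can no longer run unchanged against one server; use a single value (ideally a variable) across all tests.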
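Review bot: the tests/dnszone/test_dnszone.yml hunk at @@ -149 drops the only tests exercising a list-valued `name` on ipadnszone ("Ensure multiple zones are absent" and its idempotency repeat). If the module still accepts a list there, that coverage should stay; if list support is being removed, the commit message and the module documentation need to say so.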
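Review bot: deleting tests/dnszone/test_dnszone_name_from_ip.yml removes all coverage for `name_from_ip` (reverse zones derived from 192.0.2.3/24, fd00::0001 and 2001:db8:cafe:1::1) without explanation. If the file is restored instead, the second IPv6 check carries a copy-paste bug: `failed_when: not ipv6_sec_zone.changed or ipv6_zone.failed` should test `ipv6_sec_zone.failed`.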
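Review bot: the tests/group/test_group_membermanager.yml hunk at @@ -185 removes the negative test "Ensure unknown membermanager_user member failure" (and the @@ -8 hunk drops `unknown_user` from the cleanup to match). That task was the only check that naming a nonexistent user as a member manager is rejected with "no such entry" rather than silently accepted; keep it, or state in the commit message why the module's behaviour changed. The same applies to the matching hunks in tests/hostgroup/test_hostgroup_membermanager.yml.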
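Review bot: the tests/host/test_hosts.yml hunk at @@ -96 removes "Duplicate names in hosts failure test", the check that a `hosts` list containing `{{ host3_fqdn }}` twice is rejected with "is used more than once"; tests/user/test_users.yml at @@ -85 does the same for `users`. Without these a regression that applies duplicate entries silently would go unnoticed. If the tests were dropped because the error text changed, update the expected message rather than removing the test.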
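Review bot: the deleted tests/service/test_service_disable.yml had a logic problem that deserves a fix rather than deletion. Every "Verify keytab" step uses `failed_when: result.failed or result.stdout | regex_search(" Keytab. true")`, which fails whenever a keytab exists; that is the right check after `state: disabled` but the wrong one immediately after "Obtain keytab", where the condition needs to be inverted. The `mysvc1.keytab` file written by `ipa-getkeytab` was also never cleaned up. If disabling a service is still expected to remove its keytab, a corrected version of this test should remain.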
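Review bot: deleting tests/service/test_service_keytab.yml (together with the env_setup.yml, env_cleanup.yml and env_vars.yml helpers it includes) removes all coverage of `allow_create_keytab_*` and `allow_retrieve_keytab_*` membership, the ACLs that decide which users, groups, hosts and host groups may create or fetch a service's keytab. Since that is access-control behaviour, the tests should not disappear without a reason in the commit message; if the objection was only to the shared env_*.yml helpers, the setup can be inlined in the test instead. Should the file come back, "envirnoment" in the setup and cleanup task names is misspelled.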
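Review bot: across the tests/vault hunks the expected return key moves from `result.vault.data` to `result.data`, which is a change to the ipavault module's return structure; any playbook reading `result.vault.data` breaks, so the module's return documentation and a changelog entry need to follow. In the tests/vault/test_vault_symmetric.yml hunk at @@ -176, dropping "Retrieve data from symmetric vault, with wrong password." and "... with old password." also removes the only checks that a bad password is rejected with "Invalid credentials"; at least those two should stay. If the salt tests are restored, `failed_when: not result.failed and "..." not in result.msg` needs `or` instead of `and`, as written it fails only when both conditions hold.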
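Review bot: the tests/vault/test_vault_symmetric.yml hunk at @@ -286 removes "Try to change password of inexistent vault.", the check that `new_password` on a missing vault errors with "Cannot modify password of inexistent vault" instead of creating the vault or silently succeeding. Keep it unless `new_password` is no longer supported, in which case the commit message should say so.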