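---
# Test playbook for the ipasudorule module. Most cases run twice: the first
# call must report a change, the identical second call must report none.
#
# NOTE(review): ipaadmin_password is hard-coded in every task, presumably a
# throwaway lab credential. Outside a disposable test server it should come
# from a vaulted variable rather than from the playbook text.
- name: Test sudorule
  hosts: ipaserver
  # Every task runs with privilege escalation on the IPA server.
  become: true
  # Facts are required: ansible_fqdn is used for the host member below.
  gather_facts: true

  tasks:
    # setup
    # Remove leftovers from earlier runs, then create the user, group,
    # hostgroup, sudo commands and sudo command group the tests refer to.
    - name: Ensure user is absent
      ipauser:
        ipaadmin_password: SomeADMINpassword
        name: user01
        state: absent

    - name: Ensure group is absent
      ipagroup:
        ipaadmin_password: SomeADMINpassword
        name: group01
        state: absent

    - name: Ensure user is present
      ipauser:
        ipaadmin_password: SomeADMINpassword
        name: user01
        first: user
        last: zeroone

    - name: Ensure group is present, with user01 on it.
      ipagroup:
        ipaadmin_password: SomeADMINpassword
        name: group01
        user: user01

    - name: Ensure sudocmdgroup is absent
      ipasudocmdgroup:
        ipaadmin_password: SomeADMINpassword
        name: test_sudorule
        state: absent

    - name: Ensure hostgroup is present, with a host.
      ipahostgroup:
        ipaadmin_password: SomeADMINpassword
        name: cluster
        host: "{{ ansible_fqdn }}"

    - name: Ensure some sudocmds are available
      ipasudocmd:
        ipaadmin_password: SomeADMINpassword
        name:
          - /sbin/ifconfig
          - /usr/bin/vim
        state: present

    - name: Ensure sudocmdgroup is available
      ipasudocmdgroup:
        ipaadmin_password: SomeADMINpassword
        name: test_sudorule
        sudocmd: /usr/bin/vim
        state: present

    # Start from a known state: none of the rules used below may exist.
    - name: Ensure sudorules are absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name:
          - testrule1
          - allusers
          - allhosts
          - allcommands
        state: absent

    # tests
    - name: Ensure sudorule is present
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
      register: result
      failed_when: result.changed

    # RunAs user membership: add, repeat, remove, repeat.
    - name: Ensure user01 is on the list of users sudorule execute as.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasuser:
          - user01
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure user01 is on the list of users sudorule execute as, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasuser:
          - user01
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure user01 is not on the list of users sudorule execute as.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasuser:
          - user01
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure user01 is not on the list of users sudorule execute as, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasuser:
          - user01
        action: member
        state: absent
      register: result
      failed_when: result.changed

    # RunAs group membership: add, repeat, remove, repeat.
    - name: Ensure group01 is on the list of group sudorule execute as.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasgroup:
          - group01
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure group01 is on the list of group sudorule execute as, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasgroup:
          - group01
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure group01 is not on the list of group sudorule execute as.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasgroup:
          - group01
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure group01 is not on the list of groups sudorule execute as, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        runasgroup:
          - group01
        action: member
        state: absent
      register: result
      failed_when: result.changed

    # Category 'all' cases. These use separate rules (allusers, allhosts,
    # allcommands) and each of them is deleted again before the play ends.
    - name: Ensure sudorule is present, with usercategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with usercategory 'all', again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is with usercategory 'all' is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasusercategory 'all'.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasusercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasusercategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasusercategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is with runasusercategory 'all' is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasgroupcategory 'all'.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasgroupcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with runasgroupcategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        runasgroupcategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is with runasgroupcategory 'all' is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: not result.changed

    # The allusers rule is recreated here and stays until the final
    # "allusers is absent" test.
    - name: Ensure sudorule is present, with usercategory 'all'.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with usercategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        usercategory: all
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with hostcategory 'all'
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allhosts
        hostcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with hostcategory 'all', again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allhosts
        hostcategory: all
      register: result
      failed_when: result.changed

    # Enable/disable. testrule1 has not been disabled since it was created
    # above, so this first call has to report a change like every other
    # first-time case; without the assertion a disable that does nothing
    # would pass unnoticed.
    - name: Ensure sudorule is disabled
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: disabled
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is disabled, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: disabled
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is enabled
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: enabled
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is enabled, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: enabled
      register: result
      failed_when: result.changed

    # User and group membership of the rule itself.
    - name: Ensure user is present in sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        user: user01
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure user is present in sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        user: user01
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure user is absent from sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        user: user01
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure user is absent from sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        user: user01
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure group is present in sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        group: group01
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure group is present in sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        group: group01
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure group is absent from sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        group: group01
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure group is absent from sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        group: group01
        action: member
        state: absent
      register: result
      failed_when: result.changed

    # '!authenticate' is the sudoers option that skips the password prompt.
    # It must stay quoted: a leading '!' would otherwise start a YAML tag.
    # The option is never removed on its own; it goes away when testrule1
    # is deleted near the end of the play.
    - name: Ensure sudorule has a sudooption.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        sudooption: '!authenticate'
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule has a sudooption, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        sudooption: '!authenticate'
        action: member
      register: result
      failed_when: result.changed

    # Rule order: set, repeat, then change to a different value.
    - name: Ensure sudorule has an order.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        order: 1
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule has an order, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        order: 1
      register: result
      failed_when: result.changed

    - name: Ensure sudorule has another order.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        order: 10
      register: result
      failed_when: not result.changed

    # Allowed and denied sudo commands.
    - name: Ensure sudorule is present and some sudocmd are allowed.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmd:
          - /sbin/ifconfig
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present and some sudocmd are allowed, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmd:
          - /sbin/ifconfig
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present and some sudocmd are denyed.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmd:
          - /usr/bin/vim
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present and some sudocmd are denyed, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmd:
          - /usr/bin/vim
        action: member
      register: result
      failed_when: result.changed

    # Both lists are removed in one call, passed as scalars instead of lists.
    - name: Ensure sudorule is present and, sudocmds are absent.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmd: /sbin/ifconfig
        deny_sudocmd: /usr/bin/vim
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present and, sudocmds are absent, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmd: /sbin/ifconfig
        deny_sudocmd: /usr/bin/vim
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present with cmdcategory 'all'.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allcommands
        cmdcategory: all
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present with cmdcategory 'all', again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allcommands
        cmdcategory: all
      register: result
      failed_when: result.changed

    # Host and hostgroup membership.
    - name: Ensure host "{{ ansible_fqdn }}" is present in sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        host: "{{ ansible_fqdn }}"
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure host "{{ ansible_fqdn }}" is present in sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        host: "{{ ansible_fqdn }}"
        action: member
      register: result
      failed_when: result.changed

    - name: Ensure hostgroup is present in sudorule.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        hostgroup: cluster
        action: member
      register: result
      failed_when: not result.changed

    - name: Ensure hostgroup is present in sudorule, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        hostgroup: cluster
        action: member
      register: result
      failed_when: result.changed

    # Sudo command groups. The add cases use state: present without
    # action: member, the remove cases use action: member.
    - name: Ensure sudorule is present, with an allow_sudocmdgroup.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmdgroup: test_sudorule
        state: present
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmdgroup: test_sudorule
        state: present
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmdgroup: test_sudorule
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    # Named ", again" so that a failure here can be told apart from the
    # preceding task in the play output.
    - name: Ensure sudorule is present, but allow_sudocmdgroup is absent, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        allow_sudocmdgroup: test_sudorule
        action: member
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, with an deny_sudocmdgroup.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmdgroup: test_sudorule
        state: present
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmdgroup: test_sudorule
        state: present
      register: result
      failed_when: result.changed

    - name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmdgroup: test_sudorule
        action: member
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        deny_sudocmdgroup: test_sudorule
        action: member
        state: absent
      register: result
      failed_when: result.changed

    # Rule deletion, asserted per rule.
    - name: Ensure sudorule is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule is absent, again.
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: testrule1
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule allhosts is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allhosts
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule allhosts is absent, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allhosts
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule allusers is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule allusers is absent, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allusers
        state: absent
      register: result
      failed_when: result.changed

    - name: Ensure sudorule allcommands is absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allcommands
        state: absent
      register: result
      failed_when: not result.changed

    - name: Ensure sudorule allcommands is absent, again
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name: allcommands
        state: absent
      register: result
      failed_when: result.changed

    # cleanup
    # No change assertions here: cleanup only has to leave nothing behind.
    - name: Ensure sudocmdgroup is absent
      ipasudocmdgroup:
        ipaadmin_password: SomeADMINpassword
        name: test_sudorule
        state: absent

    - name: Ensure sudocmds are absent
      ipasudocmd:
        ipaadmin_password: SomeADMINpassword
        name:
          - /sbin/ifconfig
          - /usr/bin/vim
        state: absent

    - name: Ensure sudorules are absent
      ipasudorule:
        ipaadmin_password: SomeADMINpassword
        name:
          - testrule1
          - allusers
          - allhosts
          - allcommands
        state: absent

    - name: Ensure hostgroup is absent.
      ipahostgroup:
        ipaadmin_password: SomeADMINpassword
        name: cluster
        state: absent

    # The setup section creates group01 and user01; remove them as well so
    # the play does not leave test identities on the directory server.
    - name: Ensure test group group01 is absent.
      ipagroup:
        ipaadmin_password: SomeADMINpassword
        name: group01
        state: absent

    - name: Ensure test user user01 is absent.
      ipauser:
        ipaadmin_password: SomeADMINpassword
        name: user01
        state: absent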