From 368cee9364d432665ffef9ffb8a4acef94bbb6d5 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 3 Sep 2021 13:28:38 -0300
Subject: [PATCH] ipaprivilege: Allow execution of plugin in client host.
Update privilege README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/privilege/test_privilege_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
---
README-privilege.md | 1 +
tests/privilege/test_privilege.yml | 20 +++++++++-
.../test_privilege_client_context.yml | 38 +++++++++++++++++++
3 files changed, 58 insertions(+), 1 deletion(-)
create mode 100644 tests/privilege/test_privilege_client_context.yml
diff --git a/README-privilege.md b/README-privilege.md
index ddb78a1a..3b2537f8 100644
--- a/README-privilege.md
+++ b/README-privilege.md
@@ -133,6 +133,7 @@ Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`name` \| `cn` | The list of privilege name strings. | yes
`description` | Privilege description. | no
`rename` \| `new_name` | Rename the privilege object. | no
diff --git a/tests/privilege/test_privilege.yml b/tests/privilege/test_privilege.yml
index 0f6a29d7..71c08d16 100644
--- a/tests/privilege/test_privilege.yml
+++ b/tests/privilege/test_privilege.yml
@@ -1,6 +1,6 @@
---
- name: Test privilege
- hosts: ipaserver
+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: true
tasks:
@@ -10,6 +10,7 @@
- name: Ensure privilege "Broad Privilege" is absent
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- Broad Privilege
- DNS Privilege
@@ -22,6 +23,7 @@
- name: Ensure privilege Broad Privilege is present
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
description: Broad Privilege
register: result
@@ -30,6 +32,7 @@
- name: Ensure privilege Broad Privilege is present again
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
description: Broad Privilege
register: result
@@ -38,6 +41,7 @@
- name: Change privilege Broad Privilege description
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
description: Broad Privilege description
register: result
@@ -46,6 +50,7 @@
- name: Ensure privilege Broad Privilege has permissions
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
permission:
- "Write IPA Configuration"
@@ -58,6 +63,7 @@
- name: Ensure privilege Broad Privilege has permissions, again
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
permission:
- "Write IPA Configuration"
@@ -70,6 +76,7 @@
- name: Ensure privilege Broad Privilege member permission "Write IPA Configuration" is absent
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
permission:
- "Write IPA Configuration"
@@ -81,6 +88,7 @@
- name: Ensure privilege Broad Privilege member permission "Write IPA Configuration" is absent again
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
permission:
- "Write IPA Configuration"
@@ -92,6 +100,7 @@
- name: Ensure privilege Broad Privilege is absent
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
state: absent
register: result
@@ -100,6 +109,7 @@
- name: Ensure privilege Broad Privilege is present
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
register: result
failed_when: not result.changed or result.failed
@@ -107,6 +117,7 @@
- name: Ensure privilege Broad Privilege is renamed to "DNS Privilege"
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
rename: DNS Privilege
state: renamed
@@ -116,6 +127,7 @@
- name: Ensure privilege Broad Privilege cannot be renamed, because it does not exist.
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
rename: DNS Privilege
state: renamed
@@ -125,6 +137,7 @@
- name: Ensure privilege cannot be renamed to the same name.
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: DNS Privilege
rename: DNS Privilege
state: renamed
@@ -134,6 +147,7 @@
- name: Ensure privilege cannot be renamed to the same name.
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: DNS Privilege
rename: DNS Privilege
state: renamed
@@ -143,12 +157,14 @@
- name: Ensure "Broad Privilege" is absent.
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
state: absent
- name: Ensure privilege Broad Privilege is created with permission. (issue 529)
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
permission:
- "Write IPA Configuration"
@@ -158,6 +174,7 @@
- name: Ensure privilege Broad Privilege is created with permission, again. (issue 529)
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: Broad Privilege
permission:
- "Write IPA Configuration"
@@ -169,6 +186,7 @@
- name: Ensure privilege testing privileges are absent
ipaprivilege:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- Broad Privilege
- DNS Privilege
diff --git a/tests/privilege/test_privilege_client_context.yml b/tests/privilege/test_privilege_client_context.yml
new file mode 100644
index 00000000..cd125f75
--- /dev/null
+++ b/tests/privilege/test_privilege_client_context.yml
@@ -0,0 +1,38 @@
+---
+- name: Test privilege
+ hosts: ipaclients, ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Include FreeIPA facts.
+ include_tasks: ../env_freeipa_facts.yml
+
+ # Test will only be executed if host is not a server.
+ - name: Execute with server context in the client.
+ ipaprivilege:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: server
+ name: ThisShouldNotWork
+ register: result
+ failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
+ when: ipa_host_is_client
+
+# Import basic module tests, and execute with ipa_context set to 'client'.
+# If ipaclients is set, it will be executed using the client, if not,
+# ipaserver will be used.
+#
+# With this setup, tests can be executed against an IPA client, against
+# an IPA server using "client" context, and ensure that tests are executed
+# in upstream CI.
+
+- name: Test privilege using client context, in client host.
+ import_playbook: test_privilege.yml
+ when: groups['ipaclients']
+ vars:
+ ipa_test_host: ipaclients
+
+- name: Test privilege using client context, in server host.
+ import_playbook: test_privilege.yml
+ when: groups['ipaclients'] is not defined or not groups['ipaclients']
+
--
GitLab