From 6ce1055bac021fd379a5db4d166a9142a326fa1d Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman <rjeffman@redhat.com> Date: Fri, 3 Sep 2021 13:28:25 -0300 Subject: [PATCH] ipahbacsvcgroup: Allow execution of plugin in client host. Update hbacsvcgroup README file and add tests for executing plugin with `ipaapi_context` set to `client`. A new test playbook can be found at: tests/hbacsvcgroup/test_hbacsvcgroup_client_context.yml The new test file can be executed in a FreeIPA client host that is not a server. In this case, it should be defined in the `ipaclients` group, in the inventory file. --- README-hbacsvcgroup.md | 1 + tests/hbacsvcgroup/test_hbacsvcgroup.yml | 12 +++++- .../test_hbacsvcgroup_client_context.yml | 37 +++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 tests/hbacsvcgroup/test_hbacsvcgroup_client_context.yml diff --git a/README-hbacsvcgroup.md b/README-hbacsvcgroup.md index 56d5f7a6..c2beae41 100644 --- a/README-hbacsvcgroup.md +++ b/README-hbacsvcgroup.md @@ -136,6 +136,7 @@ Variable | Description | Required -------- | ----------- | -------- `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no +`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no `name` \| `cn` | The list of hbacsvcgroup name strings. | no `description` | The hbacsvcgroup description string. | no `nomembers` | Suppress processing of membership attributes. (bool) | no diff --git a/tests/hbacsvcgroup/test_hbacsvcgroup.yml b/tests/hbacsvcgroup/test_hbacsvcgroup.yml index d0cd02cd..024b3904 100644 --- a/tests/hbacsvcgroup/test_hbacsvcgroup.yml +++ b/tests/hbacsvcgroup/test_hbacsvcgroup.yml 
@@ -1,6 +1,6 @@ --- - name: Test hbacsvcgroup - hosts: ipaserver + hosts: "{{ ipa_test_host | default('ipaserver') }}" become: true gather_facts: false @@ -8,17 +8,20 @@ - name: Ensure HBAC Service Group login is absent ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login state: absent - name: Ensure HBAC Service for sshd is present ipahbacsvc: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login - name: Ensure HBAC Service Group login is present ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login register: result failed_when: not result.changed or result.failed @@ -26,6 +29,7 @@ - name: Ensure HBAC Service Group login is present again ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login register: result failed_when: result.changed or result.failed @@ -33,6 +37,7 @@ - name: Ensure HBAC Service sshd is present in HBAC Service Group login ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login hbacsvc: - sshd @@ -43,6 +48,7 @@ - name: Ensure HBAC Service sshd is present in HBAC Service Group login again ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login hbacsvc: - sshd @@ -53,6 +59,7 @@ - name: Ensure HBAC Services sshd and foo are absent in HBAC Service Group login ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login hbacsvc: - sshd @@ -65,6 +72,7 @@ - name: Ensure HBAC Services sshd and foo are absent in HBAC Service Group login again ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login hbacsvc: - sshd 
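Review bot: The first hunk makes `hosts:` an input (`ipa_test_host`) but leaves `become: true` on the next context line untouched, so when the new client-context playbook imports this file with `ipa_test_host: ipaclients`, every task escalates to root on the client hosts, whereas that playbook's own play sets `become: no`. If client-context execution does not need root (this diff does not show either way), make escalation overridable too, for example `become: "{{ ipa_test_become | default(true) }}"`, where `ipa_test_become` is a name made up for this note. The two new inputs are also undocumented in this file; a header comment such as `# Optional vars: ipa_test_host (inventory pattern, default ipaserver); ipa_context (server|client, omitted = auto-detect)` would cover the `ipaapi_context` lines added in every later hunk, including the two at `-77` and `-85`. The `ipahbacsvc` task in the second hunk receives the same parameter, so it is worth confirming that module accepts `ipaapi_context`, since this commit only documents it for hbacsvcgroup.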
@@ -77,6 +85,7 @@ - name: Ensure HBAC Service Group login is absent ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login state: absent register: result @@ -85,6 +94,7 @@ - name: Ensure HBAC Service Group login is absent again ipahbacsvcgroup: ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" name: login state: absent register: result diff --git a/tests/hbacsvcgroup/test_hbacsvcgroup_client_context.yml b/tests/hbacsvcgroup/test_hbacsvcgroup_client_context.yml new file mode 100644 index 00000000..569fe5b4 --- /dev/null +++ b/tests/hbacsvcgroup/test_hbacsvcgroup_client_context.yml @@ -0,0 +1,37 @@ +--- +- name: Test hbacsvcgroup + hosts: ipaclients, ipaserver + become: no + gather_facts: no + + tasks: + - name: Include FreeIPA facts. + include_tasks: ../env_freeipa_facts.yml + + # Test will only be executed if host is not a server. + - name: Execute with server context in the client. + ipahbacsvcgroup: + ipaadmin_password: SomeADMINpassword + ipaapi_context: server + name: ThisShouldNotWork + register: result + failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*")) + when: ipa_host_is_client + +# Import basic module tests, and execute with ipa_context set to 'client'. +# If ipaclients is set, it will be executed using the client, if not, +# ipaserver will be used. +# +# With this setup, tests can be executed against an IPA client, against +# an IPA server using "client" context, and ensure that tests are executed +# in upstream CI. + +- name: Test hbacsvcgroup using client context, in client host. + import_playbook: test_hbacsvcgroup.yml + when: groups['ipaclients'] + vars: + ipa_test_host: ipaclients + +- name: Test hbacsvcgroup using client context, in server host. + import_playbook: test_hbacsvcgroup.yml + when: groups['ipaclients'] is not defined or not groups['ipaclients'] -- GitLab
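Review bot: Neither `import_playbook` at the end of the new file passes `ipa_context`, so the imported tasks fall back to `default(omit)` and the context is auto-detected. The second import, which runs on `ipaserver`, would then most likely execute in server context even though its name and the comment above it say client context, so the suite can pass without ever exercising the client path on a server. Unless the variable is supplied from outside (inventory or `-e`, not visible in this diff), add `ipa_context: client` under `vars:` of the first import and a `vars:` block with the same entry to the second. Separately, `become: no` and `gather_facts: no` in the first play use the YAML 1.1 truthy spelling while test_hbacsvcgroup.yml uses `true`/`false`; `become: false` and `gather_facts: false` would keep the two files consistent.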