From 7e0624d8362671d59fc49e33f616a4ef29c5b114 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 3 Sep 2021 13:31:57 -0300
Subject: [PATCH] ipavault: Allow execution of plugin in client host.

Update vault README file and add tests for executing plugin with
`ipaapi_context` set to `client`.

A new test playbook can be found at:

    tests/vault/test_vault_client_context.yml

As `ipavault` only works in client context, an error is raised if it
is explicitly executed in a server context.
---
 README-vault.md                           |  1 +
 plugins/modules/ipavault.py               |  7 ++++++-
 tests/vault/env_cleanup.yml               |  2 ++
 tests/vault/env_setup.yml                 |  2 ++
 tests/vault/test_vault_client_context.yml | 25 +++++++++++++++++++++++
 5 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 tests/vault/test_vault_client_context.yml

diff --git a/README-vault.md b/README-vault.md
index 3f5f989e..545c343a 100644
--- a/README-vault.md
+++ b/README-vault.md
@@ -217,6 +217,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Currently only `client` is supported by this module, and use of `server` will raise a failure. | no
 `name` \| `cn` | The list of vault name strings. | yes
 `description` | The vault description string. | no
 `password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
index 7af6c353..abd5eddf 100644
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -443,6 +443,11 @@ def check_parameters(  # pylint: disable=unused-argument
         password, password_file, public_key, public_key_file, private_key,
         private_key_file, vault_data, datafile_in, datafile_out, new_password,
         new_password_file):
+    if module.params_get("ipaapi_context") == "server":
+        module.fail_json(
+            msg="Context 'server' for ipavault not yet supported."
+        )
+
     invalid = []
     if state == "present":
         invalid = ['datafile_out']
@@ -718,7 +723,7 @@ def main():
     changed = False
     exit_args = {}
 
-    with ansible_module.ipa_connect(context='ansible-freeipa') as ccache_name:
+    with ansible_module.ipa_connect(context="client") as ccache_name:
         if ccache_name is not None:
             os.environ["KRB5CCNAME"] = ccache_name
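Review bot: The literal `"client"` passed to `ipa_connect` repeats the decision made in check_parameters (which rejects `server`) without saying so; a one-line comment keeps the two places in sync: `# ipavault only works in "client" context; check_parameters rejects "server".` Dropping the previous `'ansible-freeipa'` context name presumably changes which configuration section the IPA API reads, which is worth stating in the commit message if so. main() starts above the hunk and continues below it.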
 
diff --git a/tests/vault/env_cleanup.yml b/tests/vault/env_cleanup.yml
index 9b0d6f7e..e545e791 100644
--- a/tests/vault/env_cleanup.yml
+++ b/tests/vault/env_cleanup.yml
@@ -26,6 +26,7 @@
   - name: Ensure test users do not exist.
     ipauser:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name:
       - user01
       - user02
@@ -35,6 +36,7 @@
   - name: Ensure test groups do not exist.
     ipagroup:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: vaultgroup
       state: absent
 
diff --git a/tests/vault/env_setup.yml b/tests/vault/env_setup.yml
index 059caf5f..4e2d40e8 100644
--- a/tests/vault/env_setup.yml
+++ b/tests/vault/env_setup.yml
@@ -35,11 +35,13 @@
   - name: Ensure vaultgroup exists.
     ipagroup:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: vaultgroup
 
   - name: Ensure testing users exist.
     ipauser:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       users:
       - name: user01
         first: First
diff --git a/tests/vault/test_vault_client_context.yml b/tests/vault/test_vault_client_context.yml
new file mode 100644
index 00000000..2ebb410e
--- /dev/null
+++ b/tests/vault/test_vault_client_context.yml
@@ -0,0 +1,25 @@
+---
+- name: Test vault
+  hosts: ipaserver
+  become: no
+  # Need to gather facts for ansible_env.
+  gather_facts: yes
+
+  tasks:
+  - name: Setup testing environment.
+    import_tasks: env_setup.yml
+
+  # vault requires 'ipaapi_context: client', and uses this
+  # context by defoult, so we test only for the case where
+  # 'ipaapi_context: server' is explicitly set.
+  - name: Execute with server context.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server
+      name: ThisShouldNotWork
+      vault_type: standard
+    register: result
+    failed_when: not (result.failed and result.msg is regex("Context 'server' for ipavault not yet supported."))
+
+  - name: Cleanup testing environment.
+    import_tasks: env_cleanup.yml
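Review bot: The task comment misspells `defoult` (should be `default`), and the `failed_when` expression uses a regex for what is a plain substring check, so the trailing `.` is an unescaped wildcard; `failed_when: not (result.failed and "Context 'server' for ipavault not yet supported." in result.msg)` is simpler and exact. When that assertion fails the play stops before `env_cleanup.yml` runs, leaving the test users and `vaultgroup` behind on the host; wrapping the test task in a `block` with the cleanup import under `always` would avoid that.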
-- 
GitLab