Skip to content
Snippets Groups Projects
Commit 7e0624d8 authored by Rafael Guterres Jeffman's avatar Rafael Guterres Jeffman
Browse files

ipavault: Allow execution of plugin in client host.

Update vault README file and add tests for executing plugin with
`ipaapi_context` set to `client`.

A new test playbook can be found at:

    tests/vault/test_vault_client_context.yml

As `ipavault` only works in client context, an error is raised if it
is explicitly executed in a server context.
parent d9dcc8f5
Branches
Tags
No related merge requests found
......@@ -217,6 +217,7 @@ Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Currently only `client` is supported by this module, and use of `server` will raise a failure. | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
......
......@@ -443,6 +443,11 @@ def check_parameters( # pylint: disable=unused-argument
password, password_file, public_key, public_key_file, private_key,
private_key_file, vault_data, datafile_in, datafile_out, new_password,
new_password_file):
if module.params_get("ipaapi_context") == "server":
module.fail_json(
msg="Context 'server' for ipavault not yet supported."
)
invalid = []
if state == "present":
invalid = ['datafile_out']
......@@ -718,7 +723,7 @@ def main():
changed = False
exit_args = {}
with ansible_module.ipa_connect(context='ansible-freeipa') as ccache_name:
with ansible_module.ipa_connect(context="client") as ccache_name:
if ccache_name is not None:
os.environ["KRB5CCNAME"] = ccache_name
......
......@@ -26,6 +26,7 @@
- name: Ensure test users do not exist.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- user01
- user02
......@@ -35,6 +36,7 @@
- name: Ensure test groups do not exist.
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: vaultgroup
state: absent
......
......@@ -35,11 +35,13 @@
- name: Ensure vaultgroup exists.
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: vaultgroup
- name: Ensure testing users exist.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
users:
- name: user01
first: First
......
---
- name: Test vault
hosts: ipaserver
become: no
# Need to gather facts for ansible_env.
gather_facts: yes
tasks:
- name: Setup testing environment.
import_tasks: env_setup.yml
# vault requires 'ipaapi_context: client', and uses this
# context by defoult, so we test only for the case where
# 'ipaapi_context: server' is explicitly set.
- name: Execute with server context.
ipavault:
ipaadmin_password: SomeADMINpassword
ipaapi_context: server
name: ThisShouldNotWork
vault_type: standard
register: result
failed_when: not (result.failed and result.msg is regex("Context 'server' for ipavault not yet supported."))
- name: Cleanup testing environment.
import_tasks: env_cleanup.yml
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment