Merge pull request #810 from rjeffman/ipatrust_fix_range_type

ipatrust: fix range_type and test enhancement.

Merge pull request #810 from rjeffman/ipatrust_fix_range_type
bd084ad3 · Thomas Woerner · GitHub · 1276e388 · 766cf5a2 · bd084ad3
Unverified Commit bd084ad3 authored Apr 27, 2022 by Thomas Woerner Committed by GitHub Apr 27, 2022
--- a/plugins/modules/ipatrust.py
+++ b/plugins/modules/ipatrust.py
@@ -158,7 +158,7 @@ def add_trust(module, realm, args):
 def gen_args(trust_type, admin, password, server, trust_secret, base_id,
-             range_size, _range_type, two_way, external):
+             range_size, range_type, two_way, external):
    _args = {}
    if trust_type is not None:
        _args["trust_type"] = trust_type
@@ -174,6 +174,8 @@ def gen_args(trust_type, admin, password, server, trust_secret, base_id,
        _args["base_id"] = base_id
    if range_size is not None:
        _args["range_size"] = range_size
+    if range_type is not None:
+        _args["range_type"] = range_type
    if two_way is not None:
        _args["bidirectional"] = two_way
    if external is not None:

--- a/tests/trust/test_trust.yml
+++ b/tests/trust/test_trust.yml
 ---
- name: find trust
+- name: Test ipatrust
  hosts: "{{ ipa_test_host | default('ipaserver') }}"
  become: true
  gather_facts: false
+  vars:
+    adserver:
+      domain: "{{ winserver_domain | default('windows.local')}}"
+      realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}"
+      password: "{{ winserver_admin_password | default('SomeW1Npassword') }}"
+    ipaserver:
+      domain: "{{ ipaserver_domain | default('ipa.test')}}"
+      realm: "{{ ipaserver_realm | default(ipaserver_domain) | default('ipa.test') | upper }}"
+    trust_exists: 'Realm name: {{ adserver.domain }}'
+    ad_range_exists: 'Range name: {{ adserver.realm }}_id_range'
+    ipa_range_exists: 'Range name: {{ ipaserver.realm }}_subid_range'
  tasks:
  - block:
-    - name: delete trust
+    - name: Delete test trust
      ipatrust:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
-        realm: windows.local
+        realm: "{{ adserver.domain }}"
        state: absent
-      register: del_trust
-    - name: check for trust
+    - name: Clear test idranges
      shell: |
-        echo 'SomeADMINpassword' | kinit admin
+        kinit -c test_krb5_cache admin <<< SomeADMINpassword
-        ipa trust-find windows.local
+        ipa idrange-del {{ adserver.realm }}_id_range || true
-      register: check_find_trust
+        ipa idrange-del {{ ipaserver.realm }}_subid_range || true
-      failed_when: "'0 trusts matched' not in check_find_trust.stdout"
+        kdestroy -c test_krb5_cache -q -A
-    - name: delete id range
+    - name: Add trust with range_type 'ipa-ad-trust'
+      ipatrust:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        realm: "{{ adserver.domain }}"
+        admin: Administrator
+        trust_type: ad
+        range_type: ipa-ad-trust
+        password: "{{ adserver.password }}"
+        state: present
+      register: result
+      failed_when: result.failed or not result.changed
+    - name: check if 'ipa-ad-trust' trust exists
      shell: |
        echo 'SomeADMINpassword' | kinit admin
-        ipa idrange-del WINDOWS.LOCAL_id_range
+        ipa trust-find
-      when: del_trust['changed'] | bool
+        kdestroy -c test_krb5_cache -q -A
+      register: check_add_trust
+      failed_when: "trust_exists not in check_add_trust.stdout"
-    - name: check for range
+    - name: Add trust with range_type 'ipa-ad-trust', again
+      ipatrust:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        realm: "{{ adserver.domain }}"
+        admin: Administrator
+        range_type: ipa-ad-trust
+        password: "{{ adserver.password }}"
+        state: present
+      register: result
+      failed_when: result.failed or result.changed
+    - name: Delete 'ipa-ad-trust' trust
+      ipatrust:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        realm: "{{ adserver.domain }}"
+        state: absent
+      register: result
+      failed_when: result.failed or not result.changed
+    - name: Check if 'ipa-ad-trust' trust was removed
      shell: |
-        echo 'SomeADMINpassword' | kinit admin
+        kinit -c test_krb5_cache admin <<< SomeADMINpassword
-        ipa idrange-find WINDOWS.LOCAL_id_range
+        ipa trust-find
-      register: check_del_idrange
+        kdestroy -c test_krb5_cache -q -A
-      failed_when: "'0 ranges matched' not in check_del_idrange.stdout"
+      register: check_add_trust
+      failed_when: "trust_exists in check_add_trust.stdout"
+    - name: Delete 'ipa-ad-trust' trust, again
+      ipatrust:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        realm: "{{ adserver.domain }}"
+        state: absent
+      register: result
+      failed_when: result.failed or result.changed
+    - name: Clear test idranges
+      shell: |
+        kinit -c test_krb5_cache admin <<< SomeADMINpassword
+        ipa idrange-del {{ adserver.realm }}_id_range || true
+        ipa idrange-del {{ ipaserver.realm }}_subid_range || true
+        kdestroy -c test_krb5_cache -q -A
-    - name: add trust
+    - name: Add trust with range_type 'ipa-ad-trust-posix'
      ipatrust:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
-        realm: windows.local
+        realm: "{{ adserver.domain }}"
        admin: Administrator
-        password: secret_ad_pw
+        range_type: ipa-ad-trust-posix
+        password: "{{ adserver.password }}"
        state: present
+      register: result
+      failed_when: result.failed or not result.changed
-    - name: check for trust
+    - name: Check if 'ipa-ad-trust-posix' trust exists
      shell: |
-        echo 'SomeADMINpassword' | kinit admin
+        kinit -c test_krb5_cache admin <<< SomeADMINpassword
-        ipa trust-find windows.local
+        ipa trust-find
+        kdestroy -c test_krb5_cache -q -A
      register: check_add_trust
-      failed_when: "'1 trust matched' not in check_add_trust.stdout"
+      failed_when: "trust_exists not in check_add_trust.stdout"
+    - name: Add trust with range_type 'ipa-ad-trust-posix', again
+      ipatrust:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        realm: "{{ adserver.domain }}"
+        admin: Administrator
+        range_type: ipa-ad-trust-posix
+        password: "{{ adserver.password }}"
+        state: present
+      register: result
+      failed_when: result.failed or result.changed
+    - name: Delete 'ipa-ad-trust-posix' trust
+      ipatrust:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        realm: "{{ adserver.domain }}"
+        state: absent
+      register: result
+      failed_when: result.failed or not result.changed
+    - name: Check if trust 'ipa-ad-trust-posix' was removed
+      shell: |
+        kinit -c test_krb5_cache admin <<< SomeADMINpassword
+        ipa trust-find
+        kdestroy -c test_krb5_cache -q -A
+      register: check_del_trust
+      failed_when: "trust_exists in check_del_trust.stdout"
+    - name: Delete 'ipa-ad-trust-posix' trust, again
+      ipatrust:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        realm: "{{ adserver.domain }}"
+        state: absent
+      register: result
+      failed_when: result.failed or result.changed
+    - name: Clear test idranges
+      shell: |
+        kinit -c test_krb5_cache admin <<< SomeADMINpassword
+        ipa idrange-del {{ adserver.realm }}_id_range || true
+        ipa idrange-del {{ ipaserver.realm }}_subid_range || true
+        kdestroy -c test_krb5_cache -q -A
    when: trust_test_is_supported | default(false)
--- a/tests/trust/test_trust_client_context.yml
+++ b/tests/trust/test_trust_client_context.yml
@@ -13,7 +13,7 @@
    ipatrust:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: server
-      realm: windows.local
+      realm: this.test.should.fail
    register: result
    failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
    when: ipa_host_is_client