New hbacrule (HBAC Rule) management module

There is a new hbacrule (HBAC Rule) management module placed in the plugins folder: plugins/modules/ipahbacrule.py The hbacrule module allows to ensure presence and absence of HBAC Rules. Here is the documentation for the module: README-hbacrule.md New example playbooks have been added: playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml playbooks/hbacrule/ensure-hbarule-allhosts-present.yml playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml New tests added for the module: tests/hbacrule/test_hbacrule.yml

New hbacrule (HBAC Rule) management module
d36d25d6 · Thomas Woerner · 6af0d9b7 · d36d25d6 · d36d25d6 · d36d25d6
Commit d36d25d6 authored 5 years ago by Thomas Woerner
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
+HBACrule module
+===============
+
+Description
+-----------
+
+The hbacrule (HBAC Rule) module allows to ensure presence and absence of HBAC Rules and host, hostgroups, HBAC Services, HBAC Service Groups, users, and user groups as members of HBAC Rule.
+
+
+Features
+--------
+* HBAC Rule management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipahbacrule module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure HBAC Rule login exists:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Rule login is present
+  - ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: login
+```
+
+
+Example playbook to make sure HBAC Rule login exists with the only HBAC Service sshd:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Rule login is present with the only HBAC Service sshd
+  - ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: login
+      hbacsvc:
+      - sshd
+```
+
+Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service sshd is present in HBAC Rule login
+  - ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
+```
+
+Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service sshd is present in HBAC Rule login
+  - ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
+      state: absent
+```
+
+Example playbook to make sure HBAC Rule login is absent:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Rule login is present
+  - ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: login
+      state: absent
+```
+
+
+Variables
+=========
+
+ipahbacrule
+---------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of hbacrule name strings. | yes
+`description` | The hbacrule description string. | no
+`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
+`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
+`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`host` | List of host name strings assigned to this hbacrule. | no
+`hostgroup` | List of host group name strings assigned to this hbacrule. | no
+`hbacsvc` | List of HBAC Service name strings assigned to this hbacrule. | no
+`hbacsvcgroup` | List of HBAC Service Group name strings assigned to this hbacrule. | no
+`user` | List of user name strings assigned to this hbacrule. | no
+`group` | List of user group name strings assigned to this hbacrule. | no
+`action` | Work on hbacrule or member level. It can be on of `member` or `hbacrule` and defaults to `hbacrule`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ Features
 * One-time-password (OTP) support for client installation
 * Repair mode for clients
 * Modules for group management
+* Modules for hbacrule management
 * Modules for hbacsvc management
 * Modules for hbacsvcgroup management
 * Modules for host management
@@ -394,6 +395,7 @@ Modules in plugin/modules
 =========================

 * [ipagroup](README-group.md)
+* [ipahbacrule](README-hbacrule.md)
 * [ipahbacsvc](README-hbacsvc.md)
 * [ipahbacsvcgroup](README-hbacsvc.md)
 * [ipahost](README-host.md)

--- a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is absent
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      state: absent
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is disabled
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      state: disabled
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is enabled
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      state: enabled
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is present
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      usercategory: all
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure host server is absent in HBAC Rule allhosts
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      host: server
+      action: member
+      state: absent
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure host server is present in HBAC Rule allhosts
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      host: server
+      action: member
--- a/plugins/modules/ipahbacrule.py
+++ b/plugins/modules/ipahbacrule.py
--- a/tests/hbacrule/test_hbacrule.yml
+++ b/tests/hbacrule/test_hbacrule.yml
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is absent
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts,sshd-pinky,loginRule
+      state: absent
+
+  - name: User pinky absent
+    ipauser:
+      ipaadmin_password: MyPassword123
+      name: pinky
+      state: absent
+
+  - name: User group login absent
+    ipagroup:
+      ipaadmin_password: MyPassword123
+      name: login
+      state: absent
+
+  - name: User pinky present
+    ipauser:
+      ipaadmin_password: MyPassword123
+      name: pinky
+      uid: 10001
+      gid: 100
+      phone: "+555123457"
+      email: pinky@acme.com
+      principalexpiration: "20220119235959"
+      #passwordexpiration: "2022-01-19 23:59:59"
+      first: pinky
+      last: Acme
+    register: result
+    failed_when: not result.changed
+
+  - name: User group login present
+    ipagroup:
+      ipaadmin_password: MyPassword123
+      name: login
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule allhosts is present
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      usercategory: all
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule allhosts is present again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      usercategory: all
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      host: "{{ groups.ipaserver[0] }}"
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      host: "{{ groups.ipaserver[0] }}"
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC Rule sshd-pinky is present
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      hostcategory: all
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule sshd-pinky is present again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      hostcategory: all
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure user pinky is present in HBAC Rule sshd-pinky
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      user: pinky
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure user pinky is present in HBAC Rule sshd-pinky again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      user: pinky
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      hbacsvc: sshd
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      hbacsvc: sshd
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC Rule loginRule is present with HBAC service sshd
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: loginRule
+      group: login
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule loginRule is present with HBAC service sshd again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: loginRule
+      group: login
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure user pinky is present in HBAC Rule loginRule
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: loginRule
+      user: pinky
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure user pinky is present in HBAC Rule loginRule again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: loginRule
+      user: pinky
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure user pinky is absent in HBAC Rule loginRule
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: loginRule
+      user: pinky
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure user pinky is absent in HBAC Rule loginRule again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: loginRule
+      user: pinky
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC Rule loginRule is absent
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: loginRule
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule loginRule is absent again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: loginRule
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      hbacsvc: sshd
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      hbacsvc: sshd
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure user pinky is absent in HBAC Rule sshd-pinky
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      user: pinky
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure user pinky is absent in HBAC Rule sshd-pinky again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      user: pinky
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC Rule sshd-pinky is disabled
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      state: disabled
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule sshd-pinky is disabled again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      state: disabled
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC Rule sshd-pinky is enabled
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      state: enabled
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule sshd-pinky is enabled again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      state: enabled
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC Rule sshd-pinky is absent
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule sshd-pinky is absent again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: sshd-pinky
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      host: "{{ groups.ipaserver[0] }}"
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      host: "{{ groups.ipaserver[0] }}"
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC Rule allhosts is absent
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC Rule allhosts is absent again
+    ipahbacrule:
+      ipaadmin_password: MyPassword123
+      name: allhosts
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: User pinky absent
+    ipauser:
+      ipaadmin_password: MyPassword123
+      name: pinky
+      state: absent
+
+  - name: User group login absent
+    ipagroup:
+      ipaadmin_password: MyPassword123
+      name: login
+      state: absent