ipapwpolicy: Allow execution of plugin in client host.

Update pwpolicy README file and add tests for executing plugin with `ipaapi_context` set to `client`. A new test playbook can be found at: tests/pwpolicy/test_pwpolicy_client_context.yml The new test file can be executed in a FreeIPA client host that is not a server. In this case, it should be defined in the `ipaclients` group, in the inventory file.

ipapwpolicy: Allow execution of plugin in client host.
d5451cda · Rafael Guterres Jeffman · 368cee93 · d5451cda · d5451cda · d5451cda
Commit d5451cda authored 3 years ago by Rafael Guterres Jeffman
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -98,6 +98,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
 `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
 `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no

--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
 ---
 - name: Test pwpolicy
-  hosts: ipaserver
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
  become: true
  gather_facts: false

@@ -8,23 +8,27 @@
  - name: Ensure maxlife of 90 for global_policy
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      maxlife: 90

  - name: Ensure absence of group ops
    ipagroup:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: ops
      state: absent

  - name: Ensure absence of pwpolicies for group ops
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: ops
      state: absent

  - name: Ensure presence of group ops
    ipagroup:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: ops
      state: present
    register: result
@@ -33,6 +37,7 @@
  - name: Ensure presence of pwpolicies for group ops
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: ops
      minlife: 7
      maxlife: 49
@@ -49,6 +54,7 @@
  - name: Ensure presence of pwpolicies for group ops again
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: ops
      minlife: 7
      maxlife: 49
@@ -65,6 +71,7 @@
  - name: Ensure maxlife of 49 for global_policy
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      maxlife: 49
    register: result
    failed_when: not result.changed or result.failed
@@ -72,6 +79,7 @@
  - name: Ensure maxlife of 49 for global_policy again
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      maxlife: 49
    register: result
    failed_when: result.changed or result.failed
@@ -79,6 +87,7 @@
  - name: Ensure absence of pwpoliciy global_policy will fail
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      state: absent
    register: result
    failed_when: not result.failed or "'global_policy' can not be made absent." not in result.msg
@@ -86,6 +95,7 @@
  - name: Ensure absence of pwpolicies for group ops
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: ops
      state: absent
    register: result
@@ -94,6 +104,7 @@
  - name: Ensure maxlife of 90 for global_policy
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      maxlife: 90
    register: result
    failed_when: not result.changed or result.failed
@@ -101,6 +112,7 @@
  - name: Ensure absence of pwpolicies for group ops
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
      name: ops
      state: absent
    register: result

--- a/tests/pwpolicy/test_pwpolicy_client_context.yml
+++ b/tests/pwpolicy/test_pwpolicy_client_context.yml
+---
+- name: Test pwpolicy
+  hosts: ipaclients, ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Include FreeIPA facts.
+    include_tasks: ../env_freeipa_facts.yml
+
+  # Test will only be executed if host is not a server.
+  - name: Execute with server context in the client.
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server
+      name: ThisShouldNotWork
+    register: result
+    failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
+    when: ipa_host_is_client
+
+# Import basic module tests, and execute with ipa_context set to 'client'.
+# If ipaclients is set, it will be executed using the client, if not,
+# ipaserver will be used.
+#
+# With this setup, tests can be executed against an IPA client, against
+# an IPA server using "client" context, and ensure that tests are executed
+# in upstream CI.
+
+- name: Test pwpolicy using client context, in client host.
+  import_playbook: test_pwpolicy.yml
+  when: groups['ipaclients']
+  vars:
+    ipa_test_host: ipaclients
+
+- name: Test pwpolicy using client context, in server host.
+  import_playbook: test_pwpolicy.yml
+  when: groups['ipaclients'] is not defined or not groups['ipaclients']
+