From d5451cdacb0de74eac070c56c776462e0d69d5e7 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 3 Sep 2021 13:28:40 -0300
Subject: [PATCH] ipapwpolicy: Allow execution of plugin in client host.
Update pwpolicy README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/pwpolicy/test_pwpolicy_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
---
README-pwpolicy.md | 1 +
tests/pwpolicy/test_pwpolicy.yml | 14 ++++++-
.../pwpolicy/test_pwpolicy_client_context.yml | 38 +++++++++++++++++++
3 files changed, 52 insertions(+), 1 deletion(-)
create mode 100644 tests/pwpolicy/test_pwpolicy_client_context.yml
diff --git a/README-pwpolicy.md b/README-pwpolicy.md
index f0b5d885..94811596 100644
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -98,6 +98,7 @@ Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml
index 03f08e0f..5ac18d76 100644
--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
@@ -1,6 +1,6 @@
---
- name: Test pwpolicy
- hosts: ipaserver
+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: true
gather_facts: false
@@ -8,23 +8,27 @@
- name: Ensure maxlife of 90 for global_policy
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
maxlife: 90
- name: Ensure absence of group ops
ipagroup:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ops
state: absent
- name: Ensure absence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ops
state: absent
- name: Ensure presence of group ops
ipagroup:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ops
state: present
register: result
@@ -33,6 +37,7 @@
- name: Ensure presence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ops
minlife: 7
maxlife: 49
@@ -49,6 +54,7 @@
- name: Ensure presence of pwpolicies for group ops again
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ops
minlife: 7
maxlife: 49
@@ -65,6 +71,7 @@
- name: Ensure maxlife of 49 for global_policy
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
maxlife: 49
register: result
failed_when: not result.changed or result.failed
@@ -72,6 +79,7 @@
- name: Ensure maxlife of 49 for global_policy again
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
maxlife: 49
register: result
failed_when: result.changed or result.failed
@@ -79,6 +87,7 @@
- name: Ensure absence of pwpoliciy global_policy will fail
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
state: absent
register: result
failed_when: not result.failed or "'global_policy' can not be made absent." not in result.msg
@@ -86,6 +95,7 @@
- name: Ensure absence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ops
state: absent
register: result
@@ -94,6 +104,7 @@
- name: Ensure maxlife of 90 for global_policy
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
maxlife: 90
register: result
failed_when: not result.changed or result.failed
@@ -101,6 +112,7 @@
- name: Ensure absence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ops
state: absent
register: result
diff --git a/tests/pwpolicy/test_pwpolicy_client_context.yml b/tests/pwpolicy/test_pwpolicy_client_context.yml
new file mode 100644
index 00000000..362f567f
--- /dev/null
+++ b/tests/pwpolicy/test_pwpolicy_client_context.yml
@@ -0,0 +1,38 @@
+---
+- name: Test pwpolicy
+ hosts: ipaclients, ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Include FreeIPA facts.
+ include_tasks: ../env_freeipa_facts.yml
+
+ # Test will only be executed if host is not a server.
+ - name: Execute with server context in the client.
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: server
+ name: ThisShouldNotWork
+ register: result
+ failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
+ when: ipa_host_is_client
+
+# Import basic module tests, and execute with ipa_context set to 'client'.
+# If ipaclients is set, it will be executed using the client, if not,
+# ipaserver will be used.
+#
+# With this setup, tests can be executed against an IPA client, against
+# an IPA server using "client" context, and ensure that tests are executed
+# in upstream CI.
+
+- name: Test pwpolicy using client context, in client host.
+ import_playbook: test_pwpolicy.yml
+ when: groups['ipaclients']
+ vars:
+ ipa_test_host: ipaclients
+
+- name: Test pwpolicy using client context, in server host.
+ import_playbook: test_pwpolicy.yml
+ when: groups['ipaclients'] is not defined or not groups['ipaclients']
+
--
GitLab