From da87f1648ed33981809228254d65b82c49400dec Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Thu, 28 May 2020 13:09:09 -0300
Subject: [PATCH] Split vault tests in different files.

This change split vault tests in several files, organized by vault type and operation (vault vs. member) so that it is easier to add new tests for issues and verify if tests are missing.
---
tests/vault/env_cleanup.yml | 64 ++
tests/vault/env_setup.yml | 55 ++
tests/vault/private.pem | 27 -
tests/vault/public.pem | 9 -
tests/vault/tasks_vault_members.yml | 318 +++++++++
tests/vault/test_vault.yml | 925 --------------------------
tests/vault/test_vault_asymmetric.yml | 192 ++++++
tests/vault/test_vault_members.yml | 20 +
tests/vault/test_vault_standard.yml | 125 ++++
tests/vault/test_vault_symmetric.yml | 198 ++++++
10 files changed, 972 insertions(+), 961 deletions(-)
create mode 100644 tests/vault/env_cleanup.yml
create mode 100644 tests/vault/env_setup.yml
delete mode 100644 tests/vault/private.pem
delete mode 100644 tests/vault/public.pem
create mode 100644 tests/vault/tasks_vault_members.yml
delete mode 100644 tests/vault/test_vault.yml
create mode 100644 tests/vault/test_vault_asymmetric.yml
create mode 100644 tests/vault/test_vault_members.yml
create mode 100644 tests/vault/test_vault_standard.yml
create mode 100644 tests/vault/test_vault_symmetric.yml

diff --git a/tests/vault/env_cleanup.yml b/tests/vault/env_cleanup.yml
new file mode 100644
index 00000000..081a9d96
--- /dev/null
+++ b/tests/vault/env_cleanup.yml
@@ -0,0 +1,64 @@
+# Tasks executed to clean up test environment for Vault module.
+
+ - name: Ensure user vaults are absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - stdvault
+ - symvault
+ - asymvault
+ username: "{{username}}"
+ state: absent
+ loop:
+ - admin
+ - user01
+ loop_control:
+ loop_var: username
+
+ - name: Ensure shared vaults are absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - sharedvault
+ - svcvault
+ state: absent
+
+ - name: Ensure test users do not exist.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - user01
+ - user02
+ - user03
+ state: absent
+
+ - name: Ensure test groups do not exist.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: vaultgroup
+ state: absent
+
+ - name: Remove password file from target host.
+ file:
+ path: "{{ ansible_env.HOME }}/password.txt"
+ state: absent
+
+ - name: Remove public key file from target host.
+ file:
+ path: "{{ ansible_env.HOME }}/public.pem"
+ state: absent
+
+ - name: Remove private key file from target host.
+ file:
+ path: "{{ ansible_env.HOME }}/private.pem"
+ state: absent
+
+ - name: Remove output data file from target host.
+ file:
+ path: "{{ ansible_env.HOME }}/data.txt"
+ state: absent
+
+ - name: Remove input data file from target host.
+ file:
+ path: "{{ ansible_env.HOME }}/in.txt"
+ state: absent
diff --git a/tests/vault/env_setup.yml b/tests/vault/env_setup.yml
new file mode 100644
index 00000000..a8437b86
--- /dev/null
+++ b/tests/vault/env_setup.yml
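Review bot: The `Ensure shared vaults are absent` task names `sharedvault` and `svcvault` but passes neither `shared:` nor `service:`, so it presumably addresses private vaults of the authenticating user rather than the shared and service vaults the deleted playbook removed with `shared: True` and `service: "HTTP/{{ groups.ipaserver[0] }}"`; a leftover shared or service vault would then survive cleanup and make the next run fail on its "not result.changed" creation check. Splitting it into one task per vault kind, carrying the selector the old tasks used, restores the old coverage. The same selectors are also missing from the vault-deletion tasks at the end of tasks_vault_members.yml in this commit, which only matters once shared or service vaults are driven through that file.
```yaml
 - name: Ensure shared vault is absent
   ipavault:
     ipaadmin_password: SomeADMINpassword
     name: sharedvault
     shared: true
     state: absent

 - name: Ensure service vault is absent
   ipavault:
     ipaadmin_password: SomeADMINpassword
     name: svcvault
     service: "HTTP/{{ groups.ipaserver[0] }}"
     state: absent

# … unchanged: user/group removal and remote file cleanup …
```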
@@ -0,0 +1,55 @@
+# Tasks executed to ensure a sane environment to test IPA Vault module.
+
+ - name: Create private key file.
+ shell:
+ cmd: openssl genrsa -out private.pem 2048
+ delegate_to: localhost
+ become: no
+
+ - name: Create public key file.
+ shell:
+ cmd: openssl rsa -in private.pem -outform PEM -pubout -out public.pem
+ delegate_to: localhost
+ become: no
+
+ - name: Ensure environment is clean.
+ import_tasks: env_cleanup.yml
+
+ - name: Copy password file to target host.
+ copy:
+ src: "{{ playbook_dir }}/password.txt"
+ dest: "{{ ansible_env.HOME }}/password.txt"
+
+ - name: Copy public key file to target host.
+ copy:
+ src: "{{ playbook_dir }}/public.pem"
+ dest: "{{ ansible_env.HOME }}/public.pem"
+
+ - name: Copy private key file to target host.
+ copy:
+ src: "{{ playbook_dir }}/private.pem"
+ dest: "{{ ansible_env.HOME }}/private.pem"
+
+ - name: Copy input data file to target host.
+ copy:
+ src: "{{ playbook_dir }}/in.txt"
+ dest: "{{ ansible_env.HOME }}/in.txt"
+
+ - name: Ensure vaultgroup exists.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: vaultgroup
+
+ - name: Ensure testing users exist.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ users:
+ - name: user01
+ first: First
+ last: Start
+ - name: user02
+ first: Second
+ last: Middle
+ - name: user03
+ first: Third
+ last: Last
diff --git a/tests/vault/private.pem b/tests/vault/private.pem
deleted file mode 100644
index 0ac895b9..00000000
--- a/tests/vault/private.pem
+++ /dev/null
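Review bot: The two key-generation tasks write `private.pem` and `public.pem` relative to the working directory of the delegated local run (normally wherever `ansible-playbook` was started), while the copy tasks further down read them from `{{ playbook_dir }}`; started from any other directory the copy either fails or, worse, silently picks up a stale key pair from an earlier run. Pinning `chdir: "{{ playbook_dir }}"` removes the mismatch, `command` is sufficient because neither invocation uses shell features, and `become: false` is the canonical boolean. Nothing removes the generated files from the controller afterwards (env_cleanup.yml only deletes the remote copies), so the private key this commit drops from the repository reappears in the working tree after every run unless git is told to ignore it; a final localhost `file: state: absent` task for both files, or an ignore rule, is worth adding.
```yaml
 - name: Create private key file.
   command:
     cmd: openssl genrsa -out private.pem 2048
     chdir: "{{ playbook_dir }}"
   delegate_to: localhost
   become: false

 - name: Create public key file.
   command:
     cmd: openssl rsa -in private.pem -outform PEM -pubout -out public.pem
     chdir: "{{ playbook_dir }}"
   delegate_to: localhost
   become: false

# … unchanged: environment cleanup, copy tasks, group and user setup …
```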
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArM5/f6dd/YIm/a9eoGVTW8jobEgrf9PXRA3aHsA7kJo6fB18 -HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJeqXESZ+gVCVmigRzmKWK2ad9agmY -SiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGsZIDG+WVES5W89K+L0bwVjq4tshhe -DMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4fh0fGk5tbIYa0bhwMUpL+WHOm6nbd -+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZkUmk3apMnzknNaTqguAQdTn79G8P -qrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJdwIDAQABAoIBAA6e9iit14UAgx4J -vX7is9fbOtcWkB+jo94NMfxSFXgZpIMl139oQMqK97KjxsHqAaDVe7mMLH5EP96J -7M3O5g4rgl0cVWtpMrDQyZsLvqDFzBWxtCHqVPAruumUZhsSJ3lROQro8ag/w5bf -5tC5ogVq4+rsB4hBphgp1jGrsUM+E8O7DXXFH68F8WgBi725WvcjnbI9irkb0Gcq -1bCPJwN3fA1i2VWiRwVYWbNTWnDoNM9ZdYYxK0kuUkD+QtreycWPf9V49lvUi1Vp -FVNmBUDvGK3K1MwbgXRwOXhacY7Ptjkdvaeb2Qcu5RjTkruGhzUYsOP3p/cw+wKV -vzQqceECgYEA5Wz7V2SlRa2r//z+ETQkJfENJ0KDnCb0pMClCQh3jTNPA6DbhiMk -FTkcoNbqcpTiVSlvhh6TKscSgqYQUjQ/OqyG7SkjKVjQ72j5beQLxiLTtUyj1OmP -Xh9cWJXx8iQ+45cPon+kMOAIiTwiB3mmFRfQjIGve1DPUo9J+NZ4XdECgYEAwNKg -OdGYxxKtCrXVz1mdg6PDlV8qh7nxxZbPch+aMIQl1+oTCgSiw8oOYEd8g0HOdV6t -1G+IWhvPxiiWy3/AE0QhgoKk2GUsSjWSMLcJbaUzDoEHFjTLjecRlqdzo7qxRXqB -meN4L5WJYKnLC482K7hvufS+uo5fB5qwPmt13McCgYAe4TVPRP+tyjttYCr+O8tl -w/UmRKCcQu4Iwtkzxwz4V2CaN2t0uYQgyygcSfESbRGtrr8RCUp7poHKTfnCZr/f -8NrUTwYpiYfNwY5ZCSnAiG2AaIlgnfMrEwOF9OC028YPMgTrtUxvO6hKeGqIIQqG -qkbqsoXhDjZpgVnOgWeAEQKBgGuiZ0w/IqAlXbC31fUb2iBMfvXXnJ8M/dfFGmFj -IKfqbFF9WUljUxQlqya1YNzIFB5STohiBeP+2FmN+Lb5xdc7VdVLZgdhWnrGMqe8 -1Kd+6uQyxCjyKZo5nQjSymtf4GqfOs8TOdieCYSK40u9koiPONa9tuXeaU+OWslN -JQqrAoGBAJ3MKOvsnQzuZVP2vz0ZqLwIE3XjRiFGveVpizq4hwOVeuNsV08JvA0t -pueNIy9klPScFc9OUdiZWkEX09BwJkVIrOHotuSB8AStO5UAntNnuyWLJEFC4Uq4 -GpB8lbj9jkxSKaU7X3Gac23K9JL8euLh7E7rPuZRYa6mYN4nbKqu ------END RSA PRIVATE KEY----- diff --git a/tests/vault/public.pem b/tests/vault/public.pem deleted file mode 100644 index d8a9f71b..00000000 --- a/tests/vault/public.pem +++ /dev/null 
@@ -1,9 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArM5/f6dd/YIm/a9eoGVT -W8jobEgrf9PXRA3aHsA7kJo6fB18HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJ -eqXESZ+gVCVmigRzmKWK2ad9agmYSiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGs -ZIDG+WVES5W89K+L0bwVjq4tshheDMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4f -h0fGk5tbIYa0bhwMUpL+WHOm6nbd+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZ -kUmk3apMnzknNaTqguAQdTn79G8PqrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJ -dwIDAQAB ------END PUBLIC KEY----- diff --git a/tests/vault/tasks_vault_members.yml b/tests/vault/tasks_vault_members.yml new file mode 100644 index 00000000..12332ff1 --- /dev/null +++ b/tests/vault/tasks_vault_members.yml 
@@ -0,0 +1,318 @@
+---
+# Tasks to test member management for Vault module.
+ - name: Setup testing environment.
+ import_tasks: env_setup.yml
+
+ - name: Ensure vault is present
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ vault_type: "{{vault.vault_type}}"
+ register: result
+ failed_when: not result.changed
+ when: vault.vault_type == 'standard'
+
+ - name: Ensure vault is present
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ vault_password: SomeVAULTpassword
+ vault_type: "{{vault.vault_type}}"
+ register: result
+ failed_when: not result.changed
+ when: vault.vault_type == 'symmetric'
+
+ - name: Ensure vault is present
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ vault_type: "{{vault.vault_type}}"
+ public_key: "{{lookup('file', 'private.pem') | b64encode}}"
+ register: result
+ failed_when: not result.changed
+ when: vault.vault_type == 'asymmetric'
+
+ - name: Ensure vault member user is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ users:
+ - user02
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member user is present, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ users:
+ - user02
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure more vault member users are present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ users:
+ - admin
+ - user02
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member user is still present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ users:
+ - user02
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault users are absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ users:
+ - admin
+ - user02
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault users are absent, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ users:
+ - admin
+ - user02
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault user is absent, once more.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ users:
+ - admin
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault member group is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ groups: vaultgroup
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member group is present, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ groups: vaultgroup
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault member group is absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ groups: vaultgroup
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member group is absent, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ groups: vaultgroup
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault member service is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ services: "HTTP/{{ groups.ipaserver[0] }}"
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member service is present, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ services: "HTTP/{{ groups.ipaserver[0] }}"
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault member service is absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ services: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member service is absent, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ action: member
+ services: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure user03 is an owner of vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ owners: user03
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure user03 is an owner of vault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ owners: user03
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure user03 is not owner of vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ owners: user03
+ state: absent
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure user03 is not owner of vault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ owners: user03
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vaultgroup is an ownergroup of vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ ownergroups: vaultgroup
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vaultgroup is an ownergroup of vault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ ownergroups: vaultgroup
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vaultgroup is not ownergroup of vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ ownergroups: vaultgroup
+ state: absent
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vaultgroup is not ownergroup of vault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ ownergroups: vaultgroup
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service is an owner of vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is an owner of vault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service is not owner of vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is not owner of vault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure {{vault.vault_type}} vault is absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure {{vault.vault_type}} vault is absent, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{vault.name}}"
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Cleanup testing environment.
+ import_tasks: env_cleanup.yml
diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml
deleted file mode 100644
index 2e2c03e3..00000000
--- a/tests/vault/test_vault.yml
+++ /dev/null
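Review bot: The asymmetric variant of `Ensure vault is present` near the top of this file sets `public_key` from `lookup('file', 'private.pem')`, so the vault is created with the private key where its public key belongs and the private key is handed to the server as part of the vault definition; the file should be the public one, i.e. `public_key: "{{lookup('file', 'public.pem') | b64encode}}"`. Whether the module expects the raw PEM or its base64 form cannot be told from this diff, so the `b64encode` is left as written; the deleted playbook used a separate `vault_public_key` value whose content is not visible here. The standard and symmetric variants are unaffected.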
@@ -1,925 +0,0 @@
----
-- name: Test vault
- hosts: ipaserver
- become: true
- # Need to gather facts for ansible_env.
- gather_facts: true
-
- tasks:
-
- - name: Copy password file to target host.
- copy:
- src: "{{ playbook_dir }}/password.txt"
- dest: "{{ ansible_env.HOME }}/password.txt"
-
- - name: Copy public key file to target host.
- copy:
- src: "{{ playbook_dir }}/public.pem"
- dest: "{{ ansible_env.HOME }}/public.pem"
-
- - name: Copy private key file to target host.
- copy:
- src: "{{ playbook_dir }}/private.pem"
- dest: "{{ ansible_env.HOME }}/private.pem"
-
- - name: Copy input data file to target host.
- copy:
- src: "{{ playbook_dir }}/in.txt"
- dest: "{{ ansible_env.HOME }}/in.txt"
-
- - name: Ensure user vaults are absent
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name:
- - stdvault
- - symvault
- - asymvault
- username: user01
- state: absent
-
- - name: Ensure test users do not exist.
- ipauser:
- ipaadmin_password: SomeADMINpassword
- name:
- - user01
- - user02
- - user03
- state: absent
-
- - name: Ensure test groups do not exist.
- ipagroup:
- ipaadmin_password: SomeADMINpassword
- name: vaultgroup
- state: absent
-
- - name: Ensure vaultgroup exists.
- ipagroup:
- ipaadmin_password: SomeADMINpassword
- name: vaultgroup
-
- - name: Ensure user01 exists.
- ipauser:
- ipaadmin_password: SomeADMINpassword
- name: user01
- first: First
- last: Start
-
- - name: Ensure user02 exists.
- ipauser:
- ipaadmin_password: SomeADMINpassword
- name: user02
- first: Second
- last: Middle
-
- - name: Ensure user03 exists.
- ipauser:
- ipaadmin_password: SomeADMINpassword
- name: user03
- first: Third
- last: Last
-
- - name: Ensure shared vaults are absent
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: sharedvault
- shared: True
- state: absent
-
- - name: Ensure standard vault is absent
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- state: absent
-
- - name: Ensure service vault is absent
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: svcvault
- service: "HTTP/{{ groups.ipaserver[0] }}"
- state: absent
-
- # tests
- - name: Ensure standard vault is present
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- vault_type: standard
- register: result
- failed_when: not result.changed
-
- - name: Ensure standard vault is present, again
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- vault_type: standard
- register: result
- failed_when: result.changed
-
- - name: Ensure standard vault is absent
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure standard vault is absent, again
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure symmetric vault is present
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- vault_password: SomeVAULTpassword
- vault_type: symmetric
- register: result
- failed_when: not result.changed
-
- - name: Ensure symmetric vault is present, again
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- vault_password: SomeVAULTpassword
- vault_type: symmetric
- register: result
- failed_when: result.changed
-
- - name: Archive data to symmetric vault
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- vault_password: SomeVAULTpassword
- vault_data: Hello World.
- register: result
- failed_when: not result.changed
-
- - name: Archive data with non-ASCII characters to symmetric vault
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- vault_password: SomeVAULTpassword
- vault_data: The world of π is half rounded.
- register: result
- failed_when: not result.changed
-
- - name: Ensure symmetric vault is absent
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure symmetric vault is absent, again
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure symmetric vault is present
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- vault_password: SomeVAULTpassword
- vault_type: symmetric
- register: result
- failed_when: not result.changed
-
- - name: Ensure symmetric vault is present, with a different password
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- vault_password: SomeOtherVAULTpassword
- vault_type: symmetric
- register: result
- failed_when: result.changed
-
- - name: Ensure symmetric vault is absent
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure symmetric vault is present, with password from file.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: symvault
- username: user01
- vault_password_file: "{{ ansible_env.HOME }}/password.txt"
- vault_type: symmetric
- register: result
- failed_when: not result.changed
-
- - name: Ensure symmetric vault is present, with password from file, again.
- ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password_file: password.txt - vault_type: symmetric - register: result - failed_when: result.changed - - - name: Ensure asymmetric vault is present, with public key file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - description: An asymmetric private vault. - public_key_file: "{{ ansible_env.HOME }}/public.pem" - vault_type: asymmetric - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is present, with public key file, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - description: An asymmetric private vault. - public_key_file: "{{ ansible_env.HOME }}/public.pem" - vault_type: asymmetric - register: result - failed_when: result.changed - - - name: Archive data in asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - state: absent - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - state: absent - register: result - failed_when: result.changed - - - name: Ensure asymmetric vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - description: An asymmetric private vault. - vault_public_key: - 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 - vault_type: asymmetric - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is present, again. 
- ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - description: An asymmetric private vault. - vault_public_key: - 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 - vault_type: asymmetric - register: result - failed_when: result.changed - - - name: Archive data in asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Retrieve data from asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_type: asymmetric - private_key: - 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 - state: retrieved - register: result - failed_when: result.changed or result.failed or result['data'] != 'Hello World.' - - - name: Retrieve data from asymmetric vault, with private key file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_type: asymmetric - private_key_file: "{{ ansible_env.HOME }}/private.pem" - state: retrieved - register: result - failed_when: result.failed or result.changed or result['data'] != 'Hello World.' - - - name: Ensure asymmetric vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure standard vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - vault_type: standard - username: user01 - description: A standard private vault. - register: result - failed_when: not result.changed - - - name: Ensure standard vault is present, again. 
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- vault_type: standard
- description: A standard private vault.
- register: result
- failed_when: result.changed
-
- - name: Archive data in standard vault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- vault_data: Hello World.
- register: result
- failed_when: not result.changed
-
- - name: Retrieve data from standard vault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- out: "{{ ansible_env.HOME }}/data.txt"
- state: retrieved
- register: result
- failed_when: result.changed
-
- - name: Verify retrieved data.
- slurp:
- src: "{{ ansible_env.HOME }}/data.txt"
- register: slurpfile
- failed_when: slurpfile['content'] | b64decode != 'Hello World.'
-
- - name: Archive data in standard vault, from file.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- in: "{{ ansible_env.HOME }}/in.txt"
- register: result
- failed_when: not result.changed
-
- - name: Retrieve data from standard vault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- vault_type: standard
- state: retrieved
- register: result
- failed_when: result.data != 'Another World.' or result.changed
-
- - name: Ensure standard vault member user is present.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- users:
- - user02
- register: result
- failed_when: not result.changed
-
- - name: Ensure standard vault member user is present, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- users:
- - user02
- register: result
- failed_when: result.changed
-
- - name: Ensure more vault member users are present.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- users:
- - user01
- - user02
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault member user is still present.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- users:
- - user02
- register: result
- failed_when: result.changed
-
- - name: Ensure vault users are absent.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- users:
- - user01
- - user02
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault users are absent, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- users:
- - user01
- - user02
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure vault user is absent, once more.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- users:
- - user01
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure vault member group is present.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- groups: vaultgroup
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault member group is present, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- groups: vaultgroup
- register: result
- failed_when: result.changed
-
- - name: Ensure vault member group is absent.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- groups: vaultgroup
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault member group is absent, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- groups: vaultgroup
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure vault member service is present.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- services: "HTTP/{{ groups.ipaserver[0] }}"
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault member service is present, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- services: "HTTP/{{ groups.ipaserver[0] }}"
- register: result
- failed_when: result.changed
-
- - name: Ensure vault member service is absent.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- services: "HTTP/{{ groups.ipaserver[0] }}"
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault member service is absent, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- action: member
- services: "HTTP/{{ groups.ipaserver[0] }}"
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure vault is absent.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault is absent, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure shared vault is present.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: sharedvault
- shared: True
- ipavaultpassword: SomeVAULTpassword
- register: result
- failed_when: not result.changed
-
- - name: Ensure shared vault is absent.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: sharedvault
- shared: True
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure service vault is present.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: svcvault
- ipavaultpassword: SomeVAULTpassword
- service: "HTTP/{{ groups.ipaserver[0] }}"
- register: result
- failed_when: not result.changed
-
- - name: Ensure service vault is absent.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: svcvault
- service: "HTTP/{{ groups.ipaserver[0] }}"
- state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault is present, with members.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- vault_type: standard
- users:
- - user02
- - user03
- groups:
- - vaultgroup
- register: result
- failed_when: not result.changed
-
- - name: Ensure vault is present, with members, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- vault_type: standard
- users:
- - user02
- - user03
- groups:
- - vaultgroup
- register: result
- failed_when: result.changed
-
- - name: Ensure user02 is not a member of vault stdvault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- users: user02
- state: absent
- action: member
- register: result
- failed_when: not result.changed
-
- - name: Ensure user02 is not a member of vault stdvault, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- users: user02
- state: absent
- action: member
- register: result
- failed_when: result.changed
-
- - name: Ensure user02 is a member of vault stdvault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- users: user02
- action: member
- register: result
- failed_when: not result.changed
-
- - name: Ensure user02 is a member of vault stdvault, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- users: user03
- action: member
- register: result
- failed_when: result.changed
-
- - name: Ensure user03 owns vault stdvault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- owners: user03
- action: member
- register: result
- failed_when: not result.changed
-
- - name: Ensure user03 owns vault stdvault, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- owners: user03
- action: member
- register: result
- failed_when: result.changed
-
- - name: Ensure user03 is not owner of stdvault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- owners: user03
- state: absent
- action: member
- register: result
- failed_when: not result.changed
-
- - name: Ensure user03 is not owner of stdvault, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- owners: user03
- state: absent
- action: member
- register: result
- failed_when: result.changed
-
- - name: Ensure vaultgroup is owner of stdvault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- ownergroups: vaultgroup
- action: member
- register: result
- failed_when: not result.changed
-
- - name: Ensure vaultgroup is owner of stdvault, again.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- ownergroups: vaultgroup
- action: member
- register: result
- failed_when: result.changed
-
- - name: Ensure vaultgroup is not owner of stdvault.
- ipavault:
- ipaadmin_password: SomeADMINpassword
- name: stdvault
- username: user01
- ownergroups: vaultgroup
- state: absent
- action: member
- register: result
- failed_when: not result.changed
-
- - name: Ensure vaultgroup is not owner of stdvault, again.
- ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is owned by HTTP service. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - action: member - register: result - failed_when: not result.changed - - - name: Ensure vault is owned by HTTP service, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is not owned by HTTP service. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure vault is not owned by HTTP service, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is absent. 
- ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - state: absent - - # cleaup - - name: Ensure user01 vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: - - stdvault - - symvault - - asymvault - username: user01 - state: absent - - - name: Ensure test vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: - - stdvault - - symvault - - asymvault - username: admin - state: absent - - - name: Ensure shared vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - state: absent - - - name: Ensure service vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - service: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - - - name: Ensure test users do not exist. - ipauser: - ipaadmin_password: SomeADMINpassword - name: - - user01 - - user02 - - user03 - state: absent - - - name: Ensure test groups do not exist. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: vaultgroup - state: absent - - - name: Remove password file from target host. - file: - path: "{{ ansible_env.HOME }}/password.txt" - state: absent - - - name: Remove public key file from target host. - file: - path: "{{ ansible_env.HOME }}/public.pem" - state: absent - - - name: Remove private key file from target host. - file: - path: "{{ ansible_env.HOME }}/private.pem" - state: absent - - - name: Remove output data file from target host. - file: - path: "{{ ansible_env.HOME }}/data.txt" - state: absent - - - name: Remove input data file from target host. - file: - path: "{{ ansible_env.HOME }}/in.txt" - state: absent diff --git a/tests/vault/test_vault_asymmetric.yml b/tests/vault/test_vault_asymmetric.yml new file mode 100644 index 00000000..1a1d3dca --- /dev/null +++ b/tests/vault/test_vault_asymmetric.yml 
@@ -0,0 +1,192 @@
+---
+- name: Test vault
+ hosts: ipaserver
+ become: true
+ # Need to gather facts for ansible_env.
+ gather_facts: true
+
+ tasks:
+ - name: Setup testing environment.
+ import_tasks: env_setup.yml
+
+ - name: Ensure asymmetric vault is present
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ vault_type: asymmetric
+ public_key: "{{ lookup('file', 'public.pem') | b64encode }}"
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure asymmetric vault is present, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ vault_type: asymmetric
+ public_key: "{{ lookup('file', 'public.pem') | b64encode }}"
+ register: result
+ failed_when: result.changed
+
+ - name: Archive data to asymmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ data: Hello World.
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from asymmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Hello World.' or result.changed
+
+ - name: Retrieve data from asymmetric vault into file {{ ansible_env.HOME }}/data.txt.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ out: "{{ ansible_env.HOME }}/data.txt"
+ private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+ state: retrieved
+ register: result
+ failed_when: result.changed
+
+ - name: Verify retrieved data.
+ slurp:
+ src: "{{ ansible_env.HOME }}/data.txt"
+ register: slurpfile
+ failed_when: slurpfile['content'] | b64decode != 'Hello World.'
+
+ - name: Archive data with non-ASCII characters to asymmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ data: The world of π is half rounded.
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from asymmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+ state: retrieved
+ register: result
+ failed_when: result.data != 'The world of π is half rounded.' or result.changed
+
+ - name: Archive data in asymmetric vault, from file.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ vault_type: asymmetric
+ in: "{{ ansible_env.HOME }}/in.txt"
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from asymmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Another World.' or result.changed
+
+ - name: Archive data with single character to asymmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ data: c
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from asymmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+ state: retrieved
+ register: result
+ failed_when: result.data != 'c' or result.changed
+
+ - name: Ensure asymmetric vault is absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure asymmetric vault is absent, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure asymmetric vault is present, with public key from file.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ public_key_file: "{{ ansible_env.HOME }}/public.pem"
+ vault_type: asymmetric
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure asymmetric vault is present, with password from file, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ public_key_file: "{{ ansible_env.HOME }}/public.pem"
+ vault_type: asymmetric
+ register: result
+ failed_when: result.changed
+
+ - name: Archive data to asymmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ data: Hello World.
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from asymmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Hello World.' or result.changed
+
+ - name: Retrieve data from asymmetric vault, with password file.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ private_key_file: "{{ ansible_env.HOME }}/private.pem"
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Hello World.' or result.changed
+
+ - name: Ensure asymmetric vault is absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure asymmetric vault is absent, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Cleanup testing environment.
+ import_tasks: env_setup.yml
diff --git a/tests/vault/test_vault_members.yml b/tests/vault/test_vault_members.yml
new file mode 100644
index 00000000..219236ae
--- /dev/null
+++ b/tests/vault/test_vault_members.yml
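Review bot: The last task, `- name: Cleanup testing environment.`, imports `env_setup.yml` instead of `env_cleanup.yml`, so this playbook re-creates the test users, group and key/data files it is supposed to tear down and leaves them on the host after the run; the `test_vault_standard.yml` hunk ends with the same slip, while the symmetric playbook correctly imports `env_cleanup.yml`. Change the line to `import_tasks: env_cleanup.yml` in both files. Two task names were carried over from the symmetric test and no longer describe the step: `Ensure asymmetric vault is present, with password from file, again.` runs with `public_key_file`, and `Retrieve data from asymmetric vault, with password file.` runs with `private_key_file`, so they should say "public key from file" and "private key file". Note also that the `public_key: "{{ lookup('file', 'public.pem') | b64encode }}"` tasks read the PEM from the playbook directory on the controller, whereas the `public_key_file`/`private_key_file` tasks read `{{ ansible_env.HOME }}/public.pem` and `/private.pem` on the managed host; both copies have to exist, which presumably env_setup.yml (outside this chunk) arranges and is worth confirming if the key files are no longer kept next to the playbook.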
@@ -0,0 +1,20 @@
+---
+- name: Test vault
+ hosts: ipaserver
+ become: true
+ # Need to gather facts for ansible_env.
+ gather_facts: true
+
+ tasks:
+ - name: Test vault module member operations.
+ include_tasks:
+ file: tasks_vault_members.yml
+ apply:
+ tags:
+ - "{{ vault.vault_type }}"
+ loop_control:
+ loop_var: vault
+ loop:
+ - { name: "stdvault", vault_type: "standard" }
+ - { name: "symvault", vault_type: "symmetric" }
+ - { name: "asymvault", vault_type: "asymmetric" }
diff --git a/tests/vault/test_vault_standard.yml b/tests/vault/test_vault_standard.yml
new file mode 100644
index 00000000..5e0da98e
--- /dev/null
+++ b/tests/vault/test_vault_standard.yml
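Review bot: Unlike the three per-type playbooks in this commit, this play neither imports `env_setup.yml` before the loop nor `env_cleanup.yml` after it, so the users, group and key/password files that member operations need must be provided elsewhere. If `tasks_vault_members.yml` (outside this chunk) does not create and remove them itself, add `- import_tasks: env_setup.yml` before the `include_tasks` and `- import_tasks: env_cleanup.yml` after it so the three vault types start from the same known state. The loop entries use flow mappings with quoted plain identifiers; block style (`- name: stdvault` / `vault_type: standard`) would match the rest of the test files, but that is cosmetic.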
@@ -0,0 +1,125 @@
+---
+- name: Test vault
+ hosts: ipaserver
+ become: true
+ # Need to gather facts for ansible_env.
+ gather_facts: true
+
+ tasks:
+ - name: Setup testing environment.
+ import_tasks: env_setup.yml
+
+ - name: Ensure standard vault is present
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_type: standard
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure standard vault is present, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_type: standard
+ register: result
+ failed_when: result.changed
+
+ - name: Archive data to standard vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_data: Hello World.
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from standard vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Hello World.' or result.changed
+
+ - name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ out: "{{ ansible_env.HOME }}/data.txt"
+ state: retrieved
+ register: result
+ failed_when: result.changed
+
+ - name: Verify retrieved data.
+ slurp:
+ src: "{{ ansible_env.HOME }}/data.txt"
+ register: slurpfile
+ failed_when: slurpfile['content'] | b64decode != 'Hello World.'
+
+ - name: Archive data with non-ASCII characters to standard vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_data: The world of π is half rounded.
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from standard vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ state: retrieved
+ register: result
+ failed_when: result.data != 'The world of π is half rounded.' or result.changed
+
+ - name: Archive data in standard vault, from file.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_type: standard
+ in: "{{ ansible_env.HOME }}/in.txt"
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from standard vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Another World.' or result.changed
+
+ - name: Archive data with single character to standard vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_data: c
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from standard vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ state: retrieved
+ register: result
+ failed_when: result.data != 'c' or result.changed
+
+ - name: Ensure standard vault is absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure standard vault is absent, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Cleanup testing environment.
+ import_tasks: env_setup.yml
diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml
new file mode 100644
index 00000000..c9429f4f
--- /dev/null
+++ b/tests/vault/test_vault_symmetric.yml
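Review bot: The archive tasks in this file pass the payload as `vault_data:` (`vault_data: Hello World.`, `vault_data: The world of π is half rounded.`, `vault_data: c`), while the asymmetric playbook in the same commit passes the identical step as `data:`. Unless one spelling is a documented alias of the other in ipavault, one of the two files is not exercising the parameter it intends to; and even if both are accepted, three sibling playbooks that were just split from one file should use the same parameter name so a reader can diff them by vault type alone. Pick one form and use it in all three playbooks.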
@@ -0,0 +1,198 @@
+---
+- name: Test vault
+ hosts: ipaserver
+ become: true
+ # Need to gather facts for ansible_env.
+ gather_facts: true
+
+ tasks:
+ - name: Setup testing environment.
+ import_tasks: env_setup.yml
+
+ - name: Ensure symmetric vault is present
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ vault_type: symmetric
+ password: SomeVAULTpassword
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure symmetric vault is present, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ vault_type: symmetric
+ password: SomeVAULTpassword
+ register: result
+ failed_when: result.changed
+
+ - name: Archive data to symmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ vault_data: Hello World.
+ password: SomeVAULTpassword
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from symmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password: SomeVAULTpassword
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Hello World.' or result.changed
+
+ - name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password: SomeVAULTpassword
+ out: "{{ ansible_env.HOME }}/data.txt"
+ state: retrieved
+ register: result
+ failed_when: result.changed
+
+ - name: Verify retrieved data.
+ slurp:
+ src: "{{ ansible_env.HOME }}/data.txt"
+ register: slurpfile
+ failed_when: slurpfile['content'] | b64decode != 'Hello World.'
+
+ - name: Archive data with non-ASCII characters to symmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password: SomeVAULTpassword
+ vault_data: The world of π is half rounded.
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from symmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password: SomeVAULTpassword
+ state: retrieved
+ register: result
+ failed_when: result.data != 'The world of π is half rounded.' or result.changed
+
+ - name: Archive data in symmetric vault, from file.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ in: "{{ ansible_env.HOME }}/in.txt"
+ password: SomeVAULTpassword
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from symmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password: SomeVAULTpassword
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Another World.' or result.changed
+
+ - name: Archive data with single character to symmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password: SomeVAULTpassword
+ vault_data: c
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from symmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password: SomeVAULTpassword
+ state: retrieved
+ register: result
+ failed_when: result.data != 'c' or result.changed
+
+ - name: Ensure symmetric vault is absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure symmetric vault is absent, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure symmetric vault is present, with password from file.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: user01
+ password_file: "{{ ansible_env.HOME }}/password.txt"
+ vault_type: symmetric
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure symmetric vault is present, with password from file, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: user01
+ password_file: "{{ ansible_env.HOME }}/password.txt"
+ vault_type: symmetric
+ register: result
+ failed_when: result.changed
+
+ - name: Archive data to symmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ vault_data: Hello World.
+ password: SomeVAULTpassword
+ register: result
+ failed_when: not result.changed
+
+ - name: Retrieve data from symmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password: SomeVAULTpassword
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Hello World.' or result.changed
+
+ - name: Retrieve data from symmetric vault, with password file.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ password_file: "{{ ansible_env.HOME }}/password.txt"
+ state: retrieved
+ register: result
+ failed_when: result.data != 'Hello World.' or result.changed
+
+ - name: Ensure symmetric vault is absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure symmetric vault is absent, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Cleanup testing environment.
+ import_tasks: env_cleanup.yml
-- GitLab
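Review bot: `Ensure symmetric vault is present, with password from file.` creates `symvault` with `username: user01`, but the five tasks that follow it (`Archive data to symmetric vault`, both `Retrieve data from symmetric vault` steps and both `Ensure symmetric vault is absent` steps) omit `username`, so they appear to address the caller's own `symvault`, which the earlier pair of `Ensure symmetric vault is absent` tasks has just removed, rather than the vault this step set up. Either add `username: user01` to those five tasks or drop it from the two creation tasks; as written, the `password_file` path is not exercised end to end and user01's vault is left for env_cleanup.yml to remove. The archive-then-retrieve pair also relies on `{{ ansible_env.HOME }}/password.txt` holding exactly `SomeVAULTpassword`, since the archive uses the literal and the retrieve uses the file; that is presumably arranged in env_setup.yml, which is outside this chunk, and a short comment above the creation task stating the assumption would save the next reader a lookup.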