  1. Aug 02, 2024
  2. Jul 31, 2024
  3. Jul 22, 2024
    • Fix multi user tests · a95c222e
      Thomas Woerner authored
      The tests test_users_present.yml and test_users_absent.yml have been
      merged into test_users_present_absent.yml to fix the independent test
      order execution.
      
      The test test_users_present_slice.yml has been renamed to
      test_users_present_absent_slice.yml.
      
      Both tests are cleaning up possible existing entries before running the tests
      and are verifying the present and absent task result.
  4. Jul 19, 2024
  5. Jul 17, 2024
    • Truncate stdout and stderr in upstream test log · 3dfa026e
      Thomas Woerner authored
      Truncate stdout and stderr in the way that it hopefully shows all
      important information. At least 15 lines of stdout (Ansible tasks) and
      remaining from stderr to fill up to maxlen size.
      
      The test log mostly only showed lines from stderr as the log was a
      concatenation of stdout and stderr and only the last 2500 chars of this
      have been used. This was hiding the test result from stdout and failures
      have not been visible.
  6. Jul 01, 2024
  7. Jun 28, 2024
  8. Jun 26, 2024
    • permission: Fix idempotency issues for DN parameters · 173acf28
      Thomas Woerner authored
      The parameters
      
      - subtree (ipapermlocation)
      - target (ipapermtarget)
      - targetto (ipapermtargetto)
      - targetfrom (ipapermtargetfrom)
      
      have not been idempotent as the result returned from permission_show was
      a DN and not a string.
      
      The find_permission function has been extended to convert the values
      for these parameters to strings.
      
      Fixes: #1257
  9. Mar 05, 2024
    • Fix ca-less test to use X.509 v3 certificates · b92da826
      Thomas Woerner authored
      The generated certificates have been X.509 v1. This is not supported any
      more. Only X.509 v3 is supported.
      
      A new certificates/extensions.conf file has been added to make v3
      certificates.
      
      The existing certificates/pkinit/extensions.conf has been renamed to
      certificates/pkinit-extensions.conf with additional changes. For example
      "[kdc_cert]" had to be removed for v3.
      
      The extensions config files are using environment variables, which are
      set by the generate-certificates.sh script before calling openssl.
      
      The script generate-certificates.sh has been reworked for a simpler
      structure, also new options have been added: "ca" and "cleanup".
  10. Feb 12, 2024
    • ipadelegation: Fix idempotence issues due to capitalization. · e9c6e936
      Rafael Guterres Jeffman authored
      This patch forces processing of permission, attribute and group
      attributes in lower case, to match behavior of IPA CLI, transforming
      all of them into lowercase characters.
      
      The new behavior fixes idempotence issues when mixing different
      capitalization in different tasks for the same attribute.
      
      A new test playbook is available at:
      
          tests/delegation/test_delegation_member_case_insensitive.yml
    • ipagroup: Fix idempotence issues due to capitalization · 7b7d9c99
      Rafael Guterres Jeffman authored
      Some attributes for ipagroup objects are stored using lower case letters
      and should be converted upon retrieving parameter data.
      
      This patch adds the missing conversion and provides a new test playbook:
      
          tests/group/test_group_case_insensitive.yml
  11. Feb 10, 2024
    • ipahostgroup: Fix idempotence issues due to capitalization · 22401d18
      Rafael Guterres Jeffman authored
      ipahostgroup parameters 'host', 'hostgroup', 'membermanager_user' and
      'membermanager_group' must be compared in a case insensitive manner
      and stored as lower case strings.
      
      This patch fixes the comparison and storage of these parameters, and
      changes the handling of members to use the same structure as in newer
      modules.
      
      Two new tests files were added:
      
          tests/hostgroup/test_hostgroup_case_insensitive.yml
          tests/hostgroup/test_hostgroup_membermanager_case_insensitive.yml
  12. Feb 09, 2024
  13. Feb 06, 2024
    • ipahbacrule: Fix handling of hbacsvcgroup in members · b87b346a
      Rafael Guterres Jeffman authored
      FreeIPA provides a default hbacsvcgroup named "Sudo", with capital 'S',
      that is different from every other hbacsvcgroup, which are all
      represented by lower case letters.
      
      As data from IPA API was not modified, this causes an idempotence error
      when using different capitalization with the 'hbacsvcgroup' parameter.
      
      This patch fixes the issue by using the CaseInsensitive comparator to
      create the hbacsvcgroup list.
      
      Tests were updated to make sure a regression is not included in the
      future.
  14. Jan 23, 2024
    • ipasudorule: Allow setting groups for runasuser. · 1fde1764
      Rafael Guterres Jeffman authored
      On IPA CLI sudorule-add/del-runasuser accept 'group' as a parameter,
      and this option was missing in ansible-freeipa ipasudorule module.
      
      This patch adds a new parameter 'runasuser_group' to allow setting
      Groups of RunAs Users, as allowed by CLI and WebUI.
      
      New example playbooks can be found at:
      
          playbooks/sudorule/ensure-sudorule-runasusesr-group-is-absent.yml
          playbooks/sudorule/ensure-sudorule-runasusesr-group-is-present.yml
  15. Dec 20, 2023
    • ipagroup: Add support for renaming groups · 1ecdbd3a
      Rafael Guterres Jeffman authored
      FreeIPA supports renaming group objects with the CLI parameter "rename",
      and this parameter was missing in ansible-freeipa ipagroup module.
      
      This patch adds support for a new state 'renamed' and the 'rename'
      parameter.
      
      Tests were updated to cope with the changes.
    • Fixes for ansible-lint 6.22.1 · 47a1d50c
      Thomas Woerner authored
      - Replace outdated noqa 503 with noqa no-handler
      - Drop outdated and not needed noqa 505 for include_vars
      - Drop outdated noqa deprecated-command-syntax for
        ansible.builtin.shell using cmd tag
      
      These warnings have been reported by utils/lint_check.sh using
      ansible-lint 6.22.1.
    • tests/group: Use module_defaults on tests_group · 3fe41a52
      Rafael Guterres Jeffman authored
      Use module_defaults to improve reading test cases.
  16. Dec 19, 2023
    • ipauser: Add support for renaming users · 3eb86b2c
      Rafael Guterres Jeffman authored
      FreeIPA supports renaming user objects with the CLI parameter "rename",
      and this parameter was missing in ansible-freeipa ipauser module.
      
      This patch adds support for a new state 'renamed' and the 'rename'
      parameter.
      
      Tests were updated to cope with the changes.
      
      Related to RHBZ#2234379, RHBZ#2234380
      
      Fixes #1103
    • ipadnszone: Add support for per-zone privilege delegation · 3bd68ac0
      Rafael Guterres Jeffman authored
      IPA DNS Zones management can be delegated by adding a "Manage DNS zone"
      permission. The CLI commands that manage these permissions are
      dnszone-add-permission and dnszone-remove-permission.
      
      The ansible-freeipa module ipadnszone did not have this capability, and
      it now supports dnszone per-zone management delegation by setting the
      module parameter 'permission'. If set to 'true' the permission will be
      assigned to the zone, if set to false the permission will be removed.
  17. Dec 07, 2023
  18. Dec 06, 2023
    • test_host_random: No jinja2 templating in conditional statements · 2c9ee7d8
      Thomas Woerner authored
      With ansible-core 2.14.12 using jinja2 templating in conditional
      statements with ansible_facts['fqdn'] is marked as unsafe and results in
      a failure.
      
      The issues with using jinja2 templating in conditional statements for
      asserts have been solved and a new server_fqdn fact has been added for
      ansible_facts['fqdn'].
  19. Dec 05, 2023
    • ipaidp: Fix validation and reset of parameters · ff084fbd
      Thomas Woerner authored
      The uri parameters auth_uri, dev_auth_uri, token_uri, userinfo_uri and
      keys_uri have not been validated before. Also the base_url was not
      normalized. The auth_uri, dev_auth_uri, token_uri and userinfo_uri need
      to be set for new entries, but might be empty or empty string for reset
      or updates.
      
      The ipaidpclientsecret needs to be decoded from binary string in
      find_idp result to not trigger no change ipd_mod calls.
      
      The code for validate_uri and base_url normalization has been copied
      from the ipaserver idp plugin.
      
      ansible_freeipa_module:
      urlparse from urllib.parse with a fallback to six.moves.urllib.parse is
      imported and also exported. urlparse is needed for validate_uri in ipaidp
      module.
      
      Resolves: RHEL-17954, RHEL-17955, RHEL-17957 and RHEL-17958
  20. Nov 28, 2023
  21. Nov 16, 2023
    • idoverride{user,group}: Fix delete_continue with state absent · 92e44f6a
      Thomas Woerner authored
      All tasks for idoverrideuser and idoverridegroup with state absent
      failed with "'continue' is required" when delete_continue was not set.
      
      This happened as delete_continue was internally None and continue: None
      was provided to the API.
      
      The fix is simply to use '"continue": delete_continue or False' so that
      continue is set to False in this case.
  22. Nov 11, 2023
    • ipahost: Remove dangling dns records during test setup · 16c8ee87
      Rafael Guterres Jeffman authored
      When testing ipahost through the test playbooks, if there are previous
      DNS A/AAAA records, the test fails due to a false positive idempotence
      issue.
      
      This patch ensures that all DNS records for the test hosts are absent
      before test execution.
      
      This issue could be seen in the 2023-11-06 Azure Nightly pipeline
      execution.
  23. Oct 21, 2023
    • ipaidview: Fail to apply unknown (invalid) hosts · 21271949
      Thomas Woerner authored
      The task to apply an unknown (invalid) host to an idview was not failing
      as expected and only reported no change.
      
      A new host verification step has been added to fail before trying to
      apply invalid hosts. Unapplying an invalid host is not failing as the
      invalid host is indeed not applied.
    • hbacrule: Fix use of builtin sudo hbacsvcgroup · 48f2ef88
      Thomas Woerner authored
      hbacsvcgroup names are converted to lower case during creation with
      hbacsvcgroup_add.
      
      The hbacsvcgroup for sudo is builtin with the name "Sudo" though. This
      breaks the lower case comparison. Therefore all memberservice_hbacsvcgroup
      items are converted to lower case if "Sudo" is in the list.
  24. Oct 20, 2023
    • upstream CI: Build containers in parallel jobs · 6845acd5
      Rafael Guterres Jeffman authored
      In the current build container pipeline, all steps are serialized in a
      single job, and if one of the jobs fails to build, due to broken
      dependent image, or some Azure glitch, like slow connection, the only
      way to rebuild the failed container is to rebuild all containers.
      
      By building containers in parallel jobs, if a container fails to build
      it is possible to restart only the failed job.
  25. Oct 19, 2023
    • upstream ci: Run PR tests using a single job. · fe2d17e4
      Rafael Guterres Jeffman authored
      The usual scenario for PR checks is to execute only a few tests, and
      searching for the results in several jobs makes it harder to find
      issues.
      
      By using a single job run, the tests would take some more time to
      complete, although not much, as only a small subset is executed, and
      test verification would be easier and less error prone.
    • upstream ci: Use a single random seed for splitting tests · 319a0d3d
      Rafael Guterres Jeffman authored
      Depending on how long it took for the jobs to start, a different seed
      would be used to group tests and tests could either repeat or not be
      selected at all.
      
      By using a seed based on the day, the test run reduces the chance of
      using different random seeds, and still allows for the tests to be
      executed in a different order.
      
      The execution in different order is important to identify tests that
      work or fail only if executed after other tests.
  26. Oct 17, 2023
    • upstream CI: Pin Python version to 3.11 · 55b8729c
      Rafael Guterres Jeffman authored
      Azure Ubuntu images have Python 3.12 available, and as we did not pin
      the requested Python version, the latest available one was used, causing
      image preparation and tests to fail.
      
      This patch pins Python version to 3.11 until tests can be executed with
      Python 3.12 and later.
  27. Sep 27, 2023
    • New idp management module · f9ff4132
      Thomas Woerner authored
      There is a new idp management module placed in the plugins folder:
      
          plugins/modules/ipaidp.py
      
      The idp module allows ensuring presence or absence of external Identity
      Providers.
      
      Here is the documentation for the module:
      
          README-idp.md
      
      New idp example playbooks:
      
          playbooks/idp/idp-present.yml
          playbooks/idp/idp-absent.yml
      
      New tests for the module:
      
          tests/idp/test_idp.yml
          tests/idp/test_idp_client_context.yml