.github/workflows/lint.yml

@@ -16,7 +16,7 @@ jobs:
           python-version: "3.x"
       - name: Run ansible-lint
         run: |
-          pip install "ansible-core>=2.16,<2.17" 'ansible-lint>=6.21'
+          pip install "ansible-core>=2.16,<2.17" 'ansible-lint>=6.22'
           utils/build-galaxy-release.sh -ki
           cd .galaxy-build
           ansible-lint --profile production --exclude tests/integration/ --exclude tests/unit/ --parseable --nocolor

plugins/module_utils/ansible_freeipa_module.py

@@ -30,7 +30,8 @@ __all__ = ["gssapi", "netaddr", "api", "ipalib_errors", "Env",
            "kinit_password", "kinit_keytab", "run", "DN", "VERSION",
            "paths", "tasks", "get_credentials_if_valid", "Encoding",
            "DNSName", "getargspec", "certificate_loader",
-           "write_certificate_list", "boolean", "template_str"]
+           "write_certificate_list", "boolean", "template_str",
+           "urlparse"]
 
 import os
 # ansible-freeipa requires locale to be C, IPA requires utf-8.
@@ -147,6 +148,11 @@ try:
     except ImportError:
         _dcerpc_bindings_installed = False  # pylint: disable=invalid-name
 
+    try:
+        from urllib.parse import urlparse
+    except ImportError:
+        from ansible.module_utils.six.moves.urllib.parse import urlparse
+
 except ImportError as _err:
     ANSIBLE_FREEIPA_MODULE_IMPORT_ERROR = str(_err)
 

plugins/modules/ipaidp.py

@@ -185,7 +185,7 @@ RETURN = """
 
 
 from ansible.module_utils.ansible_freeipa_module import \
-    IPAAnsibleModule, compare_args_ipa, template_str
+    IPAAnsibleModule, compare_args_ipa, template_str, urlparse
 from ansible.module_utils import six
 from copy import deepcopy
 import string
@@ -274,7 +274,14 @@ def find_idp(module, name):
         # An exception is raised if idp name is not found.
         return None
 
-    return _result["result"]
+    res = _result["result"]
+
+    # Decode binary string secret
+    if "ipaidpclientsecret" in res and len(res["ipaidpclientsecret"]) > 0:
+        res["ipaidpclientsecret"][0] = \
+            res["ipaidpclientsecret"][0].decode("ascii")
+
+    return res
 
 
 def gen_args(auth_uri, dev_auth_uri, token_uri, userinfo_uri, keys_uri,
@@ -333,6 +340,16 @@ def convert_provider_to_endpoints(module, _args, provider):
     _args.update(points)
 
 
+def validate_uri(module, uri):
+    try:
+        parsed = urlparse(uri, 'https')
+    except Exception:
+        module.fail_json(msg="Invalid URI '%s': not an https scheme" % uri)
+
+    if not parsed.netloc:
+        module.fail_json(msg="Invalid URI '%s': missing netloc" % uri)
+
+
 def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
@@ -426,19 +443,6 @@ def main():
             if provider not in idp_providers:
                 ansible_module.fail_json(
                     msg="Provider '%s' is unknown" % provider)
-        else:
-            if not auth_uri:
-                ansible_module.fail_json(
-                    msg="Parameter '%s' is missing" % "auth_uri")
-            if not dev_auth_uri:
-                ansible_module.fail_json(
-                    msg="Parameter '%s' is missing" % "dev_auth_uri")
-            if not token_uri:
-                ansible_module.fail_json(
-                    msg="Parameter '%s' is missing" % "token_uri")
-            if not userinfo_uri:
-                ansible_module.fail_json(
-                    msg="Parameter '%s' is missing" % "userinfo_uri")
         invalid = ["rename", "delete_continue"]
     else:
         # state renamed and absent
@@ -459,6 +463,19 @@ def main():
 
     ansible_module.params_fail_used_invalid(invalid, state)
 
+    # Empty client_id test
+    if client_id is not None and client_id == "":
+        ansible_module.fail_json(msg="'client_id' is required")
+
+    # Normalize base_url
+    if base_url is not None and base_url.startswith('https://'):
+        base_url = base_url[len('https://'):]
+
+    # Validate uris
+    for uri in [auth_uri, dev_auth_uri, token_uri, userinfo_uri, keys_uri]:
+        if uri is not None and uri != "":
+            validate_uri(ansible_module, uri)
+
     # Init
 
     changed = False
@@ -507,6 +524,19 @@ def main():
                                             res_find):
                         commands.append([name, "idp_mod", args])
                 else:
+                    if "ipaidpauthendpoint" not in args:
+                        ansible_module.fail_json(
+                            msg="Parameter '%s' is missing" % "auth_uri")
+                    if "ipaidpdevauthendpoint" not in args:
+                        ansible_module.fail_json(
+                            msg="Parameter '%s' is missing" % "dev_auth_uri")
+                    if "ipaidptokenendpoint" not in args:
+                        ansible_module.fail_json(
+                            msg="Parameter '%s' is missing" % "token_uri")
+                    if "ipaidpuserinfoendpoint" not in args:
+                        ansible_module.fail_json(
+                            msg="Parameter '%s' is missing" % "userinfo_uri")
+
                     commands.append([name, "idp_add", args])
 
             elif state == "absent":

requirements-dev.txt

@@ -7,4 +7,4 @@ pylint==2.17.2
 wrapt==1.14.1
 pydocstyle==6.3.0
 yamllint==1.32.0
-ansible-lint
+ansible-lint >= 6.22

roles/ipaclient/tasks/install.yml

@@ -166,18 +166,19 @@
       register: result_ipaclient_get_otp
       delegate_to: "{{ result_ipaclient_test.servers[0] }}"
 
-    - name: Install - Report error for OTP generation
-      ansible.builtin.debug:
-        msg: "{{ result_ipaclient_get_otp.msg }}"
-      when: result_ipaclient_get_otp is failed
-      failed_when: yes
-
     - name: Install - Store the previously obtained OTP
       no_log: yes
       ansible.builtin.set_fact:
         ipaadmin_orig_password: "{{ ipaadmin_password | default(omit) }}"
         ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword
                                if result_ipaclient_get_otp.host is defined }}"
+    rescue:
+    - name: Install - Report error for OTP generation
+      ansible.builtin.debug:
+        msg: "{{ result_ipaclient_get_otp.msg }}"
+      when: result_ipaclient_get_otp is failed
+      failed_when: yes
+
     always:
     - name: Install - Remove keytab temporary file
       ansible.builtin.file:

roles/ipareplica/tasks/install.yml

@@ -57,6 +57,11 @@
     ipareplica_servers: "{{ groups['ipaservers'] | list }}"
   when: groups.ipaservers is defined and ipareplica_servers is not defined
 
+- name: Install - Set ipareplica_servers from cluster inventory
+  ansible.builtin.set_fact:
+    ipareplica_servers: "{{ groups['ipaserver'] | list }}"
+  when: ipareplica_servers is not defined and groups.ipaserver is defined
+
 - name: Install - Set default principal if no keytab is given
   ansible.builtin.set_fact:
     ipaadmin_principal: admin

tests/azure/templates/playbook_fast.yml

@@ -21,7 +21,7 @@ parameters:
 jobs:
 - job: Test_Group${{ parameters.group_number }}
   displayName: Run playbook tests ${{ parameters.scenario }} (${{ parameters.group_number }}/${{ parameters.number_of_groups }})
-  timeoutInMinutes: 240
+  timeoutInMinutes: 360
   variables:
   - template: variables.yaml
   - template: variables_${{ parameters.scenario }}.yaml

tests/idp/test_idp.yml

@@ -62,6 +62,162 @@
       register: result
       failed_when: result.changed or result.failed
 
+    - name: Ensure keycloak idp my-keycloak-idp is present with all params
+      ipaidp:
+        name: my-keycloak-idp
+        organization: main
+        base_url: https://keycloak.idm.example.com:8443/auth
+        keys_uri: https://keycloak.idm.example.com:8443/certs
+        issuer_url: https://keycloak.idm.example.com:8443/issuer
+        secret: secret
+        scope: https://keycloak.idm.example.com:8443/scope
+        idp_user_id: testuser
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp is present with all params, again
+      ipaidp:
+        name: my-keycloak-idp
+        organization: main
+        base_url: https://keycloak.idm.example.com:8443/auth
+        keys_uri: https://keycloak.idm.example.com:8443/certs
+        issuer_url: https://keycloak.idm.example.com:8443/issuer
+        secret: secret
+        scope: https://keycloak.idm.example.com:8443/scope
+        idp_user_id: testuser
+        client_id: my-client-id
+      register: result
+      # failed_when: result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp auth_uri is empty
+      ipaidp:
+        name: my-keycloak-idp
+        auth_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp auth_uri is empty, again
+      ipaidp:
+        name: my-keycloak-idp
+        auth_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp dev_auth_uri is empty
+      ipaidp:
+        name: my-keycloak-idp
+        dev_auth_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp dev_auth_uri is empty, again
+      ipaidp:
+        name: my-keycloak-idp
+        dev_auth_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp token_uri is empty
+      ipaidp:
+        name: my-keycloak-idp
+        token_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp token_uri is empty, again
+      ipaidp:
+        name: my-keycloak-idp
+        token_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp userinfo_uri is empty
+      ipaidp:
+        name: my-keycloak-idp
+        userinfo_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp userinfo_uri is empty, again
+      ipaidp:
+        name: my-keycloak-idp
+        userinfo_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp keys_uri is empty
+      ipaidp:
+        name: my-keycloak-idp
+        keys_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp keys_uri is empty, again
+      ipaidp:
+        name: my-keycloak-idp
+        keys_uri: ""
+        client_id: my-client-id
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp issuer_url is empty
+      ipaidp:
+        name: my-keycloak-idp
+        issuer_url: ""
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp issuer_url is empty, again
+      ipaidp:
+        name: my-keycloak-idp
+        issuer_url: ""
+        client_id: my-client-id
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp scope is empty
+      ipaidp:
+        name: my-keycloak-idp
+        scope: ""
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp scope is empty, again
+      ipaidp:
+        name: my-keycloak-idp
+        scope: ""
+        client_id: my-client-id
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp idp_user_id is empty
+      ipaidp:
+        name: my-keycloak-idp
+        idp_user_id: ""
+        client_id: my-client-id
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure keycloak idp my-keycloak-idp idp_user_id is empty, again
+      ipaidp:
+        name: my-keycloak-idp
+        idp_user_id: ""
+        client_id: my-client-id
+      register: result
+      failed_when: result.changed or result.failed
+
     - name: Ensure idp my-keycloak-idp is absent
       ipaidp:
         name: my-keycloak-idp