From 766cf5a285aa24d1ca8058a90605ca03d04f14f5 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 13 Apr 2022 08:12:26 -0300
Subject: [PATCH] ipatrust: Fix support for `range_type`.
The ipatrust module was ignoring the value of `range_type`, which is
required to allow for different types of idranges.
---
plugins/modules/ipatrust.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
index 6251ecc..40b61b5 100644
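--- a/plugins/modules/ipatrust.py
+++ b/plugins/modules/ipatrust.py
@@ -157,7 +157,7 @@ def add_trust(module, realm, args):
 
 
 def gen_args(trust_type, admin, password, server, trust_secret, base_id,
- range_size, _range_type, two_way, external):
+ range_size, range_type, two_way, external):
 _args = {}
 if trust_type is not None:
 _args["trust_type"] = trust_type
@@ -173,6 +173,8 @@ def gen_args(trust_type, admin, password, server, trust_secret, base_id,
 _args["base_id"] = base_id
 if range_size is not None:
 _args["range_size"] = range_size
+ if range_type is not None:
+ _args["range_type"] = range_type
 if two_way is not None:
 _args["bidirectional"] = two_way
 if external is not None: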
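Review bot: The new `range_type` branch in the second hunk forwards the value as given, and nothing in the visible lines compares it with the idrange type of a trust that already exists, so a playbook asking for a different type on an existing trust would presumably report no change. Because the range type decides whether POSIX IDs for AD users are generated from the SID or read from AD attributes, that silent mismatch deserves a note: I would add a comment above the branch, `# range_type appears to take effect only when the trust is created; an existing trust keeps its idrange type`, and confirm that the argument spec limits the value to the types `ipa trust-add` accepts. `gen_args` begins in the first hunk and continues past the end of the second, so the rest of its body was not reviewed.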
--
2.37.3
From 3ea452ef6fa25798211623806a862aa4b9e70815 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 30 Mar 2022 14:22:15 -0300
Subject: [PATCH] tests/trust: Improved test coverage and execution.
This patch applies several changes to the ipatrust test playbook:
* Add externally defined parameters so execution in local trust
environments can be configured. The available parameters are:
* winserver_admin_password: the Administrator password for the AD
server (default: 'SomeW1Npassword')
* winserver_domain: the AD server domain (default: 'windows.local')
* winserver realm: the AD server realm (by default, the uppercase
version of winserver_domain)
* ipaserver_domain: the FreeIPA server domain (default: 'ipa.test')
* ipaserver_realm: the FreeIPA server realm (by default, the
uppercase version of ipaserver_domain
* Modify trust verification to check for the existence of the trust as
in the output of `ipa trust-find`, instead of checking for the number
of items returned, as the number might vary.
* Add idempotency tests by re-executing tasks and verifying that no
change was performed.
* Added tests to verify creation of trusts with different 'range_type'.
* Use a Kerberos cache for shell scripts, and destroy it on exit.
* Properly remove all `idrange` that might be created upon setting up a
trust.
---
tests/trust/test_trust.yml | 161 +++++++++++++++++++++++++++++++------
1 file changed, 137 insertions(+), 24 deletions(-)
diff --git a/tests/trust/test_trust.yml b/tests/trust/test_trust.yml
index e4ecdf5..5d1280d 100644
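--- a/tests/trust/test_trust.yml
+++ b/tests/trust/test_trust.yml
@@ -1,55 +1,168 @@
 ---
-- name: find trust
+- name: Test ipatrust
 hosts: "{{ ipa_test_host | default('ipaserver') }}"
 become: true
 gather_facts: false
 
+ vars:
+ adserver:
+ domain: "{{ winserver_domain | default('windows.local')}}"
+ realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}"
+ password: "{{ winserver_admin_password | default('SomeW1Npassword') }}"
+ ipaserver:
+ domain: "{{ ipaserver_domain | default('ipa.test')}}"
+ realm: "{{ ipaserver_realm | default(ipaserver_domain) | default('ipa.test') | upper }}"
+ trust_exists: 'Realm name: {{ adserver.domain }}'
+ ad_range_exists: 'Range name: {{ adserver.realm }}_id_range'
+ ipa_range_exists: 'Range name: {{ ipaserver.realm }}_subid_range'
+
 tasks:
 
 - block:
 
- - name: delete trust
+ - name: Delete test trust
 ipatrust:
 ipaadmin_password: SomeADMINpassword
 ipaapi_context: "{{ ipa_context | default(omit) }}"
- realm: windows.local
+ realm: "{{ adserver.domain }}"
 state: absent
- register: del_trust
 
- - name: check for trust
+ - name: Clear test idranges
 shell: |
- echo 'SomeADMINpassword' | kinit admin
- ipa trust-find windows.local
- register: check_find_trust
- failed_when: "'0 trusts matched' not in check_find_trust.stdout"
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa idrange-del {{ adserver.realm }}_id_range || true
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
+ kdestroy -c test_krb5_cache -q -A
 
- - name: delete id range
+ - name: Add trust with range_type 'ipa-ad-trust'
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ admin: Administrator
+ trust_type: ad
+ range_type: ipa-ad-trust
+ password: "{{ adserver.password }}"
+ state: present
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: check if 'ipa-ad-trust' trust exists
 shell: |
 echo 'SomeADMINpassword' | kinit admin
- ipa idrange-del WINDOWS.LOCAL_id_range
- when: del_trust['changed'] | bool
+ ipa trust-find
+ kdestroy -c test_krb5_cache -q -A
+ register: check_add_trust
+ failed_when: "trust_exists not in check_add_trust.stdout"
 
- - name: check for range
+ - name: Add trust with range_type 'ipa-ad-trust', again
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ admin: Administrator
+ range_type: ipa-ad-trust
+ password: "{{ adserver.password }}"
+ state: present
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Delete 'ipa-ad-trust' trust
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ state: absent
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Check if 'ipa-ad-trust' trust was removed
 shell: |
- echo 'SomeADMINpassword' | kinit admin
- ipa idrange-find WINDOWS.LOCAL_id_range
- register: check_del_idrange
- failed_when: "'0 ranges matched' not in check_del_idrange.stdout"
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa trust-find
+ kdestroy -c test_krb5_cache -q -A
+ register: check_add_trust
+ failed_when: "trust_exists in check_add_trust.stdout"
+
+ - name: Delete 'ipa-ad-trust' trust, again
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ state: absent
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Clear test idranges
+ shell: |
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa idrange-del {{ adserver.realm }}_id_range || true
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
+ kdestroy -c test_krb5_cache -q -A
 
- - name: add trust
+ - name: Add trust with range_type 'ipa-ad-trust-posix'
 ipatrust:
 ipaadmin_password: SomeADMINpassword
 ipaapi_context: "{{ ipa_context | default(omit) }}"
- realm: windows.local
+ realm: "{{ adserver.domain }}"
 admin: Administrator
- password: secret_ad_pw
+ range_type: ipa-ad-trust-posix
+ password: "{{ adserver.password }}"
 state: present
+ register: result
+ failed_when: result.failed or not result.changed
 
- - name: check for trust
+ - name: Check if 'ipa-ad-trust-posix' trust exists
 shell: |
- echo 'SomeADMINpassword' | kinit admin
- ipa trust-find windows.local
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa trust-find
+ kdestroy -c test_krb5_cache -q -A
 register: check_add_trust
- failed_when: "'1 trust matched' not in check_add_trust.stdout"
+ failed_when: "trust_exists not in check_add_trust.stdout"
+
+ - name: Add trust with range_type 'ipa-ad-trust-posix', again
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ admin: Administrator
+ range_type: ipa-ad-trust-posix
+ password: "{{ adserver.password }}"
+ state: present
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Delete 'ipa-ad-trust-posix' trust
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ state: absent
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Check if trust 'ipa-ad-trust-posix' was removed
+ shell: |
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa trust-find
+ kdestroy -c test_krb5_cache -q -A
+ register: check_del_trust
+ failed_when: "trust_exists in check_del_trust.stdout"
+
+ - name: Delete 'ipa-ad-trust-posix' trust, again
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ state: absent
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Clear test idranges
+ shell: |
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa idrange-del {{ adserver.realm }}_id_range || true
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
+ kdestroy -c test_krb5_cache -q -A
 
 when: trust_test_is_supported | default(false)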
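Review bot: The `kinit -c test_krb5_cache` lines store the admin ticket in a named cache, but the `ipa` commands after them never select that cache, so they run against whatever default cache the become user already holds; with `|| true` on `ipa idrange-del`, an unauthenticated failure in the "Clear test idranges" tasks passes unnoticed. Prefixing each call, e.g. `KRB5CCNAME=test_krb5_cache ipa trust-find`, ties the command to the cache that `kdestroy -c test_krb5_cache` later removes. The task "check if 'ipa-ad-trust' trust exists" still runs `echo 'SomeADMINpassword' | kinit admin`, which leaves an admin ticket in the default cache that the following `kdestroy -c test_krb5_cache` does not remove, so it should use the same `kinit -c` form as the other tasks. `ad_range_exists` and `ipa_range_exists` are defined but never used in this hunk, so no task asserts that the created idrange has the requested `range_type`, which is the behaviour the series fixes. The `<<<` here-string needs bash, so the shell tasks should probably set `args: executable: /bin/bash` unless the test hosts guarantee that `/bin/sh` is bash.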
--
2.37.3
From 50b16cb33ff80f479825228b54349ba93b7c2ad5 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 30 Mar 2022 14:42:12 -0300
Subject: [PATCH] tests/ipatrust: Modify AD realm name to an invalid name.
As the task is expected to fail, the AD realm name was modified to show
the expected behavior more clearly.
---
tests/trust/test_trust_client_context.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/trust/test_trust_client_context.yml b/tests/trust/test_trust_client_context.yml
index 2ea3853..6f4ff06 100644
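--- a/tests/trust/test_trust_client_context.yml
+++ b/tests/trust/test_trust_client_context.yml
@@ -13,7 +13,7 @@
 ipatrust:
 ipaadmin_password: SomeADMINpassword
 ipaapi_context: server
- realm: windows.local
+ realm: this.test.should.fail
 register: result
 failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
 when: ipa_host_is_client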
--
2.37.3