From 766cf5a285aa24d1ca8058a90605ca03d04f14f5 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Wed, 13 Apr 2022 08:12:26 -0300 Subject: [PATCH] ipatrust: Fix support for `range_type`. The ipatrust module was ignoring the value of `range_type`, which is required to allow for different types of idranges. --- plugins/modules/ipatrust.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py index 6251ecc..40b61b5 100644 --- a/plugins/modules/ipatrust.py +++ b/plugins/modules/ipatrust.py @@ -157,7 +157,7 @@ def add_trust(module, realm, args): def gen_args(trust_type, admin, password, server, trust_secret, base_id, - range_size, _range_type, two_way, external): + range_size, range_type, two_way, external): _args = {} if trust_type is not None: _args["trust_type"] = trust_type @@ -173,6 +173,8 @@ def gen_args(trust_type, admin, password, server, trust_secret, base_id, _args["base_id"] = base_id if range_size is not None: _args["range_size"] = range_size + if range_type is not None: + _args["range_type"] = range_type if two_way is not None: _args["bidirectional"] = two_way if external is not None: -- 2.37.3 From 3ea452ef6fa25798211623806a862aa4b9e70815 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Wed, 30 Mar 2022 14:22:15 -0300 Subject: [PATCH] tests/trust: Improved test coverage and execution. This patch applies several changes to the ipatrust test playbook: * Add externally defined parameters so execution in local trust environments can be configured. The available parameters are: * winserver_admin_password: the Administrator password for the AD server (default: 'SomeW1Npassword') * winserver_domain: the AD server domain (default: 'windows.local') * winserver realm: the AD server realm (by default, the uppercase version of winserver_domain) * ipaserver_domain: the FreeIPA server domain (default: 'ipa.test') * ipaserver_realm: the FreeIPA server realm (by default, the uppercase version of ipaserver_domain * Modify trust verification to check for the existence of the trust as it the output of `ipa trust-find`, instead of cheking for the number of items returned, as the number might vary. * Add idempotency tests by re-executing tasks and verifying that no change was performed. * Added tests to verify creation of trusts with different 'range_type'. * Use a Kerberos cache for shell scripts, and destroy it on exit. * Properly remove all `idrange` that might be created upon setting up a trust. --- tests/trust/test_trust.yml | 161 +++++++++++++++++++++++++++++++------ 1 file changed, 137 insertions(+), 24 deletions(-) diff --git a/tests/trust/test_trust.yml b/tests/trust/test_trust.yml index e4ecdf5..5d1280d 100644 --- a/tests/trust/test_trust.yml +++ b/tests/trust/test_trust.yml @@ -1,55 +1,168 @@ --- -- name: find trust +- name: Test ipatrust hosts: "{{ ipa_test_host | default('ipaserver') }}" become: true gather_facts: false + vars: + adserver: + domain: "{{ winserver_domain | default('windows.local')}}" + realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}" + password: "{{ winserver_admin_password | default('SomeW1Npassword') }}" + ipaserver: + domain: "{{ ipaserver_domain | default('ipa.test')}}" + realm: "{{ ipaserver_realm | default(ipaserver_domain) | default('ipa.test') | upper }}" + trust_exists: 'Realm name: {{ adserver.domain }}' + ad_range_exists: 'Range name: {{ adserver.realm }}_id_range' + ipa_range_exists: 'Range name: {{ ipaserver.realm }}_subid_range' + tasks: - block: - - name: delete trust + - name: Delete test trust ipatrust: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" - realm: windows.local + realm: "{{ adserver.domain }}" state: absent - register: del_trust - - name: check for trust + - name: Clear test idranges shell: | - echo 'SomeADMINpassword' | kinit admin - ipa trust-find windows.local - register: check_find_trust - failed_when: "'0 trusts matched' not in check_find_trust.stdout" + kinit -c test_krb5_cache admin <<< SomeADMINpassword + ipa idrange-del {{ adserver.realm }}_id_range || true + ipa idrange-del {{ ipaserver.realm }}_subid_range || true + kdestroy -c test_krb5_cache -q -A - - name: delete id range + - name: Add trust with range_type 'ipa-ad-trust' + ipatrust: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + realm: "{{ adserver.domain }}" + admin: Administrator + trust_type: ad + range_type: ipa-ad-trust + password: "{{ adserver.password }}" + state: present + register: result + failed_when: result.failed or not result.changed + + - name: check if 'ipa-ad-trust' trust exists shell: | echo 'SomeADMINpassword' | kinit admin - ipa idrange-del WINDOWS.LOCAL_id_range - when: del_trust['changed'] | bool + ipa trust-find + kdestroy -c test_krb5_cache -q -A + register: check_add_trust + failed_when: "trust_exists not in check_add_trust.stdout" - - name: check for range + - name: Add trust with range_type 'ipa-ad-trust', again + ipatrust: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + realm: "{{ adserver.domain }}" + admin: Administrator + range_type: ipa-ad-trust + password: "{{ adserver.password }}" + state: present + register: result + failed_when: result.failed or result.changed + + - name: Delete 'ipa-ad-trust' trust + ipatrust: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + realm: "{{ adserver.domain }}" + state: absent + register: result + failed_when: result.failed or not result.changed + + - name: Check if 'ipa-ad-trust' trust was removed shell: | - echo 'SomeADMINpassword' | kinit admin - ipa idrange-find WINDOWS.LOCAL_id_range - register: check_del_idrange - failed_when: "'0 ranges matched' not in check_del_idrange.stdout" + kinit -c test_krb5_cache admin <<< SomeADMINpassword + ipa trust-find + kdestroy -c test_krb5_cache -q -A + register: check_add_trust + failed_when: "trust_exists in check_add_trust.stdout" + + - name: Delete 'ipa-ad-trust' trust, again + ipatrust: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + realm: "{{ adserver.domain }}" + state: absent + register: result + failed_when: result.failed or result.changed + + - name: Clear test idranges + shell: | + kinit -c test_krb5_cache admin <<< SomeADMINpassword + ipa idrange-del {{ adserver.realm }}_id_range || true + ipa idrange-del {{ ipaserver.realm }}_subid_range || true + kdestroy -c test_krb5_cache -q -A - - name: add trust + - name: Add trust with range_type 'ipa-ad-trust-posix' ipatrust: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" - realm: windows.local + realm: "{{ adserver.domain }}" admin: Administrator - password: secret_ad_pw + range_type: ipa-ad-trust-posix + password: "{{ adserver.password }}" state: present + register: result + failed_when: result.failed or not result.changed - - name: check for trust + - name: Check if 'ipa-ad-trust-posix' trust exists shell: | - echo 'SomeADMINpassword' | kinit admin - ipa trust-find windows.local + kinit -c test_krb5_cache admin <<< SomeADMINpassword + ipa trust-find + kdestroy -c test_krb5_cache -q -A register: check_add_trust - failed_when: "'1 trust matched' not in check_add_trust.stdout" + failed_when: "trust_exists not in check_add_trust.stdout" + + - name: Add trust with range_type 'ipa-ad-trust-posix', again + ipatrust: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + realm: "{{ adserver.domain }}" + admin: Administrator + range_type: ipa-ad-trust-posix + password: "{{ adserver.password }}" + state: present + register: result + failed_when: result.failed or result.changed + + - name: Delete 'ipa-ad-trust-posix' trust + ipatrust: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + realm: "{{ adserver.domain }}" + state: absent + register: result + failed_when: result.failed or not result.changed + + - name: Check if trust 'ipa-ad-trust-posix' was removed + shell: | + kinit -c test_krb5_cache admin <<< SomeADMINpassword + ipa trust-find + kdestroy -c test_krb5_cache -q -A + register: check_del_trust + failed_when: "trust_exists in check_del_trust.stdout" + + - name: Delete 'ipa-ad-trust-posix' trust, again + ipatrust: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + realm: "{{ adserver.domain }}" + state: absent + register: result + failed_when: result.failed or result.changed + + - name: Clear test idranges + shell: | + kinit -c test_krb5_cache admin <<< SomeADMINpassword + ipa idrange-del {{ adserver.realm }}_id_range || true + ipa idrange-del {{ ipaserver.realm }}_subid_range || true + kdestroy -c test_krb5_cache -q -A when: trust_test_is_supported | default(false) -- 2.37.3 From 50b16cb33ff80f479825228b54349ba93b7c2ad5 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Wed, 30 Mar 2022 14:42:12 -0300 Subject: [PATCH] tests/ipatrust: Modify AD realm name to an invalid name. As the task is expected to fail, the AD realm name was modified to show the expected behavior more clearly. --- tests/trust/test_trust_client_context.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/trust/test_trust_client_context.yml b/tests/trust/test_trust_client_context.yml index 2ea3853..6f4ff06 100644 --- a/tests/trust/test_trust_client_context.yml +++ b/tests/trust/test_trust_client_context.yml @@ -13,7 +13,7 @@ ipatrust: ipaadmin_password: SomeADMINpassword ipaapi_context: server - realm: windows.local + realm: this.test.should.fail register: result failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*")) when: ipa_host_is_client -- 2.37.3