diff --git a/.github/workflows/test_ansible.yml b/.github/workflows/test_ansible.yml
new file mode 100644
index 0000000..2d40ce0
--- /dev/null
+++ b/.github/workflows/test_ansible.yml
@@ -0,0 +1,28 @@
+---
+name: test-freeipa-matrix
+run-name: Test Distro Matrx
+on:
+ - push
+ - pull_request
+
+ jobs:
+ test-freeipa-distro-matrix:
+ name: Test distro matrix
+ runs-on: ubuntu-24.04
+ strategy:
+ matrix:
+ test_distro:
+ - fedora-latest
+ - fedora-rawhide
+ - c10s
+ steps:
+ - name: Clone the repository
+ uses: actions/checkout@v4
+
+ - name: Run FreeIPA tests
+ uses: rjeffman/FreeIPA-Cluster-Test@v1.2.0
+ with:
+ cluster_configuration: tests/evironments/server_only.yaml
+ distro: ${{ matrix.test_distro }}
+ test_playbooks: >-
+ tests/playbooks/test_hbac.yaml
diff --git a/tests/environments/server_only.yaml b/tests/environments/server_only.yaml
new file mode 100644
index 0000000..6e1b68b
--- /dev/null
+++ b/tests/environments/server_only.yaml
@@ -0,0 +1,10 @@
+---
+ipa_deployments:
+ - name: server-only
+ domain: ipa.test
+ realm: IPA.TEST
+ admin_password: SomeADMINpassword
+ dm_password: SomeDMpassword
+ cluster:
+ servers:
+ - name: server
diff --git a/tests/playbooks/test_hbac.yaml b/tests/playbooks/test_hbac.yaml
new file mode 100644
index 0000000..bdf1285
--- /dev/null
+++ b/tests/playbooks/test_hbac.yaml
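Review bot: The workflow's `cluster_configuration: tests/evironments/server_only.yaml` misspells the directory; the file this commit adds is `tests/environments/server_only.yaml`, so the FreeIPA-Cluster-Test step will not find its cluster definition and the job cannot pass as written — change it to `cluster_configuration: tests/environments/server_only.yaml`. The third-party action is pinned by a mutable tag, `uses: rjeffman/FreeIPA-Cluster-Test@v1.2.0`; since it runs with the job's GITHUB_TOKEN on every push and pull request, pin it to a full commit SHA and keep the tag as a comment, e.g. `uses: rjeffman/FreeIPA-Cluster-Test@<commit-sha>  # v1.2.0`. No `permissions:` block is set, so the token gets the repository's default scopes; a job that only checks out and runs tests should declare a top-level `permissions:` with `contents: read`. Minor: `run-name: Test Distro Matrx` should read `Test Distro Matrix`.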
@@ -0,0 +1,607 @@ +--- +- name: Test hbacrule + hosts: "{{ ipa_test_host | default('ipaserver') }}" + become: true + + module_defaults: + freeipa.ansible_freeipa.ipahost: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + freeipa.ansible_freeipa.ipahostgroup: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + freeipa.ansible_freeipa.ipauser: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + freeipa.ansible_freeipa.ipagroup: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + freeipa.ansible_freeipa.ipahbacsvc: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + freeipa.ansible_freeipa.ipahbacsvcgroup: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + freeipa.ansible_freeipa.ipahbacrule: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + + tasks: + - name: Get Domain from server name + ansible.builtin.set_fact: + ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}" + when: ipaserver_domain is not defined + + # CLEANUP TEST ITEMS + + - name: Ensure test hosts are absent + freipa.ansibel_freeipa.ipahost: + name: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' 
+ ipaserver_domain }}" + state: absent + + - name: Ensure test hostgroups are absent + freipa.ansibel_freeipa.ipahostgroup: + name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04 + state: absent + + - name: Ensure test users are absent + freipa.ansibel_freeipa.ipauser: + name: testuser01,testuser02,testuser03,testuser04 + state: absent + + - name: Ensure test user groups are absent + freipa.ansibel_freeipa.ipagroup: + name: testgroup01,testgroup02,testgroup03,testgroup04 + state: absent + + - name: Ensure test HBAC Services are absent + freipa.ansibel_freeipa.ipahbacsvc: + name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04 + state: absent + + - name: Ensure test HBAC Service Groups are absent + freipa.ansibel_freeipa.ipahbacsvcgroup: + name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04 + state: absent + + # CREATE TEST ITEMS + + - name: Ensure hosts "{{ 'host[1..4].' + ipaserver_domain }}" are present + ipahost: + hosts: + - name: "{{ 'testhost01.' + ipaserver_domain }}" + force: yes + - name: "{{ 'testhost02.' + ipaserver_domain }}" + force: yes + - name: "{{ 'testhost03.' + ipaserver_domain }}" + force: yes + - name: "{{ 'testhost04.' 
+ ipaserver_domain }}" + force: yes + register: result + failed_when: not result.changed or result.failed + + - name: Ensure host-group testhostgroup01 is present + ipahostgroup: + name: testhostgroup01 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure host-group testhostgroup02 is present + ipahostgroup: + name: testhostgroup02 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure host-group testhostgroup03 is present + ipahostgroup: + name: testhostgroup03 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure host-group testhostgroup04 is present + ipahostgroup: + name: testhostgroup04 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure testusers are present + ipauser: + users: + - name: testuser01 + first: test + last: user01 + - name: testuser02 + first: test + last: user02 + - name: testuser03 + first: test + last: user03 + - name: testuser04 + first: test + last: user04 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure user group testgroup01 is present + ipagroup: + name: testgroup01 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure user group testgroup02 is present + ipagroup: + name: testgroup02 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure user group testgroup03 is present + ipagroup: + name: testgroup03 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure user group testgroup04 is present + ipagroup: + name: testgroup04 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC Service testhbacsvc01 is present + ipahbacsvc: + name: testhbacsvc01 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC Service testhbacsvc02 is present + ipahbacsvc: + name: testhbacsvc02 + register: result 
+ failed_when: not result.changed or result.failed + + - name: Ensure HBAC Service testhbacsvc03 is present + ipahbacsvc: + name: testhbacsvc03 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC Service testhbacsvc04 is present + ipahbacsvc: + name: testhbacsvc04 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC Service Group testhbacsvcgroup01 is present + ipahbacsvcgroup: + name: testhbacsvcgroup01 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC Service Group testhbacsvcgroup02 is present + ipahbacsvcgroup: + name: testhbacsvcgroup02 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC Service Group testhbacsvcgroup03 is present + ipahbacsvcgroup: + name: testhbacsvcgroup03 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC Service Group testhbacsvcgroup04 is present + ipahbacsvcgroup: + name: testhbacsvcgroup04 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 is absent + ipahbacrule: + name: hbacrule01 + state: absent + + # ENSURE HBACRULE + + - name: Ensure HBAC rule hbacrule01 is present + ipahbacrule: + name: hbacrule01 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC rule hbacrule01 is present again + ipahbacrule: + name: hbacrule01 + register: result + failed_when: result.changed or result.failed + + # CHANGE HBACRULE WITH ALL MEMBERS + + - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + register: result + failed_when: result.changed or result.failed + + # REMOVE MEMBERS ONE BY ONE + + - name: Ensure test HBAC rule hbacrule01 host members are absent + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + state: absent + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 host members are absent again + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" + state: absent + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent + ipahbacrule: + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + state: absent + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent again + ipahbacrule: + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + state: absent + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 user members are absent + ipahbacrule: + name: hbacrule01 + user: testuser01,testuser02 + state: absent + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 user members are absent again + ipahbacrule: + name: hbacrule01 + user: testuser01,testuser02 + state: absent + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 user group members are absent + ipahbacrule: + name: hbacrule01 + group: testgroup01,testgroup02 + state: absent + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 user group members are absent again + ipahbacrule: + name: hbacrule01 + group: testgroup01,testgroup02 + state: absent + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent + ipahbacrule: + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 + state: absent + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent again + ipahbacrule: + name: hbacrule01 + hbacsvc: 
testhbacsvc01,testhbacsvc02 + state: absent + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent + ipahbacrule: + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + state: absent + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent again + ipahbacrule: + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + state: absent + action: member + register: result + failed_when: result.changed or result.failed + + # ADD MEMBERS BACK + + - name: Ensure test HBAC rule hbacrule01 host members are present + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 host members are present again + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hostgroup members are present + ipahbacrule: + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hostgroup members are present again + ipahbacrule: + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 user members are present + ipahbacrule: + name: hbacrule01 + user: testuser01,testuser02 + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 user members are present again + ipahbacrule: + name: hbacrule01 + user: testuser01,testuser02 + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 user group members are present + ipahbacrule: + name: hbacrule01 + group: testgroup01,testgroup02 + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 user group members are present again + ipahbacrule: + name: hbacrule01 + group: testgroup01,testgroup02 + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present + ipahbacrule: + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present again + ipahbacrule: + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure test HBAC rule 
hbacrule01 hbacsvcgroup members are present + ipahbacrule: + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present again + ipahbacrule: + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + action: member + register: result + failed_when: result.changed or result.failed + + # CHANGE TO DIFFERENT MEMBERS + + - name: Ensure HBAC rule hbacrule01 is present with different objects + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC rule hbacrule01 is present with different objects, again + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + register: result + failed_when: result.changed or result.failed + + # ENSURE OLD TEST MEMBERS ARE ABSENT + + - name: Ensure HBAC rule hbacrule01 members (same) are present + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 + state: absent + action: member + register: result + failed_when: result.changed or result.failed + + # ENSURE NEW TEST MEMBERS ARE ABSENT + + - name: Ensure HBAC rule hbacrule01 members are absent + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + state: absent + action: member + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC rule hbacrule01 members are absent again + ipahbacrule: + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' 
+ ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + state: absent + action: member + register: result + failed_when: result.changed or result.failed + + # ENSURE SIMPLE HOSTNAMES MATCH + + - name: Ensure HBAC rule hbacrule01 simple host members are usable + ipahbacrule: + name: hbacrule01 + host: + - "testhost01" + - "testhost03" + register: result + failed_when: not result.changed or result.failed + + - name: Ensure HBAC rule hbacrule01 simple host members are usable again (and match) + ipahbacrule: + name: hbacrule01 + host: + - "testhost01" + - "testhost03" + register: result + failed_when: result.changed or result.failed + + # CLEANUP TEST ITEMS + + - name: Ensure test HBAC rule hbacrule01 is absent + ipahbacrule: + name: hbacrule01 + state: absent + + - name: Ensure test hosts are absent + ipahostgroup: + name: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + state: absent + + - name: Ensure test hostgroups are absent + ipahostgroup: + name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04 + state: absent + + - name: Ensure test users are absent + ipauser: + name: testuser01,testuser02,testuser03,testuser04 + state: absent + + - name: Ensure test user groups are absent + ipagroup: + name: testgroup01,testgroup02,testgroup03,testgroup04 + state: absent + + - name: Ensure test HBAC Services are absent + ipahbacsvc: + name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04 + state: absent + + - name: Ensure test HBAC Service Groups are absent + ipahbacsvcgroup: + name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04 + state: absent
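Review bot: The six cleanup tasks at the top of the play reference the collection as `freipa.ansibel_freeipa.*` (for example `freipa.ansibel_freeipa.ipahost:`), which does not resolve to the installed `freeipa.ansible_freeipa` collection, so the first task fails before any test runs; even if it resolved, it would not receive the `module_defaults` entered under `freeipa.ansible_freeipa.ipahost` and would run without `ipaadmin_password`. Fix the prefix in all six tasks, e.g. `freeipa.ansible_freeipa.ipahost:`. In the final CLEANUP section, "Ensure test hosts are absent" calls `ipahostgroup:` with the four host FQDNs (copied from the hostgroup task), so the test hosts are left on the server after the run; it should be `ipahost:`. The remaining tasks use short module names (`ipahost`, `ipahbacrule`, ...) while `module_defaults` are keyed by FQCN and no `collections:` keyword is visible in the play, so whether those defaults apply depends on how the short names resolve — using the FQCN consistently avoids the question. `force: yes` in the host-creation task is a YAML 1.1 truthy; write `force: true`.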