refactor: use the ini_file module to test sssd.conf
The `ini` lookup is problematic with ansible 2.9 due to the
arguments being completely different, and because ansible attempts
to evaluate `{{ lookup('ini', ...) }}` even if guarded by a `when`,
any use of the new style 2.x `ini` arguments will fail.
Instead, just use the `ini_file` module itself, and rely on the fact
that it will report `changed: true` if the values are different.

Use `community.general.ini_file` instead of `ini_file` everywhere
for consistency.

Refactor the `tests_dyndns.yml` test so that it works in CI with
a single host - in that case, just check that the sssd.conf was
written correctly.

Rename tests_sssd_custom_setttings.yml to tests_sssd_custom_settings.yml

Use the new `ad_integration_sssd_custom_settings` in tests instead of
writing to sssd.conf directly with `ini_file`

The `tests_dyndns.yml` test wasn't working properly - in order for
any parameters to be set, you must specify `ad_dyndns_update: true`

Use non-FQCN `win_command` in a couple of places that Ansible 2.9 was
giving an error about.

Signed-off-by: Rich Megginson <[email protected]>
richm committed Nov 10, 2023
1 parent 0796843 commit a71b826
Showing 6 changed files with 162 additions and 207 deletions.
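--- a/.ansible-lint
+++ b/.ansible-lint
@@ -23,6 +23,6 @@ exclude_paths:
 mock_modules:
 - win_domain_group
 - win_domain_user
-- ini_file
+- community.general.ini_file
 mock_roles:
 - linux-system-roles.ad_integration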
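--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -255,7 +255,7 @@
 # now being set to `none` or `''`, remove the options form sssd.conf so sssd
 # will determine the default values.
 - name: Cleanup dynamic DNS configuration options
-ini_file:
+community.general.ini_file:
 path: /etc/sssd/sssd.conf
 state: absent
 section: "domain/{{ ad_integration_realm | lower }}"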
172 changes: 80 additions & 92 deletions tests/tests_dyndns.yml
Expand Up @@ -18,124 +18,112 @@
# ansible_winrm_server_cert_validation=ignore

- name: Ensure that the role configures dynamic dns
hosts: client
gather_facts: false # test that role works in this case

hosts: all,!ad
vars:
# if we don't have a real AD server, just verify the config
# file is written properly
__ad_integration_test_sssd_config_only: "{{
ansible_play_hosts_all | length == 1 }}"
# note - value from inventory such as described above
# will override this value
ad_integration_realm: sample-realm.com
tasks:
- name: Test - Run the system role with dumby vars
- name: Test - Run the system role with bogus vars
include_role:
name: linux-system-roles.ad_integration
vars:
ad_dyndns_iface: "TESTING"
ad_dyndns_iface: TESTING
ad_dyndns_server: 127.0.0.1
ad_dyndns_auth: "GSS-TSIG"
ad_dyndns_auth: GSS-TSIG
ad_dyndns_update: true

- name: Test - Verify sssd.conf options were written
block:
- name: Copy sssd.conf file from host to local /tmp/
fetch:
src: /etc/sssd/sssd.conf
dest: /tmp/
flat: true
changed_when: false
- name: Assert sssd.conf options were written
assert:
that:
- "{{ lookup('ini', 'dyndns_update', section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') }} == True"
- "{{ lookup('ini', 'dyndns_ttl', section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') }} == 3600"
- "'{{ lookup('ini', 'dyndns_iface', section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') }}'
== 'TESTING'"
- "{{ lookup('ini', 'dyndns_refresh_interval', section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') }}
== 86400"
- "{{ lookup('ini', 'dyndns_update_ptr', section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') }} == True"
- "{{ lookup('ini', 'dyndns_force_tcp', section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') }}
== false"
- "'{{ lookup('ini', 'dyndns_auth', section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') }}'
== 'GSS-TSIG'"
- "'{{ lookup('ini', 'dyndns_server', section='domain/' +
ad_integration_realm | lower, file='/tmp/sssd.conf') }}'
== '127.0.0.1'"
- name: Remove /tmp/sssd.conf
file:
path: /tmp/sssd.conf
state: absent
changed_when: false
- name: Check custom dyndns settings
community.general.ini_file:
path: /etc/sssd/sssd.conf
state: present
section: domain/{{ ad_integration_realm | lower }}
option: "{{ item.key }}"
value: "{{ item.value }}"
create: true
owner: root
group: root
mode: u=rw,g=,o=
loop:
- key: dyndns_update
value: "True"
- key: dyndns_iface
value: TESTING
- key: dyndns_auth
value: GSS-TSIG
- key: dyndns_server
value: 127.0.0.1
register: __result
failed_when: __result is changed

- name: Test - Check sssd.log for unsupported options
block:
- name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators]
# noqa: command-instead-of-shell
shell: "grep -i 'sss_ini_call_validators' /var/log/sssd/sssd.log"
register: sssd_log
changed_when: false
failed_when: false
- name: Fail if signature found
fail:
msg: Appears to be an unsupported option in /etc/sssd/sssd.conf
when: sssd_log.stdout | length > 0
- name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators]
command: grep -i sss_ini_call_validators /var/log/sssd/sssd.log
register: sssd_log
changed_when: false
failed_when: false

- name: Fail if signature found
fail:
msg: Appears to be an unsupported option in /etc/sssd/sssd.conf
when: sssd_log.stdout | length > 0

- name: Test - Re-run the system role to remove vars
block:
- name: Rerun system role
include_role:
name: linux-system-roles.ad_integration
vars:
ad_dyndns_iface: null
ad_dyndns_server: null
- name: Restart sssd
service:
name: sssd
state: restarted
include_role:
name: linux-system-roles.ad_integration
vars:
ad_dyndns_iface: null
ad_dyndns_server: null
ad_dyndns_update: true

- name: Test - Verify sssd.conf options were removed
block:
- name: Copy sssd.conf file from host to local /tmp/
fetch:
src: /etc/sssd/sssd.conf
dest: /tmp/
flat: true
changed_when: false
- name: Assert sssd.conf options were removed
assert:
that:
- "'{{ lookup('ini', 'dyndns_iface', default='removed',
section='domain/' + ad_integration_realm | lower,
file='/tmp/sssd.conf') }}' == 'removed'"
- "'{{ lookup('ini', 'dyndns_server', default='removed',
section='domain/' + ad_integration_realm | lower,
file='/tmp/sssd.conf') }}' == 'removed'"
- name: Remove /tmp/sssd.conf
file:
path: /tmp/sssd.conf
state: absent
changed_when: false
- name: Restart sssd
service:
name: sssd
state: restarted
when: not __ad_integration_test_sssd_config_only | d(false)

- name: Check custom dyndns settings are removed
community.general.ini_file:
path: /etc/sssd/sssd.conf
state: absent
section: domain/{{ ad_integration_realm | lower }}
option: "{{ item.key }}"
create: true
owner: root
group: root
mode: u=rw,g=,o=
loop:
- key: dyndns_iface
value: null
- key: dyndns_server
value: null
register: __result
failed_when: __result is changed

- name: Test - Verify IPv4 DNS records were created
when: not __ad_integration_test_sssd_config_only | d(false)
block:
- name: Gather facts
setup:

# I am executing dig via shell instead of using the dig lookup because
# in my situation my ansible control host is on a different network and
# DNS than the VMs I am testing against.
- name: Get IP for host's FQDN
# noqa: command-instead-of-shell
shell: "dig +short {{ ansible_fqdn }} A"
command: dig +short {{ ansible_fqdn }} A
register: dig_hostname
changed_when: false
failed_when: false

- name: Get hostname for host's IP address
# noqa: command-instead-of-shell
shell: "dig +short -x {{ ansible_default_ipv4.address }} PTR"
command: dig +short -x {{ ansible_default_ipv4.address }} PTR
register: dig_ip
changed_when: false
failed_when: false

- name: Assert IPv4 DNS records were created
assert:
that:
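Review bot: The two `community.general.ini_file` verification tasks ("Check custom dyndns settings" and "... are removed") are not read-only: on a mismatch the module rewrites `/etc/sssd/sssd.conf` (and, with `create: true`, creates it) before `failed_when: __result is changed` fails the play, so a failing test leaves the host's identity configuration mutated by the test itself and the failure cannot be told apart from what the role wrote. Adding `check_mode: true` to both tasks keeps the same changed/unchanged signal without touching the file, and `create: true` can be dropped from the `state: absent` task, where it serves no purpose. Separately, the new loop checks only four of the options the removed assertions covered — `dyndns_ttl`, `dyndns_refresh_interval`, `dyndns_update_ptr` and `dyndns_force_tcp` are no longer verified, so the defaulted values are now untested. The `__ad_integration_test_sssd_config_only` expression also looks suspect: because the play targets `all,!ad`, `ansible_play_hosts_all` would seem to exclude the AD host, so a client+ad inventory still evaluates to config-only and skips the DNS record checks; `groups['ad'] | d([]) | length == 0` may be what was intended — worth confirming. The play body continues past the end of this section.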
25 changes: 8 additions & 17 deletions tests/tests_full_integration_dyndns.yml
Expand Up @@ -57,7 +57,8 @@
ansible.windows.win_command: >-
dnscmd.exe /config {{ network_ad }} /allowupdate 1
- name: Disable dns forwarders
ansible.windows.win_command: dnscmd.exe /config /norecursion 1
# noqa: fqcn[action]
win_command: dnscmd.exe /config /norecursion 1

- name: Ensure that the role configures dynamic dns
hosts: client
Expand All @@ -79,20 +80,9 @@
ad_dyndns_auth: "none"
ad_dyndns_update: true
ad_dyndns_refresh_interval: 60
- name: Apply additional changes on sssd
ini_file:
path: /etc/sssd/sssd.conf
state: present
section: "domain/{{ ad_integration_realm | lower }}"
option: "{{ item.key }}"
value: "{{ item.value }}"
create: true
owner: root
group: root
mode: 0600
loop:
- key: debug_level
value: 9
ad_integration_sssd_custom_settings:
- key: debug_level
value: 9
- name: Clean sssd log
command: >-
truncate -s 0 /var/log/sssd/sssd_{{ ad_integration_realm }}.log
Expand All @@ -105,7 +95,7 @@
- name: Pause for 5 to give sssd chance to refresh dn record on AD
ansible.builtin.pause:
minutes: 5
- name: Check sssd log fo dydndns update info
- name: Check sssd log for dydndns update info
command: >-
grep -A 20 "nsupdate"
/var/log/sssd/sssd_{{ ad_integration_realm }}.log
Expand Down Expand Up @@ -148,7 +138,8 @@
AD network: {{ network_ad }}, Client IP:
{{ hostvars[groups['client'][0]].ansible_host }}
- name: List all AD zones
ansible.windows.win_command: dnscmd.exe /EnumZones
# noqa: fqcn[action]
win_command: dnscmd.exe /EnumZones
register: zones
failed_when: false
- name: Grab AD zone
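Review bot: The `# noqa: fqcn[action]` markers on the two `win_command` tasks suppress the lint rule without recording why; the commit message attributes the non-FQCN form to Ansible 2.9 rejecting `ansible.windows.win_command`, and that reason belongs next to the suppression so a later cleanup does not reintroduce it, e.g. `# noqa: fqcn[action] - ansible 2.9 errors on ansible.windows.win_command`. The renamed task in the third hunk still carries a typo, `dydndns` for `dyndns`: `- name: Check sssd log for dyndns update info`. The plays containing these tasks start and end outside the shown hunks.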
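--- /dev/null
+++ b/tests/tests_sssd_custom_settings.yml
@@ -0,0 +1,72 @@
+# SPDX-License-Identifier: MIT
+---
+
+- name: Ensure that the role configures dynamic dns
+hosts: all,!ad
+gather_facts: false # test that role works in this case
+vars:
+ad_integration_realm: sample-realm.com
+__ad_integration_test_sssd_config_only: true
+ad_integration_sssd_custom_settings:
+- key: auth_provider_test
+value: ad
+- key: override_shell_test
+value: /bin/bash
+
+tasks:
+- name: Test - Run the system role with bogus vars
+include_role:
+name: linux-system-roles.ad_integration
+
+- name: Check custom SSSD settings
+community.general.ini_file:
+path: /etc/sssd/sssd.conf
+state: "{{ item.state | default('present') }}"
+section: domain/{{ ad_integration_realm | lower }}
+option: "{{ item.key }}"
+value: "{{ item.value }}"
+create: true
+owner: root
+group: root
+mode: u=rw,g=,o=
+loop: "{{ ad_integration_sssd_custom_settings }}"
+register: __result
+failed_when: __result is changed
+
+- name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators]
+command: >-
+grep -i sss_ini_call_validators /var/log/sssd/sssd.log
+register: sssd_log
+changed_when: false
+failed_when: false
+
+- name: Fail if signature found
+fail:
+msg: Appears to be an unsupported option in /etc/sssd/sssd.conf
+when: sssd_log.stdout | length > 0
+
+- name: Test - Re-Build a list of settings with state=absent
+set_fact:
+update_list: "{{ ad_integration_sssd_custom_settings |
+map('combine', {'state': 'absent'}) | list }}"
+
+- name: Test - Re-run the system role to remove vars
+include_role:
+name: linux-system-roles.ad_integration
+vars:
+ad_integration_sssd_custom_settings: "{{ update_list }}"
+
+- name: Check custom SSSD settings
+community.general.ini_file:
+path: /etc/sssd/sssd.conf
+state: "{{ item.state | default('present') }}"
+section: domain/{{ ad_integration_realm | lower }}
+option: "{{ item.key }}"
+value: "{{ item.value }}"
+create: true
+owner: root
+group: root
+mode: u=rw,g=,o=
+loop: "{{ update_list }}"
+register: __result
+failed_when: __result is changed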
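Review bot: Both `Check custom SSSD settings` tasks verify by writing: with `state` present or absent and `create: true`, a value the role did not apply is written (or the file created) by the check itself before `failed_when: __result is changed` fails the play, so a failing run leaves `/etc/sssd/sssd.conf` altered by the test rather than by the role; `check_mode: true` on both tasks gives the same changed signal without touching the file. The validator grep is probably vacuous in this play: `__ad_integration_test_sssd_config_only: true` is fixed and nothing visible here restarts sssd, so the deliberately bogus `auth_provider_test`/`override_shell_test` keys never reach `sss_ini_call_validators` — worth confirming against the role's restart handling. The play and task names are copied from the dyndns test; `- name: Ensure that the role applies custom sssd settings` and, for the second check, `- name: Check custom SSSD settings were removed` would describe what actually runs here.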
