diff --git a/.ansible-lint b/.ansible-lint
index cc718f3..366a5da 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -23,6 +23,6 @@ exclude_paths:
mock_modules:
- win_domain_group
- win_domain_user
- - ini_file
+ - community.general.ini_file
mock_roles:
- linux-system-roles.ad_integration
diff --git a/tasks/main.yml b/tasks/main.yml
index e1233b1..88acbf3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -255,7 +255,7 @@
# now being set to `none` or `''`, remove the options form sssd.conf so sssd
# will determine the default values.
- name: Cleanup dynamic DNS configuration options
- ini_file:
+ community.general.ini_file:
path: /etc/sssd/sssd.conf
state: absent
section: "domain/{{ ad_integration_realm | lower }}"
diff --git a/tests/tests_dyndns.yml b/tests/tests_dyndns.yml
index c0c3827..746515c 100644
--- a/tests/tests_dyndns.yml
+++ b/tests/tests_dyndns.yml
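Review bot: Naming the module `community.general.ini_file` in tasks/main.yml turns what was an implicit short-name redirect into an explicit runtime dependency of the role on the community.general collection; that dependency should be declared (and ideally version-pinned) in the role's collection requirements so Galaxy/Automation Hub installs pull it in. That requirements file is not part of this diff, so it may already list it. The `Cleanup dynamic DNS configuration options` task continues past the end of the hunk, so its remaining arguments are not visible here.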
@@ -18,124 +18,112 @@ # ansible_winrm_server_cert_validation=ignore - name: Ensure that the role configures dynamic dns - hosts: client - gather_facts: false # test that role works in this case - + hosts: all,!ad + vars: + # if we don't have a real AD server, just verify the config + # file is written properly + __ad_integration_test_sssd_config_only: "{{ + ansible_play_hosts_all | length == 1 }}" + # note - value from inventory such as described above + # will override this value + ad_integration_realm: sample-realm.com tasks: - - name: Test - Run the system role with dumby vars + - name: Test - Run the system role with bogus vars include_role: name: linux-system-roles.ad_integration vars: - ad_dyndns_iface: "TESTING" + ad_dyndns_iface: TESTING ad_dyndns_server: 127.0.0.1 - ad_dyndns_auth: "GSS-TSIG" + ad_dyndns_auth: GSS-TSIG + ad_dyndns_update: true - - name: Test - Verify sssd.conf options were written - block: - - name: Copy sssd.conf file from host to local /tmp/ - fetch: - src: /etc/sssd/sssd.conf - dest: /tmp/ - flat: true - changed_when: false - - name: Assert sssd.conf options were written - assert: - that: - - "{{ lookup('ini', 'dyndns_update', section='domain/' + - ad_integration_realm | lower, file='/tmp/sssd.conf') }} == True" - - "{{ lookup('ini', 'dyndns_ttl', section='domain/' + - ad_integration_realm | lower, file='/tmp/sssd.conf') }} == 3600" - - "'{{ lookup('ini', 'dyndns_iface', section='domain/' + - ad_integration_realm | lower, file='/tmp/sssd.conf') }}' - == 'TESTING'" - - "{{ lookup('ini', 'dyndns_refresh_interval', section='domain/' + - ad_integration_realm | lower, file='/tmp/sssd.conf') }} - == 86400" - - "{{ lookup('ini', 'dyndns_update_ptr', section='domain/' + - ad_integration_realm | lower, file='/tmp/sssd.conf') }} == True" - - "{{ lookup('ini', 'dyndns_force_tcp', section='domain/' + - ad_integration_realm | lower, file='/tmp/sssd.conf') }} - == false" - - "'{{ lookup('ini', 'dyndns_auth', section='domain/' + - ad_integration_realm 
| lower, file='/tmp/sssd.conf') }}' - == 'GSS-TSIG'" - - "'{{ lookup('ini', 'dyndns_server', section='domain/' + - ad_integration_realm | lower, file='/tmp/sssd.conf') }}' - == '127.0.0.1'" - - name: Remove /tmp/sssd.conf - file: - path: /tmp/sssd.conf - state: absent - changed_when: false + - name: Check custom dyndns settings + community.general.ini_file: + path: /etc/sssd/sssd.conf + state: present + section: domain/{{ ad_integration_realm | lower }} + option: "{{ item.key }}" + value: "{{ item.value }}" + create: true + owner: root + group: root + mode: u=rw,g=,o= + loop: + - key: dyndns_update + value: "True" + - key: dyndns_iface + value: TESTING + - key: dyndns_auth + value: GSS-TSIG + - key: dyndns_server + value: 127.0.0.1 + register: __result + failed_when: __result is changed - - name: Test - Check sssd.log for unsupported options - block: - - name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators] - # noqa: command-instead-of-shell - shell: "grep -i 'sss_ini_call_validators' /var/log/sssd/sssd.log" - register: sssd_log - changed_when: false - failed_when: false - - name: Fail if signature found - fail: - msg: Appears to be an unsupported option in /etc/sssd/sssd.conf - when: sssd_log.stdout | length > 0 + - name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators] + command: grep -i sss_ini_call_validators /var/log/sssd/sssd.log + register: sssd_log + changed_when: false + failed_when: false + + - name: Fail if signature found + fail: + msg: Appears to be an unsupported option in /etc/sssd/sssd.conf + when: sssd_log.stdout | length > 0 - name: Test - Re-run the system role to remove vars - block: - - name: Rerun system role - include_role: - name: linux-system-roles.ad_integration - vars: - ad_dyndns_iface: null - ad_dyndns_server: null - - name: Restart sssd - service: - name: sssd - state: restarted + include_role: + name: linux-system-roles.ad_integration + vars: + ad_dyndns_iface: null + ad_dyndns_server: null + ad_dyndns_update: 
true - - name: Test - Verify sssd.conf options were removed - block: - - name: Copy sssd.conf file from host to local /tmp/ - fetch: - src: /etc/sssd/sssd.conf - dest: /tmp/ - flat: true - changed_when: false - - name: Assert sssd.conf options were removed - assert: - that: - - "'{{ lookup('ini', 'dyndns_iface', default='removed', - section='domain/' + ad_integration_realm | lower, - file='/tmp/sssd.conf') }}' == 'removed'" - - "'{{ lookup('ini', 'dyndns_server', default='removed', - section='domain/' + ad_integration_realm | lower, - file='/tmp/sssd.conf') }}' == 'removed'" - - name: Remove /tmp/sssd.conf - file: - path: /tmp/sssd.conf - state: absent - changed_when: false + - name: Restart sssd + service: + name: sssd + state: restarted + when: not __ad_integration_test_sssd_config_only | d(false) + + - name: Check custom dyndns settings are removed + community.general.ini_file: + path: /etc/sssd/sssd.conf + state: absent + section: domain/{{ ad_integration_realm | lower }} + option: "{{ item.key }}" + create: true + owner: root + group: root + mode: u=rw,g=,o= + loop: + - key: dyndns_iface + value: null + - key: dyndns_server + value: null + register: __result + failed_when: __result is changed - name: Test - Verify IPv4 DNS records were created + when: not __ad_integration_test_sssd_config_only | d(false) block: - name: Gather facts setup: + # I am executing dig via shell instead of using the dig lookup because # in my situation my ansible control host is on a different network and # DNS than the VMs I am testing against. 
- name: Get IP for host's FQDN
- # noqa: command-instead-of-shell
- shell: "dig +short {{ ansible_fqdn }} A"
+ command: dig +short {{ ansible_fqdn }} A
register: dig_hostname
changed_when: false
failed_when: false
+
- name: Get hostname for host's IP address
- # noqa: command-instead-of-shell
- shell: "dig +short -x {{ ansible_default_ipv4.address }} PTR"
+ command: dig +short -x {{ ansible_default_ipv4.address }} PTR
register: dig_ip
changed_when: false
failed_when: false
+
- name: Assert IPv4 DNS records were created
assert:
that:
diff --git a/tests/tests_full_integration_dyndns.yml b/tests/tests_full_integration_dyndns.yml
index 1989542..8c377f8 100644
--- a/tests/tests_full_integration_dyndns.yml
+++ b/tests/tests_full_integration_dyndns.yml
@@ -57,7 +57,8 @@
ansible.windows.win_command: >-
dnscmd.exe /config {{ network_ad }} /allowupdate 1
- name: Disable dns forwarders
- ansible.windows.win_command: dnscmd.exe /config /norecursion 1
+ # noqa: fqcn[action]
+ win_command: dnscmd.exe /config /norecursion 1
- name: Ensure that the role configures dynamic dns
hosts: client
@@ -79,20 +80,9 @@
ad_dyndns_auth: "none"
ad_dyndns_update: true
ad_dyndns_refresh_interval: 60
- - name: Apply additional changes on sssd
- ini_file:
- path: /etc/sssd/sssd.conf
- state: present
- section: "domain/{{ ad_integration_realm | lower }}"
- option: "{{ item.key }}"
- value: "{{ item.value }}"
- create: true
- owner: root
- group: root
- mode: 0600
- loop:
- - key: debug_level
- value: 9
+ ad_integration_sssd_custom_settings:
+ - key: debug_level
+ value: 9
- name: Clean sssd log
command: >-
truncate -s 0 /var/log/sssd/sssd_{{ ad_integration_realm }}.log
@@ -105,7 +95,7 @@
- name: Pause for 5 to give sssd chance to refresh dn record on AD
ansible.builtin.pause:
minutes: 5
- - name: Check sssd log fo dydndns update info
+ - name: Check sssd log for dydndns update info
command: >-
grep -A 20 "nsupdate" /var/log/sssd/sssd_{{ ad_integration_realm }}.log
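Review bot: The two `Check custom dyndns settings` tasks verify sssd.conf by running `community.general.ini_file` with `failed_when: __result is changed`, but the module applies its edit before `failed_when` is evaluated, so a failing check first rewrites /etc/sssd/sssd.conf (plus owner and mode) to the expected state and destroys the evidence of what the role actually wrote. Adding `check_mode: true` (and `diff: true` for readable output) to both check tasks keeps the verification read-only while still reporting whether a change would be needed. The same caveat applies to the `state: absent` check after the second role run, which would otherwise silently delete any option the role failed to remove.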
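Review bot: Replacing `ansible.windows.win_command` with the short `win_command` plus `# noqa: fqcn[action]` goes the opposite way from the rest of this commit, which upgrades `ini_file` to its FQCN, and leaves the module resolved through the legacy short-name redirect at runtime. If the motivation is that the lint environment cannot resolve the ansible.windows collection, the more targeted fix is to mock it in `.ansible-lint` next to the already-mocked `win_domain_group`/`win_domain_user` and keep the FQCN in the playbook. If there is another reason, a one-line comment beside the noqa (e.g. `# short name kept on purpose: <reason>`) would stop a future reader from reverting it.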
@@ -148,7 +138,8 @@
AD network: {{ network_ad }}, Client IP: {{ hostvars[groups['client'][0]].ansible_host }}
- name: List all AD zones
- ansible.windows.win_command: dnscmd.exe /EnumZones
+ # noqa: fqcn[action]
+ win_command: dnscmd.exe /EnumZones
register: zones
failed_when: false
- name: Grab AD zone
diff --git a/tests/tests_sssd_custom_settings.yml b/tests/tests_sssd_custom_settings.yml
new file mode 100644
index 0000000..d4d680b
--- /dev/null
+++ b/tests/tests_sssd_custom_settings.yml
@@ -0,0 +1,72 @@
+# SPDX-License-Identifier: MIT
+---
+
+- name: Ensure that the role configures dynamic dns
+ hosts: all,!ad
+ gather_facts: false # test that role works in this case
+ vars:
+ ad_integration_realm: sample-realm.com
+ __ad_integration_test_sssd_config_only: true
+ ad_integration_sssd_custom_settings:
+ - key: auth_provider_test
+ value: ad
+ - key: override_shell_test
+ value: /bin/bash
+
+ tasks:
+ - name: Test - Run the system role with bogus vars
+ include_role:
+ name: linux-system-roles.ad_integration
+
+ - name: Check custom SSSD settings
+ community.general.ini_file:
+ path: /etc/sssd/sssd.conf
+ state: "{{ item.state | default('present') }}"
+ section: domain/{{ ad_integration_realm | lower }}
+ option: "{{ item.key }}"
+ value: "{{ item.value }}"
+ create: true
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ loop: "{{ ad_integration_sssd_custom_settings }}"
+ register: __result
+ failed_when: __result is changed
+
+ - name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators]
+ command: >-
+ grep -i sss_ini_call_validators /var/log/sssd/sssd.log
+ register: sssd_log
+ changed_when: false
+ failed_when: false
+
+ - name: Fail if signature found
+ fail:
+ msg: Appears to be an unsupported option in /etc/sssd/sssd.conf
+ when: sssd_log.stdout | length > 0
+
+ - name: Test - Re-Build a list of settings with state=absent
+ set_fact:
+ update_list: "{{ ad_integration_sssd_custom_settings |
+ map('combine', {'state': 'absent'}) | list }}"
+
+ - name: Test - Re-run the system role to remove vars
+ include_role:
+ name: linux-system-roles.ad_integration
+ vars:
+ ad_integration_sssd_custom_settings: "{{ update_list }}"
+
+ - name: Check custom SSSD settings
+ community.general.ini_file:
+ path: /etc/sssd/sssd.conf
+ state: "{{ item.state | default('present') }}"
+ section: domain/{{ ad_integration_realm | lower }}
+ option: "{{ item.key }}"
+ value: "{{ item.value }}"
+ create: true
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ loop: "{{ 
update_list }}"
+ register: __result
+ failed_when: __result is changed
diff --git a/tests/tests_sssd_custom_setttings.yml b/tests/tests_sssd_custom_setttings.yml
deleted file mode 100644
index 041a7b4..0000000
--- a/tests/tests_sssd_custom_setttings.yml
+++ /dev/null
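Review bot: The `Search /var/log/sssd/sssd.log for [sss_ini_call_validators]` check passes vacuously in this file: `__ad_integration_test_sssd_config_only` is hard-coded to true and sssd is never restarted, so the log may not exist, and `failed_when: false` hides grep's rc 2 (missing file) exactly like rc 1 (no match). Either guard the search and the follow-up `fail` with `when: not __ad_integration_test_sssd_config_only`, as tests_dyndns.yml does for its sssd restart, or make a missing log visible with `failed_when: sssd_log.rc not in [0, 1]` when the full-integration path is expected. The two `Check custom SSSD settings` tasks also modify /etc/sssd/sssd.conf before `failed_when` is evaluated, so a mismatch is repaired rather than observed; `check_mode: true` on both keeps the verification read-only.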
@@ -1,96 +0,0 @@ -# SPDX-License-Identifier: MIT ---- - -- name: Ensure that the role configures dynamic dns - hosts: all,!ad - gather_facts: false # test that role works in this case - vars: - ad_integration_realm: sample-realm.com - __ad_integration_test_sssd_config_only: true - ad_integration_sssd_custom_settings: - - key: "auth_provider_test" - value: "ad" - - key: "override_shell_test" - value: "/bin/bash" - - tasks: - - name: Test - Run the system role with bogus vars - ansible.builtin.include_role: - name: linux-system-roles.ad_integration - - - name: Test - Verify sssd.conf custom settings were written - block: - - name: Copy sssd.conf file from host to local /tmp/ - ansible.builtin.fetch: - src: /etc/sssd/sssd.conf - dest: /tmp/ - flat: true - changed_when: false - - name: Assert sssd.conf options were written - ansible.builtin.assert: - that: - - "{{ lookup('ini', item.key, section='domain/' + - ad_integration_realm | lower, file='/tmp/sssd.conf') | tojson }} - == {{ item.value | tojson }}" - loop: "{{ ad_integration_sssd_custom_settings }}" - - name: Remove /tmp/sssd.conf - ansible.builtin.file: - path: /tmp/sssd.conf - state: absent - changed_when: false - - - name: Test - Check sssd.log for unsupported options - block: - - name: Search /var/log/sssd/sssd.log for [sss_ini_call_validators] - # noqa: command-instead-of-shell - ansible.builtin.command: | - grep -i sss_ini_call_validators /var/log/sssd/sssd.log - register: sssd_log - changed_when: false - failed_when: false - - name: Fail if signature found - ansible.builtin.fail: - msg: Appears to be an unsupported option in /etc/sssd/sssd.conf - when: sssd_log.stdout | length > 0 - - - name: Test - Re-Build a list of settings with state=absent - ansible.builtin.set_fact: - update_list: "{{ update_list + update }}" - loop: "{{ ad_integration_sssd_custom_settings }}" - loop_control: - index_var: idx - vars: - update_list: [] - update: - - key: "{{ item['key'] }}" - value: "{{ item['value'] }}" - state: 
absent - - - name: Test - Re-run the system role to remove vars - block: - - name: Rerun system role - ansible.builtin.include_role: - name: linux-system-roles.ad_integration - vars: - ad_integration_sssd_custom_settings: "{{ update_list }}" - - - name: Test - Verify sssd.conf options were removed - block: - - name: Copy sssd.conf file from host to local /tmp/ - ansible.builtin.fetch: - src: /etc/sssd/sssd.conf - dest: /tmp/ - flat: true - changed_when: false - - name: Assert sssd.conf options were removed - ansible.builtin.assert: - that: - - "{{ lookup('ini', item.key, default='removed', - section='domain/' + ad_integration_realm | lower, - file='/tmp/sssd.conf') | tojson }} == {{ 'removed' | tojson }}" - loop: "{{ ad_integration_sssd_custom_settings }}" - - name: Remove /tmp/sssd.conf - ansible.builtin.file: - path: /tmp/sssd.conf - state: absent - changed_when: false