Commit 13b7b3ab authored by Fabien Combernous's avatar Fabien Combernous

Merge branch...

Merge branch '54-follow-up-from-resolve-ensure-administrator-account-is-updated-idempotently' into 'master'

Resolve "Follow-up from "Resolve 'ensure administrator account is updated'", idempotently"

Closes #54

See merge request adullact/puppet-freeipa!56
parents bcafe062 5ccfd81e
...@@ -8,9 +8,6 @@ class freeipa::config::humanadmins { ...@@ -8,9 +8,6 @@ class freeipa::config::humanadmins {
$dc_domain_split = regsubst($freeipa::domain, '([^.]+)\.*', 'dc=\1,', 'G') $dc_domain_split = regsubst($freeipa::domain, '([^.]+)\.*', 'dc=\1,', 'G')
$dc = regsubst($dc_domain_split, ',$', '') $dc = regsubst($dc_domain_split, ',$', '')
exec { 'kinit as puppet_admin':
command => 'kinit admin -k -t /home/admin/admin.keytab',
}
# Loop through $human_admins # Loop through $human_admins
$freeipa::humanadmins.each | String $adminname, Hash[Enum['password','ensure'], String] $adminsettings | { $freeipa::humanadmins.each | String $adminname, Hash[Enum['password','ensure'], String] $adminsettings | {
...@@ -21,20 +18,22 @@ class freeipa::config::humanadmins { ...@@ -21,20 +18,22 @@ class freeipa::config::humanadmins {
case $_ensure_admin { case $_ensure_admin {
'present': { 'present': {
exec { "Create ${adminname} account": exec { "Create ${adminname} account":
command => "ipa user-add ${adminname} --first=${adminname} --last=${adminname} ", command => "kinit admin -k -t /home/admin/admin.keytab; ipa user-add ${adminname} --first=${adminname} --last=${adminname} ",
unless => "ipa user-show ${adminname} | grep login", unless => "ipa user-show ${adminname} | grep login",
} }
-> exec { "Add ${adminname} account to admins group in FreeIPA": -> exec { "Add ${adminname} account to admins group in FreeIPA":
command => "ipa group-add-member admins --users=${adminname}", command => "kinit admin -k -t /home/admin/admin.keytab; ipa group-add-member admins --users=${adminname}",
unless => "ipa group-show admins | grep ${adminname}", unless => "ipa group-show admins | grep ${adminname}",
} }
-> exec { "Update ${adminname} password": -> exec { "Update ${adminname} password":
command => "ldappasswd -Z -H ldap://localhost -x -D \"cn=Directory Manager\" -w ${freeipa::directory_services_password} -s ${adminsettings['password']} \"uid=${adminname},cn=users,cn=accounts,${dc}\"", command => "ldappasswd -Z -H ldap://localhost -x -D \"cn=Directory Manager\" -w ${freeipa::directory_services_password} -s ${adminsettings['password']} \"uid=${adminname},cn=users,cn=accounts,${dc}\"",
unless => "echo \"${adminsettings['password']}\" | kinit ${adminname}"
} }
} }
'absent': { 'absent': {
exec { "Delete ${adminname} account": exec { "Delete ${adminname} account":
command => "ipa user-del ${adminname}", command => "kinit admin -k -t /home/admin/admin.keytab; ipa user-del ${adminname}",
onlyif => "kinit admin -k -t /home/admin/admin.keytab; ipa user-show ${adminname}",
} }
} }
default: { fail("unexpected value ${adminsettings['ensure']}") } default: { fail("unexpected value ${adminsettings['ensure']}") }
......
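Review bot: The `unless` guards on the create and group-add execs (`ipa user-show ${adminname} | grep login`, `ipa group-show admins | grep ${adminname}`) still run without obtaining a ticket of their own, while this commit removes the standalone `kinit as puppet_admin` exec; once root's credential cache is empty or expired the guard fails, the `command` then runs `ipa user-add` against an existing account and the resource errors, so the idempotency this change targets holds only while a ticket happens to be cached (the `catch_changes` run in the spec executes seconds after the first apply and would not observe this). Prefixing those checks with the same kinit, and joining with `&&` rather than `;` — `kinit admin -k -t /home/admin/admin.keytab && ipa user-add ${adminname} ...` — so a failed kinit cannot fall through to running the ipa command under whatever principal is cached, would close both gaps. The new `unless => "echo \"${adminsettings['password']}\" | kinit ${adminname}"` also obtains a TGT for the human admin into root's default credential cache, replacing the admin ticket the neighbouring execs rely on and leaving that user's ticket on the server, and every run in which the check fails presumably counts as a failed authentication against that account's lockout policy; running it with `KRB5CCNAME` pointing at a throwaway cache followed by `kdestroy` would isolate it. The Directory Manager and user passwords on the `ldappasswd` line, and now on this `unless`, are visible in process listings and in Puppet's output when an exec fails; that predates the change, but `logoutput => false` or a Sensitive-wrapped parameter is worth a follow-up.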
...@@ -9,14 +9,14 @@ describe 'freeipa class' do ...@@ -9,14 +9,14 @@ describe 'freeipa class' do
ipa_role => 'master', ipa_role => 'master',
domain => 'example.lan', domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan', ipa_server_fqdn => 'ipa-server-1.example.lan',
puppet_admin_password => 'vagrant123', puppet_admin_password => 'secret123',
directory_services_password => 'vagrant123', directory_services_password => 'secret123',
humanadmins => { foo => { password => 'vagrant123', ensure => 'present'}, bar => { password => 'vagrant123', ensure => 'present'} }, humanadmins => { foo => { password => 'secret123', ensure => 'present'}, bar => { password => 'secret123', ensure => 'present'} },
install_ipa_server => true, install_ipa_server => true,
ip_address => '10.10.10.35', ip_address => '10.10.10.35',
enable_ip_address => true, enable_ip_address => true,
enable_hostname => true, enable_hostname => true,
enable_manage_admins => false, enable_manage_admins => true,
manage_host_entry => true, manage_host_entry => true,
install_epel => true, install_epel => true,
webui_disable_kerberos => true, webui_disable_kerberos => true,
...@@ -44,9 +44,9 @@ describe 'freeipa class' do ...@@ -44,9 +44,9 @@ describe 'freeipa class' do
ipa_role => 'replica', ipa_role => 'replica',
domain => 'example.lan', domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-2.example.lan', ipa_server_fqdn => 'ipa-server-2.example.lan',
puppet_admin_password => 'vagrant123', puppet_admin_password => 'secret123',
directory_services_password => 'vagrant123', directory_services_password => 'secret123',
password_usedto_joindomain => 'vagrant123', password_usedto_joindomain => 'secret123',
install_ipa_server => true, install_ipa_server => true,
ip_address => '10.10.10.36', ip_address => '10.10.10.36',
enable_ip_address => true, enable_ip_address => true,
...@@ -75,9 +75,9 @@ describe 'freeipa class' do ...@@ -75,9 +75,9 @@ describe 'freeipa class' do
class {'freeipa': class {'freeipa':
ipa_role => 'client', ipa_role => 'client',
domain => 'example.lan', domain => 'example.lan',
puppet_admin_password => 'vagrant123', puppet_admin_password => 'secret123',
directory_services_password => 'vagrant123', directory_services_password => 'secret123',
password_usedto_joindomain => 'vagrant123', password_usedto_joindomain => 'secret123',
ip_address => '10.10.10.37', ip_address => '10.10.10.37',
install_epel => true, install_epel => true,
ipa_master_fqdn => 'ipa-server-1.example.lan' ipa_master_fqdn => 'ipa-server-1.example.lan'
...@@ -98,8 +98,8 @@ describe 'freeipa class' do ...@@ -98,8 +98,8 @@ describe 'freeipa class' do
ipa_role => 'replica', ipa_role => 'replica',
domain => 'example.lan', domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan', ipa_server_fqdn => 'ipa-server-1.example.lan',
puppet_admin_password => 'vagrant123', puppet_admin_password => 'secret123',
directory_services_password => 'vagrant123', directory_services_password => 'secret123',
install_ipa_server => true, install_ipa_server => true,
ip_address => '10.10.10.35', ip_address => '10.10.10.35',
enable_ip_address => true, enable_ip_address => true,
...@@ -125,9 +125,9 @@ describe 'freeipa class' do ...@@ -125,9 +125,9 @@ describe 'freeipa class' do
class { 'freeipa': class { 'freeipa':
ipa_role => 'client', ipa_role => 'client',
domain => 'example.lan', domain => 'example.lan',
puppet_admin_password => 'vagrant123', puppet_admin_password => 'secret123',
directory_services_password => 'vagrant123', directory_services_password => 'secret123',
password_usedto_joindomain => 'vagrant123', password_usedto_joindomain => 'secret123',
ip_address => '10.10.10.35', ip_address => '10.10.10.35',
install_epel => true, install_epel => true,
ipa_master_fqdn => 'ipa-server-1.example.lan' ipa_master_fqdn => 'ipa-server-1.example.lan'
...@@ -143,11 +143,11 @@ describe 'freeipa class' do ...@@ -143,11 +143,11 @@ describe 'freeipa class' do
# Install ssh key on root on master # Install ssh key on root on master
hosts_as('master').each do |master| hosts_as('master').each do |master|
it 'doest a kinit' do it 'doest a kinit' do
on(master, "echo 'vagrant123' | kinit admin") on(master, "echo 'secret123' | kinit admin")
end end
it 'creates user toto in freeipa' do it 'creates user toto in freeipa' do
on(master, "echo 'vagrant123' | ipa user-add toto --first=John --last=Smith --password") on(master, "echo 'secret123' | ipa user-add toto --first=John --last=Smith --password")
end end
it 'creates ssh key' do it 'creates ssh key' do
...@@ -198,46 +198,27 @@ describe 'freeipa class' do ...@@ -198,46 +198,27 @@ describe 'freeipa class' do
end end
end end
context 'Test creation of admin accounts' do context 'Test update and delete on admin accounts' do
hosts_as('master').each do |master| hosts_as('master').each do |master|
it 'updates admin password' do it 'test a kinit on a user' do
pp = <<-EOS pp = <<-EOS
class { 'freeipa': exec { 'execute kinit foo':
ipa_role => 'master', path => '/bin/',
domain => 'example.lan', command => 'echo "secret123" | kinit foo',
ipa_server_fqdn => 'ipa-server-1.example.lan', }
puppet_admin_password => 'vagrant123', EOS
directory_services_password => 'vagrant123',
humanadmins => { foo => { password => 'vagrant123', ensure => 'present'}, bar => { password => 'vagrant123'} },
install_ipa_server => true,
ip_address => '10.10.10.35',
enable_ip_address => true,
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
webui_force_https => true,
ipa_master_fqdn => 'ipa-server-1.example.lan',
}
EOS
apply_manifest_on(master, pp, catch_failures: true) apply_manifest_on(master, pp, catch_failures: true)
end end
end
end
context 'Test update and delete on admin accounts' do
hosts_as('master').each do |master|
it 'updates admin password' do it 'updates admin password' do
pp = <<-EOS pp = <<-EOS
class { 'freeipa': class { 'freeipa':
ipa_role => 'master', ipa_role => 'master',
domain => 'example.lan', domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan', ipa_server_fqdn => 'ipa-server-1.example.lan',
puppet_admin_password => 'vagrant123', puppet_admin_password => 'secret123',
directory_services_password => 'vagrant123', directory_services_password => 'secret123',
humanadmins => { foo => { password => 'beaker456', ensure => 'present'}, bar => { password => 'vagrant123', ensure => 'absent'} }, humanadmins => { foo => { password => 'secret456', ensure => 'present'}, bar => { password => 'secret123', ensure => 'absent'} },
install_ipa_server => true, install_ipa_server => true,
ip_address => '10.10.10.35', ip_address => '10.10.10.35',
enable_ip_address => true, enable_ip_address => true,
...@@ -252,6 +233,27 @@ describe 'freeipa class' do ...@@ -252,6 +233,27 @@ describe 'freeipa class' do
EOS EOS
apply_manifest_on(master, pp, catch_failures: true) apply_manifest_on(master, pp, catch_failures: true)
apply_manifest_on(master, pp, catch_changes: true)
end
it 'test a kinit on a user after password update' do
pp = <<-EOS
exec { 'execute kinit foo':
path => '/bin/',
command => 'echo "secret456" | kinit foo',
}
EOS
apply_manifest_on(master, pp, catch_failures: true)
end
it 'test a kinit on a deleted user' do
pp = <<-EOS
exec { 'execute kinit bar':
path => '/bin/',
command => 'echo "secret123" | kinit bar',
}
EOS
apply_manifest_on(master, pp, expect_failures: true)
end end
end end
end end
......
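Review bot: `expect_failures: true` on the `execute kinit bar` exec in 'test a kinit on a deleted user' only asserts that the manifest apply failed, so a missing `kinit` under `path => '/bin/'`, an unreachable KDC or a typo would make the test pass for the wrong reason. Asserting on the failure itself — `on(master, "echo 'secret123' | kinit bar", acceptable_exit_codes: [1]) { |r| expect(r.stderr).to match(/not found/i) }`, with the pattern adjusted to the KDC's client-not-found message — or checking that `ipa user-show bar` fails after a `kinit admin`, pins the deletion rather than any failure. The successful `kinit foo` examples also leave foo's TGT in root's default credential cache on the master, which later examples that rely on the admin ticket from `kinit admin` may pick up; a `kdestroy` after each, or `KRB5CCNAME` set per exec, avoids that. `path => '/bin/'` works where `/bin` is merged into `/usr/bin`, but `/usr/bin/kinit` is, I believe, the canonical location on the EL-family hosts this spec targets, so `path => ['/usr/bin', '/bin']` is safer.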
type Freeipa::Humanadmins = Hash[String, Hash[Enum['username','password','ensure'], String]] type Freeipa::Humanadmins = Hash[String[1], Hash[Enum['username','password','ensure'], String[1]]]
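Review bot: The alias still accepts a `username` key while the `.each` lambda in `freeipa::config::humanadmins` types each entry as `Hash[Enum['password','ensure'], String]` (visible at the top of that file's hunk), so a `humanadmins` entry carrying `username` passes the class parameter check and fails later inside the manifest with a less helpful error; either drop `username` here or add it to the lambda type, and tighten the lambda's `String` to `String[1]` to match this change. The `password` value is a plain `String[1]`, so it is interpolated into exec commands and can surface in reports and logs; if the module's supported Puppet version provides it, `Sensitive[String[1]]` with `unwrap` at the point of use would be the conventional guard — to be confirmed against the declared Puppet requirement.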