Commit 13b7b3ab authored by Fabien Combernous's avatar Fabien Combernous

Merge branch...

Merge branch '54-follow-up-from-resolve-ensure-administrator-account-is-updated-idempotently' into 'master'

Resolve "Follow-up from "Resolve 'ensure administrator account is updated'", idempotently"

Closes #54

See merge request adullact/puppet-freeipa!56
parents bcafe062 5ccfd81e
......@@ -8,9 +8,6 @@ class freeipa::config::humanadmins {
$dc_domain_split = regsubst($freeipa::domain, '([^.]+)\.*', 'dc=\1,', 'G')
$dc = regsubst($dc_domain_split, ',$', '')
exec { 'kinit as puppet_admin':
command => 'kinit admin -k -t /home/admin/admin.keytab',
}
# Loop through $human_admins
$freeipa::humanadmins.each | String $adminname, Hash[Enum['password','ensure'], String] $adminsettings | {
......@@ -21,20 +18,22 @@ class freeipa::config::humanadmins {
case $_ensure_admin {
'present': {
exec { "Create ${adminname} account":
command => "ipa user-add ${adminname} --first=${adminname} --last=${adminname} ",
command => "kinit admin -k -t /home/admin/admin.keytab; ipa user-add ${adminname} --first=${adminname} --last=${adminname} ",
unless => "ipa user-show ${adminname} | grep login",
}
-> exec { "Add ${adminname} account to admins group in FreeIPA":
command => "ipa group-add-member admins --users=${adminname}",
command => "kinit admin -k -t /home/admin/admin.keytab; ipa group-add-member admins --users=${adminname}",
unless => "ipa group-show admins | grep ${adminname}",
}
-> exec { "Update ${adminname} password":
command => "ldappasswd -Z -H ldap://localhost -x -D \"cn=Directory Manager\" -w ${freeipa::directory_services_password} -s ${adminsettings['password']} \"uid=${adminname},cn=users,cn=accounts,${dc}\"",
unless => "echo \"${adminsettings['password']}\" | kinit ${adminname}"
}
}
'absent': {
exec { "Delete ${adminname} account":
command => "ipa user-del ${adminname}",
command => "kinit admin -k -t /home/admin/admin.keytab; ipa user-del ${adminname}",
onlyif => "kinit admin -k -t /home/admin/admin.keytab; ipa user-show ${adminname}",
}
}
default: { fail("unexpected value ${adminsettings['ensure']}") }
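Review bot: The `Update ${adminname} password` exec passes both secrets on a shell command line — `-w ${freeipa::directory_services_password} -s ${adminsettings['password']}` in `command` and `echo \"${adminsettings['password']}\" | kinit ${adminname}` in the new `unless` — so any local user can read the Directory Manager password and the human admin's password from `/proc/*/cmdline` while they run, and Puppet echoes the full command into its log and report whenever the exec fails. Prefer ldappasswd's file-based options (`-y` for the bind password, `-T` for the new password) fed from root-only temporary files, or a small wrapper script that reads both values from the environment, and feed the `unless` check's password the same way instead of via `echo`. Both values are also interpolated unquoted, so a password containing whitespace or shell metacharacters breaks the command or is interpreted by the shell; at minimum single-quote them. Separately, the new `onlyif` on `ipa user-del` prefixes `kinit admin`, but the `unless` guards `ipa user-show ${adminname} | grep login` and `ipa group-show admins | grep ${adminname}` still rely on whatever ticket is in the default credential cache, which a successful `kinit ${adminname}` check would presumably replace, so they should get the same `kinit admin -k -t /home/admin/admin.keytab;` prefix. The enclosing class `freeipa::config::humanadmins` starts before the first hunk and continues past the second.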
......
......@@ -9,14 +9,14 @@ describe 'freeipa class' do
ipa_role => 'master',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
humanadmins => { foo => { password => 'vagrant123', ensure => 'present'}, bar => { password => 'vagrant123', ensure => 'present'} },
puppet_admin_password => 'secret123',
directory_services_password => 'secret123',
humanadmins => { foo => { password => 'secret123', ensure => 'present'}, bar => { password => 'secret123', ensure => 'present'} },
install_ipa_server => true,
ip_address => '10.10.10.35',
enable_ip_address => true,
enable_hostname => true,
enable_manage_admins => false,
enable_manage_admins => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
......@@ -44,9 +44,9 @@ describe 'freeipa class' do
ipa_role => 'replica',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-2.example.lan',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
password_usedto_joindomain => 'vagrant123',
puppet_admin_password => 'secret123',
directory_services_password => 'secret123',
password_usedto_joindomain => 'secret123',
install_ipa_server => true,
ip_address => '10.10.10.36',
enable_ip_address => true,
......@@ -75,9 +75,9 @@ describe 'freeipa class' do
class {'freeipa':
ipa_role => 'client',
domain => 'example.lan',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
password_usedto_joindomain => 'vagrant123',
puppet_admin_password => 'secret123',
directory_services_password => 'secret123',
password_usedto_joindomain => 'secret123',
ip_address => '10.10.10.37',
install_epel => true,
ipa_master_fqdn => 'ipa-server-1.example.lan'
......@@ -98,8 +98,8 @@ describe 'freeipa class' do
ipa_role => 'replica',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
puppet_admin_password => 'secret123',
directory_services_password => 'secret123',
install_ipa_server => true,
ip_address => '10.10.10.35',
enable_ip_address => true,
......@@ -125,9 +125,9 @@ describe 'freeipa class' do
class { 'freeipa':
ipa_role => 'client',
domain => 'example.lan',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
password_usedto_joindomain => 'vagrant123',
puppet_admin_password => 'secret123',
directory_services_password => 'secret123',
password_usedto_joindomain => 'secret123',
ip_address => '10.10.10.35',
install_epel => true,
ipa_master_fqdn => 'ipa-server-1.example.lan'
......@@ -143,11 +143,11 @@ describe 'freeipa class' do
# Install ssh key on root on master
hosts_as('master').each do |master|
it 'doest a kinit' do
on(master, "echo 'vagrant123' | kinit admin")
on(master, "echo 'secret123' | kinit admin")
end
it 'creates user toto in freeipa' do
on(master, "echo 'vagrant123' | ipa user-add toto --first=John --last=Smith --password")
on(master, "echo 'secret123' | ipa user-add toto --first=John --last=Smith --password")
end
it 'creates ssh key' do
......@@ -198,46 +198,27 @@ describe 'freeipa class' do
end
end
context 'Test creation of admin accounts' do
context 'Test update and delete on admin accounts' do
hosts_as('master').each do |master|
it 'updates admin password' do
it 'test a kinit on a user' do
pp = <<-EOS
class { 'freeipa':
ipa_role => 'master',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
humanadmins => { foo => { password => 'vagrant123', ensure => 'present'}, bar => { password => 'vagrant123'} },
install_ipa_server => true,
ip_address => '10.10.10.35',
enable_ip_address => true,
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
webui_force_https => true,
ipa_master_fqdn => 'ipa-server-1.example.lan',
exec { 'execute kinit foo':
path => '/bin/',
command => 'echo "secret123" | kinit foo',
}
EOS
apply_manifest_on(master, pp, catch_failures: true)
end
end
end
context 'Test update and delete on admin accounts' do
hosts_as('master').each do |master|
it 'updates admin password' do
pp = <<-EOS
class { 'freeipa':
ipa_role => 'master',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan',
puppet_admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
humanadmins => { foo => { password => 'beaker456', ensure => 'present'}, bar => { password => 'vagrant123', ensure => 'absent'} },
puppet_admin_password => 'secret123',
directory_services_password => 'secret123',
humanadmins => { foo => { password => 'secret456', ensure => 'present'}, bar => { password => 'secret123', ensure => 'absent'} },
install_ipa_server => true,
ip_address => '10.10.10.35',
enable_ip_address => true,
......@@ -252,6 +233,27 @@ describe 'freeipa class' do
EOS
apply_manifest_on(master, pp, catch_failures: true)
apply_manifest_on(master, pp, catch_changes: true)
end
it 'test a kinit on a user after password update' do
pp = <<-EOS
exec { 'execute kinit foo':
path => '/bin/',
command => 'echo "secret456" | kinit foo',
}
EOS
apply_manifest_on(master, pp, catch_failures: true)
end
it 'test a kinit on a deleted user' do
pp = <<-EOS
exec { 'execute kinit bar':
path => '/bin/',
command => 'echo "secret123" | kinit bar',
}
EOS
apply_manifest_on(master, pp, expect_failures: true)
end
end
end
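Review bot: `expect_failures: true` on the `execute kinit bar` check accepts any failed apply, so the test still passes if `kinit bar` fails because the KDC is unreachable or the supplied password is wrong rather than because the account was deleted; it does not actually prove removal. A more specific check would run the command directly, e.g. `on(master, "echo 'secret123' | kinit bar", acceptable_exit_codes: [1])` and assert the output reports the client/principal as unknown, or query `ipa user-show bar` with an admin ticket and assert it is not found. The same applies to the `kinit foo` checks, which also leave foo's ticket in root's default credential cache for whatever tests run afterwards.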
......
type Freeipa::Humanadmins = Hash[String, Hash[Enum['username','password','ensure'], String]]
type Freeipa::Humanadmins = Hash[String[1], Hash[Enum['username','password','ensure'], String[1]]]
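Review bot: The tightened alias still admits a `username` key, but the loop in `freeipa::config::humanadmins` declares each entry as `Hash[Enum['password','ensure'], String]`, so a `humanadmins` value carrying `username` passes the class parameter check and then fails inside the `each` at catalog compile time; unless `username` is consumed somewhere not visible here, the two declarations should agree. Because `ensure` is only ever compared against `'present'`/`'absent'` with a `fail()` fallback at runtime, a `Struct` would reject bad values at the type boundary instead: `type Freeipa::Humanadmins = Hash[String[1], Struct[{ password => String[1], Optional[ensure] => Enum['present','absent'] }]]`. Whether `ensure` may be omitted is not visible in this diff (the config class appears to derive a default), so keep it `Optional` only if that default exists.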