ansible/test/integration/targets/win_domain_group/tasks/main.yml

354 lines
12 KiB
YAML
Raw Normal View History

# this won't run in Ansible's integration tests until we get a domain set up
# these are here if someone wants to run the module tests locally on their own
# domain.
# Requirements:
# LDAP Base path set in defaults/main.yml like DC=ansible,DC=local
# Custom OU path set in defaults/main.yml like OU=ou1,DC=ansible,DC=local
---
- name: ensure the test group is deleted before the test
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: absent
ignore_protection: True
- name: fail pass in an invalid path
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
organizational_unit: OU=fakeou,{{test_win_domain_group_ldap_base}}
register: fail_invalid_path
failed_when: fail_invalid_path.msg != 'the group path OU=fakeou,' + test_win_domain_group_ldap_base + ' does not exist, please specify a valid LDAP path'
- name: create group with defaults check
win_domain_group:
name: '{{test_win_domain_group_name}}'
scope: global
state: present
register: create_default_check
check_mode: yes
- name: get actual group with defaults check
win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'"
register: create_default_actual_check
ignore_errors: True
- name: assert create group with defaults checl
assert:
that:
- create_default_check is changed
- create_default_actual_check.rc == 1
- name: create group with defaults
win_domain_group:
name: '{{test_win_domain_group_name}}'
scope: global
state: present
register: create_default
- name: get actual group with defaults
win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'"
register: create_default_actual
- name: assert create group with defaults
assert:
that:
- create_default is created
- create_default is changed
- create_default.category == 'Security'
- create_default.description == None
- create_default.display_name == None
- create_default.distinguished_name == 'CN=' + test_win_domain_group_name + ',CN=Users,' + test_win_domain_group_ldap_base
- create_default.group_scope == 'Global'
- create_default.guid is defined
- create_default.managed_by == None
- create_default.name == test_win_domain_group_name
- create_default.protected_from_accidental_deletion == False
- create_default.sid is defined
- create_default_actual.rc == 0
- name: create group with defaults again
win_domain_group:
name: '{{test_win_domain_group_name}}'
scope: global
state: present
register: create_default_again
- name: assert create group with defaults again
assert:
that:
- create_default_again is not changed
- create_default_again is not created
- name: remove group check
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: absent
register: remove_group_check
check_mode: yes
- name: get actual remove group check
win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'"
register: remove_group_actual_check
- name: assert remove group check
assert:
that:
- remove_group_check is changed
- remove_group_actual_check.rc == 0
- name: remove group
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: absent
register: remove_group
- name: get actual remove group
win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'"
register: remove_group_actual
ignore_errors: True
- name: assert remove group
assert:
that:
- remove_group is changed
- remove_group is not created
- remove_group_actual.rc == 1
- name: remove group again
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: absent
register: remove_group_again
- name: assert remove group again
assert:
that:
- remove_group_again is not changed
- remove_group_again is not created
- name: create non default group check
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
description: Group Description
display_name: Group Display Name
managed_by: Domain Admins
organizational_unit: '{{test_win_domain_group_ou_path}}'
category: distribution
scope: domainlocal
attributes:
mail: test@email.com
wWWHomePage: www.google.com
protect: True
register: create_non_default_check
check_mode: yes
- name: get actual create non default group check
win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'"
register: create_non_default_actual_check
ignore_errors: True
- name: assert create non default group check
assert:
that:
- create_non_default_check is changed
- create_non_default_check is created
- create_non_default_actual_check.rc == 1
- name: create non default group
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
description: Group Description
display_name: Group Display Name
managed_by: Domain Admins
organizational_unit: '{{test_win_domain_group_ou_path}}'
category: distribution
scope: domainlocal
attributes:
mail: test@email.com
wWWHomePage: www.google.com
protect: True
register: create_non_default
- name: get actual create non default group
win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'"
register: create_non_default_actual
ignore_errors: True
- name: assert create non default group
assert:
that:
- create_non_default is changed
- create_non_default is created
- create_non_default.category == 'Distribution'
- create_non_default.description == 'Group Description'
- create_non_default.display_name == 'Group Display Name'
- create_non_default.distinguished_name == 'CN=' + test_win_domain_group_name + ',' + test_win_domain_group_ou_path
- create_non_default.group_scope == 'DomainLocal'
- create_non_default.guid is defined
- create_non_default.managed_by == 'CN=Domain Admins,CN=Users,' + test_win_domain_group_ldap_base
- create_non_default.name == test_win_domain_group_name
- create_non_default.protected_from_accidental_deletion == True
- create_non_default.sid is defined
- create_non_default.attributes.mail == 'test@email.com'
- create_non_default.attributes.wWWHomePage == 'www.google.com'
- create_non_default_actual.rc == 0
- name: create non default group again
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
description: Group Description
display_name: Group Display Name
managed_by: Domain Admins
organizational_unit: '{{test_win_domain_group_ou_path}}'
category: distribution
scope: domainlocal
attributes:
mail: test@email.com
wWWHomePage: www.google.com
register: create_non_default_again
- name: assert create non default group again
assert:
that:
- create_non_default_again is not changed
- create_non_default_again is not created
- name: try and move group with protection mode on
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
organizational_unit: CN=Users,{{test_win_domain_group_ldap_base}}
register: fail_move_with_protection
failed_when: fail_move_with_protection.msg != 'cannot move group ' + test_win_domain_group_name + ' when ProtectedFromAccidentalDeletion is turned on, run this module with ignore_protection=true to override this'
- name: modify existing group check
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
description: New Description
display_name: New Display Name
managed_by: Administrator
organizational_unit: 'CN=Users,{{test_win_domain_group_ldap_base}}'
category: security
scope: global
attributes:
mail: anothertest@email.com
ignore_protection: True
register: modify_existing_check
check_mode: yes
- name: get actual of modify existing group check
win_command: powershell.exe "Import-Module ActiveDirectory; (Get-ADGroup -Identity '{{test_win_domain_group_name}}').DistinguishedName"
register: modify_existing_actual_check
- name: assert modify existing group check
assert:
that:
- modify_existing_check is changed
- modify_existing_check is not created
- modify_existing_actual_check.stdout == 'CN=' + test_win_domain_group_name + ',' + test_win_domain_group_ou_path + '\r\n'
- name: modify existing group
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
description: New Description
display_name: New Display Name
managed_by: Administrator
organizational_unit: CN=Users,{{test_win_domain_group_ldap_base}}
category: security
scope: global
attributes:
mail: anothertest@email.com
protect: True
ignore_protection: True
register: modify_existing
- name: get actual of modify existing group
win_command: powershell.exe "Import-Module ActiveDirectory; (Get-ADGroup -Identity '{{test_win_domain_group_name}}').DistinguishedName"
register: modify_existing_actual
- name: assert modify existing group
assert:
that:
- modify_existing is changed
- modify_existing is not created
- modify_existing.category == 'Security'
- modify_existing.description == 'New Description'
- modify_existing.display_name == 'New Display Name'
- modify_existing.distinguished_name == 'CN=' + test_win_domain_group_name + ',CN=Users,' + test_win_domain_group_ldap_base
- modify_existing.group_scope == 'Global'
- modify_existing.guid is defined
- modify_existing.managed_by == 'CN=Administrator,CN=Users,' + test_win_domain_group_ldap_base
- modify_existing.name == test_win_domain_group_name
- modify_existing.protected_from_accidental_deletion == True
- modify_existing.sid is defined
- modify_existing.attributes.mail == 'anothertest@email.com'
- modify_existing_actual.stdout == 'CN=' + test_win_domain_group_name + ',CN=Users,' + test_win_domain_group_ldap_base + '\r\n'
- name: modify existing group again
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
description: New Description
display_name: New Display Name
managed_by: Administrator
organizational_unit: CN=Users,{{test_win_domain_group_ldap_base}}
category: Security
scope: global
attributes:
mail: anothertest@email.com
protect: True
ignore_protection: True
register: modify_existing_again
- name: assert modify existing group again
assert:
that:
- modify_existing_again is not changed
- modify_existing_again is not created
- name: fail change managed_by to invalid user
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: present
scope: global
managed_by: fake user
register: fail_invalid_managed_by_user
failed_when: fail_invalid_managed_by_user.msg != 'failed to find managed_by user or group fake user to be used for comparison'
- name: fail delete group with protection mode on
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: absent
register: fail_delete_with_protection
failed_when: fail_delete_with_protection.msg != 'cannot delete group ' + test_win_domain_group_name + ' when ProtectedFromAccidentalDeletion is turned on, run this module with ignore_protection=true to override this'
- name: delete group with protection mode on
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: absent
ignore_protection: True
register: delete_with_force
- name: get actual delete group with protection mode on
win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'"
register: delete_with_force_actual
ignore_errors: True
- name: assert delete group with protection mode on
assert:
that:
- delete_with_force is changed
- delete_with_force is not created
- delete_with_force_actual.rc == 1
- name: ensure the test group is deleted after the test
win_domain_group:
name: '{{test_win_domain_group_name}}'
state: absent
ignore_protection: True