Blame SOURCES/ansible-freeipa-0.1.12-Fixes-service-disable-when-service-has-no-certificates-attached_rhbz#1836294.patch

fb9e9a
From e57e4908f936c524085fb5853fe4493c7711ab3f Mon Sep 17 00:00:00 2001
fb9e9a
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
fb9e9a
Date: Thu, 25 Jun 2020 16:26:30 -0300
fb9e9a
Subject: [PATCH] Fixes service disable when service has no certificates
fb9e9a
 attached.
fb9e9a
fb9e9a
Services without certificates, but with keytabs were not being
fb9e9a
disabled. This change allows execution of service_disable if
fb9e9a
there is a certificate or if has_keytab is true.
fb9e9a
fb9e9a
A new test was added to verify the issue:
fb9e9a
fb9e9a
    tests/service/test_service_disable.yml
fb9e9a
---
fb9e9a
 plugins/modules/ipaservice.py          |  8 +--
fb9e9a
 tests/service/test_service_disable.yml | 68 ++++++++++++++++++++++++++
fb9e9a
 2 files changed, 73 insertions(+), 3 deletions(-)
fb9e9a
 create mode 100644 tests/service/test_service_disable.yml
fb9e9a
fb9e9a
diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py
fb9e9a
index 23a0d6b3..b0d25355 100644
fb9e9a
--- a/plugins/modules/ipaservice.py
fb9e9a
+++ b/plugins/modules/ipaservice.py
fb9e9a
@@ -812,9 +812,11 @@ def main():
fb9e9a
 
fb9e9a
             elif state == "disabled":
fb9e9a
                 if action == "service":
fb9e9a
-                    if res_find is not None and \
fb9e9a
-                       len(res_find.get('usercertificate', [])) > 0:
fb9e9a
-                        commands.append([name, 'service_disable', {}])
fb9e9a
+                    if res_find is not None:
fb9e9a
+                        has_cert = bool(res_find.get('usercertificate'))
fb9e9a
+                        has_keytab = res_find.get('has_keytab', False)
fb9e9a
+                        if has_cert or has_keytab:
fb9e9a
+                            commands.append([name, 'service_disable', {}])
fb9e9a
                 else:
fb9e9a
                     ansible_module.fail_json(
fb9e9a
                         msg="Invalid action '%s' for state '%s'" %
fb9e9a
diff --git a/tests/service/test_service_disable.yml b/tests/service/test_service_disable.yml
fb9e9a
new file mode 100644
fb9e9a
index 00000000..3b4a88fb
fb9e9a
--- /dev/null
fb9e9a
+++ b/tests/service/test_service_disable.yml
fb9e9a
@@ -0,0 +1,68 @@
fb9e9a
+---
fb9e9a
+- name: Playbook to manage IPA service.
fb9e9a
+  hosts: ipaserver
fb9e9a
+  become: yes
fb9e9a
+  gather_facts: yes
fb9e9a
+
fb9e9a
+  tasks:
fb9e9a
+  - name: Ensure service is absent
fb9e9a
+    ipaservice:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: "mysvc1/{{ ansible_fqdn }}"
fb9e9a
+
fb9e9a
+  - name: Ensure service is present
fb9e9a
+    ipaservice:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: "mysvc1/{{ ansible_fqdn }}"
fb9e9a
+      certificate:
fb9e9a
+        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
fb9e9a
+      force: no
fb9e9a
+    register: result
fb9e9a
+    failed_when: not result.changed
fb9e9a
+
fb9e9a
+  - name: Obtain keytab
fb9e9a
+    shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab
fb9e9a
+
fb9e9a
+  - name: Verify keytab
fb9e9a
+    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
fb9e9a
+
fb9e9a
+  - name: Ensure service is disabled
fb9e9a
+    ipaservice:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: "mysvc1/{{ ansible_fqdn }}"
fb9e9a
+      state: disabled
fb9e9a
+    register: result
fb9e9a
+    failed_when: not result.changed
fb9e9a
+
fb9e9a
+  - name: Verify keytab
fb9e9a
+    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
fb9e9a
+
fb9e9a
+  - name: Obtain keytab
fb9e9a
+    shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab
fb9e9a
+
fb9e9a
+  - name: Verify keytab
fb9e9a
+    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
fb9e9a
+
fb9e9a
+  - name: Ensure service is disabled
fb9e9a
+    ipaservice:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: "mysvc1/{{ ansible_fqdn }}"
fb9e9a
+      state: disabled
fb9e9a
+    register: result
fb9e9a
+    failed_when: not result.changed
fb9e9a
+
fb9e9a
+  - name: Verify keytab
fb9e9a
+    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
fb9e9a
+
fb9e9a
+  - name: Ensure service is absent
fb9e9a
+    ipaservice:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: "mysvc1/{{ ansible_fqdn }}"