|
 |
9b9c8d |
From 320168071ff56c00ff65870e781a261075fccc66 Mon Sep 17 00:00:00 2001
|
|
|
9b9c8d |
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
|
9b9c8d |
Date: Wed, 21 Sep 2022 18:28:55 -0300
|
|
|
9b9c8d |
Subject: [PATCH] ipaconfig: Do not allow enable_sid set to False.
|
|
|
9b9c8d |
|
|
|
9b9c8d |
Once enabled, SID cannot be disabled. This patch ensures that an error
|
|
|
9b9c8d |
is raised if one tries to disable SID.
|
|
|
9b9c8d |
---
|
|
|
9b9c8d |
README-config.md | 2 +-
|
|
|
9b9c8d |
plugins/modules/ipaconfig.py | 15 ++++++++-------
|
|
|
9b9c8d |
tests/config/test_config_sid.yml | 13 +++++++++++++
|
|
|
9b9c8d |
3 files changed, 22 insertions(+), 8 deletions(-)
|
|
|
9b9c8d |
|
|
|
9b9c8d |
diff --git a/README-config.md b/README-config.md
|
|
|
9b9c8d |
index 13023ea..d6fe40a 100644
|
|
|
9b9c8d |
--- a/README-config.md
|
|
|
9b9c8d |
+++ b/README-config.md
|
|
|
9b9c8d |
@@ -148,7 +148,7 @@ Variable | Description | Required
|
|
|
9b9c8d |
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
|
|
|
9b9c8d |
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
|
|
|
9b9c8d |
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
|
|
|
9b9c8d |
-`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
|
|
|
9b9c8d |
+`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
|
|
|
9b9c8d |
`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
|
|
|
9b9c8d |
`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
|
|
|
9b9c8d |
|
|
|
9b9c8d |
diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
|
|
|
9b9c8d |
index 87810b2..9c19afb 100644
|
|
|
9b9c8d |
--- a/plugins/modules/ipaconfig.py
|
|
|
9b9c8d |
+++ b/plugins/modules/ipaconfig.py
|
|
|
9b9c8d |
@@ -175,7 +175,7 @@ options:
|
|
|
9b9c8d |
enable_sid:
|
|
|
9b9c8d |
description: >
|
|
|
9b9c8d |
New users and groups automatically get a SID assigned.
|
|
|
9b9c8d |
- Requires IPA 4.9.8+.
|
|
|
9b9c8d |
+ Cannot be deactivated once activated. Requires IPA 4.9.8+.
|
|
|
9b9c8d |
required: false
|
|
|
9b9c8d |
type: bool
|
|
|
9b9c8d |
netbios_name:
|
|
|
9b9c8d |
@@ -525,11 +525,16 @@ def main():
|
|
|
9b9c8d |
result = config_show(ansible_module)
|
|
|
9b9c8d |
|
|
|
9b9c8d |
if params:
|
|
|
9b9c8d |
+ enable_sid = params.get("enable_sid")
|
|
|
9b9c8d |
+ sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)
|
|
|
9b9c8d |
+
|
|
|
9b9c8d |
+ if sid_is_enabled and enable_sid is False:
|
|
|
9b9c8d |
+ ansible_module.fail_json(msg="SID cannot be disabled.")
|
|
|
9b9c8d |
+
|
|
|
9b9c8d |
netbios_name = params.get("netbios_name")
|
|
|
9b9c8d |
if netbios_name:
|
|
|
9b9c8d |
netbios_name = netbios_name.upper()
|
|
|
9b9c8d |
add_sids = params.get("add_sids")
|
|
|
9b9c8d |
- enable_sid = params.get("enable_sid")
|
|
|
9b9c8d |
required_sid = any([netbios_name, add_sids])
|
|
|
9b9c8d |
if required_sid and not enable_sid:
|
|
|
9b9c8d |
ansible_module.fail_json(
|
|
|
9b9c8d |
@@ -551,13 +556,9 @@ def main():
|
|
|
9b9c8d |
del params["add_sids"]
|
|
|
9b9c8d |
if (
|
|
|
9b9c8d |
not any([netbios_name, add_sids])
|
|
|
9b9c8d |
- and is_enable_sid(ansible_module)
|
|
|
9b9c8d |
+ and sid_is_enabled
|
|
|
9b9c8d |
):
|
|
|
9b9c8d |
del params["enable_sid"]
|
|
|
9b9c8d |
- else:
|
|
|
9b9c8d |
- for param in ["enable_sid", "netbios_name", "add_sids"]:
|
|
|
9b9c8d |
- if param in params:
|
|
|
9b9c8d |
- del params[params]
|
|
|
9b9c8d |
|
|
|
9b9c8d |
params = {
|
|
|
9b9c8d |
k: v for k, v in params.items()
|
|
|
9b9c8d |
diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml
|
|
|
9b9c8d |
index 1761795..bd550a5 100644
|
|
|
9b9c8d |
--- a/tests/config/test_config_sid.yml
|
|
|
9b9c8d |
+++ b/tests/config/test_config_sid.yml
|
|
|
9b9c8d |
@@ -6,6 +6,9 @@
|
|
|
9b9c8d |
|
|
|
9b9c8d |
tasks:
|
|
|
9b9c8d |
|
|
|
9b9c8d |
+ - name: Set FreeIPA facts.
|
|
|
9b9c8d |
+ include_tasks: ../env_freeipa_facts.yml
|
|
|
9b9c8d |
+
|
|
|
9b9c8d |
# GET CURRENT CONFIG
|
|
|
9b9c8d |
|
|
|
9b9c8d |
- name: Return current values of the global configuration options
|
|
|
9b9c8d |
@@ -32,6 +35,14 @@
|
|
|
9b9c8d |
register: result
|
|
|
9b9c8d |
failed_when: result.failed or result.changed
|
|
|
9b9c8d |
|
|
|
9b9c8d |
+ - name: Try to Ensure SID is disabled.
|
|
|
9b9c8d |
+ ipaconfig:
|
|
|
9b9c8d |
+ ipaadmin_password: SomeADMINpassword
|
|
|
9b9c8d |
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
9b9c8d |
+ enable_sid: no
|
|
|
9b9c8d |
+ register: result
|
|
|
9b9c8d |
+ failed_when: not result.failed or "SID cannot be disabled." not in result.msg
|
|
|
9b9c8d |
+
|
|
|
9b9c8d |
- name: Ensure netbios_name is "IPATESTPLAY"
|
|
|
9b9c8d |
ipaconfig:
|
|
|
9b9c8d |
ipaadmin_password: SomeADMINpassword
|
|
|
9b9c8d |
@@ -59,6 +70,8 @@
|
|
|
9b9c8d |
enable_sid: yes
|
|
|
9b9c8d |
add_sids: yes
|
|
|
9b9c8d |
|
|
|
9b9c8d |
+ # only run tests if version supports enable-sid
|
|
|
9b9c8d |
+ when: ipa_version is version("4.9.8", ">=")
|
|
|
9b9c8d |
# REVERT TO PREVIOUS CONFIG
|
|
|
9b9c8d |
always:
|
|
|
9b9c8d |
# Once SID is enabled, it cannot be reverted.
|
|
|
9b9c8d |
--
|
|
|
9b9c8d |
2.37.3
|
|
|
9b9c8d |
|