Blob Blame History Raw
From 4dd1d25eacd1481be0a881a017144ff4d3396ccd Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 6 Feb 2020 15:38:00 +0100
Subject: [PATCH] ipapwpolicy: Use global_policy if name is not set

If the name is not set, the policy global_policy is now used. It was needed
before to explicitly name the global_policy. Also a check has been added
to fail early if global_policy is used with state absent.

The README for pwpolicy has been extended with an example for global_policy
and also the description of the name variable.

The test has also been extended to check a change of maxlife for
global_policy and that global_policy can not be used with state: absent

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1797532
---
 README-pwpolicy.md               | 19 +++++++++++--
 plugins/modules/ipapwpolicy.py   |  9 ++++--
 tests/pwpolicy/test_pwpolicy.yml | 49 ++++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/README-pwpolicy.md b/README-pwpolicy.md
index 16306b7..847b32d 100644
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -56,7 +56,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
       maxfail: 3
 ```
 
-Example playbook to ensure absence of pwpolicies for group ops
+Example playbook to ensure absence of pwpolicies for group ops:
 
 ```yaml
 ---
@@ -72,6 +72,21 @@ Example playbook to ensure absence of pwpolicies for group ops
       state: absent
 ```
 
+Example playbook to ensure maxlife is set to 49 in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure absence of pwpolicies for group ops
+  - ipapwpolicy:
+      ipaadmin_password: MyPassword123
+      maxlife: 49
+```
+
 
 Variables
 =========
@@ -83,7 +98,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
-`name` \| `cn` | The list of pwpolicy name strings. | no
+`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
 `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
 `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
 `history` \| `krbpwdhistorylength` | Password history size. (int) | no
diff --git a/plugins/modules/ipapwpolicy.py b/plugins/modules/ipapwpolicy.py
index 9437b59..f168703 100644
--- a/plugins/modules/ipapwpolicy.py
+++ b/plugins/modules/ipapwpolicy.py
@@ -167,7 +167,7 @@ def main():
             ipaadmin_password=dict(type="str", required=False, no_log=True),
 
             name=dict(type="list", aliases=["cn"], default=None,
-                      required=True),
+                      required=False),
             # present
 
             maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None),
@@ -218,6 +218,9 @@ def main():
 
     # Check parameters
 
+    if names is None:
+        names = ["global_policy"]
+
     if state == "present":
         if len(names) != 1:
             ansible_module.fail_json(
@@ -225,8 +228,10 @@ def main():
 
     if state == "absent":
         if len(names) < 1:
+            ansible_module.fail_json(msg="No name given.")
+        if "global_policy" in names:
             ansible_module.fail_json(
-                msg="No name given.")
+                msg="'global_policy' can not be made absent.")
         invalid = ["maxlife", "minlife", "history", "minclasses",
                    "minlength", "priority", "maxfail", "failinterval",
                    "lockouttime"]
diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml
index 5c69345..f93f275 100644
--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
@@ -5,10 +5,30 @@
   gather_facts: false
 
   tasks:
+  - name: Ensure maxlife of 90 for global_policy
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      maxlife: 90
+
+  - name: Ensure absence of group ops
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: ops
+      state: absent
+
+  - name: Ensure absence of pwpolicies for group ops
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      name: ops
+      state: absent
+
   - name: Ensure presence of group ops
     ipagroup:
       ipaadmin_password: SomeADMINpassword
       name: ops
+      state: present
+    register: result
+    failed_when: not result.changed
 
   - name: Ensure presence of pwpolicies for group ops
     ipapwpolicy:
@@ -42,6 +62,28 @@
     register: result
     failed_when: result.changed
 
+  - name: Ensure maxlife of 49 for global_policy
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      maxlife: 49
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure maxlife of 49 for global_policy again
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      maxlife: 49
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure absence of pwpoliciy global_policy will fail
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      state: absent
+    register: result
+    ignore_errors: True
+    failed_when: result is defined and result
+
   - name: Ensure absence of pwpolicies for group ops
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
@@ -50,6 +92,13 @@
     register: result
     failed_when: not result.changed
 
+  - name: Ensure maxlife of 90 for global_policy
+    ipapwpolicy:
+      ipaadmin_password: MyPassword123
+      maxlife: 90
+    register: result
+    failed_when: not result.changed
+
   - name: Ensure absence of pwpolicies for group ops
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword