From 320168071ff56c00ff65870e781a261075fccc66 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman
Date: Wed, 21 Sep 2022 18:28:55 -0300
Subject: [PATCH] ipaconfig: Do not allow enable_sid set to False.

Once enabled, SID cannot be disabled. This patch ensures that an error is raised if one tries to disable SID.

---
 README-config.md | 2 +-
 plugins/modules/ipaconfig.py | 15 ++++++++-------
 tests/config/test_config_sid.yml | 13 +++++++++++++
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/README-config.md b/README-config.md
index 13023ea..d6fe40a 100644
--- a/README-config.md
+++ b/README-config.md
@@ -148,7 +148,7 @@ Variable | Description | Required
 `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
-`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
+`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
 `netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
 `add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no

diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index 87810b2..9c19afb 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -175,7 +175,7 @@ options:
 enable_sid:
 description: >
 New users and groups automatically get a SID assigned.
- Requires IPA 4.9.8+.
+ Cannot be deactivated once activated. Requires IPA 4.9.8+.
 required: false
 type: bool
 netbios_name:
@@ -525,11 +525,16 @@ def main():
 result = config_show(ansible_module)

 if params:
+ enable_sid = params.get("enable_sid")
+ sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)
+
+ if sid_is_enabled and enable_sid is False:
+ ansible_module.fail_json(msg="SID cannot be disabled.")
+
 netbios_name = params.get("netbios_name")
 if netbios_name:
 netbios_name = netbios_name.upper()
 add_sids = params.get("add_sids")
- enable_sid = params.get("enable_sid")
 required_sid = any([netbios_name, add_sids])
 if required_sid and not enable_sid:
 ansible_module.fail_json(
@@ -551,13 +556,9 @@ def main():
 del params["add_sids"]
 if (
 not any([netbios_name, add_sids])
- and is_enable_sid(ansible_module)
+ and sid_is_enabled
 ):
 del params["enable_sid"]
- else:
- for param in ["enable_sid", "netbios_name", "add_sids"]:
- if param in params:
- del params[params]

 params = {
 k: v for k, v in params.items()
diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml
index 1761795..bd550a5 100644
--- a/tests/config/test_config_sid.yml
+++ b/tests/config/test_config_sid.yml
@@ -6,6 +6,9 @@
 tasks:
+ - name: Set FreeIPA facts.
+ include_tasks: ../env_freeipa_facts.yml
+
 # GET CURRENT CONFIG
 - name: Return current values of the global configuration options
@@ -32,6 +35,14 @@
 register: result
 failed_when: result.failed or result.changed

+ - name: Try to Ensure SID is disabled.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: no
+ register: result
+ failed_when: not result.failed or "SID cannot be disabled." not in result.msg
+
 - name: Ensure netbios_name is "IPATESTPLAY"
 ipaconfig:
 ipaadmin_password: SomeADMINpassword
@@ -59,6 +70,8 @@
 enable_sid: yes
 add_sids: yes

+ # only run tests if version supports enable-sid
+ when: ipa_version is version("4.9.8", ">=")
 # REVERT TO PREVIOUS CONFIG
 always:
 # Once SID is enabled, it cannot be reverted.
-- 
2.37.3
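Review bot: The new guard `if sid_is_enabled and enable_sid is False:` relies on the option being absent as `None` and an explicit `enable_sid: no` arriving as `False` (the module's bool coercion, presumably), and nothing at the call site says so; a reader could "simplify" it to `not enable_sid` and start rejecting every run on a SID-enabled server. I would add `# enable_sid is None when the option was omitted; only an explicit "no" is rejected, since SID cannot be switched off once on.` above the check. Note also that `sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)` now runs for every invocation that passes any option, whereas before `is_enable_sid()` was only called in the SID-specific branch; if that helper performs its own server query, it is an extra round trip for unrelated config changes — I cannot see its body from here. The enclosing `main()` begins before and continues after the hunk.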
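Review bot: With the `else:` branch removed, an explicit `enable_sid: no` sent to a server where SID is not yet enabled is no longer stripped from `params`: `sid_is_enabled` is false in that case, so neither the new "cannot be disabled" guard nor `del params["enable_sid"]` fires, and the key reaches the `params = {...}` comprehension below the hunk. Whether that still ends as a harmless no-op or as a request carrying `enable_sid=False` depends on code outside this hunk, so please confirm it and consider a short comment stating the intended outcome, e.g. `# enable_sid is only dropped when SID is already on; an explicit "no" on a SID-less server is left for config_mod to handle`. If the old stripping is still wanted, the loop should index with `del params[param]` — the removed version used `params[params]`, which raises TypeError on a dict, so that branch could never have run to completion. `main()` continues outside the hunk in both directions.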