Adapted version of From c808ad6e3408c2145ba660025c75531920f05d73 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Tue, 18 Oct 2022 10:26:01 -0300 Subject: [PATCH] ipaconfig: Do not require enable_sid for add_sids or netbios_name Current behavior of ipaconfig mimics FreeIPA CLI and requires that 'enable_sid' is set to True every time add_sids or netbios_name are used. It is sufficient that SID generation is enabled to use add_sids and netbios_name, but the IPA API requires 'enable_sid' so that the operations are executed. This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or set 'netbios_name without requiring 'enable_sid' to be set on the playbook. If SID generation is enabled, 'add_sids' and 'netbios_name' can be used without 'enable_sid: yes'. If SID generation is not enabled, an error message will be raised if 'enable_sid: yes' is not used. --- README-config.md | 4 +-- plugins/modules/ipaconfig.py | 53 +++++++++++++++++--------------- tests/config/test_config_sid.yml | 48 +++++++++++++++++++++++++++-- 3 files changed, 76 insertions(+), 29 deletions(-) diff --git a/README-config.md b/README-config.md index d6fe40a..a1d6117 100644 --- a/README-config.md +++ b/README-config.md @@ -149,8 +149,8 @@ Variable | Description | Required `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no `enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no -`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no -`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no +`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and SID generation to be activated. | no +`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and SID generation to be activated. (bool) | no Return Values diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py index 9c19afb..7e78492 100644 --- a/plugins/modules/ipaconfig.py +++ b/plugins/modules/ipaconfig.py @@ -180,14 +180,14 @@ options: type: bool netbios_name: description: > - NetBIOS name of the IPA domain. - Requires IPA 4.9.8+ and 'enable_sid: yes'. + NetBIOS name of the IPA domain. Requires IPA 4.9.8+ + and SID generation to be activated. required: false type: string add_sids: description: > - Add SIDs for existing users and groups. - Requires IPA 4.9.8+ and 'enable_sid: yes'. + Add SIDs for existing users and groups. Requires IPA 4.9.8+ + and SID generation to be activated. required: false type: bool ''' @@ -362,7 +362,7 @@ def get_netbios_name(module): def is_enable_sid(module): - """When 'enable-sid' is true admin user and admins group have SID set.""" + """When 'enable_sid' is true admin user and admins group have SID set.""" _result = module.ipa_command("user_show", "admin", {"all": True}) sid = _result["result"].get("ipantsecurityidentifier", [""]) if not sid[0].endswith("-500"): @@ -517,7 +517,7 @@ def main(): changed = False exit_args = {} - # Connect to IPA API (enable-sid requires context == 'client') + # Connect to IPA API (enable_sid requires context == 'client') with ansible_module.ipa_connect(context="client"): has_enable_sid = ansible_module.ipa_command_param_exists( "config_mod", "enable_sid") @@ -532,20 +532,8 @@ def main(): ansible_module.fail_json(msg="SID cannot be disabled.") netbios_name = params.get("netbios_name") - if netbios_name: - netbios_name = netbios_name.upper() add_sids = params.get("add_sids") - required_sid = any([netbios_name, add_sids]) - if required_sid and not enable_sid: - ansible_module.fail_json( - msg="'enable-sid: yes' required for 'netbios_name' " - "and 'add-sids'." - ) - if enable_sid: - if not has_enable_sid: - ansible_module.fail_json( - msg="This version of IPA does not support enable-sid." - ) + if has_enable_sid: if ( netbios_name and netbios_name == get_netbios_name(ansible_module) @@ -554,12 +542,27 @@ def main(): netbios_name = None if not add_sids and "add_sids" in params: del params["add_sids"] - if ( - not any([netbios_name, add_sids]) - and sid_is_enabled - ): - del params["enable_sid"] - + if any([netbios_name, add_sids]): + if sid_is_enabled: + params["enable_sid"] = True + else: + if not enable_sid: + ansible_module.fail_json( + msg="SID generation must be enabled for " + "'netbios_name' and 'add_sids'. Use " + "'enable_sid: yes'." + ) + else: + if sid_is_enabled and "enable_sid" in params: + del params["enable_sid"] + + else: + if any([enable_sid, netbios_name, add_sids is not None]): + ansible_module.fail_json( + msg="This version of IPA does not support enable_sid, " + "add_sids or netbios_name setting through the " + "config module" + ) params = { k: v for k, v in params.items() if k not in result or result[k] != v diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml index bd550a5..d8d78f1 100644 --- a/tests/config/test_config_sid.yml +++ b/tests/config/test_config_sid.yml @@ -19,6 +19,32 @@ # TESTS - block: + - name: Check if SID is enabled. + ipaconfig: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + enable_sid: yes + check_mode: yes + register: sid_disabled + + - name: Ensure netbios_name can't be changed without SID enabled. + ipaconfig: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + netbios_name: IPATESTPLAY + register: result + failed_when: not result.failed and "SID generation must be enabled" in result.msg + when: sid_disabled.changed + + - name: Ensure SIDs can't be changed without SID enabled. + ipaconfig: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + add_sids: yes + register: result + failed_when: not result.failed and "SID generation must be enabled" in result.msg + when: sid_disabled.changed + - name: Ensure SID is enabled. ipaconfig: ipaadmin_password: SomeADMINpassword @@ -56,18 +82,36 @@ ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" - enable_sid: yes netbios_name: IPATESTPLAY register: result failed_when: result.failed or result.changed + - name: Ensure netbios_name cannot be set with lowercase characters + ipaconfig: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + netbios_name: IPATESTplay + register: result + failed_when: + (not result.failed + and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message) + + - name: Ensure netbios_name cannot be set different lowercase characters + ipaconfig: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" + netbios_name: otherPLAY + register: result + failed_when: + (not result.failed + and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message) + # add_sids is not idempotent as it always tries to generate the missing # SIDs for users and groups. - name: Add SIDs to users and groups. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" - enable_sid: yes add_sids: yes # only run tests if version supports enable-sid -- 2.37.3