diff --git a/plugins/modules/ipaautomember.py b/plugins/modules/ipaautomember.py index c82f9952140edaf76db22c7e5bc85b672cc47980..aeaf7173ead46e859ea281fac00f0654fbef48a0 100644 --- a/plugins/modules/ipaautomember.py +++ b/plugins/modules/ipaautomember.py @@ -185,6 +185,15 @@ def transform_conditions(conditions): return transformed +def check_condition_keys(ansible_module, conditions, aciattrs): + if conditions is None: + return + for condition in conditions: + if condition["key"] not in aciattrs: + ansible_module.fail_json( + msg="Invalid automember condition key '%s'" % condition["key"]) + + def main(): ansible_module = AnsibleModule( argument_spec=dict( @@ -274,6 +283,28 @@ def main(): # Make sure automember rule exists res_find = find_automember(ansible_module, name, automember_type) + # Check inclusive and exclusive conditions + if inclusive is not None or exclusive is not None: + # automember_type is either "group" or "hostgorup" + if automember_type == "group": + _type = "user" + elif automember_type == "hostgroup": + _type = "host" + else: + ansible_module.fail_json( + msg="Bad automember type '%s'" % automember_type) + + try: + aciattrs = api_command( + ansible_module, "json_metadata", to_text(_type), {} + )['objects'][_type]['aciattrs'] + except Exception as ex: + ansible_module.fail_json( + msg="%s: %s: %s" % ("json_metadata", _type, str(ex))) + + check_condition_keys(ansible_module, inclusive, aciattrs) + check_condition_keys(ansible_module, exclusive, aciattrs) + # Create command if state == 'present': args = gen_args(description, automember_type) diff --git a/tests/automember/test_automember.yml b/tests/automember/test_automember.yml index 96b8c28790d33bea7998e02b29ba00e63eea95f7..24b8fb320a844ba372f726c338fd7ceed99c30d1 100644 --- a/tests/automember/test_automember.yml +++ b/tests/automember/test_automember.yml 
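Review bot: `check_condition_keys` compares `condition["key"]` against `aciattrs` case-sensitively, so a condition written as `key: CN` would be rejected if `json_metadata` reports attribute names in lowercase, even though LDAP attribute names are matched case-insensitively on the server; normalising both sides, `if condition["key"].lower() not in {a.lower() for a in aciattrs}:`, avoids that false rejection — confirm the casing the metadata uses before changing it. The function also has no docstring; I would add `"""Fail via ansible_module.fail_json if a condition key is not an attribute the server lists for the automember type."""`. If `transform_conditions` does not guarantee a `key` entry in every condition, the bare `condition["key"]` lookup raises KeyError instead of reporting through `fail_json`; `condition.get("key")` would keep the failure path uniform.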
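Review bot: The comment introducing the new validation block in `main` misspells the type, `# automember_type is either "group" or "hostgorup"` should read `"hostgroup"`. The `_type` mapping, the `json_metadata` call and its error handling form a self-contained unit that would read better as a helper such as `def get_aciattrs(ansible_module, automember_type)` returning the attribute list, leaving `main` with just the two `check_condition_keys` calls. The `except Exception` also covers the `['objects'][_type]['aciattrs']` indexing, so a metadata response missing those keys is reported as a `json_metadata` failure; that is acceptable but deserves a one-line comment so the next reader does not narrow the handler. `main` starts and ends outside the hunk.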
@@ -164,6 +164,34 @@ register: result failed_when: result.changed or result.failed + - name: Ensure testgroup group automember conditions fails on invalid inclusive key + ipaautomember: + ipaadmin_principal: admin + ipaadmin_password: SomeADMINpassword + name: testgroup + automember_type: group + inclusive: + - key: cns + expression: 'foo' + action: member + register: result + failed_when: result.changed or not result.failed or + "Invalid automember condition key 'cns'" not in result.msg + + - name: Ensure testgroup group automember conditions fails on invalid exlusive key + ipaautomember: + ipaadmin_principal: admin + ipaadmin_password: SomeADMINpassword + name: testgroup + automember_type: group + exclusive: + - key: cns + expression: 'foo' + action: member + register: result + failed_when: result.changed or not result.failed or + "Invalid automember condition key 'cns'" not in result.msg + - name: Ensure testhostgroup hostgroup automember rule is present ipaautomember: ipaadmin_password: SomeADMINpassword 
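Review bot: Both new task names ending in `fails on invalid exlusive key` misspell "exclusive"; the same typo appears in the two hostgroup tasks of the next hunk. The added tasks cover only the negative path; if no earlier task in this file already applies a valid condition key with the new module build, a positive case would confirm the metadata lookup does not reject legitimate attribute names. The `failed_when` expressions match the exact text `Invalid automember condition key 'cns'` from the module, so any later rewording of that message requires updating all four tasks.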
@@ -282,6 +310,35 @@ register: result failed_when: result.changed or result.failed + + - name: Ensure testhostgroup hostgroup automember conditions fails on invalid inclusive key + ipaautomember: + ipaadmin_principal: admin + ipaadmin_password: SomeADMINpassword + name: testhostgroup + automember_type: hostgroup + inclusive: + - key: cns + expression: 'foo' + action: member + register: result + failed_when: result.changed or not result.failed or + "Invalid automember condition key 'cns'" not in result.msg + + - name: Ensure testhostgroup hostgroup automember conditions fails on invalid exlusive key + ipaautomember: + ipaadmin_principal: admin + ipaadmin_password: SomeADMINpassword + name: testhostgroup + automember_type: hostgroup + exclusive: + - key: cns + expression: 'foo' + action: member + register: result + failed_when: result.changed or not result.failed or + "Invalid automember condition key 'cns'" not in result.msg + # CLEANUP TEST ITEMS - name: Ensure group testgroup is absent