Merge pull request #921 from rjeffman/ipaconfig_fix_enablesid_false

ipaconfig: Do not allow enable_sid set to False.

README-config.md

@@ -148,7 +148,7 @@ Variable | Description | Required
 `user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
-`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
+`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
 `netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
 `add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
 

plugins/modules/ipaconfig.py

@@ -175,7 +175,7 @@ options:
     enable_sid:
         description: >
           New users and groups automatically get a SID assigned.
-          Requires IPA 4.9.8+.
+          Cannot be deactivated once activated. Requires IPA 4.9.8+.
         required: false
         type: bool
     netbios_name:
@@ -525,11 +525,16 @@ def main():
         result = config_show(ansible_module)
 
         if params:
+            enable_sid = params.get("enable_sid")
+            sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)
+
+            if sid_is_enabled and enable_sid is False:
+                ansible_module.fail_json(msg="SID cannot be disabled.")
+
             netbios_name = params.get("netbios_name")
             if netbios_name:
                 netbios_name = netbios_name.upper()
             add_sids = params.get("add_sids")
-            enable_sid = params.get("enable_sid")
             required_sid = any([netbios_name, add_sids])
             if required_sid and not enable_sid:
                 ansible_module.fail_json(
@@ -551,13 +556,9 @@ def main():
                     del params["add_sids"]
                 if (
                     not any([netbios_name, add_sids])
-                    and is_enable_sid(ansible_module)
+                    and sid_is_enabled
                 ):
                     del params["enable_sid"]
-            else:
-                for param in ["enable_sid", "netbios_name", "add_sids"]:
-                    if param in params:
-                        del params[params]
 
             params = {
                 k: v for k, v in params.items()

tests/config/test_config_sid.yml

@@ -6,6 +6,9 @@
 
   tasks:
 
+  - name: Set FreeIPA facts.
+    include_tasks: ../env_freeipa_facts.yml
+
   # GET CURRENT CONFIG
 
   - name: Return current values of the global configuration options
@@ -32,6 +35,14 @@
       register: result
       failed_when: result.failed or result.changed
 
+    - name: Try to Ensure SID is disabled.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: no
+      register: result
+      failed_when: not result.failed or "SID cannot be disabled." not in result.msg
+
     - name: Ensure netbios_name is "IPATESTPLAY"
       ipaconfig:
         ipaadmin_password: SomeADMINpassword
@@ -59,6 +70,8 @@
         enable_sid: yes
         add_sids: yes
 
+    # only run tests if version supports enable-sid
+    when: ipa_version is version("4.9.8", ">=")
     # REVERT TO PREVIOUS CONFIG
     always:
     # Once SID is enabled, it cannot be reverted.