From 382ee6ffa070a9851cc8bcd1f19a5756e048f754 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 13 Jul 2021 13:14:28 +0200
Subject: [PATCH] automember: Verify condition keys

The automember_add_condition and automember_remove_condition commands
are not verifying condition keys in all cases. This is for example not
done in the removal case if a condition is not part of the automember
rule.

For consistent behaviour this needs to be done in the automember module
now. The condition keys are verified with the user and group aciattrs
returned by the API command json_metadata now.

Related: RHBZ#1976926
---
 plugins/modules/ipaautomember.py     | 31 +++++++++++++++
 tests/automember/test_automember.yml | 57 ++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)

diff --git a/plugins/modules/ipaautomember.py b/plugins/modules/ipaautomember.py
index c82f9952..aeaf7173 100644
--- a/plugins/modules/ipaautomember.py
+++ b/plugins/modules/ipaautomember.py
@@ -185,6 +185,15 @@ def transform_conditions(conditions):
     return transformed
 
 
+def check_condition_keys(ansible_module, conditions, aciattrs):
+    if conditions is None:
+        return
+    for condition in conditions:
+        if condition["key"] not in aciattrs:
+            ansible_module.fail_json(
+                msg="Invalid automember condition key '%s'" % condition["key"])
+
+
 def main():
     ansible_module = AnsibleModule(
         argument_spec=dict(
@@ -274,6 +283,28 @@ def main():
             # Make sure automember rule exists
             res_find = find_automember(ansible_module, name, automember_type)
 
+            # Check inclusive and exclusive conditions
+            if inclusive is not None or exclusive is not None:
+                # automember_type is either "group" or "hostgorup"
+                if automember_type == "group":
+                    _type = "user"
+                elif automember_type == "hostgroup":
+                    _type = "host"
+                else:
+                    ansible_module.fail_json(
+                        msg="Bad automember type '%s'" % automember_type)
+
+                try:
+                    aciattrs = api_command(
+                        ansible_module, "json_metadata", to_text(_type), {}
+                    )['objects'][_type]['aciattrs']
+                except Exception as ex:
+                    ansible_module.fail_json(
+                        msg="%s: %s: %s" % ("json_metadata", _type, str(ex)))
+
+                check_condition_keys(ansible_module, inclusive, aciattrs)
+                check_condition_keys(ansible_module, exclusive, aciattrs)
+
             # Create command
             if state == 'present':
                 args = gen_args(description, automember_type)
diff --git a/tests/automember/test_automember.yml b/tests/automember/test_automember.yml
index 96b8c287..24b8fb32 100644
--- a/tests/automember/test_automember.yml
+++ b/tests/automember/test_automember.yml
@@ -164,6 +164,34 @@
     register: result
     failed_when: result.changed or result.failed
 
+  - name: Ensure testgroup group automember conditions fails on invalid inclusive key
+    ipaautomember:
+      ipaadmin_principal: admin
+      ipaadmin_password: SomeADMINpassword
+      name: testgroup
+      automember_type: group
+      inclusive:
+        - key: cns
+          expression: 'foo'
+      action: member
+    register: result
+    failed_when: result.changed or not result.failed or
+                 "Invalid automember condition key 'cns'" not in result.msg
+
+  - name: Ensure testgroup group automember conditions fails on invalid exlusive key
+    ipaautomember:
+      ipaadmin_principal: admin
+      ipaadmin_password: SomeADMINpassword
+      name: testgroup
+      automember_type: group
+      exclusive:
+        - key: cns
+          expression: 'foo'
+      action: member
+    register: result
+    failed_when: result.changed or not result.failed or
+                 "Invalid automember condition key 'cns'" not in result.msg
+
   - name: Ensure testhostgroup hostgroup automember rule is present
     ipaautomember:
       ipaadmin_password: SomeADMINpassword
@@ -282,6 +310,35 @@
     register: result
     failed_when: result.changed or result.failed
 
+
+  - name: Ensure testhostgroup hostgroup automember conditions fails on invalid inclusive key
+    ipaautomember:
+      ipaadmin_principal: admin
+      ipaadmin_password: SomeADMINpassword
+      name: testhostgroup
+      automember_type: hostgroup
+      inclusive:
+        - key: cns
+          expression: 'foo'
+      action: member
+    register: result
+    failed_when: result.changed or not result.failed or
+                 "Invalid automember condition key 'cns'" not in result.msg
+
+  - name: Ensure testhostgroup hostgroup automember conditions fails on invalid exlusive key
+    ipaautomember:
+      ipaadmin_principal: admin
+      ipaadmin_password: SomeADMINpassword
+      name: testhostgroup
+      automember_type: hostgroup
+      exclusive:
+        - key: cns
+          expression: 'foo'
+      action: member
+    register: result
+    failed_when: result.changed or not result.failed or
+                 "Invalid automember condition key 'cns'" not in result.msg
+
   # CLEANUP TEST ITEMS
 
   - name: Ensure group testgroup is absent
-- 
GitLab