From 954ae98200a5836e2a012188a30d1ee4caeb4f7a Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 27 Aug 2021 18:45:04 +0200
Subject: [PATCH] role: Use IPAAnsibleModule class

ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
---
 plugins/modules/iparole.py | 82 ++++++++++++--------------------------
 1 file changed, 26 insertions(+), 56 deletions(-)

diff --git a/plugins/modules/iparole.py b/plugins/modules/iparole.py
index 22adb867..3fafd37a 100644
--- a/plugins/modules/iparole.py
+++ b/plugins/modules/iparole.py
@@ -33,13 +33,9 @@ DOCUMENTATION = """
 module: iparole
 short description: Manage FreeIPA role
 description: Manage FreeIPA role
+extends_documentation_fragment:
+  - ipamodule_base_docs
 options:
-  ipaadmin_principal:
-    description: The admin principal.
-    default: admin
-  ipaadmin_password:
-    description: The admin password.
-    required: false
   role:
     description: The list of role name strings.
     required: true
@@ -101,11 +97,9 @@ EXAMPLES = """
 # pylint: disable=wrong-import-position
 # pylint: disable=import-error
 # pylint: disable=no-name-in-module
-from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
-    temp_kinit, temp_kdestroy, valid_creds, api_connect, api_command, \
-    gen_add_del_lists, compare_args_ipa, module_params_get, api_get_realm
+    IPAAnsibleModule, gen_add_del_lists, compare_args_ipa
 import six
 
 
@@ -116,7 +110,7 @@ if six.PY3:
 def find_role(module, name):
     """Find if a role with the given name already exist."""
     try:
-        _result = api_command(module, "role_show", name, {"all": True})
+        _result = module.ipa_command("role_show", name, {"all": True})
     except Exception:  # pylint: disable=broad-except
         # An exception is raised if role name is not found.
         return None
@@ -133,7 +127,7 @@ def gen_args(module):
     args = {}
 
     for param, arg in arg_map.items():
-        value = module_params_get(module, param)
+        value = module.params_get(param)
         if value is not None:
             args[arg] = value
 
@@ -142,8 +136,8 @@ def gen_args(module):
 
 def check_parameters(module):
     """Check if parameters passed for module processing are valid."""
-    action = module_params_get(module, "action")
-    state = module_params_get(module, "state")
+    action = module.params_get("action")
+    state = module.params_get("state")
 
     invalid = []
 
@@ -157,30 +151,15 @@ def check_parameters(module):
             invalid.extend(['privilege'])
 
     for arg in invalid:
-        if module_params_get(module, arg) is not None:
+        if module.params_get(arg) is not None:
             module.fail_json(
                 msg="Argument '%s' can not be used with action '%s'" %
                 (arg, state))
 
 
-def verify_credentials(module):
-    """Ensure there are valid Kerberos credentials."""
-    ccache_dir = None
-    ccache_name = None
-
-    ipaadmin_principal = module_params_get(module, "ipaadmin_principal")
-    ipaadmin_password = module_params_get(module, "ipaadmin_password")
-
-    if not valid_creds(module, ipaadmin_principal):
-        ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
-                                             ipaadmin_password)
-
-    return (ccache_dir, ccache_name)
-
-
 def member_intersect(module, attr, memberof, res_find):
     """Filter member arguments from role found by intersection."""
-    params = module_params_get(module, attr)
+    params = module.params_get(attr)
     if not res_find:
         return params
     filtered = []
@@ -192,7 +171,7 @@ def member_intersect(module, attr, memberof, res_find):
 
 def member_difference(module, attr, memberof, res_find):
     """Filter member arguments from role found by difference."""
-    params = module_params_get(module, attr)
+    params = module.params_get(attr)
     if not res_find:
         return params
     filtered = []
@@ -247,7 +226,7 @@ def filter_service(module, res_find, predicate):
     modified service to be compared to.
     """
     _services = []
-    service = module_params_get(module, 'service')
+    service = module.params_get('service')
     if service:
         existing = [to_text(x) for x in res_find.get('member_service', [])]
         for svc in service:
@@ -261,7 +240,7 @@ def ensure_role_with_members_is_present(module, name, res_find, action):
     """Define commands to ensure member are present for action `role`."""
     commands = []
     privilege_add, privilege_del = gen_add_del_lists(
-        module_params_get(module, "privilege"),
+        module.params_get("privilege"),
         res_find.get('memberof_privilege', []))
 
     if privilege_add:
@@ -276,7 +255,7 @@ def ensure_role_with_members_is_present(module, name, res_find, action):
 
     for key in ["user", "group", "host", "hostgroup"]:
         add_list, del_list = gen_add_del_lists(
-            module_params_get(module, key),
+            module.params_get(key),
             res_find.get('member_%s' % key, [])
         )
         if add_list:
@@ -285,8 +264,10 @@ def ensure_role_with_members_is_present(module, name, res_find, action):
             del_members[key] = [to_text(item) for item in del_list]
 
     service = [
-        to_text(svc) if '@' in svc else ('%s@%s' % (svc, api_get_realm()))
-        for svc in (module_params_get(module, 'service') or [])
+        to_text(svc)
+        if '@' in svc
+        else ('%s@%s' % (svc, module.ipa_get_realm()))
+        for svc in (module.params_get('service') or [])
     ]
     existing = [str(svc) for svc in res_find.get('member_service', [])]
     add_list, del_list = gen_add_del_lists(service, existing)
@@ -363,7 +344,7 @@ def process_commands(module, commands):
 
     for name, command, args in commands:
         try:
-            result = api_command(module, command, name, args)
+            result = module.ipa_command(command, name, args)
             if "completed" in result:
                 if result["completed"] > 0:
                     changed = True
@@ -385,7 +366,7 @@ def role_commands_for_name(module, state, action, name):
     """Define commands for the Role module."""
     commands = []
 
-    rename = module_params_get(module, "rename")
+    rename = module.params_get("rename")
 
     res_find = find_role(module, name)
 
@@ -420,12 +401,9 @@ def role_commands_for_name(module, state, action, name):
 
 def create_module():
     """Create module description."""
-    ansible_module = AnsibleModule(
+    ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # generalgroups
-            ipaadmin_principal=dict(type="str", default="admin"),
-            ipaadmin_password=dict(type="str", required=False, no_log=True),
-
             name=dict(type="list", aliases=["cn"], default=None,
                       required=True),
             # present
@@ -462,15 +440,13 @@ def main():
     check_parameters(ansible_module)
 
     # Init
-    ccache_dir = None
-    ccache_name = None
-    try:
-        ccache_dir, ccache_name = verify_credentials(ansible_module)
-        api_connect()
 
-        state = module_params_get(ansible_module, "state")
-        action = module_params_get(ansible_module, "action")
-        names = module_params_get(ansible_module, "name")
+    # Connect to IPA API
+    with ansible_module.ipa_connect():
+
+        state = ansible_module.params_get("state")
+        action = ansible_module.params_get("action")
+        names = ansible_module.params_get("name")
         commands = []
 
         for name in names:
@@ -479,12 +455,6 @@ def main():
 
         changed, exit_args = process_commands(ansible_module, commands)
 
-    except Exception as exception:  # pylint: disable=broad-except
-        ansible_module.fail_json(msg=str(exception))
-
-    finally:
-        temp_kdestroy(ccache_dir, ccache_name)
-
     # Done
     ansible_module.exit_json(changed=changed, **exit_args)
 
-- 
GitLab