97670e8e
Unverified
Commit
97670e8e
authored
3 years ago
by
Rafael Guterres Jeffman
Committed by
GitHub
3 years ago
Merge pull request #640 from t-woerner/group_class_fixes
group: Fix nonposix, posix and external handling and conversions
parents
ccb07cbe
1f250243
Showing
3 changed files
README-group.md
+3
-3
3 additions, 3 deletions
README-group.md
plugins/modules/ipagroup.py
+37
-41
37 additions, 41 deletions
plugins/modules/ipagroup.py
tests/group/test_group_external_nonposix.yml
+180
-7
180 additions, 7 deletions
tests/group/test_group_external_nonposix.yml
with
220 additions
and
51 deletions
README-group.md
+
3
−
3
...
...
@@ -157,9 +157,9 @@ Variable | Description | Required
`name` \| `cn` | The list of group name strings. | no
`description` | The group description string. | no
`gid` \| `gidnumber` | The GID integer. | no
`posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
`nonposix` | Create as a non-POSIX group. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
`posix` | Create a non-POSIX group or change a non-POSIX to a posix group.
`nonposix`, `posix` and `external` are mutually exclusive.
(bool) | no
`nonposix` | Create as a non-POSIX group.
`nonposix`, `posix` and `external` are mutually exclusive.
(bool) | no
`external` | Allow adding external non-IPA members from trusted domains.
`nonposix`, `posix` and `external` are mutually exclusive.
(bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this group. | no
`group` | List of group name strings assigned to this group. | no
...
...
plugins/modules/ipagroup.py
+
37
−
41
...
...
@@ -232,43 +232,25 @@ def is_external_group(res_find):
def
is_posix_group
(
res_find
):
"""
Verify if the result group is an
external
group.
"""
"""
Verify if the result group is an
posix
group.
"""
return
res_find
and
'
posixgroup
'
in
res_find
[
'
objectclass
'
]
def
check_objectclass_args
(
module
,
res_find
,
nonposix
,
posix
,
external
):
def
check_objectclass_args
(
module
,
res_find
,
posix
,
external
):
# Only a nonposix group can be changed to posix or external
# A posix group can not be changed to nonposix or external
if
is_posix_group
(
res_find
):
if
(
(
posix
is
not
None
and
posix
is
False
)
or
nonposix
or
external
):
if
external
is
not
None
and
external
or
posix
is
False
:
module
.
fail_json
(
msg
=
"
Cannot change `
POSIX` status of a group
"
"
to `non-POSIX` or
`external`.
"
)
#
Can't change an existing
external
group
msg
=
"
Cannot change `
posix` group to `non-posix` or
"
"
`external`.
"
)
#
An external group can not be changed to nonposix or posix or non
external
if
is_external_group
(
res_find
):
if
(
posix
or
(
nonposix
is
not
None
and
nonposix
is
False
)
or
(
external
is
not
None
and
external
is
False
)
):
if
external
is
False
or
posix
is
not
None
:
module
.
fail_json
(
msg
=
"
Cannot change `external` status of group
"
"
to `POSIX` or `non-external`.
"
)
def
should_modify_group
(
module
,
res_find
,
args
,
nonposix
,
posix
,
external
):
if
not
compare_args_ipa
(
module
,
args
,
res_find
):
return
True
if
any
([
posix
,
nonposix
]):
set_posix
=
posix
or
(
nonposix
is
not
None
and
not
nonposix
)
if
set_posix
and
not
is_posix_group
(
res_find
):
return
True
if
not
is_external_group
(
res_find
)
and
external
:
if
not
is_posix_group
(
res_find
):
return
True
return
False
msg
=
"
Cannot change `external` group to `posix` or
"
"
`non-posix`.
"
)
def
main
():
...
...
@@ -301,7 +283,9 @@ def main():
state
=
dict
(
type
=
"
str
"
,
default
=
"
present
"
,
choices
=
[
"
present
"
,
"
absent
"
]),
),
mutually_exclusive
=
[[
'
posix
'
,
'
nonposix
'
]],
# It does not make sense to set posix, nonposix or external at the
# same time
mutually_exclusive
=
[[
'
posix
'
,
'
nonposix
'
,
'
external
'
]],
supports_check_mode
=
True
,
)
...
...
@@ -358,11 +342,19 @@ def main():
msg
=
"
Argument
'
%s
'
can not be used with state
'
%s
'"
%
(
x
,
state
))
if
external
is
False
:
ansible_module
.
fail_json
(
msg
=
"
group can not be non-external
"
)
# Init
changed
=
False
exit_args
=
{}
# If nonposix is used, set posix as not nonposix
if
nonposix
is
not
None
:
posix
=
not
nonposix
# Connect to IPA API
with
ansible_module
.
ipa_connect
():
...
...
@@ -391,8 +383,8 @@ def main():
# Create command
if
state
==
"
present
"
:
# Can't change an existing posix group
check_objectclass_args
(
ansible_module
,
res_find
,
non
posix
,
posix
,
external
)
check_objectclass_args
(
ansible_module
,
res_find
,
posix
,
external
)
# Generate args
args
=
gen_args
(
description
,
gid
,
nomembers
)
...
...
@@ -400,21 +392,25 @@ def main():
if
action
==
"
group
"
:
# Found the group
if
res_find
is
not
None
:
# For all settings i
s
args, check if there are
# For all settings i
n
args, check if there are
# different settings in the find result.
# If yes: modify
if
should_modify_group
(
ansible_module
,
res_find
,
args
,
nonposix
,
posix
,
external
):
if
(
posix
or
(
nonposix
is
not
None
and
not
nonposix
)
# Also if it is a modification from nonposix to posix
# or nonposix to external.
if
not
compare_args_ipa
(
ansible_module
,
args
,
res_find
)
or
\
(
not
is_posix_group
(
res_find
)
and
not
is_external_group
(
res_find
)
and
(
posix
or
external
)
):
if
posix
:
args
[
'
posix
'
]
=
True
if
external
:
args
[
'
external
'
]
=
True
commands
.
append
([
name
,
"
group_mod
"
,
args
])
else
:
if
nonposix
or
(
posix
is
not
None
and
not
posix
)
:
if
posix
is
not
None
and
not
posix
:
args
[
'
nonposix
'
]
=
True
if
external
:
args
[
'
external
'
]
=
True
...
...
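Review bot: In the last hunk of main(), `args['posix'] = True` and `args['external'] = True` are added whenever the parameter is truthy, not only when the group still lacks that object class. The enclosing condition also fires when `compare_args_ipa` reports any other difference, so a task that changes another attribute of a group that is already posix while passing `posix: yes` would send `posix` in the `group_mod` call; whether the server rejects that is not visible on this page, but it is not the idempotent behaviour the guard is aiming for. Consider `if posix and not is_posix_group(res_find):` and `if external and not is_external_group(res_find):` for the two assignments. main() starts and ends outside this hunk, and the tests added in this commit do not appear to cover that combination.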
tests/group/test_group_external_nonposix.yml
+
180
−
7
...
...
@@ -14,6 +14,28 @@
-
posixgroup
state
:
absent
-
name
:
Ensure test users testuser1, testuser2 and testuser3 are absent
ipauser
:
ipaadmin_password
:
SomeADMINpassword
name
:
testuser1,testuser2,testuser3
state
:
absent
-
name
:
Ensure test users testuser1..testuser3 are present
ipauser
:
ipaadmin_password
:
SomeADMINpassword
users
:
-
name
:
testuser1
first
:
testuser1
last
:
Last
-
name
:
testuser2
first
:
testuser2
last
:
Last
-
name
:
testuser3
first
:
testuser3
last
:
Last
register
:
result
failed_when
:
not result.changed or result.failed
-
name
:
Add nonposix group.
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
...
...
@@ -52,7 +74,7 @@
name
:
extgroup
external
:
no
register
:
result
failed_when
:
not result.failed or "
C
annot
change `external` status of group
" not in result.msg
failed_when
:
not result.failed or "
group c
an
not
be non-external
" not in result.msg
-
name
:
Set external group to be posix.
ipagroup
:
...
...
@@ -60,7 +82,7 @@
name
:
extgroup
posix
:
yes
register
:
result
failed_when
:
not result.failed or "Cannot change `external`
status of
group" not in result.msg
failed_when
:
not result.failed or "Cannot change `external` group" not in result.msg
-
name
:
Add nonposix group.
ipagroup
:
...
...
@@ -92,23 +114,23 @@
name
:
posixgroup
external
:
yes
register
:
result
failed_when
:
not result.failed or "Cannot change `
POSIX` status of a
group" not in result.msg
failed_when
:
not result.failed or "Cannot change `
posix`
group" not in result.msg
-
name
:
Set posix group to be non-
POSIX
.
-
name
:
Set posix group to be non-
posix
.
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
posixgroup
posix
:
no
register
:
result
failed_when
:
not result.failed or "Cannot change `
POSIX` status of a
group" not in result.msg
failed_when
:
not result.failed or "Cannot change `
posix`
group" not in result.msg
-
name
:
Set posix group to be non-
POSIX
.
-
name
:
Set posix group to be non-
posix
.
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
posixgroup
nonposix
:
yes
register
:
result
failed_when
:
not result.failed or "Cannot change `
POSIX` status of a
group" not in result.msg
failed_when
:
not result.failed or "Cannot change `
posix`
group" not in result.msg
-
name
:
Add nonposix group.
ipagroup
:
...
...
@@ -126,8 +148,159 @@
register
:
result
failed_when
:
result.failed or result.changed
# NONPOSIX MEMBER TEST
-
name
:
Ensure users testuser1, testuser2 and testuser3 are present in group nonposixgroup
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
nonposixgroup
nonposix
:
yes
user
:
-
testuser1
-
testuser2
-
testuser3
register
:
result
failed_when
:
not result.changed or result.failed
-
name
:
Ensure users testuser1, testuser2 and testuser3 are present in group nonposixgroup again
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
nonposixgroup
nonposix
:
yes
user
:
-
testuser1
-
testuser2
-
testuser3
register
:
result
failed_when
:
result.changed or result.failed
# POSIX MEMBER TEST
-
name
:
Ensure users testuser1, testuser2 and testuser3 are present in group posixgroup
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
posixgroup
posix
:
yes
user
:
-
testuser1
-
testuser2
-
testuser3
register
:
result
failed_when
:
not result.changed or result.failed
-
name
:
Ensure users testuser1, testuser2 and testuser3 are present in group posixgroup again
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
posixgroup
posix
:
yes
user
:
-
testuser1
-
testuser2
-
testuser3
register
:
result
failed_when
:
result.changed or result.failed
# EXTERNAL MEMBER TEST (REQUIRES AD)
-
block
:
-
name
:
Ensure users testuser1, testuser2 and testuser3 are present in group externalgroup
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
externalgroup
external
:
yes
user
:
-
testuser1
-
testuser2
-
testuser3
register
:
result
failed_when
:
not result.changed or result.failed
-
name
:
Ensure users testuser1, testuser2 and testuser3 are present in group externalgroup again
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
externalgroup
external
:
yes
user
:
-
testuser1
-
testuser2
-
testuser3
register
:
result
failed_when
:
result.changed or result.failed
when
:
trust_test_is_supported | default(false)
# CONVERT NONPOSIX TO POSIX GROUP WITH USERS
-
name
:
Ensure nonposix group nonposixgroup as posix
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
nonposixgroup
posix
:
yes
register
:
result
failed_when
:
not result.changed or result.failed
-
name
:
Ensure nonposix group nonposixgroup as posix, again
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
nonposixgroup
posix
:
yes
register
:
result
failed_when
:
result.changed or result.failed
-
name
:
Ensure nonposix group nonposixgroup (now posix) has users still
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
nonposixgroup
posix
:
yes
user
:
-
testuser1
-
testuser2
-
testuser3
register
:
result
failed_when
:
result.changed or result.failed
# FAIL ON COMBINATIONS OF NONPOSIX, POSIX AND EXTERNAL
-
name
:
Fail to ensure group as nonposix and posix
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
posixgroup
nonposix
:
yes
posix
:
yes
register
:
result
failed_when
:
not result.failed or "parameters are mutually exclusive" not in result.msg
-
name
:
Fail to ensure group as nonposix and external
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
posixgroup
nonposix
:
yes
external
:
yes
register
:
result
failed_when
:
not result.failed or "parameters are mutually exclusive" not in result.msg
-
name
:
Fail to ensure group as posix and external
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
posixgroup
posix
:
yes
external
:
yes
register
:
result
failed_when
:
not result.failed or "parameters are mutually exclusive" not in result.msg
# CLEANUP
-
name
:
Remove testing groups.
ipagroup
:
ipaadmin_password
:
SomeADMINpassword
name
:
extgroup,nonposixgroup,posixgroup
state
:
absent
-
name
:
Ensure test users testuser1, testuser2 and testuser3 are absent
ipauser
:
ipaadmin_password
:
SomeADMINpassword
name
:
testuser1,testuser2,testuser3
state
:
absent
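Review bot: The CLEANUP task removes `extgroup,nonposixgroup,posixgroup`, but the new EXTERNAL MEMBER TEST block creates a group named `externalgroup`, which nothing visible here deletes. Where `trust_test_is_supported` is set, a second run would find that group with its members already present, and the first task's `failed_when: not result.changed or result.failed` would then fail. Add it to the cleanup list, `name: extgroup,externalgroup,nonposixgroup,posixgroup`, and to the initial absent list if it is missing there as well (that list is only partly visible in this view).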