Commit b87b346a authored by Rafael Guterres Jeffman

ipahbacrule: Fix handling of hbacsvcgroup in members

FreeIPA provides a default hbacsvcgroup named "Sudo", with capital 'S',
that is different from every other hbacsvcgroup, which are all
represented by lower case letters.

As data from IPA API was not modified, this causes an idempotence error
when using different capitalization with the 'hbacsvcgroup' parameter.

This patch fixes the issue by using the CaseInsensitive comparator to
create the hbacsvcgroup list.

Tests were updated to make sure a regression is not included in the
future.
parent 4321478c
...@@ -188,13 +188,12 @@ def find_hbacrule(module, name): ...@@ -188,13 +188,12 @@ def find_hbacrule(module, name):
elif len(_result["result"]) == 1: elif len(_result["result"]) == 1:
res = _result["result"][0] res = _result["result"][0]
# hbacsvcgroup names are converted to lower case while creation with # hbacsvcgroup names are converted to lower case while creation with
# hbacsvcgroup_add. # hbacsvcgroup_add, but builtin names may have mixed case as "Sudo",
# The hbacsvcgroup for sudo is builtin with the name "Sudo" though. # breaking the lower case comparison. Therefore all
# This breaks the lower case comparison. Therefore all # memberservice_hbacsvcgroup items are converted to lower case.
# memberservice_hbacsvcgroup items are converted to lower case if # (See: https://pagure.io/freeipa/issue/9464).
# "Sudo" is in the list.
_member = "memberservice_hbacsvcgroup" _member = "memberservice_hbacsvcgroup"
if _member in res and "Sudo" in res[_member]: if _member in res:
res[_member] = [item.lower() for item in res[_member]] res[_member] = [item.lower() for item in res[_member]]
return res return res
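Review bot: In find_hbacrule, the now unconditional `res[_member] = [item.lower() for item in res[_member]]` means callers never see the stored name "Sudo", so any add or delete list derived from this result carries "sudo" and relies on the server resolving hbacsvcgroup names case-insensitively. State that assumption in the comment, or keep the original names and compare case-insensitively as the commit message describes. The lines shown also normalize only the server side; nothing visible here lower-cases the user-supplied hbacsvcgroup value, which the new 'Sudo' test depends on.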
...@@ -400,7 +399,8 @@ def main(): ...@@ -400,7 +399,8 @@ def main():
if hbacsvc is not None: if hbacsvc is not None:
hbacsvc_add, hbacsvc_del = gen_add_del_lists( hbacsvc_add, hbacsvc_del = gen_add_del_lists(
hbacsvc, res_find.get("memberservice_hbacsvc")) hbacsvc, res_find.get("memberservice_hbacsvc"),
)
if hbacsvcgroup is not None: if hbacsvcgroup is not None:
hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists( hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists(
......
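Review bot: The visible change on the hbacsvc call, a trailing comma after `res_find.get("memberservice_hbacsvc")` and the closing parenthesis moved to its own line, is formatting only and touches hbacsvc rather than hbacsvcgroup. If the case-insensitive handling named in the commit message lands on the hbacsvcgroup call that follows, keep this reformatting out of the fix or mention it in the message, so the functional change is easy to find when bisecting.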
...@@ -468,11 +468,51 @@ ...@@ -468,11 +468,51 @@
register: result register: result
failed_when: result.changed or result.failed failed_when: result.changed or result.failed
# Specifically test 'Sudo', as FreeIPA adds a "Sudo" hbacsvcgroup instead of "sudo"
- name: Ensure 'sudo' works as hbacsvcgroup.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: "test_sudo"
hbacsvcgroup:
- sudo
register: result
failed_when: not result.changed or result.failed
- name: Ensure 'sudo' works as hbacsvcgroup, again.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: "test_sudo"
hbacsvcgroup:
- sudo
register: result
failed_when: result.changed or result.failed
- name: Ensure 'sudo' works as hbacsvcgroup, action member.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: "test_sudo"
hbacsvcgroup:
- sudo
action: member
register: result
failed_when: result.changed or result.failed
- name: Ensure 'Sudo' works as hbacsvcgroup, action member.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: "test_sudo"
hbacsvcgroup:
- Sudo
register: result
failed_when: result.changed or result.failed
always: always:
- name: Ensure test hbacrule is absent - name: Ensure test hbacrule is absent
ipahbacrule: ipahbacrule:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
name: testrule name:
- testrule
- test_sudo
state: absent state: absent
- name: Ensure test users are absent - name: Ensure test users are absent
......
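Review bot: The last added task is named "Ensure 'Sudo' works as hbacsvcgroup, action member." but, unlike the task before it, has no `action: member`, so the member path is never exercised with the capitalized name. Either add `action: member` to that task, or rename it and add a separate member-action task for "Sudo". The first new task also expects `changed`, which assumes test_sudo does not exist at that point; unless the setup earlier in the file already removes it, an absent-state step before the new tasks would keep the test rerunnable after an aborted run.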