From d6700b964f743f57cebb2c49dad1dd1a31b99f86 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman <rjeffman@redhat.com> Date: Wed, 18 Nov 2020 16:18:32 -0300 Subject: [PATCH] ipasudocmdgroup: Fix creation of sudocmdgroups with sudocmds. This PR fixes the creation of sudocmdgroups when the sudocmds are specified, allowing groups to be created with sudocmd members in a single task. Fix issue #440. --- plugins/modules/ipasudocmdgroup.py | 42 +++++++++---------- tests/sudocmdgroup/test_sudocmdgroup.yml | 52 +++++++++++++++++++++++- 2 files changed, 70 insertions(+), 24 deletions(-) diff --git a/plugins/modules/ipasudocmdgroup.py b/plugins/modules/ipasudocmdgroup.py index a5b0e4e4..9d9ce674 100644 --- a/plugins/modules/ipasudocmdgroup.py +++ b/plugins/modules/ipasudocmdgroup.py @@ -113,22 +113,18 @@ from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ gen_add_del_lists +import ipalib + def find_sudocmdgroup(module, name): - _args = { - "all": True, - "cn": to_text(name), - } - - _result = api_command(module, "sudocmdgroup_find", to_text(name), _args) - - if len(_result["result"]) > 1: - module.fail_json( - msg="There is more than one sudocmdgroup '%s'" % (name)) - elif len(_result["result"]) == 1: - return _result["result"][0] - else: + args = {"all": True} + + try: + _result = api_command(module, "sudocmdgroup_show", to_text(name), args) + except ipalib.errors.NotFound: return None + else: + return _result["result"] def gen_args(description, nomembers): @@ -141,10 +137,10 @@ def gen_args(description, nomembers): return _args -def gen_member_args(sudocmdgroup): +def gen_member_args(sudocmd): _args = {} - if sudocmdgroup is not None: - _args["member_sudocmdgroup"] = sudocmdgroup + if sudocmd is not None: + _args["member_sudocmd"] = sudocmd return _args 
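Review bot: The `except ipalib.errors.NotFound` handler in `find_sudocmdgroup` relies on the bare `import ipalib` having loaded the `errors` submodule as a side effect; `import ipalib.errors` (or `from ipalib import errors`) would state that dependency explicitly. The function now returns `None` only for NotFound and lets every other error from `api_command` propagate, which differs from the old find-based lookup, so a docstring would record the new contract: `"""Return the sudocmdgroup entry for name, or None if it does not exist."""`. The local was also renamed to `args`, while `gen_args` and `gen_member_args` in the same hunk keep `_args`; one convention would read better.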
@@ -258,28 +254,28 @@ def main(): if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists - sudocmdgroup_add, sudocmdgroup_del = \ + sudocmd_add, sudocmd_del = \ gen_add_del_lists( - sudocmdgroup, - res_find.get("member_sudocmdgroup")) + sudocmd, + res_find.get("member_sudocmd")) # Add members - if len(sudocmdgroup_add) > 0: + if len(sudocmd_add) > 0: commands.append([name, "sudocmdgroup_add_member", { "sudocmd": [to_text(c) for c in - sudocmdgroup_add] + sudocmd_add] } ]) # Remove members - if len(sudocmdgroup_del) > 0: + if len(sudocmd_del) > 0: commands.append([name, "sudocmdgroup_remove_member", { "sudocmd": [to_text(c) for c in - sudocmdgroup_del] + sudocmd_del] } ]) elif action == "member": diff --git a/tests/sudocmdgroup/test_sudocmdgroup.yml b/tests/sudocmdgroup/test_sudocmdgroup.yml index ce149de6..0b039d3a 100644 --- a/tests/sudocmdgroup/test_sudocmdgroup.yml +++ b/tests/sudocmdgroup/test_sudocmdgroup.yml @@ -1,5 +1,4 @@ --- - - name: Test sudocmdgroup hosts: ipaserver become: true 
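Review bot: `res_find.get("member_sudocmd")` assumes `res_find` is a dict, yet `find_sudocmdgroup` now returns `None` when the group does not exist, which is exactly the create-with-members case this commit targets. main() starts and ends outside the hunk, so it cannot be confirmed here whether `res_find` is replaced by an empty dict before this point; if it is not, a guard such as `(res_find or {}).get("member_sudocmd")` is needed. As a style point, `if len(sudocmd_add) > 0:` and `if len(sudocmd_del) > 0:` read more simply as `if sudocmd_add:` and `if sudocmd_del:`.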
@@ -53,6 +52,57 @@ register: result failed_when: result.changed + - name: Ensure sudocmdgroup is present, with sudocmds. + ipasudocmdgroup: + ipaadmin_password: SomeADMINpassword + name: network + sudocmd: + - /usr/sbin/ifconfig + - /usr/sbin/iwlist + state: present + register: result + failed_when: not result.changed + + - name: Ensure sudocmdgroup is present, with sudocmds, again. + ipasudocmdgroup: + ipaadmin_password: SomeADMINpassword + name: network + sudocmd: + - /usr/sbin/ifconfig + - /usr/sbin/iwlist + state: present + register: result + failed_when: result.changed + + - name: Verify sudocmdgroup creation with sudocmds + block: + - name: Get Kerberos ticket for `admin`. + shell: echo SomeADMINpassword | kinit -c test_sudocmdgroup_krb5ccname admin + + - name: Check sudocmdgroup-show output. + shell: ipa sudocmdgroup-show network --all + register: result + failed_when: result.failed or not("/usr/sbin/ifconfig" in result.stdout and "/usr/sbin/iwlist" in result.stdout) + + - name: Destroy Kerberos tickets. + shell: kdestroy -A -q -c test_sudocmdgroup_krb5ccname + + - name: Ensure sudocmdgroup, with sudocmds, is absent + ipasudocmdgroup: + ipaadmin_password: SomeADMINpassword + name: network + state: absent + register: result + failed_when: not result.changed + + - name: Ensure sudocmdgroup, with sudocmds, is absent again + ipasudocmdgroup: + ipaadmin_password: SomeADMINpassword + name: network + state: absent + register: result + failed_when: result.changed + - name: Ensure testing sudocmdgroup is present ipasudocmdgroup: ipaadmin_password: SomeADMINpassword -- GitLab
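Review bot: The "Check sudocmdgroup-show output." task runs `ipa sudocmdgroup-show network --all` without pointing it at the cache that the preceding `kinit -c test_sudocmdgroup_krb5ccname` wrote, so as written the check appears to depend on whatever is in the default credential cache; `shell: KRB5CCNAME=test_sudocmdgroup_krb5ccname ipa sudocmdgroup-show network --all` would tie the two steps together. The "Destroy Kerberos tickets." task is an ordinary member of the block, so a failed check leaves an admin ticket cache behind on the host; moving it under `always:` would clean up on every path. The admin password also sits in the `echo ... | kinit` command string, which Ansible records in task output; passing it through the shell module's `stdin` argument together with `no_log: true` would keep it out of logs.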