From d6700b964f743f57cebb2c49dad1dd1a31b99f86 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 18 Nov 2020 16:18:32 -0300
Subject: [PATCH] ipasudocmdgroup: Fix creation of sudocmdgroups with sudocmds.

This PR fixes the creation of sudocmdgroups when the sudocmds are
specified, allowing groups to be created with sudocmd members in a
single task.

Fix issue #440.
---
 plugins/modules/ipasudocmdgroup.py       | 42 +++++++++----------
 tests/sudocmdgroup/test_sudocmdgroup.yml | 52 +++++++++++++++++++++++-
 2 files changed, 70 insertions(+), 24 deletions(-)

diff --git a/plugins/modules/ipasudocmdgroup.py b/plugins/modules/ipasudocmdgroup.py
index a5b0e4e4..9d9ce674 100644
--- a/plugins/modules/ipasudocmdgroup.py
+++ b/plugins/modules/ipasudocmdgroup.py
@@ -113,22 +113,18 @@ from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
     temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
     gen_add_del_lists
 
+import ipalib
+
 
 def find_sudocmdgroup(module, name):
-    _args = {
-        "all": True,
-        "cn": to_text(name),
-    }
-
-    _result = api_command(module, "sudocmdgroup_find", to_text(name), _args)
-
-    if len(_result["result"]) > 1:
-        module.fail_json(
-            msg="There is more than one sudocmdgroup '%s'" % (name))
-    elif len(_result["result"]) == 1:
-        return _result["result"][0]
-    else:
+    args = {"all": True}
+
+    try:
+        _result = api_command(module, "sudocmdgroup_show", to_text(name), args)
+    except ipalib.errors.NotFound:
         return None
+    else:
+        return _result["result"]
 
 
 def gen_args(description, nomembers):
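Review bot: The `except ipalib.errors.NotFound` clause in find_sudocmdgroup relies on a bare `import ipalib` exposing the `errors` submodule as an attribute, which presumably works only because the package's own `__init__` loads it. Importing it explicitly with `import ipalib.errors` removes that dependency. The function also changes contract here (exact lookup via `sudocmdgroup_show`, with None for a missing entry) and has no docstring; I would add `"""Return the sudocmdgroup entry for name, or None if it does not exist."""`. Any error other than NotFound now propagates to the caller, so the handler in main, which is outside this hunk, should be confirmed to turn it into a clean module failure.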
@@ -141,10 +137,10 @@ def gen_args(description, nomembers):
     return _args
 
 
-def gen_member_args(sudocmdgroup):
+def gen_member_args(sudocmd):
     _args = {}
-    if sudocmdgroup is not None:
-        _args["member_sudocmdgroup"] = sudocmdgroup
+    if sudocmd is not None:
+        _args["member_sudocmd"] = sudocmd
 
     return _args
 
@@ -258,28 +254,28 @@ def main():
                     if not compare_args_ipa(ansible_module, member_args,
                                             res_find):
                         # Generate addition and removal lists
-                        sudocmdgroup_add, sudocmdgroup_del = \
+                        sudocmd_add, sudocmd_del = \
                             gen_add_del_lists(
-                                sudocmdgroup,
-                                res_find.get("member_sudocmdgroup"))
+                                sudocmd,
+                                res_find.get("member_sudocmd"))
 
                         # Add members
-                        if len(sudocmdgroup_add) > 0:
+                        if len(sudocmd_add) > 0:
                             commands.append([name, "sudocmdgroup_add_member",
                                              {
                                                  "sudocmd": [to_text(c)
                                                              for c in
-                                                             sudocmdgroup_add]
+                                                             sudocmd_add]
                                              }
                                              ])
                         # Remove members
-                        if len(sudocmdgroup_del) > 0:
+                        if len(sudocmd_del) > 0:
                             commands.append([name,
                                              "sudocmdgroup_remove_member",
                                              {
                                                  "sudocmd": [to_text(c)
                                                              for c in
-                                                             sudocmdgroup_del]
+                                                             sudocmd_del]
                                              }
                                              ])
                 elif action == "member":
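Review bot: `res_find.get("member_sudocmd")` assumes res_find is a dict, but find_sudocmdgroup returns None for a group that does not exist, which is the create-with-members case this commit targets. The code that sets res_find before this branch starts outside the hunk, so confirm it is replaced by an empty dict on the add path; otherwise guard the lookup with `(res_find or {}).get("member_sudocmd")`. As a smaller style point, `if len(sudocmd_add) > 0:` and `if len(sudocmd_del) > 0:` read more directly as `if sudocmd_add:` and `if sudocmd_del:`.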
diff --git a/tests/sudocmdgroup/test_sudocmdgroup.yml b/tests/sudocmdgroup/test_sudocmdgroup.yml
index ce149de6..0b039d3a 100644
--- a/tests/sudocmdgroup/test_sudocmdgroup.yml
+++ b/tests/sudocmdgroup/test_sudocmdgroup.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Test sudocmdgroup
   hosts: ipaserver
   become: true
@@ -53,6 +52,57 @@
     register: result
     failed_when: result.changed
 
+  - name: Ensure sudocmdgroup is present, with sudocmds.
+    ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: network
+      sudocmd:
+      - /usr/sbin/ifconfig
+      - /usr/sbin/iwlist
+      state: present
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure sudocmdgroup is present, with sudocmds, again.
+    ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: network
+      sudocmd:
+      - /usr/sbin/ifconfig
+      - /usr/sbin/iwlist
+      state: present
+    register: result
+    failed_when: result.changed
+
+  - name: Verify sudocmdgroup creation with sudocmds
+    block:
+    - name: Get Kerberos ticket for `admin`.
+      shell: echo SomeADMINpassword | kinit -c test_sudocmdgroup_krb5ccname admin
+
+    - name: Check sudocmdgroup-show output.
+      shell: ipa sudocmdgroup-show network --all
+      register: result
+      failed_when: result.failed or not("/usr/sbin/ifconfig" in result.stdout and "/usr/sbin/iwlist" in result.stdout)
+
+    - name: Destroy Kerberos tickets.
+      shell: kdestroy -A -q -c test_sudocmdgroup_krb5ccname
+
+  - name: Ensure sudocmdgroup, with sudocmds, is absent
+    ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: network
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure sudocmdgroup, with sudocmds, is absent again
+    ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: network
+      state: absent
+    register: result
+    failed_when: result.changed
+
   - name: Ensure testing sudocmdgroup is present
     ipasudocmdgroup:
       ipaadmin_password: SomeADMINpassword
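Review bot: The verification block writes the admin ticket to the cache `test_sudocmdgroup_krb5ccname` with `kinit -c`, but the following `ipa sudocmdgroup-show` task never sets KRB5CCNAME, so it reads the default cache instead. The check therefore passes only if a ticket happens to exist there. The cleanup is also a plain task inside `block:`, so a failed check leaves the admin ticket on the host. In addition, `kdestroy -A` removes every cache in the collection rather than just the one the test created. Setting the cache once through `environment:` on the block, moving cleanup under `always:` and dropping `-A` addresses all three.

```yaml
  - name: Verify sudocmdgroup creation with sudocmds
    environment:
      KRB5CCNAME: test_sudocmdgroup_krb5ccname
    block:
    - name: Get Kerberos ticket for `admin`.
      shell: echo SomeADMINpassword | kinit admin
    # … unchanged: "Check sudocmdgroup-show output." task …
    always:
    - name: Destroy Kerberos tickets.
      shell: kdestroy -q -c test_sudocmdgroup_krb5ccname
```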
-- 
GitLab