From d990832681c5a31154e8ce911401abf2ec3f5c1e Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 17 May 2022 22:30:02 -0300
Subject: [PATCH] idrange: Fix addition of idrange with dom_name.

When ensuring presence of an idrange using dom_name instead of dom_sid,
the SID must be obtained so that the idrange can be created.

Related to RHBZ#2086993 and RHBZ#2086994.
---
 README-idrange.md              |  2 +-
 plugins/modules/ipaidrange.py  | 13 +++--
 tests/idrange/test_idrange.yml | 89 ++++++++++++++++++++++++++++++++++
 3 files changed, 99 insertions(+), 5 deletions(-)

diff --git a/README-idrange.md b/README-idrange.md
index 8855f0ef..0f584ab7 100644
--- a/README-idrange.md
+++ b/README-idrange.md
@@ -175,8 +175,8 @@ Variable | Description | Required
 `rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | no
 `secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | no
 `dom_sid` \| `ipanttrusteddomainsid` | Domain SID of the trusted domain. | no
-`dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. | no
 `idrange_type` \| `iparangetype` | ID range type, one of `ipa-ad-trust`, `ipa-ad-trust-posix`, `ipa-local`. Only valid if idrange does not exist. | no
+`dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. Can only be used when `ipaapi_context: server`. | no
 `auto_private_groups` \| `ipaautoprivategroups` | Auto creation of private groups, one of `true`, `false`, `hybrid`. | no
 `delete_continue` \| `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
diff --git a/plugins/modules/ipaidrange.py b/plugins/modules/ipaidrange.py
index 78553f94..b9e5dd98 100644
--- a/plugins/modules/ipaidrange.py
+++ b/plugins/modules/ipaidrange.py
@@ -74,7 +74,9 @@ options:
     required: false
     aliases: ["ipanttrusteddomainsid"]
   dom_name:
-    description: Domain name of the trusted domain.
+    description: |
+      Domain name of the trusted domain. Can only be used when
+      `ipaapi_context: server`.
     type: string
     required: false
     aliases: ["ipanttrusteddomainname"]
@@ -134,7 +136,7 @@ RETURN = """
 
 
 from ansible.module_utils.ansible_freeipa_module import \
-    IPAAnsibleModule, compare_args_ipa
+    IPAAnsibleModule, compare_args_ipa, get_trusted_domain_sid_from_name
 from ansible.module_utils import six
 
 if six.PY3:
@@ -154,7 +156,7 @@ def find_idrange(module, name):
 
 def gen_args(
     base_id, range_size, rid_base, secondary_rid_base, idrange_type, dom_sid,
-    auto_private_groups
+    dom_name, auto_private_groups
 ):
     _args = {}
     # Integer parameters are stored as strings.
@@ -169,6 +171,8 @@ def gen_args(
         _args["ipasecondarybaserid"] = secondary_rid_base
     if idrange_type is not None:
         _args["iparangetype"] = idrange_type
+    if dom_name is not None:
+        dom_sid = get_trusted_domain_sid_from_name(dom_name)
     if dom_sid is not None:
         _args["ipanttrusteddomainsid"] = dom_sid
     if auto_private_groups is not None:
@@ -230,6 +234,7 @@ def main():
     secondary_rid_base = ansible_module.params_get("secondary_rid_base")
     idrange_type = ansible_module.params_get("idrange_type")
     dom_sid = ansible_module.params_get("dom_sid")
+    dom_name = ansible_module.params_get("dom_name")
     auto_private_groups = \
         ansible_module.params_get_lowercase("auto_private_groups")
 
@@ -278,7 +283,7 @@ def main():
                 # Generate args
                 args = gen_args(
                     base_id, range_size, rid_base, secondary_rid_base,
-                    idrange_type, dom_sid, auto_private_groups
+                    idrange_type, dom_sid, dom_name, auto_private_groups
                 )
 
                 # Found the idrange
diff --git a/tests/idrange/test_idrange.yml b/tests/idrange/test_idrange.yml
index 0d12af90..9acc3beb 100644
--- a/tests/idrange/test_idrange.yml
+++ b/tests/idrange/test_idrange.yml
@@ -227,6 +227,50 @@
           name: ad_id_range
           state: absent
 
+      # Create trust with range_type: ipa-ad-trust-posix
+      - name: Create trust with range_type 'ipa-ad-trust'
+        include_tasks: tasks_set_trust.yml
+        vars:
+          trust_base_id: 10000000
+          trust_range_size: 200000
+          trust_range_type: ipa-ad-trust
+
+      - name: Ensure AD-trust idrange is present, with dom_name
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: ad_id_range
+          base_id: 150000000
+          range_size: 200000
+          rid_base: 1000000
+          idrange_type: ipa-ad-trust
+          dom_name: "{{ adserver.domain }}"
+          auto_private_groups: "false"
+        register: result
+        failed_when: not result.changed or result.failed
+
+      # Remove trust and idrange
+      - name: Remove test trust.
+        include_tasks: tasks_remove_trust.yml
+
+      - name: Ensure AD-trust idrange is absent
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: ad_id_range
+          state: absent
+
+      # Remove trust and idrange
+      - name: Remove test trust.
+        include_tasks: tasks_remove_trust.yml
+
+      - name: Ensure AD-trust idrange is absent
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: ad_id_range
+          state: absent
+
       # Create trust with range_type: ipa-ad-trust-posix
       - name: Create trust with range_type 'ipa-ad-trust-posix'
         include_tasks: tasks_set_trust.yml
@@ -260,6 +304,51 @@
         register: result
         failed_when: result.changed or result.failed
 
+      - name: Check if AD-trust-posix idrange is present, using dom_name
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: ad_posix_id_range
+          base_id: 150000000
+          range_size: 200000
+          idrange_type: ipa-ad-trust-posix
+          dom_name: "{{ adserver.domain }}"
+        check_mode: yes
+        register: result
+        failed_when: result.changed or result.failed
+
+      # Remove trust and idrange
+      - name: Remove test trust.
+        include_tasks: tasks_remove_trust.yml
+
+      - name: Ensure AD-trust idrange is absent
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: ad_posix_id_range
+          state: absent
+
+      # Create trust with range_type: ipa-ad-trust-posix
+      - name: Create trust with range_type 'ipa-ad-trust-posix'
+        include_tasks: tasks_set_trust.yml
+        vars:
+          trust_base_id: 10000000
+          trust_range_size: 2000000
+          trust_range_type: ipa-ad-trust-posix
+
+      # Can't use secondary_rid_base or rid_base with "ad-trust-posix"
+      - name: Ensure AD-trust-posix idrange is present, with dom_name
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: ad_posix_id_range
+          base_id: 150000000
+          range_size: 200000
+          idrange_type: ipa-ad-trust-posix
+          dom_name: "{{ adserver.domain }}"
+        register: result
+        failed_when: not result.changed or result.failed
+
     always:
       # CLEANUP TEST ITEMS
       - name: Remove test trust.
-- 
GitLab