From daee6a6c744a740329ca231a277229567619e10c Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 31 Jul 2020 11:33:47 -0300
Subject: [PATCH] Fix verification of parameters for modifying `salt`
 attribute.

When modifying an existing vault to change the value of `salt`, the
password must also change. It is fine to "change" the password to the
same value, thus only changing the salt value.
---
 plugins/modules/ipavault.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
index dffd9722..a608e64d 100644
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -517,6 +517,16 @@ def check_encryption_params(module, state, action, vault_type, salt,
             module.fail_json(
                 msg="Cannot modify password of inexistent vault.")
 
+        if (
+            salt is not None
+            and not(
+                any([password, password_file])
+                and any([new_password, new_password_file])
+            )
+        ):
+            module.fail_json(
+                msg="Vault `salt` can only change when changing the password.")
+
     if vault_type == "asymmetric":
         vault_type_invalid = [
             'password', 'password_file', 'new_password', 'new_password_file'
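Review bot: The added guard tests `salt is not None` but checks the password options by truthiness in `any([password, password_file])` and `any([new_password, new_password_file])`, so an explicitly supplied empty value counts as absent and the user gets the salt error instead of one about the password. If that is intended, a comment above the check would make it explicit, for example `# salt may only change together with the password, so both the current and the new password must be given`. The failure message would be more actionable if it ended with "; provide both the current and the new password", since the commit description's advice about re-supplying the same password never reaches the user. As a style point, `not(` reads like a function call and is conventionally written `not (`. The enclosing `if` starts above the hunk, so whether this guard is skipped when a vault is first created with a salt cannot be confirmed from here.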
-- 
GitLab