From e30bcfd876bec39c8cd2c2fe0806c917eda04cfe Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Wed, 23 Feb 2022 15:17:08 +0100
Subject: [PATCH] ipaconfig: Set allow_empty_string for user_auth_type,
 pac_type, configstring

The parameters user_auth_type, pac_type and configstring are allowing to
use "" to reset to the default value or for configstring to set an empty
list.

The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.

A test has been added to verify that the empty strings are supported and
working.

Additionally empty pac_type, user_auth_type and domain_resolution_order
have been added to exit_args as if they have not been set.
---
 plugins/modules/ipaconfig.py                  |  15 +-
 .../test_config_empty_string_params.yml       | 143 ++++++++++++++++++
 2 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 tests/config/test_config_empty_string_params.yml

diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index 2a155bdf..f7901f2c 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -346,11 +346,13 @@ def main():
         "ca_renewal_master_server": "ca_renewal_master_server",
         "domain_resolution_order": "ipadomainresolutionorder"
     }
+    allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
     reverse_field_map = {v: k for k, v in field_map.items()}
 
     params = {}
     for x in field_map:
-        val = ansible_module.params_get(x)
+        val = ansible_module.params_get(
+            x, allow_empty_string=(x in allow_empty_string))
 
         if val is not None:
             params[field_map.get(x, x)] = val
@@ -401,6 +403,10 @@ def main():
                 k: v for k, v in params.items()
                 if k not in result or result[k] != v
             }
+            # Remove empty string args from params if result arg is not set
+            for k in ["ipakrbauthzdata", "ipauserauthtype", "ipaconfigstring"]:
+                if k not in result and k in params and params[k] == [""]:
+                    del params[k]
             if params \
                and not compare_args_ipa(ansible_module, params, result):
                 changed = True
@@ -441,6 +447,13 @@ def main():
                             raise ValueError(
                                 "Unexpected attribute type: %s" % arg_type)
                         exit_args[k] = type_map[arg_type](value)
+            # Add empty pac_type and user_auth_type if they are not set
+            for key in ["pac_type", "user_auth_type"]:
+                if key not in exit_args:
+                    exit_args[key] = ""
+            # Add empty domain_resolution_order if it is not set
+            if "domain_resolution_order" not in exit_args:
+                exit_args["domain_resolution_order"] = []
 
     # Done
     ansible_module.exit_json(changed=changed, config=exit_args)
diff --git a/tests/config/test_config_empty_string_params.yml b/tests/config/test_config_empty_string_params.yml
new file mode 100644
index 00000000..5329c203
--- /dev/null
+++ b/tests/config/test_config_empty_string_params.yml
@@ -0,0 +1,143 @@
+---
+- name: Test config
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
+  become: yes
+  gather_facts: no
+
+  tasks:
+
+  # GET CURRENT CONFIG
+
+  - name: Return current values of the global configuration options
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+    register: previousconfig
+
+  - name: Ensure config with empty pac_type, user_auth_type and configstring
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type: ""
+      user_auth_type: ""
+      configstring: ""
+
+  # TESTS
+
+  - name: Ensure config with pac_type "nfs:NONE" and PAD
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type:
+      - "nfs:NONE"
+      - PAD
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with pac_type "nfs:NONE" and PAD, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type:
+      - "nfs:NONE"
+      - PAD
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with empty pac_type
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type: ""
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with empty pac_type, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type: ""
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with user_auth_type otp and radius
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      user_auth_type:
+      - otp
+      - radius
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with user_auth_type otp and radius, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      user_auth_type:
+      - otp
+      - radius
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with empty user_auth_type
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      user_auth_type: ""
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with empty user_auth_type, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      user_auth_type: ""
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with configstring AllowNThash and "KDC:Disable Lockout"
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      configstring:
+      - AllowNThash
+      - "KDC:Disable Lockout"
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with configstring AllowNThash and "KDC:Disable Lockout", again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      configstring:
+      - AllowNThash
+      - "KDC:Disable Lockout"
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with empty configstring
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      configstring: ""
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with empty configstring, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      configstring: ""
+    register: result
+    failed_when: result.changed or result.failed
+
+  # REVERT TO PREVIOUS CONFIG
+
+  - name: Reset to previous pac_type and user_auth_type
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type: '{{ previousconfig.config.pac_type }}'
+      user_auth_type: '{{ previousconfig.config.user_auth_type }}'
+      configstring: '{{ previousconfig.config.configstring }}'
-- 
GitLab