Skip to content
  1. Sep 01, 2021
    • Thomas Woerner's avatar
      ansible_freeipa_module: New IPAAnsibleModule class · d01c42d7
      Thomas Woerner authored
      This class is an extended version of the Ansible Module that provides
      IPA specific methods to simplify module generation.
      
      Simple example:
      
          from ansible.module_utils.ansible_freeipa_module import \
              IPAAnsibleModule
      
          def main():
              ansible_module = IPAAnsibleModule(
                  argument_spec=dict(
                        name=dict(type="str", aliases=["cn"], default=None),
                        state=dict(type="str", default="present",
                                   choices=["present", "absent"]),
                  ),
              )
      
              # Get parameters
              name = ansible_module.params_get("name")
              state = ansible_module.params_get("state")
      
              # Connect to IPA API
              with ansible_module.ipa_connect():
      
                  # Execute command
                  if state == "present":
                      ansible_module.ipa_command(["command_add", name, {}])
                  else:
                      ansible_module.ipa_command(["command_del", name, {}])
      
              # Done
      
              ansible_module.exit_json(changed=True)
      
          if __name__ == "__main__":
              main()
      d01c42d7
    • Rafael Guterres Jeffman's avatar
      pylint: Upgrade to version 2.10.2. · 928540fa
      Rafael Guterres Jeffman authored
      This PR sets pylint to version 2.10.2 in all linter actions, and
      fixes code in plugins so that this version new checks are either
      satisfied or ignored if needed.
      928540fa
  2. Aug 24, 2021
    • Thomas Woerner's avatar
      New ipamodule_base_vars · 7a665bdb
      Thomas Woerner authored
      There are common parameters in all modules like ipaadmin_principal and
      ipaadmin_password. As this list of common parameters will be extended
      soon, there is a need to reduce the code and documentation duplicates.
      
      A ModuleDocFragment is added to provide the module documentation for the
      common parameters. This is used in the modules with
      extends_documentation_fragment.
      
      ansible_freeipa_module has additional ipamodule_base_spec and
      get_ipamodule_base_vars. ipamodule_base_spec extends argument_spec in
      the module and get_ipamodule_base_vars is used to return a dict
      containing the common parameters.
      7a665bdb
  3. Aug 20, 2021
    • Thomas Woerner's avatar
      hbacrule: Create FQDN from single hostnames · b8488cb9
      Thomas Woerner authored
      Single hostnames can be used for hbacrule_add_host and will match fqdn
      in IPA internally. Simple host names have to be extended to be FQDN to
      be able to compare them for _host_add and _host_remove.
      
      Two new functions have been added to ansible_freeipa_module:
      
      - api_get_domain - Get the domain from the api
      - ensure_fqdn - Extend a single name with the domain
      
      This fixes #617 - hbacrule_add_host: already a member
      b8488cb9
  4. May 25, 2021
  5. May 18, 2021
    • Thomas Woerner's avatar
      New server management module · 16795b8b
      Thomas Woerner authored
      There is a new server management module placed in the plugins folder:
      
          plugins/modules/ipaserver.py
      
      The server module allows to ensure presence and absence of servers. The
      module requires an existing server, the deployment of a new server can
      not be done with the module.
      
      DNSName has been added to ansible_freeipa_module in plugins/module_utils
      as this is used for locations.
      
      Here is the documentation for the module:
      
          README-server.md
      
      New example playbooks have been added:
      
          playbooks/server/server-absent-continue.yml
          playbooks/server/server-absent-force.yml
          playbooks/server/server-absent-ignore_last_of_role.yml
          playbooks/server/server-absent-ignore_topology_disconnect.yml
          playbooks/server/server-absent.yml
          playbooks/server/server-hidden.yml
          playbooks/server/server-location.yml
          playbooks/server/server-no-location.yml
          playbooks/server/server-no-service-weight.yml
          playbooks/server/server-not-hidden.yml
          playbooks/server/server-present.yml
          playbooks/server/server-service-weight.yml
      
      New tests for the module:
      
          tests/server/test_server.yml
      
      Change in module_utils/ansible_freeipa_module:
      
          DNSName is imported from ipapython.dnsutil and also added to __all__
      16795b8b
  6. May 11, 2021
  7. May 05, 2021
    • Rafael Guterres Jeffman's avatar
      Fix compare_args_ipa when passing None as parameter. · c17e9fe2
      Rafael Guterres Jeffman authored
      There were no test for the arguments of compare_args_ipa() to check
      if they were `None`, and they were used in contexts where `None`
      would raise exceptions.
      
      A test was added to return `False` if only one of the parameters is
      `None`, and `True` if both are None.
      c17e9fe2
  8. May 04, 2021
    • Rafael Guterres Jeffman's avatar
      Force plugins to execute using LANGUAGE='C'. · 09942c3d
      Rafael Guterres Jeffman authored
      IPA translates exception messages and Ansible uses controller's
      language to execute plugins on target hosts, and since ansible-freeipa
      uses Exceptions messages to detect some errors and/or states, using any
      language that has a translation for the required messages may cause the
      plugin to misbehave.
      
      This patch modifies ansible_freeipa_module in plugin/module_utils to
      force the use of "C" as the language by setting the environment variable
      LANGUAGE.
      
      Tests were added to verify the correct behavior:
      
          tests/environment/test_locale.yml
      
      The first test will fail, if ansible_freeipa_module is not patched, with
      the message:
      
         host_show failed: nonexistent: host nicht gefunden
      
      This issue is not present if the language selected does not provide
      a translation for the eror message.
      
      This patch does not fix encoding issues that might occur in certain
      releases (e.g.: CentOS 8.3).
      
      Fix #516
      09942c3d
  9. Feb 16, 2021
  10. Dec 29, 2020
  11. Nov 16, 2020
    • Rafael Guterres Jeffman's avatar
      Add FreeIPA version check to module_utils.ansible_freeipa_module. · 2aaabc77
      Rafael Guterres Jeffman authored
      Some attribute values are only accepted for specific FreeIPA versions,
      for example `self` for permission's `bindtype`. Although there are
      options to check for command and parameter availability, there is no
      check for verifying if a value should be accepted.
      
      This patch add a function to evaluate the target FreeIPA host version,
      by comparing a giver version to the current installed one.
      
      The version evaluation uses Python packaging's version comparision,
      which is compatible with PEP 440, if available. If not available, it
      falls back to a string split, that will work for the most common cases,
      but might fail for versions including strings with `rc` or `dev`, for
      example.
      2aaabc77
  12. Nov 13, 2020
    • Rafael Guterres Jeffman's avatar
      Bypass Ansible filtering on data returned by the module. · 88f84cef
      Rafael Guterres Jeffman authored
      Due to Ansible filtering out values in the output that might be match
      values in sensible attributes that have `no_log` set, if a module need
      to return data to the controller, it cannot rely on
      `ansible_module.exit_json` if there is a chance that a partial match
      may occur.
      
      See: https://github.com/ansible/ansible/issues/71789
      
      The change provided here uses the same implementation that is used on
      Ansible's `AnsibleModule.exit_json`, without the data filtering layer,
      so every attribute with be printed and, therefore, logged by Ansible.
      
      This is needed for the Vault module, as we need to return values that
      are explicit requested by the user and that might, at least partially,
      match the values in attributes with `no_log` set.
      
      Tests that reproduced the issue, and show it was fixed were provided
      for all Vault types.
      88f84cef
  13. Aug 17, 2020
    • Rafael Guterres Jeffman's avatar
      Added support for client defined result data in FReeIPABaseModule · 531e544b
      Rafael Guterres Jeffman authored
      Modified support for processing result of IPA API commands so that
      client code can define its own processing and add return values to
      self.exit_args based on command result.
      
      If a subclass need to process the result of IPA API commands it should
      override the method `process_command_result`. The default implementation
      will simply evaluate if `changed` should be true.
      531e544b
  14. Aug 06, 2020
    • Sergio Oliveira Campos's avatar
      Allow multiple dns zones to be absent. · 75d16c2d
      Sergio Oliveira Campos authored
      This PR allow ipadnszone module to ensure that multiple dns zones
      are absent at once, to be consistent with other ansible-freeipa
      modules.
      
      To fix this issue, it was required that custom arguents must be
      passed using keyword arguments so that `get_ipa_command_args()`
      is kept generic.
      75d16c2d
  15. Aug 03, 2020
    • Sergio Oliveira Campos's avatar
      Fixed error msgs on FreeIPABaseModule subclasses · 563a03d9
      Sergio Oliveira Campos authored
      When a fail_json is called a SystemExit exeception is raised.
      Since the FreeIPABaseModule has an internal context manager to deal
      with exceptions this ContextManager captures the SystemExit. After
      dealing destroying the kinit session the SystemExit must be raised again
      to allow the fail_json to work properly.
      563a03d9
  16. May 12, 2020
    • Thomas Woerner's avatar
      ansible_freeipa_module: New function api_check_command · fdcdad2c
      Thomas Woerner authored
      This function can be used to check if a command is available in the API.
      
      This is used in ipauser module to check if user_add_certmapdata is available
      in the API.
      fdcdad2c
    • Thomas Woerner's avatar
      ansible_freeipa_module: New function DN_x500_text · 6a69bbea
      Thomas Woerner authored
      This function is needed to properly convert issuer and subject from a
      certificate or the issuer and subject parameters in ipauser for certmapdata
      to the data representation where the items in DN are reversed.
      
      The function additionally provides a fallback solution for IPA < 4.5.
      Certmapdata is not supported for IPA < 4.5, but the conversion is done
      before the API version can be checked.
      6a69bbea
    • Thomas Woerner's avatar
      ansible_freeipa_module: New function load_cert_from_str · 571cc210
      Thomas Woerner authored
      For certmapdata processing in ipauser it is needed to be able to load a cert
      from a string given in the task to be able to get the issuer and subject of
      the certificate. The format of the certifiacte here is lacking the markers
      for the begin and end of the certificate. Therefore load_pem_x509_certificate
      can not be used directly. Also in IPA < 4.5 it is needed to load the
      certificate with load_certificate instead of load_pem_x509_certificate. The
      function is implementing this properly.
      571cc210
  17. May 06, 2020
    • Thomas Woerner's avatar
      Do not remove member attributes while updating others · 457050c6
      Thomas Woerner authored
      Because of a missing check member attributes (for use with action: member)
      are cleared when a non-member attribute is changed. The fix simply adds a
      check for None (parameter not set) to gen_add_del_lists in
      ansible_freeipa_module to make sure that the parameter is only changed if
      it should be changed.
      
      All places where the add and removal lists have been generated manually
      have been changed to also use gen_add_del_lists.
      
      Resolves: #252 (The "Manager" attribute is removed when updating any user
                      attribute)
      457050c6
  18. Apr 26, 2020
  19. Apr 16, 2020
    • Thomas Woerner's avatar
      ansible_freeipa_module: Set KRB5CCNAME for api_connect (non root) · 871cce52
      Thomas Woerner authored
      In the case that the admin password has been set and become was not set
      the call to backend.connect in api_connect failed. The solution is simply
      to set os.environ["KRB5CCNAME"] in temp_kinit after kinit_password has
      been called using the temporary ccache. os.environ["KRB5CCNAME"] is not
      used automatically by api.Backend.[ldap2,rpcclient].connect. Afterwards
      os.environ["KRB5CCNAME"] is unset in temp_kdestroy if ccache_name is not
      None.
      
      Fixes: #249 (Kerberos errors while using the modules with a non-sudoer user)
      871cce52
  20. Mar 26, 2020
    • Sergio Oliveira Campos's avatar
      Fixed a bug in AnsibleFreeIPAParams · 22059072
      Sergio Oliveira Campos authored
      When accessing an instance of AnsibleFreeIPAParams with .get the obj was
      by-passing the call to _afm_convert which was the primaty reason why it
      was created.
      
      Also the class now extends Mapping instead of dict.
      22059072
  21. Mar 24, 2020
  22. Feb 20, 2020
Loading