ipahost: Add support for 'passkey' in 'auth_ind'

The value 'passkey' was missing as a valid value for auth_ind attribute. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2026-03-26 21:33:05 +00:00 · 2025-07-04 17:59:05 -03:00
parent a733c031b0
commit 1488fb7b5e
3 changed files with 40 additions and 4 deletions
--- a/README-host.md
+++ b/README-host.md
@@ -354,7 +354,7 @@ Variable | Description | Required
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
-`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. An additional check ensures that only types can be used that are supported by the IPA version. Choices: ["radius", "otp", "pkinit", "hardened", "idp", ""] | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. An additional check ensures that only types can be used that are supported by the IPA version. Choices: ["radius", "otp", "pkinit", "hardened", "idp", "passkey", ""] | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
--- a/plugins/modules/ipahost.py
+++ b/plugins/modules/ipahost.py
@@ -184,7 +184,7 @@ options:
        type: list
        elements: str
        aliases: ["krbprincipalauthind"]
-        choices: ["radius", "otp", "pkinit", "hardened", "idp", ""]
+        choices: ["radius", "otp", "pkinit", "hardened", "idp", "passkey", ""]
        required: false
      requires_pre_auth:
        description: Pre-authentication is required for the service
@@ -356,7 +356,7 @@ options:
    type: list
    elements: str
    aliases: ["krbprincipalauthind"]
-    choices: ["radius", "otp", "pkinit", "hardened", "idp", ""]
+    choices: ["radius", "otp", "pkinit", "hardened", "idp", "passkey", ""]
    required: false
  requires_pre_auth:
    description: Pre-authentication is required for the service
@@ -758,7 +758,7 @@ def main():
        auth_ind=dict(type='list', elements="str",
                      aliases=["krbprincipalauthind"], default=None,
                      choices=["radius", "otp", "pkinit", "hardened", "idp",
-                               ""]),
+                               "passkey", ""]),
        requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"],
                               default=None),
        ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"],
--- a/tests/host/test_host_empty_string_params.yml
+++ b/tests/host/test_host_empty_string_params.yml
@@ -5,6 +5,9 @@
  gather_facts: yes

  tasks:
+  - name: Include FreeIPA facts.
+    ansible.builtin.include_tasks: ../env_freeipa_facts.yml
+
  - name: Get Domain from server name
    ansible.builtin.set_fact:
      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"
@@ -58,6 +61,39 @@
    register: result
    failed_when: result.changed or result.failed

+  - name: Ensure host "{{ host1_fqdn }}" present with auth_ind passkey
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: "{{ host1_fqdn }}"
+      auth_ind:
+      - passkey
+    register: result
+    when: passkey_is_supported
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure host "{{ host1_fqdn }}" present with auth_ind passkey, again
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: "{{ host1_fqdn }}"
+      auth_ind:
+      - passkey
+    register: result
+    when: passkey_is_supported
+    failed_when: result.changed or result.failed
+
+  - name: Check if correct message is given if passkey is not supported.
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: "{{ host1_fqdn }}"
+      auth_ind:
+      - passkey
+    register: result
+    when: not passkey_is_supported
+    failed_when: not result.failed or "'passkey' is not supported" not in result.msg
+
  - name: Ensure host "{{ host1_fqdn }}" present with empty auth_ind
    ipahost:
      ipaadmin_password: SomeADMINpassword