internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity

ipaservice: Add support for 'passkey' in 'auth_ind'

Browse Source 
The value 'passkey' was missing as a valid value for auth_ind attribute.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
Rafael Guterres Jeffman
2025-07-04 18:11:19 -03:00
parent 1488fb7b5e
commit 17b100baec
3 changed files with 37 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README-service.md
View File

@@ -361,7 +361,7 @@ Variable | Description | Required
-------- | ----------- | -------- -------- | ----------- | --------
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no `auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp`, `passkey` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no

6
plugins/modules/ipaservice.py
View File

@@ -74,7 +74,7 @@ options:
type: list type: list
elements: str elements: str
required: false required: false
choices: ["otp", "radius", "pkinit", "hardened", "idp", ""] choices: ["otp", "radius", "pkinit", "hardened", "idp", "passkey", ""]
aliases: ["krbprincipalauthind"] aliases: ["krbprincipalauthind"]
skip_host_check: skip_host_check:
description: Skip checking if host object exists. description: Skip checking if host object exists.
@@ -192,7 +192,7 @@ options:
type: list type: list
elements: str elements: str
required: false required: false
choices: ["otp", "radius", "pkinit", "hardened", "idp", ""] choices: ["otp", "radius", "pkinit", "hardened", "idp", "passkey", ""]
aliases: ["krbprincipalauthind"] aliases: ["krbprincipalauthind"]
skip_host_check: skip_host_check:
description: Skip checking if host object exists. description: Skip checking if host object exists.
@@ -560,7 +560,7 @@ def init_ansible_module():
auth_ind=dict(type="list", elements="str", auth_ind=dict(type="list", elements="str",
aliases=["krbprincipalauthind"], aliases=["krbprincipalauthind"],
choices=["otp", "radius", "pkinit", "hardened", "idp", choices=["otp", "radius", "pkinit", "hardened", "idp",
""]), "passkey", ""]),
skip_host_check=dict(type="bool"), skip_host_check=dict(type="bool"),
force=dict(type="bool"), force=dict(type="bool"),
requires_pre_auth=dict( requires_pre_auth=dict(

33
tests/service/test_service_empty_string_params.yml
View File

@@ -5,6 +5,8 @@
gather_facts: yes gather_facts: yes
tasks: tasks:
- name: Include tasks ../env_freeipa_facts.yml
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
# CLEANUP TEST ITEMS # CLEANUP TEST ITEMS
@@ -83,6 +85,37 @@
register: result register: result
failed_when: result.changed or result.failed failed_when: result.changed or result.failed
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with auth_ind passkey
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
auth_ind:
- passkey
register: result
failed_when: not result.changed or result.failed
when: passkey_is_supported
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with auth_ind passkey, again
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
auth_ind:
- passkey
register: result
failed_when: result.changed or result.failed
when: passkey_is_supported
- name: Check if correct message is given if passkey is not supported.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "test-service/{{ ansible_facts['fqdn'] }}"
auth_ind:
- passkey
register: result
failed_when: not result.failed or "'passkey' is not supported" not in result.msg
when: not passkey_is_supported
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with empty auth_ind - name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with empty auth_ind
ipaservice: ipaservice:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword