From 22700620c6e27a460843be6316c410cd196b4384 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman
Date: Wed, 5 Mar 2025 16:49:11 -0300
Subject: [PATCH] ipaconfig: Validate emaildomain

When setting the default email domain, there was no validation on the provide value. Using ipapython.validate.Email applies the same validation method as implemented in IPA.

Signed-off-by: Rafael Guterres Jeffman
---
 plugins/module_utils/ansible_freeipa_module.py | 3 ++-
 plugins/modules/ipaconfig.py | 9 ++++++++-
 tests/config/test_config.yml | 10 ++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py
index 2f861efa..c5ed5de7 100644
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -33,7 +33,7 @@ __all__ = ["DEBUG_COMMAND_ALL", "DEBUG_COMMAND_LIST", "paths", "tasks", "get_credentials_if_valid", "Encoding", "DNSName", "getargspec", "certificate_loader", "write_certificate_list", "boolean", "template_str",
- "urlparse", "normalize_sshpubkey"]
+ "urlparse", "normalize_sshpubkey", "Email"]
 DEBUG_COMMAND_ALL = 0b1111 # Print the while command list:
@@ -116,6 +116,7 @@ try:
 from ipalib.krb_utils import get_credentials_if_valid
 from ipapython.dnsutil import DNSName
 from ipapython import kerberos
+ from ipapython.ipavalidate import Email
 try:
 from ipalib.x509 import Encoding
diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index c80da429..c41d6ef0 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -344,7 +344,7 @@ config:
 from ansible.module_utils.ansible_freeipa_module import \
- IPAAnsibleModule, compare_args_ipa, ipalib_errors
+ IPAAnsibleModule, compare_args_ipa, ipalib_errors, Email
 def config_show(module):
@@ -515,6 +515,13 @@ def main():
 msg="Argument '%s' must be between %d and %d." % (arg, minimum, maximum))
+ # verify email domain
+ emaildomain = params.get("ipadefaultemaildomain", None)
+ if emaildomain:
+ if not Email("test@{0}".format(emaildomain)):
+ ansible_module.fail_json(
+ msg="Invalid 'emaildomain' value: %s" % emaildomain)
+
 changed = False
 exit_args = {}
diff --git a/tests/config/test_config.yml b/tests/config/test_config.yml
index 555a142e..68164210 100644
--- a/tests/config/test_config.yml
+++ b/tests/config/test_config.yml
@@ -34,6 +34,16 @@
 ipaapi_context: "{{ ipa_context | default(omit) }}"
 emaildomain: ipa.test
+ - name: Ensure the default e-mail domain cannot be set to an invalid email domain.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ emaildomain: invalid@emaildomain
+ register: invalid_emaildomain
+ failed_when:
+ invalid_emaildomain.changed
+ or not (invalid_emaildomain.failed and "Invalid 'emaildomain' value:" in invalid_emaildomain.msg)
+
 - name: Set default shell to '/bin/sh'
 ipaconfig:
 ipaadmin_password: SomeADMINpassword
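Review bot: The new check in main() of plugins/modules/ipaconfig.py validates the synthetic address `"test@{0}".format(emaildomain)`, not the value that is later sent to IPA, so any normalisation done inside `Email()` is not reflected in what gets stored. If `Email()` trims surrounding whitespace before matching (worth confirming in ipapython.ipavalidate), a domain with a trailing space or newline would pass here and still be written unchanged; also rejecting untrimmed input, e.g. `if emaildomain != emaildomain.strip() or not Email("test@{0}".format(emaildomain)):`, closes that gap. The `# verify email domain` comment could say why a dummy local part is prepended, e.g. `# Email() checks full addresses, so prepend a dummy local part to validate only the domain`. An empty string skips the check through `if emaildomain:`, which looks intentional but is not stated. main() starts before and continues after this hunk.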
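Review bot: The negative test added to tests/config/test_config.yml pins a single malformed value, `invalid@emaildomain`, so only the extra-`@` case of the new validation is exercised. Other shapes the check is expected to reject, such as embedded or trailing whitespace or a leading dot, are not covered, and a later change to the validation could narrow it without this test noticing. Running the same task over a short list of constructed bad values, with `emaildomain: "{{ item }}"` and a `loop:` holding them, would cover those cases with the existing `failed_when` expression.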