Merge pull request #742 from t-woerner/group_fix_services

group: Services are ipapython.kerberos.Principal and case insensitive
2026-03-26 21:33:05 +00:00 · 2022-01-24 14:56:21 -03:00
parent a44515c701 8cf2e7ef7b
commit 2de1dccbf5
2 changed files with 184 additions and 2 deletions
--- a/plugins/modules/ipagroup.py
+++ b/plugins/modules/ipagroup.py
@@ -181,6 +181,7 @@ EXAMPLES = """
 RETURN = """
 """

+from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
    gen_add_list, gen_intersection_list
@@ -198,7 +199,14 @@ def find_group(module, name):
        module.fail_json(
            msg="There is more than one group '%s'" % (name))
    elif len(_result["result"]) == 1:
-        return _result["result"][0]
+        _res = _result["result"][0]
+        # The returned services are of type ipapython.kerberos.Principal,
+        # also services are not case sensitive. Therefore services are
+        # converted to lowercase strings to be able to do the comparison.
+        if "member_service" in _res:
+            _res["member_service"] = \
+                [to_text(svc).lower() for svc in _res["member_service"]]
+        return _res

    return None

@@ -308,7 +316,8 @@ def main():
    nomembers = ansible_module.params_get("nomembers")
    user = ansible_module.params_get("user")
    group = ansible_module.params_get("group")
-    service = ansible_module.params_get("service")
+    # Services are not case sensitive
+    service = ansible_module.params_get_lowercase("service")
    membermanager_user = ansible_module.params_get("membermanager_user")
    membermanager_group = ansible_module.params_get("membermanager_group")
    externalmember = ansible_module.params_get("externalmember")
--- a/tests/group/test_group.yml
+++ b/tests/group/test_group.yml
@@ -5,6 +5,23 @@
  gather_facts: false

  tasks:
+  # setup
+  - include_tasks: ../env_freeipa_facts.yml
+
+  # GET DOMAIN AND REALM
+
+  - name: Get Domain from server name
+    set_fact:
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
+    when: ipaserver_domain is not defined
+
+  - name: Get Realm from server name
+    set_fact:
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
+    when: ipaserver_realm is not defined
+
+  # CLEANUP TEST ITEMS
+
  - name: Ensure users user1, user2 and user3 are absent
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -19,6 +36,8 @@
      name: group3,group2,group1
      state: absent

+  # CREATE TEST ITEMS
+
  - name: Ensure users user1..user3 are present
    ipauser:
      ipaadmin_password: SomeADMINpassword
@@ -36,6 +55,8 @@
    register: result
    failed_when: not result.changed or result.failed

+  # TESTS
+
  - name: Ensure group1 is present
    ipagroup:
      ipaadmin_password: SomeADMINpassword
@@ -119,6 +140,156 @@
    register: result
    failed_when: result.changed or result.failed

+    # service
+
+  - block:
+
+    - name: Ensure service "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is present in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure service "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is present in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure service "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is present in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure service "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is present in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure service "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is absent in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure service "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is absent in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure service "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is absent in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure service "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}" is absent in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure services are present in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure services are present in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'http/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure services are absent in group group1
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        - "{{ 'LDAP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure services are absent in group group1, again
+      ipagroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: group1
+        service:
+        - "{{ 'HTTP/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        - "{{ 'ldap/ipaserver.' + ipaserver_domain + '@' + ipaserver_realm }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: result.changed or result.failed
+
+    when: ipa_version is version('4.7.0', '>=')
+
+    # user
+
  - name: Ensure users user1, user2 and user3 are present in group group1
    ipagroup:
      ipaadmin_password: SomeADMINpassword
@@ -297,6 +468,8 @@
    register: result
    failed_when: not result.changed or result.failed

+  # CLEANUP TEST ITEMS
+
  - name: Ensure group group3, group2 and group1 are absent
    ipagroup:
      ipaadmin_password: SomeADMINpassword