automember: Verify condition keys

The automember_add_condition and automember_remove_condition commands are not verifying condition keys in all cases. This is for example not done in the removal case if a condition is not part of the automember rule. For consistent behaviour this needs to be done in the automember module now. The condition keys are verified with the user and group aciattrs returned by the API command json_metadata now. Related: RHBZ#1976926
2026-03-26 21:33:05 +00:00 · 2021-07-13 13:14:28 +02:00
parent 25f7eb93f5
commit 382ee6ffa0
2 changed files with 88 additions and 0 deletions
--- a/plugins/modules/ipaautomember.py
+++ b/plugins/modules/ipaautomember.py
@@ -185,6 +185,15 @@ def transform_conditions(conditions):
    return transformed
 def check_condition_keys(ansible_module, conditions, aciattrs):
    if conditions is None:
        return
    for condition in conditions:
        if condition["key"] not in aciattrs:
            ansible_module.fail_json(
                msg="Invalid automember condition key '%s'" % condition["key"])
 def main():
    ansible_module = AnsibleModule(
        argument_spec=dict(
@@ -274,6 +283,28 @@ def main():
            # Make sure automember rule exists
            res_find = find_automember(ansible_module, name, automember_type)
            # Check inclusive and exclusive conditions
            if inclusive is not None or exclusive is not None:
                # automember_type is either "group" or "hostgorup"
                if automember_type == "group":
                    _type = "user"
                elif automember_type == "hostgroup":
                    _type = "host"
                else:
                    ansible_module.fail_json(
                        msg="Bad automember type '%s'" % automember_type)
                try:
                    aciattrs = api_command(
                        ansible_module, "json_metadata", to_text(_type), {}
                    )['objects'][_type]['aciattrs']
                except Exception as ex:
                    ansible_module.fail_json(
                        msg="%s: %s: %s" % ("json_metadata", _type, str(ex)))
                check_condition_keys(ansible_module, inclusive, aciattrs)
                check_condition_keys(ansible_module, exclusive, aciattrs)
            # Create command
            if state == 'present':
                args = gen_args(description, automember_type)
--- a/tests/automember/test_automember.yml
+++ b/tests/automember/test_automember.yml
@@ -164,6 +164,34 @@
    register: result
    failed_when: result.changed or result.failed
  - name: Ensure testgroup group automember conditions fails on invalid inclusive key
    ipaautomember:
      ipaadmin_principal: admin
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      automember_type: group
      inclusive:
        - key: cns
          expression: 'foo'
      action: member
    register: result
    failed_when: result.changed or not result.failed or
                 "Invalid automember condition key 'cns'" not in result.msg
  - name: Ensure testgroup group automember conditions fails on invalid exlusive key
    ipaautomember:
      ipaadmin_principal: admin
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      automember_type: group
      exclusive:
        - key: cns
          expression: 'foo'
      action: member
    register: result
    failed_when: result.changed or not result.failed or
                 "Invalid automember condition key 'cns'" not in result.msg
  - name: Ensure testhostgroup hostgroup automember rule is present
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
@@ -282,6 +310,35 @@
    register: result
    failed_when: result.changed or result.failed
  - name: Ensure testhostgroup hostgroup automember conditions fails on invalid inclusive key
    ipaautomember:
      ipaadmin_principal: admin
      ipaadmin_password: SomeADMINpassword
      name: testhostgroup
      automember_type: hostgroup
      inclusive:
        - key: cns
          expression: 'foo'
      action: member
    register: result
    failed_when: result.changed or not result.failed or
                 "Invalid automember condition key 'cns'" not in result.msg
  - name: Ensure testhostgroup hostgroup automember conditions fails on invalid exlusive key
    ipaautomember:
      ipaadmin_principal: admin
      ipaadmin_password: SomeADMINpassword
      name: testhostgroup
      automember_type: hostgroup
      exclusive:
        - key: cns
          expression: 'foo'
      action: member
    register: result
    failed_when: result.changed or not result.failed or
                 "Invalid automember condition key 'cns'" not in result.msg
  # CLEANUP TEST ITEMS
  - name: Ensure group testgroup is absent