ipauser: Add support for 'passkey' in 'user_auth_type'

The value 'passkey' was missing from the valid values of the
user_auth_type attribute.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Rafael Guterres Jeffman
2025-07-04 18:14:48 -03:00
parent 17b100baec
commit 536b7cb5f3
3 changed files with 45 additions and 4 deletions


@@ -452,7 +452,7 @@ Variable | Description | Required
`manager` | List of manager user names. | no `manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no `carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no `sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` \| `ipauserauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp` and `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset userauthtype to the initial value. | no `userauthtype` \| `ipauserauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `passkey` and `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no `userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no `radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no `radiususer` | RADIUS proxy username | no


@@ -208,7 +208,8 @@ options:
Use empty string to reset userauthtype to the initial value. Use empty string to reset userauthtype to the initial value.
type: list type: list
elements: str elements: str
choices: ["password", "radius", "otp", "pkinit", "hardened", "idp", ""] choices: ["password", "radius", "otp", "pkinit", "hardened", "idp",
"passkey", ""]
required: false required: false
aliases: ["ipauserauthtype"] aliases: ["ipauserauthtype"]
userclass: userclass:
@@ -480,7 +481,8 @@ options:
Use empty string to reset userauthtype to the initial value. Use empty string to reset userauthtype to the initial value.
type: list type: list
elements: str elements: str
choices: ["password", "radius", "otp", "pkinit", "hardened", "idp", ""] choices: ["password", "radius", "otp", "pkinit", "hardened", "idp",
"passkey", ""]
required: false required: false
aliases: ["ipauserauthtype"] aliases: ["ipauserauthtype"]
userclass: userclass:
@@ -1070,7 +1072,7 @@ def main():
userauthtype=dict(type='list', elements="str", userauthtype=dict(type='list', elements="str",
aliases=["ipauserauthtype"], default=None, aliases=["ipauserauthtype"], default=None,
choices=["password", "radius", "otp", "pkinit", choices=["password", "radius", "otp", "pkinit",
"hardened", "idp", ""]), "hardened", "idp", "passkey", ""]),
userclass=dict(type="list", elements="str", aliases=["class"], userclass=dict(type="list", elements="str", aliases=["class"],
default=None), default=None),
radius=dict(type="str", aliases=["ipatokenradiusconfiglink"], radius=dict(type="str", aliases=["ipatokenradiusconfiglink"],
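Review bot: The `choices` list for `userauthtype` in the argument spec now accepts `"passkey"` on every server, and none of the hunks in this file show the version check that the option description promises ("only types can be used that are supported by the IPA version"). The test added in this commit expects a failure containing `'passkey' is not supported` on older servers, so that check presumably exists outside the hunks and handles new values generically; please confirm it does not enumerate type names, because silently accepting the value would leave the account on a different authentication method than the playbook requested. A comment next to the list would make the dependency explicit, e.g. `# "passkey" is accepted here for all versions; the server-side capability check on userauthtype rejects it where unsupported`. The same list is now repeated in both `options:` documentation blocks and in `main()`, whose body starts and ends outside this hunk, so a later addition has to touch all three.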


@@ -5,6 +5,9 @@
gather_facts: false gather_facts: false
tasks: tasks:
- name: Include FreeIPA facts.
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
- name: Remove test users - name: Remove test users
ipauser: ipauser:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
@@ -392,6 +395,42 @@
register: result register: result
failed_when: not result.changed or result.failed failed_when: not result.changed or result.failed
- name: Ensure user pinky with userauthtype passkey exists
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: pinky
first: pinky
last: user
userauthtype: passkey
register: result
failed_when: not result.changed or result.failed
when: passkey_is_supported
- name: Ensure user pinky with userauthtype passkey exists, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: pinky
first: pinky
last: user
userauthtype: passkey
register: result
failed_when: result.changed or result.failed
when: passkey_is_supported
- name: Check if correct message is given if passkey is not supported.
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: pinky
first: pinky
last: user
userauthtype: passkey
register: result
when: not passkey_is_supported
failed_when: not result.failed or "'passkey' is not supported" not in result.msg
- name: User pinky absent and preserved for future exclusion. - name: User pinky absent and preserved for future exclusion.
ipauser: ipauser:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
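Review bot: In the last added task ("Check if correct message is given if passkey is not supported.") `when` comes before `failed_when`, while the two passkey tasks above it put `failed_when` first; keeping one order makes the gating condition easier to find when reading the three tasks together. The tasks also rely on `passkey_is_supported`, which is presumably set by the newly included `../env_freeipa_facts.yml` and is not visible on this page. A short comment above the group would document that, e.g. `# passkey_is_supported comes from env_freeipa_facts.yml; on servers without passkey support the module must fail instead of ignoring the value`. The rejection check matches only the fragment `'passkey' is not supported` of `result.msg`, so it is tied to the module's wording and should be updated together with any change to that message.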