Fixes removal of all from HBAC rule categories.

This patch allows the removal of option `all` from user, host, and
service categories, by allowing an empty string as a valid choice
for each option.
Rafael Guterres Jeffman
2020-04-07 18:29:51 -03:00
parent 9d348cb368
commit 5e734e847e
3 changed files with 126 additions and 9 deletions


@@ -138,9 +138,9 @@ Variable | Description | Required
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of hbacrule name strings. | yes
`description` | The hbacrule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hbacrule. | no
`hostgroup` | List of host group name strings assigned to this hbacrule. | no


@@ -49,17 +49,17 @@ options:
description: User category the rule applies to
required: false
aliases: ["usercat"]
choices: ["all"]
choices: ["all", ""]
hostcategory:
description: Host category the rule applies to
required: false
aliases: ["hostcat"]
choices: ["all"]
choices: ["all", ""]
servicecategory:
description: Service category the rule applies to
required: false
aliases: ["servicecat"]
choices: ["all"]
choices: ["all", ""]
nomembers:
description: Suppress processing of membership attributes
required: false
@@ -208,11 +208,11 @@ def main():
# present
description=dict(type="str", default=None),
usercategory=dict(type="str", default=None,
aliases=["usercat"], choices=["all"]),
aliases=["usercat"], choices=["all", ""]),
hostcategory=dict(type="str", default=None,
aliases=["hostcat"], choices=["all"]),
aliases=["hostcat"], choices=["all", ""]),
servicecategory=dict(type="str", default=None,
aliases=["servicecat"], choices=["all"]),
aliases=["servicecat"], choices=["all", ""]),
nomembers=dict(required=False, type='bool', default=None),
host=dict(required=False, type='list', default=None),
hostgroup=dict(required=False, type='list', default=None),
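Review bot: The option descriptions in the first hunk (`usercategory`, `hostcategory`, `servicecategory`) are unchanged and do not say what the new `""` choice does, so a playbook author cannot learn from the module documentation that it clears `all`. I would extend each one, for example `description: User category the rule applies to. Use "" to remove the category "all".` In the argument spec of the second hunk the three parameters keep `default=None`, so a comment above them such as `# "" clears the category; None (parameter omitted) leaves it unchanged` would help, provided that is how the comparison code behaves; that code is in the part of `main()` outside these hunks and cannot be checked here. Because these categories decide how widely an HBAC rule applies, the difference between omitting a parameter and clearing it deserves to be written down.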


@@ -0,0 +1,117 @@
---
- name: Test HBAC rule user category
hosts: ipaserver
become: true
gather_facts: false
tasks:
- name: Ensure HBAC rules are absent
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name:
- testrule
state: absent
- name: Ensure HBAC rule is present, with usercategory 'all'
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
usercategory: all
register: result
failed_when: not result.changed
- name: Ensure HBAC rule is present, with usercategory 'all', again.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
usercategory: all
register: result
failed_when: result.changed
- name: Ensure HBAC rule is present, with no usercategory.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
usercategory: ""
register: result
failed_when: not result.changed
- name: Ensure HBAC rule is present, with no usercategory, again.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
usercategory: ""
register: result
failed_when: result.changed
- name: Ensure HBAC rule is present, with hostcategory 'all'
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
hostcategory: all
register: result
failed_when: not result.changed
- name: Ensure HBAC rule is present, with hostcategory 'all', again.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
hostcategory: all
register: result
failed_when: result.changed
- name: Ensure HBAC rule is present, with no hostcategory.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
hostcategory: ""
register: result
failed_when: not result.changed
- name: Ensure HBAC rule is present, with no hostcategory, again.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
hostcategory: ""
register: result
failed_when: result.changed
- name: Ensure HBAC rule is present, with servicecategory 'all'
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
servicecategory: all
register: result
failed_when: not result.changed
- name: Ensure HBAC rule is present, with servicecategory 'all', again.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
servicecategory: all
register: result
failed_when: result.changed
- name: Ensure HBAC rule is present, with no servicecategory.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
servicecategory: ""
register: result
failed_when: not result.changed
- name: Ensure HBAC rule is present, with no servicecategory, again.
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: testrule
servicecategory: ""
register: result
failed_when: result.changed
- name: Ensure HBAC rules are absent
ipahbacrule:
ipaadmin_password: SomeADMINpassword
name:
- testrule
state: absent
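Review bot: No task checks that a category set to `all` is kept when a later run omits the parameter; every task that leaves a category out does so only after that category has already been cleared to `""`. A regression that treated an omitted parameter like `""` would silently change which users, hosts or services the rule covers, and nothing in this playbook would fail. I would add a task after each "'all', again" step that passes only `name` and expects no change; the following "no usercategory" task, which must report a change, then confirms `all` was still set. The usercategory variant is shown below, and the host and service ones follow the same pattern.

```yaml
    # … unchanged: "Ensure HBAC rule is present, with usercategory 'all', again." …
    - name: Ensure usercategory 'all' is kept when the parameter is omitted.
      ipahbacrule:
        ipaadmin_password: SomeADMINpassword
        name: testrule
      register: result
      failed_when: result.changed
    # … unchanged: "Ensure HBAC rule is present, with no usercategory." …
```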