sudorule: Reduce addition and deletion of members to changed only

Use gen_add_list and gen_intersection_list for host, hostgroup, user, group, allow_sudocmd, allow_sudocmdgroup, deny_sudocmd, deny_sudocmdgroup, sudooption, runasuser, runasgroup and res_find member handling. The functions are used to reduce the add lists to the new entries only and the delete lists to the entries that are in the user and the show list result. This enables to remove the ignores for "already a member" and "not a member" errors..
2026-05-08 06:13:21 +00:00 · 2021-08-23 09:37:19 +02:00
parent 50a36ed954
commit 8561e0bb4b
1 changed files with 132 additions and 7 deletions
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -190,7 +190,7 @@ RETURN = """
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
    temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
-    module_params_get, gen_add_del_lists
+    module_params_get, gen_add_del_lists, gen_add_list, gen_intersection_list


 def find_sudorule(module, name):
@@ -579,6 +579,58 @@ def main():
                    if res_find is None:
                        ansible_module.fail_json(msg="No sudorule '%s'" % name)

+                    # Generate add lists for host, hostgroup, user, group,
+                    # allow_sudocmd, allow_sudocmdgroup, deny_sudocmd,
+                    # deny_sudocmdgroup, sudooption, runasuser, runasgroup
+                    # and res_find to only try to add the items that not in
+                    # the sudorule already
+                    if host is not None and \
+                       "memberhost_host" in res_find:
+                        host = gen_add_list(
+                            host, res_find["memberhost_host"])
+                    if hostgroup is not None and \
+                       "memberhost_hostgroup" in res_find:
+                        hostgroup = gen_add_list(
+                            hostgroup, res_find["memberhost_hostgroup"])
+                    if user is not None and \
+                       "memberuser_user" in res_find:
+                        user = gen_add_list(
+                            user, res_find["memberuser_user"])
+                    if group is not None and \
+                       "memberuser_group" in res_find:
+                        group = gen_add_list(
+                            group, res_find["memberuser_group"])
+                    if allow_sudocmd is not None and \
+                       "memberallowcmd_sudocmd" in res_find:
+                        allow_sudocmd = gen_add_list(
+                            allow_sudocmd, res_find["memberallowcmd_sudocmd"])
+                    if allow_sudocmdgroup is not None and \
+                       "memberallowcmd_sudocmdgroup" in res_find:
+                        allow_sudocmdgroup = gen_add_list(
+                            allow_sudocmdgroup,
+                            res_find["memberallowcmd_sudocmdgroup"])
+                    if deny_sudocmd is not None and \
+                       "memberdenycmd_sudocmd" in res_find:
+                        deny_sudocmd = gen_add_list(
+                            deny_sudocmd, res_find["memberdenycmd_sudocmd"])
+                    if deny_sudocmdgroup is not None and \
+                       "memberdenycmd_sudocmdgroup" in res_find:
+                        deny_sudocmdgroup = gen_add_list(
+                            deny_sudocmdgroup,
+                            res_find["memberdenycmd_sudocmdgroup"])
+                    if sudooption is not None and \
+                       "ipasudoopt" in res_find:
+                        sudooption = gen_add_list(
+                            sudooption, res_find["ipasudoopt"])
+                    if runasuser is not None and \
+                       "ipasudorunas_user" in res_find:
+                        runasuser = gen_add_list(
+                            runasuser, res_find["ipasudorunas_user"])
+                    if runasgroup is not None and \
+                       "ipasudorunasgroup_group" in res_find:
+                        runasgroup = gen_add_list(
+                            runasgroup, res_find["ipasudorunasgroup_group"])
+
                    # Add hosts and hostgroups
                    if host is not None or hostgroup is not None:
                        commands.append([name, "sudorule_add_host",
@@ -612,12 +664,12 @@ def main():
                                          }])

                    # Add RunAS Users
-                    if runasuser is not None:
+                    if runasuser is not None and len(runasuser) > 0:
                        commands.append([name, "sudorule_add_runasuser",
                                         {"user": runasuser}])

                    # Add RunAS Groups
-                    if runasgroup is not None:
+                    if runasgroup is not None and len(runasgroup) > 0:
                        commands.append([name, "sudorule_add_runasgroup",
                                         {"group": runasgroup}])

@@ -638,6 +690,83 @@ def main():
                    if res_find is None:
                        ansible_module.fail_json(msg="No sudorule '%s'" % name)

+                    # Generate intersection lists for host, hostgroup, user,
+                    # group, allow_sudocmd, allow_sudocmdgroup, deny_sudocmd
+                    # deny_sudocmdgroup, sudooption, runasuser, runasgroup
+                    # and res_find to only try to remove the items that are
+                    # in sudorule
+                    if host is not None:
+                        if "memberhost_host" in res_find:
+                            host = gen_intersection_list(
+                                host, res_find["memberhost_host"])
+                        else:
+                            host = None
+                    if hostgroup is not None:
+                        if "memberhost_hostgroup" in res_find:
+                            hostgroup = gen_intersection_list(
+                                hostgroup, res_find["memberhost_hostgroup"])
+                        else:
+                            hostgroup = None
+                    if user is not None:
+                        if "memberuser_user" in res_find:
+                            user = gen_intersection_list(
+                                user, res_find["memberuser_user"])
+                        else:
+                            user = None
+                    if group is not None:
+                        if "memberuser_group" in res_find:
+                            group = gen_intersection_list(
+                                group, res_find["memberuser_group"])
+                        else:
+                            group = None
+                    if allow_sudocmd is not None:
+                        if "memberallowcmd_sudocmd" in res_find:
+                            allow_sudocmd = gen_intersection_list(
+                                allow_sudocmd,
+                                res_find["memberallowcmd_sudocmd"])
+                        else:
+                            allow_sudocmd = None
+                    if allow_sudocmdgroup is not None:
+                        if "memberallowcmd_sudocmdgroup" in res_find:
+                            allow_sudocmdgroup = gen_intersection_list(
+                                allow_sudocmdgroup,
+                                res_find["memberallowcmd_sudocmdgroup"])
+                        else:
+                            allow_sudocmdgroup = None
+                    if deny_sudocmd is not None:
+                        if "memberdenycmd_sudocmd" in res_find:
+                            deny_sudocmd = gen_intersection_list(
+                                deny_sudocmd,
+                                res_find["memberdenycmd_sudocmd"])
+                        else:
+                            deny_sudocmd = None
+                    if deny_sudocmdgroup is not None:
+                        if "memberdenycmd_sudocmdgroup" in res_find:
+                            deny_sudocmdgroup = gen_intersection_list(
+                                deny_sudocmdgroup,
+                                res_find["memberdenycmd_sudocmdgroup"])
+                        else:
+                            deny_sudocmdgroup = None
+                    if sudooption is not None:
+                        if "ipasudoopt" in res_find:
+                            sudooption = gen_intersection_list(
+                                sudooption, res_find["ipasudoopt"])
+                        else:
+                            sudooption = None
+                    if runasuser is not None:
+                        if "ipasudorunas_user" in res_find:
+                            runasuser = gen_intersection_list(
+                                runasuser, res_find["ipasudorunas_user"])
+                        else:
+                            runasuser = None
+                    if runasgroup is not None:
+                        if "ipasudorunasgroup_group" in res_find:
+                            runasgroup = gen_intersection_list(
+                                runasgroup,
+                                res_find["ipasudorunasgroup_group"])
+                        else:
+                            runasgroup = None
+
                    # Remove hosts and hostgroups
                    if host is not None or hostgroup is not None:
                        commands.append([name, "sudorule_remove_host",
@@ -733,16 +862,12 @@ def main():
                ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
                                                             str(ex)))
            # Get all errors
-            # All "already a member" and "not a member" failures in the
            # result are ignored. All others are reported.
            if "failed" in result and len(result["failed"]) > 0:
                for item in result["failed"]:
                    failed_item = result["failed"][item]
                    for member_type in failed_item:
                        for member, failure in failed_item[member_type]:
-                            if "already a member" in failure \
-                               or "not a member" in failure:
-                                continue
                            errors.append("%s: %s %s: %s" % (
                                command, member_type, member, failure))
        if len(errors) > 0: