Fixes removal of all from sudorule categories.

This patch allows the removal of option `all` from user, host, group,
runasuser, and runasgroup categories, by allowing an empty string as
a valid choice for each option.
Rafael Guterres Jeffman
2020-04-06 17:49:17 -03:00
parent 0fb05dfaca
commit 9d348cb368
3 changed files with 204 additions and 15 deletions


@@ -122,11 +122,11 @@ Variable | Description | Required
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of sudorule name strings. | yes
`description` | The sudorule description string. | no
`usercategory` | User category the rule applies to. Choices: ["all"] | no
`hostcategory` | Host category the rule applies to. Choices: ["all"] | no
`cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no
`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`cmdcategory` \| `cmdcat` | Command category the rule applies to. Choices: ["all", ""] | no
`runasusercategory` \| `rusasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
`runasgroupcategory` \| `runasgroupcat` | RunAs Group category the rule applies to. Choices: ["all", ""] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this sudorule. | no
`hostgroup` | List of host group name strings assigned to this sudorule. | no


@@ -51,18 +51,21 @@ options:
usercategory:
description: User category the sudo rule applies to
required: false
choices: ["all"]
choices: ["all", ""]
aliases: ["usercat"]
usergroup:
description: List of user groups assigned to the sudo rule.
required: false
runasgroupcategory:
description: RunAs Group category applied to the sudo rule.
required: false
choices: ["all"]
choices: ["all", ""]
aliases: ["runasgroupcat"]
runasusercategory:
description: RunAs User category applied to the sudorule.
required: false
choices: ["all"]
choices: ["all", ""]
aliases: ["runasusercat"]
nomembers:
description: Suppress processing of membership attributes
required: false
@@ -78,7 +81,8 @@ options:
hostcategory:
description: Host category the sudo rule applies to.
required: false
choices: ["all"]
choices: ["all", ""]
aliases: ["hostcat"]
allow_sudocmd:
description: List of allowed sudocmds assigned to this sudorule.
required: false
@@ -98,7 +102,8 @@ options:
cmdcategory:
description: Command category the sudo rule applies to
required: false
choices: ["all"]
choices: ["all", ""]
aliases: ["cmdcat"]
order:
description: Order to apply this rule.
required: false
@@ -241,9 +246,9 @@ def main():
# present
description=dict(required=False, type="str", default=None),
usercategory=dict(required=False, type="str", default=None,
choices=["all"]),
choices=["all", ""], aliases=['usercat']),
hostcategory=dict(required=False, type="str", default=None,
choices=["all"]),
choices=["all", ""], aliases=['hostcat']),
nomembers=dict(required=False, type='bool', default=None),
host=dict(required=False, type='list', default=None),
hostgroup=dict(required=False, type='list', default=None),
@@ -254,11 +259,13 @@ def main():
allow_sudocmdgroup=dict(required=False, type="list", default=None),
deny_sudocmdgroup=dict(required=False, type="list", default=None),
cmdcategory=dict(required=False, type="str", default=None,
choices=["all"]),
choices=["all", ""], aliases=['cmdcat']),
runasusercategory=dict(required=False, type="str", default=None,
choices=["all"]),
choices=["all", ""],
aliases=['runasusercat']),
runasgroupcategory=dict(required=False, type="str", default=None,
choices=["all"]),
choices=["all", ""],
aliases=['runasgroupcat']),
runasuser=dict(required=False, type="list", default=None),
runasgroup=dict(required=False, type="list", default=None),
order=dict(type="int", required=False, aliases=['sudoorder']),
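Review bot: The option docs for `usercategory`, `hostcategory`, `cmdcategory`, `runasusercategory` and `runasgroupcategory` now list `""` as a choice, but no description says what the empty string does. In main() the same options keep `default=None`, so a reader cannot tell "not given" from "clear the category". Since `all` is the only non-empty value and widens the rule to everything in that category, the way to revoke it should be spelled out, e.g. `description: User category the sudo rule applies to. Use "" to clear a previously set 'all'.`, with the same sentence on the other four options. The README row for `runasusercategory` spells the new alias `rusasusercat`, whereas the module declares `runasusercat`. Both the options block and main() continue outside the hunks shown.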


@@ -0,0 +1,182 @@
---
- name: Test sudorule user category
hosts: ipaserver
become: true
gather_facts: false
tasks:
- name: Ensure sudorules are absent
ipasudorule:
ipaadmin_password: SomeADMINpassword
name:
- allusers
state: absent
- name: Ensure sudorule is present, with usercategory 'all'
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
usercategory: all
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with usercategory 'all', again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
usercategory: all
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with no usercategory.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
usercategory: ""
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with no usercategory, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
usercategory: ""
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with hostcategory 'all'
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
hostcategory: all
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with hostcategory 'all', again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
hostcategory: all
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with no usercategory.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
hostcategory: ""
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with no hostcategory, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
hostcategory: ""
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with cmdcategory 'all'
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
cmdcategory: all
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with cmdcategory 'all', again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
cmdcategory: all
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with no cmdcategory.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
cmdcategory: ""
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with no cmdcategory, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
cmdcategory: ""
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with runasusercategory 'all'
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
runasusercategory: all
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with runasusercategory 'all', again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
runasusercategory: all
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with no runasusercategory.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
runasusercategory: ""
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with no runasusercategory, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
runasusercategory: ""
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with runasgroupcategory 'all'
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
runasgroupcategory: all
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with runasgroupcategory 'all', again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
runasgroupcategory: all
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with no runasgroupcategory.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
runasgroupcategory: ""
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with no runasgroupcategory, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: allusers
runasgroupcategory: ""
register: result
failed_when: result.changed
# cleanup
- name: Ensure sudorules are absent
ipasudorule:
ipaadmin_password: SomeADMINpassword
name:
- allusers
state: absent
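Review bot: Every "again" task checks idempotence with `failed_when: result.changed`, which replaces Ansible's default failure condition, so a module call that errors out without reporting a change is counted as a pass. Use `failed_when: result.changed or result.failed` on those tasks so that a failed attempt to set or clear a category cannot look like a successful no-op. The task that sets `hostcategory: ""` for the first time is named "Ensure sudorule is present, with no usercategory."; rename it to `- name: Ensure sudorule is present, with no hostcategory.`. None of the new aliases (`usercat`, `hostcat`, `cmdcat`, `runasusercat`, `runasgroupcat`) is exercised by any task in this playbook.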