ipahost: Honour update_password also for random

If random is enabled and update_password is limited to "create_only", the random password may only be changed if the host does not exist yet. Additionally the generation of the random password will fail, if the host is already enrolled if update_password is "always" (default value). An error will be reported early in this case now. The command host_show is now used instead of host_find, as `has_password` and `has_keytab` are only returned by host_show, but not by host_find. The find_host function has been adapated for this change. Resolves: #253 (ipahost is not idempotent)
2026-03-26 21:33:05 +00:00 · 2020-05-11 12:38:11 +02:00
parent 67261c3dcd
commit b3d5b32e31
3 changed files with 56 additions and 23 deletions
--- a/README-host.md
+++ b/README-host.md
@@ -173,14 +173,14 @@ Example playbook to ensure host presence with a random password:
      name: host01.example.com
      random: yes
      force: yes
+      update_password: on_create
    register: ipahost

  - name: Print generated random password
    debug:
      var: ipahost.host.randompassword
 ```
-Please remember that the `force` tag will also force the generation of a new random password even if the host already exists and if `update_password` is limited to `on_create`.
-
+Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.

 Example playbook to ensure presence of several hosts with a random password:

@@ -198,9 +198,11 @@ Example playbook to ensure presence of several hosts with a random password:
      - name: host01.example.com
        random: yes
        force: yes
+        update_password: on_create
      - name: host02.example.com
        random: yes
        force: yes
+        update_password: on_create
    register: ipahost

  - name: Print generated random password for host01.example.com
@@ -211,7 +213,7 @@ Example playbook to ensure presence of several hosts with a random password:
    debug:
      var: ipahost.host["host02.example.com"].randompassword
 ```
-Please remember that the `force` tag will also force the generation of a new random password even if the host alreay exists and if `update_password` is limited to `on_create`.
+Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.


 Example playbook to ensure presence of host member principal:
@@ -337,8 +339,8 @@ Variable | Description | Required
 `location` \| `ns_host_location` | Host location (e.g. "Lab 2"). | no
 `platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no
 `os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
-`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment. | no
-`random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment. | no
+`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
+`random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
 `managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
--- a/plugins/modules/ipahost.py
+++ b/plugins/modules/ipahost.py
@@ -420,23 +420,22 @@ if six.PY3:
 def find_host(module, name):
    _args = {
        "all": True,
-        "fqdn": to_text(name),
    }

-    _result = api_command(module, "host_find", to_text(name), _args)
+    try:
+        _result = api_command(module, "host_show", to_text(name), _args)
+    except ipalib_errors.NotFound as e:
+        msg = str(e)
+        if "host not found" in msg:
+            return None
+        module.fail_json(msg="host_show failed: %s" % msg)

-    if len(_result["result"]) > 1:
-        module.fail_json(
-            msg="There is more than one host '%s'" % (name))
-    elif len(_result["result"]) == 1:
-        _res = _result["result"][0]
-        certs = _res.get("usercertificate")
-        if certs is not None:
-            _res["usercertificate"] = [encode_certificate(cert) for
-                                       cert in certs]
-        return _res
-    else:
-        return None
+    _res = _result["result"]
+    certs = _res.get("usercertificate")
+    if certs is not None:
+        _res["usercertificate"] = [encode_certificate(cert) for
+                                   cert in certs]
+    return _res


 def find_dnsrecord(module, name):
@@ -903,9 +902,25 @@ def main():
                    # Found the host
                    if res_find is not None:
                        # Ignore password with update_password == on_create
-                        if update_password == "on_create" and \
-                           "userpassword" in args:
-                            del args["userpassword"]
+                        if update_password == "on_create":
+                            # Ignore userpassword and random for existing
+                            # host if update_password is "on_create"
+                            if "userpassword" in args:
+                                del args["userpassword"]
+                            if "random" in args:
+                                del args["random"]
+                        elif "userpassword" in args or "random" in args:
+                            # Allow an existing OTP to be reset but don't
+                            # allow a OTP or to be added to an enrolled host.
+                            # Also do not allow to change the password for an
+                            # enrolled host.
+
+                            if not res_find["has_password"] and \
+                               res_find["has_keytab"]:
+                                ansible_module.fail_json(
+                                    msg="%s: Password cannot be set on "
+                                    "enrolled host." % host
+                                )

                        # Ignore force, ip_address and no_reverse for mod
                        for x in ["force", "ip_address", "no_reverse"]:
@@ -953,7 +968,7 @@ def main():
                        principal_add, principal_del = gen_add_del_lists(
                            principal, res_find.get("principal"))
                        # Principals are not returned as utf8 for IPA using
-                        # python2 using host_find, therefore we need to
+                        # python2 using host_show, therefore we need to
                        # convert the principals that we should remove.
                        principal_del = [to_text(x) for x in principal_del]

--- a/tests/host/test_host_random.yml
+++ b/tests/host/test_host_random.yml
@@ -77,6 +77,22 @@
    debug:
      var: ipahost.host["{{host2_fqdn }}"].randompassword

+  - name: Enrolled host "{{ groups.ipaserver[0] }}" fails to set random password with update_password always
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: "{{ groups.ipaserver[0] }}"
+        random: yes
+      update_password: always
+    register: ipahost
+    failed_when: ipahost.changed
+
+  - assert:
+      that:
+      - ipahost.host["{{ groups.ipaserver[0] }}"].randompassword is
+        not defined
+      - "'Password cannot be set on enrolled host' in ipahost.msg"
+
  - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" absent
    ipahost:
      ipaadmin_password: SomeADMINpassword