ipauser: Add choices pkinit, hardened and idp to user_auth_type

The parameter user_auth_type has been updated in FreeIPA. The choices pkinit, hardened and idp have been missing and are now added. An additional check was added to verify that the values of the user_auth_type list are valid for the used IPA version.
2026-05-08 06:13:21 +00:00 · 2023-07-18 16:06:33 +02:00
parent 62d34d0a22
commit c4b273c896
1 changed files with 21 additions and 3 deletions
--- a/plugins/modules/ipauser.py
+++ b/plugins/modules/ipauser.py
@@ -208,7 +208,7 @@ options:
          Use empty string to reset userauthtype to the initial value.
        type: list
        elements: str
-        choices: ['password', 'radius', 'otp', '']
+        choices: ["password", "radius", "otp", "pkinit", "hardened", "idp", ""]
        required: false
        aliases: ["ipauserauthtype"]
      userclass:
@@ -465,7 +465,7 @@ options:
      Use empty string to reset userauthtype to the initial value.
    type: list
    elements: str
-    choices: ['password', 'radius', 'otp', '']
+    choices: ["password", "radius", "otp", "pkinit", "hardened", "idp", ""]
    required: false
    aliases: ["ipauserauthtype"]
  userclass:
@@ -888,6 +888,15 @@ def check_parameters(  # pylint: disable=unused-argument
                    module.fail_json(msg="certmapdata: subject is missing")


+def check_userauthtype(module, userauthtype):
+    _invalid = module.ipa_command_invalid_param_choices(
+        "user_add", "ipauserauthtype", userauthtype)
+    if _invalid:
+        module.fail_json(
+            msg="The use of userauthtype '%s' is not supported "
+            "by your IPA version" % "','".join(_invalid))
+
+
 def extend_emails(email, default_email_domain):
    if email is not None:
        return ["%s@%s" % (_email, default_email_domain)
@@ -1023,7 +1032,8 @@ def main():
                       default=None),
        userauthtype=dict(type='list', elements="str",
                          aliases=["ipauserauthtype"], default=None,
-                          choices=['password', 'radius', 'otp', '']),
+                          choices=["password", "radius", "otp", "pkinit",
+                                   "hardened", "idp", ""]),
        userclass=dict(type="list", elements="str", aliases=["class"],
                       default=None),
        radius=dict(type="str", aliases=["ipatokenradiusconfiglink"],
@@ -1213,6 +1223,10 @@ def main():

        server_realm = ansible_module.ipa_get_realm()

+        # Check API specific parameters
+
+        check_userauthtype(ansible_module, userauthtype)
+
        # Default email domain

        result = ansible_module.ipa_command_no_name("config_show", {})
@@ -1303,6 +1317,10 @@ def main():
                    smb_home_dir, smb_home_drive)
                certmapdata = convert_certmapdata(certmapdata)

+                # Check API specific parameters
+
+                check_userauthtype(ansible_module, userauthtype)
+
                # Extend email addresses

                email = extend_emails(email, default_email_domain)