Merge pull request #1076 from rjeffman/fix_usercheck_dictcheck

Fix handling of ipapwpolicy attributes usercheck and dictcheck
2026-05-06 13:23:14 +00:00 · 2023-07-14 15:25:20 +02:00
parent f4070f6a30 7b2701b985
commit c9f1da5d6b
4 changed files with 40 additions and 42 deletions
--- a/plugins/modules/ipapwpolicy.py
+++ b/plugins/modules/ipapwpolicy.py
@@ -45,82 +45,84 @@ options:
    required: false
    aliases: ["cn"]
  maxlife:
-    description: Maximum password lifetime (in days)
+    description: Maximum password lifetime (in days). (int or "")
    type: str
    required: false
    aliases: ["krbmaxpwdlife"]
  minlife:
-    description: Minimum password lifetime (in hours)
+    description: Minimum password lifetime (in hours). (int or "")
    type: str
    required: false
    aliases: ["krbminpwdlife"]
  history:
-    description: Password history size
+    description: Password history size. (int or "")
    type: str
    required: false
    aliases: ["krbpwdhistorylength"]
  minclasses:
-    description: Minimum number of character classes
+    description: Minimum number of character classes. (int or "")
    type: str
    required: false
    aliases: ["krbpwdmindiffchars"]
  minlength:
-    description: Minimum length of password
+    description: Minimum length of password. (int or "")
    type: str
    required: false
    aliases: ["krbpwdminlength"]
  priority:
-    description: Priority of the policy (higher number means lower priority)
+    description: >
+      Priority of the policy (higher number means lower priority). (int or "")
    type: str
    required: false
    aliases: ["cospriority"]
  maxfail:
-    description: Consecutive failures before lockout
+    description: Consecutive failures before lockout. (int or "")
    type: str
    required: false
    aliases: ["krbpwdmaxfailure"]
  failinterval:
-    description: Period after which failure count will be reset (seconds)
+    description: >
+      Period after which failure count will be reset (seconds). (int or "")
    type: str
    required: false
    aliases: ["krbpwdfailurecountinterval"]
  lockouttime:
-    description: Period for which lockout is enforced (seconds)
+    description: Period for which lockout is enforced (seconds). (int or "")
    type: str
    required: false
    aliases: ["krbpwdlockoutduration"]
  maxrepeat:
    description: >
      Maximum number of same consecutive characters.
-      Requires IPA 4.9+
+      Requires IPA 4.9+. (int or "")
    type: str
    required: false
    aliases: ["ipapwdmaxrepeat"]
  maxsequence:
    description: >
      The maximum length of monotonic character sequences (abcd).
-      Requires IPA 4.9+
+      Requires IPA 4.9+. (int or "")
    type: str
    required: false
    aliases: ["ipapwdmaxsequence"]
  dictcheck:
    description: >
      Check if the password is a dictionary word.
-      Requires IPA 4.9+
+      Requires IPA 4.9+. (bool or "")
    type: str
    required: false
    aliases: ["ipapwdictcheck"]
  usercheck:
    description: >
      Check if the password contains the username.
-      Requires IPA 4.9+
+      Requires IPA 4.9+. (bool or "")
    type: str
    required: false
    aliases: ["ipapwdusercheck"]
  gracelimit:
    description: >
      Number of LDAP authentications allowed after expiration.
-      Requires IPA 4.10.1+
+      Requires IPA 4.10.1+. (int or "")
    type: str
    required: false
    aliases: ["passwordgracelimit"]
@@ -151,7 +153,7 @@ RETURN = """
 """

 from ansible.module_utils.ansible_freeipa_module import \
-    IPAAnsibleModule, compare_args_ipa
+    IPAAnsibleModule, compare_args_ipa, boolean


 def find_pwpolicy(module, name):
@@ -359,17 +361,12 @@ def main():
    gracelimit = int_or_empty_param(gracelimit, "gracelimit")

    def bool_or_empty_param(value, param):  # pylint: disable=R1710
-        # As of Ansible 2.14, values True, False, Yes an No, with variable
-        # capitalization are accepted by Ansible.
-        if not value:
+        if value is None or value == "":
            return value
-        if value in ["TRUE", "True", "true", "YES", "Yes", "yes"]:
-            return True
-        if value in ["FALSE", "False", "false", "NO", "No", "no"]:
-            return False
-        ansible_module.fail_json(
-            msg="Invalid value '%s' for argument '%s'." % (value, param)
-        )
+        try:
+            return boolean(value)
+        except TypeError as terr:
+            ansible_module.fail_json(msg="Param '%s': %s" % (param, str(terr)))

    dictcheck = bool_or_empty_param(dictcheck, "dictcheck")
    usercheck = bool_or_empty_param(usercheck, "usercheck")