Fixes attempt to create rules with members when category is all.

Current implementation of hbacrule and sudorule allow for a new rule creation script to be partialy successful when a member is provided and the respective member category is set to `all` (either users, hosts, services, commands, and their group counterparts). Since the creation of the rule is independent of the adittion of members, the rule is succesfully created, but member addition fails, leaving with a created rule that has no members on it. This patch fixes both modules by verifying if user, host, service or commands (and groups of members) are being added if the corresponding category is set to `all`, when the state is `present` and the action is not `member`. If so, it fails before the rule is created.
2026-05-07 13:53:23 +00:00 · 2020-05-29 15:19:12 -03:00
parent 44af47d93a
commit cf54d139c2
4 changed files with 149 additions and 2 deletions
--- a/plugins/modules/ipahbacrule.py
+++ b/plugins/modules/ipahbacrule.py
@@ -270,6 +270,16 @@ def main():
                    ansible_module.fail_json(
                        msg="Argument '%s' can not be used with action "
                        "'%s'" % (x, action))
+        else:
+            if hostcategory == 'all' and any([host, hostgroup]):
+                ansible_module.fail_json(
+                    msg="Hosts cannot be added when host category='all'")
+            if usercategory == 'all' and any([user, group]):
+                ansible_module.fail_json(
+                    msg="Users cannot be added when user category='all'")
+            if servicecategory == 'all' and any([hbacsvc, hbacsvcgroup]):
+                ansible_module.fail_json(
+                    msg="Services cannot be added when service category='all'")

    elif state == "absent":
        if len(names) < 1:
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -339,6 +339,17 @@ def main():
                    ansible_module.fail_json(
                        msg="Argument '%s' can not be used with action "
                        "'%s'" % (arg, action))
+        else:
+            if hostcategory == 'all' and any([host, hostgroup]):
+                ansible_module.fail_json(
+                    msg="Hosts cannot be added when host category='all'")
+            if usercategory == 'all' and any([user, group]):
+                ansible_module.fail_json(
+                    msg="Users cannot be added when user category='all'")
+            if cmdcategory == 'all' \
+               and any([allow_sudocmd, allow_sudocmdgroup]):
+                ansible_module.fail_json(
+                    msg="Commands cannot be added when command category='all'")

    elif state == "absent":
        if len(names) < 1: