ipaconfig: Set allow_empty_string for user_auth_type, pac_type, configstring

The parameters user_auth_type, pac_type and configstring are allowing to use "" to reset to the default value or for configstring to set an empty list. The new check in params_get is not allowing to use empty strings in lists, therefore allow_empty_string=True had to be added to the call. A test has been added to verify that the empty strings are supported and working. Additionally empty pac_type, user_auth_type and domain_resolution_order have been added to exit_args as if they have not been set.
2026-03-26 21:33:05 +00:00 · 2022-02-23 15:17:08 +01:00
parent abf0cc3251
commit e30bcfd876
2 changed files with 157 additions and 1 deletions
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -346,11 +346,13 @@ def main():
        "ca_renewal_master_server": "ca_renewal_master_server",
        "domain_resolution_order": "ipadomainresolutionorder"
    }
+    allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
    reverse_field_map = {v: k for k, v in field_map.items()}

    params = {}
    for x in field_map:
-        val = ansible_module.params_get(x)
+        val = ansible_module.params_get(
+            x, allow_empty_string=(x in allow_empty_string))

        if val is not None:
            params[field_map.get(x, x)] = val
@@ -401,6 +403,10 @@ def main():
                k: v for k, v in params.items()
                if k not in result or result[k] != v
            }
+            # Remove empty string args from params if result arg is not set
+            for k in ["ipakrbauthzdata", "ipauserauthtype", "ipaconfigstring"]:
+                if k not in result and k in params and params[k] == [""]:
+                    del params[k]
            if params \
               and not compare_args_ipa(ansible_module, params, result):
                changed = True
@@ -441,6 +447,13 @@ def main():
                            raise ValueError(
                                "Unexpected attribute type: %s" % arg_type)
                        exit_args[k] = type_map[arg_type](value)
+            # Add empty pac_type and user_auth_type if they are not set
+            for key in ["pac_type", "user_auth_type"]:
+                if key not in exit_args:
+                    exit_args[key] = ""
+            # Add empty domain_resolution_order if it is not set
+            if "domain_resolution_order" not in exit_args:
+                exit_args["domain_resolution_order"] = []

    # Done
    ansible_module.exit_json(changed=changed, config=exit_args)
--- a/tests/config/test_config_empty_string_params.yml
+++ b/tests/config/test_config_empty_string_params.yml
@@ -0,0 +1,143 @@
+---
+- name: Test config
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
+  become: yes
+  gather_facts: no
+
+  tasks:
+
+  # GET CURRENT CONFIG
+
+  - name: Return current values of the global configuration options
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+    register: previousconfig
+
+  - name: Ensure config with empty pac_type, user_auth_type and configstring
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type: ""
+      user_auth_type: ""
+      configstring: ""
+
+  # TESTS
+
+  - name: Ensure config with pac_type "nfs:NONE" and PAD
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type:
+      - "nfs:NONE"
+      - PAD
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with pac_type "nfs:NONE" and PAD, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type:
+      - "nfs:NONE"
+      - PAD
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with empty pac_type
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type: ""
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with empty pac_type, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type: ""
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with user_auth_type otp and radius
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      user_auth_type:
+      - otp
+      - radius
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with user_auth_type otp and radius, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      user_auth_type:
+      - otp
+      - radius
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with empty user_auth_type
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      user_auth_type: ""
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with empty user_auth_type, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      user_auth_type: ""
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with configstring AllowNThash and "KDC:Disable Lockout"
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      configstring:
+      - AllowNThash
+      - "KDC:Disable Lockout"
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with configstring AllowNThash and "KDC:Disable Lockout", again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      configstring:
+      - AllowNThash
+      - "KDC:Disable Lockout"
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure config with empty configstring
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      configstring: ""
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure config with empty configstring, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      configstring: ""
+    register: result
+    failed_when: result.changed or result.failed
+
+  # REVERT TO PREVIOUS CONFIG
+
+  - name: Reset to previous pac_type and user_auth_type
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      pac_type: '{{ previousconfig.config.pac_type }}'
+      user_auth_type: '{{ previousconfig.config.user_auth_type }}'
+      configstring: '{{ previousconfig.config.configstring }}'