internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-06 21:33:14 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #779 from t-woerner/module_params_get_fail_empty_str_in_list

Browse Source 
module_params_get*: Fail on empty string in string list parameters
This commit is contained in:
Varun Mylaraiah
2022-03-03 18:36:53 +05:30
committed by GitHub
parent d0402d7905 e30bcfd876
commit f0a71eda84
10 changed files with 529 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README-service.md
View File

@@ -293,8 +293,8 @@ Variable | Description | Required
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit` or `hardened`. Use empty string to reset auth_ind to the initial value. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no

41
plugins/module_utils/ansible_freeipa_module.py
View File

@@ -398,11 +398,32 @@ else:
return value
def module_params_get(module, name):
return _afm_convert(module.params.get(name))
def module_params_get_lowercase(module, name):
def module_params_get(module, name, allow_empty_string=False):
value = _afm_convert(module.params.get(name))
# Fail on empty strings in the list or if allow_empty_string is True
# if there is another entry in the list together with the empty
# string.
# Due to an issue in Ansible it is possible to use the empty string
# "" for lists with choices, even if the empty list is not part of
# the choices.
# Ansible issue https://github.com/ansible/ansible/issues/77108
if isinstance(value, list):
for val in value:
if isinstance(val, (str, unicode)) and not val:
if not allow_empty_string:
module.fail_json(
msg="Parameter '%s' contains an empty string" %
name)
elif len(value) > 1:
module.fail_json(
msg="Parameter '%s' may not contain another "
"entry together with an empty string" % name)
return value
def module_params_get_lowercase(module, name, allow_empty_string=False):
value = module_params_get(module, name, allow_empty_string)
if isinstance(value, list):
value = [v.lower() for v in value]
if isinstance(value, (str, unicode)):
@@ -897,7 +918,7 @@ else:
finally:
temp_kdestroy(ccache_dir, ccache_name)
def params_get(self, name):
def params_get(self, name, allow_empty_string=False):
"""
Retrieve value set for module parameter.
@@ -905,11 +926,13 @@ else:
----------
name: string
The name of the parameter to retrieve.
allow_empty_string: bool
The parameter allowes to have empty strings in a list
"""
return module_params_get(self, name)
return module_params_get(self, name, allow_empty_string)
def params_get_lowercase(self, name):
def params_get_lowercase(self, name, allow_empty_string=False):
"""
Retrieve value set for module parameter as lowercase, if not None.
@@ -917,9 +940,11 @@ else:
----------
name: string
The name of the parameter to retrieve.
allow_empty_string: bool
The parameter allowes to have empty strings in a list
"""
return module_params_get_lowercase(self, name)
return module_params_get_lowercase(self, name, allow_empty_string)
def params_fail_used_invalid(self, invalid_params, state, action=None):
"""

15
plugins/modules/ipaconfig.py
View File

@@ -346,11 +346,13 @@ def main():
"ca_renewal_master_server": "ca_renewal_master_server",
"domain_resolution_order": "ipadomainresolutionorder"
}
allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
reverse_field_map = {v: k for k, v in field_map.items()}
params = {}
for x in field_map:
val = ansible_module.params_get(x)
val = ansible_module.params_get(
x, allow_empty_string=(x in allow_empty_string))
if val is not None:
params[field_map.get(x, x)] = val
@@ -401,6 +403,10 @@ def main():
k: v for k, v in params.items()
if k not in result or result[k] != v
}
# Remove empty string args from params if result arg is not set
for k in ["ipakrbauthzdata", "ipauserauthtype", "ipaconfigstring"]:
if k not in result and k in params and params[k] == [""]:
del params[k]
if params \
and not compare_args_ipa(ansible_module, params, result):
changed = True
@@ -441,6 +447,13 @@ def main():
raise ValueError(
"Unexpected attribute type: %s" % arg_type)
exit_args[k] = type_map[arg_type](value)
# Add empty pac_type and user_auth_type if they are not set
for key in ["pac_type", "user_auth_type"]:
if key not in exit_args:
exit_args[key] = ""
# Add empty domain_resolution_order if it is not set
if "domain_resolution_order" not in exit_args:
exit_args["domain_resolution_order"] = []
# Done
ansible_module.exit_json(changed=changed, config=exit_args)

2
plugins/modules/ipahost.py
View File

@@ -764,7 +764,7 @@ def main():
mac_address = ansible_module.params_get("mac_address")
sshpubkey = ansible_module.params_get("sshpubkey")
userclass = ansible_module.params_get("userclass")
auth_ind = ansible_module.params_get("auth_ind")
auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
requires_pre_auth = ansible_module.params_get("requires_pre_auth")
ok_as_delegate = ansible_module.params_get("ok_as_delegate")
ok_to_auth_as_delegate = ansible_module.params_get(

19
plugins/modules/ipaservice.py
View File

@@ -50,13 +50,13 @@ options:
pac_type:
description: Supported PAC type.
required: false
choices: ["MS-PAC", "PAD", "NONE"]
choices: ["MS-PAC", "PAD", "NONE", ""]
type: list
aliases: ["pac_type", "ipakrbauthzdata"]
auth_ind:
description: Defines a whitelist for Authentication Indicators.
required: false
choices: ["otp", "radius", "pkinit", "hardened"]
choices: ["otp", "radius", "pkinit", "hardened", ""]
aliases: ["krbprincipalauthind"]
skip_host_check:
description: Skip checking if host object exists.
@@ -356,7 +356,7 @@ def init_ansible_module():
smb=dict(type="bool", required=False),
netbiosname=dict(type="str", required=False),
pac_type=dict(type="list", aliases=["ipakrbauthzdata"],
choices=["MS-PAC", "PAD", "NONE"]),
choices=["MS-PAC", "PAD", "NONE", ""]),
auth_ind=dict(type="list",
aliases=["krbprincipalauthind"],
choices=["otp", "radius", "pkinit", "hardened", ""]),
@@ -420,8 +420,8 @@ def main():
# service attributes
principal = ansible_module.params_get("principal")
certificate = ansible_module.params_get("certificate")
pac_type = ansible_module.params_get("pac_type")
auth_ind = ansible_module.params_get("auth_ind")
pac_type = ansible_module.params_get("pac_type", allow_empty_string=True)
auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
skip_host_check = ansible_module.params_get("skip_host_check")
force = ansible_module.params_get("force")
requires_pre_auth = ansible_module.params_get("requires_pre_auth")
@@ -537,6 +537,15 @@ def main():
if remove in args:
del args[remove]
if (
"ipakrbauthzdata" in args
and (
args.get("ipakrbauthzdata", [""]) ==
res_find.get("ipakrbauthzdata", [""])
)
):
del args["ipakrbauthzdata"]
if (
"krbprincipalauthind" in args
and (

13
plugins/modules/ipauser.py
View File

@@ -892,8 +892,10 @@ def main():
title = ansible_module.params_get("title")
manager = ansible_module.params_get("manager")
carlicense = ansible_module.params_get("carlicense")
sshpubkey = ansible_module.params_get("sshpubkey")
userauthtype = ansible_module.params_get("userauthtype")
sshpubkey = ansible_module.params_get("sshpubkey",
allow_empty_string=True)
userauthtype = ansible_module.params_get("userauthtype",
allow_empty_string=True)
userclass = ansible_module.params_get("userclass")
radius = ansible_module.params_get("radius")
radiususer = ansible_module.params_get("radiususer")
@@ -1101,6 +1103,13 @@ def main():
if "noprivate" in args:
del args["noprivate"]
# Ignore sshpubkey if it is empty (for resetting)
# and not set in for the user
if "ipasshpubkey" not in res_find and \
"ipasshpubkey" in args and \
args["ipasshpubkey"] == ['']:
del args["ipasshpubkey"]
# Ignore userauthtype if it is empty (for resetting)
# and not set in for the user
if "ipauserauthtype" not in res_find and \

143
tests/config/test_config_empty_string_params.yml Normal file
View File

@@ -0,0 +1,143 @@
---
- name: Test config
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: yes
gather_facts: no
tasks:
# GET CURRENT CONFIG
- name: Return current values of the global configuration options
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
register: previousconfig
- name: Ensure config with empty pac_type, user_auth_type and configstring
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
pac_type: ""
user_auth_type: ""
configstring: ""
# TESTS
- name: Ensure config with pac_type "nfs:NONE" and PAD
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
pac_type:
- "nfs:NONE"
- PAD
register: result
failed_when: not result.changed or result.failed
- name: Ensure config with pac_type "nfs:NONE" and PAD, again
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
pac_type:
- "nfs:NONE"
- PAD
register: result
failed_when: result.changed or result.failed
- name: Ensure config with empty pac_type
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
pac_type: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure config with empty pac_type, again
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
pac_type: ""
register: result
failed_when: result.changed or result.failed
- name: Ensure config with user_auth_type otp and radius
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
user_auth_type:
- otp
- radius
register: result
failed_when: not result.changed or result.failed
- name: Ensure config with user_auth_type otp and radius, again
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
user_auth_type:
- otp
- radius
register: result
failed_when: result.changed or result.failed
- name: Ensure config with empty user_auth_type
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
user_auth_type: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure config with empty user_auth_type, again
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
user_auth_type: ""
register: result
failed_when: result.changed or result.failed
- name: Ensure config with configstring AllowNThash and "KDC:Disable Lockout"
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
configstring:
- AllowNThash
- "KDC:Disable Lockout"
register: result
failed_when: not result.changed or result.failed
- name: Ensure config with configstring AllowNThash and "KDC:Disable Lockout", again
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
configstring:
- AllowNThash
- "KDC:Disable Lockout"
register: result
failed_when: result.changed or result.failed
- name: Ensure config with empty configstring
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
configstring: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure config with empty configstring, again
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
configstring: ""
register: result
failed_when: result.changed or result.failed
# REVERT TO PREVIOUS CONFIG
- name: Reset to previous pac_type and user_auth_type
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
pac_type: '{{ previousconfig.config.pac_type }}'
user_auth_type: '{{ previousconfig.config.user_auth_type }}'
configstring: '{{ previousconfig.config.configstring }}'

86
tests/host/test_host_empty_string_params.yml Normal file
View File

@@ -0,0 +1,86 @@
---
- name: Test host
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: yes
gather_facts: yes
tasks:
- name: Get Domain from server name
set_fact:
ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
when: ipaserver_domain is not defined
- name: Set host1_fqdn .. host6_fqdn
set_fact:
host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
# CLEANUP TEST ITEMS
- name: Ensure host "{{ host1_fqdn }}" absent
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
state: absent
# CREATE TEST ITEMS
- name: Ensure host "{{ host1_fqdn }}" present
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
force: yes
register: result
failed_when: not result.changed or result.failed
# TESTS
- name: Ensure host "{{ host1_fqdn }}" present with auth_ind otp and radius
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
auth_ind:
- otp
- radius
register: result
failed_when: not result.changed or result.failed
- name: Ensure host "{{ host1_fqdn }}" present with auth_ind otp and radius, again
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
auth_ind:
- otp
- radius
register: result
failed_when: result.changed or result.failed
- name: Ensure host "{{ host1_fqdn }}" present with empty auth_ind
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
auth_ind: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure host "{{ host1_fqdn }}" present with empty auth_ind, again
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
auth_ind: ""
register: result
failed_when: result.changed or result.failed
# CLEANUP TEST ITEMS
- name: Ensure host "{{ host1_fqdn }}" absent
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "{{ host1_fqdn }}"
state: absent

110
tests/service/test_service_empty_string_params.yml Normal file
View File

@@ -0,0 +1,110 @@
---
- name: Test service
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: yes
gather_facts: yes
tasks:
# CLEANUP TEST ITEMS
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is absent.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "test-service/{{ ansible_facts['fqdn'] }}"
continue: yes
state: absent
# CREATE TEST ITEMS
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
register: result
failed_when: not result.changed or result.failed
# TESTS
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with pac_type MS-PAC and PAD
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
pac_type:
- MS-PAC
- PAD
register: result
failed_when: not result.changed or result.failed
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with pac_type MS-PAC and PAD, again
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
pac_type:
- MS-PAC
- PAD
register: result
failed_when: result.changed or result.failed
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with empty pac_type
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
pac_type: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with empty pac_type, again
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
pac_type: ""
register: result
failed_when: result.changed or result.failed
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with auth_ind otp and radius
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
auth_ind:
- otp
- radius
register: result
failed_when: not result.changed or result.failed
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with auth_ind otp and radius, again
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
auth_ind:
- otp
- radius
register: result
failed_when: result.changed or result.failed
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with empty auth_ind
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
auth_ind: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with empty auth_ind, again
ipaservice:
ipaadmin_password: SomeADMINpassword
name: "test-service/{{ ansible_facts['fqdn'] }}"
auth_ind: ""
register: result
failed_when: result.changed or result.failed
# CLEANUP TEST ITEMS
- name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is absent.
ipaservice:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: "test-service/{{ ansible_facts['fqdn'] }}"
continue: yes
state: absent

115
tests/user/test_user_empty_string_params.yml Normal file
View File

@@ -0,0 +1,115 @@
---
- name: Test user
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: true
gather_facts: false
tasks:
# CLEANUP TEST ITEMS
- name: Ensure user testuser absent
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
state: absent
# CREATE TEST ITEMS
- name: Ensure user testuser present
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
first: test
last: user
register: result
failed_when: not result.changed or result.failed
# TESTS
- name: Ensure user testuser present with userauthtype password,radius,otp
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
userauthtype: password,radius,otp
register: result
failed_when: not result.changed or result.failed
- name: Ensure user testuser present with userauthtype password,radius,otp, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
userauthtype: password,radius,otp
register: result
failed_when: result.changed or result.failed
- name: Ensure user testuser present with empty userauthtype
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
userauthtype: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure user testuser present with empty userauthtype, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
userauthtype: ""
register: result
failed_when: result.changed or result.failed
- name: Ensure user testuser present with sshpubkey
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
sshpubkey:
# yamllint disable-line rule:line-length
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqmVDpEX5gnSjKuv97AyzOhaUMMKz8ahOA3GY77tVC4o68KNgMCmDSEG1/kOIaElngNLaCha3p/2iAcU9Bi1tLKUlm2bbO5NHNwHfRxY/3cJtq+/7D1vxJzqThYwI4F9vr1WxyY2+mMTv3pXbfAJoR8Mu06XaEY5PDetlDKjHLuNWF+/O7ZU8PsULTa1dJZFrtXeFpmUoLoGxQBvlrlcPI1zDciCSU24t27Zan5Py2l5QchyI7yhCyMM77KDtj5+AFVpmkb9+zq50rYJAyFVeyUvwjzErvQrKJzYpA0NyBp7vskWbt36M16/M/LxEK7HA6mkcakO3ESWx5MT1LAjvdlnxbWG3787MxweHXuB8CZU+9bZPFBaJ+VQtOfJ7I8eH0S16moPC4ak8FlcFvOH8ERDPWLFDqfy09yaZ7bVIF0//5ZI7Nf3YDe3S7GrBX5ieYuECyP6UNkTx9BRsAQeVvXEc6otzB7iCSnYBMGUGzCqeigoAWaVQUONsSR3Uatks= pinky@ipaserver.el81.local # noqa 204
register: result
failed_when: not result.changed or result.failed
- name: Ensure user testuser present with sshpubkey, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
sshpubkey:
# yamllint disable-line rule:line-length
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqmVDpEX5gnSjKuv97AyzOhaUMMKz8ahOA3GY77tVC4o68KNgMCmDSEG1/kOIaElngNLaCha3p/2iAcU9Bi1tLKUlm2bbO5NHNwHfRxY/3cJtq+/7D1vxJzqThYwI4F9vr1WxyY2+mMTv3pXbfAJoR8Mu06XaEY5PDetlDKjHLuNWF+/O7ZU8PsULTa1dJZFrtXeFpmUoLoGxQBvlrlcPI1zDciCSU24t27Zan5Py2l5QchyI7yhCyMM77KDtj5+AFVpmkb9+zq50rYJAyFVeyUvwjzErvQrKJzYpA0NyBp7vskWbt36M16/M/LxEK7HA6mkcakO3ESWx5MT1LAjvdlnxbWG3787MxweHXuB8CZU+9bZPFBaJ+VQtOfJ7I8eH0S16moPC4ak8FlcFvOH8ERDPWLFDqfy09yaZ7bVIF0//5ZI7Nf3YDe3S7GrBX5ieYuECyP6UNkTx9BRsAQeVvXEc6otzB7iCSnYBMGUGzCqeigoAWaVQUONsSR3Uatks= pinky@ipaserver.el81.local # noqa 204
register: result
failed_when: result.changed or result.failed
- name: Ensure user testuser present with empty sshpubkey
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
sshpubkey: ""
register: result
failed_when: not result.changed or result.failed
- name: Ensure user testuser present with empty sshpubkey, again
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
sshpubkey: ""
register: result
failed_when: result.changed or result.failed
# CLEANUP TEST ITEMS
- name: Ensure user testuser absent
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testuser
state: absent