Merge pull request #779 from t-woerner/module_params_get_fail_empty_str_in_list

module_params_get*: Fail on empty string in string list parameters
2026-05-07 22:03:18 +00:00 · 2022-03-03 18:36:53 +05:30
parent d0402d7905 e30bcfd876
commit f0a71eda84
10 changed files with 529 additions and 19 deletions
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -398,11 +398,32 @@ else:

        return value

-    def module_params_get(module, name):
-        return _afm_convert(module.params.get(name))
-
-    def module_params_get_lowercase(module, name):
+    def module_params_get(module, name, allow_empty_string=False):
        value = _afm_convert(module.params.get(name))
+
+        # Fail on empty strings in the list or if allow_empty_string is True
+        # if there is another entry in the list together with the empty
+        # string.
+        # Due to an issue in Ansible it is possible to use the empty string
+        # "" for lists with choices, even if the empty list is not part of
+        # the choices.
+        # Ansible issue https://github.com/ansible/ansible/issues/77108
+        if isinstance(value, list):
+            for val in value:
+                if isinstance(val, (str, unicode)) and not val:
+                    if not allow_empty_string:
+                        module.fail_json(
+                            msg="Parameter '%s' contains an empty string" %
+                            name)
+                    elif len(value) > 1:
+                        module.fail_json(
+                            msg="Parameter '%s' may not contain another "
+                            "entry together with an empty string" % name)
+
+        return value
+
+    def module_params_get_lowercase(module, name, allow_empty_string=False):
+        value = module_params_get(module, name, allow_empty_string)
        if isinstance(value, list):
            value = [v.lower() for v in value]
        if isinstance(value, (str, unicode)):
@@ -897,7 +918,7 @@ else:
                finally:
                    temp_kdestroy(ccache_dir, ccache_name)

-        def params_get(self, name):
+        def params_get(self, name, allow_empty_string=False):
            """
            Retrieve value set for module parameter.

@@ -905,11 +926,13 @@ else:
            ----------
            name: string
                The name of the parameter to retrieve.
+            allow_empty_string: bool
+                The parameter allowes to have empty strings in a list

            """
-            return module_params_get(self, name)
+            return module_params_get(self, name, allow_empty_string)

-        def params_get_lowercase(self, name):
+        def params_get_lowercase(self, name, allow_empty_string=False):
            """
            Retrieve value set for module parameter as lowercase, if not None.

@@ -917,9 +940,11 @@ else:
            ----------
            name: string
                The name of the parameter to retrieve.
+            allow_empty_string: bool
+                The parameter allowes to have empty strings in a list

            """
-            return module_params_get_lowercase(self, name)
+            return module_params_get_lowercase(self, name, allow_empty_string)

        def params_fail_used_invalid(self, invalid_params, state, action=None):
            """
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -346,11 +346,13 @@ def main():
        "ca_renewal_master_server": "ca_renewal_master_server",
        "domain_resolution_order": "ipadomainresolutionorder"
    }
+    allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
    reverse_field_map = {v: k for k, v in field_map.items()}

    params = {}
    for x in field_map:
-        val = ansible_module.params_get(x)
+        val = ansible_module.params_get(
+            x, allow_empty_string=(x in allow_empty_string))

        if val is not None:
            params[field_map.get(x, x)] = val
@@ -401,6 +403,10 @@ def main():
                k: v for k, v in params.items()
                if k not in result or result[k] != v
            }
+            # Remove empty string args from params if result arg is not set
+            for k in ["ipakrbauthzdata", "ipauserauthtype", "ipaconfigstring"]:
+                if k not in result and k in params and params[k] == [""]:
+                    del params[k]
            if params \
               and not compare_args_ipa(ansible_module, params, result):
                changed = True
@@ -441,6 +447,13 @@ def main():
                            raise ValueError(
                                "Unexpected attribute type: %s" % arg_type)
                        exit_args[k] = type_map[arg_type](value)
+            # Add empty pac_type and user_auth_type if they are not set
+            for key in ["pac_type", "user_auth_type"]:
+                if key not in exit_args:
+                    exit_args[key] = ""
+            # Add empty domain_resolution_order if it is not set
+            if "domain_resolution_order" not in exit_args:
+                exit_args["domain_resolution_order"] = []

    # Done
    ansible_module.exit_json(changed=changed, config=exit_args)
--- a/plugins/modules/ipahost.py
+++ b/plugins/modules/ipahost.py
@@ -764,7 +764,7 @@ def main():
    mac_address = ansible_module.params_get("mac_address")
    sshpubkey = ansible_module.params_get("sshpubkey")
    userclass = ansible_module.params_get("userclass")
-    auth_ind = ansible_module.params_get("auth_ind")
+    auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
    requires_pre_auth = ansible_module.params_get("requires_pre_auth")
    ok_as_delegate = ansible_module.params_get("ok_as_delegate")
    ok_to_auth_as_delegate = ansible_module.params_get(
--- a/plugins/modules/ipaservice.py
+++ b/plugins/modules/ipaservice.py
@@ -50,13 +50,13 @@ options:
  pac_type:
    description: Supported PAC type.
    required: false
-    choices: ["MS-PAC", "PAD", "NONE"]
+    choices: ["MS-PAC", "PAD", "NONE", ""]
    type: list
    aliases: ["pac_type", "ipakrbauthzdata"]
  auth_ind:
    description: Defines a whitelist for Authentication Indicators.
    required: false
-    choices: ["otp", "radius", "pkinit", "hardened"]
+    choices: ["otp", "radius", "pkinit", "hardened", ""]
    aliases: ["krbprincipalauthind"]
  skip_host_check:
    description: Skip checking if host object exists.
@@ -356,7 +356,7 @@ def init_ansible_module():
            smb=dict(type="bool", required=False),
            netbiosname=dict(type="str", required=False),
            pac_type=dict(type="list", aliases=["ipakrbauthzdata"],
-                          choices=["MS-PAC", "PAD", "NONE"]),
+                          choices=["MS-PAC", "PAD", "NONE", ""]),
            auth_ind=dict(type="list",
                          aliases=["krbprincipalauthind"],
                          choices=["otp", "radius", "pkinit", "hardened", ""]),
@@ -420,8 +420,8 @@ def main():
    # service attributes
    principal = ansible_module.params_get("principal")
    certificate = ansible_module.params_get("certificate")
-    pac_type = ansible_module.params_get("pac_type")
-    auth_ind = ansible_module.params_get("auth_ind")
+    pac_type = ansible_module.params_get("pac_type", allow_empty_string=True)
+    auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
    skip_host_check = ansible_module.params_get("skip_host_check")
    force = ansible_module.params_get("force")
    requires_pre_auth = ansible_module.params_get("requires_pre_auth")
@@ -537,6 +537,15 @@ def main():
                            if remove in args:
                                del args[remove]

+                        if (
+                            "ipakrbauthzdata" in args
+                            and (
+                                args.get("ipakrbauthzdata", [""]) ==
+                                res_find.get("ipakrbauthzdata", [""])
+                            )
+                        ):
+                            del args["ipakrbauthzdata"]
+
                        if (
                            "krbprincipalauthind" in args
                            and (
--- a/plugins/modules/ipauser.py
+++ b/plugins/modules/ipauser.py
@@ -892,8 +892,10 @@ def main():
    title = ansible_module.params_get("title")
    manager = ansible_module.params_get("manager")
    carlicense = ansible_module.params_get("carlicense")
-    sshpubkey = ansible_module.params_get("sshpubkey")
-    userauthtype = ansible_module.params_get("userauthtype")
+    sshpubkey = ansible_module.params_get("sshpubkey",
+                                          allow_empty_string=True)
+    userauthtype = ansible_module.params_get("userauthtype",
+                                             allow_empty_string=True)
    userclass = ansible_module.params_get("userclass")
    radius = ansible_module.params_get("radius")
    radiususer = ansible_module.params_get("radiususer")
@@ -1101,6 +1103,13 @@ def main():
                        if "noprivate" in args:
                            del args["noprivate"]

+                        # Ignore sshpubkey if it is empty (for resetting)
+                        # and not set in for the user
+                        if "ipasshpubkey" not in res_find and \
+                           "ipasshpubkey" in args and \
+                           args["ipasshpubkey"] == ['']:
+                            del args["ipasshpubkey"]
+
                        # Ignore userauthtype if it is empty (for resetting)
                        # and not set in for the user
                        if "ipauserauthtype" not in res_find and \