When searching for objects with *_show IPA API command, most plugins
were hiding errors other than "ipalib_errors.NotFound" by handling the
broad exception Exception instead.
This patch uses "ipalib_errors.NotFound" whenever "*_show" is used so
that the only exception handled is when an object is not found. Other
errors will not be handled making the module break as expected.
The parameter 'allow_empty_string' in 'module_params_get' is used to
allow an item in a list to be an empty string. The problem is that the
naming is misleading, as it is checking a list item rather than a
string.
This patch rename the parameter to 'allow_empty_list_item' so that it
more clearly refers to list itens instead of standalone strings, and do
not collide with future parameters that may test for empty strings which
are not part of lists.
Recent pylint versions warn against the use of an 'else' in a
'try-except' block if using a 'return' on the 'except' part is is the
idom used by ansible-freeipa when retrieving IPA data objects.
This change removes the usage of the 'else:' in such cases, and modify
the templates so that new modules do not have the same issue in the
future.
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
Current behavior of ipaconfig mimics FreeIPA CLI and requires that
'enable_sid' is set to True every time add_sids or netbios_name are
used. It is sufficient that SID generation is enabled to use add_sids
and netbios_name, but the IPA API requires 'enable_sid' so that the
operations are executed.
This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or
set 'netbios_name without requiring 'enable_sid' to be set on the
playbook.
If SID generation is enabled, 'add_sids' and 'netbios_name' can be used
without 'enable_sid: yes'. If SID generation is not enabled, an error
message will be raised if 'enable_sid: yes' is not used.
Ansible's fail_json() method required that the message paramater was
passed with a keyword parameter, rather than a positional one. Although
this seems to work with ansible-core 2.13+, it might not work with
previous versions of Ansible.
This patch fixes the behaviour for all supported Ansible versions.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `module` tag needs to be correct
- `type: str` needs to be set for string parameters
- `type: int` needs to be set for integer parameters
- `type: list` needs to be set for list parameters
- `type: string` is not valid and needs to be replaced by `type: str`
- `elements: str` needs to be given for list of string parameters
- `authors` needs to be given with the github user also: `Name (@user)`
RETURN section
- `contains` needs to be used instead of `options` for dicts
- `type: str` needs to be set for string parameters
- `type: int` needs to be set for integer parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `description` needs to be correct
argument_spec
- `elements="str"` needs to be added to all list of string parameters
The `copyright` date is extended with `-2022`.
Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable
and configure SIDs, and set the Netbios name.
This patch adds the following parameters to ipaconfig plugin:
enable_sids: New users and groups automatically get a SID assigned
add_sids: Add SIDs for existing users and groups
netbios_name: NetBIOS name of the IPA domain
Both add_sids and netbios_name requires 'enable_sid: yes'.
'enable_sid' and 'netbios_name' are returned when querying IPA
configuration.
'add_sids' always generate SIDs for users and groups, so, muiltiple
executions of the playbook with 'add_sids: yes' will return 'changed',
even if users and groups SIDs are not modified.
A new test playbook is available:
tests/config/test_config_sid.yml
New examples playbooks are available:
playbooks/config/change-ipa-domain-netbios-name.yml
playbooks/config/generate-users-groups-sids.yml
Fixes: #781
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184
FreeIPA 4.9.10+ and 4.10 use proper mapping for boolean values, and
only searching for "TRUE" does not work anymore.
This patch fix ipadnszone plugin and IPAParamMapping class handling
of boolean values.
The parameters user_auth_type, pac_type and configstring are allowing to
use "" to reset to the default value or for configstring to set an empty
list.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working.
Additionally empty pac_type, user_auth_type and domain_resolution_order
have been added to exit_args as if they have not been set.
These are indent issues, one item per line for argument_specs items
containing options dicts and missing or overflow spaces for comments
and dict delimiters.
When retrieving IPA configuration using ipaconfig module, a few
variables were not returning, and some data had the wrong data format.
This patch fix both issues and apply some refactoring, as data was
being retrieved from IPA API in different places using different
methods.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
Added code to the ipa* plugins to support Ansible's check_mode, by
means of a clean exit before the execution of the actual list of
commands that would otherwise create/update/delete IPA servers
and/or its resources.
This patch add support for the attributes `maxtostname` and
`ca_renewal_master_server` attributes that were missing and
also provide a more complete set of tests.
plugins/modules/ipaconfig.py
The config module allows the user change global config settings.
The config module is as compatible as possible to the Ansible upstream
ipa_config module, but adds many extra variables.
Here is the documentation for the module:
README-config.md
