So far a datetime object was created for the expiration dates
krbpasswordexpiration and krbprincipalexpiration. This resulted in also
sending these objects to the API. With this change, the dates are
converted into strings using the LDAP_GENERALIZED_TIME_FORMAT defined in
ipalib.constants. This way only strings are used with the IPA API.
A new function has been added to ansible_freeipa_module:
- date_string: Convert datetime to gernalized time format string
This fuction is used on the result of user_show to convert the
expiration dates to the gernalized time format string.
The existing function date_format in ansible_freeipa_module has been
renamed to convert_date and fixed in the way that it also uses
date_string to return a gernalized time format string and not a
datetime object. This function was only used in the ipauser module so
far.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
New versions of pylint ignore Python 2 functions and types, evaluating
'unicode' as "undefined". ansible-freeipa will always define 'unicode'
when running under Python 3, and it is always defined under Python 2.
This patch fixes these false positives.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to ["randompassword"] as this is the only
parameter that is used from the data returned from the commands.
These are manager, principal, certificate and certmapdata.
The result_handler function has been adapted and the exception_handler
function has been removed.
A new function has been added:
convert_certificate
FreeIPA suports renaming user objects with the CLI parameter "rename",
and this parameter was missing in ansible-freeipa ipauser module.
This patch adds support for a new state 'renamed' and the 'rename'
parameter.
Tests were updated to cope with the changes.
Related to RHBZ#2234379, RHBZ#2234380
Fixes#1103
The parameter 'allow_empty_string' in 'module_params_get' is used to
allow an item in a list to be an empty string. The problem is that the
naming is misleading, as it is checking a list item rather than a
string.
This patch rename the parameter to 'allow_empty_list_item' so that it
more clearly refers to list itens instead of standalone strings, and do
not collide with future parameters that may test for empty strings which
are not part of lists.
If a playbook to ensure the existence of a user contains 'random:false'
and 'update_password: always' is executed twice, the second execution
will raise an exception due to "No modifications to perform", as there
is actually nothing to modify.
The fix for the issue is to remove 'random' if it is not set to true, as
setting it to 'false' would have no effect on the user object.
Related: https://issues.redhat.com/browse/RHEL-4934
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
Since FreeIPA version 4.8.0 ipauser has support for smb-logon-script,
smb-profile-path, smb-home-dir, and smb-home-drive drive attributes.
On FreeIPA, these attributes are only available when modifying a user,
so if the user defined in the playbook does not exist, two calls to IPA
API are executed, a 'user_add' followed by a 'user_mod'.
(see https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md
A new example playbook can be found at:
playbooks/user/smb-attributes.yml
A new test playbook can be found at:
tests/user/test_user_smb_attrs.yml
This patch adds a new parameter to ipauser, 'gecos', which can be used
to set the 'gecos' field of an IPA user. The default behavior of
automatically set the GECOS field to "<first> <last>" is not modified,
it is only possible to change the field to a custom value.
No validation on the value provided is done, as it is with FreeIPA.
The way how randompasswords are returned by the ipauser module depends
so far on the number of users that are handled by the module.
This is unexpected if for example a json file is provided with the users
parameter. As it might be unknown how many users are in the json file,
this behaviour is unexpected. The return should not vary in this case.
This chamge makes the return simply depend on the use of the users
paramater. As soon as this parameter is used, the return will always be:
"user": { "<the user>": { "randompassword": "<the user random password>" } }
In the simply case with one user it will be still
"user": { "randompassword": "<the user random password>" }
Fixes: #1052 (ipauser should consitently return randompasswords when
used with users)
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `elements: dict` needs to be given for list of dict parameters
- `aliases` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
RETURN section
- `contains` needs to be used instead of `options` for dicts
- `type: str` needs to be used for string parameters
argument_spec
- `elements="str"` needs to be added to all list of string parameters
- `no_log=False` or `no_log=True` needs to be set for all parameters
that have `password` in the name
The `copyright` date is extended with `-2022`.
Note:
The alias "login" was used for "users" instead of "users"->"name".
"login" is an alias for "name" if "users" is not used.
Before "short description" was used in most plugins, modules and also
in the new module templates.
ansible-doc was therefore not showing the short description. To fix the
issue the flag was renamed to short_description instead.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2121362
'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'
Attributes 'first' and 'last' are required if user does not exist, but
current documentation doesn't make it clear. This patch adds a note on
both attributes to make clear the cases where the attribute is required
Due to a change in 'ansible_freeipa_module.compare_args_ipa', playbook
parameters using empty strings are correctly evaluated, and do not need
to be removed before comparison is performed.
A new test playbook, with tests for clearing attributes with an empty
string ("") is available at:
tests/user/test_user_empty_lists.yml
The parameters userauthtype and sshpubkey allowing to use "" to reset to
the default value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working. An idempotency issue with sshpubkey has been found with the test
and fixed additionally.
When ensuring states 'undeleted', 'enabled', 'disabled', and 'unlocked'
the error messages for an unexistent user were not consistent.
This change changes the message for all states to "No user '%s'."
When trying to ensure 'state: absent' with 'preserved: yes' in ipauser,
after the first execution the playbook would fail with "user is already
present". Similar idempotence issue would happen when 'state: undelete'
was used.
This PR fixes both issues, and improve tests for the states where user
is preserved, enabled and disabled. The 'find_user' function now uses
IPA API 'user_show' instead of 'user_find' so that only the requested
user is actually returned.
These are indent issues, one item per line for argument_specs items
containing options dicts and missing or overflow spaces for comments
and dict delimiters.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
The no_members parameter is added to args for the api command. But
no_members is never part of res_find from user-show, therefore this
parameter needs to be ignored in compare_args_ipa.
This is needed to prevent an error in the idempotency test where a
user is ensured again with the same settings.
Added code to the ipa* plugins to support Ansible's check_mode, by
means of a clean exit before the execution of the actual list of
commands that would otherwise create/update/delete IPA servers
and/or its resources.
ansible-doc is reporting several issues in modules. Most of them have benn
due to misspelled description key word or due to use of multi line text
without the | in the description line.
It was possible to have several entries for names with the hosts and users
lists. This resulted sometimes in errors but also unexpected changes. A new
check has been added to make sure that the names in the users and hosts
lists are unique.
New tests have been added to verify this in the existing files:
- tests/host/test_hosts.yml
- tests/user/test_users.yml
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
