Many module member attributes must be handled in a case insensitive
manner. To ease handling these cases, a function and a method to get
the module parameters converted to lowercase is provided.
This patch adds support for configuring IPA API connection use of
LDAP cache. It adds a new variable 'ipaapi_ldap_cache' to the base
module, and provides the variable documentation in its doc fragment.
This change adds a keyword parameter to api_connect() which can be
used to configure IPA API connection, for example, controlling the
use of LDAP cache, by passing 'ldap_cache' as an argument.
Also, IPAAnsibleModule is modified to automatically filter all
parameters of the module starting with 'ipaapi_' to be used as
arguments to configure api_connect(). The argument name will have
the same name as the module parameter with 'ipaapi_' stripped off.
Almost all modules require an algorithm ta validade if the user
provided arguments for the playbook are valid for the requested
state and/or action.
This patch provides a function that tests if any of a list of
arguments were set, and fail with a standardized message, making
all modules fail in the same way.
Add a new configuration variable, `ipaapi_context` to IPAAnsibleModule
base specs, accepting only 'server' or 'client' values.
By using this variable, an user can select the environment context in
which the module will execute, server or client. This change will allow
configuration of the server without requiring login access (e.g. `ssh`)
to the server.
The default behavior is to use a `server` context, but this behavior
can be modified by the plugin, if it sets the `context` parameter when
connecting to IPA API.
In the provided example for the class documentation, the parameters
passed to the `ipa_command` method were wrong, as a single list was
used instead of a parameter list.
The staticmethod member_error_handler is handing the default member
related failures that can occur for modules with member support.
This can simply be enabled with fail_on_member_errors=True for
execute_ipa_commands.
An exception handler is also now usable with execute_ipa_commands. In
addition to the the exception it is also getting the same user defined
arguments that the result_handler is getting.
handle_result has been renamed in result_handler and handle_result_user_args
has been renamed to handlers_user_args.
Additionally the errors list does not need to be defined in the module.
The method execute_ipa_commands is doing this internally and is also
adding error: error to handlers_user_args if the handler is having errors
in the argspec and errors is not yet set in handlers_user_args.
Tests have been added to make sure that no user args for the handler
have been set without an own result or exception handler. Also the use of
fail_on_member_errors together with a result_andler is leading to an
error.
Moved ipamodule_base_spec into IPAAnsibleModule.
This simplifies to add addtitional base vars to derived classes without
the need to dusplicae the code to extend argument_spec.
Removed execute_api_command.
This is not used anymore.
Removed get_ipamodule_base_vars.
This is not used anymore.
Removed self.ipaadmin_* and self.ccache_* from IPAAnsibleModule.__init__
These are not used and therefore can be removed.
execute_ipa_commands executes IPA API commands from the given command
list. With the handle_result and handle_result_user_args it is possible
to have a handling of the result return by the ipa commands for example
to return passwords.
Parameters
commands: list of string tuple
The list of commands in the form (name, command and args)
For commands that do not require a 'name', None needs be
used.
handle_result: function
The user function to handle results of the single commands
handle_result_user_args: dict (user args mapping)
The user args to pass to handle_result function
Example (ipauser module)
def handle_result(result, command, name, args, exit_args):
if "random" in args and command in ["user_add", "user_mod"] \
and "randompassword" in result["result"]:
exit_args.setdefault(name, {})["randompassword"] = \
result["result"]["randompassword"]
exit_args = {}
changed = module.execute_ipa_commands(commands, handle_result,
exit_args=exit_args)
if len(names) == 1:
ansible_module.exit_json(changed=changed,
user=exit_args[names[0]])
else:
ansible_module.exit_json(changed=changed, user=exit_args)
By making IPAAnsibleModule the base class of FreeIPABaseModule, instead
of AnsibleModule, some methods on FreeIPABaseModule can be removed and
suport for commom parameters in modules using the older class can use
the same commom parameters (ipaadmin_principal and ipaadmin_password)
as the other parameters. This will also allow easier deprecation of
FreeIPABaseModule, which is hard to maintain.
To be able to use IPAAnsibleModule as the base class, it was moved
within the file, to position before FreeIPABaseModule declaration.
This patch also modifies IPAAnsibleModule by:
* removing usage of `self` in methods not requiring it, turning
the methods into @statimethod;
* adding comments to all the methods in IPAAnsibleModule, which
makes it easier to understand what the individual methods do,
and what their parameters represent.
This class is an extended version of the Ansible Module that provides
IPA specific methods to simplify module generation.
Simple example:
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule
def main():
ansible_module = IPAAnsibleModule(
argument_spec=dict(
name=dict(type="str", aliases=["cn"], default=None),
state=dict(type="str", default="present",
choices=["present", "absent"]),
),
)
# Get parameters
name = ansible_module.params_get("name")
state = ansible_module.params_get("state")
# Connect to IPA API
with ansible_module.ipa_connect():
# Execute command
if state == "present":
ansible_module.ipa_command(["command_add", name, {}])
else:
ansible_module.ipa_command(["command_del", name, {}])
# Done
ansible_module.exit_json(changed=True)
if __name__ == "__main__":
main()
This PR sets pylint to version 2.10.2 in all linter actions, and
fixes code in plugins so that this version new checks are either
satisfied or ignored if needed.
There are common parameters in all modules like ipaadmin_principal and
ipaadmin_password. As this list of common parameters will be extended
soon, there is a need to reduce the code and documentation duplicates.
A ModuleDocFragment is added to provide the module documentation for the
common parameters. This is used in the modules with
extends_documentation_fragment.
ansible_freeipa_module has additional ipamodule_base_spec and
get_ipamodule_base_vars. ipamodule_base_spec extends argument_spec in
the module and get_ipamodule_base_vars is used to return a dict
containing the common parameters.
Single hostnames can be used for hbacrule_add_host and will match fqdn
in IPA internally. Simple host names have to be extended to be FQDN to
be able to compare them for _host_add and _host_remove.
Two new functions have been added to ansible_freeipa_module:
- api_get_domain - Get the domain from the api
- ensure_fqdn - Extend a single name with the domain
This fixes#617 - hbacrule_add_host: already a member
All ansible-freeipa modules should support 'check_mode: yes', but
the support for creating modules with this was absent in the base
class.
This patch adds such support, to use it, 'supports_check_mode=True'
must be passed to the constructor when creating the module object.
The new argument ignore has been added to compare_args_ipa to ignore
attributes while comparing attributes of the user args and the object
args returned from IPA find or show command.
This code is using changes from
- Wolskie in PR #392
- jake2184 in PR #486
Two new functions have been added for member management in plugins:
gen_add_list(user_list, res_list)
Generate the add list for addition of new members.
gen_intersection_list(user_list, res_list)
Generate the intersection list for removal of existing members.
gen_add_list should be used to add new members with action: members and
state: present. It is returning the difference of the user and res list
if the user list is not None.
gen_intersection_list should be used to remove existing members with
action: members and state: absent. It is returning the intersection of
the user and res list if the user list is not None.
There is a new server management module placed in the plugins folder:
plugins/modules/ipaserver.py
The server module allows to ensure presence and absence of servers. The
module requires an existing server, the deployment of a new server can
not be done with the module.
DNSName has been added to ansible_freeipa_module in plugins/module_utils
as this is used for locations.
Here is the documentation for the module:
README-server.md
New example playbooks have been added:
playbooks/server/server-absent-continue.yml
playbooks/server/server-absent-force.yml
playbooks/server/server-absent-ignore_last_of_role.yml
playbooks/server/server-absent-ignore_topology_disconnect.yml
playbooks/server/server-absent.yml
playbooks/server/server-hidden.yml
playbooks/server/server-location.yml
playbooks/server/server-no-location.yml
playbooks/server/server-no-service-weight.yml
playbooks/server/server-not-hidden.yml
playbooks/server/server-present.yml
playbooks/server/server-service-weight.yml
New tests for the module:
tests/server/test_server.yml
Change in module_utils/ansible_freeipa_module:
DNSName is imported from ipapython.dnsutil and also added to __all__
There were no test for the arguments of compare_args_ipa() to check
if they were `None`, and they were used in contexts where `None`
would raise exceptions.
A test was added to return `False` if only one of the parameters is
`None`, and `True` if both are None.
IPA translates exception messages and Ansible uses controller's
language to execute plugins on target hosts, and since ansible-freeipa
uses Exceptions messages to detect some errors and/or states, using any
language that has a translation for the required messages may cause the
plugin to misbehave.
This patch modifies ansible_freeipa_module in plugin/module_utils to
force the use of "C" as the language by setting the environment variable
LANGUAGE.
Tests were added to verify the correct behavior:
tests/environment/test_locale.yml
The first test will fail, if ansible_freeipa_module is not patched, with
the message:
host_show failed: nonexistent: host nicht gefunden
This issue is not present if the language selected does not provide
a translation for the eror message.
This patch does not fix encoding issues that might occur in certain
releases (e.g.: CentOS 8.3).
Fix#516
In FreeIPA CLI, The attributes `allow_query` and `allow_transfer` can
hold IPv4 or IPv6 address or network address, and the values `none` and
`any`.
This patch adds support for network addresses, `none` and `any`, which
were not supported.
Fix issue #475.
Some attribute values are only accepted for specific FreeIPA versions,
for example `self` for permission's `bindtype`. Although there are
options to check for command and parameter availability, there is no
check for verifying if a value should be accepted.
This patch add a function to evaluate the target FreeIPA host version,
by comparing a giver version to the current installed one.
The version evaluation uses Python packaging's version comparision,
which is compatible with PEP 440, if available. If not available, it
falls back to a string split, that will work for the most common cases,
but might fail for versions including strings with `rc` or `dev`, for
example.
Due to Ansible filtering out values in the output that might be match
values in sensible attributes that have `no_log` set, if a module need
to return data to the controller, it cannot rely on
`ansible_module.exit_json` if there is a chance that a partial match
may occur.
See: https://github.com/ansible/ansible/issues/71789
The change provided here uses the same implementation that is used on
Ansible's `AnsibleModule.exit_json`, without the data filtering layer,
so every attribute with be printed and, therefore, logged by Ansible.
This is needed for the Vault module, as we need to return values that
are explicit requested by the user and that might, at least partially,
match the values in attributes with `no_log` set.
Tests that reproduced the issue, and show it was fixed were provided
for all Vault types.
Modified support for processing result of IPA API commands so that
client code can define its own processing and add return values to
self.exit_args based on command result.
If a subclass need to process the result of IPA API commands it should
override the method `process_command_result`. The default implementation
will simply evaluate if `changed` should be true.
This PR allow ipadnszone module to ensure that multiple dns zones
are absent at once, to be consistent with other ansible-freeipa
modules.
To fix this issue, it was required that custom arguents must be
passed using keyword arguments so that `get_ipa_command_args()`
is kept generic.
When a fail_json is called a SystemExit exeception is raised.
Since the FreeIPABaseModule has an internal context manager to deal
with exceptions this ContextManager captures the SystemExit. After
dealing destroying the kinit session the SystemExit must be raised again
to allow the fail_json to work properly.
This function can be used to check if a command is available in the API.
This is used in ipauser module to check if user_add_certmapdata is available
in the API.
This function is needed to properly convert issuer and subject from a
certificate or the issuer and subject parameters in ipauser for certmapdata
to the data representation where the items in DN are reversed.
The function additionally provides a fallback solution for IPA < 4.5.
Certmapdata is not supported for IPA < 4.5, but the conversion is done
before the API version can be checked.
For certmapdata processing in ipauser it is needed to be able to load a cert
from a string given in the task to be able to get the issuer and subject of
the certificate. The format of the certifiacte here is lacking the markers
for the begin and end of the certificate. Therefore load_pem_x509_certificate
can not be used directly. Also in IPA < 4.5 it is needed to load the
certificate with load_certificate instead of load_pem_x509_certificate. The
function is implementing this properly.
Because of a missing check member attributes (for use with action: member)
are cleared when a non-member attribute is changed. The fix simply adds a
check for None (parameter not set) to gen_add_del_lists in
ansible_freeipa_module to make sure that the parameter is only changed if
it should be changed.
All places where the add and removal lists have been generated manually
have been changed to also use gen_add_del_lists.
Resolves: #252 (The "Manager" attribute is removed when updating any user
attribute)
