Merge pull request #596 from freeipa/automember_verify_condition_keys

automember: Verify condition keys
Merge pull request #597 from t-woerner/add_meta_runtime.yml_for_galaxy
2026-03-27 13:53:06 +00:00 · 2021-07-13 11:16:05 -03:00 · 2021-07-13 10:23:00 -03:00 · 2021-07-13 14:58:26 +02:00 · 2021-07-13 09:12:30 -03:00 · 2021-07-13 17:39:30 +05:30
4 changed files with 90 additions and 0 deletions
--- a/README-automember.md
+++ b/README-automember.md
@@ -127,6 +127,7 @@ Variable | Description | Required
 `automember_type` | Grouping to which the rule applies. It can be one of `group`, `hostgroup`. | yes
 `inclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': inclusive_regex}` | no
 `exclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': exclusive_regex}` | no
+`action` | Work on automember or member level. It can be one of `member` or `automember` and defaults to `automember`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no


--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -0,0 +1 @@
+requires_ansible: ">=2.9"
--- a/plugins/modules/ipaautomember.py
+++ b/plugins/modules/ipaautomember.py
@@ -185,6 +185,15 @@ def transform_conditions(conditions):
    return transformed


+def check_condition_keys(ansible_module, conditions, aciattrs):
+    if conditions is None:
+        return
+    for condition in conditions:
+        if condition["key"] not in aciattrs:
+            ansible_module.fail_json(
+                msg="Invalid automember condition key '%s'" % condition["key"])
+
+
 def main():
    ansible_module = AnsibleModule(
        argument_spec=dict(
@@ -274,6 +283,28 @@ def main():
            # Make sure automember rule exists
            res_find = find_automember(ansible_module, name, automember_type)

+            # Check inclusive and exclusive conditions
+            if inclusive is not None or exclusive is not None:
+                # automember_type is either "group" or "hostgorup"
+                if automember_type == "group":
+                    _type = "user"
+                elif automember_type == "hostgroup":
+                    _type = "host"
+                else:
+                    ansible_module.fail_json(
+                        msg="Bad automember type '%s'" % automember_type)
+
+                try:
+                    aciattrs = api_command(
+                        ansible_module, "json_metadata", to_text(_type), {}
+                    )['objects'][_type]['aciattrs']
+                except Exception as ex:
+                    ansible_module.fail_json(
+                        msg="%s: %s: %s" % ("json_metadata", _type, str(ex)))
+
+                check_condition_keys(ansible_module, inclusive, aciattrs)
+                check_condition_keys(ansible_module, exclusive, aciattrs)
+
            # Create command
            if state == 'present':
                args = gen_args(description, automember_type)
--- a/tests/automember/test_automember.yml
+++ b/tests/automember/test_automember.yml
@@ -164,6 +164,34 @@
    register: result
    failed_when: result.changed or result.failed

+  - name: Ensure testgroup group automember conditions fails on invalid inclusive key
+    ipaautomember:
+      ipaadmin_principal: admin
+      ipaadmin_password: SomeADMINpassword
+      name: testgroup
+      automember_type: group
+      inclusive:
+        - key: cns
+          expression: 'foo'
+      action: member
+    register: result
+    failed_when: result.changed or not result.failed or
+                 "Invalid automember condition key 'cns'" not in result.msg
+
+  - name: Ensure testgroup group automember conditions fails on invalid exlusive key
+    ipaautomember:
+      ipaadmin_principal: admin
+      ipaadmin_password: SomeADMINpassword
+      name: testgroup
+      automember_type: group
+      exclusive:
+        - key: cns
+          expression: 'foo'
+      action: member
+    register: result
+    failed_when: result.changed or not result.failed or
+                 "Invalid automember condition key 'cns'" not in result.msg
+
  - name: Ensure testhostgroup hostgroup automember rule is present
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
@@ -282,6 +310,35 @@
    register: result
    failed_when: result.changed or result.failed

+
+  - name: Ensure testhostgroup hostgroup automember conditions fails on invalid inclusive key
+    ipaautomember:
+      ipaadmin_principal: admin
+      ipaadmin_password: SomeADMINpassword
+      name: testhostgroup
+      automember_type: hostgroup
+      inclusive:
+        - key: cns
+          expression: 'foo'
+      action: member
+    register: result
+    failed_when: result.changed or not result.failed or
+                 "Invalid automember condition key 'cns'" not in result.msg
+
+  - name: Ensure testhostgroup hostgroup automember conditions fails on invalid exlusive key
+    ipaautomember:
+      ipaadmin_principal: admin
+      ipaadmin_password: SomeADMINpassword
+      name: testhostgroup
+      automember_type: hostgroup
+      exclusive:
+        - key: cns
+          expression: 'foo'
+      action: member
+    register: result
+    failed_when: result.changed or not result.failed or
+                 "Invalid automember condition key 'cns'" not in result.msg
+
  # CLEANUP TEST ITEMS

  - name: Ensure group testgroup is absent
Author	SHA1	Message	Date
Rafael Guterres Jeffman	0a1f289f3c	Merge pull request #596 from freeipa/automember_verify_condition_keys automember: Verify condition keys	2021-07-13 11:16:05 -03:00
Rafael Guterres Jeffman	949ad28b8c	Merge pull request #597 from t-woerner/add_meta_runtime.yml_for_galaxy New meta/runtime.yml for galaxy for requires_ansible	2021-07-13 10:23:00 -03:00
Thomas Woerner	382ee6ffa0	automember: Verify condition keys The automember_add_condition and automember_remove_condition commands are not verifying condition keys in all cases. This is for example not done in the removal case if a condition is not part of the automember rule. For consistent behaviour this needs to be done in the automember module now. The condition keys are verified with the user and group aciattrs returned by the API command json_metadata now. Related: RHBZ#1976926	2021-07-13 14:58:26 +02:00
Rafael Guterres Jeffman	1b70d8a0be	Merge pull request #595 from freeipa/ipaautomember_documantation_fix ipaautomember: Fix documentation.	2021-07-13 09:12:30 -03:00
Varun Mylaraiah	daf4aafb27	Update README-automember.md	2021-07-13 17:39:30 +05:30
Thomas Woerner	e1ad061a96	New meta/runtime.yml for galaxy for requires_ansible Galaxy now requires meta/runtime.yml to define requires_ansible. runtime.yml has been added with requires_ansible: ">=2.9"	2021-07-13 13:45:41 +02:00
Varun Mylaraiah	f785e8ba23	ipaautomember: Fix documentation. Missing variable "action" added in the automember module documentation.	2021-07-13 16:07:32 +05:30