ipaconfig: Validate emaildomain

When setting the default email domain, there was no validation on the
provide value. Using ipapython.validate.Email applies the same
validation method as implemented in IPA.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

plugins/module_utils/ansible_freeipa_module.py

@@ -33,7 +33,7 @@ __all__ = ["DEBUG_COMMAND_ALL", "DEBUG_COMMAND_LIST",
            "paths", "tasks", "get_credentials_if_valid", "Encoding",
            "DNSName", "getargspec", "certificate_loader",
            "write_certificate_list", "boolean", "template_str",
-           "urlparse", "normalize_sshpubkey"]
+           "urlparse", "normalize_sshpubkey", "Email"]
 
 DEBUG_COMMAND_ALL = 0b1111
 # Print the while command list:
@@ -116,6 +116,7 @@ try:
     from ipalib.krb_utils import get_credentials_if_valid
     from ipapython.dnsutil import DNSName
     from ipapython import kerberos
+    from ipapython.ipavalidate import Email
 
     try:
         from ipalib.x509 import Encoding

plugins/modules/ipaconfig.py

@@ -344,7 +344,7 @@ config:
 
 
 from ansible.module_utils.ansible_freeipa_module import \
-    IPAAnsibleModule, compare_args_ipa, ipalib_errors
+    IPAAnsibleModule, compare_args_ipa, ipalib_errors, Email
 
 
 def config_show(module):
@@ -515,6 +515,13 @@ def main():
                 msg="Argument '%s' must be between %d and %d."
                     % (arg, minimum, maximum))
 
+    # verify email domain
+    emaildomain = params.get("ipadefaultemaildomain", None)
+    if emaildomain:
+        if not Email("test@{0}".format(emaildomain)):
+            ansible_module.fail_json(
+                msg="Invalid 'emaildomain' value: %s" % emaildomain)
+
     changed = False
     exit_args = {}
 

roles/ipaclient/library/ipaclient_setup_nss.py

@@ -279,7 +279,6 @@ def main():
     options.no_sssd = False
     options.sssd = not options.no_sssd
     options.no_ac = False
-    options.dns_over_tls = False
     nosssd_files = module.params.get('nosssd_files')
     selinux_works = module.params.get('selinux_works')
     krb_name = module.params.get('krb_name')
@@ -377,12 +376,7 @@ def main():
             ssh_config_dir = paths.SSH_CONFIG_DIR
         else:
             ssh_config_dir = services.knownservices.sshd.get_config_dir()
-        argspec_update_ssh_keys = getargspec(update_ssh_keys)
+        update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)
-        # Hotfix for https://github.com/freeipa/freeipa/pull/7343
-        if "options" in argspec_update_ssh_keys.args:
-            update_ssh_keys(hostname, ssh_config_dir, options, cli_server[0])
-        else:
-            update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)
 
         try:
             os.remove(CCACHE_FILE)

roles/ipareplica/module_utils/ansible_ipa_replica.py

@@ -331,13 +331,6 @@ options.add_agents = False
 # ServerReplicaInstall
 options.subject_base = None
 options.ca_subject = None
-
-# Hotfix for https://github.com/freeipa/freeipa/pull/7343
-options.dns_over_tls = False
-options.dns_over_tls_key = None
-options.dns_over_tls_cert = None
-options.dot_forwarders = None
-options.dns_policy = None
 # pylint: enable=attribute-defined-outside-init
 
 

roles/ipaserver/module_utils/ansible_ipa_server.py

@@ -354,13 +354,6 @@ options.add_agents = False
 # no_msdcs is deprecated
 options.no_msdcs = False
 
-# Hotfix for https://github.com/freeipa/freeipa/pull/7343
-options.dns_over_tls = False
-options.dns_over_tls_key = None
-options.dns_over_tls_cert = None
-options.dot_forwarders = None
-options.dns_policy = None
-
 # For pylint
 options.external_cert_files = None
 options.dirsrv_cert_files = None

tests/config/test_config.yml

@@ -34,6 +34,16 @@
           ipaapi_context: "{{ ipa_context | default(omit) }}"
           emaildomain: ipa.test
 
+      - name: Ensure the default e-mail domain cannot be set to an invalid email domain.
+        ipaconfig:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          emaildomain: invalid@emaildomain
+        register: invalid_emaildomain
+        failed_when:
+          invalid_emaildomain.changed
+          or not (invalid_emaildomain.failed and "Invalid 'emaildomain' value:" in invalid_emaildomain.msg)
+
       - name: Set default shell to '/bin/sh'
         ipaconfig:
           ipaadmin_password: SomeADMINpassword