Merge pull request #851 from rjeffman/dnszone_fix_bool_behavior

Fix handling of boolean values for FreeIPA 4.9.10+

plugins/module_utils/ansible_freeipa_module.py

@@ -29,7 +29,7 @@ __all__ = ["gssapi", "netaddr", "api", "ipalib_errors", "Env",
            "DEFAULT_CONFIG", "LDAP_GENERALIZED_TIME_FORMAT",
            "kinit_password", "kinit_keytab", "run", "DN", "VERSION",
            "paths", "get_credentials_if_valid", "Encoding",
-           "load_pem_x509_certificate", "DNSName"]
+           "load_pem_x509_certificate", "DNSName", "getargspec"]
 
 import sys
 
@@ -48,7 +48,28 @@ else:
     import gssapi
     from datetime import datetime
     from contextlib import contextmanager
-    import inspect
+
+    # Import getargspec from inspect or provide own getargspec for
+    # Python 2 compatibility with Python 3.11+.
+    try:
+        from inspect import getargspec
+    except ImportError:
+        from collections import namedtuple
+        from inspect import getfullargspec
+
+        # The code is copied from Python 3.10 inspect.py
+        # Authors: Ka-Ping Yee <ping@lfw.org>
+        #          Yury Selivanov <yselivanov@sprymix.com>
+        ArgSpec = namedtuple('ArgSpec', 'args varargs keywords defaults')
+
+        def getargspec(func):
+            args, varargs, varkw, defaults, kwonlyargs, _kwonlydefaults, \
+                ann = getfullargspec(func)
+            if kwonlyargs or ann:
+                raise ValueError(
+                    "Function has keyword-only parameters or annotations"
+                    ", use inspect.signature() API which can support them")
+            return ArgSpec(args, varargs, varkw, defaults)
 
     # ansible-freeipa requires locale to be C, IPA requires utf-8.
     os.environ["LANGUAGE"] = "C"
@@ -67,9 +88,15 @@ else:
                 """
                 Split a version string A.B.C, into a tuple.
 
-                This will not work for `rc`, `dev` or similar version string.
+                This will not work for `rc`, `dev` or similar.
                 """
-                return tuple(re.split("[-_.]", version_str))  # noqa: W605
+                try:
+                    _version = tuple(
+                        (int(x) for x in re.split("[-_.]", version_str))
+                    )
+                except ValueError:
+                    _version = tuple(re.split("[-_.]", version_str))
+                return _version
 
     from ipalib import api
     from ipalib import errors as ipalib_errors  # noqa
@@ -845,7 +872,10 @@ else:
                 # Check if param_name is actually a param
                 if param_name in self.ansible_module.params:
                     value = self.ansible_module.params_get(param_name)
-                    if isinstance(value, bool):
+                    if (
+                        self.ansible_module.ipa_check_version("<", "4.9.10")
+                        and isinstance(value, bool)
+                    ):
                         value = "TRUE" if value else "FALSE"
 
                 # Since param wasn't a param check if it's a method name
@@ -1228,7 +1258,7 @@ else:
             elif result_handler is not None:
                 if "errors" not in handlers_user_args:
                     # pylint: disable=deprecated-method
-                    argspec = inspect.getargspec(result_handler)
+                    argspec = getargspec(result_handler)
                     if "errors" in argspec.args:
                         handlers_user_args["errors"] = _errors
 

plugins/modules/ipaconfig.py

@@ -441,7 +441,11 @@ def main():
                     elif (
                         isinstance(value, (tuple, list)) and arg_type == "bool"
                     ):
-                        exit_args[k] = (value[0] == "TRUE")
+                        # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                        # boolean values, so we need to convert it to str
+                        # for comparison.
+                        # See: https://github.com/freeipa/freeipa/pull/6294
+                        exit_args[k] = (str(value[0]).upper() == "TRUE")
                     else:
                         if arg_type not in type_map:
                             raise ValueError(

plugins/modules/ipadnsforwardzone.py

@@ -344,7 +344,13 @@ def main():
 
             if state in ['enabled', 'disabled']:
                 if existing_resource is not None:
-                    is_enabled = existing_resource["idnszoneactive"][0]
+                    # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                    # boolean values, so we need to convert it to str
+                    # for comparison.
+                    # See: https://github.com/freeipa/freeipa/pull/6294
+                    is_enabled = (
+                        str(existing_resource["idnszoneactive"][0]).upper()
+                    )
                 else:
                     ansible_module.fail_json(
                         msg="dnsforwardzone '%s' not found." % (name))

plugins/modules/ipadnszone.py

@@ -418,7 +418,11 @@ class DNSZoneModule(IPAAnsibleModule):
             is_zone_active = False
         else:
             zone = response["result"]
-            is_zone_active = "TRUE" in zone.get("idnszoneactive")
+            # FreeIPA 4.9.10+ and 4.10 use proper mapping for boolean vaalues.
+            # See: https://github.com/freeipa/freeipa/pull/6294
+            is_zone_active = (
+                str(zone.get("idnszoneactive")[0]).upper() == "TRUE"
+            )
 
         return zone, is_zone_active
 

plugins/modules/ipahbacrule.py

@@ -472,18 +472,26 @@ def main():
                 # hbacrule_enable is not failing on an enabled hbacrule
                 # Therefore it is needed to have a look at the ipaenabledflag
                 # in res_find.
-                if "ipaenabledflag" not in res_find or \
-                   res_find["ipaenabledflag"][0] != "TRUE":
+                # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                # boolean values, so we need to convert it to str
+                # for comparison.
+                # See: https://github.com/freeipa/freeipa/pull/6294
+                enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
+                if enabled_flag.upper() != "TRUE":
                     commands.append([name, "hbacrule_enable", {}])
 
             elif state == "disabled":
                 if res_find is None:
                     ansible_module.fail_json(msg="No hbacrule '%s'" % name)
-                # hbacrule_disable is not failing on an disabled hbacrule
+                # hbacrule_disable is not failing on an enabled hbacrule
                 # Therefore it is needed to have a look at the ipaenabledflag
                 # in res_find.
-                if "ipaenabledflag" not in res_find or \
-                   res_find["ipaenabledflag"][0] != "FALSE":
+                # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                # boolean values, so we need to convert it to str
+                # for comparison.
+                # See: https://github.com/freeipa/freeipa/pull/6294
+                enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
+                if enabled_flag.upper() != "FALSE":
                     commands.append([name, "hbacrule_disable", {}])
 
             else:

plugins/modules/ipasudorule.py

@@ -656,8 +656,12 @@ def main():
                 # sudorule_enable is not failing on an enabled sudorule
                 # Therefore it is needed to have a look at the ipaenabledflag
                 # in res_find.
-                if "ipaenabledflag" not in res_find or \
-                   res_find["ipaenabledflag"][0] != "TRUE":
+                # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                # boolean values, so we need to convert it to str
+                # for comparison.
+                # See: https://github.com/freeipa/freeipa/pull/6294
+                enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
+                if enabled_flag.upper() != "TRUE":
                     commands.append([name, "sudorule_enable", {}])
 
             elif state == "disabled":
@@ -666,8 +670,12 @@ def main():
                 # sudorule_disable is not failing on an disabled sudorule
                 # Therefore it is needed to have a look at the ipaenabledflag
                 # in res_find.
-                if "ipaenabledflag" not in res_find or \
-                   res_find["ipaenabledflag"][0] != "FALSE":
+                # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                # boolean values, so we need to convert it to str
+                # for comparison.
+                # See: https://github.com/freeipa/freeipa/pull/6294
+                enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
+                if enabled_flag.upper() != "FALSE":
                     commands.append([name, "sudorule_disable", {}])
 
             else:

roles/ipaclient/library/ipaclient_api.py

@@ -75,7 +75,6 @@ subject_base:
 '''
 
 import os
-import inspect
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import (
@@ -83,7 +82,7 @@ from ansible.module_utils.ansible_ipa_client import (
     paths, x509, NUM_VERSION, serialization, certdb, api,
     delete_persistent_client_session_data, write_tmp_file,
     ipa_generate_password, CalledProcessError, errors, disable_ra, DN,
-    CLIENT_INSTALL_ERROR, logger
+    CLIENT_INSTALL_ERROR, logger, getargspec
 )
 
 
@@ -134,7 +133,7 @@ def main():
         # Add CA certs to a temporary NSS database
         try:
             # pylint: disable=deprecated-method
-            argspec = inspect.getargspec(tmp_db.create_db)
+            argspec = getargspec(tmp_db.create_db)
             # pylint: enable=deprecated-method
             if "password_filename" not in argspec.args:
                 tmp_db.create_db()

roles/ipaclient/library/ipaclient_setup_nis.py

@@ -57,11 +57,10 @@ EXAMPLES = '''
 RETURN = '''
 '''
 
-import inspect
-
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import (
-    setup_logging, options, sysrestore, paths, configure_nisdomain
+    setup_logging, options, sysrestore, paths, configure_nisdomain,
+    getargspec
 )
 
 
@@ -83,7 +82,7 @@ def main():
     statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
 
     # pylint: disable=deprecated-method
-    argspec = inspect.getargspec(configure_nisdomain)
+    argspec = getargspec(configure_nisdomain)
     # pylint: enable=deprecated-method
     if "statestore" not in argspec.args:
         # NUM_VERSION < 40500:

roles/ipaclient/library/ipaclient_setup_nss.py

@@ -141,7 +141,6 @@ RETURN = '''
 
 import os
 import time
-import inspect
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import (
@@ -151,7 +150,7 @@ from ansible.module_utils.ansible_ipa_client import (
     get_certs_from_ldap, DN, certstore, x509, logger, certdb,
     CalledProcessError, tasks, client_dns, configure_certmonger, services,
     update_ssh_keys, save_state, configure_ldap_conf, configure_nslcd_conf,
-    configure_openldap_conf, hardcode_ldap_server
+    configure_openldap_conf, hardcode_ldap_server, getargspec
 )
 
 
@@ -323,7 +322,7 @@ def main():
             pass
 
         # pylint: disable=deprecated-method
-        argspec_save_state = inspect.getargspec(save_state)
+        argspec_save_state = getargspec(save_state)
 
         # Name Server Caching Daemon. Disable for SSSD, use otherwise
         # (if installed)
@@ -387,7 +386,7 @@ def main():
         if not options.no_ac:
             # Modify nsswitch/pam stack
             # pylint: disable=deprecated-method
-            argspec = inspect.getargspec(tasks.modify_nsswitch_pam_stack)
+            argspec = getargspec(tasks.modify_nsswitch_pam_stack)
             if "sudo" in argspec.args:
                 tasks.modify_nsswitch_pam_stack(
                     sssd=options.sssd,

roles/ipaclient/library/ipaclient_setup_ntp.py

@@ -66,13 +66,11 @@ EXAMPLES = '''
 RETURN = '''
 '''
 
-import inspect
-
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import (
     setup_logging,
     options, sysrestore, paths, sync_time, logger, ipadiscovery,
-    timeconf
+    timeconf, getargspec
 )
 
 
@@ -114,7 +112,7 @@ def main():
         if options.conf_ntp:
             # Attempt to configure and sync time with NTP server (chrony).
             # pylint: disable=deprecated-method
-            argspec = inspect.getargspec(sync_time)
+            argspec = getargspec(sync_time)
             # pylint: enable=deprecated-method
             if "options" not in argspec.args:
                 synced_ntp = sync_time(options.ntp_servers, options.ntp_pool,

roles/ipaclient/library/ipaclient_test.py

@@ -197,7 +197,6 @@ nosssd_files:
 
 import os
 import socket
-import inspect
 
 try:
     from ansible.module_utils.six.moves.configparser import RawConfigParser
@@ -212,7 +211,7 @@ from ansible.module_utils.ansible_ipa_client import (
     CLIENT_INSTALL_ERROR, tasks, check_ldap_conf, timeconf, constants,
     validate_hostname, nssldap_exists, gssapi, remove_file,
     check_ip_addresses, ipadiscovery, print_port_conf_info,
-    IPA_PYTHON_VERSION
+    IPA_PYTHON_VERSION, getargspec
 )
 
 
@@ -344,7 +343,7 @@ def main():
 
         if options.realm_name:
             # pylint: disable=deprecated-method
-            argspec = inspect.getargspec(validate_domain_name)
+            argspec = getargspec(validate_domain_name)
             if "entity" in argspec.args:
                 # NUM_VERSION >= 40690:
                 validate_domain_name(options.realm_name, entity="realm")

roles/ipaclient/module_utils/ansible_ipa_client.py

@@ -46,7 +46,7 @@ __all__ = ["gssapi", "version", "ipadiscovery", "api", "errors", "x509",
            "configure_nslcd_conf", "configure_ssh_config",
            "configure_sshd_config", "configure_automount",
            "configure_firefox", "sync_time", "check_ldap_conf",
-           "sssd_enable_ifp"]
+           "sssd_enable_ifp", "getargspec"]
 
 import sys
 
@@ -110,10 +110,31 @@ else:
         # IPA version >= 4.4
 
         # import sys
-        import inspect
         import gssapi
         import logging
 
+        # Import getargspec from inspect or provide own getargspec for
+        # Python 2 compatibility with Python 3.11+.
+        try:
+            from inspect import getargspec
+        except ImportError:
+            from collections import namedtuple
+            from inspect import getfullargspec
+
+            # The code is copied from Python 3.10 inspect.py
+            # Authors: Ka-Ping Yee <ping@lfw.org>
+            #          Yury Selivanov <yselivanov@sprymix.com>
+            ArgSpec = namedtuple('ArgSpec', 'args varargs keywords defaults')
+
+            def getargspec(func):
+                args, varargs, varkw, defaults, kwonlyargs, _kwonlydefaults, \
+                    ann = getfullargspec(func)
+                if kwonlyargs or ann:
+                    raise ValueError(
+                        "Function has keyword-only parameters or annotations"
+                        ", use inspect.signature() API which can support them")
+                return ArgSpec(args, varargs, varkw, defaults)
+
         from ipapython import version
         try:
             from ipaclient.install import ipadiscovery
@@ -200,7 +221,7 @@ else:
             sys.path.remove(temp_dir)
 
             # pylint: disable=deprecated-method
-            argspec = inspect.getargspec(
+            argspec = getargspec(
                 ipa_client_install.configure_krb5_conf)
             if argspec.keywords is None:
                 def configure_krb5_conf(
@@ -240,7 +261,7 @@ else:
             create_ipa_nssdb = certdb.create_ipa_nssdb
 
             argspec = \
-                inspect.getargspec(ipa_client_install.configure_nisdomain)
+                getargspec(ipa_client_install.configure_nisdomain)
             if len(argspec.args) == 3:
                 configure_nisdomain = ipa_client_install.configure_nisdomain
             else:

roles/ipareplica/library/ipareplica_custodia_import_dm_password.py

@@ -96,13 +96,13 @@ RETURN = '''
 '''
 
 import os
-import inspect
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_replica import (
     AnsibleModuleLog, setup_logging, installer, DN, paths,
     gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
-    gen_ReplicaConfig, gen_remote_api, redirect_stdout, custodiainstance
+    gen_ReplicaConfig, gen_remote_api, redirect_stdout, custodiainstance,
+    getargspec
 )
 
 
@@ -200,7 +200,7 @@ def main():
         ansible_log.debug("-- CUSTODIA IMPORT DM PASSWORD --")
 
         # pylint: disable=deprecated-method
-        argspec = inspect.getargspec(custodia.import_dm_password)
+        argspec = getargspec(custodia.import_dm_password)
         # pylint: enable=deprecated-method
         if "master_host_name" in argspec.args:
             custodia.import_dm_password(config.master_host_name)

roles/ipareplica/library/ipareplica_prepare.py

@@ -351,6 +351,12 @@ def main():
     options.server = ansible_module.params.get('server')
     options.skip_conncheck = ansible_module.params.get('skip_conncheck')
 
+    # random serial numbers are master_only, therefore setting to False
+    options.random_serial_numbers = False
+    # options._random_serial_numbers is generated by ca.install_check and
+    # later used by ca.install in the _setup_ca module.
+    options._random_serial_numbers = False
+
     # init #
 
     fstore = sysrestore.FileStore(paths.SYSRESTORE)
@@ -838,6 +844,7 @@ def main():
         _http_ca_cert=http_ca_cert,
         _pkinit_pkcs12_info=pkinit_pkcs12_info,
         _pkinit_ca_cert=pkinit_ca_cert,
+        _random_serial_numbers=options._random_serial_numbers,
         no_dnssec_validation=options.no_dnssec_validation,
         config_setup_ca=config.setup_ca,
         config_master_host_name=config.master_host_name,

roles/ipareplica/library/ipareplica_setup_ca.py

@@ -85,6 +85,9 @@ options:
   _subject_base:
     description: The installer _subject_base setting
     required: no
+  _random_serial_numbers:
+    description: The installer _random_serial_numbers setting
+    required: yes
   dirman_password:
     description: Directory Manager (master) password
     required: no
@@ -144,6 +147,7 @@ def main():
             _top_dir=dict(required=True),
             _ca_subject=dict(required=True),
             _subject_base=dict(required=True),
+            _random_serial_numbers=dict(required=True),
             dirman_password=dict(required=True, no_log=True),
             config_setup_ca=dict(required=True, type='bool'),
             config_master_host_name=dict(required=True),
@@ -190,6 +194,8 @@ def main():
     options._subject_base = ansible_module.params.get('_subject_base')
     if options._subject_base is not None:
         options._subject_base = DN(options._subject_base)
+    options._random_serial_numbers = ansible_module.params.get(
+        '_random_serial_numbers')
     dirman_password = ansible_module.params.get('dirman_password')
     config_setup_ca = ansible_module.params.get('config_setup_ca')
     config_master_host_name = ansible_module.params.get(

roles/ipareplica/library/ipareplica_setup_ds.py

@@ -149,7 +149,6 @@ RETURN = '''
 '''
 
 import os
-import inspect
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_replica import (
@@ -157,7 +156,8 @@ from ansible.module_utils.ansible_ipa_replica import (
     ansible_module_get_parsed_ip_addresses,
     gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
     gen_ReplicaConfig, gen_remote_api, redirect_stdout, ipaldap,
-    install_replica_ds, install_dns_records, ntpinstance, ScriptError
+    install_replica_ds, install_dns_records, ntpinstance, ScriptError,
+    getargspec
 )
 
 
@@ -317,7 +317,7 @@ def main():
         # Configure dirsrv
         with redirect_stdout(ansible_log):
             # pylint: disable=deprecated-method
-            argspec = inspect.getargspec(install_replica_ds)
+            argspec = getargspec(install_replica_ds)
             # pylint: enable=deprecated-method
             if "promote" in argspec.args:
                 ds = install_replica_ds(config, options, ca_enabled,
@@ -343,7 +343,7 @@ def main():
         # pylint: enable=deprecated-method
         # Always try to install DNS records
         # pylint: disable=deprecated-method
-        argspec = inspect.getargspec(install_dns_records)
+        argspec = getargspec(install_dns_records)
         # pylint: enable=deprecated-method
         if "fstore" not in argspec.args:
             install_dns_records(config, options, remote_api)

roles/ipareplica/library/ipareplica_setup_http.py

@@ -90,14 +90,13 @@ RETURN = '''
 '''
 
 import os
-import inspect
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_replica import (
     AnsibleModuleLog, setup_logging, installer, DN, paths, sysrestore,
     gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
     gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, create_ipa_conf,
-    install_http
+    install_http, getargspec
 )
 
 
@@ -203,7 +202,7 @@ def main():
                         master=config.master_host_name)
 
         # pylint: disable=deprecated-method
-        argspec = inspect.getargspec(install_http)
+        argspec = getargspec(install_http)
         # pylint: enable=deprecated-method
         if "promote" in argspec.args:
             install_http(

roles/ipareplica/library/ipareplica_setup_krb.py

@@ -78,13 +78,12 @@ RETURN = '''
 '''
 
 import os
-import inspect
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_replica import (
     AnsibleModuleLog, setup_logging, installer, DN, paths, sysrestore,
     gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
-    gen_ReplicaConfig, api, redirect_stdout, install_krb
+    gen_ReplicaConfig, api, redirect_stdout, install_krb, getargspec
 )
 
 
@@ -162,7 +161,7 @@ def main():
 
     with redirect_stdout(ansible_log):
         # pylint: disable=deprecated-method
-        argspec = inspect.getargspec(install_krb)
+        argspec = getargspec(install_krb)
         # pylint: enable=deprecated-method
         if "promote" in argspec.args:
             install_krb(

roles/ipareplica/library/ipareplica_test.py

@@ -136,7 +136,6 @@ RETURN = '''
 '''
 
 import os
-import inspect
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_replica import (
@@ -144,7 +143,7 @@ from ansible.module_utils.ansible_ipa_replica import (
     ansible_module_get_parsed_ip_addresses, service,
     redirect_stdout, create_ipa_conf, ipautil,
     x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION
+    IPA_PYTHON_VERSION, getargspec
 )
 
 
@@ -287,7 +286,7 @@ def main():
     # create_ipa_conf has the additional master argument.
     change_master_for_certmonger = False
     # pylint: disable=deprecated-method
-    argspec = inspect.getargspec(create_ipa_conf)
+    argspec = getargspec(create_ipa_conf)
     # pylint: enable=deprecated-method
     if "master" in argspec.args:
         change_master_for_certmonger = True
@@ -421,7 +420,7 @@ def main():
     try:
         with redirect_stdout(ansible_log):
             # pylint: disable=deprecated-method
-            argspec = inspect.getargspec(common_check)
+            argspec = getargspec(common_check)
             # pylint: enable=deprecated-method
             if "skip_mem_check" in argspec.args:
                 common_check(options.no_ntp, options.skip_mem_check,

roles/ipareplica/module_utils/ansible_ipa_replica.py

@@ -46,7 +46,7 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
            "common_check", "current_domain_level",
            "check_domain_level_is_supported", "promotion_check_ipa_domain",
            "SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
-           "dnsname", "kernel_keyring", "krbinstance"]
+           "dnsname", "kernel_keyring", "krbinstance", "getargspec"]
 
 import sys
 
@@ -59,6 +59,28 @@ else:
     import logging
     from contextlib import contextmanager as contextlib_contextmanager
 
+    # Import getargspec from inspect or provide own getargspec for
+    # Python 2 compatibility with Python 3.11+.
+    try:
+        from inspect import getargspec
+    except ImportError:
+        from collections import namedtuple
+        from inspect import getfullargspec
+
+        # The code is copied from Python 3.10 inspect.py
+        # Authors: Ka-Ping Yee <ping@lfw.org>
+        #          Yury Selivanov <yselivanov@sprymix.com>
+        ArgSpec = namedtuple('ArgSpec', 'args varargs keywords defaults')
+
+        def getargspec(func):
+            args, varargs, varkw, defaults, kwonlyargs, _kwonlydefaults, \
+                ann = getfullargspec(func)
+            if kwonlyargs or ann:
+                raise ValueError(
+                    "Function has keyword-only parameters or annotations"
+                    ", use inspect.signature() API which can support them")
+            return ArgSpec(args, varargs, varkw, defaults)
+
     from ipapython.version import NUM_VERSION, VERSION
 
     if NUM_VERSION < 30201:

roles/ipareplica/tasks/install.yml

@@ -557,6 +557,7 @@
       _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
       _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
+      _random_serial_numbers: "{{ result_ipareplica_prepare._random_serial_numbers }}"
       dirman_password: "{{ ipareplica_dirman_password }}"
       config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
       config_master_host_name:

roles/ipaserver/library/ipaserver_prepare.py

@@ -213,6 +213,8 @@ def main():
 
             # additional
             setup_ca=dict(required=False, type='bool', default=False),
+            random_serial_numbers=dict(required=False, type='bool',
+                                       default=False),
             _hostname_overridden=dict(required=False, type='bool',
                                       default=False),
         ),
@@ -225,9 +227,11 @@ def main():
 
     # initialize return values for flake ############################
 
-    # These are set by ca.install_check
+    # These are set by ca.install_check and need to be passed to ca.install
+    # in the _setup_ca module and also some others.
     options._subject_base = None
     options._ca_subject = None
+    options._random_serial_numbers = None
 
     # set values ####################################################
 
@@ -277,6 +281,8 @@ def main():
     options.netbios_name = ansible_module.params.get('netbios_name')
     # additional
     options.setup_ca = ansible_module.params.get('setup_ca')
+    options.random_serial_numbers = ansible_module.params.get(
+        'random_serial_numbers')
     options._host_name_overridden = ansible_module.params.get(
         '_hostname_overridden')
     options.kasp_db_file = None
@@ -405,6 +411,7 @@ def main():
         _subject_base=options._subject_base,
         ca_subject=options.ca_subject,
         _ca_subject=options._ca_subject,
+        _random_serial_numbers=options._random_serial_numbers,
         # dns
         reverse_zones=options.reverse_zones,
         forward_policy=options.forward_policy,

roles/ipaserver/library/ipaserver_setup_ca.py

@@ -132,6 +132,9 @@ options:
   ca_signing_algorithm:
     description: Signing algorithm of the IPA CA certificate
     required: yes
+  _random_serial_numbers:
+    description: The installer _random_serial_numbers setting
+    required: yes
   reverse_zones:
     description: The reverse DNS zones to use
     required: yes
@@ -204,6 +207,7 @@ def main():
             ca_subject=dict(required=False),
             _ca_subject=dict(required=False),
             ca_signing_algorithm=dict(required=False),
+            _random_serial_numbers=dict(required=True),
             # dns
             reverse_zones=dict(required=False, type='list', default=[]),
             no_reverse=dict(required=False, type='bool', default=False),
@@ -259,6 +263,8 @@ def main():
     options._ca_subject = ansible_module.params.get('_ca_subject')
     options.ca_signing_algorithm = ansible_module.params.get(
         'ca_signing_algorithm')
+    options._random_serial_numbers = ansible_module.params.get(
+        '_random_serial_numbers')
     # dns
     options.reverse_zones = ansible_module.params.get('reverse_zones')
     options.no_reverse = ansible_module.params.get('no_reverse')

roles/ipaserver/library/ipaserver_setup_ntp.py

@@ -53,12 +53,11 @@ EXAMPLES = '''
 RETURN = '''
 '''
 
-import inspect
-
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
     AnsibleModuleLog, setup_logging, options, sysrestore, paths,
-    redirect_stdout, time_service, sync_time, ntpinstance, timeconf
+    redirect_stdout, time_service, sync_time, ntpinstance, timeconf,
+    getargspec
 )
 
 
@@ -94,7 +93,7 @@ def main():
         ansible_module.log("Synchronizing time")
 
         # pylint: disable=deprecated-method
-        argspec = inspect.getargspec(sync_time)
+        argspec = getargspec(sync_time)
         # pylint: enable=deprecated-method
         if "options" not in argspec.args:
             synced_ntp = sync_time(options.ntp_servers, options.ntp_pool,

roles/ipaserver/library/ipaserver_test.py

@@ -212,7 +212,6 @@ RETURN = '''
 
 import os
 import sys
-import inspect
 import random
 from shutil import copyfile
 
@@ -226,7 +225,7 @@ from ansible.module_utils.ansible_ipa_server import (
     read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
     check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
     validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
-    encode_certificate, check_available_memory
+    encode_certificate, check_available_memory, getargspec
 )
 from ansible.module_utils import six
 
@@ -944,7 +943,7 @@ def main():
         realm_name = options.realm_name.upper()
 
     # pylint: disable=deprecated-method
-    argspec = inspect.getargspec(validate_domain_name)
+    argspec = getargspec(validate_domain_name)
     # pylint: enable=deprecated-method
     if "entity" in argspec.args:
         # NUM_VERSION >= 40690:

roles/ipaserver/module_utils/ansible_ipa_server.py

@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger",
            "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
            "default_subject_base", "default_ca_subject_dn",
            "check_ldap_conf", "encode_certificate", "decode_certificate",
-           "check_available_memory"]
+           "check_available_memory", "getargspec"]
 
 import sys
 
@@ -58,6 +58,28 @@ else:
     from ansible.module_utils import six
     import base64
 
+    # Import getargspec from inspect or provide own getargspec for
+    # Python 2 compatibility with Python 3.11+.
+    try:
+        from inspect import getargspec
+    except ImportError:
+        from collections import namedtuple
+        from inspect import getfullargspec
+
+        # The code is copied from Python 3.10 inspect.py
+        # Authors: Ka-Ping Yee <ping@lfw.org>
+        #          Yury Selivanov <yselivanov@sprymix.com>
+        ArgSpec = namedtuple('ArgSpec', 'args varargs keywords defaults')
+
+        def getargspec(func):
+            args, varargs, varkw, defaults, kwonlyargs, _kwonlydefaults, \
+                ann = getfullargspec(func)
+            if kwonlyargs or ann:
+                raise ValueError(
+                    "Function has keyword-only parameters or annotations"
+                    ", use inspect.signature() API which can support them")
+            return ArgSpec(args, varargs, varkw, defaults)
+
     from ipapython.version import NUM_VERSION, VERSION
 
     if NUM_VERSION < 30201:

roles/ipaserver/tasks/copy_external_cert.yml

@@ -11,4 +11,4 @@
     force: yes
 - name: Install - Extend ipaserver_external_cert_files with "/root/{{ item | basename }}"
   set_fact:
-    ipaserver_external_cert_files: "{{ ipaserver_external_cert_files }} + [ '/root/{{ item | basename }}' ]"
+    ipaserver_external_cert_files: "{{ ipaserver_external_cert_files + [ '/root/' + (item | basename) ] }}"

roles/ipaserver/tasks/install.yml

@@ -191,6 +191,7 @@
       secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
       ### additional ###
       setup_ca: "{{ result_ipaserver_test.setup_ca }}"
+      random_serial_numbers: no
       _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
     register: result_ipaserver_prepare
 
@@ -298,6 +299,7 @@
       _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
       ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm |
                                 default(omit) }}"
+      _random_serial_numbers: "{{ result_ipaserver_prepare._random_serial_numbers }}"
       reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
       no_reverse: "{{ ipaserver_no_reverse }}"
       auto_forwarders: "{{ ipaserver_auto_forwarders }}"

tests/pytests/dnszone/test_dnszone.py

@@ -64,18 +64,26 @@ class TestDNSZone(AnsibleFreeIPATestCase):
     def test_dnszone_disable(self):
         """TC-30: Disable DNS Zone."""
         zone26 = "26testzone.test"
-        self.check_details(["Active zone: TRUE"], "dnszone-find", [zone26])
+        self.check_details(
+            ["Active zone: (TRUE|True)"], "dnszone-find", [zone26]
+        )
         # Disable dns zone
         self.run_playbook(BASE_PATH + "dnszone_disable.yaml")
-        self.check_details(["Active zone: FALSE"], "dnszone-find", [zone26])
+        self.check_details(
+            ["Active zone: (FALSE|False)"], "dnszone-find", [zone26]
+        )
 
     def test_dnszone_enable(self):
         """TC-31: Enable DNS Zone."""
         zone26 = "26testzone.test"
-        self.check_details(["Active zone: FALSE"], "dnszone-find", [zone26])
+        self.check_details(
+            ["Active zone: (FALSE|False)"], "dnszone-find", [zone26]
+        )
         # Enable dns zone
         self.run_playbook(BASE_PATH + "dnszone_enable.yaml")
-        self.check_details(["Active zone: TRUE"], "dnszone-find", [zone26])
+        self.check_details(
+            ["Active zone: (TRUE|True)"], "dnszone-find", [zone26]
+        )
 
     def test_dnszone_name_from_ip(self):
         """TC-35: Add dns zone with reverse zone IP. Bug#1845056."""

tests/server/test_server.yml

@@ -10,7 +10,7 @@
   - block:
       - name: Get server name from hostname
         set_fact:
-          ipa_server_name: "{{ ansible_facts['hostname'].split('.')[0] }}"
+          ipa_server_name: "{{ ansible_facts['fqdn'].split('.')[0] }}"
     rescue:
       - name: Fallback to 'ipaserver'
         set_fact:
@@ -20,7 +20,7 @@
   - block:
       - name: Get domain name from hostname.
         set_fact:
-          ipaserver_domain: "{{ ansible_facts['hostname'].split('.')[0][1:] }}"
+          ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"
     rescue:
       - name: Fallback to 'ipa.test'
         set_fact:

tests/utils.py

@@ -21,6 +21,7 @@
 
 import os
 import pytest
+import re
 import subprocess
 import tempfile
 import testinfra
@@ -314,6 +315,10 @@ class AnsibleFreeIPATestCase(TestCase):
             expected_msg in result.stderr.decode("utf8")
         )
 
+    @staticmethod
+    def __is_text_on_data(text, data):
+        return re.search(text, data) is not None
+
     def check_details(self, expected_output, cmd, extra_cmds=None):
         cmd = "ipa " + cmd
         if extra_cmds:
@@ -322,10 +327,16 @@ class AnsibleFreeIPATestCase(TestCase):
         res = self.master.run(cmd)
         if res.rc != 0:
             for output in expected_output:
-                assert output in res.stderr
+                assert self.__is_text_on_data(output, res.stderr), (
+                    f"\n{'='*40}\nExpected: {output}\n{'='*40}\n"
+                    + f"Output:\n{res.stderr}{'='*40}\n"
+                )
         else:
             for output in expected_output:
-                assert output in res.stdout
+                assert self.__is_text_on_data(output, res.stdout), (
+                    f"\n{'='*40}\nExpected: {output}\n{'='*40}\n"
+                    + f"Output:\n{res.stdout}{'='*40}\n"
+                )
         kdestroy(self.master)
 
     def check_notexists(self, members, cmd, extra_cmds=None):
@@ -335,7 +346,10 @@ class AnsibleFreeIPATestCase(TestCase):
         kinit_admin(self.master)
         res = self.master.run(cmd)
         for member in members:
-            assert member not in res.stdout
+            assert not self.__is_text_on_data(member, res.stdout), (
+                f"\n{'='*40}\nExpected: {member}\n{'='*40}\n"
+                + f"Output:\n{res.stdout}{'='*40}\n"
+            )
         kdestroy(self.master)
 
     def mark_xfail_using_ansible_freeipa_version(self, version, reason):