def role_commands_for_name(module, state, action, name): """Define commands for the Role module.""" commands = [] rename = module.params_get("rename") res_find = find_role(module, name) if state == "present": args = gen_args(module) if action == "role": if res_find is None: if rename is not None: module.fail_json(msg="Cannot `rename` inexistent role.") commands.append([name, 'role_add', args]) res_find = {} else: if not compare_args_ipa(module, args, res_find): commands.append([name, 'role_mod', args]) if action == "member": if res_find is None: module.fail_json(msg="No role '%s'" % name) cmds = ensure_role_with_members_is_present( module, name, res_find, action ) commands.extend(cmds) if state == "absent" and res_find is not None: cmds = ensure_absent_state(module, name, action, res_find) commands.extend(cmds) return commands
def define_ipa_commands(self): name = self.params_get("name") state = self.params_get("state") location = self.params_get("location") desc = self.params_get("desc") for mapname in name: automountmap = self.get_automountmap(location, mapname) if state == "present": args = self.get_args(mapname, desc) if automountmap is None: self.commands.append([location, "automountmap_add", args]) else: if not compare_args_ipa(self, args, automountmap): self.commands.append( [location, "automountmap_mod", args]) if state == "absent": if automountmap is not None: self.commands.append([ location, "automountmap_del", { "automountmapname": [mapname] } ])
def define_ipa_commands(self): for zone_name in self.get_zone_names(): # Look for existing zone in IPA zone, is_zone_active = self.get_zone(zone_name) args = self.ipa_params.get_ipa_command_args(zone=zone) if self.ipa_params.state in ["present", "enabled", "disabled"]: if not zone: # Since the zone doesn't exist we just create it # with given args self.commands.append((zone_name, "dnszone_add", args)) is_zone_active = True # just_added = True else: # Zone already exist so we need to verify if given args # matches the current config. If not we updated it. if not compare_args_ipa(self, args, zone): self.commands.append((zone_name, "dnszone_mod", args)) if self.ipa_params.state == "enabled" and not is_zone_active: self.commands.append((zone_name, "dnszone_enable", {})) if self.ipa_params.state == "disabled" and is_zone_active: self.commands.append((zone_name, "dnszone_disable", {})) if self.ipa_params.state == "absent" and zone is not None: self.commands.append((zone_name, "dnszone_del", {}))
def should_modify_group(module, res_find, args, nonposix, posix, external): if not compare_args_ipa(module, args, res_find): return True if any([posix, nonposix]): set_posix = posix or (nonposix is not None and not nonposix) if set_posix and 'posixgroup' not in res_find['objectclass']: return True if 'ipaexternalgroup' not in res_find['objectclass'] and external: if 'posixgroup' not in res_find['objectclass']: return True return False
def should_modify_group(module, res_find, args, nonposix, posix, external): if not compare_args_ipa(module, args, res_find): return True if any([posix, nonposix]): set_posix = posix or (nonposix is not None and not nonposix) if set_posix and not is_posix_group(res_find): return True if not is_external_group(res_find) and external: if not is_posix_group(res_find): return True return False
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present right=dict(type="list", aliases=["ipapermright"], default=None, required=False, choices=[ "read", "search", "compare", "write", "add", "delete", "all" ]), attrs=dict(type="list", default=None, required=False), # Note: bindtype has a default of permission for Adds. bindtype=dict(type="str", aliases=["ipapermbindruletype"], default=None, require=False, choices=["permission", "all", "anonymous", "self"]), subtree=dict(type="str", aliases=["ipapermlocation"], default=None, required=False), extra_target_filter=dict(type="list", aliases=["filter", "extratargetfilter"], default=None, required=False), rawfilter=dict(type="list", aliases=["ipapermtargetfilter"], default=None, required=False), target=dict(type="str", aliases=["ipapermtarget"], default=None, required=False), targetto=dict(type="str", aliases=["ipapermtargetto"], default=None, required=False), targetfrom=dict(type="str", aliases=["ipapermtargetfrom"], default=None, required=False), memberof=dict(type="list", default=None, required=False), targetgroup=dict(type="str", default=None, required=False), object_type=dict(type="str", aliases=["type"], default=None, required=False), no_members=dict(type=bool, default=None, require=False), rename=dict(type="str", default=None, required=False), privilege=dict(type="list", default=None, required=False), action=dict(type="str", default="permission", choices=["member", "permission"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present right = module_params_get(ansible_module, "right") attrs = module_params_get(ansible_module, "attrs") bindtype = module_params_get(ansible_module, "bindtype") subtree = module_params_get(ansible_module, "subtree") extra_target_filter = module_params_get(ansible_module, "extra_target_filter") rawfilter = module_params_get(ansible_module, "rawfilter") target = module_params_get(ansible_module, "target") targetto = module_params_get(ansible_module, "targetto") targetfrom = module_params_get(ansible_module, "targetfrom") memberof = module_params_get(ansible_module, "memberof") targetgroup = module_params_get(ansible_module, "targetgroup") object_type = module_params_get(ansible_module, "object_type") no_members = module_params_get(ansible_module, "no_members") rename = module_params_get(ansible_module, "rename") privilege = module_params_get(ansible_module, "privilege") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one permission can be added at a time.") if action == "member": invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "rename" ] if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one permission can be renamed at a time.") if action == "member": ansible_module.fail_json(msg="Member Privileges cannot be renamed") invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "no_members" ] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "no_members", "rename" ] if action == "permission": invalid.append("privilege") for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) if bindtype == "self" and api_check_ipa_version("<", "4.8.7"): ansible_module.fail_json( msg="Bindtype 'self' is not supported by your IPA version.") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure permission exists res_find = find_permission(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(right, attrs, bindtype, subtree, extra_target_filter, rawfilter, target, targetto, targetfrom, memberof, targetgroup, object_type, no_members, rename) no_members_value = False if no_members is not None: no_members_value = no_members if action == "permission": # Found the permission if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "permission_mod", args]) else: commands.append([name, "permission_add", args]) member_args = gen_member_args(privilege) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists privilege_add, privilege_del = gen_add_del_lists( privilege, res_find.get("member_privilege")) # Add members if len(privilege_add) > 0: commands.append([ name, "permission_add_member", { "privilege": privilege_add, "no_members": no_members_value } ]) # Remove members if len(privilege_del) > 0: commands.append([ name, "permission_remove_member", { "privilege": privilege_del, "no_members": no_members_value } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No permission '%s'" % name) if privilege is None: ansible_module.fail_json(msg="No privilege given") commands.append([ name, "permission_add_member", { "privilege": privilege, "no_members": no_members_value } ]) else: ansible_module.fail_json(msg="Unknown action '%s'" % action) elif state == "renamed": if action == "permission": # Generate args # Note: Only valid arg for rename is rename. args = gen_args(right, attrs, bindtype, subtree, extra_target_filter, rawfilter, target, targetto, targetfrom, memberof, targetgroup, object_type, no_members, rename) # Found the permission if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "permission_mod", args]) else: ansible_module.fail_json( msg="Permission not found, cannot rename") else: ansible_module.fail_json(msg="Unknown action '%s'" % action) elif state == "absent": if action == "permission": if res_find is not None: commands.append([name, "permission_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No permission '%s'" % name) if privilege is None: ansible_module.fail_json(msg="No privilege given") commands.append([ name, "permission_remove_member", { "privilege": privilege, } ]) else: ansible_module.fail_json(msg="Unknown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): forwarder_spec = dict(ip_address=dict(type=str, required=True), port=dict(type=int, required=False, default=None)) ansible_module = AnsibleModule(argument_spec=dict( # general ipaadmin_principal=dict(type='str', default='admin'), ipaadmin_password=dict(type='str', no_log=True), # dnsconfig forwarders=dict(type='list', default=None, required=False, options=dict(**forwarder_spec)), forward_policy=dict(type='str', required=False, default=None, choices=['only', 'first', 'none']), allow_sync_ptr=dict(type='bool', required=False, default=None), # general state=dict( type="str", default="present", choices=["present", "absent"]), )) ansible_module._ansible_debug = True # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") forwarders = module_params_get(ansible_module, 'forwarders') or [] forward_policy = module_params_get(ansible_module, 'forward_policy') allow_sync_ptr = module_params_get(ansible_module, 'allow_sync_ptr') state = module_params_get(ansible_module, 'state') # Check parameters. invalid = [] if state == 'absent': invalid = ['forward_policy', 'allow_sync_ptr'] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() res_find = find_dnsconfig(ansible_module) args = gen_args(ansible_module, state, res_find, forwarders, forward_policy, allow_sync_ptr) # Execute command only if configuration changes. if not compare_args_ipa(ansible_module, args, res_find): try: api_command_no_name(ansible_module, 'dnsconfig_mod', args) # If command did not fail, something changed. changed = True except Exception as e: msg = str(e) ansible_module.fail_json(msg="dnsconfig_mod: %s" % msg) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present location=dict(required=False, type='str', aliases=["ipalocation_location"], default=None), service_weight=dict(required=False, type='int', aliases=["ipaserviceweight"], default=None), hidden=dict(required=False, type='bool', default=None), no_members=dict(required=False, type='bool', default=None), # absent delete_continue=dict(required=False, type='bool', aliases=["continue"], default=None), ignore_topology_disconnect=dict(required=False, type='bool', default=None), ignore_last_of_role=dict(required=False, type='bool', default=None), force=dict(required=False, type='bool', default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present location = module_params_get(ansible_module, "location") service_weight = module_params_get(ansible_module, "service_weight") # Service weight smaller than 0 leads to resetting service weight if service_weight is not None and \ (service_weight < -1 or service_weight > 65535): ansible_module.fail_json( msg="service_weight %d is out of range [-1 .. 65535]" % service_weight) if service_weight == -1: service_weight = "" hidden = module_params_get(ansible_module, "hidden") no_members = module_params_get(ansible_module, "no_members") # absent delete_continue = module_params_get(ansible_module, "delete_continue") ignore_topology_disconnect = module_params_get( ansible_module, "ignore_topology_disconnect") ignore_last_of_role = module_params_get(ansible_module, "ignore_last_of_role") force = module_params_get(ansible_module, "force") # state state = module_params_get(ansible_module, "state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one server can be ensured at a time.") invalid = ["delete_continue", "ignore_topology_disconnect", "ignore_last_of_role", "force"] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["location", "service_weight", "hidden", "no_members"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure server exists res_find = find_server(ansible_module, name) # Generate args args = gen_args(location, service_weight, no_members, delete_continue, ignore_topology_disconnect, ignore_last_of_role, force) # Create command if state == "present": # Server not found if res_find is None: ansible_module.fail_json( msg="Server '%s' not found" % name) # Remove location from args if "" (transformed to None) # and "ipalocation_location" not in res_find for idempotency if "ipalocation_location" in args and \ args["ipalocation_location"] is None and \ "ipalocation_location" not in res_find: del args["ipalocation_location"] # Remove service weight from args if "" # and "ipaserviceweight" not in res_find for idempotency if "ipaserviceweight" in args and \ args["ipaserviceweight"] == "" and \ "ipaserviceweight" not in res_find: del args["ipaserviceweight"] # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "server_mod", args]) # hidden handling if hidden is not None: res_role_status = server_role_status(ansible_module, name) if "status" in res_role_status: # Fail if status is configured, it should be done # only in the installer if res_role_status["status"] == "configured": ansible_module.fail_json( msg="'%s' in configured state, " "unable to change state" % state) if hidden and res_role_status["status"] == "enabled": commands.append([name, "server_state", {"state": "hidden"}]) if not hidden and \ res_role_status["status"] == "hidden": commands.append([name, "server_state", {"state": "enabled"}]) elif state == "absent": if res_find is not None or force: commands.append([name, "server_del", args]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn", "service"], default=None, required=True), # present description=dict(type="str", default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # state state = ansible_module.params.get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hbacsvc can be set at a time.") if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Try to find hbacsvc res_find = find_hbacsvc(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description) # Found the hbacsvc if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hbacsvc_mod", args]) else: commands.append([name, "hbacsvc_add", args]) elif state == "absent": if res_find is not None: commands.append([name, "hbacsvc_del", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: api_command(ansible_module, command, to_text(name), args) changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): forwarder_spec = dict(ip_address=dict(type=str, required=True), port=dict(type=int, required=False, default=None)) ansible_module = IPAAnsibleModule(argument_spec=dict( # dnsconfig forwarders=dict(type='list', default=None, required=False, options=dict(**forwarder_spec)), forward_policy=dict(type='str', required=False, default=None, choices=['only', 'first', 'none'], aliases=["forwardpolicy"]), allow_sync_ptr=dict(type='bool', required=False, default=None), # general action=dict( type="str", default="dnsconfig", choices=["member", "dnsconfig"]), state=dict( type="str", default="present", choices=["present", "absent"]), )) ansible_module._ansible_debug = True # dnsconfig forwarders = ansible_module.params_get('forwarders') or [] forward_policy = ansible_module.params_get('forward_policy') allow_sync_ptr = ansible_module.params_get('allow_sync_ptr') action = ansible_module.params_get('action') state = ansible_module.params_get('state') # Check parameters. invalid = [] if state == "present" and action == "member": invalid = ['forward_policy', 'allow_sync_ptr'] if state == 'absent': if action != "member": ansible_module.fail_json( msg="State 'absent' is only valid with action 'member'.") invalid = ['forward_policy', 'allow_sync_ptr'] ansible_module.params_fail_used_invalid(invalid, state) # Init changed = False # Connect to IPA API with ansible_module.ipa_connect(): res_find = find_dnsconfig(ansible_module) args = gen_args(ansible_module, state, action, res_find, forwarders, forward_policy, allow_sync_ptr) # Execute command only if configuration changes. if not compare_args_ipa(ansible_module, args, res_find): try: if not ansible_module.check_mode: ansible_module.ipa_command_no_name('dnsconfig_mod', args) # If command did not fail, something changed. changed = True except Exception as e: msg = str(e) ansible_module.fail_json(msg="dnsconfig_mod: %s" % msg) # Done ansible_module.exit_json(changed=changed)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), nonposix=dict(required=False, type='bool', default=None), external=dict(required=False, type='bool', default=None), posix=dict(required=False, type='bool', default=None), nomembers=dict(required=False, type='bool', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), service=dict(required=False, type='list', default=None), membermanager_user=dict(required=False, type='list', default=None), membermanager_group=dict(required=False, type='list', default=None), externalmember=dict( required=False, type='list', default=None, aliases=["ipaexternalmember", "external_member"]), action=dict(type="str", default="group", choices=["member", "group"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), mutually_exclusive=[['posix', 'nonposix']], supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get( ansible_module, "ipaadmin_principal", ) ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") gid = module_params_get(ansible_module, "gid") nonposix = module_params_get(ansible_module, "nonposix") external = module_params_get(ansible_module, "external") posix = module_params_get(ansible_module, "posix") nomembers = module_params_get(ansible_module, "nomembers") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") service = module_params_get(ansible_module, "service") membermanager_user = module_params_get(ansible_module, "membermanager_user") membermanager_group = module_params_get(ansible_module, "membermanager_group") externalmember = module_params_get(ansible_module, "externalmember") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one group can be added at a time.") if action == "member": invalid = [ "description", "gid", "posix", "nonposix", "external", "nomembers" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = [ "description", "gid", "posix", "nonposix", "external", "nomembers" ] if action == "group": invalid.extend(["user", "group", "service", "externalmember"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_member_service = api_check_param("group_add_member", "service") if service is not None and not has_add_member_service: ansible_module.fail_json( msg="Managing a service as part of a group is not supported " "by your IPA version") has_add_membermanager = api_check_command("group_add_member_manager") if ((membermanager_user is not None or membermanager_group is not None) and not has_add_membermanager): ansible_module.fail_json( msg="Managing a membermanager user or group is not supported " "by your IPA version") commands = [] for name in names: # Make sure group exists res_find = find_group(ansible_module, name) # Create command if state == "present": # Can't change an existing posix group check_objectclass_args(ansible_module, res_find, nonposix, posix, external) # Generate args args = gen_args(description, gid, nomembers) if action == "group": # Found the group if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if should_modify_group(ansible_module, res_find, args, nonposix, posix, external): if (posix or (nonposix is not None and not nonposix)): args['posix'] = True if external: args['external'] = True commands.append([name, "group_mod", args]) else: if nonposix or (posix is not None and not posix): args['nonposix'] = True if external: args['external'] = True commands.append([name, "group_add", args]) # Set res_find dict for next step res_find = {} # if we just created/modified the group, update res_find res_find.setdefault("objectclass", []) if external and not is_external_group(res_find): res_find["objectclass"].append("ipaexternalgroup") if posix and not is_posix_group(res_find): res_find["objectclass"].append("posixgroup") member_args = gen_member_args(user, group, service, externalmember) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists user_add, user_del = gen_add_del_lists( user, res_find.get("member_user")) group_add, group_del = gen_add_del_lists( group, res_find.get("member_group")) service_add, service_del = gen_add_del_lists( service, res_find.get("member_service")) (externalmember_add, externalmember_del) = gen_add_del_lists( externalmember, res_find.get("member_external")) # setup member args for add/remove members. add_member_args = { "user": user_add, "group": group_add, } del_member_args = { "user": user_del, "group": group_del, } if has_add_member_service: add_member_args["service"] = service_add del_member_args["service"] = service_del if is_external_group(res_find): add_member_args["ipaexternalmember"] = \ externalmember_add del_member_args["ipaexternalmember"] = \ externalmember_del elif externalmember or external: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") # Add members add_members = any([ user_add, group_add, service_add, externalmember_add ]) if add_members: commands.append( [name, "group_add_member", add_member_args]) # Remove members remove_members = any([ user_del, group_del, service_del, externalmember_del ]) if remove_members: commands.append( [name, "group_remove_member", del_member_args]) membermanager_user_add, membermanager_user_del = \ gen_add_del_lists( membermanager_user, res_find.get("membermanager_user") ) membermanager_group_add, membermanager_group_del = \ gen_add_del_lists( membermanager_group, res_find.get("membermanager_group") ) if has_add_membermanager: # Add membermanager users and groups if len(membermanager_user_add) > 0 or \ len(membermanager_group_add) > 0: commands.append([ name, "group_add_member_manager", { "user": membermanager_user_add, "group": membermanager_group_add, } ]) # Remove member manager if len(membermanager_user_del) > 0 or \ len(membermanager_group_del) > 0: commands.append([ name, "group_remove_member_manager", { "user": membermanager_user_del, "group": membermanager_group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) add_member_args = { "user": user, "group": group, } if has_add_member_service: add_member_args["service"] = service if is_external_group(res_find): add_member_args["ipaexternalmember"] = externalmember elif externalmember: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") if any([user, group, service, externalmember]): commands.append( [name, "group_add_member", add_member_args]) if has_add_membermanager: # Add membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "group_add_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) elif state == "absent": if action == "group": if res_find is not None: commands.append([name, "group_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) del_member_args = { "user": user, "group": group, } if has_add_member_service: del_member_args["service"] = service if is_external_group(res_find): del_member_args["ipaexternalmember"] = externalmember elif externalmember: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") if any([user, group, service, externalmember]): commands.append( [name, "group_remove_member", del_member_args]) if has_add_membermanager: # Remove membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "group_remove_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), usercategory=dict(type="str", default=None, aliases=["usercat"], choices=["all"]), hostcategory=dict(type="str", default=None, aliases=["hostcat"], choices=["all"]), servicecategory=dict(type="str", default=None, aliases=["servicecat"], choices=["all"]), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), hbacsvc=dict(required=False, type='list', default=None), hbacsvcgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), action=dict(type="str", default="hbacrule", choices=["member", "hbacrule"]), # state state=dict(type="str", default="present", choices=["present", "absent", "enabled", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") usercategory = module_params_get(ansible_module, "usercategory") hostcategory = module_params_get(ansible_module, "hostcategory") servicecategory = module_params_get(ansible_module, "servicecategory") nomembers = module_params_get(ansible_module, "nomembers") host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") hbacsvc = module_params_get(ansible_module, "hbacsvc") hbacsvcgroup = module_params_get(ansible_module, "hbacsvcgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hbacrule can be added at a time.") if action == "member": invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers"] if action == "hbacrule": invalid.extend(["host", "hostgroup", "hbacsvc", "hbacsvcgroup", "user", "group"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "member": ansible_module.fail_json( msg="Action member can not be used with states enabled and " "disabled") invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers", "host", "hostgroup", "hbacsvc", "hbacsvcgroup", "user", "group"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure hbacrule exists res_find = find_hbacrule(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, usercategory, hostcategory, servicecategory, nomembers) if action == "hbacrule": # Found the hbacrule if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hbacrule_mod", args]) else: commands.append([name, "hbacrule_add", args]) # Set res_find to empty dict for next step res_find = {} # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get("memberhost_host")) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get("memberhost_hostgroup")) hbacsvc_add, hbacsvc_del = gen_add_del_lists( hbacsvc, res_find.get("memberservice_hbacsvc")) hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists( hbacsvcgroup, res_find.get("memberservice_hbacsvcgroup")) user_add, user_del = gen_add_del_lists( user, res_find.get("memberuser_user")) group_add, group_del = gen_add_del_lists( group, res_find.get("memberuser_group")) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([name, "hbacrule_add_host", { "host": host_add, "hostgroup": hostgroup_add, }]) # Remove hosts and hostgroups if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([name, "hbacrule_remove_host", { "host": host_del, "hostgroup": hostgroup_del, }]) # Add hbacsvcs and hbacsvcgroups if len(hbacsvc_add) > 0 or len(hbacsvcgroup_add) > 0: commands.append([name, "hbacrule_add_service", { "hbacsvc": hbacsvc_add, "hbacsvcgroup": hbacsvcgroup_add, }]) # Remove hbacsvcs and hbacsvcgroups if len(hbacsvc_del) > 0 or len(hbacsvcgroup_del) > 0: commands.append([name, "hbacrule_remove_service", { "hbacsvc": hbacsvc_del, "hbacsvcgroup": hbacsvcgroup_del, }]) # Add users and groups if len(user_add) > 0 or len(group_add) > 0: commands.append([name, "hbacrule_add_user", { "user": user_add, "group": group_add, }]) # Remove users and groups if len(user_del) > 0 or len(group_del) > 0: commands.append([name, "hbacrule_remove_user", { "user": user_del, "group": group_del, }]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # Add hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "hbacrule_add_host", { "host": host, "hostgroup": hostgroup, }]) # Add hbacsvcs and hbacsvcgroups if hbacsvc is not None or hbacsvcgroup is not None: commands.append([name, "hbacrule_add_service", { "hbacsvc": hbacsvc, "hbacsvcgroup": hbacsvcgroup, }]) # Add users and groups if user is not None or group is not None: commands.append([name, "hbacrule_add_user", { "user": user, "group": group, }]) elif state == "absent": if action == "hbacrule": if res_find is not None: commands.append([name, "hbacrule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # Remove hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "hbacrule_remove_host", { "host": host, "hostgroup": hostgroup, }]) # Remove hbacsvcs and hbacsvcgroups if hbacsvc is not None or hbacsvcgroup is not None: commands.append([name, "hbacrule_remove_service", { "hbacsvc": hbacsvc, "hbacsvcgroup": hbacsvcgroup, }]) # Remove users and groups if user is not None or group is not None: commands.append([name, "hbacrule_remove_user", { "user": user, "group": group, }]) elif state == "enabled": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # hbacrule_enable is not failing on an enabled hbacrule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "TRUE": commands.append([name, "hbacrule_enable", {}]) elif state == "disabled": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # hbacrule_disable is not failing on an disabled hbacrule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "FALSE": commands.append([name, "hbacrule_disable", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % ( command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(required=False, type='str', default=None), rename=dict( required=False, type='str', default=None, aliases=["new_name"], ), permission=dict(required=False, type='list', default=None), action=dict(type="str", default="privilege", choices=["member", "privilege"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") permission = ansible_module.params_get("permission") rename = ansible_module.params_get("rename") action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one privilege be added at a time.") if action == "member": invalid = ["description"] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "rename"] if action == "privilege": invalid.append("permission") if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one privilege be added at a time.") invalid = ["description", "permission"] if action != "privilege": ansible_module.fail_json( msg="Action '%s' can not be used with state '%s'" % (action, state)) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure privilege exists res_find = find_privilege(ansible_module, name) # Create command if state == "present": args = {} if description: args['description'] = description if action == "privilege": # Found the privilege if res_find is not None: res_cmp = { k: v for k, v in res_find.items() if k not in [ "objectclass", "cn", "dn", "memberof_permisssion" ] } # For all settings is args, check if there are # different settings in the find result. # If yes: modify if args and not compare_args_ipa( ansible_module, args, res_cmp): commands.append([name, "privilege_mod", args]) else: commands.append([name, "privilege_add", args]) res_find = {} member_args = {} if permission: member_args['permission'] = permission if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists permission_add, permission_del = gen_add_del_lists( permission, res_find.get("member_permission")) # Add members if len(permission_add) > 0: commands.append([ name, "privilege_add_permission", { "permission": permission_add, } ]) # Remove members if len(permission_del) > 0: commands.append([ name, "privilege_remove_permission", { "permission": permission_del } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No privilege '%s'" % name) if permission is None: ansible_module.fail_json(msg="No permission given") commands.append([ name, "privilege_add_permission", { "permission": permission } ]) elif state == "absent": if action == "privilege": if res_find is not None: commands.append([name, "privilege_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No privilege '%s'" % name) if permission is None: ansible_module.fail_json(msg="No permission given") commands.append([ name, "privilege_remove_permission", { "permission": permission, } ]) elif state == "renamed": if not rename: ansible_module.fail_json(msg="No rename value given.") if res_find is None: ansible_module.fail_json( msg="No privilege found to be renamed: '%s'" % (name)) if name != rename: commands.append( [name, "privilege_mod", { "rename": rename }]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands changed = ansible_module.execute_ipa_commands(commands, result_handler) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(required=False, type="str", default=None), usercategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['usercat']), hostcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['hostcat']), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), allow_sudocmd=dict(required=False, type="list", default=None), deny_sudocmd=dict(required=False, type="list", default=None), allow_sudocmdgroup=dict(required=False, type="list", default=None), deny_sudocmdgroup=dict(required=False, type="list", default=None), cmdcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['cmdcat']), runasusercategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['runasusercat']), runasgroupcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['runasgroupcat']), runasuser=dict(required=False, type="list", default=None), runasgroup=dict(required=False, type="list", default=None), order=dict(type="int", required=False, aliases=['sudoorder']), sudooption=dict(required=False, type='list', default=None, aliases=["options"]), action=dict(type="str", default="sudorule", choices=["member", "sudorule"]), # state state=dict(type="str", default="present", choices=["present", "absent", "enabled", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present # The 'noqa' variables are not used here, but required for vars(). # The use of 'noqa' ensures flake8 does not complain about them. description = module_params_get(ansible_module, "description") # noqa cmdcategory = module_params_get(ansible_module, 'cmdcategory') # noqa usercategory = module_params_get(ansible_module, "usercategory") # noqa hostcategory = module_params_get(ansible_module, "hostcategory") # noqa runasusercategory = module_params_get(ansible_module, # noqa "runasusercategory") runasgroupcategory = module_params_get(ansible_module, # noqa "runasgroupcategory") hostcategory = module_params_get(ansible_module, "hostcategory") # noqa nomembers = module_params_get(ansible_module, "nomembers") # noqa host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd') allow_sudocmdgroup = module_params_get(ansible_module, 'allow_sudocmdgroup') deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd') deny_sudocmdgroup = module_params_get(ansible_module, 'deny_sudocmdgroup') sudooption = module_params_get(ansible_module, "sudooption") order = module_params_get(ansible_module, "order") runasuser = module_params_get(ansible_module, "runasuser") runasgroup = module_params_get(ansible_module, "runasgroup") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one sudorule can be added at a time.") if action == "member": invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "order", "nomembers"] for arg in invalid: if arg in vars() and vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (arg, action)) else: if hostcategory == 'all' and any([host, hostgroup]): ansible_module.fail_json( msg="Hosts cannot be added when host category='all'") if usercategory == 'all' and any([user, group]): ansible_module.fail_json( msg="Users cannot be added when user category='all'") if cmdcategory == 'all' \ and any([allow_sudocmd, allow_sudocmdgroup]): ansible_module.fail_json( msg="Commands cannot be added when command category='all'") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "order"] if action == "sudorule": invalid.extend(["host", "hostgroup", "user", "group", "runasuser", "runasgroup", "allow_sudocmd", "allow_sudocmdgroup", "deny_sudocmd", "deny_sudocmdgroup", "sudooption"]) for arg in invalid: if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (arg, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "member": ansible_module.fail_json( msg="Action member can not be used with states enabled and " "disabled") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "nomembers", "host", "hostgroup", "user", "group", "allow_sudocmd", "allow_sudocmdgroup", "deny_sudocmd", "deny_sudocmdgroup", "runasuser", "runasgroup", "order", "sudooption"] for arg in invalid: if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (arg, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure sudorule exists res_find = find_sudorule(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, usercategory, hostcategory, cmdcategory, runasusercategory, runasgroupcategory, order, nomembers) if action == "sudorule": # Found the sudorule if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudorule_mod", args]) else: commands.append([name, "sudorule_add", args]) # Set res_find to empty dict for next step res_find = {} # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get('memberhost_host', [])) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get('memberhost_hostgroup', [])) user_add, user_del = gen_add_del_lists( user, res_find.get('memberuser_user', [])) group_add, group_del = gen_add_del_lists( group, res_find.get('memberuser_group', [])) allow_cmd_add, allow_cmd_del = gen_add_del_lists( allow_sudocmd, res_find.get('memberallowcmd_sudocmd', [])) allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists( allow_sudocmdgroup, res_find.get('memberallowcmd_sudocmdgroup', [])) deny_cmd_add, deny_cmd_del = gen_add_del_lists( deny_sudocmd, res_find.get('memberdenycmd_sudocmd', [])) deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists( deny_sudocmdgroup, res_find.get('memberdenycmd_sudocmdgroup', [])) sudooption_add, sudooption_del = gen_add_del_lists( sudooption, res_find.get('ipasudoopt', [])) runasuser_add, runasuser_del = gen_add_del_lists( runasuser, res_find.get('ipasudorunas_user', [])) runasgroup_add, runasgroup_del = gen_add_del_lists( runasgroup, res_find.get('ipasudorunas_group', [])) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([name, "sudorule_add_host", { "host": host_add, "hostgroup": hostgroup_add, }]) # Remove hosts and hostgroups if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([name, "sudorule_remove_host", { "host": host_del, "hostgroup": hostgroup_del, }]) # Add users and groups if len(user_add) > 0 or len(group_add) > 0: commands.append([name, "sudorule_add_user", { "user": user_add, "group": group_add, }]) # Remove users and groups if len(user_del) > 0 or len(group_del) > 0: commands.append([name, "sudorule_remove_user", { "user": user_del, "group": group_del, }]) # Add commands allowed if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0: commands.append([name, "sudorule_add_allow_command", {"sudocmd": allow_cmd_add, "sudocmdgroup": allow_cmdgroup_add, }]) if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0: commands.append([name, "sudorule_remove_allow_command", {"sudocmd": allow_cmd_del, "sudocmdgroup": allow_cmdgroup_del }]) # Add commands denied if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0: commands.append([name, "sudorule_add_deny_command", {"sudocmd": deny_cmd_add, "sudocmdgroup": deny_cmdgroup_add, }]) if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0: commands.append([name, "sudorule_remove_deny_command", {"sudocmd": deny_cmd_del, "sudocmdgroup": deny_cmdgroup_del }]) # Add RunAS Users if len(runasuser_add) > 0: commands.append([name, "sudorule_add_runasuser", {"user": runasuser_add}]) # Remove RunAS Users if len(runasuser_del) > 0: commands.append([name, "sudorule_remove_runasuser", {"user": runasuser_del}]) # Add RunAS Groups if len(runasgroup_add) > 0: commands.append([name, "sudorule_add_runasgroup", {"group": runasgroup_add}]) # Remove RunAS Groups if len(runasgroup_del) > 0: commands.append([name, "sudorule_remove_runasgroup", {"group": runasgroup_del}]) # Add sudo options for sudoopt in sudooption_add: commands.append([name, "sudorule_add_option", {"ipasudoopt": sudoopt}]) # Remove sudo options for sudoopt in sudooption_del: commands.append([name, "sudorule_remove_option", {"ipasudoopt": sudoopt}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # Add hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "sudorule_add_host", { "host": host, "hostgroup": hostgroup, }]) # Add users and groups if user is not None or group is not None: commands.append([name, "sudorule_add_user", { "user": user, "group": group, }]) # Add commands if allow_sudocmd is not None \ or allow_sudocmdgroup is not None: commands.append([name, "sudorule_add_allow_command", {"sudocmd": allow_sudocmd, "sudocmdgroup": allow_sudocmdgroup, }]) # Add commands if deny_sudocmd is not None \ or deny_sudocmdgroup is not None: commands.append([name, "sudorule_add_deny_command", {"sudocmd": deny_sudocmd, "sudocmdgroup": deny_sudocmdgroup, }]) # Add RunAS Users if runasuser is not None: commands.append([name, "sudorule_add_runasuser", {"user": runasuser}]) # Add RunAS Groups if runasgroup is not None: commands.append([name, "sudorule_add_runasgroup", {"group": runasgroup}]) # Add options if sudooption is not None: existing_opts = res_find.get('ipasudoopt', []) for sudoopt in sudooption: if sudoopt not in existing_opts: commands.append([name, "sudorule_add_option", {"ipasudoopt": sudoopt}]) elif state == "absent": if action == "sudorule": if res_find is not None: commands.append([name, "sudorule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # Remove hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "sudorule_remove_host", { "host": host, "hostgroup": hostgroup, }]) # Remove users and groups if user is not None or group is not None: commands.append([name, "sudorule_remove_user", { "user": user, "group": group, }]) # Remove allow commands if allow_sudocmd is not None \ or allow_sudocmdgroup is not None: commands.append([name, "sudorule_remove_allow_command", {"sudocmd": allow_sudocmd, "sudocmdgroup": allow_sudocmdgroup }]) # Remove deny commands if deny_sudocmd is not None \ or deny_sudocmdgroup is not None: commands.append([name, "sudorule_remove_deny_command", {"sudocmd": deny_sudocmd, "sudocmdgroup": deny_sudocmdgroup }]) # Remove RunAS Users if runasuser is not None: commands.append([name, "sudorule_remove_runasuser", {"user": runasuser}]) # Remove RunAS Groups if runasgroup is not None: commands.append([name, "sudorule_remove_runasgroup", {"group": runasgroup}]) # Remove options if sudooption is not None: existing_opts = res_find.get('ipasudoopt', []) for sudoopt in sudooption: if sudoopt in existing_opts: commands.append([name, "sudorule_remove_option", {"ipasudoopt": sudoopt}]) elif state == "enabled": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # sudorule_enable is not failing on an enabled sudorule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "TRUE": commands.append([name, "sudorule_enable", {}]) elif state == "disabled": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # sudorule_disable is not failing on an disabled sudorule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "FALSE": commands.append([name, "sudorule_disable", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % ( command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as ex: ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present location=dict(required=False, type='str', aliases=["ipalocation_location"], default=None), service_weight=dict(required=False, type='int', aliases=["ipaserviceweight"], default=None), hidden=dict(required=False, type='bool', default=None), no_members=dict(required=False, type='bool', default=None), # absent delete_continue=dict(required=False, type='bool', aliases=["continue"], default=None), ignore_topology_disconnect=dict(required=False, type='bool', default=None), ignore_last_of_role=dict(required=False, type='bool', default=None), force=dict(required=False, type='bool', default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present location = ansible_module.params_get("location") service_weight = ansible_module.params_get("service_weight") # Service weight smaller than 0 leads to resetting service weight if service_weight is not None and \ (service_weight < -1 or service_weight > 65535): ansible_module.fail_json( msg="service_weight %d is out of range [-1 .. 65535]" % service_weight) if service_weight == -1: service_weight = "" hidden = ansible_module.params_get("hidden") no_members = ansible_module.params_get("no_members") # absent delete_continue = ansible_module.params_get("delete_continue") ignore_topology_disconnect = ansible_module.params_get( "ignore_topology_disconnect") ignore_last_of_role = ansible_module.params_get("ignore_last_of_role") force = ansible_module.params_get("force") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one server can be ensured at a time.") invalid = [ "delete_continue", "ignore_topology_disconnect", "ignore_last_of_role", "force" ] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["location", "service_weight", "hidden", "no_members"] ansible_module.params_fail_used_invalid(invalid, state) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure server exists res_find = find_server(ansible_module, name) # Generate args args = gen_args(location, service_weight, no_members, delete_continue, ignore_topology_disconnect, ignore_last_of_role, force) # Create command if state == "present": # Server not found if res_find is None: ansible_module.fail_json(msg="Server '%s' not found" % name) # Remove location from args if "" (transformed to None) # and "ipalocation_location" not in res_find for idempotency if "ipalocation_location" in args and \ args["ipalocation_location"] is None and \ "ipalocation_location" not in res_find: del args["ipalocation_location"] # Remove service weight from args if "" # and "ipaserviceweight" not in res_find for idempotency if "ipaserviceweight" in args and \ args["ipaserviceweight"] == "" and \ "ipaserviceweight" not in res_find: del args["ipaserviceweight"] # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "server_mod", args]) # hidden handling if hidden is not None: res_role_status = server_role_status(ansible_module, name) if "status" in res_role_status: # Fail if status is configured, it should be done # only in the installer if res_role_status["status"] == "configured": ansible_module.fail_json( msg="'%s' in configured state, " "unable to change state" % state) if hidden and res_role_status["status"] == "enabled": commands.append( [name, "server_state", { "state": "hidden" }]) if not hidden and \ res_role_status["status"] == "hidden": commands.append( [name, "server_state", { "state": "enabled" }]) elif state == "absent": if res_find is not None or force: commands.append([name, "server_del", args]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands changed = ansible_module.execute_ipa_commands(commands) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = init_ansible_module() # Get parameters # general names = ansible_module.params_get("name") # service attributes principal = ansible_module.params_get("principal") certificate = ansible_module.params_get("certificate") pac_type = ansible_module.params_get("pac_type") auth_ind = ansible_module.params_get("auth_ind") skip_host_check = ansible_module.params_get("skip_host_check") force = ansible_module.params_get("force") requires_pre_auth = ansible_module.params_get("requires_pre_auth") ok_as_delegate = ansible_module.params_get("ok_as_delegate") ok_to_auth_as_delegate = ansible_module.params_get( "ok_to_auth_as_delegate") smb = ansible_module.params_get("smb") netbiosname = ansible_module.params_get("netbiosname") host = ansible_module.params_get("host") allow_create_keytab_user = ansible_module.params_get( "allow_create_keytab_user") allow_create_keytab_group = ansible_module.params_get( "allow_create_keytab_group") allow_create_keytab_host = ansible_module.params_get( "allow_create_keytab_host") allow_create_keytab_hostgroup = ansible_module.params_get( "allow_create_keytab_hostgroup") allow_retrieve_keytab_user = ansible_module.params_get( "allow_retrieve_keytab_user") allow_retrieve_keytab_group = ansible_module.params_get( "allow_retrieve_keytab_group") allow_retrieve_keytab_host = ansible_module.params_get( "allow_retrieve_keytab_host") allow_retrieve_keytab_hostgroup = ansible_module.params_get( "allow_retrieve_keytab_hostgroup") delete_continue = ansible_module.params_get("delete_continue") # action action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # check parameters check_parameters(ansible_module, state, action, names, vars()) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): has_skip_host_check = ansible_module.ipa_command_param_exists( "service_add", "skip_host_check") if skip_host_check and not has_skip_host_check: ansible_module.fail_json( msg="Skipping host check is not supported by your IPA version") commands = [] for name in names: res_find = find_service(ansible_module, name) if state == "present": if action == "service": args = gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate) if not has_skip_host_check and 'skip_host_check' in args: del args['skip_host_check'] if smb: if res_find is None: _name = "cifs/" + name res_find = find_service(ansible_module, _name) if res_find is None: _args = gen_args_smb(netbiosname, ok_as_delegate, ok_to_auth_as_delegate) commands.append( [name, 'service_add_smb', _args]) res_find = {} # service_add_smb will prefix 'name' with # "cifs/", so we will need to change it here, # so that service_mod, if called later, works. name = _name if res_find is None: commands.append([name, 'service_add', args]) certificate_add = certificate or [] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] else: for remove in ['skip_host_check', 'force']: if remove in args: del args[remove] if ("krbprincipalauthind" in args and (args.get("krbprincipalauthind", [""]) == res_find.get("krbprincipalauthind", [""]))): del args["krbprincipalauthind"] if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "service_mod", args]) certificate_add, certificate_del = gen_add_del_lists( certificate, res_find.get("usercertificate")) host_add, host_del = gen_add_del_lists( host, res_find.get('managedby_host', [])) principal_add, principal_del = gen_add_del_lists( principal, res_find.get("principal")) (allow_create_keytab_user_add, allow_create_keytab_user_del) = \ gen_add_del_lists( allow_create_keytab_user, res_find.get( 'ipaallowedtoperform_write_keys_user', [])) (allow_retrieve_keytab_user_add, allow_retrieve_keytab_user_del) = \ gen_add_del_lists( allow_retrieve_keytab_user, res_find.get( 'ipaallowedtoperform_read_keys_user', [])) (allow_create_keytab_group_add, allow_create_keytab_group_del) = \ gen_add_del_lists( allow_create_keytab_group, res_find.get( 'ipaallowedtoperform_write_keys_group', [])) (allow_retrieve_keytab_group_add, allow_retrieve_keytab_group_del) = \ gen_add_del_lists( allow_retrieve_keytab_group, res_find.get( 'ipaallowedtoperform_read_keys_group', [])) (allow_create_keytab_host_add, allow_create_keytab_host_del) = \ gen_add_del_lists( allow_create_keytab_host, res_find.get( 'ipaallowedtoperform_write_keys_host', [])) (allow_retrieve_keytab_host_add, allow_retrieve_keytab_host_del) = \ gen_add_del_lists( allow_retrieve_keytab_host, res_find.get( 'ipaallowedtoperform_read_keys_host', [])) (allow_create_keytab_hostgroup_add, allow_create_keytab_hostgroup_del) = \ gen_add_del_lists( allow_create_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_write_keys_hostgroup', [])) (allow_retrieve_keytab_hostgroup_add, allow_retrieve_keytab_hostgroup_del) = \ gen_add_del_lists( allow_retrieve_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_read_keys_hostgroup', [])) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) existing = res_find.get('usercertificate', []) if certificate is None: certificate_add = [] else: certificate_add = [ c for c in certificate if c not in existing ] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] # Add principals for _principal in principal_add: commands.append([ name, "service_add_principal", { "krbprincipalname": _principal, } ]) # Remove principals for _principal in principal_del: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) for _certificate in certificate_add: commands.append([ name, "service_add_cert", { "usercertificate": _certificate, } ]) # Remove certificates for _certificate in certificate_del: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts. if host is not None and len(host) > 0 and len(host_add) > 0: commands.append( [name, "service_add_host", { "host": host_add }]) # Remove hosts if host is not None and len(host) > 0 and len(host_del) > 0: commands.append( [name, "service_remove_host", { "host": host_del }]) # Allow create keytab if len(allow_create_keytab_user_add) > 0 or \ len(allow_create_keytab_group_add) > 0 or \ len(allow_create_keytab_host_add) > 0 or \ len(allow_create_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_create_keytab", { 'user': allow_create_keytab_user_add, 'group': allow_create_keytab_group_add, 'host': allow_create_keytab_host_add, 'hostgroup': allow_create_keytab_hostgroup_add } ]) # Disallow create keytab if len(allow_create_keytab_user_del) > 0 or \ len(allow_create_keytab_group_del) > 0 or \ len(allow_create_keytab_host_del) > 0 or \ len(allow_create_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user_del, 'group': allow_create_keytab_group_del, 'host': allow_create_keytab_host_del, 'hostgroup': allow_create_keytab_hostgroup_del } ]) # Allow retrieve keytab if len(allow_retrieve_keytab_user_add) > 0 or \ len(allow_retrieve_keytab_group_add) > 0 or \ len(allow_retrieve_keytab_host_add) > 0 or \ len(allow_retrieve_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_add, 'group': allow_retrieve_keytab_group_add, 'host': allow_retrieve_keytab_host_add, 'hostgroup': allow_retrieve_keytab_hostgroup_add } ]) # Disllow retrieve keytab if len(allow_retrieve_keytab_user_del) > 0 or \ len(allow_retrieve_keytab_group_del) > 0 or \ len(allow_retrieve_keytab_host_del) > 0 or \ len(allow_retrieve_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_del, 'group': allow_retrieve_keytab_group_del, 'host': allow_retrieve_keytab_host_del, 'hostgroup': allow_retrieve_keytab_hostgroup_del } ]) elif state == "absent": if action == "service": if res_find is not None: args = {'continue': delete_continue} commands.append([name, 'service_del', args]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) # Remove principals if principal is not None: for _principal in principal: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) # Remove certificates if certificate is not None: existing = res_find.get('usercertificate', []) for _certificate in certificate: if _certificate in existing: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts if host is not None: commands.append( [name, "service_remove_host", { "host": host }]) # Allow create keytab if allow_create_keytab_user is not None or \ allow_create_keytab_group is not None or \ allow_create_keytab_host is not None or \ allow_create_keytab_hostgroup is not None: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user, 'group': allow_create_keytab_group, 'host': allow_create_keytab_host, 'hostgroup': allow_create_keytab_hostgroup } ]) # Allow retriev keytab if allow_retrieve_keytab_user is not None or \ allow_retrieve_keytab_group is not None or \ allow_retrieve_keytab_host is not None or \ allow_retrieve_keytab_hostgroup is not None: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user, 'group': allow_retrieve_keytab_group, 'host': allow_retrieve_keytab_host, 'hostgroup': allow_retrieve_keytab_hostgroup } ]) elif state == "disabled": if action == "service": if res_find is not None: has_cert = bool(res_find.get('usercertificate')) has_keytab = res_find.get('has_keytab', False) if has_cert or has_keytab: commands.append([name, 'service_disable', {}]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands changed = ansible_module.execute_ipa_commands(commands, result_handler) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), nomembers=dict(required=False, type='bool', default=None), sudocmdgroup=dict(required=False, type='list', default=None), sudocmd=dict(required=False, type='list', default=None), action=dict(type="str", default="sudocmdgroup", choices=["member", "sudocmdgroup"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") nomembers = ansible_module.params.get("nomembers") sudocmdgroup = ansible_module.params.get("sudocmdgroup") sudocmd = ansible_module.params.get("sudocmd") action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one sudocmdgroup can be added at a time.") if action == "member": invalid = ["description", "nomembers"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "nomembers"] if action == "sudocmdgroup": invalid.extend(["sudocmd"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure hostgroup exists res_find = find_sudocmdgroup(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, nomembers) if action == "sudocmdgroup": # Found the hostgroup if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudocmdgroup_mod", args]) else: commands.append([name, "sudocmdgroup_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(sudocmd) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists sudocmdgroup_add = list( set(sudocmdgroup or []) - set(res_find.get("member_sudocmdgroup", []))) sudocmdgroup_del = list( set(res_find.get("member_sudocmdgroup", [])) - set(sudocmdgroup or [])) # Add members if len(sudocmdgroup_add) > 0: commands.append([ name, "sudocmdgroup_add_member", { "sudocmd": [to_text(c) for c in sudocmdgroup_add] } ]) # Remove members if len(sudocmdgroup_del) > 0: commands.append([ name, "sudocmdgroup_remove_member", { "sudocmd": [to_text(c) for c in sudocmdgroup_del] } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudocmdgroup '%s'" % name) # Ensure members are present commands.append([ name, "sudocmdgroup_add_member", { "sudocmd": [to_text(c) for c in sudocmd] } ]) elif state == "absent": if action == "sudocmdgroup": if res_find is not None: commands.append([name, "sudocmdgroup_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudocmdgroup '%s'" % name) # Ensure members are absent commands.append([ name, "sudocmdgroup_remove_member", { "sudocmd": [to_text(c) for c in sudocmd] } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, to_text(name), args) if action == "member": if "completed" in result and result["completed"] > 0: changed = True else: if command == "sudocmdgroup_del": changed |= "Deleted" in result['summary'] elif command == "sudocmdgroup_add": changed |= "Added" in result['summary'] except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] if "failed" in result and "member" in result["failed"]: failed = result["failed"]["member"] for member_type in failed: for member, failure in failed[member_type]: if "already a member" not in failure \ and "not a member" not in failure: errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general inclusive=dict(type="list", aliases=["automemberinclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), exclusive=dict(type="list", aliases=["automemberexclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), name=dict(type="list", aliases=["cn"], default=None, required=False), description=dict(type="str", default=None), automember_type=dict(type='str', required=False, choices=['group', 'hostgroup']), no_wait=dict(type="bool", default=None), default_group=dict(type="str", default=None), action=dict(type="str", default="automember", choices=["member", "automember"]), state=dict(type="str", default="present", choices=["present", "absent", "rebuilt", "orphans_removed"]), users=dict(type="list", default=None), hosts=dict(type="list", default=None), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") if names is None: names = [] # present description = ansible_module.params_get("description") # conditions inclusive = ansible_module.params_get("inclusive") exclusive = ansible_module.params_get("exclusive") # no_wait for rebuilt no_wait = ansible_module.params_get("no_wait") # default_group default_group = ansible_module.params_get("default_group") # action action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # grouping/type automember_type = ansible_module.params_get("automember_type") rebuild_users = ansible_module.params_get("users") rebuild_hosts = ansible_module.params_get("hosts") # Check parameters invalid = [] if state in ["rebuilt", "orphans_removed"]: invalid = ["name", "description", "exclusive", "inclusive", "default_group"] if action == "member": ansible_module.fail_json( msg="'action=member' is not usable with state '%s'" % state) if state == "rebuilt": if automember_type == "group" and rebuild_hosts is not None: ansible_module.fail_json( msg="state %s: hosts can not be set when type is '%s'" % (state, automember_type)) if automember_type == "hostgroup" and rebuild_users is not None: ansible_module.fail_json( msg="state %s: users can not be set when type is '%s'" % (state, automember_type)) elif state == "orphans_removed": invalid.extend(["users", "hosts"]) if not automember_type: ansible_module.fail_json( msg="'automember_type' is required unless state: rebuilt") else: if default_group is not None: for param in ["name", "exclusive", "inclusive", "users", "hosts" "no_wait"]: if ansible_module.params.get(param) is not None: msg = "Cannot use {0} together with default_group" ansible_module.fail_json(msg=msg.format(param)) if action == "member": ansible_module.fail_json( msg="Cannot use default_group with action:member") if state == "absent": ansible_module.fail_json( msg="Cannot use default_group with state:absent") else: invalid = ["users", "hosts", "no_wait"] if not automember_type: ansible_module.fail_json( msg="'automember_type' is required.") ansible_module.params_fail_used_invalid(invalid, state, action) # Init changed = False exit_args = {} res_find = None with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure automember rule exists res_find = find_automember(ansible_module, name, automember_type) # Check inclusive and exclusive conditions if inclusive is not None or exclusive is not None: # automember_type is either "group" or "hostgorup" if automember_type == "group": _type = u"user" elif automember_type == "hostgroup": _type = u"host" else: ansible_module.fail_json( msg="Bad automember type '%s'" % automember_type) try: aciattrs = ansible_module.ipa_command( "json_metadata", _type, {} )['objects'][_type]['aciattrs'] except Exception as ex: ansible_module.fail_json( msg="%s: %s: %s" % ("json_metadata", _type, str(ex))) check_condition_keys(ansible_module, inclusive, aciattrs) check_condition_keys(ansible_module, exclusive, aciattrs) # Create command if state == 'present': args = gen_args(description, automember_type) if action == "automember": if res_find is not None: if not compare_args_ipa(ansible_module, args, res_find, ignore=['type']): commands.append([name, 'automember_mod', args]) else: commands.append([name, 'automember_add', args]) res_find = {} if inclusive is not None: inclusive_add, inclusive_del = gen_add_del_lists( transform_conditions(inclusive), res_find.get("automemberinclusiveregex", []) ) else: inclusive_add, inclusive_del = [], [] if exclusive is not None: exclusive_add, exclusive_del = gen_add_del_lists( transform_conditions(exclusive), res_find.get("automemberexclusiveregex", []) ) else: exclusive_add, exclusive_del = [], [] elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) inclusive_add = transform_conditions(inclusive or []) inclusive_del = [] exclusive_add = transform_conditions(exclusive or []) exclusive_del = [] for _inclusive in inclusive_add: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _inclusive in inclusive_del: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) for _exclusive in exclusive_add: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _exclusive in exclusive_del: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) elif state == 'absent': if action == "automember": if res_find is not None: commands.append([name, 'automember_del', {'type': automember_type}]) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) if inclusive is not None: for _inclusive in transform_conditions(inclusive): key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) if exclusive is not None: for _exclusive in transform_conditions(exclusive): key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) if len(names) == 0: if state == "rebuilt": args = gen_rebuild_args(automember_type, rebuild_users, rebuild_hosts, no_wait) commands.append([None, 'automember_rebuild', args]) elif state == "orphans_removed": res_find = find_automember_orphans(ansible_module, automember_type) if res_find["count"] > 0: commands.append([None, 'automember_find_orphans', {'type': automember_type, 'remove': True}]) elif default_group is not None and state == "present": res_find = find_automember_default_group(ansible_module, automember_type) if default_group == "": if isinstance(res_find["automemberdefaultgroup"], list): commands.append([None, 'automember_default_group_remove', {'type': automember_type}]) else: dn_default_group = [DN(('cn', default_group), ('cn', '%ss' % automember_type), ('cn', 'accounts'), ansible_module.ipa_get_basedn())] if repr(res_find["automemberdefaultgroup"]) != \ repr(dn_default_group): commands.append( [None, 'automember_default_group_set', {'type': automember_type, 'automemberdefaultgroup': default_group}]) else: ansible_module.fail_json(msg="Invalid operation") # Execute commands changed = ansible_module.execute_ipa_commands(commands) # result["failed"] is used only for INCLUDE_RE, EXCLUDE_RE # if entries could not be added that are already there and # if entries could not be removed that are not there. # All other issues like invalid attributes etc. are handled # as exceptions. Therefore the error section is not here as # in other modules. # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["sudocmd"], default=None, required=True), # present description=dict(type="str", default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") # state state = ansible_module.params_get("state") # Check parameters if state == "absent": invalid = ["description"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure hostgroup exists res_find = find_sudocmd(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description) if res_find is not None: # For all settings in args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudocmd_mod", args]) else: commands.append([name, "sudocmd_add", args]) # Set res_find to empty dict for next step res_find = {} elif state == "absent": if res_find is not None: commands.append([name, "sudocmd_del", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) changed = ansible_module.execute_ipa_commands(commands) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = init_ansible_module() # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # service attributes principal = module_params_get(ansible_module, "principal") certificate = module_params_get(ansible_module, "certificate") pac_type = module_params_get(ansible_module, "pac_type") auth_ind = module_params_get(ansible_module, "auth_ind") skip_host_check = module_params_get(ansible_module, "skip_host_check") force = module_params_get(ansible_module, "force") requires_pre_auth = module_params_get(ansible_module, "requires_pre_auth") ok_as_delegate = module_params_get(ansible_module, "ok_as_delegate") ok_to_auth_as_delegate = module_params_get(ansible_module, "ok_to_auth_as_delegate") smb = module_params_get(ansible_module, "smb") netbiosname = module_params_get(ansible_module, "netbiosname") host = module_params_get(ansible_module, "host") allow_create_keytab_user = module_params_get(ansible_module, "allow_create_keytab_user") allow_create_keytab_group = module_params_get(ansible_module, "allow_create_keytab_group") allow_create_keytab_host = module_params_get(ansible_module, "allow_create_keytab_host") allow_create_keytab_hostgroup = module_params_get( ansible_module, "allow_create_keytab_hostgroup") allow_retrieve_keytab_user = module_params_get( ansible_module, "allow_retrieve_keytab_user") allow_retrieve_keytab_group = module_params_get( ansible_module, "allow_retrieve_keytab_group") allow_retrieve_keytab_host = module_params_get( ansible_module, "allow_retrieve_keytab_host") allow_retrieve_keytab_hostgroup = module_params_get( ansible_module, "allow_retrieve_keytab_hostgroup") delete_continue = module_params_get(ansible_module, "delete_continue") # action action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # check parameters check_parameters(ansible_module, state, action, names, vars()) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_skip_host_check = api_check_param("service_add", "skip_host_check") if skip_host_check and not has_skip_host_check: ansible_module.fail_json( msg="Skipping host check is not supported by your IPA version") commands = [] for name in names: res_find = find_service(ansible_module, name, netbiosname) if state == "present": # if service exists, 'smb' cannot be used. if action == "service": args = gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate) if not has_skip_host_check and 'skip_host_check' in args: del args['skip_host_check'] if res_find is None: if smb: if netbiosname is not None: args['ipantflatname'] = netbiosname commands.append([name, 'service_add_smb', args]) else: commands.append([name, 'service_add', args]) certificate_add = certificate or [] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] else: for remove in ['skip_host_check', 'force']: if remove in args: del args[remove] if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "service_mod", args]) certificate_add, certificate_del = gen_add_del_lists( certificate, res_find.get("usercertificate")) host_add, host_del = gen_add_del_lists( host, res_find.get('managedby_host', [])) principal_add, principal_del = gen_add_del_lists( principal, res_find.get("principal")) (allow_create_keytab_user_add, allow_create_keytab_user_del) = \ gen_add_del_lists( allow_create_keytab_user, res_find.get( 'ipaallowedtoperform_write_keys_user', [])) (allow_retrieve_keytab_user_add, allow_retrieve_keytab_user_del) = \ gen_add_del_lists( allow_retrieve_keytab_user, res_find.get( 'ipaallowedtoperform_read_keys_user', [])) (allow_create_keytab_group_add, allow_create_keytab_group_del) = \ gen_add_del_lists( allow_create_keytab_group, res_find.get( 'ipaallowedtoperform_write_keys_group', [])) (allow_retrieve_keytab_group_add, allow_retrieve_keytab_group_del) = \ gen_add_del_lists( allow_retrieve_keytab_group, res_find.get( 'ipaallowedtoperform_read_keys_group', [])) (allow_create_keytab_host_add, allow_create_keytab_host_del) = \ gen_add_del_lists( allow_create_keytab_host, res_find.get( 'ipaallowedtoperform_write_keys_host', [])) (allow_retrieve_keytab_host_add, allow_retrieve_keytab_host_del) = \ gen_add_del_lists( allow_retrieve_keytab_host, res_find.get( 'ipaallowedtoperform_read_keys_host', [])) (allow_create_keytab_hostgroup_add, allow_create_keytab_hostgroup_del) = \ gen_add_del_lists( allow_create_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_write_keys_hostgroup', [])) (allow_retrieve_keytab_hostgroup_add, allow_retrieve_keytab_hostgroup_del) = \ gen_add_del_lists( allow_retrieve_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_read_keys_hostgroup', [])) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) existing = res_find.get('usercertificate', []) if certificate is None: certificate_add = [] else: certificate_add = [ c for c in certificate if c not in existing ] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] # Add principals for _principal in principal_add: commands.append([ name, "service_add_principal", { "krbprincipalname": _principal, } ]) # Remove principals for _principal in principal_del: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) for _certificate in certificate_add: commands.append([ name, "service_add_cert", { "usercertificate": _certificate, } ]) # Remove certificates for _certificate in certificate_del: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts. if host is not None and len(host) > 0 and len(host_add) > 0: commands.append( [name, "service_add_host", { "host": host_add }]) # Remove hosts if host is not None and len(host) > 0 and len(host_del) > 0: commands.append( [name, "service_remove_host", { "host": host_del }]) # Allow create keytab if len(allow_create_keytab_user_add) > 0 or \ len(allow_create_keytab_group_add) > 0 or \ len(allow_create_keytab_host_add) > 0 or \ len(allow_create_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_create_keytab", { 'user': allow_create_keytab_user_add, 'group': allow_create_keytab_group_add, 'host': allow_create_keytab_host_add, 'hostgroup': allow_create_keytab_hostgroup_add } ]) # Disallow create keytab if len(allow_create_keytab_user_del) > 0 or \ len(allow_create_keytab_group_del) > 0 or \ len(allow_create_keytab_host_del) > 0 or \ len(allow_create_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user_del, 'group': allow_create_keytab_group_del, 'host': allow_create_keytab_host_del, 'hostgroup': allow_create_keytab_hostgroup_del } ]) # Allow retrieve keytab if len(allow_retrieve_keytab_user_add) > 0 or \ len(allow_retrieve_keytab_group_add) > 0 or \ len(allow_retrieve_keytab_host_add) > 0 or \ len(allow_retrieve_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_add, 'group': allow_retrieve_keytab_group_add, 'host': allow_retrieve_keytab_host_add, 'hostgroup': allow_retrieve_keytab_hostgroup_add } ]) # Disllow retrieve keytab if len(allow_retrieve_keytab_user_del) > 0 or \ len(allow_retrieve_keytab_group_del) > 0 or \ len(allow_retrieve_keytab_host_del) > 0 or \ len(allow_retrieve_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_del, 'group': allow_retrieve_keytab_group_del, 'host': allow_retrieve_keytab_host_del, 'hostgroup': allow_retrieve_keytab_hostgroup_del } ]) elif state == "absent": if action == "service": if res_find is not None: args = {'continue': True if delete_continue else False} commands.append([name, 'service_del', args]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) # Remove principals if principal is not None: for _principal in principal: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) # Remove certificates if certificate is not None: existing = res_find.get('usercertificate', []) for _certificate in certificate: if _certificate in existing: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts if host is not None: commands.append( [name, "service_remove_host", { "host": host }]) # Allow create keytab if allow_create_keytab_user is not None or \ allow_create_keytab_group is not None or \ allow_create_keytab_host is not None or \ allow_create_keytab_hostgroup is not None: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user, 'group': allow_create_keytab_group, 'host': allow_create_keytab_host, 'hostgroup': allow_create_keytab_hostgroup } ]) # Allow retriev keytab if allow_retrieve_keytab_user is not None or \ allow_retrieve_keytab_group is not None or \ allow_retrieve_keytab_host is not None or \ allow_retrieve_keytab_hostgroup is not None: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user, 'group': allow_retrieve_keytab_group, 'host': allow_retrieve_keytab_host, 'hostgroup': allow_retrieve_keytab_hostgroup } ]) elif state == "disabled": if action == "service": if res_find is not None: has_cert = bool(res_find.get('usercertificate')) has_keytab = res_find.get('has_keytab', False) if has_cert or has_keytab: commands.append([name, 'service_disable', {}]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as ex: ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # generalgroups ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(required=False, type="str", default=None), vault_type=dict(type="str", aliases=["ipavaulttype"], default=None, required=False, choices=["standard", "symmetric", "asymmetric"]), vault_public_key=dict(type="str", required=False, default=None, aliases=['ipavaultpublickey', 'public_key']), vault_public_key_file=dict(type="str", required=False, default=None, aliases=['public_key_file']), vault_private_key=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultprivatekey', 'private_key']), vault_private_key_file=dict(type="str", required=False, default=None, aliases=['private_key_file']), vault_salt=dict(type="str", required=False, default=None, aliases=['ipavaultsalt', 'salt']), username=dict(type="str", required=False, default=None, aliases=['user']), service=dict(type="str", required=False, default=None), shared=dict(type="bool", required=False, default=None), users=dict(required=False, type='list', default=None), groups=dict(required=False, type='list', default=None), services=dict(required=False, type='list', default=None), owners=dict(required=False, type='list', default=None, aliases=['ownerusers']), ownergroups=dict(required=False, type='list', default=None), ownerservices=dict(required=False, type='list', default=None), vault_data=dict(type="str", required=False, default=None, no_log=True, aliases=['ipavaultdata', 'data']), datafile_in=dict(type="str", required=False, default=None, aliases=['in']), datafile_out=dict(type="str", required=False, default=None, aliases=['out']), vault_password=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultpassword', 'password', "old_password"]), vault_password_file=dict( type="str", required=False, default=None, no_log=False, aliases=['password_file', "old_password_file"]), new_password=dict(type="str", required=False, default=None, no_log=True), new_password_file=dict(type="str", required=False, default=None, no_log=False), # state action=dict(type="str", default="vault", choices=["vault", "data", "member"]), state=dict(type="str", default="present", choices=["present", "absent", "retrieved"]), ), supports_check_mode=True, mutually_exclusive=[['username', 'service', 'shared'], ['datafile_in', 'vault_data'], ['new_password', 'new_password_file'], ['vault_password', 'vault_password_file'], ['vault_public_key', 'vault_public_key_file']], ) ansible_module._ansible_debug = True # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") username = module_params_get(ansible_module, "username") service = module_params_get(ansible_module, "service") shared = module_params_get(ansible_module, "shared") users = module_params_get(ansible_module, "users") groups = module_params_get(ansible_module, "groups") services = module_params_get(ansible_module, "services") owners = module_params_get(ansible_module, "owners") ownergroups = module_params_get(ansible_module, "ownergroups") ownerservices = module_params_get(ansible_module, "ownerservices") vault_type = module_params_get(ansible_module, "vault_type") salt = module_params_get(ansible_module, "vault_salt") password = module_params_get(ansible_module, "vault_password") password_file = module_params_get(ansible_module, "vault_password_file") new_password = module_params_get(ansible_module, "new_password") new_password_file = module_params_get(ansible_module, "new_password_file") public_key = module_params_get(ansible_module, "vault_public_key") public_key_file = module_params_get(ansible_module, "vault_public_key_file") private_key = module_params_get(ansible_module, "vault_private_key") private_key_file = module_params_get(ansible_module, "vault_private_key_file") vault_data = module_params_get(ansible_module, "vault_data") datafile_in = module_params_get(ansible_module, "datafile_in") datafile_out = module_params_get(ansible_module, "datafile_out") action = module_params_get(ansible_module, "action") state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be added at a time.") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") elif state == "retrieved": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be retrieved at a time.") else: ansible_module.fail_json(msg="Invalid state '%s'" % state) check_parameters(ansible_module, state, action, description, username, service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) # Need to set krb5 ccache name, due to context='ansible-freeipa' if ccache_name is not None: os.environ["KRB5CCNAME"] = ccache_name api_connect(context='ansible-freeipa') commands = [] for name in names: # Make sure vault exists res_find = find_vault(ansible_module, name, username, service, shared) # Generate args args = gen_args(description, username, service, shared, vault_type, salt, password, password_file, public_key, public_key_file, vault_data, datafile_in, datafile_out) pwdargs = None # Set default vault_type if needed. if vault_type is None and vault_data is not None: if res_find is not None: res_vault_type = res_find.get('ipavaulttype')[0] args['ipavaulttype'] = vault_type = res_vault_type else: args['ipavaulttype'] = vault_type = u"symmetric" # Create command if state == "present": # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) # Found the vault if action == "vault": if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "vault_mod_internal", args]) else: if vault_type == 'symmetric' \ and 'ipavaultsalt' not in args: args['ipavaultsalt'] = os.urandom(32) commands.append([name, "vault_add_internal", args]) if vault_type != 'standard' and vault_data is None: vault_data = '' # Set res_find to empty dict for next steps res_find = {} # Generate adittion and removal lists user_add, user_del = \ gen_add_del_lists(users, res_find.get('member_user', [])) group_add, group_del = \ gen_add_del_lists(groups, res_find.get('member_group', [])) service_add, service_del = \ gen_add_del_lists(services, res_find.get('member_service', [])) owner_add, owner_del = \ gen_add_del_lists(owners, res_find.get('owner_user', [])) ownergroups_add, ownergroups_del = \ gen_add_del_lists(ownergroups, res_find.get('owner_group', [])) ownerservice_add, ownerservice_del = \ gen_add_del_lists(ownerservices, res_find.get('owner_service', [])) # Add users and groups user_add_args = gen_member_args(args, user_add, group_add, service_add) if user_add_args is not None: commands.append( [name, 'vault_add_member', user_add_args]) # Remove users and groups user_del_args = gen_member_args(args, user_del, group_del, service_del) if user_del_args is not None: commands.append( [name, 'vault_remove_member', user_del_args]) # Add owner users and groups owner_add_args = gen_member_args(args, owner_add, ownergroups_add, ownerservice_add) if owner_add_args is not None: commands.append( [name, 'vault_add_owner', owner_add_args]) # Remove owner users and groups owner_del_args = gen_member_args(args, owner_del, ownergroups_del, ownerservice_del) if owner_del_args is not None: commands.append( [name, 'vault_remove_owner', owner_del_args]) elif action in "member": # Add users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append([name, 'vault_add_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append([name, 'vault_add_owner', owner_args]) pwdargs = data_storage_args(args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) if any([vault_data, datafile_in]): commands.append([name, "vault_archive", pwdargs]) cmds = change_password(ansible_module, res_find, password, password_file, new_password, new_password_file) commands.extend(cmds) elif state == "retrieved": if res_find is None: ansible_module.fail_json( msg="Vault `%s` not found to retrieve data." % name) # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) pwdargs = data_storage_args(args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) if 'data' in pwdargs: del pwdargs['data'] commands.append([name, "vault_retrieve", pwdargs]) elif state == "absent": if 'ipavaulttype' in args: del args['ipavaulttype'] if action == "vault": if res_find is not None: commands.append([name, "vault_del", args]) elif action == "member": # remove users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append( [name, 'vault_remove_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append( [name, 'vault_remove_owner', owner_args]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unknown state '%s'" % state) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if command == 'vault_archive': changed = 'Archived data into' in result['summary'] elif command == 'vault_retrieve': if 'result' not in result: raise Exception("No result obtained.") if "data" in result["result"]: data_return = exit_args.setdefault("vault", {}) data_return["data"] = result["result"]["data"] else: if not datafile_out: raise Exception("No data retrieved.") changed = False else: if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except EmptyModlist: result = {} except Exception as exception: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(exception))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as exception: ansible_module.fail_json(msg=str(exception)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=False), # present maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None), minlife=dict(type="int", aliases=["krbminpwdlife"], default=None), history=dict(type="int", aliases=["krbpwdhistorylength"], default=None), minclasses=dict(type="int", aliases=["krbpwdmindiffchars"], default=None), minlength=dict(type="int", aliases=["krbpwdminlength"], default=None), priority=dict(type="int", aliases=["cospriority"], default=None), maxfail=dict(type="int", aliases=["krbpwdmaxfailure"], default=None), failinterval=dict(type="int", aliases=["krbpwdfailurecountinterval"], default=None), lockouttime=dict(type="int", aliases=["krbpwdlockoutduration"], default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present maxlife = ansible_module.params_get("maxlife") minlife = ansible_module.params_get("minlife") history = ansible_module.params_get("history") minclasses = ansible_module.params_get("minclasses") minlength = ansible_module.params_get("minlength") priority = ansible_module.params_get("priority") maxfail = ansible_module.params_get("maxfail") failinterval = ansible_module.params_get("failinterval") lockouttime = ansible_module.params_get("lockouttime") # state state = ansible_module.params_get("state") # Check parameters if names is None: names = [u"global_policy"] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one pwpolicy can be set at a time.") if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") if "global_policy" in names: ansible_module.fail_json( msg="'global_policy' can not be made absent.") invalid = [ "maxlife", "minlife", "history", "minclasses", "minlength", "priority", "maxfail", "failinterval", "lockouttime" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} with ansible_module.ipa_connect(): commands = [] for name in names: # Try to find pwpolicy res_find = find_pwpolicy(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(maxlife, minlife, history, minclasses, minlength, priority, maxfail, failinterval, lockouttime) # Found the pwpolicy if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "pwpolicy_mod", args]) else: commands.append([name, "pwpolicy_add", args]) elif state == "absent": if res_find is not None: commands.append([name, "pwpolicy_del", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands changed = ansible_module.execute_ipa_commands(commands) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["aciname"], default=None, required=True), # present permission=dict(required=False, type='list', aliases=["permissions"], default=None), attribute=dict(required=False, type='list', aliases=["attrs"], default=None), membergroup=dict(type="str", aliases=["memberof"], default=None), group=dict(type="str", default=None), action=dict(type="str", default="delegation", choices=["member", "delegation"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present permission = module_params_get(ansible_module, "permission") attribute = module_params_get(ansible_module, "attribute") membergroup = module_params_get(ansible_module, "membergroup") group = module_params_get(ansible_module, "group") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one delegation be added at a time.") if action == "member": invalid = ["permission", "membergroup", "group"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["permission", "membergroup", "group"] if action == "delegation": invalid.append("attribute") for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) if permission is not None: perm = [p for p in permission if p not in ("read", "write")] if perm: ansible_module.fail_json(msg="Invalid permission '%s'" % perm) if len(set(permission)) != len(permission): ansible_module.fail_json( msg="Invalid permission '%s', items are not unique" % repr(permission)) if attribute is not None: if len(set(attribute)) != len(attribute): ansible_module.fail_json( msg="Invalid attribute '%s', items are not unique" % repr(attribute)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure delegation exists res_find = find_delegation(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(permission, attribute, membergroup, group) if action == "delegation": # Found the delegation if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "delegation_mod", args]) else: commands.append([name, "delegation_add", args]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No delegation '%s'" % name) if attribute is None: ansible_module.fail_json(msg="No attributes given") # New attribute list (add given ones to find result) # Make list with unique entries attrs = list(set(list(res_find["attrs"]) + attribute)) if len(attrs) > len(res_find["attrs"]): commands.append( [name, "delegation_mod", { "attrs": attrs }]) elif state == "absent": if action == "delegation": if res_find is not None: commands.append([name, "delegation_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No delegation '%s'" % name) if attribute is None: ansible_module.fail_json(msg="No attributes given") # New attribute list (remove given ones from find result) # Make list with unique entries attrs = list(set(res_find["attrs"]) - set(attribute)) if len(attrs) < 1: ansible_module.fail_json( msg="At minimum one attribute is needed.") # Entries New number of attributes is smaller if len(attrs) < len(res_find["attrs"]): commands.append( [name, "delegation_mod", { "attrs": attrs }]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( name=dict(type="list", aliases=["idnsname"], default=None, required=True), # present description=dict(required=False, type='str', default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") # state state = ansible_module.params_get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one location be added at a time.") if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure location exists res_find = find_location(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description) # Found the location if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "location_mod", args]) else: commands.append([name, "location_add", args]) elif state == "absent": if res_find is not None: commands.append([name, "location_del", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands changed = ansible_module.execute_ipa_commands(commands) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), membermanager_user=dict(required=False, type='list', default=None), membermanager_group=dict(required=False, type='list', default=None), rename=dict(required=False, type='str', default=None, aliases=["new_name"]), action=dict(type="str", default="hostgroup", choices=["member", "hostgroup"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") nomembers = module_params_get(ansible_module, "nomembers") host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") membermanager_user = module_params_get(ansible_module, "membermanager_user") membermanager_group = module_params_get(ansible_module, "membermanager_group") rename = module_params_get(ansible_module, "rename") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hostgroup can be added at a time.") invalid = ["rename"] if action == "member": invalid.extend(["description", "nomembers"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one hostgroup can be added at a time.") if action == "member": ansible_module.fail_json( msg="Action '%s' can not be used with state '%s'" % (action, state)) invalid = [ "description", "nomembers", "host", "hostgroup", "membermanager_user", "membermanager_group" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "nomembers", "rename"] if action == "hostgroup": invalid.extend(["host", "hostgroup"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_membermanager = api_check_command( "hostgroup_add_member_manager") if ((membermanager_user is not None or membermanager_group is not None) and not has_add_membermanager): ansible_module.fail_json( msg="Managing a membermanager user or group is not supported " "by your IPA version") has_mod_rename = api_check_param("hostgroup_mod", "rename") if not has_mod_rename and rename is not None: ansible_module.fail_json( msg="Renaming hostgroups is not supported by your IPA version") commands = [] for name in names: # Make sure hostgroup exists res_find = find_hostgroup(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, nomembers, rename) if action == "hostgroup": # Found the hostgroup if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hostgroup_mod", args]) else: commands.append([name, "hostgroup_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(host, hostgroup) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get("member_host")) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get("member_hostgroup")) # Add members if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([ name, "hostgroup_add_member", { "host": host_add, "hostgroup": hostgroup_add, } ]) # Remove members if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([ name, "hostgroup_remove_member", { "host": host_del, "hostgroup": hostgroup_del, } ]) membermanager_user_add, membermanager_user_del = \ gen_add_del_lists( membermanager_user, res_find.get("membermanager_user") ) membermanager_group_add, membermanager_group_del = \ gen_add_del_lists( membermanager_group, res_find.get("membermanager_group") ) if has_add_membermanager: # Add membermanager users and groups if len(membermanager_user_add) > 0 or \ len(membermanager_group_add) > 0: commands.append([ name, "hostgroup_add_member_manager", { "user": membermanager_user_add, "group": membermanager_group_add, } ]) # Remove member manager if len(membermanager_user_del) > 0 or \ len(membermanager_group_del) > 0: commands.append([ name, "hostgroup_remove_member_manager", { "user": membermanager_user_del, "group": membermanager_group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hostgroup '%s'" % name) # Ensure members are present commands.append([ name, "hostgroup_add_member", { "host": host, "hostgroup": hostgroup, } ]) if has_add_membermanager: # Add membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "hostgroup_add_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) elif state == "renamed": if res_find is not None: if rename != name: commands.append( [name, "hostgroup_mod", { "rename": rename }]) else: # If a hostgroup with the desired name exists, do nothing. new_find = find_hostgroup(ansible_module, rename) if new_find is None: # Fail only if the either hostsgroups do not exist. ansible_module.fail_json( msg="Attribute `rename` can not be used, unless " "hostgroup exists.") elif state == "absent": if action == "hostgroup": if res_find is not None: commands.append([name, "hostgroup_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hostgroup '%s'" % name) # Ensure members are absent commands.append([ name, "hostgroup_remove_member", { "host": host, "hostgroup": hostgroup, } ]) if has_add_membermanager: # Remove membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "hostgroup_remove_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["sudocmd"], default=None, required=True), # present description=dict(type="str", default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # state state = ansible_module.params.get("state") # Check parameters if state == "absent": invalid = ["description"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure hostgroup exists res_find = find_sudocmd(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description) if res_find is not None: # For all settings in args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudocmd_mod", args]) else: commands.append([name, "sudocmd_add", args]) # Set res_find to empty dict for next step res_find = {} elif state == "absent": if res_find is not None: commands.append([name, "sudocmd_del", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, to_text(name), args) # Check if any changes were made by any command if command == 'sudocmd_del': changed |= "Deleted" in result['summary'] elif command == 'sudocmd_add': changed |= "Added" in result['summary'] except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), forwarders=dict(type="list", default=None, required=False, aliases=["idnsforwarders"], elements='dict', options=dict( ip_address=dict(type='str', required=True), port=dict(type='int', required=False, default=None), )), forwardpolicy=dict(type='str', aliases=["idnsforwardpolicy"], required=False, choices=['only', 'first', 'none']), skip_overlap_check=dict(type='bool', required=False), permission=dict(type='bool', required=False, aliases=['managedby']), action=dict(type="str", default="dnsforwardzone", choices=["member", "dnsforwardzone"]), # state state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") action = module_params_get(ansible_module, "action") forwarders = forwarder_list(module_params_get(ansible_module, "forwarders")) forwardpolicy = module_params_get(ansible_module, "forwardpolicy") skip_overlap_check = module_params_get(ansible_module, "skip_overlap_check") permission = module_params_get(ansible_module, "permission") state = module_params_get(ansible_module, "state") if state == 'present' and len(names) != 1: ansible_module.fail_json( msg="Only one dnsforwardzone can be added at a time.") if state == 'absent' and len(names) < 1: ansible_module.fail_json(msg="No name given.") # absent stae means delete if the action is NOT member but update if it is # if action is member then update an exisiting resource # and if action is not member then create a resource if state == "absent" and action == "dnsforwardzone": operation = "del" elif action == "member": operation = "update" else: operation = "add" if state in ["enabled", "disabled"]: if action == "member": ansible_module.fail_json( msg="Action `member` cannot be used with state `%s`" % (state)) invalid = [ "forwarders", "forwardpolicy", "skip_overlap_check", "permission" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s', state `%s`" % (x, action, state)) wants_enable = (state == "enabled") if operation == "del": invalid = [ "forwarders", "forwardpolicy", "skip_overlap_check", "permission" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s', state `%s`" % (x, action, state)) changed = False exit_args = {} args = {} ccache_dir = None ccache_name = None is_enabled = "IGNORE" try: # we need to determine 3 variables # args = the values we want to change/set # command = the ipa api command to call del, add, or mod # is_enabled = is the current resource enabled (True) # disabled (False) and do we care (IGNORE) if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() for name in names: commands = [] command = None # Make sure forwardzone exists existing_resource = find_dnsforwardzone(ansible_module, name) # validate parameters if state == 'present': if existing_resource is None and not forwarders: ansible_module.fail_json(msg='No forwarders specified.') if existing_resource is None: if operation == "add": # does not exist but should be present # determine args args = gen_args(forwarders, forwardpolicy, skip_overlap_check) # set command command = "dnsforwardzone_add" # enabled or disabled? elif operation == "update": # does not exist and is updating # trying to update something that doesn't exist, so error ansible_module.fail_json( msg="dnsforwardzone '%s' not found." % (name)) elif operation == "del": # there's nothnig to do. continue else: # existing_resource is not None if state != "absent": if forwarders: forwarders = list( set(existing_resource["idnsforwarders"] + forwarders)) else: if forwarders: forwarders = list( set(existing_resource["idnsforwarders"]) - set(forwarders)) if operation == "add": # exists and should be present, has it changed? # determine args args = gen_args(forwarders, forwardpolicy, skip_overlap_check) if 'skip_overlap_check' in args: del args['skip_overlap_check'] # set command if not compare_args_ipa(ansible_module, args, existing_resource): command = "dnsforwardzone_mod" elif operation == "del": # exists but should be absent # set command command = "dnsforwardzone_del" args = {} elif operation == "update": # exists and is updating # calculate the new forwarders and mod args = gen_args(forwarders, forwardpolicy, skip_overlap_check) if "skip_overlap_check" in args: del args['skip_overlap_check'] # command if not compare_args_ipa(ansible_module, args, existing_resource): command = "dnsforwardzone_mod" if state in ['enabled', 'disabled']: if existing_resource is not None: is_enabled = existing_resource["idnszoneactive"][0] else: ansible_module.fail_json( msg="dnsforwardzone '%s' not found." % (name)) # does the enabled state match what we want (if we care) if is_enabled != "IGNORE": if wants_enable and is_enabled != "TRUE": commands.append([name, "dnsforwardzone_enable", {}]) elif not wants_enable and is_enabled != "FALSE": commands.append([name, "dnsforwardzone_disable", {}]) # if command is set... if command is not None: commands.append([name, command, args]) if permission is not None: if existing_resource is None: managedby = None else: managedby = existing_resource.get('managedby', None) if permission and managedby is None: commands.append( [name, 'dnsforwardzone_add_permission', {}]) elif not permission and managedby is not None: commands.append( [name, 'dnsforwardzone_remove_permission', {}]) for name, command, args in commands: api_command(ansible_module, command, name, args) changed = True except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, dnsforwardzone=exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), nonposix=dict(required=False, type='bool', default=None), external=dict(required=False, type='bool', default=None), nomembers=dict(required=False, type='bool', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), service=dict(required=False, type='list', default=None), action=dict(type="str", default="group", choices=["member", "group"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get( ansible_module, "ipaadmin_principal", ) ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") gid = module_params_get(ansible_module, "gid") nonposix = module_params_get(ansible_module, "nonposix") external = module_params_get(ansible_module, "external") nomembers = module_params_get(ansible_module, "nomembers") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") service = module_params_get(ansible_module, "service") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one group can be added at a time.") if action == "member": invalid = [ "description", "gid", "nonposix", "external", "nomembers" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "gid", "nonposix", "external", "nomembers"] if action == "group": invalid.extend(["user", "group", "service"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_member_service = api_check_param("group_add_member", "service") if service is not None and not has_add_member_service: ansible_module.fail_json( msg="Managing a service as part of a group is not supported " "by your IPA version") commands = [] for name in names: # Make sure group exists res_find = find_group(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, gid, nonposix, external, nomembers) if action == "group": # Found the group if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "group_mod", args]) else: commands.append([name, "group_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(user, group, service) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists user_add = list( set(user or []) - set(res_find.get("member_user", []))) user_del = list( set(res_find.get("member_user", [])) - set(user or [])) group_add = list( set(group or []) - set(res_find.get("member_group", []))) group_del = list( set(res_find.get("member_group", [])) - set(group or [])) service_add = list( set(service or []) - set(res_find.get("member_service", []))) service_del = list( set(res_find.get("member_service", [])) - set(service or [])) if has_add_member_service: # Add members if len(user_add) > 0 or len(group_add) > 0 or \ len(service_add) > 0: commands.append([ name, "group_add_member", { "user": user_add, "group": group_add, "service": service_add, } ]) # Remove members if len(user_del) > 0 or len(group_del) > 0 or \ len(service_del) > 0: commands.append([ name, "group_remove_member", { "user": user_del, "group": group_del, "service": service_del, } ]) else: # Add members if len(user_add) > 0 or len(group_add) > 0: commands.append([ name, "group_add_member", { "user": user_add, "group": group_add, } ]) # Remove members if len(user_del) > 0 or len(group_del) > 0: commands.append([ name, "group_remove_member", { "user": user_del, "group": group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) if has_add_member_service: commands.append([ name, "group_add_member", { "user": user, "group": group, "service": service, } ]) else: commands.append([ name, "group_add_member", { "user": user, "group": group, } ]) elif state == "absent": if action == "group": if res_find is not None: commands.append([name, "group_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) commands.append([ name, "group_remove_member", { "user": user, "group": group, "service": service, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # generalgroups name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(required=False, type="str", default=None), vault_type=dict(type="str", aliases=["ipavaulttype"], default=None, required=False, choices=["standard", "symmetric", "asymmetric"]), vault_public_key=dict( type="str", required=False, default=None, aliases=['ipavaultpublickey', 'public_key', 'new_public_key']), vault_public_key_file=dict( type="str", required=False, default=None, aliases=['public_key_file', 'new_public_key_file']), vault_private_key=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultprivatekey', 'private_key']), vault_private_key_file=dict(type="str", required=False, default=None, aliases=['private_key_file']), vault_salt=dict(type="str", required=False, default=None, aliases=['ipavaultsalt', 'salt']), username=dict(type="str", required=False, default=None, aliases=['user']), service=dict(type="str", required=False, default=None), shared=dict(type="bool", required=False, default=None), users=dict(required=False, type='list', default=None), groups=dict(required=False, type='list', default=None), services=dict(required=False, type='list', default=None), owners=dict(required=False, type='list', default=None, aliases=['ownerusers']), ownergroups=dict(required=False, type='list', default=None), ownerservices=dict(required=False, type='list', default=None), vault_data=dict(type="str", required=False, default=None, no_log=True, aliases=['ipavaultdata', 'data']), datafile_in=dict(type="str", required=False, default=None, aliases=['in']), datafile_out=dict(type="str", required=False, default=None, aliases=['out']), vault_password=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultpassword', 'password', "old_password"]), vault_password_file=dict( type="str", required=False, default=None, no_log=False, aliases=['password_file', "old_password_file"]), new_password=dict(type="str", required=False, default=None, no_log=True), new_password_file=dict(type="str", required=False, default=None, no_log=False), # state action=dict(type="str", default="vault", choices=["vault", "data", "member"]), state=dict(type="str", default="present", choices=["present", "absent", "retrieved"]), ), supports_check_mode=True, mutually_exclusive=[['username', 'service', 'shared'], ['datafile_in', 'vault_data'], ['new_password', 'new_password_file'], ['vault_password', 'vault_password_file'], ['vault_public_key', 'vault_public_key_file']], ) ansible_module._ansible_debug = True # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") username = ansible_module.params_get("username") service = ansible_module.params_get("service") shared = ansible_module.params_get("shared") users = ansible_module.params_get("users") groups = ansible_module.params_get("groups") services = ansible_module.params_get("services") owners = ansible_module.params_get("owners") ownergroups = ansible_module.params_get("ownergroups") ownerservices = ansible_module.params_get("ownerservices") vault_type = ansible_module.params_get("vault_type") salt = ansible_module.params_get("vault_salt") password = ansible_module.params_get("vault_password") password_file = ansible_module.params_get("vault_password_file") new_password = ansible_module.params_get("new_password") new_password_file = ansible_module.params_get("new_password_file") public_key = ansible_module.params_get("vault_public_key") public_key_file = ansible_module.params_get("vault_public_key_file") private_key = ansible_module.params_get("vault_private_key") private_key_file = ansible_module.params_get("vault_private_key_file") vault_data = ansible_module.params_get("vault_data") datafile_in = ansible_module.params_get("datafile_in") datafile_out = ansible_module.params_get("datafile_out") action = ansible_module.params_get("action") state = ansible_module.params_get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be added at a time.") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") elif state == "retrieved": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be retrieved at a time.") else: ansible_module.fail_json(msg="Invalid state '%s'" % state) check_parameters(ansible_module, state, action, description, username, service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file) # Init changed = False exit_args = {} with ansible_module.ipa_connect(context='ansible-freeipa') as ccache_name: if ccache_name is not None: os.environ["KRB5CCNAME"] = ccache_name commands = [] for name in names: # Make sure vault exists res_find = find_vault(ansible_module, name, username, service, shared) # Set default vault_type if needed. res_type = res_find.get('ipavaulttype')[0] if res_find else None if vault_type is None: vault_type = res_type if res_find is not None else u"symmetric" # Generate args args = gen_args(description, username, service, shared, vault_type, salt, public_key, public_key_file) pwdargs = None # Create command if state == "present": # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) change_passwd = any([ new_password, new_password_file, (private_key or private_key_file) and (public_key or public_key_file) ]) if action == "vault": # Found the vault if res_find is not None: arg_type = args.get("ipavaulttype") modified = not compare_args_ipa( ansible_module, args, res_find) if arg_type != res_type or change_passwd: stargs = data_storage_args( res_type, args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) stored = get_stored_data(ansible_module, res_find, stargs) if stored: vault_data = \ (stored or b"").decode("utf-8") remove_attrs = { "symmetric": ["private_key", "public_key"], "asymmetric": ["password", "ipavaultsalt"], "standard": [ "private_key", "public_key", "password", "ipavaultsalt" ], } for attr in remove_attrs.get(arg_type, []): if attr in args: del args[attr] if vault_type == 'symmetric': if 'ipavaultsalt' not in args: args['ipavaultsalt'] = os.urandom(32) else: args['ipavaultsalt'] = b'' if modified: commands.append([name, "vault_mod_internal", args]) else: if vault_type == 'symmetric' \ and 'ipavaultsalt' not in args: args['ipavaultsalt'] = os.urandom(32) commands.append([name, "vault_add_internal", args]) if vault_type != 'standard' and vault_data is None: vault_data = '' # Set res_find to empty dict for next steps res_find = {} # Generate adittion and removal lists user_add, user_del = \ gen_add_del_lists(users, res_find.get('member_user', [])) group_add, group_del = \ gen_add_del_lists(groups, res_find.get('member_group', [])) service_add, service_del = \ gen_add_del_lists(services, res_find.get('member_service', [])) owner_add, owner_del = \ gen_add_del_lists(owners, res_find.get('owner_user', [])) ownergroups_add, ownergroups_del = \ gen_add_del_lists(ownergroups, res_find.get('owner_group', [])) ownerservice_add, ownerservice_del = \ gen_add_del_lists(ownerservices, res_find.get('owner_service', [])) # Add users and groups user_add_args = gen_member_args(args, user_add, group_add, service_add) if user_add_args is not None: commands.append( [name, 'vault_add_member', user_add_args]) # Remove users and groups user_del_args = gen_member_args(args, user_del, group_del, service_del) if user_del_args is not None: commands.append( [name, 'vault_remove_member', user_del_args]) # Add owner users and groups owner_add_args = gen_member_args(args, owner_add, ownergroups_add, ownerservice_add) if owner_add_args is not None: commands.append( [name, 'vault_add_owner', owner_add_args]) # Remove owner users and groups owner_del_args = gen_member_args(args, owner_del, ownergroups_del, ownerservice_del) if owner_del_args is not None: commands.append( [name, 'vault_remove_owner', owner_del_args]) elif action in "member": # Add users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append([name, 'vault_add_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append([name, 'vault_add_owner', owner_args]) if any([vault_data, datafile_in]): if change_passwd: pwdargs = data_storage_args(vault_type, args, vault_data, new_password, new_password_file, private_key, private_key_file, datafile_in, datafile_out) else: pwdargs = data_storage_args(vault_type, args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) pwdargs['override_password'] = True pwdargs.pop("private_key", None) pwdargs.pop("private_key_file", None) commands.append([name, "vault_archive", pwdargs]) elif state == "retrieved": if res_find is None: ansible_module.fail_json( msg="Vault `%s` not found to retrieve data." % name) # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) pwdargs = data_storage_args(res_find["ipavaulttype"][0], args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) if 'data' in pwdargs: del pwdargs['data'] commands.append([name, "vault_retrieve", pwdargs]) elif state == "absent": if 'ipavaulttype' in args: del args['ipavaulttype'] if action == "vault": if res_find is not None: remove = ['ipavaultsalt', 'ipavaultpublickey'] args = { k: v for k, v in args.items() if k not in remove } commands.append([name, "vault_del", args]) elif action == "member": # remove users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append( [name, 'vault_remove_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append( [name, 'vault_remove_owner', owner_args]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unknown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands errors = [] for name, command, args in commands: try: result = ansible_module.ipa_command(command, name, args) if command == 'vault_archive': changed = 'Archived data into' in result['summary'] elif command == 'vault_retrieve': if 'result' not in result: raise Exception("No result obtained.") if "data" in result["result"]: data_return = exit_args.setdefault("vault", {}) data_return["data"] = result["result"]["data"] else: if not datafile_out: raise Exception("No data retrieved.") changed = False else: if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except ipalib_errors.EmptyModlist: result = {} except Exception as exception: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(exception))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) # Done # exit_raw_json is a replacement for ansible_module.exit_json that # does not mask the output. exit_raw_json(ansible_module, changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), inclusive=dict(type="list", aliases=["automemberinclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), exclusive=dict(type="list", aliases=[ "automemberexclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(type="str", default=None), automember_type=dict(type='str', required=False, choices=['group', 'hostgroup']), action=dict(type="str", default="automember", choices=["member", "automember"]), state=dict(type="str", default="present", choices=["present", "absent", "rebuild"]), users=dict(type="list", default=None), hosts=dict(type="list", default=None), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # conditions inclusive = ansible_module.params.get("inclusive") exclusive = ansible_module.params.get("exclusive") # action action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # grouping/type automember_type = ansible_module.params.get("automember_type") rebuild_users = ansible_module.params.get("users") rebuild_hosts = ansible_module.params.get("hosts") if (rebuild_hosts or rebuild_users) and state != "rebuild": ansible_module.fail_json( msg="'hosts' and 'users' are only valid with state: rebuild") if not automember_type and state != "rebuild": ansible_module.fail_json( msg="'automember_type' is required unless state: rebuild") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None res_find = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure automember rule exists res_find = find_automember(ansible_module, name, automember_type) # Check inclusive and exclusive conditions if inclusive is not None or exclusive is not None: # automember_type is either "group" or "hostgorup" if automember_type == "group": _type = "user" elif automember_type == "hostgroup": _type = "host" else: ansible_module.fail_json( msg="Bad automember type '%s'" % automember_type) try: aciattrs = api_command( ansible_module, "json_metadata", to_text(_type), {} )['objects'][_type]['aciattrs'] except Exception as ex: ansible_module.fail_json( msg="%s: %s: %s" % ("json_metadata", _type, str(ex))) check_condition_keys(ansible_module, inclusive, aciattrs) check_condition_keys(ansible_module, exclusive, aciattrs) # Create command if state == 'present': args = gen_args(description, automember_type) if action == "automember": if res_find is not None: if not compare_args_ipa(ansible_module, args, res_find, ignore=['type']): commands.append([name, 'automember_mod', args]) else: commands.append([name, 'automember_add', args]) res_find = {} inclusive_add, inclusive_del = gen_add_del_lists( transform_conditions(inclusive or []), res_find.get("automemberinclusiveregex", []) ) exclusive_add, exclusive_del = gen_add_del_lists( transform_conditions(exclusive or []), res_find.get("automemberexclusiveregex", []) ) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) inclusive_add = transform_conditions(inclusive or []) inclusive_del = [] exclusive_add = transform_conditions(exclusive or []) exclusive_del = [] for _inclusive in inclusive_add: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _inclusive in inclusive_del: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) for _exclusive in exclusive_add: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _exclusive in exclusive_del: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) elif state == 'absent': if action == "automember": if res_find is not None: commands.append([name, 'automember_del', {'type': to_text(automember_type)}]) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) if inclusive is not None: for _inclusive in transform_conditions(inclusive): key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) if exclusive is not None: for _exclusive in transform_conditions(exclusive): key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) elif state == "rebuild": if automember_type: commands.append([None, 'automember_rebuild', {"type": to_text(automember_type)}]) if rebuild_users: commands.append([None, 'automember_rebuild', {"users": [ to_text(_u) for _u in rebuild_users]}]) if rebuild_hosts: commands.append([None, 'automember_rebuild', {"hosts": [ to_text(_h) for _h in rebuild_hosts]}]) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) for name, command, args in commands: try: if name is None: result = api_command_no_name(ansible_module, command, args) else: result = api_command(ansible_module, command, to_text(name), args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # result["failed"] is used only for INCLUDE_RE, EXCLUDE_RE # if entries could not be added that are already there and # it entries could not be removed that are not there. # All other issues like invalid attributes etc. are handled # as exceptions. Therefore the error section is not here as # in other modules. except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)