def connect_to_api(module): """Connect to the IPA API.""" ipaadmin_principal = module_params_get(module, "ipaadmin_principal") ipaadmin_password = module_params_get(module, "ipaadmin_password") ccache_dir = None ccache_name = None if not valid_creds(module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() return ccache_dir, ccache_name
def verify_credentials(module): """Ensure there are valid Kerberos credentials.""" ccache_dir = None ccache_name = None ipaadmin_principal = module_params_get(module, "ipaadmin_principal") ipaadmin_password = module_params_get(module, "ipaadmin_password") if not valid_creds(module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) return (ccache_dir, ccache_name)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["sudocmd"], default=None, required=True), # present description=dict(type="str", default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # state state = ansible_module.params.get("state") # Check parameters if state == "absent": invalid = ["description"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure hostgroup exists res_find = find_sudocmd(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description) if res_find is not None: # For all settings in args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudocmd_mod", args]) else: commands.append([name, "sudocmd_add", args]) # Set res_find to empty dict for next step res_find = {} elif state == "absent": if res_find is not None: commands.append([name, "sudocmd_del", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, to_text(name), args) # Check if any changes were made by any command if command == 'sudocmd_del': changed |= "Deleted" in result['summary'] elif command == 'sudocmd_add': changed |= "Added" in result['summary'] except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), inclusive=dict(type="list", aliases=["automemberinclusiveregex"], default=None), exclusive=dict(type="list", aliases=["automemberexclusiveregex"], default=None), name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(type="str", default=None), automember_type=dict(type='str', required=False, choices=['group', 'hostgroup']), action=dict(type="str", default="service", choices=["member", "service"]), state=dict(type="str", default="present", choices=["present", "absent", "rebuild"]), users=dict(type="list", default=None), hosts=dict(type="list", default=None), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # conditions inclusive = ansible_module.params.get("inclusive") exclusive = ansible_module.params.get("exclusive") # action action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # grouping/type automember_type = ansible_module.params.get("automember_type") rebuild_users = ansible_module.params.get("users") rebuild_hosts = ansible_module.params.get("hosts") if (rebuild_hosts or rebuild_users) and state != "rebuild": ansible_module.fail_json( msg="'hosts' and 'users' are only valid with state: rebuild") if not automember_type and state != "rebuild": ansible_module.fail_json( msg="'automember_type' is required unless state: rebuild") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None res_find = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure automember rule exists res_find = find_automember(ansible_module, name, automember_type) # Create command if state == 'present': args = gen_args(description, automember_type) if action == "service": if res_find is not None: if not compare_args_ipa( ansible_module, args, res_find, ignore=['type']): commands.append([name, 'automember_mod', args]) else: commands.append([name, 'automember_add', args]) res_find = {} inclusive_add, inclusive_del = gen_add_del_lists( transform_conditions(inclusive or []), res_find.get("automemberinclusiveregex", [])) exclusive_add, exclusive_del = gen_add_del_lists( transform_conditions(exclusive or []), res_find.get("automemberexclusiveregex", [])) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) inclusive_add = transform_conditions(inclusive or []) inclusive_del = [] exclusive_add = transform_conditions(exclusive or []) exclusive_del = [] for _inclusive in inclusive_add: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args(automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_add_condition', condition_args]) for _inclusive in inclusive_del: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args(automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) for _exclusive in exclusive_add: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args(automember_type, key, exclusiveregex=regex) commands.append( [name, 'automember_add_condition', condition_args]) for _exclusive in exclusive_del: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args(automember_type, key, exclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) elif state == 'absent': if action == "service": if res_find is not None: commands.append([ name, 'automember_del', { 'type': to_text(automember_type) } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) if inclusive is not None: for _inclusive in transform_conditions(inclusive): key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([ name, 'automember_remove_condition', condition_args ]) if exclusive is not None: for _exclusive in transform_conditions(exclusive): key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([ name, 'automember_remove_condition', condition_args ]) elif state == "rebuild": if automember_type: commands.append([ None, 'automember_rebuild', { "type": to_text(automember_type) } ]) if rebuild_users: commands.append([ None, 'automember_rebuild', { "users": [to_text(_u) for _u in rebuild_users] } ]) if rebuild_hosts: commands.append([ None, 'automember_rebuild', { "hosts": [to_text(_h) for _h in rebuild_hosts] } ]) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) errors = [] for name, command, args in commands: try: if name is None: result = api_command_no_name(ansible_module, command, args) else: result = api_command(ansible_module, command, to_text(name), args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # Get all errors if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), forwarders=dict(type="list", default=None, required=False, aliases=["idnsforwarders"], elements='dict', options=dict( ip_address=dict(type='str', required=True), port=dict(type='int', required=False, default=None), )), forwardpolicy=dict(type='str', aliases=["idnsforwardpolicy"], required=False, choices=['only', 'first', 'none']), skip_overlap_check=dict(type='bool', required=False), permission=dict(type='bool', required=False, aliases=['managedby']), action=dict(type="str", default="dnsforwardzone", choices=["member", "dnsforwardzone"]), # state state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") action = module_params_get(ansible_module, "action") forwarders = forwarder_list(module_params_get(ansible_module, "forwarders")) forwardpolicy = module_params_get(ansible_module, "forwardpolicy") skip_overlap_check = module_params_get(ansible_module, "skip_overlap_check") permission = module_params_get(ansible_module, "permission") state = module_params_get(ansible_module, "state") if state == 'present' and len(names) != 1: ansible_module.fail_json( msg="Only one dnsforwardzone can be added at a time.") if state == 'absent' and len(names) < 1: ansible_module.fail_json(msg="No name given.") # absent stae means delete if the action is NOT member but update if it is # if action is member then update an exisiting resource # and if action is not member then create a resource if state == "absent" and action == "dnsforwardzone": operation = "del" elif action == "member": operation = "update" else: operation = "add" if state in ["enabled", "disabled"]: if action == "member": ansible_module.fail_json( msg="Action `member` cannot be used with state `%s`" % (state)) invalid = [ "forwarders", "forwardpolicy", "skip_overlap_check", "permission" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s', state `%s`" % (x, action, state)) wants_enable = (state == "enabled") if operation == "del": invalid = [ "forwarders", "forwardpolicy", "skip_overlap_check", "permission" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s', state `%s`" % (x, action, state)) changed = False exit_args = {} args = {} ccache_dir = None ccache_name = None is_enabled = "IGNORE" try: # we need to determine 3 variables # args = the values we want to change/set # command = the ipa api command to call del, add, or mod # is_enabled = is the current resource enabled (True) # disabled (False) and do we care (IGNORE) if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() for name in names: commands = [] command = None # Make sure forwardzone exists existing_resource = find_dnsforwardzone(ansible_module, name) # validate parameters if state == 'present': if existing_resource is None and not forwarders: ansible_module.fail_json(msg='No forwarders specified.') if existing_resource is None: if operation == "add": # does not exist but should be present # determine args args = gen_args(forwarders, forwardpolicy, skip_overlap_check) # set command command = "dnsforwardzone_add" # enabled or disabled? elif operation == "update": # does not exist and is updating # trying to update something that doesn't exist, so error ansible_module.fail_json( msg="dnsforwardzone '%s' not found." % (name)) elif operation == "del": # there's nothnig to do. continue else: # existing_resource is not None if state != "absent": if forwarders: forwarders = list( set(existing_resource["idnsforwarders"] + forwarders)) else: if forwarders: forwarders = list( set(existing_resource["idnsforwarders"]) - set(forwarders)) if operation == "add": # exists and should be present, has it changed? # determine args args = gen_args(forwarders, forwardpolicy, skip_overlap_check) if 'skip_overlap_check' in args: del args['skip_overlap_check'] # set command if not compare_args_ipa(ansible_module, args, existing_resource): command = "dnsforwardzone_mod" elif operation == "del": # exists but should be absent # set command command = "dnsforwardzone_del" args = {} elif operation == "update": # exists and is updating # calculate the new forwarders and mod args = gen_args(forwarders, forwardpolicy, skip_overlap_check) if "skip_overlap_check" in args: del args['skip_overlap_check'] # command if not compare_args_ipa(ansible_module, args, existing_resource): command = "dnsforwardzone_mod" if state in ['enabled', 'disabled']: if existing_resource is not None: is_enabled = existing_resource["idnszoneactive"][0] else: ansible_module.fail_json( msg="dnsforwardzone '%s' not found." % (name)) # does the enabled state match what we want (if we care) if is_enabled != "IGNORE": if wants_enable and is_enabled != "TRUE": commands.append([name, "dnsforwardzone_enable", {}]) elif not wants_enable and is_enabled != "FALSE": commands.append([name, "dnsforwardzone_disable", {}]) # if command is set... if command is not None: commands.append([name, command, args]) if permission is not None: if existing_resource is None: managedby = None else: managedby = existing_resource.get('managedby', None) if permission and managedby is None: commands.append( [name, 'dnsforwardzone_add_permission', {}]) elif not permission and managedby is not None: commands.append( [name, 'dnsforwardzone_remove_permission', {}]) for name, command, args in commands: api_command(ansible_module, command, name, args) changed = True except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, dnsforwardzone=exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), membermanager_user=dict(required=False, type='list', default=None), membermanager_group=dict(required=False, type='list', default=None), rename=dict(required=False, type='str', default=None, aliases=["new_name"]), action=dict(type="str", default="hostgroup", choices=["member", "hostgroup"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") nomembers = module_params_get(ansible_module, "nomembers") host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") membermanager_user = module_params_get(ansible_module, "membermanager_user") membermanager_group = module_params_get(ansible_module, "membermanager_group") rename = module_params_get(ansible_module, "rename") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hostgroup can be added at a time.") invalid = ["rename"] if action == "member": invalid.extend(["description", "nomembers"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one hostgroup can be added at a time.") if action == "member": ansible_module.fail_json( msg="Action '%s' can not be used with state '%s'" % (action, state)) invalid = [ "description", "nomembers", "host", "hostgroup", "membermanager_user", "membermanager_group" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "nomembers", "rename"] if action == "hostgroup": invalid.extend(["host", "hostgroup"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_membermanager = api_check_command( "hostgroup_add_member_manager") if ((membermanager_user is not None or membermanager_group is not None) and not has_add_membermanager): ansible_module.fail_json( msg="Managing a membermanager user or group is not supported " "by your IPA version") has_mod_rename = api_check_param("hostgroup_mod", "rename") if not has_mod_rename and rename is not None: ansible_module.fail_json( msg="Renaming hostgroups is not supported by your IPA version") commands = [] for name in names: # Make sure hostgroup exists res_find = find_hostgroup(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, nomembers, rename) if action == "hostgroup": # Found the hostgroup if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hostgroup_mod", args]) else: commands.append([name, "hostgroup_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(host, hostgroup) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get("member_host")) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get("member_hostgroup")) # Add members if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([ name, "hostgroup_add_member", { "host": host_add, "hostgroup": hostgroup_add, } ]) # Remove members if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([ name, "hostgroup_remove_member", { "host": host_del, "hostgroup": hostgroup_del, } ]) membermanager_user_add, membermanager_user_del = \ gen_add_del_lists( membermanager_user, res_find.get("membermanager_user") ) membermanager_group_add, membermanager_group_del = \ gen_add_del_lists( membermanager_group, res_find.get("membermanager_group") ) if has_add_membermanager: # Add membermanager users and groups if len(membermanager_user_add) > 0 or \ len(membermanager_group_add) > 0: commands.append([ name, "hostgroup_add_member_manager", { "user": membermanager_user_add, "group": membermanager_group_add, } ]) # Remove member manager if len(membermanager_user_del) > 0 or \ len(membermanager_group_del) > 0: commands.append([ name, "hostgroup_remove_member_manager", { "user": membermanager_user_del, "group": membermanager_group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hostgroup '%s'" % name) # Ensure members are present commands.append([ name, "hostgroup_add_member", { "host": host, "hostgroup": hostgroup, } ]) if has_add_membermanager: # Add membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "hostgroup_add_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) elif state == "renamed": if res_find is not None: if rename != name: commands.append( [name, "hostgroup_mod", { "rename": rename }]) else: # If a hostgroup with the desired name exists, do nothing. new_find = find_hostgroup(ansible_module, rename) if new_find is None: # Fail only if the either hostsgroups do not exist. ansible_module.fail_json( msg="Attribute `rename` can not be used, unless " "hostgroup exists.") elif state == "absent": if action == "hostgroup": if res_find is not None: commands.append([name, "hostgroup_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hostgroup '%s'" % name) # Ensure members are absent commands.append([ name, "hostgroup_remove_member", { "host": host, "hostgroup": hostgroup, } ]) if has_add_membermanager: # Remove membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "hostgroup_remove_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present location=dict(required=False, type='str', aliases=["ipalocation_location"], default=None), service_weight=dict(required=False, type='int', aliases=["ipaserviceweight"], default=None), hidden=dict(required=False, type='bool', default=None), no_members=dict(required=False, type='bool', default=None), # absent delete_continue=dict(required=False, type='bool', aliases=["continue"], default=None), ignore_topology_disconnect=dict(required=False, type='bool', default=None), ignore_last_of_role=dict(required=False, type='bool', default=None), force=dict(required=False, type='bool', default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present location = module_params_get(ansible_module, "location") service_weight = module_params_get(ansible_module, "service_weight") # Service weight smaller than 0 leads to resetting service weight if service_weight is not None and \ (service_weight < -1 or service_weight > 65535): ansible_module.fail_json( msg="service_weight %d is out of range [-1 .. 65535]" % service_weight) if service_weight == -1: service_weight = "" hidden = module_params_get(ansible_module, "hidden") no_members = module_params_get(ansible_module, "no_members") # absent delete_continue = module_params_get(ansible_module, "delete_continue") ignore_topology_disconnect = module_params_get( ansible_module, "ignore_topology_disconnect") ignore_last_of_role = module_params_get(ansible_module, "ignore_last_of_role") force = module_params_get(ansible_module, "force") # state state = module_params_get(ansible_module, "state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one server can be ensured at a time.") invalid = ["delete_continue", "ignore_topology_disconnect", "ignore_last_of_role", "force"] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["location", "service_weight", "hidden", "no_members"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure server exists res_find = find_server(ansible_module, name) # Generate args args = gen_args(location, service_weight, no_members, delete_continue, ignore_topology_disconnect, ignore_last_of_role, force) # Create command if state == "present": # Server not found if res_find is None: ansible_module.fail_json( msg="Server '%s' not found" % name) # Remove location from args if "" (transformed to None) # and "ipalocation_location" not in res_find for idempotency if "ipalocation_location" in args and \ args["ipalocation_location"] is None and \ "ipalocation_location" not in res_find: del args["ipalocation_location"] # Remove service weight from args if "" # and "ipaserviceweight" not in res_find for idempotency if "ipaserviceweight" in args and \ args["ipaserviceweight"] == "" and \ "ipaserviceweight" not in res_find: del args["ipaserviceweight"] # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "server_mod", args]) # hidden handling if hidden is not None: res_role_status = server_role_status(ansible_module, name) if "status" in res_role_status: # Fail if status is configured, it should be done # only in the installer if res_role_status["status"] == "configured": ansible_module.fail_json( msg="'%s' in configured state, " "unable to change state" % state) if hidden and res_role_status["status"] == "enabled": commands.append([name, "server_state", {"state": "hidden"}]) if not hidden and \ res_role_status["status"] == "hidden": commands.append([name, "server_state", {"state": "enabled"}]) elif state == "absent": if res_find is not None or force: commands.append([name, "server_del", args]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn", "service"], default=None, required=True), # present description=dict(type="str", default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # state state = ansible_module.params.get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hbacsvc can be set at a time.") if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Try to find hbacsvc res_find = find_hbacsvc(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description) # Found the hbacsvc if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hbacsvc_mod", args]) else: commands.append([name, "hbacsvc_add", args]) elif state == "absent": if res_find is not None: commands.append([name, "hbacsvc_del", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: api_command(ansible_module, command, to_text(name), args) changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), inclusive=dict(type="list", aliases=["automemberinclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), exclusive=dict(type="list", aliases=[ "automemberexclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(type="str", default=None), automember_type=dict(type='str', required=False, choices=['group', 'hostgroup']), action=dict(type="str", default="automember", choices=["member", "automember"]), state=dict(type="str", default="present", choices=["present", "absent", "rebuild"]), users=dict(type="list", default=None), hosts=dict(type="list", default=None), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # conditions inclusive = ansible_module.params.get("inclusive") exclusive = ansible_module.params.get("exclusive") # action action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # grouping/type automember_type = ansible_module.params.get("automember_type") rebuild_users = ansible_module.params.get("users") rebuild_hosts = ansible_module.params.get("hosts") if (rebuild_hosts or rebuild_users) and state != "rebuild": ansible_module.fail_json( msg="'hosts' and 'users' are only valid with state: rebuild") if not automember_type and state != "rebuild": ansible_module.fail_json( msg="'automember_type' is required unless state: rebuild") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None res_find = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure automember rule exists res_find = find_automember(ansible_module, name, automember_type) # Check inclusive and exclusive conditions if inclusive is not None or exclusive is not None: # automember_type is either "group" or "hostgorup" if automember_type == "group": _type = "user" elif automember_type == "hostgroup": _type = "host" else: ansible_module.fail_json( msg="Bad automember type '%s'" % automember_type) try: aciattrs = api_command( ansible_module, "json_metadata", to_text(_type), {} )['objects'][_type]['aciattrs'] except Exception as ex: ansible_module.fail_json( msg="%s: %s: %s" % ("json_metadata", _type, str(ex))) check_condition_keys(ansible_module, inclusive, aciattrs) check_condition_keys(ansible_module, exclusive, aciattrs) # Create command if state == 'present': args = gen_args(description, automember_type) if action == "automember": if res_find is not None: if not compare_args_ipa(ansible_module, args, res_find, ignore=['type']): commands.append([name, 'automember_mod', args]) else: commands.append([name, 'automember_add', args]) res_find = {} inclusive_add, inclusive_del = gen_add_del_lists( transform_conditions(inclusive or []), res_find.get("automemberinclusiveregex", []) ) exclusive_add, exclusive_del = gen_add_del_lists( transform_conditions(exclusive or []), res_find.get("automemberexclusiveregex", []) ) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) inclusive_add = transform_conditions(inclusive or []) inclusive_del = [] exclusive_add = transform_conditions(exclusive or []) exclusive_del = [] for _inclusive in inclusive_add: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _inclusive in inclusive_del: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) for _exclusive in exclusive_add: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _exclusive in exclusive_del: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) elif state == 'absent': if action == "automember": if res_find is not None: commands.append([name, 'automember_del', {'type': to_text(automember_type)}]) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) if inclusive is not None: for _inclusive in transform_conditions(inclusive): key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) if exclusive is not None: for _exclusive in transform_conditions(exclusive): key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) elif state == "rebuild": if automember_type: commands.append([None, 'automember_rebuild', {"type": to_text(automember_type)}]) if rebuild_users: commands.append([None, 'automember_rebuild', {"users": [ to_text(_u) for _u in rebuild_users]}]) if rebuild_hosts: commands.append([None, 'automember_rebuild', {"hosts": [ to_text(_h) for _h in rebuild_hosts]}]) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) for name, command, args in commands: try: if name is None: result = api_command_no_name(ansible_module, command, args) else: result = api_command(ansible_module, command, to_text(name), args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # result["failed"] is used only for INCLUDE_RE, EXCLUDE_RE # if entries could not be added that are already there and # it entries could not be removed that are not there. # All other issues like invalid attributes etc. are handled # as exceptions. Therefore the error section is not here as # in other modules. except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(required=False, type='str', default=None), rename=dict( required=False, type='str', default=None, aliases=["new_name"], ), permission=dict(required=False, type='list', default=None), action=dict(type="str", default="privilege", choices=["member", "privilege"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") permission = module_params_get(ansible_module, "permission") rename = module_params_get(ansible_module, "rename") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one privilege be added at a time.") if action == "member": invalid = ["description"] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "rename"] if action == "privilege": invalid.append("permission") if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one privilege be added at a time.") invalid = ["description", "permission"] if action != "privilege": ansible_module.fail_json( msg="Action '%s' can not be used with state '%s'" % (action, state)) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure privilege exists res_find = find_privilege(ansible_module, name) # Create command if state == "present": args = {} if description: args['description'] = description if action == "privilege": # Found the privilege if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "privilege_mod", args]) else: commands.append([name, "privilege_add", args]) member_args = {} if permission: member_args['permission'] = permission if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists permission_add, permission_del = gen_add_del_lists( permission, res_find.get("member_permission")) # Add members if len(permission_add) > 0: commands.append([ name, "privilege_add_permission", { "permission": permission_add, } ]) # Remove members if len(permission_del) > 0: commands.append([ name, "privilege_remove_permission", { "permission": permission_del } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No privilege '%s'" % name) if permission is None: ansible_module.fail_json(msg="No permission given") commands.append([ name, "privilege_add_permission", { "permission": permission } ]) elif state == "absent": if action == "privilege": if res_find is not None: commands.append([name, "privilege_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No privilege '%s'" % name) if permission is None: ansible_module.fail_json(msg="No permission given") commands.append([ name, "privilege_remove_permission", { "permission": permission, } ]) elif state == "renamed": if not rename: ansible_module.fail_json(msg="No rename value given.") if res_find is None: ansible_module.fail_json( msg="No privilege found to be renamed: '%s'" % (name)) if name != rename: commands.append( [name, "privilege_mod", { "rename": rename }]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", no_log=True), name=dict(type="list", aliases=["fqdn"], default=None, required=True), # present description=dict(type="str", default=None), locality=dict(type="str", default=None), location=dict(type="str", aliases=["ns_host_location"], default=None), platform=dict(type="str", aliases=["ns_hardware_platform"], default=None), os=dict(type="str", aliases=["ns_os_version"], default=None), password=dict(type="str", aliases=["user_password", "userpassword"], default=None, no_log=True), random=dict(type="bool", aliases=["random_password"], default=None), # certificate (usercertificate) mac_address=dict(type="list", aliases=["macaddress"], default=None), # sshpubkey=dict(type="str", aliases=["ipasshpubkey"], # default=None), # class # auth_ind # requires_pre_auth # ok_as_delegate # ok_to_auth_as_delegate force=dict(type='bool', default=None), reverse=dict(type='bool', default=True), ip_address=dict(type="str", aliases=["ipaddress"], default=None), # no_members # for update: # krbprincipalname update_dns=dict(type="bool", aliases=["updatedns"], default=None), update_password=dict(type='str', default=None, choices=['always', 'on_create']), # absent # continue # disabled # state state=dict(type="str", default="present", choices=["present", "absent", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") locality = ansible_module.params.get("locality") location = ansible_module.params.get("location") platform = ansible_module.params.get("platform") os = ansible_module.params.get("os") password = ansible_module.params.get("password") random = ansible_module.params.get("random") mac_address = ansible_module.params.get("mac_address") force = ansible_module.params.get("force") reverse = ansible_module.params.get("reverse") ip_address = ansible_module.params.get("ip_address") update_dns = ansible_module.params.get("update_dns") update_password = ansible_module.params.get("update_password") # absent # disabled # state state = ansible_module.params.get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one host can be added at a time.") if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") for x in [ "description", "password", "random", "mac_address", "force", "ip_address", "update_password" ]: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) if update_password is None: update_password = "******" # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure host exists res_find = find_host(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, force, locality, location, platform, os, password, random, mac_address, ip_address, update_dns, reverse) # Found the host if res_find is not None: # Ignore password with update_password == on_create if update_password == "on_create" and \ "userpassword" in args: del args["userpassword"] # Ignore force, ip_address and no_reverse for mod for x in ["force", "ip_address", "no_reverse"]: if x in args: del args[x] # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "host_mod", args]) else: commands.append([name, "host_add", args]) elif state == "absent": if res_find is not None: commands.append([name, "host_del", {}]) elif state == "disabled": if res_find is not None: res_show = show_host(ansible_module, name) if res_show["has_keytab"]: commands.append([name, "host_disable", {}]) else: raise ValueError("No host '%s'" % name) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: api_command(ansible_module, command, to_text(name), args) changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), realm=dict(type="str", default=None, required=True), # state state=dict(type="str", default="present", choices=["present", "absent"]), # present trust_type=dict(type="str", default="ad", required=False), admin=dict(type="str", default=None, required=False), password=dict(type="str", default=None, required=False, no_log=True), server=dict(type="str", default=None, required=False), trust_secret=dict(type="str", default=None, required=False, no_log=True), base_id=dict(type="int", default=None, required=False), range_size=dict(type="int", default=200000, required=False), range_type=dict(type="str", default="ipa-ad-trust", required=False, choices=["ipa-ad-trust-posix", "ipa-ad-trust"]), two_way=dict(type="bool", default=False, required=False), external=dict(type="bool", default=False, required=False), ), mutually_exclusive=[["trust_secret", "admin"]], required_together=[["admin", "password"]], supports_check_mode=True) ansible_module._ansible_debug = True # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") realm = module_params_get(ansible_module, "realm") # state state = module_params_get(ansible_module, "state") # trust trust_type = module_params_get(ansible_module, "trust_type") admin = module_params_get(ansible_module, "admin") password = module_params_get(ansible_module, "password") server = module_params_get(ansible_module, "server") trust_secret = module_params_get(ansible_module, "trust_secret") base_id = module_params_get(ansible_module, "base_id") range_size = module_params_get(ansible_module, "range_size") range_type = module_params_get(ansible_module, "range_type") two_way = module_params_get(ansible_module, "two_way") external = module_params_get(ansible_module, "external") changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() res_find = find_trust(ansible_module, realm) if state == "absent": if res_find is not None: if not ansible_module.check_mode: del_trust(ansible_module, realm) changed = True elif res_find is None: if admin is None and trust_secret is None: ansible_module.fail_json( msg="one of admin or trust_secret is required when state " "is present") else: args = gen_args(trust_type, admin, password, server, trust_secret, base_id, range_size, range_type, two_way, external) if not ansible_module.check_mode: add_trust(ansible_module, realm, args) changed = True except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), maxusername=dict(type="int", required=False, aliases=['ipamaxusernamelength']), maxhostname=dict(type="int", required=False, aliases=['ipamaxhostnamelength']), homedirectory=dict(type="str", required=False, aliases=['ipahomesrootdir']), defaultshell=dict(type="str", required=False, aliases=['ipadefaultloginshell', 'loginshell']), defaultgroup=dict(type="str", required=False, aliases=['ipadefaultprimarygroup']), emaildomain=dict(type="str", required=False, aliases=['ipadefaultemaildomain']), searchtimelimit=dict(type="int", required=False, aliases=['ipasearchtimelimit']), searchrecordslimit=dict(type="int", required=False, aliases=['ipasearchrecordslimit']), usersearch=dict(type="list", required=False, aliases=['ipausersearchfields']), groupsearch=dict(type="list", required=False, aliases=['ipagroupsearchfields']), enable_migration=dict(type="bool", required=False, aliases=['ipamigrationenabled']), groupobjectclasses=dict(type="list", required=False, aliases=['ipagroupobjectclasses']), userobjectclasses=dict(type="list", required=False, aliases=['ipauserobjectclasses']), pwdexpnotify=dict(type="int", required=False, aliases=['ipapwdexpadvnotify']), configstring=dict(type="list", required=False, aliases=['ipaconfigstring'], choices=[ "AllowNThash", "KDC:Disable Last Success", "KDC:Disable Lockout", "KDC:Disable Default Preauth for SPNs", "" ]), # noqa E128 selinuxusermaporder=dict(type="list", required=False, aliases=['ipaselinuxusermaporder']), selinuxusermapdefault=dict(type="str", required=False, aliases=['ipaselinuxusermapdefault']), pac_type=dict(type="list", required=False, aliases=["ipakrbauthzdata"], choices=["MS-PAC", "PAD", "nfs:NONE", ""]), user_auth_type=dict( type="list", required=False, choices=["password", "radius", "otp", "disabled", ""], aliases=["ipauserauthtype"]), ca_renewal_master_server=dict(type="str", required=False), domain_resolution_order=dict(type="list", required=False, aliases=["ipadomainresolutionorder" ])), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") field_map = { "maxusername": "******", "maxhostname": "ipamaxhostnamelength", "homedirectory": "ipahomesrootdir", "defaultshell": "ipadefaultloginshell", "defaultgroup": "ipadefaultprimarygroup", "emaildomain": "ipadefaultemaildomain", "searchtimelimit": "ipasearchtimelimit", "searchrecordslimit": "ipasearchrecordslimit", "usersearch": "ipausersearchfields", "groupsearch": "ipagroupsearchfields", "enable_migration": "ipamigrationenabled", "groupobjectclasses": "ipagroupobjectclasses", "userobjectclasses": "ipauserobjectclasses", "pwdexpnotify": "ipapwdexpadvnotify", "configstring": "ipaconfigstring", "selinuxusermaporder": "ipaselinuxusermaporder", "selinuxusermapdefault": "ipaselinuxusermapdefault", "pac_type": "ipakrbauthzdata", "user_auth_type": "ipauserauthtype", "ca_renewal_master_server": "ca_renewal_master_server", "domain_resolution_order": "ipadomainresolutionorder" } reverse_field_map = {v: k for k, v in field_map.items()} params = {} for x in field_map.keys(): val = module_params_get(ansible_module, x) if val is not None: params[field_map.get(x, x)] = val if params.get("ipamigrationenabled") is not None: params["ipamigrationenabled"] = \ str(params["ipamigrationenabled"]).upper() if params.get("ipaselinuxusermaporder", None): params["ipaselinuxusermaporder"] = \ "$".join(params["ipaselinuxusermaporder"]) if params.get("ipadomainresolutionorder", None): params["ipadomainresolutionorder"] = \ ":".join(params["ipadomainresolutionorder"]) if params.get("ipausersearchfields", None): params["ipausersearchfields"] = \ ",".join(params["ipausersearchfields"]) if params.get("ipagroupsearchfields", None): params["ipagroupsearchfields"] = \ ",".join(params["ipagroupsearchfields"]) # verify limits on INT values. args_with_limits = [ ("ipamaxusernamelength", 1, 255), ("ipamaxhostnamelength", 64, 255), ("ipasearchtimelimit", -1, 2147483647), ("ipasearchrecordslimit", -1, 2147483647), ("ipapwdexpadvnotify", 0, 2147483647), ] for arg, min, max in args_with_limits: if arg in params and (params[arg] > max or params[arg] < min): ansible_module.fail_json( msg="Argument '%s' must be between %d and %d." % (arg, min, max)) changed = False exit_args = {} ccache_dir = None ccache_name = None res_show = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() if params: res_show = config_show(ansible_module) params = { k: v for k, v in params.items() if k not in res_show or res_show[k] != v } if params \ and not compare_args_ipa(ansible_module, params, res_show): changed = True if not ansible_module.check_mode: api_command_no_name(ansible_module, "config_mod", params) else: rawresult = api_command_no_name(ansible_module, "config_show", {}) result = rawresult['result'] del result['dn'] for key, v in result.items(): k = reverse_field_map.get(key, key) if ansible_module.argument_spec.get(k): if k == 'ipaselinuxusermaporder': exit_args['ipaselinuxusermaporder'] = \ result.get(key)[0].split('$') elif k == 'domain_resolution_order': exit_args['domain_resolution_order'] = \ result.get(key)[0].split('$') elif k == 'usersearch': exit_args['usersearch'] = \ result.get(key)[0].split(',') elif k == 'groupsearch': exit_args['groupsearch'] = \ result.get(key)[0].split(',') elif isinstance(v, str) and \ ansible_module.argument_spec[k]['type'] == "list": exit_args[k] = [v] elif isinstance(v, list) and \ ansible_module.argument_spec[k]['type'] == "str": exit_args[k] = ",".join(v) elif isinstance(v, list) and \ ansible_module.argument_spec[k]['type'] == "int": exit_args[k] = ",".join(v) elif isinstance(v, list) and \ ansible_module.argument_spec[k]['type'] == "bool": exit_args[k] = (v[0] == "TRUE") else: exit_args[k] = v except ipalib.errors.EmptyModlist: changed = False except Exception as e: ansible_module.fail_json(msg="%s %s" % (params, str(e))) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, config=exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), nonposix=dict(required=False, type='bool', default=None), external=dict(required=False, type='bool', default=None), nomembers=dict(required=False, type='bool', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), service=dict(required=False, type='list', default=None), action=dict(type="str", default="group", choices=["member", "group"]), # state state=dict(type="str", default="present", choices=[ "present", "absent", "member_present", "member_absent" ]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") gid = ansible_module.params.get("gid") nonposix = ansible_module.params.get("nonposix") external = ansible_module.params.get("external") nomembers = ansible_module.params.get("nomembers") user = ansible_module.params.get("user") group = ansible_module.params.get("group") service = ansible_module.params.get("service") action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Onle one group can be added at a time.") if action == "member": invalid = [ "description", "gid", "nonposix", "external", "nomembers" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "gid", "nonposix", "external", "nomembers"] if action == "group": invalid.extend(["user", "group", "service"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure group exists res_find = find_group(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, gid, nonposix, external, nomembers) if action == "group": # Found the group if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "group_mod", args]) else: commands.append([name, "group_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(user, group, service) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists user_add = list( set(user or []) - set(res_find.get("member_user", []))) user_del = list( set(res_find.get("member_user", [])) - set(user or [])) group_add = list( set(group or []) - set(res_find.get("member_group", []))) group_del = list( set(res_find.get("member_group", [])) - set(group or [])) service_add = list( set(service or []) - set(res_find.get("member_service", []))) service_del = list( set(res_find.get("member_service", [])) - set(service or [])) # Add members if len(user_add) > 0 or len(group_add) > 0 or \ len(service_add) > 0: commands.append([ name, "group_add_member", { "user": user_add, "group": group_add, "service": service_add, } ]) # Remove members if len(user_del) > 0 or len(group_del) > 0 or \ len(service_del) > 0: commands.append([ name, "group_remove_member", { "user": user_del, "group": group_del, "service": service_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) user_add = list( set(user or []) - set(res_find.get("member_user", []))) group_add = list( set(group or []) - set(res_find.get("member_group", []))) service_add = list( set(service or []) - set(res_find.get("member_service", []))) # Add members if len(user_add) > 0 or len(group_add) > 0 or \ len(service_add) > 0: commands.append([ name, "group_add_member", { "user": user, "group": group, "service": service, } ]) elif state == "absent": if action == "group": if res_find is not None: commands.append([name, "group_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) # Remove intersection member user_del = list( set(user or []) & set(res_find.get("member_user", []))) group_del = list( set(group or []) & set(res_find.get("member_group", []))) service_del = list( set(service or []) & set(res_find.get("member_service", []))) # Remove members if len(user_del) > 0 or len(group_del) > 0 or \ len(service_del) > 0: commands.append([ name, "group_remove_member", { "user": user, "group": group, "service": service, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: api_command(ansible_module, command, to_text(name), args) changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["login"], default=None, required=True), # present first=dict(type="str", aliases=["givenname"], default=None), last=dict(type="str", default=None), fullname=dict(type="str", aliases=["cn"], default=None), displayname=dict(type="str", default=None), homedir=dict(type="str", default=None), shell=dict(type="str", aliases=["loginshell"], default=None), email=dict(type="list", default=None), principalname=dict(type="str", aliases=["krbprincipalname"], default=None), passwordexpiration=dict(type="str", aliases=["krbpasswordexpiration"], default=None), password=dict(type="str", default=None, no_log=True), uid=dict(type="int", aliases=["uidnumber"], default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), phone=dict(type="list", aliases=["telephonenumber"], default=None), title=dict(type="str", default=None), # sshpubkey=dict(type="list", aliases=["ipasshpubkey"], # default=None), update_password=dict(type='str', default=None, choices=['always', 'on_create']), # deleted preserve=dict(required=False, type='bool', default=None), # state state=dict(type="str", default="present", choices=[ "present", "absent", "enabled", "disabled", "unlocked", "undeleted" ]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present first = ansible_module.params.get("first") last = ansible_module.params.get("last") fullname = ansible_module.params.get("fullname") displayname = ansible_module.params.get("displayname") homedir = ansible_module.params.get("homedir") shell = ansible_module.params.get("shell") emails = ansible_module.params.get("email") principalname = ansible_module.params.get("principalname") passwordexpiration = ansible_module.params.get("passwordexpiration") if passwordexpiration is not None: if passwordexpiration[:-1] != "Z": passwordexpiration = "%sZ" % passwordexpiration passwordexpiration = date_format(passwordexpiration) password = ansible_module.params.get("password") uid = ansible_module.params.get("uid") gid = ansible_module.params.get("gid") phones = ansible_module.params.get("phone") title = ansible_module.params.get("title") sshpubkey = ansible_module.params.get("sshpubkey") update_password = ansible_module.params.get("update_password") # deleted preserve = ansible_module.params.get("preserve") # state state = ansible_module.params.get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one user can be added at a time.") if first is None: ansible_module.fail_json(msg="First name is needed") if last is None: ansible_module.fail_json(msg="Last name is needed") if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") for x in [ "first", "last", "fullname", "displayname", "homedir", "shell", "emails", "principalname", "passwordexpiration", "password", "uid", "gid", "phones", "title", "sshpubkey", "update_password" ]: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) else: if preserve is not None: ansible_module.fail_json( msg="Preserve is only possible for state=absent") if update_password is None: update_password = "******" # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure user exists res_find = find_user(ansible_module, name) # Also search for preserved user res_find_preserved = find_user(ansible_module, name, preserved=True) # Create command if state == "present": # Generate args args = gen_args(first, last, fullname, displayname, homedir, shell, emails, principalname, passwordexpiration, password, uid, gid, phones, title, sshpubkey) # Also check preserved users if res_find is None and res_find_preserved is not None: res_find = res_find_preserved # Found the user if res_find is not None: # Ignore password with update_password == on_create if update_password == "on_create" and \ "userpassword" in args: del args["userpassword"] # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "user_mod", args]) else: commands.append([name, "user_add", args]) elif state == "absent": # Also check preserved users if res_find is None and res_find_preserved is not None: res_find = res_find_preserved if res_find is not None: args = {} if preserve is not None: args["preserve"] = preserve commands.append([name, "user_del", args]) elif state == "undeleted": if res_find_preserved is not None: commands.append([name, "user_undel", {}]) else: raise ValueError("No preserved user '%s'" % name) elif state == "enabled": if res_find is not None: if res_find["nsaccountlock"]: commands.append([name, "user_enable", {}]) else: raise ValueError("No disabled user '%s'" % name) elif state == "disabled": if res_find is not None: if not res_find["nsaccountlock"]: commands.append([name, "user_disable", {}]) else: raise ValueError("No user '%s'" % name) elif state == "unlocked": if res_find is not None: commands.append([name, "user_unlock", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: api_command(ansible_module, command, to_text(name), args) changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), nonposix=dict(required=False, type='bool', default=None), external=dict(required=False, type='bool', default=None), nomembers=dict(required=False, type='bool', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), service=dict(required=False, type='list', default=None), action=dict(type="str", default="group", choices=["member", "group"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get( ansible_module, "ipaadmin_principal", ) ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") gid = module_params_get(ansible_module, "gid") nonposix = module_params_get(ansible_module, "nonposix") external = module_params_get(ansible_module, "external") nomembers = module_params_get(ansible_module, "nomembers") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") service = module_params_get(ansible_module, "service") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one group can be added at a time.") if action == "member": invalid = [ "description", "gid", "nonposix", "external", "nomembers" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "gid", "nonposix", "external", "nomembers"] if action == "group": invalid.extend(["user", "group", "service"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_member_service = api_check_param("group_add_member", "service") if service is not None and not has_add_member_service: ansible_module.fail_json( msg="Managing a service as part of a group is not supported " "by your IPA version") commands = [] for name in names: # Make sure group exists res_find = find_group(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, gid, nonposix, external, nomembers) if action == "group": # Found the group if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "group_mod", args]) else: commands.append([name, "group_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(user, group, service) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists user_add = list( set(user or []) - set(res_find.get("member_user", []))) user_del = list( set(res_find.get("member_user", [])) - set(user or [])) group_add = list( set(group or []) - set(res_find.get("member_group", []))) group_del = list( set(res_find.get("member_group", [])) - set(group or [])) service_add = list( set(service or []) - set(res_find.get("member_service", []))) service_del = list( set(res_find.get("member_service", [])) - set(service or [])) if has_add_member_service: # Add members if len(user_add) > 0 or len(group_add) > 0 or \ len(service_add) > 0: commands.append([ name, "group_add_member", { "user": user_add, "group": group_add, "service": service_add, } ]) # Remove members if len(user_del) > 0 or len(group_del) > 0 or \ len(service_del) > 0: commands.append([ name, "group_remove_member", { "user": user_del, "group": group_del, "service": service_del, } ]) else: # Add members if len(user_add) > 0 or len(group_add) > 0: commands.append([ name, "group_add_member", { "user": user_add, "group": group_add, } ]) # Remove members if len(user_del) > 0 or len(group_del) > 0: commands.append([ name, "group_remove_member", { "user": user_del, "group": group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) if has_add_member_service: commands.append([ name, "group_add_member", { "user": user, "group": group, "service": service, } ]) else: commands.append([ name, "group_add_member", { "user": user, "group": group, } ]) elif state == "absent": if action == "group": if res_find is not None: commands.append([name, "group_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) commands.append([ name, "group_remove_member", { "user": user, "group": group, "service": service, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( principal=dict(type="str", default="admin"), password=dict(type="str", required=False, no_log=True), suffix=dict(choices=["domain", "ca", "domain+ca"], required=True), name=dict(type="str", aliases=["cn"], default=None), left=dict(type="str", aliases=["leftnode"], default=None), right=dict(type="str", aliases=["rightnode"], default=None), direction=dict(type="str", default=None, choices=["left-to-right", "right-to-left"]), state=dict(type="str", default="present", choices=[ "present", "absent", "enabled", "disabled", "reinitialized", "checked" ]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters principal = ansible_module.params.get("principal") password = ansible_module.params.get("password") suffixes = ansible_module.params.get("suffix") name = ansible_module.params.get("name") left = ansible_module.params.get("left") right = ansible_module.params.get("right") direction = ansible_module.params.get("direction") state = ansible_module.params.get("state") # Check parameters if state != "reinitialized" and direction is not None: ansible_module.fail_json( msg="Direction is not supported in this mode.") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(principal): ccache_dir, ccache_name = temp_kinit(principal, password) api_connect() commands = [] for suffix in suffixes.split("+"): # Create command if state in ["present", "enabled"]: # Make sure topology segment exists if left is None or right is None: ansible_module.fail_json( msg="Left and right need to be set.") args = { "iparepltoposegmentleftnode": to_text(left), "iparepltoposegmentrightnode": to_text(right), } if name is not None: args["cn"] = to_text(name) res_left_right = find_left_right(ansible_module, suffix, left, right) if res_left_right is not None: if name is not None and \ res_left_right["cn"][0] != to_text(name): ansible_module.fail_json( msg="Left and right nodes already used with " "different name (cn) '%s'" % res_left_right["cn"]) # Left and right nodes and also the name can not be # changed for key in [ "iparepltoposegmentleftnode", "iparepltoposegmentrightnode" ]: if key in args: del args[key] if len(args) > 1: # cn needs to be in args always commands.append(["topologysegment_mod", args]) # else: Nothing to change else: if name is None: args["cn"] = to_text("%s-to-%s" % (left, right)) commands.append(["topologysegment_add", args]) elif state in ["absent", "disabled"]: # Make sure topology segment does not exist res_find = find_left_right_cn(ansible_module, suffix, left, right, name) if res_find is not None: # Found either given name or found name from left and right # node args = {"cn": res_find["cn"][0]} commands.append(["topologysegment_del", args]) elif state == "checked": # Check if topology segment does exists res_find = find_left_right_cn(ansible_module, suffix, left, right, name) if res_find is not None: # Found either given name or found name from left and right # node exit_args.setdefault("found", []).append(suffix) else: # Not found exit_args.setdefault("not-found", []).append(suffix) elif state == "reinitialized": # Reinitialize segment if direction not in ["left-to-right", "right-to-left"]: ansible_module.fail_json(msg="Unknown direction '%s'" % direction) res_find = find_left_right_cn(ansible_module, suffix, left, right, name) if res_find is not None: # Found either given name or found name from left and right # node args = {"cn": res_find["cn"][0]} if direction == "left-to-right": args["left"] = True elif direction == "right-to-left": args["right"] = True commands.append(["topologysegment_reinitialize", args]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute command for command, args in commands: result = api_command(ansible_module, command, to_text(suffix), args) changed = True except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(required=False, type="str", default=None), usercategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['usercat']), hostcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['hostcat']), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), allow_sudocmd=dict(required=False, type="list", default=None), deny_sudocmd=dict(required=False, type="list", default=None), allow_sudocmdgroup=dict(required=False, type="list", default=None), deny_sudocmdgroup=dict(required=False, type="list", default=None), cmdcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['cmdcat']), runasusercategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['runasusercat']), runasgroupcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['runasgroupcat']), runasuser=dict(required=False, type="list", default=None), runasgroup=dict(required=False, type="list", default=None), order=dict(type="int", required=False, aliases=['sudoorder']), sudooption=dict(required=False, type='list', default=None, aliases=["options"]), action=dict(type="str", default="sudorule", choices=["member", "sudorule"]), # state state=dict(type="str", default="present", choices=["present", "absent", "enabled", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present # The 'noqa' variables are not used here, but required for vars(). # The use of 'noqa' ensures flake8 does not complain about them. description = module_params_get(ansible_module, "description") # noqa cmdcategory = module_params_get(ansible_module, 'cmdcategory') # noqa usercategory = module_params_get(ansible_module, "usercategory") # noqa hostcategory = module_params_get(ansible_module, "hostcategory") # noqa runasusercategory = module_params_get(ansible_module, # noqa "runasusercategory") runasgroupcategory = module_params_get(ansible_module, # noqa "runasgroupcategory") hostcategory = module_params_get(ansible_module, "hostcategory") # noqa nomembers = module_params_get(ansible_module, "nomembers") # noqa host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd') allow_sudocmdgroup = module_params_get(ansible_module, 'allow_sudocmdgroup') deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd') deny_sudocmdgroup = module_params_get(ansible_module, 'deny_sudocmdgroup') sudooption = module_params_get(ansible_module, "sudooption") order = module_params_get(ansible_module, "order") runasuser = module_params_get(ansible_module, "runasuser") runasgroup = module_params_get(ansible_module, "runasgroup") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one sudorule can be added at a time.") if action == "member": invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "order", "nomembers"] for arg in invalid: if arg in vars() and vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (arg, action)) else: if hostcategory == 'all' and any([host, hostgroup]): ansible_module.fail_json( msg="Hosts cannot be added when host category='all'") if usercategory == 'all' and any([user, group]): ansible_module.fail_json( msg="Users cannot be added when user category='all'") if cmdcategory == 'all' \ and any([allow_sudocmd, allow_sudocmdgroup]): ansible_module.fail_json( msg="Commands cannot be added when command category='all'") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "order"] if action == "sudorule": invalid.extend(["host", "hostgroup", "user", "group", "runasuser", "runasgroup", "allow_sudocmd", "allow_sudocmdgroup", "deny_sudocmd", "deny_sudocmdgroup", "sudooption"]) for arg in invalid: if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (arg, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "member": ansible_module.fail_json( msg="Action member can not be used with states enabled and " "disabled") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "nomembers", "host", "hostgroup", "user", "group", "allow_sudocmd", "allow_sudocmdgroup", "deny_sudocmd", "deny_sudocmdgroup", "runasuser", "runasgroup", "order", "sudooption"] for arg in invalid: if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (arg, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure sudorule exists res_find = find_sudorule(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, usercategory, hostcategory, cmdcategory, runasusercategory, runasgroupcategory, order, nomembers) if action == "sudorule": # Found the sudorule if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudorule_mod", args]) else: commands.append([name, "sudorule_add", args]) # Set res_find to empty dict for next step res_find = {} # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get('memberhost_host', [])) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get('memberhost_hostgroup', [])) user_add, user_del = gen_add_del_lists( user, res_find.get('memberuser_user', [])) group_add, group_del = gen_add_del_lists( group, res_find.get('memberuser_group', [])) allow_cmd_add, allow_cmd_del = gen_add_del_lists( allow_sudocmd, res_find.get('memberallowcmd_sudocmd', [])) allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists( allow_sudocmdgroup, res_find.get('memberallowcmd_sudocmdgroup', [])) deny_cmd_add, deny_cmd_del = gen_add_del_lists( deny_sudocmd, res_find.get('memberdenycmd_sudocmd', [])) deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists( deny_sudocmdgroup, res_find.get('memberdenycmd_sudocmdgroup', [])) sudooption_add, sudooption_del = gen_add_del_lists( sudooption, res_find.get('ipasudoopt', [])) runasuser_add, runasuser_del = gen_add_del_lists( runasuser, res_find.get('ipasudorunas_user', [])) runasgroup_add, runasgroup_del = gen_add_del_lists( runasgroup, res_find.get('ipasudorunas_group', [])) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([name, "sudorule_add_host", { "host": host_add, "hostgroup": hostgroup_add, }]) # Remove hosts and hostgroups if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([name, "sudorule_remove_host", { "host": host_del, "hostgroup": hostgroup_del, }]) # Add users and groups if len(user_add) > 0 or len(group_add) > 0: commands.append([name, "sudorule_add_user", { "user": user_add, "group": group_add, }]) # Remove users and groups if len(user_del) > 0 or len(group_del) > 0: commands.append([name, "sudorule_remove_user", { "user": user_del, "group": group_del, }]) # Add commands allowed if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0: commands.append([name, "sudorule_add_allow_command", {"sudocmd": allow_cmd_add, "sudocmdgroup": allow_cmdgroup_add, }]) if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0: commands.append([name, "sudorule_remove_allow_command", {"sudocmd": allow_cmd_del, "sudocmdgroup": allow_cmdgroup_del }]) # Add commands denied if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0: commands.append([name, "sudorule_add_deny_command", {"sudocmd": deny_cmd_add, "sudocmdgroup": deny_cmdgroup_add, }]) if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0: commands.append([name, "sudorule_remove_deny_command", {"sudocmd": deny_cmd_del, "sudocmdgroup": deny_cmdgroup_del }]) # Add RunAS Users if len(runasuser_add) > 0: commands.append([name, "sudorule_add_runasuser", {"user": runasuser_add}]) # Remove RunAS Users if len(runasuser_del) > 0: commands.append([name, "sudorule_remove_runasuser", {"user": runasuser_del}]) # Add RunAS Groups if len(runasgroup_add) > 0: commands.append([name, "sudorule_add_runasgroup", {"group": runasgroup_add}]) # Remove RunAS Groups if len(runasgroup_del) > 0: commands.append([name, "sudorule_remove_runasgroup", {"group": runasgroup_del}]) # Add sudo options for sudoopt in sudooption_add: commands.append([name, "sudorule_add_option", {"ipasudoopt": sudoopt}]) # Remove sudo options for sudoopt in sudooption_del: commands.append([name, "sudorule_remove_option", {"ipasudoopt": sudoopt}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # Add hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "sudorule_add_host", { "host": host, "hostgroup": hostgroup, }]) # Add users and groups if user is not None or group is not None: commands.append([name, "sudorule_add_user", { "user": user, "group": group, }]) # Add commands if allow_sudocmd is not None \ or allow_sudocmdgroup is not None: commands.append([name, "sudorule_add_allow_command", {"sudocmd": allow_sudocmd, "sudocmdgroup": allow_sudocmdgroup, }]) # Add commands if deny_sudocmd is not None \ or deny_sudocmdgroup is not None: commands.append([name, "sudorule_add_deny_command", {"sudocmd": deny_sudocmd, "sudocmdgroup": deny_sudocmdgroup, }]) # Add RunAS Users if runasuser is not None: commands.append([name, "sudorule_add_runasuser", {"user": runasuser}]) # Add RunAS Groups if runasgroup is not None: commands.append([name, "sudorule_add_runasgroup", {"group": runasgroup}]) # Add options if sudooption is not None: existing_opts = res_find.get('ipasudoopt', []) for sudoopt in sudooption: if sudoopt not in existing_opts: commands.append([name, "sudorule_add_option", {"ipasudoopt": sudoopt}]) elif state == "absent": if action == "sudorule": if res_find is not None: commands.append([name, "sudorule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # Remove hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "sudorule_remove_host", { "host": host, "hostgroup": hostgroup, }]) # Remove users and groups if user is not None or group is not None: commands.append([name, "sudorule_remove_user", { "user": user, "group": group, }]) # Remove allow commands if allow_sudocmd is not None \ or allow_sudocmdgroup is not None: commands.append([name, "sudorule_remove_allow_command", {"sudocmd": allow_sudocmd, "sudocmdgroup": allow_sudocmdgroup }]) # Remove deny commands if deny_sudocmd is not None \ or deny_sudocmdgroup is not None: commands.append([name, "sudorule_remove_deny_command", {"sudocmd": deny_sudocmd, "sudocmdgroup": deny_sudocmdgroup }]) # Remove RunAS Users if runasuser is not None: commands.append([name, "sudorule_remove_runasuser", {"user": runasuser}]) # Remove RunAS Groups if runasgroup is not None: commands.append([name, "sudorule_remove_runasgroup", {"group": runasgroup}]) # Remove options if sudooption is not None: existing_opts = res_find.get('ipasudoopt', []) for sudoopt in sudooption: if sudoopt in existing_opts: commands.append([name, "sudorule_remove_option", {"ipasudoopt": sudoopt}]) elif state == "enabled": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # sudorule_enable is not failing on an enabled sudorule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "TRUE": commands.append([name, "sudorule_enable", {}]) elif state == "disabled": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # sudorule_disable is not failing on an disabled sudorule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "FALSE": commands.append([name, "sudorule_disable", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % ( command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as ex: ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), nomembers=dict(required=False, type='bool', default=None), sudocmdgroup=dict(required=False, type='list', default=None), sudocmd=dict(required=False, type='list', default=None), action=dict(type="str", default="sudocmdgroup", choices=["member", "sudocmdgroup"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") nomembers = ansible_module.params.get("nomembers") sudocmdgroup = ansible_module.params.get("sudocmdgroup") sudocmd = ansible_module.params.get("sudocmd") action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one sudocmdgroup can be added at a time.") if action == "member": invalid = ["description", "nomembers"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "nomembers"] if action == "sudocmdgroup": invalid.extend(["sudocmd"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure hostgroup exists res_find = find_sudocmdgroup(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, nomembers) if action == "sudocmdgroup": # Found the hostgroup if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudocmdgroup_mod", args]) else: commands.append([name, "sudocmdgroup_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(sudocmd) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists sudocmdgroup_add = list( set(sudocmdgroup or []) - set(res_find.get("member_sudocmdgroup", []))) sudocmdgroup_del = list( set(res_find.get("member_sudocmdgroup", [])) - set(sudocmdgroup or [])) # Add members if len(sudocmdgroup_add) > 0: commands.append([ name, "sudocmdgroup_add_member", { "sudocmd": [to_text(c) for c in sudocmdgroup_add] } ]) # Remove members if len(sudocmdgroup_del) > 0: commands.append([ name, "sudocmdgroup_remove_member", { "sudocmd": [to_text(c) for c in sudocmdgroup_del] } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudocmdgroup '%s'" % name) # Ensure members are present commands.append([ name, "sudocmdgroup_add_member", { "sudocmd": [to_text(c) for c in sudocmd] } ]) elif state == "absent": if action == "sudocmdgroup": if res_find is not None: commands.append([name, "sudocmdgroup_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudocmdgroup '%s'" % name) # Ensure members are absent commands.append([ name, "sudocmdgroup_remove_member", { "sudocmd": [to_text(c) for c in sudocmd] } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, to_text(name), args) if action == "member": if "completed" in result and result["completed"] > 0: changed = True else: if command == "sudocmdgroup_del": changed |= "Deleted" in result['summary'] elif command == "sudocmdgroup_add": changed |= "Added" in result['summary'] except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] if "failed" in result and "member" in result["failed"]: failed = result["failed"]["member"] for member_type in failed: for member, failure in failed[member_type]: if "already a member" not in failure \ and "not a member" not in failure: errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=False), # present maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None), minlife=dict(type="int", aliases=["krbminpwdlife"], default=None), history=dict(type="int", aliases=["krbpwdhistorylength"], default=None), minclasses=dict(type="int", aliases=["krbpwdmindiffchars"], default=None), minlength=dict(type="int", aliases=["krbpwdminlength"], default=None), priority=dict(type="int", aliases=["cospriority"], default=None), maxfail=dict(type="int", aliases=["krbpwdmaxfailure"], default=None), failinterval=dict(type="int", aliases=["krbpwdfailurecountinterval"], default=None), lockouttime=dict(type="int", aliases=["krbpwdlockoutduration"], default=None), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present maxlife = ansible_module.params.get("maxlife") minlife = ansible_module.params.get("minlife") history = ansible_module.params.get("history") minclasses = ansible_module.params.get("minclasses") minlength = ansible_module.params.get("minlength") priority = ansible_module.params.get("priority") maxfail = ansible_module.params.get("maxfail") failinterval = ansible_module.params.get("failinterval") lockouttime = ansible_module.params.get("lockouttime") # state state = ansible_module.params.get("state") # Check parameters if names is None: names = ["global_policy"] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one pwpolicy can be set at a time.") if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") if "global_policy" in names: ansible_module.fail_json( msg="'global_policy' can not be made absent.") invalid = ["maxlife", "minlife", "history", "minclasses", "minlength", "priority", "maxfail", "failinterval", "lockouttime"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Try to find pwpolicy res_find = find_pwpolicy(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(maxlife, minlife, history, minclasses, minlength, priority, maxfail, failinterval, lockouttime) # Found the pwpolicy if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "pwpolicy_mod", args]) else: commands.append([name, "pwpolicy_add", args]) elif state == "absent": if res_find is not None: commands.append([name, "pwpolicy_del", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: api_command(ansible_module, command, to_text(name), args) changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # generalgroups ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(required=False, type="str", default=None), vault_type=dict(type="str", aliases=["ipavaulttype"], default=None, required=False, choices=["standard", "symmetric", "asymmetric"]), vault_public_key=dict(type="str", required=False, default=None, aliases=['ipavaultpublickey', 'public_key']), vault_public_key_file=dict(type="str", required=False, default=None, aliases=['public_key_file']), vault_private_key=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultprivatekey', 'private_key']), vault_private_key_file=dict(type="str", required=False, default=None, aliases=['private_key_file']), vault_salt=dict(type="str", required=False, default=None, aliases=['ipavaultsalt', 'salt']), username=dict(type="str", required=False, default=None, aliases=['user']), service=dict(type="str", required=False, default=None), shared=dict(type="bool", required=False, default=None), users=dict(required=False, type='list', default=None), groups=dict(required=False, type='list', default=None), services=dict(required=False, type='list', default=None), owners=dict(required=False, type='list', default=None, aliases=['ownerusers']), ownergroups=dict(required=False, type='list', default=None), ownerservices=dict(required=False, type='list', default=None), vault_data=dict(type="str", required=False, default=None, no_log=True, aliases=['ipavaultdata', 'data']), datafile_in=dict(type="str", required=False, default=None, aliases=['in']), datafile_out=dict(type="str", required=False, default=None, aliases=['out']), vault_password=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultpassword', 'password', "old_password"]), vault_password_file=dict( type="str", required=False, default=None, no_log=False, aliases=['password_file', "old_password_file"]), new_password=dict(type="str", required=False, default=None, no_log=True), new_password_file=dict(type="str", required=False, default=None, no_log=False), # state action=dict(type="str", default="vault", choices=["vault", "data", "member"]), state=dict(type="str", default="present", choices=["present", "absent", "retrieved"]), ), supports_check_mode=True, mutually_exclusive=[['username', 'service', 'shared'], ['datafile_in', 'vault_data'], ['new_password', 'new_password_file'], ['vault_password', 'vault_password_file'], ['vault_public_key', 'vault_public_key_file']], ) ansible_module._ansible_debug = True # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") username = module_params_get(ansible_module, "username") service = module_params_get(ansible_module, "service") shared = module_params_get(ansible_module, "shared") users = module_params_get(ansible_module, "users") groups = module_params_get(ansible_module, "groups") services = module_params_get(ansible_module, "services") owners = module_params_get(ansible_module, "owners") ownergroups = module_params_get(ansible_module, "ownergroups") ownerservices = module_params_get(ansible_module, "ownerservices") vault_type = module_params_get(ansible_module, "vault_type") salt = module_params_get(ansible_module, "vault_salt") password = module_params_get(ansible_module, "vault_password") password_file = module_params_get(ansible_module, "vault_password_file") new_password = module_params_get(ansible_module, "new_password") new_password_file = module_params_get(ansible_module, "new_password_file") public_key = module_params_get(ansible_module, "vault_public_key") public_key_file = module_params_get(ansible_module, "vault_public_key_file") private_key = module_params_get(ansible_module, "vault_private_key") private_key_file = module_params_get(ansible_module, "vault_private_key_file") vault_data = module_params_get(ansible_module, "vault_data") datafile_in = module_params_get(ansible_module, "datafile_in") datafile_out = module_params_get(ansible_module, "datafile_out") action = module_params_get(ansible_module, "action") state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be added at a time.") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") elif state == "retrieved": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be retrieved at a time.") else: ansible_module.fail_json(msg="Invalid state '%s'" % state) check_parameters(ansible_module, state, action, description, username, service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) # Need to set krb5 ccache name, due to context='ansible-freeipa' if ccache_name is not None: os.environ["KRB5CCNAME"] = ccache_name api_connect(context='ansible-freeipa') commands = [] for name in names: # Make sure vault exists res_find = find_vault(ansible_module, name, username, service, shared) # Generate args args = gen_args(description, username, service, shared, vault_type, salt, password, password_file, public_key, public_key_file, vault_data, datafile_in, datafile_out) pwdargs = None # Set default vault_type if needed. if vault_type is None and vault_data is not None: if res_find is not None: res_vault_type = res_find.get('ipavaulttype')[0] args['ipavaulttype'] = vault_type = res_vault_type else: args['ipavaulttype'] = vault_type = u"symmetric" # Create command if state == "present": # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) # Found the vault if action == "vault": if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "vault_mod_internal", args]) else: if vault_type == 'symmetric' \ and 'ipavaultsalt' not in args: args['ipavaultsalt'] = os.urandom(32) commands.append([name, "vault_add_internal", args]) if vault_type != 'standard' and vault_data is None: vault_data = '' # Set res_find to empty dict for next steps res_find = {} # Generate adittion and removal lists user_add, user_del = \ gen_add_del_lists(users, res_find.get('member_user', [])) group_add, group_del = \ gen_add_del_lists(groups, res_find.get('member_group', [])) service_add, service_del = \ gen_add_del_lists(services, res_find.get('member_service', [])) owner_add, owner_del = \ gen_add_del_lists(owners, res_find.get('owner_user', [])) ownergroups_add, ownergroups_del = \ gen_add_del_lists(ownergroups, res_find.get('owner_group', [])) ownerservice_add, ownerservice_del = \ gen_add_del_lists(ownerservices, res_find.get('owner_service', [])) # Add users and groups user_add_args = gen_member_args(args, user_add, group_add, service_add) if user_add_args is not None: commands.append( [name, 'vault_add_member', user_add_args]) # Remove users and groups user_del_args = gen_member_args(args, user_del, group_del, service_del) if user_del_args is not None: commands.append( [name, 'vault_remove_member', user_del_args]) # Add owner users and groups owner_add_args = gen_member_args(args, owner_add, ownergroups_add, ownerservice_add) if owner_add_args is not None: commands.append( [name, 'vault_add_owner', owner_add_args]) # Remove owner users and groups owner_del_args = gen_member_args(args, owner_del, ownergroups_del, ownerservice_del) if owner_del_args is not None: commands.append( [name, 'vault_remove_owner', owner_del_args]) elif action in "member": # Add users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append([name, 'vault_add_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append([name, 'vault_add_owner', owner_args]) pwdargs = data_storage_args(args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) if any([vault_data, datafile_in]): commands.append([name, "vault_archive", pwdargs]) cmds = change_password(ansible_module, res_find, password, password_file, new_password, new_password_file) commands.extend(cmds) elif state == "retrieved": if res_find is None: ansible_module.fail_json( msg="Vault `%s` not found to retrieve data." % name) # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) pwdargs = data_storage_args(args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) if 'data' in pwdargs: del pwdargs['data'] commands.append([name, "vault_retrieve", pwdargs]) elif state == "absent": if 'ipavaulttype' in args: del args['ipavaulttype'] if action == "vault": if res_find is not None: commands.append([name, "vault_del", args]) elif action == "member": # remove users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append( [name, 'vault_remove_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append( [name, 'vault_remove_owner', owner_args]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unknown state '%s'" % state) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if command == 'vault_archive': changed = 'Archived data into' in result['summary'] elif command == 'vault_retrieve': if 'result' not in result: raise Exception("No result obtained.") if "data" in result["result"]: data_return = exit_args.setdefault("vault", {}) data_return["data"] = result["result"]["data"] else: if not datafile_out: raise Exception("No data retrieved.") changed = False else: if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except EmptyModlist: result = {} except Exception as exception: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(exception))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as exception: ansible_module.fail_json(msg=str(exception)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), usercategory=dict(type="str", default=None, aliases=["usercat"], choices=["all"]), hostcategory=dict(type="str", default=None, aliases=["hostcat"], choices=["all"]), servicecategory=dict(type="str", default=None, aliases=["servicecat"], choices=["all"]), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), hbacsvc=dict(required=False, type='list', default=None), hbacsvcgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), action=dict(type="str", default="hbacrule", choices=["member", "hbacrule"]), # state state=dict(type="str", default="present", choices=["present", "absent", "enabled", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") usercategory = module_params_get(ansible_module, "usercategory") hostcategory = module_params_get(ansible_module, "hostcategory") servicecategory = module_params_get(ansible_module, "servicecategory") nomembers = module_params_get(ansible_module, "nomembers") host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") hbacsvc = module_params_get(ansible_module, "hbacsvc") hbacsvcgroup = module_params_get(ansible_module, "hbacsvcgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hbacrule can be added at a time.") if action == "member": invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers"] if action == "hbacrule": invalid.extend(["host", "hostgroup", "hbacsvc", "hbacsvcgroup", "user", "group"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "member": ansible_module.fail_json( msg="Action member can not be used with states enabled and " "disabled") invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers", "host", "hostgroup", "hbacsvc", "hbacsvcgroup", "user", "group"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure hbacrule exists res_find = find_hbacrule(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, usercategory, hostcategory, servicecategory, nomembers) if action == "hbacrule": # Found the hbacrule if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hbacrule_mod", args]) else: commands.append([name, "hbacrule_add", args]) # Set res_find to empty dict for next step res_find = {} # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get("memberhost_host")) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get("memberhost_hostgroup")) hbacsvc_add, hbacsvc_del = gen_add_del_lists( hbacsvc, res_find.get("memberservice_hbacsvc")) hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists( hbacsvcgroup, res_find.get("memberservice_hbacsvcgroup")) user_add, user_del = gen_add_del_lists( user, res_find.get("memberuser_user")) group_add, group_del = gen_add_del_lists( group, res_find.get("memberuser_group")) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([name, "hbacrule_add_host", { "host": host_add, "hostgroup": hostgroup_add, }]) # Remove hosts and hostgroups if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([name, "hbacrule_remove_host", { "host": host_del, "hostgroup": hostgroup_del, }]) # Add hbacsvcs and hbacsvcgroups if len(hbacsvc_add) > 0 or len(hbacsvcgroup_add) > 0: commands.append([name, "hbacrule_add_service", { "hbacsvc": hbacsvc_add, "hbacsvcgroup": hbacsvcgroup_add, }]) # Remove hbacsvcs and hbacsvcgroups if len(hbacsvc_del) > 0 or len(hbacsvcgroup_del) > 0: commands.append([name, "hbacrule_remove_service", { "hbacsvc": hbacsvc_del, "hbacsvcgroup": hbacsvcgroup_del, }]) # Add users and groups if len(user_add) > 0 or len(group_add) > 0: commands.append([name, "hbacrule_add_user", { "user": user_add, "group": group_add, }]) # Remove users and groups if len(user_del) > 0 or len(group_del) > 0: commands.append([name, "hbacrule_remove_user", { "user": user_del, "group": group_del, }]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # Add hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "hbacrule_add_host", { "host": host, "hostgroup": hostgroup, }]) # Add hbacsvcs and hbacsvcgroups if hbacsvc is not None or hbacsvcgroup is not None: commands.append([name, "hbacrule_add_service", { "hbacsvc": hbacsvc, "hbacsvcgroup": hbacsvcgroup, }]) # Add users and groups if user is not None or group is not None: commands.append([name, "hbacrule_add_user", { "user": user, "group": group, }]) elif state == "absent": if action == "hbacrule": if res_find is not None: commands.append([name, "hbacrule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # Remove hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "hbacrule_remove_host", { "host": host, "hostgroup": hostgroup, }]) # Remove hbacsvcs and hbacsvcgroups if hbacsvc is not None or hbacsvcgroup is not None: commands.append([name, "hbacrule_remove_service", { "hbacsvc": hbacsvc, "hbacsvcgroup": hbacsvcgroup, }]) # Remove users and groups if user is not None or group is not None: commands.append([name, "hbacrule_remove_user", { "user": user, "group": group, }]) elif state == "enabled": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # hbacrule_enable is not failing on an enabled hbacrule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "TRUE": commands.append([name, "hbacrule_enable", {}]) elif state == "disabled": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # hbacrule_disable is not failing on an disabled hbacrule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "FALSE": commands.append([name, "hbacrule_disable", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % ( command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["aciname"], default=None, required=True), # present permission=dict(required=False, type='list', aliases=["permissions"], default=None), attribute=dict(required=False, type='list', aliases=["attrs"], default=None), membergroup=dict(type="str", aliases=["memberof"], default=None), group=dict(type="str", default=None), action=dict(type="str", default="delegation", choices=["member", "delegation"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present permission = module_params_get(ansible_module, "permission") attribute = module_params_get(ansible_module, "attribute") membergroup = module_params_get(ansible_module, "membergroup") group = module_params_get(ansible_module, "group") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one delegation be added at a time.") if action == "member": invalid = ["permission", "membergroup", "group"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["permission", "membergroup", "group"] if action == "delegation": invalid.append("attribute") for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) if permission is not None: perm = [p for p in permission if p not in ("read", "write")] if perm: ansible_module.fail_json(msg="Invalid permission '%s'" % perm) if len(set(permission)) != len(permission): ansible_module.fail_json( msg="Invalid permission '%s', items are not unique" % repr(permission)) if attribute is not None: if len(set(attribute)) != len(attribute): ansible_module.fail_json( msg="Invalid attribute '%s', items are not unique" % repr(attribute)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure delegation exists res_find = find_delegation(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(permission, attribute, membergroup, group) if action == "delegation": # Found the delegation if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "delegation_mod", args]) else: commands.append([name, "delegation_add", args]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No delegation '%s'" % name) if attribute is None: ansible_module.fail_json(msg="No attributes given") # New attribute list (add given ones to find result) # Make list with unique entries attrs = list(set(list(res_find["attrs"]) + attribute)) if len(attrs) > len(res_find["attrs"]): commands.append( [name, "delegation_mod", { "attrs": attrs }]) elif state == "absent": if action == "delegation": if res_find is not None: commands.append([name, "delegation_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No delegation '%s'" % name) if attribute is None: ansible_module.fail_json(msg="No attributes given") # New attribute list (remove given ones from find result) # Make list with unique entries attrs = list(set(res_find["attrs"]) - set(attribute)) if len(attrs) < 1: ansible_module.fail_json( msg="At minimum one attribute is needed.") # Entries New number of attributes is smaller if len(attrs) < len(res_find["attrs"]): commands.append( [name, "delegation_mod", { "attrs": attrs }]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), nonposix=dict(required=False, type='bool', default=None), external=dict(required=False, type='bool', default=None), posix=dict(required=False, type='bool', default=None), nomembers=dict(required=False, type='bool', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), service=dict(required=False, type='list', default=None), membermanager_user=dict(required=False, type='list', default=None), membermanager_group=dict(required=False, type='list', default=None), externalmember=dict( required=False, type='list', default=None, aliases=["ipaexternalmember", "external_member"]), action=dict(type="str", default="group", choices=["member", "group"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), mutually_exclusive=[['posix', 'nonposix']], supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get( ansible_module, "ipaadmin_principal", ) ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") gid = module_params_get(ansible_module, "gid") nonposix = module_params_get(ansible_module, "nonposix") external = module_params_get(ansible_module, "external") posix = module_params_get(ansible_module, "posix") nomembers = module_params_get(ansible_module, "nomembers") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") service = module_params_get(ansible_module, "service") membermanager_user = module_params_get(ansible_module, "membermanager_user") membermanager_group = module_params_get(ansible_module, "membermanager_group") externalmember = module_params_get(ansible_module, "externalmember") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one group can be added at a time.") if action == "member": invalid = [ "description", "gid", "posix", "nonposix", "external", "nomembers" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = [ "description", "gid", "posix", "nonposix", "external", "nomembers" ] if action == "group": invalid.extend(["user", "group", "service", "externalmember"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_member_service = api_check_param("group_add_member", "service") if service is not None and not has_add_member_service: ansible_module.fail_json( msg="Managing a service as part of a group is not supported " "by your IPA version") has_add_membermanager = api_check_command("group_add_member_manager") if ((membermanager_user is not None or membermanager_group is not None) and not has_add_membermanager): ansible_module.fail_json( msg="Managing a membermanager user or group is not supported " "by your IPA version") commands = [] for name in names: # Make sure group exists res_find = find_group(ansible_module, name) # Create command if state == "present": # Can't change an existing posix group check_objectclass_args(ansible_module, res_find, nonposix, posix, external) # Generate args args = gen_args(description, gid, nomembers) if action == "group": # Found the group if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if should_modify_group(ansible_module, res_find, args, nonposix, posix, external): if (posix or (nonposix is not None and not nonposix)): args['posix'] = True if external: args['external'] = True commands.append([name, "group_mod", args]) else: if nonposix or (posix is not None and not posix): args['nonposix'] = True if external: args['external'] = True commands.append([name, "group_add", args]) # Set res_find dict for next step res_find = {} # if we just created/modified the group, update res_find res_find.setdefault("objectclass", []) if external and not is_external_group(res_find): res_find["objectclass"].append("ipaexternalgroup") if posix and not is_posix_group(res_find): res_find["objectclass"].append("posixgroup") member_args = gen_member_args(user, group, service, externalmember) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists user_add, user_del = gen_add_del_lists( user, res_find.get("member_user")) group_add, group_del = gen_add_del_lists( group, res_find.get("member_group")) service_add, service_del = gen_add_del_lists( service, res_find.get("member_service")) (externalmember_add, externalmember_del) = gen_add_del_lists( externalmember, res_find.get("member_external")) # setup member args for add/remove members. add_member_args = { "user": user_add, "group": group_add, } del_member_args = { "user": user_del, "group": group_del, } if has_add_member_service: add_member_args["service"] = service_add del_member_args["service"] = service_del if is_external_group(res_find): add_member_args["ipaexternalmember"] = \ externalmember_add del_member_args["ipaexternalmember"] = \ externalmember_del elif externalmember or external: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") # Add members add_members = any([ user_add, group_add, service_add, externalmember_add ]) if add_members: commands.append( [name, "group_add_member", add_member_args]) # Remove members remove_members = any([ user_del, group_del, service_del, externalmember_del ]) if remove_members: commands.append( [name, "group_remove_member", del_member_args]) membermanager_user_add, membermanager_user_del = \ gen_add_del_lists( membermanager_user, res_find.get("membermanager_user") ) membermanager_group_add, membermanager_group_del = \ gen_add_del_lists( membermanager_group, res_find.get("membermanager_group") ) if has_add_membermanager: # Add membermanager users and groups if len(membermanager_user_add) > 0 or \ len(membermanager_group_add) > 0: commands.append([ name, "group_add_member_manager", { "user": membermanager_user_add, "group": membermanager_group_add, } ]) # Remove member manager if len(membermanager_user_del) > 0 or \ len(membermanager_group_del) > 0: commands.append([ name, "group_remove_member_manager", { "user": membermanager_user_del, "group": membermanager_group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) add_member_args = { "user": user, "group": group, } if has_add_member_service: add_member_args["service"] = service if is_external_group(res_find): add_member_args["ipaexternalmember"] = externalmember elif externalmember: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") if any([user, group, service, externalmember]): commands.append( [name, "group_add_member", add_member_args]) if has_add_membermanager: # Add membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "group_add_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) elif state == "absent": if action == "group": if res_find is not None: commands.append([name, "group_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) del_member_args = { "user": user, "group": group, } if has_add_member_service: del_member_args["service"] = service if is_external_group(res_find): del_member_args["ipaexternalmember"] = externalmember elif externalmember: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") if any([user, group, service, externalmember]): commands.append( [name, "group_remove_member", del_member_args]) if has_add_membermanager: # Remove membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "group_remove_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): forwarder_spec = dict(ip_address=dict(type=str, required=True), port=dict(type=int, required=False, default=None)) ansible_module = AnsibleModule(argument_spec=dict( # general ipaadmin_principal=dict(type='str', default='admin'), ipaadmin_password=dict(type='str', no_log=True), # dnsconfig forwarders=dict(type='list', default=None, required=False, options=dict(**forwarder_spec)), forward_policy=dict(type='str', required=False, default=None, choices=['only', 'first', 'none']), allow_sync_ptr=dict(type='bool', required=False, default=None), # general state=dict( type="str", default="present", choices=["present", "absent"]), )) ansible_module._ansible_debug = True # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") forwarders = module_params_get(ansible_module, 'forwarders') or [] forward_policy = module_params_get(ansible_module, 'forward_policy') allow_sync_ptr = module_params_get(ansible_module, 'allow_sync_ptr') state = module_params_get(ansible_module, 'state') # Check parameters. invalid = [] if state == 'absent': invalid = ['forward_policy', 'allow_sync_ptr'] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() res_find = find_dnsconfig(ansible_module) args = gen_args(ansible_module, state, res_find, forwarders, forward_policy, allow_sync_ptr) # Execute command only if configuration changes. if not compare_args_ipa(ansible_module, args, res_find): try: api_command_no_name(ansible_module, 'dnsconfig_mod', args) # If command did not fail, something changed. changed = True except Exception as e: msg = str(e) ansible_module.fail_json(msg="dnsconfig_mod: %s" % msg) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed)
def main(): ansible_module = init_ansible_module() # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # service attributes principal = module_params_get(ansible_module, "principal") certificate = module_params_get(ansible_module, "certificate") pac_type = module_params_get(ansible_module, "pac_type") auth_ind = module_params_get(ansible_module, "auth_ind") skip_host_check = module_params_get(ansible_module, "skip_host_check") force = module_params_get(ansible_module, "force") requires_pre_auth = module_params_get(ansible_module, "requires_pre_auth") ok_as_delegate = module_params_get(ansible_module, "ok_as_delegate") ok_to_auth_as_delegate = module_params_get(ansible_module, "ok_to_auth_as_delegate") smb = module_params_get(ansible_module, "smb") netbiosname = module_params_get(ansible_module, "netbiosname") host = module_params_get(ansible_module, "host") allow_create_keytab_user = module_params_get(ansible_module, "allow_create_keytab_user") allow_create_keytab_group = module_params_get(ansible_module, "allow_create_keytab_group") allow_create_keytab_host = module_params_get(ansible_module, "allow_create_keytab_host") allow_create_keytab_hostgroup = module_params_get( ansible_module, "allow_create_keytab_hostgroup") allow_retrieve_keytab_user = module_params_get( ansible_module, "allow_retrieve_keytab_user") allow_retrieve_keytab_group = module_params_get( ansible_module, "allow_retrieve_keytab_group") allow_retrieve_keytab_host = module_params_get( ansible_module, "allow_retrieve_keytab_host") allow_retrieve_keytab_hostgroup = module_params_get( ansible_module, "allow_retrieve_keytab_hostgroup") delete_continue = module_params_get(ansible_module, "delete_continue") # action action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # check parameters check_parameters(ansible_module, state, action, names, vars()) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_skip_host_check = api_check_param("service_add", "skip_host_check") if skip_host_check and not has_skip_host_check: ansible_module.fail_json( msg="Skipping host check is not supported by your IPA version") commands = [] for name in names: res_find = find_service(ansible_module, name, netbiosname) if state == "present": # if service exists, 'smb' cannot be used. if action == "service": args = gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate) if not has_skip_host_check and 'skip_host_check' in args: del args['skip_host_check'] if res_find is None: if smb: if netbiosname is not None: args['ipantflatname'] = netbiosname commands.append([name, 'service_add_smb', args]) else: commands.append([name, 'service_add', args]) certificate_add = certificate or [] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] else: for remove in ['skip_host_check', 'force']: if remove in args: del args[remove] if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "service_mod", args]) certificate_add, certificate_del = gen_add_del_lists( certificate, res_find.get("usercertificate")) host_add, host_del = gen_add_del_lists( host, res_find.get('managedby_host', [])) principal_add, principal_del = gen_add_del_lists( principal, res_find.get("principal")) (allow_create_keytab_user_add, allow_create_keytab_user_del) = \ gen_add_del_lists( allow_create_keytab_user, res_find.get( 'ipaallowedtoperform_write_keys_user', [])) (allow_retrieve_keytab_user_add, allow_retrieve_keytab_user_del) = \ gen_add_del_lists( allow_retrieve_keytab_user, res_find.get( 'ipaallowedtoperform_read_keys_user', [])) (allow_create_keytab_group_add, allow_create_keytab_group_del) = \ gen_add_del_lists( allow_create_keytab_group, res_find.get( 'ipaallowedtoperform_write_keys_group', [])) (allow_retrieve_keytab_group_add, allow_retrieve_keytab_group_del) = \ gen_add_del_lists( allow_retrieve_keytab_group, res_find.get( 'ipaallowedtoperform_read_keys_group', [])) (allow_create_keytab_host_add, allow_create_keytab_host_del) = \ gen_add_del_lists( allow_create_keytab_host, res_find.get( 'ipaallowedtoperform_write_keys_host', [])) (allow_retrieve_keytab_host_add, allow_retrieve_keytab_host_del) = \ gen_add_del_lists( allow_retrieve_keytab_host, res_find.get( 'ipaallowedtoperform_read_keys_host', [])) (allow_create_keytab_hostgroup_add, allow_create_keytab_hostgroup_del) = \ gen_add_del_lists( allow_create_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_write_keys_hostgroup', [])) (allow_retrieve_keytab_hostgroup_add, allow_retrieve_keytab_hostgroup_del) = \ gen_add_del_lists( allow_retrieve_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_read_keys_hostgroup', [])) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) existing = res_find.get('usercertificate', []) if certificate is None: certificate_add = [] else: certificate_add = [ c for c in certificate if c not in existing ] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] # Add principals for _principal in principal_add: commands.append([ name, "service_add_principal", { "krbprincipalname": _principal, } ]) # Remove principals for _principal in principal_del: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) for _certificate in certificate_add: commands.append([ name, "service_add_cert", { "usercertificate": _certificate, } ]) # Remove certificates for _certificate in certificate_del: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts. if host is not None and len(host) > 0 and len(host_add) > 0: commands.append( [name, "service_add_host", { "host": host_add }]) # Remove hosts if host is not None and len(host) > 0 and len(host_del) > 0: commands.append( [name, "service_remove_host", { "host": host_del }]) # Allow create keytab if len(allow_create_keytab_user_add) > 0 or \ len(allow_create_keytab_group_add) > 0 or \ len(allow_create_keytab_host_add) > 0 or \ len(allow_create_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_create_keytab", { 'user': allow_create_keytab_user_add, 'group': allow_create_keytab_group_add, 'host': allow_create_keytab_host_add, 'hostgroup': allow_create_keytab_hostgroup_add } ]) # Disallow create keytab if len(allow_create_keytab_user_del) > 0 or \ len(allow_create_keytab_group_del) > 0 or \ len(allow_create_keytab_host_del) > 0 or \ len(allow_create_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user_del, 'group': allow_create_keytab_group_del, 'host': allow_create_keytab_host_del, 'hostgroup': allow_create_keytab_hostgroup_del } ]) # Allow retrieve keytab if len(allow_retrieve_keytab_user_add) > 0 or \ len(allow_retrieve_keytab_group_add) > 0 or \ len(allow_retrieve_keytab_host_add) > 0 or \ len(allow_retrieve_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_add, 'group': allow_retrieve_keytab_group_add, 'host': allow_retrieve_keytab_host_add, 'hostgroup': allow_retrieve_keytab_hostgroup_add } ]) # Disllow retrieve keytab if len(allow_retrieve_keytab_user_del) > 0 or \ len(allow_retrieve_keytab_group_del) > 0 or \ len(allow_retrieve_keytab_host_del) > 0 or \ len(allow_retrieve_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_del, 'group': allow_retrieve_keytab_group_del, 'host': allow_retrieve_keytab_host_del, 'hostgroup': allow_retrieve_keytab_hostgroup_del } ]) elif state == "absent": if action == "service": if res_find is not None: args = {'continue': True if delete_continue else False} commands.append([name, 'service_del', args]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) # Remove principals if principal is not None: for _principal in principal: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) # Remove certificates if certificate is not None: existing = res_find.get('usercertificate', []) for _certificate in certificate: if _certificate in existing: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts if host is not None: commands.append( [name, "service_remove_host", { "host": host }]) # Allow create keytab if allow_create_keytab_user is not None or \ allow_create_keytab_group is not None or \ allow_create_keytab_host is not None or \ allow_create_keytab_hostgroup is not None: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user, 'group': allow_create_keytab_group, 'host': allow_create_keytab_host, 'hostgroup': allow_create_keytab_hostgroup } ]) # Allow retriev keytab if allow_retrieve_keytab_user is not None or \ allow_retrieve_keytab_group is not None or \ allow_retrieve_keytab_host is not None or \ allow_retrieve_keytab_hostgroup is not None: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user, 'group': allow_retrieve_keytab_group, 'host': allow_retrieve_keytab_host, 'hostgroup': allow_retrieve_keytab_hostgroup } ]) elif state == "disabled": if action == "service": if res_find is not None: has_cert = bool(res_find.get('usercertificate')) has_keytab = res_find.get('has_keytab', False) if has_cert or has_keytab: commands.append([name, 'service_disable', {}]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as ex: ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present right=dict(type="list", aliases=["ipapermright"], default=None, required=False, choices=[ "read", "search", "compare", "write", "add", "delete", "all" ]), attrs=dict(type="list", default=None, required=False), # Note: bindtype has a default of permission for Adds. bindtype=dict(type="str", aliases=["ipapermbindruletype"], default=None, require=False, choices=["permission", "all", "anonymous", "self"]), subtree=dict(type="str", aliases=["ipapermlocation"], default=None, required=False), extra_target_filter=dict(type="list", aliases=["filter", "extratargetfilter"], default=None, required=False), rawfilter=dict(type="list", aliases=["ipapermtargetfilter"], default=None, required=False), target=dict(type="str", aliases=["ipapermtarget"], default=None, required=False), targetto=dict(type="str", aliases=["ipapermtargetto"], default=None, required=False), targetfrom=dict(type="str", aliases=["ipapermtargetfrom"], default=None, required=False), memberof=dict(type="list", default=None, required=False), targetgroup=dict(type="str", default=None, required=False), object_type=dict(type="str", aliases=["type"], default=None, required=False), no_members=dict(type=bool, default=None, require=False), rename=dict(type="str", default=None, required=False), privilege=dict(type="list", default=None, required=False), action=dict(type="str", default="permission", choices=["member", "permission"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present right = module_params_get(ansible_module, "right") attrs = module_params_get(ansible_module, "attrs") bindtype = module_params_get(ansible_module, "bindtype") subtree = module_params_get(ansible_module, "subtree") extra_target_filter = module_params_get(ansible_module, "extra_target_filter") rawfilter = module_params_get(ansible_module, "rawfilter") target = module_params_get(ansible_module, "target") targetto = module_params_get(ansible_module, "targetto") targetfrom = module_params_get(ansible_module, "targetfrom") memberof = module_params_get(ansible_module, "memberof") targetgroup = module_params_get(ansible_module, "targetgroup") object_type = module_params_get(ansible_module, "object_type") no_members = module_params_get(ansible_module, "no_members") rename = module_params_get(ansible_module, "rename") privilege = module_params_get(ansible_module, "privilege") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one permission can be added at a time.") if action == "member": invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "rename" ] if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one permission can be renamed at a time.") if action == "member": ansible_module.fail_json(msg="Member Privileges cannot be renamed") invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "no_members" ] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "no_members", "rename" ] if action == "permission": invalid.append("privilege") for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) if bindtype == "self" and api_check_ipa_version("<", "4.8.7"): ansible_module.fail_json( msg="Bindtype 'self' is not supported by your IPA version.") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure permission exists res_find = find_permission(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(right, attrs, bindtype, subtree, extra_target_filter, rawfilter, target, targetto, targetfrom, memberof, targetgroup, object_type, no_members, rename) no_members_value = False if no_members is not None: no_members_value = no_members if action == "permission": # Found the permission if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "permission_mod", args]) else: commands.append([name, "permission_add", args]) member_args = gen_member_args(privilege) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists privilege_add, privilege_del = gen_add_del_lists( privilege, res_find.get("member_privilege")) # Add members if len(privilege_add) > 0: commands.append([ name, "permission_add_member", { "privilege": privilege_add, "no_members": no_members_value } ]) # Remove members if len(privilege_del) > 0: commands.append([ name, "permission_remove_member", { "privilege": privilege_del, "no_members": no_members_value } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No permission '%s'" % name) if privilege is None: ansible_module.fail_json(msg="No privilege given") commands.append([ name, "permission_add_member", { "privilege": privilege, "no_members": no_members_value } ]) else: ansible_module.fail_json(msg="Unknown action '%s'" % action) elif state == "renamed": if action == "permission": # Generate args # Note: Only valid arg for rename is rename. args = gen_args(right, attrs, bindtype, subtree, extra_target_filter, rawfilter, target, targetto, targetfrom, memberof, targetgroup, object_type, no_members, rename) # Found the permission if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "permission_mod", args]) else: ansible_module.fail_json( msg="Permission not found, cannot rename") else: ansible_module.fail_json(msg="Unknown action '%s'" % action) elif state == "absent": if action == "permission": if res_find is not None: commands.append([name, "permission_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No permission '%s'" % name) if privilege is None: ansible_module.fail_json(msg="No privilege given") commands.append([ name, "permission_remove_member", { "privilege": privilege, } ]) else: ansible_module.fail_json(msg="Unknown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="str", aliases=["cn"], default=None, required=True), forwarders=dict(type='list', aliases=["idnsforwarders"], required=False), forwardpolicy=dict(type='str', aliases=["idnsforwardpolicy"], required=False, choices=['only', 'first', 'none']), skip_overlap_check=dict(type='bool', required=False), action=dict(type="str", default="dnsforwardzone", choices=["member", "dnsforwardzone"]), # state state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") name = module_params_get(ansible_module, "name") action = module_params_get(ansible_module, "action") forwarders = module_params_get(ansible_module, "forwarders") forwardpolicy = module_params_get(ansible_module, "forwardpolicy") skip_overlap_check = module_params_get(ansible_module, "skip_overlap_check") state = module_params_get(ansible_module, "state") # absent stae means delete if the action is NOT member but update if it is # if action is member then update an exisiting resource # and if action is not member then create a resource if state == "absent" and action == "dnsforwardzone": operation = "del" elif action == "member": operation = "update" else: operation = "add" if state == "disabled": wants_enable = False else: wants_enable = True if operation == "del": invalid = ["forwarders", "forwardpolicy", "skip_overlap_check"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) changed = False exit_args = {} args = {} ccache_dir = None ccache_name = None is_enabled = "IGNORE" try: # we need to determine 3 variables # args = the values we want to change/set # command = the ipa api command to call del, add, or mod # is_enabled = is the current resource enabled (True) # disabled (False) and do we care (IGNORE) if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() # Make sure forwardzone exists existing_resource = find_dnsforwardzone(ansible_module, name) if existing_resource is None and operation == "update": # does not exist and is updating # trying to update something that doesn't exist, so error ansible_module.fail_json(msg="""dnsforwardzone '%s' is not valid""" % (name)) elif existing_resource is None and operation == "del": # does not exists and should be absent # set command command = None # enabled or disabled? is_enabled = "IGNORE" elif existing_resource is not None and operation == "del": # exists but should be absent # set command command = "dnsforwardzone_del" # enabled or disabled? is_enabled = "IGNORE" elif forwarders is None: # forwarders are not defined its not a delete, update state? # set command command = None # enabled or disabled? if existing_resource is not None: is_enabled = existing_resource["idnszoneactive"][0] else: is_enabled = "IGNORE" elif existing_resource is not None and operation == "update": # exists and is updating # calculate the new forwarders and mod # determine args if state != "absent": forwarders = list( set(existing_resource["idnsforwarders"] + forwarders)) else: forwarders = list( set(existing_resource["idnsforwarders"]) - set(forwarders)) args = gen_args(forwarders, forwardpolicy, skip_overlap_check) if skip_overlap_check is not None: del args['skip_overlap_check'] # command if not compare_args_ipa(ansible_module, args, existing_resource): command = "dnsforwardzone_mod" else: command = None # enabled or disabled? is_enabled = existing_resource["idnszoneactive"][0] elif existing_resource is None and operation == "add": # does not exist but should be present # determine args args = gen_args(forwarders, forwardpolicy, skip_overlap_check) # set command command = "dnsforwardzone_add" # enabled or disabled? is_enabled = "TRUE" elif existing_resource is not None and operation == "add": # exists and should be present, has it changed? # determine args args = gen_args(forwarders, forwardpolicy, skip_overlap_check) if skip_overlap_check is not None: del args['skip_overlap_check'] # set command if not compare_args_ipa(ansible_module, args, existing_resource): command = "dnsforwardzone_mod" else: command = None # enabled or disabled? is_enabled = existing_resource["idnszoneactive"][0] # if command is set then run it with the args if command is not None: api_command(ansible_module, command, name, args) changed = True # does the enabled state match what we want (if we care) if is_enabled != "IGNORE": if wants_enable and is_enabled != "TRUE": api_command(ansible_module, "dnsforwardzone_enable", name, {}) changed = True elif not wants_enable and is_enabled != "FALSE": api_command(ansible_module, "dnsforwardzone_disable", name, {}) changed = True except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, dnsforwardzone=exit_args)