def ensure_role_with_members_is_present(module, name, res_find, action): """Define commands to ensure member are present for action `role`.""" commands = [] _members = module.params_get_lowercase("privilege") if _members: add_list, del_list = gen_add_del_lists( _members, result_get_value_lowercase(res_find, "memberof_privilege")) if add_list: commands.append( [name, "role_add_privilege", { "privilege": add_list }]) if action == "role" and del_list: commands.append( [name, "role_remove_privilege", { "privilege": del_list }]) add_members = {} del_members = {} for key in ["user", "group", "hostgroup"]: _members = module.params_get_lowercase(key) if _members is not None: add_list, del_list = gen_add_del_lists( _members, result_get_value_lowercase(res_find, "member_%s" % key)) if add_list: add_members[key] = add_list if del_list: del_members[key] = del_list # ensure hosts are FQDN. _members = get_member_host_with_fqdn_lowercase(module, "host") if _members: add_list, del_list = gen_add_del_lists(_members, res_find.get('member_host')) if add_list: add_members["host"] = add_list if del_list: del_members["host"] = del_list (add_services, del_services) = gen_services_add_del_lists(module, "service", res_find, "member_service") if add_services: add_members["service"] = add_services if del_services: del_members["service"] = del_services if add_members: commands.append([name, "role_add_member", add_members]) # Only remove members if ensuring role, not acting on members. if action == "role" and del_members: commands.append([name, "role_remove_member", del_members]) return commands
def ensure_role_with_members_is_present(module, name, res_find, action): """Define commands to ensure member are present for action `role`.""" commands = [] privilege_add, privilege_del = gen_add_del_lists( module_params_get(module, "privilege"), res_find.get('memberof_privilege', [])) if privilege_add: commands.append( [name, "role_add_privilege", { "privilege": privilege_add }]) if action == "role" and privilege_del: commands.append( [name, "role_remove_privilege", { "privilege": privilege_del }]) add_members = {} del_members = {} for key in ["user", "group", "host", "hostgroup"]: add_list, del_list = gen_add_del_lists( module_params_get(module, key), res_find.get('member_%s' % key, [])) if add_list: add_members[key] = add_list if del_list: del_members[key] = [to_text(item) for item in del_list] service = [ to_text(svc) if '@' in svc else ('%s@%s' % (svc, api_get_realm())) for svc in (module_params_get(module, 'service') or []) ] existing = [str(svc) for svc in res_find.get('member_service', [])] add_list, del_list = gen_add_del_lists(service, existing) if add_list: add_members['service'] = add_list if del_list: del_members['service'] = [to_text(item) for item in del_list] if add_members: commands.append([name, "role_add_member", add_members]) # Only remove members if ensuring role, not acting on members. if action == "role" and del_members: commands.append([name, "role_remove_member", del_members]) return commands
def gen_services_add_del_lists(module, mod_member, res_find, res_member): """Generate add/del lists for service principals.""" add_list, del_list = None, None _services = get_service_param(module, mod_member) if _services is not None: _existing = result_get_value_lowercase(res_find, res_member) add_list, del_list = gen_add_del_lists(_services.keys(), _existing) if add_list: add_list = [_services[key] for key in add_list] if del_list: del_list = [to_text(item) for item in del_list] return add_list, del_list
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general inclusive=dict(type="list", aliases=["automemberinclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), exclusive=dict(type="list", aliases=["automemberexclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), name=dict(type="list", aliases=["cn"], default=None, required=False), description=dict(type="str", default=None), automember_type=dict(type='str', required=False, choices=['group', 'hostgroup']), no_wait=dict(type="bool", default=None), default_group=dict(type="str", default=None), action=dict(type="str", default="automember", choices=["member", "automember"]), state=dict(type="str", default="present", choices=["present", "absent", "rebuilt", "orphans_removed"]), users=dict(type="list", default=None), hosts=dict(type="list", default=None), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") if names is None: names = [] # present description = ansible_module.params_get("description") # conditions inclusive = ansible_module.params_get("inclusive") exclusive = ansible_module.params_get("exclusive") # no_wait for rebuilt no_wait = ansible_module.params_get("no_wait") # default_group default_group = ansible_module.params_get("default_group") # action action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # grouping/type automember_type = ansible_module.params_get("automember_type") rebuild_users = ansible_module.params_get("users") rebuild_hosts = ansible_module.params_get("hosts") # Check parameters invalid = [] if state in ["rebuilt", "orphans_removed"]: invalid = ["name", "description", "exclusive", "inclusive", "default_group"] if action == "member": ansible_module.fail_json( msg="'action=member' is not usable with state '%s'" % state) if state == "rebuilt": if automember_type == "group" and rebuild_hosts is not None: ansible_module.fail_json( msg="state %s: hosts can not be set when type is '%s'" % (state, automember_type)) if automember_type == "hostgroup" and rebuild_users is not None: ansible_module.fail_json( msg="state %s: users can not be set when type is '%s'" % (state, automember_type)) elif state == "orphans_removed": invalid.extend(["users", "hosts"]) if not automember_type: ansible_module.fail_json( msg="'automember_type' is required unless state: rebuilt") else: if default_group is not None: for param in ["name", "exclusive", "inclusive", "users", "hosts" "no_wait"]: if ansible_module.params.get(param) is not None: msg = "Cannot use {0} together with default_group" ansible_module.fail_json(msg=msg.format(param)) if action == "member": ansible_module.fail_json( msg="Cannot use default_group with action:member") if state == "absent": ansible_module.fail_json( msg="Cannot use default_group with state:absent") else: invalid = ["users", "hosts", "no_wait"] if not automember_type: ansible_module.fail_json( msg="'automember_type' is required.") ansible_module.params_fail_used_invalid(invalid, state, action) # Init changed = False exit_args = {} res_find = None with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure automember rule exists res_find = find_automember(ansible_module, name, automember_type) # Check inclusive and exclusive conditions if inclusive is not None or exclusive is not None: # automember_type is either "group" or "hostgorup" if automember_type == "group": _type = u"user" elif automember_type == "hostgroup": _type = u"host" else: ansible_module.fail_json( msg="Bad automember type '%s'" % automember_type) try: aciattrs = ansible_module.ipa_command( "json_metadata", _type, {} )['objects'][_type]['aciattrs'] except Exception as ex: ansible_module.fail_json( msg="%s: %s: %s" % ("json_metadata", _type, str(ex))) check_condition_keys(ansible_module, inclusive, aciattrs) check_condition_keys(ansible_module, exclusive, aciattrs) # Create command if state == 'present': args = gen_args(description, automember_type) if action == "automember": if res_find is not None: if not compare_args_ipa(ansible_module, args, res_find, ignore=['type']): commands.append([name, 'automember_mod', args]) else: commands.append([name, 'automember_add', args]) res_find = {} if inclusive is not None: inclusive_add, inclusive_del = gen_add_del_lists( transform_conditions(inclusive), res_find.get("automemberinclusiveregex", []) ) else: inclusive_add, inclusive_del = [], [] if exclusive is not None: exclusive_add, exclusive_del = gen_add_del_lists( transform_conditions(exclusive), res_find.get("automemberexclusiveregex", []) ) else: exclusive_add, exclusive_del = [], [] elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) inclusive_add = transform_conditions(inclusive or []) inclusive_del = [] exclusive_add = transform_conditions(exclusive or []) exclusive_del = [] for _inclusive in inclusive_add: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _inclusive in inclusive_del: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) for _exclusive in exclusive_add: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _exclusive in exclusive_del: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) elif state == 'absent': if action == "automember": if res_find is not None: commands.append([name, 'automember_del', {'type': automember_type}]) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) if inclusive is not None: for _inclusive in transform_conditions(inclusive): key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) if exclusive is not None: for _exclusive in transform_conditions(exclusive): key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) if len(names) == 0: if state == "rebuilt": args = gen_rebuild_args(automember_type, rebuild_users, rebuild_hosts, no_wait) commands.append([None, 'automember_rebuild', args]) elif state == "orphans_removed": res_find = find_automember_orphans(ansible_module, automember_type) if res_find["count"] > 0: commands.append([None, 'automember_find_orphans', {'type': automember_type, 'remove': True}]) elif default_group is not None and state == "present": res_find = find_automember_default_group(ansible_module, automember_type) if default_group == "": if isinstance(res_find["automemberdefaultgroup"], list): commands.append([None, 'automember_default_group_remove', {'type': automember_type}]) else: dn_default_group = [DN(('cn', default_group), ('cn', '%ss' % automember_type), ('cn', 'accounts'), ansible_module.ipa_get_basedn())] if repr(res_find["automemberdefaultgroup"]) != \ repr(dn_default_group): commands.append( [None, 'automember_default_group_set', {'type': automember_type, 'automemberdefaultgroup': default_group}]) else: ansible_module.fail_json(msg="Invalid operation") # Execute commands changed = ansible_module.execute_ipa_commands(commands) # result["failed"] is used only for INCLUDE_RE, EXCLUDE_RE # if entries could not be added that are already there and # if entries could not be removed that are not there. # All other issues like invalid attributes etc. are handled # as exceptions. Therefore the error section is not here as # in other modules. # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), nonposix=dict(required=False, type='bool', default=None), external=dict(required=False, type='bool', default=None), posix=dict(required=False, type='bool', default=None), nomembers=dict(required=False, type='bool', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), service=dict(required=False, type='list', default=None), membermanager_user=dict(required=False, type='list', default=None), membermanager_group=dict(required=False, type='list', default=None), externalmember=dict( required=False, type='list', default=None, aliases=["ipaexternalmember", "external_member"]), action=dict(type="str", default="group", choices=["member", "group"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), mutually_exclusive=[['posix', 'nonposix']], supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get( ansible_module, "ipaadmin_principal", ) ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") gid = module_params_get(ansible_module, "gid") nonposix = module_params_get(ansible_module, "nonposix") external = module_params_get(ansible_module, "external") posix = module_params_get(ansible_module, "posix") nomembers = module_params_get(ansible_module, "nomembers") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") service = module_params_get(ansible_module, "service") membermanager_user = module_params_get(ansible_module, "membermanager_user") membermanager_group = module_params_get(ansible_module, "membermanager_group") externalmember = module_params_get(ansible_module, "externalmember") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one group can be added at a time.") if action == "member": invalid = [ "description", "gid", "posix", "nonposix", "external", "nomembers" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = [ "description", "gid", "posix", "nonposix", "external", "nomembers" ] if action == "group": invalid.extend(["user", "group", "service", "externalmember"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_member_service = api_check_param("group_add_member", "service") if service is not None and not has_add_member_service: ansible_module.fail_json( msg="Managing a service as part of a group is not supported " "by your IPA version") has_add_membermanager = api_check_command("group_add_member_manager") if ((membermanager_user is not None or membermanager_group is not None) and not has_add_membermanager): ansible_module.fail_json( msg="Managing a membermanager user or group is not supported " "by your IPA version") commands = [] for name in names: # Make sure group exists res_find = find_group(ansible_module, name) # Create command if state == "present": # Can't change an existing posix group check_objectclass_args(ansible_module, res_find, nonposix, posix, external) # Generate args args = gen_args(description, gid, nomembers) if action == "group": # Found the group if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if should_modify_group(ansible_module, res_find, args, nonposix, posix, external): if (posix or (nonposix is not None and not nonposix)): args['posix'] = True if external: args['external'] = True commands.append([name, "group_mod", args]) else: if nonposix or (posix is not None and not posix): args['nonposix'] = True if external: args['external'] = True commands.append([name, "group_add", args]) # Set res_find dict for next step res_find = {} # if we just created/modified the group, update res_find res_find.setdefault("objectclass", []) if external and not is_external_group(res_find): res_find["objectclass"].append("ipaexternalgroup") if posix and not is_posix_group(res_find): res_find["objectclass"].append("posixgroup") member_args = gen_member_args(user, group, service, externalmember) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists user_add, user_del = gen_add_del_lists( user, res_find.get("member_user")) group_add, group_del = gen_add_del_lists( group, res_find.get("member_group")) service_add, service_del = gen_add_del_lists( service, res_find.get("member_service")) (externalmember_add, externalmember_del) = gen_add_del_lists( externalmember, res_find.get("member_external")) # setup member args for add/remove members. add_member_args = { "user": user_add, "group": group_add, } del_member_args = { "user": user_del, "group": group_del, } if has_add_member_service: add_member_args["service"] = service_add del_member_args["service"] = service_del if is_external_group(res_find): add_member_args["ipaexternalmember"] = \ externalmember_add del_member_args["ipaexternalmember"] = \ externalmember_del elif externalmember or external: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") # Add members add_members = any([ user_add, group_add, service_add, externalmember_add ]) if add_members: commands.append( [name, "group_add_member", add_member_args]) # Remove members remove_members = any([ user_del, group_del, service_del, externalmember_del ]) if remove_members: commands.append( [name, "group_remove_member", del_member_args]) membermanager_user_add, membermanager_user_del = \ gen_add_del_lists( membermanager_user, res_find.get("membermanager_user") ) membermanager_group_add, membermanager_group_del = \ gen_add_del_lists( membermanager_group, res_find.get("membermanager_group") ) if has_add_membermanager: # Add membermanager users and groups if len(membermanager_user_add) > 0 or \ len(membermanager_group_add) > 0: commands.append([ name, "group_add_member_manager", { "user": membermanager_user_add, "group": membermanager_group_add, } ]) # Remove member manager if len(membermanager_user_del) > 0 or \ len(membermanager_group_del) > 0: commands.append([ name, "group_remove_member_manager", { "user": membermanager_user_del, "group": membermanager_group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) add_member_args = { "user": user, "group": group, } if has_add_member_service: add_member_args["service"] = service if is_external_group(res_find): add_member_args["ipaexternalmember"] = externalmember elif externalmember: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") if any([user, group, service, externalmember]): commands.append( [name, "group_add_member", add_member_args]) if has_add_membermanager: # Add membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "group_add_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) elif state == "absent": if action == "group": if res_find is not None: commands.append([name, "group_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) del_member_args = { "user": user, "group": group, } if has_add_member_service: del_member_args["service"] = service if is_external_group(res_find): del_member_args["ipaexternalmember"] = externalmember elif externalmember: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") if any([user, group, service, externalmember]): commands.append( [name, "group_remove_member", del_member_args]) if has_add_membermanager: # Remove membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "group_remove_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = init_ansible_module() # Get parameters # general names = ansible_module.params_get("name") # service attributes principal = ansible_module.params_get("principal") certificate = ansible_module.params_get("certificate") pac_type = ansible_module.params_get("pac_type", allow_empty_string=True) auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True) skip_host_check = ansible_module.params_get("skip_host_check") force = ansible_module.params_get("force") requires_pre_auth = ansible_module.params_get("requires_pre_auth") ok_as_delegate = ansible_module.params_get("ok_as_delegate") ok_to_auth_as_delegate = ansible_module.params_get( "ok_to_auth_as_delegate") smb = ansible_module.params_get("smb") netbiosname = ansible_module.params_get("netbiosname") host = ansible_module.params_get("host") delete_continue = ansible_module.params_get("delete_continue") # action action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # check parameters check_parameters(ansible_module, state, action, names) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): has_skip_host_check = ansible_module.ipa_command_param_exists( "service_add", "skip_host_check") if skip_host_check and not has_skip_host_check: ansible_module.fail_json( msg="Skipping host check is not supported by your IPA version") commands = [] keytab_members = ["user", "group", "host", "hostgroup"] for name in names: res_find = find_service(ansible_module, name) res_principals = [] keytab = { "retrieve": { "allow": {k: [] for k in keytab_members}, "disallow": {k: [] for k in keytab_members}, }, "create": { "allow": {k: [] for k in keytab_members}, "disallow": {k: [] for k in keytab_members}, }, } certificate_add, certificate_del = [], [] host_add, host_del = [], [] principal_add, principal_del = [], [] if principal and res_find: # When comparing principals to the existing ones, # the REALM is needded, and are added here for those # that do not have it. principal = [ p if "@" in p else "%s@%s" % (p, api_get_realm()) for p in principal ] principal = list(set(principal)) # Create list of existing principal aliases as strings # to compare with provided ones. canonicalname = { to_text(p) for p in res_find.get("krbcanonicalname", []) } res_principals = [ to_text(elem) for elem in res_find.get("krbprincipalname", []) ] res_principals = list(set(res_principals) - canonicalname) if state == "present": if action == "service": args = gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate) if not has_skip_host_check and 'skip_host_check' in args: del args['skip_host_check'] if smb: if res_find is None: _name = "cifs/" + name res_find = find_service(ansible_module, _name) if res_find is None: _args = gen_args_smb(netbiosname, ok_as_delegate, ok_to_auth_as_delegate) commands.append( [name, 'service_add_smb', _args]) res_find = {} # service_add_smb will prefix 'name' with # "cifs/", so we will need to change it here, # so that service_mod, if called later, works. name = _name if res_find is None: commands.append([name, 'service_add', args]) # Use an empty res_find to manage members res_find = {} else: for remove in ['skip_host_check', 'force']: if remove in args: del args[remove] if ("ipakrbauthzdata" in args and (args.get("ipakrbauthzdata", [""]) == res_find.get( "ipakrbauthzdata", [""]))): del args["ipakrbauthzdata"] if ("krbprincipalauthind" in args and (args.get("krbprincipalauthind", [""]) == res_find.get("krbprincipalauthind", [""]))): del args["krbprincipalauthind"] if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "service_mod", args]) # Manage members certificate_add, certificate_del = gen_add_del_lists( certificate, res_find.get("usercertificate")) host_add, host_del = gen_add_del_lists( host, res_find.get('managedby_host')) principal_add, principal_del = gen_add_del_lists( principal, res_principals) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) certificate_add = gen_add_list( certificate, res_find.get("usercertificate")) host_add = gen_add_list(host, res_find.get('managedby_host')) principal_add = gen_add_list(principal, res_principals) # get keytab management lists for any 'action'. for perm in ["create", "retrieve"]: oper = "write" if perm == "create" else "read" for key in ["user", "group", "host", "hostgroup"]: add_list, del_list = (gen_add_del_lists( ansible_module.params_get("allow_%s_keytab_%s" % (perm, key)), res_find.get('ipaallowedtoperform_%s_keys_%s' % (oper, key)))) keytab[perm]["allow"][key] = add_list # Only remove members if action is 'service' if action == "service": keytab[perm]["disallow"][key] = del_list elif state == "absent": if action == "service": if res_find is not None: args = {'continue': delete_continue} commands.append([name, 'service_del', args]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) principal_del = gen_intersection_list( principal, res_principals) certificate_del = gen_intersection_list( certificate, res_find.get("usercertificate")) host_del = gen_intersection_list( host, res_find.get("managedby_host")) for perm in ["create", "retrieve"]: oper = "write" if perm == "create" else "read" for key in ["user", "group", "host", "hostgroup"]: res_param = ('ipaallowedtoperform_%s_keys_%s' % (oper, key)) module_params = ansible_module.params_get( "allow_%s_keytab_%s" % (perm, key)) existing = res_find.get(res_param) del_list = (gen_intersection_list( module_params, existing)) keytab[perm]["disallow"][key] = del_list elif state == "disabled": if action == "service": if res_find is not None: has_cert = bool(res_find.get('usercertificate')) has_keytab = res_find.get('has_keytab', False) if has_cert or has_keytab: commands.append([name, 'service_disable', {}]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) # Members are not managed when disabling service. # Continue with next 'name'. continue else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Manage members if principal_add: commands.append([ name, "service_add_principal", { "krbprincipalname": principal_add } ]) if principal_del: commands.append([ name, "service_remove_principal", { "krbprincipalname": principal_del } ]) if certificate_add: commands.append([ name, "service_add_cert", { "usercertificate": certificate_add } ]) if certificate_del: commands.append([ name, "service_remove_cert", { "usercertificate": certificate_del } ]) if host_add: commands.append([name, "service_add_host", {"host": host_add}]) if host_del: commands.append( [name, "service_remove_host", { "host": host_del }]) # manage keytab permissions. for perm in ["create", "retrieve"]: for mode in ["allow", "disallow"]: for key in ["user", "group", "host", "hostgroup"]: if keytab[perm][mode][key]: commands.append([ name, "service_%s_%s_keytab" % (mode, perm), keytab[perm][mode] ]) break # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands changed = ansible_module.execute_ipa_commands( commands, fail_on_member_errors=True) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present right=dict(type="list", aliases=["ipapermright"], default=None, required=False, choices=[ "read", "search", "compare", "write", "add", "delete", "all" ]), attrs=dict(type="list", default=None, required=False), # Note: bindtype has a default of permission for Adds. bindtype=dict(type="str", aliases=["ipapermbindruletype"], default=None, require=False, choices=["permission", "all", "anonymous", "self"]), subtree=dict(type="str", aliases=["ipapermlocation"], default=None, required=False), extra_target_filter=dict(type="list", aliases=["filter", "extratargetfilter"], default=None, required=False), rawfilter=dict(type="list", aliases=["ipapermtargetfilter"], default=None, required=False), target=dict(type="str", aliases=["ipapermtarget"], default=None, required=False), targetto=dict(type="str", aliases=["ipapermtargetto"], default=None, required=False), targetfrom=dict(type="str", aliases=["ipapermtargetfrom"], default=None, required=False), memberof=dict(type="list", default=None, required=False), targetgroup=dict(type="str", default=None, required=False), object_type=dict(type="str", aliases=["type"], default=None, required=False), no_members=dict(type=bool, default=None, require=False), rename=dict(type="str", default=None, required=False), privilege=dict(type="list", default=None, required=False), action=dict(type="str", default="permission", choices=["member", "permission"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present right = module_params_get(ansible_module, "right") attrs = module_params_get(ansible_module, "attrs") bindtype = module_params_get(ansible_module, "bindtype") subtree = module_params_get(ansible_module, "subtree") extra_target_filter = module_params_get(ansible_module, "extra_target_filter") rawfilter = module_params_get(ansible_module, "rawfilter") target = module_params_get(ansible_module, "target") targetto = module_params_get(ansible_module, "targetto") targetfrom = module_params_get(ansible_module, "targetfrom") memberof = module_params_get(ansible_module, "memberof") targetgroup = module_params_get(ansible_module, "targetgroup") object_type = module_params_get(ansible_module, "object_type") no_members = module_params_get(ansible_module, "no_members") rename = module_params_get(ansible_module, "rename") privilege = module_params_get(ansible_module, "privilege") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one permission can be added at a time.") if action == "member": invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "rename" ] if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one permission can be renamed at a time.") if action == "member": ansible_module.fail_json(msg="Member Privileges cannot be renamed") invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "no_members" ] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = [ "right", "attrs", "bindtype", "subtree", "extra_target_filter", "rawfilter", "target", "targetto", "targetfrom", "memberof", "targetgroup", "object_type", "no_members", "rename" ] if action == "permission": invalid.append("privilege") for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) if bindtype == "self" and api_check_ipa_version("<", "4.8.7"): ansible_module.fail_json( msg="Bindtype 'self' is not supported by your IPA version.") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure permission exists res_find = find_permission(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(right, attrs, bindtype, subtree, extra_target_filter, rawfilter, target, targetto, targetfrom, memberof, targetgroup, object_type, no_members, rename) no_members_value = False if no_members is not None: no_members_value = no_members if action == "permission": # Found the permission if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "permission_mod", args]) else: commands.append([name, "permission_add", args]) member_args = gen_member_args(privilege) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists privilege_add, privilege_del = gen_add_del_lists( privilege, res_find.get("member_privilege")) # Add members if len(privilege_add) > 0: commands.append([ name, "permission_add_member", { "privilege": privilege_add, "no_members": no_members_value } ]) # Remove members if len(privilege_del) > 0: commands.append([ name, "permission_remove_member", { "privilege": privilege_del, "no_members": no_members_value } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No permission '%s'" % name) if privilege is None: ansible_module.fail_json(msg="No privilege given") commands.append([ name, "permission_add_member", { "privilege": privilege, "no_members": no_members_value } ]) else: ansible_module.fail_json(msg="Unknown action '%s'" % action) elif state == "renamed": if action == "permission": # Generate args # Note: Only valid arg for rename is rename. args = gen_args(right, attrs, bindtype, subtree, extra_target_filter, rawfilter, target, targetto, targetfrom, memberof, targetgroup, object_type, no_members, rename) # Found the permission if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "permission_mod", args]) else: ansible_module.fail_json( msg="Permission not found, cannot rename") else: ansible_module.fail_json(msg="Unknown action '%s'" % action) elif state == "absent": if action == "permission": if res_find is not None: commands.append([name, "permission_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No permission '%s'" % name) if privilege is None: ansible_module.fail_json(msg="No privilege given") commands.append([ name, "permission_remove_member", { "privilege": privilege, } ]) else: ansible_module.fail_json(msg="Unknown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # generalgroups ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(required=False, type="str", default=None), vault_type=dict(type="str", aliases=["ipavaulttype"], default=None, required=False, choices=["standard", "symmetric", "asymmetric"]), vault_public_key=dict(type="str", required=False, default=None, aliases=['ipavaultpublickey', 'public_key']), vault_public_key_file=dict(type="str", required=False, default=None, aliases=['public_key_file']), vault_private_key=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultprivatekey', 'private_key']), vault_private_key_file=dict(type="str", required=False, default=None, aliases=['private_key_file']), vault_salt=dict(type="str", required=False, default=None, aliases=['ipavaultsalt', 'salt']), username=dict(type="str", required=False, default=None, aliases=['user']), service=dict(type="str", required=False, default=None), shared=dict(type="bool", required=False, default=None), users=dict(required=False, type='list', default=None), groups=dict(required=False, type='list', default=None), services=dict(required=False, type='list', default=None), owners=dict(required=False, type='list', default=None, aliases=['ownerusers']), ownergroups=dict(required=False, type='list', default=None), ownerservices=dict(required=False, type='list', default=None), vault_data=dict(type="str", required=False, default=None, no_log=True, aliases=['ipavaultdata', 'data']), datafile_in=dict(type="str", required=False, default=None, aliases=['in']), datafile_out=dict(type="str", required=False, default=None, aliases=['out']), vault_password=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultpassword', 'password', "old_password"]), vault_password_file=dict( type="str", required=False, default=None, no_log=False, aliases=['password_file', "old_password_file"]), new_password=dict(type="str", required=False, default=None, no_log=True), new_password_file=dict(type="str", required=False, default=None, no_log=False), # state action=dict(type="str", default="vault", choices=["vault", "data", "member"]), state=dict(type="str", default="present", choices=["present", "absent", "retrieved"]), ), supports_check_mode=True, mutually_exclusive=[['username', 'service', 'shared'], ['datafile_in', 'vault_data'], ['new_password', 'new_password_file'], ['vault_password', 'vault_password_file'], ['vault_public_key', 'vault_public_key_file']], ) ansible_module._ansible_debug = True # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") username = module_params_get(ansible_module, "username") service = module_params_get(ansible_module, "service") shared = module_params_get(ansible_module, "shared") users = module_params_get(ansible_module, "users") groups = module_params_get(ansible_module, "groups") services = module_params_get(ansible_module, "services") owners = module_params_get(ansible_module, "owners") ownergroups = module_params_get(ansible_module, "ownergroups") ownerservices = module_params_get(ansible_module, "ownerservices") vault_type = module_params_get(ansible_module, "vault_type") salt = module_params_get(ansible_module, "vault_salt") password = module_params_get(ansible_module, "vault_password") password_file = module_params_get(ansible_module, "vault_password_file") new_password = module_params_get(ansible_module, "new_password") new_password_file = module_params_get(ansible_module, "new_password_file") public_key = module_params_get(ansible_module, "vault_public_key") public_key_file = module_params_get(ansible_module, "vault_public_key_file") private_key = module_params_get(ansible_module, "vault_private_key") private_key_file = module_params_get(ansible_module, "vault_private_key_file") vault_data = module_params_get(ansible_module, "vault_data") datafile_in = module_params_get(ansible_module, "datafile_in") datafile_out = module_params_get(ansible_module, "datafile_out") action = module_params_get(ansible_module, "action") state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be added at a time.") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") elif state == "retrieved": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be retrieved at a time.") else: ansible_module.fail_json(msg="Invalid state '%s'" % state) check_parameters(ansible_module, state, action, description, username, service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) # Need to set krb5 ccache name, due to context='ansible-freeipa' if ccache_name is not None: os.environ["KRB5CCNAME"] = ccache_name api_connect(context='ansible-freeipa') commands = [] for name in names: # Make sure vault exists res_find = find_vault(ansible_module, name, username, service, shared) # Generate args args = gen_args(description, username, service, shared, vault_type, salt, password, password_file, public_key, public_key_file, vault_data, datafile_in, datafile_out) pwdargs = None # Set default vault_type if needed. if vault_type is None and vault_data is not None: if res_find is not None: res_vault_type = res_find.get('ipavaulttype')[0] args['ipavaulttype'] = vault_type = res_vault_type else: args['ipavaulttype'] = vault_type = u"symmetric" # Create command if state == "present": # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) # Found the vault if action == "vault": if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "vault_mod_internal", args]) else: if vault_type == 'symmetric' \ and 'ipavaultsalt' not in args: args['ipavaultsalt'] = os.urandom(32) commands.append([name, "vault_add_internal", args]) if vault_type != 'standard' and vault_data is None: vault_data = '' # Set res_find to empty dict for next steps res_find = {} # Generate adittion and removal lists user_add, user_del = \ gen_add_del_lists(users, res_find.get('member_user', [])) group_add, group_del = \ gen_add_del_lists(groups, res_find.get('member_group', [])) service_add, service_del = \ gen_add_del_lists(services, res_find.get('member_service', [])) owner_add, owner_del = \ gen_add_del_lists(owners, res_find.get('owner_user', [])) ownergroups_add, ownergroups_del = \ gen_add_del_lists(ownergroups, res_find.get('owner_group', [])) ownerservice_add, ownerservice_del = \ gen_add_del_lists(ownerservices, res_find.get('owner_service', [])) # Add users and groups user_add_args = gen_member_args(args, user_add, group_add, service_add) if user_add_args is not None: commands.append( [name, 'vault_add_member', user_add_args]) # Remove users and groups user_del_args = gen_member_args(args, user_del, group_del, service_del) if user_del_args is not None: commands.append( [name, 'vault_remove_member', user_del_args]) # Add owner users and groups owner_add_args = gen_member_args(args, owner_add, ownergroups_add, ownerservice_add) if owner_add_args is not None: commands.append( [name, 'vault_add_owner', owner_add_args]) # Remove owner users and groups owner_del_args = gen_member_args(args, owner_del, ownergroups_del, ownerservice_del) if owner_del_args is not None: commands.append( [name, 'vault_remove_owner', owner_del_args]) elif action in "member": # Add users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append([name, 'vault_add_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append([name, 'vault_add_owner', owner_args]) pwdargs = data_storage_args(args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) if any([vault_data, datafile_in]): commands.append([name, "vault_archive", pwdargs]) cmds = change_password(ansible_module, res_find, password, password_file, new_password, new_password_file) commands.extend(cmds) elif state == "retrieved": if res_find is None: ansible_module.fail_json( msg="Vault `%s` not found to retrieve data." % name) # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) pwdargs = data_storage_args(args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) if 'data' in pwdargs: del pwdargs['data'] commands.append([name, "vault_retrieve", pwdargs]) elif state == "absent": if 'ipavaulttype' in args: del args['ipavaulttype'] if action == "vault": if res_find is not None: commands.append([name, "vault_del", args]) elif action == "member": # remove users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append( [name, 'vault_remove_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append( [name, 'vault_remove_owner', owner_args]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unknown state '%s'" % state) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if command == 'vault_archive': changed = 'Archived data into' in result['summary'] elif command == 'vault_retrieve': if 'result' not in result: raise Exception("No result obtained.") if "data" in result["result"]: data_return = exit_args.setdefault("vault", {}) data_return["data"] = result["result"]["data"] else: if not datafile_out: raise Exception("No data retrieved.") changed = False else: if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except EmptyModlist: result = {} except Exception as exception: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(exception))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as exception: ansible_module.fail_json(msg=str(exception)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), inclusive=dict(type="list", aliases=["automemberinclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), exclusive=dict(type="list", aliases=[ "automemberexclusiveregex"], default=None, options=dict( key=dict(type="str", required=True), expression=dict(type="str", required=True) ), elements="dict", required=False), name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(type="str", default=None), automember_type=dict(type='str', required=False, choices=['group', 'hostgroup']), action=dict(type="str", default="automember", choices=["member", "automember"]), state=dict(type="str", default="present", choices=["present", "absent", "rebuild"]), users=dict(type="list", default=None), hosts=dict(type="list", default=None), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # conditions inclusive = ansible_module.params.get("inclusive") exclusive = ansible_module.params.get("exclusive") # action action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # grouping/type automember_type = ansible_module.params.get("automember_type") rebuild_users = ansible_module.params.get("users") rebuild_hosts = ansible_module.params.get("hosts") if (rebuild_hosts or rebuild_users) and state != "rebuild": ansible_module.fail_json( msg="'hosts' and 'users' are only valid with state: rebuild") if not automember_type and state != "rebuild": ansible_module.fail_json( msg="'automember_type' is required unless state: rebuild") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None res_find = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure automember rule exists res_find = find_automember(ansible_module, name, automember_type) # Check inclusive and exclusive conditions if inclusive is not None or exclusive is not None: # automember_type is either "group" or "hostgorup" if automember_type == "group": _type = "user" elif automember_type == "hostgroup": _type = "host" else: ansible_module.fail_json( msg="Bad automember type '%s'" % automember_type) try: aciattrs = api_command( ansible_module, "json_metadata", to_text(_type), {} )['objects'][_type]['aciattrs'] except Exception as ex: ansible_module.fail_json( msg="%s: %s: %s" % ("json_metadata", _type, str(ex))) check_condition_keys(ansible_module, inclusive, aciattrs) check_condition_keys(ansible_module, exclusive, aciattrs) # Create command if state == 'present': args = gen_args(description, automember_type) if action == "automember": if res_find is not None: if not compare_args_ipa(ansible_module, args, res_find, ignore=['type']): commands.append([name, 'automember_mod', args]) else: commands.append([name, 'automember_add', args]) res_find = {} inclusive_add, inclusive_del = gen_add_del_lists( transform_conditions(inclusive or []), res_find.get("automemberinclusiveregex", []) ) exclusive_add, exclusive_del = gen_add_del_lists( transform_conditions(exclusive or []), res_find.get("automemberexclusiveregex", []) ) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) inclusive_add = transform_conditions(inclusive or []) inclusive_del = [] exclusive_add = transform_conditions(exclusive or []) exclusive_del = [] for _inclusive in inclusive_add: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _inclusive in inclusive_del: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) for _exclusive in exclusive_add: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_add_condition', condition_args]) for _exclusive in exclusive_del: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) elif state == 'absent': if action == "automember": if res_find is not None: commands.append([name, 'automember_del', {'type': to_text(automember_type)}]) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No automember '%s'" % name) if inclusive is not None: for _inclusive in transform_conditions(inclusive): key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) if exclusive is not None: for _exclusive in transform_conditions(exclusive): key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([name, 'automember_remove_condition', condition_args]) elif state == "rebuild": if automember_type: commands.append([None, 'automember_rebuild', {"type": to_text(automember_type)}]) if rebuild_users: commands.append([None, 'automember_rebuild', {"users": [ to_text(_u) for _u in rebuild_users]}]) if rebuild_hosts: commands.append([None, 'automember_rebuild', {"hosts": [ to_text(_h) for _h in rebuild_hosts]}]) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) for name, command, args in commands: try: if name is None: result = api_command_no_name(ansible_module, command, args) else: result = api_command(ansible_module, command, to_text(name), args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # result["failed"] is used only for INCLUDE_RE, EXCLUDE_RE # if entries could not be added that are already there and # it entries could not be removed that are not there. # All other issues like invalid attributes etc. are handled # as exceptions. Therefore the error section is not here as # in other modules. except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = init_ansible_module() # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # service attributes principal = module_params_get(ansible_module, "principal") certificate = module_params_get(ansible_module, "certificate") pac_type = module_params_get(ansible_module, "pac_type") auth_ind = module_params_get(ansible_module, "auth_ind") skip_host_check = module_params_get(ansible_module, "skip_host_check") force = module_params_get(ansible_module, "force") requires_pre_auth = module_params_get(ansible_module, "requires_pre_auth") ok_as_delegate = module_params_get(ansible_module, "ok_as_delegate") ok_to_auth_as_delegate = module_params_get(ansible_module, "ok_to_auth_as_delegate") smb = module_params_get(ansible_module, "smb") netbiosname = module_params_get(ansible_module, "netbiosname") host = module_params_get(ansible_module, "host") allow_create_keytab_user = module_params_get(ansible_module, "allow_create_keytab_user") allow_create_keytab_group = module_params_get(ansible_module, "allow_create_keytab_group") allow_create_keytab_host = module_params_get(ansible_module, "allow_create_keytab_host") allow_create_keytab_hostgroup = module_params_get( ansible_module, "allow_create_keytab_hostgroup") allow_retrieve_keytab_user = module_params_get( ansible_module, "allow_retrieve_keytab_user") allow_retrieve_keytab_group = module_params_get( ansible_module, "allow_retrieve_keytab_group") allow_retrieve_keytab_host = module_params_get( ansible_module, "allow_retrieve_keytab_host") allow_retrieve_keytab_hostgroup = module_params_get( ansible_module, "allow_retrieve_keytab_hostgroup") delete_continue = module_params_get(ansible_module, "delete_continue") # action action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # check parameters check_parameters(ansible_module, state, action, names, vars()) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_skip_host_check = api_check_param("service_add", "skip_host_check") if skip_host_check and not has_skip_host_check: ansible_module.fail_json( msg="Skipping host check is not supported by your IPA version") commands = [] for name in names: res_find = find_service(ansible_module, name, netbiosname) if state == "present": # if service exists, 'smb' cannot be used. if action == "service": args = gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate) if not has_skip_host_check and 'skip_host_check' in args: del args['skip_host_check'] if res_find is None: if smb: if netbiosname is not None: args['ipantflatname'] = netbiosname commands.append([name, 'service_add_smb', args]) else: commands.append([name, 'service_add', args]) certificate_add = certificate or [] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] else: for remove in ['skip_host_check', 'force']: if remove in args: del args[remove] if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "service_mod", args]) certificate_add, certificate_del = gen_add_del_lists( certificate, res_find.get("usercertificate")) host_add, host_del = gen_add_del_lists( host, res_find.get('managedby_host', [])) principal_add, principal_del = gen_add_del_lists( principal, res_find.get("principal")) (allow_create_keytab_user_add, allow_create_keytab_user_del) = \ gen_add_del_lists( allow_create_keytab_user, res_find.get( 'ipaallowedtoperform_write_keys_user', [])) (allow_retrieve_keytab_user_add, allow_retrieve_keytab_user_del) = \ gen_add_del_lists( allow_retrieve_keytab_user, res_find.get( 'ipaallowedtoperform_read_keys_user', [])) (allow_create_keytab_group_add, allow_create_keytab_group_del) = \ gen_add_del_lists( allow_create_keytab_group, res_find.get( 'ipaallowedtoperform_write_keys_group', [])) (allow_retrieve_keytab_group_add, allow_retrieve_keytab_group_del) = \ gen_add_del_lists( allow_retrieve_keytab_group, res_find.get( 'ipaallowedtoperform_read_keys_group', [])) (allow_create_keytab_host_add, allow_create_keytab_host_del) = \ gen_add_del_lists( allow_create_keytab_host, res_find.get( 'ipaallowedtoperform_write_keys_host', [])) (allow_retrieve_keytab_host_add, allow_retrieve_keytab_host_del) = \ gen_add_del_lists( allow_retrieve_keytab_host, res_find.get( 'ipaallowedtoperform_read_keys_host', [])) (allow_create_keytab_hostgroup_add, allow_create_keytab_hostgroup_del) = \ gen_add_del_lists( allow_create_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_write_keys_hostgroup', [])) (allow_retrieve_keytab_hostgroup_add, allow_retrieve_keytab_hostgroup_del) = \ gen_add_del_lists( allow_retrieve_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_read_keys_hostgroup', [])) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) existing = res_find.get('usercertificate', []) if certificate is None: certificate_add = [] else: certificate_add = [ c for c in certificate if c not in existing ] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] # Add principals for _principal in principal_add: commands.append([ name, "service_add_principal", { "krbprincipalname": _principal, } ]) # Remove principals for _principal in principal_del: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) for _certificate in certificate_add: commands.append([ name, "service_add_cert", { "usercertificate": _certificate, } ]) # Remove certificates for _certificate in certificate_del: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts. if host is not None and len(host) > 0 and len(host_add) > 0: commands.append( [name, "service_add_host", { "host": host_add }]) # Remove hosts if host is not None and len(host) > 0 and len(host_del) > 0: commands.append( [name, "service_remove_host", { "host": host_del }]) # Allow create keytab if len(allow_create_keytab_user_add) > 0 or \ len(allow_create_keytab_group_add) > 0 or \ len(allow_create_keytab_host_add) > 0 or \ len(allow_create_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_create_keytab", { 'user': allow_create_keytab_user_add, 'group': allow_create_keytab_group_add, 'host': allow_create_keytab_host_add, 'hostgroup': allow_create_keytab_hostgroup_add } ]) # Disallow create keytab if len(allow_create_keytab_user_del) > 0 or \ len(allow_create_keytab_group_del) > 0 or \ len(allow_create_keytab_host_del) > 0 or \ len(allow_create_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user_del, 'group': allow_create_keytab_group_del, 'host': allow_create_keytab_host_del, 'hostgroup': allow_create_keytab_hostgroup_del } ]) # Allow retrieve keytab if len(allow_retrieve_keytab_user_add) > 0 or \ len(allow_retrieve_keytab_group_add) > 0 or \ len(allow_retrieve_keytab_host_add) > 0 or \ len(allow_retrieve_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_add, 'group': allow_retrieve_keytab_group_add, 'host': allow_retrieve_keytab_host_add, 'hostgroup': allow_retrieve_keytab_hostgroup_add } ]) # Disllow retrieve keytab if len(allow_retrieve_keytab_user_del) > 0 or \ len(allow_retrieve_keytab_group_del) > 0 or \ len(allow_retrieve_keytab_host_del) > 0 or \ len(allow_retrieve_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_del, 'group': allow_retrieve_keytab_group_del, 'host': allow_retrieve_keytab_host_del, 'hostgroup': allow_retrieve_keytab_hostgroup_del } ]) elif state == "absent": if action == "service": if res_find is not None: args = {'continue': True if delete_continue else False} commands.append([name, 'service_del', args]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) # Remove principals if principal is not None: for _principal in principal: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) # Remove certificates if certificate is not None: existing = res_find.get('usercertificate', []) for _certificate in certificate: if _certificate in existing: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts if host is not None: commands.append( [name, "service_remove_host", { "host": host }]) # Allow create keytab if allow_create_keytab_user is not None or \ allow_create_keytab_group is not None or \ allow_create_keytab_host is not None or \ allow_create_keytab_hostgroup is not None: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user, 'group': allow_create_keytab_group, 'host': allow_create_keytab_host, 'hostgroup': allow_create_keytab_hostgroup } ]) # Allow retriev keytab if allow_retrieve_keytab_user is not None or \ allow_retrieve_keytab_group is not None or \ allow_retrieve_keytab_host is not None or \ allow_retrieve_keytab_hostgroup is not None: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user, 'group': allow_retrieve_keytab_group, 'host': allow_retrieve_keytab_host, 'hostgroup': allow_retrieve_keytab_hostgroup } ]) elif state == "disabled": if action == "service": if res_find is not None: has_cert = bool(res_find.get('usercertificate')) has_keytab = res_find.get('has_keytab', False) if has_cert or has_keytab: commands.append([name, 'service_disable', {}]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as ex: ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), usercategory=dict(type="str", default=None, aliases=["usercat"], choices=["all", ""]), hostcategory=dict(type="str", default=None, aliases=["hostcat"], choices=["all", ""]), servicecategory=dict(type="str", default=None, aliases=["servicecat"], choices=["all", ""]), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), hbacsvc=dict(required=False, type='list', default=None), hbacsvcgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), action=dict(type="str", default="hbacrule", choices=["member", "hbacrule"]), # state state=dict(type="str", default="present", choices=["present", "absent", "enabled", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") usercategory = ansible_module.params_get("usercategory") hostcategory = ansible_module.params_get("hostcategory") servicecategory = ansible_module.params_get("servicecategory") nomembers = ansible_module.params_get("nomembers") host = ansible_module.params_get_lowercase("host") hostgroup = ansible_module.params_get_lowercase("hostgroup") hbacsvc = ansible_module.params_get_lowercase("hbacsvc") hbacsvcgroup = ansible_module.params_get_lowercase("hbacsvcgroup") user = ansible_module.params_get_lowercase("user") group = ansible_module.params_get_lowercase("group") action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hbacrule can be added at a time.") if action == "member": invalid = [ "description", "usercategory", "hostcategory", "servicecategory", "nomembers" ] else: if hostcategory == 'all' and any([host, hostgroup]): ansible_module.fail_json( msg="Hosts cannot be added when host category='all'") if usercategory == 'all' and any([user, group]): ansible_module.fail_json( msg="Users cannot be added when user category='all'") if servicecategory == 'all' and any([hbacsvc, hbacsvcgroup]): ansible_module.fail_json( msg="Services cannot be added when service category='all'") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = [ "description", "usercategory", "hostcategory", "servicecategory", "nomembers" ] if action == "hbacrule": invalid.extend([ "host", "hostgroup", "hbacsvc", "hbacsvcgroup", "user", "group" ]) elif state in ["enabled", "disabled"]: if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "member": ansible_module.fail_json( msg="Action member can not be used with states enabled and " "disabled") invalid = [ "description", "usercategory", "hostcategory", "servicecategory", "nomembers", "host", "hostgroup", "hbacsvc", "hbacsvcgroup", "user", "group" ] else: ansible_module.fail_json(msg="Invalid state '%s'" % state) ansible_module.params_fail_used_invalid(invalid, state, action) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): # Get default domain default_domain = ansible_module.ipa_get_domain() # Ensure fqdn host names, use default domain for simple names if host is not None: _host = [ensure_fqdn(x, default_domain).lower() for x in host] host = _host commands = [] for name in names: # Make sure hbacrule exists res_find = find_hbacrule(ansible_module, name) host_add, host_del = [], [] hostgroup_add, hostgroup_del = [], [] hbacsvc_add, hbacsvc_del = [], [] hbacsvcgroup_add, hbacsvcgroup_del = [], [] user_add, user_del = [], [] group_add, group_del = [], [] # Create command if state == "present": # Generate args args = gen_args(description, usercategory, hostcategory, servicecategory, nomembers) if action == "hbacrule": # Found the hbacrule if res_find is not None: # Remove usercategory, hostcategory and # servicecategory from args if "" and category # not in res_find (needed for idempotency) if "usercategory" in args and \ args["usercategory"] == "" and \ "usercategory" not in res_find: del args["usercategory"] if "hostcategory" in args and \ args["hostcategory"] == "" and \ "hostcategory" not in res_find: del args["hostcategory"] if "servicecategory" in args and \ args["servicecategory"] == "" and \ "servicecategory" not in res_find: del args["servicecategory"] # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hbacrule_mod", args]) else: commands.append([name, "hbacrule_add", args]) # Set res_find to empty dict for next step res_find = {} # Generate addition and removal lists if host is not None: host_add, host_del = gen_add_del_lists( host, res_find.get("memberhost_host")) if hostgroup is not None: hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get("memberhost_hostgroup")) if hbacsvc is not None: hbacsvc_add, hbacsvc_del = gen_add_del_lists( hbacsvc, res_find.get("memberservice_hbacsvc")) if hbacsvcgroup is not None: hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists( hbacsvcgroup, res_find.get("memberservice_hbacsvcgroup")) if user is not None: user_add, user_del = gen_add_del_lists( user, res_find.get("memberuser_user")) if group is not None: group_add, group_del = gen_add_del_lists( group, res_find.get("memberuser_group")) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # Generate add lists for host, hostgroup and # res_find to only try to add hosts and hostgroups # that not in hbacrule already if host: host_add = gen_add_list( host, res_find.get("memberhost_host")) if hostgroup: hostgroup_add = gen_add_list( hostgroup, res_find.get("memberhost_hostgroup")) # Generate add lists for hbacsvc, hbacsvcgroup and # res_find to only try to add hbacsvcs and hbacsvcgroups # that not in hbacrule already if hbacsvc: hbacsvc_add = gen_add_list( hbacsvc, res_find.get("memberservice_hbacsvc")) if hbacsvcgroup: hbacsvcgroup_add = gen_add_list( hbacsvcgroup, res_find.get("memberservice_hbacsvcgroup")) # Generate add lists for user, group and # res_find to only try to add users and groups # that not in hbacrule already if user: user_add = gen_add_list( user, res_find.get("memberuser_user")) if group: group_add = gen_add_list( group, res_find.get("memberuser_group")) elif state == "absent": if action == "hbacrule": if res_find is not None: commands.append([name, "hbacrule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # Generate intersection lists for host, hostgroup and # res_find to only try to remove hosts and hostgroups # that are in hbacrule if host: if "memberhost_host" in res_find: host_del = gen_intersection_list( host, res_find["memberhost_host"]) if hostgroup: if "memberhost_hostgroup" in res_find: hostgroup_del = gen_intersection_list( hostgroup, res_find["memberhost_hostgroup"]) # Generate intersection lists for hbacsvc, hbacsvcgroup # and res_find to only try to remove hbacsvcs and # hbacsvcgroups that are in hbacrule if hbacsvc: if "memberservice_hbacsvc" in res_find: hbacsvc_del = gen_intersection_list( hbacsvc, res_find["memberservice_hbacsvc"]) if hbacsvcgroup: if "memberservice_hbacsvcgroup" in res_find: hbacsvcgroup_del = gen_intersection_list( hbacsvcgroup, res_find["memberservice_hbacsvcgroup"]) # Generate intersection lists for user, group and # res_find to only try to remove users and groups # that are in hbacrule if user: if "memberuser_user" in res_find: user_del = gen_intersection_list( user, res_find["memberuser_user"]) if group: if "memberuser_group" in res_find: group_del = gen_intersection_list( group, res_find["memberuser_group"]) elif state == "enabled": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # hbacrule_enable is not failing on an enabled hbacrule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "TRUE": commands.append([name, "hbacrule_enable", {}]) elif state == "disabled": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # hbacrule_disable is not failing on an disabled hbacrule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "FALSE": commands.append([name, "hbacrule_disable", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Manage HBAC rule members. # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([ name, "hbacrule_add_host", { "host": host_add, "hostgroup": hostgroup_add, } ]) # Remove hosts and hostgroups if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([ name, "hbacrule_remove_host", { "host": host_del, "hostgroup": hostgroup_del, } ]) # Add hbacsvcs and hbacsvcgroups if len(hbacsvc_add) > 0 or len(hbacsvcgroup_add) > 0: commands.append([ name, "hbacrule_add_service", { "hbacsvc": hbacsvc_add, "hbacsvcgroup": hbacsvcgroup_add, } ]) # Remove hbacsvcs and hbacsvcgroups if len(hbacsvc_del) > 0 or len(hbacsvcgroup_del) > 0: commands.append([ name, "hbacrule_remove_service", { "hbacsvc": hbacsvc_del, "hbacsvcgroup": hbacsvcgroup_del, } ]) # Add users and groups if len(user_add) > 0 or len(group_add) > 0: commands.append([ name, "hbacrule_add_user", { "user": user_add, "group": group_add, } ]) # Remove users and groups if len(user_del) > 0 or len(group_del) > 0: commands.append([ name, "hbacrule_remove_user", { "user": user_del, "group": group_del, } ]) # Execute commands changed = ansible_module.execute_ipa_commands( commands, fail_on_member_errors=True) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), nomembers=dict(required=False, type='bool', default=None), hbacsvc=dict(required=False, type='list', default=None), action=dict(type="str", default="hbacsvcgroup", choices=["member", "hbacsvcgroup"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") nomembers = ansible_module.params_get("nomembers") hbacsvc = ansible_module.params_get_lowercase("hbacsvc") action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hbacsvcgroup can be added at a time.") if action == "member": invalid = ["description", "nomembers"] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "nomembers"] if action == "hbacsvcgroup": invalid.extend(["hbacsvc"]) ansible_module.params_fail_used_invalid(invalid, state, action) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure hbacsvcgroup exists res_find = find_hbacsvcgroup(ansible_module, name) hbacsvc_add, hbacsvc_del = [], [] # Create command if state == "present": # Generate args args = gen_args(description, nomembers) if action == "hbacsvcgroup": # Found the hbacsvcgroup if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hbacsvcgroup_mod", args]) else: commands.append([name, "hbacsvcgroup_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(hbacsvc) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists if hbacsvc is not None: hbacsvc_add, hbacsvc_del = gen_add_del_lists( hbacsvc, res_find.get("member_hbacsvc")) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacsvcgroup '%s'" % name) # Ensure members are present if hbacsvc: hbacsvc_add = gen_add_list( hbacsvc, res_find.get("member_hbacsvc")) elif state == "absent": if action == "hbacsvcgroup": if res_find is not None: commands.append([name, "hbacsvcgroup_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacsvcgroup '%s'" % name) # Ensure members are absent if hbacsvc: hbacsvc_del = gen_intersection_list( hbacsvc, res_find.get("member_hbacsvc")) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Manage members if len(hbacsvc_add) > 0: commands.append([ name, "hbacsvcgroup_add_member", { "hbacsvc": hbacsvc_add } ]) # Remove members if len(hbacsvc_del) > 0: commands.append([ name, "hbacsvcgroup_remove_member", { "hbacsvc": hbacsvc_del } ]) # Execute commands changed = ansible_module.execute_ipa_commands(commands, result_handler) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), nonposix=dict(required=False, type='bool', default=None), external=dict(required=False, type='bool', default=None), nomembers=dict(required=False, type='bool', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), service=dict(required=False, type='list', default=None), action=dict(type="str", default="group", choices=["member", "group"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get( ansible_module, "ipaadmin_principal", ) ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") gid = module_params_get(ansible_module, "gid") nonposix = module_params_get(ansible_module, "nonposix") external = module_params_get(ansible_module, "external") nomembers = module_params_get(ansible_module, "nomembers") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") service = module_params_get(ansible_module, "service") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one group can be added at a time.") if action == "member": invalid = [ "description", "gid", "nonposix", "external", "nomembers" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "gid", "nonposix", "external", "nomembers"] if action == "group": invalid.extend(["user", "group", "service"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_member_service = api_check_param("group_add_member", "service") if service is not None and not has_add_member_service: ansible_module.fail_json( msg="Managing a service as part of a group is not supported " "by your IPA version") commands = [] for name in names: # Make sure group exists res_find = find_group(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, gid, nonposix, external, nomembers) if action == "group": # Found the group if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "group_mod", args]) else: commands.append([name, "group_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(user, group, service) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists user_add, user_del = gen_add_del_lists( user, res_find.get("member_user")) group_add, group_del = gen_add_del_lists( group, res_find.get("member_group")) service_add, service_del = gen_add_del_lists( service, res_find.get("member_service")) if has_add_member_service: # Add members if len(user_add) > 0 or len(group_add) > 0 or \ len(service_add) > 0: commands.append([ name, "group_add_member", { "user": user_add, "group": group_add, "service": service_add, } ]) # Remove members if len(user_del) > 0 or len(group_del) > 0 or \ len(service_del) > 0: commands.append([ name, "group_remove_member", { "user": user_del, "group": group_del, "service": service_del, } ]) else: # Add members if len(user_add) > 0 or len(group_add) > 0: commands.append([ name, "group_add_member", { "user": user_add, "group": group_add, } ]) # Remove members if len(user_del) > 0 or len(group_del) > 0: commands.append([ name, "group_remove_member", { "user": user_del, "group": group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) if has_add_member_service: commands.append([ name, "group_add_member", { "user": user, "group": group, "service": service, } ]) else: commands.append([ name, "group_add_member", { "user": user, "group": group, } ]) elif state == "absent": if action == "group": if res_find is not None: commands.append([name, "group_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) commands.append([ name, "group_remove_member", { "user": user, "group": group, "service": service, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), membermanager_user=dict(required=False, type='list', default=None), membermanager_group=dict(required=False, type='list', default=None), rename=dict(required=False, type='str', default=None, aliases=["new_name"]), action=dict(type="str", default="hostgroup", choices=["member", "hostgroup"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") nomembers = ansible_module.params_get("nomembers") host = ansible_module.params_get("host") hostgroup = ansible_module.params_get("hostgroup") membermanager_user = ansible_module.params_get("membermanager_user") membermanager_group = ansible_module.params_get("membermanager_group") rename = ansible_module.params_get("rename") action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hostgroup can be added at a time.") invalid = ["rename"] if action == "member": invalid.extend(["description", "nomembers"]) if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one hostgroup can be added at a time.") if action == "member": ansible_module.fail_json( msg="Action '%s' can not be used with state '%s'" % (action, state)) invalid = [ "description", "nomembers", "host", "hostgroup", "membermanager_user", "membermanager_group" ] if state == "absent": if len(names) < 1: ansible_module.fail_json( msg="No name given.") invalid = ["description", "nomembers", "rename"] if action == "hostgroup": invalid.extend(["host", "hostgroup"]) ansible_module.params_fail_used_invalid(invalid, state, action) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): has_add_membermanager = ansible_module.ipa_command_exists( "hostgroup_add_member_manager") if ((membermanager_user is not None or membermanager_group is not None) and not has_add_membermanager): ansible_module.fail_json( msg="Managing a membermanager user or group is not supported " "by your IPA version" ) has_mod_rename = ansible_module.ipa_command_param_exists( "hostgroup_mod", "rename") if not has_mod_rename and rename is not None: ansible_module.fail_json( msg="Renaming hostgroups is not supported by your IPA version") # If hosts are given, ensure that the hosts are FQDN and also # lowercase to be able to do a proper comparison to exising hosts # in the hostgroup. # Fixes #666 (ipahostgroup not idempotent and with error) if host is not None: default_domain = ansible_module.ipa_get_domain() host = [ensure_fqdn(_host, default_domain).lower() for _host in host] commands = [] for name in names: # Make sure hostgroup exists res_find = find_hostgroup(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, nomembers, rename) if action == "hostgroup": # Found the hostgroup if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hostgroup_mod", args]) else: commands.append([name, "hostgroup_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(host, hostgroup) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get("member_host")) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get("member_hostgroup")) # Add members if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([name, "hostgroup_add_member", { "host": host_add, "hostgroup": hostgroup_add, }]) # Remove members if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([name, "hostgroup_remove_member", { "host": host_del, "hostgroup": hostgroup_del, }]) membermanager_user_add, membermanager_user_del = \ gen_add_del_lists( membermanager_user, res_find.get("membermanager_user") ) membermanager_group_add, membermanager_group_del = \ gen_add_del_lists( membermanager_group, res_find.get("membermanager_group") ) if has_add_membermanager: # Add membermanager users and groups if len(membermanager_user_add) > 0 or \ len(membermanager_group_add) > 0: commands.append( [name, "hostgroup_add_member_manager", { "user": membermanager_user_add, "group": membermanager_group_add, }] ) # Remove member manager if len(membermanager_user_del) > 0 or \ len(membermanager_group_del) > 0: commands.append( [name, "hostgroup_remove_member_manager", { "user": membermanager_user_del, "group": membermanager_group_del, }] ) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No hostgroup '%s'" % name) # Reduce add lists for member_host and member_hostgroup, # to new entries only that are not in res_find. if host is not None and "member_host" in res_find: host = gen_add_list(host, res_find["member_host"]) if hostgroup is not None \ and "member_hostgroup" in res_find: hostgroup = gen_add_list( hostgroup, res_find["member_hostgroup"]) # Ensure members are present commands.append([name, "hostgroup_add_member", { "host": host, "hostgroup": hostgroup, }]) if has_add_membermanager: # Reduce add list for membermanager_user and # membermanager_group to new entries only that are # not in res_find. if membermanager_user is not None \ and "membermanager_user" in res_find: membermanager_user = gen_add_list( membermanager_user, res_find["membermanager_user"]) if membermanager_group is not None \ and "membermanager_group" in res_find: membermanager_group = gen_add_list( membermanager_group, res_find["membermanager_group"]) # Add membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append( [name, "hostgroup_add_member_manager", { "user": membermanager_user, "group": membermanager_group, }] ) elif state == "renamed": if res_find is not None: if rename != name: commands.append( [name, "hostgroup_mod", {"rename": rename}] ) else: # If a hostgroup with the desired name exists, do nothing. new_find = find_hostgroup(ansible_module, rename) if new_find is None: # Fail only if the either hostsgroups do not exist. ansible_module.fail_json( msg="Attribute `rename` can not be used, unless " "hostgroup exists." ) elif state == "absent": if action == "hostgroup": if res_find is not None: commands.append([name, "hostgroup_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No hostgroup '%s'" % name) # Reduce del lists of member_host and member_hostgroup, # to the entries only that are in res_find. if host is not None: host = gen_intersection_list( host, res_find.get("member_host")) if hostgroup is not None: hostgroup = gen_intersection_list( hostgroup, res_find.get("member_hostgroup")) # Ensure members are absent commands.append([name, "hostgroup_remove_member", { "host": host, "hostgroup": hostgroup, }]) if has_add_membermanager: # Reduce del lists of membermanager_user and # membermanager_group to the entries only that are # in res_find. if membermanager_user is not None: membermanager_user = gen_intersection_list( membermanager_user, res_find.get("membermanager_user")) if membermanager_group is not None: membermanager_group = gen_intersection_list( membermanager_group, res_find.get("membermanager_group")) # Remove membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append( [name, "hostgroup_remove_member_manager", { "user": membermanager_user, "group": membermanager_group, }] ) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands changed = ansible_module.execute_ipa_commands( commands, fail_on_member_errors=True) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present principal=dict(required=False, type='list', default=None), target=dict(required=False, type='list', aliases=["servicedelegationtarget"], default=None), action=dict(type="str", default="servicedelegationrule", choices=["member", "servicedelegationrule"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present principal = ansible_module.params_get("principal") target = ansible_module.params_get("target") action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one servicedelegationrule can be added at a time.") if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "servicedelegationrule": invalid = ["principal", "target"] ansible_module.params_fail_used_invalid(invalid, state, action) # Init membertarget = "ipaallowedtarget_servicedelegationtarget" changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): # Normalize principals if principal: principal = servicedelegation_normalize_principals( ansible_module, principal, state == "present") if target and state == "present": check_targets(ansible_module, target) commands = [] principal_add = principal_del = [] target_add = target_del = [] for name in names: # Make sure servicedelegationrule exists res_find = find_servicedelegationrule(ansible_module, name) # Create command if state == "present": if action == "servicedelegationrule": # A servicedelegationrule does not have normal options. # There is no servicedelegationtarget-mod command. # Principal members are handled with the _add_member and # _remove_member commands further down. if res_find is None: commands.append([name, "servicedelegationrule_add", {}]) res_find = {} # Generate addition and removal lists for principal principal_add, principal_del = gen_add_del_lists( principal, res_find.get("memberprincipal")) # Generate addition and removal lists for target target_add, target_del = gen_add_del_lists( target, res_find.get(membertarget)) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No servicedelegationrule '%s'" % name) # Reduce add lists for principal # to new entries only that are not in res_find. if principal is not None and \ "memberprincipal" in res_find: principal_add = gen_add_list( principal, res_find["memberprincipal"]) else: principal_add = principal # Reduce add lists for target # to new entries only that are not in res_find. if target is not None and membertarget in res_find: target_add = gen_add_list( target, res_find[membertarget]) else: target_add = target elif state == "absent": if action == "servicedelegationrule": if res_find is not None: commands.append([name, "servicedelegationrule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No servicedelegationrule '%s'" % name) # Reduce del lists of principals to the entries only # that are in res_find. if principal is not None: principal_del = gen_intersection_list( principal, res_find.get("memberprincipal")) else: principal_del = principal # Reduce del lists of targets to the entries only # that are in res_find. if target is not None: target_del = gen_intersection_list( target, res_find.get(membertarget)) else: target_del = target else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Handle members # Add principal members if principal_add is not None and len(principal_add) > 0: commands.append( [name, "servicedelegationtarget_add_member", { "principal": principal_add, }]) # Remove principal members if principal_del is not None and len(principal_del) > 0: commands.append( [name, "servicedelegationtarget_remove_member", { "principal": principal_del, }]) # Add target members if target_add is not None and len(target_add) > 0: commands.append( [name, "servicedelegationrule_add_target", { "servicedelegationtarget": target_add, }]) # Remove target members if target_del is not None and len(target_del) > 0: commands.append( [name, "servicedelegationrule_remove_target", { "servicedelegationtarget": target_del, }]) # Execute commands changed = ansible_module.execute_ipa_commands( commands, fail_on_member_errors=True) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), gid=dict(type="int", aliases=["gidnumber"], default=None), nonposix=dict(required=False, type='bool', default=None), external=dict(required=False, type='bool', default=None), posix=dict(required=False, type='bool', default=None), nomembers=dict(required=False, type='bool', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), service=dict(required=False, type='list', default=None), membermanager_user=dict(required=False, type='list', default=None), membermanager_group=dict(required=False, type='list', default=None), externalmember=dict( required=False, type='list', default=None, aliases=["ipaexternalmember", "external_member"]), action=dict(type="str", default="group", choices=["member", "group"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), # It does not make sense to set posix, nonposix or external at the # same time mutually_exclusive=[['posix', 'nonposix', 'external']], supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") gid = ansible_module.params_get("gid") nonposix = ansible_module.params_get("nonposix") external = ansible_module.params_get("external") posix = ansible_module.params_get("posix") nomembers = ansible_module.params_get("nomembers") user = ansible_module.params_get("user") group = ansible_module.params_get("group") # Services are not case sensitive service = ansible_module.params_get_lowercase("service") membermanager_user = ansible_module.params_get("membermanager_user") membermanager_group = ansible_module.params_get("membermanager_group") externalmember = ansible_module.params_get("externalmember") action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one group can be added at a time.") if action == "member": invalid = [ "description", "gid", "posix", "nonposix", "external", "nomembers" ] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = [ "description", "gid", "posix", "nonposix", "external", "nomembers" ] if action == "group": invalid.extend(["user", "group", "service", "externalmember"]) ansible_module.params_fail_used_invalid(invalid, state, action) if external is False: ansible_module.fail_json(msg="group can not be non-external") # Init changed = False exit_args = {} # If nonposix is used, set posix as not nonposix if nonposix is not None: posix = not nonposix # Connect to IPA API with ansible_module.ipa_connect(): has_add_member_service = ansible_module.ipa_command_param_exists( "group_add_member", "service") if service is not None and not has_add_member_service: ansible_module.fail_json( msg="Managing a service as part of a group is not supported " "by your IPA version") has_add_membermanager = ansible_module.ipa_command_exists( "group_add_member_manager") if ((membermanager_user is not None or membermanager_group is not None) and not has_add_membermanager): ansible_module.fail_json( msg="Managing a membermanager user or group is not supported " "by your IPA version") commands = [] for name in names: # Make sure group exists res_find = find_group(ansible_module, name) user_add, user_del = [], [] group_add, group_del = [], [] service_add, service_del = [], [] externalmember_add, externalmember_del = [], [] membermanager_user_add, membermanager_user_del = [], [] membermanager_group_add, membermanager_group_del = [], [] # Create command if state == "present": # Can't change an existing posix group check_objectclass_args(ansible_module, res_find, posix, external) # Generate args args = gen_args(description, gid, nomembers) if action == "group": # Found the group if res_find is not None: # For all settings in args, check if there are # different settings in the find result. # If yes: modify # Also if it is a modification from nonposix to posix # or nonposix to external. if not compare_args_ipa( ansible_module, args, res_find) or ( not is_posix_group(res_find) and not is_external_group(res_find) and (posix or external)): if posix: args['posix'] = True if external: args['external'] = True commands.append([name, "group_mod", args]) else: if posix is not None and not posix: args['nonposix'] = True if external: args['external'] = True commands.append([name, "group_add", args]) # Set res_find dict for next step res_find = {} # if we just created/modified the group, update res_find res_find.setdefault("objectclass", []) if external and not is_external_group(res_find): res_find["objectclass"].append("ipaexternalgroup") if posix and not is_posix_group(res_find): res_find["objectclass"].append("posixgroup") member_args = gen_member_args(user, group, service, externalmember) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists user_add, user_del = gen_add_del_lists( user, res_find.get("member_user")) group_add, group_del = gen_add_del_lists( group, res_find.get("member_group")) service_add, service_del = gen_add_del_lists( service, res_find.get("member_service")) (externalmember_add, externalmember_del) = gen_add_del_lists( externalmember, res_find.get("member_external")) membermanager_user_add, membermanager_user_del = \ gen_add_del_lists( membermanager_user, res_find.get("membermanager_user") ) membermanager_group_add, membermanager_group_del = \ gen_add_del_lists( membermanager_group, res_find.get("membermanager_group") ) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) # Reduce add lists for member_user, member_group, # member_service and member_external to new entries # only that are not in res_find. user_add = gen_add_list(user, res_find.get("member_user")) group_add = gen_add_list(group, res_find.get("member_group")) service_add = gen_add_list(service, res_find.get("member_service")) externalmember_add = gen_add_list( externalmember, res_find.get("member_external")) membermanager_user_add = gen_add_list( membermanager_user, res_find.get("membermanager_user")) membermanager_group_add = gen_add_list( membermanager_group, res_find.get("membermanager_group")) elif state == "absent": if action == "group": if res_find is not None: commands.append([name, "group_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No group '%s'" % name) if not is_external_group(res_find) and externalmember: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") user_del = gen_intersection_list( user, res_find.get("member_user")) group_del = gen_intersection_list( group, res_find.get("member_group")) service_del = gen_intersection_list( service, res_find.get("member_service")) externalmember_del = gen_intersection_list( externalmember, res_find.get("member_external")) membermanager_user_del = gen_intersection_list( membermanager_user, res_find.get("membermanager_user")) membermanager_group_del = gen_intersection_list( membermanager_group, res_find.get("membermanager_group")) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # manage members # setup member args for add/remove members. add_member_args = { "user": user_add, "group": group_add, } del_member_args = { "user": user_del, "group": group_del, } if has_add_member_service: add_member_args["service"] = service_add del_member_args["service"] = service_del if is_external_group(res_find): add_member_args["ipaexternalmember"] = \ externalmember_add del_member_args["ipaexternalmember"] = \ externalmember_del elif externalmember or external: ansible_module.fail_json( msg="Cannot add external members to a " "non-external group.") # Add members add_members = any( [user_add, group_add, service_add, externalmember_add]) if add_members: commands.append([name, "group_add_member", add_member_args]) # Remove members remove_members = any( [user_del, group_del, service_del, externalmember_del]) if remove_members: commands.append([name, "group_remove_member", del_member_args]) # manage membermanager members if has_add_membermanager: # Add membermanager users and groups if any([membermanager_user_add, membermanager_group_add]): commands.append([ name, "group_add_member_manager", { "user": membermanager_user_add, "group": membermanager_group_add, } ]) # Remove member manager if any([membermanager_user_del, membermanager_group_del]): commands.append([ name, "group_remove_member_manager", { "user": membermanager_user_del, "group": membermanager_group_del, } ]) # Execute commands changed = ansible_module.execute_ipa_commands( commands, fail_on_member_errors=True) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(required=False, type="str", default=None), usercategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['usercat']), hostcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['hostcat']), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), allow_sudocmd=dict(required=False, type="list", default=None), deny_sudocmd=dict(required=False, type="list", default=None), allow_sudocmdgroup=dict(required=False, type="list", default=None), deny_sudocmdgroup=dict(required=False, type="list", default=None), cmdcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['cmdcat']), runasusercategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['runasusercat']), runasgroupcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['runasgroupcat']), runasuser=dict(required=False, type="list", default=None), runasgroup=dict(required=False, type="list", default=None), order=dict(type="int", required=False, aliases=['sudoorder']), sudooption=dict(required=False, type='list', default=None, aliases=["options"]), action=dict(type="str", default="sudorule", choices=["member", "sudorule"]), # state state=dict(type="str", default="present", choices=["present", "absent", "enabled", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present # The 'noqa' variables are not used here, but required for vars(). # The use of 'noqa' ensures flake8 does not complain about them. description = ansible_module.params_get("description") # noqa cmdcategory = ansible_module.params_get('cmdcategory') # noqa usercategory = ansible_module.params_get("usercategory") # noqa hostcategory = ansible_module.params_get("hostcategory") # noqa runasusercategory = ansible_module.params_get( # noqa "runasusercategory") runasgroupcategory = ansible_module.params_get( # noqa "runasgroupcategory") hostcategory = ansible_module.params_get("hostcategory") # noqa nomembers = ansible_module.params_get("nomembers") # noqa host = ansible_module.params_get("host") hostgroup = ansible_module.params_get("hostgroup") user = ansible_module.params_get("user") group = ansible_module.params_get("group") allow_sudocmd = ansible_module.params_get('allow_sudocmd') allow_sudocmdgroup = ansible_module.params_get('allow_sudocmdgroup') deny_sudocmd = ansible_module.params_get('deny_sudocmd') deny_sudocmdgroup = ansible_module.params_get('deny_sudocmdgroup') sudooption = ansible_module.params_get("sudooption") order = ansible_module.params_get("order") runasuser = ansible_module.params_get("runasuser") runasgroup = ansible_module.params_get("runasgroup") action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one sudorule can be added at a time.") if action == "member": invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "order", "nomembers"] for arg in invalid: if arg in vars() and vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (arg, action)) else: if hostcategory == 'all' and any([host, hostgroup]): ansible_module.fail_json( msg="Hosts cannot be added when host category='all'") if usercategory == 'all' and any([user, group]): ansible_module.fail_json( msg="Users cannot be added when user category='all'") if cmdcategory == 'all' \ and any([allow_sudocmd, allow_sudocmdgroup]): ansible_module.fail_json( msg="Commands cannot be added when command category='all'") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "order"] if action == "sudorule": invalid.extend(["host", "hostgroup", "user", "group", "runasuser", "runasgroup", "allow_sudocmd", "allow_sudocmdgroup", "deny_sudocmd", "deny_sudocmdgroup", "sudooption"]) for arg in invalid: if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (arg, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "member": ansible_module.fail_json( msg="Action member can not be used with states enabled and " "disabled") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "nomembers", "host", "hostgroup", "user", "group", "allow_sudocmd", "allow_sudocmdgroup", "deny_sudocmd", "deny_sudocmdgroup", "runasuser", "runasgroup", "order", "sudooption"] for arg in invalid: if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (arg, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure sudorule exists res_find = find_sudorule(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, usercategory, hostcategory, cmdcategory, runasusercategory, runasgroupcategory, order, nomembers) if action == "sudorule": # Found the sudorule if res_find is not None: # Remove empty usercategory, hostcategory, # cmdcaterory, runasusercategory and hostcategory # from args if "" and if the category is not in the # sudorule. The empty string is used to reset the # category. if "usercategory" in args \ and args["usercategory"] == "" \ and "usercategory" not in res_find: del args["usercategory"] if "hostcategory" in args \ and args["hostcategory"] == "" \ and "hostcategory" not in res_find: del args["hostcategory"] if "cmdcategory" in args \ and args["cmdcategory"] == "" \ and "cmdcategory" not in res_find: del args["cmdcategory"] if "ipasudorunasusercategory" in args \ and args["ipasudorunasusercategory"] == "" \ and "ipasudorunasusercategory" not in res_find: del args["ipasudorunasusercategory"] if "ipasudorunasgroupcategory" in args \ and args["ipasudorunasgroupcategory"] == "" \ and "ipasudorunasgroupcategory" not in res_find: del args["ipasudorunasgroupcategory"] # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudorule_mod", args]) else: commands.append([name, "sudorule_add", args]) # Set res_find to empty dict for next step res_find = {} # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get('memberhost_host', [])) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get('memberhost_hostgroup', [])) user_add, user_del = gen_add_del_lists( user, res_find.get('memberuser_user', [])) group_add, group_del = gen_add_del_lists( group, res_find.get('memberuser_group', [])) allow_cmd_add, allow_cmd_del = gen_add_del_lists( allow_sudocmd, res_find.get('memberallowcmd_sudocmd', [])) allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists( allow_sudocmdgroup, res_find.get('memberallowcmd_sudocmdgroup', [])) deny_cmd_add, deny_cmd_del = gen_add_del_lists( deny_sudocmd, res_find.get('memberdenycmd_sudocmd', [])) deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists( deny_sudocmdgroup, res_find.get('memberdenycmd_sudocmdgroup', [])) sudooption_add, sudooption_del = gen_add_del_lists( sudooption, res_find.get('ipasudoopt', [])) runasuser_add, runasuser_del = gen_add_del_lists( runasuser, res_find.get('ipasudorunas_user', [])) runasgroup_add, runasgroup_del = gen_add_del_lists( runasgroup, res_find.get('ipasudorunas_group', [])) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([name, "sudorule_add_host", { "host": host_add, "hostgroup": hostgroup_add, }]) # Remove hosts and hostgroups if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([name, "sudorule_remove_host", { "host": host_del, "hostgroup": hostgroup_del, }]) # Add users and groups if len(user_add) > 0 or len(group_add) > 0: commands.append([name, "sudorule_add_user", { "user": user_add, "group": group_add, }]) # Remove users and groups if len(user_del) > 0 or len(group_del) > 0: commands.append([name, "sudorule_remove_user", { "user": user_del, "group": group_del, }]) # Add commands allowed if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0: commands.append([name, "sudorule_add_allow_command", {"sudocmd": allow_cmd_add, "sudocmdgroup": allow_cmdgroup_add, }]) if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0: commands.append([name, "sudorule_remove_allow_command", {"sudocmd": allow_cmd_del, "sudocmdgroup": allow_cmdgroup_del }]) # Add commands denied if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0: commands.append([name, "sudorule_add_deny_command", {"sudocmd": deny_cmd_add, "sudocmdgroup": deny_cmdgroup_add, }]) if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0: commands.append([name, "sudorule_remove_deny_command", {"sudocmd": deny_cmd_del, "sudocmdgroup": deny_cmdgroup_del }]) # Add RunAS Users if len(runasuser_add) > 0: commands.append([name, "sudorule_add_runasuser", {"user": runasuser_add}]) # Remove RunAS Users if len(runasuser_del) > 0: commands.append([name, "sudorule_remove_runasuser", {"user": runasuser_del}]) # Add RunAS Groups if len(runasgroup_add) > 0: commands.append([name, "sudorule_add_runasgroup", {"group": runasgroup_add}]) # Remove RunAS Groups if len(runasgroup_del) > 0: commands.append([name, "sudorule_remove_runasgroup", {"group": runasgroup_del}]) # Add sudo options for sudoopt in sudooption_add: commands.append([name, "sudorule_add_option", {"ipasudoopt": sudoopt}]) # Remove sudo options for sudoopt in sudooption_del: commands.append([name, "sudorule_remove_option", {"ipasudoopt": sudoopt}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # Generate add lists for host, hostgroup, user, group, # allow_sudocmd, allow_sudocmdgroup, deny_sudocmd, # deny_sudocmdgroup, sudooption, runasuser, runasgroup # and res_find to only try to add the items that not in # the sudorule already if host is not None and \ "memberhost_host" in res_find: host = gen_add_list( host, res_find["memberhost_host"]) if hostgroup is not None and \ "memberhost_hostgroup" in res_find: hostgroup = gen_add_list( hostgroup, res_find["memberhost_hostgroup"]) if user is not None and \ "memberuser_user" in res_find: user = gen_add_list( user, res_find["memberuser_user"]) if group is not None and \ "memberuser_group" in res_find: group = gen_add_list( group, res_find["memberuser_group"]) if allow_sudocmd is not None and \ "memberallowcmd_sudocmd" in res_find: allow_sudocmd = gen_add_list( allow_sudocmd, res_find["memberallowcmd_sudocmd"]) if allow_sudocmdgroup is not None and \ "memberallowcmd_sudocmdgroup" in res_find: allow_sudocmdgroup = gen_add_list( allow_sudocmdgroup, res_find["memberallowcmd_sudocmdgroup"]) if deny_sudocmd is not None and \ "memberdenycmd_sudocmd" in res_find: deny_sudocmd = gen_add_list( deny_sudocmd, res_find["memberdenycmd_sudocmd"]) if deny_sudocmdgroup is not None and \ "memberdenycmd_sudocmdgroup" in res_find: deny_sudocmdgroup = gen_add_list( deny_sudocmdgroup, res_find["memberdenycmd_sudocmdgroup"]) if sudooption is not None and \ "ipasudoopt" in res_find: sudooption = gen_add_list( sudooption, res_find["ipasudoopt"]) if runasuser is not None and \ "ipasudorunas_user" in res_find: runasuser = gen_add_list( runasuser, res_find["ipasudorunas_user"]) if runasgroup is not None and \ "ipasudorunasgroup_group" in res_find: runasgroup = gen_add_list( runasgroup, res_find["ipasudorunasgroup_group"]) # Add hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "sudorule_add_host", { "host": host, "hostgroup": hostgroup, }]) # Add users and groups if user is not None or group is not None: commands.append([name, "sudorule_add_user", { "user": user, "group": group, }]) # Add commands if allow_sudocmd is not None \ or allow_sudocmdgroup is not None: commands.append([name, "sudorule_add_allow_command", {"sudocmd": allow_sudocmd, "sudocmdgroup": allow_sudocmdgroup, }]) # Add commands if deny_sudocmd is not None \ or deny_sudocmdgroup is not None: commands.append([name, "sudorule_add_deny_command", {"sudocmd": deny_sudocmd, "sudocmdgroup": deny_sudocmdgroup, }]) # Add RunAS Users if runasuser is not None and len(runasuser) > 0: commands.append([name, "sudorule_add_runasuser", {"user": runasuser}]) # Add RunAS Groups if runasgroup is not None and len(runasgroup) > 0: commands.append([name, "sudorule_add_runasgroup", {"group": runasgroup}]) # Add options if sudooption is not None: existing_opts = res_find.get('ipasudoopt', []) for sudoopt in sudooption: if sudoopt not in existing_opts: commands.append([name, "sudorule_add_option", {"ipasudoopt": sudoopt}]) elif state == "absent": if action == "sudorule": if res_find is not None: commands.append([name, "sudorule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # Generate intersection lists for host, hostgroup, user, # group, allow_sudocmd, allow_sudocmdgroup, deny_sudocmd # deny_sudocmdgroup, sudooption, runasuser, runasgroup # and res_find to only try to remove the items that are # in sudorule if host is not None: if "memberhost_host" in res_find: host = gen_intersection_list( host, res_find["memberhost_host"]) else: host = None if hostgroup is not None: if "memberhost_hostgroup" in res_find: hostgroup = gen_intersection_list( hostgroup, res_find["memberhost_hostgroup"]) else: hostgroup = None if user is not None: if "memberuser_user" in res_find: user = gen_intersection_list( user, res_find["memberuser_user"]) else: user = None if group is not None: if "memberuser_group" in res_find: group = gen_intersection_list( group, res_find["memberuser_group"]) else: group = None if allow_sudocmd is not None: if "memberallowcmd_sudocmd" in res_find: allow_sudocmd = gen_intersection_list( allow_sudocmd, res_find["memberallowcmd_sudocmd"]) else: allow_sudocmd = None if allow_sudocmdgroup is not None: if "memberallowcmd_sudocmdgroup" in res_find: allow_sudocmdgroup = gen_intersection_list( allow_sudocmdgroup, res_find["memberallowcmd_sudocmdgroup"]) else: allow_sudocmdgroup = None if deny_sudocmd is not None: if "memberdenycmd_sudocmd" in res_find: deny_sudocmd = gen_intersection_list( deny_sudocmd, res_find["memberdenycmd_sudocmd"]) else: deny_sudocmd = None if deny_sudocmdgroup is not None: if "memberdenycmd_sudocmdgroup" in res_find: deny_sudocmdgroup = gen_intersection_list( deny_sudocmdgroup, res_find["memberdenycmd_sudocmdgroup"]) else: deny_sudocmdgroup = None if sudooption is not None: if "ipasudoopt" in res_find: sudooption = gen_intersection_list( sudooption, res_find["ipasudoopt"]) else: sudooption = None if runasuser is not None: if "ipasudorunas_user" in res_find: runasuser = gen_intersection_list( runasuser, res_find["ipasudorunas_user"]) else: runasuser = None if runasgroup is not None: if "ipasudorunasgroup_group" in res_find: runasgroup = gen_intersection_list( runasgroup, res_find["ipasudorunasgroup_group"]) else: runasgroup = None # Remove hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "sudorule_remove_host", { "host": host, "hostgroup": hostgroup, }]) # Remove users and groups if user is not None or group is not None: commands.append([name, "sudorule_remove_user", { "user": user, "group": group, }]) # Remove allow commands if allow_sudocmd is not None \ or allow_sudocmdgroup is not None: commands.append([name, "sudorule_remove_allow_command", {"sudocmd": allow_sudocmd, "sudocmdgroup": allow_sudocmdgroup }]) # Remove deny commands if deny_sudocmd is not None \ or deny_sudocmdgroup is not None: commands.append([name, "sudorule_remove_deny_command", {"sudocmd": deny_sudocmd, "sudocmdgroup": deny_sudocmdgroup }]) # Remove RunAS Users if runasuser is not None: commands.append([name, "sudorule_remove_runasuser", {"user": runasuser}]) # Remove RunAS Groups if runasgroup is not None: commands.append([name, "sudorule_remove_runasgroup", {"group": runasgroup}]) # Remove options if sudooption is not None: existing_opts = res_find.get('ipasudoopt', []) for sudoopt in sudooption: if sudoopt in existing_opts: commands.append([name, "sudorule_remove_option", {"ipasudoopt": sudoopt}]) elif state == "enabled": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # sudorule_enable is not failing on an enabled sudorule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "TRUE": commands.append([name, "sudorule_enable", {}]) elif state == "disabled": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # sudorule_disable is not failing on an disabled sudorule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "FALSE": commands.append([name, "sudorule_disable", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands changed = ansible_module.execute_ipa_commands( commands, fail_on_member_errors=True) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(required=False, type='str', default=None), rename=dict( required=False, type='str', default=None, aliases=["new_name"], ), permission=dict(required=False, type='list', default=None), action=dict(type="str", default="privilege", choices=["member", "privilege"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") permission = module_params_get(ansible_module, "permission") rename = module_params_get(ansible_module, "rename") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one privilege be added at a time.") if action == "member": invalid = ["description"] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "rename"] if action == "privilege": invalid.append("permission") if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one privilege be added at a time.") invalid = ["description", "permission"] if action != "privilege": ansible_module.fail_json( msg="Action '%s' can not be used with state '%s'" % (action, state)) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure privilege exists res_find = find_privilege(ansible_module, name) # Create command if state == "present": args = {} if description: args['description'] = description if action == "privilege": # Found the privilege if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "privilege_mod", args]) else: commands.append([name, "privilege_add", args]) member_args = {} if permission: member_args['permission'] = permission if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists permission_add, permission_del = gen_add_del_lists( permission, res_find.get("member_permission")) # Add members if len(permission_add) > 0: commands.append([ name, "privilege_add_permission", { "permission": permission_add, } ]) # Remove members if len(permission_del) > 0: commands.append([ name, "privilege_remove_permission", { "permission": permission_del } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No privilege '%s'" % name) if permission is None: ansible_module.fail_json(msg="No permission given") commands.append([ name, "privilege_add_permission", { "permission": permission } ]) elif state == "absent": if action == "privilege": if res_find is not None: commands.append([name, "privilege_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No privilege '%s'" % name) if permission is None: ansible_module.fail_json(msg="No permission given") commands.append([ name, "privilege_remove_permission", { "permission": permission, } ]) elif state == "renamed": if not rename: ansible_module.fail_json(msg="No rename value given.") if res_find is None: ansible_module.fail_json( msg="No privilege found to be renamed: '%s'" % (name)) if name != rename: commands.append( [name, "privilege_mod", { "rename": rename }]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), nomembers=dict(required=False, type='bool', default=None), sudocmd=dict(required=False, type='list', default=None), action=dict(type="str", default="sudocmdgroup", choices=["member", "sudocmdgroup"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") nomembers = ansible_module.params.get("nomembers") sudocmd = ansible_module.params.get("sudocmd") action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one sudocmdgroup can be added at a time.") if action == "member": invalid = ["description", "nomembers"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "nomembers"] if action == "sudocmdgroup": invalid.extend(["sudocmd"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure hostgroup exists res_find = find_sudocmdgroup(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, nomembers) if action == "sudocmdgroup": # Found the hostgroup if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudocmdgroup_mod", args]) else: commands.append([name, "sudocmdgroup_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(sudocmd) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists sudocmd_add, sudocmd_del = \ gen_add_del_lists( sudocmd, res_find.get("member_sudocmd")) # Add members if len(sudocmd_add) > 0: commands.append([ name, "sudocmdgroup_add_member", { "sudocmd": [to_text(c) for c in sudocmd_add] } ]) # Remove members if len(sudocmd_del) > 0: commands.append([ name, "sudocmdgroup_remove_member", { "sudocmd": [to_text(c) for c in sudocmd_del] } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudocmdgroup '%s'" % name) # Ensure members are present commands.append([ name, "sudocmdgroup_add_member", { "sudocmd": [to_text(c) for c in sudocmd] } ]) elif state == "absent": if action == "sudocmdgroup": if res_find is not None: commands.append([name, "sudocmdgroup_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudocmdgroup '%s'" % name) # Ensure members are absent commands.append([ name, "sudocmdgroup_remove_member", { "sudocmd": [to_text(c) for c in sudocmd] } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, to_text(name), args) if action == "member": if "completed" in result and result["completed"] > 0: changed = True else: if command == "sudocmdgroup_del": changed |= "Deleted" in result['summary'] elif command == "sudocmdgroup_add": changed |= "Added" in result['summary'] except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] if "failed" in result and "member" in result["failed"]: failed = result["failed"]["member"] for member_type in failed: for member, failure in failed[member_type]: if "already a member" not in failure \ and "not a member" not in failure: errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(required=False, type="str", default=None), usercategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['usercat']), hostcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['hostcat']), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), allow_sudocmd=dict(required=False, type="list", default=None), deny_sudocmd=dict(required=False, type="list", default=None), allow_sudocmdgroup=dict(required=False, type="list", default=None), deny_sudocmdgroup=dict(required=False, type="list", default=None), cmdcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['cmdcat']), runasusercategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['runasusercat']), runasgroupcategory=dict(required=False, type="str", default=None, choices=["all", ""], aliases=['runasgroupcat']), runasuser=dict(required=False, type="list", default=None), runasgroup=dict(required=False, type="list", default=None), order=dict(type="int", required=False, aliases=['sudoorder']), sudooption=dict(required=False, type='list', default=None, aliases=["options"]), action=dict(type="str", default="sudorule", choices=["member", "sudorule"]), # state state=dict(type="str", default="present", choices=["present", "absent", "enabled", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present # The 'noqa' variables are not used here, but required for vars(). # The use of 'noqa' ensures flake8 does not complain about them. description = module_params_get(ansible_module, "description") # noqa cmdcategory = module_params_get(ansible_module, 'cmdcategory') # noqa usercategory = module_params_get(ansible_module, "usercategory") # noqa hostcategory = module_params_get(ansible_module, "hostcategory") # noqa runasusercategory = module_params_get(ansible_module, # noqa "runasusercategory") runasgroupcategory = module_params_get(ansible_module, # noqa "runasgroupcategory") hostcategory = module_params_get(ansible_module, "hostcategory") # noqa nomembers = module_params_get(ansible_module, "nomembers") # noqa host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd') allow_sudocmdgroup = module_params_get(ansible_module, 'allow_sudocmdgroup') deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd') deny_sudocmdgroup = module_params_get(ansible_module, 'deny_sudocmdgroup') sudooption = module_params_get(ansible_module, "sudooption") order = module_params_get(ansible_module, "order") runasuser = module_params_get(ansible_module, "runasuser") runasgroup = module_params_get(ansible_module, "runasgroup") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one sudorule can be added at a time.") if action == "member": invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "order", "nomembers"] for arg in invalid: if arg in vars() and vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (arg, action)) else: if hostcategory == 'all' and any([host, hostgroup]): ansible_module.fail_json( msg="Hosts cannot be added when host category='all'") if usercategory == 'all' and any([user, group]): ansible_module.fail_json( msg="Users cannot be added when user category='all'") if cmdcategory == 'all' \ and any([allow_sudocmd, allow_sudocmdgroup]): ansible_module.fail_json( msg="Commands cannot be added when command category='all'") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "order"] if action == "sudorule": invalid.extend(["host", "hostgroup", "user", "group", "runasuser", "runasgroup", "allow_sudocmd", "allow_sudocmdgroup", "deny_sudocmd", "deny_sudocmdgroup", "sudooption"]) for arg in invalid: if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (arg, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "member": ansible_module.fail_json( msg="Action member can not be used with states enabled and " "disabled") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "nomembers", "host", "hostgroup", "user", "group", "allow_sudocmd", "allow_sudocmdgroup", "deny_sudocmd", "deny_sudocmdgroup", "runasuser", "runasgroup", "order", "sudooption"] for arg in invalid: if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (arg, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure sudorule exists res_find = find_sudorule(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, usercategory, hostcategory, cmdcategory, runasusercategory, runasgroupcategory, order, nomembers) if action == "sudorule": # Found the sudorule if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "sudorule_mod", args]) else: commands.append([name, "sudorule_add", args]) # Set res_find to empty dict for next step res_find = {} # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get('memberhost_host', [])) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get('memberhost_hostgroup', [])) user_add, user_del = gen_add_del_lists( user, res_find.get('memberuser_user', [])) group_add, group_del = gen_add_del_lists( group, res_find.get('memberuser_group', [])) allow_cmd_add, allow_cmd_del = gen_add_del_lists( allow_sudocmd, res_find.get('memberallowcmd_sudocmd', [])) allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists( allow_sudocmdgroup, res_find.get('memberallowcmd_sudocmdgroup', [])) deny_cmd_add, deny_cmd_del = gen_add_del_lists( deny_sudocmd, res_find.get('memberdenycmd_sudocmd', [])) deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists( deny_sudocmdgroup, res_find.get('memberdenycmd_sudocmdgroup', [])) sudooption_add, sudooption_del = gen_add_del_lists( sudooption, res_find.get('ipasudoopt', [])) runasuser_add, runasuser_del = gen_add_del_lists( runasuser, res_find.get('ipasudorunas_user', [])) runasgroup_add, runasgroup_del = gen_add_del_lists( runasgroup, res_find.get('ipasudorunas_group', [])) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([name, "sudorule_add_host", { "host": host_add, "hostgroup": hostgroup_add, }]) # Remove hosts and hostgroups if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([name, "sudorule_remove_host", { "host": host_del, "hostgroup": hostgroup_del, }]) # Add users and groups if len(user_add) > 0 or len(group_add) > 0: commands.append([name, "sudorule_add_user", { "user": user_add, "group": group_add, }]) # Remove users and groups if len(user_del) > 0 or len(group_del) > 0: commands.append([name, "sudorule_remove_user", { "user": user_del, "group": group_del, }]) # Add commands allowed if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0: commands.append([name, "sudorule_add_allow_command", {"sudocmd": allow_cmd_add, "sudocmdgroup": allow_cmdgroup_add, }]) if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0: commands.append([name, "sudorule_remove_allow_command", {"sudocmd": allow_cmd_del, "sudocmdgroup": allow_cmdgroup_del }]) # Add commands denied if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0: commands.append([name, "sudorule_add_deny_command", {"sudocmd": deny_cmd_add, "sudocmdgroup": deny_cmdgroup_add, }]) if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0: commands.append([name, "sudorule_remove_deny_command", {"sudocmd": deny_cmd_del, "sudocmdgroup": deny_cmdgroup_del }]) # Add RunAS Users if len(runasuser_add) > 0: commands.append([name, "sudorule_add_runasuser", {"user": runasuser_add}]) # Remove RunAS Users if len(runasuser_del) > 0: commands.append([name, "sudorule_remove_runasuser", {"user": runasuser_del}]) # Add RunAS Groups if len(runasgroup_add) > 0: commands.append([name, "sudorule_add_runasgroup", {"group": runasgroup_add}]) # Remove RunAS Groups if len(runasgroup_del) > 0: commands.append([name, "sudorule_remove_runasgroup", {"group": runasgroup_del}]) # Add sudo options for sudoopt in sudooption_add: commands.append([name, "sudorule_add_option", {"ipasudoopt": sudoopt}]) # Remove sudo options for sudoopt in sudooption_del: commands.append([name, "sudorule_remove_option", {"ipasudoopt": sudoopt}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # Add hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "sudorule_add_host", { "host": host, "hostgroup": hostgroup, }]) # Add users and groups if user is not None or group is not None: commands.append([name, "sudorule_add_user", { "user": user, "group": group, }]) # Add commands if allow_sudocmd is not None \ or allow_sudocmdgroup is not None: commands.append([name, "sudorule_add_allow_command", {"sudocmd": allow_sudocmd, "sudocmdgroup": allow_sudocmdgroup, }]) # Add commands if deny_sudocmd is not None \ or deny_sudocmdgroup is not None: commands.append([name, "sudorule_add_deny_command", {"sudocmd": deny_sudocmd, "sudocmdgroup": deny_sudocmdgroup, }]) # Add RunAS Users if runasuser is not None: commands.append([name, "sudorule_add_runasuser", {"user": runasuser}]) # Add RunAS Groups if runasgroup is not None: commands.append([name, "sudorule_add_runasgroup", {"group": runasgroup}]) # Add options if sudooption is not None: existing_opts = res_find.get('ipasudoopt', []) for sudoopt in sudooption: if sudoopt not in existing_opts: commands.append([name, "sudorule_add_option", {"ipasudoopt": sudoopt}]) elif state == "absent": if action == "sudorule": if res_find is not None: commands.append([name, "sudorule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # Remove hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "sudorule_remove_host", { "host": host, "hostgroup": hostgroup, }]) # Remove users and groups if user is not None or group is not None: commands.append([name, "sudorule_remove_user", { "user": user, "group": group, }]) # Remove allow commands if allow_sudocmd is not None \ or allow_sudocmdgroup is not None: commands.append([name, "sudorule_remove_allow_command", {"sudocmd": allow_sudocmd, "sudocmdgroup": allow_sudocmdgroup }]) # Remove deny commands if deny_sudocmd is not None \ or deny_sudocmdgroup is not None: commands.append([name, "sudorule_remove_deny_command", {"sudocmd": deny_sudocmd, "sudocmdgroup": deny_sudocmdgroup }]) # Remove RunAS Users if runasuser is not None: commands.append([name, "sudorule_remove_runasuser", {"user": runasuser}]) # Remove RunAS Groups if runasgroup is not None: commands.append([name, "sudorule_remove_runasgroup", {"group": runasgroup}]) # Remove options if sudooption is not None: existing_opts = res_find.get('ipasudoopt', []) for sudoopt in sudooption: if sudoopt in existing_opts: commands.append([name, "sudorule_remove_option", {"ipasudoopt": sudoopt}]) elif state == "enabled": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # sudorule_enable is not failing on an enabled sudorule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "TRUE": commands.append([name, "sudorule_enable", {}]) elif state == "disabled": if res_find is None: ansible_module.fail_json(msg="No sudorule '%s'" % name) # sudorule_disable is not failing on an disabled sudorule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "FALSE": commands.append([name, "sudorule_disable", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % ( command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as ex: ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = init_ansible_module() # Get parameters # general names = ansible_module.params_get("name") # service attributes principal = ansible_module.params_get("principal") certificate = ansible_module.params_get("certificate") pac_type = ansible_module.params_get("pac_type") auth_ind = ansible_module.params_get("auth_ind") skip_host_check = ansible_module.params_get("skip_host_check") force = ansible_module.params_get("force") requires_pre_auth = ansible_module.params_get("requires_pre_auth") ok_as_delegate = ansible_module.params_get("ok_as_delegate") ok_to_auth_as_delegate = ansible_module.params_get( "ok_to_auth_as_delegate") smb = ansible_module.params_get("smb") netbiosname = ansible_module.params_get("netbiosname") host = ansible_module.params_get("host") allow_create_keytab_user = ansible_module.params_get( "allow_create_keytab_user") allow_create_keytab_group = ansible_module.params_get( "allow_create_keytab_group") allow_create_keytab_host = ansible_module.params_get( "allow_create_keytab_host") allow_create_keytab_hostgroup = ansible_module.params_get( "allow_create_keytab_hostgroup") allow_retrieve_keytab_user = ansible_module.params_get( "allow_retrieve_keytab_user") allow_retrieve_keytab_group = ansible_module.params_get( "allow_retrieve_keytab_group") allow_retrieve_keytab_host = ansible_module.params_get( "allow_retrieve_keytab_host") allow_retrieve_keytab_hostgroup = ansible_module.params_get( "allow_retrieve_keytab_hostgroup") delete_continue = ansible_module.params_get("delete_continue") # action action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # check parameters check_parameters(ansible_module, state, action, names, vars()) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): has_skip_host_check = ansible_module.ipa_command_param_exists( "service_add", "skip_host_check") if skip_host_check and not has_skip_host_check: ansible_module.fail_json( msg="Skipping host check is not supported by your IPA version") commands = [] for name in names: res_find = find_service(ansible_module, name) if state == "present": if action == "service": args = gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate) if not has_skip_host_check and 'skip_host_check' in args: del args['skip_host_check'] if smb: if res_find is None: _name = "cifs/" + name res_find = find_service(ansible_module, _name) if res_find is None: _args = gen_args_smb(netbiosname, ok_as_delegate, ok_to_auth_as_delegate) commands.append( [name, 'service_add_smb', _args]) res_find = {} # service_add_smb will prefix 'name' with # "cifs/", so we will need to change it here, # so that service_mod, if called later, works. name = _name if res_find is None: commands.append([name, 'service_add', args]) certificate_add = certificate or [] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] else: for remove in ['skip_host_check', 'force']: if remove in args: del args[remove] if ("krbprincipalauthind" in args and (args.get("krbprincipalauthind", [""]) == res_find.get("krbprincipalauthind", [""]))): del args["krbprincipalauthind"] if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "service_mod", args]) certificate_add, certificate_del = gen_add_del_lists( certificate, res_find.get("usercertificate")) host_add, host_del = gen_add_del_lists( host, res_find.get('managedby_host', [])) principal_add, principal_del = gen_add_del_lists( principal, res_find.get("principal")) (allow_create_keytab_user_add, allow_create_keytab_user_del) = \ gen_add_del_lists( allow_create_keytab_user, res_find.get( 'ipaallowedtoperform_write_keys_user', [])) (allow_retrieve_keytab_user_add, allow_retrieve_keytab_user_del) = \ gen_add_del_lists( allow_retrieve_keytab_user, res_find.get( 'ipaallowedtoperform_read_keys_user', [])) (allow_create_keytab_group_add, allow_create_keytab_group_del) = \ gen_add_del_lists( allow_create_keytab_group, res_find.get( 'ipaallowedtoperform_write_keys_group', [])) (allow_retrieve_keytab_group_add, allow_retrieve_keytab_group_del) = \ gen_add_del_lists( allow_retrieve_keytab_group, res_find.get( 'ipaallowedtoperform_read_keys_group', [])) (allow_create_keytab_host_add, allow_create_keytab_host_del) = \ gen_add_del_lists( allow_create_keytab_host, res_find.get( 'ipaallowedtoperform_write_keys_host', [])) (allow_retrieve_keytab_host_add, allow_retrieve_keytab_host_del) = \ gen_add_del_lists( allow_retrieve_keytab_host, res_find.get( 'ipaallowedtoperform_read_keys_host', [])) (allow_create_keytab_hostgroup_add, allow_create_keytab_hostgroup_del) = \ gen_add_del_lists( allow_create_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_write_keys_hostgroup', [])) (allow_retrieve_keytab_hostgroup_add, allow_retrieve_keytab_hostgroup_del) = \ gen_add_del_lists( allow_retrieve_keytab_hostgroup, res_find.get( 'ipaallowedtoperform_read_keys_hostgroup', [])) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) existing = res_find.get('usercertificate', []) if certificate is None: certificate_add = [] else: certificate_add = [ c for c in certificate if c not in existing ] certificate_del = [] host_add = host or [] host_del = [] principal_add = principal or [] principal_del = [] allow_create_keytab_user_add = \ allow_create_keytab_user or [] allow_create_keytab_user_del = [] allow_create_keytab_group_add = \ allow_create_keytab_group or [] allow_create_keytab_group_del = [] allow_create_keytab_host_add = \ allow_create_keytab_host or [] allow_create_keytab_host_del = [] allow_create_keytab_hostgroup_add = \ allow_create_keytab_hostgroup or [] allow_create_keytab_hostgroup_del = [] allow_retrieve_keytab_user_add = \ allow_retrieve_keytab_user or [] allow_retrieve_keytab_user_del = [] allow_retrieve_keytab_group_add = \ allow_retrieve_keytab_group or [] allow_retrieve_keytab_group_del = [] allow_retrieve_keytab_host_add = \ allow_retrieve_keytab_host or [] allow_retrieve_keytab_host_del = [] allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] # Add principals for _principal in principal_add: commands.append([ name, "service_add_principal", { "krbprincipalname": _principal, } ]) # Remove principals for _principal in principal_del: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) for _certificate in certificate_add: commands.append([ name, "service_add_cert", { "usercertificate": _certificate, } ]) # Remove certificates for _certificate in certificate_del: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts. if host is not None and len(host) > 0 and len(host_add) > 0: commands.append( [name, "service_add_host", { "host": host_add }]) # Remove hosts if host is not None and len(host) > 0 and len(host_del) > 0: commands.append( [name, "service_remove_host", { "host": host_del }]) # Allow create keytab if len(allow_create_keytab_user_add) > 0 or \ len(allow_create_keytab_group_add) > 0 or \ len(allow_create_keytab_host_add) > 0 or \ len(allow_create_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_create_keytab", { 'user': allow_create_keytab_user_add, 'group': allow_create_keytab_group_add, 'host': allow_create_keytab_host_add, 'hostgroup': allow_create_keytab_hostgroup_add } ]) # Disallow create keytab if len(allow_create_keytab_user_del) > 0 or \ len(allow_create_keytab_group_del) > 0 or \ len(allow_create_keytab_host_del) > 0 or \ len(allow_create_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user_del, 'group': allow_create_keytab_group_del, 'host': allow_create_keytab_host_del, 'hostgroup': allow_create_keytab_hostgroup_del } ]) # Allow retrieve keytab if len(allow_retrieve_keytab_user_add) > 0 or \ len(allow_retrieve_keytab_group_add) > 0 or \ len(allow_retrieve_keytab_host_add) > 0 or \ len(allow_retrieve_keytab_hostgroup_add) > 0: commands.append([ name, "service_allow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_add, 'group': allow_retrieve_keytab_group_add, 'host': allow_retrieve_keytab_host_add, 'hostgroup': allow_retrieve_keytab_hostgroup_add } ]) # Disllow retrieve keytab if len(allow_retrieve_keytab_user_del) > 0 or \ len(allow_retrieve_keytab_group_del) > 0 or \ len(allow_retrieve_keytab_host_del) > 0 or \ len(allow_retrieve_keytab_hostgroup_del) > 0: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user_del, 'group': allow_retrieve_keytab_group_del, 'host': allow_retrieve_keytab_host_del, 'hostgroup': allow_retrieve_keytab_hostgroup_del } ]) elif state == "absent": if action == "service": if res_find is not None: args = {'continue': delete_continue} commands.append([name, 'service_del', args]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) # Remove principals if principal is not None: for _principal in principal: commands.append([ name, "service_remove_principal", { "krbprincipalname": _principal, } ]) # Remove certificates if certificate is not None: existing = res_find.get('usercertificate', []) for _certificate in certificate: if _certificate in existing: commands.append([ name, "service_remove_cert", { "usercertificate": _certificate, } ]) # Add hosts if host is not None: commands.append( [name, "service_remove_host", { "host": host }]) # Allow create keytab if allow_create_keytab_user is not None or \ allow_create_keytab_group is not None or \ allow_create_keytab_host is not None or \ allow_create_keytab_hostgroup is not None: commands.append([ name, "service_disallow_create_keytab", { 'user': allow_create_keytab_user, 'group': allow_create_keytab_group, 'host': allow_create_keytab_host, 'hostgroup': allow_create_keytab_hostgroup } ]) # Allow retriev keytab if allow_retrieve_keytab_user is not None or \ allow_retrieve_keytab_group is not None or \ allow_retrieve_keytab_host is not None or \ allow_retrieve_keytab_hostgroup is not None: commands.append([ name, "service_disallow_retrieve_keytab", { 'user': allow_retrieve_keytab_user, 'group': allow_retrieve_keytab_group, 'host': allow_retrieve_keytab_host, 'hostgroup': allow_retrieve_keytab_hostgroup } ]) elif state == "disabled": if action == "service": if res_find is not None: has_cert = bool(res_find.get('usercertificate')) has_keytab = res_find.get('has_keytab', False) if has_cert or has_keytab: commands.append([name, 'service_disable', {}]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands changed = ansible_module.execute_ipa_commands(commands, result_handler) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(required=False, type='str', default=None), rename=dict( required=False, type='str', default=None, aliases=["new_name"], ), permission=dict(required=False, type='list', default=None), action=dict(type="str", default="privilege", choices=["member", "privilege"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") permission = ansible_module.params_get("permission") rename = ansible_module.params_get("rename") action = ansible_module.params_get("action") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one privilege be added at a time.") if action == "member": invalid = ["description"] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "rename"] if action == "privilege": invalid.append("permission") if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one privilege be added at a time.") invalid = ["description", "permission"] if action != "privilege": ansible_module.fail_json( msg="Action '%s' can not be used with state '%s'" % (action, state)) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s' and state '%s'" % (x, action, state)) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure privilege exists res_find = find_privilege(ansible_module, name) # Create command if state == "present": args = {} if description: args['description'] = description if action == "privilege": # Found the privilege if res_find is not None: res_cmp = { k: v for k, v in res_find.items() if k not in [ "objectclass", "cn", "dn", "memberof_permisssion" ] } # For all settings is args, check if there are # different settings in the find result. # If yes: modify if args and not compare_args_ipa( ansible_module, args, res_cmp): commands.append([name, "privilege_mod", args]) else: commands.append([name, "privilege_add", args]) res_find = {} member_args = {} if permission: member_args['permission'] = permission if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists permission_add, permission_del = gen_add_del_lists( permission, res_find.get("member_permission")) # Add members if len(permission_add) > 0: commands.append([ name, "privilege_add_permission", { "permission": permission_add, } ]) # Remove members if len(permission_del) > 0: commands.append([ name, "privilege_remove_permission", { "permission": permission_del } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No privilege '%s'" % name) if permission is None: ansible_module.fail_json(msg="No permission given") commands.append([ name, "privilege_add_permission", { "permission": permission } ]) elif state == "absent": if action == "privilege": if res_find is not None: commands.append([name, "privilege_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No privilege '%s'" % name) if permission is None: ansible_module.fail_json(msg="No permission given") commands.append([ name, "privilege_remove_permission", { "permission": permission, } ]) elif state == "renamed": if not rename: ansible_module.fail_json(msg="No rename value given.") if res_find is None: ansible_module.fail_json( msg="No privilege found to be renamed: '%s'" % (name)) if name != rename: commands.append( [name, "privilege_mod", { "rename": rename }]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands changed = ansible_module.execute_ipa_commands(commands, result_handler) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), membermanager_user=dict(required=False, type='list', default=None), membermanager_group=dict(required=False, type='list', default=None), rename=dict(required=False, type='str', default=None, aliases=["new_name"]), action=dict(type="str", default="hostgroup", choices=["member", "hostgroup"]), # state state=dict(type="str", default="present", choices=["present", "absent", "renamed"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") nomembers = module_params_get(ansible_module, "nomembers") host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") membermanager_user = module_params_get(ansible_module, "membermanager_user") membermanager_group = module_params_get(ansible_module, "membermanager_group") rename = module_params_get(ansible_module, "rename") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hostgroup can be added at a time.") invalid = ["rename"] if action == "member": invalid.extend(["description", "nomembers"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) if state == "renamed": if len(names) != 1: ansible_module.fail_json( msg="Only one hostgroup can be added at a time.") if action == "member": ansible_module.fail_json( msg="Action '%s' can not be used with state '%s'" % (action, state)) invalid = [ "description", "nomembers", "host", "hostgroup", "membermanager_user", "membermanager_group" ] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "nomembers", "rename"] if action == "hostgroup": invalid.extend(["host", "hostgroup"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() has_add_membermanager = api_check_command( "hostgroup_add_member_manager") if ((membermanager_user is not None or membermanager_group is not None) and not has_add_membermanager): ansible_module.fail_json( msg="Managing a membermanager user or group is not supported " "by your IPA version") has_mod_rename = api_check_param("hostgroup_mod", "rename") if not has_mod_rename and rename is not None: ansible_module.fail_json( msg="Renaming hostgroups is not supported by your IPA version") commands = [] for name in names: # Make sure hostgroup exists res_find = find_hostgroup(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, nomembers, rename) if action == "hostgroup": # Found the hostgroup if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hostgroup_mod", args]) else: commands.append([name, "hostgroup_add", args]) # Set res_find to empty dict for next step res_find = {} member_args = gen_member_args(host, hostgroup) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get("member_host")) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get("member_hostgroup")) # Add members if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([ name, "hostgroup_add_member", { "host": host_add, "hostgroup": hostgroup_add, } ]) # Remove members if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([ name, "hostgroup_remove_member", { "host": host_del, "hostgroup": hostgroup_del, } ]) membermanager_user_add, membermanager_user_del = \ gen_add_del_lists( membermanager_user, res_find.get("membermanager_user") ) membermanager_group_add, membermanager_group_del = \ gen_add_del_lists( membermanager_group, res_find.get("membermanager_group") ) if has_add_membermanager: # Add membermanager users and groups if len(membermanager_user_add) > 0 or \ len(membermanager_group_add) > 0: commands.append([ name, "hostgroup_add_member_manager", { "user": membermanager_user_add, "group": membermanager_group_add, } ]) # Remove member manager if len(membermanager_user_del) > 0 or \ len(membermanager_group_del) > 0: commands.append([ name, "hostgroup_remove_member_manager", { "user": membermanager_user_del, "group": membermanager_group_del, } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hostgroup '%s'" % name) # Ensure members are present commands.append([ name, "hostgroup_add_member", { "host": host, "hostgroup": hostgroup, } ]) if has_add_membermanager: # Add membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "hostgroup_add_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) elif state == "renamed": if res_find is not None: if rename != name: commands.append( [name, "hostgroup_mod", { "rename": rename }]) else: # If a hostgroup with the desired name exists, do nothing. new_find = find_hostgroup(ansible_module, rename) if new_find is None: # Fail only if the either hostsgroups do not exist. ansible_module.fail_json( msg="Attribute `rename` can not be used, unless " "hostgroup exists.") elif state == "absent": if action == "hostgroup": if res_find is not None: commands.append([name, "hostgroup_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hostgroup '%s'" % name) # Ensure members are absent commands.append([ name, "hostgroup_remove_member", { "host": host, "hostgroup": hostgroup, } ]) if has_add_membermanager: # Remove membermanager users and groups if membermanager_user is not None or \ membermanager_group is not None: commands.append([ name, "hostgroup_remove_member_manager", { "user": membermanager_user, "group": membermanager_group, } ]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. errors = [] for failed_item in result.get("failed", []): failed = result["failed"][failed_item] for member_type in failed: for member, failure in failed[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, required=True), # present description=dict(type="str", default=None), usercategory=dict(type="str", default=None, aliases=["usercat"], choices=["all"]), hostcategory=dict(type="str", default=None, aliases=["hostcat"], choices=["all"]), servicecategory=dict(type="str", default=None, aliases=["servicecat"], choices=["all"]), nomembers=dict(required=False, type='bool', default=None), host=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None), hbacsvc=dict(required=False, type='list', default=None), hbacsvcgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), action=dict(type="str", default="hbacrule", choices=["member", "hbacrule"]), # state state=dict(type="str", default="present", choices=["present", "absent", "enabled", "disabled"]), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = module_params_get(ansible_module, "ipaadmin_principal") ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") names = module_params_get(ansible_module, "name") # present description = module_params_get(ansible_module, "description") usercategory = module_params_get(ansible_module, "usercategory") hostcategory = module_params_get(ansible_module, "hostcategory") servicecategory = module_params_get(ansible_module, "servicecategory") nomembers = module_params_get(ansible_module, "nomembers") host = module_params_get(ansible_module, "host") hostgroup = module_params_get(ansible_module, "hostgroup") hbacsvc = module_params_get(ansible_module, "hbacsvc") hbacsvcgroup = module_params_get(ansible_module, "hbacsvcgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") action = module_params_get(ansible_module, "action") # state state = module_params_get(ansible_module, "state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one hbacrule can be added at a time.") if action == "member": invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " "'%s'" % (x, action)) elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers"] if action == "hbacrule": invalid.extend(["host", "hostgroup", "hbacsvc", "hbacsvcgroup", "user", "group"]) for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: ansible_module.fail_json(msg="No name given.") if action == "member": ansible_module.fail_json( msg="Action member can not be used with states enabled and " "disabled") invalid = ["description", "usercategory", "hostcategory", "servicecategory", "nomembers", "host", "hostgroup", "hbacsvc", "hbacsvcgroup", "user", "group"] for x in invalid: if vars()[x] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % (x, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) # Init changed = False exit_args = {} ccache_dir = None ccache_name = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure hbacrule exists res_find = find_hbacrule(ansible_module, name) # Create command if state == "present": # Generate args args = gen_args(description, usercategory, hostcategory, servicecategory, nomembers) if action == "hbacrule": # Found the hbacrule if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "hbacrule_mod", args]) else: commands.append([name, "hbacrule_add", args]) # Set res_find to empty dict for next step res_find = {} # Generate addition and removal lists host_add, host_del = gen_add_del_lists( host, res_find.get("memberhost_host")) hostgroup_add, hostgroup_del = gen_add_del_lists( hostgroup, res_find.get("memberhost_hostgroup")) hbacsvc_add, hbacsvc_del = gen_add_del_lists( hbacsvc, res_find.get("memberservice_hbacsvc")) hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists( hbacsvcgroup, res_find.get("memberservice_hbacsvcgroup")) user_add, user_del = gen_add_del_lists( user, res_find.get("memberuser_user")) group_add, group_del = gen_add_del_lists( group, res_find.get("memberuser_group")) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: commands.append([name, "hbacrule_add_host", { "host": host_add, "hostgroup": hostgroup_add, }]) # Remove hosts and hostgroups if len(host_del) > 0 or len(hostgroup_del) > 0: commands.append([name, "hbacrule_remove_host", { "host": host_del, "hostgroup": hostgroup_del, }]) # Add hbacsvcs and hbacsvcgroups if len(hbacsvc_add) > 0 or len(hbacsvcgroup_add) > 0: commands.append([name, "hbacrule_add_service", { "hbacsvc": hbacsvc_add, "hbacsvcgroup": hbacsvcgroup_add, }]) # Remove hbacsvcs and hbacsvcgroups if len(hbacsvc_del) > 0 or len(hbacsvcgroup_del) > 0: commands.append([name, "hbacrule_remove_service", { "hbacsvc": hbacsvc_del, "hbacsvcgroup": hbacsvcgroup_del, }]) # Add users and groups if len(user_add) > 0 or len(group_add) > 0: commands.append([name, "hbacrule_add_user", { "user": user_add, "group": group_add, }]) # Remove users and groups if len(user_del) > 0 or len(group_del) > 0: commands.append([name, "hbacrule_remove_user", { "user": user_del, "group": group_del, }]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # Add hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "hbacrule_add_host", { "host": host, "hostgroup": hostgroup, }]) # Add hbacsvcs and hbacsvcgroups if hbacsvc is not None or hbacsvcgroup is not None: commands.append([name, "hbacrule_add_service", { "hbacsvc": hbacsvc, "hbacsvcgroup": hbacsvcgroup, }]) # Add users and groups if user is not None or group is not None: commands.append([name, "hbacrule_add_user", { "user": user, "group": group, }]) elif state == "absent": if action == "hbacrule": if res_find is not None: commands.append([name, "hbacrule_del", {}]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # Remove hosts and hostgroups if host is not None or hostgroup is not None: commands.append([name, "hbacrule_remove_host", { "host": host, "hostgroup": hostgroup, }]) # Remove hbacsvcs and hbacsvcgroups if hbacsvc is not None or hbacsvcgroup is not None: commands.append([name, "hbacrule_remove_service", { "hbacsvc": hbacsvc, "hbacsvcgroup": hbacsvcgroup, }]) # Remove users and groups if user is not None or group is not None: commands.append([name, "hbacrule_remove_user", { "user": user, "group": group, }]) elif state == "enabled": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # hbacrule_enable is not failing on an enabled hbacrule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "TRUE": commands.append([name, "hbacrule_enable", {}]) elif state == "disabled": if res_find is None: ansible_module.fail_json(msg="No hbacrule '%s'" % name) # hbacrule_disable is not failing on an disabled hbacrule # Therefore it is needed to have a look at the ipaenabledflag # in res_find. if "ipaenabledflag" not in res_find or \ res_find["ipaenabledflag"][0] != "FALSE": commands.append([name, "hbacrule_disable", {}]) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Execute commands errors = [] for name, command, args in commands: try: result = api_command(ansible_module, command, name, args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as e: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(e))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append("%s: %s %s: %s" % ( command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)
def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # generalgroups name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(required=False, type="str", default=None), vault_type=dict(type="str", aliases=["ipavaulttype"], default=None, required=False, choices=["standard", "symmetric", "asymmetric"]), vault_public_key=dict( type="str", required=False, default=None, aliases=['ipavaultpublickey', 'public_key', 'new_public_key']), vault_public_key_file=dict( type="str", required=False, default=None, aliases=['public_key_file', 'new_public_key_file']), vault_private_key=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultprivatekey', 'private_key']), vault_private_key_file=dict(type="str", required=False, default=None, aliases=['private_key_file']), vault_salt=dict(type="str", required=False, default=None, aliases=['ipavaultsalt', 'salt']), username=dict(type="str", required=False, default=None, aliases=['user']), service=dict(type="str", required=False, default=None), shared=dict(type="bool", required=False, default=None), users=dict(required=False, type='list', default=None), groups=dict(required=False, type='list', default=None), services=dict(required=False, type='list', default=None), owners=dict(required=False, type='list', default=None, aliases=['ownerusers']), ownergroups=dict(required=False, type='list', default=None), ownerservices=dict(required=False, type='list', default=None), vault_data=dict(type="str", required=False, default=None, no_log=True, aliases=['ipavaultdata', 'data']), datafile_in=dict(type="str", required=False, default=None, aliases=['in']), datafile_out=dict(type="str", required=False, default=None, aliases=['out']), vault_password=dict( type="str", required=False, default=None, no_log=True, aliases=['ipavaultpassword', 'password', "old_password"]), vault_password_file=dict( type="str", required=False, default=None, no_log=False, aliases=['password_file', "old_password_file"]), new_password=dict(type="str", required=False, default=None, no_log=True), new_password_file=dict(type="str", required=False, default=None, no_log=False), # state action=dict(type="str", default="vault", choices=["vault", "data", "member"]), state=dict(type="str", default="present", choices=["present", "absent", "retrieved"]), ), supports_check_mode=True, mutually_exclusive=[['username', 'service', 'shared'], ['datafile_in', 'vault_data'], ['new_password', 'new_password_file'], ['vault_password', 'vault_password_file'], ['vault_public_key', 'vault_public_key_file']], ) ansible_module._ansible_debug = True # general names = ansible_module.params_get("name") # present description = ansible_module.params_get("description") username = ansible_module.params_get("username") service = ansible_module.params_get("service") shared = ansible_module.params_get("shared") users = ansible_module.params_get("users") groups = ansible_module.params_get("groups") services = ansible_module.params_get("services") owners = ansible_module.params_get("owners") ownergroups = ansible_module.params_get("ownergroups") ownerservices = ansible_module.params_get("ownerservices") vault_type = ansible_module.params_get("vault_type") salt = ansible_module.params_get("vault_salt") password = ansible_module.params_get("vault_password") password_file = ansible_module.params_get("vault_password_file") new_password = ansible_module.params_get("new_password") new_password_file = ansible_module.params_get("new_password_file") public_key = ansible_module.params_get("vault_public_key") public_key_file = ansible_module.params_get("vault_public_key_file") private_key = ansible_module.params_get("vault_private_key") private_key_file = ansible_module.params_get("vault_private_key_file") vault_data = ansible_module.params_get("vault_data") datafile_in = ansible_module.params_get("datafile_in") datafile_out = ansible_module.params_get("datafile_out") action = ansible_module.params_get("action") state = ansible_module.params_get("state") # Check parameters if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be added at a time.") elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") elif state == "retrieved": if len(names) != 1: ansible_module.fail_json( msg="Only one vault can be retrieved at a time.") else: ansible_module.fail_json(msg="Invalid state '%s'" % state) check_parameters(ansible_module, state, action, description, username, service, shared, users, groups, services, owners, ownergroups, ownerservices, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file) # Init changed = False exit_args = {} with ansible_module.ipa_connect(context='ansible-freeipa') as ccache_name: if ccache_name is not None: os.environ["KRB5CCNAME"] = ccache_name commands = [] for name in names: # Make sure vault exists res_find = find_vault(ansible_module, name, username, service, shared) # Set default vault_type if needed. res_type = res_find.get('ipavaulttype')[0] if res_find else None if vault_type is None: vault_type = res_type if res_find is not None else u"symmetric" # Generate args args = gen_args(description, username, service, shared, vault_type, salt, public_key, public_key_file) pwdargs = None # Create command if state == "present": # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) change_passwd = any([ new_password, new_password_file, (private_key or private_key_file) and (public_key or public_key_file) ]) if action == "vault": # Found the vault if res_find is not None: arg_type = args.get("ipavaulttype") modified = not compare_args_ipa( ansible_module, args, res_find) if arg_type != res_type or change_passwd: stargs = data_storage_args( res_type, args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) stored = get_stored_data(ansible_module, res_find, stargs) if stored: vault_data = \ (stored or b"").decode("utf-8") remove_attrs = { "symmetric": ["private_key", "public_key"], "asymmetric": ["password", "ipavaultsalt"], "standard": [ "private_key", "public_key", "password", "ipavaultsalt" ], } for attr in remove_attrs.get(arg_type, []): if attr in args: del args[attr] if vault_type == 'symmetric': if 'ipavaultsalt' not in args: args['ipavaultsalt'] = os.urandom(32) else: args['ipavaultsalt'] = b'' if modified: commands.append([name, "vault_mod_internal", args]) else: if vault_type == 'symmetric' \ and 'ipavaultsalt' not in args: args['ipavaultsalt'] = os.urandom(32) commands.append([name, "vault_add_internal", args]) if vault_type != 'standard' and vault_data is None: vault_data = '' # Set res_find to empty dict for next steps res_find = {} # Generate adittion and removal lists user_add, user_del = \ gen_add_del_lists(users, res_find.get('member_user', [])) group_add, group_del = \ gen_add_del_lists(groups, res_find.get('member_group', [])) service_add, service_del = \ gen_add_del_lists(services, res_find.get('member_service', [])) owner_add, owner_del = \ gen_add_del_lists(owners, res_find.get('owner_user', [])) ownergroups_add, ownergroups_del = \ gen_add_del_lists(ownergroups, res_find.get('owner_group', [])) ownerservice_add, ownerservice_del = \ gen_add_del_lists(ownerservices, res_find.get('owner_service', [])) # Add users and groups user_add_args = gen_member_args(args, user_add, group_add, service_add) if user_add_args is not None: commands.append( [name, 'vault_add_member', user_add_args]) # Remove users and groups user_del_args = gen_member_args(args, user_del, group_del, service_del) if user_del_args is not None: commands.append( [name, 'vault_remove_member', user_del_args]) # Add owner users and groups owner_add_args = gen_member_args(args, owner_add, ownergroups_add, ownerservice_add) if owner_add_args is not None: commands.append( [name, 'vault_add_owner', owner_add_args]) # Remove owner users and groups owner_del_args = gen_member_args(args, owner_del, ownergroups_del, ownerservice_del) if owner_del_args is not None: commands.append( [name, 'vault_remove_owner', owner_del_args]) elif action in "member": # Add users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append([name, 'vault_add_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append([name, 'vault_add_owner', owner_args]) if any([vault_data, datafile_in]): if change_passwd: pwdargs = data_storage_args(vault_type, args, vault_data, new_password, new_password_file, private_key, private_key_file, datafile_in, datafile_out) else: pwdargs = data_storage_args(vault_type, args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) pwdargs['override_password'] = True pwdargs.pop("private_key", None) pwdargs.pop("private_key_file", None) commands.append([name, "vault_archive", pwdargs]) elif state == "retrieved": if res_find is None: ansible_module.fail_json( msg="Vault `%s` not found to retrieve data." % name) # verify data encription args check_encryption_params( ansible_module, state, action, vault_type, salt, password, password_file, public_key, public_key_file, private_key, private_key_file, vault_data, datafile_in, datafile_out, new_password, new_password_file, res_find) pwdargs = data_storage_args(res_find["ipavaulttype"][0], args, vault_data, password, password_file, private_key, private_key_file, datafile_in, datafile_out) if 'data' in pwdargs: del pwdargs['data'] commands.append([name, "vault_retrieve", pwdargs]) elif state == "absent": if 'ipavaulttype' in args: del args['ipavaulttype'] if action == "vault": if res_find is not None: remove = ['ipavaultsalt', 'ipavaultpublickey'] args = { k: v for k, v in args.items() if k not in remove } commands.append([name, "vault_del", args]) elif action == "member": # remove users and groups if any([users, groups, services]): user_args = gen_member_args(args, users, groups, services) commands.append( [name, 'vault_remove_member', user_args]) if any([owners, ownergroups, ownerservices]): owner_args = gen_member_args(args, owners, ownergroups, ownerservices) commands.append( [name, 'vault_remove_owner', owner_args]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % (action, state)) else: ansible_module.fail_json(msg="Unknown state '%s'" % state) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) # Execute commands errors = [] for name, command, args in commands: try: result = ansible_module.ipa_command(command, name, args) if command == 'vault_archive': changed = 'Archived data into' in result['summary'] elif command == 'vault_retrieve': if 'result' not in result: raise Exception("No result obtained.") if "data" in result["result"]: data_return = exit_args.setdefault("vault", {}) data_return["data"] = result["result"]["data"] else: if not datafile_out: raise Exception("No data retrieved.") changed = False else: if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except ipalib_errors.EmptyModlist: result = {} except Exception as exception: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(exception))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: if "already a member" in failure \ or "not a member" in failure: continue errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) # Done # exit_raw_json is a replacement for ansible_module.exit_json that # does not mask the output. exit_raw_json(ansible_module, changed=changed, **exit_args)
def main(): ansible_module = AnsibleModule( argument_spec=dict( # general ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_password=dict(type="str", required=False, no_log=True), inclusive=dict(type="list", aliases=["automemberinclusiveregex"], default=None), exclusive=dict(type="list", aliases=["automemberexclusiveregex"], default=None), name=dict(type="list", aliases=["cn"], default=None, required=True), description=dict(type="str", default=None), automember_type=dict(type='str', required=False, choices=['group', 'hostgroup']), action=dict(type="str", default="service", choices=["member", "service"]), state=dict(type="str", default="present", choices=["present", "absent", "rebuild"]), users=dict(type="list", default=None), hosts=dict(type="list", default=None), ), supports_check_mode=True, ) ansible_module._ansible_debug = True # Get parameters # general ipaadmin_principal = ansible_module.params.get("ipaadmin_principal") ipaadmin_password = ansible_module.params.get("ipaadmin_password") names = ansible_module.params.get("name") # present description = ansible_module.params.get("description") # conditions inclusive = ansible_module.params.get("inclusive") exclusive = ansible_module.params.get("exclusive") # action action = ansible_module.params.get("action") # state state = ansible_module.params.get("state") # grouping/type automember_type = ansible_module.params.get("automember_type") rebuild_users = ansible_module.params.get("users") rebuild_hosts = ansible_module.params.get("hosts") if (rebuild_hosts or rebuild_users) and state != "rebuild": ansible_module.fail_json( msg="'hosts' and 'users' are only valid with state: rebuild") if not automember_type and state != "rebuild": ansible_module.fail_json( msg="'automember_type' is required unless state: rebuild") # Init changed = False exit_args = {} ccache_dir = None ccache_name = None res_find = None try: if not valid_creds(ansible_module, ipaadmin_principal): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() commands = [] for name in names: # Make sure automember rule exists res_find = find_automember(ansible_module, name, automember_type) # Create command if state == 'present': args = gen_args(description, automember_type) if action == "service": if res_find is not None: if not compare_args_ipa( ansible_module, args, res_find, ignore=['type']): commands.append([name, 'automember_mod', args]) else: commands.append([name, 'automember_add', args]) res_find = {} inclusive_add, inclusive_del = gen_add_del_lists( transform_conditions(inclusive or []), res_find.get("automemberinclusiveregex", [])) exclusive_add, exclusive_del = gen_add_del_lists( transform_conditions(exclusive or []), res_find.get("automemberexclusiveregex", [])) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) inclusive_add = transform_conditions(inclusive or []) inclusive_del = [] exclusive_add = transform_conditions(exclusive or []) exclusive_del = [] for _inclusive in inclusive_add: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args(automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_add_condition', condition_args]) for _inclusive in inclusive_del: key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args(automember_type, key, inclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) for _exclusive in exclusive_add: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args(automember_type, key, exclusiveregex=regex) commands.append( [name, 'automember_add_condition', condition_args]) for _exclusive in exclusive_del: key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args(automember_type, key, exclusiveregex=regex) commands.append( [name, 'automember_remove_condition', condition_args]) elif state == 'absent': if action == "service": if res_find is not None: commands.append([ name, 'automember_del', { 'type': to_text(automember_type) } ]) elif action == "member": if res_find is None: ansible_module.fail_json(msg="No service '%s'" % name) if inclusive is not None: for _inclusive in transform_conditions(inclusive): key, regex = _inclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, inclusiveregex=regex) commands.append([ name, 'automember_remove_condition', condition_args ]) if exclusive is not None: for _exclusive in transform_conditions(exclusive): key, regex = _exclusive.split("=", 1) condition_args = gen_condition_args( automember_type, key, exclusiveregex=regex) commands.append([ name, 'automember_remove_condition', condition_args ]) elif state == "rebuild": if automember_type: commands.append([ None, 'automember_rebuild', { "type": to_text(automember_type) } ]) if rebuild_users: commands.append([ None, 'automember_rebuild', { "users": [to_text(_u) for _u in rebuild_users] } ]) if rebuild_hosts: commands.append([ None, 'automember_rebuild', { "hosts": [to_text(_h) for _h in rebuild_hosts] } ]) # Check mode exit if ansible_module.check_mode: ansible_module.exit_json(changed=len(commands) > 0, **exit_args) errors = [] for name, command, args in commands: try: if name is None: result = api_command_no_name(ansible_module, command, args) else: result = api_command(ansible_module, command, to_text(name), args) if "completed" in result: if result["completed"] > 0: changed = True else: changed = True except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, str(ex))) # Get all errors if "failed" in result and len(result["failed"]) > 0: for item in result["failed"]: failed_item = result["failed"][item] for member_type in failed_item: for member, failure in failed_item[member_type]: errors.append( "%s: %s %s: %s" % (command, member_type, member, failure)) if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) except Exception as e: ansible_module.fail_json(msg=str(e)) finally: temp_kdestroy(ccache_dir, ccache_name) # Done ansible_module.exit_json(changed=changed, **exit_args)