ipahbacrule: Fix handling of hbacsvcgroup in members
FreeIPA provides a default hbacsvcgroup named "Sudo", with capital S,
that is different from every other hbacsvcgroup, which are all
represented by lower case letters.

As data from IPA API was not modified, this causes an idempotence error
when using different capitalization with the 'hbacsvcgroup' parameter.

This patch fixes the issue by using the CaseInsensitive comparator to
create the hbacsvcgroup list.

Tests were updated to make sure a regression is not introduced in the
future.
rjeffman committed Dec 27, 2023
1 parent 3b59ba0 commit d8fa7e0
Showing 2 changed files with 45 additions and 3 deletions.
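--- a/plugins/modules/ipahbacrule.py
+++ b/plugins/modules/ipahbacrule.py
@@ -171,7 +171,7 @@
 
 from ansible.module_utils.ansible_freeipa_module import \
 IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
-gen_intersection_list, ListOf, Hostname
+gen_intersection_list, ListOf, Hostname, CaseInsensitive
 
 
 def find_hbacrule(module, name):
@@ -398,7 +398,9 @@ def main():
 
 if hbacsvc is not None:
 hbacsvc_add, hbacsvc_del = gen_add_del_lists(
-hbacsvc, res_find.get("memberservice_hbacsvc"))
+hbacsvc, res_find.get("memberservice_hbacsvc"),
+attr_datatype=CaseInsensitive()
+)
 
 if hbacsvcgroup is not None:
 hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists(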
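Review bot: The commit message describes a fix for `hbacsvcgroup`, but the call in main() that gains `attr_datatype=CaseInsensitive()` is the `hbacsvc` comparison against `memberservice_hbacsvc`; the `hbacsvcgroup` call that starts on the last line of the hunk is cut off, and nothing visible shows its arguments changing. If that call still compares case-sensitively, a playbook naming `sudo` may keep computing an add/del pair for the built-in `Sudo` group, and these lists decide which services an HBAC rule grants. I would confirm that the hbacsvcgroup call also passes `attr_datatype=CaseInsensitive()`, or that the names are normalised before this point. A comment above the comparison would help, for example `# FreeIPA's default "Sudo" group is capitalised; compare member names case-insensitively`. main() and the hbacsvcgroup call both continue outside the hunk.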
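--- a/tests/hbacrule/test_hbacrule_member_case_insensitive.yml
+++ b/tests/hbacrule/test_hbacrule_member_case_insensitive.yml
@@ -468,11 +468,51 @@
 register: result
 failed_when: result.changed or result.failed
 
+# Specifically test 'Sudo' and FreeIPA adds a "Sudo" hbacsvcgroup instead of "sudo"
+- name: Ensure 'sudo' works as hbacsvcgroup.
+ipahbacrule:
+ipaadmin_password: SomeADMINpassword
+name: "test_sudo"
+hbacsvcgroup:
+- sudo
+register: result
+failed_when: not result.changed or result.failed
+
+- name: Ensure 'sudo' works as hbacsvcgroup, again.
+ipahbacrule:
+ipaadmin_password: SomeADMINpassword
+name: "test_sudo"
+hbacsvcgroup:
+- sudo
+register: result
+failed_when: result.changed or result.failed
+
+- name: Ensure 'sudo' works as hbacsvcgroup, action member.
+ipahbacrule:
+ipaadmin_password: SomeADMINpassword
+name: "test_sudo"
+hbacsvcgroup:
+- sudo
+action: member
+register: result
+failed_when: result.changed or result.failed
+
+- name: Ensure 'Sudo' works as hbacsvcgroup, action member.
+ipahbacrule:
+ipaadmin_password: SomeADMINpassword
+name: "test_sudo"
+hbacsvcgroup:
+- Sudo
+register: result
+failed_when: result.changed or result.failed
+
 always:
 - name: Ensure test hbacrule is absent
 ipahbacrule:
 ipaadmin_password: SomeADMINpassword
-name: testrule
+name:
+- testrule
+- test_sudo
 state: absent
 
 - name: Ensure test users are absent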
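Review bot: The last new task is named `Ensure 'Sudo' works as hbacsvcgroup, action member.` but, unlike the task before it, it has no `action: member` line, so it repeats the state-present check with a capital S instead of exercising the member path. Either add `action: member` to it or rename it to `Ensure 'Sudo' works as hbacsvcgroup.`. The new tasks also cover only the add and no-op runs; a removal using `action: member` with `state: absent` and the other capitalisation would show that the delete list is computed case-insensitively as well. The leading comment would read more clearly as `# Specifically test 'sudo', as FreeIPA ships a "Sudo" hbacsvcgroup instead of "sudo"`.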
