fixup! ipasudorule: Add support for batch mode and multiple sudorules

rjeffman · Nov 12, 2024 · 177fa50 · 177fa50
1 parent bb42267
commit 177fa50
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 20 deletions.
diff --git a/README-sudorule.md b/README-sudorule.md
@@ -157,7 +157,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
-`name` \| `cn` | The list of sudorule name strings. | yes
+`name` \| `cn` | The list of sudorule name strings. | no
+`sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
+&nbsp; | `name` - The sudorule name string of the entry. | yes
 `description` | The sudorule description string. | no
 `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
 `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no

diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py
@@ -370,7 +370,7 @@
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
     gen_intersection_list, api_get_domain, ensure_fqdn, netaddr, to_text, \
-    convert_param_value_to_lowercase, EntryFactory
+    ipalib_errors, convert_param_value_to_lowercase, EntryFactory
 
 
 def find_sudorule(module, name):
@@ -380,7 +380,7 @@ def find_sudorule(module, name):
 
     try:
         _result = module.ipa_command("sudorule_show", name, _args)
-    except Exception:  # pylint: disable=broad-except
+    except ipalib_errors.NotFound:
         return None
     return _result["result"]
 
@@ -590,7 +590,7 @@ def main():
     # Factory parameters
     params = {
         "name": {"aliases": ["cn"]},
-        "description": None,
+        "description": {},
         "cmdcategory": {"aliases": ["cmdcat"]},
         "usercategory": {"aliases": ["usercat"]},
         "hostcategory": {"aliases": ["hostcat"]},
@@ -601,16 +601,16 @@ def main():
         "hostmask": {"convert": [convert_list_of_hostmask]},
         "user": {"convert": [convert_param_value_to_lowercase]},
         "group": {"convert": [convert_param_value_to_lowercase]},
-        "allow_sudocmd": None,
+        "allow_sudocmd": {},
         "allow_sudocmdgroup": {"convert": [convert_param_value_to_lowercase]},
-        "deny_sudocmd": None,
+        "deny_sudocmd": {},
         "deny_sudocmdgroup": {"convert": [convert_param_value_to_lowercase]},
         "sudooption": {"aliases": ["option"]},
         "order": {"aliases": ["sudoorder"]},
         "runasuser": {"convert": [convert_param_value_to_lowercase]},
         "runasuser_group": {"convert": [convert_param_value_to_lowercase]},
         "runasgroup": {"convert": [convert_param_value_to_lowercase]},
-        "nomembers": None,
+        "nomembers": {},
     }
 
     # Connect to IPA API

diff --git a/tests/sudorule/test_sudorules.yml b/tests/sudorule/test_sudorules.yml
@@ -111,7 +111,7 @@
       register: result
       failed_when: result.changed or result.failed
 
-    - name: Remove testrule1 and testrule2
+    - name: Ensure testrule1 and testrule2 are absent
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -120,7 +120,7 @@
       register: result
       failed_when: not result.changed or result.failed
 
-    - name: Remove testrule1 and testrule2, again
+    - name: Ensure testrule1 and testrule2 are absent, again
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -129,7 +129,7 @@
       register: result
       failed_when: result.changed or result.failed
 
-    - name: Check allhosts and allcommands sudorules are still present
+    - name: Ensure allhosts and allcommands sudorules are still present
       ipasudorule:
         sudorules:
           - name: allhosts
@@ -178,7 +178,7 @@
       register: result
       failed_when: not result.changed or result.failed
 
-    - name: Ensure sudorules with parameters are not modified again
+    - name: Ensure sudorules with parameters are modified again
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -191,7 +191,7 @@
       register: result
       failed_when: result.changed or result.failed
 
-    - name: Ensure sudorules can be modified through members
+    - name: Ensure sudorules members can be modified
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -205,7 +205,7 @@
       register: result
       failed_when: not result.changed or result.failed
 
-    - name: Ensure sudorules cannot be modified through members, again
+    - name: Ensure sudorules members can modified, again
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -221,7 +221,7 @@
       register: result
       failed_when: result.changed or result.failed
 
-    - name: Ensure sudorules members can be removed
+    - name: Ensure sudorules members are absent
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -235,7 +235,7 @@
       register: result
       failed_when: not result.changed or result.failed
 
-    - name: Ensure sudorules members cannot be removed, again
+    - name: Ensure sudorules members are absent, again
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -249,7 +249,7 @@
       register: result
       failed_when: result.changed or result.failed
 
-    - name: Ensure testrule1 and testrule2 are still present, with proper attributes
+    - name: Ensure testrule1 and testrule2 are present, with proper attributes
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -262,7 +262,7 @@
       register: result
       failed_when: result.changed or result.failed
 
-    - name: Ensure testrule1 and testrule2 can be disabled
+    - name: Ensure testrule1 and testrule2 are disabled
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -271,7 +271,7 @@
       register: result
       failed_when: not result.changed or result.failed
 
-    - name: Ensure testrule1 and testrule2 cannot be disabled, again
+    - name: Ensure testrule1 and testrule2 are disabled, again
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -280,7 +280,7 @@
       register: result
       failed_when: result.changed or result.failed
 
-    - name: Ensure testrule1 and testrule2 can be enabled
+    - name: Ensure testrule1 and testrule2 are enabled
       ipasudorule:
         sudorules:
           - name: testrule1
@@ -289,7 +289,7 @@
       register: result
       failed_when: not result.changed or result.failed
 
-    - name: Ensure testrule1 and testrule2 cannot be enabled, again
+    - name: Ensure testrule1 and testrule2 are enabled, again
       ipasudorule:
         sudorules:
           - name: testrule1