diff --git a/README-sudorule.md b/README-sudorule.md
index 81f0a5a6a3..750ee058cc 100644
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -157,7 +157,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
-`name` \| `cn` | The list of sudorule name strings. | yes
+`name` \| `cn` | The list of sudorule name strings. | no
+`sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.
There is one required option in the `sudorule` dict:| no
+  | `name` - The sudorule name string of the entry. | yes
 `description` | The sudorule description string. | no
 `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
 `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py
index 9e914083de..e99813fa16 100644
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -370,7 +370,7 @@ from ansible.module_utils.ansible_freeipa_module import \
 IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
 gen_intersection_list, api_get_domain, ensure_fqdn, netaddr, to_text, \
- convert_param_value_to_lowercase, EntryFactory
+ ipalib_errors, convert_param_value_to_lowercase, EntryFactory
 
 
 def find_sudorule(module, name):
@@ -380,7 +380,7 @@ def find_sudorule(module, name):
 try:
 _result = module.ipa_command("sudorule_show", name, _args)
- except Exception: # pylint: disable=broad-except
+ except ipalib_errors.NotFound:
 return None
 return _result["result"]
 
@@ -590,7 +590,7 @@ def main():
 # Factory parameters
 params = {
 "name": {"aliases": ["cn"]},
- "description": None,
+ "description": {},
 "cmdcategory": {"aliases": ["cmdcat"]},
 "usercategory": {"aliases": ["usercat"]},
 "hostcategory": {"aliases": ["hostcat"]},
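Review bot: The narrowed handler in `find_sudorule` now lets every IPA error other than NotFound propagate, so a permission denial or a connection failure during `sudorule_show` fails the task instead of being read as "rule does not exist" — that is the right direction, but nothing in the hunk says so, and the next person to hit a traceback here may well widen it back to `except Exception`. I would put a comment above the except: `# Only a missing rule maps to None; any other error (permission/ACI, connectivity, bad name) must surface as a failure, otherwise state=absent silently reports nothing to do and state=present would presumably attempt an add against an existing entry.` The start of find_sudorule, including the `_args` built for the call, lies outside this hunk.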
@@ -601,16 +601,16 @@ def main():
 "hostmask": {"convert": [convert_list_of_hostmask]},
 "user": {"convert": [convert_param_value_to_lowercase]},
 "group": {"convert": [convert_param_value_to_lowercase]},
- "allow_sudocmd": None,
+ "allow_sudocmd": {},
 "allow_sudocmdgroup": {"convert": [convert_param_value_to_lowercase]},
- "deny_sudocmd": None,
+ "deny_sudocmd": {},
 "deny_sudocmdgroup": {"convert": [convert_param_value_to_lowercase]},
 "sudooption": {"aliases": ["option"]},
 "order": {"aliases": ["sudoorder"]},
 "runasuser": {"convert": [convert_param_value_to_lowercase]},
 "runasuser_group": {"convert": [convert_param_value_to_lowercase]},
 "runasgroup": {"convert": [convert_param_value_to_lowercase]},
- "nomembers": None,
+ "nomembers": {},
 }
 
 # Connect to IPA API
diff --git a/tests/sudorule/test_sudorules.yml b/tests/sudorule/test_sudorules.yml
index e661850e7d..1c3dfa352d 100644
--- a/tests/sudorule/test_sudorules.yml
+++ b/tests/sudorule/test_sudorules.yml
@@ -111,7 +111,7 @@
 register: result
 failed_when: result.changed or result.failed
 
- - name: Remove testrule1 and testrule2
+ - name: Ensure testrule1 and testrule2 are absent
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -120,7 +120,7 @@
 register: result
 failed_when: not result.changed or result.failed
 
- - name: Remove testrule1 and testrule2, again
+ - name: Ensure testrule1 and testrule2 are absent, again
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -129,7 +129,7 @@
 register: result
 failed_when: result.changed or result.failed
 
- - name: Check allhosts and allcommands sudorules are still present
+ - name: Ensure allhosts and allcommands sudorules are still present
 ipasudorule:
 sudorules:
 - name: allhosts
@@ -178,7 +178,7 @@
 register: result
 failed_when: not result.changed or result.failed
 
- - name: Ensure sudorules with parameters are not modified again
+ - name: Ensure sudorules with parameters are modified again
 ipasudorule:
 sudorules:
 - name: testrule1
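Review bot: The specs for `allow_sudocmd`, `deny_sudocmd` and `nomembers` (and `description` in the preceding hunk) switch from `None` to `{}` without a word on why; presumably EntryFactory indexes each spec as a dict, but a reader cannot tell whether `None` was a latent bug or merely a style change, and the two forms will keep getting mixed. A one-line comment on the `params = {` line, such as `# every entry must be a dict; {} means "no aliases, no converters"`, would settle that. The `params` dict opens in the preceding hunk and main() continues past this one.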
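Review bot: The new name at `@@ -178` reads as if a modification is expected, but this task is apparently the idempotency re-run: the `failed_when: result.changed or result.failed` opening the next hunk fails the test if anything changed. The rest of the file marks such re-runs with a trailing ", again", so `- name: Ensure sudorules with parameters are modified, again` would say what the assertion actually checks. The task body and its register/failed_when lie outside this hunk.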
@@ -191,7 +191,7 @@
 register: result
 failed_when: result.changed or result.failed
 
- - name: Ensure sudorules can be modified through members
+ - name: Ensure sudorules members can be modified
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -205,7 +205,7 @@
 register: result
 failed_when: not result.changed or result.failed
 
- - name: Ensure sudorules cannot be modified through members, again
+ - name: Ensure sudorules members can modified, again
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -221,7 +221,7 @@
 register: result
 failed_when: result.changed or result.failed
 
- - name: Ensure sudorules members can be removed
+ - name: Ensure sudorules members are absent
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -235,7 +235,7 @@
 register: result
 failed_when: not result.changed or result.failed
 
- - name: Ensure sudorules members cannot be removed, again
+ - name: Ensure sudorules members are absent, again
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -249,7 +249,7 @@
 register: result
 failed_when: result.changed or result.failed
 
- - name: Ensure testrule1 and testrule2 are still present, with proper attributes
+ - name: Ensure testrule1 and testrule2 are present, with proper attributes
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -262,7 +262,7 @@
 register: result
 failed_when: result.changed or result.failed
 
- - name: Ensure testrule1 and testrule2 can be disabled
+ - name: Ensure testrule1 and testrule2 are disabled
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -271,7 +271,7 @@
 register: result
 failed_when: not result.changed or result.failed
 
- - name: Ensure testrule1 and testrule2 cannot be disabled, again
+ - name: Ensure testrule1 and testrule2 are disabled, again
 ipasudorule:
 sudorules:
 - name: testrule1
@@ -280,7 +280,7 @@
 register: result
 failed_when: result.changed or result.failed
 
- - name: Ensure testrule1 and testrule2 can be enabled
+ - name: Ensure testrule1 and testrule2 are enabled
 ipasudorule:
 sudorules:
 - name: testrule1
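Review bot: The renamed task at `@@ -205` has a typo, "can modified"; it should read `- name: Ensure sudorules members can be modified, again`. Cosmetic, but task names end up in CI logs and are what people grep for when a run fails, so the text is worth getting right while it is being touched.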
@@ -289,7 +289,7 @@
 register: result
 failed_when: not result.changed or result.failed
 
- - name: Ensure testrule1 and testrule2 cannot be enabled, again
+ - name: Ensure testrule1 and testrule2 are enabled, again
 ipasudorule:
 sudorules:
 - name: testrule1