Add FreeIPA modules (#3247)
* Add FreeIPA modules * Update version_added from 2.2 to 2.3 * ipa_*: Use Python 2.4 syntax to concatenate strings * ipa_*: Replace 'except Exception as e' with 'e = get_exception()' * ipa_*: import simplejson if json can't be imported * ipa_hbacrule: Fix: 'SyntaxError' on Python 2.4 * ipa_sudorule: Fix: 'SyntaxError' on Python 2.4 * ipa_*: Fix 'SyntaxError' on Python 2.4 * ipa_*: Import get_exception from ansible.module_utils.pycompat24 * Add FreeIPA modules * Update version_added from 2.2 to 2.3 * ipa_*: Fix 'SyntaxError' on Python 2.4 * ipa_*: Replace Python requests by ansible.module_utils.url * ipa_*: Replace Python requests by ansible.module_utils.url * ipa_*: Add option validate_certs * ipa_*: Remove requests from Ansible module documentation requirements * ipa_sudorule: Remove unnecessary empty line * ipa_sudorule: Remove markdown code from example * ipa_group: Add choices of state option * ipa_host: Rename options nshostlocation to ns_host_location, nshardwareplatform to ns_hardware_platform, nsosversion to ns_os_version, macaddress to mac_address and usercertificate to user_certificate and add aliases to be backward compatible
This commit is contained in:
parent
cc95bc4935
commit
32fef233f2
10 changed files with 3479 additions and 0 deletions
0
lib/ansible/modules/extras/identity/ipa/__init__.py
Normal file
0
lib/ansible/modules/extras/identity/ipa/__init__.py
Normal file
384
lib/ansible/modules/extras/identity/ipa/ipa_group.py
Normal file
384
lib/ansible/modules/extras/identity/ipa/ipa_group.py
Normal file
|
@ -0,0 +1,384 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_group
|
||||
author: Thomas Krahn (@Nosmoht)
|
||||
short_description: Manage FreeIPA group
|
||||
description:
|
||||
- Add, modify and delete group within IPA server
|
||||
options:
|
||||
cn:
|
||||
description:
|
||||
- Canonical name.
|
||||
- Can not be changed as it is the unique identifier.
|
||||
required: true
|
||||
aliases: ['name']
|
||||
external:
|
||||
description:
|
||||
- Allow adding external non-IPA members from trusted domains.
|
||||
required: false
|
||||
gidnumber:
|
||||
description:
|
||||
- GID (use this option to set it manually).
|
||||
required: false
|
||||
group:
|
||||
description:
|
||||
- List of group names assigned to this group.
|
||||
- If an empty list is passed all groups will be removed from this group.
|
||||
- If option is omitted assigned groups will not be checked or changed.
|
||||
- Groups that are already assigned but not passed will be removed.
|
||||
nonposix:
|
||||
description:
|
||||
- Create as a non-POSIX group.
|
||||
required: false
|
||||
user:
|
||||
description:
|
||||
- List of user names assigned to this group.
|
||||
- If an empty list is passed all users will be removed from this group.
|
||||
- If option is omitted assigned users will not be checked or changed.
|
||||
- Users that are already assigned but not passed will be removed.
|
||||
state:
|
||||
description:
|
||||
- State to ensure
|
||||
required: false
|
||||
default: "present"
|
||||
choices: ["present", "absent"]
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: "ipa.example.com"
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: "admin"
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: "https"
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Ensure group is present
|
||||
- ipa_group:
|
||||
name: oinstall
|
||||
gidnumber: 54321
|
||||
state: present
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure that groups sysops and appops are assigned to ops but no other group
|
||||
- ipa_group:
|
||||
name: ops
|
||||
group:
|
||||
- sysops
|
||||
- appops
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure that users linus and larry are assign to the group, but no other user
|
||||
- ipa_group:
|
||||
name: sysops
|
||||
user:
|
||||
- linus
|
||||
- larry
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure group is absent
|
||||
- ipa_group:
|
||||
name: sysops
|
||||
state: absent
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
group:
|
||||
description: Group as returned by IPA API
|
||||
returned: always
|
||||
type: dict
|
||||
'''
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def group_find(self, name):
|
||||
return self._post_json(method='group_find', name=None, item={'all': True, 'cn': name})
|
||||
|
||||
def group_add(self, name, item):
|
||||
return self._post_json(method='group_add', name=name, item=item)
|
||||
|
||||
def group_mod(self, name, item):
|
||||
return self._post_json(method='group_mod', name=name, item=item)
|
||||
|
||||
def group_del(self, name):
|
||||
return self._post_json(method='group_del', name=name)
|
||||
|
||||
def group_add_member(self, name, item):
|
||||
return self._post_json(method='group_add_member', name=name, item=item)
|
||||
|
||||
def group_add_member_group(self, name, item):
|
||||
return self.group_add_member(name=name, item={'group': item})
|
||||
|
||||
def group_add_member_user(self, name, item):
|
||||
return self.group_add_member(name=name, item={'user': item})
|
||||
|
||||
def group_remove_member(self, name, item):
|
||||
return self._post_json(method='group_remove_member', name=name, item=item)
|
||||
|
||||
def group_remove_member_group(self, name, item):
|
||||
return self.group_remove_member(name=name, item={'group': item})
|
||||
|
||||
def group_remove_member_user(self, name, item):
|
||||
return self.group_remove_member(name=name, item={'user': item})
|
||||
|
||||
|
||||
def get_group_dict(description=None, external=None, gid=None, nonposix=None):
|
||||
group = {}
|
||||
if description is not None:
|
||||
group['description'] = description
|
||||
if external is not None:
|
||||
group['external'] = external
|
||||
if gid is not None:
|
||||
group['gidnumber'] = gid
|
||||
if nonposix is not None:
|
||||
group['nonposix'] = nonposix
|
||||
return group
|
||||
|
||||
|
||||
def get_group_diff(ipa_group, module_group):
|
||||
data = []
|
||||
# With group_add attribute nonposix is passed, whereas with group_mod only posix can be passed.
|
||||
if 'nonposix' in module_group:
|
||||
# Only non-posix groups can be changed to posix
|
||||
if not module_group['nonposix'] and ipa_group.get('nonposix'):
|
||||
module_group['posix'] = True
|
||||
del module_group['nonposix']
|
||||
|
||||
for key in module_group.keys():
|
||||
module_value = module_group.get(key, None)
|
||||
ipa_value = ipa_group.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(module_value, list):
|
||||
module_value = [module_value]
|
||||
if isinstance(ipa_value, list) and isinstance(module_value, list):
|
||||
ipa_value = sorted(ipa_value)
|
||||
module_value = sorted(module_value)
|
||||
if ipa_value != module_value:
|
||||
data.append(key)
|
||||
return data
|
||||
|
||||
|
||||
def modify_if_diff(module, name, ipa_list, module_list, add_method, remove_method):
|
||||
changed = False
|
||||
diff = list(set(ipa_list) - set(module_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
remove_method(name=name, item=diff)
|
||||
|
||||
diff = list(set(module_list) - set(ipa_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
add_method(name=name, item=diff)
|
||||
|
||||
return changed
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
state = module.params['state']
|
||||
name = module.params['name']
|
||||
group = module.params['group']
|
||||
user = module.params['user']
|
||||
|
||||
module_group = get_group_dict(description=module.params['description'], external=module.params['external'],
|
||||
gid=module.params['gidnumber'], nonposix=module.params['nonposix'])
|
||||
ipa_group = client.group_find(name=name)
|
||||
|
||||
changed = False
|
||||
if state == 'present':
|
||||
if not ipa_group:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
ipa_group = client.group_add(name, item=module_group)
|
||||
else:
|
||||
diff = get_group_diff(ipa_group, module_group)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
data = {}
|
||||
for key in diff:
|
||||
data[key] = module_group.get(key)
|
||||
client.group_mod(name=name, item=data)
|
||||
|
||||
if group is not None:
|
||||
changed = modify_if_diff(module, name, ipa_group.get('member_group', []), group,
|
||||
client.group_add_member_group,
|
||||
client.group_remove_member_group) or changed
|
||||
|
||||
if user is not None:
|
||||
changed = modify_if_diff(module, name, ipa_group.get('member_user', []), user,
|
||||
client.group_add_member_user,
|
||||
client.group_remove_member_user) or changed
|
||||
|
||||
else:
|
||||
if ipa_group:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.group_del(name)
|
||||
|
||||
return changed, client.group_find(name=name)
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
cn=dict(type='str', required=True, aliases=['name']),
|
||||
description=dict(type='str', required=False),
|
||||
external=dict(type='bool', required=False),
|
||||
gidnumber=dict(type='str', required=False, aliases=['gid']),
|
||||
group=dict(type='list', required=False),
|
||||
nonposix=dict(type='bool', required=False),
|
||||
state=dict(type='str', required=False, default='present', choices=['present', 'absent']),
|
||||
user=dict(type='list', required=False),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, group = ensure(module, client)
|
||||
module.exit_json(changed=changed, group=group)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
479
lib/ansible/modules/extras/identity/ipa/ipa_hbacrule.py
Normal file
479
lib/ansible/modules/extras/identity/ipa/ipa_hbacrule.py
Normal file
|
@ -0,0 +1,479 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_hbacrule
|
||||
author: Thomas Krahn (@Nosmoht)
|
||||
short_description: Manage FreeIPA HBAC rule
|
||||
description:
|
||||
- Add, modify or delete an IPA HBAC rule using IPA API.
|
||||
options:
|
||||
cn:
|
||||
description:
|
||||
- Canonical name.
|
||||
- Can not be changed as it is the unique identifier.
|
||||
required: true
|
||||
aliases: ["name"]
|
||||
description:
|
||||
description: Description
|
||||
required: false
|
||||
host:
|
||||
description:
|
||||
- List of host names to assign.
|
||||
- If an empty list is passed all hosts will be removed from the rule.
|
||||
- If option is omitted hosts will not be checked or changed.
|
||||
required: false
|
||||
hostcategory:
|
||||
description: Host category
|
||||
required: false
|
||||
choices: ['all']
|
||||
hostgroup:
|
||||
description:
|
||||
- List of hostgroup names to assign.
|
||||
- If an empty list is passed all hostgroups will be removed. from the rule
|
||||
- If option is omitted hostgroups will not be checked or changed.
|
||||
service:
|
||||
description:
|
||||
- List of service names to assign.
|
||||
- If an empty list is passed all services will be removed from the rule.
|
||||
- If option is omitted services will not be checked or changed.
|
||||
servicecategory:
|
||||
description: Service category
|
||||
required: false
|
||||
choices: ['all']
|
||||
servicegroup:
|
||||
description:
|
||||
- List of service group names to assign.
|
||||
- If an empty list is passed all assigned service groups will be removed from the rule.
|
||||
- If option is omitted service groups will not be checked or changed.
|
||||
sourcehost:
|
||||
description:
|
||||
- List of source host names to assign.
|
||||
- If an empty list if passed all assigned source hosts will be removed from the rule.
|
||||
- If option is omitted source hosts will not be checked or changed.
|
||||
sourcehostcategory:
|
||||
description: Source host category
|
||||
required: false
|
||||
choices: ['all']
|
||||
sourcehostgroup:
|
||||
description:
|
||||
- List of source host group names to assign.
|
||||
- If an empty list if passed all assigned source host groups will be removed from the rule.
|
||||
- If option is omitted source host groups will not be checked or changed.
|
||||
state:
|
||||
description: State to ensure
|
||||
required: false
|
||||
default: "present"
|
||||
choices: ["present", "absent", "enabled", "disabled"]
|
||||
user:
|
||||
description:
|
||||
- List of user names to assign.
|
||||
- If an empty list if passed all assigned users will be removed from the rule.
|
||||
- If option is omitted users will not be checked or changed.
|
||||
usercategory:
|
||||
description: User category
|
||||
required: false
|
||||
choices: ['all']
|
||||
usergroup:
|
||||
description:
|
||||
- List of user group names to assign.
|
||||
- If an empty list if passed all assigned user groups will be removed from the rule.
|
||||
- If option is omitted user groups will not be checked or changed.
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: "ipa.example.com"
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: "admin"
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: "https"
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Ensure rule to allow all users to access any host from any host
|
||||
- ipa_hbacrule:
|
||||
name: allow_all
|
||||
description: Allow all users to access any host from any host
|
||||
hostcategory: all
|
||||
servicecategory: all
|
||||
usercategory: all
|
||||
state: present
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure rule with certain limitations
|
||||
- ipa_hbacrule:
|
||||
name: allow_all_developers_access_to_db
|
||||
description: Allow all developers to access any database from any host
|
||||
hostgroup:
|
||||
- db-server
|
||||
usergroup:
|
||||
- developers
|
||||
state: present
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure rule is absent
|
||||
- ipa_hbacrule:
|
||||
name: rule_to_be_deleted
|
||||
state: absent
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
hbacrule:
|
||||
description: HBAC rule as returned by IPA API.
|
||||
returned: always
|
||||
type: dict
|
||||
'''
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def hbacrule_find(self, name):
|
||||
return self._post_json(method='hbacrule_find', name=None, item={'all': True, 'cn': name})
|
||||
|
||||
def hbacrule_add(self, name, item):
|
||||
return self._post_json(method='hbacrule_add', name=name, item=item)
|
||||
|
||||
def hbacrule_mod(self, name, item):
|
||||
return self._post_json(method='hbacrule_mod', name=name, item=item)
|
||||
|
||||
def hbacrule_del(self, name):
|
||||
return self._post_json(method='hbacrule_del', name=name)
|
||||
|
||||
def hbacrule_add_host(self, name, item):
|
||||
return self._post_json(method='hbacrule_add_host', name=name, item=item)
|
||||
|
||||
def hbacrule_remove_host(self, name, item):
|
||||
return self._post_json(method='hbacrule_remove_host', name=name, item=item)
|
||||
|
||||
def hbacrule_add_service(self, name, item):
|
||||
return self._post_json(method='hbacrule_add_service', name=name, item=item)
|
||||
|
||||
def hbacrule_remove_service(self, name, item):
|
||||
return self._post_json(method='hbacrule_remove_service', name=name, item=item)
|
||||
|
||||
def hbacrule_add_user(self, name, item):
|
||||
return self._post_json(method='hbacrule_add_user', name=name, item=item)
|
||||
|
||||
def hbacrule_remove_user(self, name, item):
|
||||
return self._post_json(method='hbacrule_remove_user', name=name, item=item)
|
||||
|
||||
def hbacrule_add_sourcehost(self, name, item):
|
||||
return self._post_json(method='hbacrule_add_sourcehost', name=name, item=item)
|
||||
|
||||
def hbacrule_remove_sourcehost(self, name, item):
|
||||
return self._post_json(method='hbacrule_remove_sourcehost', name=name, item=item)
|
||||
|
||||
|
||||
def get_hbacrule_dict(description=None, hostcategory=None, ipaenabledflag=None, servicecategory=None,
|
||||
sourcehostcategory=None,
|
||||
usercategory=None):
|
||||
data = {}
|
||||
if description is not None:
|
||||
data['description'] = description
|
||||
if hostcategory is not None:
|
||||
data['hostcategory'] = hostcategory
|
||||
if ipaenabledflag is not None:
|
||||
data['ipaenabledflag'] = ipaenabledflag
|
||||
if servicecategory is not None:
|
||||
data['servicecategory'] = servicecategory
|
||||
if sourcehostcategory is not None:
|
||||
data['sourcehostcategory'] = sourcehostcategory
|
||||
if usercategory is not None:
|
||||
data['usercategory'] = usercategory
|
||||
return data
|
||||
|
||||
|
||||
def get_hbcarule_diff(ipa_hbcarule, module_hbcarule):
|
||||
data = []
|
||||
for key in module_hbcarule.keys():
|
||||
module_value = module_hbcarule.get(key, None)
|
||||
ipa_value = ipa_hbcarule.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(module_value, list):
|
||||
module_value = [module_value]
|
||||
if isinstance(ipa_value, list) and isinstance(module_value, list):
|
||||
ipa_value = sorted(ipa_value)
|
||||
module_value = sorted(module_value)
|
||||
if ipa_value != module_value:
|
||||
data.append(key)
|
||||
return data
|
||||
|
||||
|
||||
def modify_if_diff(module, name, ipa_list, module_list, add_method, remove_method, item):
|
||||
changed = False
|
||||
diff = list(set(ipa_list) - set(module_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
remove_method(name=name, item={item: diff})
|
||||
|
||||
diff = list(set(module_list) - set(ipa_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
add_method(name=name, item={item: diff})
|
||||
|
||||
return changed
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
name = module.params['name']
|
||||
state = module.params['state']
|
||||
|
||||
if state in ['present', 'enabled']:
|
||||
ipaenabledflag = 'TRUE'
|
||||
else:
|
||||
ipaenabledflag = 'NO'
|
||||
|
||||
host = module.params['host']
|
||||
hostcategory = module.params['hostcategory']
|
||||
hostgroup = module.params['hostgroup']
|
||||
service = module.params['service']
|
||||
servicecategory = module.params['servicecategory']
|
||||
servicegroup = module.params['servicegroup']
|
||||
sourcehost = module.params['sourcehost']
|
||||
sourcehostcategory = module.params['sourcehostcategory']
|
||||
sourcehostgroup = module.params['sourcehostgroup']
|
||||
user = module.params['user']
|
||||
usercategory = module.params['usercategory']
|
||||
usergroup = module.params['usergroup']
|
||||
|
||||
module_hbacrule = get_hbacrule_dict(description=module.params['description'],
|
||||
hostcategory=hostcategory,
|
||||
ipaenabledflag=ipaenabledflag,
|
||||
servicecategory=servicecategory,
|
||||
sourcehostcategory=sourcehostcategory,
|
||||
usercategory=usercategory)
|
||||
ipa_hbacrule = client.hbacrule_find(name=name)
|
||||
|
||||
changed = False
|
||||
if state in ['present', 'enabled', 'disabled']:
|
||||
if not ipa_hbacrule:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
ipa_hbacrule = client.hbacrule_add(name=name, item=module_hbacrule)
|
||||
else:
|
||||
diff = get_hbcarule_diff(ipa_hbacrule, module_hbacrule)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
data = {}
|
||||
for key in diff:
|
||||
data[key] = module_hbacrule.get(key)
|
||||
client.hbacrule_mod(name=name, item=data)
|
||||
|
||||
if host is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hbacrule.get('memberhost_host', []), host,
|
||||
client.hbacrule_add_host,
|
||||
client.hbacrule_remove_host, 'host') or changed
|
||||
|
||||
if hostgroup is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hbacrule.get('memberhost_hostgroup', []), hostgroup,
|
||||
client.hbacrule_add_host,
|
||||
client.hbacrule_remove_host, 'hostgroup') or changed
|
||||
|
||||
if service is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hbacrule.get('memberservice_hbacsvc', []), service,
|
||||
client.hbacrule_add_service,
|
||||
client.hbacrule_remove_service, 'hbacsvc') or changed
|
||||
|
||||
if servicegroup is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hbacrule.get('memberservice_hbacsvcgroup', []),
|
||||
servicegroup,
|
||||
client.hbacrule_add_service,
|
||||
client.hbacrule_remove_service, 'hbacsvcgroup') or changed
|
||||
|
||||
if sourcehost is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hbacrule.get('sourcehost_host', []), sourcehost,
|
||||
client.hbacrule_add_sourcehost,
|
||||
client.hbacrule_remove_sourcehost, 'host') or changed
|
||||
|
||||
if sourcehostgroup is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hbacrule.get('sourcehost_group', []), sourcehostgroup,
|
||||
client.hbacrule_add_sourcehost,
|
||||
client.hbacrule_remove_sourcehost, 'hostgroup') or changed
|
||||
|
||||
if user is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hbacrule.get('memberuser_user', []), user,
|
||||
client.hbacrule_add_user,
|
||||
client.hbacrule_remove_user, 'user') or changed
|
||||
|
||||
if usergroup is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hbacrule.get('memberuser_group', []), usergroup,
|
||||
client.hbacrule_add_user,
|
||||
client.hbacrule_remove_user, 'group') or changed
|
||||
else:
|
||||
if ipa_hbacrule:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.hbacrule_del(name=name)
|
||||
|
||||
return changed, client.hbacrule_find(name=name)
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
cn=dict(type='str', required=True, aliases=['name']),
|
||||
description=dict(type='str', required=False),
|
||||
host=dict(type='list', required=False),
|
||||
hostcategory=dict(type='str', required=False, choices=['all']),
|
||||
hostgroup=dict(type='list', required=False),
|
||||
service=dict(type='list', required=False),
|
||||
servicecategory=dict(type='str', required=False, choices=['all']),
|
||||
servicegroup=dict(type='list', required=False),
|
||||
sourcehost=dict(type='list', required=False),
|
||||
sourcehostcategory=dict(type='str', required=False, choices=['all']),
|
||||
sourcehostgroup=dict(type='list', required=False),
|
||||
state=dict(type='str', required=False, default='present',
|
||||
choices=['present', 'absent', 'enabled', 'disabled']),
|
||||
user=dict(type='list', required=False),
|
||||
usercategory=dict(type='str', required=False, choices=['all']),
|
||||
usergroup=dict(type='list', required=False),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, hbacrule = ensure(module, client)
|
||||
module.exit_json(changed=changed, hbacrule=hbacrule)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
378
lib/ansible/modules/extras/identity/ipa/ipa_host.py
Normal file
378
lib/ansible/modules/extras/identity/ipa/ipa_host.py
Normal file
|
@ -0,0 +1,378 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_host
|
||||
short_description: Manage FreeIPA host
|
||||
description:
|
||||
- Add, modify and delete an IPA host using IPA API
|
||||
options:
|
||||
fqdn:
|
||||
description:
|
||||
- Full qualified domain name.
|
||||
- Can not be changed as it is the unique identifier.
|
||||
required: true
|
||||
aliases: ["name"]
|
||||
description:
|
||||
description:
|
||||
- A description of this host.
|
||||
required: false
|
||||
force:
|
||||
description:
|
||||
- Force host name even if not in DNS.
|
||||
required: false
|
||||
ip_address:
|
||||
description:
|
||||
- Add the host to DNS with this IP address.
|
||||
required: false
|
||||
mac_address:
|
||||
description:
|
||||
- List of Hardware MAC address(es) off this host.
|
||||
- If option is omitted MAC addresses will not be checked or changed.
|
||||
- If an empty list is passed all assigned MAC addresses will be removed.
|
||||
- MAC addresses that are already assigned but not passed will be removed.
|
||||
required: false
|
||||
aliases: ["macaddress"]
|
||||
ns_host_location:
|
||||
description:
|
||||
- Host location (e.g. "Lab 2")
|
||||
required: false
|
||||
aliases: ["nshostlocation"]
|
||||
ns_hardware_platform:
|
||||
description:
|
||||
- Host hardware platform (e.g. "Lenovo T61")
|
||||
required: false
|
||||
aliases: ["nshardwareplatform"]
|
||||
ns_os_version:
|
||||
description:
|
||||
- Host operating system and version (e.g. "Fedora 9")
|
||||
required: false
|
||||
aliases: ["nsosversion"]
|
||||
user_certificate:
|
||||
description:
|
||||
- List of Base-64 encoded server certificates.
|
||||
- If option is ommitted certificates will not be checked or changed.
|
||||
- If an emtpy list is passed all assigned certificates will be removed.
|
||||
- Certificates already assigned but not passed will be removed.
|
||||
required: false
|
||||
aliases: ["usercertificate"]
|
||||
state:
|
||||
description: State to ensure
|
||||
required: false
|
||||
default: present
|
||||
choices: ["present", "absent", "disabled"]
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: ipa.example.com
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: admin
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: https
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Ensure host is present
|
||||
- ipa_host:
|
||||
name: host01.example.com
|
||||
description: Example host
|
||||
ip_address: 192.168.0.123
|
||||
ns_host_location: Lab
|
||||
ns_os_version: CentOS 7
|
||||
ns_hardware_platform: Lenovo T61
|
||||
mac_address:
|
||||
- "08:00:27:E3:B1:2D"
|
||||
- "52:54:00:BD:97:1E"
|
||||
state: present
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure host is disabled
|
||||
- ipa_host:
|
||||
name: host01.example.com
|
||||
state: disabled
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure that all user certificates are removed
|
||||
- ipa_host:
|
||||
name: host01.example.com
|
||||
user_certificate: []
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure host is absent
|
||||
- ipa_host:
|
||||
name: host01.example.com
|
||||
state: absent
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
host:
|
||||
description: Host as returned by IPA API.
|
||||
returned: always
|
||||
type: dict
|
||||
host_diff:
|
||||
description: List of options that differ and would be changed
|
||||
returned: if check mode and a difference is found
|
||||
type: list
|
||||
'''
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def host_find(self, name):
|
||||
return self._post_json(method='host_find', name=None, item={'all': True, 'fqdn': name})
|
||||
|
||||
def host_add(self, name, host):
|
||||
return self._post_json(method='host_add', name=name, item=host)
|
||||
|
||||
def host_mod(self, name, host):
|
||||
return self._post_json(method='host_mod', name=name, item=host)
|
||||
|
||||
def host_del(self, name):
|
||||
return self._post_json(method='host_del', name=name)
|
||||
|
||||
def host_disable(self, name):
|
||||
return self._post_json(method='host_disable', name=name)
|
||||
|
||||
|
||||
def get_host_dict(description=None, force=None, ip_address=None, ns_host_location=None, ns_hardware_platform=None,
|
||||
ns_os_version=None, user_certificate=None, mac_address=None):
|
||||
data = {}
|
||||
if description is not None:
|
||||
data['description'] = description
|
||||
if force is not None:
|
||||
data['force'] = force
|
||||
if ip_address is not None:
|
||||
data['ip_address'] = ip_address
|
||||
if ns_host_location is not None:
|
||||
data['nshostlocation'] = ns_host_location
|
||||
if ns_hardware_platform is not None:
|
||||
data['nshardwareplatform'] = ns_hardware_platform
|
||||
if ns_os_version is not None:
|
||||
data['nsosversion'] = ns_os_version
|
||||
if user_certificate is not None:
|
||||
data['usercertificate'] = [{"__base64__": item} for item in user_certificate]
|
||||
if mac_address is not None:
|
||||
data['macaddress'] = mac_address
|
||||
return data
|
||||
|
||||
|
||||
def get_host_diff(ipa_host, module_host):
|
||||
non_updateable_keys = ['force', 'ip_address']
|
||||
data = []
|
||||
for key in non_updateable_keys:
|
||||
if key in module_host:
|
||||
del module_host[key]
|
||||
for key in module_host.keys():
|
||||
ipa_value = ipa_host.get(key, None)
|
||||
module_value = module_host.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(module_value, list):
|
||||
module_value = [module_value]
|
||||
if isinstance(ipa_value, list) and isinstance(module_value, list):
|
||||
ipa_value = sorted(ipa_value)
|
||||
module_value = sorted(module_value)
|
||||
if ipa_value != module_value:
|
||||
data.append(key)
|
||||
return data
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
name = module.params['name']
|
||||
state = module.params['state']
|
||||
|
||||
ipa_host = client.host_find(name=name)
|
||||
module_host = get_host_dict(description=module.params['description'],
|
||||
force=module.params['force'], ip_address=module.params['ip_address'],
|
||||
ns_host_location=module.params['ns_host_location'],
|
||||
ns_hardware_platform=module.params['ns_hardware_platform'],
|
||||
ns_os_version=module.params['ns_os_version'],
|
||||
user_certificate=module.params['user_certificate'],
|
||||
mac_address=module.params['mac_address'])
|
||||
changed = False
|
||||
if state in ['present', 'enabled', 'disabled']:
|
||||
if not ipa_host:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.host_add(name=name, host=module_host)
|
||||
else:
|
||||
diff = get_host_diff(ipa_host, module_host)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
data = {}
|
||||
for key in diff:
|
||||
data[key] = module_host.get(key)
|
||||
client.host_mod(name=name, host=data)
|
||||
|
||||
else:
|
||||
if ipa_host:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.host_del(name=name)
|
||||
|
||||
return changed, client.host_find(name=name)
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
description=dict(type='str', required=False),
|
||||
fqdn=dict(type='str', required=True, aliases=['name']),
|
||||
force=dict(type='bool', required=False),
|
||||
ip_address=dict(type='str', required=False),
|
||||
ns_host_location=dict(type='str', required=False, aliases=['nshostlocation']),
|
||||
ns_hardware_platform=dict(type='str', required=False, aliases=['nshardwareplatform']),
|
||||
ns_os_version=dict(type='str', required=False, aliases=['nsosversion']),
|
||||
user_certificate=dict(type='list', required=False, aliases=['usercertificate']),
|
||||
mac_address=dict(type='list', required=False, aliases=['macaddress']),
|
||||
state=dict(type='str', required=False, default='present',
|
||||
choices=['present', 'absent', 'enabled', 'disabled']),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, host = ensure(module, client)
|
||||
module.exit_json(changed=changed, host=host)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
343
lib/ansible/modules/extras/identity/ipa/ipa_hostgroup.py
Normal file
343
lib/ansible/modules/extras/identity/ipa/ipa_hostgroup.py
Normal file
|
@ -0,0 +1,343 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_hostgroup
|
||||
short_description: Manage FreeIPA host-group
|
||||
description:
|
||||
- Add, modify and delete an IPA host-group using IPA API
|
||||
options:
|
||||
cn:
|
||||
description:
|
||||
- Name of host-group.
|
||||
- Can not be changed as it is the unique identifier.
|
||||
required: true
|
||||
aliases: ["name"]
|
||||
description:
|
||||
description:
|
||||
- Description
|
||||
required: false
|
||||
host:
|
||||
description:
|
||||
- List of hosts that belong to the host-group.
|
||||
- If an empty list is passed all hosts will be removed from the group.
|
||||
- If option is omitted hosts will not be checked or changed.
|
||||
- If option is passed all assigned hosts that are not passed will be unassigned from the group.
|
||||
required: false
|
||||
hostgroup:
|
||||
description:
|
||||
- List of host-groups than belong to that host-group.
|
||||
- If an empty list is passed all host-groups will be removed from the group.
|
||||
- If option is omitted host-groups will not be checked or changed.
|
||||
- If option is passed all assigned hostgroups that are not passed will be unassigned from the group.
|
||||
required: false
|
||||
state:
|
||||
description:
|
||||
- State to ensure.
|
||||
required: false
|
||||
default: "present"
|
||||
choices: ["present", "absent"]
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: "ipa.example.com"
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: "admin"
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: "https"
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Ensure host-group databases is present
|
||||
- ipa_hostgroup:
|
||||
name: databases
|
||||
state: present
|
||||
host:
|
||||
- db.example.com
|
||||
hostgroup:
|
||||
- mysql-server
|
||||
- oracle-server
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure host-group databases is absent
|
||||
- ipa_hostgroup:
|
||||
name: databases
|
||||
state: absent
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
hostgroup:
|
||||
description: Hostgroup as returned by IPA API.
|
||||
returned: always
|
||||
type: dict
|
||||
'''
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def hostgroup_find(self, name):
|
||||
return self._post_json(method='hostgroup_find', name=None, item={'all': True, 'cn': name})
|
||||
|
||||
def hostgroup_add(self, name, item):
|
||||
return self._post_json(method='hostgroup_add', name=name, item=item)
|
||||
|
||||
def hostgroup_mod(self, name, item):
|
||||
return self._post_json(method='hostgroup_mod', name=name, item=item)
|
||||
|
||||
def hostgroup_del(self, name):
|
||||
return self._post_json(method='hostgroup_del', name=name)
|
||||
|
||||
def hostgroup_add_member(self, name, item):
|
||||
return self._post_json(method='hostgroup_add_member', name=name, item=item)
|
||||
|
||||
def hostgroup_add_host(self, name, item):
|
||||
return self.hostgroup_add_member(name=name, item={'host': item})
|
||||
|
||||
def hostgroup_add_hostgroup(self, name, item):
|
||||
return self.hostgroup_add_member(name=name, item={'hostgroup': item})
|
||||
|
||||
def hostgroup_remove_member(self, name, item):
|
||||
return self._post_json(method='hostgroup_remove_member', name=name, item=item)
|
||||
|
||||
def hostgroup_remove_host(self, name, item):
|
||||
return self.hostgroup_remove_member(name=name, item={'host': item})
|
||||
|
||||
def hostgroup_remove_hostgroup(self, name, item):
|
||||
return self.hostgroup_remove_member(name=name, item={'hostgroup': item})
|
||||
|
||||
|
||||
def get_hostgroup_dict(description=None):
|
||||
data = {}
|
||||
if description is not None:
|
||||
data['description'] = description
|
||||
return data
|
||||
|
||||
|
||||
def get_hostgroup_diff(ipa_hostgroup, module_hostgroup):
|
||||
data = []
|
||||
for key in module_hostgroup.keys():
|
||||
ipa_value = ipa_hostgroup.get(key, None)
|
||||
module_value = module_hostgroup.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(module_value, list):
|
||||
module_value = [module_value]
|
||||
if isinstance(ipa_value, list) and isinstance(module_value, list):
|
||||
ipa_value = sorted(ipa_value)
|
||||
module_value = sorted(module_value)
|
||||
if ipa_value != module_value:
|
||||
data.append(key)
|
||||
return data
|
||||
|
||||
|
||||
def modify_if_diff(module, name, ipa_list, module_list, add_method, remove_method):
|
||||
changed = False
|
||||
diff = list(set(ipa_list) - set(module_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
remove_method(name=name, item=diff)
|
||||
|
||||
diff = list(set(module_list) - set(ipa_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
add_method(name=name, item=diff)
|
||||
return changed
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
name = module.params['name']
|
||||
state = module.params['state']
|
||||
host = module.params['host']
|
||||
hostgroup = module.params['hostgroup']
|
||||
|
||||
ipa_hostgroup = client.hostgroup_find(name=name)
|
||||
module_hostgroup = get_hostgroup_dict(description=module.params['description'])
|
||||
|
||||
changed = False
|
||||
if state == 'present':
|
||||
if not ipa_hostgroup:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
ipa_hostgroup = client.hostgroup_add(name=name, item=module_hostgroup)
|
||||
else:
|
||||
diff = get_hostgroup_diff(ipa_hostgroup, module_hostgroup)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
data = {}
|
||||
for key in diff:
|
||||
data[key] = module_hostgroup.get(key)
|
||||
client.hostgroup_mod(name=name, item=data)
|
||||
|
||||
if host is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hostgroup.get('member_host', []), host,
|
||||
client.hostgroup_add_host, client.hostgroup_remove_host) or changed
|
||||
|
||||
if hostgroup is not None:
|
||||
changed = modify_if_diff(module, name, ipa_hostgroup.get('member_hostgroup', []), hostgroup,
|
||||
client.hostgroup_add_hostgroup, client.hostgroup_remove_hostgroup) or changed
|
||||
|
||||
else:
|
||||
if ipa_hostgroup:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.hostgroup_del(name=name)
|
||||
|
||||
return changed, client.hostgroup_find(name=name)
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
cn=dict(type='str', required=True, aliases=['name']),
|
||||
description=dict(type='str', required=False),
|
||||
host=dict(type='list', required=False),
|
||||
hostgroup=dict(type='list', required=False),
|
||||
state=dict(type='str', required=False, default='present',
|
||||
choices=['present', 'absent', 'enabled', 'disabled']),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, hostgroup = ensure(module, client)
|
||||
module.exit_json(changed=changed, hostgroup=hostgroup)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
411
lib/ansible/modules/extras/identity/ipa/ipa_role.py
Normal file
411
lib/ansible/modules/extras/identity/ipa/ipa_role.py
Normal file
|
@ -0,0 +1,411 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_role
|
||||
short_description: Manage FreeIPA role
|
||||
description:
|
||||
- Add, modify and delete a role within FreeIPA server using FreeIPA API
|
||||
options:
|
||||
cn:
|
||||
description:
|
||||
- Role name.
|
||||
- Can not be changed as it is the unique identifier.
|
||||
required: true
|
||||
aliases: ['name']
|
||||
description:
|
||||
description:
|
||||
- A description of this role-group.
|
||||
required: false
|
||||
group:
|
||||
description:
|
||||
- List of group names assign to this role.
|
||||
- If an empty list is passed all assigned groups will be unassigned from the role.
|
||||
- If option is omitted groups will not be checked or changed.
|
||||
- If option is passed all assigned groups that are not passed will be unassigned from the role.
|
||||
host:
|
||||
description:
|
||||
- List of host names to assign.
|
||||
- If an empty list is passed all assigned hosts will be unassigned from the role.
|
||||
- If option is omitted hosts will not be checked or changed.
|
||||
- If option is passed all assigned hosts that are not passed will be unassigned from the role.
|
||||
required: false
|
||||
hostgroup:
|
||||
description:
|
||||
- List of host group names to assign.
|
||||
- If an empty list is passed all assigned host groups will be removed from the role.
|
||||
- If option is omitted host groups will not be checked or changed.
|
||||
- If option is passed all assigned hostgroups that are not passed will be unassigned from the role.
|
||||
required: false
|
||||
service:
|
||||
description:
|
||||
- List of service names to assign.
|
||||
- If an empty list is passed all assigned services will be removed from the role.
|
||||
- If option is omitted services will not be checked or changed.
|
||||
- If option is passed all assigned services that are not passed will be removed from the role.
|
||||
required: false
|
||||
state:
|
||||
description: State to ensure
|
||||
required: false
|
||||
default: "present"
|
||||
choices: ["present", "absent"]
|
||||
user:
|
||||
description:
|
||||
- List of user names to assign.
|
||||
- If an empty list is passed all assigned users will be removed from the role.
|
||||
- If option is omitted users will not be checked or changed.
|
||||
required: false
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: "ipa.example.com"
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: "admin"
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: "https"
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Ensure role is present
|
||||
- ipa_role:
|
||||
name: dba
|
||||
description: Database Administrators
|
||||
state: present
|
||||
user:
|
||||
- pinky
|
||||
- brain
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure role with certain details
|
||||
- ipa_role:
|
||||
name: another-role
|
||||
description: Just another role
|
||||
group:
|
||||
- editors
|
||||
host:
|
||||
- host01.example.com
|
||||
hostgroup:
|
||||
- hostgroup01
|
||||
service:
|
||||
- service01
|
||||
|
||||
# Ensure role is absent
|
||||
- ipa_role:
|
||||
name: dba
|
||||
state: absent
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
role:
|
||||
description: Role as returned by IPA API.
|
||||
returned: always
|
||||
type: dict
|
||||
'''
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def role_find(self, name):
|
||||
return self._post_json(method='role_find', name=None, item={'all': True, 'cn': name})
|
||||
|
||||
def role_add(self, name, item):
|
||||
return self._post_json(method='role_add', name=name, item=item)
|
||||
|
||||
def role_mod(self, name, item):
|
||||
return self._post_json(method='role_mod', name=name, item=item)
|
||||
|
||||
def role_del(self, name):
|
||||
return self._post_json(method='role_del', name=name)
|
||||
|
||||
def role_add_member(self, name, item):
|
||||
return self._post_json(method='role_add_member', name=name, item=item)
|
||||
|
||||
def role_add_group(self, name, item):
|
||||
return self.role_add_member(name=name, item={'group': item})
|
||||
|
||||
def role_add_host(self, name, item):
|
||||
return self.role_add_member(name=name, item={'host': item})
|
||||
|
||||
def role_add_hostgroup(self, name, item):
|
||||
return self.role_add_member(name=name, item={'hostgroup': item})
|
||||
|
||||
def role_add_service(self, name, item):
|
||||
return self.role_add_member(name=name, item={'service': item})
|
||||
|
||||
def role_add_user(self, name, item):
|
||||
return self.role_add_member(name=name, item={'user': item})
|
||||
|
||||
def role_remove_member(self, name, item):
|
||||
return self._post_json(method='role_remove_member', name=name, item=item)
|
||||
|
||||
def role_remove_group(self, name, item):
|
||||
return self.role_remove_member(name=name, item={'group': item})
|
||||
|
||||
def role_remove_host(self, name, item):
|
||||
return self.role_remove_member(name=name, item={'host': item})
|
||||
|
||||
def role_remove_hostgroup(self, name, item):
|
||||
return self.role_remove_member(name=name, item={'hostgroup': item})
|
||||
|
||||
def role_remove_service(self, name, item):
|
||||
return self.role_remove_member(name=name, item={'service': item})
|
||||
|
||||
def role_remove_user(self, name, item):
|
||||
return self.role_remove_member(name=name, item={'user': item})
|
||||
|
||||
|
||||
def get_role_dict(description=None):
|
||||
data = {}
|
||||
if description is not None:
|
||||
data['description'] = description
|
||||
return data
|
||||
|
||||
|
||||
def get_role_diff(ipa_role, module_role):
|
||||
data = []
|
||||
for key in module_role.keys():
|
||||
module_value = module_role.get(key, None)
|
||||
ipa_value = ipa_role.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(module_value, list):
|
||||
module_value = [module_value]
|
||||
if isinstance(ipa_value, list) and isinstance(module_value, list):
|
||||
ipa_value = sorted(ipa_value)
|
||||
module_value = sorted(module_value)
|
||||
if ipa_value != module_value:
|
||||
data.append(key)
|
||||
return data
|
||||
|
||||
|
||||
def modify_if_diff(module, name, ipa_list, module_list, add_method, remove_method):
|
||||
changed = False
|
||||
diff = list(set(ipa_list) - set(module_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
remove_method(name=name, item=diff)
|
||||
|
||||
diff = list(set(module_list) - set(ipa_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
add_method(name=name, item=diff)
|
||||
return changed
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
state = module.params['state']
|
||||
name = module.params['name']
|
||||
group = module.params['group']
|
||||
host = module.params['host']
|
||||
hostgroup = module.params['hostgroup']
|
||||
service = module.params['service']
|
||||
user = module.params['user']
|
||||
|
||||
module_role = get_role_dict(description=module.params['description'])
|
||||
ipa_role = client.role_find(name=name)
|
||||
|
||||
changed = False
|
||||
if state == 'present':
|
||||
if not ipa_role:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
ipa_role = client.role_add(name=name, item=module_role)
|
||||
else:
|
||||
diff = get_role_diff(ipa_role=ipa_role, module_role=module_role)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
data = {}
|
||||
for key in diff:
|
||||
data[key] = module_role.get(key)
|
||||
client.role_mod(name=name, item=data)
|
||||
|
||||
if group is not None:
|
||||
changed = modify_if_diff(module, name, ipa_role.get('member_group', []), group,
|
||||
client.role_add_group,
|
||||
client.role_remove_group) or changed
|
||||
|
||||
if host is not None:
|
||||
changed = modify_if_diff(module, name, ipa_role.get('member_host', []), host,
|
||||
client.role_add_host,
|
||||
client.role_remove_host) or changed
|
||||
|
||||
if hostgroup is not None:
|
||||
changed = modify_if_diff(module, name, ipa_role.get('member_hostgroup', []), hostgroup,
|
||||
client.role_add_hostgroup,
|
||||
client.role_remove_hostgroup) or changed
|
||||
|
||||
if service is not None:
|
||||
changed = modify_if_diff(module, name, ipa_role.get('member_service', []), service,
|
||||
client.role_add_service,
|
||||
client.role_remove_service) or changed
|
||||
if user is not None:
|
||||
changed = modify_if_diff(module, name, ipa_role.get('member_user', []), user,
|
||||
client.role_add_user,
|
||||
client.role_remove_user) or changed
|
||||
else:
|
||||
if ipa_role:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.role_del(name)
|
||||
|
||||
return changed, client.role_find(name=name)
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
cn=dict(type='str', required=True, aliases=['name']),
|
||||
description=dict(type='str', required=False),
|
||||
group=dict(type='list', required=False),
|
||||
host=dict(type='list', required=False),
|
||||
hostgroup=dict(type='list', required=False),
|
||||
service=dict(type='list', required=False),
|
||||
state=dict(type='str', required=False, default='present', choices=['present', 'absent']),
|
||||
user=dict(type='list', required=False),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, role = ensure(module, client)
|
||||
module.exit_json(changed=changed, role=role)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
275
lib/ansible/modules/extras/identity/ipa/ipa_sudocmd.py
Normal file
275
lib/ansible/modules/extras/identity/ipa/ipa_sudocmd.py
Normal file
|
@ -0,0 +1,275 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_sudocmd
|
||||
author: Thomas Krahn (@Nosmoht)
|
||||
short_description: Manage FreeIPA sudo command
|
||||
description:
|
||||
- Add, modify or delete sudo command within FreeIPA server using FreeIPA API.
|
||||
options:
|
||||
sudocmd:
|
||||
description:
|
||||
- Sudo Command.
|
||||
aliases: ['name']
|
||||
required: true
|
||||
description:
|
||||
description:
|
||||
- A description of this command.
|
||||
required: false
|
||||
state:
|
||||
description: State to ensure
|
||||
required: false
|
||||
default: present
|
||||
choices: ['present', 'absent']
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: "ipa.example.com"
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: "admin"
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: "https"
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Ensure sudo command exists
|
||||
- ipa_sudocmd:
|
||||
name: su
|
||||
description: Allow to run su via sudo
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure sudo command does not exist
|
||||
- ipa_sudocmd:
|
||||
name: su
|
||||
state: absent
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
sudocmd:
|
||||
description: Sudo command as return from IPA API
|
||||
returned: always
|
||||
type: dict
|
||||
'''
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def sudocmd_find(self, name):
|
||||
return self._post_json(method='sudocmd_find', name=None, item={'all': True, 'sudocmd': name})
|
||||
|
||||
def sudocmd_add(self, name, item):
|
||||
return self._post_json(method='sudocmd_add', name=name, item=item)
|
||||
|
||||
def sudocmd_mod(self, name, item):
|
||||
return self._post_json(method='sudocmd_mod', name=name, item=item)
|
||||
|
||||
def sudocmd_del(self, name):
|
||||
return self._post_json(method='sudocmd_del', name=name)
|
||||
|
||||
|
||||
def get_sudocmd_dict(description=None):
|
||||
data = {}
|
||||
if description is not None:
|
||||
data['description'] = description
|
||||
return data
|
||||
|
||||
|
||||
def get_sudocmd_diff(ipa_sudocmd, module_sudocmd):
|
||||
data = []
|
||||
for key in module_sudocmd.keys():
|
||||
module_value = module_sudocmd.get(key, None)
|
||||
ipa_value = ipa_sudocmd.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(module_value, list):
|
||||
module_value = [module_value]
|
||||
if isinstance(ipa_value, list) and isinstance(module_value, list):
|
||||
ipa_value = sorted(ipa_value)
|
||||
module_value = sorted(module_value)
|
||||
if ipa_value != module_value:
|
||||
data.append(key)
|
||||
return data
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
name = module.params['sudocmd']
|
||||
state = module.params['state']
|
||||
|
||||
module_sudocmd = get_sudocmd_dict(description=module.params['description'])
|
||||
ipa_sudocmd = client.sudocmd_find(name=name)
|
||||
|
||||
changed = False
|
||||
if state == 'present':
|
||||
if not ipa_sudocmd:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.sudocmd_add(name=name, item=module_sudocmd)
|
||||
else:
|
||||
diff = get_sudocmd_diff(ipa_sudocmd, module_sudocmd)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
data = {}
|
||||
for key in diff:
|
||||
data[key] = module_sudocmd.get(key)
|
||||
client.sudocmd_mod(name=name, item=data)
|
||||
else:
|
||||
if ipa_sudocmd:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.sudocmd_del(name=name)
|
||||
|
||||
return changed, client.sudocmd_find(name=name)
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
description=dict(type='str', required=False),
|
||||
state=dict(type='str', required=False, default='present',
|
||||
choices=['present', 'absent', 'enabled', 'disabled']),
|
||||
sudocmd=dict(type='str', required=True, aliases=['name']),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, sudocmd = ensure(module, client)
|
||||
module.exit_json(changed=changed, sudocmd=sudocmd)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
317
lib/ansible/modules/extras/identity/ipa/ipa_sudocmdgroup.py
Normal file
317
lib/ansible/modules/extras/identity/ipa/ipa_sudocmdgroup.py
Normal file
|
@ -0,0 +1,317 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_sudocmdgroup
|
||||
author: Thomas Krahn (@Nosmoht)
|
||||
short_description: Manage FreeIPA sudo command group
|
||||
description:
|
||||
- Add, modify or delete sudo command group within IPA server using IPA API.
|
||||
options:
|
||||
cn:
|
||||
description:
|
||||
- Sudo Command Group.
|
||||
aliases: ['name']
|
||||
required: true
|
||||
description:
|
||||
description:
|
||||
- Group description.
|
||||
state:
|
||||
description: State to ensure
|
||||
required: false
|
||||
default: present
|
||||
choices: ['present', 'absent']
|
||||
sudocmd:
|
||||
description:
|
||||
- List of sudo commands to assign to the group.
|
||||
- If an empty list is passed all assigned commands will be removed from the group.
|
||||
- If option is omitted sudo commands will not be checked or changed.
|
||||
required: false
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: "ipa.example.com"
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: "admin"
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: "https"
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
- name: Ensure sudo command group exists
|
||||
ipa_sudocmdgroup:
|
||||
name: group01
|
||||
description: Group of important commands
|
||||
sudocmd:
|
||||
- su
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
- name: Ensure sudo command group does not exists
|
||||
ipa_sudocmdgroup:
|
||||
name: group01
|
||||
state: absent
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
sudocmdgroup:
|
||||
description: Sudo command group as returned by IPA API
|
||||
returned: always
|
||||
type: dict
|
||||
'''
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def sudocmdgroup_find(self, name):
|
||||
return self._post_json(method='sudocmdgroup_find', name=None, item={'all': True, 'cn': name})
|
||||
|
||||
def sudocmdgroup_add(self, name, item):
|
||||
return self._post_json(method='sudocmdgroup_add', name=name, item=item)
|
||||
|
||||
def sudocmdgroup_mod(self, name, item):
|
||||
return self._post_json(method='sudocmdgroup_mod', name=name, item=item)
|
||||
|
||||
def sudocmdgroup_del(self, name):
|
||||
return self._post_json(method='sudocmdgroup_del', name=name)
|
||||
|
||||
def sudocmdgroup_add_member(self, name, item):
|
||||
return self._post_json(method='sudocmdgroup_add_member', name=name, item=item)
|
||||
|
||||
def sudocmdgroup_add_member_sudocmd(self, name, item):
|
||||
return self.sudocmdgroup_add_member(name=name, item={'sudocmd': item})
|
||||
|
||||
def sudocmdgroup_remove_member(self, name, item):
|
||||
return self._post_json(method='sudocmdgroup_remove_member', name=name, item=item)
|
||||
|
||||
def sudocmdgroup_remove_member_sudocmd(self, name, item):
|
||||
return self.sudocmdgroup_remove_member(name=name, item={'sudocmd': item})
|
||||
|
||||
|
||||
def get_sudocmdgroup_dict(description=None):
|
||||
data = {}
|
||||
if description is not None:
|
||||
data['description'] = description
|
||||
return data
|
||||
|
||||
|
||||
def modify_if_diff(module, name, ipa_list, module_list, add_method, remove_method):
|
||||
changed = False
|
||||
diff = list(set(ipa_list) - set(module_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
remove_method(name=name, item=diff)
|
||||
|
||||
diff = list(set(module_list) - set(ipa_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
add_method(name=name, item=diff)
|
||||
return changed
|
||||
|
||||
|
||||
def get_sudocmdgroup_diff(ipa_sudocmdgroup, module_sudocmdgroup):
|
||||
data = []
|
||||
for key in module_sudocmdgroup.keys():
|
||||
module_value = module_sudocmdgroup.get(key, None)
|
||||
ipa_value = ipa_sudocmdgroup.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(module_value, list):
|
||||
module_value = [module_value]
|
||||
if isinstance(ipa_value, list) and isinstance(module_value, list):
|
||||
ipa_value = sorted(ipa_value)
|
||||
module_value = sorted(module_value)
|
||||
if ipa_value != module_value:
|
||||
data.append(key)
|
||||
return data
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
name = module.params['name']
|
||||
state = module.params['state']
|
||||
sudocmd = module.params['sudocmd']
|
||||
|
||||
module_sudocmdgroup = get_sudocmdgroup_dict(description=module.params['description'])
|
||||
ipa_sudocmdgroup = client.sudocmdgroup_find(name=name)
|
||||
|
||||
changed = False
|
||||
if state == 'present':
|
||||
if not ipa_sudocmdgroup:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
ipa_sudocmdgroup = client.sudocmdgroup_add(name=name, item=module_sudocmdgroup)
|
||||
else:
|
||||
diff = get_sudocmdgroup_diff(ipa_sudocmdgroup, module_sudocmdgroup)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
data = {}
|
||||
for key in diff:
|
||||
data[key] = module_sudocmdgroup.get(key)
|
||||
client.sudocmdgroup_mod(name=name, item=data)
|
||||
|
||||
if sudocmd is not None:
|
||||
changed = modify_if_diff(module, name, ipa_sudocmdgroup.get('member_sudocmd', []), sudocmd,
|
||||
client.sudocmdgroup_add_member_sudocmd,
|
||||
client.sudocmdgroup_remove_member_sudocmd)
|
||||
else:
|
||||
if ipa_sudocmdgroup:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.sudocmdgroup_del(name=name)
|
||||
|
||||
return changed, client.sudocmdgroup_find(name=name)
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
cn=dict(type='str', required=True, aliases=['name']),
|
||||
description=dict(type='str', required=False),
|
||||
state=dict(type='str', required=False, default='present',
|
||||
choices=['present', 'absent', 'enabled', 'disabled']),
|
||||
sudocmd=dict(type='list', required=False),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, sudocmdgroup = ensure(module, client)
|
||||
module.exit_json(changed=changed, sudorule=sudocmdgroup)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
491
lib/ansible/modules/extras/identity/ipa/ipa_sudorule.py
Normal file
491
lib/ansible/modules/extras/identity/ipa/ipa_sudorule.py
Normal file
|
@ -0,0 +1,491 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_sudorule
|
||||
author: Thomas Krahn (@Nosmoht)
|
||||
short_description: Manage FreeIPA sudo rule
|
||||
description:
|
||||
- Add, modify or delete sudo rule within IPA server using IPA API.
|
||||
options:
|
||||
cn:
|
||||
description:
|
||||
- Canonical name.
|
||||
- Can not be changed as it is the unique identifier.
|
||||
required: true
|
||||
aliases: ['name']
|
||||
cmdcategory:
|
||||
description:
|
||||
- Command category the rule applies to.
|
||||
choices: ['all']
|
||||
required: false
|
||||
cmd:
|
||||
description:
|
||||
- List of commands assigned to the rule.
|
||||
- If an empty list is passed all commands will be removed from the rule.
|
||||
- If option is omitted commands will not be checked or changed.
|
||||
required: false
|
||||
host:
|
||||
description:
|
||||
- List of hosts assigned to the rule.
|
||||
- If an empty list is passed all hosts will be removed from the rule.
|
||||
- If option is omitted hosts will not be checked or changed.
|
||||
- Option C(hostcategory) must be omitted to assign hosts.
|
||||
required: false
|
||||
hostcategory:
|
||||
description:
|
||||
- Host category the rule applies to.
|
||||
- If 'all' is passed one must omit C(host) and C(hostgroup).
|
||||
- Option C(host) and C(hostgroup) must be omitted to assign 'all'.
|
||||
choices: ['all']
|
||||
required: false
|
||||
hostgroup:
|
||||
description:
|
||||
- List of host groups assigned to the rule.
|
||||
- If an empty list is passed all host groups will be removed from the rule.
|
||||
- If option is omitted host groups will not be checked or changed.
|
||||
- Option C(hostcategory) must be omitted to assign host groups.
|
||||
required: false
|
||||
user:
|
||||
description:
|
||||
- List of users assigned to the rule.
|
||||
- If an empty list is passed all users will be removed from the rule.
|
||||
- If option is omitted users will not be checked or changed.
|
||||
required: false
|
||||
usercategory:
|
||||
description:
|
||||
- User category the rule applies to.
|
||||
choices: ['all']
|
||||
required: false
|
||||
usergroup:
|
||||
description:
|
||||
- List of user groups assigned to the rule.
|
||||
- If an empty list is passed all user groups will be removed from the rule.
|
||||
- If option is omitted user groups will not be checked or changed.
|
||||
required: false
|
||||
state:
|
||||
description: State to ensure
|
||||
required: false
|
||||
default: present
|
||||
choices: ['present', 'absent', 'enabled', 'disabled']
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: "ipa.example.com"
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: "admin"
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: "https"
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Ensure sudo rule is present thats allows all every body to execute any command on any host without beeing asked for a password.
|
||||
- ipa_sudorule:
|
||||
name: sudo_all_nopasswd
|
||||
cmdcategory: all
|
||||
description: Allow to run every command with sudo without password
|
||||
hostcategory: all
|
||||
sudoopt:
|
||||
- '!authenticate'
|
||||
usercategory: all
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
# Ensure user group developers can run every command on host group db-server as well as on host db01.example.com.
|
||||
- ipa_sudorule:
|
||||
name: sudo_dev_dbserver
|
||||
description: Allow developers to run every command with sudo on all database server
|
||||
cmdcategory: all
|
||||
host:
|
||||
- db01.example.com
|
||||
hostgroup:
|
||||
- db-server
|
||||
sudoopt:
|
||||
- '!authenticate'
|
||||
usergroup:
|
||||
- developers
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
sudorule:
|
||||
description: Sudorule as returned by IPA
|
||||
returned: always
|
||||
type: dict
|
||||
'''
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def sudorule_find(self, name):
|
||||
return self._post_json(method='sudorule_find', name=None, item={'all': True, 'cn': name})
|
||||
|
||||
def sudorule_add(self, name, item):
|
||||
return self._post_json(method='sudorule_add', name=name, item=item)
|
||||
|
||||
def sudorule_mod(self, name, item):
|
||||
return self._post_json(method='sudorule_mod', name=name, item=item)
|
||||
|
||||
def sudorule_del(self, name):
|
||||
return self._post_json(method='sudorule_del', name=name)
|
||||
|
||||
def sudorule_add_option(self, name, item):
|
||||
return self._post_json(method='sudorule_add_option', name=name, item=item)
|
||||
|
||||
def sudorule_add_option_ipasudoopt(self, name, item):
|
||||
return self.sudorule_add_option(name=name, item={'ipasudoopt': item})
|
||||
|
||||
def sudorule_remove_option(self, name, item):
|
||||
return self._post_json(method='sudorule_remove_option', name=name, item=item)
|
||||
|
||||
def sudorule_remove_option_ipasudoopt(self, name, item):
|
||||
return self.sudorule_remove_option(name=name, item={'ipasudoopt': item})
|
||||
|
||||
def sudorule_add_host(self, name, item):
|
||||
return self._post_json(method='sudorule_add_host', name=name, item=item)
|
||||
|
||||
def sudorule_add_host_host(self, name, item):
|
||||
return self.sudorule_add_host(name=name, item={'host': item})
|
||||
|
||||
def sudorule_add_host_hostgroup(self, name, item):
|
||||
return self.sudorule_add_host(name=name, item={'hostgroup': item})
|
||||
|
||||
def sudorule_remove_host(self, name, item):
|
||||
return self._post_json(method='sudorule_remove_host', name=name, item=item)
|
||||
|
||||
def sudorule_remove_host_host(self, name, item):
|
||||
return self.sudorule_remove_host(name=name, item={'host': item})
|
||||
|
||||
def sudorule_remove_host_hostgroup(self, name, item):
|
||||
return self.sudorule_remove_host(name=name, item={'hostgroup': item})
|
||||
|
||||
def sudorule_add_allow_command(self, name, item):
|
||||
return self._post_json(method='sudorule_add_allow_command', name=name, item=item)
|
||||
|
||||
def sudorule_remove_allow_command(self, name, item):
|
||||
return self._post_json(method='sudorule_remove_allow_command', name=name, item=item)
|
||||
|
||||
def sudorule_add_user(self, name, item):
|
||||
return self._post_json(method='sudorule_add_user', name=name, item=item)
|
||||
|
||||
def sudorule_add_user_user(self, name, item):
|
||||
return self.sudorule_add_user(name=name, item={'user': item})
|
||||
|
||||
def sudorule_add_user_group(self, name, item):
|
||||
return self.sudorule_add_user(name=name, item={'group': item})
|
||||
|
||||
def sudorule_remove_user(self, name, item):
|
||||
return self._post_json(method='sudorule_remove_user', name=name, item=item)
|
||||
|
||||
def sudorule_remove_user_user(self, name, item):
|
||||
return self.sudorule_remove_user(name=name, item={'user': item})
|
||||
|
||||
def sudorule_remove_user_group(self, name, item):
|
||||
return self.sudorule_remove_user(name=name, item={'group': item})
|
||||
|
||||
|
||||
def get_sudorule_dict(cmdcategory=None, description=None, hostcategory=None, ipaenabledflag=None, usercategory=None):
|
||||
data = {}
|
||||
if cmdcategory is not None:
|
||||
data['cmdcategory'] = cmdcategory
|
||||
if description is not None:
|
||||
data['description'] = description
|
||||
if hostcategory is not None:
|
||||
data['hostcategory'] = hostcategory
|
||||
if ipaenabledflag is not None:
|
||||
data['ipaenabledflag'] = ipaenabledflag
|
||||
if usercategory is not None:
|
||||
data['usercategory'] = usercategory
|
||||
return data
|
||||
|
||||
|
||||
def get_sudorule_diff(ipa_sudorule, module_sudorule):
|
||||
data = []
|
||||
for key in module_sudorule.keys():
|
||||
module_value = module_sudorule.get(key, None)
|
||||
ipa_value = ipa_sudorule.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(module_value, list):
|
||||
module_value = [module_value]
|
||||
if isinstance(ipa_value, list) and isinstance(module_value, list):
|
||||
ipa_value = sorted(ipa_value)
|
||||
module_value = sorted(module_value)
|
||||
if ipa_value != module_value:
|
||||
data.append(key)
|
||||
return data
|
||||
|
||||
|
||||
def modify_if_diff(module, name, ipa_list, module_list, add_method, remove_method):
|
||||
changed = False
|
||||
diff = list(set(ipa_list) - set(module_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
for item in diff:
|
||||
remove_method(name=name, item=item)
|
||||
|
||||
diff = list(set(module_list) - set(ipa_list))
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
for item in diff:
|
||||
add_method(name=name, item=item)
|
||||
|
||||
return changed
|
||||
|
||||
|
||||
def category_changed(module, client, category_name, ipa_sudorule):
|
||||
if ipa_sudorule.get(category_name, None) == ['all']:
|
||||
if not module.check_mode:
|
||||
client.sudorule_mod(name=ipa_sudorule.get('cn'), item={category_name: None})
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
state = module.params['state']
|
||||
name = module.params['name']
|
||||
cmd = module.params['cmd']
|
||||
cmdcategory = module.params['cmdcategory']
|
||||
host = module.params['host']
|
||||
hostcategory = module.params['hostcategory']
|
||||
hostgroup = module.params['hostgroup']
|
||||
|
||||
if state in ['present', 'enabled']:
|
||||
ipaenabledflag = 'TRUE'
|
||||
else:
|
||||
ipaenabledflag = 'NO'
|
||||
|
||||
sudoopt = module.params['sudoopt']
|
||||
user = module.params['user']
|
||||
usercategory = module.params['usercategory']
|
||||
usergroup = module.params['usergroup']
|
||||
|
||||
module_sudorule = get_sudorule_dict(cmdcategory=cmdcategory,
|
||||
description=module.params['description'],
|
||||
hostcategory=hostcategory,
|
||||
ipaenabledflag=ipaenabledflag,
|
||||
usercategory=usercategory)
|
||||
ipa_sudorule = client.sudorule_find(name=name)
|
||||
|
||||
changed = False
|
||||
if state in ['present', 'disabled', 'enabled']:
|
||||
if not ipa_sudorule:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
ipa_sudorule = client.sudorule_add(name=name, item=module_sudorule)
|
||||
else:
|
||||
diff = get_sudorule_diff(ipa_sudorule, module_sudorule)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
if 'hostcategory' in diff:
|
||||
if ipa_sudorule.get('memberhost_host', None) is not None:
|
||||
client.sudorule_remove_host_host(name=name, item=ipa_sudorule.get('memberhost_host'))
|
||||
if ipa_sudorule.get('memberhost_hostgroup', None) is not None:
|
||||
client.sudorule_remove_host_hostgroup(name=name,
|
||||
item=ipa_sudorule.get('memberhost_hostgroup'))
|
||||
|
||||
client.sudorule_mod(name=name, item=module_sudorule)
|
||||
|
||||
if cmd is not None:
|
||||
changed = category_changed(module, client, 'cmdcategory', ipa_sudorule) or changed
|
||||
if not module.check_mode:
|
||||
client.sudorule_add_allow_command(name=name, item=cmd)
|
||||
|
||||
if host is not None:
|
||||
changed = category_changed(module, client, 'hostcategory', ipa_sudorule) or changed
|
||||
changed = modify_if_diff(module, name, ipa_sudorule.get('memberhost_host', []), host,
|
||||
client.sudorule_add_host_host,
|
||||
client.sudorule_remove_host_host) or changed
|
||||
|
||||
if hostgroup is not None:
|
||||
changed = category_changed(module, client, 'hostcategory', ipa_sudorule) or changed
|
||||
changed = modify_if_diff(module, name, ipa_sudorule.get('memberhost_hostgroup', []), hostgroup,
|
||||
client.sudorule_add_host_hostgroup,
|
||||
client.sudorule_remove_host_hostgroup) or changed
|
||||
if sudoopt is not None:
|
||||
changed = modify_if_diff(module, name, ipa_sudorule.get('ipasudoopt', []), sudoopt,
|
||||
client.sudorule_add_option_ipasudoopt,
|
||||
client.sudorule_remove_option_ipasudoopt) or changed
|
||||
if user is not None:
|
||||
changed = category_changed(module, client, 'usercategory', ipa_sudorule) or changed
|
||||
changed = modify_if_diff(module, name, ipa_sudorule.get('memberuser_user', []), user,
|
||||
client.sudorule_add_user_user,
|
||||
client.sudorule_remove_user_user) or changed
|
||||
if usergroup is not None:
|
||||
changed = category_changed(module, client, 'usercategory', ipa_sudorule) or changed
|
||||
changed = modify_if_diff(module, name, ipa_sudorule.get('memberuser_group', []), usergroup,
|
||||
client.sudorule_add_user_group,
|
||||
client.sudorule_remove_user_group) or changed
|
||||
else:
|
||||
if ipa_sudorule:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.sudorule_del(name)
|
||||
|
||||
return changed, client.sudorule_find(name)
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
cmd=dict(type='list', required=False),
|
||||
cmdcategory=dict(type='str', required=False, choices=['all']),
|
||||
cn=dict(type='str', required=True, aliases=['name']),
|
||||
description=dict(type='str', required=False),
|
||||
host=dict(type='list', required=False),
|
||||
hostcategory=dict(type='str', required=False, choices=['all']),
|
||||
hostgroup=dict(type='list', required=False),
|
||||
sudoopt=dict(type='list', required=False),
|
||||
state=dict(type='str', required=False, default='present',
|
||||
choices=['present', 'absent', 'enabled', 'disabled']),
|
||||
user=dict(type='list', required=False),
|
||||
usercategory=dict(type='str', required=False, choices=['all']),
|
||||
usergroup=dict(type='list', required=False),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
mutually_exclusive=[['cmdcategory', 'cmd'],
|
||||
['hostcategory', 'host'],
|
||||
['hostcategory', 'hostgroup'],
|
||||
['usercategory', 'user'],
|
||||
['usercategory', 'usergroup']],
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, sudorule = ensure(module, client)
|
||||
module.exit_json(changed=changed, sudorule=sudorule)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
401
lib/ansible/modules/extras/identity/ipa/ipa_user.py
Normal file
401
lib/ansible/modules/extras/identity/ipa/ipa_user.py
Normal file
|
@ -0,0 +1,401 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: ipa_user
|
||||
short_description: Manage FreeIPA users
|
||||
description:
|
||||
- Add, modify and delete user within IPA server
|
||||
options:
|
||||
displayname:
|
||||
description: Display name
|
||||
required: false
|
||||
givenname:
|
||||
description: First name
|
||||
required: false
|
||||
loginshell:
|
||||
description: Login shell
|
||||
required: false
|
||||
mail:
|
||||
description:
|
||||
- List of mail addresses assigned to the user.
|
||||
- If an empty list is passed all assigned email addresses will be deleted.
|
||||
- If None is passed email addresses will not be checked or changed.
|
||||
required: false
|
||||
password:
|
||||
description:
|
||||
- Password
|
||||
required: false
|
||||
sn:
|
||||
description: Surname
|
||||
required: false
|
||||
sshpubkey:
|
||||
description:
|
||||
- List of public SSH key.
|
||||
- If an empty list is passed all assigned public keys will be deleted.
|
||||
- If None is passed SSH public keys will not be checked or changed.
|
||||
required: false
|
||||
state:
|
||||
description: State to ensure
|
||||
required: false
|
||||
default: "present"
|
||||
choices: ["present", "absent", "enabled", "disabled"]
|
||||
telephonenumber:
|
||||
description:
|
||||
- List of telephone numbers assigned to the user.
|
||||
- If an empty list is passed all assigned telephone numbers will be deleted.
|
||||
- If None is passed telephone numbers will not be checked or changed.
|
||||
required: false
|
||||
title:
|
||||
description: Title
|
||||
required: false
|
||||
uid:
|
||||
description: uid of the user
|
||||
required: true
|
||||
aliases: ["name"]
|
||||
ipa_port:
|
||||
description: Port of IPA server
|
||||
required: false
|
||||
default: 443
|
||||
ipa_host:
|
||||
description: IP or hostname of IPA server
|
||||
required: false
|
||||
default: "ipa.example.com"
|
||||
ipa_user:
|
||||
description: Administrative account used on IPA server
|
||||
required: false
|
||||
default: "admin"
|
||||
ipa_pass:
|
||||
description: Password of administrative user
|
||||
required: true
|
||||
ipa_prot:
|
||||
description: Protocol used by IPA server
|
||||
required: false
|
||||
default: "https"
|
||||
choices: ["http", "https"]
|
||||
validate_certs:
|
||||
description:
|
||||
- This only applies if C(ipa_prot) is I(https).
|
||||
- If set to C(no), the SSL certificates will not be validated.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
required: false
|
||||
default: true
|
||||
version_added: "2.3"
|
||||
requirements:
|
||||
- base64
|
||||
- hashlib
|
||||
- json
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Ensure pinky is present
|
||||
- ipa_user:
|
||||
name: pinky
|
||||
state: present
|
||||
givenname: Pinky
|
||||
sn: Acme
|
||||
mail:
|
||||
- pinky@acme.com
|
||||
telephonenumber:
|
||||
- '+555123456'
|
||||
sshpubkeyfp:
|
||||
- ssh-rsa ....
|
||||
- ssh-dsa ....
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
|
||||
# Ensure brain is absent
|
||||
- ipa_user:
|
||||
name: brain
|
||||
state: absent
|
||||
ipa_host: ipa.example.com
|
||||
ipa_user: admin
|
||||
ipa_pass: topsecret
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
user:
|
||||
description: User as returned by IPA API
|
||||
returned: always
|
||||
type: dict
|
||||
'''
|
||||
|
||||
import base64
|
||||
import hashlib
|
||||
|
||||
try:
|
||||
import json
|
||||
except ImportError:
|
||||
import simplejson as json
|
||||
|
||||
|
||||
class IPAClient:
|
||||
def __init__(self, module, host, port, protocol):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.protocol = protocol
|
||||
self.module = module
|
||||
self.headers = None
|
||||
|
||||
def get_base_url(self):
|
||||
return '%s://%s/ipa' % (self.protocol, self.host)
|
||||
|
||||
def get_json_url(self):
|
||||
return '%s/session/json' % self.get_base_url()
|
||||
|
||||
def login(self, username, password):
|
||||
url = '%s/session/login_password' % self.get_base_url()
|
||||
data = 'user=%s&password=%s' % (username, password)
|
||||
headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
'Accept': 'text/plain'}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=data, headers=headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail('login', info['body'])
|
||||
|
||||
self.headers = {'referer': self.get_base_url(),
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'Cookie': resp.info().getheader('Set-Cookie')}
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('login', str(e))
|
||||
|
||||
def _fail(self, msg, e):
|
||||
if 'message' in e:
|
||||
err_string = e.get('message')
|
||||
else:
|
||||
err_string = e
|
||||
self.module.fail_json(msg='%s: %s' % (msg, err_string))
|
||||
|
||||
def _post_json(self, method, name, item=None):
|
||||
if item is None:
|
||||
item = {}
|
||||
url = '%s/session/json' % self.get_base_url()
|
||||
data = {'method': method, 'params': [[name], item]}
|
||||
try:
|
||||
resp, info = fetch_url(module=self.module, url=url, data=json.dumps(data), headers=self.headers)
|
||||
status_code = info['status']
|
||||
if status_code not in [200, 201, 204]:
|
||||
self._fail(method, info['body'])
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
self._fail('post %s' % method, str(e))
|
||||
|
||||
resp = json.loads(resp.read())
|
||||
err = resp.get('error')
|
||||
if err is not None:
|
||||
self._fail('repsonse %s' % method, err)
|
||||
|
||||
if 'result' in resp:
|
||||
result = resp.get('result')
|
||||
if 'result' in result:
|
||||
result = result.get('result')
|
||||
if isinstance(result, list):
|
||||
if len(result) > 0:
|
||||
return result[0]
|
||||
return result
|
||||
return None
|
||||
|
||||
def user_find(self, name):
|
||||
return self._post_json(method='user_find', name=None, item={'all': True, 'uid': name})
|
||||
|
||||
def user_add(self, name, item):
|
||||
return self._post_json(method='user_add', name=name, item=item)
|
||||
|
||||
def user_mod(self, name, item):
|
||||
return self._post_json(method='user_mod', name=name, item=item)
|
||||
|
||||
def user_del(self, name):
|
||||
return self._post_json(method='user_del', name=name)
|
||||
|
||||
def user_disable(self, name):
|
||||
return self._post_json(method='user_disable', name=name)
|
||||
|
||||
def user_enable(self, name):
|
||||
return self._post_json(method='user_enable', name=name)
|
||||
|
||||
|
||||
def get_user_dict(givenname=None, loginshell=None, mail=None, nsaccountlock=False, sn=None, sshpubkey=None,
|
||||
telephonenumber=None,
|
||||
title=None):
|
||||
user = {}
|
||||
if givenname is not None:
|
||||
user['givenname'] = givenname
|
||||
if loginshell is not None:
|
||||
user['loginshell'] = loginshell
|
||||
if mail is not None:
|
||||
user['mail'] = mail
|
||||
user['nsaccountlock'] = nsaccountlock
|
||||
if sn is not None:
|
||||
user['sn'] = sn
|
||||
if sshpubkey is not None:
|
||||
user['ipasshpubkey'] = sshpubkey
|
||||
if telephonenumber is not None:
|
||||
user['telephonenumber'] = telephonenumber
|
||||
if title is not None:
|
||||
user['title'] = title
|
||||
|
||||
return user
|
||||
|
||||
|
||||
def get_user_diff(ipa_user, module_user):
|
||||
"""
|
||||
Return the keys of each dict whereas values are different. Unfortunately the IPA
|
||||
API returns everything as a list even if only a single value is possible.
|
||||
Therefore some more complexity is needed.
|
||||
The method will check if the value type of module_user.attr is not a list and
|
||||
create a list with that element if the same attribute in ipa_user is list. In this way i hope that the method
|
||||
must not be changed if the returned API dict is changed.
|
||||
:param ipa_user:
|
||||
:param module_user:
|
||||
:return:
|
||||
"""
|
||||
# return [item for item in module_user.keys() if module_user.get(item, None) != ipa_user.get(item, None)]
|
||||
result = []
|
||||
# sshpubkeyfp is the list of ssh key fingerprints. IPA doesn't return the keys itself but instead the fingerprints.
|
||||
# These are used for comparison.
|
||||
sshpubkey = None
|
||||
if 'ipasshpubkey' in module_user:
|
||||
module_user['sshpubkeyfp'] = [get_ssh_key_fingerprint(pubkey) for pubkey in module_user['ipasshpubkey']]
|
||||
# Remove the ipasshpubkey element as it is not returned from IPA but save it's value to be used later on
|
||||
sshpubkey = module_user['ipasshpubkey']
|
||||
del module_user['ipasshpubkey']
|
||||
for key in module_user.keys():
|
||||
mod_value = module_user.get(key, None)
|
||||
ipa_value = ipa_user.get(key, None)
|
||||
if isinstance(ipa_value, list) and not isinstance(mod_value, list):
|
||||
mod_value = [mod_value]
|
||||
if isinstance(ipa_value, list) and isinstance(mod_value, list):
|
||||
mod_value = sorted(mod_value)
|
||||
ipa_value = sorted(ipa_value)
|
||||
if mod_value != ipa_value:
|
||||
result.append(key)
|
||||
# If there are public keys, remove the fingerprints and add them back to the dict
|
||||
if sshpubkey is not None:
|
||||
del module_user['sshpubkeyfp']
|
||||
module_user['ipasshpubkey'] = sshpubkey
|
||||
return result
|
||||
|
||||
|
||||
def get_ssh_key_fingerprint(ssh_key):
|
||||
"""
|
||||
Return the public key fingerprint of a given public SSH key
|
||||
in format "FB:0C:AC:0A:07:94:5B:CE:75:6E:63:32:13:AD:AD:D7 (ssh-rsa)"
|
||||
:param ssh_key:
|
||||
:return:
|
||||
"""
|
||||
parts = ssh_key.strip().split()
|
||||
if len(parts) == 0:
|
||||
return None
|
||||
key_type = parts[0]
|
||||
key = base64.b64decode(parts[1].encode('ascii'))
|
||||
|
||||
fp_plain = hashlib.md5(key).hexdigest()
|
||||
return ':'.join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2])).upper() + ' (%s)' % key_type
|
||||
|
||||
|
||||
def ensure(module, client):
|
||||
state = module.params['state']
|
||||
name = module.params['name']
|
||||
nsaccountlock = state == 'disabled'
|
||||
|
||||
module_user = get_user_dict(givenname=module.params.get('givenname'), loginshell=module.params['loginshell'],
|
||||
mail=module.params['mail'], sn=module.params['sn'],
|
||||
sshpubkey=module.params['sshpubkey'], nsaccountlock=nsaccountlock,
|
||||
telephonenumber=module.params['telephonenumber'], title=module.params['title'])
|
||||
|
||||
ipa_user = client.user_find(name=name)
|
||||
|
||||
changed = False
|
||||
if state in ['present', 'enabled', 'disabled']:
|
||||
if not ipa_user:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
ipa_user = client.user_add(name=name, item=module_user)
|
||||
else:
|
||||
diff = get_user_diff(ipa_user, module_user)
|
||||
if len(diff) > 0:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
ipa_user = client.user_mod(name=name, item=module_user)
|
||||
else:
|
||||
if ipa_user:
|
||||
changed = True
|
||||
if not module.check_mode:
|
||||
client.user_del(name)
|
||||
|
||||
return changed, ipa_user
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
displayname=dict(type='str', required=False),
|
||||
givenname=dict(type='str', required=False),
|
||||
loginshell=dict(type='str', required=False),
|
||||
mail=dict(type='list', required=False),
|
||||
sn=dict(type='str', required=False),
|
||||
uid=dict(type='str', required=True, aliases=['name']),
|
||||
password=dict(type='str', required=False, no_log=True),
|
||||
sshpubkey=dict(type='list', required=False),
|
||||
state=dict(type='str', required=False, default='present',
|
||||
choices=['present', 'absent', 'enabled', 'disabled']),
|
||||
telephonenumber=dict(type='list', required=False),
|
||||
title=dict(type='str', required=False),
|
||||
ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
|
||||
ipa_host=dict(type='str', required=False, default='ipa.example.com'),
|
||||
ipa_port=dict(type='int', required=False, default=443),
|
||||
ipa_user=dict(type='str', required=False, default='admin'),
|
||||
ipa_pass=dict(type='str', required=True, no_log=True),
|
||||
validate_certs=dict(type='bool', required=False, default=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
client = IPAClient(module=module,
|
||||
host=module.params['ipa_host'],
|
||||
port=module.params['ipa_port'],
|
||||
protocol=module.params['ipa_prot'])
|
||||
|
||||
# If sshpubkey is defined as None than module.params['sshpubkey'] is [None]. IPA itself returns None (not a list).
|
||||
# Therefore a small check here to replace list(None) by None. Otherwise get_user_diff() would return sshpubkey
|
||||
# as different which should be avoided.
|
||||
if module.params['sshpubkey'] is not None:
|
||||
if len(module.params['sshpubkey']) == 1 and module.params['sshpubkey'][0] is "":
|
||||
module.params['sshpubkey'] = None
|
||||
|
||||
try:
|
||||
client.login(username=module.params['ipa_user'],
|
||||
password=module.params['ipa_pass'])
|
||||
changed, user = ensure(module, client)
|
||||
module.exit_json(changed=changed, user=user)
|
||||
except Exception:
|
||||
e = get_exception()
|
||||
module.fail_json(msg=str(e))
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.pycompat24 import get_exception
|
||||
from ansible.module_utils.urls import fetch_url
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
Loading…
Reference in a new issue