Merge pull request #487 from rjeffman/ipagroup_add_idoverrideuser

Add support for managing idoverrideusers in ipagroup.
freeipa · Apr 29, 2022 · ba3fe74 · ba3fe74
2 parents b9151f3 + 099eb96
commit ba3fe74
Show file tree

Hide file tree

Showing 3 changed files with 144 additions and 5 deletions.
diff --git a/README-group.md b/README-group.md
@@ -166,6 +166,7 @@ Variable | Description | Required
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
+`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 

diff --git a/plugins/modules/ipagroup.py b/plugins/modules/ipagroup.py
@@ -97,6 +97,11 @@
     required: false
     type: list
     ailases: ["ipaexternalmember", "external_member"]
+  idoverrideuser:
+    description:
+    - User ID overrides to add
+    required: false
+    type: list
   action:
     description: Work on group or member level
     default: group
@@ -184,7 +189,7 @@
 from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
-    gen_add_list, gen_intersection_list
+    gen_add_list, gen_intersection_list, api_check_param
 
 
 def find_group(module, name):
@@ -223,7 +228,7 @@ def gen_args(description, gid, nomembers):
     return _args
 
 
-def gen_member_args(user, group, service, externalmember):
+def gen_member_args(user, group, service, externalmember, idoverrideuser):
     _args = {}
     if user is not None:
         _args["member_user"] = user
@@ -233,6 +238,8 @@ def gen_member_args(user, group, service, externalmember):
         _args["member_service"] = service
     if externalmember is not None:
         _args["member_external"] = externalmember
+    if idoverrideuser is not None:
+        _args["member_idoverrideuser"] = idoverrideuser
 
     return _args
 
@@ -280,6 +287,7 @@ def main():
             user=dict(required=False, type='list', default=None),
             group=dict(required=False, type='list', default=None),
             service=dict(required=False, type='list', default=None),
+            idoverrideuser=dict(required=False, type='list', default=None),
             membermanager_user=dict(required=False, type='list', default=None),
             membermanager_group=dict(required=False, type='list',
                                      default=None),
@@ -312,6 +320,7 @@ def main():
     gid = ansible_module.params_get("gid")
     nonposix = ansible_module.params_get("nonposix")
     external = ansible_module.params_get("external")
+    idoverrideuser = ansible_module.params_get("idoverrideuser")
     posix = ansible_module.params_get("posix")
     nomembers = ansible_module.params_get("nomembers")
     user = ansible_module.params_get("user")
@@ -379,6 +388,13 @@ def main():
                 "by your IPA version"
             )
 
+        has_idoverrideuser = api_check_param(
+            "group_add_member", "idoverrideuser")
+        if idoverrideuser is not None and not has_idoverrideuser:
+            ansible_module.fail_json(
+                msg="Managing a idoverrideuser as part of a group is not "
+                "supported by your IPA version")
+
         commands = []
 
         for name in names:
@@ -389,6 +405,7 @@ def main():
             group_add, group_del = [], []
             service_add, service_del = [], []
             externalmember_add, externalmember_del = [], []
+            idoverrides_add, idoverrides_del = [], []
             membermanager_user_add, membermanager_user_del = [], []
             membermanager_group_add, membermanager_group_del = [], []
 
@@ -438,7 +455,7 @@ def main():
                         res_find["objectclass"].append("posixgroup")
 
                     member_args = gen_member_args(
-                        user, group, service, externalmember
+                        user, group, service, externalmember, idoverrideuser
                     )
                     if not compare_args_ipa(ansible_module, member_args,
                                             res_find):
@@ -456,6 +473,12 @@ def main():
                          externalmember_del) = gen_add_del_lists(
                             externalmember, res_find.get("member_external"))
 
+                        (idoverrides_add,
+                         idoverrides_del) = gen_add_del_lists(
+                            idoverrideuser,
+                            res_find.get("member_idoverrideuser")
+                        )
+
                     membermanager_user_add, membermanager_user_del = \
                         gen_add_del_lists(
                             membermanager_user,
@@ -483,6 +506,8 @@ def main():
                         service, res_find.get("member_service"))
                     externalmember_add = gen_add_list(
                         externalmember, res_find.get("member_external"))
+                    idoverrides_add = gen_add_list(
+                        idoverrideuser, res_find.get("member_idoverrideuser"))
 
                     membermanager_user_add = gen_add_list(
                         membermanager_user,
@@ -516,6 +541,8 @@ def main():
                         service, res_find.get("member_service"))
                     externalmember_del = gen_intersection_list(
                         externalmember, res_find.get("member_external"))
+                    idoverrides_del = gen_intersection_list(
+                        idoverrideuser, res_find.get("member_idoverrideuser"))
 
                     membermanager_user_del = gen_intersection_list(
                         membermanager_user, res_find.get("membermanager_user"))
@@ -532,10 +559,16 @@ def main():
                 "user": user_add,
                 "group": group_add,
             }
+
             del_member_args = {
                 "user": user_del,
                 "group": group_del,
             }
+
+            if has_idoverrideuser:
+                add_member_args["idoverrideuser"] = idoverrides_add
+                del_member_args["idoverrideuser"] = idoverrides_del
+
             if has_add_member_service:
                 add_member_args["service"] = service_add
                 del_member_args["service"] = service_del
@@ -550,15 +583,16 @@ def main():
                     msg="Cannot add external members to a "
                         "non-external group."
                 )
+
             # Add members
-            add_members = any([user_add, group_add,
+            add_members = any([user_add, group_add, idoverrides_add,
                                service_add, externalmember_add])
             if add_members:
                 commands.append(
                     [name, "group_add_member", add_member_args]
                 )
             # Remove members
-            remove_members = any([user_del, group_del,
+            remove_members = any([user_del, group_del, idoverrides_del,
                                   service_del, externalmember_del])
             if remove_members:
                 commands.append(

diff --git a/tests/group/test_group_idoverrideuser.yml b/tests/group/test_group_idoverrideuser.yml
@@ -0,0 +1,104 @@
+---
+- name: Test group
+  hosts: ipaserver
+  become: yes
+  gather_facts: yes
+
+  vars:
+      ad_user: "{{ test_ad_user | default('AD\\aduser') }}"
+      ad_domain: "{{ test_ad_domain | default('ad.ipa.test') }}"
+
+  tasks:
+    - include_tasks: ../env_freeipa_facts.yml
+
+    - block:
+      - name: Create idoverrideuser.
+        shell: |
+          kinit -c idoverride_cache admin <<< SomeADMINpassword
+          ipa idoverrideuser-add "Default Trust View" {{ ad_user }}
+          kdestroy -A -q -c idoverride_cache
+
+      - name: Remove testing groups.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name:
+          - idovergroup
+          state: absent
+
+      - name: Add group with idoverrideuser.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name: idovergroup
+          idoverrideuser: "{{ ad_user }}"
+        register: result
+        failed_when: result.failed or not result.changed
+
+      - name: Add group with idoverrideuser, again.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name: idovergroup
+          idoverrideuser: "{{ ad_user }}"
+        register: result
+        failed_when: result.failed or result.changed
+
+      - name: Remove idoverrideuser member.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name: idovergroup
+          idoverrideuser: "{{ ad_user }}"
+          action: member
+          state: absent
+        register: result
+        failed_when: result.failed or not result.changed
+
+      - name: Remove idoverrideuser member, again.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name: idovergroup
+          idoverrideuser: "{{ ad_user }}"
+          action: member
+          state: absent
+        register: result
+        failed_when: result.failed or result.changed
+
+      - name: Add idoverrideuser member.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name: idovergroup
+          idoverrideuser: "{{ ad_user }}"
+          action: member
+        register: result
+        failed_when: result.failed or not result.changed
+
+      - name: Add idoverrideuser member, again.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name: idovergroup
+          idoverrideuser: "{{ ad_user }}"
+          action: member
+        register: result
+        failed_when: result.failed or result.changed
+
+      - name: Cleanup idoverrideuser member.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name: idovergroup
+          idoverrideuser: "{{ ad_user }}"
+          state: absent
+
+      - name: Remove testing groups.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name:
+          - idovergroup
+          state: absent
+
+      always:
+      - name: Remove idoverrideuser.
+        shell: |
+          kinit -c idoverride_cache admin <<< SomeADMINpassword
+          ipa idoverrideuser-del "Default Trust View" {{ ad_user }}
+          kdestroy -A -q -c idoverride_cache
+        when:
+
+      when: ipa_version is version("4.8.7", ">=")  and trust_test_is_supported | default(false)