ipaservice: Add support for 'state: fetched'.

plugins/modules/ipaservice.py

@@ -148,14 +148,17 @@
  required: false
  default: True
  type: bool
+ fetch_param:
+ description: The fields to fetch with state=fetched
+ required: false
  action:
  description: Work on service or member level
  default: service
  choices: ["member", "service"]
  state:
  description: State to ensure
  default: present
- choices: ["present", "absent", "disabled"]
+ choices: ["present", "absent", "disabled", "fetched"]
 author:
  - Rafael Jeffman
 """
@@ -303,7 +306,12 @@ def check_parameters(module, state, action, names):
  'allow_retrieve_keytab_group', 'allow_retrieve_keytab_host',
  'allow_retrieve_keytab_hostgroup']
 
- if state == 'present':
+ if state == 'fetched':
+ if action != 'service':
+ module.fail_json(msg="Can only fetch if action is 'service'.")
+ invalid = ['delete_continue']
+
+ elif state == 'present':
  if len(names) != 1:
  module.fail_json(msg="Only one service can be added at a time.")
 
@@ -347,7 +355,7 @@ def init_ansible_module():
  argument_spec=dict(
  # general
  name=dict(type="list", aliases=["service"], default=None,
- required=True),
+ required=False),
  # service attributesstr
  certificate=dict(type="list", aliases=['usercertificate'],
  default=None, required=False),
@@ -392,14 +400,19 @@ def init_ansible_module():
  allow_retrieve_keytab_hostgroup=dict(
  type="list", required=False,
  aliases=['ipaallowedtoperform_read_keys_hostgroup']),
+ # fetched
+ fetch_param=dict(type="list", default=None,
+ choices=["all"].extend(ipa_param_mapping.keys()),
+ required=False),
+ # absent
  delete_continue=dict(type="bool", required=False,
  aliases=['continue']),
  # action
  action=dict(type="str", default="service",
  choices=["member", "service"]),
  # state
  state=dict(type="str", default="present",
- choices=["present", "absent", "disabled"]),
+ choices=["present", "absent", "disabled", "fetched"]),
  ),
  supports_check_mode=True,
  )
@@ -409,6 +422,20 @@ def init_ansible_module():
  return ansible_module
 
 
+ipa_param_mapping = {
+ "principal": "krbprincipalname",
+ "certificate": "usercertificate",
+ "pac_type": "ipakrbauthzdata",
+ "auth_ind": "krbprincipalauthind",
+ "requires_pre_auth": "ipakrbrequirespreauth",
+ "ok_as_delegate": "ipakrbokasdelegate",
+ "ok_to_auth_as_delegate": "ipakrboktoauthasdelegate",
+ "netbiosname": "ipantflatname",
+ "host": "managedby_host",
+ "service": "krbcanonicalname",
+}
+
+
 def main():
  ansible_module = init_ansible_module()
 
@@ -461,6 +488,35 @@ def main():
  commands = []
  keytab_members = ["user", "group", "host", "hostgroup"]
 
+ if state == "fetched":
+ encoding_fn = {
+ "usercertificate": encode_certificate
+ }
+ # set filter based on "name"
+ if names:
+ names = [
+ p.lower() if "@" in p
+ else "%s@%s".lower() % (p.lower(), api_get_realm().lower())
+ for p in names
+ ]
+
+ def object_filter(res):
+ return any(
+ (
+ to_text(svc).lower().startswith(n)
+ for svc in res["krbcanonicalname"] for n in names
+ )
+ )
+
+ # fetch objects
+ fetched = ansible_module.fetch_objects(
+ "service", ["service"], ipa_param_mapping,
+ object_filter, encoding_fn=encoding_fn
+ )
+ exit_args["services"] = fetched
+ ansible_module.exit_json(changed=False, service=exit_args)
+ names = []
+
  for name in names:
  res_find = find_service(ansible_module, name)
  res_principals = []

tests/service/test_service_fetched.yml

@@ -0,0 +1,112 @@
+---
+- name: Test ipaservice fetch
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - include_tasks: ../env_freeipa_facts.yml
+
+ - when: ipa_version is version('4.7.0', '>=')
+ block:
+ # SETUP
+ - name: Generate self-signed certificates.
+ shell:
+ cmd: |
+ openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout "private{{ item }}.key" -out "cert{{ item }}.pem" -subj '/CN=test'
+ openssl x509 -outform der -in "cert{{ item }}.pem" -out "cert{{ item }}.der"
+ base64 "cert{{ item }}.der" -w5000 > "cert{{ item }}.b64"
+ with_items: [1, 2]
+ become: no
+ delegate_to: localhost
+
+ - name: Setup test environment
+ include_tasks: env_setup.yml
+
+ - name: Ensure service is present
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type:
+ - MS-PAC
+ - PAD
+ auth_ind: otp
+ skip_host_check: no
+ force: yes
+ requires_pre_auth: yes
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ certificate:
+ - "{{ lookup('file', 'cert1.b64') }}"
+ register: result
+ failed_when: not result.changed or result.failed
+
+ # TESTS
+ - name: Fetch service information
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - DNS/fedsrv.ipa.test
+ fetch_param: all
+ state: fetched
+ register: result
+ failed_when: result.changed or result.failed
+
+ - name: Print fetched information
+ debug:
+ var: result
+
+ - name: Fetch service information
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ fetch_param:
+ - host
+ - principal
+ state: fetched
+ register: result
+ failed_when: result.changed or result.failed
+
+ - name: Print fetched information
+ debug:
+ var: result
+
+ - name: Fetch service information
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ state: fetched
+ register: result
+ failed_when: result.changed or result.failed
+
+ - name: Print fetched information
+ debug:
+ var: result
+
+ - name: Fetch service information
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - DNS/fedsrv.ipa.test
+ - http/fedsrv.ipa.test
+ - mysvc/fedsrv.ipa.test
+ fetch_param: all
+ state: fetched
+ register: result
+ failed_when: result.changed or result.failed
+
+ - name: Print fetched information
+ debug:
+ var: result
+
+ always:
+ # CLEANUP
+ - name: Cleanup test environment
+ include_tasks: env_cleanup.yml
+
+ - name: Remove certificate files.
+ shell:
+ cmd: rm -f "private{{ item }}.key" "cert{{ item }}.pem" "cert{{ item }}.der" "cert{{ item }}.b64"
+ with_items: [1, 2]
+ become: no
+ delegate_to: localhost
+ args:
+ warn: no # suppres warning for not using the `file` module.