
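--- a/ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid
+++ b/ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Set IPA domain netbios name
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM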
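--- a/ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid
+++ b/ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes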
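--- a/ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid
+++ b/ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py
@@ -148,6 +148,24 @@ options:
         required: false
         type: list
         aliases: ["ipadomainresolutionorder"]
+    enable_sid:
+        description: >
+          New users and groups automatically get a SID assigned.
+          Requires IPA 4.9.8+.
+        required: false
+        type: bool
+    netbios_name:
+        description: >
+          NetBIOS name of the IPA domain.
+          Requires IPA 4.9.8+ and 'enable_sid: yes'.
+        required: false
+        type: string
+    add_sids:
+        description: >
+          Add SIDs for existing users and groups.
+          Requires IPA 4.9.8+ and 'enable_sid: yes'.
+        required: false
+        type: bool
 '''
 
 EXAMPLES = '''
@@ -169,6 +187,24 @@ EXAMPLES = '''
         ipaadmin_password: SomeADMINpassword
         defaultshell: /bin/bash
         maxusername: 64
+
+- name: Playbook to enable SID and generate users and groups SIDs
+  hosts: ipaserver
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
+
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
 '''
 
 RETURN = '''
@@ -247,6 +283,14 @@ config:
     domain_resolution_order:
         description: list of domains used for short name qualification
         returned: always
+    enable_sid:
+        description: >
+          new users and groups automatically get a SID assigned.
+          Requires IPA 4.9.8+.
+        returned: always
+    netbios_name:
+        description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
+        returned: if enable_sid is True
 '''
 
 
@@ -260,6 +304,28 @@ def config_show(module):
     return _result["result"]
 
 
+def get_netbios_name(module):
+    try:
+        _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
+    except Exception:  # pylint: disable=broad-except
+        return None
+    else:
+        return _result["result"]["ipantflatname"][0]
+
+
+def is_enable_sid(module):
+    """When 'enable-sid' is true admin user and admins group have SID set."""
+    _result = module.ipa_command("user_show", "admin", {"all": True})
+    sid = _result["result"].get("ipantsecurityidentifier", [""])
+    if not sid[0].endswith("-500"):
+        return False
+    _result = module.ipa_command("group_show", "admins", {"all": True})
+    sid = _result["result"].get("ipantsecurityidentifier", [""])
+    if not sid[0].endswith("-512"):
+        return False
+    return True
+
+
 def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
@@ -313,7 +379,10 @@ def main():
                                 aliases=["ipauserauthtype"]),
             ca_renewal_master_server=dict(type="str", required=False),
             domain_resolution_order=dict(type="list", required=False,
-                                         aliases=["ipadomainresolutionorder"])
+                                         aliases=["ipadomainresolutionorder"]),
+            enable_sid=dict(type="bool", required=False),
+            add_sids=dict(type="bool", required=False),
+            netbios_name=dict(type="str", required=False),
         ),
         supports_check_mode=True,
     )
@@ -344,7 +413,10 @@ def main():
         "pac_type": "ipakrbauthzdata",
         "user_auth_type": "ipauserauthtype",
         "ca_renewal_master_server": "ca_renewal_master_server",
-        "domain_resolution_order": "ipadomainresolutionorder"
+        "domain_resolution_order": "ipadomainresolutionorder",
+        "enable_sid": "enable_sid",
+        "netbios_name": "netbios_name",
+        "add_sids": "add_sids",
     }
     reverse_field_map = {v: k for k, v in field_map.items()}
 
@@ -392,11 +464,47 @@ def main():
     changed = False
     exit_args = {}
 
-    # Connect to IPA API
-    with ansible_module.ipa_connect():
+    # Connect to IPA API (enable-sid requires context == 'client')
+    with ansible_module.ipa_connect(context="client"):
+        has_enable_sid = ansible_module.ipa_command_param_exists(
+            "config_mod", "enable_sid")
 
         result = config_show(ansible_module)
+
         if params:
+            netbios_name = params.get("netbios_name")
+            if netbios_name:
+                netbios_name = netbios_name.upper()
+            add_sids = params.get("add_sids")
+            enable_sid = params.get("enable_sid")
+            required_sid = any([netbios_name, add_sids])
+            if required_sid and not enable_sid:
+                ansible_module.fail_json(
+                    "'enable-sid: yes' required for 'netbios_name' "
+                    "and 'add-sids'."
+                )
+            if enable_sid:
+                if not has_enable_sid:
+                    ansible_module.fail_json(
+                        "This version of IPA does not support 'enable-sid'.")
+                if (
+                    netbios_name
+                    and netbios_name == get_netbios_name(ansible_module)
+                ):
+                    del params["netbios_name"]
+                    netbios_name = None
+                if not add_sids and "add_sids" in params:
+                    del params["add_sids"]
+                if (
+                    not any([netbios_name, add_sids])
+                    and is_enable_sid(ansible_module)
+                ):
+                    del params["enable_sid"]
+            else:
+                for param in ["enable_sid", "netbios_name", "add_sids"]:
+                    if param in params:
+                        del params[params]
+
             params = {
                 k: v for k, v in params.items()
                 if k not in result or result[k] != v
@@ -441,6 +549,10 @@ def main():
                             raise ValueError(
                                 "Unexpected attribute type: %s" % arg_type)
                         exit_args[k] = type_map[arg_type](value)
+            # Set enable_sid
+            if has_enable_sid:
+                exit_args["enable_sid"] = is_enable_sid(ansible_module)
+                exit_args["netbios_name"] = get_netbios_name(ansible_module)
 
     # Done
     ansible_module.exit_json(changed=changed, config=exit_args)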
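Review bot: `del params[params]` in the `else` branch of the new enable_sid handling in main() (the `for param in ["enable_sid", "netbios_name", "add_sids"]:` loop) indexes the dict with itself and raises TypeError (unhashable type: 'dict') instead of dropping the key; it should read `del params[param]`. The branch is reached whenever enable_sid is unset or false and one of the three keys is still present, e.g. `enable_sid: no` or `add_sids: no`, so such a playbook crashes rather than being treated as a no-op. In the RETURN block `netbios_name` is documented as `returned: if enable_sid is True`, but the final hunk sets `exit_args["netbios_name"]` whenever `has_enable_sid` is true, possibly to the None that `get_netbios_name` returns on any exception, so either the doc should say `returned: if the server supports enable_sid` or the assignment should be guarded by the `is_enable_sid` result. The options block declares `netbios_name` as `type: string` while argument_spec uses `type="str"`; the documentation type should be `str` to match. main() begins before and ends after these hunks.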
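--- a/ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid
+++ b/ansible-freeipa-1.6.3/README-config.md
@@ -65,6 +65,9 @@ Example playbook to read config options:
         maxusername: 64
 ```
 
+
+Example playbook to set global configuration options:
+
 ```yaml
 ---
 - name: Playbook to ensure some config options are set
@@ -79,6 +82,40 @@ Example playbook to read config options:
 ```
 
 
+Example playbook to enable SID and generate users and groups SIDs:
+
+```yaml
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
+```
+
+Example playbook to change IPA domain NetBIOS name:
+
+```yaml
+---
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Set IPA domain netbios name
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
+```
+
 Variables
 =========
 
@@ -111,6 +148,9 @@ Variable | Description | Required
 `user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
 
 
 Return Values
@@ -140,6 +180,8 @@ Variable | Description | Returned When
   | `user_auth_type` |  
   | `domain_resolution_order` |  
   | `ca_renewal_master_server` |  
+  | `enable_sid` |  
+  | `netbios_name` |  
 
 All returned fields take the same form as their namesake input parameters
 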
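--- a/ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid
+++ b/ansible-freeipa-1.6.3/tests/config/test_config_sid.yml
@@ -0,0 +1,70 @@
+---
+- name: Test config
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
+  become: no
+  gather_facts: no
+
+  tasks:
+
+  # GET CURRENT CONFIG
+
+  - name: Return current values of the global configuration options
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+    register: previous
+
+  # TESTS
+  - block:
+    - name: Ensure SID is enabled.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+      register: result
+      failed_when: result.failed or previous.config.enable_sid == result.changed
+
+    - name: Ensure SID is enabled, again.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+      register: result
+      failed_when: result.failed or result.changed
+
+    - name: Ensure netbios_name is "IPATESTPLAY"
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        netbios_name: IPATESTPLAY
+      register: result
+      failed_when: result.failed or not result.changed
+
+    - name: Ensure netbios_name is "IPATESTPLAY", again
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        netbios_name: IPATESTPLAY
+      register: result
+      failed_when: result.failed or result.changed
+
+    # add_sids is not idempotent as it always tries to generate the missing
+    # SIDs for users and groups.
+    - name: Add SIDs to users and groups.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        add_sids: yes
+
+    # REVERT TO PREVIOUS CONFIG
+    always:
+    # Once SID is enabled, it cannot be reverted.
+    - name: Revert netbios_name to original configuration
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
+        enable_sid: yes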