Ipa sudorule/add deny options (#7415)
* Introduce options to include 'deny' commands and command groups * Adding Changelog fragment * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Update changelogs/fragments/add-ipa-sudorule-deny-cmd.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/ipa_sudorule.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/ipa_sudorule.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Ris Adams <ris@risadams.com> Co-authored-by: Felix Fontein <felix@fontein.de>
parent
f8d8f691bc
commit
df66885fa4
2 changed files with 40 additions and 0 deletions
2
changelogs/fragments/add-ipa-sudorule-deny-cmd.yml
|
@ -0,0 +1,2 @@
|
|||
minor_changes:
|
||||
- ipa_sudorule - adds options to include denied commands or command groups (https://github.com/ansible-collections/community.general/pull/7415).
|
|
@ -47,6 +47,22 @@ options:
|
|||
type: list
|
||||
elements: str
|
||||
version_added: 2.0.0
|
||||
deny_cmd:
|
||||
description:
|
||||
- List of denied commands assigned to the rule.
|
||||
- If an empty list is passed all commands will be removed from the rule.
|
||||
- If option is omitted commands will not be checked or changed.
|
||||
type: list
|
||||
elements: str
|
||||
version_added: 8.1.0
|
||||
deny_cmdgroup:
|
||||
description:
|
||||
- List of denied command groups assigned to the rule.
|
||||
- If an empty list is passed all command groups will be removed from the rule.
|
||||
- If option is omitted command groups will not be checked or changed.
|
||||
type: list
|
||||
elements: str
|
||||
version_added: 8.1.0
|
||||
description:
|
||||
description:
|
||||
- Description of the sudo rule.
|
||||
|
@ -246,6 +262,12 @@ class SudoRuleIPAClient(IPAClient):
|
|||
def sudorule_add_allow_command_group(self, name, item):
|
||||
return self._post_json(method='sudorule_add_allow_command', name=name, item={'sudocmdgroup': item})
|
||||
|
||||
def sudorule_add_deny_command(self, name, item):
|
||||
return self._post_json(method='sudorule_add_deny_command', name=name, item={'sudocmd': item})
|
||||
|
||||
def sudorule_add_deny_command_group(self, name, item):
|
||||
return self._post_json(method='sudorule_add_deny_command', name=name, item={'sudocmdgroup': item})
|
||||
|
||||
def sudorule_remove_allow_command(self, name, item):
|
||||
return self._post_json(method='sudorule_remove_allow_command', name=name, item=item)
|
||||
|
||||
|
@ -303,6 +325,8 @@ def ensure(module, client):
|
|||
cmd = module.params['cmd']
|
||||
cmdgroup = module.params['cmdgroup']
|
||||
cmdcategory = module.params['cmdcategory']
|
||||
deny_cmd = module.params['deny_cmd']
|
||||
deny_cmdgroup = module.params['deny_cmdgroup']
|
||||
host = module.params['host']
|
||||
hostcategory = module.params['hostcategory']
|
||||
hostgroup = module.params['hostgroup']
|
||||
|
@ -359,6 +383,16 @@ def ensure(module, client):
|
|||
if not module.check_mode:
|
||||
client.sudorule_add_allow_command_group(name=name, item=cmdgroup)
|
||||
|
||||
if deny_cmd is not None:
|
||||
changed = category_changed(module, client, 'cmdcategory', ipa_sudorule) or changed
|
||||
if not module.check_mode:
|
||||
client.sudorule_add_deny_command(name=name, item=deny_cmd)
|
||||
|
||||
if deny_cmdgroup is not None:
|
||||
changed = category_changed(module, client, 'cmdcategory', ipa_sudorule) or changed
|
||||
if not module.check_mode:
|
||||
client.sudorule_add_deny_command_group(name=name, item=deny_cmdgroup)
|
||||
|
||||
if runasusercategory is not None:
|
||||
changed = category_changed(module, client, 'iparunasusercategory', ipa_sudorule) or changed
|
||||
|
||||
|
@ -433,6 +467,8 @@ def main():
|
|||
cmdgroup=dict(type='list', elements='str'),
|
||||
cmdcategory=dict(type='str', choices=['all']),
|
||||
cn=dict(type='str', required=True, aliases=['name']),
|
||||
deny_cmd=dict(type='list', elements='str'),
|
||||
deny_cmdgroup=dict(type='list', elements='str'),
|
||||
description=dict(type='str'),
|
||||
host=dict(type='list', elements='str'),
|
||||
hostcategory=dict(type='str', choices=['all']),
|
||||
|
@ -447,7 +483,9 @@ def main():
|
|||
runasextusers=dict(type='list', elements='str'))
|
||||
module = AnsibleModule(argument_spec=argument_spec,
|
||||
mutually_exclusive=[['cmdcategory', 'cmd'],
|
||||
['cmdcategory', 'deny_cmd'],
|
||||
['cmdcategory', 'cmdgroup'],
|
||||
['cmdcategory', 'deny_cmdgroup'],
|
||||
['hostcategory', 'host'],
|
||||
['hostcategory', 'hostgroup'],
|
||||
['usercategory', 'user'],
|
||||
|
|
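Review bot: The documented "empty list removes all commands" behaviour is not implemented by the new `deny_cmd` / `deny_cmdgroup` branches in `ensure` (hunk at +383), which only call `client.sudorule_add_deny_command(...)` and `client.sudorule_add_deny_command_group(...)`. The body of `ensure` continues outside the hunk, so removal or a comparison against the rule's current deny members may happen elsewhere, but none is visible here. `changed` in these branches comes only from `category_changed(module, client, 'cmdcategory', ipa_sudorule)`, so adding a deny entry does not appear to set `changed`, and check mode cannot predict it. Since deny entries are a restriction operators rely on, compare the requested list with the rule's existing deny members and check the result of the add call, so that an entry the server did not accept is reported as a failure instead of being skipped silently. Until removal exists, the option text would be more accurate as `- Entries are only added; denied commands already on the rule are not removed.`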