ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

IPA modules does not seem to catch "failed" error messages #1239

Open riton opened 3 years ago

riton commented 3 years ago
SUMMARY

I'm trying to add a new usergroup member to an ipa_sudorule using GSSAPI auth. This is working fine.

The problem occurred when I tried to add a usergroup usergroup_that_does_NOT_exist to my sudo rule. This is expected to fail, since usergroup usergroup_that_does_NOT_exist does not exist on the FreeIPA server.

Problem is that the current version of community.general.ipa_sudorule does not catch this error, since the FreeIPA HTTP response code is 200, despite the error.

FreeIPA API response contains a failed element that contains details of the error.

Example of such a (truncated) response:

{
  "result": {
    "failed": {
      "memberuser": {
        "group": [
          [
            "usergroup_that_does_NOT_exist",
            "no matching entry found"
          ]
        ],
        "user": []
      }
    },
    "completed": 0,
    "messages": [
      {...}
    ]
  }
}

Note: The problem is the same if the user has insufficient privileges. The error goes unnoticed.

ISSUE TYPE
COMPONENT NAME

community.general.ipa_sudorule, but I think that the problem resides in IPAClient._post_json error detection logic.

ANSIBLE VERSION
ansible 2.10.3
  config file = /home/user/.ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/python-virtualenv/lib/python3.8/site-packages/ansible
  executable location = /home/user/python-virtualenv/bin/ansible
  python version = 3.8.5 (default, Jul 28 2020, 12:59:40) [GCC 9.3.0]
CONFIGURATION
HOST_KEY_CHECKING(/home/user/.ansible.cfg) = False
OS / ENVIRONMENT
{
  "os": {
    "architecture": "amd64",
    "distro": {
      "codename": "focal",
      "description": "Ubuntu 20.04.1 LTS",
      "id": "Ubuntu",
      "release": {
        "full": "20.04",
        "major": "20.04"
      }
    },
    "family": "Debian",
    "hardware": "x86_64",
    "name": "Ubuntu",
    "release": {
      "full": "20.04",
      "major": "20.04"
    },
    "selinux": {
      "enabled": false
    }
  }
}

FreeIPA Server

-------------------------------------------
IPA server version 4.6.4. API version 2.230
-------------------------------------------
STEPS TO REPRODUCE
---
- hosts: localhost
  become: false
  gather_facts: false

  tasks:
  - community.general.ipa_sudorule:
      name: 'dummy_sudorule'
      state: 'present'
      description: 'Dummy sudo rule for bug report'
      hostgroup: 'dummy-hostgroup'
      cmdcategory: 'all'
      runasgroupcategory: 'all'
      runasusercategory: 'all'
      sudoopt:
        - 'NOPASSWD'
      user: []
      usergroup: ['usergroup_that_does_NOT_exist']
      ipa_host: 'freeipa_server.example.org'
EXPECTED RESULTS

Task execution should fail.

ACTUAL RESULTS

No error is detected if:

I guess that this bug is present in other modules since it may involve the error detection logic of the FreeIPA API.

ansibullbot commented 3 years ago

Files identified in the description: None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

riton commented 3 years ago

My current tests show that a very naive:

if 'result' in resp:
    result = resp.get('result')
    if 'failed' in result:
        self._fail("part of the request has failed", str(result.get('failed')))

in module_utils/ipa.py is enough to catch such errors. I don't really know if this is enough, since I'm still trying to find good documentation of the FreeIPA API that documents the failed attribute in the different API versions. This document seems like a good start and references the failed field.
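The detection described in the report and in the naive check above, carried through end to end as an added example. This is not code from community.general or FreeIPA: the response dictionaries are constructed from the truncated response quoted in the report (the NotFound error object and its code are constructed too), and the function names are this example's own. It walks `result.failed` as attribute → member type → `[name, reason]` pairs, so a `failed` key whose lists are all empty does not count as an error, and it also surfaces the top-level JSON-RPC `error` object, which is the one case the existing client already handles.

```python
"""Detect partial failures in a FreeIPA JSON-RPC response returned with HTTP 200.

Added example for this issue; not code from community.general or FreeIPA.
All response dictionaries below are constructed, modelled on the truncated
response quoted in the report, not captured from a real server.
"""
import json


class IPAResponseError(Exception):
    """Raised when a FreeIPA response reports an error despite HTTP 200."""


# Constructed: a member-add response where the usergroup does not exist.
FAILED_RESPONSE = json.loads("""
{
  "result": {
    "result": {"cn": ["dummy_sudorule"]},
    "failed": {
      "memberuser": {
        "group": [["usergroup_that_does_NOT_exist", "no matching entry found"]],
        "user": []
      }
    },
    "completed": 0
  },
  "error": null,
  "id": 0
}
""")

# Constructed: same shape, but every failure list is empty, i.e. nothing failed.
CLEAN_RESPONSE = json.loads("""
{
  "result": {
    "result": {"cn": ["dummy_sudorule"]},
    "failed": {"memberuser": {"group": [], "user": []}},
    "completed": 1
  },
  "error": null,
  "id": 0
}
""")

# Constructed: a JSON-RPC level error object (name/code/message are illustrative).
RPC_ERROR_RESPONSE = {
    "result": None,
    "error": {"code": 4001, "name": "NotFound",
              "message": "dummy_sudorule: sudo rule not found"},
    "id": 0,
}


def collect_failures(response):
    """Walk result.failed and return (attribute, member_type, name, reason) tuples.

    Layout: failed -> attribute (e.g. "memberuser") -> member type (e.g. "group")
    -> list of [name, reason] pairs. Empty lists mean nothing failed, so the mere
    presence of the "failed" key is not treated as an error.
    """
    failures = []
    result = response.get("result")
    if not isinstance(result, dict):
        return failures
    failed = result.get("failed") or {}
    for attribute, by_type in sorted(failed.items()):
        if not isinstance(by_type, dict):
            continue
        for member_type, entries in sorted(by_type.items()):
            for entry in entries or []:
                name = entry[0] if len(entry) > 0 else ""
                reason = entry[1] if len(entry) > 1 else "unknown reason"
                failures.append((attribute, member_type, str(name), str(reason)))
    return failures


def format_failures(failures):
    """Render failures as one human-readable entry per tuple, joined by '; '."""
    return "; ".join("%s/%s %r: %s" % f for f in failures)


def check_response(response):
    """Raise IPAResponseError for RPC-level errors and for partial failures.

    Returns the inner result on success so callers can keep working with it.
    """
    error = response.get("error")
    if error:
        raise IPAResponseError("%s (code %s): %s" % (
            error.get("name"), error.get("code"), error.get("message")))
    failures = collect_failures(response)
    if failures:
        raise IPAResponseError("part of the request has failed: " + format_failures(failures))
    return response.get("result")


if __name__ == "__main__":
    for label, resp in (("failed", FAILED_RESPONSE), ("clean", CLEAN_RESPONSE),
                        ("rpc error", RPC_ERROR_RESPONSE)):
        try:
            check_response(resp)
            print(label, "-> ok")
        except IPAResponseError as exc:
            print(label, "->", exc)
```

In a module this would sit where the naive check above sits, right after the HTTP body is decoded: the RPC `error` branch covers the failures the client already reports, and the `failed` walk covers the HTTP 200 case this issue is about, including the insufficient-privileges variant noted in the report, which FreeIPA also reports per member rather than as an RPC error.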