Vh!9ddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl m Z ddlmZmZddlmZGd d eZ dd Zd Zdd ZdZdZedk(reyy))absolute_importdivisionprint_functiona module: ipa_user author: Thomas Krahn (@Nosmoht) short_description: Manage FreeIPA users description: - Add, modify and delete user within IPA server. attributes: check_mode: support: full diff_mode: support: none options: displayname: description: Display name. type: str update_password: description: - Set password for a user. type: str default: 'always' choices: [always, on_create] givenname: description: - First name. - If user does not exist and O(state=present), the usage of O(givenname) is required. type: str krbpasswordexpiration: description: - Date at which the user password will expire. - In the format YYYYMMddHHmmss. - For example V(20180121182022) will expire on 21 January 2018 at 18:20:22. type: str loginshell: description: Login shell. type: str mail: description: - List of mail addresses assigned to the user. - If an empty list is passed all assigned email addresses will be deleted. - If None is passed email addresses will not be checked or changed. type: list elements: str password: description: - Password for a user. - Will not be set for an existing user unless O(update_password=always), which is the default. type: str sn: description: - Surname. - If user does not exist and O(state=present), the usage of O(sn) is required. type: str sshpubkey: description: - List of public SSH key. - If an empty list is passed all assigned public keys will be deleted. - If None is passed SSH public keys will not be checked or changed. type: list elements: str state: description: State to ensure. default: "present" choices: ["absent", "disabled", "enabled", "present"] type: str telephonenumber: description: - List of telephone numbers assigned to the user. - If an empty list is passed all assigned telephone numbers will be deleted. - If None is passed telephone numbers will not be checked or changed. type: list elements: str title: description: Title. type: str uid: description: Uid of the user. required: true aliases: ["name"] type: str uidnumber: description: - Account Settings UID/Posix User ID number. type: str gidnumber: description: - Posix Group ID. type: str homedirectory: description: - Default home directory of the user. type: str version_added: '0.2.0' userauthtype: description: - The authentication type to use for the user. - To remove all authentication types from the user, use an empty list V([]). - The choice V(idp) and V(passkey) has been added in community.general 8.1.0. choices: ["password", "radius", "otp", "pkinit", "hardened", "idp", "passkey"] type: list elements: str version_added: '1.2.0' extends_documentation_fragment: - community.general.ipa.documentation - community.general.attributes requirements: - base64 - hashlib a - name: Ensure pinky is present and always reset password community.general.ipa_user: name: pinky state: present krbpasswordexpiration: 20200119235959 givenname: Pinky sn: Acme mail: - pinky@acme.com telephonenumber: - '+555123456' sshpubkey: - ssh-rsa .... - ssh-dsa .... uidnumber: '1001' gidnumber: '100' homedirectory: /home/pinky ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret - name: Ensure brain is absent community.general.ipa_user: name: brain state: absent ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret - name: Ensure pinky is present but don't reset password if already exists community.general.ipa_user: name: pinky state: present givenname: Pinky sn: Acme password: zounds ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret update_password: on_create - name: Ensure pinky is present and using one time password and RADIUS authentication community.general.ipa_user: name: pinky state: present userauthtype: - otp - radius ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret zS user: description: User as returned by IPA API. returned: always type: dict N) AnsibleModule) IPAClientipa_argument_spec) to_nativecBeZdZfdZdZdZdZdZdZdZ xZ S) UserIPAClientc2tt| ||||yN)superr __init__)selfmodulehostportprotocol __class__s n/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/general/plugins/modules/ipa_user.pyrzUserIPAClient.__init__s mT+FD$Ic0|jddd|dS)N user_findT)alluidmethodnameitem _post_jsonrrs rrzUserIPAClient.user_findsk4X\C]^^rc*|jd||S)Nuser_addrr rrrs rr$zUserIPAClient.user_addjt$GGrc*|jd||S)Nuser_modrr r%s rr(zUserIPAClient.user_modr&rc(|jd|S)Nuser_delrrr r"s rr*zUserIPAClient.user_delsjt<r?r@rArBrC userauthtypeusers r get_user_dictrIs D)]((=(C $%%['\ V )D ~T (^""1  W +^%[%[ -_".  Krcd}d|vrLd}d|vr|ddddjdk(rd}|dDcgc]}t||c}|d<|d}|d=|j|| }||d=||d<|Scc}w) a) Return the keys of each dict whereas values are different. Unfortunately the IPA API returns everything as a list even if only a single value is possible. Therefore some more complexity is needed. The method will check if the value type of module_user.attr is not a list and create a list with that element if the same attribute in ipa_user is list. In this way I hope that the method must not be changed if the returned API dict is changed. :param ipa_user: :param module_user: :return: Nr=md5 sshpubkeyfprzSHA256:sha256)ipa_data module_data)upperget_ssh_key_fingerprintget_diff)clientipa_user module_userrF hash_algopubkeyresults r get_user_diffrZsI$ H $-)@)CBQ)G)M)M)OS\)\ I_jky_z%{U[&=fi&P%{ M"/  ' __hK_ HF  &&/ N# M&|sA2c |jjdd}t|dk(ry|d}tj|dj d}|dk(r`t j|j}djdt|ddd|dddDj}nk|d k(rftjt j|jjdj!d }d j#| }t|d krd|dS|d}d|d|dS)a Return the public key fingerprint of a given public SSH key in format "[fp] [comment] (ssh-rsa)" where fp is of the format: FB:0C:AC:0A:07:94:5B:CE:75:6E:63:32:13:AD:AD:D7 for md5 or SHA256:[base64] for sha256 Comments are assumed to be all characters past the second whitespace character in the sshpubkey string. :param ssh_key: :param hash_algo: :return: NrasciirK:c3,K|] \}}||zywr rE).0abs r z*get_ssh_key_fingerprint..2sODAq!a%OsrN=z SHA256:{fp})fpz () )stripsplitlenbase64 b64decodeencodehashlibrK hexdigestjoinziprQ b64encoderNdigestdecoderstripformat)ssh_keyrWpartskey_typekeyfp_plainkey_fpcomments rrRrRs% MMO ! !$ *E 5zQQxH   58??73 4CE;;s#--/OC1 x1~,NOOUUW h ##GNN3$7$>$>$@AHHQXXY\]%%%2 5zA~"H--(%w99rc<|jd}|jd}|dk(}t|jjd|jjd|jjd|jd|jd|jd |jd ||jd |jd |jd |jjd|jjd|jjd|jjd}|jjd}|j|}d}|dvr~|s%d}|jsj|j ||}||fS|dk(r|j ddt|||} t| dkDr!d}|js|j||}||fS|rd}|js|j|||fS)Nstaterdisabledr5r7r8r9r:r<rFr>r?passwordrArBrCrG)r5r7r8r9r:r<rFr;r>r?r@rArBrCrGupdate_password)rF)presentenabledrT)rr on_creater@r) paramsrIgetr check_moder$poprZrlr(r*) rrTrrr;rVrrUchangeddiffs rensurer=s MM' "E == DZ'MFMM,=,=m,L6O0PX^XeXefmXn-3]]:-F*0--*;*;K*HTZTaTaTeTefqTr.4mm.?.?.P-3]]->->~-N PKmm''(9:OT*HG 22G$$!??;?G H +-5 ;?D4y1}((%D{KH H  G$$% H rc$t}|jtdtdtddddgdtddtdtdd tdtdd d g tdtdtdd tdd tdd gdtdd tdtdtddgdt|d }t ||j d|j d|j d}|j d?t |j ddk(r$|j dddk(rd|j d< |j|j d|j dt||\}}|j||y#t$r8}|jt|tj Yd}~yd}~wwxYw)!Nstr)typealwaysrF)rdefaultchoicesno_log)rrlist)relementsTr)rrequiredaliasesr)rabsentrr)rrr)rradiusotppkinithardenedidppasskey)rrr)r5r8rr7r9r:r<rrArBrrFrr>r?rCrG) argument_specsupports_check_modeipa_hostipa_portipa_prot)rrrrrFr]rrUipa_pass)usernamer)rrH)msg exception)rupdatedictrr rrlloginr exit_json Exception fail_jsonr traceback format_exc)rrrTrrHes rmainrhs%'MTu%5#'U#3)-5(7?6M5:*<04u/M$(e$4"? e,!utfXN#'U#3#'U#3"&E$"?#'Ve#D# ,X Z)-6E)J#/'+'7&*3x'z'{,/35F& & j 9 & j 9$*MM*$=?F}}[!- v}}[) *a /FMM+4Nq4QUW4W)-FMM+ &M fmmJ7$mmJ7  9vv. t4 MYq\Y5I5I5KLLMs>AG H.H  H__main__)NNNNNFNNNNNNNNN)rN) __future__rrrr __metaclass__ DOCUMENTATIONEXAMPLESRETURNrmrpransible.module_utils.basicr>ansible_collections.community.general.plugins.module_utils.iparr+ansible.module_utils.common.text.convertersr r rIrZrRrrr0rErrrsA@ l \4 l 4gA@I@.\`[__c##LB:B(V-M` zFr