-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pamd: fixes for multiple issues #47695
pamd: fixes for multiple issues #47695
Conversation
…ion in update_rule()
…regex to capture complex args
… on complex bracketed arguments
Hi @shepdelacreme, thank you for submitting this pull-request! |
cc @defionscode |
shipit |
@jamescassell if you have a moment to take a peek, maybe kick the tires and add a "shipit" comment, we can get this in quicker, same goes for @mskymoore |
cc @kevensen |
I'll take a good look a soon as I can... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a few comments. Would be good to see some integration tests. Perhaps wholesale lift/shift the pamd tasks from the various STIG roles into an integration test.
Also, would be easier to review if you use '--fixup' commits, then autosquash those to make each commit a logical change as shown on github.
lib/ansible/modules/system/pamd.py
Outdated
if isinstance(new_args, str): | ||
new_args = new_args.replace(" = ", "=") | ||
new_args = new_args.split(' ') | ||
if(current_rule.rule_args is not new_args): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is not
vs !=
? I may not be polished enough on my python...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is
tests identity =
tests equality. These if statements would always test true because current_rule.rule_args
and new_args
are two different objects. Using !=
tests for equality of what is contained in each variable not if the two vars are pointing to the same spot in memory.
lib/ansible/modules/system/pamd.py
Outdated
no_eq_new_args.add(new_arg) | ||
else: | ||
pair = new_arg.split("=") | ||
new_args_d[pair[0]] = pair[1] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this handle the case where there may be multiple instances of =
within an arg?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code was changed in a later commit.
lib/ansible/modules/system/pamd.py
Outdated
# Return empty list if we have no args to parse | ||
if not module_arguments: | ||
return [] | ||
elif not module_arguments[0]: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does this check for?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When parse_module_arguments
is used from within the PamdRule
class to parse out the arguments in an existing rule in a pamd file it can potentially send nothing if there are no matches.
This checks for the cases where the passed in args are None
, and empty list []
and the second one checks for a list with a single empty item. i.e ['']
and then returns early.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like it checks that the first element is empty, but not that there is a single element...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The first part of the if handles module_arguments is:
- an empty string
- an empty list
- None
The second part of the if handles module_arguments is:
- a list with a single empty item ['']
I can add a check like isinstance(module_arguments, list) and len(module_arguments) == 1 and not module_arguments[0]
if that is preferable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, and that would narrow it down to one if
statement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah that's probably more defensive given UserError
, it could be possible, though probably not that likely that there would be some array [None,'foo', 'bar']
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it narrows it down to a single if
since module_arguments
can be an empty string or None
and if it is we still want to return []
which the first if
covers. My change for this would look like
if not module_arguments:
return []
elif isinstance(module_arguments, list) and len(module_arguments) == 1 and not module_arguments[0]:
return []
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack. Looks like a good change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean, you could do an or
but that might break pep8 on line length, I dont care either way, the major thing for me was just being defensive about index 0 potentially being a None
value AND not the only index.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah my preference is for shorter/simpler if tests. I'll update this. I wonder if I can make a suggested change to myself and apply it hehe.
Co-Authored-By: shepdelacreme <shepdelacreme@users.noreply.github.com>
@jamescassell Thanks for the thorough review. And yes I agree integration tests here are 💯 needed. The unit tests for it are good but they didn't catch the issues the module had and I believe integration tests would have. |
Sweet, I'll open a new issue about adding an integration test. |
* pamd: fixes for multiple issues (#47695) * Providing fix for #47083 in pamd.py * Providing fix for #47197 * Fixing pep8 errors * update regex to account for leading dash and VALID_TYPES with dashes as well * use a results dictionary and clean up unnecessary items * remove unnessecary return value. action is already reported in invocation output * make naming consistent across action returns * fix comparison so it checks equality instead of identity and indentation in update_rule() * make sure file always has EOF newline * updated regex to skip spacing between path and args and add rule arg regex to capture complex args * new module argument parsing code in function and DRY changes * remove unused has_rule method on PamdService class * fix error in parse_module_arguments() * updated args_present action to make it handle key value args and fail on complex bracketed arguments * pep8 and other fixes so units still work * suggested change - make version removed 2.8 Co-Authored-By: shepdelacreme <shepdelacreme@users.noreply.github.com> * add more error proof test to if statement (cherry picked from commit ef690e9) * add changelog fragment for backport * add action return value back for backport
* Providing fix for ansible#47083 in pamd.py * Providing fix for ansible#47197 * Fixing pep8 errors * update regex to account for leading dash and VALID_TYPES with dashes as well * use a results dictionary and clean up unnecessary items * remove unnessecary return value. action is already reported in invocation output * make naming consistent across action returns * fix comparison so it checks equality instead of identity and indentation in update_rule() * make sure file always has EOF newline * updated regex to skip spacing between path and args and add rule arg regex to capture complex args * new module argument parsing code in function and DRY changes * remove unused has_rule method on PamdService class * fix error in parse_module_arguments() * updated args_present action to make it handle key value args and fail on complex bracketed arguments * pep8 and other fixes so units still work * suggested change - make version removed 2.8 Co-Authored-By: shepdelacreme <shepdelacreme@users.noreply.github.com> * add more error proof test to if statement
SUMMARY
Provides fixes for a multitude of issues in the pamd module. This PR supersedes #47420 and includes changes from #47178
For #47418:
['account', '-account', 'auth', '-auth', 'password', '-password', 'session', '-session']
For #47083
See changes from @mskymoore to fix update_rule() idempotence issue
For #47197
See changes from #47178 for add_module_arguments() idempotence and duplicate argument issue. Also cleaned up and simplified the logic and forced
args_present
action to fail if a complex argument (a complex argument is defined in the spec as argument within square brackets) is passed in that we can't handle with this function (users is notified to useupdated
action instead.Fixes #47418
Fixes #47083
Fixes #47197
ISSUE TYPE
COMPONENT NAME
pamd
ANSIBLE VERSION
Also tested with
2.7.0
anddevel
ADDITIONAL INFORMATION
See #47418
See #47083
See #47197
See #47178