pamd: fixes for multiple issues #47695
Conversation
…ion in update_rule()
…regex to capture complex args
… on complex bracketed arguments
|
Hi @shepdelacreme, thank you for submitting this pull-request! |
ansibot
added
affects_2.8
|
cc @defionscode |
|
shipit |
|
@jamescassell if you have a moment to take a peek, maybe kick the tires and add a "shipit" comment, we can get this in quicker, same goes for @mskymoore |
|
cc @kevensen |
|
I'll take a good look a soon as I can... |
There was a problem hiding this comment.
Added a few comments. Would be good to see some integration tests. Perhaps wholesale lift/shift the pamd tasks from the various STIG roles into an integration test.
Also, would be easier to review if you use '--fixup' commits, then autosquash those to make each commit a logical change as shown on github.
lib/ansible/modules/system/pamd.py
Outdated
| if isinstance(new_args, str): | ||
| new_args = new_args.replace(" = ", "=") | ||
| new_args = new_args.split(' ') | ||
| if(current_rule.rule_args is not new_args): |
There was a problem hiding this comment.
is not vs !=? I may not be polished enough on my python...
There was a problem hiding this comment.
is tests identity = tests equality. These if statements would always test true because current_rule.rule_args and new_args are two different objects. Using != tests for equality of what is contained in each variable not if the two vars are pointing to the same spot in memory.
lib/ansible/modules/system/pamd.py
Outdated
| no_eq_new_args.add(new_arg) | ||
| else: | ||
| pair = new_arg.split("=") | ||
| new_args_d[pair[0]] = pair[1] |
There was a problem hiding this comment.
Does this handle the case where there may be multiple instances of = within an arg?
There was a problem hiding this comment.
This code was changed in a later commit.
lib/ansible/modules/system/pamd.py
Outdated
| # Return empty list if we have no args to parse | ||
| if not module_arguments: | ||
| return [] | ||
| elif not module_arguments[0]: |
There was a problem hiding this comment.
What does this check for?
There was a problem hiding this comment.
When parse_module_arguments is used from within the PamdRule class to parse out the arguments in an existing rule in a pamd file it can potentially send nothing if there are no matches.
This checks for the cases where the passed in args are None, and empty list [] and the second one checks for a list with a single empty item. i.e [''] and then returns early.
There was a problem hiding this comment.
looks like it checks that the first element is empty, but not that there is a single element...
There was a problem hiding this comment.
The first part of the if handles module_arguments is:
- an empty string
- an empty list
- None
The second part of the if handles module_arguments is:
- a list with a single empty item ['']
I can add a check like isinstance(module_arguments, list) and len(module_arguments) == 1 and not module_arguments[0] if that is preferable.
There was a problem hiding this comment.
Yes, and that would narrow it down to one ifstatement.
There was a problem hiding this comment.
Yeah that's probably more defensive given UserError, it could be possible, though probably not that likely that there would be some array [None,'foo', 'bar']
There was a problem hiding this comment.
I don't think it narrows it down to a single if since module_arguments can be an empty string or None and if it is we still want to return [] which the first if covers. My change for this would look like
if not module_arguments:
return []
elif isinstance(module_arguments, list) and len(module_arguments) == 1 and not module_arguments[0]:
return []There was a problem hiding this comment.
Ack. Looks like a good change.
There was a problem hiding this comment.
I mean, you could do an or but that might break pep8 on line length, I dont care either way, the major thing for me was just being defensive about index 0 potentially being a None value AND not the only index.
There was a problem hiding this comment.
Yeah my preference is for shorter/simpler if tests. I'll update this. I wonder if I can make a suggested change to myself and apply it hehe.
Co-Authored-By: shepdelacreme <shepdelacreme@users.noreply.github.com>
|
@jamescassell Thanks for the thorough review. And yes I agree integration tests here are 💯 needed. The unit tests for it are good but they didn't catch the issues the module had and I believe integration tests would have. |
|
Sweet, I'll open a new issue about adding an integration test. |
jborean93
removed
the
needs_triage
* pamd: fixes for multiple issues (#47695) * Providing fix for #47083 in pamd.py * Providing fix for #47197 * Fixing pep8 errors * update regex to account for leading dash and VALID_TYPES with dashes as well * use a results dictionary and clean up unnecessary items * remove unnessecary return value. action is already reported in invocation output * make naming consistent across action returns * fix comparison so it checks equality instead of identity and indentation in update_rule() * make sure file always has EOF newline * updated regex to skip spacing between path and args and add rule arg regex to capture complex args * new module argument parsing code in function and DRY changes * remove unused has_rule method on PamdService class * fix error in parse_module_arguments() * updated args_present action to make it handle key value args and fail on complex bracketed arguments * pep8 and other fixes so units still work * suggested change - make version removed 2.8 Co-Authored-By: shepdelacreme <shepdelacreme@users.noreply.github.com> * add more error proof test to if statement (cherry picked from commit ef690e9) * add changelog fragment for backport * add action return value back for backport
* Providing fix for ansible#47083 in pamd.py * Providing fix for ansible#47197 * Fixing pep8 errors * update regex to account for leading dash and VALID_TYPES with dashes as well * use a results dictionary and clean up unnecessary items * remove unnessecary return value. action is already reported in invocation output * make naming consistent across action returns * fix comparison so it checks equality instead of identity and indentation in update_rule() * make sure file always has EOF newline * updated regex to skip spacing between path and args and add rule arg regex to capture complex args * new module argument parsing code in function and DRY changes * remove unused has_rule method on PamdService class * fix error in parse_module_arguments() * updated args_present action to make it handle key value args and fail on complex bracketed arguments * pep8 and other fixes so units still work * suggested change - make version removed 2.8 Co-Authored-By: shepdelacreme <shepdelacreme@users.noreply.github.com> * add more error proof test to if statement
SUMMARY
Provides fixes for a multitude of issues in the pamd module. This PR supersedes #47420 and includes changes from #47178
For #47418:
['account', '-account', 'auth', '-auth', 'password', '-password', 'session', '-session']For #47083
See changes from @mskymoore to fix update_rule() idempotence issue
For #47197
See changes from #47178 for add_module_arguments() idempotence and duplicate argument issue. Also cleaned up and simplified the logic and forced
args_presentaction to fail if a complex argument (a complex argument is defined in the spec as argument within square brackets) is passed in that we can't handle with this function (users is notified to useupdatedaction instead.Fixes #47418
Fixes #47083
Fixes #47197
ISSUE TYPE
COMPONENT NAME
pamd
ANSIBLE VERSION
Also tested with
2.7.0anddevelADDITIONAL INFORMATION
See #47418
See #47083
See #47197
See #47178