Merge pull request #14726 from Arden97/sssd_fails

Add default domain to SSSD related remediations and fix Fedora test failures

Author: Mab879

linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh

@@ -1,36 +1,16 @@
 # sssd.service needs /etc/sssd/sssd.conf to start
-if [ ! -f /etc/sssd/sssd.conf ]; then
-	cat << EOF > /etc/sssd/sssd.conf
-[sssd]
-config_file_version = 2
-services = nss, pam
-domains = example.com
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
 
-[domain/example.com]
-{{%- if ('rhel' in product or 'ol' in families) and product not in ['ol8', 'ol9', 'rhel8', 'rhel9']%}}
-id_provider = proxy
-proxy_lib_name = files
-local_auth_policy = only
-{{%- else %}}
-id_provider = files
-access_provider = simple
-simple_allow_users = user1, user2
+{{%- if ('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']%}}
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "pam_cert_auth", "True") }}}
 {{%- endif %}}
 
-[nss]
-filter_groups = root
-filter_users = root
-
-[pam]
-{{%- if ('rhel' in product or 'ol' in families) and product not in ['ol8', 'ol9', 'rhel8', 'rhel9']%}}
-pam_cert_auth = True
+{{%- if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}}
+{{{ bash_package_install("sssd-proxy") }}}
+authselect select sssd with-smartcard
+chmod 0640 $SSSD_CONF
+{{%- else %}}
+chmod 0600 $SSSD_CONF
 {{%- endif %}}
-EOF
-	{{%- if ('rhel' in product or 'ol' in families) and product not in ['ol8', 'ol9', 'rhel8', 'rhel9']%}}
-	dnf install sssd-proxy -y
-	authselect select sssd with-smartcard
-	chmod 0640 /etc/sssd/sssd.conf
-	{{%- else %}}
-	chmod 0600 /etc/sssd/sssd.conf
-	{{%- endif %}}
-fi

linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml

@@ -5,25 +5,31 @@
 # disruption = medium
 {{{ ansible_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}
 
-- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}}
+
+{{{ ansible_install_sssd_proxy(rule_title) }}}
+
+- name: Ensure that "certificate_verification" is not set in {{{ sssd_conf }}}
   community.general.ini_file:
-      path: /etc/sssd/sssd.conf
+      path: {{{ sssd_conf }}}
       section: sssd
       option: certificate_verification
       state: absent
       mode: 0600
 
-- name: 'Ensure that "certificate_verification" is not set in  /etc/sssd/conf.d/*.conf'
+- name: 'Ensure that "certificate_verification" is not set in {{{ sssd_conf_dir }}}/*.conf'
   community.general.ini_file:
-      path: /etc/sssd/conf.d/*.conf
+      path: {{{ sssd_conf_dir }}}/*.conf
       section: sssd
       option: certificate_verification
       state: absent
       mode: 0600
 
 - name: Ensure that "certificate_verification" is set
   community.general.ini_file:
-      path: /etc/sssd/conf.d/certificate_verification.conf
+      path: {{{ sssd_conf_dir }}}/certificate_verification.conf
       section: sssd
       option: certificate_verification
       value: "ocsp_dgst={{ var_sssd_certificate_verification_digest_function }}"

linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh

@@ -11,8 +11,13 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
-MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+{{{ bash_install_sssd_proxy() }}}
 
-{{{ bash_ensure_ini_config("$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "certificate_verification", "ocsp_dgst=$var_sssd_certificate_verification_digest_function") }}}
+MAIN_CONF="$SSSD_CONF_DIR/certificate_verification.conf"
+
+{{{ bash_ensure_ini_config("$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf", "sssd", "certificate_verification", "ocsp_dgst=$var_sssd_certificate_verification_digest_function") }}}
 
 umask $OLD_UMASK

linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml

@@ -4,14 +4,20 @@
 # complexity = low
 # disruption = medium
 
-- name: {{{ rule_title }}} - Find all the conf files inside the /etc/sssd/conf.d/ directory
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}}
+
+{{{ ansible_install_sssd_proxy(rule_title) }}}
+
+- name: {{{ rule_title }}} - Find all the conf files inside the {{{ sssd_conf_dir }}} directory
   ansible.builtin.find:
     paths:
-    - "/etc/sssd/conf.d/"
+    - "{{{ sssd_conf_dir }}}"
     patterns: "*.conf"
   register: sssd_conf_d_files
 
-- name: {{{ rule_title }}} - Modify lines in files in the /etc/sssd/conf.d/ directory
+- name: {{{ rule_title }}} - Modify lines in files in the {{{ sssd_conf_dir }}} directory
   ansible.builtin.replace:
     path: "{{ item }}"
     regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
@@ -20,32 +26,32 @@
   register: modify_lines_sssd_conf_d_files
   when: sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1
 
-- name: {{{ rule_title }}} - Find /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Find {{{ sssd_conf }}}
   ansible.builtin.stat:
-    path: /etc/sssd/sssd.conf
+    path: {{{ sssd_conf }}}
   register: sssd_conf_file
 
-- name: {{{ rule_title }}} - Modify lines in /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Modify lines in {{{ sssd_conf }}}
   ansible.builtin.replace:
-    path: "/etc/sssd/sssd.conf"
+    path: "{{{ sssd_conf }}}"
     regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
     replace: '\1,pam'
   register: modify_lines_sssd_conf_file
   when: sssd_conf_file.stat.exists
 
-- name: {{{ rule_title }}} - Find services key in /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Find services key in {{{ sssd_conf }}}
   ansible.builtin.replace:
-    path: "/etc/sssd/sssd.conf"
+    path: "{{{ sssd_conf }}}"
     regexp: '^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+'
     replace: ''
   changed_when: false
   check_mode: true
   register: sssd_conf_file_services
   when: sssd_conf_file.stat.exists
 
-- name: {{{ rule_title }}} - Insert entry to /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Insert entry to {{{ sssd_conf }}}
   community.general.ini_file:
-    path: /etc/sssd/sssd.conf
+    path: {{{ sssd_conf }}}
     section: sssd
     option: services
     value: pam

linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh

@@ -1,23 +1,19 @@
 # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux,multi_platform_ubuntu
 
 
-
 # sssd configuration files must be created with 600 permissions if they don't exist
 # otherwise the sssd module fails to start
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
 SSSD_CONF="/etc/sssd/sssd.conf"
-SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
-
-if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
-    mkdir -p /etc/sssd
-    touch "$SSSD_CONF"
-fi
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+{{{ bash_install_sssd_proxy() }}}
 
 # Flag to check if there is already services with pam
 service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
+for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
 	if [ ! -e "$f" ]; then
 		continue
 	fi
@@ -39,13 +35,7 @@ done
 
 # If there was no service in [sssd], add it to first config
 if [ "$service_already_exist" = false ]; then
-    for f in $SSSD_CONF $SSSD_CONF_DIR; do
-        cat << EOF >> "$f"
-[sssd]
-services = pam
-EOF
-        break
-    done
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "sssd", "services", "pam") }}}
 fi
 
 umask $OLD_UMASK

linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml

@@ -3,44 +3,28 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
-- name: "Test for domain group"
-  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-  register: test_grep_domain
-  failed_when: false
-  changed_when: False
-  check_mode: no
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}}
 
-- name: "Add default domain group (if no domain there)"
-  community.general.ini_file:
-    path: /etc/sssd/sssd.conf
-    section: "{{ item.section }}"
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    create: yes
-    mode: 0600
-  with_items:
-    - { section: sssd, option: domains, value: default}
-    - { section: domain/default, option: id_provider, value: files }
-  when:
-    - test_grep_domain.stdout is defined
-    - test_grep_domain.stdout | length < 1
+{{{ ansible_install_sssd_proxy(rule_title) }}}
 
 - name: "Enable Smartcards in SSSD"
   community.general.ini_file:
-    dest: /etc/sssd/sssd.conf
+    path: {{{ sssd_conf }}}
     section: pam
     option: pam_cert_auth
     value: 'True'
     create: yes
     mode: 0600
 
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside {{{ sssd_conf_dir }}}
   ansible.builtin.find:
-    paths: "/etc/sssd/conf.d/"
+    paths: "{{{ sssd_conf_dir }}}"
     patterns: "*.conf"
   register: sssd_conf_d_files
 
-- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/
+- name: Fix pam_cert_auth configuration in {{{ sssd_conf_dir }}}
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '[^#]*pam_cert_auth.*'

linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh

@@ -9,7 +9,12 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "pam", "pam_cert_auth", "True") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+{{{ bash_install_sssd_proxy() }}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "pam_cert_auth", "True") }}}
 
 umask $OLD_UMASK
 

linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh

@@ -2,6 +2,10 @@
 # packages = sssd
 # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
 
-SSSD_FILE="/etc/sssd/sssd.conf"
-echo "[pam]" > $SSSD_FILE
-echo "pam_cert_auth = False" >> $SSSD_FILE
+{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
+authselect select sssd --force
+{{% endif %}}
+
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "pam_cert_auth", "False") }}}

linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh

@@ -2,5 +2,9 @@
 # packages = sssd
 # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
 
+{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
+authselect select sssd --force
+{{% endif %}}
+
 SSSD_FILE="/etc/sssd/sssd.conf"
 echo "[pam]" > $SSSD_FILE

linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh

@@ -2,5 +2,9 @@
 # packages = sssd
 # platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
 
+{{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
+authselect select sssd --force
+{{% endif %}}
+
 SSSD_FILE="/etc/sssd/sssd.conf"
 rm -f $SSSD_FILE