From 5ad50465474383a898690928778366a9919c1d22 Mon Sep 17 00:00:00 2001 From: CircuitCipher <3893074+CircuitCipher@users.noreply.github.com> Date: Fri, 6 Sep 2024 20:01:26 -0400 Subject: [PATCH] zabbix_authentication - fix inability to update passwd_check_rules (#1388) --- ...bbix-authentication-passwd-check-rules.yml | 3 ++ plugins/modules/zabbix_authentication.py | 12 ++--- .../targets/setup_zabbix/tasks/main.yml | 4 +- .../test_zabbix_authentication/tasks/main.yml | 1 + ...authentication_test_passwd_check_rules.yml | 52 +++++++++++++++++++ 5 files changed, 64 insertions(+), 8 deletions(-) create mode 100644 changelogs/fragments/fix-zabbix-authentication-passwd-check-rules.yml create mode 100644 tests/integration/targets/test_zabbix_authentication/tasks/zabbix_authentication_test_passwd_check_rules.yml diff --git a/changelogs/fragments/fix-zabbix-authentication-passwd-check-rules.yml b/changelogs/fragments/fix-zabbix-authentication-passwd-check-rules.yml new file mode 100644 index 000000000..73996dfc1 --- /dev/null +++ b/changelogs/fragments/fix-zabbix-authentication-passwd-check-rules.yml @@ -0,0 +1,3 @@ +bugfixes: + - zabbix_authentication - fix inability to update passwd_check_rules + - zabbix_authentication - fix inability to set passwd_check_rules to empty list diff --git a/plugins/modules/zabbix_authentication.py b/plugins/modules/zabbix_authentication.py index f8eaf8e19..cf8661688 100644 --- a/plugins/modules/zabbix_authentication.py +++ b/plugins/modules/zabbix_authentication.py @@ -615,7 +615,7 @@ def update_authentication( else: params["passwd_min_length"] = str(passwd_min_length) - if passwd_check_rules: + if passwd_check_rules is not None: passwd_check_rules_values = [ "contain_uppercase_and_lowercase_letters", "contain_digits", @@ -644,11 +644,11 @@ def update_authentication( msg="%s is invalid value for passwd_check_rules." % _passwd_check_rules_value ) - params[ - "passwd_check_rules" - ] += 2 ** zabbix_utils.helper_to_numeric_value( - passwd_check_rules_values, _passwd_check_rules_value - ) + params[ + "passwd_check_rules" + ] += 2 ** zabbix_utils.helper_to_numeric_value( + passwd_check_rules_values, _passwd_check_rules_value + ) params["passwd_check_rules"] = str(params["passwd_check_rules"]) diff --git a/tests/integration/targets/setup_zabbix/tasks/main.yml b/tests/integration/targets/setup_zabbix/tasks/main.yml index fd7f6a700..60937fc0b 100644 --- a/tests/integration/targets/setup_zabbix/tasks/main.yml +++ b/tests/integration/targets/setup_zabbix/tasks/main.yml @@ -50,8 +50,8 @@ status_code: 200 retries: 60 delay: 5 - until: check_login_result is defined and 'json' in check_login_result and 'result' in check_login_result.json - register: check_login_result + until: check_login_under64_result is defined and 'json' in check_login_under64_result and 'result' in check_login_under64_result.json + register: check_login_under64_result when: zabbix_version is version('6.4', '<') - name: check login to zabbix for Zabbix >= 6.4 diff --git a/tests/integration/targets/test_zabbix_authentication/tasks/main.yml b/tests/integration/targets/test_zabbix_authentication/tasks/main.yml index 37b1d2c9a..9f9ae4de8 100644 --- a/tests/integration/targets/test_zabbix_authentication/tasks/main.yml +++ b/tests/integration/targets/test_zabbix_authentication/tasks/main.yml @@ -1,6 +1,7 @@ --- - block: - include_tasks: zabbix_authentication_tests.yml + - include_tasks: zabbix_authentication_test_passwd_check_rules.yml always: - name: Cleanup diff --git a/tests/integration/targets/test_zabbix_authentication/tasks/zabbix_authentication_test_passwd_check_rules.yml b/tests/integration/targets/test_zabbix_authentication/tasks/zabbix_authentication_test_passwd_check_rules.yml new file mode 100644 index 000000000..0b1a36960 --- /dev/null +++ b/tests/integration/targets/test_zabbix_authentication/tasks/zabbix_authentication_test_passwd_check_rules.yml @@ -0,0 +1,52 @@ +--- +- name: Start with a known state with one rule enabled + community.zabbix.zabbix_authentication: + passwd_check_rules: "avoid_easy_to_guess" + +- name: Set the login result based on current zabbix version + set_fact: + login_result: "{{ check_login_under64_result if zabbix_version is version('6.4', '<') else check_login_result }}" + +- name: Get the authentication rules + ansible.builtin.uri: + url: "{{ zabbix_api_server_url }}/api_jsonrpc.php" + method: POST + body: + jsonrpc: "2.0" + method: "authentication.get" + params: {} + id: "1" + auth: "{{ login_result.json.result }}" + body_format: json + status_code: 200 + register: get_auth_result + +# Internally the value of 8 represents an "avoid_easy_to_guess" rule +- name: Assert that the passwd_check_rules is 8 (avoid_easy_to_guess) + ansible.builtin.assert: + that: + - get_auth_result.json.result.passwd_check_rules == "8" + +- name: Disable all password check rules + community.zabbix.zabbix_authentication: + passwd_check_rules: [] + +- name: Get the authentication rules + ansible.builtin.uri: + url: "{{ zabbix_api_server_url }}/api_jsonrpc.php" + method: POST + body: + jsonrpc: "2.0" + method: "authentication.get" + params: {} + id: "1" + auth: "{{ login_result.json.result }}" + body_format: json + status_code: 200 + register: get_auth_result + +# Internally the value of 0 represents an empty password check rule set +- name: Assert that the passwd_check_rules is empty + ansible.builtin.assert: + that: + - get_auth_result.json.result.passwd_check_rules == "0"