From 1bda288e96238f91bd84fa2a9ad85bcd2cae10bb Mon Sep 17 00:00:00 2001
From: Carmen Rata
Date: Fri, 28 Apr 2023 14:47:17 +0000
Subject: [PATCH] Add "sys_protected" argument to LDAP playbook

This commit adds "sys_protected" optional argument to LDAP playbook "manage_local_ldap_account.yml". The new argument automates adding an ldap user to the "sys_protected" group at creation time. Supported values for the "sys_protected" argument are "yes" and "no", "no" being the default value.

Test Plan:
PASS: Debian image gets successfully installed in AIO-SX system.
PASS: Configure "secure-inventory" configuration for a standalone system.
PASS: Successful ldap user creation with membership in "sys_protected" group, using argument "sys_protected=yes".
PASS: Execute LDAP playbook to create a user with no membership in "sys_protected" group, using argument "sys_protected=no"
PASS: Execute LDAP playbook to create a user with no membership in "sys_protected" group without setting argument "sys_protected" to verify the default value.
PASS: Configure "secure-inventory" configuration for a DC system.
PASS: Test "sys_protected" argument usage for LDAP playbook in a DC system by creating an ldap user in a "sys_protected" group, both on the system controller and on a subcloud.

Story: 2010589
Task: 47908

Signed-off-by: Carmen Rata
Change-Id: I4d487e70b4b1ace3c5b08a7ae10595b4accc2b51
---
 .../manage-local-ldap-account/inventory-EXAMPLE | 15 +++++++++++----
 .../src/playbooks/manage_local_ldap_account.yml | 4 ++++
 .../common/add-hosts/tasks/main.yml | 1 +
 .../create-account/tasks/main.yml | 6 +++++-
 .../create-keystone-account/tasks/main.yml | 5 +++++
 5 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/examples/manage-local-ldap-account/inventory-EXAMPLE b/examples/manage-local-ldap-account/inventory-EXAMPLE
index e7c496142..69ff50e04 100644
--- a/examples/manage-local-ldap-account/inventory-EXAMPLE
+++ b/examples/manage-local-ldap-account/inventory-EXAMPLE
@@ -15,14 +15,14 @@
 # file. Then run the ansible-playbook command with --ask-vault-pass parameter:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo' \
+# --extra-vars='user_id=JohnDoe' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
 # If you wish to use different values for password_change_period and
 # password_warning_period parameters follow the sample below:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo password_change_period=120 \
+# --extra-vars='user_id=JohnDoe password_change_period=120 \
 # password_warning_period=1' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
@@ -30,7 +30,14 @@
 # variable to yes:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo sudo_permission=yes' \
+# --extra-vars='user_id=JohnDoe sudo_permission=yes' \
+# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
+#
+# If you wish to add users to sys_protected group, set sys_protected
+# variable to yes:
+#
+# ansible-playbook --inventory inventory-secure --ask-vault-pass \
+# --extra-vars='user_id=JohnDoe sys_protected=yes' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
 # If you wish to delete an existing user account (e.g. na-admin):
@@ -45,4 +52,4 @@
 ansible_password=
 ansible_become_pass=
 [systemcontroller]
-systemcontroller-0 ansible_host=127.0.0.1
\ No newline at end of file
+systemcontroller-0 ansible_host=127.0.0.1
diff --git a/playbookconfig/src/playbooks/manage_local_ldap_account.yml b/playbookconfig/src/playbooks/manage_local_ldap_account.yml
index 24ca27dc0..49ea7c737 100644
--- a/playbookconfig/src/playbooks/manage_local_ldap_account.yml
+++ b/playbookconfig/src/playbooks/manage_local_ldap_account.yml
@@ -114,6 +114,10 @@
 set_fact:
 in_sudo_permission: "{{ true if sudo_permission is defined and sudo_permission | bool else false }}"
+ - name: Set sys_protected flag fact upfront
+ set_fact:
+ in_sys_protected: "{{ true if sys_protected is defined and sys_protected | bool else false }}"
+
 - hosts: systemcontroller
 gather_facts: no
diff --git a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/common/add-hosts/tasks/main.yml b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/common/add-hosts/tasks/main.yml
index fbb818011..44e10683e 100644
--- a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/common/add-hosts/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/common/add-hosts/tasks/main.yml
@@ -14,6 +14,7 @@
 ansible_ssh_common_args: '-o ProxyCommand="sshpass -p {{ ansible_password }} ssh -W [%h]:%p -q {{ ansible_user }}@{{ ansible_host }}"'
 in_sudo_permission: "{{ in_sudo_permission }}"
+ in_sys_protected: "{{ in_sys_protected }}"
 in_mode: "{{ in_mode }}"
 in_user_password: "{{ in_user_password if in_mode == 'create' else '' }}"
 in_user_role: "{{ in_user_role if in_mode == 'create' else '' }}"
diff --git a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml
index 904c28150..68611cc27 100644
--- a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml
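Review bot: The new `in_sys_protected` fact folds whatever value `sys_protected` carries through `| bool`, and on Ansible releases that do not reject unrecognized strings a typo such as `sys_protected=ye` quietly evaluates to false; that fails closed (no group membership), but the operator gets no signal that the argument was ignored. Since the commit message documents only "yes" and "no" as supported values, an explicit check ahead of the set_fact would surface the mistake: `- name: Validate sys_protected argument` / `assert:` / `that: sys_protected is not defined or (sys_protected | string | lower) in ['yes', 'no', 'true', 'false']`. The same loose pattern is used for `sudo_permission`, so one assert could reasonably cover both; the enclosing play starts outside the hunk.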
@@ -18,9 +18,13 @@
 set_fact:
 sudo_param: "{{ '--sudo' if in_sudo_permission else '' }}"
+ - name: Set sys_protected_param if external variable sys_protected is true
+ set_fact:
+ sys_protected_param: "{{ '--secondgroup sys_protected' if in_sys_protected else '' }}"
+
 - name: Create LDAP user {{ in_user_id }}
 shell: >-
- ldapusersetup -u {{ in_user_id }} {{ sudo_param }} --secondgroup sys_protected --passmax
+ ldapusersetup -u {{ in_user_id }} {{ sudo_param }} {{ sys_protected_param }} --passmax
 {{ password_change_period }} --passwarning {{ password_warning_period }}
 become: yes
diff --git a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-keystone-account/tasks/main.yml b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-keystone-account/tasks/main.yml
index 5858acdd0..8731ab92f 100644
--- a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-keystone-account/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-keystone-account/tasks/main.yml
@@ -69,6 +69,11 @@
 become: yes
 when: in_sudo_permission
+- name: Add LDAP user to 'sys_protected' group
+ command: usermod -a -G sys_protected {{ in_user_id }}
+ become: yes
+ when: in_sys_protected
+
 - name: Retrieve LDAP user groups
 command: groups {{ in_user_id }}
 register: user_groups
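Review bot: On the rewritten `ldapusersetup` line, `in_user_id` is still expanded unquoted inside a `shell:` command, so an id containing whitespace or shell metacharacters would be re-parsed by the shell; the value arrives via `--extra-vars`, so the exposure is the operator's own input, but `ldapusersetup -u {{ in_user_id | quote }} {{ sudo_param }} {{ sys_protected_param }} --passmax` is the idiomatic guard. `sys_protected_param` itself must stay unquoted because it deliberately expands to the two words `--secondgroup sys_protected`. A one-line comment above the new `sys_protected_param` set_fact, e.g. `# sys_protected membership is opt-in; empty means the account is created without it`, would tell future readers that the former unconditional membership is intentional history; the task list continues outside the hunk.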
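Review bot: The added `usermod -a -G sys_protected {{ in_user_id }}` task reports changed on every run, because `command:` has no view of current membership, and a user id containing whitespace would be split into extra arguments by the command module. Ansible's `user` module with `append: true` expresses the same intent idempotently and hands the name over as a single argument; it wraps the same usermod, so it should behave identically for the LDAP-backed account exercised in the test plan, but that is worth confirming on the target before switching. If the raw command is kept, a membership check ahead of the task (the `groups {{ in_user_id }}` output that the following task already registers as `user_groups` could be captured first) would at least keep change reporting honest.
```yaml
- name: Add LDAP user to 'sys_protected' group
  user:
    name: "{{ in_user_id }}"
    groups: sys_protected
    append: true
  # … unchanged: become / when …
```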