fix(kerberos): checking keytab is now working

The return code of grep was not checked so nothing was check. Use a module to check if keytab is working and reuse the same code used by "krb_keytab". The new check use the new "try_kinit" which supports checking multiple principals inside one keytab.
TOSIT-IO · Jul 6, 2024 · 59f44a8 · 59f44a8
1 parent c0550e9
commit 59f44a8
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 7 deletions.
diff --git a/plugins/modules/krb_check_keytab.py b/plugins/modules/krb_check_keytab.py
@@ -0,0 +1,49 @@
+#!/usr/bin/python
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+# -*- coding: utf-8 -*-
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_native
+from ansible_collections.tosit.tdp.plugins.module_utils.kerberos import try_kinit
+
+def main():
+    argument_spec = dict(
+        kinit_bin=dict(type='path', default='kinit'),
+        kdestroy_bin=dict(type='path', default='kdestroy'),
+        principal=dict(type='list', elements='str', required=True),
+        path=dict(type='path', required=True),
+    )
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        add_file_common_args=True,
+        supports_check_mode=True,
+    )
+
+    kinit_bin = module.params['kinit_bin']
+    kdestroy_bin = module.params['kdestroy_bin']
+    principals = module.params['principal']
+    keytab_path = module.params['path']
+
+    try:
+        results = {
+            'changed': False,
+        }
+
+        if not try_kinit(module, kinit_bin, kdestroy_bin, principals, keytab_path):
+            raise RuntimeError("Keytab '{}' with principal '{}' is not working".format(keytab_path, principals))
+
+        module.exit_json(**results)
+
+    except Exception:
+        import traceback
+        module.fail_json(msg=to_native(traceback.format_exc()))
+
+if __name__ == '__main__':
+    main()
diff --git a/roles/utils/kerberos/tasks/check_secure_keytab.yml b/roles/utils/kerberos/tasks/check_secure_keytab.yml
@@ -2,14 +2,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 ---
-- name: Check kinit for {{ principal }}
-  ansible.builtin.shell: |
-    kinit -kt {{ keytabs_dir }}/{{ keytab }} {{ principal }}@{{ realm }} -c /tmp/check_keytab_cache
-    klist /tmp/check_keytab_cache | grep "Default principal: {{ principal }}@{{ realm }}"
-    rm -f /tmp/check_keytab_cache
-  changed_when: false
+- name: Check kinit with keytab {{ keytabs_dir }}/{{ keytab }}
+  tosit.tdp.krb_check_keytab:
+    principal: "{{ principal }}"
+    path: "{{ keytabs_dir }}/{{ keytab }}"
 
-- name: Set keytab permissions and ownership for {{ principal }}
+- name: Set keytab permissions and ownership for {{ keytabs_dir }}/{{ keytab }}
   ansible.builtin.file:
     path: "{{ keytabs_dir }}/{{ keytab }}"
     owner: "{{ user | default(omit) }}"