summaryrefslogtreecommitdiffstats
path: root/ansible_collections/community/general/plugins/modules/syspatch.py
blob: c90ef0d227fddbaec11517713b7af6a84d6d9326 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
#!/usr/bin/python
# -*- coding: utf-8 -*-

# Copyright (c) 2019-2020, Andrew Klaus <andrewklaus@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

DOCUMENTATION = r'''
---
module: syspatch

short_description: Manage OpenBSD system patches


description:
    - "Manage OpenBSD system patches using syspatch."

extends_documentation_fragment:
    - community.general.attributes

attributes:
    check_mode:
        support: full
    diff_mode:
        support: none

options:
    revert:
        description:
            - Revert system patches.
        type: str
        choices: [ all, one ]

author:
    - Andrew Klaus (@precurse)
'''

EXAMPLES = '''
- name: Apply all available system patches
  community.general.syspatch:

- name: Revert last patch
  community.general.syspatch:
    revert: one

- name: Revert all patches
  community.general.syspatch:
    revert: all

# NOTE: You can reboot automatically if a patch requires it:
- name: Apply all patches and store result
  community.general.syspatch:
  register: syspatch

- name: Reboot if patch requires it
  ansible.builtin.reboot:
  when: syspatch.reboot_needed
'''

RETURN = r'''
rc:
  description: The command return code (0 means success)
  returned: always
  type: int
stdout:
  description: syspatch standard output.
  returned: always
  type: str
  sample: "001_rip6cksum"
stderr:
  description: syspatch standard error.
  returned: always
  type: str
  sample: "syspatch: need root privileges"
reboot_needed:
  description: Whether or not a reboot is required after an update.
  returned: always
  type: bool
  sample: true
'''

from ansible.module_utils.basic import AnsibleModule


def run_module():
    # define available arguments/parameters a user can pass to the module
    module_args = dict(
        revert=dict(type='str', choices=['all', 'one'])
    )

    module = AnsibleModule(
        argument_spec=module_args,
        supports_check_mode=True,
    )

    result = syspatch_run(module)

    module.exit_json(**result)


def syspatch_run(module):
    cmd = module.get_bin_path('syspatch', True)
    changed = False
    reboot_needed = False
    warnings = []

    # Set safe defaults for run_flag and check_flag
    run_flag = ['-c']
    check_flag = ['-c']
    if module.params['revert']:
        check_flag = ['-l']

        if module.params['revert'] == 'all':
            run_flag = ['-R']
        else:
            run_flag = ['-r']
    else:
        check_flag = ['-c']
        run_flag = []

    # Run check command
    rc, out, err = module.run_command([cmd] + check_flag)

    if rc != 0:
        module.fail_json(msg="Command %s failed rc=%d, out=%s, err=%s" % (cmd, rc, out, err))

    if len(out) > 0:
        # Changes pending
        change_pending = True
    else:
        # No changes pending
        change_pending = False

    if module.check_mode:
        changed = change_pending
    elif change_pending:
        rc, out, err = module.run_command([cmd] + run_flag)

        # Workaround syspatch ln bug:
        # http://openbsd-archive.7691.n7.nabble.com/Warning-applying-latest-syspatch-td354250.html
        if rc != 0 and err != 'ln: /usr/X11R6/bin/X: No such file or directory\n':
            module.fail_json(msg="Command %s failed rc=%d, out=%s, err=%s" % (cmd, rc, out, err))
        elif out.lower().find('create unique kernel') >= 0:
            # Kernel update applied
            reboot_needed = True
        elif out.lower().find('syspatch updated itself') >= 0:
            warnings.append('Syspatch was updated. Please run syspatch again.')

        # If no stdout, then warn user
        if len(out) == 0:
            warnings.append('syspatch had suggested changes, but stdout was empty.')

        changed = True
    else:
        changed = False

    return dict(
        changed=changed,
        reboot_needed=reboot_needed,
        rc=rc,
        stderr=err,
        stdout=out,
        warnings=warnings
    )


def main():
    run_module()


if __name__ == '__main__':
    main()