fix nxos_snmp_user issues (#39760)

* fix nxos_snmp_user issues

* shipppable fix

lib/ansible/modules/network/nxos/nxos_snmp_user.py

@@ -42,7 +42,15 @@ options:
     group:
         description:
             - Group to which the user will belong to.
-        required: true
+              If state = present, and the user is existing,
+              the group is added to the user. If the user
+              is not existing, user entry is created with this
+              group argument.
+              If state = absent, only the group is removed from the
+              user entry. However, to maintain backward compatibility,
+              if the existing user belongs to only one group, and if
+              group argument is same as the existing user's group,
+              then the user entry also is deleted.
     authentication:
         description:
             - Authentication parameters for the user.
@@ -50,9 +58,11 @@ options:
     pwd:
         description:
             - Authentication password when using md5 or sha.
+              This is not idempotent
     privacy:
         description:
             - Privacy password for the user.
+              This is not idempotent
     encrypt:
         description:
             - Enables AES-128 bit encryption when using privacy password.
@@ -148,8 +158,18 @@ def get_snmp_user(user, module):
             privkey = 'priv'
             grpkey = 'group'
 
-        resource_table = body[0][tablekey][rowkey]
+        rt = body[0][tablekey][rowkey]
-        resource['user'] = str(resource_table['user'])
+        # on some older platforms, all groups except the 1st one
+        # are in list elements by themselves and they are
+        # indexed by 'user'. This is due to a platform bug.
+        # Get first element if rt is a list due to the bug
+        # or if there is no bug, parse rt directly
+        if isinstance(rt, list):
+            resource_table = rt[0]
+        else:
+            resource_table = rt
+
+        resource['user'] = user
         resource['authentication'] = str(resource_table[authkey]).strip()
         encrypt = str(resource_table[privkey]).strip()
         if encrypt.startswith('aes'):
@@ -166,6 +186,15 @@ def get_snmp_user(user, module):
         except TypeError:
             groups.append(str(group_table[grpkey]).strip())
 
+        # Now for the platform bug case, get the groups
+        if isinstance(rt, list):
+            # remove 1st element from the list as this is parsed already
+            rt.pop(0)
+            # iterate through other elements indexed by
+            # 'user' and add it to groups.
+            for each in rt:
+                groups.append(each['user'].strip())
+
         resource['group'] = groups
 
     except (KeyError, AttributeError, IndexError, TypeError):
@@ -174,22 +203,23 @@ def get_snmp_user(user, module):
     return resource
 
 
-def remove_snmp_user(user):
+def remove_snmp_user(user, group=None):
-    return ['no snmp-server user {0}'.format(user)]
+    if group:
+        return ['no snmp-server user {0} {1}'.format(user, group)]
+    else:
+        return ['no snmp-server user {0}'.format(user)]
 
 
-def config_snmp_user(proposed, user, reset, new):
+def config_snmp_user(proposed, user, reset):
-    if reset and not new:
+    if reset:
         commands = remove_snmp_user(user)
     else:
         commands = []
 
-    group = proposed.get('group', None)
+    if proposed.get('group'):
-
-    cmd = ''
-
-    if group:
         cmd = 'snmp-server user {0} {group}'.format(user, **proposed)
+    else:
+        cmd = 'snmp-server user {0}'.format(user)
 
     auth = proposed.get('authentication', None)
     pwd = proposed.get('pwd', None)
@@ -214,7 +244,7 @@ def config_snmp_user(proposed, user, reset, new):
 def main():
     argument_spec = dict(
         user=dict(required=True, type='str'),
-        group=dict(type='str', required=True),
+        group=dict(type='str'),
         pwd=dict(type='str'),
         privacy=dict(type='str'),
         authentication=dict(choices=['md5', 'sha']),
@@ -251,19 +281,28 @@ def main():
 
     existing = get_snmp_user(user, module)
 
-    if existing:
+    if state == 'present' and existing:
-        if group not in existing['group']:
+        if group:
-            existing['group'] = None
+            if group not in existing['group']:
+                existing['group'] = None
+            else:
+                existing['group'] = group
         else:
-            existing['group'] = group
+            existing['group'] = None
 
     commands = []
 
     if state == 'absent' and existing:
-        commands.append(remove_snmp_user(user))
+        if group:
+            if group in existing['group']:
+                if len(existing['group']) == 1:
+                    commands.append(remove_snmp_user(user))
+                else:
+                    commands.append(remove_snmp_user(user, group))
+        else:
+            commands.append(remove_snmp_user(user))
 
     elif state == 'present':
-        new = False
         reset = False
 
         args = dict(user=user, pwd=pwd, group=group, privacy=privacy,
@@ -273,7 +312,7 @@ def main():
         if not existing:
             if encrypt:
                 proposed['encrypt'] = 'aes-128'
-            commands.append(config_snmp_user(proposed, user, reset, new))
+            commands.append(config_snmp_user(proposed, user, reset))
 
         elif existing:
             if encrypt and not existing['encrypt'].startswith('aes'):
@@ -285,14 +324,12 @@ def main():
             if delta.get('pwd'):
                 delta['authentication'] = authentication
 
-            if delta:
-                delta['group'] = group
-
             if delta and encrypt:
                 delta['encrypt'] = 'aes-128'
 
-            command = config_snmp_user(delta, user, reset, new)
+            if delta:
-            commands.append(command)
+                command = config_snmp_user(delta, user, reset)
+                commands.append(command)
 
     cmds = flatten_list(commands)
     if cmds:

test/integration/targets/nxos_snmp_user/tests/common/sanity.yaml

@@ -3,41 +3,88 @@
 - debug: msg="Using provider={{ connection.transport }}"
   when: ansible_connection == "local"
 
-- name: Create snmp user
+- name: Remove snmp user
-  nxos_snmp_user: &create
-    user: ntc
-    group: network-operator
-    authentication: md5
-    pwd: N$tOpe%1
-    privacy: HelloU$er1
-    encrypt: true
-    provider: "{{ connection }}"
-  register: result
-
-- assert: &true
-    that:
-      - "result.changed == true"
-
-- name: delete snmp user
   nxos_snmp_user: &remove
     user: ntc
-    group: network-operator
-    authentication: md5
-    pwd: Testing1%
-    privacy: HelloU$er1
-    encrypt: true
     state: absent
     provider: "{{ connection }}"
-  register: result
 
-- assert: *true
+- pause:
+    seconds: 5
+
+- block:
+  - name: Create snmp user
+    nxos_snmp_user: &create
+      user: ntc
+      group: network-operator
+      authentication: md5
+      pwd: N$tOpe%1
+      privacy: HelloU$er1
+      encrypt: true
+      provider: "{{ connection }}"
+    register: result
+
+  - assert: &true
+      that:
+        - "result.changed == true"
+
+  - name: Add another group to user
+    nxos_snmp_user: &chg
+      user: ntc
+      group: network-admin
+      provider: "{{ connection }}"
+    register: result
+
+  - assert: *true
+
+  - name: "Check Idempotence"
+    nxos_snmp_user: *chg
+    register: result
+
+  - assert: &false
+      that:
+        - "result.changed == false"
+
+  - name: Remove group from user
+    nxos_snmp_user: &remg
+      user: ntc
+      group: network-admin
+      state: absent
+      provider: "{{ connection }}"
+    register: result
+
+  - assert: *true
+
+  - pause:
+      seconds: 5
+
+  - name: "Check Idempotence"
+    nxos_snmp_user: *remg
+    register: result
+
+  - assert: *false
+
+  - name: delete snmp user
+    nxos_snmp_user: &remove1
+      user: ntc
+      group: network-operator
+      state: absent
+      provider: "{{ connection }}"
+    register: result
+
+  - assert: *true
+
+  - pause:
+      seconds: 5
+
+  - name: "Remove Idempotence"
+    nxos_snmp_user: *remove1
+    register: result
 
-- name: "Remove Idempotence"
+  - assert: *false
-  nxos_snmp_user: *remove
-  register: result
 
-- assert: &false
+  always:
-    that:
+    - name: delete snmp user
-      - "result.changed == false"
+      nxos_snmp_user: *remove
 
 - debug: msg="END connection={{ ansible_connection }} nxos_snmp_user sanity test"