From f1e3db3aebb8bb2df71ae7d065b873ada17bec1c Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Tue, 14 Nov 2023 16:55:04 +0100
Subject: [PATCH] Use check for empty string

Signed-off-by: Radovan Sroka
---
 defaults/main.yml           | 10 +++++++---
 examples/minimal.yml        |  6 ++++++
 tasks/enable.yml            | 13 ++++++-------
 templates/fapolicyd.conf.j2 | 13 ++++---------
 4 files changed, 23 insertions(+), 19 deletions(-)
 create mode 100644 examples/minimal.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 500e852..b2f18c6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,17 +8,21 @@ fapolicyd_setup_enable_service: false
 
 # trust list for fapolicyd configuration file
 # default "rpmdb,file"
-fapolicyd_setup_trust: null
+fapolicyd_setup_trust: "{{ '' if ansible_facts.distribution_version is
+  version('8.2', '<=') else 'rpmdb,file' }}"
 
 # set integrity
 # default "none"
 # can be "none", "size", "sha256", "ima"
 # in case of ima, kernel's IMA has to be setup correctly
-fapolicyd_setup_integrity: null
+fapolicyd_setup_integrity: "{{ '' if ansible_facts.distribution_version is
+  version('8.3', '<=') else 'none' }}"
 
 # set permissive mode
 fapolicyd_setup_permissive: false
 
 # fapolicyd trust file managament
 # list of trusted files
-fapolicyd_add_trusted_file: []
+
+fapolicyd_add_trusted_file: "{{ '' if ansible_facts.distribution_version is
+  version('8.2', '<=') else [] }}"
diff --git a/examples/minimal.yml b/examples/minimal.yml
new file mode 100644
index 0000000..10c5760
--- /dev/null
+++ b/examples/minimal.yml
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Minimal fapolicyd role invocation
+  hosts: all
+  roles:
+    - linux-system-roles.fapolicyd
diff --git a/tasks/enable.yml b/tasks/enable.yml
index 24d2639..01dd9bc 100644
--- a/tasks/enable.yml
+++ b/tasks/enable.yml
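Review bot: The comments `# default "rpmdb,file"` and `# default "none"` above the rewritten defaults no longer describe what the variables hold, since each is now an empty string on releases where the option is unsupported (EL 8.2 and older for trust, 8.3 and older for integrity) and the documented value only on newer ones; a version-aware comment such as `# default "" on EL <= 8.2 (option unsupported there), "rpmdb,file" on newer releases` keeps the role's documented defaults accurate, and the blank line added between `# list of trusted files` and `fapolicyd_add_trusted_file` should go so that the comment stays attached to its key. The rewrite of `fapolicyd_add_trusted_file` itself looks unnecessary: `[]` and `''` are both empty for the `| length > 0` checks in tasks/enable.yml, so `fapolicyd_add_trusted_file: []` works on every release without the mixed string/list type and without the `else []` inside a quoted template, which only becomes a list again through Ansible's conversion of the rendered string. If the conditional form is kept, its `'8.2'` threshold also differs from the 8.3 boundary tasks/enable.yml applies to the trusted-file feature. All three defaults now require `ansible_facts.distribution_version` to be available when they are first evaluated, which I assume the role guarantees by gathering that fact before this file is consulted.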
@@ -6,7 +6,7 @@
       on EL version < 8.3
   ignore_errors: true
   when:
-    - fapolicyd_setup_trust is not none
+    - fapolicyd_setup_trust | length > 0
     - ansible_facts.distribution_version is version("8.2", "<=")
   register: __failed_check_trust
@@ -17,7 +17,7 @@
       on EL version < 8.4
   ignore_errors: true
   when:
-    - fapolicyd_setup_integrity is not none
+    - fapolicyd_setup_integrity | length > 0
     - ansible_facts.distribution_version is version("8.3", "<=")
   register: __failed_check_integrity
@@ -28,7 +28,7 @@
       on EL version < 8.4
   ignore_errors: true
   when:
-    - fapolicyd_add_trusted_file is not none
+    - fapolicyd_add_trusted_file | length > 0
     - ansible_facts.distribution_version is version("8.3", "<=")
   register: __failed_check_trusted_file
@@ -67,17 +67,16 @@
 
 - name: Trustdb cleanup
   command: fapolicyd-cli --file delete /
-  when: fapolicyd_add_trusted_file is not none
+  when: ansible_facts.distribution_version is version("8.3", ">=")
   changed_when: true
   failed_when: false
 
 - name: Add file to trustdb
-  command: fapolicyd-cli --file add "{{ item | quote }}"
+  command: fapolicyd-cli --file add {{ item | quote }}
   loop: "{{ (fapolicyd_add_trusted_file is string) |
     ternary([fapolicyd_add_trusted_file], fapolicyd_add_trusted_file) }}"
   when:
-    - fapolicyd_add_trusted_file is string or fapolicyd_add_trusted_file | length > 0
+    - fapolicyd_add_trusted_file | length > 0
     - ansible_facts.distribution_version is version("8.3", ">=")
   changed_when: true
 
diff --git a/templates/fapolicyd.conf.j2 b/templates/fapolicyd.conf.j2
index 368ac85..4d1d93a 100644
--- a/templates/fapolicyd.conf.j2
+++ b/templates/fapolicyd.conf.j2
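Review bot: `- fapolicyd_setup_trust | length > 0` raises a templating error instead of evaluating to false when the variable is `null`, which was the documented default of all three variables before this commit, so a play or inventory that still sets `fapolicyd_setup_trust: null` now fails this check task rather than skipping it. The replacement conditions in the hunks at -17 and -28 have the same problem, as do the `when:` and the `loop:` of "Add file to trustdb" in the hunk at -67 (I believe Ansible evaluates `loop` before the per-item `when`, so a null value is rejected there first) and the two `{% if … | length > 0 %}` tests in templates/fapolicyd.conf.j2. Tolerating the old value keeps the change backward-compatible: `- fapolicyd_setup_trust | default('', true) | length > 0`, with the same `default('', true)` applied in the other places. The tasks that own these conditions begin above their hunks.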
@@ -19,19 +19,14 @@ obj_cache_size = 8191
 watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660,btrfs
 {% endif %}
 
-{% if fapolicyd_setup_trust is not none
-    or ansible_facts.distribution_version is version("8.3", ">=") %}
-trust = {{ (fapolicyd_setup_trust is not none) | ternary(fapolicyd_setup_trust, "rpmdb,file") }}
+{% if fapolicyd_setup_trust | length > 0 %}
+trust = {{ fapolicyd_setup_trust }}
 {% endif %}
 
 {% if ansible_facts.distribution_version is version("8.3", ">=") %}
 syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
 {% endif %}
 
-{% if fapolicyd_setup_integrity is not none
-    or ansible_facts.distribution_version is version("8.4", ">=") %}
-integrity = {{ (fapolicyd_setup_integrity is not none) | ternary(fapolicyd_setup_integrity, "none") }}
+{% if fapolicyd_setup_integrity | length > 0 %}
+integrity = {{ fapolicyd_setup_integrity }}
 {% endif %}
-
-#rpm_sha256_only = 0
-#allow_filesystem_mark = 0
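Review bot: `trust = {{ fapolicyd_setup_trust }}` and `integrity = {{ fapolicyd_setup_integrity }}` write the variables into fapolicyd.conf verbatim, and nothing in this diff checks them against the values defaults/main.yml documents (`none`, `size`, `sha256`, `ima` for integrity), so a typo or an unexpected type only surfaces when the daemon refuses the generated file. An `assert` task run before the template is rendered, checking `fapolicyd_setup_integrity in ['', 'none', 'size', 'sha256', 'ima']` and `fapolicyd_setup_trust is string`, would fail the play with a clear message instead. Whether such a check already exists elsewhere in the role is not visible from this diff.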