ipaprivilege: Allow execution of plugin in client host.

Update privilege README file and add tests for executing plugin with
`ipaapi_context` set to `client`.

A new test playbook can be found at:

    tests/privilege/test_privilege_client_context.yml

The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.

README-privilege.md

@@ -133,6 +133,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `name` \| `cn` | The list of privilege name strings. | yes
 `description` | Privilege description. | no
 `rename` \| `new_name` | Rename the privilege object. | no

tests/privilege/test_privilege.yml

 ---
 - name: Test privilege
-  hosts: ipaserver
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
   become: true
 
   tasks:
@@ -10,6 +10,7 @@
   - name: Ensure privilege "Broad Privilege" is absent
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name:
       - Broad Privilege
       - DNS Privilege
@@ -22,6 +23,7 @@
   - name: Ensure privilege Broad Privilege is present
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       description: Broad Privilege
     register: result
@@ -30,6 +32,7 @@
   - name: Ensure privilege Broad Privilege is present again
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       description: Broad Privilege
     register: result
@@ -38,6 +41,7 @@
   - name: Change privilege Broad Privilege description
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       description: Broad Privilege description
     register: result
@@ -46,6 +50,7 @@
   - name: Ensure privilege Broad Privilege has permissions
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       permission:
       - "Write IPA Configuration"
@@ -58,6 +63,7 @@
   - name: Ensure privilege Broad Privilege has permissions, again
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       permission:
       - "Write IPA Configuration"
@@ -70,6 +76,7 @@
   - name: Ensure privilege Broad Privilege member permission "Write IPA Configuration" is absent
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       permission:
       - "Write IPA Configuration"
@@ -81,6 +88,7 @@
   - name: Ensure privilege Broad Privilege member permission "Write IPA Configuration" is absent again
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       permission:
       - "Write IPA Configuration"
@@ -92,6 +100,7 @@
   - name: Ensure privilege Broad Privilege is absent
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       state: absent
     register: result
@@ -100,6 +109,7 @@
   - name: Ensure privilege Broad Privilege is present
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
     register: result
     failed_when: not result.changed or result.failed
@@ -107,6 +117,7 @@
   - name: Ensure privilege Broad Privilege is renamed to "DNS Privilege"
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       rename: DNS Privilege
       state: renamed
@@ -116,6 +127,7 @@
   - name: Ensure privilege Broad Privilege cannot be renamed, because it does not exist.
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       rename: DNS Privilege
       state: renamed
@@ -125,6 +137,7 @@
   - name: Ensure privilege cannot be renamed to the same name.
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: DNS Privilege
       rename: DNS Privilege
       state: renamed
@@ -134,6 +147,7 @@
   - name: Ensure privilege cannot be renamed to the same name.
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: DNS Privilege
       rename: DNS Privilege
       state: renamed
@@ -143,12 +157,14 @@
   - name: Ensure "Broad Privilege" is absent.
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       state: absent
 
   - name: Ensure privilege Broad Privilege is created with permission. (issue 529)
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       permission:
       - "Write IPA Configuration"
@@ -158,6 +174,7 @@
   - name: Ensure privilege Broad Privilege is created with permission, again. (issue 529)
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: Broad Privilege
       permission:
       - "Write IPA Configuration"
@@ -169,6 +186,7 @@
   - name: Ensure privilege testing privileges are absent
     ipaprivilege:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name:
       - Broad Privilege
       - DNS Privilege

tests/privilege/test_privilege_client_context.yml

+---
+- name: Test privilege
+  hosts: ipaclients, ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Include FreeIPA facts.
+    include_tasks: ../env_freeipa_facts.yml
+
+  # Test will only be executed if host is not a server.
+  - name: Execute with server context in the client.
+    ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server
+      name: ThisShouldNotWork
+    register: result
+    failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
+    when: ipa_host_is_client
+
+# Import basic module tests, and execute with ipa_context set to 'client'.
+# If ipaclients is set, it will be executed using the client, if not,
+# ipaserver will be used.
+#
+# With this setup, tests can be executed against an IPA client, against
+# an IPA server using "client" context, and ensure that tests are executed
+# in upstream CI.
+
+- name: Test privilege using client context, in client host.
+  import_playbook: test_privilege.yml
+  when: groups['ipaclients']
+  vars:
+    ipa_test_host: ipaclients
+
+- name: Test privilege using client context, in server host.
+  import_playbook: test_privilege.yml
+  when: groups['ipaclients'] is not defined or not groups['ipaclients']
+