From 5e734e847eb1cbd72e9e8cb592fbe49eef30eef0 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 7 Apr 2020 18:29:51 -0300
Subject: [PATCH] Fixes removal of `all` from HBAC rule categories.

This patch allows the removal of option `all` from user, host, and
service categories, by allowing an empty string as a valid choice
for each option.
---
 README-hbacrule.md                          |   6 +-
 plugins/modules/ipahbacrule.py              |  12 +-
 tests/hbacrule/test_hbacrule_categories.yml | 117 ++++++++++++++++++++
 3 files changed, 126 insertions(+), 9 deletions(-)
 create mode 100644 tests/hbacrule/test_hbacrule_categories.yml

diff --git a/README-hbacrule.md b/README-hbacrule.md
index d14692f9..a1b69877 100644
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -138,9 +138,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of hbacrule name strings. | yes
 `description` | The hbacrule description string. | no
-`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
-`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
-`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
+`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
+`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
+`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this hbacrule. | no
 `hostgroup` | List of host group name strings assigned to this hbacrule. | no
diff --git a/plugins/modules/ipahbacrule.py b/plugins/modules/ipahbacrule.py
index fd0ce238..a0187fa0 100644
--- a/plugins/modules/ipahbacrule.py
+++ b/plugins/modules/ipahbacrule.py
@@ -49,17 +49,17 @@ options:
     description: User category the rule applies to
     required: false
     aliases: ["usercat"]
-    choices: ["all"]
+    choices: ["all", ""]
   hostcategory:
     description: Host category the rule applies to
     required: false
     aliases: ["hostcat"]
-    choices: ["all"]
+    choices: ["all", ""]
   servicecategory:
     description: Service category the rule applies to
     required: false
     aliases: ["servicecat"]
-    choices: ["all"]
+    choices: ["all", ""]
   nomembers:
     description: Suppress processing of membership attributes
     required: false
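Review bot: The three option descriptions in this hunk still say only which category the rule applies to, so a reader of the module documentation cannot tell what the new `""` choice does. Extend each one, for example `description: User category the rule applies to. Use "" to remove the category.`, and do the same for `hostcategory` and `servicecategory`. It is also worth one sentence that removing `all` narrows the rule to its explicitly listed members, because that changes who the rule grants access to. The `options:` block starts and ends outside this hunk.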
@@ -208,11 +208,11 @@ def main():
             # present
             description=dict(type="str", default=None),
             usercategory=dict(type="str", default=None,
-                              aliases=["usercat"], choices=["all"]),
+                              aliases=["usercat"], choices=["all", ""]),
             hostcategory=dict(type="str", default=None,
-                              aliases=["hostcat"], choices=["all"]),
+                              aliases=["hostcat"], choices=["all", ""]),
             servicecategory=dict(type="str", default=None,
-                                 aliases=["servicecat"], choices=["all"]),
+                                 aliases=["servicecat"], choices=["all", ""]),
             nomembers=dict(required=False, type='bool', default=None),
             host=dict(required=False, type='list', default=None),
             hostgroup=dict(required=False, type='list', default=None),
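Review bot: With `""` accepted by `choices` on `usercategory`, `hostcategory` and `servicecategory`, any later check in `main()` that tests these parameters by truthiness will treat an explicit `""` the same as an omitted option. That code is outside this hunk, so this is a point to confirm rather than a confirmed defect: the invalid-parameter checks for `state: absent` and the comparison against the existing rule should test `is not None`. Otherwise a playbook could pass an access-control option that is silently ignored. A short comment above the three entries would record the contract, e.g. `# "" clears the category; None means the option was not given`.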
diff --git a/tests/hbacrule/test_hbacrule_categories.yml b/tests/hbacrule/test_hbacrule_categories.yml
new file mode 100644
index 00000000..5f1934bc
--- /dev/null
+++ b/tests/hbacrule/test_hbacrule_categories.yml
@@ -0,0 +1,117 @@
+---
+- name: Test HBAC rule user category
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+
+  - name: Ensure HBAC rules are absent
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name:
+      - testrule
+      state: absent
+
+  - name: Ensure HBAC rule is present, with usercategory 'all'
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      usercategory: all
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC rule is present, with usercategory 'all', again.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      usercategory: all
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC rule is present, with no usercategory.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      usercategory: ""
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC rule is present, with no usercategory, again.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      usercategory: ""
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC rule is present, with hostcategory 'all'
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      hostcategory: all
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC rule is present, with hostcategory 'all', again.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      hostcategory: all
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC rule is present, with no hostcategory.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      hostcategory: ""
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC rule is present, with no hostcategory, again.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      hostcategory: ""
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC rule is present, with servicecategory 'all'
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      servicecategory: all
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC rule is present, with servicecategory 'all', again.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      servicecategory: all
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC rule is present, with no servicecategory.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      servicecategory: ""
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure HBAC rule is present, with no servicecategory, again.
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule
+      servicecategory: ""
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure HBAC rules are absent
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name:
+      - testrule
+      state: absent
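Review bot: Every `""` task in this play runs against a rule whose category was just set to `all`, so creating a rule with an empty category is never exercised. That path is different: there is no existing value to clear, and the module has to decide whether to send an empty category on creation and still report a stable result on the second run. Adding a pair of tasks directly after the initial cleanup would cover it; the expected `changed` values below follow the pattern of the other tasks and should be confirmed against the module. The same pair could be repeated for `hostcategory` and `servicecategory`.

```yaml
  # … unchanged: initial "Ensure HBAC rules are absent" task …

  - name: Ensure HBAC rule is created with no usercategory.
    ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: testrule
      usercategory: ""
    register: result
    failed_when: not result.changed

  - name: Ensure HBAC rule is created with no usercategory, again.
    ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: testrule
      usercategory: ""
    register: result
    failed_when: result.changed

  # … unchanged: existing usercategory / hostcategory / servicecategory tasks …
```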
-- 
GitLab