ipapermission: add version check for bind type 'self'

FreeIPA 4.8.7 has introduced bind type 'self' as a valid value, and
this PR adds checks so the module fails early if the value is used
with an unsupported version.

Tests and documentation have been updated to reflect the changes.

README-permission.md

@@ -141,7 +141,7 @@ Variable | Description | Required
 `name` \| `cn` | The permission name string. | yes
 `right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all` default: `all` | no
 `attrs` | All attributes to which the permission applies | no
-`bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions.| no
+`bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up.| no
 `subtree` \| `ipapermlocation` | Subtree to apply permissions to | no
 `filter` \| `extratargetfilter` | Extra target filter | no
 `rawfilter` \| `ipapermtargetfilter` | All target filters | no

plugins/modules/ipapermission.py

@@ -152,7 +152,8 @@ RETURN = """
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_freeipa_module import \
     temp_kinit, temp_kdestroy, valid_creds, api_connect, api_command, \
-    compare_args_ipa, module_params_get, gen_add_del_lists
+    compare_args_ipa, module_params_get, gen_add_del_lists, \
+    api_check_ipa_version
 import six
 
 if six.PY3:
@@ -336,6 +337,10 @@ def main():
                 msg="Argument '%s' can not be used with action "
                 "'%s' and state '%s'" % (x, action, state))
 
+    if bindtype == "self" and api_check_ipa_version("<", "4.8.7"):
+        ansible_module.fail_json(
+            msg="Bindtype 'self' is not supported by your IPA version.")
+
     # Init
 
     changed = False

tests/permission/test_permission.yml

@@ -4,13 +4,17 @@
   become: true
 
   tasks:
+  - include_tasks: ../env_freeipa_facts.yml
 
   # CLEANUP TEST ITEMS
 
   - name: Ensure permission perm-test-1 is absent
     ipapermission:
       ipaadmin_password: SomeADMINpassword
-      name: perm-test-1
+      name:
+      - perm-test-1
+      - perm-test-bindtype-test
+      - perm-test-renamed
       state: absent
 
   # TESTS
@@ -99,16 +103,35 @@
     register: result
     failed_when: result.changed or result.failed
 
-  # CLEANUP TEST ITEMS
+  - name: Ensure permission with bindtype 'self' is present, if IPA version >= 4.8.7
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-bindtype-test
+      bindtype: self
+      object_type: host
+      right: all
+    when: ipa_version is version('4.8.7', '>=')
+    register: result
+    failed_when: not result.changed or result.failed
 
-  - name: Ensure permission perm-test-1 is absent
+  - name: Fail to set permission perm-test-renamed bindtype to 'self', if IPA version < 4.8.7
     ipapermission:
       ipaadmin_password: SomeADMINpassword
-      name: perm-test-1
-      state: absent
+      name: perm-test-bindtype-test
+      bindtype: self
+      object_type: host
+      right: all
+    when: ipa_version is version('4.8.7', '<')
+    register: result
+    failed_when: not result.failed or "Bindtype 'self' is not supported by your IPA version." not in result.msg
 
-  - name: Ensure permission perm-test-renamed is absent
+  # CLEANUP TEST ITEMS
+
+  - name: Ensure permission perm-test-1 is absent
     ipapermission:
       ipaadmin_password: SomeADMINpassword
-      name: perm-test-renamed
+      name:
+      - perm-test-1
+      - perm-test-bindtype-test
+      - perm-test-renamed
       state: absent