If the repository is setup in a way that master branch is not available
for comparing the current HEAD against it, the comparison will fail and
not module/role will be scheduled for testing.

This patch forces fetching 'master' from ansible-freeipa repository,
allowing the comparison to be performed.

upstream CI: run PR tests only for affected plugins

ipaserver/ipareplica: Add isatty method to AnsibleModuleLog

In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
to AnsibleModuleLog this call will lead in a traceback as it was not
defined.

The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
role module_utils/ansible_ipa_server.py and in ipareplica role
module_utils/ansible_ipa_repica.py.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
       ansible-freeipa Replica Install Setup DNS fails
Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'

The current workflow for bug fixing or new enhancements in
ansible-freeipa includes running Ansible playbooks tests for all the
available plugins for every pull request, even for contained
modifications.

This patch creates a new workflow for pull requests where only the
affected plugins are tested in the PR. Changes that might affect other
parts of the code will trigger tests for the parts affected.

A utility script, utils/filter_tests, is used to set the variables
IPA_ENABLED_MODULES and IPA_ENABLED_TESTS before executing the tests,
effectively limiting which tests are executed. The script uses the
python plugin 'utils/filter_plugins.py' which lists all test modules
that should be executed for a list of modified source files.

Tests are selected for execution based on the plugin name. For example,
a change to 'plugins/modules/ipalocation.py' would trigger all playbook
tests under 'tests/location'. If a test playbook is modified, it is
scheduled to be executed. Changes to any file under
'plugins/module_utils' will force the execution of all tests, since any
module might be affected by that change.

The nature of the change is not evaluated, so a simple typo fix of a
comment in a file under 'plugins/module_utils' would still schedule all
test playbooks to be executed.

For roles, any file changed under the role directory would set the role
to be included in the tests. Playbook tests for roles must be created
under 'tests/<rolename>_role', where role name in the name of the role
without 'ipa', for example, the 'ipabackup' role test playbooks would
be stored under 'tests/backup_role'.

Since there is the possibility that the list of tests to be executed
might be less than the number of tests groups used (3), a new pytest
dependency was added, pytest-custom_exit_code, so that having no tests
to run isn't a test failure.

A new pipeline on Azure needs to be created to use the new test script.

This patch adds support for IPA_ENABLED_* and IPA_DISABLED_* environment
variables as existing global configuration for the tests.

The plugin pytest-split-tests is used to split the tests in several
groups so that the tests can be executed in parallel is upstream CI.

The issue is thet pytest-split-tests last release was more that a
year ago, upstream developers have not been responsive, and there is
a bug when the number of tests to be executed by a group is zero.
The patch to fix this issue has been open for a year.

This patch deprecates the use of pytest-split-tests, changing the
plugin used to split the tests to pytest-split, which is actively
mainatined.

Run tests locally with upstream CI images.

ipaserver: Add missing idstart check

The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
This is "Require idstart to be larger than UID_MAX" for freeipa.

Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment)

This patch allows local execution of playbook tests using ustream CI
testing images. Either 'podman' or 'docker' can be used to execute the
tests.

ipaserver: ipaclient part does not need to install packages

fedora rawhide: Temporarily disable failing DNS tests

upstream CI: Fix list evaluation in IPA_ENABLED/IPA_DISABLED tests

Some DNS tests have been disabled for Fedora latest, but not for Fedora
Rawhide. Therefore these tests are filin still in nighty:

- dnsforwardzone
- test_dnsconfig_forwarders_ports

The client part installation is checking for the client packages. These
packages are part of the server packages that have been installed with
the server role and therefore the task is not needed.

This is helping to reduce the deployment time of a server.

Fix short_description flag in plugins, role modules and templates

Before "short description" was used in most plugins, modules and also
in the new module templates.

ansible-doc was therefore not showing the short description. To fix the
issue the flag was renamed to short_description instead.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2121362
       'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'

When enabling or disabling multiple tests, a comma separated list must
be used, but current code is using a colon to split the list.

This patch fixes this behavior.

Merge pull request #876 from t-woerner/ipareplica_do_not_overwrite_ipaclient_no_ntp_for_client_part_deployment

ipareplica: Do not overwrite ipaclient_no_ntp for client part deployment

ipauser: Add note on attributes 'first' and 'last' requirements

upstream CI: enable/disable tests based on test image

Attributes 'first' and 'last' are required if user does not exist, but
current documentation doesn't make it clear. This patch adds a note on
both attributes to make clear the cases where the attribute is required

Since test configuration can vary in different scenarios (test images)
this patch adds a script to list the scenarios configuration, and a
step to the playbook test jobs to display the scenario configuration.

Currently, all tests are scheduled to execution, even those that are
not executed due to being absent from the list of enabled tests
configured in the IPA_ENABLED_* variables. The tests that are not
executed are marked 'skipped'.

This patch change this behavior by not scheduling tests that are not
configured to be executed. It means that tests not the IPA_DISABLED_*
lists are not skipped anymore, but not scheduled to be executed. If
any test is in IPA_ENABLED_* lists, only those tests are marked for
execution. A side effect is that there is no visual feedback on which
tests were not executed, as disabled tests are not evaluated anymore.

Also, when IPA_SERVER_HOST was not set, all tests were skipped, but
an error should raised in this case, as there are no hosts to run the
tests against.

This patch modifies this behavior to fail the test with an exception if
IPA_SERVER_HOST is not set.

Sometimes, mostly due do differences in package versions, there are
some tests that fail on a single distribution which cannot be fixed
by ansible-freeipa, requiring that the offending package is fixed.

To keep tests running succesfully we have options to disable the
failing tests, but this changes are globally applied, meaning that, by
disabling a test, it is disable in all tested distributions.

This patch allows tests to be enabled or disabled for a specific
distribution, by setting the configuration on the 'variable' template
for the specific testing scenario.

ipasudorule: Fix usage of 'action' and 'state' in examples.

Some examples in ipasudorule were using `action: enabled` when it
should've been `state: enabled`. The examples were fixed.

The NTP server chrony was always enabled and set up due to overwriting
the parameter ipaclient_no_ntp for the client part deployment.

For IPA deployments up to 4.6 no_ntp was always used for the client
part deployment in ipa-replica-install. But afterwards ntp was
configured in the replica deployment part if no_ntp was not set.

The ipareplica roles always relied on the client for setting up the NTP
server but overwrote the setting for the client deployment part. This
did not result in a failure to enable the chrony server in RHEL and Fedora
based distributions as NTP server was always required by the ipa-server
package.

Fixes: #871 (ipa-replica-install with no-ntp is ignored)

ipavault: Fix missing whitespace after keyword issue

ipareplica: ipareplica_setup_adtrust fails while updating ipaNTFlatName

flake8 reports an issue in ipavault:

  plugins/modules/ipavault.py:528:20: E275 missing whitespace after keyword

The missing whitespace has been added: "and not(" -> "and not ("

The internal parameter sid_generation_always is generated in
ipareplica_test to enable SID generation if ipareplica_setup_adtrust is
not enabled.

This parameter was not used for ipareplica_prepare though, therefore
adtrust.install_check was not executed and did not set the attribute
adtrust.netbios_name. As a result adtrust.netbios_name was None and the
try to use this as the new NetBIOS domain name failed with an
INVALID_SYNTAX error in adtrustinstance while executing
ipareplica_setup_adtrust.

This issue only occurs if SIDs are not enabled in the domain yet for
example with an old deployment.

ipaclient: Removed invalid call `logger.info()`

ipaserver/ipareplica: Always generate SIDs

- Call was responsible for a `TypeError` exception
- Call was not useful (already followed by a proper `logger.warning` call)

Should fix issue #865: https://github.com/freeipa/ansible-freeipa/issues/865

The SID is always generated in the command line installers in newer IPA
versions. This also needs to be done in the ipaserver and ipareplica roles.

For the IPA versions that are supporting this, the adtrust setup is always
executed to generated the SIDs, but only configures AD trust if
ipaserver_setup_adtrust or ipareplica_setup_adtrust is also enabled. A
check has been added to ipaserver_test and ipareplica_test to only enable
the SID generation for the IPA versions supporting this.

This is related to https://pagure.io/freeipa/8995

Fixes:
- https://bugzilla.redhat.com/show_bug.cgi?id=2110478
- https://bugzilla.redhat.com/show_bug.cgi?id=2110491

ipaserver,ipareplica: Fix Random Serial Numbers always enabled

ipadnsconfig: Fix boolean values comparison

The option _random_serial_numbers was using with the wrong type in
ipaserver_setup_ca.py and ipareplica_setup_ca.py. Therefore RSN was
always enabled.

Fixes:
- https://bugzilla.redhat.com/show_bug.cgi?id=2110523
- https://bugzilla.redhat.com/show_bug.cgi?id=2110526