Some test failures requires more information than just the playbook
simple output. By increasing verbosity, the used parameters and the
failed line will be visible in the test error report, making it easier
to identify, reproduce and fix the issue.

Add support for 'idp' and 'idp_user_id' to ipauser plugin.

FreeIPA 4.10.0 is required for both attributes.

Indirect maps were not supported by ansible-freeipa ipaautomountmap.
This patch adds support for adding indirect automount maps using the
"parent" and "mount" parameters, if the map do not yet exist. An
existing map cannot be modified.

The "parent" parameter must match an existing automount map, and the
"mount" parameter is required if "parent" is used.

A new example playbook can be found at:

    playbooks/automount/automount-map-indirect-map.yml

A new test playbook was added to test the feature:

    tests/automount/test_automountmap_indirect.yml

Since FreeIPA version 4.8.0 ipauser has support for smb-logon-script,
smb-profile-path, smb-home-dir, and smb-home-drive drive attributes.

On FreeIPA, these attributes are only available when modifying a user,
so if the user defined in the playbook does not exist, two calls to IPA
API are executed, a 'user_add' followed by a 'user_mod'.
(see https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md

A new example playbook can be found at:

     playbooks/user/smb-attributes.yml

A new test playbook can be found at:

     tests/user/test_user_smb_attrs.yml

'virtualenv' is an external dependency with the same purpose of Python's
'venv' module. This patch removes the external dependency in favor of
the readily available package.

ipauser plugin was missing user parameter "street".

Tests were updated to reflect the new parameter.

Modified handling of boolean values by using Ansible's 'boolean()' check
function so that a string can be used and either a bool value is
accepted or an empty string.

As the error message was changed to use the same Ansible message, tests
were also updated.

This patch adds a new parameter to ipauser, 'gecos', which can be used
to set the 'gecos' field of an IPA user. The default behavior of
automatically set the GECOS field to "<first> <last>" is not modified,
it is only possible to change the field to a custom value.

No validation on the value provided is done, as it is with FreeIPA.

ansible-core 2.15 has been released on May 15th, 2023, and version 2.12
has reached EOL on May 22nd, 2023.

This patch updates the ansible-core versions used on upstream CI tests
to reflect Ansible's new releases.

The maxsequence test was testing maxrepeat. Therefore the typo reported
with https://github.com/freeipa/ansible-freeipa/pull/1081 was never
seen.

The test has been fixed.

There is a new certificate management module placed in the plugins
folder:

    plugins/modules/ipacert.py

The certificate module allows to request, revoke, release and retrieve
certificates for users, hosts and services.

Here is the documentation for the module:

    README-cert.md

New example playbooks have been added:

    playbooks/cert/cert-hold.yml
    playbooks/cert/cert-release.yml
    playbooks/cert/cert-request-host.yml
    playbooks/cert/cert-request-service.yml
    playbooks/cert/cert-request-user.yml
    playbooks/cert/cert-retrieve.yml
    playbooks/cert/cert-revoke.yml

New tests for the module can be found at:

    tests/cert/test_cert_client_context.yml
    tests/cert/test_cert_host.yml
    tests/cert/test_cert_service.yml
    tests/cert/test_cert_user.yml

The module has been co-authored by Sam Morris (@yrro) and Rafael
Guterres Jeffman (@rjeffman).

The tests test_services_absent.yml, test_services_present.yml and
test_services_present_slice.yml have been updated to use in memory data
for testing instead of loading json files. This made is simpler to use
variables from the playbook for example for fqdn host names.

New tests for certificates with and without trailing new lines have been
added for single service and multiple service handling.

Adding an option to create multiple services in one go.
Adding tests (present/absent/without_skip_host_check)

Copied from PR #1054

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>

The tests under 'tests/pytests' were a POC to bring tests that evaluate
the result of playbook execution on the IPA environment. This is
currently only implemented for dnszone tests, and similar test coverage
is obtained with other tests.

As there is an ongoing issue with Ansible's docker pluging
("the connection plugin 'docker' was not found"), which is stil under
investigation, by removing the pytest tests we'll remove the consistent
failures currently seen on upstream CI, and will not loose test
coverage, specially if we take into account downstream tests.

Also, a new version for the pytests will be available once multihost
testing is implemented for upstream.

The version requirement for requests need to be quoted not to lead into
a pip install command issue.

This is related to PR #1089 (Pin requests to < 2.29 temporarily)

Automatic field numbering specification is not allowed by ansible-test.

ansible requires to either use "#!/bin/bash -eu" or "#!/bin/bash -eux"
for bash shebangs.

The old ignore file ignore-2.12.txt is not needed and used anymore. The
new files ignore-2.13.txt and ignore-2.14.txt are empty after
ansible-lint made nearly all ignores disallowed.

All the newly disallowed ignores need to be fixed.

See https://github.com/ansible/ansible-lint/pull/3102

Due to https://github.com/docker/docker-py/issues/3113 requests need to
be pinned below 2.29 as a temporary solution.

The docker driver is not part of molecule 5.0.0 anymore.
molecule-plugins need to be installed to get the driver.

Adding an option `groups` to create multiple groups in one operation.
Adding tests (present/absent/external/nonposix) with server and
client context.
Simple example of `groups` option:
```
tasks:
- name: Ensure 2 groups are present
  ipagroup:
    ipaadmin_password: SomeADMINpassword
    groups:
    - name: group1
    - name: group2
```

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>

Due to an API misbehaviour in FreeIPA, ipaexternalmembers need to be
treated differently than other group members parameters. Even an empty
array triggers all tests for external members, including the check for
installed dcerpc bindings.

Therefore ipagroup module has been changed to not set ipaexternalmember
to an empty list if there are no external members to be added or
removed.

The latest ansible-lint failes for the tasks that are using
"when: sid_disabled.changed" with the error
"Tasks that run when changed should likely be handlers.". As
these tasks are tests and it would not make sense to use handlers here,
the tasks have been marked as noqa 503.

The way how randompasswords are returned by the ipahost module depends
so far on the number of hosts that are handled by the module.

This is unexpected if for example a json file is provided with the hosts
parameter. As it might be unknown how many hosts are in the json file,
this behaviour is unexpected. The return should not vary in this case.

This chamge makes the return simply depend on the use of the hosts
paramater. As soon as this parameter is used, the return will always be:

"host": { "<the host>": { "randompassword": "<the host random password>" } }

In the simply case with one host it will be still

"host": { "randompassword": "<the host random password>" }

This change for ipahost is related to the ipauser PR #1053.

The way how randompasswords are returned by the ipauser module depends
so far on the number of users that are handled by the module.

This is unexpected if for example a json file is provided with the users
parameter. As it might be unknown how many users are in the json file,
this behaviour is unexpected. The return should not vary in this case.

This chamge makes the return simply depend on the use of the users
paramater. As soon as this parameter is used, the return will always be:

"user": { "<the user>": { "randompassword": "<the user random password>" } }

In the simply case with one user it will be still

"user": { "randompassword": "<the user random password>" }

Fixes: #1052 (ipauser should consitently return randompasswords when
              used with users)

A dangling 'when:' clause was failing anisble-lint tests as the task did
not match any valid schema. The dangling clause was removed, and the
usage of 'shell' was changed from free form to use the 'cmd' parameter.

In latest ansible-lint versions, the use of "blocks" has a required
order to be implemented. According to ansible-lint error mesage, the
order is name, when, block, rescue, always.

As not following this rule is now an error, this patch fixes all tests
for the 'key-order[task]' error.

ansible-lint is issuing an warning when using '# noqa 505' instead of
'#noqa missing-import' on playbooks. This patch changes all occurrences
of the tag to use the newer format.

Due to DNS issues and the increase number of tests, the timeout setting
used for upstream tests was being reached. As we still have room for
running the tests using Azure infrastructure, this patch increases the
timeout to 240 minutes (4h), per worker.

The pytest .yaml files have been rename to .yml to enable
build-galaxy-release to fix the prefix of the ansible-freeipa modules.

This replaces double spaces by single spaces, fixes spaces in slices,
adds spaces before brackets and fixes bracket placing in when clauses.

This change removes the space between join and (): "join ()" to "join()"

When clearing minimum length parameter, FreeIPA raises an error, and the
error is different when executing the playbook in server or client
context. Since the error message is evaluated in the text, both errors
must be accepted as "not a failure", since ansible-freeipa did the
correct call.

Once https://pagure.io/freeipa/issue/9297 is fixed, the test must be
updated to not accept any of these error messages.

All values for pwpolicy can be cleared with an empty string in IPA CLI,
and this behavior was missing in ansible-freeipa.

As of today, there is an issue in FreeIPA that does not allow clearing
'minlength' policy. The is is tracked by the FreeIPA project through
https://pagure.io/freeipa/issue/9297

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2150334

As we now have ansible-core 2.14 available through 'pip', the versions
used for testing on Azure should be 2.12, 2.13 and 2.14, as Ansible
keeps upstream support for the latest version plus the two previous
ones.

This patch update the version used in tests by increasing the version
used by 1 (MINOR).

yamllint is failing for unnamed tasks. All block and include_tasks tasks
are now named.

Patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=2144724 which
depends on https://pagure.io/freeipa/issue/9284

.
Add comment why replacing `netgroup_show` with `netgroup_find`.

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>

Some tasks used to setup Azure environment might fail to temporary
errors like timeouts and connection failures. Allowing the tasks to
retry a few times will allow the test to be correctly executed rather
than returning an error that is not related to the feature tested.