- Feb 11, 2025
-
-
Varun Mylaraiah authored
ipa* deployment roles: Hotfix for dns_over_tls (Freeipa#7343)
-
- Feb 07, 2025
-
-
Thomas Woerner authored
This is a hotfix to allow deployments of clients, replicas and servers with the dns_over_tls PR for freeipa: https://github.com/freeipa/freeipa/pull/7343/ ipaclient: client.update_ssh_keys has changed parameters, options.dns_over_tls needs to be set for ipaclient_setup_nss. ipareplica, ipaserver: Set new parameters globally in module_utils so far: options.dns_over_tls, options.dns_over_tls_key, options.dns_over_tls_cert, options.dot_forwarders and options.dns_policy. The enablement for DNS over TLS for the deployment roles will be done later on.
-
- Feb 04, 2025
-
-
Rafael Guterres Jeffman authored
ipagroup: Fix test for externalmember use in client context
-
Thomas Woerner authored
The test has been changed with the management fix for AD objects. The conditional was lacking brackets and therefore did not properly work. The brackets have been added. Related: https://issues.redhat.com/browse/RHEL-70023
-
- Feb 03, 2025
-
-
Thomas Woerner authored
ipagroup: Fix management of AD objects
-
Thomas Woerner authored
Remove 'vars' files of unsupported distributions
-
- Jan 31, 2025
-
-
Rafael Guterres Jeffman authored
This patch removes 'vars' files from roles for unsupported distributions and changes minimum supported Fedora to version 40+. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
-
Thomas Woerner authored
Update c10s image
-
Rafael Guterres Jeffman authored
As the official, non-development, CentOS 10 Stream image is available, ansible-freeipa tests must use it instead of the centos-development one.
-
Rafael Guterres Jeffman authored
Current version of ansible-list pre-commit hook required changes in the ansible-freeipa yamllint configuration and these changes triggered issues in the current playbooks on roles and tests. This patch adds the required changes to yaml lint configuration and fixes the affected playbooks. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
-
Rafael Guterres Jeffman authored
When using AD objects, a user expects to use the more human readable form, like "user@ad.domain", but this imposes some difficulties on evaluating which object is being referenced as AD has several forms to refer to the same object. Each object in AD is identified uniquely by its SID, and this is the identifier that IPA stores in its database. When managing AD objects, IPA finds its SID and works with that value. ansible-freeipa tried to process these objects using the human readable values, and it caused idempotence errors when ensuring the values were present or modified, and, at least in some cases, prevented the objects from being made absent, as the object list created didn't match the SID to the value used as module parameter. By using SID to process the AD objects in ipagroup, the addition or removal of members works and idempotence of these members is ensured. The only issue with this approach is that it only works on server nodes. In client nodes, the conversion to SID is not available and the same issues that existed before will still be present. Tests were updated to reflect these changes, a new test, specific to idempotence issues of AD objects was added: tests/group/test_group_ad_users.yml Resolves: https://issues.redhat.com/browse/RHEL-70023
-
Thomas Woerner authored
tests/idoverrideuser: Fix client context test when running on client
-
- Jan 29, 2025
-
-
Rafael Guterres Jeffman authored
When running test_idoverrideuser_client_context.yml on a client host, it tried to run a task that does not have the required fields and fails the test. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
-
Rafael Guterres Jeffman authored
This patch improves tests/env_freeipa_facts.yml by ensuring ipaserver_realm is set, making AD server availability discoverable, and allowing playbooks to run with 'gather_facts: false' by gathering minimal facts.
-
Rafael Guterres Jeffman authored
When managing AD objects the SIDs of the objects are stored in FreeIPA database, but a user would still use the human readable values, like "AD\\user" or "user@ad.domain". This can cause idempotence issues in many cases, and prevent some actions from being performed, like ensuring absence of the object. The methods added allow the conversion of one or multiple objects, and will be used by any module that manages AD objects. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
-
- Dec 12, 2024
-
-
Rafael Guterres Jeffman authored
ipareplica: Pass ipareplica_ip_addresses to client deployment part
-
Thomas Woerner authored
The IP addresses set with ipareplica_ip_addresses have not been passed to ipaclient role for client deployment part. This resulted in not setting the IP addresses. The description for ipareplica_ip_addresses in the ipareplica README and also the role modules was wrong and has been fixed to "List of IPA replica IP addresses". Related: https://pagure.io/freeipa/issue/7405 Resolves: https://github.com/freeipa/ansible-freeipa/issues/1244
-
Thomas Woerner authored
ipagroup: Correctly handle externalmember in member actions
-
Thomas Woerner authored
ipasudorule: Evaluate all members related to hosts and users
-
- Dec 11, 2024
-
-
Rafael Guterres Jeffman authored
When handling users and hosts in ipasudorule we were missing some entry attributes returned from FreeIPA, which would cause the add/del lists to be incorrectly generated. By adding the proper lists, both attributes are handled correctly. A new test to verify the fix is added: tests/sudorule/test_sudorule_user_host_external.yml Fixes https://issues.redhat.com/browse/RHEL-68439
-
Thomas Woerner authored
ipacert: Revoking with removeFromCRL should be handled as cert release
-
Rafael Guterres Jeffman authored
utils/build-galaxy-release.sh: Do not create duplicates for role plugins
-
Thomas Woerner authored
ansible-test sanity test "metaclass-boilerplate" fails now to recognize the line "__metaclass__ = type" if there is a pylint disable comment appended to the same line to not fail on using bad class naming. The pylint disable comment has been moved to an extra preceding line and an additional enable comment has been added after the metaclass line.
-
- Dec 10, 2024
-
-
Thomas Woerner authored
This change reduces the size of the Ansible collection and removes unused files. While creating the collection, the role plugins have been linked into the global plugin folders, but a subsequent sed call replaced the links with changed files. The original files have also been changed with another sed call in the same way. This resulted in the duplication of the changed files. The plugins of the roles are now moved into the global plugin folders and only changed there. The now empty plugin folders in the roles are removed.
-
Rafael Guterres Jeffman authored
When creating the lists of external members, the attribute 'ipaexternalmember' also needs to be added to the list of external members that are part of the group object for external groups. A test to verify the correct behavior was added and the test suite for group external members has been cleaned up with 'yes' values changed to 'true' and the use of module_defaults.
-
- Dec 05, 2024
-
-
Rafael Guterres Jeffman authored
When a revoked certificate with reason 6 (certificateHold) is revoked with reason 8 (removeFromCRL), the effect is that the certificate is valid again, as it is the same procedure as 'state: release'. This is, at least, the behavior with IPA CLI commands, which is implemented by this patch. A new test is added to verify this behavior: tests/cert/test_cert_remove_hold_with_removeFromCRL.yml
-
- Dec 03, 2024
-
-
Thomas Woerner authored
modules: Do not hide errors using IPA *_show command with Exception
-
Rafael Guterres Jeffman authored
Modify the plugin templates so that the code generated does not hide errors when querying IPA with *_show command by handling only the exception where an object is not found.
-
Rafael Guterres Jeffman authored
When searching for objects with *_show IPA API command, most plugins were hiding errors other than "ipalib_errors.NotFound" by handling the broad exception Exception instead. This patch uses "ipalib_errors.NotFound" whenever "*_show" is used so that the only exception handled is when an object is not found. Other errors will not be handled, making the module break as expected.
-
- Dec 02, 2024
-
-
Rafael Guterres Jeffman authored
infra/image: Use SYS_ADMIN capability for server deployment
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
This adds the capabilities SYS_ADMIN and SYSLOG to the container_create call in build.sh as long as server deployment has been enabled. The privileged option has been removed as it is no longer needed. The hostnamectl-wrapper for the container has been removed as it is no longer needed.
-
- Nov 29, 2024
-
-
Rafael Guterres Jeffman authored
infra/image/dockerfile/c10s: Fix client part deployment for the server
-
- Nov 28, 2024
-
-
Rafael Guterres Jeffman authored
infra/image/shcontainer: New container_copy and container_fetch
-
- Nov 26, 2024
-
-
Rafael Guterres Jeffman authored
Change minimum Ansible version to 2.14
-
Thomas Woerner authored
RHEL-9 is still using ansible-core 2.14.
-
- Nov 19, 2024
-
-
Thomas Woerner authored
The client part deployment fails in the configuration of NIS. The command /usr/bin/nisdomainname is failing in a container in this task as the container is not privileged. The hostnamectl-wrapper is copied from the freeipa-container container project to replace /usr/bin/nisdomainname in the container.
-
Thomas Woerner authored
container_copy can be used to copy a file to the container, container_fetch can be used to copy a file from the container. For more information, please have a look at the podman-cp man page.
-
Thomas Woerner authored
ipasudorule: Add support for batch mode and multiple sudorules
-