From 4015073a7fc2ff1c3d1b46bb4409775ccc55114a Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Wed, 27 Dec 2023 19:19:51 -0300 Subject: [PATCH] ipahbacrule: Fix handling of hbacsvcgroup in members FreeIPA provides a default hbacsvcgroup named "Sudo", with capital S, that is different from every other hbacsvcgroup, which are all represented by lower case letters. As data from IPA API was not modified, this causes an idempotence error when using different capitalization with the 'hbacsvcgroup' parameter. This patch fixes the issue by using the CaseInsensitive comparator to create the hbacsvcgroup list. Tests were update to make sure a regression is not included in the future. --- plugins/modules/ipahbacrule.py | 6 ++- .../test_hbacrule_member_case_insensitive.yml | 42 ++++++++++++++++++- 2 files changed, 45 insertions(+), 3 deletions(-) diff --git a/plugins/modules/ipahbacrule.py b/plugins/modules/ipahbacrule.py index 04a2b5d824..160903cf21 100644 --- a/plugins/modules/ipahbacrule.py +++ b/plugins/modules/ipahbacrule.py @@ -171,7 +171,7 @@ from ansible.module_utils.ansible_freeipa_module import \ IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \ - gen_intersection_list, ListOf, Hostname + gen_intersection_list, ListOf, Hostname, CaseInsensitive def find_hbacrule(module, name): @@ -398,7 +398,9 @@ def main(): if hbacsvc is not None: hbacsvc_add, hbacsvc_del = gen_add_del_lists( - hbacsvc, res_find.get("memberservice_hbacsvc")) + hbacsvc, res_find.get("memberservice_hbacsvc"), + attr_datatype=CaseInsensitive() + ) if hbacsvcgroup is not None: hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists( diff --git a/tests/hbacrule/test_hbacrule_member_case_insensitive.yml b/tests/hbacrule/test_hbacrule_member_case_insensitive.yml index 59eaed7961..cca0f8be85 100644 --- a/tests/hbacrule/test_hbacrule_member_case_insensitive.yml +++ b/tests/hbacrule/test_hbacrule_member_case_insensitive.yml 
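Review bot: In the `@@ -398` hunk the call that gains `attr_datatype=CaseInsensitive()` is the `hbacsvc` one (`memberservice_hbacsvc`), while the commit message and the new tests are about `hbacsvcgroup`. The `hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists(` call appears only as trailing context and is cut off, so the hunk does not show whether it already compares case-insensitively. If it does not, it needs the same `attr_datatype=CaseInsensitive()` argument, otherwise the "Sudo"/"sudo" mismatch described in the message remains. `main()` continues outside the hunk, so any other place that builds add/del lists for these members (for example the `action: member` path) should be checked for the same comparator. A member list that flaps on capitalisation means an access-control rule is rewritten on every run, which is worth avoiding for HBAC.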
@@ -468,11 +468,51 @@ register: result failed_when: result.changed or result.failed + # Specifically test 'Sudo' and FreeIPA adds a "Sudo" hbacsvcgroup instead of "sudo" + - name: Ensure 'sudo' works as hbacsvcgroup. + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: "test_sudo" + hbacsvcgroup: + - sudo + register: result + failed_when: not result.changed or result.failed + + - name: Ensure 'sudo' works as hbacsvcgroup, again. + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: "test_sudo" + hbacsvcgroup: + - sudo + register: result + failed_when: result.changed or result.failed + + - name: Ensure 'sudo' works as hbacsvcgroup, action member. + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: "test_sudo" + hbacsvcgroup: + - sudo + action: member + register: result + failed_when: result.changed or result.failed + + - name: Ensure 'Sudo' works as hbacsvcgroup, action member. + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: "test_sudo" + hbacsvcgroup: + - Sudo + register: result + failed_when: result.changed or result.failed + always: - name: Ensure test hbacrule is absent ipahbacrule: ipaadmin_password: SomeADMINpassword - name: testrule + name: + - testrule + - test_sudo state: absent - name: Ensure test users are absent
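Review bot: The last added task is named "Ensure 'Sudo' works as hbacsvcgroup, action member." but has no `action: member` key, so it runs with the default action and the capitalised spelling is never exercised on the member path. Either add `action: member` to that task or drop ", action member" from its name. All four tasks pass only `hbacsvcgroup`; since the module change in this commit touches the `hbacsvc` comparison, a mixed-case `hbacsvc` idempotence task would cover the changed line, unless earlier tasks in this file (outside the hunk) already do. The leading comment would read better as `# Specifically test 'Sudo', as FreeIPA adds a "Sudo" hbacsvcgroup instead of "sudo"`.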