add external user support to ipa_group module (#5897)

* add external user support to ipa_group module

* add changelog

* fix style errors

* remove trailing whitespace

* Update plugins/modules/ipa_group.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/ipa_group.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/ipa_group.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/ipa_group.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update changelogs/fragments/5897-ipa_group-add-external-users.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/ipa_group.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/ipa_group.py

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Yuriy Halytskyy <yuriy.halytskyy@nesi.org.nz>
Co-authored-by: Felix Fontein <felix@fontein.de>

changelogs/fragments/5897-ipa_group-add-external-users.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ipa_group - allow to add and remove external users with the ``external_user`` option (https://github.com/ansible-collections/community.general/pull/5897).

plugins/modules/ipa_group.py

@@ -64,6 +64,17 @@ options:
     - If option is omitted assigned users will not be checked or changed.
     type: list
     elements: str
+  external_user:
+    description:
+    - List of external users assigned to this group.
+    - Behaves identically to I(user) with respect to I(append) attribute.
+    - List entries can be in C(DOMAIN\\username) or SID format.
+    - Unless SIDs are provided, the module will always attempt to make changes even if the group already has all the users.
+      This is because only SIDs are returned by IPA query.
+    - I(external=true) is needed for this option to work.
+    type: list
+    elements: str
+    version_added: 6.3.0
   state:
     description:
     - State to ensure
@@ -116,6 +127,28 @@ EXAMPLES = r'''
     ipa_user: admin
     ipa_pass: topsecret
 
+- name: Add external user to a group
+  community.general.ipa_group:
+   name: developers
+   external: true
+   append: true
+   external_user:
+   - S-1-5-21-123-1234-12345-63421
+   ipa_host: ipa.example.com
+   ipa_user: admin
+   ipa_pass: topsecret
+
+- name: Add a user from MYDOMAIN
+  community.general.ipa_group:
+   name: developers
+   external: true
+   append: true
+   external_user:
+   - MYDOMAIN\\john
+   ipa_host: ipa.example.com
+   ipa_user: admin
+   ipa_pass: topsecret
+
 - name: Ensure group is absent
   community.general.ipa_group:
     name: sysops
@@ -164,6 +197,9 @@ class GroupIPAClient(IPAClient):
     def group_add_member_user(self, name, item):
         return self.group_add_member(name=name, item={'user': item})
 
+    def group_add_member_externaluser(self, name, item):
+        return self.group_add_member(name=name, item={'ipaexternalmember': item})
+
     def group_remove_member(self, name, item):
         return self._post_json(method='group_remove_member', name=name, item=item)
 
@@ -173,6 +209,9 @@ class GroupIPAClient(IPAClient):
     def group_remove_member_user(self, name, item):
         return self.group_remove_member(name=name, item={'user': item})
 
+    def group_remove_member_externaluser(self, name, item):
+        return self.group_remove_member(name=name, item={'ipaexternalmember': item})
+
 
 def get_group_dict(description=None, external=None, gid=None, nonposix=None):
     group = {}
@@ -208,12 +247,19 @@ def ensure(module, client):
     name = module.params['cn']
     group = module.params['group']
     user = module.params['user']
+    external = module.params['external']
+    external_user = module.params['external_user']
     append = module.params['append']
 
-    module_group = get_group_dict(description=module.params['description'], external=module.params['external'],
+    module_group = get_group_dict(description=module.params['description'],
-                                  gid=module.params['gidnumber'], nonposix=module.params['nonposix'])
+                                  external=external,
+                                  gid=module.params['gidnumber'],
+                                  nonposix=module.params['nonposix'])
     ipa_group = client.group_find(name=name)
 
+    if (not (external or external_user is None)):
+        module.fail_json("external_user can only be set if external = True")
+
     changed = False
     if state == 'present':
         if not ipa_group:
@@ -242,6 +288,11 @@ def ensure(module, client):
                                             client.group_remove_member_user,
                                             append=append) or changed
 
+        if external_user is not None:
+            changed = client.modify_if_diff(name, ipa_group.get('ipaexternalmember', []), external_user,
+                                            client.group_add_member_externaluser,
+                                            client.group_remove_member_externaluser,
+                                            append=append) or changed
     else:
         if ipa_group:
             changed = True
@@ -256,6 +307,7 @@ def main():
     argument_spec.update(cn=dict(type='str', required=True, aliases=['name']),
                          description=dict(type='str'),
                          external=dict(type='bool'),
+                         external_user=dict(type='list', elements='str'),
                          gidnumber=dict(type='str', aliases=['gid']),
                          group=dict(type='list', elements='str'),
                          nonposix=dict(type='bool'),