#!/usr/bin/python
# -*- coding: utf-8 -*-

# Copyright: (c) 2017, Kenneth D. Evensen <kdevensen@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import (absolute_import, division, print_function)
__metaclass__ = type


DOCUMENTATION = r'''
module: pamd
author:
    - Kenneth D. Evensen (@kevensen)
short_description: Manage PAM Modules
description:
  - Edit PAM service's type, control, module path and module arguments.
  - In order for a PAM rule to be modified, the type, control and
    module_path must match an existing rule. See man(5) pam.d for details.
notes:
  - This module does not handle authselect profiles.
options:
  name:
    description:
      - The name generally refers to the PAM service file to
        change, for example system-auth.
    type: str
    required: true
  type:
    description:
      - The type of the PAM rule being modified.
      - The C(type), C(control) and C(module_path) all must match a rule to be modified.
    type: str
    required: true
    choices: [ account, -account, auth, -auth, password, -password, session, -session ]
  control:
    description:
      - The control of the PAM rule being modified.
      - This may be a complicated control with brackets. If this is the case, be
        sure to put "[bracketed controls]" in quotes.
      - The C(type), C(control) and C(module_path) all must match a rule to be modified.
    type: str
    required: true
  module_path:
    description:
      - The module path of the PAM rule being modified.
      - The C(type), C(control) and C(module_path) all must match a rule to be modified.
    type: str
    required: true
  new_type:
    description:
    - The new type to assign to the new rule.
    type: str
    choices: [ account, -account, auth, -auth, password, -password, session, -session ]
  new_control:
    description:
    - The new control to assign to the new rule.
    type: str
  new_module_path:
    description:
    - The new module path to be assigned to the new rule.
    type: str
  module_arguments:
    description:
    - When state is C(updated), the module_arguments will replace existing module_arguments.
    - When state is C(args_absent) args matching those listed in module_arguments will be removed.
    - When state is C(args_present) any args listed in module_arguments are added if
      missing from the existing rule.
    - Furthermore, if the module argument takes a value denoted by C(=),
      the value will be changed to that specified in module_arguments.
    type: list
    elements: str
  state:
    description:
    - The default of C(updated) will modify an existing rule if type,
      control and module_path all match an existing rule.
    - With C(before), the new rule will be inserted before a rule matching type,
      control and module_path.
    - Similarly, with C(after), the new rule will be inserted after an existing rulematching type,
      control and module_path.
    - With either C(before) or C(after) new_type, new_control, and new_module_path must all be specified.
    - If state is C(args_absent) or C(args_present), new_type, new_control, and new_module_path will be ignored.
    - State C(absent) will remove the rule.  The 'absent' state was added in Ansible 2.4.
    type: str
    choices: [ absent, before, after, args_absent, args_present, updated ]
    default: updated
  path:
    description:
    - This is the path to the PAM service files.
    type: path
    default: /etc/pam.d
  backup:
     description:
       - Create a backup file including the timestamp information so you can
         get the original file back if you somehow clobbered it incorrectly.
     type: bool
     default: no
'''

EXAMPLES = r'''
- name: Update pamd rule's control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient

- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'

- name: Insert a new rule before an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an \
        existing rule pam_rootok.so
  community.general.pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after

- name: Remove module arguments from an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated

- name: Replace all module arguments in an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth
        silent
        deny=3
        unlock_time=604800
        fail_interval=900'
    state: updated

- name: Remove specific arguments from a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent

- name: Ensure specific arguments are present in a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present

- name: Ensure specific arguments are present in a rule (alternative)
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
    - crond
    - quiet
    state: args_present

- name: Module arguments requiring commas must be listed as a Yaml list
  community.general.pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
    - listsep=,
    state: args_present

- name: Update specific argument value in a rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present

- name: Add pam common-auth rule for duo
  community.general.pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'
'''

RETURN = r'''
change_count:
    description: How many rules were changed.
    type: int
    sample: 1
    returned: success
new_rule:
    description: The changes to the rule.  This was available in Ansible 2.4 and Ansible 2.5.  It was removed in Ansible 2.6.
    type: str
    sample: None      None None sha512 shadow try_first_pass use_authtok
    returned: success
updated_rule_(n):
    description: The rule(s) that was/were changed.  This is only available in
      Ansible 2.4 and was removed in Ansible 2.5.
    type: str
    sample:
    - password      sufficient  pam_unix.so sha512 shadow try_first_pass
      use_authtok
    returned: success
action:
    description:
    - "That action that was taken and is one of: update_rule,
      insert_before_rule, insert_after_rule, args_present, args_absent,
      absent. This was available in Ansible 2.4 and removed in Ansible 2.8"
    returned: always
    type: str
    sample: "update_rule"
dest:
    description:
    - "Path to pam.d service that was changed.  This is only available in
      Ansible 2.3 and was removed in Ansible 2.4."
    returned: success
    type: str
    sample: "/etc/pam.d/system-auth"
backupdest:
    description:
    - "The file name of the backup file, if created."
    returned: success
    type: str
...
'''


from ansible.module_utils.basic import AnsibleModule
import os
import re
from tempfile import NamedTemporaryFile
from datetime import datetime


RULE_REGEX = re.compile(r"""(?P<rule_type>-?(?:auth|account|session|password))\s+
                        (?P<control>\[.*\]|\S*)\s+
                        (?P<path>\S*)\s*
                        (?P<args>.*)\s*""", re.X)

RULE_ARG_REGEX = re.compile(r"""(\[.*\]|\S*)""")

VALID_TYPES = ['account', '-account', 'auth', '-auth', 'password', '-password', 'session', '-session']


class PamdLine(object):

    def __init__(self, line):
        self.line = line
        self.prev = None
        self.next = None

    @property
    def is_valid(self):
        if self.line.strip() == '':
            return True
        return False

    def validate(self):
        if not self.is_valid:
            return False, "Rule is not valid " + self.line
        return True, "Rule is valid " + self.line

    # Method to check if a rule matches the type, control and path.
    def matches(self, rule_type, rule_control, rule_path, rule_args=None):
        return False

    def __str__(self):
        return str(self.line)


class PamdEmptyLine(PamdLine):
    pass


class PamdComment(PamdLine):

    def __init__(self, line):
        super(PamdComment, self).__init__(line)

    @property
    def is_valid(self):
        if self.line.startswith('#'):
            return True
        return False


class PamdInclude(PamdLine):
    def __init__(self, line):
        super(PamdInclude, self).__init__(line)

    @property
    def is_valid(self):
        if self.line.startswith('@include'):
            return True
        return False


class PamdRule(PamdLine):

    valid_simple_controls = ['required', 'requisite', 'sufficient', 'optional', 'include', 'substack', 'definitive']
    valid_control_values = ['success', 'open_err', 'symbol_err', 'service_err', 'system_err', 'buf_err',
                            'perm_denied', 'auth_err', 'cred_insufficient', 'authinfo_unavail', 'user_unknown',
                            'maxtries', 'new_authtok_reqd', 'acct_expired', 'session_err', 'cred_unavail',
                            'cred_expired', 'cred_err', 'no_module_data', 'conv_err', 'authtok_err',
                            'authtok_recover_err', 'authtok_lock_busy', 'authtok_disable_aging', 'try_again',
                            'ignore', 'abort', 'authtok_expired', 'module_unknown', 'bad_item', 'conv_again',
                            'incomplete', 'default']
    valid_control_actions = ['ignore', 'bad', 'die', 'ok', 'done', 'reset']

    def __init__(self, rule_type, rule_control, rule_path, rule_args=None):
        self.prev = None
        self.next = None
        self._control = None
        self._args = None
        self.rule_type = rule_type
        self.rule_control = rule_control

        self.rule_path = rule_path
        self.rule_args = rule_args

    # Method to check if a rule matches the type, control and path.
    def matches(self, rule_type, rule_control, rule_path, rule_args=None):
        if (rule_type == self.rule_type and
                rule_control == self.rule_control and
                rule_path == self.rule_path):
            return True
        return False

    @classmethod
    def rule_from_string(cls, line):
        rule_match = RULE_REGEX.search(line)
        rule_args = parse_module_arguments(rule_match.group('args'))
        return cls(rule_match.group('rule_type'), rule_match.group('control'), rule_match.group('path'), rule_args)

    def __str__(self):
        if self.rule_args:
            return '{0: <11}{1} {2} {3}'.format(self.rule_type, self.rule_control, self.rule_path, ' '.join(self.rule_args))
        return '{0: <11}{1} {2}'.format(self.rule_type, self.rule_control, self.rule_path)

    @property
    def rule_control(self):
        if isinstance(self._control, list):
            return '[' + ' '.join(self._control) + ']'
        return self._control

    @rule_control.setter
    def rule_control(self, control):
        if control.startswith('['):
            control = control.replace(' = ', '=').replace('[', '').replace(']', '')
            self._control = control.split(' ')
        else:
            self._control = control

    @property
    def rule_args(self):
        if not self._args:
            return []
        return self._args

    @rule_args.setter
    def rule_args(self, args):
        self._args = parse_module_arguments(args)

    @property
    def line(self):
        return str(self)

    @classmethod
    def is_action_unsigned_int(cls, string_num):
        number = 0
        try:
            number = int(string_num)
        except ValueError:
            return False

        if number >= 0:
            return True
        return False

    @property
    def is_valid(self):
        return self.validate()[0]

    def validate(self):
        # Validate the rule type
        if self.rule_type not in VALID_TYPES:
            return False, "Rule type, " + self.rule_type + ", is not valid in rule " + self.line
        # Validate the rule control
        if isinstance(self._control, str) and self.rule_control not in PamdRule.valid_simple_controls:
            return False, "Rule control, " + self.rule_control + ", is not valid in rule " + self.line
        elif isinstance(self._control, list):
            for control in self._control:
                value, action = control.split("=")
                if value not in PamdRule.valid_control_values:
                    return False, "Rule control value, " + value + ", is not valid in rule " + self.line
                if action not in PamdRule.valid_control_actions and not PamdRule.is_action_unsigned_int(action):
                    return False, "Rule control action, " + action + ", is not valid in rule " + self.line

        # TODO: Validate path

        return True, "Rule is valid " + self.line


# PamdService encapsulates an entire service and contains one or more rules.  It seems the best way is to do this
# as a doubly linked list.
class PamdService(object):

    def __init__(self, content):
        self._head = None
        self._tail = None
        for line in content.splitlines():
            if line.lstrip().startswith('#'):
                pamd_line = PamdComment(line)
            elif line.lstrip().startswith('@include'):
                pamd_line = PamdInclude(line)
            elif line.strip() == '':
                pamd_line = PamdEmptyLine(line)
            else:
                pamd_line = PamdRule.rule_from_string(line)

            self.append(pamd_line)

    def append(self, pamd_line):
        if self._head is None:
            self._head = self._tail = pamd_line
        else:
            pamd_line.prev = self._tail
            pamd_line.next = None
            self._tail.next = pamd_line
            self._tail = pamd_line

    def remove(self, rule_type, rule_control, rule_path):
        current_line = self._head
        changed = 0

        while current_line is not None:
            if current_line.matches(rule_type, rule_control, rule_path):
                if current_line.prev is not None:
                    current_line.prev.next = current_line.next
                    if current_line.next is not None:
                        current_line.next.prev = current_line.prev
                else:
                    self._head = current_line.next
                    current_line.next.prev = None
                changed += 1

            current_line = current_line.next
        return changed

    def get(self, rule_type, rule_control, rule_path):
        lines = []
        current_line = self._head
        while current_line is not None:

            if isinstance(current_line, PamdRule) and current_line.matches(rule_type, rule_control, rule_path):
                lines.append(current_line)

            current_line = current_line.next

        return lines

    def has_rule(self, rule_type, rule_control, rule_path):
        if self.get(rule_type, rule_control, rule_path):
            return True
        return False

    def update_rule(self, rule_type, rule_control, rule_path,
                    new_type=None, new_control=None, new_path=None, new_args=None):
        # Get a list of rules we want to change
        rules_to_find = self.get(rule_type, rule_control, rule_path)

        new_args = parse_module_arguments(new_args)

        changes = 0
        for current_rule in rules_to_find:
            rule_changed = False
            if new_type:
                if(current_rule.rule_type != new_type):
                    rule_changed = True
                    current_rule.rule_type = new_type
            if new_control:
                if(current_rule.rule_control != new_control):
                    rule_changed = True
                    current_rule.rule_control = new_control
            if new_path:
                if(current_rule.rule_path != new_path):
                    rule_changed = True
                    current_rule.rule_path = new_path
            if new_args:
                if(current_rule.rule_args != new_args):
                    rule_changed = True
                    current_rule.rule_args = new_args

            if rule_changed:
                changes += 1

        return changes

    def insert_before(self, rule_type, rule_control, rule_path,
                      new_type=None, new_control=None, new_path=None, new_args=None):
        # Get a list of rules we want to change
        rules_to_find = self.get(rule_type, rule_control, rule_path)
        changes = 0
        # There are two cases to consider.
        # 1. The new rule doesn't exist before the existing rule
        # 2. The new rule exists

        for current_rule in rules_to_find:
            # Create a new rule
            new_rule = PamdRule(new_type, new_control, new_path, new_args)
            # First we'll get the previous rule.
            previous_rule = current_rule.prev

            # Next we may have to loop backwards if the previous line is a comment.  If it
            # is, we'll get the previous "rule's" previous.
            while previous_rule is not None and isinstance(previous_rule, (PamdComment, PamdEmptyLine)):
                previous_rule = previous_rule.prev
            # Next we'll see if the previous rule matches what we are trying to insert.
            if previous_rule is not None and not previous_rule.matches(new_type, new_control, new_path):
                # First set the original previous rule's next to the new_rule
                previous_rule.next = new_rule
                # Second, set the new_rule's previous to the original previous
                new_rule.prev = previous_rule
                # Third, set the new rule's next to the current rule
                new_rule.next = current_rule
                # Fourth, set the current rule's previous to the new_rule
                current_rule.prev = new_rule

                changes += 1

            # Handle the case where it is the first rule in the list.
            elif previous_rule is None:
                # This is the case where the current rule is not only the first rule
                # but the first line as well.  So we set the head to the new rule
                if current_rule.prev is None:
                    self._head = new_rule
                # This case would occur if the previous line was a comment.
                else:
                    current_rule.prev.next = new_rule
                new_rule.prev = current_rule.prev
                new_rule.next = current_rule
                current_rule.prev = new_rule
                changes += 1

        return changes

    def insert_after(self, rule_type, rule_control, rule_path,
                     new_type=None, new_control=None, new_path=None, new_args=None):
        # Get a list of rules we want to change
        rules_to_find = self.get(rule_type, rule_control, rule_path)
        changes = 0
        # There are two cases to consider.
        # 1. The new rule doesn't exist after the existing rule
        # 2. The new rule exists
        for current_rule in rules_to_find:
            # First we'll get the next rule.
            next_rule = current_rule.next
            # Next we may have to loop forwards if the next line is a comment.  If it
            # is, we'll get the next "rule's" next.
            while next_rule is not None and isinstance(next_rule, (PamdComment, PamdEmptyLine)):
                next_rule = next_rule.next

            # First we create a new rule
            new_rule = PamdRule(new_type, new_control, new_path, new_args)
            if next_rule is not None and not next_rule.matches(new_type, new_control, new_path):
                # If the previous rule doesn't match we'll insert our new rule.

                # Second set the original next rule's previous to the new_rule
                next_rule.prev = new_rule
                # Third, set the new_rule's next to the original next rule
                new_rule.next = next_rule
                # Fourth, set the new rule's previous to the current rule
                new_rule.prev = current_rule
                # Fifth, set the current rule's next to the new_rule
                current_rule.next = new_rule

                changes += 1

            # This is the case where the current_rule is the last in the list
            elif next_rule is None:
                new_rule.prev = self._tail
                new_rule.next = None
                self._tail.next = new_rule
                self._tail = new_rule

                current_rule.next = new_rule
                changes += 1

        return changes

    def add_module_arguments(self, rule_type, rule_control, rule_path, args_to_add):
        # Get a list of rules we want to change
        rules_to_find = self.get(rule_type, rule_control, rule_path)

        args_to_add = parse_module_arguments(args_to_add)

        changes = 0

        for current_rule in rules_to_find:
            rule_changed = False

            # create some structures to evaluate the situation
            simple_new_args = set()
            key_value_new_args = dict()

            for arg in args_to_add:
                if arg.startswith("["):
                    continue
                elif "=" in arg:
                    key, value = arg.split("=")
                    key_value_new_args[key] = value
                else:
                    simple_new_args.add(arg)

            key_value_new_args_set = set(key_value_new_args)

            simple_current_args = set()
            key_value_current_args = dict()

            for arg in current_rule.rule_args:
                if arg.startswith("["):
                    continue
                elif "=" in arg:
                    key, value = arg.split("=")
                    key_value_current_args[key] = value
                else:
                    simple_current_args.add(arg)

            key_value_current_args_set = set(key_value_current_args)

            new_args_to_add = list()

            # Handle new simple arguments
            if simple_new_args.difference(simple_current_args):
                for arg in simple_new_args.difference(simple_current_args):
                    new_args_to_add.append(arg)

            # Handle new key value arguments
            if key_value_new_args_set.difference(key_value_current_args_set):
                for key in key_value_new_args_set.difference(key_value_current_args_set):
                    new_args_to_add.append(key + '=' + key_value_new_args[key])

            if new_args_to_add:
                current_rule.rule_args += new_args_to_add
                rule_changed = True

            # Handle existing key value arguments when value is not equal
            if key_value_new_args_set.intersection(key_value_current_args_set):
                for key in key_value_new_args_set.intersection(key_value_current_args_set):
                    if key_value_current_args[key] != key_value_new_args[key]:
                        arg_index = current_rule.rule_args.index(key + '=' + key_value_current_args[key])
                        current_rule.rule_args[arg_index] = str(key + '=' + key_value_new_args[key])
                        rule_changed = True

            if rule_changed:
                changes += 1

        return changes

    def remove_module_arguments(self, rule_type, rule_control, rule_path, args_to_remove):
        # Get a list of rules we want to change
        rules_to_find = self.get(rule_type, rule_control, rule_path)

        args_to_remove = parse_module_arguments(args_to_remove)

        changes = 0

        for current_rule in rules_to_find:
            if not args_to_remove:
                args_to_remove = []

            # Let's check to see if there are any args to remove by finding the intersection
            # of the rule's current args and the args_to_remove lists
            if not list(set(current_rule.rule_args) & set(args_to_remove)):
                continue

            # There are args to remove, so we create a list of new_args absent the args
            # to remove.
            current_rule.rule_args = [arg for arg in current_rule.rule_args if arg not in args_to_remove]

            changes += 1

        return changes

    def validate(self):
        current_line = self._head

        while current_line is not None:
            if not current_line.validate()[0]:
                return current_line.validate()
            current_line = current_line.next
        return True, "Module is valid"

    def __str__(self):
        lines = []
        current_line = self._head

        mark = "# Updated by Ansible - %s" % datetime.now().isoformat()
        while current_line is not None:
            lines.append(str(current_line))
            current_line = current_line.next

        if len(lines) <= 1:
            lines.insert(0, "")
            lines.insert(1, mark)
        else:
            if lines[1].startswith("# Updated by Ansible"):
                lines[1] = mark
            else:
                lines.insert(1, mark)

        return '\n'.join(lines) + '\n'


def parse_module_arguments(module_arguments):
    # Return empty list if we have no args to parse
    if not module_arguments:
        return []
    elif isinstance(module_arguments, list) and len(module_arguments) == 1 and not module_arguments[0]:
        return []

    if not isinstance(module_arguments, list):
        module_arguments = [module_arguments]

    parsed_args = list()

    for arg in module_arguments:
        for item in filter(None, RULE_ARG_REGEX.findall(arg)):
            if not item.startswith("["):
                re.sub("\\s*=\\s*", "=", item)
            parsed_args.append(item)

    return parsed_args


def main():

    module = AnsibleModule(
        argument_spec=dict(
            name=dict(type='str', required=True),
            type=dict(type='str', required=True, choices=VALID_TYPES),
            control=dict(type='str', required=True),
            module_path=dict(type='str', required=True),
            new_type=dict(type='str', choices=VALID_TYPES),
            new_control=dict(type='str'),
            new_module_path=dict(type='str'),
            module_arguments=dict(type='list', elements='str'),
            state=dict(type='str', default='updated', choices=['absent', 'after', 'args_absent', 'args_present', 'before', 'updated']),
            path=dict(type='path', default='/etc/pam.d'),
            backup=dict(type='bool', default=False),
        ),
        supports_check_mode=True,
        required_if=[
            ("state", "args_present", ["module_arguments"]),
            ("state", "args_absent", ["module_arguments"]),
            ("state", "before", ["new_control", "new_type", "new_module_path"]),
            ("state", "after", ["new_control", "new_type", "new_module_path"]),
        ],
    )
    content = str()
    fname = os.path.join(module.params["path"], module.params["name"])

    # Open the file and read the content or fail
    try:
        with open(fname, 'r') as service_file_obj:
            content = service_file_obj.read()
    except IOError as e:
        # If unable to read the file, fail out
        module.fail_json(msg='Unable to open/read PAM module file %s with error %s.' % (fname, str(e)))

    # Assuming we didn't fail, create the service
    service = PamdService(content)
    # Set the action
    action = module.params['state']

    changes = 0

    # Take action
    if action == 'updated':
        changes = service.update_rule(module.params['type'], module.params['control'], module.params['module_path'],
                                      module.params['new_type'], module.params['new_control'], module.params['new_module_path'],
                                      module.params['module_arguments'])
    elif action == 'before':
        changes = service.insert_before(module.params['type'], module.params['control'], module.params['module_path'],
                                        module.params['new_type'], module.params['new_control'], module.params['new_module_path'],
                                        module.params['module_arguments'])
    elif action == 'after':
        changes = service.insert_after(module.params['type'], module.params['control'], module.params['module_path'],
                                       module.params['new_type'], module.params['new_control'], module.params['new_module_path'],
                                       module.params['module_arguments'])
    elif action == 'args_absent':
        changes = service.remove_module_arguments(module.params['type'], module.params['control'], module.params['module_path'],
                                                  module.params['module_arguments'])
    elif action == 'args_present':
        if [arg for arg in parse_module_arguments(module.params['module_arguments']) if arg.startswith("[")]:
            module.fail_json(msg="Unable to process bracketed '[' complex arguments with 'args_present'. Please use 'updated'.")

        changes = service.add_module_arguments(module.params['type'], module.params['control'], module.params['module_path'],
                                               module.params['module_arguments'])
    elif action == 'absent':
        changes = service.remove(module.params['type'], module.params['control'], module.params['module_path'])

    valid, msg = service.validate()

    # If the module is not valid (meaning one of the rules is invalid), we will fail
    if not valid:
        module.fail_json(msg=msg)

    result = dict(
        changed=(changes > 0),
        change_count=changes,
        backupdest='',
    )

    # If not check mode and something changed, backup the original if necessary then write out the file or fail
    if not module.check_mode and result['changed']:
        # First, create a backup if desired.
        if module.params['backup']:
            result['backupdest'] = module.backup_local(fname)
        try:
            temp_file = NamedTemporaryFile(mode='w', dir=module.tmpdir, delete=False)
            with open(temp_file.name, 'w') as fd:
                fd.write(str(service))

        except IOError:
            module.fail_json(msg='Unable to create temporary \
                                    file %s' % temp_file)

        module.atomic_move(temp_file.name, os.path.realpath(fname))

    module.exit_json(**result)


if __name__ == '__main__':
    main()