fix: use correct spacing before tags

[richm]

Cause: The space before user spec tags was handled incorrectly.

Consequence: If you specified selinux_type and selinux_role, there was no
space before the tag, and sudo would issue an error trying to parse the
generated file.

Fix: Ensure the generated sudoers uses correct spacing before the tags.

Result: Users can specify selinux_type and selinux_role and have a correctly
formatted sudoers.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by CodeRabbit

• Changes

  • Updated sudoers template formatting to improve output whitespace handling.

• Tests

  • Added test coverage for SELinux type and role configurations in sudoers management.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds SELinux type and role tags support to the sudo role's sudoers template with test coverage. The template's whitespace control was updated for the optional tags block, a test playbook was created to validate the feature, and a golden sudoers file captures the expected output format.

Changes

SELinux tags support

Layer / File(s)	Summary
Template whitespace control for tags line templates/sudoers.j2	Updated the Jinja2 conditional that renders the {{ spec.tags | join(":") }}: line to adjust trailing whitespace and newline trimming.
Test playbook and expected output for SELinux tags tests/tests_selinux_tags.yml, tests/files/tests_selinux_tags_cloud_init.ok	Added test playbook that configures user specifications with unconfined SELinux context and NOPASSWD tags, renders the sudoers output via the role, and asserts it matches the golden file containing the expected maintuser rule format.

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Format	⚠️ Warning	PR description lacks required template sections. Missing "Enhancement:" or "Feature:", "Reason:", and "Result:" headers required by .github/pull_request_template.md.	Reformat PR description to follow template: Enhancement: [what changed], Reason: [why needed], Result: [outcome], plus optional Issue Tracker Tickets section.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'fix: use correct spacing before tags' follows Conventional Commits format with valid 'fix' type and clearly describes the main change in the changeset.
Description check	✅ Passed	The PR description provides clear context about the cause, consequence, fix, and result, though it does not follow the provided template structure with sections like 'Enhancement', 'Reason', and 'Result' headings.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[richm]

fixes #67

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@36574a0). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #123   +/-   ##
=======================================
  Coverage        ?   47.76%           
=======================================
  Files           ?        2           
  Lines           ?      381           
  Branches        ?        0           
=======================================
  Hits            ?      182           
  Misses          ?      199           
  Partials        ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/tests_selinux_tags.yml`:
- Around line 6-95: Update tests/tests_selinux_tags.yml to add a negative
assertion and an idempotence run: after the first "Run the role" and the "Check
cloud-init users sudoers include" step, add a task that asserts the malformed
no-space SELinux/tag pattern is absent from the generated file (use
__sudo_test_path = /etc/sudoers.d/90-cloud-init-users and e.g. a grep/assert
task to ensure a pattern like "NOPASSWDunconfined_t" does not exist), then
invoke the same include_tasks used earlier (tasks/run_role_with_clear_facts.yml
with the same vars: sudo_rewrite_default_sudoers_file,
sudo_remove_unauthorized_included_files, sudo_sudoers_files) to perform an
idempotence pass and re-run the existing "Check cloud-init users sudoers
include" (include_tasks: tasks/assert_files_identical.yml with __sudo_ok_path
and __sudo_test_path) to verify no failures or changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 560cc5af-5b40-4de3-aa33-2f8c72a62273

📥 Commits

Reviewing files that changed from the base of the PR and between 36574a0 and 3d77cd8.

📒 Files selected for processing (3)

• templates/sudoers.j2
• tests/files/tests_selinux_tags_cloud_init.ok
• tests/tests_selinux_tags.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit failure-path and idempotence checks to this test.

This playbook currently validates only the success path once. Please add a negative assertion (e.g., malformed no-space SELinux/tag pattern must be absent) and an idempotence pass (run the same role invocation again and verify no failure/regression).

As per coding guidelines, tests/tests_*.yml: "Tests should verify both success and failure scenarios" and "Tests should be idempotent - running twice should not cause failures".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/tests_selinux_tags.yml` around lines 6 - 95, Update
tests/tests_selinux_tags.yml to add a negative assertion and an idempotence run:
after the first "Run the role" and the "Check cloud-init users sudoers include"
step, add a task that asserts the malformed no-space SELinux/tag pattern is
absent from the generated file (use __sudo_test_path =
/etc/sudoers.d/90-cloud-init-users and e.g. a grep/assert task to ensure a
pattern like "NOPASSWDunconfined_t" does not exist), then invoke the same
include_tasks used earlier (tasks/run_role_with_clear_facts.yml with the same
vars: sudo_rewrite_default_sudoers_file,
sudo_remove_unauthorized_included_files, sudo_sudoers_files) to perform an
idempotence pass and re-run the existing "Check cloud-init users sudoers
include" (include_tasks: tasks/assert_files_identical.yml with __sudo_ok_path
and __sudo_test_path) to verify no failures or changes.

[richm]

[citest]