From 4229db1bbec16f7a8401acf296f97763d3f55c35 Mon Sep 17 00:00:00 2001
From: Gregory Furlong
Date: Tue, 13 Dec 2022 17:27:59 -0500
Subject: [PATCH] Fix issue where interfaces could not be added to a zone when firewalld is offline. Resolves issue #357.
---
 plugins/modules/firewalld.py | 14 +--
 .../firewalld/tasks/interface_test_cases.yml | 87 +++++++++++++++++++
 .../targets/firewalld/tasks/run_all_tests.yml | 3 +
 3 files changed, 97 insertions(+), 7 deletions(-)
 create mode 100644 tests/integration/targets/firewalld/tasks/interface_test_cases.yml
diff --git a/plugins/modules/firewalld.py b/plugins/modules/firewalld.py
index 39a3b18..960a42d 100644
--- a/plugins/modules/firewalld.py
+++ b/plugins/modules/firewalld.py
@@ -469,6 +469,7 @@ class InterfaceTransaction(FirewallTransaction):
 old_zone_obj = self.fw.config.get_zone(zone)
 if interface in old_zone_obj.interfaces:
 iface_zone_objs.append(old_zone_obj)
+
 if len(iface_zone_objs) > 1:
 # Even it shouldn't happen, it's actually possible that
 # the same interface is in several zone XML files
@@ -478,18 +479,17 @@ class InterfaceTransaction(FirewallTransaction):
 len(iface_zone_objs)
 )
 )
- old_zone_obj = iface_zone_objs[0]
- if old_zone_obj.name != self.zone:
- old_zone_settings = FirewallClientZoneSettings(
- self.fw.config.get_zone_config(old_zone_obj)
- )
+ elif len(iface_zone_objs) == 1 and iface_zone_objs[0].name != self.zone:
+ old_zone_obj = iface_zone_objs[0]
+ old_zone_config = self.fw.config.get_zone_config(old_zone_obj)
+ old_zone_settings = FirewallClientZoneSettings(list(old_zone_config))
 old_zone_settings.removeInterface(interface) # remove from old
 self.fw.config.set_zone_config(
 old_zone_obj,
 old_zone_settings.settings
 )
- fw_settings.addInterface(interface) # add to new
- self.fw.config.set_zone_config(fw_zone, fw_settings.settings)
+ fw_settings.addInterface(interface) # add to new
+ self.fw.config.set_zone_config(fw_zone, fw_settings.settings)
 else:
 old_zone_name = self.fw.config().getZoneOfInterface(interface)
 if old_zone_name != self.zone:
diff --git a/tests/integration/targets/firewalld/tasks/interface_test_cases.yml b/tests/integration/targets/firewalld/tasks/interface_test_cases.yml
new file mode 100644
index 0000000..e7130f7
--- /dev/null
+++ b/tests/integration/targets/firewalld/tasks/interface_test_cases.yml
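Review bot: `fw_settings.addInterface(interface)` at the end of this hunk now runs unconditionally in the offline branch, including the case the old `if old_zone_obj.name != self.zone` skipped — the interface already present in the target zone's permanent settings. As far as I recall firewalld's client bindings, `FirewallClientZoneSettings.addInterface` raises `FirewallError(ALREADY_ENABLED)` for a duplicate, so the new shape relies on the transaction's `run()` calling `set_enabled_permanent()` only after `get_enabled_permanent()` reported the interface absent; the "verify not changed" integration tests suggest that holds, but a comment on the `addInterface` line such as `# reached only when interface is not yet in self.zone (caller checks get_enabled_permanent first)` would make the contract visible. The `list(old_zone_config)` wrapper is likewise unexplained; one line saying why a copy of the returned settings is taken would spare the next reader a trip into firewalld's config API. The `elif` could also read `elif iface_zone_objs and iface_zone_objs[0].name != self.zone:` since the `> 1` case has already been rejected above it. The enclosing method starts before and continues past this hunk.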
@@ -0,0 +1,87 @@
+# Test playbook for the firewalld module - interface operations
+# (c) 2022, Gregory Furlong
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+- name: Validate adding interface
+ block:
+ - name: Add lo interface to trusted zone
+ ansible.posix.firewalld:
+ interface: lo
+ zone: trusted
+ permanent: Yes
+ state: enabled
+ register: result
+
+ - name: assert lo was added to trusted zone
+ assert:
+ that:
+ - result is changed
+
+ - name: Add lo interface to trusted zone (verify not changed)
+ ansible.posix.firewalld:
+ interface: lo
+ zone: trusted
+ permanent: Yes
+ state: enabled
+ register: result
+
+ - name: assert lo was added to trusted zone (verify not changed)
+ assert:
+ that:
+ - result is not changed
+
+- name: Validate moving interfaces
+ block:
+ - name: Move lo interface from trusted zone to internal zone
+ ansible.posix.firewalld:
+ interface: lo
+ zone: internal
+ permanent: Yes
+ state: enabled
+ register: result
+
+ - name: Assert lo was moved from trusted zone to internal zone
+ assert:
+ that:
+ - result is changed
+
+ - name: Move lo interface from trusted zone to internal zone (verify not changed)
+ ansible.posix.firewalld:
+ interface: lo
+ zone: internal
+ permanent: Yes
+ state: enabled
+ register: result
+
+ - name: assert lo was moved from trusted zone to internal zone (verify not changed)
+ assert:
+ that:
+ - result is not changed
+
+- name: Validate removing interface
+ block:
+ - name: Remove lo interface from internal zone
+ ansible.posix.firewalld:
+ interface: lo
+ zone: internal
+ permanent: Yes
+ state: disabled
+ register: result
+
+ - name: Assert lo interface was removed from internal zone
+ assert:
+ that:
+ - result is changed
+
+ - name: Remove lo interface from internal zone (verify not changed)
+ ansible.posix.firewalld:
+ interface: lo
+ zone: internal
+ permanent: Yes
+ state: disabled
+ register: result
+
+ - name: Assert lo interface was removed from internal zone (verify not changed)
+ assert:
+ that:
+ - result is not changed
diff --git a/tests/integration/targets/firewalld/tasks/run_all_tests.yml b/tests/integration/targets/firewalld/tasks/run_all_tests.yml
index 4270e89..b7540f3 100644
--- a/tests/integration/targets/firewalld/tasks/run_all_tests.yml
+++ b/tests/integration/targets/firewalld/tasks/run_all_tests.yml
@@ -21,3 +21,6 @@ # firewalld port forwarding operation test cases
 - include_tasks: port_forward_test_cases.yml
+
+# firewalld interface operation test cases
+- include_tasks: interface_test_cases.yml
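Review bot: Every assertion in this new file checks only the module's own `changed` flag and never the resulting firewalld configuration, so a regression that reports `changed: true` without actually writing `lo` into the zone file (the failure mode #357 is about) would still pass; after each mutating task a read-back such as `command: firewall-offline-cmd --zone=internal --list-interfaces` (or `firewall-cmd --permanent --get-zone-of-interface=lo` when the daemon is running) with an assert on its stdout would pin the behaviour. The three blocks also carry no `always:` cleanup, so an assertion failing mid-way leaves `lo` in the `trusted` or `internal` permanent zone on the test host and can skew later test cases and reruns. `permanent: Yes` is a YAML 1.1 boolean that ansible-lint's `yaml[truthy]` rule flags; `permanent: true` avoids the lint noise.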