From 98260f9884fd265ea1037e3d58acf3cc50d2981a Mon Sep 17 00:00:00 2001
From: David Kretch <david.kretch@gmail.com>
Date: Wed, 13 Dec 2017 16:31:20 -0500
Subject: [PATCH] Fix pamd error when inserting a new rule at the end. Fixes
 #28487 (#28488)

* When inserting a new rule in `insert_after_rule`, check if the old rule is
the last rule, to avoid a list index out of range error when attempting to
access the next rule.
* Add a test for inserting a new rule after the last rule.
---
 lib/ansible/modules/system/pamd.py     | 5 ++++-
 test/units/modules/system/test_pamd.py | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/modules/system/pamd.py b/lib/ansible/modules/system/pamd.py
index d22e335cb80..965a373e82b 100644
--- a/lib/ansible/modules/system/pamd.py
+++ b/lib/ansible/modules/system/pamd.py
@@ -483,7 +483,10 @@ def insert_after_rule(service, old_rule, new_rule):
         if (old_rule.rule_type == rule.rule_type and
                 old_rule.rule_control == rule.rule_control and
                 old_rule.rule_module_path == rule.rule_module_path):
-            if (new_rule.rule_type != service.rules[index + 1].rule_type or
+            if (index == len(service.rules) - 1):
+                service.rules.insert(len(service.rules), new_rule)
+                changed = True
+            elif (new_rule.rule_type != service.rules[index + 1].rule_type or
                     new_rule.rule_control !=
                     service.rules[index + 1].rule_control or
                     new_rule.rule_module_path !=
diff --git a/test/units/modules/system/test_pamd.py b/test/units/modules/system/test_pamd.py
index 6538193610f..3203210f4fa 100644
--- a/test/units/modules/system/test_pamd.py
+++ b/test/units/modules/system/test_pamd.py
@@ -191,6 +191,15 @@ session   \trequired\tpam_unix.so"""
         line_to_test += str(new_rule).rstrip()
         self.assertIn(line_to_test, str(self.pamd))
 
+    def test_insert_after_rule_last_rule(self):
+        old_rule = PamdRule.rulefromstring('session   	required	pam_unix.so')
+        new_rule = PamdRule.rulefromstring('session   	required	pam_permit.so arg1 arg2 arg3')
+        insert_after_rule(self.pamd, old_rule, new_rule)
+        line_to_test = str(old_rule).rstrip()
+        line_to_test += '\n'
+        line_to_test += str(new_rule).rstrip()
+        self.assertIn(line_to_test, str(self.pamd))
+
     def test_remove_module_arguments_one(self):
         old_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so nullok try_first_pass')
         new_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so try_first_pass')