caaacc9 Include indirect membership and canonicalize hosts during HBAC rules testing

1 file Authored by abbra 12 years ago, Committed by rcritten 12 years ago,
    Include indirect membership and canonicalize hosts during HBAC rules testing
    
    When users and hosts are included into groups indirectly, make sure that
    during HBAC test we fill in all indirect groups properly into an HBAC request.
    
    Also, if hosts provided for test are not specified fully, canonicalize them
    using IPA domain.
    
    This makes the following requests possible:
    ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd
    
    Request to evaluate:
     <user <name foobar groups [hbacusers,ipausers]>
      service <name sshd groups []>
      targethost <name vm-101.ipa.local groups []>
      srchost <name vm-101.ipa.local groups []>
     >
    
    Fixes:
    https://fedorahosted.org/freeipa/ticket/1862
    https://fedorahosted.org/freeipa/ticket/1949
    
        
file modified
+23 -7
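
The request shown in the commit message can be reproduced with the added example below. It is an illustration written for this page, not code from the FreeIPA patch: the membership data, the rule, the function names, and the simplified matcher are all constructed assumptions. It shows why a request built from direct groups and the host name as typed can miss a rule that the expanded, canonicalized request matches.

```python
# Added illustration, not FreeIPA code; every name and value below is constructed.
IPA_DOMAIN = "ipa.local"  # domain as it appears in the commit message's sample output

# Constructed direct memberships: member -> groups it belongs to directly.
USER_PARENTS = {"foobar": ["hbacusers"], "hbacusers": ["ipausers"]}
HOST_PARENTS = {}  # vm-101 is in no host group, as in the sample output

# Constructed rule: members of ipausers may use sshd on vm-101.ipa.local.
RULE = {"usergroups": {"ipausers"}, "hosts": {"vm-101.ipa.local"}, "services": {"sshd"}}


def canonicalize_host(name, domain=IPA_DOMAIN):
    """Qualify a short host name; a name containing a dot is assumed to be full."""
    if not name:
        raise ValueError("empty host name")
    return name if "." in name else f"{name}.{domain}"


def all_groups(member, parents):
    """Direct and indirect groups of member; tolerates membership cycles."""
    seen, stack = set(), list(parents.get(member, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(parents.get(group, []))
    return sorted(seen)


def build_request(user, service, host, srchost, expand=True):
    """expand=False keeps direct groups only and the host names as typed."""
    if expand:
        host, srchost = canonicalize_host(host), canonicalize_host(srchost)
    groups = all_groups if expand else (lambda m, p: sorted(p.get(m, [])))
    return {"user": {"name": user, "groups": groups(user, USER_PARENTS)},
            "service": {"name": service, "groups": []},
            "targethost": {"name": host, "groups": groups(host, HOST_PARENTS)},
            "srchost": {"name": srchost, "groups": groups(srchost, HOST_PARENTS)}}


def rule_matches(rule, req):
    """Simplified matcher (an assumption, not the real HBAC evaluator)."""
    return (bool(rule["usergroups"] & set(req["user"]["groups"]))
            and req["targethost"]["name"] in rule["hosts"]
            and req["service"]["name"] in rule["services"])


if __name__ == "__main__":
    for expand in (False, True):
        req = build_request("foobar", "sshd", "vm-101", "vm-101", expand=expand)
        print(expand, req, rule_matches(RULE, req))
```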