diff options
| author | Sam Doran <sdoran@redhat.com> | 2021-01-11 14:11:26 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-11 13:11:26 -0600 |
| commit | b4b1bf993269e32056bc5d94c75641757df9d466 (patch) | |
| tree | cdc9530a2c28d3b2d63991be4260238fc6d60d4f /lib/ansible/modules | |
| parent | 6ba066fc9e0e403b0c705cd39c6af824c07ea8a0 (diff) | |
| download | ansible-b4b1bf993269e32056bc5d94c75641757df9d466.tar.gz | |
[stable-2.10] user - properly handle password and password lock when used together (#73016) (#73177)
Do the right thing on Linux when password lock and a password hash are provided by writing
out the password hash prepended by the appropriate lock string rather than using -U and -L.
This is the correct way to set and lock the account in one command.
On BSD, run separate commands as appropriate since locking and setting the password cannot
be done in a single action.
FreeBSD requires running several commands to get the account in the desired state. As a result,
the rc, output, and error from all commands need to be combined and evaluated so an accurate
and complete summary can be given at the end of module execution.
* Improve integration tests to cover this scenario.
* Break up user integration tests into smaller files
* Properly lock account when creating a new account and password is supplied
* Simplify rc collection in FreeBSD class
Since the _handle_lock() method was added, the rc would be set to None, which could make
task change reporting incorrect. My first attempt to solve this used a set and was a bit too
complicated. Simplify it my comparing the rc from _handle_lock() and the current value of rc.
* Improve the Linux password hash and locking behavior
If password lock and hash are provided, set the hash and lock the account by using a password
hash since -L cannot be used with -p.
* Ensure -U and -L are not combined with -p since they are mutually exclusive to usermod.
* Clarify password_lock behavior..
(cherry picked from commit 264e08f21a15213a4db76339888d3dfa2f2d6abb)
Co-authored-by: Sam Doran <sdoran@redhat.com>
Diffstat (limited to 'lib/ansible/modules')
| -rw-r--r-- | lib/ansible/modules/user.py | 104 |
1 files changed, 72 insertions, 32 deletions
diff --git a/lib/ansible/modules/user.py b/lib/ansible/modules/user.py index c57fadc99e..0e37cbf531 100644 --- a/lib/ansible/modules/user.py +++ b/lib/ansible/modules/user.py @@ -192,9 +192,10 @@ options: version_added: "1.9" password_lock: description: - - Lock the password (usermod -L, pw lock, usermod -C). - - BUT implementation differs on different platforms, this option does not always mean the user cannot login via other methods. - - This option does not disable the user, only lock the password. Do not change the password in the same task. + - Lock the password (C(usermod -L), C(usermod -U), C(pw lock)). + - Implementation differs by platform. This option does not always mean the user cannot login using other methods. + - This option does not disable the user, only lock the password. + - This must be set to C(False) in order to unlock a currently locked password. The absence of this parameter will not unlock a password. - Currently supported on Linux, FreeBSD, DragonFlyBSD, NetBSD, OpenBSD. type: bool version_added: "2.6" @@ -658,7 +659,10 @@ class User(object): if self.password is not None: cmd.append('-p') - cmd.append(self.password) + if self.password_lock: + cmd.append('!%s' % self.password) + else: + cmd.append(self.password) if self.create_home: if not self.local: @@ -844,9 +848,15 @@ class User(object): # usermod will refuse to unlock a user with no password, module shows 'changed' regardless cmd.append('-U') - if self.update_password == 'always' and self.password is not None and info[1] != self.password: + if self.update_password == 'always' and self.password is not None and info[1].lstrip('!') != self.password.lstrip('!'): + # Remove options that are mutually exclusive with -p + cmd = [c for c in cmd if c not in ['-U', '-L']] cmd.append('-p') - cmd.append(self.password) + if self.password_lock: + # Lock the account and set the hash in a single command + cmd.append('!%s' % self.password) + else: + cmd.append(self.password) (rc, out, err) = (None, '', '') @@ -1208,6 +1218,31 @@ class FreeBsdUser(User): SHADOWFILE_EXPIRE_INDEX = 6 DATE_FORMAT = '%d-%b-%Y' + def _handle_lock(self): + info = self.user_info() + if self.password_lock and not info[1].startswith('*LOCKED*'): + cmd = [ + self.module.get_bin_path('pw', True), + 'lock', + self.name + ] + if self.uid is not None and info[2] != int(self.uid): + cmd.append('-u') + cmd.append(self.uid) + return self.execute_command(cmd) + elif self.password_lock is False and info[1].startswith('*LOCKED*'): + cmd = [ + self.module.get_bin_path('pw', True), + 'unlock', + self.name + ] + if self.uid is not None and info[2] != int(self.uid): + cmd.append('-u') + cmd.append(self.uid) + return self.execute_command(cmd) + + return (None, '', '') + def remove_user(self): cmd = [ self.module.get_bin_path('pw', True), @@ -1279,6 +1314,7 @@ class FreeBsdUser(User): # system cannot be handled currently - should we error if its requested? # create the user (rc, out, err) = self.execute_command(cmd) + if rc is not None and rc != 0: self.module.fail_json(name=self.name, msg=err, rc=rc) @@ -1290,7 +1326,18 @@ class FreeBsdUser(User): self.password, self.name ] - return self.execute_command(cmd) + _rc, _out, _err = self.execute_command(cmd) + if rc is None: + rc = _rc + out += _out + err += _err + + # we have to lock/unlock the password in a distinct command + _rc, _out, _err = self._handle_lock() + if rc is None: + rc = _rc + out += _out + err += _err return (rc, out, err) @@ -1394,45 +1441,38 @@ class FreeBsdUser(User): cmd.append('-e') cmd.append(str(calendar.timegm(self.expires))) + (rc, out, err) = (None, '', '') + # modify the user if cmd will do anything if cmd_len != len(cmd): - (rc, out, err) = self.execute_command(cmd) + (rc, _out, _err) = self.execute_command(cmd) + out += _out + err += _err + if rc is not None and rc != 0: self.module.fail_json(name=self.name, msg=err, rc=rc) - else: - (rc, out, err) = (None, '', '') # we have to set the password in a second command - if self.update_password == 'always' and self.password is not None and info[1] != self.password: + if self.update_password == 'always' and self.password is not None and info[1].lstrip('*LOCKED*') != self.password.lstrip('*LOCKED*'): cmd = [ self.module.get_bin_path('chpass', True), '-p', self.password, self.name ] - return self.execute_command(cmd) + _rc, _out, _err = self.execute_command(cmd) + if rc is None: + rc = _rc + out += _out + err += _err # we have to lock/unlock the password in a distinct command - if self.password_lock and not info[1].startswith('*LOCKED*'): - cmd = [ - self.module.get_bin_path('pw', True), - 'lock', - self.name - ] - if self.uid is not None and info[2] != int(self.uid): - cmd.append('-u') - cmd.append(self.uid) - return self.execute_command(cmd) - elif self.password_lock is False and info[1].startswith('*LOCKED*'): - cmd = [ - self.module.get_bin_path('pw', True), - 'unlock', - self.name - ] - if self.uid is not None and info[2] != int(self.uid): - cmd.append('-u') - cmd.append(self.uid) - return self.execute_command(cmd) + _rc, _out, _err = self._handle_lock() + if rc is None: + rc = _rc + out += _out + err += _err + return (rc, out, err) |