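# Integration test for the `password_lock` option of the `user` module.
#
# Part 1 checks idempotency: locking or unlocking twice in a row must report
# "changed" only the first time, both with and without the `password`
# parameter supplied alongside `password_lock`.
# Part 2 checks the real account state on the host after a lock and after an
# unlock (FreeBSD via a status command, Linux via the shadow database).
#
# The `password` value below is a crypt(3) SHA-512 hash (`$6$`, explicit
# `rounds=`). It is a test fixture only: anything committed to version control
# is public, so this hash must never be reused for a real account.
- name: Test password lock
  when: ansible_facts.system in ['FreeBSD', 'OpenBSD', 'Linux']
  block:
    # Start from a clean slate so earlier runs cannot influence the
    # changed/not-changed results asserted further down.
    - name: Remove ansibulluser
      user:
        name: ansibulluser
        state: absent
        remove: true

    - name: Create ansibulluser with password
      user:
        name: ansibulluser
        password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS."

    # --- Part 1a: lock/unlock without passing `password` -------------------
    - name: Lock account without password parameter
      user:
        name: ansibulluser
        password_lock: true
      register: password_lock_1

    - name: Lock account without password parameter again
      user:
        name: ansibulluser
        password_lock: true
      register: password_lock_2

    - name: Unlock account without password parameter
      user:
        name: ansibulluser
        password_lock: false
      register: password_lock_3

    - name: Unlock account without password parameter again
      user:
        name: ansibulluser
        password_lock: false
      register: password_lock_4

    # --- Part 1b: lock/unlock while also passing the same `password` -------
    # The hash is identical to the one set at creation, so any reported
    # change must come from the lock state and not from a password update.
    - name: Lock account with password parameter
      user:
        name: ansibulluser
        password_lock: true
        password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS."
      register: password_lock_5

    - name: Lock account with password parameter again
      user:
        name: ansibulluser
        password_lock: true
        password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS."
      register: password_lock_6

    - name: Unlock account with password parameter
      user:
        name: ansibulluser
        password_lock: false
        password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS."
      register: password_lock_7

    - name: Unlock account with password parameter again
      user:
        name: ansibulluser
        password_lock: false
        password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS."
      register: password_lock_8

    # Odd-numbered results are the first lock/unlock of each pair (a real
    # state change); even-numbered results repeat it and must be no-ops.
    - name: Ensure task reported changes appropriately
      assert:
        msg: The password_lock tasks did not make changes appropriately
        that:
          - password_lock_1 is changed
          - password_lock_2 is not changed
          - password_lock_3 is changed
          - password_lock_4 is not changed
          - password_lock_5 is changed
          - password_lock_6 is not changed
          - password_lock_7 is changed
          - password_lock_8 is not changed

    # --- Part 2: verify the lock is really applied on the host -------------
    - name: Lock account
      user:
        name: ansibulluser
        password_lock: true

    - name: Verify account lock for BSD
      when: ansible_facts.system in ['FreeBSD', 'OpenBSD']
      block:
        # `status_command` is defined outside this file. It is templated
        # straight into a shell, so it has to remain a trusted, static
        # mapping keyed by system name and never carry external input.
        - name: BSD | Get account status
          shell: "{{ status_command[ansible_facts['system']] }}"
          register: account_status_locked

        - name: Unlock account
          user:
            name: ansibulluser
            password_lock: false

        - name: BSD | Get account status
          shell: "{{ status_command[ansible_facts['system']] }}"
          register: account_status_unlocked

        # NOTE(review): only FreeBSD output is asserted. On OpenBSD the
        # status is collected above but never checked, so a lock regression
        # there would not fail this test.
        - name: FreeBSD | Ensure account is locked
          assert:
            that:
              - "'LOCKED' in account_status_locked.stdout"
              - "'LOCKED' not in account_status_unlocked.stdout"
          when: ansible_facts['system'] == 'FreeBSD'

    - name: Verify account lock for Linux
      when: ansible_facts.system == 'Linux'
      block:
        # `getent` stores the shadow entry in the `getent_shadow` fact; the
        # assertions below read element 0 as the password field.
        - name: LINUX | Get account status
          getent:
            database: shadow
            key: ansibulluser

        # A leading '!' in the password field is what the test treats as
        # "locked". This blocks password authentication only; other login
        # methods (for example SSH public keys) are not covered by this lock
        # and are not exercised here.
        - name: LINUX | Ensure account is locked
          assert:
            that:
              - getent_shadow['ansibulluser'][0].startswith('!')

        - name: Unlock account
          user:
            name: ansibulluser
            password_lock: false

        # Re-read the shadow entry so the next assertion sees fresh data.
        - name: LINUX | Get account status
          getent:
            database: shadow
            key: ansibulluser

        - name: LINUX | Ensure account is unlocked
          assert:
            that:
              - not getent_shadow['ansibulluser'][0].startswith('!')

  # Runs even when a task above fails, so an aborted run does not leave the
  # test account locked for later tests.
  # NOTE(review): the account and its fixture hash are left in place after
  # this file finishes; confirm that a later step removes ansibulluser.
  always:
    - name: Unlock account
      user:
        name: ansibulluser
        password_lock: false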