Commit graph

31 commits

Author SHA1 Message Date
kucharskim
1dea661ce8 Allow 13 asterisk characters in password field without warning (#54893)
On OpenBSD, 13 asterisk characters as a password hash, marks the
account as disabled. Otherwise daily(8) script which executes
security(8) will email operator about not properly locked accounts.

Before the diff, we see following warning:

> [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

After the diff, warning is gone.
2019-09-04 11:49:16 -04:00
Sam Doran
c485a1b91e
Fix sanity tests based on newer version of shellcheck (#60423)
- change egrep to grep -E
- store exit codes and check them directly
- ignore SC1091
2019-08-12 16:24:28 -04:00
Marius Gedminas
c71622b31a user: createhome=no home=/no/such/dir (#60310)
Fixes #60307.

This bug was introduced in commit d2edf1d435
("User - Create parent directories if they do not exist in the specified
home path (#51043)") and did not make it into any releases.
2019-08-12 10:37:45 -04:00
Maciej Delmanowski
75be309242 Don't warn if local user is found in user database (#56838)
If the 'local' parameter of the 'user' Ansible module is enabled, and
the user has been found in the local user database, don't emit
a warning, because this is an expected outcome.

Add changelog and integration tests

Co-authored-by: drybed <drybjed@gmail.com>
2019-07-31 12:14:22 -04:00
Sam Doran
8edad83ae0
User - make groups and append mutually exclusive with local (#59309)
* Update intigration tests
2019-07-19 16:05:15 -04:00
Sam Doran
d2edf1d435 User - Create parent directories if they do not exist in the specified home path (#51043)
* Create a user home directory if it has parents that do not exist

The useradd command line tool does not create parent directories. Check if the specified home path has parents that do not exist. If so, create them prior to running useradd, then set the proper permission on the created directory.

Add tests

Signed-off-by: Sam Doran <sdoran@redhat.com>

* Use dict for default user group in tests

Signed-off-by: Sam Doran <sdoran@redhat.com>

* Fix tests

Signed-off-by: Sam Doran <sdoran@redhat.com>
2019-07-18 10:19:11 -04:00
Sam Doran
20ad120829 Omit -A and -G options in local mode since luseradd does not support these (#55401)
Add integration tests
2019-06-27 14:46:38 -04:00
Sam Doran
b4e83642c8
Properly reset timezone in user test when it was originally n/a (#55389) 2019-04-16 14:12:13 -04:00
Matt Clay
8d96af2df5
Use correct python for -c invocations in tests. (#54577)
* Use correct python for -c invocations in tests.
* Only set releasever when available.
2019-03-29 01:19:51 -07:00
Sam Doran
1e595493d9
User module - Check local database when local is specified in the task (#51088)
The output of pw.getpwnam() does not distinbuish between local and remote accounts. It will return a result if an account exists locally or in the directory. When local is set to True in the task parameters, look through the local password database explicitly.

* Ensure luseradd is present for tests
* Add docs and warnings about local mode
2019-03-14 22:16:53 -04:00
Matt Clay
687279c7bd Set user expires on FreeBSD using UTC. (#52276) 2019-02-18 09:59:13 -05:00
Matt Clay
d2a7cc0b9f Fix integration tests to support remote hosts. 2019-01-24 19:57:04 -08:00
Strahinja Kustudic
eb8294e6d9 Fix create home dir fallback (#49262)
When a user home dir is not created with `useradd`, the home dir will now
be created with umask from /etc/login.defs. Also fixed a bug in which
after a local user is deleted, and the same user exists in the central
user management system, the module would create that user's home.
2019-01-14 16:01:26 -05:00
Christopher Gadd
f75a84e382 make password locking in user module idempotent (#43671)
* Simplify logic and add FreeBSD & NetBSD

* Remove incorrect flag for lock and unlock on FreeBSD

* Add tests and changelog


Co-authored-by: Chris Gadd <gaddman@email.com>
2018-11-08 21:29:38 -05:00
Martin Krizek
41dfc5162f user: fix removing the expiry time when it's 0 (#47115)
* user: fix removing the expiry time when it's 0

* Improve tests and add changelog

Co-authored-by: Martin Krizek <martin.krizek@gmail.com>
2018-11-07 16:44:34 -05:00
Sam Doran
066af3b6ca
User module - allow bang and exclamation in password field without warning (#46498)
* Allow bang and exclamation without warning

Allow the password field to be ! or * without warning when using this feature to create accounts that are locked.

Add documentation  and tests to cover this.

* Use set() rather than braces for Python 2.6
2018-11-05 16:35:10 -05:00
Martin Krizek
a0aa53d1a1 user: do not pass ssh_key_passphrase on cmdline
CVE-2018-16837

Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
2018-10-22 14:00:55 -04:00
Sam Doran
df335d91b0
Properly un expire account on creation (#44174)
When creating a new account, check to see if the expiration parameter is negative and pass in the appropriate parameter. Since the negative integer passed into expires is converted to time.struct_time which in turn gets converted to a formatted time string when passed to the underlying command, a -1 or large negative number would result in passing a date before 1970-01-01 to the underlying command.

This had the opposite effect of creating an account with no expiration account resulting in a newly created account that was already expired, or just throwing an error on certain systems.
2018-08-23 12:29:33 -04:00
Sam Doran
00e7c020b2 Add backup feature to user module (#41854)
*  Add backup option

* Only backup shadow file when the OS has one

* Only backup shadow file for SunOS

* Update docs on backup feature

* Add changelog fragment

* Add tests for shadow backup

* Remove backup option, make it automatic

Remove the option to enable/disable backups and make it automatic. Add note to docs describing this behavior.

Change tests to account for new module behavior.

Change section name in changelog fragment since minor_features is not a valid section.
2018-08-15 16:22:26 -04:00
Zhikang Zhang
b20d903cc4 Give warning if user inputs not encrypted password to user module (#43615)
* Check the password format

Check the password format and notify user if they
input unencrypted password.

* Fix sanity error

* Add integration test

* Missed a task name

* Hard code the testing password

Since some testing platfrom has no passlib installed

* Add changelog fragment

* Rework some English sentences

* Fix a grammar mistake
2018-08-13 12:45:37 -04:00
Matt Clay
4e489d1be8
Update Shippable integration test groups. (#43118)
* Update Shippable integration test groups.
* Update integration test group aliases.
* Rebalance AWS and Azure tests with extra group.
* Rebalance Windows tests with another group.
2018-07-23 20:46:22 -07:00
Sam Doran
0ca61e9d87
Only report change when home directory is different on FreeBSD (#42865)
* Only report change when home directory is different

Add tests with home: parameter

Have to skip macOS for now since there is a bug when specifying the home directory path for an existing user that results in a module failure. That needs to be fixed in a separate PR.
2018-07-19 10:07:00 -04:00
Brian Coca
677fe1076d
User unexpire (#39758)
* Allow negative values to expires to unexpire a user

Fixes #20096

(cherry picked from commit 34f8080a19)
(cherry picked from commit 54619f70f4)
(cherry picked from commit 8c2fae27d6)
(cherry picked from commit db1a32f8ca)

* tweaked and normalized

 - also added tests, made checking resilient
2018-05-17 11:34:13 -04:00
Sam Doran
5a6bdef76b Only change expiration date if it is different (#38885)
* Only change expiration date if it is different

Modify user_info() method to also return the password expiration.
Compare current and desired expiration times and only change if they are different.

* Improve formatting on user tests

* Add integration test for expiration

* Add changelog fragment

* Improve integration test

Skip macOS and use getent module for validating expiration date.

* Fix expiration change for FreeBSD

* Don't use datetime since the total_seconds method isn't available on CentOS 6

* Use better name for expiration index field

Use separate tasks for verifying expiration date on BSD

* Use calendar.timegm() rather than time.mktime()

calendar.timegm() is the inverse of time.gmtime() and returns a timestamp in UTC not localtime
Add tests that change the system timezone away from UTC

* Mark tests as destructive and use test for change status

* Fix account expiration for FreeBSD

Use DATE_FORMAT when setting expiration date on FreeBSD. Previously the argument passed to -e was an integer of days since epoch when the account will expire which was inserted directly into master.passwd. This value is interpreted as seconds since epoch by the system, meaning the account expiration was actually set to a few hours past epoch.

Greatly simply comparing desired  and current expiration time by using the first three values of the struct_time tuple rather than doing a whole bunch of manipulations of the seconds since epoch.
2018-05-01 11:19:01 -04:00
Matt Clay
9599630976
Fixes for dnf and user integration tests. (#34603)
* Fix user test.
* Use `dnf` instead of `yum` in dnf test.
* Install correct version of rpmfluff for tests.
2018-01-08 16:36:53 -08:00
Matt Martz
4fe08441be Deprecate tests used as filters (#32361)
* Warn on tests used as filters

* Update docs, add aliases for tests that fit more gramatically with test syntax

* Fix rst formatting

* Add successful filter, alias of success

* Remove renamed_deprecation, it was overkill

* Make directory alias for is_dir

* Update tests to use proper jinja test syntax

* Update additional documentation, living outside of YAML files, to reflect proper jinja test syntax

* Add conversion script, porting guide updates, and changelog updates

* Update newly added uses of tests as filters

* No underscore variable

* Convert recent tests as filter changes to win_stat

* Fix some changes related to rebasing a few integration tests

* Make tests_as_filters_warning explicitly accept the name of the test, instead of inferring the name

* Add test for tests_as_filters_warning

* Update tests as filters in newly added/modified tests

* Address recent changes to several integration tests

* Address recent changes in cs_vpc
2017-11-27 17:58:08 -05:00
Reid Wahl
5f90169d73 modules/system/user.py: Change createhome to create_home (#30179) 2017-09-20 17:34:49 -07:00
Martin Krizek
32d6b1d0e0 user: fix default non-system user's shell on macOS 2017-09-19 18:11:22 -04:00
Matt Clay
496280858d Revert "Temporarily disable test which fails in group run."
This reverts commit 99d328976d.
2017-05-11 20:26:32 +08:00
Matt Clay
99d328976d Temporarily disable test which fails in group run. 2017-05-11 16:22:12 +08:00
jctanner
e9c2546ffe Add integration test targets for core supported modules (#24217)
A preliminary set of test targets for "core" supported module that had no independent tests. These will also help us ensure python3 compatibility for those modules and prevent future regressions.
2017-05-10 09:19:11 -04:00