On OpenBSD, 13 asterisk characters as a password hash, marks the
account as disabled. Otherwise daily(8) script which executes
security(8) will email operator about not properly locked accounts.
Before the diff, we see following warning:
> [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.
After the diff, warning is gone.
Fixes#60307.
This bug was introduced in commit d2edf1d435
("User - Create parent directories if they do not exist in the specified
home path (#51043)") and did not make it into any releases.
If the 'local' parameter of the 'user' Ansible module is enabled, and
the user has been found in the local user database, don't emit
a warning, because this is an expected outcome.
Add changelog and integration tests
Co-authored-by: drybed <drybjed@gmail.com>
* Create a user home directory if it has parents that do not exist
The useradd command line tool does not create parent directories. Check if the specified home path has parents that do not exist. If so, create them prior to running useradd, then set the proper permission on the created directory.
Add tests
Signed-off-by: Sam Doran <sdoran@redhat.com>
* Use dict for default user group in tests
Signed-off-by: Sam Doran <sdoran@redhat.com>
* Fix tests
Signed-off-by: Sam Doran <sdoran@redhat.com>
The output of pw.getpwnam() does not distinbuish between local and remote accounts. It will return a result if an account exists locally or in the directory. When local is set to True in the task parameters, look through the local password database explicitly.
* Ensure luseradd is present for tests
* Add docs and warnings about local mode
When a user home dir is not created with `useradd`, the home dir will now
be created with umask from /etc/login.defs. Also fixed a bug in which
after a local user is deleted, and the same user exists in the central
user management system, the module would create that user's home.
* Simplify logic and add FreeBSD & NetBSD
* Remove incorrect flag for lock and unlock on FreeBSD
* Add tests and changelog
Co-authored-by: Chris Gadd <gaddman@email.com>
* Allow bang and exclamation without warning
Allow the password field to be ! or * without warning when using this feature to create accounts that are locked.
Add documentation and tests to cover this.
* Use set() rather than braces for Python 2.6
When creating a new account, check to see if the expiration parameter is negative and pass in the appropriate parameter. Since the negative integer passed into expires is converted to time.struct_time which in turn gets converted to a formatted time string when passed to the underlying command, a -1 or large negative number would result in passing a date before 1970-01-01 to the underlying command.
This had the opposite effect of creating an account with no expiration account resulting in a newly created account that was already expired, or just throwing an error on certain systems.
* Add backup option
* Only backup shadow file when the OS has one
* Only backup shadow file for SunOS
* Update docs on backup feature
* Add changelog fragment
* Add tests for shadow backup
* Remove backup option, make it automatic
Remove the option to enable/disable backups and make it automatic. Add note to docs describing this behavior.
Change tests to account for new module behavior.
Change section name in changelog fragment since minor_features is not a valid section.
* Check the password format
Check the password format and notify user if they
input unencrypted password.
* Fix sanity error
* Add integration test
* Missed a task name
* Hard code the testing password
Since some testing platfrom has no passlib installed
* Add changelog fragment
* Rework some English sentences
* Fix a grammar mistake
* Only report change when home directory is different
Add tests with home: parameter
Have to skip macOS for now since there is a bug when specifying the home directory path for an existing user that results in a module failure. That needs to be fixed in a separate PR.
* Allow negative values to expires to unexpire a user
Fixes#20096
(cherry picked from commit 34f8080a19)
(cherry picked from commit 54619f70f4)
(cherry picked from commit 8c2fae27d6)
(cherry picked from commit db1a32f8ca)
* tweaked and normalized
- also added tests, made checking resilient
* Only change expiration date if it is different
Modify user_info() method to also return the password expiration.
Compare current and desired expiration times and only change if they are different.
* Improve formatting on user tests
* Add integration test for expiration
* Add changelog fragment
* Improve integration test
Skip macOS and use getent module for validating expiration date.
* Fix expiration change for FreeBSD
* Don't use datetime since the total_seconds method isn't available on CentOS 6
* Use better name for expiration index field
Use separate tasks for verifying expiration date on BSD
* Use calendar.timegm() rather than time.mktime()
calendar.timegm() is the inverse of time.gmtime() and returns a timestamp in UTC not localtime
Add tests that change the system timezone away from UTC
* Mark tests as destructive and use test for change status
* Fix account expiration for FreeBSD
Use DATE_FORMAT when setting expiration date on FreeBSD. Previously the argument passed to -e was an integer of days since epoch when the account will expire which was inserted directly into master.passwd. This value is interpreted as seconds since epoch by the system, meaning the account expiration was actually set to a few hours past epoch.
Greatly simply comparing desired and current expiration time by using the first three values of the struct_time tuple rather than doing a whole bunch of manipulations of the seconds since epoch.
* Warn on tests used as filters
* Update docs, add aliases for tests that fit more gramatically with test syntax
* Fix rst formatting
* Add successful filter, alias of success
* Remove renamed_deprecation, it was overkill
* Make directory alias for is_dir
* Update tests to use proper jinja test syntax
* Update additional documentation, living outside of YAML files, to reflect proper jinja test syntax
* Add conversion script, porting guide updates, and changelog updates
* Update newly added uses of tests as filters
* No underscore variable
* Convert recent tests as filter changes to win_stat
* Fix some changes related to rebasing a few integration tests
* Make tests_as_filters_warning explicitly accept the name of the test, instead of inferring the name
* Add test for tests_as_filters_warning
* Update tests as filters in newly added/modified tests
* Address recent changes to several integration tests
* Address recent changes in cs_vpc
A preliminary set of test targets for "core" supported module that had no independent tests. These will also help us ensure python3 compatibility for those modules and prevent future regressions.