From b019076dd3593f53342c119b3a6241758cac7b65 Mon Sep 17 00:00:00 2001 From: billwanjohi Date: Mon, 29 Sep 2014 22:42:28 +0000 Subject: [PATCH] user: add expired state ported from https://github.com/ansible/ansible/pull/6303 It's very useful and routine to disable a *nix user. I implemented expired instead of locked because this prevents any use of the account, safer than just preventing password-based authentication. I have tests [1], but since none of the suite came along with the core modules, I'm unsure how to submit them. [1] https://github.com/billwanjohi/ansible/blob/add_locked_state/test/integration/roles/test_user/tasks/main.yml --- lib/ansible/modules/system/user.py | 62 +++++++++++++++++++++++++++--- 1 file changed, 57 insertions(+), 5 deletions(-) diff --git a/lib/ansible/modules/system/user.py b/lib/ansible/modules/system/user.py index d5602f9cb60..79e29a61a02 100644 --- a/lib/ansible/modules/system/user.py +++ b/lib/ansible/modules/system/user.py @@ -84,10 +84,12 @@ options: state: required: false default: "present" - choices: [ present, absent ] + choices: [ present, absent, expired ] description: - - Whether the account should exist. When C(absent), removes - the user account. + - Whether the account should exist, and whether it is expired. + When C(absent), removes the user account. + When C(expired), the user will not be able to login through any means. + Expired state is only implemented for Linux. createhome: required: false default: "yes" @@ -327,6 +329,10 @@ class User(object): cmd.append('-s') cmd.append(self.shell) + if self.state == 'expired': + cmd.append('--expiredate') + cmd.append('1') + if self.password is not None: cmd.append('-p') cmd.append(self.password) @@ -433,6 +439,10 @@ class User(object): cmd.append('-s') cmd.append(self.shell) + if self.state == 'expired': + cmd.append('--expiredate') + cmd.append('1') + if self.update_password == 'always' and self.password is not None and info[1] != self.password: cmd.append('-p') cmd.append(self.password) @@ -703,6 +713,10 @@ class FreeBsdUser(User): cmd.append('-L') cmd.append(self.login_class) + if self.state == 'expired': + cmd.append('-e') + cmd.append('1970-01-01') + # system cannot be handled currently - should we error if its requested? # create the user (rc, out, err) = self.execute_command(cmd) @@ -787,6 +801,10 @@ class FreeBsdUser(User): new_groups = groups | set(current_groups) cmd.append(','.join(new_groups)) + if self.state == 'expired': + cmd.append('-e') + cmd.append('1970-01-01') + # modify the user if cmd will do anything if cmd_len != len(cmd): (rc, out, err) = self.execute_command(cmd) @@ -863,6 +881,10 @@ class OpenBSDUser(User): cmd.append('-L') cmd.append(self.login_class) + if self.state == 'expired': + cmd.append('-e') + cmd.append('1') + if self.password is not None: cmd.append('-p') cmd.append(self.password) @@ -957,6 +979,10 @@ class OpenBSDUser(User): cmd.append('-L') cmd.append(self.login_class) + if self.state == 'expired': + cmd.append('-e') + cmd.append('1') + if self.update_password == 'always' and self.password is not None and info[1] != self.password: cmd.append('-p') cmd.append(self.password) @@ -1030,6 +1056,10 @@ class NetBSDUser(User): cmd.append('-L') cmd.append(self.login_class) + if self.state == 'expired': + cmd.append('-e') + cmd.append('1') + if self.password is not None: cmd.append('-p') cmd.append(self.password) @@ -1112,6 +1142,10 @@ class NetBSDUser(User): cmd.append('-L') cmd.append(self.login_class) + if self.state == 'expired': + cmd.append('-e') + cmd.append('1') + if self.update_password == 'always' and self.password is not None and info[1] != self.password: cmd.append('-p') cmd.append(self.password) @@ -1189,6 +1223,10 @@ class SunOS(User): if self.createhome: cmd.append('-m') + if self.state == 'expired': + cmd.append('-e') + cmd.append('1/1/70') + cmd.append(self.name) if self.module.check_mode: @@ -1273,6 +1311,10 @@ class SunOS(User): cmd.append('-s') cmd.append(self.shell) + if self.state == 'expired': + cmd.append('-e') + cmd.append('1/1/70') + if self.module.check_mode: return (0, '', '') else: @@ -1362,6 +1404,10 @@ class AIX(User): if self.createhome: cmd.append('-m') + if self.state == 'expired': + cmd.append('-e') + cmd.append('0101000070') + cmd.append(self.name) (rc, out, err) = self.execute_command(cmd) @@ -1431,6 +1477,9 @@ class AIX(User): cmd.append('-s') cmd.append(self.shell) + if self.state == 'expired': + cmd.append('-e') + cmd.append('0101000070') # skip if no changes to be made if len(cmd) == 1: @@ -1468,7 +1517,7 @@ def main(): } module = AnsibleModule( argument_spec = dict( - state=dict(default='present', choices=['present', 'absent'], type='str'), + state=dict(default='present', choices=['present', 'absent', 'expired'], type='str'), name=dict(required=True, aliases=['user'], type='str'), uid=dict(default=None, type='str'), non_unique=dict(default='no', type='bool'), @@ -1523,7 +1572,10 @@ def main(): module.fail_json(name=user.name, msg=err, rc=rc) result['force'] = user.force result['remove'] = user.remove - elif user.state == 'present': + elif user.state == 'expired' and user.platform != 'Generic': + module.fail_json(name=user.state, + msg='expired state not yet support for {0} platform'.format(user.platform)) + elif user.state == 'present' or user.state == 'expired': if not user.user_exists(): if module.check_mode: module.exit_json(changed=True)