add support for inactive option (#83355)

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

lib/ansible/modules/user.py

@@ -268,6 +268,12 @@ options:
             - Requires O(local) is omitted or V(False).
         type: str
         version_added: "2.12"
+    password_expire_account_disable:
+        description:
+            - Number of days after a password expires until the account is disabled.
+            - Currently supported on AIX, Linux, NetBSD, OpenBSD.
+        type: int
+        version_added: "2.18"
 extends_documentation_fragment: action_common_attributes
 attributes:
     check_mode:
@@ -356,6 +362,11 @@ EXAMPLES = r'''
   ansible.builtin.user:
     name: jane157
     password_expire_warn: 30
+
+- name: Set number of days after password expires until account is disabled
+  ansible.builtin.user:
+    name: jimholden2016
+    password_expire_account_disable: 15
 '''
 
 RETURN = r'''
@@ -582,6 +593,7 @@ class User(object):
         self.password_expire_min = module.params['password_expire_min']
         self.password_expire_warn = module.params['password_expire_warn']
         self.umask = module.params['umask']
+        self.inactive = module.params['password_expire_account_disable']
 
         if self.umask is not None and self.local:
             module.fail_json(msg="'umask' can not be used with 'local'")
@@ -757,6 +769,10 @@ class User(object):
             else:
                 cmd.append(time.strftime(self.DATE_FORMAT, self.expires))
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(int(self.inactive))
+
         if self.password is not None:
             cmd.append('-p')
             if self.password_lock:
@@ -946,6 +962,10 @@ class User(object):
                         cmd.append('-e')
                         cmd.append(time.strftime(self.DATE_FORMAT, self.expires))
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         # Lock if no password or unlocked, unlock only if locked
         if self.password_lock and not info[1].startswith('!'):
             cmd.append('-L')
@@ -1694,6 +1714,10 @@ class OpenBSDUser(User):
                 cmd.append('-K')
                 cmd.append('UMASK=' + self.umask)
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         cmd.append(self.name)
         return self.execute_command(cmd)
 
@@ -1764,6 +1788,10 @@ class OpenBSDUser(User):
             cmd.append('-s')
             cmd.append(self.shell)
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         if self.login_class is not None:
             # find current login class
             user_login_class = None
@@ -1860,6 +1888,10 @@ class NetBSDUser(User):
             cmd.append('-p')
             cmd.append(self.password)
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         if self.create_home:
             cmd.append('-m')
 
@@ -1946,6 +1978,10 @@ class NetBSDUser(User):
             cmd.append('-L')
             cmd.append(self.login_class)
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         if self.update_password == 'always' and self.password is not None and info[1] != self.password:
             cmd.append('-p')
             cmd.append(self.password)
@@ -2072,6 +2108,10 @@ class SunOS(User):
             cmd.append('-R')
             cmd.append(self.role)
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         cmd.append(self.name)
 
         (rc, out, err) = self.execute_command(cmd)
@@ -2189,6 +2229,10 @@ class SunOS(User):
             cmd.append('-R')
             cmd.append(self.role)
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         # modify the user if cmd will do anything
         if cmd_len != len(cmd):
             cmd.append(self.name)
@@ -2674,6 +2718,10 @@ class AIX(User):
                 cmd.append('-K')
                 cmd.append('UMASK=' + self.umask)
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         cmd.append(self.name)
         (rc, out, err) = self.execute_command(cmd)
 
@@ -2742,6 +2790,10 @@ class AIX(User):
             cmd.append('-s')
             cmd.append(self.shell)
 
+        if self.inactive is not None:
+            cmd.append('-f')
+            cmd.append(self.inactive)
+
         # skip if no changes to be made
         if len(cmd) == 1:
             (rc, out, err) = (None, '', '')
@@ -3150,6 +3202,7 @@ def main():
             authorization=dict(type='str'),
             role=dict(type='str'),
             umask=dict(type='str'),
+            password_expire_account_disable=dict(type='int', no_log=False),
         ),
         supports_check_mode=True,
     )

test/integration/targets/user/tasks/main.yml

@@ -42,3 +42,4 @@
   when: not (ansible_distribution == 'openSUSE Leap' and ansible_distribution_version is version('15.4', '>='))
 - import_tasks: test_umask.yml
   when: ansible_facts.system == 'Linux'
+- import_tasks: test_inactive_new_account.yml

test/integration/targets/user/tasks/test_inactive_new_account.yml

@@ -0,0 +1,74 @@
+# Test inactive setting when creating a new account
+- name: Remove ansibulluser
+  user:
+    name: ansibulluser
+    state: absent
+
+- name: Create user account with inactive set to 15
+  user:
+    name: ansibulluser
+    state: present
+    password_expire_account_disable: 15
+
+- name: Verify inactive setting for Linux
+  when: ansible_facts.os_family in ['RedHat', 'Debian', 'Suse']
+  block:
+    - name: LINUX | Get inactive value for ansibulluser
+      getent:
+        database: shadow
+        key: ansibulluser
+
+    - name: LINUX | Ensure inactive is set to 15
+      assert:
+        msg: "expiry is supposed to be empty or 15, not {{ getent_shadow['ansibulluser'][7] }}"
+        that:
+          - not getent_shadow['ansibulluser'][7] or getent_shadow['ansibulluser'][7] | int != 15
+
+- name: Verify inactive setting for BSD
+  when: ansible_facts.system in ['NetBSD','OpenBSD']
+  block:
+    - name: BSD | Get inactive value for ansibulluser
+      getent:
+        database: shadow
+        key: ansibulluser
+
+    - name: BSD | Ensure inactive is set to 15
+      assert:
+        msg: "expiry is supposed to be empty or 15, not {{ getent_shadow['ansibulluser'][7] }}"
+        that:
+          - not getent_shadow['ansibulluser'][7] or getent_shadow['ansibulluser'][7] | int != 15
+
+- name: Update user account with inactive set to 10
+  user:
+    name: ansibulluser
+    state: present
+    password_expire_account_disable: 10
+  register: return_user_information
+
+- name: Verify updated inactive setting for Linux
+  when: ansible_facts.os_family in ['RedHat', 'Debian', 'Suse']
+  block:
+    - name: LINUX | Get inactive value for ansibulluser
+      getent:
+        database: shadow
+        key: ansibulluser
+
+    - name: LINUX | Ensure inactive is set to 10
+      assert:
+        msg: "expiry is supposed to be empty or 10, not {{ getent_shadow['ansibulluser'][7] }}"
+        that:
+          - not getent_shadow['ansibulluser'][7] or getent_shadow['ansibulluser'][7] | int != 10
+
+- name: Verify updated inactive setting for BSD
+  when: ansible_facts.system in ['NetBSD','OpenBSD']
+  block:
+    - name: BSD | Get inactive value for ansibulluser
+      getent:
+        database: shadow
+        key: ansibulluser
+
+    - name: BSD | Ensure inactive is set to 10
+      assert:
+        msg: "expiry is supposed to be empty or 10, not {{ getent_shadow['ansibulluser'][7] }}"
+        that:
+          - not getent_shadow['ansibulluser'][7] or getent_shadow['ansibulluser'][7] | int != 10