Commit Graph

70 Commits (fb09e79b2f21573f44427c91e8d2f577fc968559)

Author SHA1 Message Date
Martin Krizek 108f349e1d Integration tests clean up (#85130)
* Integration tests clean up

* more

* we only test with Ubuntu 24.04 on the controller

(cherry picked from commit 40c919d7bd)
7 months ago
Abhijeet Kasurde d0110ff691
test: enable user test for alpine (#84644)
* test: enable user test for alpine

* Disable user home update tests

* Disable some more tests which are not applicable for Alpine

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
11 months ago
Lee Garrett 3030c79331
user: Fix homedir permissions when UMASK is unset in /etc/login.defs
When a user doesn't exist and user module is used to create the user and the
homedir, adduser is called which parses HOME_MODE from /etc/login.defs, and when
not set calculates the mode from UMASK from the same file.

When a user already exists without homedir, and the user module is used to add a
home dir, it incorrectly ignores HOME_MODE, resulting in a world-readable home
dir when UMASK is not set. This is for example the case in Debian trixie and
later, and likely Ubuntu 25.04 and later.


Signed-off-by: Lee Garrett <lgarrett@rocketjump.eu>
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
12 months ago
Lee Garrett f2a77b071e
Test aliases fix (#84377)
* integrity tests: Tag (destructive) root tests as such

- apt_key needs root to touch the apt key database
- debconf needs root to change debconf values of system packages
- gathering writes to /etc/ansible/*, writeable only to root
- group creates system groups
- noexec mounts/umounts a ramdisk
- systemd requires root to start/stop services

Mark all except noexec as "destructive" as they change the state of the system.

* integration test cron requires root, as it calls setup_cron

* integration test dpkg_selection runs dpkg as root

* integration test facts_linux_network requires root

It adds/removes IP addresses from network interfaces, requiring root for that.

* integration test package requires root

installs/removes system packages

* Integration test service requires root

Creates/starts/stops/removes systemd services

* integration test user requires root to create users

* integration tests using setup_test_user require root

---------

Co-authored-by: Lee Garrett <lgarrett@rocketjump.eu>
1 year ago
Brian Coca 11e4a6a722
user module avoid conflicts ssh pub key (#84165)
Remove pub key if we are going to generate private
fix tests for os X
1 year ago
Brian Coca 0959472bc6
user module, avoid chmoding symlink'd home file (#83956)
also added tests

---------
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
Co-authored-by: Sloane Hertel <19572925+s-hertel@users.noreply.github.com>
1 year ago
skupfer 20465ba11a
Add UID and GID min/max keys (#81770)
Fixes: #72183
1 year ago
MajesticMagikarpKing edce798713
Fix Creating user directory using tilde always reports "changed" (#83113)
Fixes: #82490
2 years ago
Thomas Sjögren f7dee8aaf8
add support for inactive option (#83355)
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2 years ago
Matt Clay 44f22162cb
Remove timezone support module and tests (#83465)
The timezone support module was used only for changing the timezone in the user module integration tests.

Changing the timezone for the tests is unnecessarily complex for the purpose of asserting proper parsing of user expiration times.
2 years ago
Sebbo94BY e0bf76e3db
Issue #80267: Remove user not found warning (#80291)
Co-authored-by: Sebi94nbg <sebastian.kraetzig@4g-server.eu>
2 years ago
Jordan Borean f5a0c0dfc8
Ignore testing data for gitleaks (#82083) 2 years ago
Thomas Sjögren fb8ede22e1
don't warn about using a yescrypt hash as user password (#82071)
* don't warn about using a yescrypt hash as password

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* add changelog

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* add yescrypt test

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

---------

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2 years ago
Sam Doran 116948cd14
user - set current expiration correctly when no shadow entry exists (#75194) 2 years ago
Caesarovich c69c83c962
Fix macos defaults (#79999) 2 years ago
Norman Ziegner bcdb82992a
user - add parameter for password expiration warning days (#79884)
* user - add parameter to set number of warning days before password expires

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
3 years ago
Holger Dörner 25b3d3a6f7
Check if skeleton is /dev/null while creating home folder (#75948)
* Check if skeleton is /dev/null while creating home folder

* Add test for linux

Co-authored-by: Holger Dörner <h.doerner@bitexpert.de>
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
3 years ago
Sloane Hertel 556dadba6d
user - fix comparing existing group names to group IDs (#79981) 3 years ago
Chris James ea351f0ae2
user - Use -n instead of -N for luseradd on all distros (#75042)
* Use -n instead of -N for luseradd on all distros

Co-authored-by: Chris James <git@etcet.net>
4 years ago
Matt Clay fe2d8b7066 Skip libuser tests on openSUSE 15.4+
The libuser package is not available.
4 years ago
Julien Lecomte 33beeace10
Fix lusermod using a group name and not id (#61965) (#77914)
* Fix lusermod using a group name and not id (#61965)
4 years ago
Matt Martz 3cf71ddf69
The final `output_dir` pr (#76862) 4 years ago
Daniel Goldman dbde2c2ae3
user module password expiration fixes (#75390)
* allow inputting 0 for password_expire_{min|max}
   0 is meaningful for min days (any time)   
   0 is technically valid for max_days
* add test for setting both min and max expiry
* [0] return result of execute_command from set_password_expire*
* [1] better return for set_password_expire
* [2] handle returns from set_password_expire*
* only set password expiry if user exists
* collect return-handling code
* combine password min and max into one execution
* handle case where spwd is not present like on macOS and FreeBSD

Co-authored-by: Sam Doran <sdoran@redhat.com>
4 years ago
Matt Clay 3a891827b7
ansible-test - Remove AIX provisioning support. (#76747)
* ansible-test - Remove AIX provisioning support.
* Remove `skip/aix` integration test aliases.
* Remove build for AIX binary module.
4 years ago
Matt Martz e40a0e5c90
Don't use output_dir in target tests (#76107)
* Don't use output_dir in user tests

* Move blockinfile tests from using output_dir to depending on setup_remote_tmp_dir

* Don't use output_dir in git tests

* Don't use output_dir in uri tests
4 years ago
Sam Doran a11bb8b4d3
Revert "user - consistently create user home directory on Linux (#71952)" (#75704)
This reverts commit 2f7e0b8489.
4 years ago
Ruediger Pluem 2f7e0b8489
user - consistently create user home directory on Linux (#71952)
Always use create_homedir when we are asked to create a home directory
in the User class. Don't use the -m and -k parameters from
useradd / luseradd as they behave differently with respect to
preexisting home directories. Instead always specify -M to ensure
that useradd / luseradd do not try to create the home directory.

This does not change potential different behaviours in child classes
of the User class.

Consider the new umask option from #73821 in create_homedir as well as
we do not let luseradd / useradd create the home directory any longer.
5 years ago
Amin Vakil 49d4442378
Add umask option to user module (#73821)
* Add umask option to user module

* Fail on setting both umask and local: True

* Add integration test

* Add changelog

* Run integration tests only if HOME_MODE is not set

* Run integration tests only on Linux

Co-authored-by: Matt Clay <matt@mystile.com>
5 years ago
pushkarkumar15 4344607d7d
user - add password expiration parameters (#69531)
* Add integration test

Co-authored-by: Sam Doran <sdoran@redhat.com>
5 years ago
Sam Doran 264e08f21a
user - properly handle password and password lock when used together (#73016)
Do the right thing on Linux when password lock and a password hash are provided by writing
out the password hash prepended by the appropriate lock string rather than using -U and -L.
This is the correct way to set and lock the account in one command.

On BSD, run separate commands as appropriate since locking and setting the password cannot 
be done in a single action.

FreeBSD requires running several commands to get the account in the desired state. As a result,
the rc, output, and error from all commands need to be combined and evaluated so an accurate
and complete summary can be given at the end of module execution.

* Improve integration tests to cover this scenario.
* Break up user integration tests into smaller files
* Properly lock account when creating a new account and password is supplied

* Simplify rc collection in FreeBSD class
  Since the _handle_lock() method was added, the rc would be set to None, which could make
  task change reporting incorrect. My first attempt to solve this used a set and was a bit too
  complicated. Simplify it by comparing the rc from _handle_lock() and the current value of rc.

* Improve the Linux password hash and locking behavior
  If password lock and hash are provided, set the hash and lock the account by using a password
  hash since -L cannot be used with -p.

* Ensure -U and -L are not combined with -p since they are mutually exclusive to usermod.

* Clarify password_lock behavior.
5 years ago
Ruediger Pluem a7170da851
user - allow local users with an expiry date to be created (#72022)
The luseradd / lusermod commands do not support the -e option. Set
the expiry time in this case via lchage after the user was
created / modified.

Fixes: #71942

In Python3 math.floor returns an integer whereas Python2 returns a float.
Hence always convert the result of math.floor to an int to ensure that
lexpires is an integer.

Move local expires tests in a separate file and import the tasks to the
main.yml to keep main.yml smaller.
5 years ago
Matt Martz 7c60dadb9a
Updates to Integration tests to pass against Alpine (#70946)
* Start of alpine testing

* More updates

* Add forgotten file

* remove debug

* Add alpine3

* equal

* group 4

* group 4

* group 5

* Try to decrease test length

* libuser only available in testing

* Remove debug

* Make loops target work on hosts without gnu date

* Enable alpine testing

* ci_complete

* Don't specify uid for creating test user

* ci_complete

* Re-sort docker completion

* use newer container image

* ci_complete

* fix indentation

Co-authored-by: Matt Clay <matt@mystile.com>
5 years ago
Baptiste Mille-Mathias 0ead4306a8
user - Create home and parent directories only when requested (#70600)
The home user and the parents directories should only be created when
create_home == True
6 years ago
Matt Clay 21475aa83b Test system users and groups. 6 years ago
Todd Lewis 640bf31f87
user - allow 'groups', 'append' with 'local' (#62134) 6 years ago
Erwin Oegema 3b32f95fb3
user - warn if "append" is set but not "groups" (#65795)
This fixes people unknowingly changing the primary group rather than adding a secondary group.

* Add integration test
6 years ago
Yanis Guenane 4fd2dce7f3
Testing: Add support for AIX platform (#65802) 6 years ago
Sam Doran 18130e1419
user - honor update_password parameter on BusyBox hosts (#65977)
The check for this parameter was missing from BusyBox.modify_user(), resulting in unexpected password changes to existing user accounts.
6 years ago
John Chen c73288ad53 user - compare macOS user properties using same type (#62973)
self._get_user_property returns a string, so when doing a comparison
using this value, cast the second variable to a string so that the
comparison behaves correctly
* Add changelog
* Add to_text import
* Add integration test
6 years ago
kucharskim 1dea661ce8 Allow 13 asterisk characters in password field without warning (#54893)
On OpenBSD, 13 asterisk characters as a password hash, marks the
account as disabled. Otherwise daily(8) script which executes
security(8) will email operator about not properly locked accounts.

Before the diff, we see following warning:

> [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

After the diff, warning is gone.
6 years ago
Sam Doran c485a1b91e
Fix sanity tests based on newer version of shellcheck (#60423)
- change egrep to grep -E
- store exit codes and check them directly
- ignore SC1091
6 years ago
Marius Gedminas c71622b31a user: createhome=no home=/no/such/dir (#60310)
Fixes #60307.

This bug was introduced in commit d2edf1d435
("User - Create parent directories if they do not exist in the specified
home path (#51043)") and did not make it into any releases.
6 years ago
Maciej Delmanowski 75be309242 Don't warn if local user is found in user database (#56838)
If the 'local' parameter of the 'user' Ansible module is enabled, and
the user has been found in the local user database, don't emit
a warning, because this is an expected outcome.

Add changelog and integration tests

Co-authored-by: drybed <drybjed@gmail.com>
7 years ago
Sam Doran 8edad83ae0
User - make groups and append mutually exclusive with local (#59309)
* Update integration tests
7 years ago
Sam Doran d2edf1d435 User - Create parent directories if they do not exist in the specified home path (#51043)
* Create a user home directory if it has parents that do not exist

The useradd command line tool does not create parent directories. Check if the specified home path has parents that do not exist. If so, create them prior to running useradd, then set the proper permission on the created directory.

Add tests

Signed-off-by: Sam Doran <sdoran@redhat.com>

* Use dict for default user group in tests

Signed-off-by: Sam Doran <sdoran@redhat.com>

* Fix tests

Signed-off-by: Sam Doran <sdoran@redhat.com>
7 years ago
Sam Doran 20ad120829 Omit -A and -G options in local mode since luseradd does not support these (#55401)
Add integration tests
7 years ago
Sam Doran b4e83642c8
Properly reset timezone in user test when it was originally n/a (#55389) 7 years ago
Matt Clay 8d96af2df5
Use correct python for -c invocations in tests. (#54577)
* Use correct python for -c invocations in tests.
* Only set releasever when available.
7 years ago
Sam Doran 1e595493d9
User module - Check local database when local is specified in the task (#51088)
The output of pw.getpwnam() does not distinguish between local and remote accounts. It will return a result if an account exists locally or in the directory. When local is set to True in the task parameters, look through the local password database explicitly.

* Ensure luseradd is present for tests
* Add docs and warnings about local mode
7 years ago
Matt Clay 687279c7bd Set user expires on FreeBSD using UTC. (#52276) 7 years ago