From 618eccc0f3219134cf45f0fedfe51ded8009d3f1 Mon Sep 17 00:00:00 2001
From: Alex Willmer <alex@moreati.org.uk>
Date: Tue, 19 Aug 2025 13:40:26 +0100
Subject: [PATCH] CI: Set macOS failed logins limit of mitogen test users to
 1000

refs #1315
---
 docs/changelog.rst                                    |  1 +
 tests/image_prep/_user_accounts.yml                   |  7 ++++++-
 .../image_prep/roles/user_policies/defaults/main.yml  |  2 ++
 tests/image_prep/roles/user_policies/tasks/main.yml   | 11 +++++++++++
 4 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 tests/image_prep/roles/user_policies/defaults/main.yml
 create mode 100644 tests/image_prep/roles/user_policies/tasks/main.yml

diff --git a/docs/changelog.rst b/docs/changelog.rst
index b0a3f562..7c36f987 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -22,6 +22,7 @@ In progress (unreleased)
 ------------------------
 
 * :gh:issue:`1329` CI: Refactor and de-duplicate Github Actions workflow
+* :gh:issue:`1315` CI: macOS: Increase failed logins limit of test users
 
 
 v0.3.26 (2025-08-04)
diff --git a/tests/image_prep/_user_accounts.yml b/tests/image_prep/_user_accounts.yml
index bee89084..225d4a53 100644
--- a/tests/image_prep/_user_accounts.yml
+++ b/tests/image_prep/_user_accounts.yml
@@ -50,7 +50,10 @@
     mitogen_test_groups:
       - name: mitogen__group
       - name: mitogen__sudo_nopw
-  tasks:
+
+    user_policies_max_failed_logins: 1000
+    user_policies_users: "{{ all_users }}"
+  pre_tasks:
     - name: Disable non-localhost SSH for Mitogen users
       when: false
       blockinfile:
@@ -180,3 +183,5 @@
         validate: '/usr/sbin/visudo -cf %s'
       when:
         - ansible_virtualization_type != "docker"
+  roles:
+    - role: user_policies
diff --git a/tests/image_prep/roles/user_policies/defaults/main.yml b/tests/image_prep/roles/user_policies/defaults/main.yml
new file mode 100644
index 00000000..f80df944
--- /dev/null
+++ b/tests/image_prep/roles/user_policies/defaults/main.yml
@@ -0,0 +1,2 @@
+user_policies_max_failed_logins: 10
+user_policies_users: []
diff --git a/tests/image_prep/roles/user_policies/tasks/main.yml b/tests/image_prep/roles/user_policies/tasks/main.yml
new file mode 100644
index 00000000..89fff6bc
--- /dev/null
+++ b/tests/image_prep/roles/user_policies/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: Set login attempts (macOS)
+  vars:
+    max_failed_logins: "{{ item.policies.max_failed_logins | default(user_policies_max_failed_logins) }}"
+  command: >
+    pwpolicy
+    -u '{{ item.name }}'
+    -setpolicy 'maxFailedLoginAttempts={{ max_failed_logins }}'
+  with_items: "{{ user_policies_users }}"
+  when:
+    - ansible_system == 'Darwin'
+  changed_when: true