- name: Test password lock when: ansible_facts.system in ['FreeBSD', 'OpenBSD', 'Linux'] block: - name: Remove ansibulluser user: name: ansibulluser state: absent remove: yes - name: Create ansibulluser with password user: name: ansibulluser password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS." - name: Lock account without password parameter user: name: ansibulluser password_lock: yes register: password_lock_1 - name: Lock account without password parameter again user: name: ansibulluser password_lock: yes register: password_lock_2 - name: Unlock account without password parameter user: name: ansibulluser password_lock: no register: password_lock_3 - name: Unlock account without password parameter again user: name: ansibulluser password_lock: no register: password_lock_4 - name: Lock account with password parameter user: name: ansibulluser password_lock: yes password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS." register: password_lock_5 - name: Lock account with password parameter again user: name: ansibulluser password_lock: yes password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS." register: password_lock_6 - name: Unlock account with password parameter user: name: ansibulluser password_lock: no password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS." register: password_lock_7 - name: Unlock account with password parameter again user: name: ansibulluser password_lock: no password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS." register: password_lock_8 - name: Ensure task reported changes appropriately assert: msg: The password_lock tasks did not make changes appropriately that: - password_lock_1 is changed - password_lock_2 is not changed - password_lock_3 is changed - password_lock_4 is not changed - password_lock_5 is changed - password_lock_6 is not changed - password_lock_7 is changed - password_lock_8 is not changed - name: Lock account user: name: ansibulluser password_lock: yes - name: Verify account lock for BSD when: ansible_facts.system in ['FreeBSD', 'OpenBSD'] block: - name: BSD | Get account status shell: "{{ status_command[ansible_facts['system']] }}" register: account_status_locked - name: Unlock account user: name: ansibulluser password_lock: no - name: BSD | Get account status shell: "{{ status_command[ansible_facts['system']] }}" register: account_status_unlocked - name: FreeBSD | Ensure account is locked assert: that: - "'LOCKED' in account_status_locked.stdout" - "'LOCKED' not in account_status_unlocked.stdout" when: ansible_facts['system'] == 'FreeBSD' - name: Verify account lock for Linux when: ansible_facts.system == 'Linux' block: - name: LINUX | Get account status getent: database: shadow key: ansibulluser - name: LINUX | Ensure account is locked assert: that: - getent_shadow['ansibulluser'][0].startswith('!') - name: Unlock account user: name: ansibulluser password_lock: no - name: LINUX | Get account status getent: database: shadow key: ansibulluser - name: LINUX | Ensure account is unlocked assert: that: - not getent_shadow['ansibulluser'][0].startswith('!') always: - name: Unlock account user: name: ansibulluser password_lock: no