path: root/test/integration/targets/user/tasks/test_password_lock.yml
blob: dde374ee0153271659b3f70e09c94827722e70b6 (plain)
# Integration test for the user module's password_lock option.
#
# Phase 1 checks idempotence: each lock/unlock is run twice, with and without
# the password parameter, and only the first run of each pair may report
# "changed".
# Phase 2 checks the state the system itself reports after a lock and after an
# unlock (FreeBSD via status_command, Linux via the shadow database).
#
# NOTE: password_lock locks the password only. The user module documentation
# states that it does not disable the account, so nothing here shows that
# non-password logins (for example SSH keys) are blocked.
- name: Test password lock
  when: ansible_facts.system in ['FreeBSD', 'OpenBSD', 'Linux']
  block:
    # Start from a clean slate so the first lock below is a real change.
    - name: Remove ansibulluser
      user:
        name: ansibulluser
        state: absent
        remove: true

    # The value is a SHA-512 crypt ($6$, rounds=656000) hash used purely as a
    # test fixture. It is published with this file, so never set it on a real
    # account.
    - name: Create ansibulluser with password
      user:
        name: ansibulluser
        password: '$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS.'

    # --- Phase 1a: lock/unlock without passing the password -----------------
    - name: Lock account without password parameter
      user:
        name: ansibulluser
        password_lock: true
      register: password_lock_1

    - name: Lock account without password parameter again
      user:
        name: ansibulluser
        password_lock: true
      register: password_lock_2

    - name: Unlock account without password parameter
      user:
        name: ansibulluser
        password_lock: false
      register: password_lock_3

    - name: Unlock account without password parameter again
      user:
        name: ansibulluser
        password_lock: false
      register: password_lock_4

    # --- Phase 1b: lock/unlock while also passing the same hash -------------
    # The hash is identical to the one set at creation, so any "changed"
    # result here has to come from the lock state, not from the password.
    - name: Lock account with password parameter
      user:
        name: ansibulluser
        password_lock: true
        password: '$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS.'
      register: password_lock_5

    - name: Lock account with password parameter again
      user:
        name: ansibulluser
        password_lock: true
        password: '$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS.'
      register: password_lock_6

    - name: Unlock account with password parameter
      user:
        name: ansibulluser
        password_lock: false
        password: '$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS.'
      register: password_lock_7

    - name: Unlock account with password parameter again
      user:
        name: ansibulluser
        password_lock: false
        password: '$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS.'
      register: password_lock_8

    # Odd-numbered results are the first run of each pair (must change),
    # even-numbered results are the repeat (must be a no-op).
    - name: Ensure task reported changes appropriately
      assert:
        that:
          - password_lock_1 is changed
          - password_lock_2 is not changed
          - password_lock_3 is changed
          - password_lock_4 is not changed
          - password_lock_5 is changed
          - password_lock_6 is not changed
          - password_lock_7 is changed
          - password_lock_8 is not changed
        msg: The password_lock tasks did not make changes appropriately

    # --- Phase 2: verify the lock state reported by the system --------------
    - name: Lock account
      user:
        name: ansibulluser
        password_lock: true

    - name: Verify account lock for BSD
      when: ansible_facts.system in ['FreeBSD', 'OpenBSD']
      block:
        # status_command is not defined in this file; it is indexed by the
        # system name, so presumably it maps each BSD to its own status
        # command (confirm in the target's vars).
        - name: BSD | Get account status
          shell: "{{ status_command[ansible_facts['system']] }}"
          register: account_status_locked

        - name: Unlock account
          user:
            name: ansibulluser
            password_lock: false

        - name: BSD | Get account status
          shell: "{{ status_command[ansible_facts['system']] }}"
          register: account_status_unlocked

        # NOTE(review): only FreeBSD output is asserted. On OpenBSD both
        # status results are collected but nothing in this file checks them.
        - name: FreeBSD | Ensure account is locked
          when: ansible_facts['system'] == 'FreeBSD'
          assert:
            that:
              - "'LOCKED' in account_status_locked.stdout"
              - "'LOCKED' not in account_status_unlocked.stdout"

    - name: Verify account lock for Linux
      when: ansible_facts.system == 'Linux'
      block:
        # getent fills getent_shadow; element [0] is the password field of
        # the shadow entry, which the assertions below inspect.
        - name: LINUX | Get account status
          getent:
            database: shadow
            key: ansibulluser

        # A leading '!' is what this test treats as "locked".
        # NOTE(review): only the prefix is checked, not that the original
        # hash is still intact behind it.
        - name: LINUX | Ensure account is locked
          assert:
            that:
              - getent_shadow['ansibulluser'][0].startswith('!')

        - name: Unlock account
          user:
            name: ansibulluser
            password_lock: false

        # Re-read the entry so the next assertion sees the post-unlock value.
        - name: LINUX | Get account status
          getent:
            database: shadow
            key: ansibulluser

        - name: LINUX | Ensure account is unlocked
          assert:
            that:
              - not getent_shadow['ansibulluser'][0].startswith('!')

  # Cleanup runs even when a task or assertion above fails, so a failed run
  # does not leave the account locked. The user itself is not removed here.
  always:
    - name: Unlock account
      user:
        name: ansibulluser
        password_lock: false