1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
* Cleaner, more pythonic, shorter, easier to maintain

* Added validation
This commit is contained in:
Ken Evensen 2018-05-23 09:24:54 -04:00 committed by Adam Miller
parent a3cfe0d72f
commit fabce98104
2 changed files with 744 additions and 572 deletions

View file

@ -1,6 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# (c) 2017, Kenneth D. Evensen <kevensen@redhat.com> # (c) 2017, Kenneth D. Evensen <kdevensen@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
@ -89,6 +89,14 @@ options:
default: /etc/pam.d/ default: /etc/pam.d/
description: description:
- This is the path to the PAM service files - This is the path to the PAM service files
backup:
description:
- Create a backup file including the timestamp information so you can
get the original file back if you somehow clobbered it incorrectly.
type: bool
default: 'no'
version_added: '2.6'
""" """
EXAMPLES = """ EXAMPLES = """
@ -157,7 +165,8 @@ EXAMPLES = """
- name: Remove specific arguments from a rule - name: Remove specific arguments from a rule
pamd: pamd:
name: system-auth name: system-auth
type: session control='[success=1 default=ignore]' type: session
control: '[success=1 default=ignore]'
module_path: pam_succeed_if.so module_path: pam_succeed_if.so
module_arguments: crond,quiet module_arguments: crond,quiet
state: args_absent state: args_absent
@ -221,13 +230,14 @@ change_count:
returned: success returned: success
version_added: 2.4 version_added: 2.4
new_rule: new_rule:
description: The changes to the rule description: The changes to the rule. This was available in Ansible version 2.4 and 2.5. It was removed in 2.6.
type: string type: string
sample: None None None sha512 shadow try_first_pass use_authtok sample: None None None sha512 shadow try_first_pass use_authtok
returned: success returned: success
version_added: 2.4 version_added: 2.4
updated_rule_(n): updated_rule_(n):
description: The rule(s) that was/were changed description: The rule(s) that was/were changed. This is only available in
Ansible version 2.4 and was removed in 2.5.
type: string type: string
sample: sample:
- password sufficient pam_unix.so sha512 shadow try_first_pass - password sufficient pam_unix.so sha512 shadow try_first_pass
@ -250,346 +260,418 @@ dest:
returned: success returned: success
type: string type: string
sample: "/etc/pam.d/system-auth" sample: "/etc/pam.d/system-auth"
backupdest:
description:
- "The file name of the the backup file, if created."
returned: success
type: string
version_added: 2.6
... ...
''' '''
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_native
import os import os
import re import re
import time from tempfile import NamedTemporaryFile
from datetime import datetime
# The PamdRule class encapsulates a rule in a pam.d service RULE_REGEX = re.compile(r"""(?P<rule_type>auth|account|session|password)\s+
class PamdRule(object): (?P<control>\[.*\]|\S*)\s+
(?P<path>\S*)\s?
(?P<args>.*)""", re.X)
def __init__(self, rule_type,
rule_control, rule_module_path,
rule_module_args=None):
class PamdLine(object):
def __init__(self, line):
self.line = line
self.prev = None
self.next = None
# Method to check if a rule matches the type, control and path.
def matches(self, rule_type, rule_control, rule_path, rule_args=None):
return False
def __str__(self):
return str(self.line)
class PamdComment(PamdLine):
def __init__(self, line):
super(PamdComment, self).__init__(line)
@property
def is_valid(self):
if self.line.startswith('#'):
return True
return False
class PamdInclude(PamdLine):
def __init__(self, line):
super(PamdInclude, self).__init__(line)
@property
def is_valid(self):
if self.line.startswith('@include'):
return True
return False
class PamdRule(PamdLine):
valid_types = ['account', 'auth', 'password', 'session']
valid_simple_controls = ['required', 'requisite', 'sufficicent', 'optional', 'include', 'substack']
valid_control_values = ['success', 'open_err', 'symbol_err', 'service_err', 'system_err', 'buf_err',
'perm_denied', 'auth_err', 'cred_insufficient', 'authinfo_unavail', 'user_unknown',
'maxtries', 'new_authtok_reqd', 'acct_expired', 'session_err', 'cred_unavail',
'cred_expired', 'cred_err', 'no_module_data', 'conv_err', 'authtok_err',
'authtok_recover_err', 'authtok_lock_busy', 'authtok_disable_aging', 'try_again',
'ignore', 'abort', 'authtok_expired', 'module_unknown', 'bad_item', 'conv_again',
'incomplete', 'default']
valid_control_actions = ['ignore', 'bad', 'die', 'ok', 'done', 'reset']
def __init__(self, rule_type, rule_control, rule_path, rule_args=None):
self._control = None
self._args = None
self.rule_type = rule_type self.rule_type = rule_type
self.rule_control = rule_control self.rule_control = rule_control
self.rule_module_path = rule_module_path
try: self.rule_path = rule_path
if (rule_module_args is not None and self.rule_args = rule_args
type(rule_module_args) is list):
self.rule_module_args = rule_module_args # Method to check if a rule matches the type, control and path.
elif (rule_module_args is not None and def matches(self, rule_type, rule_control, rule_path, rule_args=None):
type(rule_module_args) is str): if (rule_type == self.rule_type and
self.rule_module_args = rule_module_args.split() rule_control == self.rule_control and
except AttributeError: rule_path == self.rule_path):
self.rule_module_args = [] return True
return False
@classmethod @classmethod
def rulefromstring(cls, stringline): def rule_from_string(cls, line):
pattern = None match = RULE_REGEX.search(line)
return cls(match.group('rule_type'), match.group('control'), match.group('path'), match.group('args'))
rule_type = ''
rule_control = ''
rule_module_path = ''
rule_module_args = ''
complicated = False
if '[' in stringline:
pattern = re.compile(
r"""([\-A-Za-z0-9_]+)\s* # Rule Type
\[([A-Za-z0-9_=\s]+)\]\s* # Rule Control
([A-Za-z0-9/_\-\.]+)\s* # Rule Path
([A-Za-z0-9,_=<>\-\s\./]*)""", # Rule Args
re.X)
complicated = True
else:
pattern = re.compile(
r"""([@\-A-Za-z0-9_]+)\s* # Rule Type
([A-Za-z0-9_\-]+)\s* # Rule Control
([A-Za-z0-9/_\-\.]*)\s* # Rule Path
([A-Za-z0-9,_=<>\-\s\./]*)""", # Rule Args
re.X)
result = pattern.match(stringline)
rule_type = result.group(1)
if complicated:
rule_control = '[' + result.group(2) + ']'
else:
rule_control = result.group(2)
rule_module_path = result.group(3)
if result.group(4) is not None:
rule_module_args = result.group(4)
return cls(rule_type, rule_control, rule_module_path, rule_module_args)
def get_module_args_as_string(self):
try:
if self.rule_module_args is not None:
return ' '.join(self.rule_module_args)
except AttributeError:
pass
return ''
def __str__(self): def __str__(self):
return "%-10s\t%s\t%s %s" % (self.rule_type, if self.rule_args:
self.rule_control, return '{0: <11}{1} {2} {3}'.format(self.rule_type, self.rule_control, self.rule_path, ' '.join(self.rule_args))
self.rule_module_path, return '{0: <11}{1} {2}'.format(self.rule_type, self.rule_control, self.rule_path)
self.get_module_args_as_string())
@property
def rule_control(self):
if isinstance(self._control, list):
return '[' + ' '.join(self._control) + ']'
return self._control
@rule_control.setter
def rule_control(self, control):
if control.startswith('['):
control = control.replace(' = ', '=').replace('[', '').replace(']', '')
self._control = control.split(' ')
else:
self._control = control
@property
def rule_args(self):
if not self._args:
return []
return self._args
@rule_args.setter
def rule_args(self, args):
if isinstance(args, str):
args = args.replace(" = ", "=")
self._args = args.split(" ")
else:
self._args = args
@property
def line(self):
return str(self)
@classmethod
def is_action_unsigned_int(cls, string_num):
number = 0
try:
number = int(string_num)
except ValueError:
return False
if number >= 0:
return True
return False
def validate(self):
# Validate the rule type
if self.rule_type not in PamdRule.valid_types:
return False, "Rule type, " + self.rule_type + ", is not valid in rule " + self.line
# Validate the rule control
if isinstance(self.rule_control, str) and self.rule_control not in PamdRule.valid_simple_controls:
return False, "Rule control, " + self.rule_control + ", is not valid in rule " + self.line
elif isinstance(self.rule_control, list):
for control in self.rule_control:
value, action = control.split("=")
if value not in PamdRule.valid_control_values:
return False, "Rule control value, " + value + ", is not valid in rule " + self.line
if action not in PamdRule.valid_control_actions and not PamdRule.is_action_unsigned_int(action):
return False, "Rule control action, " + action + ", is not valid in rule " + self.line
# TODO: Validate path
return True, "Rule is valid " + self.line
# PamdService encapsulates an entire service and contains one or more rules # PamdService encapsulates an entire service and contains one or more rules. It seems the best way is to do this
# as a doubly linked list.
class PamdService(object): class PamdService(object):
def __init__(self, ansible=None): def __init__(self, content):
self._head = None
self._tail = None
for line in content.splitlines():
if line.lstrip().startswith('#'):
pamd_line = PamdComment(line)
elif line.lstrip().startswith('@include'):
pamd_line = PamdInclude(line)
elif line == '':
pamd_line = PamdLine(line)
else:
pamd_line = PamdRule.rule_from_string(line)
if ansible is not None: self.append(pamd_line)
self.check = ansible.check_mode
self.check = False
self.ansible = ansible
self.preamble = []
self.rules = []
self.fname = None
if ansible is not None:
self.path = self.ansible.params["path"]
self.name = self.ansible.params["name"]
def load_rules_from_file(self): def append(self, pamd_line):
self.fname = os.path.join(self.path, self.name) if self._head is None:
stringline = '' self._head = self._tail = pamd_line
try: else:
for line in open(self.fname, 'r'): pamd_line.prev = self._tail
stringline += line.rstrip().lstrip() pamd_line.next = None
stringline += '\n' self._tail.next = pamd_line
self.load_rules_from_string(stringline.replace("\\\n", "")) self._tail = pamd_line
except IOError as e: def remove(self, rule_type, rule_control, rule_path):
self.ansible.fail_json(msg='Unable to open/read PAM module \ current_line = self._head
file %s with error %s. And line %s' % changed = 0
(self.fname, to_native(e), stringline))
def load_rules_from_string(self, stringvalue): while current_line is not None:
for line in stringvalue.splitlines(): if current_line.matches(rule_type, rule_control, rule_path):
stringline = line.rstrip() if current_line.prev is not None:
if line.startswith('#') and not line.isspace(): current_line.prev.next = current_line.next
self.preamble.append(line.rstrip()) current_line.next.prev = current_line.prev
elif (not line.startswith('#') and else:
not line.isspace() and self._head = current_line.next
len(line) != 0): current_line.next.prev = None
try: changed += 1
self.ansible.log(msg="Creating rule from string %s" % stringline)
except AttributeError:
pass
self.rules.append(PamdRule.rulefromstring(stringline))
def write(self): current_line = current_line.next
if self.fname is None: return changed
self.fname = self.path + "/" + self.name
# If the file is a symbollic link, we'll write to the source.
pamd_file = os.path.realpath(self.fname)
temp_file = "/tmp/" + self.name + "_" + time.strftime("%y%m%d%H%M%S")
try:
f = open(temp_file, 'w')
f.write(str(self))
f.close()
except IOError:
self.ansible.fail_json(msg='Unable to create temporary \
file %s' % self.temp_file)
self.ansible.atomic_move(temp_file, pamd_file) def get(self, rule_type, rule_control, rule_path):
lines = []
current_line = self._head
while current_line is not None:
if isinstance(current_line, PamdRule) and current_line.matches(rule_type, rule_control, rule_path):
lines.append(current_line)
current_line = current_line.next
return lines
def has_rule(self, rule_type, rule_control, rule_path):
if self.get(rule_type, rule_control, rule_path):
return True
return False
def update_rule(self, rule_type, rule_control, rule_path,
new_type=None, new_control=None, new_path=None, new_args=None):
# Get a list of rules we want to change
rules_to_find = self.get(rule_type, rule_control, rule_path)
for current_rule in rules_to_find:
if new_type:
current_rule.rule_type = new_type
if new_control:
current_rule.rule_control = new_control
if new_path:
current_rule.rule_path = new_path
if new_args:
if isinstance(new_args, str):
new_args = new_args.replace(" = ", "=")
new_args = new_args.split(' ')
current_rule.rule_args = new_args
return len(rules_to_find)
def insert_before(self, rule_type, rule_control, rule_path,
new_type=None, new_control=None, new_path=None, new_args=None):
# Get a list of rules we want to change
rules_to_find = self.get(rule_type, rule_control, rule_path)
changed = 0
# There are two cases to consider.
# 1. The new rule doesn't exist before the existing rule
# 2. The new rule exists
for current_rule in rules_to_find:
# Create a new rule
new_rule = PamdRule(new_type, new_control, new_path, new_args)
# First we'll get the previous rule.
previous_rule = current_rule.prev
# Next we may have to loop backwards if the previous line is a comment. If it
# is, we'll get the previous "rule's" previous.
while previous_rule is not None and isinstance(previous_rule, PamdComment):
previous_rule = previous_rule.prev
# Next we'll see if the previous rule matches what we are trying to insert.
if previous_rule is not None and not previous_rule.matches(new_type, new_control, new_path):
# First set the original previous rule's next to the new_rule
previous_rule.next = new_rule
# Second, set the new_rule's previous to the original previous
new_rule.prev = previous_rule
# Third, set the new rule's next to the current rule
new_rule.next = current_rule
# Fourth, set the current rule's previous to the new_rule
current_rule.prev = new_rule
changed += 1
# Handle the case where it is the first rule in the list.
elif previous_rule is None:
# This is the case where the current rule is not only the first rule
# but the first line as well. So we set the head to the new rule
if current_rule.prev is None:
self._head = new_rule
# This case would occur if the previous line was a comment.
else:
current_rule.prev.next = new_rule
new_rule.prev = current_rule.prev
new_rule.next = current_rule
current_rule.prev = new_rule
changed += 1
return changed
def insert_after(self, rule_type, rule_control, rule_path,
new_type=None, new_control=None, new_path=None, new_args=None):
# Get a list of rules we want to change
rules_to_find = self.get(rule_type, rule_control, rule_path)
changed = 0
# There are two cases to consider.
# 1. The new rule doesn't exist after the existing rule
# 2. The new rule exists
for current_rule in rules_to_find:
# First we'll get the next rule.
next_rule = current_rule.next
# Next we may have to loop forwards if the next line is a comment. If it
# is, we'll get the next "rule's" next.
while next_rule is not None and isinstance(next_rule, PamdComment):
next_rule = next_rule.next
# First we create a new rule
new_rule = PamdRule(new_type, new_control, new_path, new_args)
if next_rule is not None and not next_rule.matches(new_type, new_control, new_path):
# If the previous rule doesn't match we'll insert our new rule.
# Second set the original next rule's previuous to the new_rule
next_rule.prev = new_rule
# Third, set the new_rule's next to the original next rule
new_rule.next = next_rule
# Fourth, set the new rule's previous to the current rule
new_rule.prev = current_rule
# Fifth, set the current rule's next to the new_rule
current_rule.next = new_rule
changed += 1
# This is the case where the current_rule is the last in the list
elif next_rule is None:
new_rule.prev = self._tail
new_rule.next = None
self._tail.next = new_rule
self._tail = new_rule
current_rule.next = new_rule
changed += 1
return changed
def add_module_arguments(self, rule_type, rule_control, rule_path, args_to_add):
# Get a list of rules we want to change
rules_to_find = self.get(rule_type, rule_control, rule_path)
changed = 0
for current_rule in rules_to_find:
if isinstance(args_to_add, str):
args_to_add = args_to_add.replace(" = ", "=")
args_to_add = args_to_add.split(' ')
if not args_to_add:
args_to_add = []
# Create a list of new args that aren't already present
new_args = [arg for arg in args_to_add if arg not in current_rule.rule_args]
# If there aren't any new args to add, we'll move on to the next rule
if not new_args:
continue
current_rule.rule_args = current_rule.rule_args + new_args
changed += 1
return changed
def remove_module_arguments(self, rule_type, rule_control, rule_path, args_to_remove):
# Get a list of rules we want to change
rules_to_find = self.get(rule_type, rule_control, rule_path)
changed = 0
for current_rule in rules_to_find:
if isinstance(args_to_remove, str):
args_to_remove = args_to_remove.replace(" = ", "=")
args_to_remove = args_to_remove.split(' ')
if not args_to_remove:
args_to_remove = []
# Let's check to see if there are any args to remove by finding the intersection
# of the rule's current args and the args_to_remove lists
if not list(set(current_rule.rule_args) & set(args_to_remove)):
continue
# There are args to remove, so we create a list of new_args absent the args
# to remove.
current_rule.rule_args = [arg for arg in current_rule.rule_args if arg not in args_to_remove]
changed += 1
return changed
def validate(self):
current_line = self._head
while current_line is not None:
if not current_line.is_valid()[0]:
return current_line.is_valid()
current_line = current_line.next
return True, "Module is valid"
def __str__(self): def __str__(self):
stringvalue = '' lines = []
previous_rule = None current_line = self._head
for amble in self.preamble:
stringvalue += amble
stringvalue += '\n'
for rule in self.rules: while current_line is not None:
if (previous_rule is not None and lines.append(str(current_line))
(previous_rule.rule_type.replace('-', '') != current_line = current_line.next
rule.rule_type.replace('-', ''))):
stringvalue += '\n'
stringvalue += str(rule).rstrip()
stringvalue += '\n'
previous_rule = rule
if stringvalue.endswith('\n'): if lines[1].startswith("# Updated by Ansible"):
stringvalue = stringvalue[:-1] lines.pop(1)
return stringvalue lines.insert(1, "# Updated by Ansible - " + datetime.now().isoformat())
return '\n'.join(lines)
def update_rule(service, old_rule, new_rule):
changed = False
change_count = 0
result = {'action': 'update_rule'}
for rule in service.rules:
if (old_rule.rule_type == rule.rule_type and
old_rule.rule_control == rule.rule_control and
old_rule.rule_module_path == rule.rule_module_path):
if (new_rule.rule_type is not None and
new_rule.rule_type != rule.rule_type):
rule.rule_type = new_rule.rule_type
changed = True
if (new_rule.rule_control is not None and
new_rule.rule_control != rule.rule_control):
rule.rule_control = new_rule.rule_control
changed = True
if (new_rule.rule_module_path is not None and
new_rule.rule_module_path != rule.rule_module_path):
rule.rule_module_path = new_rule.rule_module_path
changed = True
try:
if (new_rule.rule_module_args is not None and
new_rule.get_module_args_as_string() !=
rule.get_module_args_as_string()):
rule.rule_module_args = new_rule.rule_module_args
changed = True
except AttributeError:
pass
if changed:
result['updated_rule_' + str(change_count)] = str(rule)
result['new_rule'] = str(new_rule)
change_count += 1
result['change_count'] = change_count
return changed, result
def insert_before_rule(service, old_rule, new_rule):
index = 0
change_count = 0
result = {'action':
'insert_before_rule'}
changed = False
for rule in service.rules:
if (old_rule.rule_type == rule.rule_type and
old_rule.rule_control == rule.rule_control and
old_rule.rule_module_path == rule.rule_module_path):
if index == 0:
service.rules.insert(0, new_rule)
changed = True
elif (new_rule.rule_type != service.rules[index - 1].rule_type or
new_rule.rule_control !=
service.rules[index - 1].rule_control or
new_rule.rule_module_path !=
service.rules[index - 1].rule_module_path):
service.rules.insert(index, new_rule)
changed = True
if changed:
result['new_rule'] = str(new_rule)
result['before_rule_' + str(change_count)] = str(rule)
change_count += 1
index += 1
result['change_count'] = change_count
return changed, result
def insert_after_rule(service, old_rule, new_rule):
index = 0
change_count = 0
result = {'action': 'insert_after_rule'}
changed = False
for rule in service.rules:
if (old_rule.rule_type == rule.rule_type and
old_rule.rule_control == rule.rule_control and
old_rule.rule_module_path == rule.rule_module_path):
if (index == len(service.rules) - 1):
service.rules.insert(len(service.rules), new_rule)
changed = True
elif (new_rule.rule_type != service.rules[index + 1].rule_type or
new_rule.rule_control !=
service.rules[index + 1].rule_control or
new_rule.rule_module_path !=
service.rules[index + 1].rule_module_path):
service.rules.insert(index + 1, new_rule)
changed = True
if changed:
result['new_rule'] = str(new_rule)
result['after_rule_' + str(change_count)] = str(rule)
change_count += 1
index += 1
result['change_count'] = change_count
return changed, result
def remove_module_arguments(service, old_rule, module_args):
result = {'action': 'args_absent'}
changed = False
change_count = 0
for rule in service.rules:
if (old_rule.rule_type == rule.rule_type and
old_rule.rule_control == rule.rule_control and
old_rule.rule_module_path == rule.rule_module_path):
for arg_to_remove in module_args:
for arg in rule.rule_module_args:
if arg == arg_to_remove:
rule.rule_module_args.remove(arg)
changed = True
result['removed_arg_' + str(change_count)] = arg
result['from_rule_' + str(change_count)] = str(rule)
change_count += 1
result['change_count'] = change_count
return changed, result
def add_module_arguments(service, old_rule, module_args):
result = {'action': 'args_present'}
changed = False
change_count = 0
for rule in service.rules:
if (old_rule.rule_type == rule.rule_type and
old_rule.rule_control == rule.rule_control and
old_rule.rule_module_path == rule.rule_module_path):
for arg_to_add in module_args:
if "=" in arg_to_add:
pre_string = arg_to_add[:arg_to_add.index('=') + 1]
indicies = [i for i, arg
in enumerate(rule.rule_module_args)
if arg.startswith(pre_string)]
if len(indicies) == 0:
rule.rule_module_args.append(arg_to_add)
changed = True
result['added_arg_' + str(change_count)] = arg_to_add
result['to_rule_' + str(change_count)] = str(rule)
change_count += 1
else:
for i in indicies:
if rule.rule_module_args[i] != arg_to_add:
rule.rule_module_args[i] = arg_to_add
changed = True
result['updated_arg_' +
str(change_count)] = arg_to_add
result['in_rule_' +
str(change_count)] = str(rule)
change_count += 1
elif arg_to_add not in rule.rule_module_args:
rule.rule_module_args.append(arg_to_add)
changed = True
result['added_arg_' + str(change_count)] = arg_to_add
result['to_rule_' + str(change_count)] = str(rule)
change_count += 1
result['change_count'] = change_count
return changed, result
def remove_rule(service, old_rule):
result = {'action': 'absent'}
changed = False
change_count = 0
for rule in service.rules:
if (old_rule.rule_type == rule.rule_type and
old_rule.rule_control == rule.rule_control and
old_rule.rule_module_path == rule.rule_module_path):
service.rules.remove(rule)
changed = True
return changed, result
def main(): def main():
@ -611,7 +693,8 @@ def main():
state=dict(required=False, default="updated", state=dict(required=False, default="updated",
choices=['before', 'after', 'updated', choices=['before', 'after', 'updated',
'args_absent', 'args_present', 'absent']), 'args_absent', 'args_present', 'absent']),
path=dict(required=False, default='/etc/pam.d', type='str') path=dict(required=False, default='/etc/pam.d', type='str'),
backup=dict(default=False, type='bool')
), ),
supports_check_mode=True, supports_check_mode=True,
required_if=[ required_if=[
@ -626,66 +709,77 @@ def main():
] ]
) )
content = str()
fname = os.path.join(module.params["path"], module.params["name"])
backupdest = ""
# Open the file and read the content or fail
try:
with open(fname, 'r') as service_file_obj:
content = service_file_obj.read()
except IOError as e:
# If unable to read the file, fail out
module.fail_json(msg='Unable to open/read PAM module \
file %s with error %s.' %
(fname, str(e)))
service = module.params['name'] # Assuming we didnt fail, create the service
old_type = module.params['type'] service = PamdService(content)
old_control = module.params['control'] # Set the action
old_module_path = module.params['module_path'] action = module.params['state']
new_type = module.params['new_type'] # Take action
new_control = module.params['new_control'] if action == 'updated':
new_module_path = module.params['new_module_path'] changes = service.update_rule(module.params['type'], module.params['control'], module.params['module_path'],
module.params['new_type'], module.params['new_control'], module.params['new_module_path'],
module.params['module_arguments'])
elif action == 'before':
changes = service.insert_before(module.params['type'], module.params['control'], module.params['module_path'],
module.params['new_type'], module.params['new_control'], module.params['new_module_path'],
module.params['module_arguments'])
elif action == 'after':
changes = service.insert_after(module.params['type'], module.params['control'], module.params['module_path'],
module.params['new_type'], module.params['new_control'], module.params['new_module_path'],
module.params['module_arguments'])
elif action == 'args_absent':
changes = service.remove_module_arguments(module.params['type'], module.params['control'], module.params['module_path'],
module.params['module_arguments'])
elif action == 'args_present':
changes = service.add_module_arguments(module.params['type'], module.params['control'], module.params['module_path'],
module.params['module_arguments'])
elif action == 'absent':
changes = service.remove(module.params['type'], module.params['control'], module.params['module_path'])
module_arguments = module.params['module_arguments'] valid, msg = service.validate()
state = module.params['state']
path = module.params['path'] # If the module is not valid (meaning one of the rules is invalid), we will fail
if not valid:
module.fail_json(msg=msg)
pamd = PamdService(module) # If not check mode and something changed, backup the original if necessary then write out the file or fail
pamd.load_rules_from_file() if not module.check_mode and changes > 0:
pamd_file = os.path.realpath(fname)
# First, create a backup if desired.
if module.params['backup']:
backupdest = module.backup_local(fname)
print("BACKUP DEST", backupdest)
try:
temp_file = NamedTemporaryFile(mode='w')
with open(temp_file.name, 'w') as fd:
fd.write(str(service))
old_rule = PamdRule(old_type, except IOError:
old_control, module.fail_json(msg='Unable to create temporary \
old_module_path) file %s' % temp_file)
new_rule = PamdRule(new_type,
new_control,
new_module_path,
module_arguments)
if state == 'updated': module.atomic_move(temp_file.name, pamd_file)
change, result = update_rule(pamd,
old_rule,
new_rule)
elif state == 'before':
change, result = insert_before_rule(pamd,
old_rule,
new_rule)
elif state == 'after':
change, result = insert_after_rule(pamd,
old_rule,
new_rule)
elif state == 'args_absent':
change, result = remove_module_arguments(pamd,
old_rule,
module_arguments)
elif state == 'args_present':
change, result = add_module_arguments(pamd,
old_rule,
module_arguments)
elif state == 'absent':
change, result = remove_rule(pamd,
old_rule)
if not module.check_mode and change:
pamd.write()
facts = {} facts = {}
facts['pamd'] = {'changed': change, 'result': result} facts['pamd'] = {'changed': changes > 0,
'change_count': changes,
module.params['dest'] = pamd.fname 'action': action,
'backupdest': backupdest}
module.exit_json(changed=change, ansible_facts=facts)
module.exit_json(changed=changes > 0, ansible_facts=facts)
if __name__ == '__main__': if __name__ == '__main__':
main() main()

View file

@ -1,92 +1,98 @@
from __future__ import (absolute_import, division, print_function)
from ansible.compat.tests import unittest from ansible.compat.tests import unittest
from ansible.modules.system.pamd import PamdRule
from ansible.modules.system.pamd import PamdService
from ansible.modules.system.pamd import update_rule
from ansible.modules.system.pamd import insert_before_rule
from ansible.modules.system.pamd import insert_after_rule
from ansible.modules.system.pamd import remove_module_arguments
from ansible.modules.system.pamd import add_module_arguments
from ansible.modules.system.pamd import remove_rule
import re from ansible.modules.system.pamd import PamdRule
from ansible.modules.system.pamd import PamdLine
from ansible.modules.system.pamd import PamdComment
from ansible.modules.system.pamd import PamdInclude
from ansible.modules.system.pamd import PamdService
class PamdLineTestCase(unittest.TestCase):
def setUp(self):
self.pamd_line = PamdLine("This is a test")
def test_line(self):
self.assertEqual("This is a test", str(self.pamd_line))
def test_matches(self):
self.assertFalse(self.pamd_line.matches("test", "matches", "foo", "bar"))
class PamdIncludeTestCase(unittest.TestCase):
def setUp(self):
self.good_include = PamdInclude("@include foobar")
self.bad_include = PamdInclude("include foobar")
def test_line(self):
self.assertEqual("@include foobar", str(self.good_include))
def test_matches(self):
self.assertFalse(self.good_include.matches("something", "something", "dark", "side"))
def test_valid(self):
self.assertTrue(self.good_include.is_valid)
self.assertFalse(self.bad_include.is_valid)
class PamdCommentTestCase(unittest.TestCase):
def setUp(self):
self.good_comment = PamdComment("# This is a test comment")
self.bad_comment = PamdComment("This is a bad test comment")
def test_line(self):
self.assertEqual("# This is a test comment", str(self.good_comment))
def test_matches(self):
self.assertFalse(self.good_comment.matches("test", "matches", "foo", "bar"))
def test_valid(self):
self.assertTrue(self.good_comment.is_valid)
self.assertFalse(self.bad_comment.is_valid)
class PamdRuleTestCase(unittest.TestCase): class PamdRuleTestCase(unittest.TestCase):
def setUp(self):
self.rule = PamdRule('account', 'optional', 'pam_keyinit.so', 'revoke')
def test_simple(self): def test_type(self):
simple = "auth required pam_env.so".rstrip() self.assertEqual(self.rule.rule_type, 'account')
module = PamdRule.rulefromstring(stringline=simple)
module_string = re.sub(' +', ' ', str(module).replace('\t', ' '))
self.assertEqual(simple, module_string.rstrip())
self.assertEqual('', module.get_module_args_as_string())
def test_simple_more(self): def test_control(self):
simple = "auth required pam_tally2.so deny=5 onerr=fail".rstrip() self.assertEqual(self.rule.rule_control, 'optional')
module = PamdRule.rulefromstring(stringline=simple) self.assertEqual(self.rule._control, 'optional')
module_string = re.sub(' +', ' ', str(module).replace('\t', ' '))
self.assertEqual(simple, module_string.rstrip())
self.assertEqual('deny=5 onerr=fail',
module.get_module_args_as_string())
def test_complicated_rule(self): def test_path(self):
complicated = "-auth [default=1 success=ok] pam_localuser.so".rstrip() self.assertEqual(self.rule.rule_path, 'pam_keyinit.so')
module = PamdRule.rulefromstring(stringline=complicated)
module_string = re.sub(' +', ' ', str(module).replace('\t', ' '))
self.assertEqual(complicated, module_string.rstrip())
self.assertEqual('', module.get_module_args_as_string())
def test_more_complicated_rule(self): def test_args(self):
complicated = "auth" self.assertEqual(self.rule.rule_args, ['revoke'])
complicated += " [success=done ignore=ignore default=die]"
complicated += " pam_unix.so"
complicated += " try_first_pass".rstrip()
module = PamdRule.rulefromstring(stringline=complicated)
module_string = re.sub(' +', ' ', str(module).replace('\t', ' '))
self.assertEqual(complicated, module_string.rstrip())
self.assertEqual('try_first_pass', module.get_module_args_as_string())
def test_rule_with_arg(self): def test_valid(self):
line = "account optional pam_echo.so file=/etc/lockout.txt" self.assertTrue(self.rule.validate()[0])
module = PamdRule.rulefromstring(stringline=line)
self.assertEqual(module.rule_type, 'account')
self.assertEqual(module.rule_control, 'optional')
self.assertEqual(module.rule_module_path, 'pam_echo.so')
self.assertEqual(module.rule_module_args, ['file=/etc/lockout.txt'])
def test_rule_with_args(self):
line = "account optional pam_echo.so file1=/etc/lockout1.txt file2=/etc/lockout2.txt"
module = PamdRule.rulefromstring(stringline=line)
self.assertEqual(module.rule_type, 'account')
self.assertEqual(module.rule_control, 'optional')
self.assertEqual(module.rule_module_path, 'pam_echo.so')
self.assertEqual(module.rule_module_args, ['file1=/etc/lockout1.txt', 'file2=/etc/lockout2.txt'])
def test_less_than_in_args(self): class PamdRuleBadValidationTestCase(unittest.TestCase):
rule = "auth requisite pam_succeed_if.so uid >= 1025 quiet_success" def setUp(self):
module = PamdRule.rulefromstring(stringline=rule) self.bad_type = PamdRule('foobar', 'optional', 'pam_keyinit.so', 'revoke')
module_string = re.sub(' +', ' ', str(module).replace('\t', ' ')) self.bad_control_simple = PamdRule('account', 'foobar', 'pam_keyinit.so', 'revoke')
self.assertEqual(rule, module_string.rstrip()) self.bad_control_value = PamdRule('account', '[foobar=1 default=ignore]', 'pam_keyinit.so', 'revoke')
self.assertEqual('uid >= 1025 quiet_success', module.get_module_args_as_string()) self.bad_control_action = PamdRule('account', '[success=1 default=foobar]', 'pam_keyinit.so', 'revoke')
def test_trailing_comma(self): def test_validate_bad_type(self):
rule = "account required pam_access.so listsep=," self.assertFalse(self.bad_type.validate()[0])
module = PamdRule.rulefromstring(stringline=rule)
module_string = re.sub(' +', ' ', str(module).replace('\t', ' '))
self.assertEqual(rule, module_string.rstrip())
def test_slash_in_args(self): def test_validate_bad_control_simple(self):
rule = "auth sufficient /lib64/security/pam_duo.so".rstrip() self.assertFalse(self.bad_control_simple.validate()[0])
module = PamdRule.rulefromstring(stringline=rule)
module_string = re.sub(' +', ' ', str(module).replace('\t', ' '))
self.assertEqual(rule, module_string.rstrip())
self.assertEqual('', module.get_module_args_as_string())
def test_slash_in_args_more(self): def test_validate_bad_control_value(self):
rule = "auth [success=1 default=ignore] /lib64/security/pam_duo.so".rstrip() self.assertFalse(self.bad_control_value.validate()[0])
module = PamdRule.rulefromstring(stringline=rule)
module_string = re.sub(' +', ' ', str(module).replace('\t', ' ')) def test_validate_bad_control_action(self):
self.assertEqual(rule, module_string.rstrip()) self.assertFalse(self.bad_control_action.validate()[0])
self.assertEqual('', module.get_module_args_as_string())
class PamdServiceTestCase(unittest.TestCase): class PamdServiceTestCase(unittest.TestCase):
@ -94,182 +100,254 @@ class PamdServiceTestCase(unittest.TestCase):
self.system_auth_string = """#%PAM-1.0 self.system_auth_string = """#%PAM-1.0
# This file is auto-generated. # This file is auto-generated.
# User changes will be destroyed the next time authconfig is run. # User changes will be destroyed the next time authconfig is run.
auth \trequired\tpam_env.so @include common-auth
auth \tsufficient\tpam_unix.so nullok try_first_pass @include common-account
auth \trequisite\tpam_succeed_if.so uid @include common-session
auth \trequired\tpam_deny.so auth required pam_env.so
auth \tsufficient\tpam_rootok.so auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid
auth required pam_deny.so
# Test comment
auth sufficient pam_rootok.so
account \trequired\tpam_unix.so account required pam_unix.so
account \tsufficient\tpam_localuser.so account sufficient pam_localuser.so
account \tsufficient\tpam_succeed_if.so uid account sufficient pam_succeed_if.so uid
account [success=1 default=ignore] \ account [success=1 default=ignore] \
\t\t\t\tpam_succeed_if.so user = vagrant use_uid quiet pam_succeed_if.so user = vagrant use_uid quiet
account \trequired\tpam_permit.so account required pam_permit.so
account \trequired\tpam_access.so listsep=, account required pam_access.so listsep=,
session \tinclude\tsystem-auth session include system-auth
password \trequisite\tpam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password \tsufficient\tpam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password \trequired\tpam_deny.so password required pam_deny.so
session \toptional\tpam_keyinit.so revoke session optional pam_keyinit.so revoke
session \trequired\tpam_limits.so session required pam_limits.so
-session \toptional\tpam_systemd.so -session optional pam_systemd.so
session \t[success=1 default=ignore]\tpam_succeed_if.so service in crond quiet use_uid session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session \t[success=1 test=me default=ignore]\tpam_succeed_if.so service in crond quiet use_uid session [success=1 test=me default=ignore] pam_succeed_if.so service in crond quiet use_uid
session \trequired\tpam_unix.so session required pam_unix.so"""
@include \tcommon-auth
@include \tcommon-account
@include \tcommon-session"""
self.pamd = PamdService() self.simple_system_auth_string = """#%PAM-1.0
self.pamd.load_rules_from_string(self.system_auth_string) auth required pam_env.so
"""
self.pamd = PamdService(self.system_auth_string)
def test_properly_parsed(self):
num_lines = len(self.system_auth_string.splitlines()) + 1
num_lines_processed = len(str(self.pamd).splitlines())
self.assertEqual(num_lines, num_lines_processed)
def test_has_rule(self):
self.assertTrue(self.pamd.has_rule('account', 'required', 'pam_permit.so'))
self.assertTrue(self.pamd.has_rule('account', '[success=1 default=ignore]', 'pam_succeed_if.so'))
def test_doesnt_have_rule(self):
self.assertFalse(self.pamd.has_rule('account', 'requisite', 'pam_permit.so'))
# Test Update
def test_update_rule_type(self): def test_update_rule_type(self):
old_rule = PamdRule.rulefromstring('auth required pam_env.so') self.assertTrue(self.pamd.update_rule('session', 'optional', 'pam_keyinit.so', new_type='account'))
new_rule = PamdRule.rulefromstring('session required pam_env.so') self.assertTrue(self.pamd.has_rule('account', 'optional', 'pam_keyinit.so'))
update_rule(self.pamd, old_rule, new_rule) test_rule = PamdRule('account', 'optional', 'pam_keyinit.so', 'revoke')
self.assertIn(str(new_rule).rstrip(), str(self.pamd)) self.assertIn(str(test_rule), str(self.pamd))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))
def test_update_rule_that_doesnt_exist(self):
self.assertFalse(self.pamd.update_rule('blah', 'blah', 'blah', new_type='account'))
self.assertFalse(self.pamd.has_rule('blah', 'blah', 'blah'))
test_rule = PamdRule('blah', 'blah', 'blah', 'account')
self.assertNotIn(str(test_rule), str(self.pamd))
def test_update_rule_type_two(self):
self.assertTrue(self.pamd.update_rule('session', '[success=1 default=ignore]', 'pam_succeed_if.so', new_type='account'))
self.assertTrue(self.pamd.has_rule('account', '[success=1 default=ignore]', 'pam_succeed_if.so'))
test_rule = PamdRule('account', '[success=1 default=ignore]', 'pam_succeed_if.so')
self.assertIn(str(test_rule), str(self.pamd))
def test_update_rule_control_simple(self): def test_update_rule_control_simple(self):
old_rule = PamdRule.rulefromstring('auth required pam_env.so') self.assertTrue(self.pamd.update_rule('session', 'optional', 'pam_keyinit.so', new_control='required'))
new_rule = PamdRule.rulefromstring('auth sufficent pam_env.so') self.assertTrue(self.pamd.has_rule('session', 'required', 'pam_keyinit.so'))
update_rule(self.pamd, old_rule, new_rule) test_rule = PamdRule('session', 'required', 'pam_keyinit.so')
self.assertIn(str(new_rule).rstrip(), str(self.pamd)) self.assertIn(str(test_rule), str(self.pamd))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))
def test_update_rule_control_complex(self): def test_update_rule_control_complex(self):
old_rule = PamdRule.rulefromstring('session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid') self.assertTrue(self.pamd.update_rule('session',
new_rule = PamdRule.rulefromstring('session [success=2 test=me default=ignore] pam_succeed_if.so service in crond quiet use_uid') '[success=1 default=ignore]',
update_rule(self.pamd, old_rule, new_rule) 'pam_succeed_if.so',
self.assertIn(str(new_rule).rstrip(), str(self.pamd)) new_control='[success=2 test=me default=ignore]'))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd)) self.assertTrue(self.pamd.has_rule('session', '[success=2 test=me default=ignore]', 'pam_succeed_if.so'))
test_rule = PamdRule('session', '[success=2 test=me default=ignore]', 'pam_succeed_if.so')
self.assertIn(str(test_rule), str(self.pamd))
def test_update_rule_control_more_complex(self): def test_update_rule_control_more_complex(self):
old_rule = PamdRule.rulefromstring('session [success=1 test=me default=ignore] pam_succeed_if.so service in crond quiet use_uid')
new_rule = PamdRule.rulefromstring('session [success=2 test=me default=ignore] pam_succeed_if.so service in crond quiet use_uid') self.assertTrue(self.pamd.update_rule('session',
update_rule(self.pamd, old_rule, new_rule) '[success=1 test=me default=ignore]',
self.assertIn(str(new_rule).rstrip(), str(self.pamd)) 'pam_succeed_if.so',
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd)) new_control='[success=2 test=me default=ignore]'))
self.assertTrue(self.pamd.has_rule('session', '[success=2 test=me default=ignore]', 'pam_succeed_if.so'))
test_rule = PamdRule('session', '[success=2 test=me default=ignore]', 'pam_succeed_if.so')
self.assertIn(str(test_rule), str(self.pamd))
def test_update_rule_module_path(self): def test_update_rule_module_path(self):
old_rule = PamdRule.rulefromstring('auth required pam_env.so') self.assertTrue(self.pamd.update_rule('auth', 'required', 'pam_env.so', new_path='pam_limits.so'))
new_rule = PamdRule.rulefromstring('session required pam_limits.so') self.assertTrue(self.pamd.has_rule('auth', 'required', 'pam_limits.so'))
update_rule(self.pamd, old_rule, new_rule)
self.assertIn(str(new_rule).rstrip(), str(self.pamd))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))
def test_update_rule_module_path_slash(self): def test_update_rule_module_path_slash(self):
old_rule = PamdRule.rulefromstring('auth required pam_env.so') self.assertTrue(self.pamd.update_rule('auth', 'required', 'pam_env.so', new_path='/lib64/security/pam_duo.so'))
new_rule = PamdRule.rulefromstring('auth required /lib64/security/pam_duo.so') self.assertTrue(self.pamd.has_rule('auth', 'required', '/lib64/security/pam_duo.so'))
update_rule(self.pamd, old_rule, new_rule)
self.assertIn(str(new_rule).rstrip(), str(self.pamd))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))
def test_update_rule_module_args(self): def test_update_rule_module_args(self):
old_rule = PamdRule.rulefromstring('auth sufficient pam_unix.so nullok try_first_pass') self.assertTrue(self.pamd.update_rule('auth', 'sufficient', 'pam_unix.so', new_args='uid uid'))
new_rule = PamdRule.rulefromstring('auth sufficient pam_unix.so uid uid') test_rule = PamdRule('auth', 'sufficient', 'pam_unix.so', 'uid uid')
update_rule(self.pamd, old_rule, new_rule) self.assertIn(str(test_rule), str(self.pamd))
self.assertIn(str(new_rule).rstrip(), str(self.pamd))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd)) test_rule = PamdRule('auth', 'sufficient', 'pam_unix.so', 'nullok try_first_pass')
self.assertNotIn(str(test_rule), str(self.pamd))
def test_update_first_three(self): def test_update_first_three(self):
old_rule = PamdRule.rulefromstring('auth required pam_env.so') self.assertTrue(self.pamd.update_rule('auth', 'required', 'pam_env.so',
new_rule = PamdRule.rulefromstring('one two three') new_type='one', new_control='two', new_path='three'))
update_rule(self.pamd, old_rule, new_rule) self.assertTrue(self.pamd.has_rule('one', 'two', 'three'))
self.assertIn(str(new_rule).rstrip(), str(self.pamd))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))
def test_update_first_three_with_module_args(self): def test_update_first_three_with_module_args(self):
old_rule = PamdRule.rulefromstring('auth sufficient pam_unix.so nullok try_first_pass') self.assertTrue(self.pamd.update_rule('auth', 'sufficient', 'pam_unix.so',
new_rule = PamdRule.rulefromstring('one two three') new_type='one', new_control='two', new_path='three'))
update_rule(self.pamd, old_rule, new_rule) self.assertTrue(self.pamd.has_rule('one', 'two', 'three'))
self.assertIn(str(new_rule).rstrip(), str(self.pamd)) test_rule = PamdRule('one', 'two', 'three')
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd)) self.assertIn(str(test_rule), str(self.pamd))
self.assertIn(str(test_rule), str(self.pamd))
def test_update_all_four(self): def test_update_all_four(self):
old_rule = PamdRule.rulefromstring('auth sufficient pam_unix.so nullok try_first_pass') self.assertTrue(self.pamd.update_rule('auth', 'sufficient', 'pam_unix.so',
new_rule = PamdRule.rulefromstring('one two three four five') new_type='one', new_control='two', new_path='three',
update_rule(self.pamd, old_rule, new_rule) new_args='four five'))
self.assertIn(str(new_rule).rstrip(), str(self.pamd)) test_rule = PamdRule('one', 'two', 'three', 'four five')
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd)) self.assertIn(str(test_rule), str(self.pamd))
test_rule = PamdRule('auth', 'sufficient', 'pam_unix.so', 'nullok try_first_pass')
self.assertNotIn(str(test_rule), str(self.pamd))
def test_update_rule_with_slash(self):
self.assertTrue(self.pamd.update_rule('account', '[success=1 default=ignore]', 'pam_succeed_if.so',
new_type='session', new_path='pam_access.so'))
test_rule = PamdRule('session', '[success=1 default=ignore]', 'pam_access.so')
self.assertIn(str(test_rule), str(self.pamd))
# Insert Before
def test_insert_before_rule(self): def test_insert_before_rule(self):
old_rule = PamdRule.rulefromstring('account required pam_unix.so')
new_rule = PamdRule.rulefromstring('account required pam_permit.so')
insert_before_rule(self.pamd, old_rule, new_rule)
line_to_test = str(new_rule).rstrip()
line_to_test += '\n'
line_to_test += str(old_rule).rstrip()
self.assertIn(line_to_test, str(self.pamd))
count = self.pamd.insert_before('account', 'required', 'pam_access.so',
new_type='account', new_control='required', new_path='pam_limits.so')
self.assertEqual(count, 1)
rules = self.pamd.get("account", "required", "pam_access.so")
for current_rule in rules:
self.assertTrue(current_rule.prev.matches("account", "required", "pam_limits.so"))
def test_insert_before_rule_where_rule_doesnt_exist(self):
count = self.pamd.insert_before('account', 'sufficient', 'pam_access.so',
new_type='account', new_control='required', new_path='pam_limits.so')
self.assertFalse(count)
def test_insert_before_rule_with_args(self):
self.assertTrue(self.pamd.insert_before('account', 'required', 'pam_access.so',
new_type='account', new_control='required', new_path='pam_limits.so',
new_args='uid'))
rules = self.pamd.get("account", "required", "pam_access.so")
for current_rule in rules:
self.assertTrue(current_rule.prev.matches("account", "required", "pam_limits.so", 'uid'))
def test_insert_before_rule_test_duplicates(self):
self.assertTrue(self.pamd.insert_before('account', 'required', 'pam_access.so',
new_type='account', new_control='required', new_path='pam_limits.so'))
self.pamd.insert_before('account', 'required', 'pam_access.so',
new_type='account', new_control='required', new_path='pam_limits.so')
rules = self.pamd.get("account", "required", "pam_access.so")
for current_rule in rules:
previous_rule = current_rule.prev
self.assertTrue(previous_rule.matches("account", "required", "pam_limits.so"))
self.assertFalse(previous_rule.prev.matches("account", "required", "pam_limits.so"))
def test_insert_before_first_rule(self):
self.assertTrue(self.pamd.insert_before('auth', 'required', 'pam_env.so',
new_type='account', new_control='required', new_path='pam_limits.so'))
def test_insert_before_first_rule_simple(self):
simple_service = PamdService(self.simple_system_auth_string)
self.assertTrue(simple_service.insert_before('auth', 'required', 'pam_env.so',
new_type='account', new_control='required', new_path='pam_limits.so'))
# Insert After
def test_insert_after_rule(self): def test_insert_after_rule(self):
old_rule = PamdRule.rulefromstring('account required pam_unix.so') self.assertTrue(self.pamd.insert_after('account', 'required', 'pam_unix.so',
new_rule = PamdRule.rulefromstring('account required pam_permit.so arg1 arg2 arg3') new_type='account', new_control='required', new_path='pam_permit.so'))
insert_after_rule(self.pamd, old_rule, new_rule) rules = self.pamd.get("account", "required", "pam_unix.so")
line_to_test = str(old_rule).rstrip() for current_rule in rules:
line_to_test += '\n' self.assertTrue(current_rule.next.matches("account", "required", "pam_permit.so"))
line_to_test += str(new_rule).rstrip()
self.assertIn(line_to_test, str(self.pamd))
def test_insert_after_rule_another(self): def test_insert_after_rule_with_args(self):
old_rule = PamdRule.rulefromstring('auth sufficient pam_rootok.so') self.assertTrue(self.pamd.insert_after('account', 'required', 'pam_access.so',
new_rule = PamdRule.rulefromstring('auth required pam_wheel.so use_id') new_type='account', new_control='required', new_path='pam_permit.so',
insert_after_rule(self.pamd, old_rule, new_rule) new_args='uid'))
line_to_test = str(old_rule).rstrip() rules = self.pamd.get("account", "required", "pam_access.so")
line_to_test += '\n' for current_rule in rules:
line_to_test += str(new_rule).rstrip() self.assertTrue(current_rule.next.matches("account", "required", "pam_permit.so", "uid"))
self.assertIn(line_to_test, str(self.pamd))
def test_insert_after_test_duplicates(self):
self.assertTrue(self.pamd.insert_after('account', 'required', 'pam_access.so',
new_type='account', new_control='required', new_path='pam_permit.so',
new_args='uid'))
self.assertFalse(self.pamd.insert_after('account', 'required', 'pam_access.so',
new_type='account', new_control='required', new_path='pam_permit.so',
new_args='uid'))
rules = self.pamd.get("account", "required", "pam_access.so")
for current_rule in rules:
self.assertTrue(current_rule.next.matches("account", "required", "pam_permit.so", "uid"))
self.assertFalse(current_rule.next.next.matches("account", "required", "pam_permit.so", "uid"))
def test_insert_after_rule_last_rule(self): def test_insert_after_rule_last_rule(self):
old_rule = PamdRule.rulefromstring('session required pam_unix.so') self.assertTrue(self.pamd.insert_after('session', 'required', 'pam_unix.so',
new_rule = PamdRule.rulefromstring('session required pam_permit.so arg1 arg2 arg3') new_type='account', new_control='required', new_path='pam_permit.so',
insert_after_rule(self.pamd, old_rule, new_rule) new_args='uid'))
line_to_test = str(old_rule).rstrip() rules = self.pamd.get("session", "required", "pam_unix.so")
line_to_test += '\n' for current_rule in rules:
line_to_test += str(new_rule).rstrip() self.assertTrue(current_rule.next.matches("account", "required", "pam_permit.so", "uid"))
self.assertIn(line_to_test, str(self.pamd))
# Remove Module Arguments
def test_remove_module_arguments_one(self): def test_remove_module_arguments_one(self):
old_rule = PamdRule.rulefromstring('auth sufficient pam_unix.so nullok try_first_pass') self.assertTrue(self.pamd.remove_module_arguments('auth', 'sufficient', 'pam_unix.so', 'nullok'))
new_rule = PamdRule.rulefromstring('auth sufficient pam_unix.so try_first_pass')
args_to_remove = ['nullok'] def test_remove_module_arguments_one_list(self):
remove_module_arguments(self.pamd, old_rule, args_to_remove) self.assertTrue(self.pamd.remove_module_arguments('auth', 'sufficient', 'pam_unix.so', ['nullok']))
self.assertIn(str(new_rule).rstrip(), str(self.pamd))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))
def test_remove_module_arguments_two(self): def test_remove_module_arguments_two(self):
old_rule = PamdRule.rulefromstring('session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid') self.assertTrue(self.pamd.remove_module_arguments('session', '[success=1 default=ignore]', 'pam_succeed_if.so', 'service crond'))
new_rule = PamdRule.rulefromstring('session [success=1 default=ignore] pam_succeed_if.so in quiet use_uid')
args_to_remove = ['service', 'crond'] def test_remove_module_arguments_two_list(self):
remove_module_arguments(self.pamd, old_rule, args_to_remove) self.assertTrue(self.pamd.remove_module_arguments('session', '[success=1 default=ignore]', 'pam_succeed_if.so', ['service', 'crond']))
self.assertIn(str(new_rule).rstrip(), str(self.pamd))
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd)) def test_remove_module_arguments_where_none_existed(self):
self.assertTrue(self.pamd.add_module_arguments('session', 'required', 'pam_limits.so', 'arg1 arg2= arg3=arg3'))
def test_add_module_arguments_where_none_existed(self): def test_add_module_arguments_where_none_existed(self):
old_rule = PamdRule.rulefromstring('account required pam_unix.so') self.assertTrue(self.pamd.add_module_arguments('account', 'required', 'pam_unix.so', 'arg1 arg2= arg3=arg3'))
new_rule = PamdRule.rulefromstring('account required pam_unix.so arg1 arg2= arg3=arg3')
args_to_add = ['arg1', 'arg2=', 'arg3=arg3'] def test_add_module_arguments_where_none_existed_list(self):
add_module_arguments(self.pamd, old_rule, args_to_add) self.assertTrue(self.pamd.add_module_arguments('account', 'required', 'pam_unix.so', ['arg1', 'arg2=', 'arg3=arg3']))
self.assertIn(str(new_rule).rstrip(), str(self.pamd))
def test_add_module_arguments_where_some_existed(self): def test_add_module_arguments_where_some_existed(self):
old_rule = PamdRule.rulefromstring('auth sufficient pam_unix.so nullok try_first_pass') self.assertTrue(self.pamd.add_module_arguments('auth', 'sufficient', 'pam_unix.so', 'arg1 arg2= arg3=arg3'))
new_rule = PamdRule.rulefromstring('auth sufficient pam_unix.so nullok try_first_pass arg1 arg2= arg3=arg3')
args_to_add = ['arg1', 'arg2=', 'arg3=arg3']
add_module_arguments(self.pamd, old_rule, args_to_add)
self.assertIn(str(new_rule).rstrip(), str(self.pamd))
def test_remove_rule(self): def test_remove_rule(self):
old_rule = PamdRule.rulefromstring('account required pam_unix.so') self.assertTrue(self.pamd.remove('account', 'required', 'pam_unix.so'))
remove_rule(self.pamd, old_rule) test_rule = PamdRule('account', 'required', 'pam_unix.so')
self.assertNotIn(str(old_rule).rstrip(), str(self.pamd)) self.assertNotIn(str(test_rule), str(self.pamd))
def test_add_module_args_with_string(self):
old_rule = PamdRule.rulefromstring("account required pam_access.so")
new_rule = PamdRule.rulefromstring("account required pam_access.so listsep=,")
args_to_add = ['listsep=,']
add_module_arguments(self.pamd, old_rule, args_to_add)
self.assertIn(str(new_rule).rstrip(), str(self.pamd))