user - allow local users with an expiry date to be created (ansible#7…

…2022) The luseradd / lusermod commands do not support the -e option. Set the expiry time in this case via lchage after the user was created / modified. Fixes: ansible#71942 In Python3 math.floor returns an integer whereas Python2 returns a float. Hence always convert the result of math.floor to an int to ensure that lexpires is an integer. Move local expires tests in a separate file and import the tasks to the main.yml to keep main.yml smaller. (cherry picked from commit a7170da)
rpluem-vf · Oct 2, 2020 · dbb364e · dbb364e
1 parent 9a1ca02
commit dbb364e
Show file tree

Hide file tree

Showing 4 changed files with 392 additions and 11 deletions.
diff --git a/changelogs/fragments/fix_ansible_issue_71942.yaml b/changelogs/fragments/fix_ansible_issue_71942.yaml
@@ -0,0 +1,5 @@
+bugfixes:
+  - >
+     user - Local users with an expiry date cannot be created as the ``luseradd`` /
+     ``lusermod`` commands do not support the ``-e`` option. Set the expiry time in
+     this case via ``lchage`` after the user was created / modified. (https://github.com/ansible/ansible/issues/71942)
diff --git a/lib/ansible/modules/system/user.py b/lib/ansible/modules/system/user.py
@@ -418,6 +418,7 @@
 import socket
 import subprocess
 import time
+import math
 
 from ansible.module_utils import distro
 from ansible.module_utils.basic import load_platform_subclass, AnsibleModule
@@ -577,6 +578,7 @@ def create_user_useradd(self):
 
         if self.local:
             command_name = 'luseradd'
+            lchage_cmd = self.module.get_bin_path('lchage', True)
         else:
             command_name = 'useradd'
 
@@ -643,7 +645,7 @@ def create_user_useradd(self):
             cmd.append('-s')
             cmd.append(self.shell)
 
-        if self.expires is not None:
+        if self.expires is not None and not self.local:
             cmd.append('-e')
             if self.expires < time.gmtime(0):
                 cmd.append('')
@@ -668,7 +670,24 @@ def create_user_useradd(self):
             cmd.append('-r')
 
         cmd.append(self.name)
-        return self.execute_command(cmd)
+
+        (rc, err, out) = self.execute_command(cmd)
+        if not self.local or rc != 0:
+            return (rc, err, out)
+
+        if self.expires is not None:
+            if self.expires < time.gmtime(0):
+                lexpires = -1
+            else:
+                # Convert seconds since Epoch to days since Epoch
+                lexpires = int(math.floor(self.module.params['expires'])) // 86400
+            (rc, _err, _out) = self.execute_command([lchage_cmd, '-E', to_native(lexpires), self.name])
+            out += _out
+            err += _err
+            if rc != 0:
+                return (rc, out, err)
+
+        return (rc, out, err)
 
     def _check_usermod_append(self):
         # check if this version of usermod can append groups
@@ -701,6 +720,8 @@ def modify_user_usermod(self):
 
         if self.local:
             command_name = 'lusermod'
+            lchage_cmd = self.module.get_bin_path('lchage', True)
+            lexpires = None
         else:
             command_name = 'usermod'
 
@@ -775,16 +796,23 @@ def modify_user_usermod(self):
 
             if self.expires < time.gmtime(0):
                 if current_expires >= 0:
-                    cmd.append('-e')
-                    cmd.append('')
+                    if self.local:
+                        lexpires = -1
+                    else:
+                        cmd.append('-e')
+                        cmd.append('')
             else:
                 # Convert days since Epoch to seconds since Epoch as struct_time
                 current_expire_date = time.gmtime(current_expires * 86400)
 
                 # Current expires is negative or we compare year, month, and day only
                 if current_expires < 0 or current_expire_date[:3] != self.expires[:3]:
-                    cmd.append('-e')
-                    cmd.append(time.strftime(self.DATE_FORMAT, self.expires))
+                    if self.local:
+                        # Convert seconds since Epoch to days since Epoch
+                        lexpires = int(math.floor(self.module.params['expires'])) // 86400
+                    else:
+                        cmd.append('-e')
+                        cmd.append(time.strftime(self.DATE_FORMAT, self.expires))
 
         # Lock if no password or unlocked, unlock only if locked
         if self.password_lock and not info[1].startswith('!'):
@@ -797,12 +825,24 @@ def modify_user_usermod(self):
             cmd.append('-p')
             cmd.append(self.password)
 
-        # skip if no changes to be made
-        if len(cmd) == 1:
-            return (None, '', '')
+        (rc, err, out) = (None, '', '')
 
-        cmd.append(self.name)
-        return self.execute_command(cmd)
+        # skip if no usermod changes to be made
+        if len(cmd) > 1:
+            cmd.append(self.name)
+            (rc, err, out) = self.execute_command(cmd)
+
+        if not self.local or not (rc is None or rc == 0):
+            return (rc, err, out)
+
+        if lexpires is not None:
+            (rc, _err, _out) = self.execute_command([lchage_cmd, '-E', to_native(lexpires), self.name])
+            out += _out
+            err += _err
+            if rc != 0:
+                return (rc, out, err)
+
+        return (rc, out, err)
 
     def group_exists(self, group):
         try: