tests: Add an actual integration test

martinpitt · martinpitt · commit 13bf2dd44166 · 2025-06-06T14:15:51.000+02:00
tests_default.yml doesn't actually do anything other than making sure
that the role succees. It does not have any assertions.

Add tests_all_settings.yml based on examples/playbook_with_vars.yml
which validates that the role has the desired effect.

This uncovers a bug that the custom authselect policy is not applied
properly.
diff --git a/tests/tests_all_settings.yml b/tests/tests_all_settings.yml
@@ -0,0 +1,70 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Test role with all settings
+  hosts: all
+
+  tasks:
+    - name: Run the role
+      include_role:
+        name: linux-system-roles.pam_pwd
+      vars:
+        # /etc/security/pwquality.conf settings
+        pam_pwd_minlen: "12"
+        pam_pwd_dcredit: "-1"
+        pam_pwd_ucredit: "-2"
+        pam_pwd_lcredit: "-3"
+        pam_pwd_ocredit: "-4"
+        pam_pwd_minclass: "4"
+
+        # PAM config settings
+        pam_pwd_history: "10"
+        pam_pwd_enforce_root: "enforce_for_root"
+
+        # /etc/security/faillock.conf settings
+        pam_pwd_deny: "5"
+        pam_pwd_unlock_time: "300"
+
+    - name: Get custom settings from pwquality.conf
+      command: sed -n '/^# BEGIN ANSIBLE MANAGED BLOCK/,/^END ANSIBLE MANAGED BLOCK/ p' /etc/security/pwquality.conf
+      register: pwquality_conf
+      changed_when: false
+
+    - name: Check pwquality.conf settings
+      assert:
+        that:
+          - "'minlen = 12' in pwquality_conf.stdout_lines"
+          - "'dcredit = -1' in pwquality_conf.stdout_lines"
+          - "'ucredit = -2' in pwquality_conf.stdout_lines"
+          - "'lcredit = -3' in pwquality_conf.stdout_lines"
+          - "'ocredit = -4' in pwquality_conf.stdout_lines"
+          - "'minclass = 4' in pwquality_conf.stdout_lines"
+
+    - name: Read PAM config files
+      command: "cat {{ item }}"
+      register: pam_conf
+      changed_when: false
+      loop:
+        # settings should be in our custom policy
+        - /etc/authselect/custom/password-policy/password-auth
+        - /etc/authselect/custom/password-policy/system-auth
+        # /etc/pam.d/* are authselect symlinks, also check the effective end result
+        - /etc/pam.d/password-auth
+        - /etc/pam.d/system-auth
+
+    - name: Verify PAM config file settings
+      assert:
+        that:
+          - item.stdout is search('pam_pwhistory.so.*remember=10')
+          - item.stdout is search('pam_pwquality.so.*enforce_for_root')
+      loop: "{{ pam_conf.results }}"
+
+    - name: Get faillock.conf settings
+      command: cat /etc/security/faillock.conf
+      register: faillock_conf
+      changed_when: false
+
+    - name: Check faillock.conf settings
+      assert:
+        that:
+          - "'deny=5' in faillock_conf.stdout_lines"
+          - "'unlock_time=300' in faillock_conf.stdout_lines"
