Add Regression Test to Verify Password Preservation (#362)

elainezhao1 · web-flow · commit 9f4387864a86 · 2025-08-07T13:48:42.000-07:00
Adds a regression test to ensure that an existing user’s password is not cleared when the Password field is omitted in the configuration. tested locally <img width="1094" height="239" alt="image" src="https://github.com/user-attachments/assets/eb5cab6f-5402-40e2-8bdd-fdc4b9b02220" /> --- ### **Checklist** - [ ] Tests added/updated - [ ] Documentation updated (if needed) - [ ] Code conforms to style guidelines Signed-off-by: Elaine Zhao <elainezhao@microsoft.com>
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go
@@ -314,3 +314,64 @@ func verifyPassword(t *testing.T, encryptedPassword string, plainTextPassword st
 
 	return assert.Equal(t, encryptedPassword, strings.TrimSpace(reencryptedPassword))
 }
+
+func TestCustomizeImageUsersExitingUserPassword(t *testing.T) {
+	baseImage, _ := checkSkipForCustomizeDefaultImage(t)
+
+	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageUsersExitingUserPassword")
+
+	buildDir := filepath.Join(testTmpDir, "build")
+	outImageFilePath := filepath.Join(testTmpDir, "image.raw")
+
+	// Create an image with a user that has an initial password.
+	passwordValue := "pass"
+	configWithPassword := imagecustomizerapi.Config{
+		OS: &imagecustomizerapi.OS{
+			Users: []imagecustomizerapi.User{
+				{
+					Name: "testuser",
+					Password: &imagecustomizerapi.Password{
+						Type:  "plain-text",
+						Value: passwordValue,
+					},
+				},
+			},
+		},
+	}
+
+	err := CustomizeImage(t.Context(), buildDir, testDir, &configWithPassword, baseImage, nil, outImageFilePath, "raw",
+		false, "" /*packageSnapshotTime*/)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	// Run customization again without providing a password.
+	configWithoutPassword := imagecustomizerapi.Config{
+		OS: &imagecustomizerapi.OS{
+			Users: []imagecustomizerapi.User{
+				{
+					Name:          "testuser",
+					SSHPublicKeys: []string{"ssh-rsa abc123"},
+				},
+			},
+		},
+	}
+
+	err = CustomizeImage(t.Context(), buildDir, testDir, &configWithoutPassword, outImageFilePath, nil, outImageFilePath, "raw",
+		false, "" /*packageSnapshotTime*/)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	// Verify that password was not cleared.
+	imageConnection, err := connectToCoreEfiImage(buildDir, outImageFilePath)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer imageConnection.Close()
+
+	shadowEntry, err := userutils.GetShadowFileEntryForUser(imageConnection.Chroot().RootDir(), "testuser")
+	if assert.NoError(t, err) {
+		verifyPassword(t, shadowEntry.EncryptedPassword, passwordValue)
+	}
+}
