added password prompt support for machinectl #4849

Merged
merged 5 commits into from
Jul 8, 2022
Changes from 4 commits
@@ -0,0 +1,2 @@
minor_changes:
- machinectl become plugin - can now be used with a password from another user than root, if a polkit rule is present (https://github.com/ansible-collections/community.general/pull/4849).
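Review bot: "with a password from another user than root" in this entry does not say which user is meant, the connecting user or the become target. The notes added to machinectl.py read as if it is the connecting user who is not root, so wording such as "can now be used by a connecting user other than root, who is prompted for their own password, if a polkit rule is present" would be clearer, and it should say that the rule has to exist on the managed host.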
42 changes: 42 additions & 0 deletions plugins/become/machinectl.py
Expand Up @@ -66,15 +66,45 @@
ini:
- section: machinectl_become_plugin
key: password
notes:
- When not using this plugin with user C(root), it only works correctly with a polkit rule which will alter
the behaviour of machinectl. This rule must alter the prompt behaviour to ask directly for the user credentials,
if the user is allowed to perform the action (take a look at the examples section).
If such a rule is not present the plugin only work if it is used in context with the root user,
because then no further prompt will be shown by machinectl.
'''

EXAMPLES = r'''
# A polkit rule needed to use the module with a non-root user.
# See the Notes section for details.
60-machinectl-fast-user-auth.rules: |
polkit.addRule(function(action, subject) {
if(action.id == "org.freedesktop.machine1.host-shell" && subject.isInGroup("wheel")) {
return polkit.Result.AUTH_SELF_KEEP;
}
});
'''

from re import compile as re_compile

from ansible.plugins.become import BecomeBase
from ansible.module_utils._text import to_bytes


class BecomeModule(BecomeBase):

name = 'community.general.machinectl'

prompt = 'Password: '
fail = ('==== AUTHENTICATION FAILED ====',)
success = ('==== AUTHENTICATION COMPLETE ====',)

@staticmethod
def remove_ansi_codes(line):
# taken from https://stackoverflow.com/a/38662876/9531111
ansi_escape = re_compile(to_bytes(r'(?:\x1B[@-_]|[\x80-\x9F])[0-?]*[ -/]*[@-~]'))
return ansi_escape.sub(b"", line)

def build_become_command(self, cmd, shell):
super(BecomeModule, self).build_become_command(cmd, shell)
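Review bot: the rule in EXAMPLES tests only action.id and subject.isInGroup("wheel"), so it returns polkit.Result.AUTH_SELF_KEEP for a host shell as any target user, root included, and the notes block does not spell that out. With this rule a wheel member authenticates with their own password instead of an administrator's, and the KEEP variant retains the authorization for a short period afterwards. I would state that trade-off in the notes and mention that the rule can be narrowed, for example to a dedicated group. Smaller points in the same hunk: "the plugin only work" should read "only works", the example comment says "module" where "plugin" is meant, and remove_ansi_codes calls re_compile on every check where a pattern compiled once at module level would do.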

Expand All @@ -86,3 +116,15 @@ def build_become_command(self, cmd, shell):
flags = self.get_option('become_flags')
user = self.get_option('become_user')
return '%s -q shell %s %s@ %s' % (become, flags, user, cmd)

def check_success(self, b_output):
b_output = self.remove_ansi_codes(b_output)
return super().check_success(b_output)

def check_incorrect_password(self, b_output):
b_output = self.remove_ansi_codes(b_output)
return super().check_incorrect_password(b_output)

def check_missing_password(self, b_output):
b_output = self.remove_ansi_codes(b_output)
return super().check_missing_password(b_output)
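Review bot: the three new overrides call super() with no arguments, while build_become_command just above uses super(BecomeModule, self). If this plugin still has to load on a Python 2 controller, the zero-argument form raises TypeError there; in any case the file should use one form throughout. A short comment on why the output is stripped before matching (machinectl wraps the "==== AUTHENTICATION ... ====" lines in ANSI escape sequences, going by remove_ansi_codes) would also help the next reader.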