authorJohn Estabrook <jestabro@vyos.io>2024-02-17 19:10:58 -0600
committerGitHub <noreply@github.com>2024-02-17 19:10:58 -0600
commit3230d09c292c89eddd34e33fda9570042e92e1fd (patch)
treee07054babc9379e70cc8e49432b4f01f3dc36d08
parent64f5195abb899b9dc9ce9d7b96c59d5faabf6c0a (diff)
parentd6b02f6e3619de39a77403e4bb1bb684ee5ce3c3 (diff)
Merge pull request #3023 from vyos/mergify/bp/sagitta/pr-3019
login: T5972: add possibility to disable individual local user accounts (backport #3019)
-rw-r--r--interface-definitions/system_login.xml.in1
-rwxr-xr-xsmoketest/scripts/cli/test_system_login.py27
-rwxr-xr-xsrc/conf_mode/system_login.py6
3 files changed, 28 insertions, 6 deletions
diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in
index 672c4afc8..a59f54005 100644
--- a/interface-definitions/system_login.xml.in
+++ b/interface-definitions/system_login.xml.in
@@ -172,6 +172,7 @@
</tagNode>
</children>
</node>
+ #include <include/generic-disable-node.xml.i>
<leafNode name="full-name">
<properties>
<help>Full name of the user (use quotes for names with spaces)</help>
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index 195b127a4..d93ad952f 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2023 VyOS maintainers and contributors
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -15,12 +15,12 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import re
-import platform
import unittest
import paramiko
from base_vyostest_shim import VyOSUnitTestSHIM
+from gzip import GzipFile
from subprocess import Popen, PIPE
from pwd import getpwall
from time import sleep
@@ -98,8 +98,8 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
for user in users:
- cmd = ['su','-', user]
- proc = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ tmp = ['su','-', user]
+ proc = Popen(tmp, stdin=PIPE, stdout=PIPE, stderr=PIPE)
tmp = "{}\nuname -a".format(user)
proc.stdin.write(tmp.encode())
proc.stdin.flush()
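Review bot: `tmp` holds the `su` argument list on the first added line and is rebound to the stdin string two lines later, which makes the loop harder to follow. The rename away from `cmd` presumably avoids shadowing a `cmd()` helper that the later hunk calls. A descriptive name keeps that benefit, e.g. `su_cmd = ['su', '-', user]` and `proc = Popen(su_cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)`. The enclosing test method starts and ends outside this hunk.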
@@ -109,6 +109,22 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
# b'Linux LR1.wue3 5.10.61-amd64-vyos #1 SMP Fri Aug 27 08:55:46 UTC 2021 x86_64 GNU/Linux\n'
self.assertTrue(len(stdout) > 40)
+ locked_user = users[0]
+ # disable the first user in list
+ self.cli_set(base_path + ['user', locked_user, 'disable'])
+ self.cli_commit()
+ # check if account is locked
+ tmp = cmd(f'sudo passwd -S {locked_user}')
+ self.assertIn(f'{locked_user} L ', tmp)
+
+ # unlock account
+ self.cli_delete(base_path + ['user', locked_user, 'disable'])
+ self.cli_commit()
+ # check if account is unlocked
+ tmp = cmd(f'sudo passwd -S {locked_user}')
+ self.assertIn(f'{locked_user} P ', tmp)
+
+
def test_system_login_otp(self):
otp_user = 'otp-test_user'
otp_password = 'SuperTestPassword'
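Review bot: The added lock/unlock checks assert only the status field printed by `passwd -S` (`L` / `P`), so they verify that the password is locked, not that the disabled user is actually refused a login. Because `usermod --lock` only changes the stored password hash, the test would be stronger with an assertion that an authentication attempt for `locked_user` fails while `disable` is set and succeeds again after it is deleted; the file already imports paramiko, which could be used for that. A short comment such as `# passwd -S status field: L = locked password, P = usable password` would also explain the two magic letters. The test method these lines are appended to starts outside the hunk.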
@@ -148,8 +164,7 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
def test_radius_kernel_features(self):
# T2886: RADIUS requires some Kernel options to be present
- kernel = platform.release()
- kernel_config = read_file(f'/boot/config-{kernel}')
+ kernel_config = GzipFile('/proc/config.gz').read().decode('UTF-8')
# T2886 - RADIUS authentication - check for statically compiled options
options = ['CONFIG_AUDIT', 'CONFIG_AUDITSYSCALL', 'CONFIG_AUDIT_ARCH']
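Review bot: `GzipFile('/proc/config.gz').read()` never closes the file object; a context manager would release it deterministically: `with GzipFile('/proc/config.gz') as f:` followed by `kernel_config = f.read().decode('UTF-8')`. The new source also exists only when the running kernel exposes its config under /proc, so on an image without it the test would error with a file-not-found exception instead of failing on a clear assertion. A one-line comment stating that requirement would help. The rest of `test_radius_kernel_features` lies outside the hunk.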
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 30e823bd4..cff0c5039 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -367,6 +367,12 @@ def apply(login):
if os.path.exists(f'{home_dir}/.google_authenticator'):
os.remove(f'{home_dir}/.google_authenticator')
+ # Lock/Unlock local user account
+ lock_unlock = '--unlock'
+ if 'disable' in user_config:
+ lock_unlock = '--lock'
+ cmd(f'usermod {lock_unlock} {user}')
+
if 'rm_users' in login:
for user in login['rm_users']:
try:
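Review bot: `usermod --lock` only disables the password (it prefixes the stored hash with `!`), so a disabled user who has SSH public keys configured may still be able to authenticate, depending on the sshd/PAM setup. usermod(8) recommends also expiring the account for a full lock, e.g. `cmd(f'usermod --lock --expiredate 1 {user}')`, with `--expiredate ''` on the unlock path. Separately, `--unlock` now runs on every commit for every user without `disable`, and usermod refuses to unlock an account that would end up passwordless. If `cmd()` raises on a non-zero exit, a key-only user could make the commit fail, which is worth confirming. The per-user loop and `apply()` start and end outside this hunk.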