authorChristian Breunig <christian@breunig.cc>2024-02-16 12:52:36 +0100
committerChristian Breunig <christian@breunig.cc>2024-02-16 15:51:47 +0100
commit6e0b146ed3b90da577c3ecba38836883fd435e7a (patch)
tree0665d10a1a81acc5aff22d287c978e7bc4acd870
parent71497e76c9cf0724581505f50e8b78b6e1c47316 (diff)
login: T5972: add possibility to disable individual local user accounts
* set system login user <name> disable
-rw-r--r--interface-definitions/system_login.xml.in1
-rwxr-xr-xsmoketest/scripts/cli/test_system_login.py27
-rwxr-xr-xsrc/conf_mode/system_login.py6
3 files changed, 28 insertions, 6 deletions
diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in
index 44e1a7a92..e94bb7219 100644
--- a/interface-definitions/system_login.xml.in
+++ b/interface-definitions/system_login.xml.in
@@ -172,6 +172,7 @@
</tagNode>
</children>
</node>
+ #include <include/generic-disable-node.xml.i>
<leafNode name="full-name">
<properties>
<help>Full name of the user (use quotes for names with spaces)</help>
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index 195b127a4..d93ad952f 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2023 VyOS maintainers and contributors
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -15,12 +15,12 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import re
-import platform
import unittest
import paramiko
from base_vyostest_shim import VyOSUnitTestSHIM
+from gzip import GzipFile
from subprocess import Popen, PIPE
from pwd import getpwall
from time import sleep
@@ -98,8 +98,8 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
for user in users:
- cmd = ['su','-', user]
- proc = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ tmp = ['su','-', user]
+ proc = Popen(tmp, stdin=PIPE, stdout=PIPE, stderr=PIPE)
tmp = "{}\nuname -a".format(user)
proc.stdin.write(tmp.encode())
proc.stdin.flush()
@@ -109,6 +109,22 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
# b'Linux LR1.wue3 5.10.61-amd64-vyos #1 SMP Fri Aug 27 08:55:46 UTC 2021 x86_64 GNU/Linux\n'
self.assertTrue(len(stdout) > 40)
+ locked_user = users[0]
+ # disable the first user in list
+ self.cli_set(base_path + ['user', locked_user, 'disable'])
+ self.cli_commit()
+ # check if account is locked
+ tmp = cmd(f'sudo passwd -S {locked_user}')
+ self.assertIn(f'{locked_user} L ', tmp)
+
+ # unlock account
+ self.cli_delete(base_path + ['user', locked_user, 'disable'])
+ self.cli_commit()
+ # check if account is unlocked
+ tmp = cmd(f'sudo passwd -S {locked_user}')
+ self.assertIn(f'{locked_user} P ', tmp)
+
+
def test_system_login_otp(self):
otp_user = 'otp-test_user'
otp_password = 'SuperTestPassword'
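Review bot: The added assertions only inspect the status column of `passwd -S` (`L` / `P`), which reports the password lock flag and not whether the disabled account is actually refused at login. A regression that leaves another authentication path open, for example SSH public keys, would still pass. Consider adding a login attempt for `locked_user` after the `disable` commit and asserting that it is rejected, or at least record the limitation with `# NOTE: passwd -S only reports the password lock state, not whether login is refused`. The `assertIn` is also a substring match, so `f'{locked_user} L '` would match any longer username ending in the same text; comparing `tmp.split()[:2]` against `[locked_user, 'L']` avoids that. The enclosing test method starts outside the hunk.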
@@ -148,8 +164,7 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
def test_radius_kernel_features(self):
# T2886: RADIUS requires some Kernel options to be present
- kernel = platform.release()
- kernel_config = read_file(f'/boot/config-{kernel}')
+ kernel_config = GzipFile('/proc/config.gz').read().decode('UTF-8')
# T2886 - RADIUS authentication - check for statically compiled options
options = ['CONFIG_AUDIT', 'CONFIG_AUDITSYSCALL', 'CONFIG_AUDIT_ARCH']
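Review bot: `GzipFile('/proc/config.gz').read()` in test_radius_kernel_features never closes the file object, which leaves an open handle and typically a ResourceWarning in the unittest run. Use a context manager, `with GzipFile('/proc/config.gz') as f:` followed by `kernel_config = f.read().decode('UTF-8')`. The test now also depends on the running kernel exposing `/proc/config.gz`. If that file is absent, the test errors with FileNotFoundError instead of reporting missing options, so a short comment naming that requirement would help. The method body continues outside the hunk.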
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 3d16bdb4a..49306c894 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -367,6 +367,12 @@ def apply(login):
if os.path.exists(f'{home_dir}/.google_authenticator'):
os.remove(f'{home_dir}/.google_authenticator')
+ # Lock/Unlock local user account
+ lock_unlock = '--unlock'
+ if 'disable' in user_config:
+ lock_unlock = '--lock'
+ cmd(f'usermod {lock_unlock} {user}')
+
if 'rm_users' in login:
for user in login['rm_users']:
try:
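Review bot: `usermod --lock` in the block added to apply() only puts a `!` in front of the stored password hash, so `disable` blocks password logins but, depending on the sshd/PAM configuration, may leave SSH public-key authentication working for a user the operator believes is disabled. The usermod manual advises also expiring the account when the whole account is to be locked, e.g. `cmd(f'usermod --lock --expiredate 1 {user}')` on disable and `cmd(f"usermod --unlock --expiredate '' {user}")` otherwise. Separately, `--unlock` now runs on every commit for every user without `disable`. For an account whose password field is only `!` (presumably key-only users) usermod refuses to unlock, so it is worth confirming that this cannot make the commit fail. apply() starts and ends outside the hunk.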