

Ansible macro for PAM more robust for variables
There are PAM related rules where more than one control is allowed for
a specific PAM module. In this case, an Ansible variable is passed to
the macro including filters, such as in rule
accounts_password_pam_pwhistory_remember_password_auth. The respective
macros were updated to properly deal with these cases.
marcusburghardt committed Jul 10, 2024
1 parent 6e8295a commit 4376311
Showing 1 changed file with 19 additions and 7 deletions.
26 changes: 19 additions & 7 deletions shared/macros/10-ansible.jinja
Expand Up @@ -1421,10 +1421,14 @@ Part of the grub2_bootloader_argument_absent template.

#}}
{{%- macro ansible_ensure_pam_module_line(pam_file, group, control, module, after_match='') -%}}
- name: '{{{ rule_title }}} - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: "{{{ control }}}"

- name: '{{{ rule_title }}} - Check if expected PAM module line is present in {{{ pam_file }}}'
ansible.builtin.lineinfile:
path: "{{{ pam_file }}}"
regexp: ^\s*{{{ group }}}\s+{{ '{{{ control }}}' | regex_escape() }}\s+{{{ module }}}\s*.*
regexp: ^\s*{{{ group }}}\s+{{ pam_module_control | regex_escape() }}\s+{{{ module }}}\s*.*
state: absent
check_mode: yes
changed_when: false
Expand All @@ -1445,7 +1449,7 @@ Part of the grub2_bootloader_argument_absent template.
ansible.builtin.replace:
dest: "{{{ pam_file }}}"
regexp: '^(\s*{{{ group }}}\s+).*(\b{{{ module }}}.*)'
replace: '\1{{{ control }}} \2'
replace: "\1{{ pam_module_control }} \2"
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
Expand All @@ -1456,7 +1460,7 @@ Part of the grub2_bootloader_argument_absent template.
{{%- if after_match != '' %}}
insertafter: {{{ after_match }}}
{{%- endif %}}
line: {{{ group }}} {{{ control }}} {{{ module }}}
line: "{{{ group }}} {{ pam_module_control }} {{{ module }}}"
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1
Expand Down Expand Up @@ -1496,10 +1500,14 @@ Part of the grub2_bootloader_argument_absent template.
{{%- macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='') -%}}
{{{ ansible_ensure_pam_module_line(pam_file, group, control, module, after_match) }}}

- name: '{{{ rule_title }}} - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: "{{{ control }}}"

- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
ansible.builtin.lineinfile:
path: "{{{ pam_file }}}"
regexp: ^\s*{{{ group }}}\s+{{ '{{{ control }}}' | regex_escape() }}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
regexp: ^\s*{{{ group }}}\s+{{ pam_module_control | regex_escape() }}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
state: absent
check_mode: true
changed_when: false
Expand All @@ -1509,7 +1517,7 @@ Part of the grub2_bootloader_argument_absent template.
ansible.builtin.lineinfile:
path: "{{{ pam_file }}}"
backrefs: true
regexp: ^(\s*{{{ group }}}\s+{{ '{{{ control }}}' | regex_escape() }}\s+{{{ module }}}.*)
regexp: ^(\s*{{{ group }}}\s+{{ pam_module_control | regex_escape() }}\s+{{{ module }}}.*)
{{%- if value == '' %}}
line: \1 {{{ option }}}
{{%- else %}}
Expand All @@ -1525,7 +1533,7 @@ Part of the grub2_bootloader_argument_absent template.
ansible.builtin.lineinfile:
path: "{{{ pam_file }}}"
backrefs: true
regexp: ^(\s*{{{ group }}}\s+{{ '{{{ control }}}' | regex_escape() }}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
regexp: ^(\s*{{{ group }}}\s+{{ pam_module_control | regex_escape() }}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{{ value }}} \3
register: result_pam_{{{ rule_id }}}_edit
when:
Expand All @@ -1550,13 +1558,17 @@ Part of the grub2_bootloader_argument_absent template.

#}}
{{%- macro ansible_remove_pam_module_option(pam_file, group, control, module, option) -%}}
- name: '{{{ rule_title }}} - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: "{{{ control }}}"

- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" option from "{{{ module }}}" is not present in {{{ pam_file }}}'
ansible.builtin.replace:
dest: "{{{ pam_file }}}"
{{%- if control == '' %}}
regexp: (.*{{{ group }}}.*{{{ module }}}.*)\b{{{ option }}}\b=?[0-9a-zA-Z]*(.*)
{{%- else %}}
regexp: (.*{{{ group }}}.*{{ '{{{ control }}}' | regex_escape() }}.*{{{ module }}}.*)\b{{{ option }}}\b=?[0-9a-zA-Z]*(.*)
regexp: (.*{{{ group }}}.*{{ pam_module_control | regex_escape() }}.*{{{ module }}}.*)\b{{{ option }}}\b=?[0-9a-zA-Z]*(.*)
{{%- endif %}}
replace: '\1\2'
register: result_pam_option_removal
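Review bot: The new `replace: "\1{{ pam_module_control }} \2"` in the second hunk switched the value from single to double quotes, and in a YAML double-quoted scalar `\1` and `\2` are not recognised escape sequences — PyYAML and libyaml, which Ansible's loader is built on, reject the rendered playbook with "found unknown escape character", so the remediation fails to load at all rather than merely misbehaving; nothing in the visible template escapes that backslash before load. Single quotes keep the backreferences literal for the `replace` module, matching how the other backreference values in this file are written (`replace: '\1\2'`, `line: \1\2={{{ value }}} \3`): `replace: '\1{{ pam_module_control }} \2'`. Separately, `ansible_ensure_pam_module_option` re-emits the `pam_module_control` set_fact task immediately after the `ansible_ensure_pam_module_line` call it makes has already set that fact to the same `control`; the duplicate is harmless but adds a task to every rendered playbook and could be dropped. All three macros run past the visible hunk boundaries, so their full bodies are not in view.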
