[PR #12137/5d62edc6 backport][stable-13] pamd: handle non-PAM lines in authselect profile files (#12145)

pamd: handle non-PAM lines in authselect profile files (#12137) * fix(pamd): handle non-PAM lines in authselect profile files * test(pamd): add test for authselect directive lines * feat(changelog): add fragment for PR 12137 --------- (cherry picked from commit 5d62edc673) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-11 18:45:34 +00:00 · 2026-05-31 00:05:03 +02:00 · 2026-05-31 00:05:03 +02:00 · 9821ff20c4
commit 9821ff20c4
parent 3b5eb565fb
3 changed files with 19 additions and 1 deletions
--- a/changelogs/fragments/12137-pamd-authselect.yml
+++ b/changelogs/fragments/12137-pamd-authselect.yml
@ -0,0 +1,4 @@
+bugfixes:
+  - "pamd - handle non-PAM lines such as authselect template directives without crashing
+    (https://github.com/ansible-collections/community.general/issues/5850,
+    https://github.com/ansible-collections/community.general/pull/12137)."
--- a/plugins/modules/pamd.py
+++ b/plugins/modules/pamd.py
@ -348,6 +348,8 @@ class PamdRule(PamdLine):
    @classmethod
    def rule_from_string(cls, line):
        rule_match = RULE_REGEX.search(line)
+        if rule_match is None:
+            return None
        rule_args = parse_module_arguments(rule_match.group("args"))
        return cls(rule_match.group("rule_type"), rule_match.group("control"), rule_match.group("path"), rule_args)

@ -432,7 +434,7 @@ class PamdService:
            elif line.strip() == "":
                pamd_line = PamdEmptyLine(line)
            else:
-                pamd_line = PamdRule.rule_from_string(line)
+                pamd_line = PamdRule.rule_from_string(line) or PamdLine(line)

            self.append(pamd_line)

--- a/tests/unit/plugins/modules/test_pamd.py
+++ b/tests/unit/plugins/modules/test_pamd.py
@ -142,6 +142,13 @@ session    required pam_unix.so"""
 auth       sufficient pam_unix.so nullok try_first_pass
 auth       requisite pam_succeed_if.so uid
 auth       required pam_deny.so
+"""
+
+        self.authselect_system_auth_string = """{imply "with-smartcard" if "with-smartcard-required"}
+auth        required                                     pam_env.so
+auth        required                                     pam_faildelay.so delay=2000000
+password    sufficient                                   pam_unix.so yescrypt shadow use_authtok
+password    required                                     pam_deny.so
 """

        self.pamd = PamdService(self.system_auth_string)
@ -158,6 +165,11 @@ auth       required pam_deny.so
    def test_doesnt_have_rule(self):
        self.assertFalse(self.pamd.has_rule("account", "requisite", "pam_permit.so"))

+    def test_authselect_directive_line_does_not_crash(self):
+        pamd = PamdService(self.authselect_system_auth_string)
+        self.assertTrue(pamd.has_rule("password", "sufficient", "pam_unix.so"))
+        self.assertIn('{imply "with-smartcard" if "with-smartcard-required"}', str(pamd))
+
    # Test Update
    def test_update_rule_type(self):
        self.assertTrue(self.pamd.update_rule("session", "optional", "pam_keyinit.so", new_type="account"))