Refactor Ansible macros for PAM

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml

@@ -3,170 +3,11 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
+
 {{{ ansible_instantiate_variables("var_password_pam_unix_rounds") }}}
 
-{{% if product in ["sle12", "sle15"] %}}
-    {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
+{{% if product in ["sle15", "sle12"] %}}
+{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '') }}}
 {{% else %}}
-    {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
+{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '') }}}
 {{% endif %}}
-
-
-- name: Check for existing rounds parameter
-  ansible.builtin.lineinfile:
-    path: {{{ pam_passwd_file_path }}}
-    create: no
-    regexp: '^password.*pam_unix.so.*rounds='
-    state: absent
-  check_mode: true
-  changed_when: false
-  register: result_pam_unix_rounds_present
-
-- name: Check if system relies on authselect
-  ansible.builtin.stat:
-    path: /usr/bin/authselect
-  register: result_authselect_present
-
-- name: "Remediation where authselect tool is present"
-  block:
-    - name: Check the integrity of the current authselect profile
-      ansible.builtin.command:
-        cmd: authselect check
-      register: result_authselect_check_cmd
-      changed_when: false
-      ignore_errors: true
-
-    - name: Informative message based on the authselect integrity check result
-      ansible.builtin.assert:
-        that:
-          - result_authselect_check_cmd is success
-        fail_msg:
-        - authselect integrity check failed. Remediation aborted!
-        - This remediation could not be applied because the authselect profile is not intact.
-        - It is not recommended to manually edit the PAM files when authselect is available.
-        - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
-        success_msg:
-        - authselect integrity check passed
-
-    - name: Get authselect current profile
-      ansible.builtin.shell:
-        cmd: authselect current -r | awk '{ print $1 }'
-      register: result_authselect_profile
-      changed_when: false
-      when:
-        - result_authselect_check_cmd is success
-
-    - name: Define the current authselect profile as a local fact
-      ansible.builtin.set_fact:
-        authselect_current_profile: "{{ result_authselect_profile.stdout }}"
-        authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
-      when:
-        - result_authselect_profile is not skipped
-        - result_authselect_profile.stdout is match("custom/")
-
-    - name: Define the new authselect custom profile as a local fact
-      ansible.builtin.set_fact:
-        authselect_current_profile: "{{ result_authselect_profile.stdout }}"
-        authselect_custom_profile: "custom/hardening"
-      when:
-        - result_authselect_profile is not skipped
-        - result_authselect_profile.stdout is not match("custom/")
-
-    - name: Get authselect current features to also enable them in the custom profile
-      ansible.builtin.shell:
-        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
-      register: result_authselect_features
-      changed_when: false
-      when:
-        - result_authselect_profile is not skipped
-        - authselect_current_profile is not match("custom/")
-
-    - name: Check if any custom profile with the same name was already created in the past
-      ansible.builtin.stat:
-        path: /etc/authselect/{{ authselect_custom_profile }}
-      register: result_authselect_custom_profile_present
-      changed_when: false
-      when:
-        - authselect_current_profile is not match("custom/")
-
-    - name: Create a custom profile based on the current profile
-      ansible.builtin.command:
-        cmd: authselect create-profile hardening -b sssd
-      when:
-        - result_authselect_check_cmd is success
-        - authselect_current_profile is not match("custom/")
-        - not result_authselect_custom_profile_present.stat.exists
-
-    - name: Ensure the desired rounds value is updated in the custom profile
-      ansible.builtin.replace:
-        dest: "/etc/authselect/{{ authselect_custom_profile }}/password-auth"
-        regexp: '(^\s*password.*pam_unix.so.*rounds=)(\S+)(.*)$'
-        replace: '\g<1>{{ var_password_pam_unix_rounds }}\g<3>'
-      when:
-        - result_authselect_profile is not skipped
-        - result_pam_unix_rounds_present.found == 1
-
-    - name: Ensure the rounds parameter is included in the custom profile
-      ansible.builtin.replace:
-        dest: "/etc/authselect/{{ authselect_custom_profile }}/password-auth"
-        regexp: '(^\s*password.*pam_unix.so.*)(?! rounds=\S+)(.*)$'
-        replace: '\g<1> \g<2> rounds={{ var_password_pam_unix_rounds }}'
-      when:
-        - result_authselect_profile is not skipped
-        - result_pam_unix_rounds_present.found == 0
-
-    - name: Ensure a backup of current authselect profile before selecting the custom profile
-      ansible.builtin.command:
-        cmd: authselect apply-changes -b --backup=before-rounds-hardening.backup
-      when:
-        - result_authselect_check_cmd is success
-        - result_authselect_profile is not skipped
-        - authselect_current_profile is not match("custom/")
-        - authselect_custom_profile is not match(authselect_current_profile)
-
-    - name: Ensure the custom profile is selected
-      ansible.builtin.command:
-        cmd: authselect select {{ authselect_custom_profile }} --force
-      register: result_pam_authselect_select_profile
-      when:
-        - result_authselect_check_cmd is success
-        - result_authselect_profile is not skipped
-        - authselect_current_profile is not match("custom/")
-        - authselect_custom_profile is not match(authselect_current_profile)
-
-    - name: Restore the authselect features in the custom profile
-      ansible.builtin.command:
-        cmd: authselect enable-feature {{ item }}
-      loop: "{{ result_authselect_features.stdout_lines }}"
-      when:
-        - result_authselect_profile is not skipped
-        - result_authselect_features is not skipped
-        - result_pam_authselect_select_profile is not skipped
-
-    - name: Ensure the custom profile changes are applied
-      ansible.builtin.command:
-        cmd: authselect apply-changes -b --backup=after-rounds-hardening.backup
-      when:
-        - result_authselect_check_cmd is success
-        - result_authselect_profile is not skipped
-  when:
-  - result_authselect_present.stat.exists
-
-# For systems without authselect
-- name: "Remediation where authselect tool is not present and PAM files are directly edited"
-  block:
-    - name: Ensure the desired rounds value is updated in the custom profile
-      ansible.builtin.replace:
-        dest: {{{ pam_passwd_file_path }}}
-        regexp: '(^\s*password.*pam_unix.so.*rounds=)(\S+)(.*)$'
-        replace: '\g<1>{{ var_password_pam_unix_rounds }}\g<3>'
-
-    - name: Ensure the remember parameter is included in the custom profile
-      ansible.builtin.replace:
-        dest: {{{ pam_passwd_file_path }}}
-        regexp: '(^\s*password.*pam_unix.so.*)(?! rounds=\S+)(.*)$'
-        replace: '\g<1> \g<2> rounds={{ var_password_pam_unix_rounds }}'
-      when:
-        - result_pam_unix_rounds_present.found == 0
-  when:
-    - not result_authselect_present.stat.exists