From 3a46859c3d4ceb36a2fffad2c3a818400cf090d5 2024-03-03 19:16:27 From: Branko Majic Date: 2024-03-03 19:16:27 Subject: [PATCH] MAR-192: Apply PAM configuration changes immediatelly for consistency purposes.
---
diff --git a/roles/common/molecule/default/tests/test_default.py b/roles/common/molecule/default/tests/test_default.py
index 9bdc107f561ba4fb34bc2f41cfe0f247b6a445c2..ce477074b3049a85dfe88123912b224990ac15b9 100644
--- a/roles/common/molecule/default/tests/test_default.py
+++ b/roles/common/molecule/default/tests/test_default.py
@@ -247,7 +247,7 @@ def test_pipreqcheck_virtualenv(host):
 assert virtualenv_activate.is_file
 assert virtualenv_activate.user == 'pipreqcheck'
 assert virtualenv_activate.group == 'pipreqcheck'
- assert virtualenv_activate.mode == 0o644
+ assert virtualenv_activate.mode == 0o640
 def test_pipreqcheck_virtualenv_prompt(host):
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index c459b176cf7ea40efb5116245018972b493ae571..ab4fa0a2b80304d422687dc8dfc30108daa69210 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -45,9 +45,19 @@
 owner: root
 group: root
 mode: 0644
+ register: pam_umask
 notify:
 - Update PAM configuration
+- name: Update PAM configuration # noqa 503
+ # [503] Tasks that run when changed should likely be handlers
+ # In order to have consistent behaviour during the first and
+ # subsequent playbook runs, make sure the PAM configuration is
+ # updated immediatelly. This way any files created by commands etc
+ # should end-up with correct permissions straight away.
+ command: "/usr/sbin/pam-auth-update --package"
+ when: pam_umask.changed
+
 - name: Set login UMASK
 lineinfile:
 dest: "/etc/login.defs"
diff --git a/roles/wsgi_website/molecule/default/tests/test_default.py b/roles/wsgi_website/molecule/default/tests/test_default.py
index df5cff86bd00359d851af8581badf9c957cde93c..5f22dbc172463e437bb209690d06be2fea9df9b5 100644
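Review bot: The new expectation `virtualenv_activate.mode == 0o640` in test_pipreqcheck_virtualenv has no comment saying where that mode comes from; nothing visible in this commit sets it explicitly, so it presumably follows from the umask applied through the PAM configuration that roles/common/tasks/main.yml now refreshes immediately. A one-line comment above the assertion, for example `# Mode follows from the system umask applied via PAM, not from an explicit mode on the virtualenv.`, would keep a later reader from treating the value as a typo for 0o644. The same applies to the identical assertion changed in roles/wsgi_website/molecule/default/tests/test_default.py. Both test functions start above their hunks.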
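Review bot: The task that registers `pam_umask` still carries `notify: - Update PAM configuration`, so on a change pam-auth-update presumably runs twice: once through the new inline task and again when the handler fires (the handler body is not visible here). If the second run is not wanted, drop the `notify` from the registering task, or keep the handler and replace the inline command with `- meta: flush_handlers`, which also removes the need for `# noqa 503`, provided flushing other pending handlers at this point is acceptable. The comment on the new task could also state that the umask only reaches processes that open a fresh PAM session, so tasks running over an already established connection without privilege escalation may still create files with the old mode; that is worth confirming in the molecule scenario. The registering task starts above the hunk.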
--- a/roles/wsgi_website/molecule/default/tests/test_default.py
+++ b/roles/wsgi_website/molecule/default/tests/test_default.py
@@ -225,7 +225,7 @@ def test_python_virtualenv_created(host, virtualenv_dir, expected_owner, expecte
 assert virtualenv_activate.is_file
 assert virtualenv_activate.user == expected_owner
 assert virtualenv_activate.group == expected_group
- assert virtualenv_activate.mode == 0o644
+ assert virtualenv_activate.mode == 0o640
 @pytest.mark.parametrize("project_file, expected_owner, expected_group", [