Merge pull request #14659 from ggbecker/fix-14600

Fix authselect remediation with multiple features

Author: Mab879

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value_with_features.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+# remediation = ansible
+
+authselect create-profile test_profile -b sssd
+authselect select "custom/test_profile" --force
+
+# Enable multiple features to test the scenario where "authselect current --raw"
+# returns a string with spaces (e.g., "custom/test_profile with-faillock with-fingerprint")
+authselect enable-feature with-faillock
+authselect enable-feature with-fingerprint
+
+authselect apply-changes

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_faillock_with_other_features.fail.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+
+authselect create-profile test_profile -b sssd
+authselect select "custom/test_profile" --force
+
+# Enable other features but not with-faillock to simulate a system
+# that has authselect configured with features, but missing the required faillock
+authselect enable-feature with-fingerprint
+authselect enable-feature with-silent-lastlog
+
+authselect apply-changes

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/sssd_profile_with_features.pass.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+
+# Simulate a real RHEL system with sssd profile and multiple features enabled
+# This is the scenario reported in issue #14600 where "authselect current --raw"
+# returns "sssd with-fingerprint with-silent-lastlog"
+authselect select sssd --force
+authselect enable-feature with-faillock
+authselect enable-feature with-fingerprint
+authselect enable-feature with-silent-lastlog
+
+authselect apply-changes

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/sssd_single_feature_no_faillock.fail.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+
+# Test with sssd profile and one feature (not faillock) enabled
+# This simulates a system where "authselect current --raw" returns "sssd with-fingerprint"
+authselect select sssd --force
+authselect enable-feature with-fingerprint
+
+authselect apply-changes

shared/macros/10-ansible.jinja

@@ -944,9 +944,15 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 
 #}}
 {{% macro ansible_authselect_force_reselect(rule_title=None) -%}}
+- name: '{{{ rule_title }}} - Get current authselect profile'
+  ansible.builtin.command:
+    cmd: authselect current --raw
+  register: authselect_current_profile
+  changed_when: false
+
 - name: '{{{ rule_title }}} - Force reselect authselect profile'
-  ansible.builtin.shell:
-    cmd: authselect select "$(authselect current --raw)" --force
+  ansible.builtin.command:
+    cmd: "authselect select {{ authselect_current_profile.stdout }} --force"
 {{%- endmacro %}}
 
 {{#

shared/macros/10-bash.jinja

@@ -2484,7 +2484,8 @@ fi
 
 #}}
 {{% macro bash_authselect_force_reselect() -%}}
-authselect select "$(authselect current --raw)" --force
+read -ra authselect_args < <(authselect current --raw)
+authselect select "${authselect_args[@]}" --force
 {{%- endmacro %}}