stages/org.osbuild.users: Add force password reset option

Add the force_password_reset field to the users option in the org.osbuild.users stage. This option forces the user to change their password on first login.
2024-03-28 11:11:17 -04:00 · 2024-03-28 11:11:17 -04:00 · b722bef9cb
commit b722bef9cb
parent 2a17756f45
2 changed files with 8 additions and 0 deletions
--- a/stages/org.osbuild.users
+++ b/stages/org.osbuild.users
@ -110,6 +110,7 @@ def main(tree, options):
        shell = user_options.get("shell")
        password = user_options.get("password")
        expiredate = user_options.get("expiredate")
+        force_password_reset = user_options.get("force_password_reset", False)

        passwd = getpwnam(tree, name)
        if passwd is not None:
@ -125,6 +126,9 @@ def main(tree, options):
        else:
            useradd(tree, name, uid, gid, groups, description, home, shell, password, expiredate)

+        if force_password_reset:
+            subprocess.run(["chroot", tree, "passwd", "--expire", name], check=True)
+
        # following maintains backwards compatibility for handling a single ssh key
        key = user_options.get("key")   # Public SSH key
        keys = user_options.get("keys", [])  # Additional public SSH keys
--- a/stages/org.osbuild.users.meta.json
+++ b/stages/org.osbuild.users.meta.json
@ -66,6 +66,10 @@
                "expiredate": {
                  "description": "The date on which the user account will be disabled. This date is represented as a number of days since January 1st, 1970.",
                  "type": "integer"
+                },
+                "force_password_reset": {
+                  "description": "Force this user to change their password on first login",
+                  "type": "boolean"
                }
              }
            }