Set Authselect agruments after run in Security module

adamkankovsky · adamkankovsky · commit 1aa42d17739b · 2025-11-04T16:37:24.000+01:00
Ensure authselect arguments are always persisted in the generated
kickstart (KS) file, including when configuration is performed manually.
By only running the fingerprint configuration when no KS authselect options are present,
we avoid overriding user-supplied settings and keep the output KS consistent and reproducible.

Resolves: RHEL-85175
diff --git a/pyanaconda/modules/security/installation.py b/pyanaconda/modules/security/installation.py
@@ -24,6 +24,7 @@
 from pyanaconda.core.configuration.anaconda import conf
 from pyanaconda.core.constants import PAYLOAD_TYPE_DNF
 from pyanaconda.core.path import join_paths, make_directories
+from pyanaconda.modules.common.constants.services import SECURITY
 from pyanaconda.modules.common.errors.installation import SecurityInstallationError
 from pyanaconda.modules.common.task import Task
 from pyanaconda.modules.security.constants import SELinuxMode
@@ -443,6 +444,10 @@ def run(self):
             required=False
         )
 
+        security_proxy = SECURITY.get_proxy()
+        security_proxy.Authselect = AUTHSELECT_ARGS
+        log.debug("Authselect kickstart set to: %s", AUTHSELECT_ARGS)
+
 
 class ConfigureAuthselectTask(Task):
     """Installation task for Authselect configuration."""
diff --git a/pyanaconda/modules/security/security.py b/pyanaconda/modules/security/security.py
@@ -33,7 +33,6 @@
 from pyanaconda.modules.security.certificates import CertificatesModule
 from pyanaconda.modules.security.constants import SELinuxMode
 from pyanaconda.modules.security.installation import (
-    AUTHSELECT_ARGS,
     ConfigureAuthselectTask,
     ConfigureFingerprintAuthTask,
     ConfigureFIPSTask,
@@ -113,8 +112,6 @@ def setup_kickstart(self, data):
 
         if self.authselect:
             data.authselect.authselect = " ".join(self.authselect)
-        elif self.fingerprint_auth_enabled:
-            data.authselect.authselect = " ".join(AUTHSELECT_ARGS)
 
         if self.realm.name:
             data.realm.join_realm = self.realm.name
@@ -287,17 +284,32 @@ def install_with_tasks(self):
 
         :returns: list of installation tasks
         """
-        return [
-            ConfigureSELinuxTask(
-                sysroot=conf.target.system_root,
-                selinux_mode=self.selinux
-            ),
-            ConfigureFingerprintAuthTask(
-                sysroot=conf.target.system_root,
-                fingerprint_auth_enabled=self.fingerprint_auth_enabled
-            ),
-            ConfigureAuthselectTask(
-                sysroot=conf.target.system_root,
-                authselect_options=self.authselect
+        tasks = []
+
+        # 1) SELinux first
+        tasks.append(
+            ConfigureSELinuxTask(sysroot=conf.target.system_root, selinux_mode=self.selinux)
+        )
+
+        # 2) Fingerprint vs Authselect
+        if self.fingerprint_auth_enabled and not self.authselect:
+            log.debug("No KS authselect args; enqueue ConfigureFingerprintAuthTask.")
+            tasks.append(
+                ConfigureFingerprintAuthTask(
+                    sysroot=conf.target.system_root,
+                    fingerprint_auth_enabled=self.fingerprint_auth_enabled,
+                )
             )
-        ]
+        elif self.authselect:
+            log.debug(
+                "KS authselect present %s; enqueue ConfigureAuthselectTask.", self.authselect
+            )
+            tasks.append(
+                ConfigureAuthselectTask(
+                    sysroot=conf.target.system_root, authselect_options=self.authselect
+                )
+            )
+        else:
+            log.debug("No fingerprint (without args) and no KS authselect; nothing to configure.")
+
+        return tasks
diff --git a/tests/unit_tests/pyanaconda_tests/modules/security/test_module_security.py b/tests/unit_tests/pyanaconda_tests/modules/security/test_module_security.py
@@ -22,6 +22,7 @@
 import unittest
 from contextlib import contextmanager
 from textwrap import dedent
+from types import SimpleNamespace
 from unittest.mock import patch
 
 import pytest
@@ -36,6 +37,7 @@
 from pyanaconda.modules.common.structures.requirement import Requirement
 from pyanaconda.modules.security.constants import SELinuxMode
 from pyanaconda.modules.security.installation import (
+    AUTHSELECT_ARGS,
     AUTHSELECT_TOOL_PATH,
     PAM_SO_64_PATH,
     PAM_SO_PATH,
@@ -159,6 +161,22 @@ def test_authselect_kickstart(self):
         """
         self._test_kickstart(ks_in, ks_out)
 
+    def test_kickstart_contains_authselect_when_module_property_is_set(self):
+        self.security_interface.Authselect = [
+            "select",
+            "sssd",
+            "with-fingerprint",
+            "with-silent-lastlog",
+            "--force",
+        ]
+
+        ks_in = ""
+        ks_out = """
+        # System authorization information
+        authselect select sssd with-fingerprint with-silent-lastlog --force
+        """
+        self._test_kickstart(ks_in, ks_out)
+
     def test_realm_kickstart(self):
         """Test the realm command."""
         ks_in = """
@@ -232,17 +250,6 @@ def test_certificates_kickstart(self):
         """
         self._test_kickstart(ks_in, ks_out)
 
-    def test_kickstart_authselect_merges_with_fingerprint(self):
-        self.security_interface.FingerprintAuthEnabled = True
-
-        ks_in = ""
-        ks_out = """
-        # System authorization information
-        authselect enable-feature with-fingerprint
-        """
-
-        self._test_kickstart(ks_in, ks_out)
-
     @patch_dbus_publish_object
     def test_realm_discover_default(self, publisher):
         """Test module in default state with realm discover task."""
@@ -270,21 +277,13 @@ def test_install_with_tasks_default(self, publisher):
         """Test InstallWithTasks."""
         task_classes = [
             ConfigureSELinuxTask,
-            ConfigureFingerprintAuthTask,
-            ConfigureAuthselectTask,
         ]
         task_paths = self.security_interface.InstallWithTasks()
         task_objs = check_task_creation_list(task_paths, publisher, task_classes)
 
         # ConfigureSELinuxTask
         obj = task_objs[0]
         assert obj.implementation._selinux_mode == SELinuxMode.DEFAULT
-        # ConfigureFingerprintAuthTask
-        obj = task_objs[1]
-        assert obj.implementation._fingerprint_auth_enabled is False
-        # ConfigureAuthselectTask
-        obj = task_objs[2]
-        assert obj.implementation._authselect_options == []
 
     @patch_dbus_publish_object
     def test_realm_join_default(self, publisher):
@@ -312,9 +311,9 @@ def test_install_with_tasks_configured(self, publisher):
         self.security_interface.Authselect = authselect
         self.security_interface.FingerprintAuthEnabled = fingerprint
 
+        # We have ks args => no fingerprint task
         task_classes = [
             ConfigureSELinuxTask,
-            ConfigureFingerprintAuthTask,
             ConfigureAuthselectTask,
         ]
         task_paths = self.security_interface.InstallWithTasks()
@@ -323,13 +322,30 @@ def test_install_with_tasks_configured(self, publisher):
         # ConfigureSELinuxTask
         obj = task_objs[0]
         assert obj.implementation._selinux_mode == SELinuxMode.PERMISSIVE
-        # ConfigureFingerprintAuthTask
-        obj = task_objs[1]
-        assert obj.implementation._fingerprint_auth_enabled == fingerprint
         # ConfigureAuthselectTask
-        obj = task_objs[2]
+        obj = task_objs[1]
         assert obj.implementation._authselect_options == authselect
 
+    @patch_dbus_publish_object
+    def test_install_with_tasks_fingerprint_only(self, publisher):
+        """When fingerprint is enabled and KS authselect is empty, enqueue fingerprint task."""
+        self.security_interface.FingerprintAuthEnabled = True
+        self.security_interface.Authselect = []
+
+        task_classes = [
+            ConfigureSELinuxTask,
+            ConfigureFingerprintAuthTask,
+        ]
+        task_paths = self.security_interface.InstallWithTasks()
+        task_objs = check_task_creation_list(task_paths, publisher, task_classes)
+
+        # ConfigureSELinuxTask
+        obj = task_objs[0]
+        assert obj.implementation._selinux_mode == SELinuxMode.DEFAULT
+        # ConfigureFingerprintAuthTask
+        obj = task_objs[1]
+        assert obj.implementation._fingerprint_auth_enabled is True
+
     @patch_dbus_publish_object
     def test_realm_join_configured(self, publisher):
         """Test module in configured state with realm join task."""
@@ -888,9 +904,12 @@ def test_realm_join_not_discovered(self, execWithRedirect):
             # check if the realm command invocation looks right
             execWithRedirect.assert_not_called()
 
-    @patch('pyanaconda.core.util.execWithRedirect')
-    def test_configure_fingerprint_auth_task(self, execWithRedirect):
-        """Test the configure fingerprint task."""
+    @patch("pyanaconda.modules.security.installation.SECURITY.get_proxy")
+    @patch("pyanaconda.core.util.execWithRedirect")
+    def test_configure_fingerprint_auth_task(self, execWithRedirect, get_proxy):
+        proxy = SimpleNamespace(Authselect=[])
+        get_proxy.return_value = proxy
+
         with tempfile.TemporaryDirectory() as sysroot:
 
             authselect_dir = os.path.normpath(sysroot + os.path.dirname(AUTHSELECT_TOOL_PATH))
@@ -925,6 +944,7 @@ def test_configure_fingerprint_auth_task(self, execWithRedirect):
 
             # Authselect command and pam library are there
             execWithRedirect.reset_mock()
+            proxy.Authselect = []
             os.mknod(pam_so_path)
             os.mknod(authselect_path)
             task = ConfigureFingerprintAuthTask(
@@ -934,14 +954,16 @@ def test_configure_fingerprint_auth_task(self, execWithRedirect):
             task.run()
             execWithRedirect.assert_called_once_with(
                 AUTHSELECT_TOOL_PATH,
-                ["enable-feature", "with-fingerprint"],
+                AUTHSELECT_ARGS,
                 root=sysroot
             )
+            assert proxy.Authselect == AUTHSELECT_ARGS
             os.remove(pam_so_path)
             os.remove(authselect_path)
 
             # Authselect command and pam library are there
             execWithRedirect.reset_mock()
+            proxy.Authselect = []
             os.mknod(pam_so_64_path)
             os.mknod(authselect_path)
             task = ConfigureFingerprintAuthTask(
@@ -951,9 +973,10 @@ def test_configure_fingerprint_auth_task(self, execWithRedirect):
             task.run()
             execWithRedirect.assert_called_once_with(
                 AUTHSELECT_TOOL_PATH,
-                ["enable-feature", "with-fingerprint"],
+                AUTHSELECT_ARGS,
                 root=sysroot
             )
+            assert proxy.Authselect == AUTHSELECT_ARGS
             os.remove(pam_so_64_path)
             os.remove(authselect_path)
 
