From 9cf18cae0e9e6c8482ab58f197f06e5280d75d71 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Wed, 2 Jul 2025 16:27:54 +0200
Subject: [PATCH] Solved default password bug

---
 cli/generate_users.py             | 14 ++++-------
 tests/unit/test_generate_users.py | 39 +++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/cli/generate_users.py b/cli/generate_users.py
index 37344532..7c60e631 100644
--- a/cli/generate_users.py
+++ b/cli/generate_users.py
@@ -50,24 +50,18 @@ def build_users(defs, primary_domain, start_id, become_pwd):
         username = overrides.get('username', key)
         email = overrides.get('email', f"{username}@{primary_domain}")
         description = overrides.get('description')
-
+        password = overrides.get('password',become_pwd)
         # UID assignment
         if 'uid' in overrides:
             uid = overrides['uid']
         else:
             uid = allocate_free_id()
-
-        # GID assignment
-        if 'gid' in overrides:
-            gid = overrides['gid']
-        else:
-            # default GID to UID
-            gid = uid
+        gid = overrides.get('gid',uid)
 
         entry = {
             'username': username,
             'email':    email,
-            'password': become_pwd,
+            'password': password,
             'uid':      uid,
             'gid':      gid
         }
@@ -182,7 +176,7 @@ def parse_args():
 def main():
     args = parse_args()
     primary_domain = '{{ primary_domain }}'
-    become_pwd = '{{ ansible_become_password }}'
+    become_pwd = '{{ lookup("password", "/dev/null length=42 chars=ascii_letters,digits") }}'
 
     try:
         user_defs = load_user_defs(args.roles_dir)
diff --git a/tests/unit/test_generate_users.py b/tests/unit/test_generate_users.py
index 760f7b06..efaf488d 100644
--- a/tests/unit/test_generate_users.py
+++ b/tests/unit/test_generate_users.py
@@ -37,6 +37,45 @@ class TestGenerateUsers(unittest.TestCase):
         self.assertEqual(users['carol']['uid'], 1002)
         self.assertEqual(users['carol']['gid'], 1002)
 
+    def test_build_users_default_lookup_password(self):
+        """
+        When no 'password' override is provided,
+        the become_pwd lookup template string must be used as the password.
+        """
+        defs = {'frank': {}}
+        lookup_template = '{{ lookup("password", "/dev/null length=42 chars=ascii_letters,digits") }}'
+        users = generate_users.build_users(
+            defs=defs,
+            primary_domain='example.com',
+            start_id=1001,
+            become_pwd=lookup_template
+        )
+        self.assertEqual(
+            users['frank']['password'],
+            lookup_template,
+            "The lookup template string was not correctly applied as the default password"
+        )
+
+    def test_build_users_override_password(self):
+        """
+        When a 'password' override is provided,
+        that custom password must be used instead of become_pwd.
+        """
+        defs = {'eva': {'password': 'custompw'}}
+        lookup_template = '{{ lookup("password", "/dev/null length=42 chars=ascii_letters,digits") }}'
+        users = generate_users.build_users(
+            defs=defs,
+            primary_domain='example.com',
+            start_id=1001,
+            become_pwd=lookup_template
+        )
+        self.assertEqual(
+            users['eva']['password'],
+            'custompw',
+            "The override password was not correctly applied"
+        )
+
+
     def test_build_users_duplicate_override_uid(self):
         defs = {
             'u1': {'uid': 1001},