Add pam package conditional for UBTU-20-010065

Author: dexterle

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml

@@ -7,16 +7,52 @@
 - name: Package facts
   package_facts:
 
+- name: Check if cert_policy entry exists in /etc/pam_pkcs11/pam_pkcs11.conf
+  shell: grep "cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | wc -l
+  register: cert_policy_count
+  changed_when: false
+  when:
+    {{% if 'sle' in product %}}
+    - "'pam_pkcs11' in ansible_facts.packages"
+    {{% else %}}
+    - "'libpam-pkcs11' in ansible_facts.packages"
+    {{% endif %}}
+
+- name: Add cert_policy entry if none exist in /etc/pam_pkcs11/pam_pkcs11.conf
+  lineinfile:
+    path: /etc/pam_pkcs11/pam_pkcs11.conf
+    line: 'cert_policy = ca,signature,ocsp_on;'
+    create: true
+  when:
+    - (cert_policy_count.stdout | int) == 0
+    {{% if 'sle' in product %}}
+    - "'pam_pkcs11' in ansible_facts.packages"
+    {{% else %}}
+    - "'libpam-pkcs11' in ansible_facts.packages"
+    {{% endif %}}
+
 - name: Replace 'none' from cert_policy
   replace:
     path: /etc/pam_pkcs11/pam_pkcs11.conf
     regexp: (^\s*cert_policy\s*=\s*)none\s*;(\s*$)
     replace: \g<1>ocsp_on,ca,signature;\g<2>
-  when: "'pam_pkcs11' in ansible_facts.packages"
+  when:
+    {{% if 'sle' in product %}}
+    - "'pam_pkcs11' in ansible_facts.packages"
+    {{% else %}}
+    - "'libpam-pkcs11' in ansible_facts.packages"
+    {{% endif %}}
+
 
 - name: Add 'ocsp_on' parameter for cert_policy in /etc/pam_pkcs11/pam_pkcs11.conf
   replace:
     path: /etc/pam_pkcs11/pam_pkcs11.conf
     regexp: (^\s*cert_policy\s*=\s*)(?!.*ocsp_on)(.*)
     replace: \g<1>ocsp_on,\g<2>
-  when: "'pam_pkcs11' in ansible_facts.packages"
+  when:
+    {{% if 'sle' in product %}}
+    - "'pam_pkcs11' in ansible_facts.packages"
+    {{% else %}}
+    - "'libpam-pkcs11' in ansible_facts.packages"
+    {{% endif %}}
+