
Revision 7aaae85d

Added by Félix DALLIDET over 6 years ago

Fixes #11308: make a dsc user_technique


maintained-techniques
systemSettings/userManagement/userManagement/6.0
systemSettings/userManagement/userManagement/7.0
systemSettings/userManagement/userManagement/7.1
systemSettings/userManagement/userManagement/8.0
scripts/check-techniques.sh
fi
# Check that techniques do not contain $()
${REPOSITORY_PATH}/scripts/technique-files -l -i -f '*.cf' -f '*.st' "${REPOSITORY_PATH}" | while read filename
${REPOSITORY_PATH}/scripts/technique-files -l -i -f '*.cf' -f '*.st' -s 'echo {}|grep -v ".ps1.st$"' "${REPOSITORY_PATH}" | while read filename
do
if grep '$(' "$(unknown)" >/dev/null; then
echo "The file $(unknown) contains deprecated \$() syntax"
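Review bot: The new exclusion filter on L26, `grep -v ".ps1.st$"`, leaves the dots unescaped so they match any character; `grep -v '\.ps1\.st$'` states the intent exactly and cannot skip an unrelated file whose name merely fits the loose pattern. Excluding the whole PowerShell template rather than individual expressions is reasonable because `$()` is valid PowerShell subexpression syntax, and a one-line comment above L26 would save the next reader the detour: `# .ps1.st templates are PowerShell, where $() is legitimate subexpression syntax, not the deprecated CFEngine form`. L28-L29 print `$(unknown)` where the variable read on L26 is presumably used; if that is not a rendering artifact of this page, the grep and the message never reference the file being tested. The enclosing while loop continues past the hunk.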
techniques/systemSettings/userManagement/userManagement/8.0/changelog
-- Benoit PECCATTE <benoit.peccatte@normation.com> Tue Sep 9 08:17:55 CEST 2014
* Version 4.0
** Rewrite with normal ordering and {}
-- Benoît Peccatte <benoit.peccatte@normation.com> Thu Oct 2 10:00:32 CEST 2014
* Version 5.0
** Handle gid/uid at user creation
-- Benoît Peccatte <benoit.peccatte@normation.com> Fri Oct 17 14:10:43 CEST 2014
* Version 6.0
** Use rudder_common_report instead of reports:
-- Nicolas Charles <nicolas.charles@normation.com> Fri Jul 15 15:50:00 CEST 2016
* Version 7.0
** Add AIX support
-- Nicolas Charles <nicolas.charles@normation.com> Fri Jul 22 15:41:00 CEST 2016
* Version 7.1
** Add an option to move the home directory
-- Felix Dallidet <felix.dallidet@normation.com> Thu Aug 17 16:14:11 2017
* Version 8.0
** make a linux and windows compatible user technique
techniques/systemSettings/userManagement/userManagement/8.0/metadata.xml
<!--
Copyright 2017 Normation SAS
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, Version 3.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
-->
<TECHNIQUE name="Users">
<DESCRIPTION>This technique manages the target host(s) users.
It will ensure that the defined users are present on the system.</DESCRIPTION>
<MULTIINSTANCE>true</MULTIINSTANCE>
<COMPATIBLE>
<OS version=">= 4 (Etch)">Debian</OS>
<OS version=">= 4 (Nahant)">RHEL / CentOS</OS>
<OS version=">= 10 SP1 (Agama Lizard)">SuSE LES / DES / OpenSuSE</OS>
<OS version=">= 2008">Windows</OS>
<OS version=">= 5.3">AIX</OS>
<AGENT version=">= 3.6.0">cfengine-community</AGENT>
</COMPATIBLE>
<AGENT type="dsc">
<BUNDLES>
<NAME>check_usergroup_user_parameters</NAME>
</BUNDLES>
<TMLS>
<TML name="userManagement.ps1">
<OUTPATH>userManagement/userManagement/8.0/userManagement.ps1</OUTPATH>
</TML>
</TMLS>
</AGENT>
<AGENT type="cfengine-community">
<BUNDLES>
<NAME>check_usergroup_user_parameters</NAME>
</BUNDLES>
<TMLS>
<TML name="userManagement"/>
</TMLS>
</AGENT>
<SYSTEMVARS>
<NAME>NOVA</NAME>
</SYSTEMVARS>
<TRACKINGVARIABLE>
<SAMESIZEAS>USERGROUP_USER_LOGIN</SAMESIZEAS>
</TRACKINGVARIABLE>
<SECTIONS>
<!-- users section , index 1 -->
<SECTION name="Users" multivalued="true" component="true" componentKey="USERGROUP_USER_LOGIN">
<INPUT>
<NAME>USERGROUP_USER_LOGIN</NAME>
<DESCRIPTION>Login name for this account</DESCRIPTION>
</INPUT>
<SELECT1>
<NAME>USERGROUP_USER_ACTION</NAME>
<DESCRIPTION>Policy to apply on this account</DESCRIPTION>
<ITEM>
<LABEL>Create / update</LABEL>
<VALUE>add</VALUE>
</ITEM>
<ITEM>
<LABEL>Remove</LABEL>
<VALUE>remove</VALUE>
</ITEM>
<ITEM>
<LABEL>Check only (account should exist)</LABEL>
<VALUE>checkhere</VALUE>
</ITEM>
<ITEM>
<LABEL>Check only (account should not exist)</LABEL>
<VALUE>checknothere</VALUE>
</ITEM>
<CONSTRAINT>
<DEFAULT>add</DEFAULT>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>USERGROUP_USER_PASSWORD_POLICY</NAME>
<DESCRIPTION>How often do you want to want to check the password</DESCRIPTION>
<ITEM>
<LABEL>At account creation</LABEL>
<VALUE>oneshot</VALUE>
</ITEM>
<ITEM>
<LABEL>Everytime</LABEL>
<VALUE>everytime</VALUE>
</ITEM>
<CONSTRAINT>
<DEFAULT>everytime</DEFAULT>
</CONSTRAINT>
</SELECT1>
<SECTION name="Password" multivalued="false" component="true" componentKey="USERGROUP_USER_LOGIN">
<INPUT>
<NAME>USERGROUP_USER_PASSWORD</NAME>
<DESCRIPTION>Password for this account</DESCRIPTION>
<LONGDESCRIPTION>Windows agent only supports "clear text" entries at the moment</LONGDESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
<TYPE>masterPassword</TYPE>
<PASSWORDHASH>linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512,plain</PASSWORDHASH>
<!--
Tell that master password must create other variables derived from the user input from
that one. The master variable will be created using the hashes defined here, and the derived
variable(s) will be automatically created using other equivalent hashes for the target OS.
The accepted values for now are "AIX" and "LINUX" (or both, comma separated). The derived variable name will be the current name
postfixed with _AIX (or _LINUX)
A correspondance is made between hash algo listed above and the matching one on target OS:
Linux md5 crypt is mapped to AIX "smd5" version, Linux Sha-Crypt-256 is
mapped to AIX ssha256, and Linux Sha-Crypt-512 to AIX ssha512.
AIX ssha256 and ssha512 need the JCE PBKDF2WithHmacSHA256 / PBKDF2WithHmacSHA512.
Caution:
They are provided on Oracle Java 8 JVM standard installation, but NOT in Java 7 and some
other vendor versions.
In case these algo are not available, a fallback to AIX ssha1 (which uses
PBKDF2WithHmacSHA1) will be done. This hash scheme is also quite robust, but
if you want maximum security, you must use for Rudder a JVM which provides the higher
level algo, like Open JDK 8
-->
<AUTOSUBVARIABLES>AIX</AUTOSUBVARIABLES>
</CONSTRAINT>
</INPUT>
</SECTION>
<SECTION name="UNIX specific options" multivalued="false" component="true" componentKey="USERGROUP_USER_LOGIN" displayPriority="low">
<INPUT>
<NAME>USERGROUP_USER_GROUP</NAME>
<DESCRIPTION>Primary group for this user (name or number)</DESCRIPTION>
<LONGDESCRIPTION>On UNIX systems, this group will be applied on this user as the primary group (at creation only)</LONGDESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>USERGROUP_USER_NAME</NAME>
<DESCRIPTION>Full name for this account</DESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>USERGROUP_USER_SHELL</NAME>
<DESCRIPTION>Shell for this account</DESCRIPTION>
<LONGDESCRIPTION>Will be used only on UNIX systems</LONGDESCRIPTION>
<CONSTRAINT>
<DEFAULT>/bin/bash</DEFAULT>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>USERGROUP_USER_UID</NAME>
<DESCRIPTION>User ID (enforced at user creation only)</DESCRIPTION>
<LONGDESCRIPTION>Numeric user id, only on UNIX systems</LONGDESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>USERGROUP_USER_HOME_PERSONNALIZE</NAME>
<DESCRIPTION>Use the default home directory</DESCRIPTION>
<LONGDESCRIPTION>If not checked, it will set the defined home directory if "Policy to apply to this account" if "Create/Update"</LONGDESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
<DEFAULT>true</DEFAULT>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>USERGROUP_USER_HOME_MOVE</NAME>
<DESCRIPTION>Move the content of previous home directory to the defined one</DESCRIPTION>
<LONGDESCRIPTION>If checked, it will move the existing home directory to the defined one if they don't match</LONGDESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
<DEFAULT>false</DEFAULT>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>USERGROUP_USER_HOME</NAME>
<DESCRIPTION>Home directory, if not default</DESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
</SECTION>
<SECTION name="Home directory" component="true" componentKey="USERGROUP_USER_LOGIN"/>
</SECTION>
</SECTIONS>
</TECHNIQUE>
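Review bot: The password constraint on L151 offers `linux-shadow-md5`, `linux-shadow-sha256`, `linux-shadow-sha512` and `plain`, while the LONGDESCRIPTION on L147 says the Windows agent only supports clear text; nothing in the metadata stops a directive applied to Windows nodes from selecting a shadow hash, so unless the DSC generation rejects it the hashed string would presumably be set as the literal password. That restriction deserves to be stated where the user picks the format, e.g. extend L147 with `On Windows targets the "plain" format must be selected; the linux-shadow formats are only applied on UNIX and AIX`. The COMPATIBLE block on L66-L73 lists Windows (L70) but its only `<AGENT>` entry is cfengine-community (L72), although a dsc agent block is declared on L74-L83; if a dsc `<AGENT>` entry is expected there, it is missing. Two wording slips: L130 `How often do you want to want to check the password` repeats `want to`, and in L209 the second `if` in `if "Policy to apply to this account" if "Create/Update"` should be `is`.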
techniques/systemSettings/userManagement/userManagement/8.0/userManagement.ps1.st
function check_usergroup_user_parameters {
[CmdletBinding()]
param (
[parameter(Mandatory=$true)] [string]$reportId,
[parameter(Mandatory=$true)] [string]$techniqueName,
[switch]$auditOnly
)
$trackingkey = @(
&TRACKINGKEY:{directiveId |
"&directiveId&" };separator=","& )
$logins = @(
&USERGROUP_USER_LOGIN:{login |
"&login&" };separator=","& )
$policies = @(
&USERGROUP_USER_ACTION:{policy |
"&policy&" };separator=","& )
$passwords = @(
&USERGROUP_USER_PASSWORD:{password |
"&password&" };separator=","& )
$password_policies = @(
&USERGROUP_USER_PASSWORD_POLICY:{password_policy |
"&password_policy&" };separator=","& )
$present = "add"
$absent = "remove"
#To REMOVE in the future
$check_present = "checkhere"
$check_absent = "checknothere"
#END
$componentName = "Users"
$unixSection = "UNIX specific options"
$homeSection = "Home directory"
$passwdSection = "Password"
$resultNAString = "Not applicable"
$local_classes = New-ClassContext
for ($i=0; $i -lt $trackingkey.length; $i++) {
if ($policies[$i] -eq $present) {
$local_classes = Merge-ClassContext $local_classes $(User-Present -login $logins[$i] -ReportId $trackingkey[$i] -TechniqueName $techniqueName -componentName $componentName -auditOnly:$auditOnly)
if ($Passwords[$i]) {
#Password defined
if ($password_policies[$i] -eq "everytime") {
#Checking password everytime
$local_classes = Merge-ClassContext $local_classes $(User-Password-Clear -login $logins[$i] -password $passwords[$i] -ReportId $trackingkey[$i] -componentName $passwdSection -TechniqueName $techniqueName -auditOnly:$auditOnly)
} elseif ($password_policies[$i] -eq "oneshot") {
#Checking password at creation only
$login_name = $logins[$i]
$class_name = "users_${login_name}_repaired"
write-host $class_name
if ($local_classes["classes"].contains($class_name)) {
#User absent => setting password
$local_classes = Merge-ClassContext $local_classes $(User-Password-Clear -login $logins[$i] -password $passwords[$i] -ReportId $trackingkey[$i] -componentName $passwdSection -TechniqueName $techniqueName -auditOnly:$auditOnly)
} else {
$state = [ComplianceStatus]::result_na
$classes = _rudder_common_report -TechniqueName $techniqueName -Status $state -ReportId $reportId -ComponentName $passwdSection -ComponentKey $logins[$i] -Message $resultNAString -report:$true
}
}
}
} elseif ($policies[$i] -eq $absent) {
$local_classes = Merge-ClassContext $local_classes $(User-Absent -login $logins[$i] -reportId $trackingkey[$i] -TechniqueName $techniqueName -componentName $componentName -auditOnly:$auditOnly)
#To REMOVE in the future
} elseif ($policies[$i] -eq $check_present) {
$reportString = "User ${logins[$i]} check_present"
$command = Invoke-Expression "NET USER $logins[$i] 2>\&1"
$TestResult = $LastExitCode -eq 0
if ($TestResult) {
#User exists
$state = [ComplianceStatus]::result_success
$classes = _rudder_common_report -TechniqueName $techniqueName -Status $state -ReportId $reportId -ComponentName $componentName -ComponentKey $logins[$i] -Message $reportString -report:$true
} else {
#User does not exists
$state = [ComplianceStatus]::result_error
$classes = _rudder_common_report -TechniqueName $techniqueName -Status $state -ReportId $reportId -ComponentName $componentName -ComponentKey $logins[$i] -Message $reportString -report:$true
}
} elseif ($policies[$i] -eq $check_absent) {
$reportString = "User ${logins[$i]} check_absent"
$command = Invoke-Expression "NET USER $logins[$i] 2>\&1"
$TestResult = $LastExitCode -eq 0
if ($TestResult) {
#User exists
$state = [ComplianceStatus]::result_error
$classes = _rudder_common_report -TechniqueName $techniqueName -Status $state -ReportId $reportId -ComponentName $componentName -ComponentKey $logins[$i] -Message $reportString -report:$true
} else {
#User does not exists
$state = [ComplianceStatus]::result_success
$classes = _rudder_common_report -TechniqueName $techniqueName -Status $state -ReportId $reportId -ComponentName $componentName -ComponentKey $logins[$i] -Message $reportString -report:$true
}
#END
}
#Unix section reporting
$state = [ComplianceStatus]::result_na
$classes = _rudder_common_report -TechniqueName $techniqueName -Status $state -ReportId $reportId -ComponentName $unixSection -ComponentKey $logins[$i] -Message $resultNAString -report:$true
$classes = _rudder_common_report -TechniqueName $techniqueName -Status $state -ReportId $reportId -ComponentName $homeSection -ComponentKey $logins[$i] -Message $resultNAString -report:$true
}
}
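Review bot: The check-only branches read `$logins[$i]` inside double-quoted strings (L297-L298, L310-L311), but PowerShell expands only the plain variable there: `"NET USER $logins[$i] 2>\&1"` yields the whole array joined by spaces followed by a literal `[0]`, and `${logins[$i]}` on L297/L310 names a variable literally called `logins[$i]` (undefined, so empty), so neither the existence test nor the report string sees the intended login. Wrap the element in a subexpression and drop Invoke-Expression, which re-parses a string built from directive input as code: `$reportString = "User $($logins[$i]) check_present"` and `$command = net user $($logins[$i]) 2>\&1`, with the same change in the check_absent block. The generated literals on L248-L249 and L254-L255 have the same weakness: a login or password containing `"`, `$` or a backtick breaks or expands inside the double-quoted PowerShell string, so the template should emit single-quoted literals or escape those characters when rendering. L283 `write-host $class_name` looks like a debugging leftover, and the `_rudder_common_report` calls on L289, L303, L307, L316, L320 and L326-L327 pass `-ReportId $reportId` while the User-* calls pass `$trackingkey[$i]` — presumably only one of the two is intended, worth confirming.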
techniques/systemSettings/userManagement/userManagement/8.0/userManagement.st
#####################################################################################
# Copyright 2011-2016 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#####################################################################################
##########################################################################
# User management Technique #
# #
# Objective : Apply user/group policies on the target host #
##########################################################################
bundle agent check_usergroup_user_parameters
{
vars:
&USERGROUP_USER_LOGIN:{login |"usergroup_user_login[&i&]" string => "&login&";
}&
&USERGROUP_USER_GROUP:{group |"usergroup_user_groupname[&i&]" string => "&group&";
}&
&USERGROUP_USER_NAME:{name |"usergroup_user_fullname[&i&]" string => "&name&";
}&
&USERGROUP_USER_PASSWORD:{password |"usergroup_user_password[&i&]" string => "&password&";
}&
&USERGROUP_USER_PASSWORD_AIX:{password |"usergroup_user_password_aix[&i&]" string => "&password&";
}&
&USERGROUP_USER_PASSWORD_POLICY:{passwordpol |"usergroup_user_password_policy[&i&]" string => "&passwordpol&";
}&
&USERGROUP_USER_ACTION:{action |"usergroup_user_action[&i&]" string => "&action&";
}&
&USERGROUP_USER_UID:{uid |"usergroup_user_uid[&i&]" string => "&uid&";
}&
&USERGROUP_USER_HOME_PERSONNALIZE:{homeperso |"usergroup_user_home_perso[&i&]" string => "&homeperso&";
}&
&USERGROUP_USER_HOME_MOVE:{homemove |"usergroup_user_home_move[&i&]" string => "&homemove&";
}&
&USERGROUP_USER_HOME:{home |"usergroup_user_home[&i&]" string => "&home&";
}&
&USERGROUP_USER_SHELL:{shell |"usergroup_user_shell[&i&]" string => "&shell&";
}&
&TRACKINGKEY:{directiveId |"usergroup_directive_id[&i&]" string => "&directiveId&";
}&
"usergroup_user_index" slist => getindices("usergroup_user_login");
any_2nd_pass::
# 1 - Options to use whether Fullname is defined or not
"nameopt[${usergroup_user_index}]"
string => "",
ifvarclass => "usermanagement_user_nameempty_${usergroup_user_index}";
## On UNIX
"nameopt[${usergroup_user_index}]"
string => "-c \"${usergroup_user_fullname[${usergroup_user_index}]}\"",
ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}.!windows";
## On Windows
"nameopt[${usergroup_user_index}]"
string => "/FULLNAME:\"${usergroup_user_fullname[${usergroup_user_index}]}\"",
ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}.windows";
## Part of reports to return whether Fullname is defined or not
"repname[${usergroup_user_index}]"
string => "Without any defined full name",
ifvarclass => "usermanagement_user_nameempty_${usergroup_user_index}";
"repname[${usergroup_user_index}]"
string => "${usergroup_user_fullname[${usergroup_user_index}]}",
ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}";
# 2 - On UNIX, choose between using no group name or using a custom one
"groupopt[${usergroup_user_index}]"
string => "",
ifvarclass => "usermanagement_user_groupempty_${usergroup_user_index}.!usermanagement_user_force_user_in_group_${usergroup_user_index}";
"groupopt[${usergroup_user_index}]"
string => "-g ${usergroup_user_groupname[${usergroup_user_index}]}",
ifvarclass => "!usermanagement_user_groupempty_${usergroup_user_index}.!usermanagement_user_force_user_in_group_${usergroup_user_index}";
"groupopt[${usergroup_user_index}]"
string => "-g ${usergroup_user_login[${usergroup_user_index}]}",
ifvarclass => "usermanagement_user_force_user_in_group_${usergroup_user_index}";
# 3 - on UNIX force user id if provided
"useropt[${usergroup_user_index}]"
string => "",
ifvarclass => "usermanagement_user_uid_empty_${usergroup_user_index}";
"useropt[${usergroup_user_index}]"
string => "-u ${usergroup_user_uid[${usergroup_user_index}]}",
ifvarclass => "!usermanagement_user_uid_empty_${usergroup_user_index}";
any_2nd_pass.!pass2.!windows::
"usermanagement_user_move_home_dir_from[${usergroup_user_index}]" string => execresult("${paths.grep} '^${usergroup_user_login[${usergroup_user_index}]}:' /etc/passwd | ${paths.cut} -d: -f6", "useshell"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}";
classes:
# Actions
"usermanagement_user_update_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","add");
"usermanagement_user_remove_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","remove");
"usermanagement_user_checkpres_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checkhere");
"usermanagement_user_checkabs_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checknothere");
"usermanagement_user_pershome_${usergroup_user_index}" not => strcmp("${usergroup_user_home_perso[${usergroup_user_index}]}","true");
"usermanagement_user_custom_home_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_home[${usergroup_user_index}]");
"usermanagement_user_custom_home_no_value_${usergroup_user_index}" expression => strcmp("", "usergroup_user_home[${usergroup_user_index}]");
"usermanagement_user_custom_home_defined_${usergroup_user_index}" expression => "!usermanagement_user_custom_home_no_variable_${usergroup_user_index}.!usermanagement_user_custom_home_no_value_${usergroup_user_index}";
# If we ask to personnalize home, but not define it, it is invalid
"usermanagement_user_home_pershome_invalid_${usergroup_user_index}" expression => "usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_custom_home_defined_${usergroup_user_index}";
# Asked to move the home directory
"usermanagement_user_custom_home_move_${usergroup_user_index}" expression => strcmp("${usergroup_user_home_move[${usergroup_user_index}]}","true");
# The request to move home is valid: the path to move to is defined, and we asked to personalize
"usermanagement_user_custom_home_move_valid_${usergroup_user_index}" expression => "usermanagement_user_custom_home_move_${usergroup_user_index}.usermanagement_user_custom_home_defined_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}";
"usermanagement_user_exists_${usergroup_user_index}" expression => userexists("${usergroup_user_login[${usergroup_user_index}]}");
"usermanagement_group_exists_${usergroup_user_index}" expression => groupexists("${usergroup_user_groupname[${usergroup_user_index}]}");
"usermanagement_user_pwoneshot_${usergroup_user_index}" expression => strcmp("${usergroup_user_password_policy[${usergroup_user_index}]}","oneshot");
"usermanagement_user_pweverytime_${usergroup_user_index}" expression => strcmp("${usergroup_user_password_policy[${usergroup_user_index}]}","everytime");
# with variables that are not unique, the emptyness detection is quite tricky
# either the variable is not defined, or the variable value is ""
"usermanagement_user_pw_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_password[${usergroup_user_index}]");
"usermanagement_user_pw_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_password[${usergroup_user_index}]}");
"usermanagement_user_pwempty_${usergroup_user_index}" expression => "usermanagement_user_pw_no_variable_${usergroup_user_index}|usermanagement_user_pw_no_value_${usergroup_user_index}";
"usermanagement_user_name_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_fullname[${usergroup_user_index}]");
"usermanagement_user_name_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_fullname[${usergroup_user_index}]}");
"usermanagement_user_nameempty_${usergroup_user_index}" expression => "usermanagement_user_name_no_variable_${usergroup_user_index}|usermanagement_user_name_no_value_${usergroup_user_index}";
"usermanagement_user_group_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_groupname[${usergroup_user_index}]");
"usermanagement_user_group_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_groupname[${usergroup_user_index}]}");
"usermanagement_user_groupempty_${usergroup_user_index}" expression => "usermanagement_user_group_no_variable_${usergroup_user_index}|usermanagement_user_group_no_value_${usergroup_user_index}";
"usermanagement_user_uid_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_uid[${usergroup_user_index}]");
"usermanagement_user_uid_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_uid[${usergroup_user_index}]}");
"usermanagement_user_uid_empty_${usergroup_user_index}" expression => "usermanagement_user_uid_no_variable_${usergroup_user_index}|usermanagement_user_uid_no_value_${usergroup_user_index}";
"usermanagement_user_groupmatchesname_${usergroup_user_index}" expression => strcmp("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_groupname[${usergroup_user_index}]}");
# Group doesn't exist and group name is defined
"usermanagement_user_group_definition_error_${usergroup_user_index}" expression => "(!usermanagement_group_exists_${usergroup_user_index}.usermanagement_user_groupmatchesname_${usergroup_user_index})|(!usermanagement_user_groupempty_${usergroup_user_index}.!usermanagement_group_exists_${usergroup_user_index})";
# check if user exists when enforcing ids
"usermanagement_uid_exists_${usergroup_user_index}" expression => userexists("${usergroup_user_uid[${usergroup_user_index}]}"),
ifvarclass => "!usermanagement_user_uid_empty_${usergroup_user_index}";
# UID is defined and already exists
"usermanagement_user_uid_definition_error_${usergroup_user_index}" expression => "!usermanagement_user_uid_empty_${usergroup_user_index}.usermanagement_uid_exists_${usergroup_user_index}";
# if we want to create a user, and a group with the username exists (no group name defined),then we need to force addition of user to that group (mandatory for debian and redhat, non mandatory for SLES)
"usermanagement_user_force_user_in_group_${usergroup_user_index}" expression => groupexists("${usergroup_user_login[${usergroup_user_index}]}"),
ifvarclass => "usermanagement_user_groupempty_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}";
# Class 'any' is executed before others classes defined.
# Same as 'any' but execution will be after all classes defined
"any_2nd_pass" expression => "any";
"showtime" expression => isvariable("nameopt[1]");
showtime::
# if defined, we can move the user home (because we know the previous value)
"usermanagement_user_current_home_defined_${usergroup_user_index}" expression => isvariable("usermanagement_user_move_home_dir_from[${usergroup_user_index}]");
# Must move the home if:
# - home is not the same as the defined home on the node for user
# - we asked to personnalize, and the values are valid
"usermanagement_user_current_home_is_invalid_${usergroup_user_index}" not => strcmp("${usermanagement_user_move_home_dir_from[${usergroup_user_index}]}", "${usergroup_user_home[${usergroup_user_index}]}"),
ifvarclass => "usermanagement_user_current_home_defined_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_home_pershome_invalid_${usergroup_user_index}";
any::
"pass3" expression => "pass2";
"pass2" expression => "pass1";
"pass1" expression => "any";
files:
!windows::
"/etc/passwd"
create => "false",
edit_line => set_user_fullname("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"),
edit_defaults => noempty_backup,
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}";
"/etc/passwd"
create => "false",
edit_line => set_user_fullname("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"),
edit_defaults => noempty_backup,
action => WarnOnly,
ifvarclass => "usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}";
aix::
# On AIX, if password is supplied and user must exist, then the second field needs to be a ! to allow login
"/etc/passwd"
create => "false",
edit_line => set_colon_field("${usergroup_user_login[${usergroup_user_index}]}", "2", "!"),
edit_defaults => noempty_backup,
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
!windows.!aix::
# Define password when user has already been created
"/etc/shadow"
create => "false",
edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, "${usergroup_user_password[${usergroup_user_index}]}"),
edit_defaults => noempty_backup,
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
# Check password if we are in "check only (account should exist)
# Due to https://tracker.mender.io/browse/CFE-2424, if password is correct, no class is defined. Waiting for fix in the agent
"/etc/shadow"
create => "false",
edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, "${usergroup_user_password[${usergroup_user_index}]}"),
edit_defaults => noempty_backup,
action => WarnOnly,
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
ifvarclass => "!usermanagement_user_pwempty_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}";
aix::
"/etc/security/passwd"
create => "false",
edit_line => ncf_ensure_AIX_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password_aix[${usergroup_user_index}]}"),
edit_defaults => noempty_backup,
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
# set the last update date if password has been updated
"/etc/security/passwd"
create => "false",
edit_line => ncf_edit_lastupdate_AIX_password("${usergroup_user_login[${usergroup_user_index}]}"),
edit_defaults => noempty_backup,
ifvarclass => "usermanagement_user_password_${usergroup_user_index}_repaired.((usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index}))";
"/etc/security/passwd"
create => "false",
edit_line => ncf_ensure_AIX_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password_aix[${usergroup_user_index}]}"),
edit_defaults => noempty_backup,
action => WarnOnly,
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
ifvarclass => "!usermanagement_user_pwempty_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}";
methods:
windows::
# check user password
"check_user_password" usebundle => check_usergroup_user_parameters_windows_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password[${usergroup_user_index}]}", "${usergroup_user_index}"),
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
# check user fullname
"check_user_fullname" usebundle => check_usergroup_user_parameters_windows_fullname("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_fullname[${usergroup_user_index}]}", "${usergroup_user_action[${usergroup_user_index}]}", "${nameopt[${usergroup_user_index}]}", "${usergroup_user_index}"),
ifvarclass => "(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index}).!usermanagement_user_nameempty_${usergroup_user_index}";
pass3.showtime::
# Add user
## Does exist (Success)
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_login_add_${usergroup_user_index}_repaired.(usermanagement_user_nameempty_${usergroup_user_index}|usermanagement_fullname_edit_${usergroup_user_index}_kept)";
## Seems to exist with a wrong Full Name (Repaired)
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong fullname"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}.(usermanagement_fullname_edit_${usergroup_user_index}_repaired|usermanagement_fullname_edit_${usergroup_user_index}_error)";
## Added (Repaired)
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been added to the system"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_login_add_${usergroup_user_index}_repaired";
## Error
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system"),
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_login_add_${usergroup_user_index}_error";
## Could not be added, for the default path was not selected, but the custom one was not defined
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the default home directory was not selected, but the custom path was not specified"),
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_custom_home_defined_${usergroup_user_index}";
## Could not be added, as a custom group was asked for and did not exist on the system
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the custom group \"${usergroup_user_groupname[${usergroup_user_index}]}\" does not exist"),
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_group_definition_error_${usergroup_user_index}";
## Could not be added, as a custom uid was asked for and did exist on the system
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the custom uid \"${usergroup_user_uid[${usergroup_user_index}]}\" already exists"),
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_uid_definition_error_${usergroup_user_index}";
# Remove user
## Does not exist (Success)
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) does not exist, as required"),
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}";
## Removed (Repaired)
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been removed from the system"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}.usermanagement_login_remove_${usergroup_user_index}_repaired";
## Error
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be removed from the system"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}.usermanagement_login_remove_${usergroup_user_index}_error";
# Check user not exists
## Does not exist (Success)
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which is in accordance with the non presence policy"),
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkabs_${usergroup_user_index}";
## Does exist (Error)
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which violates the non presence policy"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkabs_${usergroup_user_index}";
# Check user exists
## Does exist (Success)
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which is in conformance with the presence policy"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}.(usermanagement_user_nameempty_${usergroup_user_index}|usermanagement_fullname_edit_${usergroup_user_index}_kept)";
## Seems to exist with a wrong Full Name (Error)
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname"),
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}.(usermanagement_fullname_edit_${usergroup_user_index}_repaired|usermanagement_fullname_edit_${usergroup_user_index}_error)";
## Does not exist (Error)
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which violates the presence policy"),
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}";
# Password handling
"any" usebundle => rudder_common_reports_generic_index("userGroupManagement", "usermanagement_user_password_${usergroup_user_index}", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password", "${usergroup_user_index}"),
ifvarclass => "!usermanagement_user_checkpres_${usergroup_user_index}";
# Password handling in check only
"any" usebundle => rudder_common_reports_generic_index("userGroupManagement", "usermanagement_user_password_${usergroup_user_index}", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The check of password for user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) ", "${usergroup_user_index}"),
ifvarclass => "usermanagement_user_checkpres_${usergroup_user_index}";
## Change not needed (Success)
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required"),
ifvarclass => "((!usermanagement_user_password_${usergroup_user_index}_kept.!usermanagement_user_password_${usergroup_user_index}_repaired.!usermanagement_user_password_${usergroup_user_index}_error).((usermanagement_user_pwoneshot_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index})|usermanagement_user_pwempty_${usergroup_user_index}|(usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.(usermanagement_user_group_definition_error_${usergroup_user_index}|usermanagement_user_uid_definition_error_${usergroup_user_index}))))|usermanagement_user_remove_${usergroup_user_index}";
## Change not needed (N/A)
"any" usebundle => rudder_common_report("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required"),
ifvarclass => "(!usermanagement_user_password_${usergroup_user_index}_kept.!usermanagement_user_password_${usergroup_user_index}_repaired.!usermanagement_user_password_${usergroup_user_index}_error).((usermanagement_user_checkpres_${usergroup_user_index}.usermanagement_user_pwoneshot_${usergroup_user_index})|(usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}))|usermanagement_user_checkabs_${usergroup_user_index}";
# Homedir management
## On Windows, we don't do the home part
"any" usebundle => rudder_common_report("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "Home directory are not enforced on Windows"),
ifvarclass => "windows";
## In case of user to remove or to check absent, this is a result_na
"any" usebundle => rudder_common_report("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} should not be present, it doesn't need to have its home directory checked"),
ifvarclass => "!windows.(usermanagement_user_remove_${usergroup_user_index}|usermanagement_user_checkabs_${usergroup_user_index})";
## In case of check user present or update, but with default home, this is result_na
"any" usebundle => rudder_common_report("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} doesn't need to have its home directory checked"),
ifvarclass => "!windows.(!usermanagement_user_pershome_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index}))";
## In case of check user present or update, but the home is already correct, this is success
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory is valid"),
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_current_home_is_invalid_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index}))";
## In case of update, but the home was not correct, and could be changed, this is repaired
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was changed (but not moved)"),
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.(usermanagement_login_home_change_${usergroup_user_index}_repaired.!usermanagement_login_home_change_${usergroup_user_index}_error).usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index})";
## In case of update, but the home was not correct, and could not be changed, this is error
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory could not be changed"),
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.usermanagement_login_home_change_${usergroup_user_index}_error.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index})";
## In case of update, but the home was not correct, and could be moved, this is repaired
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was moved"),
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.(usermanagement_login_home_move_${usergroup_user_index}_repaired.!usermanagement_login_home_move_${usergroup_user_index}_error).usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index})";
## In case of update, but the home was not correct, and could not be moved, this is error
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory could not be moved"),
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.usermanagement_login_home_move_${usergroup_user_index}_error.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index})";
## In case of check only, and the home was not correct, this is error
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was invalid"),
ifvarclass => "!windows.usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}";
commands:
&if(NOVA)&
windows.showtime::
"\"${sys.winsysdir}\net.exe\""
args => "USER ${usergroup_user_login[${usergroup_user_index}]} ${usergroup_user_password[${usergroup_user_index}]} /ADD ${nameopt[${usergroup_user_index}]}",
classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"),
comment => "Create the user ${usergroup_user_login[${usergroup_user_index}]}",
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}";
"\"${sys.winsysdir}\net.exe\""
args => "USER ${usergroup_user_login[${usergroup_user_index}]} /DELETE",
classes => cf2_if_else("usermanagement_login_remove_${usergroup_user_index}_repaired", "usermanagement_login_remove_${usergroup_user_index}_error"),
comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}",
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}";
&endif&
!windows.showtime::
"/usr/sbin/useradd"
args => "${useropt[${usergroup_user_index}]} ${groupopt[${usergroup_user_index}]} -m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}",
classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"),
comment => "Create the user",
ifvarclass => "!usermanagement_user_uid_definition_error_${usergroup_user_index}.!usermanagement_user_group_definition_error_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_pershome_${usergroup_user_index}";
"/usr/sbin/useradd"
args => "${useropt[${usergroup_user_index}]} ${groupopt[${usergroup_user_index}]} -m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} -d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}",
classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"),
comment => "Create the user with a custom home directory",
ifvarclass => "!usermanagement_user_uid_definition_error_${usergroup_user_index}.!usermanagement_user_group_definition_error_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_custom_home_defined_${usergroup_user_index}";
"/usr/sbin/userdel"
args => "${usergroup_user_login[${usergroup_user_index}]}",
classes => cf2_if_else("usermanagement_login_remove_${usergroup_user_index}_repaired", "usermanagement_login_remove_${usergroup_user_index}_error"),
comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}",
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}";
# Change user home dir
## Move the home dir
"/usr/sbin/usermod"
args => "-d ${usergroup_user_home[${usergroup_user_index}]} -m ${usergroup_user_login[${usergroup_user_index}]}",
classes => cf2_if_else("usermanagement_login_home_move_${usergroup_user_index}_repaired", "usermanagement_home_move_${usergroup_user_index}_error"),
comment => "Change home directory (move it)",
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_custom_home_move_valid_${usergroup_user_index}";
## Doesn't move the home dir
"/usr/sbin/usermod"
args => "-d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}",
classes => cf2_if_else("usermanagement_login_home_change_${usergroup_user_index}_repaired", "usermanagement_home_change_${usergroup_user_index}_error"),
comment => "Change home directory definition for user (doesn't move files)",
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.!usermanagement_user_custom_home_move_${usergroup_user_index}";
}
bundle edit_line set_user_fullname(user,user_index,fullname)
{
field_edits:
"${user}:.*"
# Edit GECOS on /etc/passwd
edit_field => col(":", "5", "${fullname}", "set"),
classes => classes_generic("usermanagement_fullname_edit_${user_index}");
}
# Bundle to check the full name of a user on windows
# Takes the user login, the expected fullname, the action (checkhere for not editing), the FULLNAME set attribute for net.exe and the index for reporting
bundle agent check_usergroup_user_parameters_windows_fullname(user, fullname, usergroup_user_action, nameopt, usergroup_user_index) {
vars:
"current_fullname" string => execresult("Get-WMIObject Win32_UserAccount | where Name -eq '${user}' | ForEach { write-host $_.FullName }", "powershell");
classes:
"usermanagement_user_checkpres" expression => strcmp("${usergroup_user_action}","checkhere");
"user_valid" expression => strcmp("${current_fullname}", "${fullname}");
methods:
user_valid::
"already_correct" usebundle => _classes_success("usermanagement_fullname_edit_${usergroup_user_index}");
!user_valid.usermanagement_user_checkpres::
# fullname is not valid, but don't request to change it
"invalid_user" usebundle => _classes_failure("usermanagement_fullname_edit_${usergroup_user_index}");
commands:
# if user is invalid, and we want to enforce fullname:
!user_valid.!usermanagement_user_checkpres::
"\"${sys.winsysdir}\net.exe\""
args => "USER ${user} ${nameopt}",
classes => classes_generic("usermanagement_fullname_edit_${usergroup_user_index}");
}
# Enforce user password
# takes the user login, the expected password (clear text), and the index for reports
bundle agent check_usergroup_user_parameters_windows_password(user, password, usergroup_user_index) {
vars:
"password_valid" string => execresult("Add-Type -AssemblyName System.DirectoryServices.AccountManagement; $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $env:COMPUTERNAME); $DS.ValidateCredentials('${user}', '${password}')", "powershell");
classes:
"usermanagement_user_password_${usergroup_user_index}_kept" expression => strcmp("True", "${password_valid}"),
scope => "namespace";
commands:
"\"${sys.winsysdir}\net.exe\""
args => "USER ${user} ${password}",
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
ifvarclass => "!usermanagement_user_password_${usergroup_user_index}_kept";
}
