1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
|
require_relative '../../../puppet/provider/nameservice/objectadd'
require 'date'
require_relative '../../../puppet/util/libuser'
require 'time'
require_relative '../../../puppet/error'
Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameService::ObjectAdd do
desc "User management via `useradd` and its ilk. Note that you will need to
install Ruby's shadow password library (often known as `ruby-libshadow`)
if you wish to manage user passwords.
To use the `forcelocal` parameter, you need to install the `libuser` package (providing
`/usr/sbin/lgroupadd` and `/usr/sbin/luseradd`)."
commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage", :chpasswd => "chpasswd"
options :home, :flag => "-d", :method => :dir
options :comment, :method => :gecos
options :groups, :flag => "-G"
options :password_min_age, :flag => "-m", :method => :sp_min
options :password_max_age, :flag => "-M", :method => :sp_max
options :password_warn_days, :flag => "-W", :method => :sp_warn
options :password, :method => :sp_pwdp
options :expiry, :method => :sp_expire,
:munge => proc { |value|
if value == :absent
if Puppet.runtime[:facter].value(:operatingsystem)=='SLES' && Puppet.runtime[:facter].value(:operatingsystemmajrelease) == "11"
-1
else
''
end
else
case Puppet.runtime[:facter].value(:operatingsystem)
when 'Solaris'
# Solaris uses %m/%d/%Y for useradd/usermod
expiry_year, expiry_month, expiry_day = value.split('-')
[expiry_month, expiry_day, expiry_year].join('/')
else
value
end
end
},
:unmunge => proc { |value|
if value == -1
:absent
else
# Expiry is days after 1970-01-01
(Date.new(1970,1,1) + value).strftime('%Y-%m-%d')
end
}
optional_commands :localadd => "luseradd", :localdelete => "luserdel", :localmodify => "lusermod", :localpassword => "lchage"
has_feature :manages_local_users_and_groups if Puppet.features.libuser?
def exists?
return !!localuid if @resource.forcelocal?
super
end
def uid
return localuid if @resource.forcelocal?
get(:uid)
end
def gid
return localgid if @resource.forcelocal?
get(:gid)
end
def comment
return localcomment if @resource.forcelocal?
get(:comment)
end
def shell
return localshell if @resource.forcelocal?
get(:shell)
end
def home
return localhome if @resource.forcelocal?
get(:home)
end
def groups
return localgroups if @resource.forcelocal?
super
end
def finduser(key, value)
passwd_file = '/etc/passwd'
passwd_keys = [:account, :password, :uid, :gid, :gecos, :directory, :shell]
unless @users
unless Puppet::FileSystem.exist?(passwd_file)
raise Puppet::Error.new("Forcelocal set for user resource '#{resource[:name]}', but #{passwd_file} does not exist")
end
@users = []
Puppet::FileSystem.each_line(passwd_file) do |line|
user = line.chomp.split(':')
@users << Hash[passwd_keys.zip(user)]
end
end
@users.find { |param| param[key] == value } || false
end
def local_username
finduser(:uid, @resource.uid)
end
def localuid
user = finduser(:account, resource[:name])
return user[:uid] if user
false
end
def localgid
user = finduser(:account, resource[:name])
if user
begin
return Integer(user[:gid])
rescue ArgumentError
Puppet.debug("Non-numeric GID found in /etc/passwd for user #{resource[:name]}")
return user[:gid]
end
end
false
end
def localcomment
user = finduser(:account, resource[:name])
user[:gecos]
end
def localshell
user = finduser(:account, resource[:name])
user[:shell]
end
def localhome
user = finduser(:account, resource[:name])
user[:directory]
end
def localgroups
@groups_of ||= {}
group_file = '/etc/group'
user = resource[:name]
return @groups_of[user] if @groups_of[user]
@groups_of[user] = []
unless Puppet::FileSystem.exist?(group_file)
raise Puppet::Error.new("Forcelocal set for user resource '#{user}', but #{group_file} does not exist")
end
Puppet::FileSystem.each_line(group_file) do |line|
data = line.chomp.split(':')
if !data.empty? && data.last.split(',').include?(user)
@groups_of[user] << data.first
end
end
@groups_of[user]
end
def shell=(value)
check_valid_shell
set(:shell, value)
end
def groups=(value)
set(:groups, value)
end
def password=(value)
user = @resource[:name]
tempfile = Tempfile.new('puppet', :encoding => Encoding::UTF_8)
begin
# Puppet execute does not support strings as input, only files.
# The password is expected to be in an encrypted format given -e is specified:
tempfile << "#{user}:#{value}\n"
tempfile.flush
# Options '-e' use encrypted password
# Must receive "user:enc_password" as input
# command, arguments = {:failonfail => true, :combine => true}
cmd = [command(:chpasswd), '-e']
execute_options = {
:failonfail => false,
:combine => true,
:stdinfile => tempfile.path,
:sensitive => has_sensitive_data?
}
output = execute(cmd, execute_options)
rescue => detail
tempfile.close
tempfile.delete
raise Puppet::Error, "Could not set password on #{@resource.class.name}[#{@resource.name}]: #{detail}", detail.backtrace
end
# chpasswd can return 1, even on success (at least on AIX 6.1); empty output
# indicates success
raise Puppet::ExecutionFailure, "chpasswd said #{output}" if output != ''
end
verify :gid, "GID must be an integer" do |value|
value.is_a? Integer
end
verify :groups, "Groups must be comma-separated" do |value|
value !~ /\s/
end
has_features :manages_homedir, :allows_duplicates, :manages_expiry
has_features :system_users unless %w{HP-UX Solaris}.include? Puppet.runtime[:facter].value(:operatingsystem)
has_features :manages_passwords, :manages_password_age if Puppet.features.libshadow?
has_features :manages_shell
def check_allow_dup
# We have to manually check for duplicates when using libuser
# because by default duplicates are allowed. This check is
# to ensure consistent behaviour of the useradd provider when
# using both useradd and luseradd
if (!@resource.allowdupe?) && @resource.forcelocal?
if @resource.should(:uid) && finduser(:uid, @resource.should(:uid).to_s)
raise(Puppet::Error, "UID #{@resource.should(:uid)} already exists, use allowdupe to force user creation")
end
elsif @resource.allowdupe? && (!@resource.forcelocal?)
return ["-o"]
end
[]
end
def check_valid_shell
unless File.exist?(@resource.should(:shell))
raise(Puppet::Error, "Shell #{@resource.should(:shell)} must exist")
end
unless File.executable?(@resource.should(:shell).to_s)
raise(Puppet::Error, "Shell #{@resource.should(:shell)} must be executable")
end
end
def check_manage_home
cmd = []
if @resource.managehome?
# libuser does not implement the -m flag
cmd << "-m" unless @resource.forcelocal?
else
osfamily = Puppet.runtime[:facter].value(:osfamily)
osversion = Puppet.runtime[:facter].value(:operatingsystemmajrelease).to_i
# SLES 11 uses pwdutils instead of shadow, which does not have -M
# Solaris and OpenBSD use different useradd flavors
unless osfamily =~ /Solaris|OpenBSD/ || osfamily == 'Suse' && osversion <= 11
cmd << "-M"
end
end
cmd
end
def check_system_users
if self.class.system_users? && resource.system?
["-r"]
else
[]
end
end
# Add properties and flags but skipping password related properties due to
# security risks
def add_properties
cmd = []
# validproperties is a list of properties in undefined order
# sort them to have a predictable command line in tests
Puppet::Type.type(:user).validproperties.sort.each do |property|
value = get_value_for_property(property)
next if value.nil? || property == :password
# the value needs to be quoted, mostly because -c might
# have spaces in it
cmd << flag(property) << munge(property, value)
end
cmd
end
def get_value_for_property(property)
return nil if property == :ensure
return nil if property_manages_password_age?(property)
return nil if property == :groups and @resource.forcelocal?
return nil if property == :expiry and @resource.forcelocal?
value = @resource.should(property)
return nil if !value || value == ""
value
end
def has_sensitive_data?(property = nil)
#Check for sensitive values?
properties = property ? [property] : Puppet::Type.type(:user).validproperties
properties.any? do |prop|
p = @resource.parameter(prop)
p && p.respond_to?(:is_sensitive) && p.is_sensitive
end
end
def addcmd
if @resource.forcelocal?
cmd = [command(:localadd)]
@custom_environment = Puppet::Util::Libuser.getenv
else
cmd = [command(:add)]
end
if (!@resource.should(:gid)) && Puppet::Util.gid(@resource[:name])
cmd += ["-g", @resource[:name]]
end
cmd += add_properties
cmd += check_allow_dup
cmd += check_manage_home
cmd += check_system_users
cmd << @resource[:name]
end
def modifycmd(param, value)
if @resource.forcelocal?
case param
when :groups, :expiry
cmd = [command(:modify)]
else
cmd = [command(property_manages_password_age?(param) ? :localpassword : :localmodify)]
end
@custom_environment = Puppet::Util::Libuser.getenv
else
cmd = [command(property_manages_password_age?(param) ? :password : :modify)]
end
cmd << flag(param) << value
cmd += check_allow_dup if param == :uid
cmd << @resource[:name]
cmd
end
def deletecmd
if @resource.forcelocal?
cmd = [command(:localdelete)]
@custom_environment = Puppet::Util::Libuser.getenv
else
cmd = [command(:delete)]
end
# Solaris `userdel -r` will fail if the homedir does not exist.
if @resource.managehome? && (('Solaris' != Puppet.runtime[:facter].value(:operatingsystem)) || Dir.exist?(Dir.home(@resource[:name])))
cmd << '-r'
end
cmd << @resource[:name]
end
def passcmd
if @resource.forcelocal?
cmd = command(:localpassword)
@custom_environment = Puppet::Util::Libuser.getenv
else
cmd = command(:password)
end
age_limits = [:password_min_age, :password_max_age, :password_warn_days].select { |property| @resource.should(property) }
if age_limits.empty?
nil
else
[cmd, age_limits.collect { |property| [flag(property), @resource.should(property)]}, @resource[:name]].flatten
end
end
[:expiry, :password_min_age, :password_max_age, :password_warn_days, :password].each do |shadow_property|
define_method(shadow_property) do
if Puppet.features.libshadow?
ent = Shadow::Passwd.getspnam(@canonical_name)
if ent
method = self.class.option(shadow_property, :method)
return unmunge(shadow_property, ent.send(method))
end
end
:absent
end
end
def create
if @resource[:shell]
check_valid_shell
end
super
if @resource.forcelocal?
set(:groups, @resource[:groups]) if self.groups?
set(:expiry, @resource[:expiry]) if @resource[:expiry]
end
set(:password, @resource[:password]) if @resource[:password]
end
def groups?
!!@resource[:groups]
end
def property_manages_password_age?(property)
property.to_s =~ /password_.+_age|password_warn_days/
end
end
|
