Merge branch 'bug_8566/usermanagement_technique_doesn_t_do_anything_o…

…n_windows_on_version_5_and_6_pr' into branches/rudder/2.11
Normation · Jul 6, 2016 · 18c2f07 · 18c2f07
2 parents 82b6519 + 296f0ca
commit 18c2f07
Show file tree

Hide file tree

Showing 4 changed files with 119 additions and 8 deletions.
diff --git a/techniques/systemSettings/userManagement/userManagement/5.0/metadata.xml b/techniques/systemSettings/userManagement/userManagement/5.0/metadata.xml
@@ -29,6 +29,7 @@ It is intended to check the user parameters on the target host.
     <OS version=">= 4 (Etch)">Debian</OS>
     <OS version=">= 4 (Nahant)">RHEL / CentOS</OS>
     <OS version=">= 10 SP1 (Agama Lizard)">SuSE LES / DES / OpenSuSE</OS>
+    <OS version=">= 2008">Windows</OS>
     <AGENT version=">= 3.1.5">cfengine-community</AGENT>
   </COMPATIBLE>
 
@@ -40,6 +41,10 @@ It is intended to check the user parameters on the target host.
     <TML name="userManagement"/>
   </TMLS>
 
+  <SYSTEMVARS>
+    <NAME>NOVA</NAME>
+  </SYSTEMVARS>
+
   <TRACKINGVARIABLE>
     <SAMESIZEAS>USERGROUP_USER_LOGIN</SAMESIZEAS>
   </TRACKINGVARIABLE>

diff --git a/techniques/systemSettings/userManagement/userManagement/5.0/userManagement.st b/techniques/systemSettings/userManagement/userManagement/5.0/userManagement.st
@@ -170,7 +170,7 @@ bundle agent check_usergroup_user_parameters
       "showtime" expression => isvariable("nameopt[1]");
 
   files:
-
+   !windows::
       "/etc/passwd"
         create => "false",
         edit_line => set_user_fullname("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"),
@@ -192,6 +192,16 @@ bundle agent check_usergroup_user_parameters
         classes    => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"),
         ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
 
+  methods:
+    windows::
+      # check user password
+      "check_user_password" usebundle => check_usergroup_user_parameters_windows_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password[${usergroup_user_index}]}", "${usergroup_user_index}"),
+        ifvarclass                    => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
+
+      # check user fullname
+      "check_user_fullname" usebundle => check_usergroup_user_parameters_windows_fullname("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_fullname[${usergroup_user_index}]}", "${usergroup_user_action[${usergroup_user_index}]}", "${nameopt[${usergroup_user_index}]}", "${usergroup_user_index}"),
+        ifvarclass                    => "(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index}).!usermanagement_user_nameempty_${usergroup_user_index}";
+
   commands:
 
 &if(NOVA)&
@@ -209,9 +219,6 @@ bundle agent check_usergroup_user_parameters
         comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}",
         ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}";
 
-      "\"${sys.winsysdir}\net.exe\""
-        args => "USER ${usergroup_user_login[${usergroup_user_index}]} ${usergroup_user_password[${usergroup_user_index}]}",
-        ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
 &endif&
 
     linux.showtime::
@@ -330,3 +337,47 @@ bundle edit_line set_user_fullname(user,user_index,fullname)
         classes => kept_if_else("usermanagement_fullname_edit_${user_index}_kept","usermanagement_fullname_edit_${user_index}_repaired","usermanagement_fullname_edit_${user_index}_error");
 
 }
+
+# Bundle to check the full name of a user on windows
+# Takes the user login, the expected fullname, the action (checkhere for not editing), the FULLNAME set attribute for net.exe and the index for reporting
+bundle agent check_usergroup_user_parameters_windows_fullname(user, fullname, usergroup_user_action, nameopt, usergroup_user_index) {
+  vars:
+      "current_fullname" string => execresult("Get-WMIObject Win32_UserAccount | where Name -eq  '${user}' | ForEach { write-host $_.FullName }", "powershell");
+
+  classes:
+      "usermanagement_user_checkpres" expression => strcmp("${usergroup_user_action}","checkhere");
+      "user_valid"                    expression => strcmp("${current_fullname}", "${fullname}");
+
+  methods:
+    user_valid::
+      "already_correct" usebundle => _classes_success("usermanagement_fullname_edit_${usergroup_user_index}");
+
+    !user_valid.usermanagement_user_checkpres::
+      # fullname is not valid, but don't request to change it
+      "invalid_user"    usebundle => _classes_failure("usermanagement_fullname_edit_${usergroup_user_index}");
+
+  commands:
+    # if user is invalid, and we want to enforce fullname:
+    !user_valid.!usermanagement_user_checkpres::
+      "\"${sys.winsysdir}\net.exe\""
+          args => "USER ${user} ${nameopt}",
+          classes => classes_generic("usermanagement_fullname_edit_${usergroup_user_index}");
+}
+
+# Enforce user password
+# takes the user login, the expected password (clear text), and the index for reports
+bundle agent check_usergroup_user_parameters_windows_password(user, password, usergroup_user_index) {
+  vars:
+   "password_valid" string => execresult("Add-Type -AssemblyName System.DirectoryServices.AccountManagement; $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $env:COMPUTERNAME); $DS.ValidateCredentials('${user}', '${password}')", "powershell");
+
+
+  classes:
+      "usermanagement_user_password_ok_${usergroup_user_index}" expression => strcmp("True", "${password_valid}"),
+        scope => "namespace";
+
+  commands:
+      "\"${sys.winsysdir}\net.exe\""
+            args    => "USER ${user} ${password}",
+         classes    => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"),
+         ifvarclass => "!usermanagement_user_password_ok_${usergroup_user_index}";
+}
diff --git a/techniques/systemSettings/userManagement/userManagement/6.0/metadata.xml b/techniques/systemSettings/userManagement/userManagement/6.0/metadata.xml
@@ -29,6 +29,7 @@ It is intended to check the user parameters on the target host.
     <OS version=">= 4 (Etch)">Debian</OS>
     <OS version=">= 4 (Nahant)">RHEL / CentOS</OS>
     <OS version=">= 10 SP1 (Agama Lizard)">SuSE LES / DES / OpenSuSE</OS>
+    <OS version=">= 2008">Windows</OS>
     <AGENT version=">= 3.1.5">cfengine-community</AGENT>
   </COMPATIBLE>
 
@@ -40,6 +41,10 @@ It is intended to check the user parameters on the target host.
     <TML name="userManagement"/>
   </TMLS>
 
+  <SYSTEMVARS>
+    <NAME>NOVA</NAME>
+  </SYSTEMVARS>
+
   <TRACKINGVARIABLE>
     <SAMESIZEAS>USERGROUP_USER_LOGIN</SAMESIZEAS>
   </TRACKINGVARIABLE>

diff --git a/techniques/systemSettings/userManagement/userManagement/6.0/userManagement.st b/techniques/systemSettings/userManagement/userManagement/6.0/userManagement.st
@@ -175,7 +175,7 @@ bundle agent check_usergroup_user_parameters
       "pass1" expression => "any";
 
   files:
-
+    !windows::
       "/etc/passwd"
         create => "false",
         edit_line => set_user_fullname("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"),
@@ -198,6 +198,14 @@ bundle agent check_usergroup_user_parameters
         ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
 
   methods:
+    windows::
+      # check user password
+      "check_user_password" usebundle => check_usergroup_user_parameters_windows_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password[${usergroup_user_index}]}", "${usergroup_user_index}"),
+        ifvarclass                    => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
+
+      # check user fullname
+      "check_user_fullname" usebundle => check_usergroup_user_parameters_windows_fullname("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_fullname[${usergroup_user_index}]}", "${usergroup_user_action[${usergroup_user_index}]}", "${nameopt[${usergroup_user_index}]}", "${usergroup_user_index}"),
+        ifvarclass                    => "(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index}).!usermanagement_user_nameempty_${usergroup_user_index}";
 
     pass3.((linux|windows).showtime)::
 
@@ -299,9 +307,6 @@ bundle agent check_usergroup_user_parameters
         comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}",
         ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}";
 
-      "\"${sys.winsysdir}\net.exe\""
-        args => "USER ${usergroup_user_login[${usergroup_user_index}]} ${usergroup_user_password[${usergroup_user_index}]}",
-        ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
 &endif&
 
     linux.showtime::
@@ -335,3 +340,48 @@ bundle edit_line set_user_fullname(user,user_index,fullname)
         classes => kept_if_else("usermanagement_fullname_edit_${user_index}_kept","usermanagement_fullname_edit_${user_index}_repaired","usermanagement_fullname_edit_${user_index}_error");
 
 }
+
+# Bundle to check the full name of a user on windows
+# Takes the user login, the expected fullname, the action (checkhere for not editing), the FULLNAME set attribute for net.exe and the index for reporting
+bundle agent check_usergroup_user_parameters_windows_fullname(user, fullname, usergroup_user_action, nameopt, usergroup_user_index) {
+  vars:
+      "current_fullname" string => execresult("Get-WMIObject Win32_UserAccount | where Name -eq  '${user}' | ForEach { write-host $_.FullName }", "powershell");
+
+  classes:
+      "usermanagement_user_checkpres" expression => strcmp("${usergroup_user_action}","checkhere");
+      "user_valid"                    expression => strcmp("${current_fullname}", "${fullname}");
+
+  methods:
+    user_valid::
+      "already_correct" usebundle => _classes_success("usermanagement_fullname_edit_${usergroup_user_index}");
+
+    !user_valid.usermanagement_user_checkpres::
+      # fullname is not valid, but don't request to change it
+      "invalid_user"    usebundle => _classes_failure("usermanagement_fullname_edit_${usergroup_user_index}");
+
+  commands:
+    # if user is invalid, and we want to enforce fullname:
+    !user_valid.!usermanagement_user_checkpres::
+      "\"${sys.winsysdir}\net.exe\""
+          args    => "USER ${user} ${nameopt}",
+          classes => classes_generic("usermanagement_fullname_edit_${usergroup_user_index}");
+}
+
+# Enforce user password
+# takes the user login, the expected password (clear text), and the index for reports
+bundle agent check_usergroup_user_parameters_windows_password(user, password, usergroup_user_index) {
+  vars:
+   "password_valid" string => execresult("Add-Type -AssemblyName System.DirectoryServices.AccountManagement; $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $env:COMPUTERNAME); $DS.ValidateCredentials('${user}', '${password}')", "powershell");
+
+
+  classes:
+      "usermanagement_user_password_ok_${usergroup_user_index}" expression => strcmp("True", "${password_valid}"),
+        scope => "namespace";
+
+  commands:
+      "\"${sys.winsysdir}\net.exe\""
+            args    => "USER ${user} ${password}",
+         classes    => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"),
+         ifvarclass => "!usermanagement_user_password_ok_${usergroup_user_index}";
+
+}