-
-
Notifications
You must be signed in to change notification settings - Fork 217
/
manage.rb
189 lines (171 loc) · 6.37 KB
/
manage.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
#
# Cookbook:: users
# Resources:: manage
#
# Copyright:: 2011-2017, Eric G. Wolfe
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# :data_bag is the object to search
# :search_group is the groups name to search for, defaults to resource name
# :group_name is the string name of the group to create, defaults to resource name
# :group_id is the numeric id of the group to create, default is to allow the OS to pick next
# :cookbook is the name of the cookbook that the authorized_keys template should be found in
property :data_bag, String, default: 'users'
property :search_group, String, name_property: true
property :group_name, String, name_property: true
property :group_id, Integer
property :cookbook, String, default: 'users'
property :manage_nfs_home_dirs, [true, false], default: true
action :create do
users_groups = {}
users_groups[new_resource.group_name] = []
search(new_resource.data_bag, "groups:#{new_resource.search_group} AND NOT action:remove") do |u|
u['username'] ||= u['id']
u['groups'].each do |g|
users_groups[g] = [] unless users_groups.key?(g)
users_groups[g] << u['username']
end
# Set home to location in data bag,
# or a reasonable default ($home_basedir/$user).
home_dir = (u['home'] ? u['home'] : "#{home_basedir}/#{u['username']}")
# check whether home dir is null
manage_home = !(home_dir == '/dev/null')
# The user block will fail if the group does not yet exist.
# See the -g option limitations in man 8 useradd for an explanation.
# This should correct that without breaking functionality.
group u['username'] do # ~FC022
case node['platform_family']
when 'mac_os_x'
gid validate_id(u['gid']) unless gid_used?(validate_id(u['gid'])) || new_resource.group_name == u['username']
else
gid validate_id(u['gid'])
end
only_if { u['gid'] && u['gid'].is_a?(Numeric) }
end
# Create user object.
# Do NOT try to manage null home directories.
user u['username'] do
uid validate_id(u['uid'])
gid validate_id(u['gid']) if u['gid']
shell shell_is_valid?(u['shell']) ? u['shell'] : '/bin/sh'
comment u['comment']
password u['password'] if u['password']
salt u['salt'] if u['salt']
iterations u['iterations'] if u['iterations']
manage_home manage_home
home home_dir
action u['action'] if u['action']
end
if manage_home_files?(home_dir, u['username'])
Chef::Log.debug("Managing home files for #{u['username']}")
directory "#{home_dir}/.ssh" do
recursive true
owner u['uid'] ? validate_id(u['uid']) : u['username']
group validate_id(u['gid']) if u['gid']
mode '0700'
only_if { !!(u['ssh_keys'] || u['ssh_private_key'] || u['ssh_public_key']) }
end
# loop over the keys and if we have a URL we should add each key
# from the url response and append it to the list of keys
ssh_keys = []
if u['ssh_keys']
Array(u['ssh_keys']).each do |key|
if key.start_with?('https')
ssh_keys += keys_from_url(key)
else
ssh_keys << key
end
end
end
# use the keyfile defined in the databag or fallback to the standard file in the home dir
key_file = u['authorized_keys_file'] || "#{home_dir}/.ssh/authorized_keys"
template key_file do # ~FC022
source 'authorized_keys.erb'
cookbook new_resource.cookbook
owner u['uid'] ? validate_id(u['uid']) : u['username']
group validate_id(u['gid']) if u['gid']
mode '0600'
sensitive true
# ssh_keys should be a combination of u['ssh_keys'] and any keys
# returned from a specified URL
variables ssh_keys: ssh_keys
only_if { !!(u['ssh_keys']) }
end
if u['ssh_private_key']
key_type = u['ssh_private_key'].include?('BEGIN RSA PRIVATE KEY') ? 'rsa' : 'dsa'
template "#{home_dir}/.ssh/id_#{key_type}" do
source 'private_key.erb'
cookbook new_resource.cookbook
owner u['uid'] ? validate_id(u['uid']) : u['username']
group validate_id(u['gid']) if u['gid']
mode '0400'
variables private_key: u['ssh_private_key']
end
end
if u['ssh_public_key']
key_type = u['ssh_public_key'].include?('ssh-rsa') ? 'rsa' : 'dsa'
template "#{home_dir}/.ssh/id_#{key_type}.pub" do
source 'public_key.pub.erb'
cookbook new_resource.cookbook
owner u['uid'] ? validate_id(u['uid']) : u['username']
group validate_id(u['gid']) if u['gid']
mode '0400'
variables public_key: u['ssh_public_key']
end
end
else
Chef::Log.debug("Not managing home files for #{u['username']}")
end
end
# Populating users to appropriates groups
users_groups.each do |g, u|
group g do
members u
append true
action :manage # Do nothing if group doesn't exist
end unless g == new_resource.group_name # Dealing with managed group later
end
group new_resource.group_name do
case node['platform_family']
when 'mac_os_x'
gid new_resource.group_id unless gid_used?(new_resource.group_id)
else
gid new_resource.group_id
end
members users_groups[new_resource.group_name]
end
end
action :remove do
search(new_resource.data_bag, "groups:#{new_resource.search_group} AND action:remove") do |rm_user|
user rm_user['username'] ||= rm_user['id'] do
action :remove
force rm_user['force'] ||= false
end
end
end
action_class do
include ::Users::Helpers
include ::Users::OsxHelper
def manage_home_files?(home_dir, _user)
# Don't manage home dir if it's NFS mount
# and manage_nfs_home_dirs is disabled
if home_dir == '/dev/null'
false
elsif fs_remote?(home_dir)
new_resource.manage_nfs_home_dirs ? true : false
else
true
end
end
end