Work in progress

techniques/systemSettings/userManagement/userManagement/9.1/metadata.xml

@@ -133,6 +133,30 @@
           <DEFAULT>false</DEFAULT>
         </CONSTRAINT>
       </SELECT1>
+      <INPUT>
+        <NAME>USERGROUP_USER_SECONDARY_GROUPS</NAME>
+        <DESCRIPTION>Secondary groups name for this user, comma separated)</DESCRIPTION>
+        <LONGDESCRIPTION>On UNIX systems, ensure that the user belongs to the list of groups, as secondary groups</LONGDESCRIPTION>
+        <CONSTRAINT>
+          <MAYBEEMPTY>true</MAYBEEMPTY>
+        </CONSTRAINT>
+      </INPUT>
+      <SELECT1>
+        <NAME>USERGROUP_FORCE_USER_SECONDARY_GROUPS</NAME>
+        <DESCRIPTION>Enforce the secondary groups of the user</DESCRIPTION>
+        <LONGDESCRIPTION>If set to exactly, the user will belong exactly to the list of secondary groups, otherwise, it may also be in other groups</LONGDESCRIPTION>
+        <ITEM>
+          <LABEL>Included</LABEL>
+          <VALUE>false</VALUE>
+        </ITEM>
+        <ITEM>
+          <LABEL>Exactly</LABEL>
+          <VALUE>true</VALUE>
+        </ITEM>
+        <CONSTRAINT>
+          <DEFAULT>false</DEFAULT>
+        </CONSTRAINT>
+      </SELECT1>
       <INPUT>
         <NAME>USERGROUP_USER_NAME</NAME>
         <DESCRIPTION>Full name for this account</DESCRIPTION>
@@ -183,6 +207,7 @@
       </INPUT>
     </SECTION>
     <SECTION name="Home directory" component="true" componentKey="USERGROUP_USER_LOGIN"/>
+    <SECTION name="User secondary groups" component="true" componentKey="USERGROUP_USER_LOGIN"/>
     </SECTION>
   </SECTIONS>
 

techniques/systemSettings/userManagement/userManagement/9.1/userManagement.st

@@ -21,6 +21,12 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
     &USERGROUP_FORCE_USER_GROUP:{force_group |"usergroup_force_user_groupname[&i&]" string => "&force_group&";
 }&
 
+    &USERGROUP_USER_SECONDARY_GROUPS:{group |"usergroup_user_secondary_groupsname[&i&]" string => "&group&";
+}&
+
+    &USERGROUP_FORCE_USER_SECONDARY_GROUPS:{force_group |"usergroup_force_user_secondary_groupsname[&i&]" string => "&force_group&";
+}&
+
     &USERGROUP_USER_NAME:{name |"usergroup_user_fullname[&i&]" string => "&name&";
 }&
 
@@ -186,7 +192,6 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
                                                                                      "usermanagement_user_group_no_value_${usergroup_user_index}"
                                                                                    );
 
-
       # check if user set a gid or a group name
       "usermanagement_user_group_is_gid_${usergroup_user_index}"        expression => regcmp("[0-9]+", "${usergroup_user_groupname[${usergroup_user_index}]}"),
                                                                                 if => "!usermanagement_user_groupempty_${usergroup_user_index}";
@@ -195,13 +200,18 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
       "usermanagement_force_user_group_defined_${usergroup_user_index}" expression => and( "usermanagement_force_user_group_${usergroup_user_index}",
                                                                                            "!usermanagement_user_groupempty_${usergroup_user_index}"
                                                                                          );
-
-
+      # check if secondary groups are defined
+      "usermanagement_user_secondary_groups_no_variable_${usergroup_user_index}"     not => isvariable("usergroup_user_secondary_groupsname[${usergroup_user_index}]");
+      "usermanagement_user_secondary_groups_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}");
+      "usermanagement_user_secondary_groupsempty_${usergroup_user_index}"     expression => or( "usermanagement_user_secondary_groups_no_variable_${usergroup_user_index}",
+                                                                                                "usermanagement_user_secondary_groups_no_value_${usergroup_user_index}"
+                                                                                              );
+
       "usermanagement_user_uid_no_variable_${usergroup_user_index}"     not => isvariable("usergroup_user_uid[${usergroup_user_index}]");
       "usermanagement_user_uid_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_uid[${usergroup_user_index}]}");
       "usermanagement_user_uid_empty_${usergroup_user_index}"    expression => or( "usermanagement_user_uid_no_variable_${usergroup_user_index}",
                                                                                    "usermanagement_user_uid_no_value_${usergroup_user_index}"
-                                                                                 );
+                                                                                  );
 
       "usermanagement_user_groupmatchesname_${usergroup_user_index}" expression => strcmp("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_groupname[${usergroup_user_index}]}");
 
@@ -390,6 +400,33 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
 
 
   methods:
+    pass2::
+      # set secondary groups
+      "en1" usebundle => enable_reporting; # we should not let the method do the reporting because checkpres does audit with non audit reporting :sob:
+      #if checkpres, then we are doing dry run only
+      "force_dry_run_mode_${usergroup_user_login[${usergroup_user_index}]}_${usergroup_user_secondary_groupsname[${usergroup_user_index}]}"
+            usebundle => push_dry_run_mode("true"),
+                   if => "usermanagement_user_checkpres_${usergroup_user_index}";
+      "any" usebundle => _method_reporting_context("User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}");
+
+      "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}"
+            usebundle => user_secondary_groups("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}", "${usergroup_force_user_secondary_groupsname[${usergroup_user_index}]}"),
+                   if => "!usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index})",
+              comment => "Set secondary groups if they are defined on user ${usergroup_user_login[${usergroup_user_index}]}";
+
+      "remove_force_dry_run_mode_${usergroup_user_login[${usergroup_user_index}]}_${usergroup_user_secondary_groupsname[${usergroup_user_index}]}"
+            usebundle => pop_dry_run_mode(),
+                   if => "usermanagement_user_checkpres_${usergroup_user_index}";
+
+      # no secondary group has been set
+      "any" usebundle  => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "No secondary groups defined for user", "${usergroup_user_index}"),
+                    if => "usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index})";
+
+      # only deletion, or check should not exist
+      "any" usebundle  => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "User secondary groups are not checked in this mode", "${usergroup_user_index}"),
+                    if => "!usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_checkpres_${usergroup_user_index}";
+
+                    
     pass3.showtime::
 
       # Add user