/
user.go
457 lines (411 loc) · 12 KB
/
user.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
// Mgmt
// Copyright (C) 2013-2021+ James Shubin and the project contributors
// Written by James Shubin <james@shubin.ca> and the project contributors
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package resources
import (
"fmt"
"io/ioutil"
"os/exec"
"os/user"
"sort"
"strconv"
"strings"
"syscall"
"github.com/purpleidea/mgmt/engine"
"github.com/purpleidea/mgmt/engine/traits"
"github.com/purpleidea/mgmt/recwatch"
"github.com/purpleidea/mgmt/util/errwrap"
)
func init() {
engine.RegisterResource("user", func() engine.Res { return &UserRes{} })
}
const passwdFile = "/etc/passwd"
// UserRes is a user account resource.
type UserRes struct {
traits.Base // add the base methods without re-implementation
traits.Edgeable
init *engine.Init
State string `yaml:"state"` // state: exists, absent
UID *uint32 `yaml:"uid"` // uid must be unique unless AllowDuplicateUID is true
GID *uint32 `yaml:"gid"` // gid of the user's primary group
Group *string `yaml:"group"` // name of the user's primary group
Groups []string `yaml:"groups"` // list of supplemental groups
HomeDir *string `yaml:"homedir"` // path to the user's home directory
AllowDuplicateUID bool `yaml:"allowduplicateuid"` // allow duplicate uid
recWatcher *recwatch.RecWatcher
}
// Default returns some sensible defaults for this resource.
func (obj *UserRes) Default() engine.Res {
return &UserRes{}
}
// Validate if the params passed in are valid data.
func (obj *UserRes) Validate() error {
const whitelist string = "_abcdefghijklmnopqrstuvwxyz0123456789"
if obj.State != "exists" && obj.State != "absent" {
return fmt.Errorf("state must be 'exists' or 'absent'")
}
if obj.GID != nil && obj.Group != nil {
return fmt.Errorf("cannot use both GID and Group")
}
if obj.Group != nil {
if *obj.Group == "" {
return fmt.Errorf("group cannot be empty string")
}
for _, char := range *obj.Group {
if !strings.Contains(whitelist, string(char)) {
return fmt.Errorf("group contains invalid character(s)")
}
}
}
if obj.Groups != nil {
for _, group := range obj.Groups {
if group == "" {
return fmt.Errorf("group cannot be empty string")
}
for _, char := range group {
if !strings.Contains(whitelist, string(char)) {
return fmt.Errorf("groups list contains invalid character(s)")
}
}
}
}
return nil
}
// Init runs some startup code for this resource.
func (obj *UserRes) Init(init *engine.Init) error {
obj.init = init // save for later
return nil
}
// Close is run by the engine to clean up after the resource is done.
func (obj *UserRes) Close() error {
return nil
}
// Watch is the primary listener for this resource and it outputs events.
func (obj *UserRes) Watch() error {
var err error
obj.recWatcher, err = recwatch.NewRecWatcher(passwdFile, false)
if err != nil {
return err
}
defer obj.recWatcher.Close()
obj.init.Running() // when started, notify engine that we're running
var send = false // send event?
for {
if obj.init.Debug {
obj.init.Logf("Watching: %s", passwdFile) // attempting to watch...
}
select {
case event, ok := <-obj.recWatcher.Events():
if !ok { // channel shutdown
return nil
}
if err := event.Error; err != nil {
return errwrap.Wrapf(err, "Unknown %s watcher error", obj)
}
if obj.init.Debug { // don't access event.Body if event.Error isn't nil
obj.init.Logf("Event(%s): %v", event.Body.Name, event.Body.Op)
}
send = true
case <-obj.init.Done: // closed by the engine to signal shutdown
return nil
}
// do all our event sending all together to avoid duplicate msgs
if send {
send = false
obj.init.Event() // notify engine of an event (this can block)
}
}
}
// CheckApply method for User resource.
func (obj *UserRes) CheckApply(apply bool) (bool, error) {
obj.init.Logf("CheckApply(%t)", apply)
var exists = true
usr, err := user.Lookup(obj.Name())
if err != nil {
if _, ok := err.(user.UnknownUserError); !ok {
return false, errwrap.Wrapf(err, "error looking up user")
}
exists = false
}
if obj.AllowDuplicateUID == false && obj.UID != nil {
existingUID, err := user.LookupId(strconv.Itoa(int(*obj.UID)))
if err != nil {
if _, ok := err.(user.UnknownUserIdError); !ok {
return false, errwrap.Wrapf(err, "error looking up UID")
}
} else if existingUID.Username != obj.Name() {
return false, fmt.Errorf("the requested UID is already taken")
}
}
if obj.State == "absent" && !exists {
return true, nil
}
if usercheck := true; exists && obj.State == "exists" {
intUID, err := strconv.Atoi(usr.Uid)
if err != nil {
return false, errwrap.Wrapf(err, "error casting UID to int")
}
intGID, err := strconv.Atoi(usr.Gid)
if err != nil {
return false, errwrap.Wrapf(err, "error casting GID to int")
}
if obj.UID != nil && int(*obj.UID) != intUID {
usercheck = false
}
if obj.GID != nil && int(*obj.GID) != intGID {
usercheck = false
}
if obj.HomeDir != nil && *obj.HomeDir != usr.HomeDir {
usercheck = false
}
if usercheck {
return true, nil
}
}
if !apply {
return false, nil
}
var cmdName string
var args []string
if obj.State == "exists" {
if exists {
cmdName = "usermod"
obj.init.Logf("Modifying user: %s", obj.Name())
} else {
cmdName = "useradd"
obj.init.Logf("Adding user: %s", obj.Name())
}
if obj.AllowDuplicateUID {
args = append(args, "--non-unique")
}
if obj.UID != nil {
args = append(args, "-u", fmt.Sprintf("%d", *obj.UID))
}
if obj.GID != nil {
args = append(args, "-g", fmt.Sprintf("%d", *obj.GID))
}
if obj.Group != nil {
args = append(args, "-g", *obj.Group)
}
if obj.Groups != nil {
args = append(args, "-G", strings.Join(obj.Groups, ","))
}
if obj.HomeDir != nil {
args = append(args, "-d", *obj.HomeDir)
}
}
if obj.State == "absent" {
cmdName = "userdel"
obj.init.Logf("Deleting user: %s", obj.Name())
}
args = append(args, obj.Name())
cmd := exec.Command(cmdName, args...)
cmd.SysProcAttr = &syscall.SysProcAttr{
Setpgid: true,
Pgid: 0,
}
// open a pipe to get error messages from os/exec
stderr, err := cmd.StderrPipe()
if err != nil {
return false, errwrap.Wrapf(err, "failed to initialize stderr pipe")
}
// start the command
if err := cmd.Start(); err != nil {
return false, errwrap.Wrapf(err, "cmd failed to start")
}
// capture any error messages
slurp, err := ioutil.ReadAll(stderr)
if err != nil {
return false, errwrap.Wrapf(err, "error slurping error message")
}
// wait until cmd exits and return error message if any
if err := cmd.Wait(); err != nil {
return false, errwrap.Wrapf(err, "%s", slurp)
}
return false, nil
}
// Cmp compares two resources and returns an error if they are not equivalent.
func (obj *UserRes) Cmp(r engine.Res) error {
// we can only compare UserRes to others of the same resource kind
res, ok := r.(*UserRes)
if !ok {
return fmt.Errorf("not a %s", obj.Kind())
}
if obj.State != res.State {
return fmt.Errorf("the State differs")
}
if (obj.UID == nil) != (res.UID == nil) {
return fmt.Errorf("the UID differs")
}
if obj.UID != nil && res.UID != nil {
if *obj.UID != *res.UID {
return fmt.Errorf("the UID differs")
}
}
if (obj.GID == nil) != (res.GID == nil) {
return fmt.Errorf("the GID differs")
}
if obj.GID != nil && res.GID != nil {
if *obj.GID != *res.GID {
return fmt.Errorf("the GID differs")
}
}
if (obj.Groups == nil) != (res.Groups == nil) {
return fmt.Errorf("the Group differs")
}
if obj.Groups != nil && res.Groups != nil {
if len(obj.Groups) != len(res.Groups) {
return fmt.Errorf("the Group differs")
}
objGroups := obj.Groups
resGroups := res.Groups
sort.Strings(objGroups)
sort.Strings(resGroups)
for i := range objGroups {
if objGroups[i] != resGroups[i] {
return fmt.Errorf("the Group differs at index: %d", i)
}
}
}
if (obj.HomeDir == nil) != (res.HomeDir == nil) {
return fmt.Errorf("the HomeDirs differs")
}
if obj.HomeDir != nil && res.HomeDir != nil {
if *obj.HomeDir != *res.HomeDir {
return fmt.Errorf("the HomeDir differs")
}
}
if obj.AllowDuplicateUID != res.AllowDuplicateUID {
return fmt.Errorf("the AllowDuplicateUID differs")
}
return nil
}
// UserUID is the UID struct for UserRes.
type UserUID struct {
engine.BaseUID
name string
uid *uint32
}
// IFF aka if and only if they are equivalent, return true. If not, false.
func (obj *UserUID) IFF(uid engine.ResUID) bool {
res, ok := uid.(*UserUID)
if !ok {
return false
}
if obj.uid != nil && res.uid != nil {
if *obj.uid != *res.uid {
return false
}
}
if obj.name != "" && res.name != "" {
if obj.name != res.name {
return false
}
}
return true
}
// UserResAutoEdges holds the state of the auto edge generator.
type UserResAutoEdges struct {
UIDs []engine.ResUID
pointer int
}
// AutoEdges returns edges from the user resource to each group found in its
// definition. The groups can be in any of the three applicable fields (GID,
// Group and Groups.) If the user exists, reversed ensures the edge goes from
// group to user, and if the user is absent the edge goes from user to group.
// This ensures that we don't add users to groups that don't exist or delete
// groups before we delete their members.
func (obj *UserRes) AutoEdges() (engine.AutoEdge, error) {
var result []engine.ResUID
var reversed bool
if obj.State == "exists" {
reversed = true
}
if obj.GID != nil {
result = append(result, &GroupUID{
BaseUID: engine.BaseUID{
Reversed: &reversed,
},
gid: obj.GID,
})
}
if obj.Group != nil {
result = append(result, &GroupUID{
BaseUID: engine.BaseUID{
Reversed: &reversed,
},
name: *obj.Group,
})
}
for _, group := range obj.Groups {
result = append(result, &GroupUID{
BaseUID: engine.BaseUID{
Reversed: &reversed,
},
name: group,
})
}
return &UserResAutoEdges{
UIDs: result,
pointer: 0,
}, nil
}
// Next returns the next automatic edge.
func (obj *UserResAutoEdges) Next() []engine.ResUID {
if len(obj.UIDs) == 0 {
return nil
}
value := obj.UIDs[obj.pointer]
obj.pointer++
return []engine.ResUID{value}
}
// Test gets results of the earlier Next() call, & returns if we should
// continue.
func (obj *UserResAutoEdges) Test(input []bool) bool {
if len(obj.UIDs) <= obj.pointer {
return false
}
if len(input) != 1 { // in case we get given bad data
panic(fmt.Sprintf("Expecting a single value!"))
}
return true // keep going
}
// UIDs includes all params to make a unique identification of this object. Most
// resources only return one, although some resources can return multiple.
func (obj *UserRes) UIDs() []engine.ResUID {
x := &UserUID{
BaseUID: engine.BaseUID{Name: obj.Name(), Kind: obj.Kind()},
name: obj.Name(),
uid: obj.UID,
}
return []engine.ResUID{x}
}
// UnmarshalYAML is the custom unmarshal handler for this struct. It is
// primarily useful for setting the defaults.
func (obj *UserRes) UnmarshalYAML(unmarshal func(interface{}) error) error {
type rawRes UserRes // indirection to avoid infinite recursion
def := obj.Default() // get the default
res, ok := def.(*UserRes) // put in the right format
if !ok {
return fmt.Errorf("could not convert to UserRes")
}
raw := rawRes(*res) // convert; the defaults go here
if err := unmarshal(&raw); err != nil {
return err
}
*obj = UserRes(raw) // restore from indirection with type conversion!
return nil
}