Merge branch 'branches/rudder/8.2'
Jenkins CI committed Dec 30, 2024
2 parents c44f6eb + ad1a006 commit c3403d5
Showing 5 changed files with 951 additions and 0 deletions.
1 change: 1 addition & 0 deletions maintained-techniques
Expand Up @@ -47,3 +47,4 @@ systemSettings/userManagement/groupManagement/5.1
systemSettings/userManagement/sudoParameters/3.2
systemSettings/userManagement/userManagement/9.0
systemSettings/userManagement/userManagement/9.1
systemSettings/userManagement/userManagement/10
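--- /dev/null
+++ b/FILE2_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,30 @@
+-- Benoit PECCATTE <benoit.peccatte@normation.com> Tue Sep 9 08:17:55 CEST 2014
+* Version 4.0
+** Rewrite with normal ordering and {}
+-- Benoît Peccatte <benoit.peccatte@normation.com> Thu Oct 2 10:00:32 CEST 2014
+* Version 5.0
+** Handle gid/uid at user creation
+-- Benoît Peccatte <benoit.peccatte@normation.com> Fri Oct 17 14:10:43 CEST 2014
+* Version 6.0
+** Use rudder_common_report instead of reports:
+-- Nicolas Charles <nicolas.charles@normation.com> Fri Jul 15 15:50:00 CEST 2016
+* Version 7.0
+** Add AIX support
+-- Nicolas Charles <nicolas.charles@normation.com> Fri Jul 22 15:41:00 CEST 2016
+* Version 7.1
+** Add an option to move the home directory
+-- Felix Dallidet <felix.dallidet@normation.com> Thu Aug 17 16:14:11 2017
+* Version 8.0
+** make a linux and windows compatible user technique
+-- Nicolas Charles <nicolas.charles@normation.com> Wed Oct 18 11:45:50 2017
+* Version 8.1
+** Add an option to force gid
+-- Nicolas Charles <nicolas.charles@normation.com> Tue Jun 5 17:06:21 2018
+* Version 9.0
+** Port to multi-versionned format
+-- Nicolas Charles <nicolas.charles@rudder.io> Tue Jun 5 17:27:21 2023
+* Version 9.1
+** Add option to set secondary group
+-- Nicolas Charles <nicolas.charles@rudder.io> Wed Ap 17 14:19:00 2024
+* Version 10.0
+** Add option to update only, use generic methods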
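--- /dev/null
+++ b/FILE3_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,213 @@
+
+<TECHNIQUE name="Users">
+<DESCRIPTION>This technique manages the target host(s) users.
+It will ensure that the defined users are present on the system.</DESCRIPTION>
+<MULTIINSTANCE>true</MULTIINSTANCE>
+<POLICYGENERATION>separated</POLICYGENERATION>
+
+<AGENT type="dsc">
+<BUNDLES>
+<NAME>check_usergroup_user_parameters_RudderUniqueID</NAME>
+</BUNDLES>
+<TMLS>
+<TML name="userManagement.ps1"/>
+</TMLS>
+</AGENT>
+
+<AGENT type="cfengine-community">
+<BUNDLES>
+<NAME>check_usergroup_user_parameters_RudderUniqueID</NAME>
+</BUNDLES>
+<TMLS>
+<TML name="userManagement"/>
+</TMLS>
+</AGENT>
+
+<TRACKINGVARIABLE>
+<SAMESIZEAS>USERGROUP_USER_LOGIN</SAMESIZEAS>
+</TRACKINGVARIABLE>
+
+<SECTIONS>
+<!-- users section , index 1 -->
+<SECTION name="Users" multivalued="true" component="true" componentKey="USERGROUP_USER_LOGIN">
+<INPUT>
+<NAME>USERGROUP_USER_LOGIN</NAME>
+<DESCRIPTION>Login name for this account</DESCRIPTION>
+<CONSTRAINT>
+<REGEX error="User login with comma are not supported.">[^,]+</REGEX>
+</CONSTRAINT>
+</INPUT>
+<SELECT1>
+<NAME>USERGROUP_USER_ACTION</NAME>
+<DESCRIPTION>Policy to apply on this account</DESCRIPTION>
+<ITEM>
+<LABEL>Create / update</LABEL>
+<VALUE>add</VALUE>
+</ITEM>
+<ITEM>
+<LABEL>Remove</LABEL>
+<VALUE>remove</VALUE>
+</ITEM>
+<ITEM>
+<LABEL>Update only if exists</LABEL>
+<VALUE>updateonly</VALUE>
+</ITEM>
+<CONSTRAINT>
+<DEFAULT>add</DEFAULT>
+</CONSTRAINT>
+</SELECT1>
+<SELECT1>
+<NAME>USERGROUP_USER_PASSWORD_POLICY</NAME>
+<DESCRIPTION>How often do you want to check the password</DESCRIPTION>
+<ITEM>
+<LABEL>At account creation</LABEL>
+<VALUE>oneshot</VALUE>
+</ITEM>
+<ITEM>
+<LABEL>Everytime</LABEL>
+<VALUE>everytime</VALUE>
+</ITEM>
+<CONSTRAINT>
+<DEFAULT>everytime</DEFAULT>
+</CONSTRAINT>
+</SELECT1>
+<SECTION name="Password" multivalued="false" component="true" componentKey="USERGROUP_USER_LOGIN">
+<INPUT>
+<NAME>USERGROUP_USER_PASSWORD</NAME>
+<DESCRIPTION>Password for this account</DESCRIPTION>
+<LONGDESCRIPTION>Windows agent only supports "clear text" entries at the moment</LONGDESCRIPTION>
+<CONSTRAINT>
+<MAYBEEMPTY>true</MAYBEEMPTY>
+<TYPE>masterPassword</TYPE>
+<PASSWORDHASH>linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512,plain</PASSWORDHASH>
+<!--
+Tell that master password must create other variables derived from the user input from
+that one. The master variable will be created using the hashes defined here, and the derived
+variable(s) will be automatically created using other equivalent hashes for the target OS.
+The accepted values for now are "AIX" and "LINUX" (or both, comma separated). The derived variable name will be the current name
+postfixed with _AIX (or _LINUX)
+A correspondance is made between hash algo listed above and the matching one on target OS:
+Linux md5 crypt is mapped to AIX "smd5" version, Linux Sha-Crypt-256 is
+mapped to AIX ssha256, and Linux Sha-Crypt-512 to AIX ssha512.
+AIX ssha256 and ssha512 need the JCE PBKDF2WithHmacSHA256 / PBKDF2WithHmacSHA512.
+Caution:
+They are provided on Oracle Java 8 JVM standard installation, but NOT in Java 7 and some
+other vendor versions.
+In case these algo are not available, a fallback to AIX ssha1 (which uses
+PBKDF2WithHmacSHA1) will be done. This hash scheme is also quite robust, but
+if you want maximum security, you must use for Rudder a JVM which provides the higher
+level algo, like Open JDK 8
+-->
+<AUTOSUBVARIABLES>AIX</AUTOSUBVARIABLES>
+</CONSTRAINT>
+</INPUT>
+</SECTION>
+<SECTION name="UNIX specific options" multivalued="false" componentKey="USERGROUP_USER_LOGIN">
+<INPUT>
+<NAME>USERGROUP_USER_GROUP</NAME>
+<DESCRIPTION>Primary group for this user (name or number)</DESCRIPTION>
+<LONGDESCRIPTION>On UNIX systems, this group will be applied on this user as the primary group</LONGDESCRIPTION>
+<CONSTRAINT>
+<MAYBEEMPTY>true</MAYBEEMPTY>
+</CONSTRAINT>
+</INPUT>
+<SELECT1>
+<NAME>USERGROUP_FORCE_USER_GROUP</NAME>
+<DESCRIPTION>Enforce the primary group of the user</DESCRIPTION>
+<LONGDESCRIPTION>If set to everytime, the user primary group will be checked or updated even if the user alreay exists. The primary group needs to be a GID (and not a group name)</LONGDESCRIPTION>
+<ITEM>
+<LABEL>At account creation</LABEL>
+<VALUE>false</VALUE>
+</ITEM>
+<ITEM>
+<LABEL>Everytime</LABEL>
+<VALUE>true</VALUE>
+</ITEM>
+<CONSTRAINT>
+<DEFAULT>false</DEFAULT>
+</CONSTRAINT>
+</SELECT1>
+<INPUT>
+<NAME>USERGROUP_USER_SECONDARY_GROUPS</NAME>
+<DESCRIPTION>Secondary groups name for this user, comma separated</DESCRIPTION>
+<LONGDESCRIPTION>On UNIX systems, ensure that the user belongs to the list of groups, as secondary groups</LONGDESCRIPTION>
+<CONSTRAINT>
+<MAYBEEMPTY>true</MAYBEEMPTY>
+</CONSTRAINT>
+</INPUT>
+<SELECT1>
+<NAME>USERGROUP_FORCE_USER_SECONDARY_GROUPS</NAME>
+<DESCRIPTION>Enforce the secondary groups of the user</DESCRIPTION>
+<LONGDESCRIPTION>If set to exclusive, the user will belong exactly to the list of secondary groups, otherwise, it may also be in other groups</LONGDESCRIPTION>
+<ITEM>
+<LABEL>Included</LABEL>
+<VALUE>false</VALUE>
+</ITEM>
+<ITEM>
+<LABEL>Exclusive</LABEL>
+<VALUE>true</VALUE>
+</ITEM>
+<CONSTRAINT>
+<DEFAULT>false</DEFAULT>
+</CONSTRAINT>
+</SELECT1>
+<INPUT>
+<NAME>USERGROUP_USER_NAME</NAME>
+<DESCRIPTION>Full name for this account</DESCRIPTION>
+<CONSTRAINT>
+<MAYBEEMPTY>true</MAYBEEMPTY>
+</CONSTRAINT>
+</INPUT>
+<INPUT>
+<NAME>USERGROUP_USER_SHELL</NAME>
+<DESCRIPTION>Shell for this account</DESCRIPTION>
+<LONGDESCRIPTION>Will be used only on UNIX systems</LONGDESCRIPTION>
+<CONSTRAINT>
+<DEFAULT>/bin/bash</DEFAULT>
+</CONSTRAINT>
+</INPUT>
+<INPUT>
+<NAME>USERGROUP_USER_UID</NAME>
+<DESCRIPTION>User ID (enforced at user creation only)</DESCRIPTION>
+<LONGDESCRIPTION>Numeric user id, only on UNIX systems</LONGDESCRIPTION>
+<CONSTRAINT>
+<MAYBEEMPTY>true</MAYBEEMPTY>
+</CONSTRAINT>
+</INPUT>
+<INPUT>
+<NAME>USERGROUP_USER_HOME_PERSONNALIZE</NAME>
+<DESCRIPTION>Use the default home directory</DESCRIPTION>
+<LONGDESCRIPTION>If not checked, it will set the defined home directory if "Policy to apply to this account" if "Create/Update"</LONGDESCRIPTION>
+<CONSTRAINT>
+<TYPE>boolean</TYPE>
+<DEFAULT>true</DEFAULT>
+</CONSTRAINT>
+</INPUT>
+<INPUT>
+<NAME>USERGROUP_USER_HOME_MOVE</NAME>
+<DESCRIPTION>Move the content of previous home directory to the defined one</DESCRIPTION>
+<LONGDESCRIPTION>If checked, it will move the existing home directory to the defined one if they don't match</LONGDESCRIPTION>
+<CONSTRAINT>
+<TYPE>boolean</TYPE>
+<DEFAULT>false</DEFAULT>
+</CONSTRAINT>
+</INPUT>
+<INPUT>
+<NAME>USERGROUP_USER_HOME</NAME>
+<DESCRIPTION>Home directory, if not default</DESCRIPTION>
+<CONSTRAINT>
+<MAYBEEMPTY>true</MAYBEEMPTY>
+</CONSTRAINT>
+</INPUT>
+</SECTION>
+<SECTION name="User primary group" multivalued="false" component="true" componentKey="USERGROUP_USER_LOGIN"/>
+<SECTION name="User full name" multivalued="false" component="true" componentKey="USERGROUP_USER_LOGIN"/>
+<SECTION name="User default shell" multivalued="false" component="true" componentKey="USERGROUP_USER_LOGIN"/>
+<SECTION name="Home directory" component="true" componentKey="USERGROUP_USER_LOGIN"/>
+<SECTION name="User secondary groups" component="true" componentKey="USERGROUP_USER_LOGIN"/>
+</SECTION>
+</SECTIONS>
+
+</TECHNIQUE>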
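Review bot: Two user-facing descriptions in the new metadata carry typos: `alreay` in the USERGROUP_FORCE_USER_GROUP LONGDESCRIPTION should read `already`, and the USERGROUP_USER_HOME_PERSONNALIZE LONGDESCRIPTION says `if "Policy to apply to this account" if "Create/Update"`, where the second `if` should be `is`. The PASSWORDHASH constraint still offers `linux-shadow-md5` next to the SHA-256/512 variants; if it is kept only for legacy targets, the LONGDESCRIPTION could state it, e.g. `linux-shadow-md5 is kept for legacy hosts; prefer linux-shadow-sha512`, so operators do not pick it by habit. The misspelt element name `USERGROUP_USER_HOME_PERSONNALIZE` is presumably retained for compatibility with earlier technique versions and is not worth renaming here.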
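--- /dev/null
+++ b/FILE4_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,116 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2021 Normation SAS
+
+function check_usergroup_user_parameters_&RudderUniqueID& {
+[CmdletBinding()]
+param (
+[parameter(Mandatory=$true)] [string]$reportId,
+[parameter(Mandatory=$true)] [string]$techniqueName,
+[Parameter(Mandatory = $true)] [Rudder.PolicyMode]$policyMode
+)
+
+
+$localContext = [Rudder.Context]::new($techniqueName)
+$localContext.merge($system_classes)
+$trackingkey = @(
+&TRACKINGKEY:{directiveId |
+"&directiveId&" };separator=","& )
+
+$logins = @(
+&USERGROUP_USER_LOGIN:{login |
+"&login&" };separator=","& )
+
+$policies = @(
+&USERGROUP_USER_ACTION:{policy |
+"&policy&" };separator=","& )
+
+$passwords = @(
+&USERGROUP_USER_PASSWORD:{password |
+"&password&" };separator=","& )
+
+$password_policies = @(
+&USERGROUP_USER_PASSWORD_POLICY:{password_policy |
+"&password_policy&" };separator=","& )
+
+$present = "add"
+$absent = "remove"
+$updateIfExists = "updateonly"
+
+$componentName = "Users"
+$homeSection = "Home directory"
+$passwdSection = "Password"
+$resultNAString = "Not applicable"
+
+$commonParams = @{
+TechniqueName = $techniqueName
+ReportId = $reportId
+PolicyMode = $policyMode
+ClassPrefix = "user_management_&RudderUniqueID&"
+}
+
+for ($i=0; $i -lt $trackingkey.length; $i++) {
+$userParams = $commonParams + @{
+ComponentName = "Users"
+ComponentKey = $logins[$i]
+}
+$passwordParams = $commonParams + @{
+ComponentName = "Password"
+ComponentKey = $logins[$i]
+}
+# check if user exists
+$global:lastExitCode = $null
+# Test if user already exists
+$login = $logins[$i]
+Invoke-Expression "NET USER ${login} 2>&1" | Out-Null
+$userExists = $LastExitCode -eq 0
+
+
+if ( ($policies[$i] -eq $present) -or ($userExists -and ($policies[$i] -eq $updateIfExists) ) ) {
+$methodCallPresent = User-Present -login $logins[$i] -PolicyMode $policyMode
+$null = Compute-Method-Call -MethodCall $methodCallPresent @userParams
+
+if ($Passwords[$i]) {
+#Password defined
+if ($password_policies[$i] -eq "everytime") {
+#Checking password everytime
+$methodCallPassword = User-Password-Clear -login $logins[$i] -password $passwords[$i] -PolicyMode $policyMode
+$null = Compute-Method-Call -MethodCall $methodCallPassword @passwordParams
+
+} elseif ($password_policies[$i] -eq "oneshot") {
+#Checking password at creation only
+
+if ($methodCallPresent.MethodStatus -eq [Rudder.MethodStatus]::Repaired) {
+#User absent => setting password
+$methodCallPassword = User-Password-Clear -login $logins[$i] -password $passwords[$i] -PolicyMode $policyMode
+
+$null = Compute-Method-Call -MethodCall $methodCallPassword @passwordParams
+} else {
+$null = Rudder-Report-NA @passwordParams -message "Password is not requested to be checked"
+}
+}
+} else {
+$null = Rudder-Report-NA @passwordParams -message "Not applicable, no password defined"
+}
+
+} elseif ($policies[$i] -eq $absent) {
+$methodCallPresent = User-Absent -login $logins[$i] -PolicyMode $policyMode
+$null = Compute-Method-Call -MethodCall $methodCallPresent @userParams
+
+} elseif ( (-not $userExists) -and ($policies[$i] -eq $updateIfExists) ) {
+$null = Rudder-Report-NA @userParams -message "User does not exists"
+$null = Rudder-Report-NA @passwordParams -message "User does not exists"
+}
+
+#Unix section reporting
+$naParams = $commonParams + @{
+ComponentKey = $logins[$i]
+Message = 'Not applicable on Windows'
+}
+$null = Rudder-Report-NA @naParams -ComponentName 'User primary group'
+$null = Rudder-Report-NA @naParams -ComponentName 'User full name'
+$null = Rudder-Report-NA @naParams -ComponentName 'User default shell'
+$null = Rudder-Report-NA @naParams -ComponentName 'Home Directory'
+$null = Rudder-Report-NA @naParams -ComponentName 'User secondary groups'
+}
+}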
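Review bot: The existence check builds a command line from the login value, `Invoke-Expression "NET USER ${login} 2>&1"`, so any shell metacharacters in USERGROUP_USER_LOGIN are parsed as part of the command, and the only input constraint in the technique metadata is that the login contains no comma. Invoke the executable directly with the login as an argument, `& net user $login 2>&1 | Out-Null`, which keeps the value a single token and still sets `$LastExitCode` for the `$userExists` test on the next line. The NA report for the home section names the component `'Home Directory'` while the technique section is declared as "Home directory" and `$homeSection` already holds that exact string, so the report will presumably not be matched to its component unless matching is case-insensitive; pass `$homeSection` there. `$componentName`, `$passwdSection` and `$resultNAString` are likewise assigned but never read and could be used in the corresponding report calls or dropped. The password is interpolated into an expandable double-quoted literal (`"&password&"`), so a value containing `"` or `$` would break or be expanded in the generated script unless the template engine escapes it — worth confirming against the template rules.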

