From 0e6781edc75176bc91761482b7a6924e39162bf1 Mon Sep 17 00:00:00 2001
From: Nicolas Charles
Date: Wed, 17 Apr 2024 14:20:36 +0200
Subject: [PATCH 1/3] Refs #24735: Initial commit for Users Technique to support update only if exists

---
 maintained-techniques | 1 +
 .../userManagement/10/changelog | 30 +
 .../userManagement/10/metadata.xml | 214 ++++
 .../userManagement/10/userManagement.ps1.st | 118 +++
 .../userManagement/10/userManagement.st | 960 ++++++++++++++++++
 5 files changed, 1323 insertions(+)
 create mode 100644 techniques/systemSettings/userManagement/userManagement/10/changelog
 create mode 100644 techniques/systemSettings/userManagement/userManagement/10/metadata.xml
 create mode 100644 techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st
 create mode 100644 techniques/systemSettings/userManagement/userManagement/10/userManagement.st

diff --git a/maintained-techniques b/maintained-techniques
index a8b366ab1..c74871ca5 100644
--- a/maintained-techniques
+++ b/maintained-techniques
@@ -47,3 +47,4 @@ systemSettings/userManagement/groupManagement/5.1
 systemSettings/userManagement/sudoParameters/3.2
 systemSettings/userManagement/userManagement/9.0
 systemSettings/userManagement/userManagement/9.1
+systemSettings/userManagement/userManagement/10
diff --git a/techniques/systemSettings/userManagement/userManagement/10/changelog b/techniques/systemSettings/userManagement/userManagement/10/changelog
new file mode 100644
index 000000000..e3cda75e0
--- /dev/null
+++ b/techniques/systemSettings/userManagement/userManagement/10/changelog
@@ -0,0 +1,30 @@
+ -- Benoit PECCATTE Tue Sep 9 08:17:55 CEST 2014
+ * Version 4.0
+ ** Rewrite with normal ordering and {}
+ -- Benoît Peccatte Thu Oct 2 10:00:32 CEST 2014
+ * Version 5.0
+ ** Handle gid/uid at user creation
+ -- Benoît Peccatte Fri Oct 17 14:10:43 CEST 2014
+ * Version 6.0
+ ** Use rudder_common_report instead of reports:
+ -- Nicolas Charles Fri Jul 15 15:50:00 CEST 2016
+ * Version 7.0
+ ** Add AIX support
+ -- Nicolas Charles Fri Jul 22 15:41:00 CEST 2016
+ * Version 7.1
+ ** Add an option to move the home directory
+ -- Felix Dallidet Thu Aug 17 16:14:11 2017
+ * Version 8.0
+ ** make a linux and windows compatible user technique
+ -- Nicolas Charles Wed Oct 18 11:45:50 2017
+ * Version 8.1
+ ** Add an option to force gid
+ -- Nicolas Charles Tue Jun 5 17:06:21 2018
+ * Version 9.0
+ ** Port to multi-versionned format
+ -- Nicolas Charles Tue Jun 5 17:27:21 2023
+ * Version 9.1
+ ** Add option to set secondary group
+ -- Nicolas Charles Wed Ap 17 14:19:00 2024
+ * Version 10.0
+ ** Add option to update only, use generic methods
diff --git a/techniques/systemSettings/userManagement/userManagement/10/metadata.xml b/techniques/systemSettings/userManagement/userManagement/10/metadata.xml
new file mode 100644
index 000000000..9d38fdc6e
--- /dev/null
+++ b/techniques/systemSettings/userManagement/userManagement/10/metadata.xml
@@ -0,0 +1,214 @@
+
+
+ This technique manages the target host(s) users.
+ It will ensure that the defined users are present on the system.
+ true
+ separated
+
+
+
+ check_usergroup_user_parameters_RudderUniqueID
+
+
+
+
+
+
+
+ check_usergroup_user_parameters_RudderUniqueID
+
+
+
+
+
+
+
+ USERGROUP_USER_LOGIN
+
+
+
+
+
+ + USERGROUP_USER_LOGIN + Login name for this account + + [^,]+ + + + + USERGROUP_USER_ACTION + Policy to apply on this account + + + add + + + + remove + + + + checkhere + + + + checknothere + + + add + + + + USERGROUP_USER_PASSWORD_POLICY + How often do you want to check the password + + + oneshot + + + + everytime + + + everytime + + +
+ + USERGROUP_USER_PASSWORD + Password for this account + Windows agent only supports "clear text" entries at the moment + + true + masterPassword + linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512,plain + + AIX + + +
+
+ + USERGROUP_USER_GROUP + Primary group for this user (name or number) + On UNIX systems, this group will be applied on this user as the primary group + + true + + + + USERGROUP_FORCE_USER_GROUP + Enforce the primary group of the user + If set to everytime, the user primary group will be checked or updated even if the user alreay exists. The primary group needs to be a GID (and not a group name) + + + false + + + + true + + + false + + + + USERGROUP_USER_SECONDARY_GROUPS + Secondary groups name for this user, comma separated + On UNIX systems, ensure that the user belongs to the list of groups, as secondary groups + + true + + + + USERGROUP_FORCE_USER_SECONDARY_GROUPS + Enforce the secondary groups of the user + If set to exclusive, the user will belong exactly to the list of secondary groups, otherwise, it may also be in other groups + + + false + + + + true + + + false + + + + USERGROUP_USER_NAME + Full name for this account + + true + + + + USERGROUP_USER_SHELL + Shell for this account + Will be used only on UNIX systems + + /bin/bash + + + + USERGROUP_USER_UID + User ID (enforced at user creation only) + Numeric user id, only on UNIX systems + + true + + + + USERGROUP_USER_HOME_PERSONNALIZE + Use the default home directory + If not checked, it will set the defined home directory if "Policy to apply to this account" if "Create/Update" + + boolean + true + + + + USERGROUP_USER_HOME_MOVE + Move the content of previous home directory to the defined one + If checked, it will move the existing home directory to the defined one if they don't match + + boolean + false + + + + USERGROUP_USER_HOME + Home directory, if not default + + true + + +
+
+
+
+
+
+
diff --git a/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st b/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st
new file mode 100644
index 000000000..16abb6997
--- /dev/null
+++ b/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st
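Review bot: The only constraint on USERGROUP_USER_LOGIN is the `[^,]+` regex, yet userManagement.st in this same commit places the login inside a single-quoted grep pattern run through `execresult(..., "useshell")` and in the `-g` option string, so a login containing a quote, whitespace or other shell metacharacters would at least break those commands; a stricter account-name pattern, for example `^[a-z_][a-z0-9_-]*\$?$`, would reject such values when the directive is saved. The USERGROUP_USER_ACTION select still offers only add, remove, checkhere and checknothere, so the update-only mode named in the commit subject and in the 10.0 changelog entry is not exposed by this metadata yet — presumably a later patch of the series adds it. Minor: `alreay` in the USERGROUP_FORCE_USER_GROUP description.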
@@ -0,0 +1,118 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2021 Normation SAS
+
+function check_usergroup_user_parameters_&RudderUniqueID& {
+ [CmdletBinding()]
+ param (
+ [parameter(Mandatory=$true)] [string]$reportId,
+ [parameter(Mandatory=$true)] [string]$techniqueName,
+ [Parameter(Mandatory = $true)] [Rudder.PolicyMode]$policyMode
+ )
+
+
+ $localContext = [Rudder.Context]::new($techniqueName)
+ $localContext.merge($system_classes)
+ $trackingkey = @(
+ &TRACKINGKEY:{directiveId |
+ "&directiveId&" };separator=","& )
+
+ $logins = @(
+ &USERGROUP_USER_LOGIN:{login |
+ "&login&" };separator=","& )
+
+ $policies = @(
+ &USERGROUP_USER_ACTION:{policy |
+ "&policy&" };separator=","& )
+
+ $passwords = @(
+ &USERGROUP_USER_PASSWORD:{password |
+ "&password&" };separator=","& )
+
+ $password_policies = @(
+ &USERGROUP_USER_PASSWORD_POLICY:{password_policy |
+ "&password_policy&" };separator=","& )
+
+ $present = "add"
+ $absent = "remove"
+#To REMOVE in the future
+ $check_present = "checkhere"
+ $check_absent = "checknothere"
+#END
+ $componentName = "Users"
+ $homeSection = "Home directory"
+ $passwdSection = "Password"
+ $resultNAString = "Not applicable"
+
+ $commonParams = @{
+ TechniqueName = $techniqueName
+ ReportId = $reportId
+ PolicyMode = $policyMode
+ ClassPrefix = "user_management_&RudderUniqueID&"
+ }
+
+ for ($i=0; $i -lt $trackingkey.length; $i++) {
+ $userParams = $commonParams + @{
+ ComponentName = "Users"
+ ComponentKey = $logins[$i]
+ }
+
+ if ($policies[$i] -eq $present) {
+ $methodCallPresent = User-Present -login $logins[$i] -PolicyMode $policyMode
+ $null = Compute-Method-Call -MethodCall $methodCallPresent @userParams
+
+ $passwordParams = $commonParams + @{
+ ComponentName = "Password"
+ ComponentKey = $logins[$i]
+ }
+ if ($Passwords[$i]) {
+ #Password defined
+ if ($password_policies[$i] -eq "everytime") {
+ #Checking password everytime
+ $methodCallPassword = User-Password-Clear -login $logins[$i] -password $passwords[$i] -PolicyMode $policyMode
+ $null = Compute-Method-Call -MethodCall $methodCallPassword @passwordParams
+
+ } elseif ($password_policies[$i] -eq "oneshot") {
+ #Checking password at creation only
+
+ if ($methodCallPresent.MethodStatus -eq [Rudder.MethodStatus]::Repaired) {
+ #User absent => setting password
+ $methodCallPassword = User-Password-Clear -login $logins[$i] -password $passwords[$i] -PolicyMode $policyMode
+
+ $null = Compute-Method-Call -MethodCall $methodCallPassword @passwordParams
+ } else {
+ $null = Rudder-Report-NA @passwordParams -message "Password is not requested to be checked"
+ }
+ }
+ } else {
+ $null = Rudder-Report-NA @passwordParams -message "Not applicable, no password defined"
+ }
+
+ } elseif ($policies[$i] -eq $absent) {
+ $methodCallPresent = User-Absent -login $logins[$i] -PolicyMode $policyMode
+ $null = Compute-Method-Call -MethodCall $methodCallPresent @userParams
+
+#To REMOVE in the future
+ } elseif ($policies[$i] -eq $check_present) {
+ $methodCallPresent = User-Present -login $logins[$i] -PolicyMode ([Rudder.PolicyMode]::Audit)
+ $null = Compute-Method-Call -MethodCall $methodCallPresent @userParams
+ } elseif ($policies[$i] -eq $check_absent) {
+ $methodCallPresent = User-Absent -login $logins[$i] -PolicyMode ([Rudder.PolicyMode]::Audit)
+ $null = Compute-Method-Call -MethodCall $methodCallPresent @userParams
+ }
+
+ #Unix section reporting
+ $unixParams = $commonParams + @{
+ ComponentName = "Home directory"
+ ComponentKey = $logins[$i]
+ }
+ $null = Rudder-Report-NA @unixParams -message "Not applicable on Windows"
+
+ #Secondary group section reporting
+ $secondaryParams = $commonParams + @{
+ ComponentName = "User secondary groups"
+ ComponentKey = $logins[$i]
+ }
+ $null = Rudder-Report-NA @secondaryParams -message "Not applicable on Windows"
+ }
+}
+
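Review bot: The `if`/`elseif` chain on `$policies[$i]` has no final `else`, so an action value outside add/remove/checkhere/checknothere — including whatever value the update-only mode named in the commit subject will use — produces no report at all for the Users component while the two "Not applicable on Windows" reports are still emitted, which leaves the node's compliance for that user silently incomplete; closing the chain with `} else { $null = Rudder-Report-NA @userParams -message "Unsupported action '$($policies[$i])'" }` keeps the reporting exhaustive. `$componentName`, `$homeSection`, `$passwdSection` and `$resultNAString` are assigned but never read, the same strings being repeated as literals in the hashtables below; either use them as the `ComponentName` values or drop them.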
diff --git a/techniques/systemSettings/userManagement/userManagement/10/userManagement.st b/techniques/systemSettings/userManagement/userManagement/10/userManagement.st
new file mode 100644
index 000000000..c38797d3e
--- /dev/null
+++ b/techniques/systemSettings/userManagement/userManagement/10/userManagement.st
@@ -0,0 +1,960 @@ +# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-FileCopyrightText: 2021 Normation SAS + +########################################################################## +# User management Technique # +# # +# Objective : Apply user/group policies on the target host # +########################################################################## + +bundle agent check_usergroup_user_parameters_&RudderUniqueID& +{ + + vars: + + &USERGROUP_USER_LOGIN:{login |"usergroup_user_login[&i&]" string => "&login&"; +}& + + &USERGROUP_USER_GROUP:{group |"usergroup_user_groupname[&i&]" string => "&group&"; +}& + + &USERGROUP_FORCE_USER_GROUP:{force_group |"usergroup_force_user_groupname[&i&]" string => "&force_group&"; +}& + + &USERGROUP_USER_SECONDARY_GROUPS:{secgroup |"usergroup_user_secondary_groupsname[&i&]" string => "&secgroup&"; +}& + + &USERGROUP_FORCE_USER_SECONDARY_GROUPS:{force_group |"usergroup_force_user_secondary_groupsname[&i&]" string => "&force_group&"; +}& + + &USERGROUP_USER_NAME:{name |"usergroup_user_fullname[&i&]" string => "&name&"; +}& + + &USERGROUP_USER_PASSWORD:{password |"usergroup_user_password[&i&]" string => "&password&"; +}& + + &USERGROUP_USER_PASSWORD_AIX:{password |"usergroup_user_password_aix[&i&]" string => "&password&"; +}& + + &USERGROUP_USER_PASSWORD_POLICY:{passwordpol |"usergroup_user_password_policy[&i&]" string => "&passwordpol&"; +}& + + &USERGROUP_USER_ACTION:{action |"usergroup_user_action[&i&]" string => "&action&"; +}& + + &USERGROUP_USER_UID:{uid |"usergroup_user_uid[&i&]" string => "&uid&"; +}& + + &USERGROUP_USER_HOME_PERSONNALIZE:{homeperso |"usergroup_user_home_perso[&i&]" string => "&homeperso&"; +}& + + &USERGROUP_USER_HOME_MOVE:{homemove |"usergroup_user_home_move[&i&]" string => "&homemove&"; +}& + + &USERGROUP_USER_HOME:{home |"usergroup_user_home[&i&]" string => "&home&"; +}& + + &USERGROUP_USER_SHELL:{shell |"usergroup_user_shell[&i&]" string => "&shell&"; +}& + + &TRACKINGKEY:{directiveId 
|"usergroup_directive_id[&i&]" string => "&directiveId&"; +}& + + "usergroup_user_index" slist => getindices("usergroup_user_login"); + + # number of days since epoch + "now" int => now(); + "epoch_days_str" string => eval("${now}/86400", math, infix); + "epoch_days" int => int("${epoch_days_str}"); + + + any_2nd_pass:: + + # 1 - Options to use whether Fullname is defined or not + "nameopt[${usergroup_user_index}]" + string => "", + if => "usermanagement_user_nameempty_${usergroup_user_index}"; + + ## On UNIX + "nameopt[${usergroup_user_index}]" + string => "-c \"${usergroup_user_fullname[${usergroup_user_index}]}\"", + if => "!usermanagement_user_nameempty_${usergroup_user_index}"; + + ## Part of reports to return whether Fullname is defined or not + "repname[${usergroup_user_index}]" + string => "Without any defined full name", + if => "usermanagement_user_nameempty_${usergroup_user_index}"; + + "repname[${usergroup_user_index}]" + string => "${usergroup_user_fullname[${usergroup_user_index}]}", + if => "!usermanagement_user_nameempty_${usergroup_user_index}"; + + # 2 - On UNIX, choose between using no group name or using a custom one + "groupopt[${usergroup_user_index}]" + string => "", + if => and( "usermanagement_user_groupempty_${usergroup_user_index}", + "!usermanagement_user_force_user_in_group_${usergroup_user_index}" + ); + + "groupopt[${usergroup_user_index}]" + string => "-g ${usergroup_user_groupname[${usergroup_user_index}]}", + if => and( "!usermanagement_user_groupempty_${usergroup_user_index}", + "!usermanagement_user_force_user_in_group_${usergroup_user_index}" + ); + + "groupopt[${usergroup_user_index}]" + string => "-g ${usergroup_user_login[${usergroup_user_index}]}", + if => "usermanagement_user_force_user_in_group_${usergroup_user_index}"; + + # 3 - on UNIX force user id if provided + "useropt[${usergroup_user_index}]" + string => "", + if => "usermanagement_user_uid_empty_${usergroup_user_index}"; + + "useropt[${usergroup_user_index}]" + 
string => "-u ${usergroup_user_uid[${usergroup_user_index}]}", + if => "!usermanagement_user_uid_empty_${usergroup_user_index}"; + + # define inner class prefix of secondary group management + "args" slist => { "${login}", "${groups}", "${force}" }; + "inner_classprefix_secondary_group_${usergroup_user_index}" + string => canonify(string_head("user_secondary_groups_${usergroup_user_login[${usergroup_user_index}]}_${usergroup_user_secondary_groupsname[${usergroup_user_index}]}_${usergroup_force_user_secondary_groupsname[${usergroup_user_index}]}", 1000)), + if => "!usermanagement_user_secondary_groupsempty_${usergroup_user_index}"; + + any_2nd_pass.!pass2:: + + + "usermanagement_user_move_home_dir_from[${usergroup_user_index}]" string => execresult("${paths.grep} '^${usergroup_user_login[${usergroup_user_index}]}:' /etc/passwd | ${paths.cut} -d: -f6", "useshell"), + if => "usermanagement_user_exists_${usergroup_user_index}"; + + # Get current user gid (or name) to compare it with the setted on, if we need to force it + "user_current_gid[${usergroup_user_index}]" string => execresult("/usr/bin/id -g ${usergroup_user_login[${usergroup_user_index}]}", "noshell"), + if => and( "usermanagement_force_user_group_defined_${usergroup_user_index}", + "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_group_is_gid_${usergroup_user_index}" + ); + + "user_current_gid[${usergroup_user_index}]" string => execresult("/usr/bin/id -g -n ${usergroup_user_login[${usergroup_user_index}]}", "noshell"), + if => and( "usermanagement_force_user_group_defined_${usergroup_user_index}", + "usermanagement_user_exists_${usergroup_user_index}", + "!usermanagement_user_group_is_gid_${usergroup_user_index}" + ); + + + classes: + + # Actions + + "usermanagement_user_update_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","add"); + + "usermanagement_user_remove_${usergroup_user_index}" expression => 
strcmp("${usergroup_user_action[${usergroup_user_index}]}","remove"); + + "usermanagement_user_checkpres_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checkhere"); + + "usermanagement_user_checkabs_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checknothere"); + + "usermanagement_user_pershome_${usergroup_user_index}" not => strcmp("${usergroup_user_home_perso[${usergroup_user_index}]}","true"); + + "usermanagement_user_custom_home_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_home[${usergroup_user_index}]"); + "usermanagement_user_custom_home_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_home[${usergroup_user_index}]}"); + "usermanagement_user_custom_home_defined_${usergroup_user_index}" expression => and( "!usermanagement_user_custom_home_no_variable_${usergroup_user_index}", + "!usermanagement_user_custom_home_no_value_${usergroup_user_index}" + ); + + # If we ask to personnalize home, but not define it, it is invalid + "usermanagement_user_home_pershome_invalid_${usergroup_user_index}" expression => and( "usermanagement_user_pershome_${usergroup_user_index}", + "!usermanagement_user_custom_home_defined_${usergroup_user_index}" + ); + + # Asked to move the home directory + "usermanagement_user_custom_home_move_${usergroup_user_index}" expression => strcmp("${usergroup_user_home_move[${usergroup_user_index}]}","true"); + + # The request to move home is valid: the path to move to is defined, and we asked to personalize + "usermanagement_user_custom_home_move_valid_${usergroup_user_index}" expression => and( "usermanagement_user_custom_home_move_${usergroup_user_index}", + "usermanagement_user_custom_home_defined_${usergroup_user_index}", + "usermanagement_user_pershome_${usergroup_user_index}" + ); + + "usermanagement_user_exists_${usergroup_user_index}" expression => 
userexists("${usergroup_user_login[${usergroup_user_index}]}"); + + "usermanagement_group_exists_${usergroup_user_index}" expression => groupexists("${usergroup_user_groupname[${usergroup_user_index}]}"); + + "usermanagement_user_pwoneshot_${usergroup_user_index}" expression => strcmp("${usergroup_user_password_policy[${usergroup_user_index}]}","oneshot"); + + "usermanagement_user_pweverytime_${usergroup_user_index}" expression => strcmp("${usergroup_user_password_policy[${usergroup_user_index}]}","everytime"); + + # with variables that are not unique, the emptyness detection is quite tricky + # either the variable is not defined, or the variable value is "" + "usermanagement_user_pw_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_password[${usergroup_user_index}]"); + "usermanagement_user_pw_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_password[${usergroup_user_index}]}"); + "usermanagement_user_pwempty_${usergroup_user_index}" expression => or( "usermanagement_user_pw_no_variable_${usergroup_user_index}", + "usermanagement_user_pw_no_value_${usergroup_user_index}" + ); + + "usermanagement_user_name_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_fullname[${usergroup_user_index}]"); + "usermanagement_user_name_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_fullname[${usergroup_user_index}]}"); + "usermanagement_user_nameempty_${usergroup_user_index}" expression => or( "usermanagement_user_name_no_variable_${usergroup_user_index}", + "usermanagement_user_name_no_value_${usergroup_user_index}" + ); + + "usermanagement_user_group_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_groupname[${usergroup_user_index}]"); + "usermanagement_user_group_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_groupname[${usergroup_user_index}]}"); + "usermanagement_user_groupempty_${usergroup_user_index}" expression => or( 
"usermanagement_user_group_no_variable_${usergroup_user_index}", + "usermanagement_user_group_no_value_${usergroup_user_index}" + ); + + # check if user set a gid or a group name + "usermanagement_user_group_is_gid_${usergroup_user_index}" expression => regcmp("[0-9]+", "${usergroup_user_groupname[${usergroup_user_index}]}"), + if => "!usermanagement_user_groupempty_${usergroup_user_index}"; + + "usermanagement_force_user_group_${usergroup_user_index}" expression => strcmp("true", "${usergroup_force_user_groupname[${usergroup_user_index}]}"); + "usermanagement_force_user_group_defined_${usergroup_user_index}" expression => and( "usermanagement_force_user_group_${usergroup_user_index}", + "!usermanagement_user_groupempty_${usergroup_user_index}" + ); + # check if secondary groups are defined + "usermanagement_user_secondary_groups_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_secondary_groupsname[${usergroup_user_index}]"); + "usermanagement_user_secondary_groups_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}"); + "usermanagement_user_secondary_groupsempty_${usergroup_user_index}" expression => or( "usermanagement_user_secondary_groups_no_variable_${usergroup_user_index}", + "usermanagement_user_secondary_groups_no_value_${usergroup_user_index}" + ); + + "usermanagement_user_uid_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_uid[${usergroup_user_index}]"); + "usermanagement_user_uid_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_uid[${usergroup_user_index}]}"); + "usermanagement_user_uid_empty_${usergroup_user_index}" expression => or( "usermanagement_user_uid_no_variable_${usergroup_user_index}", + "usermanagement_user_uid_no_value_${usergroup_user_index}" + ); + + "usermanagement_user_groupmatchesname_${usergroup_user_index}" expression => strcmp("${usergroup_user_login[${usergroup_user_index}]}", 
"${usergroup_user_groupname[${usergroup_user_index}]}"); + + # Group doesn't exist and group name is defined + "usermanagement_user_group_definition_error_${usergroup_user_index}" expression => or(and( "!usermanagement_group_exists_${usergroup_user_index}", + "usermanagement_user_groupmatchesname_${usergroup_user_index}" + ), + and( "!usermanagement_user_groupempty_${usergroup_user_index}", + "!usermanagement_group_exists_${usergroup_user_index}" + ) + ); + + # check if user exists when enforcing ids + "usermanagement_uid_exists_${usergroup_user_index}" expression => userexists("${usergroup_user_uid[${usergroup_user_index}]}"), + if => "!usermanagement_user_uid_empty_${usergroup_user_index}"; + + # UID is defined and already exists + "usermanagement_user_uid_definition_error_${usergroup_user_index}" expression => "!usermanagement_user_uid_empty_${usergroup_user_index}.usermanagement_uid_exists_${usergroup_user_index}"; + + # if we want to create a user, and a group with the username exists (no group name defined),then we need to force addition of user to that group (mandatory for debian and redhat, non mandatory for SLES) + "usermanagement_user_force_user_in_group_${usergroup_user_index}" expression => groupexists("${usergroup_user_login[${usergroup_user_index}]}"), + if => and( "usermanagement_user_groupempty_${usergroup_user_index}", + "!usermanagement_user_nameempty_${usergroup_user_index}" + ); + + # Class 'any' is executed before others classes defined. 
+ # Same as 'any' but execution will be after all classes defined + "any_2nd_pass" expression => "any"; + "showtime" expression => isvariable("nameopt[1]"); + + showtime:: + # if defined, we can move the user home (because we know the previous value) + "usermanagement_user_current_home_defined_${usergroup_user_index}" expression => isvariable("usermanagement_user_move_home_dir_from[${usergroup_user_index}]"); + + # Must move the home if: + # - home is not the same as the defined home on the node for user + # - we asked to personnalize, and the values are valid + "usermanagement_user_current_home_is_invalid_${usergroup_user_index}" not => strcmp("${usermanagement_user_move_home_dir_from[${usergroup_user_index}]}", "${usergroup_user_home[${usergroup_user_index}]}"), + if => and( "usermanagement_user_current_home_defined_${usergroup_user_index}", + "usermanagement_user_pershome_${usergroup_user_index}", + "!usermanagement_user_home_pershome_invalid_${usergroup_user_index}" + ); + + # check if we need to change the user GID + # We need to change it if: + # usermanagement_force_user_group_defined and user_current_gid is different from usergroup_user_groupname + # if usermanagement_force_user_group but not usermanagement_force_user_group_defined, we'll need to report an error (cannot set to no group) + "usermanagement_user_current_group_is_invalid_${usergroup_user_index}" not => strcmp("${user_current_gid[${usergroup_user_index}]}", "${usergroup_user_groupname[${usergroup_user_index}]}"), + if => "usermanagement_force_user_group_defined_${usergroup_user_index}"; + + + any:: + "pass3" expression => "pass2"; + "pass2" expression => "pass1"; + "pass1" expression => "any"; + + files: + pass3:: + "/etc/passwd" + create => "false", + edit_line => set_user_fullname_&RudderUniqueID&("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + if => and( 
"usermanagement_user_update_${usergroup_user_index}", + "!usermanagement_user_nameempty_${usergroup_user_index}" + ); + + "/etc/passwd" + create => "false", + edit_line => set_user_fullname_&RudderUniqueID&("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + action => WarnOnly, + if => and( "usermanagement_user_checkpres_${usergroup_user_index}", + "!usermanagement_user_nameempty_${usergroup_user_index}" + ); + + "/etc/passwd" + create => "false", + edit_line => set_user_shell_&RudderUniqueID&("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_shell[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + if => "usermanagement_user_update_${usergroup_user_index}"; + + "/etc/passwd" + create => "false", + edit_line => set_user_shell_&RudderUniqueID&("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_shell[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + action => WarnOnly, + if => "usermanagement_user_checkpres_${usergroup_user_index}"; + + pass3.aix:: + # On AIX, if password is supplied and user must exist, then the second field needs to be a ! 
to allow login + "/etc/passwd" + create => "false", + edit_line => set_colon_field("${usergroup_user_login[${usergroup_user_index}]}", "2", "!"), + edit_defaults => noempty_backup, + classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), + if => or( and( "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", + "usermanagement_user_pwoneshot_${usergroup_user_index}", + "!usermanagement_user_pwempty_${usergroup_user_index}" + ), + and( "usermanagement_user_update_${usergroup_user_index}", + "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_pweverytime_${usergroup_user_index}", + "!usermanagement_user_pwempty_${usergroup_user_index}" + ) + ); + + pass3.!aix:: + # Define password when user has already been created + "/etc/shadow" + create => "false", + edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, "${usergroup_user_password[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), + if => or( and( "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", + "usermanagement_user_pwoneshot_${usergroup_user_index}", + "!usermanagement_user_pwempty_${usergroup_user_index}" + ), + and( "usermanagement_user_update_${usergroup_user_index}", + "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_pweverytime_${usergroup_user_index}", + "!usermanagement_user_pwempty_${usergroup_user_index}" + ) + ); + + + # Define password update date if it has been changed + "/etc/shadow" + create => "false", + edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 3, "${epoch_days}"), + edit_defaults => noempty_backup, + if => "usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired"; + + # Check password if we are in "check only (account should exist) + # Due to 
https://tracker.mender.io/browse/CFE-2424, if password is correct, no class is defined. Waiting for fix in the agent + "/etc/shadow" + create => "false", + edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, "${usergroup_user_password[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + action => WarnOnly, + classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), + if => and( "!usermanagement_user_pwempty_${usergroup_user_index}", + "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_pweverytime_${usergroup_user_index}", + "usermanagement_user_checkpres_${usergroup_user_index}" + ); + + pass3.aix:: + "/etc/security/passwd" + create => "false", + edit_line => ncf_ensure_AIX_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password_aix[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), + if => or( and( "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", + "usermanagement_user_pwoneshot_${usergroup_user_index}", + "!usermanagement_user_pwempty_${usergroup_user_index}" + ), + and( "usermanagement_user_update_${usergroup_user_index}", + "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_pweverytime_${usergroup_user_index}", + "!usermanagement_user_pwempty_${usergroup_user_index}" + ) + ); + + # set the last update date if password has been updated + "/etc/security/passwd" + create => "false", + edit_line => ncf_edit_lastupdate_AIX_password("${usergroup_user_login[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + if => and( "usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired", + or( and( "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", + "usermanagement_user_pwoneshot_${usergroup_user_index}", 
+ "!usermanagement_user_pwempty_${usergroup_user_index}" + ), + and( "usermanagement_user_update_${usergroup_user_index}", + "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_pweverytime_${usergroup_user_index}", + "!usermanagement_user_pwempty_${usergroup_user_index}" + ) + ) + ); + + + "/etc/security/passwd" + create => "false", + edit_line => ncf_ensure_AIX_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password_aix[${usergroup_user_index}]}"), + edit_defaults => noempty_backup, + action => WarnOnly, + classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), + if => and( "!usermanagement_user_pwempty_${usergroup_user_index}", + "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_pweverytime_${usergroup_user_index}", + "usermanagement_user_checkpres_${usergroup_user_index}" + ); + + + methods: + pass3.showtime:: + + ###################### + # set/check secondary groups + # if checkpres, then we are doing dry run only + ###################### + "force_dry_run_mode_${usergroup_user_login[${usergroup_user_index}]}_${usergroup_user_secondary_groupsname[${usergroup_user_index}]}" + usebundle => push_dry_run_mode("true"), + if => "usermanagement_user_checkpres_${usergroup_user_index}"; + "any" usebundle => _method_reporting_context("User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}"); + + "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}" + usebundle => user_secondary_groups("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}", "${usergroup_force_user_secondary_groupsname[${usergroup_user_index}]}"), + if => "!usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index})", + comment => "Set secondary groups if they are defined on 
user ${usergroup_user_login[${usergroup_user_index}]}";
+
+ "remove_force_dry_run_mode_${usergroup_user_login[${usergroup_user_index}]}_${usergroup_user_secondary_groupsname[${usergroup_user_index}]}"
+ usebundle => pop_dry_run_mode(),
+ if => "usermanagement_user_checkpres_${usergroup_user_index}";
+
+ # reporting (cannot be done by the method as it may be in dry run)
+ "report_${usergroup_user_index}" usebundle => rudder_common_reports_generic_index("userGroupManagement", "${inner_classprefix_secondary_group_${usergroup_user_index}}", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "Secondary groups for user ${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_index}}"),
+ if => "!usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index})";
+
+
+ # no secondary group has been set
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "No secondary groups defined for user", "${usergroup_user_index}"),
+ if => "usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index})";
+
+ # only deletion, or check should not exist
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "User secondary groups are not checked in this mode", "${usergroup_user_index}"),
+ if => "!usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_checkpres_${usergroup_user_index}";
+
+ #############################
+ # Only reporting after that
#
+
+ # Add user
+ ## Does exist (Success), and gid not requested to be changed
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept",
+ "!usermanagement_force_user_group_${usergroup_user_index}",
+ or( "usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ )
+ );
+
+ ## Does exist (Success), and gid already correct
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept",
+ "usermanagement_force_user_group_defined_${usergroup_user_index}",
+ "!usermanagement_user_current_group_is_invalid_${usergroup_user_index}",
+ or( "usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ )
+ );
+
+
+ ## Does exist (Success), with a wrong gid
+ "any"
usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system, but had the wrong gid", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept",
+ "usermanagement_force_user_group_defined_${usergroup_user_index}",
+ "usermanagement_user_gid_change_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ or( "usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ )
+ );
+
+
+ ## Seems to exist with a wrong Full Name (Repaired)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong fullname", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ );
+
+ ## Seems to exist with a wrong Shell (Repaired)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user
${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong shell", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ not( or( "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error"
+ )
+ )
+ );
+
+ ## Seems to exist with a wrong Full Name and Shell (Repaired)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong fullname and shell", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_repaired"
+ );
+
+
+ ## Error in audit mode
+ ## Seems to exist with a wrong Full Name (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_user_nameempty_${usergroup_user_index}",
+
"usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ );
+
+ ## Seems to exist with a wrong Shell (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right shell", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ );
+
+ ## Seems to exist with a wrong Shell and wrong Full Name (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname not shell", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error"
+ );
+
+
+ ## Does not exist (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}",
"The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which violates the presence policy", "${usergroup_user_index}"),
+ if => and( "!usermanagement_user_exists_${usergroup_user_index}",
+ or( "usermanagement_user_checkpres_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}"
+ )
+ );
+
+
+ ## Seems to exist with a wrong Shell (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right shell", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error",
+ or( and( "!usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ ),
+ "usermanagement_user_nameempty_${usergroup_user_index}"
+ )
+ );
+
+
+ ## Added (Repaired)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been added to the system", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired"
+ );
+
+ ## Error
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error",
"${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system", "${usergroup_user_index}"),
+ if => and( "!usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_error",
+ not("dry_run|global_dry_run")
+ );
+
+ ## Could not be added, for the default path was not selected, but the custom one was not defined
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the default home directory was not selected, but the custom path was not specified", "${usergroup_user_index}"),
+ if => and( "!usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_user_pershome_${usergroup_user_index}",
+ "!usermanagement_user_custom_home_defined_${usergroup_user_index}"
+ );
+
+ ## Could not be added, as a custom group was asked for and did not exist on the system
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the custom group \"${usergroup_user_groupname[${usergroup_user_index}]}\" does not exist", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_update_${usergroup_user_index}",
+
"!usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_group_definition_error_${usergroup_user_index}"
+ );
+
+ ## Could not be added, as a custom uid was asked for and did exist on the system
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the custom uid \"${usergroup_user_uid[${usergroup_user_index}]}\" already exists", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_uid_definition_error_${usergroup_user_index}"
+ );
+
+ ## Could not set the gid, as it was requested, but with no gid provided
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not have its gid updated because it was not provided", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_force_user_group_${usergroup_user_index}",
+ "usermanagement_user_groupempty_${usergroup_user_index}"
+ );
+
+ ## Does exist with a wrong gid that could not be repaired
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system, but with wrong gid
that cannot be fixed", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_force_user_group_defined_${usergroup_user_index}",
+ "usermanagement_user_gid_change_${usergroup_user_index}_&RudderUniqueID&_error",
+ or( "usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ )
+ );
+
+
+ # Remove user
+ ## Does not exist (Success)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) does not exist, as required", "${usergroup_user_index}"),
+ if => and( "!usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_remove_${usergroup_user_index}"
+ );
+
+ ## Removed (Repaired)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been removed from the system", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_remove_${usergroup_user_index}",
+ "usermanagement_login_remove_${usergroup_user_index}_&RudderUniqueID&_repaired"
+ );
+
+ ## Error
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} (
${repname[${usergroup_user_index}]} ) could not be removed from the system", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_remove_${usergroup_user_index}",
+ "usermanagement_login_remove_${usergroup_user_index}_&RudderUniqueID&_error"
+ );
+
+ # Check user not exists
+ ## Does not exist (Success)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which is in accordance with the non presence policy", "${usergroup_user_index}"),
+ if => and( "!usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_checkabs_${usergroup_user_index}"
+ );
+
+ ## Does exist (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which violates the non presence policy", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_checkabs_${usergroup_user_index}"
+ );
+
+ # Check user exists
+ ## Does exist (Success)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which is in conformance with the presence policy", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+
"usermanagement_user_checkpres_${usergroup_user_index}",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept",
+ or( "usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ )
+ );
+
+ ## Seems to exist with a wrong Full Name (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_checkpres_${usergroup_user_index}",
+ "!usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept",
+ or( "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error"
+ )
+ );
+
+ ## Seems to exist with a wrong Shell (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right shell", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_checkpres_${usergroup_user_index}",
+ or( "usermanagement_user_nameempty_${usergroup_user_index}",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept"
+ ),
+ or( "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_repaired",
+
"usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error"
+ )
+ );
+
+ ## Seems to exist with a wrong Shell and wrong Full Name (Error)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname not shell", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_exists_${usergroup_user_index}",
+ "usermanagement_user_checkpres_${usergroup_user_index}",
+ "!usermanagement_user_nameempty_${usergroup_user_index}",
+ or( "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error"
+ ),
+ or( "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error"
+ )
+ );
+
+
+ ### Password handling
+ "any" usebundle => rudder_common_reports_generic_index("userGroupManagement", "usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password", "${usergroup_user_index}"),
+ if => not("usermanagement_user_checkpres_${usergroup_user_index}");
+
+ ## Password handling in check only
+ "any" usebundle => rudder_common_reports_generic_index("userGroupManagement", "usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The check of password for user ${usergroup_user_login[${usergroup_user_index}]} (
${repname[${usergroup_user_index}]} ) ", "${usergroup_user_index}"),
+ if => "usermanagement_user_checkpres_${usergroup_user_index}";
+
+ ## Change not needed (Success)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required", "${usergroup_user_index}"),
+ if => and( and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_kept",
+ "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_error"
+ ),
+ or(
+ "usermanagement_user_pwempty_${usergroup_user_index}",
+ "usermanagement_user_remove_${usergroup_user_index}",
+ and( "usermanagement_user_pwoneshot_${usergroup_user_index}",
+ "usermanagement_user_exists_${usergroup_user_index}"
+ ),
+ and( "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_user_exists_${usergroup_user_index}",
+ or( "usermanagement_user_group_definition_error_${usergroup_user_index}",
+ "usermanagement_user_uid_definition_error_${usergroup_user_index}"
+ )
+ )
+ )
+ );
+
+
+ ## Change not needed (N/A)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required", "${usergroup_user_index}"),
+ if => or( and( and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_kept",
+ "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_error"
+ ),
+
or( "usermanagement_user_checkpres_${usergroup_user_index}.usermanagement_user_pwoneshot_${usergroup_user_index}",
+ "usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}"
+ )
+ ),
+ "usermanagement_user_checkabs_${usergroup_user_index}"
+ );
+
+ ## Error when no password class defined and not in a previous N/A or Success case
+ # This huge statement is built from three previous password reports:
+ # (no class _reached defined).!(change not needed Success).!(change not needed N/A)
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password could not be verified", "${usergroup_user_index}"),
+ if => and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_reached",
+ not( or( and( and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_kept",
+ "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_error"
+ ),
+ or( "usermanagement_user_checkpres_${usergroup_user_index}.usermanagement_user_pwoneshot_${usergroup_user_index}",
+ "usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}"
+ )
+ )
+ )
+ ),
+ not( and( and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_kept",
+ "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_error"
+ ),
+ or(
+ "usermanagement_user_pwempty_${usergroup_user_index}",
+ "usermanagement_user_remove_${usergroup_user_index}",
+ and( "usermanagement_user_pwoneshot_${usergroup_user_index}",
+
"usermanagement_user_exists_${usergroup_user_index}"
+ ),
+ and( "usermanagement_user_update_${usergroup_user_index}",
+ "!usermanagement_user_exists_${usergroup_user_index}",
+ or( "usermanagement_user_group_definition_error_${usergroup_user_index}",
+ "usermanagement_user_uid_definition_error_${usergroup_user_index}"
+ )
+ )
+ )
+ )
+ )
+ );
+
+
+ # Homedir management
+ ## In case of user to remove or to check absent, this is a result_na
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} should not be present, it doesn't need to have its home directory checked", "${usergroup_user_index}"),
+ if => or( "usermanagement_user_remove_${usergroup_user_index}",
+ "usermanagement_user_checkabs_${usergroup_user_index}"
+ );
+
+ ## In case of check user present or update, but with default home, this is result_na
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} doesn't need to have its home directory checked", "${usergroup_user_index}"),
+ if => and( "!usermanagement_user_pershome_${usergroup_user_index}",
+ or( "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_user_checkpres_${usergroup_user_index}"
+ )
+ );
+
+ ## In case of check user present or update, but the home is already correct, this is success
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory is valid", "${usergroup_user_index}"),
+
if => and( "usermanagement_user_pershome_${usergroup_user_index}",
+ "!usermanagement_user_home_pershome_invalid_${usergroup_user_index}",
+ "!usermanagement_user_current_home_is_invalid_${usergroup_user_index}",
+ or( "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_user_checkpres_${usergroup_user_index}"
+ )
+ );
+
+ ## In case of check user present or update, but the custome home directory is not valid
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The given home directory for user ${usergroup_user_login[${usergroup_user_index}]} is invalid", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_pershome_${usergroup_user_index}",
+ "usermanagement_user_home_pershome_invalid_${usergroup_user_index}",
+ or( "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_user_checkpres_${usergroup_user_index}"
+ )
+ );
+
+ ## In case of update, but the home was not correct, and could be changed, this is repaired
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was changed (but not moved)", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_pershome_${usergroup_user_index}",
+ "usermanagement_user_current_home_is_invalid_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}",
+ or( "usermanagement_login_home_change_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "!usermanagement_login_home_change_${usergroup_user_index}_&RudderUniqueID&_error"
+ )
+ );
+
+ ## In case of update, but the home was not correct, and could not be changed, this is error
+ "any" usebundle =>
rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory could not be changed", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_pershome_${usergroup_user_index}",
+ "usermanagement_login_home_change_${usergroup_user_index}_&RudderUniqueID&_error",
+ "usermanagement_user_current_home_is_invalid_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}"
+ );
+
+ ## In case of update, but the home was not correct, and could be moved, this is repaired
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was moved", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_pershome_${usergroup_user_index}",
+ "usermanagement_login_home_move_${usergroup_user_index}_&RudderUniqueID&_repaired",
+ "!usermanagement_login_home_move_${usergroup_user_index}_&RudderUniqueID&_error",
+ "usermanagement_user_current_home_is_invalid_${usergroup_user_index}",
+ "usermanagement_user_update_${usergroup_user_index}"
+ );
+
+ ## In case of update, but the home was not correct, and could not be moved, this is error
+ "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory could not be moved", "${usergroup_user_index}"),
+ if => and( "usermanagement_user_pershome_${usergroup_user_index}",
+ "usermanagement_login_home_move_${usergroup_user_index}_&RudderUniqueID&_error",
+
"usermanagement_user_current_home_is_invalid_${usergroup_user_index}", + "usermanagement_user_update_${usergroup_user_index}" + ); + + ## In case of check only, and the home was not correct, this is error + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was invalid", "${usergroup_user_index}"), + if => and( "usermanagement_user_pershome_${usergroup_user_index}", + "usermanagement_user_current_home_is_invalid_${usergroup_user_index}", + "usermanagement_user_checkpres_${usergroup_user_index}" + ); + + commands: + showtime:: + + "/usr/sbin/useradd" + args => "${useropt[${usergroup_user_index}]} ${groupopt[${usergroup_user_index}]} -m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_error"), + comment => "Create the user", + if => and( "!usermanagement_user_uid_definition_error_${usergroup_user_index}", + "!usermanagement_user_group_definition_error_${usergroup_user_index}", + "!usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_update_${usergroup_user_index}", + "!usermanagement_user_pershome_${usergroup_user_index}" + ); + + "/usr/sbin/useradd" + args => "${useropt[${usergroup_user_index}]} ${groupopt[${usergroup_user_index}]} -m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} -d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", 
"usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_error"), + comment => "Create the user with a custom home directory", + if => and( "!usermanagement_user_uid_definition_error_${usergroup_user_index}", + "!usermanagement_user_group_definition_error_${usergroup_user_index}", + "!usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_update_${usergroup_user_index}", + "usermanagement_user_pershome_${usergroup_user_index}", + "usermanagement_user_custom_home_defined_${usergroup_user_index}" + ); + + "/usr/sbin/userdel" + args => "${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_remove_${usergroup_user_index}_&RudderUniqueID&_repaired", "usermanagement_login_remove_${usergroup_user_index}_&RudderUniqueID&_error"), + comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}", + if => and( "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_remove_${usergroup_user_index}" + ); + + # Change user home dir + ## Move the home dir + "/usr/sbin/usermod" + args => "-d ${usergroup_user_home[${usergroup_user_index}]} -m ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_home_move_${usergroup_user_index}_&RudderUniqueID&_repaired", "usermanagement_login_home_move_${usergroup_user_index}_&RudderUniqueID&_error"), + comment => "Change home directory (move it)", + if => and( "usermanagement_user_update_${usergroup_user_index}", + "usermanagement_user_current_home_is_invalid_${usergroup_user_index}", + "usermanagement_user_custom_home_move_valid_${usergroup_user_index}" + ); + + ## Doesn't move the home dir + "/usr/sbin/usermod" + args => "-d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => cf2_if_else("usermanagement_login_home_change_${usergroup_user_index}_&RudderUniqueID&_repaired", 
"usermanagement_login_home_change_${usergroup_user_index}_&RudderUniqueID&_error"), + comment => "Change home directory definition for user (doesn't move files)", + if => and( "usermanagement_user_update_${usergroup_user_index}", + "usermanagement_user_current_home_is_invalid_${usergroup_user_index}", + "!usermanagement_user_custom_home_move_${usergroup_user_index}" + ); + + ## Change the user gid if necessary + "/usr/sbin/usermod" + args => "-g ${usergroup_user_groupname[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}", + classes => classes_generic("usermanagement_user_gid_change_${usergroup_user_index}_&RudderUniqueID&"), + comment => "Change user gid for user ${usergroup_user_login[${usergroup_user_index}]}", + if => and( "usermanagement_user_update_${usergroup_user_index}", + "usermanagement_user_current_group_is_invalid_${usergroup_user_index}" + ); + +} + +bundle edit_line set_user_fullname_&RudderUniqueID&(user,user_index,fullname) +{ + field_edits: + "${user}:.*" + # Edit GECOS on /etc/passwd + edit_field => col(":", "5", "${fullname}", "set"), + classes => classes_generic("usermanagement_fullname_edit_${user_index}_&RudderUniqueID&"); + +} + +bundle edit_line set_user_shell_&RudderUniqueID&(user,user_index,shell) +{ + field_edits: + "${user}:.*" + # Edit shell on /etc/passwd + edit_field => col(":", "7", "${shell}", "set"), + classes => classes_generic("usermanagement_shell_edit_${user_index}_&RudderUniqueID&"); +} + From 6bd1db4e92bb9c6000c59ca6954b3114213c6ead Mon Sep 17 00:00:00 2001 
From: Nicolas Charles Date: Sat, 9 Nov 2024 16:03:22 +0100 Subject: [PATCH 2/3] fixup! Work in progress Fixes #24735: Add an option to \"update only\" user in the Users technique Fixes #24735: Add an option to \"update only\" user in the Users technique Fixes #24735: Add an option to \"update only\" user in the Users technique Fixes #24735: Add an option to \"update only\" user in the Users technique Fixes #24735: Add an option to \"update only\" user in the Users technique --- .../userManagement/10/metadata.xml | 211 +++-- .../userManagement/10/userManagement.ps1.st | 58 +- .../userManagement/10/userManagement.st | 819 +++++------------- 3 files changed, 368 insertions(+), 720 deletions(-) diff --git a/techniques/systemSettings/userManagement/userManagement/10/metadata.xml b/techniques/systemSettings/userManagement/userManagement/10/metadata.xml index 9d38fdc6e..4871b0bbd 100644 --- a/techniques/systemSettings/userManagement/userManagement/10/metadata.xml +++ b/techniques/systemSettings/userManagement/userManagement/10/metadata.xml @@ -49,12 +49,8 @@ remove - - checkhere - - - - checknothere + + updateonly add @@ -108,106 +104,109 @@
-
- - USERGROUP_USER_GROUP - Primary group for this user (name or number) - On UNIX systems, this group will be applied on this user as the primary group - - true - - - - USERGROUP_FORCE_USER_GROUP - Enforce the primary group of the user - If set to everytime, the user primary group will be checked or updated even if the user alreay exists. The primary group needs to be a GID (and not a group name) - - - false - - - - true - - - false - - - - USERGROUP_USER_SECONDARY_GROUPS - Secondary groups name for this user, comma separated - On UNIX systems, ensure that the user belongs to the list of groups, as secondary groups - - true - - - - USERGROUP_FORCE_USER_SECONDARY_GROUPS - Enforce the secondary groups of the user - If set to exclusive, the user will belong exactly to the list of secondary groups, otherwise, it may also be in other groups - - - false - - - - true - - - false - - - - USERGROUP_USER_NAME - Full name for this account - - true - - - - USERGROUP_USER_SHELL - Shell for this account - Will be used only on UNIX systems - - /bin/bash - - - - USERGROUP_USER_UID - User ID (enforced at user creation only) - Numeric user id, only on UNIX systems - - true - - - - USERGROUP_USER_HOME_PERSONNALIZE - Use the default home directory - If not checked, it will set the defined home directory if "Policy to apply to this account" if "Create/Update" - - boolean - true - - - - USERGROUP_USER_HOME_MOVE - Move the content of previous home directory to the defined one - If checked, it will move the existing home directory to the defined one if they don't match - - boolean - false - - - - USERGROUP_USER_HOME - Home directory, if not default - - true - - -
-
-
+
+ + USERGROUP_USER_GROUP + Primary group for this user (name or number) + On UNIX systems, this group will be applied on this user as the primary group + + true + + + + USERGROUP_FORCE_USER_GROUP + Enforce the primary group of the user + If set to everytime, the user primary group will be checked or updated even if the user alreay exists. The primary group needs to be a GID (and not a group name) + + + false + + + + true + + + false + + + + USERGROUP_USER_SECONDARY_GROUPS + Secondary groups name for this user, comma separated + On UNIX systems, ensure that the user belongs to the list of groups, as secondary groups + + true + + + + USERGROUP_FORCE_USER_SECONDARY_GROUPS + Enforce the secondary groups of the user + If set to exclusive, the user will belong exactly to the list of secondary groups, otherwise, it may also be in other groups + + + false + + + + true + + + false + + + + USERGROUP_USER_NAME + Full name for this account + + true + + + + USERGROUP_USER_SHELL + Shell for this account + Will be used only on UNIX systems + + /bin/bash + + + + USERGROUP_USER_UID + User ID (enforced at user creation only) + Numeric user id, only on UNIX systems + + true + + + + USERGROUP_USER_HOME_PERSONNALIZE + Use the default home directory + If not checked, it will set the defined home directory if "Policy to apply to this account" if "Create/Update" + + boolean + true + + + + USERGROUP_USER_HOME_MOVE + Move the content of previous home directory to the defined one + If checked, it will move the existing home directory to the defined one if they don't match + + boolean + false + + + + USERGROUP_USER_HOME + Home directory, if not default + + true + + +
+
+
+
+
+
diff --git a/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st b/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st index 16abb6997..6eee5f29a 100644 --- a/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st +++ b/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st @@ -34,10 +34,8 @@ function check_usergroup_user_parameters_&RudderUniqueID& { $present = "add" $absent = "remove" -#To REMOVE in the future - $check_present = "checkhere" - $check_absent = "checknothere" -#END + $updateIfExists = "updateonly" + $componentName = "Users" $homeSection = "Home directory" $passwdSection = "Password" @@ -55,15 +53,22 @@ function check_usergroup_user_parameters_&RudderUniqueID& { ComponentName = "Users" ComponentKey = $logins[$i] } + $passwordParams = $commonParams + @{ + ComponentName = "Password" + ComponentKey = $logins[$i] + } + # check if user exists + $global:lastExitCode = $null + # Test if user already exists + $login = $logins[$i] + Invoke-Expression "NET USER ${login} 2>&1" | Out-Null + $userExists = $LastExitCode -eq 0 + - if ($policies[$i] -eq $present) { + if ( ($policies[$i] -eq $present) -or ($userExists -and ($policies[$i] -eq $updateIfExists) ) ) { $methodCallPresent = User-Present -login $logins[$i] -PolicyMode $policyMode $null = Compute-Method-Call -MethodCall $methodCallPresent @userParams - $passwordParams = $commonParams + @{ - ComponentName = "Password" - ComponentKey = $logins[$i] - } if ($Passwords[$i]) { #Password defined if ($password_policies[$i] -eq "everytime") { 
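Review bot: `Invoke-Expression "NET USER ${login} 2>&1" | Out-Null` builds a command line out of the user login and hands it to the PowerShell parser, so a login containing quoting or statement-separator characters is interpreted as code instead of being passed to `net` as an argument; `$login` is data, so invoke the executable directly, e.g. `& net.exe user $login *> $null` followed by the existing `$userExists = $LASTEXITCODE -eq 0`, or, where the LocalAccounts module is available on the supported agents, `$userExists = $null -ne (Get-LocalUser -Name $login -ErrorAction SilentlyContinue)`. With the direct call the `$global:lastExitCode = $null` reset is still worth keeping, because a failure to start the executable leaves `$LASTEXITCODE` untouched and the check would otherwise reuse the previous command's value. The two consecutive comments `# check if user exists` and `# Test if user already exists` say the same thing; keep one. The enclosing function `check_usergroup_user_parameters_&RudderUniqueID&` starts and ends outside this hunk.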
@@ -91,23 +96,36 @@ function check_usergroup_user_parameters_&RudderUniqueID& { $methodCallPresent = User-Absent -login $logins[$i] -PolicyMode $policyMode $null = Compute-Method-Call -MethodCall $methodCallPresent @userParams -#To REMOVE in the future - } elseif ($policies[$i] -eq $check_present) { - $methodCallPresent = User-Present -login $logins[$i] -PolicyMode ([Rudder.PolicyMode]::Audit) - $null = Compute-Method-Call -MethodCall $methodCallPresent @userParams - } elseif ($policies[$i] -eq $check_absent) { - $methodCallPresent = User-Absent -login $logins[$i] -PolicyMode ([Rudder.PolicyMode]::Audit) - $null = Compute-Method-Call -MethodCall $methodCallPresent @userParams + } elseif ( (-not $userExists) -and ($policies[$i] -eq $updateIfExists) ) { + $null = Rudder-Report-NA @userParams -message "User does not exists" + $null = Rudder-Report-NA @passwordParams -message "User does not exists" } #Unix section reporting - $unixParams = $commonParams + @{ - ComponentName = "Home directory" + $primaryGroup = $commonParams + @{ + ComponentName = "User primary group" + ComponentKey = $logins[$i] + } + $null = Rudder-Report-NA @primaryGroup -message "Not applicable on Windows" + + $userFullName = $commonParams + @{ + ComponentName = "User full name" + ComponentKey = $logins[$i] + } + $null = Rudder-Report-NA @userFullName -message "Not applicable on Windows" + + $userDefaultShell = $commonParams + @{ + ComponentName = "User default shell" + ComponentKey = $logins[$i] + } + $null = Rudder-Report-NA @userDefaultShell -message "Not applicable on Windows" + + $homeDirectory = $commonParams + @{ + ComponentName = "Home Directory" ComponentKey = $logins[$i] } - $null = Rudder-Report-NA @unixParams -message "Not applicable on Windows" + $null = Rudder-Report-NA @homeDirectory -message "Not applicable on Windows" - #Secondary group section reporting $secondaryParams = $commonParams + @{ ComponentName = "User secondary groups" ComponentKey = $logins[$i] 
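Review bot: The Windows-side home directory report now uses `ComponentName = "Home Directory"`, while the Unix side of this technique reports that component as `"Home directory"` (the `rudder_common_report_index(..., "Home directory", ...)` calls in userManagement.st) and this same function already defines `$homeSection = "Home directory"` a few lines above the hunk; component names are matched exactly against the technique metadata, so the capitalised form will most likely not be attributed to the component. Use `ComponentName = $homeSection`, which also removes the duplicated literal. The other three new component names (`User primary group`, `User full name`, `User default shell`) do match the names used by the Unix `_method_reporting_context` calls. The two `Rudder-Report-NA` messages in the `updateonly` branch read `"User does not exists"`; `"User does not exist"` is the correct form. The enclosing function continues outside the hunk.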
diff --git a/techniques/systemSettings/userManagement/userManagement/10/userManagement.st b/techniques/systemSettings/userManagement/userManagement/10/userManagement.st
index c38797d3e..40e5a93f6 100644
--- a/techniques/systemSettings/userManagement/userManagement/10/userManagement.st
+++ b/techniques/systemSettings/userManagement/userManagement/10/userManagement.st
@@ -127,32 +127,29 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID& "usermanagement_user_move_home_dir_from[${usergroup_user_index}]" string => execresult("${paths.grep} '^${usergroup_user_login[${usergroup_user_index}]}:' /etc/passwd | ${paths.cut} -d: -f6", "useshell"), if => "usermanagement_user_exists_${usergroup_user_index}"; - # Get current user gid (or name) to compare it with the setted on, if we need to force it - "user_current_gid[${usergroup_user_index}]" string => execresult("/usr/bin/id -g ${usergroup_user_login[${usergroup_user_index}]}", "noshell"), - if => and( "usermanagement_force_user_group_defined_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_group_is_gid_${usergroup_user_index}" - ); - - "user_current_gid[${usergroup_user_index}]" string => execresult("/usr/bin/id -g -n ${usergroup_user_login[${usergroup_user_index}]}", "noshell"), - if => and( "usermanagement_force_user_group_defined_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}", - "!usermanagement_user_group_is_gid_${usergroup_user_index}" - ); - - classes: + !pass1:: + # detect first if the user exist + "usermanagement_user_exists_${usergroup_user_index}" expression => userexists("${usergroup_user_login[${usergroup_user_index}]}"); - # Actions - - "usermanagement_user_update_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","add"); - - "usermanagement_user_remove_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","remove"); - - "usermanagement_user_checkpres_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checkhere"); - - "usermanagement_user_checkabs_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checknothere"); + "usermanagement_user_add_${usergroup_user_index}" expression => 
strcmp("${usergroup_user_action[${usergroup_user_index}]}","add"); + "usermanagement_user_updateonly_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","updateonly"); + "usermanagement_user_remove_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","remove"); + + # If we ask to update only and user don't exist, then we won't do anything + "usermanagement_user_skipall_${usergroup_user_index}" expression => and("!usermanagement_user_exists_${usergroup_user_index}", "usermanagement_user_updateonly_${usergroup_user_index}"); + "usermanagement_user_create_${usergroup_user_index}" expression => and("!usermanagement_user_exists_${usergroup_user_index}", "usermanagement_user_add_${usergroup_user_index}"); + "usermanagement_user_update_${usergroup_user_index}" expression => and( + "usermanagement_user_exists_${usergroup_user_index}", + or( + "usermanagement_user_add_${usergroup_user_index}", + "usermanagement_user_updateonly_${usergroup_user_index}" + ) + ); + # Actions + any:: + # NOTE: usergroup_user_home_perso is true when we use the default home, and thus usermanagement_user_pershome_ is true when we don't want tu use the default home "usermanagement_user_pershome_${usergroup_user_index}" not => strcmp("${usergroup_user_home_perso[${usergroup_user_index}]}","true"); "usermanagement_user_custom_home_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_home[${usergroup_user_index}]"); @@ -175,7 +172,7 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID& "usermanagement_user_pershome_${usergroup_user_index}" ); - "usermanagement_user_exists_${usergroup_user_index}" expression => userexists("${usergroup_user_login[${usergroup_user_index}]}"); + "usermanagement_group_exists_${usergroup_user_index}" expression => groupexists("${usergroup_user_groupname[${usergroup_user_index}]}"); 
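Review bot: `usermanagement_user_update_${usergroup_user_index}` changes meaning in this hunk: it was `action == add` and now also requires `usermanagement_user_exists_${usergroup_user_index}`. In the version introduced by the first patch, the `useradd` promises in the `commands:` section of this file are guarded by `!usermanagement_user_exists_… . usermanagement_user_update_…`, a conjunction that can no longer be true; unless the later hunk of this file (which runs past this excerpt) switches those guards to the new `usermanagement_user_create_${usergroup_user_index}` class, users will never be created in `add` mode. The `# Actions` comment is now placed after the action classes, immediately before `any::` and the home directory classes, so it no longer labels what follows it; move it above `"usermanagement_user_add_…"` or change it to `# Home directory handling`. Two comment typos: `# detect first if the user exist` → `exists`, and `user don't exist` → `user doesn't exist`. The bundle `check_usergroup_user_parameters_&RudderUniqueID&` starts and ends outside this hunk.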
@@ -203,10 +200,6 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID& "usermanagement_user_group_no_value_${usergroup_user_index}" ); - # check if user set a gid or a group name - "usermanagement_user_group_is_gid_${usergroup_user_index}" expression => regcmp("[0-9]+", "${usergroup_user_groupname[${usergroup_user_index}]}"), - if => "!usermanagement_user_groupempty_${usergroup_user_index}"; - "usermanagement_force_user_group_${usergroup_user_index}" expression => strcmp("true", "${usergroup_force_user_groupname[${usergroup_user_index}]}"); "usermanagement_force_user_group_defined_${usergroup_user_index}" expression => and( "usermanagement_force_user_group_${usergroup_user_index}", "!usermanagement_user_groupempty_${usergroup_user_index}" 
@@ -266,569 +259,153 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID& "!usermanagement_user_home_pershome_invalid_${usergroup_user_index}" ); - # check if we need to change the user GID - # We need to change it if: - # usermanagement_force_user_group_defined and user_current_gid is different from usergroup_user_groupname - # if usermanagement_force_user_group but not usermanagement_force_user_group_defined, we'll need to report an error (cannot set to no group) - "usermanagement_user_current_group_is_invalid_${usergroup_user_index}" not => strcmp("${user_current_gid[${usergroup_user_index}]}", "${usergroup_user_groupname[${usergroup_user_index}]}"), - if => "usermanagement_force_user_group_defined_${usergroup_user_index}"; - + pass2:: + # create classes for the reporting (error case mostly) + "usermanagement_user_creation_failed_${usergroup_user_index}" expression => + and( "!usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_create_${usergroup_user_index}", + or ( + "usermanagement_user_group_definition_error_${usergroup_user_index}", + "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_error" + ) + ); any:: "pass3" expression => "pass2"; "pass2" expression => "pass1"; "pass1" expression => "any"; - files: + methods: pass3:: - "/etc/passwd" - create => "false", - edit_line => set_user_fullname_&RudderUniqueID&("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, - if => and( "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}" - ); - - "/etc/passwd" - create => "false", - edit_line => set_user_fullname_&RudderUniqueID&("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, - action => WarnOnly, - if => and( 
"usermanagement_user_checkpres_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}" - ); - - "/etc/passwd" - create => "false", - edit_line => set_user_shell_&RudderUniqueID&("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_shell[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, + # Creation is done in the commands: section + + ##################### + # Update user section + ##################### + "en_&RudderUniqueID&" usebundle => enable_reporting; + + ############### + # User deletion (only case with user method) + "any" usebundle => _method_reporting_context("Users", "${usergroup_user_login[${usergroup_user_index}]}"); + "${usergroup_user_login[${usergroup_user_index}]}" + usebundle => user_absent("${usergroup_user_login[${usergroup_user_index}]}"), + if => "usermanagement_user_remove_${usergroup_user_index}"; + + + ############### + # Primary group + "any" usebundle => _method_reporting_context("User primary group", "${usergroup_user_login[${usergroup_user_index}]}"); + "${usergroup_user_login[${usergroup_user_index}]}" + usebundle => user_primary_group("${usergroup_user_login[${usergroup_user_index}]}", ${usergroup_user_groupname[${usergroup_user_index}]}), + if => "usermanagement_user_update_${usergroup_user_index}.usermanagement_force_user_group_defined_${usergroup_user_index}"; + + # no primary group has been set + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User primary group", "${usergroup_user_login[${usergroup_user_index}]}", "No primary group defined for user", "${usergroup_user_index}"), + if => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_force_user_group_defined_${usergroup_user_index}"; + + # Don't exist and in update only or deletion + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", 
"${usergroup_directive_id[${usergroup_user_index}]}", "User primary group", "${usergroup_user_login[${usergroup_user_index}]}", "User primary group is not checked in this mode", "${usergroup_user_index}"), + if => "usermanagement_user_skipall_${usergroup_user_index}|usermanagement_user_remove_${usergroup_user_index}"; + + # Couldn't create the user + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "User primary group", "${usergroup_user_login[${usergroup_user_index}]}", "User could not be created", "${usergroup_user_index}"), + if => "usermanagement_user_creation_failed_${usergroup_user_index}"; + + # User created + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "User primary group", "${usergroup_user_login[${usergroup_user_index}]}", "User ${usergroup_user_login[${usergroup_user_index}]} has been created", "${usergroup_user_index}"), + if => "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired"; + ############### + # Password + # Note: the password should also be checked at creation, because otherwise it won't be set at 1st run + "any" usebundle => _method_reporting_context("Password", "${usergroup_user_login[${usergroup_user_index}]}"); + "${usergroup_user_login[${usergroup_user_index}]}" + usebundle => user_password_hash("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password[${usergroup_user_index}]}"), #TODO check if changes the age + if => "linux.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_create_${usergroup_user_index}).usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index}"; + "${usergroup_user_login[${usergroup_user_index}]}" + usebundle => user_password_hash("${usergroup_user_login[${usergroup_user_index}]}", 
"${usergroup_user_password_aix[${usergroup_user_index}]}"), #TODO check if changes the age + if => "aix.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_create_${usergroup_user_index}).usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index}"; + + # no password supplied + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "No password defined for user", "${usergroup_user_index}"), + if => "usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pwempty_${usergroup_user_index}"; + + # password not checked everytime + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "Password only checked at creation", "${usergroup_user_index}"), + if => "usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index}"; + + # In update only or deletion + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "User password is not checked in this mode", "${usergroup_user_index}"), + if => "usermanagement_user_skipall_${usergroup_user_index}|usermanagement_user_remove_${usergroup_user_index}"; + + # Couldn't create the user + # this is an error, but we don't want to duplicate the report from the test of password in the actual call by the GM + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "User could not be 
created", "${usergroup_user_index}"), + if => "usermanagement_user_creation_failed_${usergroup_user_index}.(!(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_create_${usergroup_user_index}).usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})"; + + ################ + # User full name + "any" usebundle => _method_reporting_context("User full name", "${usergroup_user_login[${usergroup_user_index}]}"); + "${usergroup_user_login[${usergroup_user_index}]}" + usebundle => user_fullname("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_fullname[${usergroup_user_index}]}"), + if => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}"; + + # no full name has been set + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User full name", "${usergroup_user_login[${usergroup_user_index}]}", "No full name defined for user", "${usergroup_user_index}"), + if => "usermanagement_user_update_${usergroup_user_index}.usermanagement_user_nameempty_${usergroup_user_index}"; + + # Don't exist and in update only or deletion + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User full name", "${usergroup_user_login[${usergroup_user_index}]}", "Full name is not checked in this mode", "${usergroup_user_index}"), + if => "usermanagement_user_skipall_${usergroup_user_index}|usermanagement_user_remove_${usergroup_user_index}"; + + # Couldn't create the user + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "User full name", "${usergroup_user_login[${usergroup_user_index}]}", "User could not be created", "${usergroup_user_index}"), + if => 
"usermanagement_user_creation_failed_${usergroup_user_index}"; + + # User created + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "User full name", "${usergroup_user_login[${usergroup_user_index}]}", "User ${usergroup_user_login[${usergroup_user_index}]} has been created", "${usergroup_user_index}"), + if => "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired"; + ############### + # Default shell + "any" usebundle => _method_reporting_context("User default shell", "${usergroup_user_login[${usergroup_user_index}]}"); + "${usergroup_user_login[${usergroup_user_index}]}" + usebundle => user_shell("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_shell[${usergroup_user_index}]}"), if => "usermanagement_user_update_${usergroup_user_index}"; - "/etc/passwd" - create => "false", - edit_line => set_user_shell_&RudderUniqueID&("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_shell[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, - action => WarnOnly, - if => "usermanagement_user_checkpres_${usergroup_user_index}"; - - pass3.aix:: - # On AIX, if password is supplied and user must exist, then the second field needs to be a ! 
to allow login - "/etc/passwd" - create => "false", - edit_line => set_colon_field("${usergroup_user_login[${usergroup_user_index}]}", "2", "!"), - edit_defaults => noempty_backup, - classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), - if => or( and( "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_user_pwoneshot_${usergroup_user_index}", - "!usermanagement_user_pwempty_${usergroup_user_index}" - ), - and( "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_pweverytime_${usergroup_user_index}", - "!usermanagement_user_pwempty_${usergroup_user_index}" - ) - ); - - pass3.!aix:: - # Define password when user has already been created - "/etc/shadow" - create => "false", - edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, "${usergroup_user_password[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, - classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), - if => or( and( "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_user_pwoneshot_${usergroup_user_index}", - "!usermanagement_user_pwempty_${usergroup_user_index}" - ), - and( "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_pweverytime_${usergroup_user_index}", - "!usermanagement_user_pwempty_${usergroup_user_index}" - ) - ); - - - # Define password update date if it has been changed - "/etc/shadow" - create => "false", - edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 3, "${epoch_days}"), - edit_defaults => noempty_backup, - if => "usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired"; - - # Check password if we are in "check only (account should exist) - # Due to 
https://tracker.mender.io/browse/CFE-2424, if password is correct, no class is defined. Waiting for fix in the agent - "/etc/shadow" - create => "false", - edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, "${usergroup_user_password[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, - action => WarnOnly, - classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), - if => and( "!usermanagement_user_pwempty_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_pweverytime_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}" - ); - - pass3.aix:: - "/etc/security/passwd" - create => "false", - edit_line => ncf_ensure_AIX_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password_aix[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, - classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), - if => or( and( "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_user_pwoneshot_${usergroup_user_index}", - "!usermanagement_user_pwempty_${usergroup_user_index}" - ), - and( "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_pweverytime_${usergroup_user_index}", - "!usermanagement_user_pwempty_${usergroup_user_index}" - ) - ); - - # set the last update date if password has been updated - "/etc/security/passwd" - create => "false", - edit_line => ncf_edit_lastupdate_AIX_password("${usergroup_user_login[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, - if => and( "usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired", - or( and( "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_user_pwoneshot_${usergroup_user_index}", 
- "!usermanagement_user_pwempty_${usergroup_user_index}" - ), - and( "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_pweverytime_${usergroup_user_index}", - "!usermanagement_user_pwempty_${usergroup_user_index}" - ) - ) - ); - - - "/etc/security/passwd" - create => "false", - edit_line => ncf_ensure_AIX_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password_aix[${usergroup_user_index}]}"), - edit_defaults => noempty_backup, - action => WarnOnly, - classes => classes_generic("usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&"), - if => and( "!usermanagement_user_pwempty_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_pweverytime_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}" - ); - - - methods: - pass3.showtime:: - - ###################### - # set/check secondary groups - # if checkpres, then we are doing dry run only - ###################### - "force_dry_run_mode_${usergroup_user_login[${usergroup_user_index}]}_${usergroup_user_secondary_groupsname[${usergroup_user_index}]}" - usebundle => push_dry_run_mode("true"), - if => "usermanagement_user_checkpres_${usergroup_user_index}"; - "any" usebundle => _method_reporting_context("User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}"); - - "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}" - usebundle => user_secondary_groups("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}", "${usergroup_force_user_secondary_groupsname[${usergroup_user_index}]}"), - if => "!usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index})", - comment => "Set secondary groups if they are defined on 
user ${usergroup_user_login[${usergroup_user_index}]}"; - - "remove_force_dry_run_mode_${usergroup_user_login[${usergroup_user_index}]}_${usergroup_user_secondary_groupsname[${usergroup_user_index}]}" - usebundle => pop_dry_run_mode(), - if => "usermanagement_user_checkpres_${usergroup_user_index}"; - - # reporting (cannot be done by the method as it may be in dry run) - "report_${usergroup_user_index}" usebundle => rudder_common_reports_generic_index("userGroupManagement", "${inner_classprefix_secondary_group_${usergroup_user_index}}", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "Secondary groups for user ${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_index}}"), - if => "!usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index})"; - - - # no secondary group has been set - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "No secondary groups defined for user", "${usergroup_user_index}"), - if => "usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index})"; - - # only deletion, or check should not exist - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "User secondary groups are not checked in this mode", "${usergroup_user_index}"), - if => "!usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_checkpres_${usergroup_user_index}"; - - ############################# - # Only reporting after that 
# - - # Add user - ## Does exist (Success), and gid not requested to be changed - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept", - "!usermanagement_force_user_group_${usergroup_user_index}", - or( "usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ) - ); - - ## Does exist (Success), and gid already correct - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept", - "usermanagement_force_user_group_defined_${usergroup_user_index}", - "!usermanagement_user_current_group_is_invalid_${usergroup_user_index}", - or( "usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ) - ); - - - ## Does exist (Success), with a wrong gid - "any" 
usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system, but had the wrong gid", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept", - "usermanagement_force_user_group_defined_${usergroup_user_index}", - "usermanagement_user_gid_change_${usergroup_user_index}_&RudderUniqueID&_repaired", - or( "usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ) - ); - - - ## Seems to exist with a wrong Full Name (Repaired) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong fullname", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ); - - ## Seems to exist with a wrong Shell (Repaired) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user 
${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong shell", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_repaired", - not( or( "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error" - ) - ) - ); - - ## Seems to exist with a wrong Full Name and Shell (Repaired) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong fullname and shell", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_repaired" - ); - - - ## Error in audit mode - ## Seems to exist with a wrong Full Name (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}", - 
"usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ); - - ## Seems to exist with a wrong Shell (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right shell", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ); - - ## Seems to exist with a wrong Shell and wrong Full Name (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname not shell", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error" - ); - - - ## Does not exist (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", 
"The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which violates the presence policy", "${usergroup_user_index}"), - if => and( "!usermanagement_user_exists_${usergroup_user_index}", - or( "usermanagement_user_checkpres_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}" - ) - ); - - - ## Seems to exist with a wrong Shell (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right shell", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error", - or( and( "!usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ), - "usermanagement_user_nameempty_${usergroup_user_index}" - ) - ); - - - ## Added (Repaired) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been added to the system", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired" - ); - - ## Error - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", 
"${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system", "${usergroup_user_index}"), - if => and( "!usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_error", - not("dry_run|global_dry_run") - ); - - ## Could not be added, for the default path was not selected, but the custom one was not defined - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the default home directory was not selected, but the custom path was not specified", "${usergroup_user_index}"), - if => and( "!usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_user_pershome_${usergroup_user_index}", - "!usermanagement_user_custom_home_defined_${usergroup_user_index}" - ); - - ## Could not be added, as a custom group was asked for and did not exist on the system - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the custom group \"${usergroup_user_groupname[${usergroup_user_index}]}\" does not exist", "${usergroup_user_index}"), - if => and( "usermanagement_user_update_${usergroup_user_index}", - 
"!usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_group_definition_error_${usergroup_user_index}" - ); - - ## Could not be added, as a custom uid was asked for and did exist on the system - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the custom uid \"${usergroup_user_uid[${usergroup_user_index}]}\" already exists", "${usergroup_user_index}"), - if => and( "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_uid_definition_error_${usergroup_user_index}" - ); - - ## Could not set the gid, as it was requested, but with no gid provided - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not have its gid updated because it was not provided", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_force_user_group_${usergroup_user_index}", - "usermanagement_user_groupempty_${usergroup_user_index}" - ); - - ## Does exist with a wrong gid that could not be repaired - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system, but with wrong gid 
that cannot be fixed", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_force_user_group_defined_${usergroup_user_index}", - "usermanagement_user_gid_change_${usergroup_user_index}_&RudderUniqueID&_error", - or( "usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ) - ); - - - # Remove user - ## Does not exist (Success) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) does not exist, as required", "${usergroup_user_index}"), - if => and( "!usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_remove_${usergroup_user_index}" - ); - - ## Removed (Repaired) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been removed from the system", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_remove_${usergroup_user_index}", - "usermanagement_login_remove_${usergroup_user_index}_&RudderUniqueID&_repaired" - ); - - ## Error - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( 
${repname[${usergroup_user_index}]} ) could not be removed from the system", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_remove_${usergroup_user_index}", - "usermanagement_login_remove_${usergroup_user_index}_&RudderUniqueID&_error" - ); - - # Check user not exists - ## Does not exist (Success) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which is in accordance with the non presence policy", "${usergroup_user_index}"), - if => and( "!usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_checkabs_${usergroup_user_index}" - ); - - ## Does exist (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which violates the non presence policy", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_checkabs_${usergroup_user_index}" - ); - - # Check user exists - ## Does exist (Success) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which is in conformance with the presence policy", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - 
"usermanagement_user_checkpres_${usergroup_user_index}", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept", - or( "usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ) - ); - - ## Seems to exist with a wrong Full Name (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_kept", - or( "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error" - ) - ); - - ## Seems to exist with a wrong Shell (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right shell", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}", - or( "usermanagement_user_nameempty_${usergroup_user_index}", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_kept" - ), - or( "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_repaired", - 
"usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error" - ) - ); - - ## Seems to exist with a wrong Shell and wrong Full Name (Error) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname not shell", "${usergroup_user_index}"), - if => and( "usermanagement_user_exists_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}", - "!usermanagement_user_nameempty_${usergroup_user_index}", - or( "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_fullname_edit_${usergroup_user_index}_&RudderUniqueID&_error" - ), - or( "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_repaired", - "usermanagement_shell_edit_${usergroup_user_index}_&RudderUniqueID&_error" - ) - ); - - - ### Password handling - "any" usebundle => rudder_common_reports_generic_index("userGroupManagement", "usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password", "${usergroup_user_index}"), - if => not("usermanagement_user_checkpres_${usergroup_user_index}"); - - ## Password handling in check only - "any" usebundle => rudder_common_reports_generic_index("userGroupManagement", "usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The check of password for user ${usergroup_user_login[${usergroup_user_index}]} ( 
${repname[${usergroup_user_index}]} ) ", "${usergroup_user_index}"), - if => "usermanagement_user_checkpres_${usergroup_user_index}"; - - ## Change not needed (Success) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required", "${usergroup_user_index}"), - if => and( and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_kept", - "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired", - "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_error" - ), - or( - "usermanagement_user_pwempty_${usergroup_user_index}", - "usermanagement_user_remove_${usergroup_user_index}", - and( "usermanagement_user_pwoneshot_${usergroup_user_index}", - "usermanagement_user_exists_${usergroup_user_index}" - ), - and( "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_exists_${usergroup_user_index}", - or( "usermanagement_user_group_definition_error_${usergroup_user_index}", - "usermanagement_user_uid_definition_error_${usergroup_user_index}" - ) - ) - ) - ); - - - ## Change not needed (N/A) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required", "${usergroup_user_index}"), - if => or( and( and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_kept", - "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired", - "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_error" - ), - 
or( "usermanagement_user_checkpres_${usergroup_user_index}.usermanagement_user_pwoneshot_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}" - ) - ), - "usermanagement_user_checkabs_${usergroup_user_index}" - ); - - ## Error when no password class defined and not in a previous N/A or Success case - # This huge statement is built from three previous password reports: - # (no class _reached defined).!(change not needed Success).!(change not needed N/A) - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password could not be verified", "${usergroup_user_index}"), - if => and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_reached", - not( or( and( and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_kept", - "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired", - "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_error" - ), - or( "usermanagement_user_checkpres_${usergroup_user_index}.usermanagement_user_pwoneshot_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}" - ) - ) - ) - ), - not( and( and( "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_kept", - "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_repaired", - "!usermanagement_user_password_${usergroup_user_index}_&RudderUniqueID&_error" - ), - or( - "usermanagement_user_pwempty_${usergroup_user_index}", - "usermanagement_user_remove_${usergroup_user_index}", - and( "usermanagement_user_pwoneshot_${usergroup_user_index}", - 
"usermanagement_user_exists_${usergroup_user_index}" - ), - and( "usermanagement_user_update_${usergroup_user_index}", - "!usermanagement_user_exists_${usergroup_user_index}", - or( "usermanagement_user_group_definition_error_${usergroup_user_index}", - "usermanagement_user_uid_definition_error_${usergroup_user_index}" - ) - ) - ) - ) - ) - ); - - - # Homedir management - ## In case of user to remove or to check absent, this is a result_na + # Don't exist and in update only or deletion + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User default shell", "${usergroup_user_login[${usergroup_user_index}]}", "User default shell is not checked in this mode", "${usergroup_user_index}"), + if => "usermanagement_user_skipall_${usergroup_user_index}|usermanagement_user_remove_${usergroup_user_index}"; + + # Couldn't create the user + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "User default shell", "${usergroup_user_login[${usergroup_user_index}]}", "User could not be created", "${usergroup_user_index}"), + if => "usermanagement_user_creation_failed_${usergroup_user_index}"; + + # User created + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "User default shell", "${usergroup_user_login[${usergroup_user_index}]}", "User ${usergroup_user_login[${usergroup_user_index}]} has been created", "${usergroup_user_index}"), + if => "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired"; + ############### + # Home directory + # This is a specific case - as the move is not handled by generic method + ## In case of user to remove this is a result_na "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home 
directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} should not be present, it doesn't need to have its home directory checked", "${usergroup_user_index}"), - if => or( "usermanagement_user_remove_${usergroup_user_index}", - "usermanagement_user_checkabs_${usergroup_user_index}" - ); + if => "usermanagement_user_remove_${usergroup_user_index}"; - ## In case of check user present or update, but with default home, this is result_na + ## In case of user present or update, but with default home, this is result_na "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} doesn't need to have its home directory checked", "${usergroup_user_index}"), - if => and( "!usermanagement_user_pershome_${usergroup_user_index}", - or( "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}" - ) - ); + if => and( "!usermanagement_user_pershome_${usergroup_user_index}", "usermanagement_user_update_${usergroup_user_index}" ); ## In case of check user present or update, but the home is already correct, this is success "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory is valid", "${usergroup_user_index}"), if => and( "usermanagement_user_pershome_${usergroup_user_index}", "!usermanagement_user_home_pershome_invalid_${usergroup_user_index}", "!usermanagement_user_current_home_is_invalid_${usergroup_user_index}", - or( "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}" - ) 
+ "usermanagement_user_update_${usergroup_user_index}" ); ## In case of check user present or update, but the custome home directory is not valid "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The given home directory for user ${usergroup_user_login[${usergroup_user_index}]} is invalid", "${usergroup_user_index}"), if => and( "usermanagement_user_pershome_${usergroup_user_index}", "usermanagement_user_home_pershome_invalid_${usergroup_user_index}", - or( "usermanagement_user_update_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}" - ) + "usermanagement_user_update_${usergroup_user_index}" ); ## In case of update, but the home was not correct, and could be changed, this is repaired @@ -836,6 +413,7 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID& if => and( "usermanagement_user_pershome_${usergroup_user_index}", "usermanagement_user_current_home_is_invalid_${usergroup_user_index}", "usermanagement_user_update_${usergroup_user_index}", + "!usermanagement_user_custom_home_move_${usergroup_user_index}", or( "usermanagement_login_home_change_${usergroup_user_index}_&RudderUniqueID&_repaired", "!usermanagement_login_home_change_${usergroup_user_index}_&RudderUniqueID&_error" ) 
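Review bot: The `or( "…_login_home_change_…_repaired", "!…_login_home_change_…_error" )` that remains in this condition is true whenever the home-change promise simply did not run, because a class that was never defined also satisfies `!…_error`; the newly added `"!usermanagement_user_custom_home_move_${usergroup_user_index}"` guard narrows the move case but does not close that gap, so the report this condition belongs to (described as the repaired case in the comment just above the hunk header) can be emitted in dry-run/audit or when the promise was skipped, although nothing was changed. If the intent is really "repaired", the disjunction can be reduced to the single line `"usermanagement_login_home_change_${usergroup_user_index}_&RudderUniqueID&_repaired"`, with the not-reached case left to its own N/A or error report, as the secondary-group reporting in the next hunk already does with `_reached`-style classes. I cannot see from this chunk where `usermanagement_user_custom_home_move_${usergroup_user_index}` is defined, so please confirm it is set in an earlier pass than this `methods:` section, otherwise the guard is always true. The enclosing bundle `check_usergroup_user_parameters_&RudderUniqueID&` starts and ends outside this hunk.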
@@ -866,13 +444,84 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID& "usermanagement_user_update_${usergroup_user_index}" ); - ## In case of check only, and the home was not correct, this is error - "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was invalid", "${usergroup_user_index}"), - if => and( "usermanagement_user_pershome_${usergroup_user_index}", - "usermanagement_user_current_home_is_invalid_${usergroup_user_index}", - "usermanagement_user_checkpres_${usergroup_user_index}" + # Couldn't create the user + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "User could not be created", "${usergroup_user_index}"), + if => "usermanagement_user_creation_failed_${usergroup_user_index}"; + + # User created + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "User ${usergroup_user_login[${usergroup_user_index}]} has been created", "${usergroup_user_index}"), + if => "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired"; + + # User doesn't exist and we are in update + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "User does not exist, not checking home directory", "${usergroup_user_index}"), + if => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_updateonly_${usergroup_user_index}"; + 
############################ + # set/check secondary groups + "any" usebundle => _method_reporting_context("User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}"); + + # Note: the secondary group should also be checked at creation, because otherwise it won't be set at 1st run + "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}" + usebundle => user_secondary_groups("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_secondary_groupsname[${usergroup_user_index}]}", "${usergroup_force_user_secondary_groupsname[${usergroup_user_index}]}"), + if => "!usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_create_${usergroup_user_index})", + comment => "Set secondary groups if they are defined on user ${usergroup_user_login[${usergroup_user_index}]}"; + + # no secondary group has been set + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "No secondary groups defined for user", "${usergroup_user_index}"), + if => "usermanagement_user_secondary_groupsempty_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}"; + + # Don't exist and in update only or deletion + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", "${usergroup_user_login[${usergroup_user_index}]}", "User secondary groups are not checked in this mode", "${usergroup_user_index}"), + if => "usermanagement_user_skipall_${usergroup_user_index}|usermanagement_user_remove_${usergroup_user_index}"; + + # Couldn't create the user + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "User secondary groups", 
"${usergroup_user_login[${usergroup_user_index}]}", "User could not be created", "${usergroup_user_index}"), + if => "usermanagement_user_creation_failed_${usergroup_user_index}"; + + ############################# + # Only reporting after that # + + # Users + # Add user + ## Does exist (Success) + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system", "${usergroup_user_index}"), + if => and( "usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_create_${usergroup_user_index}", + "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", + "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_error" + ); + + ## Created (repaired) + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been created on the system", "${usergroup_user_index}"), + if => and( "!usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_create_${usergroup_user_index}", + "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_repaired", + "!usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_error" + ); + + ## Failed to create (error) + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be created on the system", 
"${usergroup_user_index}"), + if => and( "!usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_create_${usergroup_user_index}", + "usermanagement_login_add_${usergroup_user_index}_&RudderUniqueID&_error" + ); + + ## Wrong group, didn't even try to create (error) + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) can not be created as the group is invalid", "${usergroup_user_index}"), + if => and( "!usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_create_${usergroup_user_index}", + "usermanagement_user_group_definition_error_${usergroup_user_index}" ); + ## update only if exist - does not exist: NA + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present", "${usergroup_user_index}"), + if => and( "!usermanagement_user_exists_${usergroup_user_index}", + "usermanagement_user_updateonly_${usergroup_user_index}" + ); + + ## create/update only if exist - exist: success + "any" usebundle => rudder_common_report_index("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system", "${usergroup_user_index}"), + if => "usermanagement_user_update_${usergroup_user_index}"; + commands: showtime:: 
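Review bot: The `## Does exist (Success)` report for the "Users" component requires both `usermanagement_user_exists_${usergroup_user_index}` and `usermanagement_user_create_${usergroup_user_index}`, yet the `@@ -136` hunk further down this page defines `usermanagement_user_create_` as `and("!usermanagement_user_exists_…", "usermanagement_user_add_…")`, so that conjunction can never hold and the report is dead; the exists-plus-add case appears to be covered by the later `## create/update only if exist - exist: success` report on `usermanagement_user_update_`, whose definition is cut off at the end of the page, so confirm that before dropping the dead one. The `# User doesn't exist and we are in update` NA report spells out `!usermanagement_user_exists_….usermanagement_user_updateonly_…` while the secondary-groups block in the same hunk uses `usermanagement_user_skipall_${usergroup_user_index}`, which is defined as exactly that conjunction; `if => "usermanagement_user_skipall_${usergroup_user_index}";` keeps the two in step. A newly created user with no secondary groups gets no "User secondary groups" report at all, because the `# no secondary group has been set` NA report fires only on `usermanagement_user_update_` while the method call is skipped on `groupsempty`; widening it to `if => "usermanagement_user_secondary_groupsempty_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_create_${usergroup_user_index})";` mirrors the method's own guard. The `check_usergroup_user_parameters_&RudderUniqueID&` bundle starts and ends outside the hunk.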
@@ -882,8 +531,7 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
 comment => "Create the user",
 if => and( "!usermanagement_user_uid_definition_error_${usergroup_user_index}",
 "!usermanagement_user_group_definition_error_${usergroup_user_index}",
- "!usermanagement_user_exists_${usergroup_user_index}",
- "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_user_create_${usergroup_user_index}",
 "!usermanagement_user_pershome_${usergroup_user_index}"
 );
@@ -893,21 +541,13 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
 comment => "Create the user with a custom home directory",
 if => and( "!usermanagement_user_uid_definition_error_${usergroup_user_index}",
 "!usermanagement_user_group_definition_error_${usergroup_user_index}",
- "!usermanagement_user_exists_${usergroup_user_index}",
- "usermanagement_user_update_${usergroup_user_index}",
+ "usermanagement_user_create_${usergroup_user_index}",
 "usermanagement_user_pershome_${usergroup_user_index}",
 "usermanagement_user_custom_home_defined_${usergroup_user_index}"
 );
- "/usr/sbin/userdel"
- args => "${usergroup_user_login[${usergroup_user_index}]}",
- classes => cf2_if_else("usermanagement_login_remove_${usergroup_user_index}_&RudderUniqueID&_repaired", "usermanagement_login_remove_${usergroup_user_index}_&RudderUniqueID&_error"),
- comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}",
- if => and( "usermanagement_user_exists_${usergroup_user_index}",
- "usermanagement_user_remove_${usergroup_user_index}"
- );
-
- # Change user home dir
+ ## Change user home dir
+ ## This cannot be done via the generic method because it is really a specific use case
 ## Move the home dir
 "/usr/sbin/usermod"
 args => "-d ${usergroup_user_home[${usergroup_user_index}]} -m ${usergroup_user_login[${usergroup_user_index}]}",
@@ -928,15 +568,6 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
 "!usermanagement_user_custom_home_move_${usergroup_user_index}"
 );
- ## Change the user gid if necessary
- "/usr/sbin/usermod"
- args => "-g ${usergroup_user_groupname[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}",
- classes => classes_generic("usermanagement_user_gid_change_${usergroup_user_index}_&RudderUniqueID&"),
- comment => "Change user gid for user ${usergroup_user_login[${usergroup_user_index}]}",
- if => and( "usermanagement_user_update_${usergroup_user_index}",
- "usermanagement_user_current_group_is_invalid_${usergroup_user_index}"
- );
-
 }
 bundle edit_line set_user_fullname_&RudderUniqueID&(user,user_index,fullname)
From fb8fa2a9e6d1b1150f73a570bb35093730a31f45 Mon Sep 17 00:00:00 2001
From: Nicolas Charles
Date: Wed, 18 Dec 2024 16:33:51 +0100
Subject: [PATCH 3/3] fixup! fixup! Work in progress Fixes #24735: Add an option to \"update only\" user in the Users technique
---
 .../userManagement/10/userManagement.ps1.st | 34 ++++---------------
 .../userManagement/10/userManagement.st | 4 +--
 2 files changed, 9 insertions(+), 29 deletions(-)
diff --git a/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st b/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st
index 6eee5f29a..d9c908b43 100644
--- a/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st
+++ b/techniques/systemSettings/userManagement/userManagement/10/userManagement.ps1.st
@@ -102,35 +102,15 @@ function check_usergroup_user_parameters_&RudderUniqueID& {
 }
 #Unix section reporting
- $primaryGroup = $commonParams + @{
- ComponentName = "User primary group"
+ $naParams = $commonParams + @{
 ComponentKey = $logins[$i]
+ Message = 'Not applicable on Windows'
 }
- $null = Rudder-Report-NA @primaryGroup -message "Not applicable on Windows"
-
- $userFullName = $commonParams + @{
- ComponentName = "User full name"
- ComponentKey = $logins[$i]
- }
- $null = Rudder-Report-NA @userFullName -message "Not applicable on Windows"
-
- $userDefaultShell = $commonParams + @{
- ComponentName = "User default shell"
- ComponentKey = $logins[$i]
- }
- $null = Rudder-Report-NA @userDefaultShell -message "Not applicable on Windows"
-
- $homeDirectory = $commonParams + @{
- ComponentName = "Home Directory"
- ComponentKey = $logins[$i]
- }
- $null = Rudder-Report-NA @homeDirectory -message "Not applicable on Windows"
-
- $secondaryParams = $commonParams + @{
- ComponentName = "User secondary groups"
- ComponentKey = $logins[$i]
- }
- $null = Rudder-Report-NA @secondaryParams -message "Not applicable on Windows"
+ $null = Rudder-Report-NA @naParams -ComponentName 'User primary group'
+ $null = Rudder-Report-NA @naParams -ComponentName 'User full name'
+ $null = Rudder-Report-NA @naParams -ComponentName 'User default shell'
+ $null = Rudder-Report-NA @naParams -ComponentName 'Home Directory'
+ $null = Rudder-Report-NA @naParams -ComponentName 'User secondary groups'
 }
 }
diff --git a/techniques/systemSettings/userManagement/userManagement/10/userManagement.st b/techniques/systemSettings/userManagement/userManagement/10/userManagement.st
index 40e5a93f6..a002e239f 100644
--- a/techniques/systemSettings/userManagement/userManagement/10/userManagement.st
+++ b/techniques/systemSettings/userManagement/userManagement/10/userManagement.st
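Review bot: `$naParams = $commonParams + @{ … Message = 'Not applicable on Windows' }` now passes the message as a splatted hashtable key where the removed lines passed it as the `-message` argument, so the five `Rudder-Report-NA @naParams -ComponentName …` calls only bind correctly if the function declares a parameter that the `Message` key matches; that is plausible from the removed `-message` usage but not visible in the hunk. Hashtable `+` also throws on a duplicate key, so `$commonParams`, which is built outside the hunk, must not already carry `ComponentKey` or `Message` — the removed code merged `ComponentKey` the same way, so only `Message` is new risk. The enclosing function `check_usergroup_user_parameters_&RudderUniqueID&` starts before the hunk.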
@@ -136,7 +136,7 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
 "usermanagement_user_updateonly_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","updateonly");
 "usermanagement_user_remove_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","remove");
- # If we ask to update only and user don't exist, then we won't do anything
+ # If we ask to update only and user does not exist, then we won't do anything
 "usermanagement_user_skipall_${usergroup_user_index}" expression => and("!usermanagement_user_exists_${usergroup_user_index}", "usermanagement_user_updateonly_${usergroup_user_index}");
 "usermanagement_user_create_${usergroup_user_index}" expression => and("!usermanagement_user_exists_${usergroup_user_index}", "usermanagement_user_add_${usergroup_user_index}");
 "usermanagement_user_update_${usergroup_user_index}" expression => and(
@@ -149,7 +149,7 @@ bundle agent check_usergroup_user_parameters_&RudderUniqueID&
 # Actions
 any::
- # NOTE: usergroup_user_home_perso is true when we use the default home, and thus usermanagement_user_pershome_ is true when we don't want tu use the default home
+ # NOTE: usergroup_user_home_perso is true when we use the default home, and thus usermanagement_user_pershome_ is true when we don't want to use the default home
 "usermanagement_user_pershome_${usergroup_user_index}" not => strcmp("${usergroup_user_home_perso[${usergroup_user_index}]}","true");
 "usermanagement_user_custom_home_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_home[${usergroup_user_index}]");