diff --git a/lib/puppet/provider/aixobject.rb b/lib/puppet/provider/aixobject.rb index d98e36b18..dcb3bff78 100755 --- a/lib/puppet/provider/aixobject.rb +++ b/lib/puppet/provider/aixobject.rb @@ -1,400 +1,411 @@ # # Common code for AIX providers # # Author:: Hector Rivas Gandara # # class Puppet::Provider::AixObject < Puppet::Provider desc "User management for AIX! Users are managed with mkuser, rmuser, chuser, lsuser" # Constants # Loadable AIX I/A module for users and groups. By default we manage compat. # TODO:: add a type parameter to change this class << self attr_accessor :ia_module end # The real provider must implement these functions. def lscmd(value=@resource[:name]) raise Puppet::Error, "Method not defined #{@resource.class.name} #{@resource.name}: #{detail}" end def lscmd(value=@resource[:name]) raise Puppet::Error, "Method not defined #{@resource.class.name} #{@resource.name}: #{detail}" end def addcmd(extra_attrs = []) raise Puppet::Error, "Method not defined #{@resource.class.name} #{@resource.name}: #{detail}" end def modifycmd(attributes_hash) raise Puppet::Error, "Method not defined #{@resource.class.name} #{@resource.name}: #{detail}" end def deletecmd raise Puppet::Error, "Method not defined #{@resource.class.name} #{@resource.name}: #{detail}" end # Valid attributes to be managed by this provider. # It is a list of hashes # :aix_attr AIX command attribute name # :puppet_prop Puppet propertie name # :to Optional. Method name that adapts puppet property to aix command value. # :from Optional. Method to adapt aix command line value to puppet property. Optional class << self attr_accessor :attribute_mapping end def self.attribute_mapping_to if ! @attribute_mapping_to @attribute_mapping_to = {} attribute_mapping.each { |elem| attribute_mapping_to[elem[:puppet_prop]] = { :key => elem[:aix_attr], :method => elem[:to] } } end @attribute_mapping_to end def self.attribute_mapping_from if ! @attribute_mapping_from @attribute_mapping_from = {} attribute_mapping.each { |elem| attribute_mapping_from[elem[:aix_attr]] = { :key => elem[:puppet_prop], :method => elem[:from] } } end @attribute_mapping_from end # This functions translates a key and value using the given mapping. # Mapping can be nil (no translation) or a hash with this format # {:key => new_key, :method => translate_method} # It returns a list [key, value] def translate_attr(key, value, mapping) return [key, value] unless mapping return nil unless mapping[key] if mapping[key][:method] new_value = method(mapping[key][:method]).call(value) else new_value = value end [mapping[key][:key], new_value] end # Gets the given command line argument for the given key, value and mapping. def get_arg(key, value, mapping) arg = nil if ret = self.translate_attr(key, val, mapping) new_key = ret[0] new_val = ret[1] # Arrays are separated by commas if new_val.is_a? Array value = new_val.join(",") else value = new_val.to_s end # Get the needed argument if mapping[key][:to_arg] arg = method(mapping[key][:to_arg]).call(new_key, value) else arg = (new_key.to_s + "=" + value ) end end return arg end # Reads and attribute. # Here we implement the default behaviour. # Subclasses must reimplement this. def load_attribute(key, value, mapping, objectinfo) if mapping.nil? objectinfo[key] = value elsif mapping[key].nil? # is not present in mapping, ignore it. true elsif mapping[key][:method].nil? objectinfo[mapping[key][:key]] = value elsif objectinfo[mapping[key][:key]] = method(mapping[key][:method]).call(value) end return objectinfo end def get_arguments(key, value, mapping, objectinfo) if mapping.nil? new_key = key new_value = value elsif mapping[key].nil? # is not present in mapping, ignore it. new_key = nil new_value = nil elsif mapping[key][:method].nil? new_key = mapping[key][:key] new_value = value elsif new_key = mapping[key][:key] new_value = method(mapping[key][:method]).call(value) end # convert it to string if new_value.is_a? Array new_value = new_value.join(",") else new_value = new_value.to_s end if new_key return [ "#{new_key}=#{new_value}" ] else return [] end end # Convert the provider properties to AIX command arguments (string) # This function will translate each value/key and generate the argument. # By default, arguments are created as aix_key=aix_value def hash2args(hash, mapping=self.class.attribute_mapping_to) return "" unless hash arg_list = [] hash.each {|key, val| arg_list += self.get_arguments(key, val, mapping, hash) } arg_list end # Parse AIX command attributes in a format of space separated of key=value # pairs: "uid=100 groups=a,b,c" # It returns and return provider hash. # # If a mapping is provided, the keys are translated as defined in the # mapping hash. Only values included in mapping will be added # NOTE: it will ignore the items not including '=' def parse_attr_list(str, mapping=self.class.attribute_mapping_from) properties = {} attrs = [] if !str or (attrs = str.split()).empty? return nil end attrs.each { |i| if i.include? "=" # Ignore if it does not include '=' (key_str, val) = i.split('=') # Check the key if !key_str or key_str.empty? info "Empty key in string 'i'?" continue end - key = key_str.downcase.to_sym + key = key_str.to_sym properties = self.load_attribute(key, val, mapping, properties) end } properties.empty? ? nil : properties end # Parse AIX colon separated list of attributes, using given list of keys # to name the attributes. This function is useful to parse the output # of commands like lsfs -c: # #MountPoint:Device:Vfs:Nodename:Type:Size:Options:AutoMount:Acct # /:/dev/hd4:jfs2::bootfs:557056:rw:yes:no # /home:/dev/hd1:jfs2:::2129920:rw:yes:no # /usr:/dev/hd2:jfs2::bootfs:9797632:rw:yes:no # # If a mapping is provided, the keys are translated as defined in the # mapping hash. Only values included in mapping will be added # NOTE: it will ignore the items not including '=' def parse_colon_list(str, key_list, mapping=self.class.attribute_mapping_from) properties = {} attrs = [] if !str or (attrs = str.split(':')).empty? return nil end attrs.each { |val| key = key_list.shift.downcase.to_sym properties = self.load_attribute(key, val, mapping, properties) } properties.empty? ? nil : properties end # Default parsing function for colon separated list or attributte list # (key=val pairs). It will choose the method depending of the first line. # For the colon separated list it will: # 1. Get keys from first line. # 2. Parse next line. - def parse_command_output(output) + def parse_command_output(output, mapping=self.class.attribute_mapping_from) lines = output.split("\n") # if it begins with #something:... is a colon separated list. if lines[0] =~ /^#.*:/ - self.parse_colon_list(lines[1], lines[0][1..-1].split(':')) + self.parse_colon_list(lines[1], lines[0][1..-1].split(':'), mapping) else - self.parse_attr_list(lines[0]) + self.parse_attr_list(lines[0], mapping) end end # Retrieve what we can about our object def getinfo(refresh = false) if @objectinfo.nil? or refresh == true # Execute lsuser, split all attributes and add them to a dict. begin + output = execute(self.lscmd) @objectinfo = self.parse_command_output(execute(self.lscmd)) + # All attributtes without translation + @objectosinfo = self.parse_command_output(execute(self.lscmd), nil) rescue Puppet::ExecutionFailure => detail # Print error if needed. FIXME: Do not check the user here. Puppet.debug "aix.getinfo(): Could not find #{@resource.class.name} #{@resource.name}: #{detail}" end end @objectinfo end + # Retrieve what we can about our object, without translate the values. + def getosinfo(refresh = false) + if @objectosinfo .nil? or refresh == true + getinfo(refresh) + end + @objectosinfo + end + + # List all elements of given type. It works for colon separated commands and # list commands. def list_all names = [] begin output = execute(self.lsallcmd()).split('\n') (output.select{ |l| l != /^#/ }).each { |v| name = v.split(/[ :]/) names << name if not name.empty? } rescue Puppet::ExecutionFailure => detail # Print error if needed Puppet.debug "aix.list_all(): Could not get all resources of type #{@resource.class.name}: #{detail}" end names end #------------- # Provider API # ------------ # Clear out the cached values. def flush @property_hash.clear if @property_hash @objectinfo.clear if @objectinfo end # Check that the user exists def exists? !!getinfo(true) # !! => converts to bool end #- **ensure** # The basic state that the object should be in. Valid values are # `present`, `absent`, `role`. # From ensurable: exists?, create, delete def ensure if exists? :present else :absent end end # Return all existing instances # The method for returning a list of provider instances. Note that it returns # providers, preferably with values already filled in, not resources. def self.instances objects=[] self.list_all().each { |entry| objects << new(:name => entry, :ensure => :present) } objects end def create if exists? info "already exists" # The object already exists return nil end begin execute(self.addcmd) rescue Puppet::ExecutionFailure => detail raise Puppet::Error, "Could not create #{@resource.class.name} #{@resource.name}: #{detail}" end end def delete unless exists? info "already absent" # the object already doesn't exist return nil end begin execute(self.deletecmd) rescue Puppet::ExecutionFailure => detail raise Puppet::Error, "Could not delete #{@resource.class.name} #{@resource.name}: #{detail}" end end #-------------------------------- # Call this method when the object is initialized, # create getter/setter methods for each property our resource type supports. # If setter or getter already defined it will not be overwritten def self.mk_resource_methods [resource_type.validproperties, resource_type.parameters].flatten.each do |prop| next if prop == :ensure define_method(prop) { get(prop) || :absent} unless public_method_defined?(prop) define_method(prop.to_s + "=") { |*vals| set(prop, *vals) } unless public_method_defined?(prop.to_s + "=") end end # # Define the needed getters and setters as soon as we know the resource type def self.resource_type=(resource_type) super mk_resource_methods end # Retrieve a specific value by name. def get(param) (hash = getinfo(false)) ? hash[param] : nil end # Set a property. def set(param, value) @property_hash[symbolize(param)] = value if getinfo().nil? - # This is weird... + # This is weird... raise Puppet::Error, "Trying to update parameter '#{param}' to '#{value}' for a resource that does not exists #{@resource.class.name} #{@resource.name}: #{detail}" end if value == getinfo()[param.to_sym] return end #self.class.validate(param, value) - if cmd = modifycmd({param =>value}) begin execute(cmd) rescue Puppet::ExecutionFailure => detail raise Puppet::Error, "Could not set #{param} on #{@resource.class.name}[#{@resource.name}]: #{detail}" end end # Refresh de info. hash = getinfo(true) end def initialize(resource) super @objectinfo = nil # FIXME: Initiallize this properly. self.class.ia_module="compat" end end diff --git a/lib/puppet/provider/group/aix.rb b/lib/puppet/provider/group/aix.rb index 6ae16b529..ceb889840 100755 --- a/lib/puppet/provider/group/aix.rb +++ b/lib/puppet/provider/group/aix.rb @@ -1,80 +1,142 @@ # # Group Puppet provider for AIX. It uses standard commands to manage groups: # mkgroup, rmgroup, lsgroup, chgroup # # Author:: Hector Rivas Gandara # require 'puppet/provider/aixobject' Puppet::Type.type(:group).provide :aix, :parent => Puppet::Provider::AixObject do desc "Group management for AIX! Users are managed with mkgroup, rmgroup, lsgroup, chgroup" - # Constants - # Default extra attributes to add when element is created - # registry=compat: Needed if you are using LDAP by default. - @DEFAULT_EXTRA_ATTRS = [ "registry=compat", ] - - - # This will the the default provider for this platform + # This will the the default provider for this platform defaultfor :operatingsystem => :aix confine :operatingsystem => :aix # Provider features + has_features :manages_aix_lam has_features :manages_members # Commands that manage the element commands :list => "/usr/sbin/lsgroup" commands :add => "/usr/bin/mkgroup" commands :delete => "/usr/sbin/rmgroup" commands :modify => "/usr/bin/chgroup" + # Group attributes to ignore + def self.attribute_ignore + [] + end + # AIX attributes to properties mapping. # # Valid attributes to be managed by this provider. # It is a list with of hash # :aix_attr AIX command attribute name # :puppet_prop Puppet propertie name # :to Method to adapt puppet property to aix command value. Optional. # :from Method to adapt aix command value to puppet property. Optional self.attribute_mapping = [ #:name => :name, {:aix_attr => :id, :puppet_prop => :gid }, {:aix_attr => :users, :puppet_prop => :members, :from => :users_from_attr}, ] #-------------- # Command lines + + def get_ia_module_args + if @resource[:ia_load_module] + ["-R", @resource[:ia_load_module].to_s] + else + [] + end + end + + def lscmd(value=@resource[:name]) - [self.class.command(:list), "-R", self.class.ia_module , value] + [self.class.command(:list)] + + self.get_ia_module_args + + [ value] end def lsallcmd() lscmd("ALL") end def addcmd(extra_attrs = []) # Here we use the @resource.to_hash to get the list of provided parameters # Puppet does not call to self.= method if it does not exists. # # It gets an extra list of arguments to add to the user. - [self.class.command(:add), "-R", self.class.ia_module ]+ + [self.class.command(:add) ] + + self.get_ia_module_args + self.hash2args(@resource.to_hash) + extra_attrs + [@resource[:name]] end - def modifycmd(hash = property_hash) - [self.class.command(:modify), "-R", self.class.ia_module ]+ - self.hash2args(hash) + [@resource[:name]] + def modifycmd(hash = property_hash, translate=true) + if translate + args = self.hash2args(hash) + else + args = self.hash2args(hash, nil) + end + return nil if args.empty? + + [self.class.command(:modify)] + + self.get_ia_module_args + + args + [@resource[:name]] end def deletecmd - [self.class.command(:delete),"-R", self.class.ia_module, @resource[:name]] + [self.class.command(:delete)] + + self.get_ia_module_args + + [@resource[:name]] + end + + + def get_arguments(key, value, mapping, objectinfo) + # In the case of attributes, return a list of key=vlaue + if key == :attributes + raise Puppet::Error, "Attributes must be a list of pairs key=value on #{@resource.class.name}[#{@resource.name}]" \ + unless value and value.is_a? Hash + return value.select { |k,v| true }.map { |pair| pair.join("=") } + end + super(key, value, mapping, objectinfo) end # Force convert users it a list. def users_from_attr(value) (value.is_a? String) ? value.split(',') : value end + def filter_attributes(hash) + # Return only not managed attributtes. + hash.select { + |k,v| !self.class.attribute_mapping_from.include?(k) and + !self.class.attribute_ignore.include?(k) + }.inject({}) { + |hash, array| hash[array[0]] = array[1]; hash + } + end + + def attributes + filter_attributes(getosinfo(refresh = false)) + end + + def attributes=(attr_hash) + #self.class.validate(param, value) + param = :attributes + cmd = modifycmd({param => filter_attributes(attr_hash)}, false) + if cmd + begin + execute(cmd) + rescue Puppet::ExecutionFailure => detail + raise Puppet::Error, "Could not set #{param} on #{@resource.class.name}[#{@resource.name}]: #{detail}" + end + end + end + + end diff --git a/lib/puppet/provider/user/aix.rb b/lib/puppet/provider/user/aix.rb index 06dfd5240..c231da816 100755 --- a/lib/puppet/provider/user/aix.rb +++ b/lib/puppet/provider/user/aix.rb @@ -1,299 +1,351 @@ -# -# User Puppet provider for AIX. It uses standar commands to manage users: -# mkuser, rmuser, lsuser, chuser -# -# Notes: -# - AIX users can have expiry date defined with minute granularity, -# but puppet does not allow it. There is a ticket open for that (#5431) -# - AIX maximum password age is in WEEKs, not days -# - I force the compat IA module. -# -# See http://projects.puppetlabs.com/projects/puppet/wiki/Development_Provider_Development -# for more information -# -# Author:: Hector Rivas Gandara -# -# TODO:: -# - Add new AIX specific attributes, specilly registry and SYSTEM. -# -require 'puppet/provider/aixobject' -require 'tempfile' -require 'date' - -Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do - desc "User management for AIX! Users are managed with mkuser, rmuser, chuser, lsuser" - - # Constants - # Default extra attributes to add when element is created - # registry=compat SYSTEM=compat: Needed if you are using LDAP by default. - @DEFAULT_EXTRA_ATTRS = [ "registry=compat", "SYSTEM=compat" ] - - # This will the the default provider for this platform - defaultfor :operatingsystem => :aix - confine :operatingsystem => :aix - - # Commands that manage the element - commands :list => "/usr/sbin/lsuser" - commands :add => "/usr/bin/mkuser" - commands :delete => "/usr/sbin/rmuser" - commands :modify => "/usr/bin/chuser" - - commands :lsgroup => "/usr/sbin/lsgroup" - commands :chpasswd => "/bin/chpasswd" - - # Provider features - has_features :manages_homedir, :manages_passwords - has_features :manages_expiry, :manages_password_age - - # Attribute verification (TODO) - #verify :gid, "GID must be an string or int of a valid group" do |value| - # value.is_a? String || value.is_a? Integer - #end - # - #verify :groups, "Groups must be comma-separated" do |value| - # value !~ /\s/ - #end - - # AIX attributes to properties mapping. - # - # Valid attributes to be managed by this provider. - # It is a list with of hash - # :aix_attr AIX command attribute name - # :puppet_prop Puppet propertie name - # :to Method to adapt puppet property to aix command value. Optional. - # :from Method to adapt aix command value to puppet property. Optional - self.attribute_mapping = [ - #:name => :name, - {:aix_attr => :pgrp, :puppet_prop => :gid, - :to => :gid_to_attr, :from => :gid_from_attr}, - {:aix_attr => :id, :puppet_prop => :uid}, - {:aix_attr => :groups, :puppet_prop => :groups}, - {:aix_attr => :home, :puppet_prop => :home}, - {:aix_attr => :shell, :puppet_prop => :shell}, - {:aix_attr => :expires, :puppet_prop => :expiry, - :to => :expiry_to_attr, :from => :expiry_from_attr}, - {:aix_attr => :maxage, :puppet_prop => :password_max_age}, - {:aix_attr => :minage, :puppet_prop => :password_min_age}, - ] - - #-------------- - # Command lines - - def lsgroupscmd(value=@resource[:name]) - [command(:lsgroup),"-R", self.class.ia_module, "-a", "id", value] - end - - def lscmd(value=@resource[:name]) - [self.class.command(:list), "-R", self.class.ia_module , value] - end - - def lsallcmd() - lscmd("ALL") - end - - def addcmd(extra_attrs = []) - # Here we use the @resource.to_hash to get the list of provided parameters - # Puppet does not call to self.= method if it does not exists. - # - # It gets an extra list of arguments to add to the user. - [self.class.command(:add), "-R", self.class.ia_module ]+ - self.hash2args(@resource.to_hash) + - extra_attrs + [@resource[:name]] - end - - def modifycmd(hash = property_hash) - [self.class.command(:modify), "-R", self.class.ia_module ]+ - self.hash2args(hash) + [@resource[:name]] - end - - def deletecmd - [self.class.command(:delete),"-R", self.class.ia_module, @resource[:name]] - end - - #-------------- - # We overwrite the create function to change the password after creation. - def create - super - # Reset the password if needed - self.password = @resource[:password] if @resource[:password] - end - - - # Get the groupname from its id - def self.groupname_by_id(gid) - groupname=nil - execute(lsgroupscmd("ALL")).each { |entry| - attrs = self.parse_attr_list(entry, nil) - if attrs and attrs.include? :id and gid == attrs[:id].to_i - groupname = entry.split(" ")[0] - end - } - groupname - end - - # Get the groupname from its id - def groupid_by_name(groupname) - attrs = self.parse_attr_list(execute(lsgroupscmd(groupname)).split("\n")[0], nil) - attrs ? attrs[:id].to_i : nil - end - - # Check that a group exists and is valid - def verify_group(value) - if value.is_a? Integer or value.is_a? Fixnum - groupname = self.groupname_by_id(value) - raise ArgumentError, "AIX group must be a valid existing group" unless groupname - else - raise ArgumentError, "AIX group must be a valid existing group" unless groupid_by_name(value) - groupname = value - end - groupname - end - - # The user's primary group. Can be specified numerically or by name. - def gid_to_attr(value) - verify_group(value) - end - - def gid_from_attr(value) - groupid_by_name(value) - end - - # The expiry date for this user. Must be provided in - # a zero padded YYYY-MM-DD HH:MM format - def expiry_to_attr(value) - # For chuser the expires parameter is a 10-character string in the MMDDhhmmyy format - # that is,"%m%d%H%M%y" - newdate = '0' - if value.is_a? String and value!="0000-00-00" - d = DateTime.parse(value, "%Y-%m-%d %H:%M") - newdate = d.strftime("%m%d%H%M%y") - end - newdate - end - - def expiry_from_attr(value) - if value =~ /(..)(..)(..)(..)(..)/ - #d= DateTime.parse("20#{$5}-#{$1}-#{$2} #{$3}:#{$4}") - #expiry_date = d.strftime("%Y-%m-%d %H:%M") - #expiry_date = d.strftime("%Y-%m-%d") - expiry_date = "20#{$5}-#{$1}-#{$2}" - else - Puppet.warn("Could not convert AIX expires date '#{value}' on #{@resource.class.name}[#{@resource.name}]") \ - unless value == '0' - expiry_date = :absent - end - expiry_date - end - - #-------------------------------- - # Getter and Setter - # When the provider is initialized, create getter/setter methods for each - # property our resource type supports. - # If setter or getter already defined it will not be overwritten - - #- **password** - # The user's password, in whatever encrypted format the local machine - # requires. Be sure to enclose any value that includes a dollar sign ($) - # in single quotes ('). Requires features manages_passwords. - # - # Retrieve the password parsing directly the /etc/security/passwd - def password - password = :absent - user = @resource[:name] - f = File.open("/etc/security/passwd", 'r') - # Skip to the user - f.each { |l| break if l =~ /^#{user}:\s*$/ } - if ! f.eof? - f.each { |l| - # If there is a new user stanza, stop - break if l =~ /^\S*:\s*$/ - # If the password= entry is found, return it - if l =~ /^\s*password\s*=\s*(.*)$/ - password = $1; break; - end - } - end - f.close() - return password - end - - def password=(value) - user = @resource[:name] - - # Puppet execute does not support strings as input, only files. - tmpfile = Tempfile.new('puppet_#{user}_pw') - tmpfile << "#{user}:#{value}\n" - tmpfile.close() - - # Options '-e', '-c', use encrypted password and clear flags - # Must receibe "user:enc_password" as input - # command, arguments = {:failonfail => true, :combine => true} - cmd = [self.class.command(:chpasswd),"-R", self.class.ia_module, - '-e', '-c', user] - begin - execute(cmd, {:failonfail => true, :combine => true, :stdinfile => tmpfile.path }) - rescue Puppet::ExecutionFailure => detail - raise Puppet::Error, "Could not set #{param} on #{@resource.class.name}[#{@resource.name}]: #{detail}" - ensure - tmpfile.delete() - end - end - - #- **comment** - # A description of the user. Generally is a user's full name. - #def comment=(value) - #end - # - #def comment - #end - # UNSUPPORTED - #- **profile_membership** - # Whether specified roles should be treated as the only roles - # of which the user is a member or whether they should merely - # be treated as the minimum membership list. Valid values are - # `inclusive`, `minimum`. - # UNSUPPORTED - #- **profiles** - # The profiles the user has. Multiple profiles should be - # specified as an array. Requires features manages_solaris_rbac. - # UNSUPPORTED - #- **project** - # The name of the project associated with a user Requires features - # manages_solaris_rbac. - # UNSUPPORTED - #- **role_membership** - # Whether specified roles should be treated as the only roles - # of which the user is a member or whether they should merely - # be treated as the minimum membership list. Valid values are - # `inclusive`, `minimum`. - # UNSUPPORTED - #- **roles** - # The roles the user has. Multiple roles should be - # specified as an array. Requires features manages_solaris_rbac. - # UNSUPPORTED - #- **key_membership** - # Whether specified key value pairs should be treated as the only - # attributes - # of the user or whether they should merely - # be treated as the minimum list. Valid values are `inclusive`, - # `minimum`. - # UNSUPPORTED - #- **keys** - # Specify user attributes in an array of keyvalue pairs Requires features - # manages_solaris_rbac. - # UNSUPPORTED - #- **allowdupe** - # Whether to allow duplicate UIDs. Valid values are `true`, `false`. - # UNSUPPORTED - #- **auths** - # The auths the user has. Multiple auths should be - # specified as an array. Requires features manages_solaris_rbac. - # UNSUPPORTED - #- **auth_membership** - # Whether specified auths should be treated as the only auths - # of which the user is a member or whether they should merely - # be treated as the minimum membership list. Valid values are - # `inclusive`, `minimum`. - # UNSUPPORTED - -end +# +# User Puppet provider for AIX. It uses standar commands to manage users: +# mkuser, rmuser, lsuser, chuser +# +# Notes: +# - AIX users can have expiry date defined with minute granularity, +# but puppet does not allow it. There is a ticket open for that (#5431) +# - AIX maximum password age is in WEEKs, not days +# - I force the compat IA module. +# +# See http://projects.puppetlabs.com/projects/puppet/wiki/Development_Provider_Development +# for more information +# +# Author:: Hector Rivas Gandara +# +require 'puppet/provider/aixobject' +require 'tempfile' +require 'date' + +Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do + desc "User management for AIX! Users are managed with mkuser, rmuser, chuser, lsuser" + + # This will the the default provider for this platform + defaultfor :operatingsystem => :aix + confine :operatingsystem => :aix + + # Commands that manage the element + commands :list => "/usr/sbin/lsuser" + commands :add => "/usr/bin/mkuser" + commands :delete => "/usr/sbin/rmuser" + commands :modify => "/usr/bin/chuser" + + commands :lsgroup => "/usr/sbin/lsgroup" + commands :chpasswd => "/bin/chpasswd" + + # Provider features + has_features :manages_aix_lam + has_features :manages_homedir, :manages_passwords + has_features :manages_expiry, :manages_password_age + + # Attribute verification (TODO) + #verify :gid, "GID must be an string or int of a valid group" do |value| + # value.is_a? String || value.is_a? Integer + #end + # + #verify :groups, "Groups must be comma-separated" do |value| + # value !~ /\s/ + #end + + # User attributes to ignore + def self.attribute_ignore + [] + end + + # AIX attributes to properties mapping. + # + # Valid attributes to be managed by this provider. + # It is a list with of hash + # :aix_attr AIX command attribute name + # :puppet_prop Puppet propertie name + # :to Method to adapt puppet property to aix command value. Optional. + # :from Method to adapt aix command value to puppet property. Optional + self.attribute_mapping = [ + #:name => :name, + {:aix_attr => :pgrp, :puppet_prop => :gid, + :to => :gid_to_attr, :from => :gid_from_attr}, + {:aix_attr => :id, :puppet_prop => :uid}, + {:aix_attr => :groups, :puppet_prop => :groups}, + {:aix_attr => :home, :puppet_prop => :home}, + {:aix_attr => :shell, :puppet_prop => :shell}, + {:aix_attr => :expires, :puppet_prop => :expiry, + :to => :expiry_to_attr, :from => :expiry_from_attr}, + {:aix_attr => :maxage, :puppet_prop => :password_max_age}, + {:aix_attr => :minage, :puppet_prop => :password_min_age}, + ] + + #-------------- + # Command lines + def get_ia_module_args + if @resource[:ia_load_module] + ["-R", @resource[:ia_load_module].to_s] + else + [] + end + end + + def lsgroupscmd(value=@resource[:name]) + [command(:lsgroup)] + + self.get_ia_module_args + + ["-a", "id", value] + end + + def lscmd(value=@resource[:name]) + [self.class.command(:list)] + self.get_ia_module_args + [ value] + end + + def lsallcmd() + lscmd("ALL") + end + + def addcmd(extra_attrs = []) + # Here we use the @resource.to_hash to get the list of provided parameters + # Puppet does not call to self.= method if it does not exists. + # + # It gets an extra list of arguments to add to the user. + [self.class.command(:add)] + self.get_ia_module_args + + self.hash2args(@resource.to_hash) + + extra_attrs + [@resource[:name]] + end + + # Get modify command + def modifycmd(hash = property_hash, translate=true) + if translate + args = self.hash2args(hash) + else + args = self.hash2args(hash, nil) + end + return nil if args.empty? + + [self.class.command(:modify)] + self.get_ia_module_args + + args + [@resource[:name]] + end + + def deletecmd + [self.class.command(:delete)] + self.get_ia_module_args + [@resource[:name]] + end + + #-------------- + # We overwrite the create function to change the password after creation. + def create + super + # Reset the password if needed + self.password = @resource[:password] if @resource[:password] + end + + + def get_arguments(key, value, mapping, objectinfo) + # In the case of attributes, return a list of key=vlaue + if key == :attributes + raise Puppet::Error, "Attributes must be a list of pairs key=value on #{@resource.class.name}[#{@resource.name}]" \ + unless value and value.is_a? Hash + return value.select { |k,v| true }.map { |pair| pair.join("=") } + end + super(key, value, mapping, objectinfo) + end + + # Get the groupname from its id + def self.groupname_by_id(gid) + groupname=nil + execute(lsgroupscmd("ALL")).each { |entry| + attrs = self.parse_attr_list(entry, nil) + if attrs and attrs.include? :id and gid == attrs[:id].to_i + groupname = entry.split(" ")[0] + end + } + groupname + end + + # Get the groupname from its id + def groupid_by_name(groupname) + attrs = self.parse_attr_list(execute(lsgroupscmd(groupname)).split("\n")[0], nil) + attrs ? attrs[:id].to_i : nil + end + + # Check that a group exists and is valid + def verify_group(value) + if value.is_a? Integer or value.is_a? Fixnum + groupname = self.groupname_by_id(value) + raise ArgumentError, "AIX group must be a valid existing group" unless groupname + else + raise ArgumentError, "AIX group must be a valid existing group" unless groupid_by_name(value) + groupname = value + end + groupname + end + + # The user's primary group. Can be specified numerically or by name. + def gid_to_attr(value) + verify_group(value) + end + + def gid_from_attr(value) + groupid_by_name(value) + end + + # The expiry date for this user. Must be provided in + # a zero padded YYYY-MM-DD HH:MM format + def expiry_to_attr(value) + # For chuser the expires parameter is a 10-character string in the MMDDhhmmyy format + # that is,"%m%d%H%M%y" + newdate = '0' + if value.is_a? String and value!="0000-00-00" + d = DateTime.parse(value, "%Y-%m-%d %H:%M") + newdate = d.strftime("%m%d%H%M%y") + end + newdate + end + + def expiry_from_attr(value) + if value =~ /(..)(..)(..)(..)(..)/ + #d= DateTime.parse("20#{$5}-#{$1}-#{$2} #{$3}:#{$4}") + #expiry_date = d.strftime("%Y-%m-%d %H:%M") + #expiry_date = d.strftime("%Y-%m-%d") + expiry_date = "20#{$5}-#{$1}-#{$2}" + else + Puppet.warn("Could not convert AIX expires date '#{value}' on #{@resource.class.name}[#{@resource.name}]") \ + unless value == '0' + expiry_date = :absent + end + expiry_date + end + + #-------------------------------- + # Getter and Setter + # When the provider is initialized, create getter/setter methods for each + # property our resource type supports. + # If setter or getter already defined it will not be overwritten + + #- **password** + # The user's password, in whatever encrypted format the local machine + # requires. Be sure to enclose any value that includes a dollar sign ($) + # in single quotes ('). Requires features manages_passwords. + # + # Retrieve the password parsing directly the /etc/security/passwd + def password + password = :absent + user = @resource[:name] + f = File.open("/etc/security/passwd", 'r') + # Skip to the user + f.each { |l| break if l =~ /^#{user}:\s*$/ } + if ! f.eof? + f.each { |l| + # If there is a new user stanza, stop + break if l =~ /^\S*:\s*$/ + # If the password= entry is found, return it + if l =~ /^\s*password\s*=\s*(.*)$/ + password = $1; break; + end + } + end + f.close() + return password + end + + def password=(value) + user = @resource[:name] + + # Puppet execute does not support strings as input, only files. + tmpfile = Tempfile.new('puppet_#{user}_pw') + tmpfile << "#{user}:#{value}\n" + tmpfile.close() + + # Options '-e', '-c', use encrypted password and clear flags + # Must receibe "user:enc_password" as input + # command, arguments = {:failonfail => true, :combine => true} + cmd = [self.class.command(:chpasswd),"-R", self.class.ia_module, + '-e', '-c', user] + begin + execute(cmd, {:failonfail => true, :combine => true, :stdinfile => tmpfile.path }) + rescue Puppet::ExecutionFailure => detail + raise Puppet::Error, "Could not set #{param} on #{@resource.class.name}[#{@resource.name}]: #{detail}" + ensure + tmpfile.delete() + end + end + + def filter_attributes(hash) + # Return only not managed attributtes. + hash.select { + |k,v| !self.class.attribute_mapping_from.include?(k) and + !self.class.attribute_ignore.include?(k) + }.inject({}) { + |hash, array| hash[array[0]] = array[1]; hash + } + end + + def attributes + filter_attributes(getosinfo(refresh = false)) + end + + def attributes=(attr_hash) + #self.class.validate(param, value) + param = :attributes + cmd = modifycmd({param => filter_attributes(attr_hash)}, false) + if cmd + begin + execute(cmd) + rescue Puppet::ExecutionFailure => detail + raise Puppet::Error, "Could not set #{param} on #{@resource.class.name}[#{@resource.name}]: #{detail}" + end + end + end + + #- **comment** + # A description of the user. Generally is a user's full name. + #def comment=(value) + #end + # + #def comment + #end + # UNSUPPORTED + #- **profile_membership** + # Whether specified roles should be treated as the only roles + # of which the user is a member or whether they should merely + # be treated as the minimum membership list. Valid values are + # `inclusive`, `minimum`. + # UNSUPPORTED + #- **profiles** + # The profiles the user has. Multiple profiles should be + # specified as an array. Requires features manages_solaris_rbac. + # UNSUPPORTED + #- **project** + # The name of the project associated with a user Requires features + # manages_solaris_rbac. + # UNSUPPORTED + #- **role_membership** + # Whether specified roles should be treated as the only roles + # of which the user is a member or whether they should merely + # be treated as the minimum membership list. Valid values are + # `inclusive`, `minimum`. + # UNSUPPORTED + #- **roles** + # The roles the user has. Multiple roles should be + # specified as an array. Requires features manages_solaris_rbac. + # UNSUPPORTED + #- **key_membership** + # Whether specified key value pairs should be treated as the only + # attributes + # of the user or whether they should merely + # be treated as the minimum list. Valid values are `inclusive`, + # `minimum`. + # UNSUPPORTED + #- **keys** + # Specify user attributes in an array of keyvalue pairs Requires features + # manages_solaris_rbac. + # UNSUPPORTED + #- **allowdupe** + # Whether to allow duplicate UIDs. Valid values are `true`, `false`. + # UNSUPPORTED + #- **auths** + # The auths the user has. Multiple auths should be + # specified as an array. Requires features manages_solaris_rbac. + # UNSUPPORTED + #- **auth_membership** + # Whether specified auths should be treated as the only auths + # of which the user is a member or whether they should merely + # be treated as the minimum membership list. Valid values are + # `inclusive`, `minimum`. + # UNSUPPORTED + +end diff --git a/lib/puppet/type/group.rb b/lib/puppet/type/group.rb index cde1cfd65..aa96bd9c3 100755 --- a/lib/puppet/type/group.rb +++ b/lib/puppet/type/group.rb @@ -1,99 +1,135 @@ require 'etc' require 'facter' module Puppet newtype(:group) do @doc = "Manage groups. On most platforms this can only create groups. Group membership must be managed on individual users. On some platforms such as OS X, group membership is managed as an attribute of the group, not the user record. Providers must have the feature 'manages_members' to manage the 'members' property of a group record." feature :manages_members, "For directories where membership is an attribute of groups not users." + feature :manages_aix_lam, + "The provider can manage AIX Loadable Authentication Module (LAM) system." + ensurable do desc "Create or remove the group." newvalue(:present) do provider.create end newvalue(:absent) do provider.delete end end newproperty(:gid) do desc "The group ID. Must be specified numerically. If not specified, a number will be picked, which can result in ID differences across systems and thus is not recommended. The GID is picked according to local system standards." def retrieve provider.gid end def sync if self.should == :absent raise Puppet::DevError, "GID cannot be deleted" else provider.gid = self.should end end munge do |gid| case gid when String if gid =~ /^[-0-9]+$/ gid = Integer(gid) else self.fail "Invalid GID #{gid}" end when Symbol unless gid == :absent self.devfail "Invalid GID #{gid}" end end return gid end end newproperty(:members, :array_matching => :all, :required_features => :manages_members) do desc "The members of the group. For directory services where group membership is stored in the group objects, not the users." def change_to_s(currentvalue, newvalue) currentvalue = currentvalue.join(",") if currentvalue != :absent newvalue = newvalue.join(",") super(currentvalue, newvalue) end end newparam(:auth_membership) do desc "whether the provider is authoritative for group membership." defaultto true end newparam(:name) do desc "The group name. While naming limitations vary by system, it is advisable to keep the name to the degenerate limitations, which is a maximum of 8 characters beginning with a letter." isnamevar end newparam(:allowdupe, :boolean => true) do desc "Whether to allow duplicate GIDs. This option does not work on FreeBSD (contract to the `pw` man page)." newvalues(:true, :false) defaultto false end + + newparam(:ia_load_module, :required_features => :manages_aix_lam) do + desc "The name of the I&A module to use to manage this user" + + defaultto "compat" + end + + newproperty(:attributes, :parent => Puppet::Property::KeyValue, :required_features => :manages_aix_lam) do + desc "Specify group AIX attributes in an array of keyvalue pairs" + + def membership + :attribute_membership + end + + def delimiter + " " + end + + validate do |value| + raise ArgumentError, "Attributes value pairs must be seperated by an =" unless value.include?("=") + end + end + + newparam(:attribute_membership) do + desc "Whether specified attribute value pairs should be treated as the only attributes + of the user or whether they should merely + be treated as the minimum list." + + newvalues(:inclusive, :minimum) + + defaultto :minimum + end + end end diff --git a/lib/puppet/type/user.rb b/lib/puppet/type/user.rb index 761d5d71b..b2cafadc0 100755 --- a/lib/puppet/type/user.rb +++ b/lib/puppet/type/user.rb @@ -1,438 +1,475 @@ require 'etc' require 'facter' require 'puppet/property/list' require 'puppet/property/ordered_list' require 'puppet/property/keyvalue' module Puppet newtype(:user) do @doc = "Manage users. This type is mostly built to manage system users, so it is lacking some features useful for managing normal users. This resource type uses the prescribed native tools for creating groups and generally uses POSIX APIs for retrieving information about them. It does not directly modify `/etc/passwd` or anything." feature :allows_duplicates, "The provider supports duplicate users with the same UID." feature :manages_homedir, "The provider can create and remove home directories." feature :manages_passwords, "The provider can modify user passwords, by accepting a password hash." feature :manages_password_age, "The provider can set age requirements and restrictions for passwords." feature :manages_solaris_rbac, "The provider can manage roles and normal users" feature :manages_expiry, "The provider can manage the expiry date for a user." + feature :manages_aix_lam, + "The provider can manage AIX Loadable Authentication Module (LAM) system." + newproperty(:ensure, :parent => Puppet::Property::Ensure) do newvalue(:present, :event => :user_created) do provider.create end newvalue(:absent, :event => :user_removed) do provider.delete end newvalue(:role, :event => :role_created, :required_features => :manages_solaris_rbac) do provider.create_role end desc "The basic state that the object should be in." # If they're talking about the thing at all, they generally want to # say it should exist. defaultto do if @resource.managed? :present else nil end end def retrieve if provider.exists? if provider.respond_to?(:is_role?) and provider.is_role? return :role else return :present end else return :absent end end end newproperty(:home) do desc "The home directory of the user. The directory must be created separately and is not currently checked for existence." end newproperty(:uid) do desc "The user ID. Must be specified numerically. For new users being created, if no user ID is specified then one will be chosen automatically, which will likely result in the same user having different IDs on different systems, which is not recommended. This is especially noteworthy if you use Puppet to manage the same user on both Darwin and other platforms, since Puppet does the ID generation for you on Darwin, but the tools do so on other platforms." munge do |value| case value when String if value =~ /^[-0-9]+$/ value = Integer(value) end end return value end end newproperty(:gid) do desc "The user's primary group. Can be specified numerically or by name." munge do |value| if value.is_a?(String) and value =~ /^[-0-9]+$/ Integer(value) else value end end def insync?(is) return true unless self.should # We know the 'is' is a number, so we need to convert the 'should' to a number, # too. @should.each do |value| return true if number = Puppet::Util.gid(value) and is == number end false end def sync found = false @should.each do |value| if number = Puppet::Util.gid(value) provider.gid = number found = true break end end fail "Could not find group(s) #{@should.join(",")}" unless found # Use the default event. end end newproperty(:comment) do desc "A description of the user. Generally is a user's full name." end newproperty(:shell) do desc "The user's login shell. The shell must exist and be executable." end newproperty(:password, :required_features => :manages_passwords) do desc "The user's password, in whatever encrypted format the local machine requires. Be sure to enclose any value that includes a dollar sign ($) in single quotes (\')." validate do |value| raise ArgumentError, "Passwords cannot include ':'" if value.is_a?(String) and value.include?(":") end def change_to_s(currentvalue, newvalue) if currentvalue == :absent return "created password" else return "changed password" end end end newproperty(:password_min_age, :required_features => :manages_password_age) do desc "The minimum amount of time in days a password must be used before it may be changed" munge do |value| case value when String Integer(value) else value end end validate do |value| if value.to_s !~ /^\d+$/ raise ArgumentError, "Password minimum age must be provided as a number" end end end newproperty(:password_max_age, :required_features => :manages_password_age) do desc "The maximum amount of time in days a password may be used before it must be changed" munge do |value| case value when String Integer(value) else value end end validate do |value| if value.to_s !~ /^\d+$/ raise ArgumentError, "Password maximum age must be provided as a number" end end end newproperty(:groups, :parent => Puppet::Property::List) do desc "The groups of which the user is a member. The primary group should not be listed. Multiple groups should be specified as an array." validate do |value| if value =~ /^\d+$/ raise ArgumentError, "Group names must be provided, not numbers" end raise ArgumentError, "Group names must be provided as an array, not a comma-separated list" if value.include?(",") end end newparam(:name) do desc "User name. While limitations are determined for each operating system, it is generally a good idea to keep to the degenerate 8 characters, beginning with a letter." isnamevar end newparam(:membership) do desc "Whether specified groups should be treated as the only groups of which the user is a member or whether they should merely be treated as the minimum membership list." newvalues(:inclusive, :minimum) defaultto :minimum end newparam(:allowdupe, :boolean => true) do desc "Whether to allow duplicate UIDs." newvalues(:true, :false) defaultto false end newparam(:managehome, :boolean => true) do desc "Whether to manage the home directory when managing the user." newvalues(:true, :false) defaultto false validate do |val| if val.to_s == "true" raise ArgumentError, "User provider #{provider.class.name} can not manage home directories" unless provider.class.manages_homedir? end end end newproperty(:expiry, :required_features => :manages_expiry) do desc "The expiry date for this user. Must be provided in a zero padded YYYY-MM-DD format - e.g 2010-02-19." validate do |value| if value !~ /^\d{4}-\d{2}-\d{2}$/ raise ArgumentError, "Expiry dates must be YYYY-MM-DD" end end end # Autorequire the group, if it's around autorequire(:group) do autos = [] if obj = @parameters[:gid] and groups = obj.shouldorig groups = groups.collect { |group| if group =~ /^\d+$/ Integer(group) else group end } groups.each { |group| case group when Integer if resource = catalog.resources.find { |r| r.is_a?(Puppet::Type.type(:group)) and r.should(:gid) == group } autos << resource end else autos << group end } end if obj = @parameters[:groups] and groups = obj.should autos += groups.split(",") end autos end # Provide an external hook. Yay breaking out of APIs. def exists? provider.exists? end def retrieve absent = false properties.inject({}) { |prophash, property| current_value = :absent if absent prophash[property] = :absent else current_value = property.retrieve prophash[property] = current_value end if property.name == :ensure and current_value == :absent absent = true end prophash } end newproperty(:roles, :parent => Puppet::Property::List, :required_features => :manages_solaris_rbac) do desc "The roles the user has. Multiple roles should be specified as an array." def membership :role_membership end validate do |value| if value =~ /^\d+$/ raise ArgumentError, "Role names must be provided, not numbers" end raise ArgumentError, "Role names must be provided as an array, not a comma-separated list" if value.include?(",") end end #autorequire the roles that the user has autorequire(:user) do reqs = [] if roles_property = @parameters[:roles] and roles = roles_property.should reqs += roles.split(',') end reqs end newparam(:role_membership) do desc "Whether specified roles should be treated as the only roles of which the user is a member or whether they should merely be treated as the minimum membership list." newvalues(:inclusive, :minimum) defaultto :minimum end newproperty(:auths, :parent => Puppet::Property::List, :required_features => :manages_solaris_rbac) do desc "The auths the user has. Multiple auths should be specified as an array." def membership :auth_membership end validate do |value| if value =~ /^\d+$/ raise ArgumentError, "Auth names must be provided, not numbers" end raise ArgumentError, "Auth names must be provided as an array, not a comma-separated list" if value.include?(",") end end newparam(:auth_membership) do desc "Whether specified auths should be treated as the only auths of which the user is a member or whether they should merely be treated as the minimum membership list." newvalues(:inclusive, :minimum) defaultto :minimum end newproperty(:profiles, :parent => Puppet::Property::OrderedList, :required_features => :manages_solaris_rbac) do desc "The profiles the user has. Multiple profiles should be specified as an array." def membership :profile_membership end validate do |value| if value =~ /^\d+$/ raise ArgumentError, "Profile names must be provided, not numbers" end raise ArgumentError, "Profile names must be provided as an array, not a comma-separated list" if value.include?(",") end end newparam(:profile_membership) do desc "Whether specified roles should be treated as the only roles of which the user is a member or whether they should merely be treated as the minimum membership list." newvalues(:inclusive, :minimum) defaultto :minimum end newproperty(:keys, :parent => Puppet::Property::KeyValue, :required_features => :manages_solaris_rbac) do desc "Specify user attributes in an array of keyvalue pairs" def membership :key_membership end validate do |value| raise ArgumentError, "key value pairs must be seperated by an =" unless value.include?("=") end end newparam(:key_membership) do desc "Whether specified key value pairs should be treated as the only attributes of the user or whether they should merely be treated as the minimum list." newvalues(:inclusive, :minimum) defaultto :minimum end newproperty(:project, :required_features => :manages_solaris_rbac) do desc "The name of the project associated with a user" end + + newparam(:ia_load_module, :required_features => :manages_aix_lam) do + desc "The name of the I&A module to use to manage this user" + + defaultto "compat" + end + + newproperty(:attributes, :parent => Puppet::Property::KeyValue, :required_features => :manages_aix_lam) do + desc "Specify user AIX attributes in an array of keyvalue pairs" + + def membership + :attribute_membership + end + + def delimiter + " " + end + + validate do |value| + raise ArgumentError, "Attributes value pairs must be seperated by an =" unless value.include?("=") + end + end + + newparam(:attribute_membership) do + desc "Whether specified attribute value pairs should be treated as the only attributes + of the user or whether they should merely + be treated as the minimum list." + + newvalues(:inclusive, :minimum) + + defaultto :minimum + end + + end end