propellor/src/Propellor/Property/User.hs

module Propellor.Property.User where

import System.Posix

import Propellor

data Eep = YesReallyDeleteHome

accountFor :: UserName -> Property
accountFor user = check (isNothing <$> catchMaybeIO (homedir user)) $ cmdProperty "adduser"
	[ "--disabled-password"
	, "--gecos", ""
	, user
	]
	`describe` ("account for " ++ user)

-- | Removes user home directory!! Use with caution.
nuked :: UserName -> Eep -> Property
nuked user _ = check (isJust <$> catchMaybeIO (homedir user)) $ cmdProperty "userdel"
	[ "-r"
	, user
	]
	`describe` ("nuked user " ++ user)

-- | Only ensures that the user has some password set. It may or may
-- not be a password from the PrivData.
hasSomePassword :: UserName -> Property
hasSomePassword user = hasSomePassword' user hostContext

-- | While hasSomePassword uses the name of the host as context,
-- this allows specifying a different context. This is useful when
-- you want to use the same password on multiple hosts, for example.
hasSomePassword' :: IsContext c => UserName -> c -> Property
hasSomePassword' user context = check ((/= HasPassword) <$> getPasswordStatus user) $
	hasPassword' user context

-- | Ensures that a user's password is set to a password from the PrivData.
-- (Will change any existing password.)
--
-- A user's password can be stored in the PrivData in either of two forms;
-- the full cleartext <Password> or a <CryptPassword> hash. The latter
-- is obviously more secure.
hasPassword :: UserName -> Property
hasPassword user = hasPassword' user hostContext

hasPassword' :: IsContext c => UserName -> c -> Property
hasPassword' user context = go `requires` shadowConfig True
  where
	go = withSomePrivData [CryptPassword user, Password user] context $
		property (user ++ " has password") . setPassword

setPassword :: (((PrivDataField, PrivData) -> Propellor Result) -> Propellor Result) -> Propellor Result
setPassword getpassword = getpassword $ go
  where
	go (Password user, password) = set user password []
	go (CryptPassword user, hash) = set user hash ["--encrypted"]
	go (f, _) = error $ "Unexpected type of privdata: " ++ show f

	set user v ps = makeChange $ withHandle StdinHandle createProcessSuccess
		(proc "chpasswd" ps) $ \h -> do
			hPutStrLn h $ user ++ ":" ++ v
			hClose h

lockedPassword :: UserName -> Property
lockedPassword user = check (not <$> isLockedPassword user) $ cmdProperty "passwd"
	[ "--lock"
	, user
	]
	`describe` ("locked " ++ user ++ " password")

data PasswordStatus = NoPassword | LockedPassword | HasPassword
	deriving (Eq)

getPasswordStatus :: UserName -> IO PasswordStatus
getPasswordStatus user = parse . words <$> readProcess "passwd" ["-S", user]
  where
	parse (_:"L":_) = LockedPassword
	parse (_:"NP":_) = NoPassword
	parse (_:"P":_) = HasPassword
	parse _ = NoPassword

isLockedPassword :: UserName -> IO Bool
isLockedPassword user = (== LockedPassword) <$> getPasswordStatus user

homedir :: UserName -> IO FilePath
homedir user = homeDirectory <$> getUserEntryForName user

hasGroup :: UserName -> GroupName -> Property
hasGroup user group' = check test $ cmdProperty "adduser"
	[ user
	, group'
	]
	`describe` unwords ["user", user, "in group", group']
  where
	test = not . elem group' . words <$> readProcess "groups" [user]

-- | Controls whether shadow passwords are enabled or not.
shadowConfig :: Bool -> Property
shadowConfig True = check (not <$> shadowExists) $
	cmdProperty "shadowconfig" ["on"]
		`describe` "shadow passwords enabled"
shadowConfig False = check shadowExists $
	cmdProperty "shadowconfig" ["off"]
		`describe` "shadow passwords disabled"

shadowExists :: IO Bool
shadowExists = doesFileExist "/etc/shadow"
prepare for hackage 2014-03-31 03:37:54 +00:00			`module Propellor.Property.User where`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
			`import System.Posix`

more prep for hackage 2014-03-31 03:55:59 +00:00			`import Propellor`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
tweaks 2014-03-30 20:53:31 +00:00			`data Eep = YesReallyDeleteHome`

various improvements 2014-04-01 20:58:11 +00:00			`accountFor :: UserName -> Property`
propellor spin 2014-04-13 06:28:40 +00:00			`accountFor user = check (isNothing <$> catchMaybeIO (homedir user)) $ cmdProperty "adduser"`
more prep for hackage 2014-03-31 03:55:59 +00:00			`[ "--disabled-password"`
			`, "--gecos", ""`
			`, user`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00			`]`
propellor spin 2014-04-01 21:03:03 +00:00			`describe` ("account for " ++ user)
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
various improvements 2014-04-01 20:58:11 +00:00			`-- \| Removes user home directory!! Use with caution.`
tweaks 2014-03-30 20:53:31 +00:00			`nuked :: UserName -> Eep -> Property`
propellor spin 2014-04-13 06:28:40 +00:00			`nuked user _ = check (isJust <$> catchMaybeIO (homedir user)) $ cmdProperty "userdel"`
more prep for hackage 2014-03-31 03:55:59 +00:00			`[ "-r"`
			`, user`
password locking 2014-03-30 04:17:44 +00:00			`]`
better descriptions for properties 2014-03-30 19:53:35 +00:00			`describe` ("nuked user " ++ user)
password locking 2014-03-30 04:17:44 +00:00
various improvements 2014-04-01 20:58:11 +00:00			`-- \| Only ensures that the user has some password set. It may or may`
support for crypted passwords in privdata * Added CryptPassword to PrivDataField, for password hashes as produced by crypt(3). * User.hasPassword and User.hasSomePassword will now use either a CryptPassword or a Password from privdata, depending on which is set. 2014-12-14 19:24:10 +00:00			`-- not be a password from the PrivData.`
hasSomePassword and hasPassword now default to using the name of the host as the Context for the password. To specify a different context, use hasSomePassword' and hasPassword' (API change) 2014-11-23 20:39:49 +00:00			`hasSomePassword :: UserName -> Property`
Fixed privdata introspection for User.hasPassword and User.hasSomePassword This is not a complete fix for the problem that Info doen't propigate from the called property when code does something like: do hostname <- asks hostName ensureProperty $ foo hostname Instead, I just eliminated the need to implement hasPassword that way, by making the PrivData Info use a HostContext which automatically gets the right hostname passed to it. All other uses of withPrivData don't have the problem. It's still possible for the user to run into the problem if they write something like the above, where foo is a property that uses privdata. However, all properties that take a Context now also accept a HostContext, so it's at least less likely the user needs to write that. 2014-12-07 18:57:35 +00:00			`hasSomePassword user = hasSomePassword' user hostContext`
propellor spin 2014-07-06 19:56:56 +00:00
hasSomePassword and hasPassword now default to using the name of the host as the Context for the password. To specify a different context, use hasSomePassword' and hasPassword' (API change) 2014-11-23 20:39:49 +00:00			`-- \| While hasSomePassword uses the name of the host as context,`
			`-- this allows specifying a different context. This is useful when`
			`-- you want to use the same password on multiple hosts, for example.`
Fixed privdata introspection for User.hasPassword and User.hasSomePassword This is not a complete fix for the problem that Info doen't propigate from the called property when code does something like: do hostname <- asks hostName ensureProperty $ foo hostname Instead, I just eliminated the need to implement hasPassword that way, by making the PrivData Info use a HostContext which automatically gets the right hostname passed to it. All other uses of withPrivData don't have the problem. It's still possible for the user to run into the problem if they write something like the above, where foo is a property that uses privdata. However, all properties that take a Context now also accept a HostContext, so it's at least less likely the user needs to write that. 2014-12-07 18:57:35 +00:00			`hasSomePassword' :: IsContext c => UserName -> c -> Property`
hasSomePassword and hasPassword now default to using the name of the host as the Context for the password. To specify a different context, use hasSomePassword' and hasPassword' (API change) 2014-11-23 20:39:49 +00:00			`hasSomePassword' user context = check ((/= HasPassword) <$> getPasswordStatus user) $`
			`hasPassword' user context`

support for crypted passwords in privdata * Added CryptPassword to PrivDataField, for password hashes as produced by crypt(3). * User.hasPassword and User.hasSomePassword will now use either a CryptPassword or a Password from privdata, depending on which is set. 2014-12-14 19:24:10 +00:00			`-- \| Ensures that a user's password is set to a password from the PrivData.`
hasSomePassword and hasPassword now default to using the name of the host as the Context for the password. To specify a different context, use hasSomePassword' and hasPassword' (API change) 2014-11-23 20:39:49 +00:00			`-- (Will change any existing password.)`
support for crypted passwords in privdata * Added CryptPassword to PrivDataField, for password hashes as produced by crypt(3). * User.hasPassword and User.hasSomePassword will now use either a CryptPassword or a Password from privdata, depending on which is set. 2014-12-14 19:24:10 +00:00			`--`
			`-- A user's password can be stored in the PrivData in either of two forms;`
			`-- the full cleartext <Password> or a <CryptPassword> hash. The latter`
			`-- is obviously more secure.`
hasSomePassword and hasPassword now default to using the name of the host as the Context for the password. To specify a different context, use hasSomePassword' and hasPassword' (API change) 2014-11-23 20:39:49 +00:00			`hasPassword :: UserName -> Property`
Fixed privdata introspection for User.hasPassword and User.hasSomePassword This is not a complete fix for the problem that Info doen't propigate from the called property when code does something like: do hostname <- asks hostName ensureProperty $ foo hostname Instead, I just eliminated the need to implement hasPassword that way, by making the PrivData Info use a HostContext which automatically gets the right hostname passed to it. All other uses of withPrivData don't have the problem. It's still possible for the user to run into the problem if they write something like the above, where foo is a property that uses privdata. However, all properties that take a Context now also accept a HostContext, so it's at least less likely the user needs to write that. 2014-12-07 18:57:35 +00:00			`hasPassword user = hasPassword' user hostContext`
hasSomePassword and hasPassword now default to using the name of the host as the Context for the password. To specify a different context, use hasSomePassword' and hasPassword' (API change) 2014-11-23 20:39:49 +00:00
Fixed privdata introspection for User.hasPassword and User.hasSomePassword This is not a complete fix for the problem that Info doen't propigate from the called property when code does something like: do hostname <- asks hostName ensureProperty $ foo hostname Instead, I just eliminated the need to implement hasPassword that way, by making the PrivData Info use a HostContext which automatically gets the right hostname passed to it. All other uses of withPrivData don't have the problem. It's still possible for the user to run into the problem if they write something like the above, where foo is a property that uses privdata. However, all properties that take a Context now also accept a HostContext, so it's at least less likely the user needs to write that. 2014-12-07 18:57:35 +00:00			`hasPassword' :: IsContext c => UserName -> c -> Property`
hasSomePassword and hasPassword now check to make sure shadow passwords are enabled. 2014-12-05 20:33:23 +00:00			hasPassword' user context = go `requires` shadowConfig True
			`where`
support for crypted passwords in privdata * Added CryptPassword to PrivDataField, for password hashes as produced by crypt(3). * User.hasPassword and User.hasSomePassword will now use either a CryptPassword or a Password from privdata, depending on which is set. 2014-12-14 19:24:10 +00:00			`go = withSomePrivData [CryptPassword user, Password user] context $`
			`property (user ++ " has password") . setPassword`
Fixed privdata introspection for User.hasPassword and User.hasSomePassword This is not a complete fix for the problem that Info doen't propigate from the called property when code does something like: do hostname <- asks hostName ensureProperty $ foo hostname Instead, I just eliminated the need to implement hasPassword that way, by making the PrivData Info use a HostContext which automatically gets the right hostname passed to it. All other uses of withPrivData don't have the problem. It's still possible for the user to run into the problem if they write something like the above, where foo is a property that uses privdata. However, all properties that take a Context now also accept a HostContext, so it's at least less likely the user needs to write that. 2014-12-07 18:57:35 +00:00
support for crypted passwords in privdata * Added CryptPassword to PrivDataField, for password hashes as produced by crypt(3). * User.hasPassword and User.hasSomePassword will now use either a CryptPassword or a Password from privdata, depending on which is set. 2014-12-14 19:24:10 +00:00			`setPassword :: (((PrivDataField, PrivData) -> Propellor Result) -> Propellor Result) -> Propellor Result`
			`setPassword getpassword = getpassword $ go`
			`where`
			`go (Password user, password) = set user password []`
			`go (CryptPassword user, hash) = set user hash ["--encrypted"]`
			`go (f, _) = error $ "Unexpected type of privdata: " ++ show f`

			`set user v ps = makeChange $ withHandle StdinHandle createProcessSuccess`
			`(proc "chpasswd" ps) $ \h -> do`
			`hPutStrLn h $ user ++ ":" ++ v`
Fixed privdata introspection for User.hasPassword and User.hasSomePassword This is not a complete fix for the problem that Info doen't propigate from the called property when code does something like: do hostname <- asks hostName ensureProperty $ foo hostname Instead, I just eliminated the need to implement hasPassword that way, by making the PrivData Info use a HostContext which automatically gets the right hostname passed to it. All other uses of withPrivData don't have the problem. It's still possible for the user to run into the problem if they write something like the above, where foo is a property that uses privdata. However, all properties that take a Context now also accept a HostContext, so it's at least less likely the user needs to write that. 2014-12-07 18:57:35 +00:00			`hClose h`
propellor spin 2014-03-30 23:10:32 +00:00
password locking 2014-03-30 04:17:44 +00:00			`lockedPassword :: UserName -> Property`
check if password is locked for idempotency sake 2014-03-30 05:57:10 +00:00			`lockedPassword user = check (not <$> isLockedPassword user) $ cmdProperty "passwd"`
more prep for hackage 2014-03-31 03:55:59 +00:00			`[ "--lock"`
			`, user`
password locking 2014-03-30 04:17:44 +00:00			`]`
better descriptions for properties 2014-03-30 19:53:35 +00:00			`describe` ("locked " ++ user ++ " password")
password locking 2014-03-30 04:17:44 +00:00
propellor spin 2014-03-31 00:18:45 +00:00			`data PasswordStatus = NoPassword \| LockedPassword \| HasPassword`
			`deriving (Eq)`

			`getPasswordStatus :: UserName -> IO PasswordStatus`
			`getPasswordStatus user = parse . words <$> readProcess "passwd" ["-S", user]`
check if password is locked for idempotency sake 2014-03-30 05:57:10 +00:00			`where`
propellor spin 2014-03-31 00:18:45 +00:00			`parse (_:"L":_) = LockedPassword`
			`parse (_:"NP":_) = NoPassword`
			`parse (_:"P":_) = HasPassword`
			`parse _ = NoPassword`

			`isLockedPassword :: UserName -> IO Bool`
			`isLockedPassword user = (== LockedPassword) <$> getPasswordStatus user`
check if password is locked for idempotency sake 2014-03-30 05:57:10 +00:00
propellor spin 2014-04-13 06:28:40 +00:00			`homedir :: UserName -> IO FilePath`
			`homedir user = homeDirectory <$> getUserEntryForName user`
User: hasGroup Signed-off-by: Félix Sipma <felix.sipma@no-log.org> 2014-11-23 17:25:39 +00:00
			`hasGroup :: UserName -> GroupName -> Property`
			`hasGroup user group' = check test $ cmdProperty "adduser"`
			`[ user`
			`, group'`
			`]`
			`describe` unwords ["user", user, "in group", group']
			`where`
preferred style 2014-11-23 18:37:37 +00:00			`test = not . elem group' . words <$> readProcess "groups" [user]`
more work on OS takeover 2014-12-04 21:11:15 +00:00
			`-- \| Controls whether shadow passwords are enabled or not.`
			`shadowConfig :: Bool -> Property`
			`shadowConfig True = check (not <$> shadowExists) $`
			`cmdProperty "shadowconfig" ["on"]`
			`describe` "shadow passwords enabled"
			`shadowConfig False = check shadowExists $`
			`cmdProperty "shadowconfig" ["off"]`
			`describe` "shadow passwords disabled"

			`shadowExists :: IO Bool`
			`shadowExists = doesFileExist "/etc/shadow"`