propellor/Propellor/Property/User.hs

module Propellor.Property.User where

import System.Posix

import Propellor

data Eep = YesReallyDeleteHome

accountFor :: UserName -> Property
accountFor user = check (isNothing <$> homedir user) $ cmdProperty "adduser"
	[ "--disabled-password"
	, "--gecos", ""
	, user
	]
	`describe` ("ssh account " ++ user)

-- | Removes user home directory!! Use with caution.
nuked :: UserName -> Eep -> Property
nuked user _ = check (isJust <$> homedir user) $ cmdProperty "userdel"
	[ "-r"
	, user
	]
	`describe` ("nuked user " ++ user)

-- | Only ensures that the user has some password set. It may or may
-- not be the password from the PrivData.
hasSomePassword :: UserName -> Property
hasSomePassword user = check ((/= HasPassword) <$> getPasswordStatus user) $
	hasPassword user

hasPassword :: UserName -> Property
hasPassword user = Property (user ++ " has password") $
	withPrivData (Password user) $ \password -> makeChange $
		withHandle StdinHandle createProcessSuccess
			(proc "chpasswd" []) $ \h -> do
				hPutStrLn h $ user ++ ":" ++ password
				hClose h

lockedPassword :: UserName -> Property
lockedPassword user = check (not <$> isLockedPassword user) $ cmdProperty "passwd"
	[ "--lock"
	, user
	]
	`describe` ("locked " ++ user ++ " password")

data PasswordStatus = NoPassword | LockedPassword | HasPassword
	deriving (Eq)

getPasswordStatus :: UserName -> IO PasswordStatus
getPasswordStatus user = parse . words <$> readProcess "passwd" ["-S", user]
  where
	parse (_:"L":_) = LockedPassword
	parse (_:"NP":_) = NoPassword
	parse (_:"P":_) = HasPassword
	parse _ = NoPassword

isLockedPassword :: UserName -> IO Bool
isLockedPassword user = (== LockedPassword) <$> getPasswordStatus user

homedir :: UserName -> IO (Maybe FilePath)
homedir user = catchMaybeIO $ homeDirectory <$> getUserEntryForName user
prepare for hackage 2014-03-31 03:37:54 +00:00			`module Propellor.Property.User where`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
			`import System.Posix`

more prep for hackage 2014-03-31 03:55:59 +00:00			`import Propellor`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
tweaks 2014-03-30 20:53:31 +00:00			`data Eep = YesReallyDeleteHome`

various improvements 2014-04-01 20:58:11 +00:00			`accountFor :: UserName -> Property`
			`accountFor user = check (isNothing <$> homedir user) $ cmdProperty "adduser"`
more prep for hackage 2014-03-31 03:55:59 +00:00			`[ "--disabled-password"`
			`, "--gecos", ""`
			`, user`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00			`]`
better descriptions for properties 2014-03-30 19:53:35 +00:00			`describe` ("ssh account " ++ user)
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
various improvements 2014-04-01 20:58:11 +00:00			`-- \| Removes user home directory!! Use with caution.`
tweaks 2014-03-30 20:53:31 +00:00			`nuked :: UserName -> Eep -> Property`
			`nuked user _ = check (isJust <$> homedir user) $ cmdProperty "userdel"`
more prep for hackage 2014-03-31 03:55:59 +00:00			`[ "-r"`
			`, user`
password locking 2014-03-30 04:17:44 +00:00			`]`
better descriptions for properties 2014-03-30 19:53:35 +00:00			`describe` ("nuked user " ++ user)
password locking 2014-03-30 04:17:44 +00:00
various improvements 2014-04-01 20:58:11 +00:00			`-- \| Only ensures that the user has some password set. It may or may`
			`-- not be the password from the PrivData.`
propellor spin 2014-03-31 00:18:45 +00:00			`hasSomePassword :: UserName -> Property`
			`hasSomePassword user = check ((/= HasPassword) <$> getPasswordStatus user) $`
			`hasPassword user`

propellor spin 2014-03-30 23:22:10 +00:00			`hasPassword :: UserName -> Property`
			`hasPassword user = Property (user ++ " has password") $`
propellor spin 2014-03-30 23:10:32 +00:00			`withPrivData (Password user) $ \password -> makeChange $`
			`withHandle StdinHandle createProcessSuccess`
			`(proc "chpasswd" []) $ \h -> do`
			`hPutStrLn h $ user ++ ":" ++ password`
			`hClose h`

password locking 2014-03-30 04:17:44 +00:00			`lockedPassword :: UserName -> Property`
check if password is locked for idempotency sake 2014-03-30 05:57:10 +00:00			`lockedPassword user = check (not <$> isLockedPassword user) $ cmdProperty "passwd"`
more prep for hackage 2014-03-31 03:55:59 +00:00			`[ "--lock"`
			`, user`
password locking 2014-03-30 04:17:44 +00:00			`]`
better descriptions for properties 2014-03-30 19:53:35 +00:00			`describe` ("locked " ++ user ++ " password")
password locking 2014-03-30 04:17:44 +00:00
propellor spin 2014-03-31 00:18:45 +00:00			`data PasswordStatus = NoPassword \| LockedPassword \| HasPassword`
			`deriving (Eq)`

			`getPasswordStatus :: UserName -> IO PasswordStatus`
			`getPasswordStatus user = parse . words <$> readProcess "passwd" ["-S", user]`
check if password is locked for idempotency sake 2014-03-30 05:57:10 +00:00			`where`
propellor spin 2014-03-31 00:18:45 +00:00			`parse (_:"L":_) = LockedPassword`
			`parse (_:"NP":_) = NoPassword`
			`parse (_:"P":_) = HasPassword`
			`parse _ = NoPassword`

			`isLockedPassword :: UserName -> IO Bool`
			`isLockedPassword user = (== LockedPassword) <$> getPasswordStatus user`
check if password is locked for idempotency sake 2014-03-30 05:57:10 +00:00
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00			`homedir :: UserName -> IO (Maybe FilePath)`
			`homedir user = catchMaybeIO $ homeDirectory <$> getUserEntryForName user`