
Member "cfengine-3.15.4/tests/acceptance/17_users/unsafe/user_queries.cf.sub" (7 Jun 2021, 11929 Bytes) of package /linux/misc/cfengine-3.15.4.tar.gz:



    1 bundle common user_tests
    2 {
        # Platform-dependent fixtures shared by the query bundles in this file:
        # group names and GIDs, tool paths, and classes recording which account
        # database carries the password field on the current platform.
    3   vars:
    4     !windows::
    5       "group1" string => "bin";
    6       "group2" string => "sys";
    7       "gid2" string => "3";
          # gid1 differs by platform; gid2 is "3" on every non-Windows host.
    8     redhat|suse.!suse_15::
    9       "gid1" string => "1";
   10     !redhat.(!suse|suse_15).!windows::
   11       "gid1" string => "2";
   12 
   13     windows::
   14       "group1" string => "Users";
   15       "group2" string => "Administrators";
   16 
   17     freebsd::
   18       "pw_path" string => "/usr/sbin/pw";
   19       "sudo_path" string => "/usr/local/bin/sudo";
          # pw_path is empty everywhere except FreeBSD, so a command written as
          # "$(user_tests.pw_path) groupdel ..." starts with a bare space there.
   20     !freebsd::
   21       "pw_path" string => "";
   22       "sudo_path" string => "/usr/bin/sudo";
   23 
   24   classes:
   25     # On HPUX we use a sudo hack, which doesn't support '-u'.
   26     !windows.!hpux::
   27       "sudo_works" expression => "any";
   28 
          # The passwords_in_* classes say which file holds the hash field.
          # An expression of "!any" is never true, so that promise leaves the
          # class undefined on the platform it is guarded by.
   29     hpux::
   30       "passwords_in_shadow" expression => fileexists("/etc/shadow");
   31       "passwords_in_passwd" not => fileexists("/etc/shadow");
   32     freebsd::
   33       "passwords_in_shadow" expression => "!any";
   34       "passwords_in_passwd" expression => "!any";
   35       "passwords_in_master_passwd" expression => "any";
   36     windows|aix::
   37       "passwords_in_shadow" expression => "!any";
   38       "passwords_in_passwd" expression => "!any";
   39     !hpux.!windows.!aix.!freebsd::
   40       "passwords_in_shadow" expression => "any";
   41       "passwords_in_passwd" expression => "!any";
          # passwords_in_passwd_format is defined everywhere except Windows and
          # AIX (so it is also defined on FreeBSD); the hash bundles below use it
          # to guard their grep on $(passwd_file).
   42     windows|aix::
   43       "passwords_in_passwd_format" expression => "!any";
   44     !windows.!aix::
   45       "passwords_in_passwd_format" expression => "any";
   46 }
   47 
   48 bundle agent remove_stale_groups
   49 {
        # Deletes the leftover "johndoe" group so a later test run starts clean.
        # The group name is hard-coded; nothing here records whether the
        # deletion succeeded (no classes body is attached to either command).
   50   # When we create a user and change its primary GID afterwards, its original
   51   # group may linger and cause problems later.
   52   commands:
   53     aix::
   54       "rmgroup johndoe"
   55         contain => in_shell;
          # user_tests.pw_path is "/usr/sbin/pw" on FreeBSD and empty elsewhere,
          # so this runs "pw groupdel" on FreeBSD and plain "groupdel" otherwise.
          # in_shell is not defined in this file; presumably it enables the shell.
   56     !aix::
   57       "$(user_tests.pw_path) groupdel johndoe"
   58         contain => in_shell;
   59 }
   60 
   61 bundle agent user_exists(user, true_class, false_class)
   62 {
        # Defines $(true_class) when an account named $(user) exists, otherwise
        # $(false_class).
        #
        # NOTE(review): $(user) is expanded unescaped into a shell command line
        # (no_output_shell sets useshell) and into the grep pattern. Callers must
        # pass only fixed, trusted names: a quote or regex metacharacter in the
        # value would change the command or the pattern that is run.
   63   commands:
   64     !windows::
          # Looks for a line whose first field is exactly $(user).
   65       "$(G.grep) '^$(user):' /etc/passwd"
   66         contain => no_output_shell,
   67         classes => on_success("$(true_class)", "$(false_class)");
   68   vars:
   69     windows::
          # "net user" is also run through the shell with $(user) unescaped;
          # only the regex copy in "reg" is escaped.
   70       "output" string => execresult("net user $(user)", "useshell");
   71       "reg" string => escape("$(user)");
   72   classes:
   73     windows::
          # Matches the name anywhere in the command output, not only in a
          # specific field.
   74       "$(true_class)" expression => regcmp(".*$(reg).*", "$(output)"),
   75         scope => "namespace";
   76       "$(false_class)" not => regcmp(".*$(reg).*", "$(output)"),
   77         scope => "namespace";
   78 }
   79 
   80 bundle agent user_has_uid(user, uid, true_class, false_class)
   81 {
        # Defines $(true_class) when $(user)'s /etc/passwd entry has $(uid) in its
        # third field, otherwise $(false_class). On Windows it only reports that
        # the check is unavailable and defines neither class.
        #
        # NOTE(review): $(user) and $(uid) reach the shell and the grep pattern
        # unescaped (no_output_shell sets useshell); pass trusted literals only.
   82   commands:
   83     !windows::
          # Field layout matched: name : password : uid : ...
   84       "$(G.grep) '^$(user):[^:]*:$(uid):' /etc/passwd"
   85         contain => no_output_shell,
   86         classes => on_success("$(true_class)", "$(false_class)");
   87 
   88   reports:
   89     windows::
   90       "Cannot check uid on Windows!";
   91 }
   92 
   93 bundle agent user_is_in_primary_group(user, group, true_class, false_class)
   94 {
        # Defines $(true_class) when $(user)'s primary GID in /etc/passwd equals
        # the GID of $(group) in /etc/group, otherwise $(false_class).
        # On Windows the check is delegated to user_is_in_secondary_group.
        #
        # NOTE(review): $(user) and $(group) are used unescaped in the regex and,
        # for $(user), in a shell command line; pass trusted literals only.
   95   vars:
   96     !windows::
          # getfields splits the matching /etc/group line on ":" into the
          # gid_number array; element 3 is the numeric GID field. "no" receives
          # the function's integer result and is not used again in this bundle.
          # NOTE(review): if no line matches, $(gid_number[3]) presumably stays
          # unexpanded in the command below - confirm.
   97       "no" int => getfields("$(group):.*", "/etc/group", ":", "gid_number");
   98 
   99   commands:
  100     !windows::
          # Field layout matched: name : password : uid : gid : ...
  101       "$(G.grep) '^$(user):[^:]*:[^:]*:$(gid_number[3]):' /etc/passwd"
  102         contain => no_output_shell,
  103         classes => on_success("$(true_class)", "$(false_class)");
  104 
  105   methods:
  106     windows::
  107       "redirect" usebundle => user_is_in_secondary_group("$(user)", "$(group)", "$(true_class)", "$(false_class)");
  108 }
  109 
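  110 bundle agent user_is_in_secondary_group(user, group, true_class, false_class)
  111 {
        # Defines $(true_class) when $(user) is listed as a member of $(group),
        # otherwise $(false_class).
        #
        # NOTE(review): $(user) and $(group) reach the shell and the egrep
        # pattern unescaped (no_output_shell sets useshell); pass trusted
        # literals only.
  112   commands:
  113     !windows::
          # The member must be a whole comma-separated entry of the fourth
          # field. The optional prefix is "([^:]*,)?" rather than "[^:]*,?":
          # the latter let [^:]* swallow the start of a longer name, so a
          # user "doe" matched a group whose only member was "johndoe".
  114       "$(G.egrep) '^$(group):[^:]*:[^:]*:([^:]*,)?$(user)(,|$)' /etc/group"
  115         contain => no_output_shell,
  116         classes => on_success("$(true_class)", "$(false_class)");
  117 
  118   vars:
  119     windows::
          # "net user" runs through the shell with $(user) unescaped; only the
          # regex copy of the group name is escaped.
  120       "output" string => execresult("net user $(user)", "useshell");
  121       "reg" string => escape("$(group)");
  122   classes:
  123     windows::
          # Accepts $(group) after any number of "*Name" entries following the
          # "Local Group Memberships" label in the net user output.
  124       "$(true_class)" expression => regcmp(".*Local Group Memberships *(\*[a-zA-Z0-9]* *)* *$(reg).*", "$(output)"),
  125         scope => "namespace";
  126       "$(false_class)" not => regcmp(".*Local Group Memberships *(\*[a-zA-Z0-9]* *)* *$(reg).*", "$(output)"),
  127         scope => "namespace";
  128 }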
  129 
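  130 bundle agent user_is_in_any_secondary_group(user, true_class, false_class)
  131 {
        # Defines $(true_class) when $(user) appears in the member list of any
        # /etc/group entry, otherwise $(false_class).
        #
        # NOTE(review): $(user) reaches the shell and the egrep pattern
        # unescaped (no_output_shell sets useshell); pass trusted literals only.
  132   commands:
  133     !windows::
          # The member must be a whole comma-separated entry of the fourth
          # field. "([^:]*,)?" replaces "[^:]*,?", which also matched when
          # $(user) was merely the tail of a longer member name.
  134       "$(G.egrep) '^[^:]*:[^:]*:[^:]*:([^:]*,)?$(user)(,|$)' /etc/group"
  135         contain => no_output_shell,
  136         classes => on_success("$(true_class)", "$(false_class)");
  137 
  138   vars:
  139     windows::
  140       "output" string => execresult("net user $(user)", "useshell");
  141   classes:
  142     windows::
          # NOTE(review): this defines $(true_class) when the output shows
          # "*None" after "Local Group Memberships", which reads as the
          # opposite of the Unix branch - confirm against the callers.
  143       "$(true_class)" expression => regcmp(".*Local Group Memberships *\*None.*", "$(output)"),
  144         scope => "namespace";
  145       "$(false_class)" not => regcmp(".*Local Group Memberships *\*None.*", "$(output)"),
  146         scope => "namespace";
  147 }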
  148 
  149 bundle agent user_has_home_dir(user, home_dir, true_class, false_class)
  150 {
        # Defines $(true_class) when $(user)'s home directory is $(home_dir),
        # otherwise $(false_class).
        #
        # NOTE(review): on Unix both parameters are placed unescaped into the
        # shell command and the grep pattern, so a "." in $(home_dir) matches any
        # character; pass trusted literals only.
  151   commands:
  152     !windows::
          # Field layout matched: name : password : uid : gid : gecos : home : ...
  153       "$(G.grep) '^$(user):[^:]*:[^:]*:[^:]*:[^:]*:$(home_dir):' /etc/passwd"
  154         contain => no_output_shell,
  155         classes => on_success("$(true_class)", "$(false_class)");
  156 
  157   vars:
  158     windows::
          # Only the regex copy of the path is escaped; $(user) still reaches the
          # shell as written.
  159       "output" string => execresult("net user $(user)", "useshell");
  160       "reg" string => escape("$(home_dir)");
  161   classes:
  162     windows::
  163       "$(true_class)" expression => regcmp(".*Home directory *$(reg).*", "$(output)"),
  164         scope => "namespace";
  165       "$(false_class)" not => regcmp(".*Home directory *$(reg).*", "$(output)"),
  166         scope => "namespace";
  167 }
  168 
  169 bundle agent user_has_shell(user, shell, true_class, false_class)
  170 {
        # Defines $(true_class) when the last field of $(user)'s /etc/passwd
        # entry is $(shell), otherwise $(false_class). On Windows it only reports
        # that the check is unavailable and defines neither class.
        #
        # NOTE(review): $(user) and $(shell) reach the shell and the grep pattern
        # unescaped (no_output_shell sets useshell); pass trusted literals only.
  171   commands:
  172     !windows::
          # The trailing "$" anchors the shell to the end of the line.
  173       "$(G.grep) '^$(user):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:$(shell)$' /etc/passwd"
  174         contain => no_output_shell,
  175         classes => on_success("$(true_class)", "$(false_class)");
  176 
  177   reports:
  178     windows::
  179       "Cannot check shell on Windows!";
  180 }
  181 
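  182 bundle agent user_has_description(user, description, true_class, false_class)
  183 {
        # Defines $(true_class) when $(user)'s description (the fifth
        # /etc/passwd field on Unix, "Full Name" in net user output on Windows)
        # is $(description), otherwise $(false_class).
        #
        # NOTE(review): on Unix both parameters reach the shell and the grep
        # pattern unescaped (no_output_shell sets useshell); pass trusted
        # literals only.
  184   commands:
  185     !windows::
  186       "$(G.grep) '^$(user):[^:]*:[^:]*:[^:]*:$(description):' /etc/passwd"
  187         contain => no_output_shell,
  188         classes => on_success("$(true_class)", "$(false_class)");
  189 
  190   vars:
  191     windows::
  192       "output" string => execresult("net user $(user)", "useshell");
          # Escape the description before it is used as a regex, as the other
          # Windows checks in this file do for their parameters; without this a
          # description containing regex metacharacters is not matched literally.
            "reg" string => escape("$(description)");
  193   classes:
  194     windows::
  195       "$(true_class)" expression => regcmp(".*Full Name *$(reg).*", "$(output)"),
  196         scope => "namespace";
  197       "$(false_class)" not => regcmp(".*Full Name *$(reg).*", "$(output)"),
  198         scope => "namespace";
  199 }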
  200 
  201 bundle agent user_has_password(user, password, true_class, false_class)
  202 {
        # Windows only: defines $(true_class) when PsExec can start cf-agent as
        # $(user) with $(password), otherwise $(false_class). Unix hosts only get
        # a report, and so do Windows hosts without the has_psexec class.
        #
        # NOTE(review): the clear-text password is passed as a command-line
        # argument ("-p $(password)"), where process listings and command-line
        # auditing can record it. Use throwaway test credentials only.
  203   reports:
  204     !windows::
  205       "Cannot test password on Unix!";
  206 
  207   classes:
  208     windows.has_psexec::
          # "noshell": the command is executed without a shell. The same command
          # is written in both promises, one per outcome class.
  209       "$(true_class)" expression => returnszero("$(G.psexec) -u $(user) -p $(password) $(sys.cf_agent) -h", "noshell"),
  210         scope => "namespace";
  211       "$(false_class)" not => returnszero("$(G.psexec) -u $(user) -p $(password) $(sys.cf_agent) -h", "noshell"),
  212         scope => "namespace";
  213   reports:
  214     windows.!has_psexec::
  215       "Need PsExec.exe tool from PSTools to test password!";
  216 }
  217 
  218 bundle agent user_has_password_hash(user, hash, true_class, false_class)
  219 {
        # Defines $(true_class) when the stored password hash of $(user) equals
        # $(hash), otherwise $(false_class). Windows only gets a report.
        #
        # NOTE(review): $(user) reaches the shell unescaped in both the grep and
        # the AIX helper command; pass trusted literals only. The hash itself is
        # part of the command line that grep is started with.
  220   vars:
  221     !aix::
          # The hash is regex-escaped before it is placed in the grep pattern.
  222       "escaped_hash" string => escape("$(hash)");
  223     aix::
          # AIX reads the field through a helper script shipped next to this
          # policy file.
  224       "user_hash" string => execresult("$(this.promise_dirname)/aix_get_shadow_field.pl password $(user)", "useshell");
          # Pick the file that carries the hash on this platform (classes come
          # from bundle common user_tests).
  225     passwords_in_passwd::
  226       "passwd_file" string => "/etc/passwd";
  227     passwords_in_shadow::
  228       "passwd_file" string => "/etc/shadow";
  229     passwords_in_master_passwd::
  230       "passwd_file" string => "/etc/master.passwd";
  231 
  232   classes:
  233     aix::
          # Exact string comparison against the helper's output.
  234       "$(true_class)" expression => strcmp($(hash), $(user_hash)),
  235         scope => "namespace";
  236       "$(false_class)" not => strcmp($(hash), $(user_hash)),
  237         scope => "namespace";
  238 
  239   commands:
  240     passwords_in_passwd_format::
          # The hash must be the complete second field of the user's line.
  241       "$(G.grep) '^$(user):$(escaped_hash):' $(passwd_file)"
  242         contain => no_output_shell,
  243         classes => on_success("$(true_class)", "$(false_class)");
  244 
  245   reports:
  246     windows::
  247       "Cannot test password hash on Windows!";
  248 }
  249 
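  250 bundle agent user_get_password_hash(user)
  251 {
        # Reads the stored password hash of $(user) into the bundle variable
        # "hash". Windows only gets a report.
        #
        # NOTE(review): $(user) reaches the shell unescaped (execresult with
        # "useshell"); pass trusted literals only. The result is a real
        # credential hash held in a policy variable - keep it out of reports.
  252   vars:
  253     passwords_in_passwd::
  254       "passwd_file" string => "/etc/passwd";
  255     passwords_in_shadow::
  256       "passwd_file" string => "/etc/shadow";
          # FreeBSD defines passwords_in_passwd_format but neither of the two
          # classes above, which left $(passwd_file) undefined in the command
          # below. Map it the same way user_has_password_hash does.
          passwords_in_master_passwd::
            "passwd_file" string => "/etc/master.passwd";
  257     passwords_in_passwd_format::
          # grep selects the user's line; sed keeps only the second field.
  258       "hash" string => execresult("$(G.grep) '^$(user):' $(passwd_file) | $(G.sed) -e 's/[^:]*:\([^:]*\):.*/\1/'", "useshell");
  259     aix::
  260       "hash" string => execresult("$(this.promise_dirname)/aix_get_shadow_field.pl password $(user)", "useshell");
  261 
  262   reports:
  263     windows::
  264       "Cannot get password hash on Windows!";
  265 }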
  266 
  267 bundle agent user_is_locked(user, true_class, false_class)
  268 {
        # Defines $(true_class) when the account $(user) is locked, otherwise
        # $(false_class). "Locked" means a password field starting with "!" on
        # Unix and AIX, and "Account active No" in net user output on Windows.
        #
        # NOTE(review): $(user) reaches the shell and the grep pattern unescaped;
        # pass trusted literals only.
        # NOTE(review): FreeBSD defines neither passwords_in_shadow nor
        # passwords_in_passwd (see user_tests), so no command below runs there
        # and neither class is defined - confirm this is intended.
  269   vars:
  270     solaris::
  271       # Solaris doesn't support expiry date properly (see users promise code).
  272       "expiry_date" string => "";
  273     !solaris::
  274       # Expiry date should be something non-empty.
  275       "expiry_date" string => "[^:]";
  276     aix::
  277       "user_hash" string => execresult("$(this.promise_dirname)/aix_get_shadow_field.pl password $(user)", "useshell");
  278 
  279   classes:
  280     aix::
  281       "$(true_class)" expression => regcmp("!.*", $(user_hash)),
  282         scope => "namespace";
  283       "$(false_class)" not => regcmp("!.*", $(user_hash)),
  284         scope => "namespace";
  285 
  286   commands:
  287     passwords_in_shadow::
          # Field 2 must start with "!"; fields 3-7 are unconstrained; field 8
          # (expiry) must begin with $(expiry_date), i.e. be non-empty except on
          # Solaris where the pattern is empty.
  288       # Notice the [^:] without * at the end. That field (expiry) should be *something*.
  289       "$(G.grep) '^$(user):![^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:$(expiry_date)[^:]*:' /etc/shadow"
  290         contain => no_output_shell,
  291         classes => on_success("$(true_class)", "$(false_class)");
  292     passwords_in_passwd::
          # Without a shadow file only the "!" prefix in /etc/passwd is checked.
  293       "$(G.grep) '^$(user):![^:]*:' /etc/passwd"
  294         contain => no_output_shell,
  295         classes => on_success("$(true_class)", "$(false_class)");
  296 
  297   vars:
  298     windows::
  299       "output" string => execresult("net user $(user)", "useshell");
  300   classes:
  301     windows::
  302       "$(true_class)" expression => regcmp(".*Account active *No.*", "$(output)"),
  303         scope => "namespace";
  304       "$(false_class)" not => regcmp(".*Account active *No.*", "$(output)"),
  305         scope => "namespace";
  306 }
  307 
  308 bundle agent user_is_unlocked(user, true_class, false_class)
  309 {
        # Defines $(true_class) when the account $(user) is not locked, otherwise
        # $(false_class). This is the counterpart of user_is_locked: no "!" in
        # the password field on Unix and AIX, "Account active Yes" on Windows.
        #
        # NOTE(review): $(user) reaches the shell and the grep pattern unescaped;
        # pass trusted literals only.
        # NOTE(review): FreeBSD defines neither passwords_in_shadow nor
        # passwords_in_passwd (see user_tests), so no command below runs there
        # and neither class is defined - confirm this is intended.
  310   vars:
  311     aix::
  312       "user_hash" string => execresult("$(this.promise_dirname)/aix_get_shadow_field.pl password $(user)", "useshell");
  313 
  314   classes:
  315     aix::
          # Same regex as user_is_locked with the two outcome classes swapped.
  316       "$(true_class)" not => regcmp("!.*", $(user_hash)),
  317         scope => "namespace";
  318       "$(false_class)" expression => regcmp("!.*", $(user_hash)),
  319         scope => "namespace";
  320 
  321   commands:
  322     passwords_in_shadow::
          # Field 2 must contain no "!" at all; fields 3-7 are unconstrained;
          # field 8 (expiry) must be empty or exactly "0".
  323       # Notice the field at the end. That field (expiry) should be gone or zero.
  324       "$(G.egrep) '^$(user):[^:!]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:(:|0:)' /etc/shadow"
  325         contain => no_output_shell,
  326         classes => on_success("$(true_class)", "$(false_class)");
  327     passwords_in_passwd::
  328       "$(G.grep) '^$(user):[^:!]*:' /etc/passwd"
  329         contain => no_output_shell,
  330         classes => on_success("$(true_class)", "$(false_class)");
  331 
  332   vars:
  333     windows::
  334       "output" string => execresult("net user $(user)", "useshell");
  335   classes:
  336     windows::
  337       "$(true_class)" expression => regcmp(".*Account active *Yes.*", "$(output)"),
  338         scope => "namespace";
  339       "$(false_class)" not => regcmp(".*Account active *Yes.*", "$(output)"),
  340         scope => "namespace";
  341 }
  342 
  343 # Some platforms add a flag that forces the user to change the password.
  344 bundle agent user_does_not_need_password_update(user, true_class, false_class)
  345 {
        # Defines $(true_class) when $(user) is not flagged for a forced password
        # change, otherwise $(false_class). Only AIX is actually inspected; every
        # other platform defines $(true_class) unconditionally and never defines
        # $(false_class).
        #
        # NOTE(review): $(user) reaches the shell unescaped through execresult
        # with "useshell"; pass trusted literals only.
  346   vars:
  347     aix::
          # Reads the "flags" field for the user through the helper script.
  348       "flags" string => execresult("$(this.promise_dirname)/aix_get_shadow_field.pl flags $(user)", "useshell");
  349 
  350   classes:
  351     aix::
          # ADMCHG anywhere in the flags means a password change is pending.
  352       "$(true_class)" not => regcmp(".*ADMCHG.*", "$(flags)"),
  353         scope => "namespace";
  354       "$(false_class)" expression => regcmp(".*ADMCHG.*", "$(flags)"),
  355         scope => "namespace";
  356 
  357     !aix::
  358       "$(true_class)" expression => "any",
  359         scope => "namespace";
  360 }
  361 
  362 body classes on_success(true_class, false_class)
  363 {
        # Maps a promise outcome onto a pair of result classes. The commands
        # promises in this file attach it to grep/egrep calls, so $(true_class)
        # stands for "pattern found" and $(false_class) for "not found".
        # NOTE(review): this relies on a zero exit status being reported as
        # "repaired" and a non-zero one as "repair failed" - confirm against the
        # commands promise defaults.
        #
        # promise_repaired / repair_failed define the listed class;
        # cancel_notkept / cancel_repaired undefine the listed class.
  364   promise_repaired => { "$(true_class)" };
  365   repair_failed    => { "$(false_class)" };
  366   cancel_notkept   => { "$(true_class)" };
  367   cancel_repaired  => { "$(false_class)" };
  368 }
  369 
  370 body contain no_output_shell
  371 {
        # Containment used by every grep/egrep command in this file: output is
        # discarded and the command string is handed to a shell.
        # NOTE(review): because of useshell, any bundle parameter expanded into
        # such a command string is interpreted by the shell. The bundles here
        # quote their patterns in single quotes but do not escape the values, so
        # they are only safe with fixed, trusted arguments.
  372   no_output => "true";
  373   useshell => "useshell";
  374 }