[Bug 404183] Add user purge option to uamlite

purge_expired_users option was added to uamlite chart to allow purging of old user accounts and the data in their home directories. Addressed a corner case where the user could lose system access by specifying ssh key(s) only for the built-in account. Change-Id: Iccfc914eea219521a290c2b5949ccc2d40d8dbb6
2018-04-10 01:20:11 +00:00 · 2018-04-10 01:20:11 +00:00 · e9d71dedb0
commit e9d71dedb0
parent 73e7437b9b
3 changed files with 59 additions and 9 deletions
--- a/divingbell/templates/bin/_uamlite.sh.tpl
+++ b/divingbell/templates/bin/_uamlite.sh.tpl
@ -95,12 +95,20 @@ add_sshkeys(){
        (rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
      log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
    fi
-    custom_sshkeys_present=true
+
+    # In the event that the user specifies ssh keys for the built-in account and
+    # no others, do not expire the built-in account
+    if [ "${user_name}" != "${builtin_acct}" ]; then
+      expire_builtin_acct=true
+    fi
  fi

 }

 {{- if hasKey .Values.conf "uamlite" }}
+{{- if hasKey .Values.conf.uamlite "purge_expired_users" }}
+purge_expired_users={{ .Values.conf.uamlite.purge_expired_users | quote }}
+{{- end }}
 {{- if hasKey .Values.conf.uamlite "users" }}
 {{- range $item := .Values.conf.uamlite.users }}
  {{- range $key, $value := . }}
@ -126,8 +134,14 @@ if [ -n "$(getent passwd | grep ${keyword} | cut -d':' -f1)" ]; then
  IFS=$'\n'
  for user in ${revert_list}; do
    # We expire rather than delete the user to maintain local UID FS consistency
-    usermod --expiredate 1 ${user}
-    log.INFO "User '${user}' has been disabled (expired)"
+    # unless purge is explicity requested (remove user and user home dir).
+    if [ "${purge_expired_users}" = "true" ]; then
+      deluser ${user} --remove-home
+      log.INFO "User '${user}' and home directory have been purged."
+    else
+      usermod --expiredate 1 ${user}
+      log.INFO "User '${user}' has been disabled (expired)"
+    fi
  done
  unset IFS
 fi
@ -149,7 +163,7 @@ fi
 if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
  # Disable built-in account as long as there was at least one account defined
  # in this chart with a ssh key present
-  if [ "${custom_sshkeys_present}" = "true" ]; then
+  if [ "${expire_builtin_acct}" = "true" ]; then
    if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
          tr -d '[:space:]')" = "never" ]; then
      usermod --expiredate 1 ${builtin_acct}
--- a/divingbell/tools/gate/test.sh
+++ b/divingbell/tools/gate/test.sh
@ -511,11 +511,24 @@ _test_user_enabled(){
    test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
            tr -d '[:space:]')" = "never"
  else
-    # If the user exists, verify it's not non-expiring
-    if [ -n "$(getent passwd $username)" ]; then
-      test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
-              tr -d '[:space:]')" != "never"
-    fi
+    # Verify user is not non-expiring
+    getent passwd $username >& /dev/null
+    test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
+            tr -d '[:space:]')" != "never"
+  fi
+}
+
+_test_user_purged(){
+  username=$1
+
+  # Verify user is no longer defined
+  getent passwd $username >& /dev/null && \
+    echo "Error: User '$username' exists, but was expected it to be purged" && \
+    return 1
+
+  if [ -d /home/$username ]; then
+    echo "Error: User '$username' home dir exists; expected it to be purged"
+    return 1
  fi
 }

@ -631,6 +644,19 @@ test_uamlite(){
  _test_user_enabled ${USERNAME4} false
  _test_sudo_enabled ${USERNAME4} false
  echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
+
+  # Test purge users flag
+  overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set3.yaml
+  echo "conf:
+  uamlite:
+    purge_expired_users: true" > "${overrides_yaml}"
+  install_base "--values=${overrides_yaml}"
+  get_container_status uamlite
+  _test_user_purged ${USERNAME1}
+  _test_user_purged ${USERNAME2}
+  _test_user_purged ${USERNAME3}
+  _test_user_purged ${USERNAME4}
+  echo '[SUCCESS] uamlite test4 passed successfully' >> "${TEST_RESULTS}"
 }

 # test daemonset value overrides for hosts and labels
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@ -120,6 +120,7 @@ access. Ex::

    conf:
      uamlite:
+        purge_expired_users: false
        users:
        - user_name: testuser
          user_sudo: True
@ -127,6 +128,15 @@ access. Ex::
          - ssh-rsa AAAAB3N... key1-comment
          - ssh-rsa AAAAVY6... key2-comment

+An update to the chart with revmoed users will result in those user's accounts
+being expired, preventing those users any access through those accounts. This
+does not delete their home directory or any other files, and provides UID
+consistency in the event the same account gets re-added later, and they regain
+access to their files again.
+
+However, if it is desired to purge expired and removed accounts and their home
+directories, this may be done by the ``purge_expired_users`` option to ``true``.
+
 Node specific configurations
 ----------------------------