Initial __nextcloud_user type

This type setup and updates a nextcloud user account. Currently not
finished yet, but should work in all cases.
This commit is contained in:
matze 2020-10-30 19:14:24 +01:00
parent 072ca37720
commit b0ed6b2f18
8 changed files with 338 additions and 0 deletions

View file

@ -0,0 +1,49 @@
#!/bin/sh
# __nextcloud/explorer/password
# Checks if the given password is working by hacking somehow into the nextcloud
# php libary.
#
# Outputs:
# - "noop" if no password given as parameter
# - "matched" if the given parameter matched the password
# - "mismatched" if the given parameter did not matched
# - "" if no nextcloud directory could be detected
# Check if the password exists, else this is nonsense
password="$__object/parameter/password"
if [ -f "$password" ]; then
password="$(cat "$password")"
else
# no password to compare - it's managed by someone other
echo noop
exit
fi
# Get parameters
user="$__object/parameter/user"
if [ -f "$user" ]; then
user="$(cat "$user")"
else
user="$__object_id"
fi
cloud="$(cat "$__object/parameter/cloud")"
www_user="$(cat "$__object/parameter/www-user")"
# Check if there exists the installation
if [ -d "$cloud" ]; then
# if those files exist, everything should be good
if [ -f "$cloud/occ" ] && [ -f "$cloud/config/config.php" ]; then
# Output the information from the custom php
# change the user to be on the safe side if something is written
su -s /bin/sh -l "$www_user" -- -e <<SU
cd '$cloud'
pw='$password' \
php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
print(\\OC::\$server->getUserSession()->getManager()->checkPasswordNoLogging("$user", getenv("pw")) ? "matched" : "mismatched");'
SU
fi
fi

View file

@ -0,0 +1,39 @@
#!/bin/sh -e
# __nextcloud_user/explorer/user
# Outputs the raw nextcloud command output of the given user
# Parameters
user="$__object/parameter/user"
if [ -f "$user" ]; then
user="$(cat "$user")"
else
user="$__object_id"
fi
cloud="$(cat "$__object/parameter/cloud")"
www_user="$(cat "$__object/parameter/www-user")"
# Check if there exists the installation
if [ -d "$cloud" ]; then
# if those files exist, everything should be good
if [ -f "$cloud/occ" ] && [ -f "$cloud/config/config.php" ]; then
# Content could be gathered through php code directly, too. This can
# be done if more parameters are required than user:info will output
# or if there will be too much fuzz in the output.
# Output the information of the user
# type will abort if explorer is empty, not if occ aborts
su -s /bin/sh -l "$www_user" -- -e <<SU
cd '$cloud'
# Check if the user exists before the later command will produce an error
if php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
exit(\\OC::\$server->getUserSession()->getManager()->userExists("$user") ? 0 : 1);'
then
php occ --no-interaction --no-ansi --output=plain user:info '$user'
fi
SU
fi
fi

View file

@ -0,0 +1,239 @@
#!/bin/sh -e
# __nextcloud_user/gencode-remote
# Call the nextcloud occ script as the designed user. Maybe this can be a bit
# more effictive with user switching, but currently the easiest way of doing
# it.
#
# All arguments are directly passed to occ (injection alarm ;-) )
occ() {
# su creates a new shell, so it does not affect the current session
# will not use -q as it supresses errors, too
cat << SHELL
su -s /bin/sh -l "$www_user" -- -e <<'SU'
cd '$cloud' && php occ --no-interaction --no-ansi $@
SU
SHELL
}
# Creates the output for the nextcloud command to create a user. Takes all
# required parameters from existing variables.
occ_create() {
cat <<SHELL
su -s /bin/sh -l "$www_user" -- -e <<SU
cd '$cloud'
SHELL
create_args=""
if [ -f "$__object/parameter/password" ]; then
printf "export OC_PASS='%s'\n" "$(cat "$__object/parameter/password")"
create_args="$create_args --password-from-env"
fi
if [ -f "$__object/parameter/displayname" ]; then
create_args="$create_args --display-name '$(cat "$__object/parameter/displayname")'"
fi
# groups
if [ -f "$__object/parameter/group" ]; then
while read -r GROUP; do
create_args="$create_args --group '$GROUP'"
done < "$__object/parameter/group"
fi
cat <<SHELL
php occ --no-interaction --no-ansi user:add $create_args -- '$user'
SU
SHELL
# add email if set - not doable via the create command
if [ -f "$__object/parameter/email" ]; then
occ user:setting -- "'$user'" settings email "'$(cat "$__object/parameter/email")'"
fi
# save that use user will be created and no further steps are required
occ_created="yes"
}
# Checks if the key-value exists on the remote side. Only matches first-level
# parameters; not checking deeper levers.
#
# Arguments:
# 1: the key
# 2: the value
#
# Return-Code:
# 0: matched the key-value
# 1: not matched
match_param() {
# first level intend two spaces
if grep -q -Fx " - $1: $2" "$__object/explorer/user"; then
return 0
else
return 1
fi
}
# Get parameters
user="$__object/parameter/user"
if [ -f "$user" ]; then
user="$(cat "$user")"
else
user="$__object_id"
fi
if [ -s "$__object/explorer/user" ]; then
if match_param enabled true; then
state_is="enabled"
else
state_is="disabled"
fi
else
state_is="absent"
fi
state_should="$(cat "$__object/parameter/state")"
cloud="$(cat "$__object/parameter/cloud")"
www_user="$(cat "$__object/parameter/www-user")"
# Check if the state changes
if [ "$state_is" != "$state_should" ]; then
# check what to do
case "$state_should" in
enabled)
if [ "$state_is" = "disabled" ]; then
occ user:enable "'$user'"
echo enabled >> "$__messages_out"
else
occ_create
echo created >> "$__messages_out"
fi
;;
disabled)
if [ "$state_is" = "absent" ]; then
occ_create
echo created >> "$__messages_out"
fi
occ user:disable "'$user'"
echo disabled >> "$__messages_out"
;;
present)
if [ "$state_is" = "absent" ]; then
occ_create
echo created >> "$__messages_out"
fi
# else, everything is ok
;;
absent)
occ user:delete "'$user'"
echo removed >> "$__messages_out"
;;
esac
fi
# Check if some user configuration should be changed
# do not run this code if the user will be created in the previous code
if [ "$state_should" != "absent" ] && [ "$occ_created" != "yes" ]; then
# Check if the display name is correct if someone is set
if [ -f "$__object/parameter/displayname" ]; then
displayname="$(cat "$__object/parameter/displayname")"
if ! match_param display_name "$displayname"; then
cat <<SHELL
su -s /bin/sh -l "$www_user" -- -e <<'SU'
cd '$cloud'
php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
\\OC::\$server->getUserSession()->getManager()->get("$user")->setDisplayName("$displayname")
or die("Couldn'\''t modify $user display name! Maybe unsupported or already set ..".PHP_EOL);'
SU
SHELL
fi
fi
# Check if the email address is correct
if [ -f "$__object/parameter/email" ]; then
email="$(cat "$__object/parameter/email")"
if ! match_param email "$email"; then
occ user:setting -- "'$user'" settings email "'$email'"
fi
else
# remove if it doesn't exist
if ! match_param email ""; then
occ user:setting --delete -- "'$user'" settings email
fi
fi
# Check state of the password
# explorer handles missing passwords already
if [ "$(cat "$__object/explorer/password")" = "mismatched" ]; then
cat <<SHELL
su -s /bin/sh -l "$www_user" -- -e <<'SU'
cd '$cloud'
export OC_PASS='$(cat "$__object/parameter/password")'
php occ --no-interaction --no-ansi user:resetpassword --password-from-env -- '$user'
SU
SHELL
fi
# Handle the user groups
# extract all groups set by remote
mkdir -p "$__object/files"
# check the spaces before the value to match all sub-categories
awk '/^ -/{start=0} start{print $2} $0 == " - groups:"{start=1}' \
"$__object/explorer/user" > "$__object/files/explorer_groups"
# Add/Remove groups not set via the parameter
if [ -s "$__object/parameter/group" ]; then
# Get all groups to remove
grep -Fxv -f "$__object/parameter/group" \
"$__object/files/explorer_groups" > "$__object/files/group.del" || true
# Get all groups to add
grep -Fxv -f "$__object/files/explorer_groups" \
"$__object/parameter/group" > "$__object/files/group.add" || true
# No user groups at all if nothing wanted by the user
else
# remove all groups to stay inline with the user parameter
cp "$__object/files/explorer_groups" "$__object/files/group.del"
fi
# Remove all groups not exist anymore
if [ -s "$__object/files/group.del" ]; then
while read -r GROUP; do
cat <<SHELL
su -s /bin/sh -l "$www_user" -- -e <<'SU'
cd '$cloud'
php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
\$group = \\OC::\$server->getGroupManager()->get("$GROUP");
\$user = \\OC::\$server->getUserSession()->getManager()->get("$user");
if (\$group === NULL || \$user === NULL)
die("Can'\''t delete $user from group $GROUP! User or group doesn'\''t exist in nextcloud!".PHP_EOL);
\$group->removeUser(\$user);'
SU
SHELL
done < "$__object/files/group.del"
fi
# Add all existing groups
if [ -s "$__object/files/group.add" ]; then
while read -r GROUP; do
cat <<SHELL
su -s /bin/sh -l "$www_user" -- -e <<'SU'
cd '$cloud'
php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
\$group = \\OC::\$server->getGroupManager()->get("$GROUP");
\$user = \\OC::\$server->getUserSession()->getManager()->get("$user");
if (\$group === NULL || \$user === NULL)
die("Can'\''t delete $user from group $GROUP! User or group doesn'\''t exist in nextcloud!".PHP_EOL);
\$group->addUser(\$user);'
SU
SHELL
done < "$__object/files/group.add"
fi
fi

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1 @@
www-data

View file

@ -0,0 +1,7 @@
user
www-user
state
displayname
email
password
quota

View file

@ -0,0 +1 @@
group

View file

@ -0,0 +1 @@
cloud