__nextcloud_user: new parameters to prevent changes to the user

This adds new parameters `--only-setup` and `--keep-*` to prevent
certain parameters to be changed in Nextcloud. This will not apply to
the setup.

type/__nextcloud_user/gencode-remote

@@ -52,7 +52,7 @@ SHELL
     fi
 
     # save that use user will be created and no further steps are required
-    occ_created="yes"
+    ignore_config="yes"
 }
 
 # Checks if the key-value exists on the remote side. Only matches first-level
@@ -136,84 +136,99 @@ if [ "$state_is" != "$state_should" ]; then
     esac
 fi
 
+# Check if the user should not be modified further from the initial setup.
+if [ -f "$__object/parameter/only-setup" ]; then
+    ignore_config="yes"
+fi
+
 
 # Check if some user configuration should be changed
 # do not run this code if the user will be created in the previous code
-if [ "$state_should" != "absent" ] && [ "$occ_created" != "yes" ]; then
-    # Check if the display name is correct if someone is set
-    if [ -f "$__object/parameter/displayname" ]; then
-        displayname="$(cat "$__object/parameter/displayname")"
-        if ! match_param display_name "$displayname"; then
-            cat <<SHELL
+if [ "$state_should" != "absent" ] && [ "$ignore_config" != "yes" ]; then
+    if ! [ -f "$__object/parameter/keep-displayname" ]; then
+        # Check if the display name is correct if someone is set
+        if [ -f "$__object/parameter/displayname" ]; then
+            displayname="$(cat "$__object/parameter/displayname")"
+            if ! match_param display_name "$displayname"; then
+                cat <<SHELL
 su -s /bin/sh -l "$www_user" -- -e <<'SU'
 cd '$cloud'
 php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
         \\OC::\$server->getUserSession()->getManager()->get("$user")->setDisplayName("$displayname")
-          or die("Couldn'\''t modify $user display name! Maybe unsupported or already set ..".PHP_EOL);'
+          or print("Couldn'\''t modify $user display name! Maybe unsupported or already set ..".PHP_EOL)
+            and die(1);'
 SU
 SHELL
+            fi
+        fi
+        # the display name can not be unset
+    fi
+
+    if ! [ -f "$__object/paramter/keep-email" ]; then
+        # Check if the email address is correct
+        if [ -f "$__object/parameter/email" ]; then
+            email="$(cat "$__object/parameter/email")"
+            if ! match_param email "$email"; then
+                occ user:setting -- "'$user'" settings email "'$email'"
+            fi
+        else
+            # remove if it doesn't exist
+            if ! match_param email ""; then
+                occ user:setting --delete -- "'$user'" settings email
+            fi
         fi
     fi
 
-    # Check if the email address is correct
-    if [ -f "$__object/parameter/email" ]; then
-        email="$(cat "$__object/parameter/email")"
-        if ! match_param email "$email"; then
-            occ user:setting -- "'$user'" settings email "'$email'"
-        fi
-    else
-        # remove if it doesn't exist
-        if ! match_param email ""; then
-            occ user:setting --delete -- "'$user'" settings email
-        fi
-    fi
-
-    # Check state of the password
-    # explorer handles missing passwords already
-    if [ "$(cat "$__object/explorer/password")" = "mismatched" ]; then
-        cat <<SHELL
+    if ! [ -f "$__object/parameter/keep-password" ]; then
+        # Check state of the password
+        # explorer handles missing passwords already
+        if [ "$(cat "$__object/explorer/password")" = "mismatched" ]; then
+            cat <<SHELL
 su -s /bin/sh -l "$www_user" -- -e <<'SU'
 cd '$cloud'
 export OC_PASS='$(cat "$__object/parameter/password")'
 php occ --no-interaction --no-ansi user:resetpassword --password-from-env -- '$user'
 SU
 SHELL
+        fi
     fi
 
 
-    # Handle the user groups
-    # extract all groups set by remote
-    mkdir -p "$__object/files"
-    # check the spaces before the value to match all sub-categories
-    awk '/^  -/{start=0} start{print $2} $0 == "  - groups:"{start=1}' \
-        "$__object/explorer/user" > "$__object/files/explorer_groups"
+    if ! [ -f "$__object/parameter/keep-groups" ]; then
+        # Handle the user groups
+        # extract all groups set by remote
+        mkdir -p "$__object/files"
+        # check the spaces before the value to match all sub-categories
+        awk '/^  -/{start=0} start{print $2} $0 == "  - groups:"{start=1}' \
+            "$__object/explorer/user" > "$__object/files/explorer_groups"
 
-    # Add/Remove groups not set via the parameter
-    if [ -s "$__object/parameter/group" ]; then
-        # Get all groups to remove
-        grep -Fxv -f "$__object/parameter/group" \
-            "$__object/files/explorer_groups" > "$__object/files/group.del" || true
-        # Get all groups to add
-        grep -Fxv -f "$__object/files/explorer_groups" \
-            "$__object/parameter/group" > "$__object/files/group.add" || true
+        # Add/Remove groups not set via the parameter
+        if [ -s "$__object/parameter/group" ]; then
+            # Get all groups to remove
+            grep -Fxv -f "$__object/parameter/group" \
+                "$__object/files/explorer_groups" > "$__object/files/group.del" || true
+            # Get all groups to add
+            grep -Fxv -f "$__object/files/explorer_groups" \
+                "$__object/parameter/group" > "$__object/files/group.add" || true
 
-    # No user groups at all if nothing wanted by the user
-    else
-        # remove all groups to stay inline with the user parameter
-        cp "$__object/files/explorer_groups" "$__object/files/group.del"
-    fi
+        # No user groups at all if nothing wanted by the user
+        else
+            # remove all groups to stay inline with the user parameter
+            cp "$__object/files/explorer_groups" "$__object/files/group.del"
+        fi
 
-    # Remove all groups not exist anymore
-    if [ -s "$__object/files/group.del" ]; then
-        while read -r GROUP; do
-            occ group:removeuser "'$GROUP'" "'$user'"
-        done < "$__object/files/group.del"
-    fi
+        # Remove all groups not exist anymore
+        if [ -s "$__object/files/group.del" ]; then
+            while read -r GROUP; do
+                occ group:removeuser "'$GROUP'" "'$user'"
+            done < "$__object/files/group.del"
+        fi
 
-    # Add all existing groups
-    if [ -s "$__object/files/group.add" ]; then
-        while read -r GROUP; do
-            occ group:adduser "'$GROUP'" "'$user'"
-        done < "$__object/files/group.add"
+        # Add all existing groups
+        if [ -s "$__object/files/group.add" ]; then
+            while read -r GROUP; do
+                occ group:adduser "'$GROUP'" "'$user'"
+            done < "$__object/files/group.add"
+        fi
     fi
 fi

type/__nextcloud_user/man.rst

@@ -9,6 +9,10 @@ cdist-type__nextcloud_user - Setup a Nextcloud user
 DESCRIPTION
 -----------
 It manages a single Nextcloud user given by the object id or parameter `--user`.
+This type can create and manage most properties of the Nextcloud user. If you
+only want to setup the user, but want that the user will take full control over
+all settings (so cdist will not touch the user anymore), use the parameter
+`--only-setup` or `--keep-*` for special parameters.
 
 
 REQUIRED PARAMETERS
@@ -44,13 +48,21 @@ www-user
     webserver and cli execution. As default, `www-data` will be used.
 
 displayname
-    The display name the user should have.
+    The display name the user should have. As the display name can not be unset
+    or set to empty, this type will ignore the display name if this parameter
+    is not set. Setting the parameter to an empty string leads to an error from
+    the Nextcloud side.
 
 email
-    The email address of the Nextcloud user.
+    The email address of the Nextcloud user. Will be unset if no parameter
+    given.
 
 password
-    The password of the Nextcloud user.
+    The password of the Nextcloud user. If the password not match, the new
+    password will be set to the user. If no password is given, it will not
+    touch the current password. **A password is required for the user setup!**
+    If you do not want to modify the user password, set a password via this
+    parameter and set the parameter `--keep-password`.
 
 quota
     TBA.
@@ -60,6 +72,40 @@ group
     user will be removed from every group he is in.
 
 
+BOOLEAN PARAMETERS
+------------------
+only-setup
+    Only provisioning the user if he does not exist. Do not touch the user if
+    he already exists (except to enforce the given state).
+
+keep-displayname
+    Do not touch the display name of the user if he is already set up. This
+    will avoid to delete the user-set value because it does not match with the
+    predefined state. If the parameter `--displayname` is set despite of this
+    parameter, it will be used in the user setup if he does not already exist.
+
+keep-email
+    Do not touch the email attributes of the user if he is already set up. This
+    will avoid to delete the user-set value because it does not match with the
+    predefined state. If the parameter `--email` is set despite of this
+    parameter, it will be used in the user setup if he does not already exist.
+
+keep-password
+    Do not touch the password if the user is already set up. This will avoid to
+    delete user-set passwords because they do not match with the predefined
+    state. If the parameter `--password` is set despite of this parameter, it
+    will be used in the user setup if he does not already exists.
+
+keep-quota
+    TBA.
+
+keep-groups
+    Do not touch the user groups if the user is already set up. This will avoid
+    to delete group assosiactions not defined via cdist. If the parameter
+    `--group` is set despite of this parameter, it will be used in the user
+    setup if he does not already exists.
+
+
 MESSAGES
 --------
 created

type/__nextcloud_user/parameter/boolean

@@ -0,0 +1,6 @@
+only-setup
+keep-displayname
+keep-email
+keep-password
+keep-quota
+keep-groups