__nextcloud_user: new parameters to prevent changes to the user

This adds new parameters `--only-setup` and `--keep-*` to prevent
certain parameters from being changed in Nextcloud. This does not apply
to the setup.
matze 2020-10-31 09:47:38 +01:00
parent 635f03f527
commit 82283d0b1c
3 changed files with 125 additions and 58 deletions


@ -52,7 +52,7 @@ SHELL
fi fi
# save that use user will be created and no further steps are required # save that use user will be created and no further steps are required
occ_created="yes" ignore_config="yes"
} }
# Checks if the key-value exists on the remote side. Only matches first-level # Checks if the key-value exists on the remote side. Only matches first-level
@ -136,84 +136,99 @@ if [ "$state_is" != "$state_should" ]; then
esac esac
fi fi
# Check if the user should not be modified further from the initial setup.
if [ -f "$__object/parameter/only-setup" ]; then
ignore_config="yes"
fi
# Check if some user configuration should be changed # Check if some user configuration should be changed
# do not run this code if the user will be created in the previous code # do not run this code if the user will be created in the previous code
if [ "$state_should" != "absent" ] && [ "$occ_created" != "yes" ]; then if [ "$state_should" != "absent" ] && [ "$ignore_config" != "yes" ]; then
# Check if the display name is correct if someone is set if ! [ -f "$__object/parameter/keep-displayname" ]; then
if [ -f "$__object/parameter/displayname" ]; then # Check if the display name is correct if someone is set
displayname="$(cat "$__object/parameter/displayname")" if [ -f "$__object/parameter/displayname" ]; then
if ! match_param display_name "$displayname"; then displayname="$(cat "$__object/parameter/displayname")"
cat <<SHELL if ! match_param display_name "$displayname"; then
cat <<SHELL
su -s /bin/sh -l "$www_user" -- -e <<'SU' su -s /bin/sh -l "$www_user" -- -e <<'SU'
cd '$cloud' cd '$cloud'
php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php"); php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
\\OC::\$server->getUserSession()->getManager()->get("$user")->setDisplayName("$displayname") \\OC::\$server->getUserSession()->getManager()->get("$user")->setDisplayName("$displayname")
or die("Couldn'\''t modify $user display name! Maybe unsupported or already set ..".PHP_EOL);' or print("Couldn'\''t modify $user display name! Maybe unsupported or already set ..".PHP_EOL)
and die(1);'
SU SU
SHELL SHELL
fi
fi
# the display name can not be unset
fi
if ! [ -f "$__object/paramter/keep-email" ]; then
# Check if the email address is correct
if [ -f "$__object/parameter/email" ]; then
email="$(cat "$__object/parameter/email")"
if ! match_param email "$email"; then
occ user:setting -- "'$user'" settings email "'$email'"
fi
else
# remove if it doesn't exist
if ! match_param email ""; then
occ user:setting --delete -- "'$user'" settings email
fi
fi fi
fi fi
# Check if the email address is correct if ! [ -f "$__object/parameter/keep-password" ]; then
if [ -f "$__object/parameter/email" ]; then # Check state of the password
email="$(cat "$__object/parameter/email")" # explorer handles missing passwords already
if ! match_param email "$email"; then if [ "$(cat "$__object/explorer/password")" = "mismatched" ]; then
occ user:setting -- "'$user'" settings email "'$email'" cat <<SHELL
fi
else
# remove if it doesn't exist
if ! match_param email ""; then
occ user:setting --delete -- "'$user'" settings email
fi
fi
# Check state of the password
# explorer handles missing passwords already
if [ "$(cat "$__object/explorer/password")" = "mismatched" ]; then
cat <<SHELL
su -s /bin/sh -l "$www_user" -- -e <<'SU' su -s /bin/sh -l "$www_user" -- -e <<'SU'
cd '$cloud' cd '$cloud'
export OC_PASS='$(cat "$__object/parameter/password")' export OC_PASS='$(cat "$__object/parameter/password")'
php occ --no-interaction --no-ansi user:resetpassword --password-from-env -- '$user' php occ --no-interaction --no-ansi user:resetpassword --password-from-env -- '$user'
SU SU
SHELL SHELL
fi
fi fi
# Handle the user groups if ! [ -f "$__object/parameter/keep-groups" ]; then
# extract all groups set by remote # Handle the user groups
mkdir -p "$__object/files" # extract all groups set by remote
# check the spaces before the value to match all sub-categories mkdir -p "$__object/files"
awk '/^ -/{start=0} start{print $2} $0 == " - groups:"{start=1}' \ # check the spaces before the value to match all sub-categories
"$__object/explorer/user" > "$__object/files/explorer_groups" awk '/^ -/{start=0} start{print $2} $0 == " - groups:"{start=1}' \
"$__object/explorer/user" > "$__object/files/explorer_groups"
# Add/Remove groups not set via the parameter # Add/Remove groups not set via the parameter
if [ -s "$__object/parameter/group" ]; then if [ -s "$__object/parameter/group" ]; then
# Get all groups to remove # Get all groups to remove
grep -Fxv -f "$__object/parameter/group" \ grep -Fxv -f "$__object/parameter/group" \
"$__object/files/explorer_groups" > "$__object/files/group.del" || true "$__object/files/explorer_groups" > "$__object/files/group.del" || true
# Get all groups to add # Get all groups to add
grep -Fxv -f "$__object/files/explorer_groups" \ grep -Fxv -f "$__object/files/explorer_groups" \
"$__object/parameter/group" > "$__object/files/group.add" || true "$__object/parameter/group" > "$__object/files/group.add" || true
# No user groups at all if nothing wanted by the user # No user groups at all if nothing wanted by the user
else else
# remove all groups to stay inline with the user parameter # remove all groups to stay inline with the user parameter
cp "$__object/files/explorer_groups" "$__object/files/group.del" cp "$__object/files/explorer_groups" "$__object/files/group.del"
fi fi
# Remove all groups not exist anymore # Remove all groups not exist anymore
if [ -s "$__object/files/group.del" ]; then if [ -s "$__object/files/group.del" ]; then
while read -r GROUP; do while read -r GROUP; do
occ group:removeuser "'$GROUP'" "'$user'" occ group:removeuser "'$GROUP'" "'$user'"
done < "$__object/files/group.del" done < "$__object/files/group.del"
fi fi
# Add all existing groups # Add all existing groups
if [ -s "$__object/files/group.add" ]; then if [ -s "$__object/files/group.add" ]; then
while read -r GROUP; do while read -r GROUP; do
occ group:adduser "'$GROUP'" "'$user'" occ group:adduser "'$GROUP'" "'$user'"
done < "$__object/files/group.add" done < "$__object/files/group.add"
fi
fi fi
fi fi
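Review bot: The `keep-email` guard tests the wrong path — `"$__object/paramter/keep-email"` is misspelled, so the file is never found and the email branch is always executed even when `--keep-email` is given; the line should read `if ! [ -f "$__object/parameter/keep-email" ]; then`. Because the other `keep-*` checks spell `parameter` correctly, this is the only boolean parameter in the hunk that silently has no effect, and nothing in the type would report it. The switch from `die("...")` to `print("...") and die(1)` in the display-name PHP snippet deserves a short comment on the new side, e.g. `# print + die(1) so a failed setDisplayName() exits non-zero (die("msg") exits 0)`, since the reason for the longer form is not obvious. The surrounding script continues outside the hunk, so whether `ignore_config` is initialised before this block (relevant if the script runs with `set -u`) cannot be confirmed from here.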


@ -9,6 +9,10 @@ cdist-type__nextcloud_user - Setup a Nextcloud user
DESCRIPTION DESCRIPTION
----------- -----------
It manages a single Nextcloud user given by the object id or parameter `--user`. It manages a single Nextcloud user given by the object id or parameter `--user`.
This type can create and manage most properties of the Nextcloud user. If you
only want to setup the user, but want that the user will take full control over
all settings (so cdist will not touch the user anymore), use the parameter
`--only-setup` or `--keep-*` for special parameters.
REQUIRED PARAMETERS REQUIRED PARAMETERS
@ -44,13 +48,21 @@ www-user
webserver and cli execution. As default, `www-data` will be used. webserver and cli execution. As default, `www-data` will be used.
displayname displayname
The display name the user should have. The display name the user should have. As the display name can not be unset
or set to empty, this type will ignore the display name if this parameter
is not set. Setting the parameter to an empty string leads to an error from
the Nextcloud side.
email email
The email address of the Nextcloud user. The email address of the Nextcloud user. Will be unset if no parameter
given.
password password
The password of the Nextcloud user. The password of the Nextcloud user. If the password not match, the new
password will be set to the user. If no password is given, it will not
touch the current password. **A password is required for the user setup!**
If you do not want to modify the user password, set a password via this
parameter and set the parameter `--keep-password`.
quota quota
TBA. TBA.
@ -60,6 +72,40 @@ group
user will be removed from every group he is in. user will be removed from every group he is in.
BOOLEAN PARAMETERS
------------------
only-setup
Only provisioning the user if he does not exist. Do not touch the user if
he already exists (except to enforce the given state).
keep-displayname
Do not touch the display name of the user if he is already set up. This
will avoid to delete the user-set value because it does not match with the
predefined state. If the parameter `--displayname` is set despite of this
parameter, it will be used in the user setup if he does not already exist.
keep-email
Do not touch the email attributes of the user if he is already set up. This
will avoid to delete the user-set value because it does not match with the
predefined state. If the parameter `--email` is set despite of this
parameter, it will be used in the user setup if he does not already exist.
keep-password
Do not touch the password if the user is already set up. This will avoid to
delete user-set passwords because they do not match with the predefined
state. If the parameter `--password` is set despite of this parameter, it
will be used in the user setup if he does not already exists.
keep-quota
TBA.
keep-groups
Do not touch the user groups if the user is already set up. This will avoid
to delete group assosiactions not defined via cdist. If the parameter
`--group` is set despite of this parameter, it will be used in the user
setup if he does not already exists.
MESSAGES MESSAGES
-------- --------
created created


@ -0,0 +1,6 @@
only-setup
keep-displayname
keep-email
keep-password
keep-quota
keep-groups