Initial __nextcloud_user type

This type setup and updates a nextcloud user account. Currently not finished yet, but should work in all cases.
2020-10-30 19:14:24 +01:00 · 2020-10-30 19:14:24 +01:00 · b0ed6b2f18
parent 072ca37720
commit b0ed6b2f18
8 changed files with 338 additions and 0 deletions
--- a/type/__nextcloud_user/explorer/password
+++ b/type/__nextcloud_user/explorer/password
@ -0,0 +1,49 @@
+#!/bin/sh
+# __nextcloud/explorer/password
+
+# Checks if the given password is working by hacking somehow into the nextcloud
+# php libary.
+#
+# Outputs:
+#  - "noop" if no password given as parameter
+#  - "matched" if the given parameter matched the password
+#  - "mismatched" if the given parameter did not matched
+#  - "" if no nextcloud directory could be detected
+
+
+# Check if the password exists, else this is nonsense
+password="$__object/parameter/password"
+if [ -f "$password" ]; then
+    password="$(cat "$password")"
+else
+    # no password to compare - it's managed by someone other
+    echo noop
+    exit
+fi
+
+# Get parameters
+user="$__object/parameter/user"
+if [ -f "$user" ]; then
+    user="$(cat "$user")"
+else
+    user="$__object_id"
+fi
+cloud="$(cat "$__object/parameter/cloud")"
+www_user="$(cat "$__object/parameter/www-user")"
+
+
+
+# Check if there exists the installation
+if [ -d "$cloud" ]; then
+    # if those files exist, everything should be good
+    if [ -f "$cloud/occ" ] && [ -f "$cloud/config/config.php" ]; then
+        # Output the information from the custom php
+        # change the user to be on the safe side if something is written
+        su -s /bin/sh -l "$www_user" -- -e <<SU
+cd '$cloud'
+pw='$password' \
+php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
+        print(\\OC::\$server->getUserSession()->getManager()->checkPasswordNoLogging("$user", getenv("pw")) ? "matched" : "mismatched");'
+SU
+    fi
+fi
--- a/type/__nextcloud_user/explorer/user
+++ b/type/__nextcloud_user/explorer/user
@ -0,0 +1,39 @@
+#!/bin/sh -e
+# __nextcloud_user/explorer/user
+
+# Outputs the raw nextcloud command output of the given user
+
+
+# Parameters
+user="$__object/parameter/user"
+if [ -f "$user" ]; then
+    user="$(cat "$user")"
+else
+    user="$__object_id"
+fi
+cloud="$(cat "$__object/parameter/cloud")"
+www_user="$(cat "$__object/parameter/www-user")"
+
+
+# Check if there exists the installation
+if [ -d "$cloud" ]; then
+    # if those files exist, everything should be good
+    if [ -f "$cloud/occ" ] && [ -f "$cloud/config/config.php" ]; then
+        # Content could be gathered through php code directly, too. This can
+        # be done if more parameters are required than user:info will output
+        # or if there will be too much fuzz in the output.
+
+        # Output the information of the user
+        # type will abort if explorer is empty, not if occ aborts
+        su -s /bin/sh -l "$www_user" -- -e <<SU
+cd '$cloud'
+
+# Check if the user exists before the later command will produce an error
+if php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
+           exit(\\OC::\$server->getUserSession()->getManager()->userExists("$user") ? 0 : 1);'
+then
+    php occ --no-interaction --no-ansi --output=plain user:info '$user'
+fi
+SU
+    fi
+fi
--- a/type/__nextcloud_user/gencode-remote
+++ b/type/__nextcloud_user/gencode-remote
@ -0,0 +1,239 @@
+#!/bin/sh -e
+# __nextcloud_user/gencode-remote
+
+
+# Call the nextcloud occ script as the designed user. Maybe this can be a bit
+# more effictive with user switching, but currently the easiest way of doing
+# it.
+#
+# All arguments are directly passed to occ (injection alarm ;-) )
+occ() {
+    # su creates a new shell, so it does not affect the current session
+    #  will not use -q as it supresses errors, too
+    cat << SHELL
+su -s /bin/sh -l "$www_user" -- -e <<'SU'
+cd '$cloud' && php occ --no-interaction --no-ansi $@
+SU
+SHELL
+}
+
+# Creates the output for the nextcloud command to create a user. Takes all
+# required parameters from existing variables.
+occ_create() {
+    cat <<SHELL
+su -s /bin/sh -l "$www_user" -- -e <<SU
+cd '$cloud'
+SHELL
+    create_args=""
+
+    if [ -f "$__object/parameter/password" ]; then
+        printf "export OC_PASS='%s'\n" "$(cat "$__object/parameter/password")"
+        create_args="$create_args --password-from-env"
+    fi
+    if [ -f "$__object/parameter/displayname" ]; then
+        create_args="$create_args --display-name '$(cat "$__object/parameter/displayname")'"
+    fi
+
+    # groups
+    if [ -f "$__object/parameter/group" ]; then
+        while read -r GROUP; do
+            create_args="$create_args --group '$GROUP'"
+        done < "$__object/parameter/group"
+    fi
+
+    cat <<SHELL
+php occ --no-interaction --no-ansi user:add $create_args -- '$user'
+SU
+SHELL
+
+    # add email if set - not doable via the create command
+    if [ -f "$__object/parameter/email" ]; then
+        occ user:setting -- "'$user'" settings email "'$(cat "$__object/parameter/email")'"
+    fi
+
+    # save that use user will be created and no further steps are required
+    occ_created="yes"
+}
+
+# Checks if the key-value exists on the remote side. Only matches first-level
+# parameters; not checking deeper levers.
+#
+# Arguments:
+#  1: the key
+#  2: the value
+#
+# Return-Code:
+#  0: matched the key-value
+#  1: not matched
+match_param() {
+    # first level intend two spaces
+    if grep -q -Fx "  - $1: $2" "$__object/explorer/user"; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+
+# Get parameters
+user="$__object/parameter/user"
+if [ -f "$user" ]; then
+    user="$(cat "$user")"
+else
+    user="$__object_id"
+fi
+if [ -s "$__object/explorer/user" ]; then
+    if match_param enabled true; then
+        state_is="enabled"
+    else
+        state_is="disabled"
+    fi
+else
+    state_is="absent"
+fi
+
+state_should="$(cat "$__object/parameter/state")"
+cloud="$(cat "$__object/parameter/cloud")"
+www_user="$(cat "$__object/parameter/www-user")"
+
+
+# Check if the state changes
+if [ "$state_is" != "$state_should" ]; then
+    # check what to do
+    case "$state_should" in
+        enabled)
+            if [ "$state_is" = "disabled" ]; then
+                occ user:enable "'$user'"
+                echo enabled >> "$__messages_out"
+            else
+                occ_create
+                echo created >> "$__messages_out"
+            fi
+            ;;
+
+        disabled)
+            if [ "$state_is" = "absent" ]; then
+                occ_create
+                echo created >> "$__messages_out"
+            fi
+
+            occ user:disable "'$user'"
+            echo disabled >> "$__messages_out"
+            ;;
+
+        present)
+            if [ "$state_is" = "absent" ]; then
+                occ_create
+                echo created >> "$__messages_out"
+            fi
+            # else, everything is ok
+            ;;
+
+        absent)
+            occ user:delete "'$user'"
+            echo removed >> "$__messages_out"
+            ;;
+    esac
+fi
+
+
+# Check if some user configuration should be changed
+# do not run this code if the user will be created in the previous code
+if [ "$state_should" != "absent" ] && [ "$occ_created" != "yes" ]; then
+    # Check if the display name is correct if someone is set
+    if [ -f "$__object/parameter/displayname" ]; then
+        displayname="$(cat "$__object/parameter/displayname")"
+        if ! match_param display_name "$displayname"; then
+            cat <<SHELL
+su -s /bin/sh -l "$www_user" -- -e <<'SU'
+cd '$cloud'
+php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
+        \\OC::\$server->getUserSession()->getManager()->get("$user")->setDisplayName("$displayname")
+          or die("Couldn'\''t modify $user display name! Maybe unsupported or already set ..".PHP_EOL);'
+SU
+SHELL
+        fi
+    fi
+
+    # Check if the email address is correct
+    if [ -f "$__object/parameter/email" ]; then
+        email="$(cat "$__object/parameter/email")"
+        if ! match_param email "$email"; then
+            occ user:setting -- "'$user'" settings email "'$email'"
+        fi
+    else
+        # remove if it doesn't exist
+        if ! match_param email ""; then
+            occ user:setting --delete -- "'$user'" settings email
+        fi
+    fi
+
+    # Check state of the password
+    # explorer handles missing passwords already
+    if [ "$(cat "$__object/explorer/password")" = "mismatched" ]; then
+        cat <<SHELL
+su -s /bin/sh -l "$www_user" -- -e <<'SU'
+cd '$cloud'
+export OC_PASS='$(cat "$__object/parameter/password")'
+php occ --no-interaction --no-ansi user:resetpassword --password-from-env -- '$user'
+SU
+SHELL
+    fi
+
+
+    # Handle the user groups
+    # extract all groups set by remote
+    mkdir -p "$__object/files"
+    # check the spaces before the value to match all sub-categories
+    awk '/^  -/{start=0} start{print $2} $0 == "  - groups:"{start=1}' \
+        "$__object/explorer/user" > "$__object/files/explorer_groups"
+
+    # Add/Remove groups not set via the parameter
+    if [ -s "$__object/parameter/group" ]; then
+        # Get all groups to remove
+        grep -Fxv -f "$__object/parameter/group" \
+            "$__object/files/explorer_groups" > "$__object/files/group.del" || true
+        # Get all groups to add
+        grep -Fxv -f "$__object/files/explorer_groups" \
+            "$__object/parameter/group" > "$__object/files/group.add" || true
+
+    # No user groups at all if nothing wanted by the user
+    else
+        # remove all groups to stay inline with the user parameter
+        cp "$__object/files/explorer_groups" "$__object/files/group.del"
+    fi
+
+    # Remove all groups not exist anymore
+    if [ -s "$__object/files/group.del" ]; then
+        while read -r GROUP; do
+            cat <<SHELL
+su -s /bin/sh -l "$www_user" -- -e <<'SU'
+cd '$cloud'
+php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
+        \$group = \\OC::\$server->getGroupManager()->get("$GROUP");
+        \$user = \\OC::\$server->getUserSession()->getManager()->get("$user");
+        if (\$group === NULL || \$user === NULL)
+            die("Can'\''t delete $user from group $GROUP! User or group doesn'\''t exist in nextcloud!".PHP_EOL);
+        \$group->removeUser(\$user);'
+SU
+SHELL
+        done < "$__object/files/group.del"
+    fi
+
+    # Add all existing groups
+    if [ -s "$__object/files/group.add" ]; then
+        while read -r GROUP; do
+            cat <<SHELL
+su -s /bin/sh -l "$www_user" -- -e <<'SU'
+cd '$cloud'
+php -r 'define("OC_CONSOLE",1); require_once(__DIR__."/lib/base.php");
+        \$group = \\OC::\$server->getGroupManager()->get("$GROUP");
+        \$user = \\OC::\$server->getUserSession()->getManager()->get("$user");
+        if (\$group === NULL || \$user === NULL)
+            die("Can'\''t delete $user from group $GROUP! User or group doesn'\''t exist in nextcloud!".PHP_EOL);
+        \$group->addUser(\$user);'
+SU
+SHELL
+        done < "$__object/files/group.add"
+    fi
+fi
--- a/type/__nextcloud_user/parameter/default/state
+++ b/type/__nextcloud_user/parameter/default/state
@ -0,0 +1 @@
+present
--- a/type/__nextcloud_user/parameter/default/www-user
+++ b/type/__nextcloud_user/parameter/default/www-user
@ -0,0 +1 @@
+www-data
--- a/type/__nextcloud_user/parameter/optional
+++ b/type/__nextcloud_user/parameter/optional
@ -0,0 +1,7 @@
+user
+www-user
+state
+displayname
+email
+password
+quota
--- a/type/__nextcloud_user/parameter/optional_multiple
+++ b/type/__nextcloud_user/parameter/optional_multiple
@ -0,0 +1 @@
+group
--- a/type/__nextcloud_user/parameter/required
+++ b/type/__nextcloud_user/parameter/required
@ -0,0 +1 @@
+cloud