from-scratch 0.1.0

data/cookbooks/user/Rakefile

@@ -0,0 +1,21 @@
+#!/usr/bin/env rake
+require 'rake/testtask'
+require 'foodcritic'
+
+Rake::TestTask.new do |t|
+  t.test_files = FileList['test/unit/**/*_spec.rb']
+  t.verbose = true
+end
+
+FoodCritic::Rake::LintTask.new do |t|
+  t.options = { :tags => ['~FC048'], :fail_tags => ['any'] }
+end
+
+begin
+  require 'kitchen/rake_tasks'
+  Kitchen::RakeTasks.new
+rescue LoadError
+  puts ">>>>> Kitchen gem not loaded, omitting tasks" unless ENV['CI']
+end
+
+task :default => [:foodcritic, :test]

data/cookbooks/user/attributes/default.rb

@@ -0,0 +1,50 @@
+#
+# Cookbook Name:: user
+# Attributes:: default
+#
+# Author:: Fletcher Nichol <fnichol@nichol.ca>
+#
+# Copyright 2011, Fletcher Nichol
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+case platform
+when 'debian','ubuntu','redhat','centos','amazon','scientific','fedora','freebsd','suse'
+  default['user']['home_root']      = "/home"
+  default['user']['default_shell']  = "/bin/bash"
+when 'openbsd'
+  default['user']['home_root']      = "/home"
+  default['user']['default_shell']  = "/bin/ksh"
+when 'mac_os_x', 'mac_os_x_server'
+  default['user']['home_root']      = "/Users"
+  default['user']['default_shell']  = "/bin/bash"
+when 'omnios'
+  default['user']['home_root']      = "/export/home"
+  default['user']['default_shell']  = "/bin/bash"
+else
+  default['user']['home_root']      = "/home"
+  default['user']['default_shell']  = nil
+end
+
+default['user']['home_dir_mode'] = '2755'
+
+default['user']['manage_home']        = "true"
+default['user']['create_user_group']  = "true"
+default['user']['ssh_keygen']         = "true"
+default['user']['non_unique']         = "false"
+
+default['user']['data_bag_name']        = "users"
+default['user']['user_array_node_attr'] = "users"
+
+default[default['user']['user_array_node_attr']] = []

data/cookbooks/user/libraries/matchers.rb

@@ -0,0 +1,26 @@
+if defined?(ChefSpec)
+  if Gem::Version.new(ChefSpec::VERSION) < Gem::Version.new('4.1.0')
+    ChefSpec::Runner.define_runner_method :user_account
+  else
+    ChefSpec.define_matcher :user_account
+  end
+
+  def create_user_account(user)
+    ChefSpec::Matchers::ResourceMatcher.new(:user_account, :create, user)
+  end
+  def remove_user_account(user)
+    ChefSpec::Matchers::ResourceMatcher.new(:user_account, :remove, user)
+  end
+  def modify_user_account(user)
+    ChefSpec::Matchers::ResourceMatcher.new(:user_account, :modify, user)
+  end
+  def manage_user_account(user)
+    ChefSpec::Matchers::ResourceMatcher.new(:user_account, :manage, user)
+  end
+  def lock_user_account(user)
+    ChefSpec::Matchers::ResourceMatcher.new(:user_account, :lock, user)
+  end
+  def unlock_user_account(user)
+    ChefSpec::Matchers::ResourceMatcher.new(:user_account, :unlock, user)
+  end
+end

data/cookbooks/user/metadata.json

@@ -0,0 +1,46 @@
+{
+  "name": "user",
+  "description": "A convenient Chef LWRP to manage user accounts and SSH keys (this is not the opscode users cookbook)",
+  "long_description": "# <a name=\"title\"></a> User Chef Cookbook\n\n[![Build Status](https://secure.travis-ci.org/fnichol/chef-user.png?branch=master)](http://travis-ci.org/fnichol/chef-user)\n\n## <a name=\"description\"></a> Description\n\nA convenient Chef LWRP to manage user accounts and SSH keys. This is **not**\nthe Opscode *users* cookbook.\n\n* Website: http://fnichol.github.io/chef-user/\n* Opscode Community Site: http://community.opscode.com/cookbooks/user\n* Source Code: https://github.com/fnichol/chef-user\n\n## <a name=\"usage\"></a> Usage\n\nSimply include this cookbook as a dependency in `metadata.rb` and the `user_account`\nresource will be available. Example:\n\n    # In your_cookbook/metadata.rb\n    depends 'user'\n\n    # In your_cookbook/recipes/default.rb\n    user_account 'hsolo' do\n        ssh_keygen true\n    end\n\nTo use `recipe[user::data_bag]`, include it in your run\\_list and have a\ndata bag called `\"users\"` with an item like the following:\n\n    {\n      \"id\"        : \"hsolo\",\n      \"comment\"   : \"Han Solo\",\n      \"home\"      : \"/opt/hoth/hsolo\",\n      \"groups\"    : [\"admin\", \"www-data\"],\n      \"ssh_keys\"  : [\"123...\", \"456...\"]\n    }\n\nor a user to be removed:\n\n    {\n      \"id\"      : \"lando\",\n      \"action\"  : \"remove\"\n    }\n\nIf you have a username containing a period, use a dash in the data bag item\nand set a `username` attribute:\n\n    {\n      \"id\"        : \"luke-skywalker\",\n      \"username\"  : \"luke.skywalker\",\n      \"action\"    : [\"create\", \"lock\"]\n    }\n\nThe data bag recipe will iterate through a list of usernames defined in\n`node['users']` (by default) and attempt to pull in the user's information\nfrom the data bag item. In other words, having:\n\n    node['users'] = ['hsolo', 'lando', 'luke.skywalker']\n\nwill set up the `hsolo` user information and not use the `lando` user\ninformation.\n\n## <a name=\"requirements\"></a> Requirements\n\n### <a name=\"requirements-chef\"></a> Chef\n\nTested on 0.10.8 but newer and older version should work just fine. File an\n[issue][issues] if this isn't the case.\n\n### <a name=\"requirements-platform\"></a> Platform\n\nThe following platforms have been tested with this cookbook, meaning that the\nrecipes run on these platforms without error:\n\n* ubuntu\n* debian\n* mac_os_x\n\n### <a name=\"requirements-cookbooks\"></a> Cookbooks\n\nThere are **no** external cookbook dependencies.\n\n## <a name=\"installation\"></a> Installation\n\nDepending on the situation and use case there are several ways to install\nthis cookbook. All the methods listed below assume a tagged version release\nis the target, but omit the tags to get the head of development. A valid\nChef repository structure like the [Opscode repo][chef_repo] is also assumed.\n\n### <a name=\"installation-platform\"></a> From the Community Site\n\nTo install this cookbook from the Community Site, use the *knife* command:\n\n    knife cookbook site install user\n\n### <a name=\"installation-berkshelf\"></a> Using Berkshelf\n\n[Berkshelf][berkshelf] is a cookbook dependency manager and development\nworkflow assistant. To install Berkshelf:\n\n    cd chef-repo\n    gem install berkshelf\n    berks init\n\nTo use the Community Site version:\n\n    echo \"cookbook 'user'\" >> Berksfile\n    berks install\n\nOr to reference the Git version:\n\n    repo=\"fnichol/chef-user\"\n    latest_release=$(curl -s https://api.github.com/repos/$repo/git/refs/tags \\\n    | ruby -rjson -e '\n      j = JSON.parse(STDIN.read);\n      puts j.map { |t| t[\"ref\"].split(\"/\").last }.sort.last\n    ')\n    cat >> Berksfile <<END_OF_BERKSFILE\n    cookbook 'user',\n      :git => 'git://github.com/$repo.git', :branch => '$latest_release'\n    END_OF_BERKSFILE\n    berks install\n\n### <a name=\"installation-librarian\"></a> Using Librarian-Chef\n\n[Librarian-Chef][librarian] is a bundler for your Chef cookbooks.\nTo install Librarian-Chef:\n\n    cd chef-repo\n    gem install librarian\n    librarian-chef init\n\nTo use the Opscode platform version:\n\n    echo \"cookbook 'user'\" >> Cheffile\n    librarian-chef install\n\nOr to reference the Git version:\n\n    repo=\"fnichol/chef-user\"\n    latest_release=$(curl -s https://api.github.com/repos/$repo/git/refs/tags \\\n    | ruby -rjson -e '\n      j = JSON.parse(STDIN.read);\n      puts j.map { |t| t[\"ref\"].split(\"/\").last }.sort.last\n    ')\n    cat >> Cheffile <<END_OF_CHEFFILE\n    cookbook 'user',\n      :git => 'git://github.com/$repo.git', :ref => '$latest_release'\n    END_OF_CHEFFILE\n    librarian-chef install\n\n## <a name=\"recipes\"></a> Recipes\n\n### <a name=\"recipes-default\"></a> default\n\nThis recipe is a no-op and does nothing.\n\n### <a name=\"recipes-data-bag\"></a> data_bag\n\nProcesses a list of users with data drawn from a data bag. The default data bag\nis `users` and the list of user accounts to create on this node is set on\n`node['users']`.\n\n## <a name=\"attributes\"></a> Attributes\n\n### <a name=\"attributes-home-root\"></a> home_root\n\nThe default parent path of a user's home directory. Each resource can override\nthis value which varies by platform. Generally speaking, the default value is\n`\"/home\"`.\n\n### <a name=\"attributes-default-shell\"></a> default_shell\n\nThe default user shell given to a user. Each resource can override this value\nwhich varies by platform. Generally speaking, the default value is\n`\"/bin/bash\"`.\n\n### <a name=\"attributes-home-dir-mode\"></a> home_dir_mode\n\nThe default Unix permissions applied to a user's home directory.\n\nThe default is `\"2755\"`.\n\n### <a name=\"attributes-manage-home\"></a> manage_home\n\nWhether of not to manage the home directory of a user by default. Each resource\ncan override this value. The are 2 valid states:\n\n* `\"true\"`, `true`, or `\"yes\"`: will manage the user's home directory.\n* `\"false\"`, `false`, or `\"no\"`: will not manage the user's home directory.\n\nThe default is `true`.\n\n### <a name=\"attributes-non-unique\"></a> non_unique\n\nWhether of not to allow the creation of a user account with a duplicate UID.\nEach resource can override this value. The are 2 valid states:\n\n* `\"true\"`, `true`, or `\"yes\"`: will allow duplicate UIDs.\n* `\"false\"`, `false`, or `\"no\"`: will not allow duplicate UIDs.\n\nThe default is `false`.\n\n### <a name=\"attributes-create-user-group\"></a> create_group\n\nWhether or not to to create a group with the same name as the user by default.\nEach resource can override this value. The are 2 valid states:\n\n* `\"true\"`, `true`, or `\"yes\"`: will create a group for the user by default.\n* `\"false\"`, `false`, or `\"no\"`: will not create a group for the user by default.\n\nThe default is `true`.\n\n### <a name=\"attributes-ssh-keygen\"></a> ssh_keygen\n\nWhether or not to generate an SSH keypair for the user by default. Each\nresource can override this value. There are 2 valid states:\n\n* `\"true\"`, `true`, or `\"yes\"`: will generate an SSH keypair when the account\n  is created.\n* `\"false\"`, `false`, or `\"no\"`: will not generate an SSH keypair when the account\n  is created.\n\nThe default is `true`.\n\n### <a name=\"attributes-data-bag-name\"></a> data_bag_name\n\nThe data bag name containing a group of user account information. This is used\nby the `data_bag` recipe to use as a database of user accounts.\n\nThe default is `\"users\"`.\n\n### <a name=\"attributes-user-array-node-attr\"></a> user_array_node_attr\n\nThe node attributes containing an array of users to be managed. If a nested\nhash in the node's attributes is required, then use a `/` between subhashes.\nFor example, if the users' array is stored in `node['system']['accounts']`),\nthen set `node['user']['user_array_node_attr']` to `\"system/accounts\"`.\n\nThe default is `\"users\"`.\n\n## <a name=\"lwrps\"></a> Resources and Providers\n\n### <a name=\"lwrps-ua\"></a> user_account\n\n**Note:** in order to use the `password` attribute, you must have the\n[ruby-shadow gem][ruby-shadow_gem] installed. On Debian/Ubuntu you can get\nthis by installing the \"libshadow-ruby1.8\" package.\n\n### <a name=\"lwrps-ua-actions\"></a> Actions\n\n<table>\n  <thead>\n    <tr>\n      <th>Action</th>\n      <th>Description</th>\n      <th>Default</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td>create</td>\n      <td>\n        Create the user, its home directory, <code>.ssh/authorized_keys</code>,\n        and <code>.ssh/{id_rsa,id_rsa.pub}</code>.\n      </td>\n      <td>Yes</td>\n    </tr>\n    <tr>\n      <td>remove</td>\n      <td>Remove the user account.</td>\n      <td>&nbsp;</td>\n    </tr>\n    <tr>\n      <td>modify</td>\n      <td>Modify the user account.</td>\n      <td>&nbsp;</td>\n    </tr>\n    <tr>\n      <td>manage</td>\n      <td>Manage the user account.</td>\n      <td>&nbsp;</td>\n    </tr>\n    <tr>\n      <td>lock</td>\n      <td>Lock the user's password.</td>\n      <td>&nbsp;</td>\n    </tr>\n    <tr>\n      <td>unlock</td>\n      <td>Unlock the user's password.</td>\n      <td>&nbsp;</td>\n    </tr>\n  </tbody>\n</table>\n\n### <a name=\"lwrps-ua-attributes\"></a> Attributes\n\n<table>\n  <thead>\n    <tr>\n      <th>Attribute</th>\n      <th>Description</th>\n      <th>Default Value</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td>username</td>\n      <td><b>Name attribute:</b> The name of the user.</td>\n      <td><code>nil</code></td>\n    </tr>\n    <tr>\n      <td>comment</td>\n      <td>Gecos/Comment field.</td>\n      <td><code>nil</code></td>\n    </tr>\n    <tr>\n      <td>uid</td>\n      <td>The numeric user id.</td>\n      <td><code>nil</code></td>\n    </tr>\n    <tr>\n      <td>gid</td>\n      <td>The primary group id.</td>\n      <td><code>nil</code></td>\n    </tr>\n    <tr>\n      <td>groups</td>\n      <td>Array of other groups this user should be a member of.</td>\n      <td><code>nil</code></td>\n    </tr>\n    <tr>\n      <td>home</td>\n      <td>Home directory location.</td>\n      <td><code>\"#{node['user']['home_root']}/#{username}</code></td>\n    </tr>\n    <tr>\n      <td>shell</td>\n      <td>The login shell.</td>\n      <td><code>node['user']['default_shell']</code></td>\n    </tr>\n    <tr>\n      <td>password</td>\n      <td>Shadow hash of password.</td>\n      <td><code>nil</code></td>\n    </tr>\n    <tr>\n      <td>system_user</td>\n      <td>Whether or not to create a system user.</td>\n      <td><code>false</code></td>\n    </tr>\n    <tr>\n      <td>manage_home</td>\n      <td>Whether or not to manage the home directory.</td>\n      <td><code>true</code></td>\n    </tr>\n    <tr>\n      <td>non_unique</td>\n      <td>Whether or not to allow the creation of a user account with a duplicate UID.</td>\n      <td><code>false</code></td>\n    </tr>\n    <tr>\n      <td>create_group</td>\n      <td>\n        Whether or not to to create a group with the same name as the user.\n      </td>\n      <td><code>node['user']['create_group']</code></td>\n    </tr>\n    <tr>\n      <td>ssh_keys</td>\n      <td>\n        A <b>String</b> or <b>Array</b> of SSH public keys to populate the\n        user's <code>.ssh/authorized_keys</code> file.\n      </td>\n      <td><code>[]</code></td>\n    </tr>\n    <tr>\n      <td>ssh_keygen</td>\n      <td>Whether or not to generate an SSH keypair for the user.</td>\n      <td><code>node['user']['ssh_keygen']</code></td>\n    </tr>\n    <tr>\n      <td>groups</td>\n      <td>An Array of groups to which to add the user.</td>\n      <td><code>[]</code></td>\n    </tr>\n  </tbody>\n</table>\n\n#### <a name=\"lwrps-ua-examples\"></a> Examples\n\n##### Creating a User Account\n\n    user_account 'hsolo' do\n      comment   'Han Solo'\n      ssh_keys  ['3dc348d9af8027df7b9c...', '2154d3734d609eb5c452...']\n      home      '/opt/hoth/hsolo'\n    end\n\n##### Creating and Locking a User Account\n\n    user_account 'lando' do\n      action  [:create, :lock]\n    end\n\n##### Removing a User account\n\n    user_account 'obiwan' do\n      action  :remove\n    end\n\n## <a name=\"development\"></a> Development\n\n* Source hosted at [GitHub][repo]\n* Report issues/Questions/Feature requests on [GitHub Issues][issues]\n\nPull requests are very welcome! Make sure your patches are well tested.\nIdeally create a topic branch for every separate change you make.\n\n## <a name=\"license\"></a> License and Author\n\nAuthor:: [Fletcher Nichol][fnichol] (<fnichol@nichol.ca>) [![endorse](http://api.coderwall.com/fnichol/endorsecount.png)](http://coderwall.com/fnichol)\n\nCopyright 2011, Fletcher Nichol\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\n[berkshelf]:      http://berkshelf.com/\n[chef_repo]:    https://github.com/opscode/chef-repo\n[cheffile]:     https://github.com/applicationsonline/librarian/blob/master/lib/librarian/chef/templates/Cheffile\n[kgc]:          https://github.com/websterclay/knife-github-cookbooks#readme\n[librarian]:    https://github.com/applicationsonline/librarian#readme\n[ruby-shadow_gem]:  https://rubygems.org/gems/ruby-shadow\n\n[repo]:         https://github.com/fnichol/chef-user\n[issues]:       https://github.com/fnichol/chef-user/issues\n",
+  "maintainer": "Fletcher Nichol",
+  "maintainer_email": "fnichol@nichol.ca",
+  "license": "Apache 2.0",
+  "platforms": {
+    "ubuntu": ">= 0.0.0",
+    "debian": ">= 0.0.0",
+    "mac_os_x": ">= 0.0.0",
+    "suse": ">= 0.0.0",
+    "omnios": ">= 0.0.0"
+  },
+  "dependencies": {
+
+  },
+  "recommendations": {
+
+  },
+  "suggestions": {
+
+  },
+  "conflicting": {
+
+  },
+  "providing": {
+
+  },
+  "replacing": {
+
+  },
+  "attributes": {
+
+  },
+  "groupings": {
+
+  },
+  "recipes": {
+    "user": "This recipe is a no-op and does nothing.",
+    "user::data_bag": "Processes a list of users with data drawn from a data bag."
+  },
+  "version": "0.4.2",
+  "source_url": "",
+  "issues_url": ""
+}

data/cookbooks/user/providers/account.rb

@@ -0,0 +1,212 @@
+#
+# Cookbook Name:: user
+# Provider:: account
+#
+# Author:: Fletcher Nichol <fnichol@nichol.ca>
+#
+# Copyright 2011, Fletcher Nichol
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+require "chef/resource"
+
+use_inline_resources
+
+def whyrun_supported?
+  true
+end
+
+def load_current_resource
+  @my_home = new_resource.home ||
+    "#{node['user']['home_root']}/#{new_resource.username}"
+  @my_shell = new_resource.shell || node['user']['default_shell']
+  @manage_home = bool(new_resource.manage_home, node['user']['manage_home'])
+  @non_unique = bool(new_resource.non_unique, node['user']['non_unique'])
+  @create_group = bool(new_resource.create_group, node['user']['create_group'])
+  @ssh_keygen = bool(new_resource.ssh_keygen, node['user']['ssh_keygen'])
+end
+
+action :create do # ~FC017: LWRP does not notify when updated
+  user_resource             :create
+  home_dir_resource         :create
+  authorized_keys_resource  :create
+  keygen_resource           :create
+end
+
+action :remove do # ~FC017: LWRP does not notify when updated
+  # Removing a user will also remove all the other file based resources.
+  # By only removing the user it will make this action idempotent.
+  user_resource             :remove
+end
+
+action :modify do # ~FC017: LWRP does not notify when updated
+  user_resource             :modify
+  home_dir_resource         :create
+  authorized_keys_resource  :create
+  keygen_resource           :create
+end
+
+action :manage do # ~FC017: LWRP does not notify when updated
+  user_resource             :manage
+  home_dir_resource         :create
+  authorized_keys_resource  :create
+  keygen_resource           :create
+end
+
+action :lock do # ~FC017: LWRP does not notify when updated
+  user_resource             :lock
+  home_dir_resource         :create
+  authorized_keys_resource  :create
+  keygen_resource           :create
+end
+
+action :unlock do # ~FC017: LWRP does not notify when updated
+  user_resource             :unlock
+  home_dir_resource         :create
+  authorized_keys_resource  :create
+  keygen_resource           :create
+end
+
+private
+
+def bool(resource_val, default_val)
+  if resource_val.nil?
+    normalize_bool(default_val)
+  else
+    normalize_bool(resource_val)
+  end
+end
+
+def normalize_bool(val)
+  case val
+  when 'no','false',false then false
+  else true
+  end
+end
+
+def user_resource(exec_action)
+  # avoid variable scoping issues in resource block
+  my_home, my_shell, manage_home, non_unique = @my_home, @my_shell, @manage_home, @non_unique
+  my_dir = ::File.dirname(my_home)
+
+  r = directory "#{my_home} parent directory" do
+    path my_dir
+    recursive true
+    action    :nothing
+  end
+  r.run_action(:create) unless exec_action == :delete
+  new_resource.updated_by_last_action(true) if r.updated_by_last_action?
+
+  r = user new_resource.username do
+    comment   new_resource.comment  if new_resource.comment
+    uid       new_resource.uid      if new_resource.uid
+    gid       new_resource.gid      if new_resource.gid
+    home      my_home               if my_home
+    shell     my_shell              if my_shell
+    password  new_resource.password if new_resource.password
+    system    new_resource.system_user # ~FC048: Prefer Mixlib::ShellOut
+    supports  :manage_home => manage_home, :non_unique => non_unique
+    action    :nothing
+  end
+  r.run_action(exec_action)
+  new_resource.updated_by_last_action(true) if r.updated_by_last_action?
+
+  # fixes CHEF-1699
+  Etc.endgrent
+end
+
+def home_dir_resource(exec_action)
+  # avoid variable scoping issues in resource block
+  my_home = @my_home
+  r = directory my_home do
+    path        my_home
+    owner       new_resource.username
+    group       Etc.getpwnam(new_resource.username).gid
+    mode        node['user']['home_dir_mode']
+    recursive   true
+    action      :nothing
+  end
+  r.run_action(exec_action)
+  new_resource.updated_by_last_action(true) if r.updated_by_last_action?
+end
+
+def home_ssh_dir_resource(exec_action)
+  # avoid variable scoping issues in resource block
+  my_home = @my_home
+  r = directory "#{my_home}/.ssh" do
+    path        "#{my_home}/.ssh"
+    owner       new_resource.username
+    group       Etc.getpwnam(new_resource.username).gid
+    mode        '0700'
+    recursive   true
+    action      :nothing
+  end
+  r.run_action(exec_action)
+  new_resource.updated_by_last_action(true) if r.updated_by_last_action?
+end
+
+
+def authorized_keys_resource(exec_action)
+  # avoid variable scoping issues in resource block
+  ssh_keys = Array(new_resource.ssh_keys)
+  unless ssh_keys.empty?
+    home_ssh_dir_resource(exec_action)
+
+    r = template "#{@my_home}/.ssh/authorized_keys" do
+      cookbook    'user'
+      source      'authorized_keys.erb'
+      owner       new_resource.username
+      group       Etc.getpwnam(new_resource.username).gid
+      mode        '0600'
+      variables   :user     => new_resource.username,
+        :ssh_keys => ssh_keys,
+        :fqdn     => node['fqdn']
+      action      :nothing
+    end
+
+    r.run_action(exec_action)
+    new_resource.updated_by_last_action(true) if r.updated_by_last_action?
+  end
+end
+
+def keygen_resource(exec_action)
+  # avoid variable scoping issues in resource block
+  fqdn, my_home = node['fqdn'], @my_home
+
+  e = execute "create ssh keypair for #{new_resource.username}" do
+    cwd       my_home
+    user      new_resource.username
+    command   <<-KEYGEN.gsub(/^ +/, '')
+      ssh-keygen -t rsa -f #{my_home}/.ssh/id_rsa -N '' \
+        -C '#{new_resource.username}@#{fqdn}-#{Time.now.strftime('%FT%T%z')}'
+      chmod 0600 #{my_home}/.ssh/id_rsa
+      chmod 0644 #{my_home}/.ssh/id_rsa.pub
+    KEYGEN
+    action    :nothing
+
+    creates   "#{my_home}/.ssh/id_rsa"
+  end
+  home_ssh_dir_resource(exec_action)
+  e.run_action(:run) if @ssh_keygen && exec_action == :create
+  new_resource.updated_by_last_action(true) if e.updated_by_last_action?
+
+  if exec_action == :delete then
+    ["#{@my_home}/.ssh/id_rsa", "#{@my_home}/.ssh/id_rsa.pub"].each do |keyfile|
+      r = file keyfile do
+        backup  false
+        action :delete
+      end
+      new_resource.updated_by_last_action(true) if r.updated_by_last_action?
+    end
+  end
+end

data/cookbooks/user/recipes/data_bag.rb

@@ -0,0 +1,59 @@
+#
+# Cookbook Name:: user
+# Recipe:: data_bag
+#
+# Copyright 2011, Fletcher Nichol
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+bag = node['user']['data_bag_name']
+
+# Fetch the user array from the node's attribute hash. If a subhash is
+# desired (ex. node['base']['user_accounts']), then set:
+#
+#     node['user']['user_array_node_attr'] = "base/user_accounts"
+user_array = node
+node['user']['user_array_node_attr'].split("/").each do |hash_key|
+  user_array = user_array.send(:[], hash_key)
+end
+
+groups = {}
+
+# only manage the subset of users defined
+Array(user_array).each do |i|
+  u = data_bag_item(bag, i.gsub(/[.]/, '-'))
+  username = u['username'] || u['id']
+
+  user_account username do
+    %w{comment uid gid home shell password system_user manage_home create_group
+        ssh_keys ssh_keygen non_unique}.each do |attr|
+      send(attr, u[attr]) if u[attr]
+    end
+    action Array(u['action']).map { |a| a.to_sym } if u['action']
+  end
+
+  unless u['groups'].nil? || u['action'] == 'remove'
+    u['groups'].each do |groupname|
+      groups[groupname] = [] unless groups[groupname]
+      groups[groupname] += [username]
+    end
+  end
+end
+
+groups.each do |groupname, users|
+  group groupname do
+    members users
+    append true
+  end
+end

data/cookbooks/user/recipes/default.rb

@@ -0,0 +1,18 @@
+#
+# Cookbook Name:: user
+# Recipe:: default
+#
+# Copyright 2011, Fletcher Nichol
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#

data/cookbooks/user/resources/account.rb

@@ -0,0 +1,41 @@
+#
+# Cookbook Name:: user
+# Resource:: account
+#
+# Author:: Fletcher Nichol <fnichol@nichol.ca>
+#
+# Copyright 2011, Fletcher Nichol
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+actions :create, :remove, :modify, :manage, :lock, :unlock
+
+attribute :username,      :kind_of => String, :name_attribute => true
+attribute :comment,       :kind_of => String
+attribute :uid,           :kind_of => [String,Integer]
+attribute :gid,           :kind_of => [String,Integer]
+attribute :home,          :kind_of => String
+attribute :shell,         :kind_of => String
+attribute :password,      :kind_of => String
+attribute :system_user,   :default => false
+attribute :manage_home,   :default => nil
+attribute :non_unique,    :default => nil
+attribute :create_group,  :default => nil
+attribute :ssh_keys,      :kind_of => [Array,String], :default => []
+attribute :ssh_keygen,    :default => nil
+
+def initialize(*args)
+  super
+  @action = :create
+end