macadmin 0.0.4

data/lib/macadmin/dslocal/group.rb

@@ -0,0 +1,82 @@
+module MacAdmin
+  
+  # Group
+  # - creates and manages Mac OS X User Groups
+  # - params: :name, :realname, :gid
+  class Group < DSLocalRecord
+    
+    MIN_GID = 501
+    
+    def initialize(args)
+      @member_class = User  unless defined? @member_class
+      @group_class  = Group unless defined? @group_class
+      super args
+    end
+    
+    # Examine the object's users array for "member"
+    # - single param: the name of a user (String)
+    def has_user?(member)
+      self[:users].member? member
+    end
+    
+    # Add a member to the object's users array
+    # - single param: the name of a user (String)
+    def add_user(member)
+      user = @member_class.new :name => member, :node => self.node
+      raise unless user.exists?
+      self[:users] << member
+      self[:users].uniq!
+    end
+    
+    # Remove a member from the object's users array
+    # - single param: the name of a user (String)
+    def rm_user(member)
+      self[:users].delete member
+    end
+    
+    # Examine the object's groupmembers array for "member"
+    # - single param: the name of a group (String)
+    def has_groupmember?(member)
+      group = @group_class.new :name => member, :node => self.node
+      return false unless group.exists?
+      self[:groupmembers].member? group.generateduid.first
+    end
+    
+    # Add a member to the object's groupmembers array
+    # - single param: the name of a group (String)    
+    def add_groupmember(member)
+      group = @group_class.new :name => member, :node => self.node
+      raise unless group.exists?
+      self[:groupmembers] << group.generateduid.first 
+      self[:groupmembers].uniq!
+    end
+    
+    # Remove a member from the object's groupmembers array
+    # - single param: the name of a group (String)
+    def rm_groupmember(member)
+      group = @group_class.new :name => member, :node => self.node
+      return nil unless group.exists?
+      self[:groupmembers].delete group.generateduid.first
+    end
+    
+    private
+    
+    # Handle required but unspecified record attributes
+    # - generates missing attributes
+    # - changes are merged into the composite record
+    def defaults(data)
+      records = all_records(@node)
+      next_gid = next_id(MIN_GID, get_all_attribs_of_type(:gid, records))
+      defaults = {
+        'realname' => ["#{data['name'].first.capitalize}"],
+        'gid'   => ["#{next_gid}"],
+        'passwd'  => ['*'],
+        'groupmembers' => [],
+        'users' => [],
+      }
+      super defaults.merge(data)
+    end
+    
+  end
+  
+end

data/lib/macadmin/dslocal/user.rb

@@ -0,0 +1,113 @@
+module MacAdmin
+  
+  # User
+  # - creates and manages Mac OS X User accounts
+  # - params: :name, :realname, :password, :uid, :gid, :shell, :home, :comment
+  class User < DSLocalRecord
+    
+    MIN_UID = 501
+    
+    # Override parent initialization
+    # - capture the password if it exists
+    # - if there's no password object param, try to get one
+    # - shoehorn the password into the User record
+    def initialize(args)
+      if args.respond_to?(:keys)
+        @password = args.delete(:password)
+      end
+      super(args)
+      if @password
+        self.send(:password=)
+      else
+        @password = ShadowHash.create_from_user_record(self)
+      end
+    end
+    
+    # Generic setter
+    # - Accepts a ShadowHash object
+    # - delegates the storage operation to the ShadowHash object itself
+    def password=(password = @password)
+      error = 'Argument was not a ShadowHash object'
+      unless password.nil? or password.respond_to? :password
+        raise ArgumentError.new(error)
+      end
+      @password = password
+      @password.send(:store, self) unless @password.nil?
+    end
+    
+    # Generic getter
+    # - Returns Ruby Hash representation of the User's password
+    def password
+      return nil unless @password
+      @password.password
+    end
+    
+    # Legacy user records are determined by SHA1 password type
+    # - returns boolean
+    def legacy?
+      @password.is_a? SaltedSHA1
+    end
+    
+    # Does the specified resource already exist?
+    # - overrides parent method; required for Legacy users
+    # - checks the password if SHA1 and kicks up to parent
+    def exists?
+      if self.legacy?
+        password_on_disk = SaltedSHA1.create_from_shadowhash_file self.generateduid[0]
+        return false unless password_on_disk
+        return false unless password_on_disk.password.eql? @password.password
+      end
+      super
+    end
+    
+    # Create the record
+    # - overrides parent method; required for Legacy users
+    # - creates the password if SHA1 and kicks up to parent
+    def create(file=@file)
+      if self.legacy?
+        return unless @password.send(:to_file, self)        
+      end
+      super
+    end
+    
+    # Delete the record
+    # - overrides parent method; required for Legacy users
+    # - destroys the password if SHA1 and kicks up to parent
+    def destroy(file=@file)
+      if self.legacy?
+        return unless @password.send(:rm_file, self)        
+      end
+      super
+    end
+    
+    # Return a Puppet style resource manifest
+    # - need to find a sensible way of doing this
+    # - need to move this method into the Parent class
+    def to_puppet
+      puts "not implemented"
+    end
+    
+    private
+    
+    # Handle required but unspecified record attributes
+    # - generates missing attributes
+    # - changes are merged into the composite record
+    def defaults(data)
+      records = all_records(@node)
+      next_uid = next_id(MIN_UID, get_all_attribs_of_type(:uid, records))
+      defaults = {
+        'realname' => ["#{data['name'].first}"],
+        'uid' => ["#{next_uid}"], 
+        'home'  => ["/Users/#{data['name'].first}"],
+        'shell' => ['/bin/bash'],
+        'gid'   => ['20'],
+        'passwd'  => ['********'],
+        'comment' => [''],
+      }
+      super defaults.merge(data)
+    end
+    
+  end
+  
+end
+

data/lib/macadmin/mcx.rb

@@ -0,0 +1,227 @@
+module MacAdmin
+  
+  # MCX
+  # - methods and classes mixed into MacAdmin::DSLocalRecord for managing MCX policy 
+  module MCX
+    
+    # Policy
+    # - document format for mcx_export
+    class Policy
+      
+      MANIFESTS = '/System/Library/CoreServices/ManagedClient.app/Contents/Resources'
+      
+      def initialize(mcx_settings)
+        @documents = mcx_settings
+        @policy = process_documents(@documents)
+      end
+      
+      # Dump the document in a human-readable format
+      def to_plist
+        @policy.to_plist({:plist_format => CFPropertyList::List::FORMAT_XML, :formatted => true})
+      end
+      
+      private
+      
+      # Process each of the domain documents 
+      def process_documents(documents)
+        documents.inject({}) do |dict, doc|
+          plist = CFPropertyList::List.new(:data => doc)
+          native = CFPropertyList.native_types(plist.value)
+          native['mcx_application_data'].inject({}) do |result, (domain, domain_dict)|
+            dict[domain] = process_domain(domain, domain_dict)
+            dict
+          end
+        end
+      end
+      
+      # Process the domain preference document
+      # - flattens and reformats the domain document into constituent keys
+      def process_domain(domain, domain_dict)
+        manifest = "#{MANIFESTS}/#{domain}.manifest/Contents/Resources/#{domain}.manifest"
+        upk_subkeys = load_upk_subkeys(manifest)
+        domain_dict.inject({}) do |result, (enforcement, enforcement_array)|
+          enforcement_array.inject({}) do |hash, dict|
+            state = dict.include?('mcx_data_timestamp') ? 'once' : 'often'
+            state = 'always' if enforcement.eql? 'Forced'
+            dict['mcx_preference_settings'].each do |name, value|
+              result[name] = { 'state' => state, 'value' => value }
+              if upk_subkeys
+                upk = get_upk_info(name, state, upk_subkeys)
+                result[name]['upk'] = get_upk_info(name, state, upk_subkeys) if upk
+              end
+              result
+            end
+          end
+          result
+        end
+      end
+      
+      # Load the domain's preference manifest and return the UPK subkeys
+      # - returns Array
+      def load_upk_subkeys(manifest)
+        upk_subkeys = []
+        if File.exists? manifest
+          plist = CFPropertyList::List.new(:file => manifest)
+          native = CFPropertyList.native_types(plist.value)
+          upk_subkeys = native['pfm_subkeys'].select do |dict|
+            if dict['pfm_type'].eql? 'union policy'
+              dict
+            end
+          end
+        end
+        upk_subkeys
+      end
+      
+      # Determine the most appropriate UPK keys for the given preference
+      # - returns Hash
+      def get_upk_info(name, state, upk_subkeys)
+        info = nil
+        if upk_subkeys
+          results = upk_subkeys.inject({}) do |results, dict|
+            if dict['pfm_upk_input_keys'].include? name
+              results[dict['pfm_upk_output_name']] = dict
+            end
+            results
+          end
+          if results
+            if results.size > 1
+              if state.eql? 'always'
+                results = results.select { |k,v| v if k =~ /-managed\z/ }
+                info = results.flatten.last
+              else
+                results = results.select { |k,v| v if k =~ /\Auser\z/ }
+                info = results.flatten.last
+              end
+            else
+              info = results.first
+            end
+          end
+        end
+        if info
+          upk = { 'mcx_input_key_names' => info['pfm_upk_input_keys'],
+            'mcx_output_key_name' => info['pfm_upk_output_name'],
+            'mcx_remove_duplicates' => info['pfm_remove_duplicates']
+          }
+          return upk
+        end
+        nil
+      end
+      
+    end
+    
+    # EmbeddedDocument
+    # - domain level MCX document suitable for storage in the record's mcx_settings array
+    class EmbeddedDocument
+      
+      attr_reader :document
+      
+      def initialize(domain, content)
+        @document = { 'mcx_application_data' => {} }
+        @domain  = domain
+        @content = process(content)
+      end
+      
+      def formatted
+        @document.to_plist({:plist_format => CFPropertyList::List::FORMAT_XML, :formatted => true})
+      end
+      
+      def escaped
+        CGI.escapeHTML @document.to_plist({:plist_format => CFPropertyList::List::FORMAT_XML, :formatted => true})
+      end
+      
+      private
+      
+      def process(content)
+        @document['mcx_application_data'][@domain] = {}
+        content.each do |pref_name, pref_dict|
+          state = pref_dict['state']
+          enforcement = (state.eql?('always') ? 'Forced' : 'Set-Once')
+          @document['mcx_application_data'][@domain][enforcement] ||= [{}]
+          if pref_dict['upk']
+            @document['mcx_application_data'][@domain][enforcement][0]['mcx_union_policy_keys'] ||= []
+            @document['mcx_application_data'][@domain][enforcement][0]['mcx_union_policy_keys'] << pref_dict['upk']
+          end
+          @document['mcx_application_data'][@domain][enforcement][0]['mcx_preference_settings'] ||= {}
+          @document['mcx_application_data'][@domain][enforcement][0]['mcx_preference_settings'][pref_name] = pref_dict['value']
+          if state.eql? 'once'
+            @document['mcx_application_data'][@domain][enforcement][0]['mcx_data_timestamp'] = CFPropertyList::CFDate.parse_date(Time.now.utc.xmlschema)
+          end
+        end
+      end
+      
+    end
+    
+    # Settings
+    # - class representing the structure of the mcx_settings array
+    class Settings
+      
+      attr_reader :domains
+      
+      XML_TAG = '^<\?xml\sversion="1\.0"\sencoding="UTF-8"\?>'
+      
+      class << self
+        def init_with_file(path)
+          content = load_plist(path)
+          self.new(content)
+        end
+      end
+      
+      def initialize(content, type=:data)
+        type = :file unless content =~ /#{XML_TAG}/
+        plist = CFPropertyList::List.new(type => content)
+        native = CFPropertyList.native_types(plist.value)
+        @domains = []
+        @content = process(native)
+      end
+      
+      private
+      
+      def process(content)
+        content.each do |domain_name, domain_dict|
+          doc = EmbeddedDocument.new domain_name, domain_dict
+          @domains << doc.formatted
+        end
+      end
+      
+    end
+    
+    # Import MCX Content and apply it to the current object
+    # - accepts a single parameter: path to Plist file containing exported MCX policy or a string of XML content representing the MCX policy
+    # - re-formats the imported MCX for storage on the record and adds the two require attributes: mcx_flags and mcx_settings
+    # - current implmentation replaces policy wholesale (no append)
+    def mcx_import(content, append=false)
+      settings = Settings.new content
+      mcx_flags = { 'has_mcx_settings' => true }
+      mcx_flags = mcx_flags.to_plist({:plist_format => CFPropertyList::List::FORMAT_XML, :formatted => true})
+      self['mcx_flags'] = [CFPropertyList::Blob.new(mcx_flags)]
+      self['mcx_settings'] = settings.domains
+    end
+    alias :mcximport :mcx_import
+    
+    # Export the MCX preferences for the record
+    def mcx_export
+      doc = Policy.new self['mcx_settings']
+      doc.to_plist
+    end
+    alias :mcxexport :mcx_export
+    
+    # Pretty print the contents of the record's mcx_settings array
+    def pretty_mcx
+      self['mcx_settings'].collect { |doc| CGI.unescapeHTML doc }
+    end
+    
+    # Does the object have any MCX policy?
+    def has_mcx?
+      self.has_key? 'mcx_settings' and self['mcx_settings'].is_a? Array and not self['mcx_settings'].empty?
+    end
+    
+    # Remove all MCX policy from the object
+    def mcx_delete
+      self.delete('mcx_flags')
+      self.delete('mcx_settings')
+    end
+    alias :mcxdelete :mcx_delete
+    
+  end
+  
+end

data/lib/macadmin/password.rb

@@ -0,0 +1,72 @@
+module MacAdmin
+  
+  # Password
+  # - module containing methods for converting a plain String into Mac OS X password hash
+  module Password
+    
+    require 'openssl'
+    require 'securerandom'
+    
+    extend self
+    
+    # Convert ASCII string to hex bytes
+    def convert_to_hex(string)
+      string.unpack('H*').first
+    end
+    
+    # Convert hex string to CFBlob
+    def convert_to_blob(hex)
+      ascii = hex.scan(/../).collect { |byte| byte.hex.chr }.join
+      CFPropertyList::Blob.new(ascii)
+    end
+    
+    # This method is only available in Mountain Lion or better
+    if MacAdmin::Common::MAC_OS_X_PRODUCT_VERSION > 10.7
+      
+      require "macadmin/password/crypto"
+      
+      # Creates a SaltedSHA512PBKDF2 password from String
+      # - single param: String
+      # - returns: SaltedSHA512PBKDF2
+      def salted_sha512_pbkdf2(password)
+        hash = salted_sha512_pbkdf2_from_string password
+        SaltedSHA512PBKDF2.new hash
+      end
+      
+    end
+    
+    # Creates a SaltedSHA512 password from String
+    # - single param: String
+    # - returns: SaltedSHA512
+    def salted_sha512(password)
+      salt = SecureRandom.random_bytes(4)
+      hash = Digest::SHA512.hexdigest(salt + password)
+      SaltedSHA512.new(convert_to_hex(salt) + hash)
+    end
+    
+    # Creates a SaltedSHA1 password from String
+    # - single param: String
+    # - returns: SaltedSHA1
+    def salted_sha1(password)
+      salt = SecureRandom.random_bytes(4)
+      hash = Digest::SHA1.hexdigest(salt + password)
+      SaltedSHA1.new((convert_to_hex(salt) + hash).upcase)
+    end
+    
+    # Create a platform appropriate password
+    # - single param: String
+    # - returns: SaltedSHA512PBKDF2 or SaltedSHA512 or SaltedSHA1 depending on platform
+    def apropos(password)
+      platform = MacAdmin::Common::MAC_OS_X_PRODUCT_VERSION
+      if platform >= 10.8
+        return salted_sha512_pbkdf2 password
+      elsif platform == 10.7
+        return salted_sha512 password
+      else
+        return salted_sha1 password
+      end
+    end
+    
+  end
+    
+end