puppet 0.24.6 → 0.24.7

data/lib/puppet/provider/mcx/mcxcontent.rb

@@ -0,0 +1,201 @@
+#--
+# Copyright (C) 2008 Jeffrey J McCune.
+
+# This program and entire repository is free software; you can
+# redistribute it and/or modify it under the terms of the GNU 
+# General Public License as published by the Free Software 
+# Foundation; either version 2 of the License, or any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+# Author: Jeff McCune <mccune.jeff@gmail.com>
+
+require 'tempfile'
+
+Puppet::Type.type(:mcx).provide :mcxcontent, :parent => Puppet::Provider do
+
+    desc "MCX Settings management using DirectoryService on OS X.
+
+  This provider manages the entire MCXSettings attribute available
+  to some directory services nodes.  This management is 'all or nothing'
+  in that discrete application domain key value pairs are not managed
+  by this provider.
+
+  It is recommended to use WorkGroup Manager to configure Users, Groups,
+  Computers, or ComputerLists, then use 'ralsh mcx' to generate a puppet
+  manifest from the resulting configuration.
+
+  Original Author: Jeff McCune (mccune.jeff@gmail.com)
+
+"
+
+    # This provides a mapping of puppet types to DirectoryService
+    # type strings.
+    TypeMap = {
+        :user => "Users",
+        :group => "Groups",
+        :computer => "Computers",
+        :computerlist => "ComputerLists",
+    }
+
+    class MCXContentProviderException < Exception
+
+    end
+
+    commands :dscl => "/usr/bin/dscl"
+    confine :operatingsystem => :darwin
+    defaultfor :operatingsystem => :darwin
+
+    # self.instances is all important.
+    # This is the only class method, it returns
+    # an array of instances of this class.
+    def self.instances
+        mcx_list = []
+        for ds_type in TypeMap.keys
+            ds_path = "/Local/Default/#{TypeMap[ds_type]}"
+            output = dscl 'localhost', '-list', ds_path
+            member_list = output.split
+            for ds_name in member_list
+                content = mcxexport(ds_type, ds_name)
+                if content.empty?
+                    Puppet.debug "/#{TypeMap[ds_type]}/#{ds_name} has no MCX data."
+                else 
+                    # This node has MCX data.
+                    rsrc = self.new(:name => "/#{TypeMap[ds_type]}/#{ds_name}",
+                                 :ds_type => ds_type,
+                                 :ds_name => ds_name,
+                                 :content => content)
+                    mcx_list << rsrc
+                end
+            end
+        end
+        return mcx_list
+    end
+
+    private
+
+    # mcxexport is used by instances, and therefore
+    # a class method.
+    def self.mcxexport(ds_type, ds_name)
+        ds_t = TypeMap[ds_type]
+        ds_n = ds_name.to_s
+        ds_path = "/Local/Default/#{ds_t}/#{ds_n}"
+        dscl 'localhost', '-mcxexport', ds_path
+    end
+
+    def mcximport(ds_type, ds_name, val)
+        ds_t = TypeMap[ds_type]
+        ds_n = ds_name.to_s
+        ds_path = "/Local/Default/#{ds_t}/#{ds_name}"
+
+        tmp = Tempfile.new('puppet_mcx')
+        begin
+            tmp << val
+            tmp.flush
+            dscl 'localhost', '-mcximport', ds_path, tmp.path
+        ensure
+            tmp.close
+            tmp.unlink
+        end
+    end
+
+    # Given the resource name string, parse ds_type out.
+    def parse_type(name)
+        tmp = name.split('/')[1]
+        if ! tmp.is_a? String
+            raise MCXContentProviderException,
+            "Coult not parse ds_type from resource name '#{name}'.  Specify with ds_type parameter."
+        end
+        # De-pluralize and downcase.
+        tmp = tmp.chop.downcase.to_sym
+        if not TypeMap.keys.member? tmp
+            raise MCXContentProviderException,
+            "Coult not parse ds_type from resource name '#{name}'.  Specify with ds_type parameter."
+        end
+        return tmp
+    end
+
+    # Given the resource name string, parse ds_name out.
+    def parse_name(name)
+        ds_name = name.split('/')[2]
+        if ! ds_name.is_a? String
+            raise MCXContentProviderException,
+            "Could not parse ds_name from resource name '#{name}'.  Specify with ds_name parameter."
+        end
+        return ds_name
+    end
+
+    # Gather ds_type and ds_name from resource or
+    # parse it out of the name.
+    # This is a private instance method, not a class method.
+    def get_dsparams
+        ds_type = resource[:ds_type]
+        if ds_type.nil?
+            ds_type = parse_type(resource[:name])
+        end
+        raise MCXContentProviderException unless TypeMap.keys.include? ds_type.to_sym
+
+        ds_name = resource[:ds_name]
+        if ds_name.nil?
+            ds_name = parse_name(resource[:name])
+        end
+
+        rval = {
+            :ds_type => ds_type.to_sym,
+            :ds_name => ds_name,
+        }
+
+        return rval
+
+    end
+
+    public
+
+    def create
+        self.content=(resource[:content])
+    end
+
+    def destroy
+        ds_parms = get_dsparams
+        ds_t = TypeMap[ds_parms[:ds_type]]
+        ds_n = ds_parms[:ds_name].to_s
+        ds_path = "/Local/Default/#{ds_t}/#{ds_n}"
+
+        dscl 'localhost', '-mcxdelete', ds_path
+    end
+
+    def exists?
+        # JJM Just re-use the content method and see if it's empty.
+        begin
+            mcx = content
+        rescue Puppet::ExecutionFailure => e
+            return false
+        end
+        has_mcx = ! mcx.empty?
+        return has_mcx
+    end
+
+    def content
+        ds_parms = get_dsparams
+        mcx = self.class.mcxexport(ds_parms[:ds_type],
+                                   ds_parms[:ds_name])
+        return mcx
+    end
+
+    def content=(value)
+        # dscl localhost -mcximport
+        ds_parms = get_dsparams
+        mcx = mcximport(ds_parms[:ds_type],
+                        ds_parms[:ds_name],
+                        resource[:content])
+        return mcx
+    end
+
+end

data/lib/puppet/provider/nameservice/directoryservice.rb

@@ -14,6 +14,8 @@
 
 require 'puppet'
 require 'puppet/provider/nameservice'
+require 'facter/util/plist'
+
 
 class Puppet::Provider::NameService
 class DirectoryService < Puppet::Provider::NameService
@@ -26,6 +28,7 @@ class DirectoryService < Puppet::Provider::NameService
         attr_writer :ds_path
     end
 
+    
     # JJM 2007-07-24: Not yet sure what initvars() does.  I saw it in netinfo.rb
     # I do know, however, that it makes methods "work"  =)
     # e.g. addcmd isn't available if this method call isn't present.
@@ -36,9 +39,9 @@ class DirectoryService < Puppet::Provider::NameService
     initvars()
     
     commands :dscl => "/usr/bin/dscl"
+    commands :dseditgroup => "/usr/sbin/dseditgroup"
     confine :operatingsystem => :darwin
-    # JJM FIXME: This will need to be the default around October 2007.
-    # defaultfor :operatingsystem => :darwin
+    defaultfor :operatingsystem => :darwin
 
 
     # JJM 2007-07-25: This map is used to map NameService attributes to their
@@ -55,6 +58,10 @@ class DirectoryService < Puppet::Provider::NameService
         'UniqueID' => :uid,
         'RealName' => :comment,
         'Password' => :password,
+        'GeneratedUID' => :guid,
+        'IPAddress'    => :ip_address,
+        'ENetAddress'  => :en_address,
+        'GroupMembership' => :members,
     }
     # JJM The same table as above, inverted.
     @@ns_to_ds_attribute_map = {
@@ -65,16 +72,19 @@ class DirectoryService < Puppet::Provider::NameService
         :uid => 'UniqueID',
         :comment => 'RealName',
         :password => 'Password',
+        :guid => 'GeneratedUID',
+        :en_address => 'ENetAddress',
+        :ip_address => 'IPAddress',
+        :members => 'GroupMembership',
     }
     
+    @@password_hash_dir = "/var/db/shadow/hash"
+    
     def self.instances
         # JJM Class method that provides an array of instance objects of this
         #     type.
-        
         # JJM: Properties are dependent on the Puppet::Type we're managine.
         type_property_array = [:name] + @resource_type.validproperties
-        # JJM: No sense reporting the password.  It's hashed.
-        type_property_array.delete(:password) if type_property_array.include? :password
         
         # Create a new instance of this Puppet::Type for each object present
         #    on the system.
@@ -119,7 +129,7 @@ class DirectoryService < Puppet::Provider::NameService
         
         all_present_str_array = list_all_present()
         
-        # JJM: Return nil if the named object isn't present.
+        # NBK: shortcut the process if the resource is missing
         return nil unless all_present_str_array.include? resource_name
         
         dscl_vector = get_exec_preamble("-read", resource_name)
@@ -132,44 +142,37 @@ class DirectoryService < Puppet::Provider::NameService
         # JJM: We need a new hash to return back to our caller.
         attribute_hash = Hash.new
         
-        # JJM: First, the output string goes into an array.
-        #      Then, the each array element is split
-        #      If you want to figure out what this is doing, I suggest
-        #      ruby-debug, and stepping through it.
-        dscl_output.split("\n").each do |line|
-            # JJM: Split the attribute name and the list of values.
-            ds_attribute, ds_values_string = line.split(':')
-
-            # Split sets the values to nil if there's nothing after the :
-            ds_values_string ||= ""
-            
-            # JJM: skip this attribute line if the Puppet::Type doesn't care about it.
+        dscl_plist = Plist.parse_xml(dscl_output)
+        dscl_plist.keys().each do |key|
+            ds_attribute = key.sub("dsAttrTypeStandard:", "")
             next unless (@@ds_to_ns_attribute_map.keys.include?(ds_attribute) and type_properties.include? @@ds_to_ns_attribute_map[ds_attribute])
-
-            # JJM: We asked dscl to output url encoded values so we're able
-            #     to machine parse on whitespace.  We need to urldecode:
-            #     " Jeff%20McCune John%20Doe " => ["Jeff McCune", "John Doe"]
-            ds_value_array = ds_values_string.scan(/[^\s]+/).collect do |v|
-                url_decoded_value = CGI::unescape v
-                if url_decoded_value =~ /^[-0-9]+$/
-                    url_decoded_value.to_i
-                else                
-                    url_decoded_value
-                end
+            ds_value = dscl_plist[key]
+            case @@ds_to_ns_attribute_map[ds_attribute]
+                when :members: 
+                    ds_value = ds_value # only members uses arrays so far
+                when :gid, :uid:
+                    # OS X stores objects like uid/gid as strings.
+                    # Try casting to an integer for these cases to be
+                    # consistent with the other providers and the group type
+                    # validation
+                    begin
+                        ds_value = Integer(ds_value[0])
+                    rescue ArgumentError
+                        ds_value = ds_value[0]
+                    end
+                else ds_value = ds_value[0]
             end
-            
-            # JJM: Finally, we're able to build up our attribute hash.
-            #    Remember, the hash is keyed by NameService attribute names,
-            #    not DirectoryService attribute names.
-            # NOTE: We're also sort of cheating here...  DirectoryService
-            #   is robust enough to allow multiple values for almost every
-            #   attribute in the system.  Traditional NameService things
-            #   really don't handle this case, so we'll always pull thet first
-            #   value returned from DirectoryService.
-            #   THERE MAY BE AN ORDERING ISSUE HERE, but I think it's ok...
-            attribute_hash[@@ds_to_ns_attribute_map[ds_attribute]] = ds_value_array[0]
+            attribute_hash[@@ds_to_ns_attribute_map[ds_attribute]] = ds_value
+        end
+        
+        # NBK: need to read the existing password here as it's not actually
+        # stored in the user record. It is stored at a path that involves the
+        # UUID of the user record for non-Mobile local acccounts.    
+        # Mobile Accounts are out of scope for this provider for now
+        if @resource_type.validproperties.include?(:password)
+            attribute_hash[:password] = self.get_password(attribute_hash[:guid])
         end
-        return attribute_hash
+        return attribute_hash    
     end
     
     def self.get_exec_preamble(ds_action, resource_name = nil)
@@ -181,7 +184,7 @@ class DirectoryService < Puppet::Provider::NameService
         #     We EXPECT name to be @resource[:name] when called from an instance object.
 
         # There are two ways to specify paths in 10.5.  See man dscl.
-        command_vector = [ command(:dscl), "-url", "." ]
+        command_vector = [ command(:dscl), "-plist", "." ]
         # JJM: The actual action to perform.  See "man dscl"
         #      Common actiosn: -create, -delete, -merge, -append, -passwd
         command_vector << ds_action
@@ -196,6 +199,52 @@ class DirectoryService < Puppet::Provider::NameService
         #       e.g. 'dscl / -create /Users/mccune'
         return command_vector
     end
+    
+    def self.set_password(resource_name, guid, password_hash)
+        password_hash_file = "#{@@password_hash_dir}/#{guid}"
+        begin
+            File.open(password_hash_file, 'w') { |f| f.write(password_hash)}
+        rescue Errno::EACCES => detail
+            raise Puppet::Error, "Could not write to password hash file: #{detail}"
+        end
+        
+        # NBK: For shadow hashes, the user AuthenticationAuthority must contain a value of
+        # ";ShadowHash;". The LKDC in 10.5 makes this more interesting though as it
+        # will dynamically generate ;Kerberosv5;;username@LKDC:SHA1 attributes if
+        # missing. Thus we make sure we only set ;ShadowHash; if it is missing, and
+        # we can do this with the merge command. This allows people to continue to
+        # use other custom AuthenticationAuthority attributes without stomping on them.
+        #
+        # There is a potential problem here in that we're only doing this when setting
+        # the password, and the attribute could get modified at other times while the 
+        # hash doesn't change and so this doesn't get called at all... but
+        # without switching all the other attributes to merge instead of create I can't
+        # see a simple enough solution for this that doesn't modify the user record
+        # every single time. This should be a rather rare edge case. (famous last words)
+        
+        dscl_vector = self.get_exec_preamble("-merge", resource_name)
+        dscl_vector << "AuthenticationAuthority" << ";ShadowHash;"
+        begin
+            dscl_output = execute(dscl_vector)
+        rescue Puppet::ExecutionFailure => detail
+            raise Puppet::Error, "Could not set AuthenticationAuthority."
+        end
+    end
+    
+    def self.get_password(guid)
+        password_hash = nil
+        password_hash_file = "#{@@password_hash_dir}/#{guid}"
+        # TODO: sort out error conditions?
+        if File.exists?(password_hash_file)
+            if not File.readable?(password_hash_file)
+                raise Puppet::Error("Could not read password hash file at #{password_hash_file} for #{@resource[:name]}")
+            end
+            f = File.new(password_hash_file)
+            password_hash = f.read
+            f.close
+          end
+        password_hash
+    end
 
     def ensure=(ensure_value)
         super
@@ -206,7 +255,6 @@ class DirectoryService < Puppet::Provider::NameService
         if ensure_value == :present
             @resource.class.validproperties.each do |name|
                 next if name == :ensure
-
                 # LAK: We use property.sync here rather than directly calling
                 # the settor method because the properties might do some kind
                 # of conversion.  In particular, the user gid property might
@@ -223,79 +271,130 @@ class DirectoryService < Puppet::Provider::NameService
     end
     
     def password=(passphrase)
-        # JJM: Setting the password is a special case.  We don't just
-        #      set the attribute because we need to update the password
-        #      databases.
-        # FIRST, make sure the AuthenticationAuthority is ;ShadowHash;  If
-        #  we don't do this, we don't get a shadow hash account.  ("Obviously...")
-        dscl_vector = self.class.get_exec_preamble("-create", @resource[:name])
-        dscl_vector << "AuthenticationAuthority" << ";ShadowHash;"
-        begin
-            dscl_output = execute(dscl_vector)
-        rescue Puppet::ExecutionFailure => detail
-            raise Puppet::Error, "Could not set AuthenticationAuthority."
-        end        
-        
-        # JJM: Second, we need to actually set the password.  dscl does
-        #   some magic, creating the proper hash for us based on the
-        #   AuthenticationAuthority attribute, set above.
-        dscl_vector = self.class.get_exec_preamble("-passwd", @resource[:name])
-        dscl_vector << passphrase
-        # JJM: Should we not log the password string?  This may be a security
-        #      risk...
-        begin
-            dscl_output = execute(dscl_vector)
-        rescue Puppet::ExecutionFailure => detail
-            raise Puppet::Error, "Could not set password using command vector: %{dscl_vector.inspect}"
-        end
+      exec_arg_vector = self.class.get_exec_preamble("-read", @resource.name)
+      exec_arg_vector << @@ns_to_ds_attribute_map[:guid]
+      begin
+          guid_output = execute(exec_arg_vector)
+          guid_plist = Plist.parse_xml(guid_output)
+          # Although GeneratedUID like all DirectoryService values can be multi-valued
+          # according to the schema, in practice user accounts cannot have multiple UUIDs
+          # otherwise Bad Things Happen, so we just deal with the first value.
+          guid = guid_plist["dsAttrTypeStandard:#{@@ns_to_ds_attribute_map[:guid]}"][0]
+          self.class.set_password(@resource.name, guid, passphrase)
+      rescue Puppet::ExecutionFailure => detail
+          raise Puppet::Error, "Could not set %s on %s[%s]: %s" % [param, @resource.class.name, @resource.name, detail]
+      end
     end
     
-    # JJM: nameservice.rb defines methods for each attribute of the type.
-    #   We implement these methods here, by implementing get() and set()
-    #   See the resource_type= method defined in nameservice.rb
-    #   I'm not sure what the implications are of doing things this way.
-    #   It was a bit difficult to sort out what was happening in my head,
-    #   but ruby-debug makes this process much more transparent.
-    #
-    def set(property, value)
-        # JJM: As it turns out, the set method defined in our parent class
-        #   is fine.  It just calls the modifycmd() method, which
-        #   I'll implement here.
-        super
-    end
+    # NBK: we override @parent.set as we need to execute a series of commands
+    # to deal with array values, rather than the single command nameservice.rb
+    # expects to be returned by modifycmd. Thus we don't bother defining modifycmd.
     
-    def get(param)
-        hash = getinfo(false)
-        if hash
-            return hash[param]
+    def set(param, value)
+        self.class.validate(param, value)
+        current_members = @property_value_cache_hash[:members]
+        if param == :members
+            # If we are meant to be authoritative for the group membership
+            # then remove all existing members who haven't been specified
+            # in the manifest.
+            if @resource[:auth_membership] and not current_members.nil?
+                remove_unwanted_members(current_members, value)
+             end
+             
+             # if they're not a member, make them one.
+             add_members(current_members, value)
         else
-            return :absent
+            exec_arg_vector = self.class.get_exec_preamble("-create", @resource[:name])
+            # JJM: The following line just maps the NS name to the DS name
+            #      e.g. { :uid => 'UniqueID' }
+            exec_arg_vector << @@ns_to_ds_attribute_map[symbolize(param)]
+            # JJM: The following line sends the actual value to set the property to
+            exec_arg_vector << value.to_s
+            begin
+                execute(exec_arg_vector)
+            rescue Puppet::ExecutionFailure => detail
+                raise Puppet::Error, "Could not set %s on %s[%s]: %s" % [param, @resource.class.name, @resource.name, detail]
+            end
         end
     end
     
-    def modifycmd(property, value)
-        # JJM: This method will assemble a exec vector which modifies
-        #    a single property and it's value using dscl.
-        # JJM: With /usr/bin/dscl, the -create option will destroy an
-        #      existing property record if it exists
+    # NBK: we override @parent.create as we need to execute a series of commands
+    # to create objects with dscl, rather than the single command nameservice.rb
+    # expects to be returned by addcmd. Thus we don't bother defining addcmd.
+    def create
+       if exists?
+            info "already exists"
+            # The object already exists
+            return nil
+        end
+        
+        # NBK: First we create the object with a known guid so we can set the contents
+        # of the password hash if required
+        # Shelling out sucks, but for a single use case it doesn't seem worth
+        # requiring people install a UUID library that doesn't come with the system.
+        # This should be revisited if Puppet starts managing UUIDs for other platform
+        # user records.
+        guid = %x{/usr/bin/uuidgen}.chomp
+        
         exec_arg_vector = self.class.get_exec_preamble("-create", @resource[:name])
-        # JJM: The following line just maps the NS name to the DS name
-        #      e.g. { :uid => 'UniqueID' }
-        exec_arg_vector << @@ns_to_ds_attribute_map[symbolize(property)]
-        # JJM: The following line sends the actual value to set the property to
-        exec_arg_vector << value.to_s
-        return exec_arg_vector
+        exec_arg_vector << @@ns_to_ds_attribute_map[:guid] << guid
+        begin
+          execute(exec_arg_vector)
+        rescue Puppet::ExecutionFailure => detail
+            raise Puppet::Error, "Could not set GeneratedUID for %s %s: %s" %
+                [@resource.class.name, @resource.name, detail]
+        end
+        
+        if value = @resource.should(:password) and value != ""
+          self.class.set_password(@resource[:name], guid, value)
+        end
+        
+        # Now we create all the standard properties
+        Puppet::Type.type(@resource.class.name).validproperties.each do |property|
+            next if property == :ensure
+            if value = @resource.should(property) and value != ""
+                if property == :members
+                    add_members(nil, value)
+                else
+                    exec_arg_vector = self.class.get_exec_preamble("-create", @resource[:name])
+                    exec_arg_vector << @@ns_to_ds_attribute_map[symbolize(property)]
+                    next if property == :password  # skip setting the password here
+                    exec_arg_vector << value.to_s
+                    begin
+                      execute(exec_arg_vector)
+                    rescue Puppet::ExecutionFailure => detail
+                        raise Puppet::Error, "Could not create %s %s: %s" %
+                            [@resource.class.name, @resource.name, detail]
+                    end
+                end
+            end
+        end
     end
     
-    def addcmd
-        # JJM 2007-07-24: 
-        #    - addcmd returns an array to be executed to create a new object.
-        #    - This method is probably being called from the
-        #      ensure= method in nameservice.rb, or here...
-        #    - This should only be called if the object doesn't exist.
-        # JJM: Blame nameservice.rb for the terse method name. =)
-        #
-        self.class.get_exec_preamble("-create", @resource[:name])
+    def remove_unwanted_members(current_members, new_members)
+        current_members.each do |member|
+            if not value.include?(member)
+                cmd = [:dseditgroup, "-o", "edit", "-n", ".", "-d", member, @resource[:name]]
+                begin
+                     execute(cmd)
+                rescue Puppet::ExecutionFailure => detail
+                     raise Puppet::Error, "Could not set %s on %s[%s]: %s" % [param, @resource.class.name, @resource.name, detail]
+                end
+             end
+         end
+    end
+    
+    def add_members(current_members, new_members)
+        new_members.each do |user|
+           if current_members.nil? or not current_members.include?(user)
+               cmd = [:dseditgroup, "-o", "edit", "-n", ".", "-a", user, @resource[:name]]
+               begin
+                    execute(cmd)
+               rescue Puppet::ExecutionFailure => detail
+                    raise Puppet::Error, "Could not set %s on %s[%s]: %s" % [param, @resource.class.name, @resource.name, detail]
+               end
+           end
+        end
     end
     
     def deletecmd
@@ -341,9 +440,13 @@ class DirectoryService < Puppet::Provider::NameService
             # list, then report on the remaining list. Pretty whacky, ehh?
             type_properties = [:name] + self.class.resource_type.validproperties
             type_properties.delete(:ensure) if type_properties.include? :ensure
+            type_properties << :guid  # append GeneratedUID so we just get the report here
             @property_value_cache_hash = self.class.single_report(@resource[:name], *type_properties)
+            [:uid, :gid].each do |param|
+                @property_value_cache_hash[param] = @property_value_cache_hash[param].to_i if @property_value_cache_hash and @property_value_cache_hash.include?(param)
+            end
         end
         return @property_value_cache_hash
     end
 end
-end
+end