Update nodejs, sudo and users cookbooks

cookbooks/users/CHANGELOG.md

@@ -2,6 +2,29 @@
 
 This file is used to list changes made in each version of the users cookbook.
 
+## 5.3.1 (2017-12-15)
+
+- Remove special case for freebsd in favor of later shell validity check
+
+## 5.3.0 (2017-12-07)
+
+- Add check if user shell exists
+- Verify the shell is allowed on AIX
+- Add AIX as a supported platform
+
+## 5.2.2 (2017-11-29)
+
+- Add home directory base for solaris
+
+## 5.2.1 (2017-10-31)
+
+- Make sure ssh_keys can be an array or a string by converting strings to an array if they're passed
+
+## 5.2.0 (2017-10-31)
+
+- Require Chef 12.7+ as 12.5 and 12.6 had bugs in their custom resource implementation
+- Allow fetching one or more ssh_keys from a url
+
 ## 5.1.0 (2017-05-30)
 
 - Keep ssh keys out of the chef logs

cookbooks/users/README.md

@@ -20,10 +20,11 @@ The following platforms have been tested with Test Kitchen:
 - openSUSE / SUSE Linux Enterprises
 - FreeBSD / OpenBSD
 - Mac OS X
+- AIX
 
 ### Chef
 
-- Chef 12.5+
+- Chef 12.7+
 
 ### Cookbooks
 
@@ -98,7 +99,7 @@ A sample user to remove from a system would like like:
 
 - `id`: _String_ specifies the username, as well as the data bag object id.
 - `password`: _String_ specifies the user's password.
-- `ssh_keys`: _Array_ an array of authorized keys that will be managed by Chef to the user's home directory in .ssh/authorized_keys
+- `ssh_keys`: _Array_ an array of authorized keys that will be managed by Chef to the user's home directory in `$HOME/.ssh/authorized_keys`. A key can include an `https` endpoint that returns a line seperated list of keys such as `https://github.com/$GITHUB_USERNAME.keys` this will retrieve all the keys and add it to the array and can be used with static keys as well as dynamic ones.
 - `groups`: _Array_ an array of groups that the user will be added to
 - `uid`: _Integer_ a unique identifier for the user
 - `shell`: _String_ the user's shell

cookbooks/users/libraries/helpers.rb

@@ -19,6 +19,41 @@ module Users
       fs_type(mount) == 'nfs' ? true : false
     end
 
+    def keys_from_url(url)
+      host = url.split('/')[0..2].join('/')
+      path = url.split('/')[3..-1].join('/')
+      begin
+        response = Chef::HTTP.new(host).get(path)
+        response.split("\n")
+      rescue Net::HTTPServerException => e
+        p "request: #{host}#{path}, error: #{e}"
+      end
+    end
+
+    # Determines if the user's shell is valid on the machine, otherwise
+    # returns the default of /bin/sh
+    #
+    # @return [String]
+    def shell_is_valid?(shell_path)
+      return false if shell_path.nil? || !File.exist?(shell_path)
+      # AIX is the only OS that has the concept of 'approved shells'
+      return true unless platform_family?('aix')
+
+      begin
+        File.open('/etc/security/login.cfg') do |f|
+          f.each_line do |l|
+            l.match(/^\s*shells\s*=\s*(.*)/) do |m|
+              return true if m[1].split(/\s*,\s*/).any? { |entry| entry.eql? shell_path }
+            end
+          end
+        end
+      rescue
+        return false
+      end
+
+      false
+    end
+
     # Validates passed id.
     #
     # @return [Numeric, String]
@@ -33,6 +68,8 @@ module Users
     def home_basedir
       if platform_family?('mac_os_x')
         '/Users'
+      elsif platform_family?('solaris2')
+        '/export/home'
       else
         '/home'
       end

cookbooks/users/resources/manage.rb

@@ -40,11 +40,6 @@ action :create do
       users_groups[g] << u['username']
     end
 
-    # Check if we need to prepend shell with /usr/local/?
-    if platform_family? 'freebsd'
-      u['shell'] = (!::File.exist?(u['shell']) && ::File.exist?("/usr/local#{u['shell']}") ? "/usr/local#{u['shell']}" : '/bin/sh')
-    end
-
     # Set home to location in data bag,
     # or a reasonable default ($home_basedir/$user).
     home_dir = (u['home'] ? u['home'] : "#{home_basedir}/#{u['username']}")
@@ -70,7 +65,7 @@ action :create do
     user u['username'] do
       uid validate_id(u['uid'])
       gid validate_id(u['gid']) if u['gid']
-      shell u['shell']
+      shell shell_is_valid?(u['shell']) ? u['shell'] : '/bin/sh'
       comment u['comment']
       password u['password'] if u['password']
       salt u['salt'] if u['salt']
@@ -91,6 +86,19 @@ action :create do
         only_if { !!(u['ssh_keys'] || u['ssh_private_key'] || u['ssh_public_key']) }
       end
 
+      # loop over the keys and if we have a URL we should add each key
+      # from the url response and append it to the list of keys
+      ssh_keys = []
+      if u['ssh_keys']
+        Array(u['ssh_keys']).each do |key|
+          if key.start_with?('https')
+            ssh_keys += keys_from_url(key)
+          else
+            ssh_keys << key
+          end
+        end
+      end
+
       template "#{home_dir}/.ssh/authorized_keys" do
         source 'authorized_keys.erb'
         cookbook new_resource.cookbook
@@ -98,7 +106,9 @@ action :create do
         group validate_id(u['gid']) if u['gid']
         mode '0600'
         sensitive true
-        variables ssh_keys: u['ssh_keys']
+        # ssh_keys should be a combination of u['ssh_keys'] and any keys
+        # returned from a specified URL
+        variables ssh_keys: ssh_keys
         only_if { !!(u['ssh_keys']) }
       end