[Bug 404183] Add user purge option to uamlite

purge_expired_users option was added to uamlite chart to allow purging of old
user accounts and the data in their home directories.

Addressed a corner case where the user could lose system access by specifying
ssh key(s) only for the built-in account.

Change-Id: Iccfc914eea219521a290c2b5949ccc2d40d8dbb6

divingbell/templates/bin/_uamlite.sh.tpl

@@ -95,12 +95,20 @@ add_sshkeys(){
         (rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
       log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
     fi
-    custom_sshkeys_present=true
+
+    # In the event that the user specifies ssh keys for the built-in account and
+    # no others, do not expire the built-in account
+    if [ "${user_name}" != "${builtin_acct}" ]; then
+      expire_builtin_acct=true
+    fi
   fi
 
 }
 
 {{- if hasKey .Values.conf "uamlite" }}
+{{- if hasKey .Values.conf.uamlite "purge_expired_users" }}
+purge_expired_users={{ .Values.conf.uamlite.purge_expired_users | quote }}
+{{- end }}
 {{- if hasKey .Values.conf.uamlite "users" }}
 {{- range $item := .Values.conf.uamlite.users }}
   {{- range $key, $value := . }}
@@ -126,8 +134,14 @@ if [ -n "$(getent passwd | grep ${keyword} | cut -d':' -f1)" ]; then
   IFS=$'\n'
   for user in ${revert_list}; do
     # We expire rather than delete the user to maintain local UID FS consistency
-    usermod --expiredate 1 ${user}
+    # unless purge is explicity requested (remove user and user home dir).
-    log.INFO "User '${user}' has been disabled (expired)"
+    if [ "${purge_expired_users}" = "true" ]; then
+      deluser ${user} --remove-home
+      log.INFO "User '${user}' and home directory have been purged."
+    else
+      usermod --expiredate 1 ${user}
+      log.INFO "User '${user}' has been disabled (expired)"
+    fi
   done
   unset IFS
 fi
@@ -149,7 +163,7 @@ fi
 if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
   # Disable built-in account as long as there was at least one account defined
   # in this chart with a ssh key present
-  if [ "${custom_sshkeys_present}" = "true" ]; then
+  if [ "${expire_builtin_acct}" = "true" ]; then
     if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
           tr -d '[:space:]')" = "never" ]; then
       usermod --expiredate 1 ${builtin_acct}

divingbell/tools/gate/test.sh

@@ -511,11 +511,24 @@ _test_user_enabled(){
     test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
             tr -d '[:space:]')" = "never"
   else
-    # If the user exists, verify it's not non-expiring
+    # Verify user is not non-expiring
-    if [ -n "$(getent passwd $username)" ]; then
+    getent passwd $username >& /dev/null
-      test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
+    test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
-              tr -d '[:space:]')" != "never"
+            tr -d '[:space:]')" != "never"
-    fi
+  fi
+}
+
+_test_user_purged(){
+  username=$1
+
+  # Verify user is no longer defined
+  getent passwd $username >& /dev/null && \
+    echo "Error: User '$username' exists, but was expected it to be purged" && \
+    return 1
+
+  if [ -d /home/$username ]; then
+    echo "Error: User '$username' home dir exists; expected it to be purged"
+    return 1
   fi
 }
 
@@ -631,6 +644,19 @@ test_uamlite(){
   _test_user_enabled ${USERNAME4} false
   _test_sudo_enabled ${USERNAME4} false
   echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
+
+  # Test purge users flag
+  overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set3.yaml
+  echo "conf:
+  uamlite:
+    purge_expired_users: true" > "${overrides_yaml}"
+  install_base "--values=${overrides_yaml}"
+  get_container_status uamlite
+  _test_user_purged ${USERNAME1}
+  _test_user_purged ${USERNAME2}
+  _test_user_purged ${USERNAME3}
+  _test_user_purged ${USERNAME4}
+  echo '[SUCCESS] uamlite test4 passed successfully' >> "${TEST_RESULTS}"
 }
 
 # test daemonset value overrides for hosts and labels

docs/source/index.rst

@@ -120,6 +120,7 @@ access. Ex::
 
     conf:
       uamlite:
+        purge_expired_users: false
         users:
         - user_name: testuser
           user_sudo: True
@@ -127,6 +128,15 @@ access. Ex::
           - ssh-rsa AAAAB3N... key1-comment
           - ssh-rsa AAAAVY6... key2-comment
 
+An update to the chart with revmoed users will result in those user's accounts
+being expired, preventing those users any access through those accounts. This
+does not delete their home directory or any other files, and provides UID
+consistency in the event the same account gets re-added later, and they regain
+access to their files again.
+
+However, if it is desired to purge expired and removed accounts and their home
+directories, this may be done by the ``purge_expired_users`` option to ``true``.
+
 Node specific configurations
 ----------------------------