so-user and salt-relay updates for user management

salt/common/tools/sbin/so-user

@@ -11,29 +11,106 @@ source $(dirname $0)/so-common
 
 DEFAULT_ROLE=analyst
 
-if [[ $# -lt 1 || $# -gt 3 ]]; then
-  echo "Usage: $0 <operation> [email] [role]"
-  echo ""
-  echo " where <operation> is one of the following:"
-  echo ""
-  echo "     list: Lists all user email addresses currently defined in the identity system"
-  echo "      add: Adds a new user to the identity system; requires 'email' parameter, while 'role' parameter is optional and defaults to $DEFAULT_ROLE"
-  echo "  addrole: Grants a role to an existing user; requires 'email' and 'role' parameters"
-  echo "  delrole: Removes a role from an existing user; requires 'email' and 'role' parameters"
-  echo "   update: Updates a user's password and disables MFA; requires 'email' parameter"
-  echo "   enable: Enables a user; requires 'email' parameter"
-  echo "  disable: Disables a user; requires 'email' parameter"
-  echo " validate: Validates that the given email address and password are acceptable; requires 'email' parameter"
-  echo " valemail: Validates that the given email address is acceptable; requires 'email' parameter"
-  echo "  valpass: Validates that a password is acceptable"
-  echo ""
-  echo " Note that the password can be piped into STDIN to avoid prompting for it"
+function usage() {
+  cat <<USAGE_EOF
+  Usage: $0 <operation> [supporting parameters]"
+  
+  where <operation> is one of the following:"
+  
+      list: Lists all user email addresses currently defined in the identity system"
+  
+       add: Adds a new user to the identity system"
+            Required parameters: "
+              --email <email>"
+            Optional parameters: "
+              --role <role>             (defaults to $DEFAULT_ROLE)"
+              --firstName <firstName>   (defaults to blank)"
+              --lastName <lastName>     (defaults to blank)"
+              --note <note>             (defaults to blank)"
+  
+   addrole: Grants a role to an existing user"
+            Required parameters: "
+              --email <email>"
+              --role <role>"
+  
+   delrole: Removes a role from an existing user"
+            Required parameters: "
+              --email <email>"
+              --role <role>"
+  
+  password: Updates a user's password and disables MFA"
+            Required parameters: "
+              --email <email>"
+  
+    profile: Updates a user's profile information"
+            Required parameters: "
+              --email <email>"
+            Optional parameters: "
+              --role <role>             (defaults to $DEFAULT_ROLE)"
+              --firstName <firstName>   (defaults to blank)"
+              --lastName <lastName>     (defaults to blank)"
+              --note <note>             (defaults to blank)"
+  
+    enable: Enables a user"
+            Required parameters: "
+              --email <email>"
+  
+   disable: Disables a user"
+            Required parameters: "
+              --email <email>"
+  
+  validate: Validates that the given email address and password are acceptable"
+            Required parameters: "
+              --email <email>"
+  
+  valemail: Validates that the given email address is acceptable; requires 'email' parameter"
+            Required parameters: "
+              --email <email>"
+  
+   valpass: Validates that a password is acceptable"
+  
+  Note that the password can be piped into STDIN to avoid prompting for it"
+USAGE_EOF
   exit 1
+}
+
+if [[ $# -lt 1 || $1 == --help || $1 == -h || $1 == -? || $1 == --h ]]; then
+  usage
 fi
 
 operation=$1
-email=$2
-role=$3
+shift
+
+while [[ $# -gt 0 ]]; do
+  param=$1
+  shift
+  case "$param" in
+    --email)
+      email=$1
+      shift
+      ;;
+    --role)
+      role=$1
+      shift
+      ;;
+    --firstName)
+      firstName=$1
+      shift
+      ;;
+    --lastName) 
+      lastName=$1
+      shift
+      ;;
+    --note) 
+      note=$1
+      shift
+      ;;
+    *) 
+      echo "Encountered unexpected parameter: $param"
+      usage
+      ;;
+  esac
+done
 
 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434/admin}
 databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite}
@@ -369,11 +446,19 @@ function adjustUserRole() {
 function createUser() {
   email=$1
   role=$2
+  firstName=$3
+  lastName=$4
+  note=$5
 
   now=$(date -u +%FT%TZ)
   addUserJson=$(cat <<EOF
 {
-  "traits": {"email":"${email}"},
+  "traits": {
+    "email": "${email}",
+    "firstName": "${firstName}",
+    "lastName": "${lastName}",
+    "note": "${note}"
+  },
   "schema_id": "default"
 }
 EOF
@@ -432,7 +517,7 @@ function updateStatus() {
   [[ $? != 0 ]] && fail "Unable to update user"
 }
 
-function updateUser() {
+function updateUserPassword() {
   email=$1
 
   identityId=$(findIdByEmail "$email")
@@ -441,6 +526,25 @@ function updateUser() {
   updatePassword "$identityId"
 }
 
+function updateUserProfile() {
+  email=$1
+
+  identityId=$(findIdByEmail "$email")
+  [[ ${identityId} == "" ]] && fail "User not found"
+
+  response=$(curl -Ss -L "${kratosUrl}/identities/$identityId")
+  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
+
+  schemaId=$(echo "$response" | jq -r .schema_id)
+  state=$(echo "$response" | jq -r .state)
+  
+  traitBlock="{\"email\":\"$email\",\"firstName\":\"$firstName\",\"lastName\":\"$lastName\",\"note\":\"$note\"}"
+
+  body="{ \"schema_id\": \"$schemaId\", \"state\": \"$state\", \"traits\": $traitBlock }"
+  response=$(curl -fSsL -XPUT -H "Content-Type: application/json" "${kratosUrl}/identities/$identityId" -d "$body")
+  [[ $? != 0 ]] && fail "Unable to update user"
+}
+
 function deleteUser() {
   email=$1
 
@@ -464,7 +568,7 @@ case "${operation}" in
     lock
     validateEmail "$email"
     updatePassword
-    createUser "$email" "${role:-$DEFAULT_ROLE}"
+    createUser "$email" "${role:-$DEFAULT_ROLE}" "${firstName}" "${lastName}" "${note}"
     syncAll
     echo "Successfully added new user to SOC"
     check_container fleet && echo "$password" | so-fleet-user-add "$email"
@@ -500,14 +604,23 @@ case "${operation}" in
     echo "Successfully removed role from user"
     ;;
 
-  "update")
+  "password")
     verifyEnvironment
     [[ "$email" == "" ]] && fail "Email address must be provided"
 
     lock
-    updateUser "$email"
+    updateUserPassword "$email"
     syncAll
-    echo "Successfully updated user"
+    echo "Successfully updated user password"
+    ;;
+
+  "profile")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    lock
+    updateUserProfile "$email"
+    echo "Successfully updated user profile"
     ;;
 
   "enable")
@@ -571,6 +684,7 @@ case "${operation}" in
 
   *)
     fail "Unsupported operation: $operation"
+    usage
     ;;
 esac
 

salt/common/tools/sbin/so-user-add

@@ -1,2 +1,2 @@
 #!/bin/bash
-so-user add $*
+so-user add --email $1

salt/common/tools/sbin/so-user-disable

@@ -1,2 +1,2 @@
 #!/bin/bash
-so-user disable $*
+so-user disable --email $1

salt/common/tools/sbin/so-user-enable

@@ -1,2 +1,2 @@
 #!/bin/bash
-so-user enable $*
+so-user enable --email $1