From 322c2804fc51dceb550e4d731ed728bcc04ac459 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 23 Jun 2021 12:39:48 -0400
Subject: [PATCH] add support for managing users that can ssh to a node via key

---
 pillar/users/init.sls | 2 +
 pillar/users/pillar.example | 19 ++++
 pillar/users/pillar.usage | 20 ++++
 salt/users/init.sls | 117 ++++++++++++++++++++++++++++++++++++
 4 files changed, 158 insertions(+)
 create mode 100644 pillar/users/init.sls
 create mode 100644 pillar/users/pillar.example
 create mode 100644 pillar/users/pillar.usage
 create mode 100644 salt/users/init.sls

diff --git a/pillar/users/init.sls b/pillar/users/init.sls
new file mode 100644
index 000000000..857929025
--- /dev/null
+++ b/pillar/users/init.sls
@@ -0,0 +1,2 @@
+# users pillar goes here
+users:
diff --git a/pillar/users/pillar.example b/pillar/users/pillar.example
new file mode 100644
index 000000000..836a8615f
--- /dev/null
+++ b/pillar/users/pillar.example
@@ -0,0 +1,19 @@
+users:
+ sclapton:
+ # required fields
+ status: present
+ # node_access determines which node types the user can access.
+ # this can either be by grains.role or by final part of the minion id after the _
+ node_access:
+ - standalone
+ - searchnode
+ # optional fields
+ - fullname: Stevie Claptoon
+ - uid: 1001
+ - gid: 1001
+ - homephone: does not have a phone
+ groups:
+ - mygroup1
+ - mygroup2
+ - wheel # give sudo access
+
diff --git a/pillar/users/pillar.usage b/pillar/users/pillar.usage
new file mode 100644
index 000000000..a870a1866
--- /dev/null
+++ b/pillar/users/pillar.usage
@@ -0,0 +1,20 @@
+users:
+ sclapton:
+ # required fields
+ status:
+ # node_access determines which node types the user can access.
+ # this can either be by grains.role or by final part of the minion id after the _
+ node_access:
+ - standalone
+ - searchnode
+ # optional fields
+ - fullname:
+ - uid:
+ - gid:
+ - roomnumber:
+ - workphone:
+ - homephone:
+ groups:
+ -
+ -
+ - wheel # give sudo access
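Review bot: In pillar.example the optional fields are written as sequence items (`- fullname: Stevie Claptoon`, `- uid: 1001`, `- gid: 1001`, `- homephone: ...`) directly after the `- standalone` / `- searchnode` entries, so if they share that indentation YAML parses them as further members of the `node_access` list rather than as keys of `sclapton`, and the `'fullname' in userdeets` / `'uid' in userdeets` checks in salt/users/init.sls never match; indentation is not preserved in this view, so please confirm against the file. If that is the layout, the optional fields should be plain mapping keys aligned with `status:`, e.g. `fullname: Stevie Claptoon` and `uid: 1001`. pillar.usage has the same shape (`- fullname:` through `- homephone:`) and needs the same change. The `# give sudo access` comment on `wheel` is only true because salt/users/init.sls rewrites /etc/sudoers to give wheel `NOPASSWD: ALL`; the example should say that listing `wheel` grants passwordless root to anyone holding that user's SSH key.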
diff --git a/salt/users/init.sls b/salt/users/init.sls
new file mode 100644
index 000000000..2f6f44c03
--- /dev/null
+++ b/salt/users/init.sls
@@ -0,0 +1,117 @@
+# The creation of a user will require a pub key placed in /opt/so/saltstack/local/salt/users/authorized_keys/
+
+# If a user is changed from present to absent, their usergroup will be removed, but any additional usergroups that were created
+# for that user will remain.
+
+{% for username, userdeets in pillar.get('users', {}).items() %}
+ {% if 'status' in userdeets %}
+ {% if userdeets.status == 'absent' %}
+
+remove_user_{{username}}:
+ user.absent:
+ - name: {{ username }}
+ {% if 'purge' in userdeets %}
+ - purge: {{ userdeets.purge }}
+ {% endif %}
+ - force: True
+
+ {% elif userdeets.status == 'present' %}
+
+ {% if 'node_access' in userdeets %}
+ {% if grains.role in userdeets.node_access or grains.id.split('_')|last in userdeets.node_access %}
+
+{% for group in userdeets.get('groups', []) %}
+add_user_groups_{{username}}_{{group}}:
+ group.present:
+ - name: {{ group }}
+ {% if group == 'sudo' %}
+ - system: True
+ {% endif %}
+{% endfor %}
+
+add_user_{{username}}:
+ user.present:
+ - name: {{ username }}
+ - home: {{ userdeets.get('home', "/home/%s" % username) }}
+ - shell: {{ userdeets.get('shell', '/bin/bash') }}
+ - usergroup: True
+
+ {% if 'fullname' in userdeets %}
+ - fullname: {{ userdeets.fullname }}
+ {% endif %}
+
+ {% if 'uid' in userdeets %}
+ - uid: {{ userdeets.uid }}
+ {% endif %}
+
+ {% if 'gid' in userdeets %}
+ - gid: {{ userdeets.gid }}
+ {% endif %}
+
+ {% if 'roomnumber' in userdeets %}
+ - roomnumber: {{ userdeets.roomnumber }}
+ {% endif %}
+
+ {% if 'workphone' in userdeets %}
+ - workphone: {{ userdeets.workphone }}
+ {% endif %}
+
+ {% if 'homephone' in userdeets %}
+ - homephone: {{ userdeets.homephone }}
+ {% endif %}
+
+ {% if 'groups' in userdeets %}
+ - groups:
+ {% for group in userdeets.groups %}
+ - {{ group }}
+ {% endfor %}
+ - require:
+ {% for group in userdeets.groups %}
+ - group: {{ group }}
+ {% endfor %}
+ {% endif %}
+
+{{username}}_authorized_keys:
+ file.managed:
+ - name: /home/{{username}}/.ssh/authorized_keys
+ - source: salt://users/authorized_keys/{{username}}
+ - user: {{username}}
+ - group: {{username}}
+ - mode: 644
+ - show_diff: False
+ - makedirs: True
+ - require:
+ - user: add_user_{{username}}
+ {% for group in userdeets.get('groups', []) %}
+ - group: {{ group }}
+ {% endfor %}
+
+ {% endif %}
+ {% endif %}
+
+ {% else %}
+
+unknown_status_or_password_not_provided_for_user_{{username}}:
+ test.fail_without_changes:
+ - comment: "Verify status is 'present' or 'absent' and a password is provided for {{username}} in the users pillar."
+
+ {% endif %}
+
+ {% else %}
+
+status_not_provided_for_user_{{username}}:
+ test.fail_without_changes:
+ - comment: "Status should be 'present' or 'absent'."
+
+ {% endif %}
+{% endfor %}
+
+disable_wheel_pwd_required:
+ file.comment:
+ - name: /etc/sudoers
+ - regex: "%wheel\\s+ALL=\\(ALL\\)\\s+ALL"
+
+allow_wheel_no_pwd:
+ file.uncomment:
+ - name: /etc/sudoers
+ - regex: "%wheel\\s+ALL=\\(ALL\\)\\s+NOPASSWD: ALL"
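Review bot: `{{username}}_authorized_keys` hardcodes `- name: /home/{{username}}/.ssh/authorized_keys` while `add_user_{{username}}` honours an optional `home` key from the pillar, so a user created with a non-default home gets a key file that sshd never consults; use the same expression in both places, `- name: {{ userdeets.get('home', "/home/%s" % username) }}/.ssh/authorized_keys`. The loop header `pillar.get('users', {}).items()` also fails to render when the `users:` key exists but is empty, as in the new pillar/users/init.sls, because `pillar.get` then returns None rather than the default; `{% for username, userdeets in (pillar.get('users') or {}).items() %}` handles both cases. `disable_wheel_pwd_required` and `allow_wheel_no_pwd` sit outside the user loop, so every minion this state targets gets passwordless sudo for the entire wheel group even when no pillar user lists `wheel`, and in-place `file.comment`/`file.uncomment` edits of /etc/sudoers are not syntax-checked before taking effect — consider gating them on a user that has `wheel` in `groups`, or managing a drop-in under /etc/sudoers.d with `file.managed` and `check_cmd: visudo -cf`. The key file is written with `mode: 644` and `makedirs: True` but no `dir_mode`, so `~/.ssh` receives whatever directory mode Salt derives from the file mode; `mode: 600` plus `dir_mode: 700` is the conventional hardening and makes the intent explicit. Lastly, the comment on `unknown_status_or_password_not_provided_for_user_{{username}}` refers to a password that nothing in this state checks; `- comment: "Verify status is 'present' or 'absent' for {{username}} in the users pillar."` describes what actually failed.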