From 62c3afc81dce857d385edebfa09835359358b7c9 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 6 Oct 2021 15:45:35 -0400
Subject: [PATCH] Migrate users from locked to inactive during soup
---
 salt/common/tools/sbin/so-user | 20 +++++++++++++++++++-
 salt/common/tools/sbin/soup | 3 +++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 5471cf932..7ef23ca9b 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -385,6 +385,19 @@ EOF
 fi
 }
+function migrateLockedUsers() {
+ # This is a migration function to convert locked users from prior to 2.3.90
+ # to inactive users using the newer Kratos functionality. This should only
+ # find locked users once.
+ lockedEmails=$(curl -s http://localhost:4434/identities | jq -r '.[] | select(.traits.status == "locked") | .traits.email')
+ if [[ -n "$lockedEmails" ]]; then
+ echo "Disabling locked users..."
+ for email in $lockedEmails; do
+ updateStatus "$email" locked
+ done
+ fi
+}
 function updateStatus() {
 email=$1
 status=$2
@@ -398,7 +411,7 @@ function updateStatus() {
 schemaId=$(echo "$response" | jq -r .schema_id)
 # Capture traits and remove obsolete 'status' trait if exists
- traitBlock=$(echo "$response" | jq -r .traits | grep -v "\"status\":")
+ traitBlock=$(echo "$response" | jq -c .traits | sed -re 's/,?"status":".*?"//')
 state="active"
 if [[ "$status" == "locked" ]]; then
@@ -545,6 +558,11 @@ case "${operation}" in
 echo "Password is acceptable"
 ;;
+ "migrate")
+ migrateLockedUsers
+ echo "User migration complete"
+ ;;
+
 *) fail "Unsupported operation: $operation" ;;
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index caea21866..98c641b6d 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
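Review bot: A failed request in `lockedEmails=$(curl -s http://localhost:4434/identities | jq -r ...)` yields an empty string, so when Kratos is unreachable migrateLockedUsers silently finds nothing to do and the `migrate` operation still reports success; a locked account would then stay in its pre-2.3.90 state without anyone being told. Fetch and check first, e.g. `identities=$(curl -fsS http://localhost:4434/identities) || fail "Unable to query Kratos identities"` using the `fail` helper this file already has, and feed `$identities` to jq. The unquoted `for email in $lockedEmails` also subjects the returned values to word splitting and globbing; `while IFS= read -r email; do updateStatus "$email" locked; done <<<"$lockedEmails"` processes exactly one identity per line.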
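Review bot: The new `sed -re 's/,?"status":".*?"//'` is greedy: in POSIX/GNU ERE a `?` after `*` does not make the quantifier lazy, so whenever `status` is not the last key of the compact traits object the match extends to the final `"` on the line and every trait after it (email included) is stripped from the body sent to Kratos. Since jq is already in the pipeline, remove the key structurally instead: `traitBlock=$(echo "$response" | jq -c '.traits | del(.status)')`, which is also immune to a status value containing an escaped quote. updateStatus begins and continues outside this hunk.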
@@ -1037,6 +1037,9 @@ main() {
 echo "Checking sudoers file."
 check_sudoers
+ echo "Checking for necessary user migrations."
+ so-user migrate
+
 if [[ -n $lsl_msg ]]; then
 case $lsl_msg in
 'distributed')
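Review bot: The exit status of `so-user migrate` is not checked; if main() runs without `set -e` a failed migration is passed over in silence and the upgrade proceeds with locked users still in the old state, and if it does run under `set -e` a Kratos hiccup aborts the whole soup at this point. Either outcome should be a deliberate choice, e.g. `so-user migrate || echo "WARNING: user migration failed; re-run 'so-user migrate' once Kratos is available." >&2` if the upgrade should continue. main() starts and ends outside this hunk, so I cannot confirm which error mode applies.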