Merge pull request #5756 from victormlg/useringroup

ENT-12721: Added a new policy function useringroup

Author: olehermanse

examples/useringroup.cf

@@ -0,0 +1,23 @@
+#+begin_src cfengine3
+body common control 
+{
+    bundlesequence => { "example" };
+}
+bundle agent example
+{
+    classes:
+        "root_in_root" expression => useringroup("root", "root");
+
+    reports:
+        root_in_root::
+            "root is indeed in the root group";
+        !root_in_root::
+            "something went wrong";
+}
+#+end_src
+#############################################################################
+#+begin_src example_output
+#@ ```
+#@ R: root is indeed in the root group
+#@ ```
+#+end_src

libpromises/cf3.defs.h

@@ -73,6 +73,11 @@
 #define SECONDS_PER_WEEK (7 * SECONDS_PER_DAY)
 #define SECONDS_PER_YEAR (365 * SECONDS_PER_DAY)
 
+/* Max size of the 'passwd' string in the getpwuid_r() function,
+ * man:getpwuid_r(3) says that this value "Should be more than enough". */
+#define GETPW_R_SIZE_MAX 16384
+#define GETGR_R_SIZE_MAX 16384  /* same for group name */
+
 /* Long-term monitoring constants */
 
 #define HOURS_PER_SHIFT 6

libpromises/evalfunction.c

@@ -1367,6 +1367,75 @@ static FnCallResult FnCallGetGid(ARG_UNUSED EvalContext *ctx, ARG_UNUSED const P
 #endif
 }
 
+/*********************************************************************/ 
+
+static FnCallResult no_entry(int ret, const FnCall *fp, const char *group_name, bool is_user_db)
+{
+    assert(fp != NULL);
+
+    const char *entry_type = is_user_db ? "user" : "group";
+    const char *db_type = is_user_db ? "passwd" : "group";
+    if (ret == 0 || ret == ENOENT || ret == ESRCH || ret == EBADF || ret == EPERM)
+    {
+        Log(LOG_LEVEL_DEBUG, "Couldn't find %s '%s' in %s database", entry_type, group_name, db_type);
+        return FnReturnContext(false);
+    }
+    const char *const error_msg = GetErrorStrFromCode(ret);
+    Log(LOG_LEVEL_ERR, "Couldn't open %s database in function '%s': %s", db_type, fp->name, error_msg);
+    return FnFailure();
+}
+
+static FnCallResult FnCallUserInGroup(ARG_UNUSED EvalContext *ctx, ARG_UNUSED const Policy *policy, const FnCall *fp, const Rlist *finalargs)
+{
+    assert(fp != NULL);
+    assert(finalargs != NULL);
+#ifdef _WIN32
+    Log(LOG_LEVEL_ERR, "Function '%s' is POSIX specific", fp->name);
+    return FnFailure();  
+#else
+
+    const char *user_name = RlistScalarValue(finalargs);
+    const char *group_name = RlistScalarValue(finalargs->next);
+    assert(group_name != NULL); // Guaranteed by parser
+
+    int ret;
+
+    // Check secondary group. This is what we expect the user to check for, thus it comes first.
+    struct group grp;
+    struct group *grent;
+    char gr_buf[GETGR_R_SIZE_MAX] = {0};
+    ret = getgrnam_r(group_name, &grp, gr_buf, GETGR_R_SIZE_MAX, &grent);
+    
+    if (grent == NULL)
+    {
+        // Group does not exist at all, so cannot be
+        // primary or secondary group of user
+        return no_entry(ret, fp, group_name, false);
+    }
+    while (grent->gr_mem[0] != NULL)
+    {
+        if (StringEqual(grent->gr_mem[0], user_name))
+        {
+            return FnReturnContext(true);
+        }
+        grent->gr_mem++;
+    }
+
+    // Check primary group
+    struct passwd pwd;
+    struct passwd *pwent;
+    char pw_buf[GETPW_R_SIZE_MAX] = {0};
+    ret = getpwnam_r(user_name, &pwd, pw_buf, GETPW_R_SIZE_MAX, &pwent);
+
+    if (pwent == NULL)
+    {
+        return no_entry(ret, fp, user_name, true);
+    }
+    return FnReturnContext(grent->gr_gid == pwent->pw_gid);
+    
+#endif
+}
+
 /*********************************************************************/
 
 static FnCallResult FnCallHandlerHash(ARG_UNUSED EvalContext *ctx, ARG_UNUSED const Policy *policy, ARG_UNUSED const FnCall *fp, const Rlist *finalargs)
@@ -9885,6 +9954,13 @@ static const FnCallArg GETUID_ARGS[] =
     {NULL, CF_DATA_TYPE_NONE, NULL}
 };
 
+static const FnCallArg USERINGROUP_ARGS[] =
+{
+    {CF_ANYSTRING, CF_DATA_TYPE_STRING, "User name"},
+    {CF_ANYSTRING, CF_DATA_TYPE_STRING, "Group name"},
+    {NULL, CF_DATA_TYPE_NONE, NULL}
+};
+
 static const FnCallArg GETUSERINFO_ARGS[] =
 {
     {CF_ANYSTRING, CF_DATA_TYPE_STRING, "User name in text"},
@@ -10936,7 +11012,9 @@ const FnCallType CF_FNCALL_TYPES[] =
     FnCallTypeNew("randomint", CF_DATA_TYPE_INT, RANDOMINT_ARGS, &FnCallRandomInt, "Generate a random integer between the given limits, excluding the upper",
                   FNCALL_OPTION_NONE, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
     FnCallTypeNew("hash_to_int", CF_DATA_TYPE_INT, HASH_TO_INT_ARGS, &FnCallHashToInt, "Generate an integer in given range based on string hash",
-              FNCALL_OPTION_NONE, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
+                  FNCALL_OPTION_NONE, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
+    FnCallTypeNew("useringroup", CF_DATA_TYPE_CONTEXT, USERINGROUP_ARGS, &FnCallUserInGroup, "Checks whether a user is in a group",
+                  FNCALL_OPTION_NONE, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
 
     FnCallTypeNew("string", CF_DATA_TYPE_STRING, STRING_ARGS, &FnCallString, "Convert argument to string",
                   FNCALL_OPTION_NONE, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),

libpromises/unix.c

@@ -33,10 +33,6 @@
 
 #ifndef __MINGW32__
 
-/* Max size of the 'passwd' string in the getpwuid_r() function,
- * man:getpwuid_r(3) says that this value "Should be more than enough". */
-#define GETPW_R_SIZE_MAX 16384
-#define GETGR_R_SIZE_MAX 16384  /* same for group name */
 
 static bool IsProcessRunning(pid_t pid);