Add new role: logon policy for ad user

Lists hosts where Active Directory users have been granted log on
permission.

README.md

@@ -51,6 +51,8 @@ The One Identity Safeguard Authentication Services Ansible Collection, referred
 
 * [`logon_policy_for_unix_host role`](roles/logon_policy_for_unix_host/README.md): Identifies the Active Directory users that have been explicitly granted log on permissions for the Unix hosts.
 
+* [`logon_policy_for_ad_user role`](roles/logon_policy_for_ad_user/README.md): Identifies the hosts where Active Directory users have been granted log on permission.
+
 ## Installation
 
 ### Prerequisites

examples/README.md

@@ -70,3 +70,7 @@ The [`ad_group_conflicts`](run_ad_group_conflicts.yml) role example shows use of
 
 The [`logon_policy_for_unix_host`](run_logon_policy_for_unix_host.yml) role example shows use of the `logon_policy_for_unix_host` role in an Ansbile playbook.  The variables most likely to be overriden have been included in this playbook for your convenience even though many are still set to their default values.
 
+## `logon_policy_for_ad_user` Role Example
+
+The [`logon_policy_for_ad_user`](run_logon_policy_for_ad_user.yml) role example shows use of the `logon_policy_for_ad_user` role in an Ansbile playbook.  The variables most likely to be overriden have been included in this playbook for your convenience even though many are still set to their default values.
+

examples/run_logon_policy_for_ad_user.yml

@@ -0,0 +1,21 @@
+---
+
+- hosts: all
+  gather_facts: false
+
+  # The variables you would most likely want/need to override have been included
+  vars:
+
+    # Report parameters
+    logon_policy_for_ad_user_user_name: ''
+
+    # Facts
+    logon_policy_for_ad_user_facts_generate: true
+
+    # Reports
+    logon_policy_for_ad_user_reports_generate: true
+    logon_policy_for_ad_user_reports_backup: false
+
+  roles:
+    - name: oneidentity.authentication_services.logon_policy_for_ad_user
+

plugins/filter/logon_policy_for_ad_user_filters.py

@@ -0,0 +1,104 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# ------------------------------------------------------------------------------
+# Copyright (c) 2022, One Identity LLC
+# File: logon_policy_for_ad_user_filters.py
+# Desc: Ansible filters for logon_policy_for_ad_user role
+# Auth: Laszlo Nagy
+# Note:
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Imports
+# ------------------------------------------------------------------------------
+
+# Future module imports for consistency across Python versions
+from __future__ import absolute_import, division, print_function
+
+# Want classes to be new type for consistency across Python versions
+__metaclass__ = type
+
+from ansible.errors import AnsibleFilterError
+
+
+# ------------------------------------------------------------------------------
+# Helper functions
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+def get_logon_policy_for_ad_user(logon_policy_for_unix_hosts):
+    """
+    Example of logon_policy_for_unix_hosts:
+    {
+        "192.168.56.101": [
+            [
+                "QASDEV\\eripley",
+                "VAS",
+                "1003",
+                "10001",
+                "Ellen Ripley",
+                "/home/eripley",
+                "/bin/bash"
+            ],
+            [
+                "QASDEV\\smartbela",
+                "VAS",
+                "1371126438",
+                "1000",
+                "Bela Smart",
+                "/home/smartbela",
+                "/bin/bash"
+            ]
+        ],
+        "192.168.56.103": [
+            [
+                "QASDEV\\eripley",
+                "VAS",
+                "1003",
+                "10001",
+                "Ellen Ripley",
+                "/home/eripley",
+                "/bin/bash"
+            ],
+            [
+                "QASDEV\\senior",
+                "VAS",
+                "1234567",
+                "1000",
+                "Senior",
+                "/home/Senior",
+                "/bin/bash"
+            ]
+        ]
+    }
+    """
+
+    users = {}
+    for host in logon_policy_for_unix_hosts:
+        users_allowed = logon_policy_for_unix_hosts[host]
+        for user in users_allowed:
+            if user[0] not in users:
+                users.update({user[0]: {'user': user, 'hosts': [host]} })
+            else:
+                users[user[0]]['hosts'].append(host)
+
+    return users
+
+
+# ------------------------------------------------------------------------------
+# Classes
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+class FilterModule(object):
+    """
+    logon_policy_for_ad_user role jinja2 filters
+    """
+
+    def filters(self):
+        filters = {
+            'logonpolicyforaduser': get_logon_policy_for_ad_user
+        }
+        return filters

plugins/modules/get_logon_policy_for_unix_host.py

@@ -34,6 +34,12 @@
     vastool list users-allowed command.
 
 options:
+    user_name:
+        description:
+            - Return only the specified user or all users?
+        type: str
+        required: false
+        default: ''
     facts:
         description:
             - Generate Ansible facts?
@@ -110,6 +116,7 @@
 # ------------------------------------------------------------------------------
 
 # Arg choices and defaults
+USER_NAME_DEFAULT = ''
 FACTS_DEFAULT = True
 FACTS_VERBOSE_DEFAULT = True
 FACTS_KEY_DEFAULT = 'get_logon_policy_for_unix_host_facts_key'
@@ -127,6 +134,11 @@ def run_module():
 
     # Module argument info
     module_args = {
+            'user_name': {
+                'type': 'str',
+                'required': False,
+                'default': USER_NAME_DEFAULT
+            },
             'facts': {
                 'type': 'bool',
                 'required': False,
@@ -178,6 +190,7 @@ def run_normal(params, result):
     users_allowed = []
 
     # Parameters
+    user_name = params['user_name'] if params['user_name'] else USER_NAME_DEFAULT
     facts = params['facts']
     facts_key = params['facts_key'] if params['facts_key'] else FACTS_KEY_DEFAULT
 
@@ -190,6 +203,9 @@ def run_normal(params, result):
         if err is None:
             err, users_allowed = run_vastool_list_users_allowed()
 
+        if user_name:
+            users_allowed = [user for user in users_allowed if user[0] == user_name]
+
     except Exception:
         tb = traceback.format_exc()
         err = str(tb)

roles/logon_policy_for_ad_user/README.md

@@ -0,0 +1,97 @@
+# `logon_policy_for_ad_user` Role
+
+The `logon_policy_for_ad_user` role creates CSV and HTML reports that list the hosts where Active Directory users have been granted log on permission.
+
+## Variables
+
+All of the variables shown below have a default value but can be overridden to suit your environment.  Variable overriding can be done in playbooks, inventories, from the command line using the `-e` switch with the `ansible-playbook` command, or from Ansible Tower and AWX.  See [Ansbile documentation](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html) for further information.
+
+### Report parameters
+
+* `logon_policy_for_ad_user_user_name`: An Active Directory user can be specified in the following format: DOMAIN\SamAccountName.  For example: EXAMPLE\jason.  Reports will be generated for the specified user.  If no user is specified then the reports will be generated for all Active Directory users who have been granted log on permission.
+
+    Default value is:
+    ```yaml
+    logon_policy_for_ad_user_user_name: ''
+    ```
+
+### Facts generation
+
+Facts generation variable defaults for all roles are set by variables in the [`common`](../common/README.md) role and can be overriden for all roles by setting the appropriate [`common`](../common/README.md) role variable.  See [common role facts generation variables](../common/README.md#facts-generation) in the [`common`](../common/README.md) role.
+
+* `logon_policy_for_ad_user_facts_generate` enables facts generation.  Implicitely enabled if `logon_policy_for_ad_user_reports_generate` is set.
+
+    Default value is:
+    ```yaml
+    logon_policy_for_ad_user_facts_generate: "{{ facts_generate }}"
+    ```
+
+### Report generation
+
+Report generation variable defaults for all roles are set by variables in the [`common`](../common/README.md) role and can be overriden for all roles by setting the appropriate [`common`](../common/README.md) role variable.  See [common role report generation variables](../common/README.md#report-generation) in the [`common`](../common/README.md) role.
+
+* `logon_policy_for_ad_user_reports_generate` enables report generation.  Reports are generated at the end of a `logon_policy_for_ad_user` run for all hosts.
+
+    Default value is: 
+    ```yaml
+    logon_policy_for_ad_user_reports_generate: "{{ reports_generate }}"
+    ```
+
+* `logon_policy_for_ad_user_reports_backup` enables backup of prior reports by renaming them with the date and time they were generated so that the latest reports do not override the previous reports.
+
+    Default value is: 
+    ```yaml
+    logon_policy_for_ad_user_reports_backup: "{{ reports_backup }}"
+
+    ```
+
+* `logon_policy_for_ad_user_reports_host` sets the host on which the reports should be generated.
+
+    Default value is: 
+    ```yaml
+    logon_policy_for_ad_user_reports_host: "{{ reports_host }}"
+    ```
+
+* `logon_policy_for_ad_user_reports` is a list of dictionaries that define the reports to be generated.  The default value creates a CSV and HTML report using the templates included with the `logon_policy_for_ad_user` role.
+
+  Default value is:
+    ```yaml
+    logon_policy_for_ad_user_reports:
+      - src:  logon_policy_for_ad_user_report.csv.j2
+        dest: logon_policy_for_ad_user_report.csv
+      - src:  logon_policy_for_ad_user_report.html.j2
+        dest: logon_policy_for_ad_user_report.html
+    ```
+
+  The `src` key for each list entry is the report template file on the Ansible control node.  With a relative path Ansible will look in the `logon_policy_for_ad_user` role `template` directory.  Use a absolute path to speciy templates located elsewhere on the Ansible control node.
+
+  The `dest` key for each list entry is the report file on the machine specified in `logon_policy_for_ad_user_reports_host`.  If `logon_policy_for_ad_user_reports_host` is set to the Ansible control node a relative path can be used and it will be relative to the directory from which the playbook is run.  For other hosts, an absolute path must be used.  In either case the containing directory must exist.
+
+## Usage
+
+Below is a sample playbook using the `logon_policy_for_ad_user` role.
+
+```yaml
+---
+
+- hosts: all
+  gather_facts: false
+
+  # The variables you would most likely want/need to override have been included
+  vars:
+
+    # Report parameters
+    logon_policy_for_ad_user_user_name: ''
+
+    # Facts
+    logon_policy_for_ad_user_facts_generate: true
+
+    # Reports
+    logon_policy_for_ad_user_reports_generate: true
+    logon_policy_for_ad_user_reports_backup: false
+
+  roles:
+    - name: oneidentity.authentication_services.logon_policy_for_ad_user
+```
+
+For a copy of this and other sample playbooks see [examples](../../examples/README.md)

roles/logon_policy_for_ad_user/defaults/main.yml

@@ -0,0 +1,38 @@
+---
+
+# Report parameters
+# ------------------------------------------------------------------------------
+
+logon_policy_for_ad_user_user_name: ''
+
+
+# Facts settings
+# ------------------------------------------------------------------------------
+
+logon_policy_for_ad_user_facts_generate: "{{ facts_generate }}"
+
+
+# Reports settings
+# ------------------------------------------------------------------------------
+
+logon_policy_for_ad_user_reports_generate: "{{ reports_generate }}"
+logon_policy_for_ad_user_reports_backup: "{{ reports_backup }}"
+
+# On which host should the reports be generated.
+# TODO: This has only been tested on the Ansible control node (127.0.0.1)
+logon_policy_for_ad_user_reports_host: "{{ reports_host }}"
+
+# List of reports to generate
+# src:  Is the report template file on the Ansible control node.
+#       With no or relative path Ansible will look in the logon_policy_for_ad_user role template directory.
+#       Full path to find the template files elsewhere on the Ansible control node.
+# dest: Is the destination file on the host (logon_policy_for_ad_user_reports_host.)
+#       With no or relative path when the destination is the Ansible control node.
+#       (logon_policy_for_ad_user_reports_host = 127.0.0.1) relative to the playbook directory.
+#       Full path for other locations or on other hosts.
+#       In either case the directory must already exist.
+logon_policy_for_ad_user_reports:
+  - src:  logon_policy_for_ad_user_report.csv.j2
+    dest: logon_policy_for_ad_user_report.csv
+  - src:  logon_policy_for_ad_user_report.html.j2
+    dest: logon_policy_for_ad_user_report.html

roles/logon_policy_for_ad_user/meta/main.yml

@@ -0,0 +1,66 @@
+---
+
+galaxy_info:
+
+  author: Laszlo Nagy <[email protected]>
+
+  company: One Identity
+
+  description: >
+    Identifies the hosts where Active Directory users have been granted log on permission.
+
+  issue_tracker_url: https://github.com/OneIdentity/ansible-authentication-services/issues
+
+  license: Apache-2.0
+
+  min_ansible_version: 2.9
+
+  #
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+  - name: Amazon
+    versions:
+    - all
+  - name: MacOSX
+    versions:
+    - 10.12
+    - 10.13
+    - 10.14
+    - 10.15
+  - name: EL
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+  - name: Fedora
+    versions:
+    - all
+  - name: FreeBSD
+    versions:
+    - all
+  - name: AIX
+    versions:
+    - 7.1
+    - 7.2
+  - name: opensuse
+    versions:
+    - all
+  - name: Solaris
+    versions:
+    - all
+  - name: SLES
+    versions:
+    - 11
+    - 12
+    - 15
+  - name: Ubuntu
+    versions:
+    - all
+
+  # galaxy_tags: []
+
+dependencies:
+  - role: common