users

#!/bin/bash
#
#		/etc/rc.d/init.d/users
#
#		adding/deleting (disabling) users
#
# chkconfig: 02345 30 80
# description: adding/deleting (disabling) users
#

# Source function library.
. /etc/init.d/functions

manage=$(cat<<EOF
import boto
import boto.utils
import json
import os
import pwd
import ssl
import sys

userdata = json.loads(boto.utils.get_instance_userdata())

# we always succeed when there is nothing to do
if not ('security' in userdata and 'users' in userdata['security']):
	exit(0)

# Buckets with a . in their name do not have
# a valid ssl cert (*.s3.amazonaws.com)
# Create ssl context that does not validate certificates
if hasattr(ssl, '_create_unverified_context'):
	ssl._create_default_https_context = ssl._create_unverified_context
s3 = boto.connect_s3()
keys = s3.get_bucket(userdata['security']['bucket'], validate=False)
key = boto.s3.key.Key(keys)

if "provision" == sys.argv[1]:
	for username in userdata['security']['users']:
		user = userdata['security']['users'][username]

		sys.stdout.write(" {0}".format(username))
		os.system("/usr/sbin/adduser -c \"{0}\" -G {1} {2}".format(
											user['comment'],
											",".join(user['groups']),
											username))

		key.key = user['email']
		os.system("/bin/mkdir --mode=0755 -p /home/{0}/.ssh".format(username))
		key.get_contents_to_filename(
							"/home/{0}/.ssh/authorized_keys".format(username))
		os.system("chown -R {0}.{0} /home/{0}".format(username))
elif "remove" == sys.argv[1]:
	for username in userdata['security']['users']:
		user = userdata['security']['users'][username]

		sys.stdout.write(" {0}".format(username))
		os.system("/usr/sbin/userdel -fr {0}".format(username))
elif "update" == sys.argv[1]:
	for username in userdata['security']['users']:
		user = userdata['security']['users'][username]

		sys.stdout.write(" {0}".format(username))

		key.key = user['email']
		# also delete the file when it is gone
		try:
			key.exists()
			key.get_contents_to_filename(
							"/home/{0}/.ssh/authorized_keys".format(username))
		except:
			os.remove("/home/{0}/.ssh/authorized_keys".format(username))

		os.system("chown -R {0}.{0} /home/{0}".format(username))
else:
	pass

EOF
)

# for some reason it 'stops' on runlevel 6, so we ignore that one
runlevel=`runlevel`
if [ "3 6" == "${runlevel}" ]; then
	exit 0
fi

service=users

start() {
	echo -n "Provisioning ${service}: "

	/usr/bin/python -c "${manage}" provision
	provisioned=$?

	touch /var/lock/subsys/${service}
	return ${provisioned}
}		

stop() {
	echo -n "Removing ${service}: "

	/usr/bin/python -c "${manage}" remove
	removed=$?

	rm -f /var/lock/subsys/${service}
	return ${removed}
}

restart() {
	echo -n "Updating ${service}: "

	/usr/bin/python -c "${manage}" update
	updated=$?

	return ${updated}
}

case "$1" in
	start)
		echo "start"
		start
		echo
		;;
	stop)
		echo "stop"
		stop
		echo
		;;
	restart)
		echo "restart"
		restart
		echo
		;;
	*)
		echo "Usage: ${service} {start|stop|restart}"
		exit 1
		;;
esac
exit $?