Finalize pwfilesupport

.kitchen.yml

@@ -10,6 +10,7 @@ driver:
 provisioner:
   name: chef_zero
   require_chef_omnibus: true
+  data_bags_path: ./test/data_bags
   # client_rb:
   #   treat_deprecation_warnings_as_errors: true # WiP on some depends
 
@@ -49,7 +50,7 @@ suites:
   - centos-6
   - centos-6.6
   - centos-7
-  - centos-7.0
+  - centos-7.2
   - fedora-20
   - fedora-21
   - opensuse-12.3
@@ -61,3 +62,20 @@ suites:
 - name: attributes
   run_list:
   - recipe[dovecot_test::attributes]
+- name: create_pwfile
+  run_list:
+  - recipe[dovecot_test::create_pwfile]
+  excludes:
+  # tests are not working on older versions of dovecot
+  - centos-6.7
+  - debian-8.2
+  - ubuntu-12.04
+  - ubuntu-15.10
+  - ubuntu-16.04
+  - fedora-20
+  - fedora-21
+  - opensuse-12.3
+  - opensuse-13.2
+  - oraclelinux-6
+  - scientific-6.6
+

.rubocop.yml

@@ -4,3 +4,5 @@ AllCops:
   - vendor/**/*
 Metrics/ModuleLength:
   Max: 121
+Metrics/LineLength:
+  Max: 121

.travis.yml

@@ -26,6 +26,9 @@ env:
   - TESTS="integration[attributes-ubuntu-1510,verify]"
   - TESTS="integration[attributes-ubuntu-1604,verify]"
   - TESTS="integration[attributes-scientific-66,verify]"
+  - TESTS="integration[create-pwfile-centos-72,verify]"
+  - TESTS="integration[create-pwfile-debian-79,verify]"
+  - TESTS="integration[create-pwfile-ubuntu-14.04,verify]"
 
 before_install:
 - chef --version &> /dev/null || curl -L https://www.getchef.com/chef/install.sh | sudo bash -s -- -P chefdk -v 1.2.22

README.md

@@ -42,6 +42,7 @@ Table of Contents
   * [dovecot::ohai_plugin](#dovecotohai_plugin)
   * [dovecot::from_package](#dovecotfrom_package)
   * [dovecot::service](#dovecotservice)
+  * [dovecot::create_pwfile](#dovecotcreate_pwfile)
 * [Ohai Plugin](#ohai-plugin)
 * [Usage Examples](#usage-examples)
   * [Including in a Cookbook Recipe](#including-in-a-cookbook-recipe)
@@ -60,6 +61,7 @@ Table of Contents
     * [Quota-status Service Example](#quota-status-service-example)
     * [Quota-warning Service Example](#quota-warning-service-example)
   * [LDAP Example](#ldap-example)
+  * [Password File Example](#password-file-example)
   * [A Complete Example](#a-complete-example)
 * [Testing](#testing)
 * [Contributing](#contributing)
@@ -126,6 +128,9 @@ To see a more complete description of the attributes, go to the [Dovecot wiki2 c
 | `node['dovecot']['services']`                     | `{}`                       | Dovecot Services configuration as a hash of hashes ([see the examples below](#service-examples)). Supported services: anvil, director, imap-login, pop3-login, lmtp, imap, pop3, auth, auth-worker, dict, tcpwrap, managesieve-login managesieve, quota-status, quota-warning and doveadm.
 | `node['dovecot']['conf']['mail_plugins']`         | `[]`                       | Dovecot default enabled mail_plugins.
 | `node['dovecot']['ohai_plugin']['build-options']` | `true`                     | Whether to enable reading build options inside ohai plugin. Can be disabled to be lighter.
+| `node['dovecot']['databag_name']`              | `dovecot`                  | The databag to use.
+| `node['dovecot']['databag_users_item']`         | `users`                    | The databag item to use for User's database (Passwords).
+| `node['dovecot']['conf']['password_file']`      | `#{node['dovecot']['conf_path']}/password` | The Password file location
 
 ## Main Configuration Attributes
 
@@ -465,6 +470,14 @@ Installs the required packages. Used by the default recipe if `node['dovecot']['
 
 Configures the Dovecot service. Used by the default recipe.
 
+## dovecot::create_pwfile
+
+Creates and configures a password file from local mailboxes based on a data bag.
+
+
+* `node['dovecot']['databag_name']`: The Databag on which items are stored.
+* `node['dovecot']['databag_users_item']`: The databag item to use (under the databag set)
+
 Ohai Plugin
 ===========
 
@@ -895,6 +908,46 @@ node.default['dovecot']['conf']['ldap']['base'] = node['openldap']['basedn']
 include_recipe 'dovecot'
 ```
 
+## Password File Example
+
+This is an example how to use userdb password file.
+
+```ruby
+# Define databag and item inside Databag (default.conf)
+node.default['dovecot']'databag_name'] = 'dovecot'
+node.default['dovecot']['databag_users_item'] = 'users'
+
+# Attributes for userdb to function
+node.default['dovecot']['auth']['passwdfile'] = {
+ 'passdb' => {
+    'driver' => 'passwd-file',
+    'args'   => node['dovecot']['conf']['password_file']
+ },
+ 'userdb' => {
+    'driver' => 'passwd-file',
+    'args'  => "username_format=%u #{node['dovecot']['conf']['password_file']}",
+    'default_fields' => 'home=/var/dovecot/vmail/%d/%n'
+ }
+}
+
+
+#include this recipe on your
+include_recipe 'dovecot::pwfile-file'
+```
+
+Databag example.
+Two ways of defining an user example included
+
+```json
+{
+  "users": {
+    "dilan": "password1234",
+    "vassilis": [
+      "vassilis1234",null,null,null,null,null,null
+    ]
+  }
+}
+```
 ## A Complete Example
 
 This is a complete recipe example for installing and configuring Dovecot 2 to work with PostfixAdmin MySQL tables, including IMAP service:

attributes/conf_10_ssl.rb

@@ -21,11 +21,10 @@
 
 # conf.d/10-ssl.conf
 
-if node['platform_family'] == 'suse' && node['platform_version'].to_i < 13
-  default['dovecot']['conf']['ssl'] = false
-else
-  default['dovecot']['conf']['ssl'] = nil
-end
+default['dovecot']['conf']['ssl'] = \
+  if node['platform_family'] == 'suse' && node['platform_version'].to_i < 13
+    false
+  end
 
 case node['platform_family']
 when 'rhel', 'fedora'

attributes/conf_files.rb

@@ -23,6 +23,8 @@
 default['dovecot']['conf_files_user'] = 'root'
 default['dovecot']['conf_files_group'] = node['dovecot']['group']
 default['dovecot']['conf_files_mode'] = '00644'
+default['dovecot']['conf']['password_file'] = \
+  "#{node['dovecot']['conf_path']}/password"
 
 default['dovecot']['sensitive_files'] = %w(
   *.conf.ext

attributes/default.rb

@@ -34,3 +34,5 @@
 default['dovecot']['user'] = 'dovecot'
 default['dovecot']['group'] = node['dovecot']['user']
 default['dovecot']['user_homedir'] = node['dovecot']['lib_path']
+default['dovecot']['databag_name'] = 'dovecot'
+default['dovecot']['databag_users_item'] = 'users'

libraries/pwfile.rb

@@ -0,0 +1,103 @@
+# encoding: UTF-8
+#
+# Cookbook Name:: dovecot
+# Library:: Pwfile
+# Author:: Xabier de Zuazo (<xabier@zuazo.org>)
+# Copyright:: Copyright (c) 2013-2014 Onddo Labs, SL.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module DovecotCookbook
+  # Helper module to check password file and import it
+  module Pwfile
+    extend Chef::Mixin::ShellOut
+
+    def self.exists?(localdata)
+      true if ::File.exist?(localdata)
+    end
+
+    def self.file_to_hash(inputfile)
+      output_entries = {}
+      passwordfile = File.open(inputfile, File::RDONLY | File::CREAT, 640)
+      passwordfile.readlines.each do |line|
+        user, data = fileline_to_userdb_hash(line)
+        output_entries[user] = data
+      end
+      passwordfile.close
+      output_entries
+    end
+
+    def self.passfile_read(input)
+      # Returns Password file in userdb style hash and if exists
+      [file_to_hash(input), exists?(input)]
+    end
+
+    def self.fileline_to_userdb_hash(input)
+      # Returns a hash of details daken from the userdb file line
+      data = [nil] * 7
+      if input.strip.split(':').length == 2
+        user, data[0] = input.strip.split(':')
+      else
+        user = input.strip.split(':')[0]
+        data = input.strip.split(':')[1..7]
+      end
+      [user, data]
+    end
+
+    def self.dbentry_to_array(key, value)
+      # Returns an array with 8 values to use with user copy.
+      if value.is_a?(Array)
+        [key] + (value + ([nil] * (7 - value.size)))
+      else
+        [key, value] + ([nil] * 6)
+      end
+    end
+
+    def self.password_valid?(hashed_pw, plaintext_pw)
+      true unless shell_out(
+        "/usr/bin/doveadm pw -t '#{hashed_pw}' -p '#{plaintext_pw}'"
+      ).exitstatus != 0
+    end
+
+    def self.arrays_same?(array1, array2)
+      true if (array1 - array2).empty? && (array2 - array1).empty?
+    end
+
+    def self.encrypt_password(plaintextpass)
+      # Return the password generated by dovecot and remove newline
+      shell_out("/usr/bin/doveadm pw -s MD5 -p \
+                #{plaintextpass}").stdout.tr("\n", '')
+    end
+
+    def self.generate_userpass(input_creds, plaintextpass, updated, file_exists)
+      if !input_creds.nil? && file_exists == true
+        if password_valid?(
+          input_creds[0], plaintextpass
+        )
+          return [input_creds[0], updated]
+        end
+      end
+      [encrypt_password(plaintextpass), true]
+    end
+
+    def self.compile_users(databag_users, current_users, pwfile_exists, updated, credentials)
+      databag_users.each do |username, user_details|
+        current_user = dbentry_to_array(username, user_details)
+        current_user[1], updated = generate_userpass(current_users[username], current_user[1], updated, pwfile_exists)
+        credentials.push(current_user)
+      end
+      updated
+    end
+  end
+end

metadata.rb

@@ -27,7 +27,7 @@
 Installs and configures Dovecot, open source IMAP and POP3 email server.
 EOH
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '3.2.0' # WiP
+version '3.2.0' # WIP
 
 if respond_to?(:source_url)
   source_url "https://github.com/zuazo/#{name}-cookbook"
@@ -55,6 +55,7 @@
        'Provides an Ohai plugin for reading dovecot install information.'
 recipe 'dovecot::from_package', 'Installs the required packages.'
 recipe 'dovecot::service', 'Configures the Dovecot service.'
+recipe 'dovecot::create_pwfile', 'Creates a userdb password file from databag.'
 
 attribute 'dovecot/install_from',
           display_name: 'dovecot install method',
@@ -79,6 +80,20 @@
           required: 'optional',
           default: '"dovecot"'
 
+attribute 'dovecot/databag_name',
+          display_name: 'Databag name',
+          description: 'The name of the databag to use',
+          type: 'string',
+          required: 'optional',
+          default: '"dovecot"'
+
+attribute 'dovecot/databag_users_item',
+          display_name: 'Databag users item name',
+          description: 'The name item to put the users in',
+          type: 'string',
+          required: 'optional',
+          default: '"users"'
+
 attribute 'dovecot/user_homedir',
           display_name: 'dovecot homedir',
           description: 'Dovecot system user home directory.',
@@ -122,6 +137,13 @@
           required: 'optional',
           default: '00644'
 
+attribute 'dovecot/conf/password_file',
+          display_name: 'path of password file',
+          description: 'The path and filename of the password file',
+          type: 'string',
+          required: 'optional',
+          default: 'node["dovecot"]["conf_path"]/password'
+
 attribute 'dovecot/sensitive_files',
           display_name: 'dovecot sensitve files',
           description:

recipes/create_pwfile.rb

@@ -0,0 +1,59 @@
+#
+# Cookbook Name:: dovecot
+# Recipe:: create_pwfile
+# Author:: Xabier de Zuazo (<xabier@zuazo.org>)
+# Copyright:: Copyright (c) 2013-2014 Onddo Labs, SL.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# The file credentials should be like:
+# user:password:uid:gid:(gecos):home:(shell):extra_fields
+# We ignore gecos and shell, all the others are included in the script but
+# uid,gid,home,extra_Fields can be nil
+# user:pass:<num>:<num>::<string>::<Extras string>
+
+# Predefined Variables
+credentials = []
+update_credentials = false
+
+ruby_block 'databag_to_dovecot_userdb' do
+  block do
+    passwd_file = node['dovecot']['conf']['password_file']
+    databag_users = data_bag_item(node['dovecot']['databag_name'], node['dovecot']['databag_users_item'])['users']
+
+    # Check if passwd file exists
+    local_creds, pwfile_exists = DovecotCookbook::Pwfile.passfile_read(passwd_file)
+    # Check if users on both passwd file and databag are the same
+    # if not, force credentials update
+    update_credentials = true unless DovecotCookbook::Pwfile.arrays_same?(databag_users.keys, local_creds.keys)
+    # Check if users has a changed password, if not change it and force update
+    update_credentials = DovecotCookbook::Pwfile.compile_users(databag_users,
+                                                               local_creds,
+                                                               pwfile_exists,
+                                                               update_credentials,
+                                                               credentials)
+  end
+  action :run
+end
+
+template node['dovecot']['conf']['password_file'] do
+  source 'password.erb'
+  owner node['dovecot']['user']
+  group node['dovecot']['group']
+  mode '0640'
+  variables(
+    credentials: credentials
+  )
+  only_if { update_credentials }
+end

templates/default/password.erb

@@ -0,0 +1,3 @@
+<%   @credentials.each do |user, password, uid, gid, gecos, homedir, shell, extra_fields| -%>
+<%=  user %>:<%= password %>:<%= uid %>:<%= gid %>::<%= homedir %>::<%= extra_fields %>
+<%   end -%>