From d5cde45cd88a30c6a4af145d1e24b913ddcd20e2 Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Sat, 24 Jun 2023 19:35:02 -0400
Subject: [PATCH] users: Add diagnostic checks for nsswitch config
Tests:
- Reconfigure libnss-ldapd and disable passwd, group, shadow. Confirm that diagnostics are failing.
- Reconfigure libnss-ldapd and enable passwd, group, shadow. Confirm that diagnostics are passed.
Signed-off-by: James Valleroy
[sunil: Use augeas Nsswitch lens]
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Sunil Mohan Adapa
---
 plinth/modules/users/__init__.py | 34 ++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/plinth/modules/users/__init__.py b/plinth/modules/users/__init__.py
index 54532680d..5be7435dd 100644
--- a/plinth/modules/users/__init__.py
+++ b/plinth/modules/users/__init__.py
@@ -4,6 +4,7 @@
 import grp
 import subprocess
+import augeas
 from django.utils.text import format_lazy
 from django.utils.translation import gettext_lazy as _
@@ -95,6 +96,8 @@ class UsersApp(app_module.App):
 results.append(_diagnose_nslcd_config(config, 'base', 'dc=thisbox'))
 results.append(_diagnose_nslcd_config(config, 'sasl_mech', 'EXTERNAL'))
+ results.extend(_diagnose_nsswitch_config())
+
 return results
 def setup(self, old_version):
@@ -137,6 +140,37 @@ def _diagnose_nslcd_config(config, key, value):
 return [testname, result]
+def _diagnose_nsswitch_config():
+ """Diagnose that Name Service Switch is configured to use LDAP."""
+ nsswitch_conf = '/etc/nsswitch.conf'
+ aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
+ augeas.Augeas.NO_MODL_AUTOLOAD)
+ aug.transform('Nsswitch', nsswitch_conf)
+ aug.set('/augeas/context', '/files' + nsswitch_conf)
+ aug.load()
+
+ results = []
+ for database in ['passwd', 'group', 'shadow']:
+ result = 'failed'
+ for match in aug.match('database'):
+ if aug.get(match) != database:
+ continue
+
+ for service_match in aug.match(match + '/service'):
+ if 'ldap' == aug.get(service_match):
+ result = 'passed'
+ break
+
+ break
+
+ template = _('Check nsswitch config "{database}"')
+ testname = format_lazy(template, database=database)
+
+ results.append([testname, result])
+
+ return results
+
+
 def get_last_admin_user():
 """If there is only one admin user return its name else return None."""
 admin_users = privileged.get_group_users('admin')
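Review bot: In `_diagnose_nsswitch_config`, a database is reported as 'passed' as soon as any `service` entry equals `ldap` and as 'failed' in every other case, so a real misconfiguration cannot be told apart from a file that Augeas could not read or parse. After `aug.load()` I would check for a load error first, e.g. `if aug.match('/augeas/files' + nsswitch_conf + '/error'):`, and report that condition separately instead of three identical failures. The loop also ignores position and action items: a line such as `passwd: files [NOTFOUND=return] ldap` would still pass although LDAP would not be consulted for names missing from the local files, which deserves at least a comment like `# Presence check only: order and [STATUS=action] items are not evaluated`. As a style point, the flags are bit masks and read better combined as `augeas.Augeas.NO_LOAD | augeas.Augeas.NO_MODL_AUTOLOAD`, and the handle could be released with `aug.close()` before returning.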