From f7b08490d2490912d9c129abd8a62259c295f720 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Wed, 6 Dec 2023 16:52:01 +0000 Subject: [PATCH] nomis: D1568: add support for user creation (#437) * Add regular user functionality to users-and-groups role * Add regular users to nomis-dev servers * whitespace * Commit changes made by code formatters --------- Co-authored-by: github-actions[bot] --- .../environment_name_nomis_development.yml | 4 + ansible/roles/users-and-groups/README.md | 31 +++++-- .../roles/users-and-groups/defaults/main.yml | 29 ++++++- ansible/roles/users-and-groups/meta/main.yml | 3 + .../users-and-groups/tasks/add-regular.yml | 87 +++++++++++++++++++ .../users-and-groups/tasks/add-system.yml | 9 +- ansible/roles/users-and-groups/tasks/main.yml | 8 ++ .../vars/hmpps-regular-groups.yml | 22 +++++ .../vars/hmpps-regular-users.yml | 21 +++++ 9 files changed, 198 insertions(+), 16 deletions(-) create mode 100644 ansible/roles/users-and-groups/meta/main.yml create mode 100644 ansible/roles/users-and-groups/tasks/add-regular.yml create mode 100644 ansible/roles/users-and-groups/vars/hmpps-regular-groups.yml create mode 100644 ansible/roles/users-and-groups/vars/hmpps-regular-users.yml diff --git a/ansible/group_vars/environment_name_nomis_development.yml b/ansible/group_vars/environment_name_nomis_development.yml index 506fb05d1..33ee4af2a 100644 --- a/ansible/group_vars/environment_name_nomis_development.yml +++ b/ansible/group_vars/environment_name_nomis_development.yml @@ -9,6 +9,10 @@ dns_search_domains: - azure.noms.root PROD_SYSCON_WEB_RELEASE: DB_V11.2.1.1.219 +users_and_groups_regular: + - group: studio-webops + - group: syscon-nomis + weblogic_additional_form_servers: [] db_configs: qa11r: diff --git a/ansible/roles/users-and-groups/README.md b/ansible/roles/users-and-groups/README.md index efa3c734e..863e2b832 100644 --- a/ansible/roles/users-and-groups/README.md 
+++ b/ansible/roles/users-and-groups/README.md @@ -10,12 +10,8 @@ Define mapping between user to uid, and group to gid, in `vars/`. For example: - [default-system-gids.yml](/ansible/roles/users-and-groups/vars/default-system-gids.yml) - [default-system-uids.yml](/ansible/roles/users-and-groups/vars/default-system-uids.yml) -A custom mapping can be created if necessary. For example, create -`vars/myapp-system-gids.yml` and `vars/myapp-system-uids.yml` and set - -``` -users_and_groups_system_vars_prefix: myapp -``` +A custom mapping can be created if necessary for a given business unit or application. For example, create +`vars/hmpps-system-gids.yml` and `vars/hmpps-system-uids.yml` and set ### Adding users and groups @@ -55,6 +51,25 @@ Option 2. Import from another role - wheel ``` -## Non-System Users +## Regular Users + +Users should add their ssh public keys to the relevant business unit vars file, e.g. +Also assign a unique UID for consistency across servers. Suggest the username is set +to the user's GitHub id. + +- [hmpps-regular-users.yml](/ansible/roles/users-and-groups/vars/hmpps-regular-users.yml) + +Define group details such as group membership in relevant business unit vars file, e.g. -Not implemented yet. +- [hmpps-regular-groups.yml](/ansible/roles/users-and-groups/vars/hmpps-regular-groups.yml) + +Suggest the group names follow GitHub group ids. + +Finally, define which users and groups to add by defining a variable in the relevant +server-type or environment_name group vars, e.g. + +``` +users_and_groups_regular: + - group: studio-webops + - group: syscon-nomis +``` diff --git a/ansible/roles/users-and-groups/defaults/main.yml b/ansible/roles/users-and-groups/defaults/main.yml index 3fe2bbb1c..5453a3c43 100644 --- a/ansible/roles/users-and-groups/defaults/main.yml +++ b/ansible/roles/users-and-groups/defaults/main.yml 
@@ -1,10 +1,31 @@ --- -# Define which users to create using this variable. Groups are automatically -# created if they are referenced by a user. For example: +# Define which system users to create using this variable. Groups are +# automatically created if they are referenced by a user. For example: # users_and_groups_system: # - { name: oracle, group: oinstall } # - { group: mygroup } # if just a group required users_and_groups_system: [] -# override this to load a different uid/gid vars file -users_and_groups_system_vars_prefix: "default" +# Define which regular users to create using this variable. Although you can +# specify individual users in the same way as `users_and_groups_system`, it +# is recommended just to specify group and all group members will be added. +# users_and_groups_regular: +# - group: studio-webops +users_and_groups_regular: [] + +# Override these in vars/ +system_uids: {} # username -> uid +system_gids: {} # group -> gid +regular_uids: {} # username -> uid +regular_gids: {} # group -> gid +regular_users_authorized_keys: {} # username -> key (multi-line string) +regular_groups_additional_groups: {} # username -> groups +regular_groups_members: {} # group -> list of usernames + +# Define which files to read in from /vars +users_and_groups_system_vars_prefixes: + - "default" + - "{{ ec2.tags['business-unit'] | lower }}" +users_and_groups_regular_vars_prefixes: + - "default" + - "{{ ec2.tags['business-unit'] | lower }}" diff --git a/ansible/roles/users-and-groups/meta/main.yml b/ansible/roles/users-and-groups/meta/main.yml new file mode 100644 index 000000000..4ff987c1c --- /dev/null +++ b/ansible/roles/users-and-groups/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: get-ec2-facts diff --git a/ansible/roles/users-and-groups/tasks/add-regular.yml b/ansible/roles/users-and-groups/tasks/add-regular.yml new file mode 100644 index 000000000..454580333 --- /dev/null +++ b/ansible/roles/users-and-groups/tasks/add-regular.yml 
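Review bot: The inline comment on `regular_groups_additional_groups: {}  # username -> groups` mislabels the key: hmpps-regular-groups.yml keys it by group name and add-regular.yml reads it as `regular_groups_additional_groups[item.group]`, so it should read `# group -> extra groups its members are added to`. Replacing `users_and_groups_system_vars_prefix` with the plural list drops the old variable without a deprecation path, so any group_vars still setting the singular name are now silently ignored and fall back to `default` plus the business-unit prefix; a comment naming the retired variable, or an `ansible.builtin.assert` in add-system.yml that it is undefined, would make that visible. The `ec2.tags['business-unit']` expression is presumably populated by the new `get-ec2-facts` dependency in meta/main.yml; a host without that tag would seem to fail at include time rather than fall back to `default` only, which is worth confirming.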
@@ -0,0 +1,87 @@ +--- +# Note these tasks can also be used elsewhere via import_role + +- name: Include uid and gid vars + ansible.builtin.include_vars: + dir: vars + files_matching: "{{ item }}-regular-.*.yml$" + loop: "{{ users_and_groups_regular_vars_prefixes }}" + +- name: Calculate list of groups + ansible.builtin.set_fact: + regular_groups_1: "{{ users_and_groups_regular | map(attribute='group') }}" + regular_groups_2: "{{ users_and_groups_regular | selectattr('groups', 'defined') | map(attribute='groups') | flatten }}" + +- name: Add regular groups + ansible.builtin.group: + name: "{{ item }}" + state: present + system: no + gid: "{{ regular_gids[item]|default(omit) }}" + loop: "{{ (regular_groups_1 + regular_groups_2) | unique }}" + +- name: Calculate groups where we will add all members + ansible.builtin.set_fact: + regular_groups_for_adding_users: "{{ users_and_groups_regular | rejectattr('name', 'defined') | selectattr('group', 'defined') | map(attribute='group') }}" + users_regular: [] + +- name: Add group members to user list fact + ansible.builtin.set_fact: + users_regular: "{{ users_regular + [{ + 'name': item.name, + 'group': item.group, + 'groups': item.groups|default([]) + regular_groups_additional_groups[item.group]|default([]), + 'uid': item.uid | default(regular_uids[item.name]|default(omit)), + 'create_home': item.create_home | default(true), + 'home': item.home | default('/home/' + item.name), + 'state': item.state | default('present'), + 'authorized_keys': item.authorized_keys | default(regular_users_authorized_keys[item.name]|default(omit)) + }] }}" + vars: + item: + group: "{{ loop_item[0].key }}" + name: "{{ loop_item[1] }}" + when: item.group in regular_groups_for_adding_users + loop_control: + loop_var: loop_item + label: "{{ item.name }}:{{ item.group }}" + loop: "{{ regular_groups_members | dict2items | subelements('value') }}" + +- name: Add regular users to user list fact + set_fact: + users_regular: "{{ users_regular + [{ + 'name': 
item.name, + 'group': item.group, + 'groups': item.groups|default([]) + regular_groups_additional_groups[item.group]|default([]), + 'uid': item.uid | default(regular_uids[item.name]|default(omit)), + 'create_home': item.create_home | default(true), + 'home': item.home | default('/home/' + item.name), + 'state': item.state | default('present'), + 'authorized_keys': item.authorized_keys | default(regular_users_authorized_keys[item.name]|default(omit)) + }] }}" + loop_control: + label: "{{ item.name }}" + loop: "{{ users_and_groups_regular | selectattr('name', 'defined') }}" + +- name: Update regular users + ansible.builtin.user: + name: "{{ item.name }}" + group: "{{ item.group }}" + groups: "{{ item.groups }}" + uid: "{{ item.uid|default(omit) }}" + create_home: "{{ item.create_home }}" + home: "{{ item.home }}" + state: "{{ item.state }}" + system: no + loop_control: + label: "{{ item.name }}:{{ item.group }}" + loop: "{{ users_regular }}" + +- name: Update authorized keys + ansible.posix.authorized_key: + user: "{{ item.name }}" + key: "{{ item.authorized_keys }}" + loop_control: + label: "{{ item.name }}" + loop: "{{ users_regular | rejectattr('state', 'equalto', 'absent') | selectattr('authorized_keys', 'defined') }}" + when: not ansible_check_mode diff --git a/ansible/roles/users-and-groups/tasks/add-system.yml b/ansible/roles/users-and-groups/tasks/add-system.yml index d8d4d7f1b..d9c5ec6ad 100644 --- a/ansible/roles/users-and-groups/tasks/add-system.yml +++ b/ansible/roles/users-and-groups/tasks/add-system.yml @@ -4,7 +4,8 @@ - name: Include uid and gid vars ansible.builtin.include_vars: dir: vars - files_matching: "{{ users_and_groups_system_vars_prefix }}-system-.*.yml$" + files_matching: "{{ item }}-system-.*.yml$" + loop: "{{ users_and_groups_system_vars_prefixes }}" - name: Calculate list of groups ansible.builtin.set_fact: 
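Review bot: The `Update authorized keys` task manages keys additively — without `exclusive: true`, a key deleted from or rotated in `regular_users_authorized_keys` stays in the user's `authorized_keys` on every server, so revoking access through this repo is not effective; since the module already takes newline-separated keys in one string, `exclusive: true` makes hmpps-regular-users.yml authoritative. Because `default(omit)` is evaluated inside `set_fact` when building `users_regular`, a member with no entry in `regular_users_authorized_keys` appears to end up with the omit placeholder string rather than an undefined key, so the `selectattr('authorized_keys', 'defined')` filter on the last task likely does not skip them — worth testing with a group member who has no key configured. As a style point, `Add regular users to user list fact` uses bare `set_fact:` while every other task in the file is FQCN-qualified, and `system: no` should be written `system: false`.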
@@ -16,15 +17,15 @@ name: "{{ item }}" state: present system: yes - gid: "{{ system_gids[item] }}" - loop: "{{ (system_groups_1 + system_groups_2) | unique | intersect(system_gids.keys()) }}" + gid: "{{ system_gids[item]|default(omit) }}" + loop: "{{ (system_groups_1 + system_groups_2) | unique }}" - name: Add system users ansible.builtin.user: name: "{{ item.name }}" group: "{{ item.group }}" groups: "{{ item.groups | default([]) }}" - uid: "{{ item.uid | default(system_uids[item.name]) }}" + uid: "{{ item.uid | default(system_uids[item.name]|default(omit)) }}" create_home: "{{ item.create_home | default(true) }}" home: "{{ item.home | default('/home/' + item.name) }}" system: yes diff --git a/ansible/roles/users-and-groups/tasks/main.yml b/ansible/roles/users-and-groups/tasks/main.yml index 2c229700f..4c993484b 100644 --- a/ansible/roles/users-and-groups/tasks/main.yml +++ b/ansible/roles/users-and-groups/tasks/main.yml @@ -4,3 +4,11 @@ - amibuild - ec2provision - ec2patch + - users-and-groups-system + +- import_tasks: add-regular.yml + tags: + - amibuild + - ec2provision + - ec2patch + - users-and-groups-regular diff --git a/ansible/roles/users-and-groups/vars/hmpps-regular-groups.yml b/ansible/roles/users-and-groups/vars/hmpps-regular-groups.yml new file mode 100644 index 000000000..0e87276f5 --- /dev/null +++ b/ansible/roles/users-and-groups/vars/hmpps-regular-groups.yml @@ -0,0 +1,22 @@ +# define all non-system groups in use in hmpps accounts here + +# define gid if you want consistency across servers +regular_gids: + studio-webops: 2001 + syscon-nomis: 2051 + +# define any additional groups that team members should be added to +regular_groups_additional_groups: + studio-webops: + - wheel + syscon-nomis: + - wheel + +# define members of each group +regular_groups_members: + studio-webops: + - drobinson-moj + - Sandhya1874 + - KarenMoss1510 + syscon-nomis: + - vinnydigital 
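Review bot: `regular_groups_additional_groups` adds `wheel` to both groups, so every username listed under `regular_groups_members` becomes an administrator wherever the host's sudoers grants `%wheel` (the usual default), which makes a membership edit in this vars file an effective sudo grant. Suggest saying so above the block, e.g. `# NOTE: groups listed here with 'wheel' give all their members sudo via %wheel on every server that includes the group; treat membership changes as privilege grants`, and consider protecting this path with a CODEOWNERS rule so such edits always get a second reviewer. The file also lacks the `---` document start that defaults/main.yml and the task files in this role use.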
diff --git a/ansible/roles/users-and-groups/vars/hmpps-regular-users.yml b/ansible/roles/users-and-groups/vars/hmpps-regular-users.yml new file mode 100644 index 000000000..67c70efd3 --- /dev/null +++ b/ansible/roles/users-and-groups/vars/hmpps-regular-users.yml @@ -0,0 +1,21 @@ +# Define UID/ssh keys for hmpps non-system users +# NOTE: please do not commit email addresssed in authorized keys + +# define a UID if you want consistency across servers +regular_uids: + drobinson-moj: 2001 + Sandhya1874: 2002 + KarenMoss1510: 2003 + vinnydigital: 2051 + +# please do not commit email addresses +regular_users_authorized_keys: + drobinson-moj: | + ssh-rsa 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 + Sandhya1874: | + ssh-rsa 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 + KarenMoss1510: | + ssh-rsa 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 + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID3gmEWJ3ar9iOmHWGdx9BXJB10ZksaKG3FRdr8qBVx9 + vinnydigital: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQFZK3svaYe8YTRx7B2pxYag/HZ1Zafbfqr0I7hbIbd
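Review bot: The second comment line has a typo, `addresssed` should read `addresses`, and the two comments say the same thing, so the one above `regular_users_authorized_keys` could be dropped or merged. The file is missing the `---` document start used elsewhere in the role. Since this file is now the SSH access list for the servers that include these groups, a header comment stating that adding or changing a key here grants login, and that the consuming task in add-regular.yml decides whether removed keys are actually revoked, would help whoever edits it next.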