Merge pull request #142 from IMBArator/policykit-settings

make AdminIdentity configureable per user

Author: noelmcloughlin

pillar.example

@@ -55,6 +55,8 @@ users:
       - ALL=(otheruser) /usr/bin/script.sh
     sudo_defaults:
       - '!requiretty'
+    # enable polkitadmin to make user an AdminIdentity for polkit
+    polkitadmin: True
     shell: /bin/bash
     remove_groups: False
     prime_group:

users/init.sls

@@ -3,6 +3,7 @@
 {% set used_sudo = [] %}
 {% set used_googleauth = [] %}
 {% set used_user_files = [] %}
+{% set used_polkit = [] %}
 
 {% for group, setting in salt['pillar.get']('groups', {}).items() %}
 {%   if setting.absent is defined and setting.absent or setting.get('state', "present") == 'absent' %}
@@ -38,9 +39,12 @@ users_group_present_{{ group }}:
 {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
 {%- do used_user_files.append(1) %}
 {%- endif %}
+{%- if user.get('polkitadmin', False) == True %}
+{%- do used_polkit.append(1)  %}
+{%- endif %}
 {%- endfor %}
 
-{%- if used_sudo or used_googleauth or used_user_files %}
+{%- if used_sudo or used_googleauth or used_user_files or used_polkit %}
 include:
 {%- if used_sudo %}
   - users.sudo
@@ -51,6 +55,9 @@ include:
 {%- if used_user_files %}
   - users.user_files
 {%- endif %}
+{%- if used_polkit %}
+  - users.polkit
+{%- endif %}
 {%- endif %}
 
 {% for name, user in pillar.get('users', {}).items()

users/map.jinja

@@ -27,7 +27,9 @@
     'bash_package': 'bash',
     'sudo_package': 'sudo',
     'googleauth_package': 'libpam-google-authenticator',
-    },
+    'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+    'polkit_defaults': 'unix-group:sudo;'
+  },
   'Gentoo': {
     'sudoers_dir': '/etc/sudoers.d',
     'sudoers_file': '/etc/sudoers',
@@ -82,6 +84,8 @@
     'bash_package': 'bash',
     'sudo_package': 'sudo',
     'googleauth_package': 'libpam-google-authenticator',
+    'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+    'polkit_defaults': 'unix-group:sudo;'
     },
   }, merge=salt['pillar.get']('users-formula:lookup')),
   base='users',
@@ -90,4 +94,4 @@
 {% if grains.os == 'MacOS' %}
   {% set group = salt['cmd.run']("stat -f '%Sg' /dev/console") %}
   {% do users.update({'root_group': group,}) %}
-{% endif %}
+{% endif %}

users/polkit.sls

@@ -0,0 +1,31 @@
+{% from "users/map.jinja" import users with context %}
+{% set polkitusers = {} %}
+{% set polkitusers = {'value': ''} %}
+
+{% for name, user in pillar.get('users', {}).items() %}
+  {% if user.absent is not defined or not user.absent %}
+    {% if 'polkitadmin' in user and user['polkitadmin'] %}
+      {% do polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
+    {% endif %}
+  {% endif %}
+{% endfor %}
+
+{% if polkitusers.value != '' %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf:
+  file.managed:
+    - replace: True
+    - onlyif: 'test -d {{ users.polkit_dir }}'
+    - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+    - contents: |
+        ########################################################################
+        # File managed by Salt (users-formula).
+        # Your changes will be overwritten.
+        ########################################################################
+        #
+        [Configuration]
+        AdminIdentities={{ users.polkit_defaults }}{{ polkitusers.value }}
+{% else %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
+  file.absent:
+    - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+{% endif %}