Add check if user shell exists, and verify the shell is allowed on AIX

Signed-off-by: Scott Hain <[email protected]>

libraries/helpers.rb

@@ -30,6 +30,39 @@ def keys_from_url(url)
  end
  end
 
+ # Determines if the user's shell is valid on the machine, otherwise
+ # returns the default of /bin/sh
+ #
+ # @return [String]
+ def valid_shell(shell)
+ shell_exists = File.exist?(shell)
+ # A check to see if the shell exists on the system
+ if !shell_exists
+ log "Shell #{shell} not found - defaulting to /bin/sh"
+ return '/bin/sh'
+ else
+ # Disabling some rules because it really doesn't help the readablility
+ # of this section
+ # rubocop:disable Style/GuardClause
+ # rubocop:disable Style/IfInsideElse
+ if platform_family?('aix')
+ # On AIX a shell may exist but not be one of the 'approved' shells.
+ # There is no cli based tool to determine this, so we go directly to the
+ # source and use this nasty regex to extract all possible 'allowed' shells
+ # and verify based on equality. (if it doesn't exist it will return nil
+ # and drop through)
+ shell_avail = Mixlib::ShellOut.new("cat /etc/security/login.cfg | grep #{shell}").run_command
+ if (shell_avail.stdout.scan %r{([\/\w-]*)}).uniq.flatten.any? { |entry| entry.eql? shell }
+ return shell
+ else
+ return '/bin/sh'
+ end
+ else
+ return shell
+ end
+ end
+ end
+
  # Validates passed id.
  #
  # @return [Numeric, String]

resources/manage.rb

@@ -70,7 +70,7 @@
  user u['username'] do
  uid validate_id(u['uid'])
  gid validate_id(u['gid']) if u['gid']
- shell u['shell']
+ shell valid_shell(u['shell'])
  comment u['comment']
  password u['password'] if u['password']
  salt u['salt'] if u['salt']