From 90cc6c203928332a15b1bf55790490b63c6798bc Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Fri, 13 Jan 2017 21:50:36 +0100
Subject: [PATCH 1/5] add policy kit admin identity configuration for non root users under Debian and Ubuntu
---
 users/init.sls | 27 +++++++++++++++++++++++++++
 users/map.jinja | 2 ++
 2 files changed, 29 insertions(+)
diff --git a/users/init.sls b/users/init.sls
index 969c3d0..03d2fe1 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -415,6 +415,27 @@ users_{{ users.sudoers_dir }}/{{ name }}:
 - name: {{ users.sudoers_dir }}/{{ name }}
 {% endif %}
 
+# Policykit AdminIdentities Logik
+{%- if 'polkitadmin' in user and user['polkitadmin'] %}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.managed:
+ - replace: True
+ - onlyif: 'test -d {{ users.polkit_dir }}'
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
+ - contents: |
+ ########################################################################
+ # File managed by Salt (users-formula).
+ # Your changes will be overwritten.
+ ########################################################################
+ #
+ [Configuration]
+ AdminIdentities=unix-user:{{ name }}
+{%- else %}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
+{%- endif %}
+
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
 users_googleauth-{{ svc }}-{{ name }}:
@@ -484,6 +505,9 @@ users_absent_user_{{ name }}:
 users_{{ users.sudoers_dir }}/{{ name }}:
 file.absent:
 - name: {{ users.sudoers_dir }}/{{ name }}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
 {% endfor %}
 
 {% for user in pillar.get('absent_users', []) %}
@@ -493,6 +517,9 @@ users_absent_user_2_{{ user }}:
 users_2_{{ users.sudoers_dir }}/{{ user }}:
 file.absent:
 - name: {{ users.sudoers_dir }}/{{ user }}
+users_2_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
 {% endfor %}
 
 {% for group in pillar.get('absent_groups', []) %}
diff --git a/users/map.jinja b/users/map.jinja
index f81acc4..acadf33 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -10,6 +10,7 @@
 'bash_package': 'bash',
 'sudo_package': 'sudo',
 'googleauth_package': 'libpam-google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
 },
 'Gentoo': {
 'sudoers_dir': '/etc/sudoers.d',
@@ -43,5 +44,6 @@
 'bash_package': 'bash',
 'sudo_package': 'sudo',
 'googleauth_package': 'libpam-google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
 },
 }, merge=salt['pillar.get']('users:lookup')) %}
From 1f509a9a7fbe74a6187921886385ac60cbc7d97f Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Fri, 13 Jan 2017 21:55:15 +0100
Subject: [PATCH 2/5] update pillar.example
---
 pillar.example | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pillar.example b/pillar.example
index 256303a..c45d5ac 100644
--- a/pillar.example
+++ b/pillar.example
@@ -38,6 +38,8 @@ users:
 - ALL=(otheruser) /usr/bin/script.sh
 sudo_defaults:
 - '!requiretty'
+ # enable polkitadmin to make user an AdminIdentity for polkit
+ polkitadmin: True
 shell: /bin/bash
 remove_groups: False
 prime_group:
From e2360c89f41576bde1f71aff6ff2d4e980ba7a6f Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Sun, 22 Jan 2017 12:43:38 +0100
Subject: [PATCH 3/5] fix polkit settings to write all users in one file
---
 users/init.sls | 28 +---------------------------
 users/polkit.sls | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 27 deletions(-)
 create mode 100644 users/polkit.sls
diff --git a/users/init.sls b/users/init.sls
index 03d2fe1..a61ada8 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -22,6 +22,7 @@ {%- if used_sudo or used_googleauth or used_user_files %} include: + - users.polkit {%- if used_sudo %} - users.sudo {%- endif %}
@@ -415,27 +416,6 @@ users_{{ users.sudoers_dir }}/{{ name }}:
 - name: {{ users.sudoers_dir }}/{{ name }}
 {% endif %}
 
-# Policykit AdminIdentities Logik
-{%- if 'polkitadmin' in user and user['polkitadmin'] %}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.managed:
- - replace: True
- - onlyif: 'test -d {{ users.polkit_dir }}'
- - name: {{ users.polkit_dir }}/{{ name }}.conf
- - contents: |
- ########################################################################
- # File managed by Salt (users-formula).
- # Your changes will be overwritten.
- ########################################################################
- #
- [Configuration]
- AdminIdentities=unix-user:{{ name }}
-{%- else %}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
-{%- endif %}
-
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
 users_googleauth-{{ svc }}-{{ name }}:
@@ -505,9 +485,6 @@ users_absent_user_{{ name }}:
 users_{{ users.sudoers_dir }}/{{ name }}:
 file.absent:
 - name: {{ users.sudoers_dir }}/{{ name }}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
 {% endfor %}
 
 {% for user in pillar.get('absent_users', []) %}
@@ -517,9 +494,6 @@ users_absent_user_2_{{ user }}:
 users_2_{{ users.sudoers_dir }}/{{ user }}:
 file.absent:
 - name: {{ users.sudoers_dir }}/{{ user }}
-users_2_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
 {% endfor %}
 
 {% for group in pillar.get('absent_groups', []) %}
diff --git a/users/polkit.sls b/users/polkit.sls
new file mode 100644
index 0000000..7024c33
--- /dev/null
+++ b/users/polkit.sls
@@ -0,0 +1,32 @@
+{% from "users/map.jinja" import users with context %}
+{% set polkitusers = {} %}
+{% set polkitusers = {'value': ''} %}
+
+{% for name, user in pillar.get('users', {}).items() %}
+ {% if user.absent is not defined or not user.absent %}
+ {% if 'polkitadmin' in user and user['polkitadmin'] %}
+ {% if polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
+ {% endif %}
+ {% endif %}
+ {% endif %}
+{% endfor %}
+
+{% if polkitusers.value != '' %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf:
+ file.managed:
+ - replace: True
+ - onlyif: 'test -d {{ users.polkit_dir }}'
+ - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+ - contents: |
+ ########################################################################
+ # File managed by Salt (users-formula).
+ # Your changes will be overwritten.
+ ########################################################################
+ #
+ [Configuration]
+ AdminIdentities={{ polkitusers.value }}
+{% else %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
+ file.absent:
+ - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+{% endif %}
From 18690da4a3fe2fe7dc5f1a5556fe19633427c17b Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Sun, 22 Jan 2017 13:43:49 +0100
Subject: [PATCH 4/5] fix placement of polkit include
---
 users/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users/init.sls b/users/init.sls
index a61ada8..547a460 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -22,7 +22,6 @@ {%- if used_sudo or used_googleauth or used_user_files %} include: - - users.polkit {%- if used_sudo %} - users.sudo {%- endif %}
@@ -33,6 +32,7 @@ include: - users.user_files {%- endif %} {%- endif %} + - users.polkit {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
From 1463f65e6bce6dddd611cb9b74b641bcdc6acb59 Mon Sep 17 00:00:00 2001
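Review bot: `users.polkit_dir` is only added to the two Debian/Ubuntu entries of users/map.jinja in patch 1, yet `{{ users.polkit_dir }}` is used unconditionally here in the state IDs, the `onlyif` and the `file.absent` branch, and patch 4 includes this file for every minion; on any other OS family the value either renders empty, so the absent branch targets `- name: /99salt-users-formula.conf` at the filesystem root, or the render aborts with an undefined-attribute error, depending on Salt's Jinja undefined handling. Wrapping the whole state in `{% if users.polkit_dir is defined %}` (or defining `polkit_dir` for every map entry) avoids both outcomes, and the same applies to `polkit_defaults` introduced in patch 5. Separately, `{% set polkitusers = {} %}` on the second line is dead, since the next line rebinds the name.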
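Review bot: After this move `  - users.polkit` is emitted unconditionally, but the `include:` key it belongs to is still inside the `{%- if used_sudo or used_googleauth or used_user_files %}` block edited in the hunk above, so a pillar that uses none of sudo, google_auth or user files renders a bare top-level list item with no `include:` key and the whole users state fails to compile. Since users.polkit is now always included, emit `include:` and `  - users.polkit` unconditionally before the `{%- if used_sudo %}` item and drop the outer if/endif pair. The lines that set those three variables are outside the hunk, so confirm nothing else relies on the outer condition.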
From: Maximilian Zettler
Date: Mon, 23 Jan 2017 10:36:49 +0100
Subject: [PATCH 5/5] add polkir AdminIdentities default system configs
---
 users/map.jinja | 2 ++
 users/polkit.sls | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/users/map.jinja b/users/map.jinja
index acadf33..1237066 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -11,6 +11,7 @@
 'sudo_package': 'sudo',
 'googleauth_package': 'libpam-google-authenticator',
 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
 },
 'Gentoo': {
 'sudoers_dir': '/etc/sudoers.d',
@@ -45,5 +46,6 @@
 'sudo_package': 'sudo',
 'googleauth_package': 'libpam-google-authenticator',
 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
 },
 }, merge=salt['pillar.get']('users:lookup')) %}
diff --git a/users/polkit.sls b/users/polkit.sls
index 7024c33..df959bc 100644
--- a/users/polkit.sls
+++ b/users/polkit.sls
@@ -24,7 +24,7 @@ users_{{ users.polkit_dir }}/99salt-users-formula.conf:
 ########################################################################
 #
 [Configuration]
- AdminIdentities={{ polkitusers.value }}
+ AdminIdentities={{ users.polkit_defaults }}{{ polkitusers.value }}
 {% else %}
 users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
 file.absent:
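Review bot: `polkit_defaults` hard-codes `unix-group:sudo;` for both entries, and because 99salt-users-formula.conf presumably replaces rather than extends the distribution's AdminIdentities (which is why a default is prepended at all), this value decides who may authenticate as a polkit administrator as soon as any user sets `polkitadmin`; to my recollection Debian's shipped default names only root while Ubuntu's also lists unix-group:admin, so the single value widens the set on one and narrows it on the other. A per-entry value mirroring what each distribution ships, or a comment on these lines such as `# replaces the distribution AdminIdentities once any user sets polkitadmin`, would make that effect visible in the map. The new entries also omit the trailing comma the neighbouring keys carry.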
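Review bot: The new `AdminIdentities=` line joins `users.polkit_defaults` and `polkitusers.value` with no separator, so it is only well-formed because the map value happens to end in `;`; a `users:lookup:polkit_defaults` override such as `unix-group:wheel` produces `unix-group:wheelunix-user:alice;`, which polkit is unlikely to parse as two identities, leaving the listed users without admin rights. Normalizing the join, e.g. `AdminIdentities={{ users.polkit_defaults.rstrip(';') }};{{ polkitusers.value }}` inside an `{% if users.polkit_defaults %}` guard for the empty case, removes the dependence on the trailing semicolon. The `{% if polkitusers.value != '' %}` branch that decides whether this file is written at all starts outside the hunk.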