arvados-login-sync 2.0.4 → 2.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a68f9e7cdad5787087bc8e8b9658b8d935e0c45e805b4a2e9cd4f7991d12523b
-  data.tar.gz: b179bdfdd8a8d171d0922935418f3ee5418340b1c8f1f9af87080803c301dfa8
+  metadata.gz: 1649de19adca3150f2b8a12cebb2526e091e6a7bcee92950c5f928def0f7251e
+  data.tar.gz: eae88fada46a855bb0e97106416bbe404f2cc45ac3a0e52e726fabb1559a2949
 SHA512:
-  metadata.gz: 9bd46ea7cba87a45e905633b3004a39a79153fd2ca7a0a0b7ada29169d7a78979e142ea6048f4c76ae793fbbf5a20e854ad13b479a39e97d121481faace2dc20
-  data.tar.gz: 316f986a8b493430c7e8de4c172c5bc36e5a8f85961f4b83ee0cd5a2093abe0fd85f45a24d9be444e20d40053b5433a96f6687d348b971d33ccf0fea2a9eb27d
+  metadata.gz: 88ee48dee0be319e3048e33eb7da27d52f4d05105a2318ca732eb0e9bb9831139063caeedcdb45f2fcbb8f3de373e335de041aadf63d44f06ddcfbd917c72112
+  data.tar.gz: 66104002ae2b2fff08c9563f117c3bcec6c2c606544887ada281661f7bbc69e47d7c448d64bc0ba7cb77a082a0f87cb9b86427e72b9ffda9e9fa92c7b83c6535

data/bin/arvados-login-sync

@@ -9,6 +9,7 @@ require 'arvados'
 require 'etc'
 require 'fileutils'
 require 'yaml'
+require 'optparse'
 
 req_envs = %w(ARVADOS_API_HOST ARVADOS_API_TOKEN ARVADOS_VIRTUAL_MACHINE_UUID)
 req_envs.each do |k|
@@ -17,26 +18,33 @@ req_envs.each do |k|
   end
 end
 
-exclusive_mode = ARGV.index("--exclusive")
+options = {}
+OptionParser.new do |parser|
+  parser.on('--exclusive', 'Manage SSH keys file exclusively.')
+  parser.on('--rotate-tokens', 'Always create new user tokens. Usually needed with --token-lifetime.')
+  parser.on('--skip-missing-users', "Don't try to create any local accounts.")
+  parser.on('--token-lifetime SECONDS', 'Create user tokens that expire after SECONDS.', Integer)
+end.parse!(into: options)
+
 exclusive_banner = "#######################################################################################
 #  THIS FILE IS MANAGED BY #{$0} -- CHANGES WILL BE OVERWRITTEN  #
 #######################################################################################\n\n"
 start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n"
 end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n"
 
-# Don't try to create any local accounts
-skip_missing_users = ARGV.index("--skip-missing-users")
-
 keys = ''
 
 begin
   arv = Arvados.new({ :suppress_ssl_warnings => false })
+  logincluster_arv = Arvados.new({ :api_host => (ENV['LOGINCLUSTER_ARVADOS_API_HOST'] || ENV['ARVADOS_API_HOST']),
+                                   :api_token => (ENV['LOGINCLUSTER_ARVADOS_API_TOKEN'] || ENV['ARVADOS_API_TOKEN']),
+                      :suppress_ssl_warnings => false })
 
   vm_uuid = ENV['ARVADOS_VIRTUAL_MACHINE_UUID']
 
   logins = arv.virtual_machine.logins(:uuid => vm_uuid)[:items]
   logins = [] if logins.nil?
-  logins = logins.reject { |l| l[:username].nil? or l[:hostname].nil? or l[:public_key].nil? or l[:virtual_machine_uuid] != vm_uuid }
+  logins = logins.reject { |l| l[:username].nil? or l[:hostname].nil? or l[:virtual_machine_uuid] != vm_uuid }
 
   # No system users
   uid_min = 1000
@@ -61,7 +69,7 @@ begin
       begin
         pwnam[l[:username]] = Etc.getpwnam(l[:username])
       rescue
-        if skip_missing_users
+        if options[:"skip-missing-users"]
           STDERR.puts "Account #{l[:username]} not found. Skipping"
           true
         end
@@ -79,48 +87,77 @@ begin
   logins.each do |l|
     keys[l[:username]] = Array.new() if not keys.has_key?(l[:username])
     key = l[:public_key]
-    # Handle putty-style ssh public keys
-    key.sub!(/^(Comment: "r[^\n]*\n)(.*)$/m,'ssh-rsa \2 \1')
-    key.sub!(/^(Comment: "d[^\n]*\n)(.*)$/m,'ssh-dss \2 \1')
-    key.gsub!(/\n/,'')
-    key.strip
-
-    keys[l[:username]].push(key) if not keys[l[:username]].include?(key)
+    if !key.nil?
+      # Handle putty-style ssh public keys
+      key.sub!(/^(Comment: "r[^\n]*\n)(.*)$/m,'ssh-rsa \2 \1')
+      key.sub!(/^(Comment: "d[^\n]*\n)(.*)$/m,'ssh-dss \2 \1')
+      key.gsub!(/\n/,'')
+      key.strip
+
+      keys[l[:username]].push(key) if not keys[l[:username]].include?(key)
+    end
   end
 
   seen = Hash.new()
-  devnull = open("/dev/null", "w")
+
+  current_user_groups = Hash.new
+  while (ent = Etc.getgrent()) do
+    ent.mem.each do |member|
+      current_user_groups[member] ||= Array.new
+      current_user_groups[member].push ent.name
+    end
+  end
+  Etc.endgrent()
 
   logins.each do |l|
     next if seen[l[:username]]
     seen[l[:username]] = true
 
+    username = l[:username]
+
     unless pwnam[l[:username]]
       STDERR.puts "Creating account #{l[:username]}"
-      groups = l[:groups] || []
-      # Adding users to the FUSE group has long been hardcoded behavior.
-      groups << "fuse"
-      groups.select! { |g| Etc.getgrnam(g) rescue false }
       # Create new user
       unless system("useradd", "-m",
-                "-c", l[:username],
+                "-c", username,
                 "-s", "/bin/bash",
-                "-G", groups.join(","),
-                l[:username],
-                out: devnull)
+                username)
         STDERR.puts "Account creation failed for #{l[:username]}: #{$?}"
         next
       end
       begin
-        pwnam[l[:username]] = Etc.getpwnam(l[:username])
+        pwnam[username] = Etc.getpwnam(username)
       rescue => e
         STDERR.puts "Created account but then getpwnam() failed for #{l[:username]}: #{e}"
         raise
       end
     end
 
-    @homedir = pwnam[l[:username]].dir
-    userdotssh = File.join(@homedir, ".ssh")
+    existing_groups = current_user_groups[username] || []
+    groups = l[:groups] || []
+    # Adding users to the FUSE group has long been hardcoded behavior.
+    groups << "fuse"
+    groups << username
+    groups.select! { |g| Etc.getgrnam(g) rescue false }
+
+    groups.each do |addgroup|
+      if existing_groups.index(addgroup).nil?
+        # User should be in group, but isn't, so add them.
+        STDERR.puts "Add user #{username} to #{addgroup} group"
+        system("adduser", username, addgroup)
+      end
+    end
+
+    existing_groups.each do |removegroup|
+      if groups.index(removegroup).nil?
+        # User is in a group, but shouldn't be, so remove them.
+        STDERR.puts "Remove user #{username} from #{removegroup} group"
+        system("deluser", username, removegroup)
+      end
+    end
+
+    homedir = pwnam[l[:username]].dir
+    userdotssh = File.join(homedir, ".ssh")
     Dir.mkdir(userdotssh) if !File.exist?(userdotssh)
 
     newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
@@ -133,7 +170,7 @@ begin
       oldkeys = ""
     end
 
-    if exclusive_mode
+    if options[:exclusive]
       newkeys = exclusive_banner + newkeys
     elsif oldkeys.start_with?(exclusive_banner)
       newkeys = start_banner + newkeys + end_banner
@@ -148,13 +185,45 @@ begin
       f.write(newkeys)
       f.close()
     end
+
+    userdotconfig = File.join(homedir, ".config")
+    if !File.exist?(userdotconfig)
+      Dir.mkdir(userdotconfig)
+    end
+
+    configarvados = File.join(userdotconfig, "arvados")
+    Dir.mkdir(configarvados) if !File.exist?(configarvados)
+
+    tokenfile = File.join(configarvados, "settings.conf")
+
+    begin
+      if !File.exist?(tokenfile) || options[:"rotate-tokens"]
+        aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0}
+        if options[:"token-lifetime"] && options[:"token-lifetime"] > 0
+          aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))
+        end
+        user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params)
+        f = File.new(tokenfile, 'w')
+        f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
+        f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
+        f.close()
+      end
+    rescue => e
+      STDERR.puts "Error setting token for #{l[:username]}: #{e}"
+    end
+
     FileUtils.chown_R(l[:username], nil, userdotssh)
+    FileUtils.chown_R(l[:username], nil, userdotconfig)
     File.chmod(0700, userdotssh)
-    File.chmod(0750, @homedir)
+    File.chmod(0700, userdotconfig)
+    File.chmod(0700, configarvados)
+    File.chmod(0750, homedir)
     File.chmod(0600, keysfile)
+    if File.exist?(tokenfile)
+      File.chmod(0600, tokenfile)
+    end
   end
 
-  devnull.close
 rescue Exception => bang
   puts "Error: " + bang.to_s
   puts bang.backtrace.join("\n")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: arvados-login-sync
 version: !ruby/object:Gem::Version
-  version: 2.0.4
+  version: 2.1.4
 platform: ruby
 authors:
 - Arvados Authors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-13 00:00:00.000000000 Z
+date: 2021-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: arvados
@@ -16,20 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.0
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 1.3.3.20190320201707
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.0
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 1.3.3.20190320201707
 - !ruby/object:Gem::Dependency
   name: launchy
   requirement: !ruby/object:Gem::Requirement
@@ -73,8 +67,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.12'
 description: Creates and updates local login accounts for Arvados users. Built from
-  git commit 5f300020c51e8073a9cb6e45ee49991386244510
-email: gem-dev@curoverse.com
+  git commit 24b0875964b3eff98c12d1c135d8797efcfabfb2
+email: packaging@arvados.org
 executables:
 - arvados-login-sync
 extensions: []