RubyGems - arvados-login-sync - Versions diffs - 2.6.3 → 2.7.1 - Mend

arvados-login-sync 2.6.3 → 2.7.1

Files changed (3) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 051af26b13fc808c8fc6da81ec2d42948c38c660e072c04b4a4945c462bc7e1f
-  data.tar.gz: 8169f9968940af3d08186738592b88ea19fb67ed3b630c127c6ea91798878e56
+  metadata.gz: c9b0950157ae5cff15171e2c96d7fd5bbdf4684a7fd2bac988a5f772abffb42e
+  data.tar.gz: 89dde3501d31d77bd5c5400abbc159b4f0d7bf0101239292b156cb0b9b7269d5
 SHA512:
-  metadata.gz: 39951b7f294e5e4a926ac0286f23487804b47c8e1665eda866f0a04163d04e148eded1de600ad1c1af5528f221d1e7f601604fe2a173501b17ac2badf3919a74
-  data.tar.gz: dc8fabfa2b5ba4134171eefc8c2c35cce94267911f2ce2015ded656eea9742a0a58fa3c735ae232834677f0c843559767dddb0a1d2d61e40852471edf5a94def
+  metadata.gz: 9e93ed77b495997e94bb662d8de19e19bd27867a882180598ae0d863cd0d2a13f1dbae8f9696f7a25a30db69509982948fc55ca21dac91ea006e1a8f36ebc78f
+  data.tar.gz: 193c3497f9cbab45f1170d3ea86ad832bacfb400fe965c375002d937972e66492eaaf896e76faeb6cee11068f9daf1e16300d93ce96af2ead21ceae6b020e9f8

data/bin/arvados-login-sync CHANGED Viewed

@@ -12,6 +12,18 @@ require 'yaml'
 require 'optparse'
 require 'open3'
+def ensure_dir(path, mode, owner, group)
+  begin
+    Dir.mkdir(path, mode)
+  rescue Errno::EEXIST
+    # No change needed
+    false
+  else
+    FileUtils.chown(owner, group, path)
+    true
+  end
+end
 req_envs = %w(ARVADOS_API_HOST ARVADOS_API_TOKEN ARVADOS_VIRTUAL_MACHINE_UUID)
 req_envs.each do |k|
   unless ENV[k]
@@ -34,6 +46,15 @@ exclusive_banner = "############################################################
 start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n"
 end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n"
+actions = {
+  # These names correspond to the names in the cluster Users configuration.
+  # Managing everything was the original behavior.
+  SyncUserAccounts: true,
+  SyncUserGroups: true,
+  SyncUserSSHKeys: true,
+  SyncUserAPITokens: true,
+}
 keys = ''
 begin
@@ -45,6 +66,17 @@ begin
   logincluster_host = ENV['ARVADOS_API_HOST']
   logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''
+  # Requiring the fuse group was previous hardcoded behavior
+  minimum_groups = arv.cluster_config['Users']['SyncRequiredGroups'] || ['fuse']
+  ignored_groups = arv.cluster_config['Users']['SyncIgnoredGroups'] || []
+  (minimum_groups & ignored_groups).each do |group_name|
+    STDERR.puts "WARNING: #{group_name} is listed in both SyncRequiredGroups and SyncIgnoredGroups. It will be ignored."
+  end
+  actions.each_pair do |key, default|
+    actions[key] = arv.cluster_config['Users'].fetch(key.to_s, default)
+  end
   if logincluster_name != '' and logincluster_name != arv.cluster_config['ClusterID']
     logincluster_host = arv.cluster_config['RemoteClusters'][logincluster_name]['Host']
   end
@@ -112,11 +144,12 @@ begin
   seen = Hash.new()
-  current_user_groups = Hash.new
+  all_groups = []
+  current_user_groups = Hash.new { |hash, key| hash[key] = [] }
   while (ent = Etc.getgrent()) do
+    all_groups << ent.name
     ent.mem.each do |member|
-      current_user_groups[member] ||= Array.new
-      current_user_groups[member].push ent.name
+      current_user_groups[member] << ent.name
     end
   end
   Etc.endgrent()
@@ -128,6 +161,10 @@ begin
     username = l[:username]
     unless pwnam[l[:username]]
+      unless actions[:SyncUserAccounts]
+        STDERR.puts "User #{username} does not exist and SyncUserAccounts=false. Skipping."
+        next
+      end
       STDERR.puts "Creating account #{l[:username]}"
       # Create new user
       out, st = Open3.capture2e("useradd", "-m",
@@ -146,15 +183,21 @@ begin
       end
     end
-    existing_groups = current_user_groups[username] || []
-    groups = l[:groups] || []
-    # Adding users to the FUSE group has long been hardcoded behavior.
-    groups << "fuse"
-    groups << username
-    groups.select! { |g| Etc.getgrnam(g) rescue false }
+    user_gid = pwnam[username].gid
+    homedir = pwnam[l[:username]].dir
+    if !File.exist?(homedir)
+      STDERR.puts "Cannot set up user #{username} because their home directory #{homedir} does not exist. Skipping."
+      next
+    end
+    if actions[:SyncUserGroups]
+      have_groups = current_user_groups[username] - ignored_groups
+      want_groups = l[:groups] || []
+      want_groups |= minimum_groups
+      want_groups -= ignored_groups
+      want_groups &= all_groups
-    groups.each do |addgroup|
-      if existing_groups.index(addgroup).nil?
+      (want_groups - have_groups).each do |addgroup|
         # User should be in group, but isn't, so add them.
         STDERR.puts "Add user #{username} to #{addgroup} group"
         out, st = Open3.capture2e("usermod", "-aG", addgroup, username)
@@ -162,10 +205,8 @@ begin
           STDERR.puts "Failed to add #{username} to #{addgroup} group:\n#{out}"
         end
       end
-    end
-    existing_groups.each do |removegroup|
-      if groups.index(removegroup).nil?
+      (have_groups - want_groups).each do |removegroup|
         # User is in a group, but shouldn't be, so remove them.
         STDERR.puts "Remove user #{username} from #{removegroup} group"
         out, st = Open3.capture2e("gpasswd", "-d", username, removegroup)
@@ -175,96 +216,86 @@ begin
       end
     end
-    homedir = pwnam[l[:username]].dir
-    userdotssh = File.join(homedir, ".ssh")
-    Dir.mkdir(userdotssh) if !File.exist?(userdotssh)
+    if actions[:SyncUserSSHKeys]
+      userdotssh = File.join(homedir, ".ssh")
+      ensure_dir(userdotssh, 0700, username, user_gid)
-    newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
+      newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
-    keysfile = File.join(userdotssh, "authorized_keys")
+      keysfile = File.join(userdotssh, "authorized_keys")
+      begin
+        oldkeys = File.read(keysfile)
+      rescue Errno::ENOENT
+        oldkeys = ""
+      end
-    if File.exist?(keysfile)
-      oldkeys = IO::read(keysfile)
-    else
-      oldkeys = ""
-    end
+      if options[:exclusive]
+        newkeys = exclusive_banner + newkeys
+      elsif oldkeys.start_with?(exclusive_banner)
+        newkeys = start_banner + newkeys + end_banner
+      elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
+        newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
+      else
+        newkeys = start_banner + newkeys + end_banner + oldkeys
+      end
-    if options[:exclusive]
-      newkeys = exclusive_banner + newkeys
-    elsif oldkeys.start_with?(exclusive_banner)
-      newkeys = start_banner + newkeys + end_banner
-    elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
-      newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
-    else
-      newkeys = start_banner + newkeys + end_banner + oldkeys
+      if oldkeys != newkeys then
+        File.open(keysfile, 'w', 0600) do |f|
+          f.write(newkeys)
+        end
+        FileUtils.chown(username, user_gid, keysfile)
+      end
     end
-    if oldkeys != newkeys then
-      f = File.new(keysfile, 'w')
-      f.write(newkeys)
-      f.close()
-    end
+    if actions[:SyncUserAPITokens]
+      userdotconfig = File.join(homedir, ".config")
+      ensure_dir(userdotconfig, 0755, username, user_gid)
+      configarvados = File.join(userdotconfig, "arvados")
+      ensure_dir(configarvados, 0700, username, user_gid)
-    userdotconfig = File.join(homedir, ".config")
-    if !File.exist?(userdotconfig)
-      Dir.mkdir(userdotconfig)
-    end
+      tokenfile = File.join(configarvados, "settings.conf")
-    configarvados = File.join(userdotconfig, "arvados")
-    Dir.mkdir(configarvados) if !File.exist?(configarvados)
-    tokenfile = File.join(configarvados, "settings.conf")
-    begin
-      STDERR.puts "Processing #{tokenfile} ..." if debug
-      newToken = false
-      if File.exist?(tokenfile)
-        # check if the token is still valid
-        myToken = ENV["ARVADOS_API_TOKEN"]
-        userEnv = IO::read(tokenfile)
-        if (m = /^ARVADOS_API_TOKEN=(.*?\n)/m.match(userEnv))
-          begin
-            tmp_arv = Arvados.new({ :api_host => logincluster_host,
-                                    :api_token => (m[1]),
-                                    :suppress_ssl_warnings => false })
-            tmp_arv.user.current
-          rescue Arvados::TransactionFailedError => e
-            if e.to_s =~ /401 Unauthorized/
-              STDERR.puts "Account #{l[:username]} token not valid, creating new token."
-              newToken = true
-            else
-              raise
+      begin
+        STDERR.puts "Processing #{tokenfile} ..." if debug
+        newToken = false
+        if File.exist?(tokenfile)
+          # check if the token is still valid
+          myToken = ENV["ARVADOS_API_TOKEN"]
+          userEnv = File.read(tokenfile)
+          if (m = /^ARVADOS_API_TOKEN=(.*?\n)/m.match(userEnv))
+            begin
+              tmp_arv = Arvados.new({ :api_host => logincluster_host,
+                                      :api_token => (m[1]),
+                                      :suppress_ssl_warnings => false })
+              tmp_arv.user.current
+            rescue Arvados::TransactionFailedError => e
+              if e.to_s =~ /401 Unauthorized/
+                STDERR.puts "Account #{l[:username]} token not valid, creating new token."
+                newToken = true
+              else
+                raise
+              end
             end
           end
+        elsif !File.exist?(tokenfile) || options[:"rotate-tokens"]
+          STDERR.puts "Account #{l[:username]} token file not found, creating new token."
+          newToken = true
         end
-      elsif !File.exist?(tokenfile) || options[:"rotate-tokens"]
-        STDERR.puts "Account #{l[:username]} token file not found, creating new token."
-        newToken = true
-      end
-      if newToken
-        aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0}
-        if options[:"token-lifetime"] && options[:"token-lifetime"] > 0
-          aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))
+        if newToken
+          aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0}
+          if options[:"token-lifetime"] && options[:"token-lifetime"] > 0
+            aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))
+          end
+          user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params)
+          File.open(tokenfile, 'w', 0600) do |f|
+            f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
+            f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
+          end
+          FileUtils.chown(username, user_gid, tokenfile)
         end
-        user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params)
-        f = File.new(tokenfile, 'w')
-        f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
-        f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
-        f.close()
+      rescue => e
+        STDERR.puts "Error setting token for #{l[:username]}: #{e}"
       end
-    rescue => e
-      STDERR.puts "Error setting token for #{l[:username]}: #{e}"
-    end
-    FileUtils.chown_R(l[:username], nil, userdotssh)
-    FileUtils.chown_R(l[:username], nil, userdotconfig)
-    File.chmod(0700, userdotssh)
-    File.chmod(0700, userdotconfig)
-    File.chmod(0700, configarvados)
-    File.chmod(0750, homedir)
-    File.chmod(0600, keysfile)
-    if File.exist?(tokenfile)
-      File.chmod(0600, tokenfile)
     end
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: arvados-login-sync
 version: !ruby/object:Gem::Version
-  version: 2.6.3
+  version: 2.7.1
 platform: ruby
 authors:
 - Arvados Authors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-13 00:00:00.000000000 Z
+date: 2023-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: arvados
@@ -79,7 +79,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.12'
 description: Creates and updates local login accounts for Arvados users. Built from
-  git commit 83974ae9df4060f7aaa6bba61997404a2a7405b2
+  git commit b5dad64d1faa5063482db0d33d22805912abdda6
 email: packaging@arvados.org
 executables:
 - arvados-login-sync