Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package google-guest-oslogin for
openSUSE:Factory checked in at 2022-08-03 21:16:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/google-guest-oslogin (Old)
and /work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "google-guest-oslogin"
Wed Aug 3 21:16:59 2022 rev:16 rq:992567 version:20220721.00
Changes:
--------
---
/work/SRC/openSUSE:Factory/google-guest-oslogin/google-guest-oslogin.changes
2022-05-05 23:07:08.321613122 +0200
+++
/work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1533/google-guest-oslogin.changes
2022-08-03 21:17:17.067534418 +0200
@@ -1,0 +2,10 @@
+Wed Aug 3 10:25:32 UTC 2022 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update to version 20220721.00 (bsc#1202100, bsc#1202101)
+ * prune outdated info from readme (#86)
+- from version 20220714.00
+ * strip json-c version symbol (#84)
+- from version 20220622.00
+ * pam login: split conditions for logging (#83)
+
+-------------------------------------------------------------------
Old:
----
google-guest-oslogin-20220324.00.tar.gz
New:
----
google-guest-oslogin-20220721.00.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ google-guest-oslogin.spec ++++++
--- /var/tmp/diff_new_pack.2jBHgD/_old 2022-08-03 21:17:17.583535773 +0200
+++ /var/tmp/diff_new_pack.2jBHgD/_new 2022-08-03 21:17:17.591535794 +0200
@@ -19,7 +19,7 @@
%{!?_pam_moduledir: %define _pam_moduledir %{_pamdir}}
Name: google-guest-oslogin
-Version: 20220324.00
+Version: 20220721.00
Release: 0
Summary: Google Cloud Guest OS Login
License: Apache-2.0
++++++ google-guest-oslogin-20220324.00.tar.gz ->
google-guest-oslogin-20220721.00.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20220324.00/README.md
new/guest-oslogin-20220721.00/README.md
--- old/guest-oslogin-20220324.00/README.md 2022-01-13 23:21:03.000000000
+0100
+++ new/guest-oslogin-20220721.00/README.md 2022-07-22 01:39:47.000000000
+0200
@@ -11,11 +11,8 @@
* [NSS Modules](#nss-modules)
* [PAM Modules](#pam-modules)
* [Utilities](#Utilities)
- * [Control Script](#control-script)
* [SELinux Policy](#selinux-policy)
* [Source Packages](#source-packages)
- * [DEB](#deb)
- * [RPM](#rpm)
## Overview
@@ -136,21 +133,6 @@
## Utilities
-#### Control Script
-
-The `google_oslogin_control` shell script activates or deactivates the OS Login
-features. It is invoked by the google accounts daemon. The control file
performs
-the following tasks:
-
-* Adds (or removes) AuthorizedKeysCommand and AuthorizedKeysCommandUser lines
- to (from) `sshd_config` and restarts sshd.
-* Adds (or removes) `oslogin` and `cache_oslogin` to (from) `nsswitch.conf`.
-* Adds (or removes) the `account` entries to (from) the PAM sshd config. Also
- adds (or removes) the `pam_mkhomedir.so` module to automatically create the
- home directory for an OS Login user.
-* Creates (or deletes) the `/var/google-sudoers.d/` directory, and a file
- called `google-oslogin` in `/etc/sudoers.d/` that includes the directory.
-
#### SELinux Policy
The `selinux` directory contains `.te` (type enforcement) and `.fc` (file
@@ -167,54 +149,3 @@
* CentOS/RHEL 7
Files for these packages are in the `packaging/` directory.
-
-#### DEB
-
-_Note: the `packaging/setup_deb.sh` script performs these steps, but is not
-production quality._
-
-1. Install build dependencies:
- ```
- sudo apt-get -y install make g++ libcurl4-openssl-dev libjson-c-dev
libpam-dev
- ```
-1. Install deb creation tools:
- ```
- sudo apt-get -y install debhelper devscripts build-essential
- ```
-1. Create a compressed tar file named
- `google-compute-engine-oslogin_M.M.R.orig.tar.gz` using the files in this
- directory, excluding the `packaging` directory (where M.M.R is the version
- number).
-1. In a separate directory, extract the `.orig.tar.gz` file and copy the
- `debian` directory into the top level.
-1. To build the package, run the command
- ```
- debuild -us -uc
- ```
-
-#### RPM
-
-_Note: the `packaging/setup_rpm.sh` script performs these steps, but is not
-production quality._
-
-1. Install build dependencies:
- ```
- sudo yum -y install make gcc-c++ libcurl-devel json-c json-c-devel
pam-devel policycoreutils-python
- ```
-1. Install rpm creation tools:
- ```
- sudo yum -y install rpmdevtools
- ```
-1. Create a compressed tar file named
- `google-compute-engine-oslogin_M.M.R.orig.tar.gz` using the files in this
- directory, excluding the `packaging` directory (where M.M.R is the version
- number).
-1. In a separate location, create a directory called `rpmbuild` and a
- subdirectory called `SOURCES`. Copy the `.orig.tar.gz` file into the
- `SOURCES` directory.
-1. Copy the `SPECS` directory from the `rpmbuild` directory here into the
- `rpmbuild` directory you created.
-1. To build the package, run the command:
- ```
- rpmbuild --define "_topdir /path/to/rpmbuild" -ba
/path/to/rpmbuild/SPECS/google-compute-engine-oslogin.spec
- ```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20220324.00/find-requires
new/guest-oslogin-20220721.00/find-requires
--- old/guest-oslogin-20220324.00/find-requires 1970-01-01 01:00:00.000000000
+0100
+++ new/guest-oslogin-20220721.00/find-requires 2022-07-22 01:39:47.000000000
+0200
@@ -0,0 +1,16 @@
+#!/usr/bin/perl -w
+use strict;
+use IPC::Open2;
+
+# This quick script will run the native find-requires (first parameter)
+# and then strip out packages we don't want listed.
+
+open2(\*IN, \*OUT, @ARGV);
+print OUT while (<STDIN>);
+close(OUT);
+my $list = join('', <IN>);
+
+# Apply my filter(s):
+$list =~ s/^.*JSONC.*//mg;
+
+print $list;
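Review bot: The pid returned by `open2` is discarded and the child is never reaped, so a failing native find-requires leaves this filter printing a short or empty list with exit status 0, and the package can be built with incomplete Requires. Keep the pid and check the status after reading: `my $pid = open2(\*IN, \*OUT, @ARGV);` and, before `print $list;`, `waitpid($pid, 0); die "find-requires failed: $?\n" if $?;`. Writing all of STDIN before reading `IN` can also block if the child emits more than a pipe buffer of output before it has consumed its input; that is probably harmless for short file lists but deserves a comment. The filter `s/^.*JSONC.*//mg` drops every line containing that substring and leaves blank lines behind, so a comment naming the exact symbol being stripped would make the intent auditable.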
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20220324.00/packaging/google-compute-engine-oslogin.spec
new/guest-oslogin-20220721.00/packaging/google-compute-engine-oslogin.spec
--- old/guest-oslogin-20220324.00/packaging/google-compute-engine-oslogin.spec
2022-01-13 23:21:03.000000000 +0100
+++ new/guest-oslogin-20220721.00/packaging/google-compute-engine-oslogin.spec
2022-07-22 01:39:47.000000000 +0200
@@ -44,11 +44,15 @@
for Google Compute Engine.
%global debug_package %{nil}
+%global _use_internal_dependency_generator 0
+%global __find_requires_orig %{__find_requires}
+%define __find_requires %{_builddir}/%{?buildsubdir}/find-requires
%{__find_requires_orig}
%prep
%setup
%build
+chmod +x find-requires
make %{?_smp_mflags} LDLIBS="-lcurl -ljson-c -lboost_regex"
%install
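Review bot: The three macro lines added at the top of this hunk switch off rpm's internal dependency generator for the whole package without a comment saying why, so a later maintainer cannot tell that the only goal is to hide one json-c symbol requirement. Add a comment above them such as `# Route Requires through ./find-requires to strip the json-c version symbol (#84); every other requirement must pass through unchanged.` If the rpm versions on the supported distributions allow it, `%global __requires_exclude` with a pattern for that one symbol would be narrower than replacing the generator; this needs confirming against the oldest build target. The `chmod +x find-requires` in `%build` would be unnecessary if the script were shipped with the executable bit set.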
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20220324.00/src/pam/pam_oslogin_login.cc
new/guest-oslogin-20220721.00/src/pam/pam_oslogin_login.cc
--- old/guest-oslogin-20220324.00/src/pam/pam_oslogin_login.cc 2022-01-13
23:21:03.000000000 +0100
+++ new/guest-oslogin-20220721.00/src/pam/pam_oslogin_login.cc 2022-07-22
01:39:47.000000000 +0200
@@ -69,8 +69,7 @@
std::string response;
long http_code = 0;
- if (!HttpGet(url.str(), &response, &http_code) || response.empty() ||
- http_code != 200) {
+ if (!HttpGet(url.str(), &response, &http_code) || response.empty() ||
http_code != 200) {
if (http_code == 404) {
// This module is only consulted for OS Login users.
return PAM_IGNORE;
@@ -91,38 +90,39 @@
}
url.str("");
- url << kMetadataServerUrl << "authorize?email=" << UrlEncode(email)
- << "&policy=login";
- if (HttpGet(url.str(), &response, &http_code) && http_code == 200 &&
- ParseJsonToSuccess(response)) {
- if (!file_exists) {
- std::ofstream users_file(users_filename.c_str());
- chown(users_filename.c_str(), 0, 0);
- chmod(users_filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP);
- }
- PAM_SYSLOG(pamh, LOG_INFO,
- "Organization user %s has login permission.",
- user_name);
- return PAM_SUCCESS;
- } else {
+ url << kMetadataServerUrl << "authorize?email=" << UrlEncode(email) <<
"&policy=login";
+ if (!HttpGet(url.str(), &response, &http_code)) {
+ PAM_SYSLOG(pamh, LOG_INFO, "Failed to validate organization user %s has
login permission.", user_name);
+ return PAM_PERM_DENIED;
+ }
+ if (http_code != 200) {
+ PAM_SYSLOG(pamh, LOG_INFO,
+ "Failed to validate organization user %s has login permission, got
HTTP response code %d.",
+ user_name, http_code);
+ return PAM_PERM_DENIED;
+ }
+ if (!ParseJsonToSuccess(response)) {
+ PAM_SYSLOG(pamh, LOG_INFO, "Organization user %s does not have login
permission.", user_name);
if (file_exists) {
remove(users_filename.c_str());
}
- PAM_SYSLOG(pamh, LOG_INFO,
- "Organization user %s does not have login permission.",
- user_name);
-
return PAM_PERM_DENIED;
}
+
+ PAM_SYSLOG(pamh, LOG_INFO, "Organization user %s has login permission.",
user_name);
+ if (!file_exists) {
+ std::ofstream users_file(users_filename.c_str());
+ chown(users_filename.c_str(), 0, 0);
+ chmod(users_filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP);
+ }
+ return PAM_SUCCESS;
}
-PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc,
- const char **argv) {
+PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const
char **argv) {
return PAM_SUCCESS;
}
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
- int argc, const char **argv)
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc,
const char **argv)
{
const char* user_name;
if (pam_get_user(pamh, &user_name, NULL) != PAM_SUCCESS) {
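Review bot: The new non-200 branch logs `http_code` with `%d`, but the earlier hunk at line 69 shows it declared as `long http_code = 0;` (presumably the same variable, since the enclosing function starts outside this hunk); that is a mismatched variadic argument on LP64, so the specifier should be `%ld`. The split also changes behaviour: the old `else` removed `users_filename` on every failure, while the new code removes it only when `ParseJsonToSuccess` fails, so the file now survives a transport error or a non-200 reply. If that is intended so a transient metadata-server failure does not purge the file, a comment saying so would help; if not, the `remove()` belongs in the two new early-return branches as well. The denial paths could also be logged above `LOG_INFO` so they are easier to alert on.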
@@ -153,16 +153,14 @@
response = "";
if (!StartSession(email, &response)) {
- PAM_SYSLOG(pamh, LOG_ERR,
- "Bad response from the two-factor start session request: %s",
+ PAM_SYSLOG(pamh, LOG_ERR, "Bad response from the two-factor start session
request: %s",
response.empty() ? "empty response" : response.c_str());
return PAM_PERM_DENIED;
}
std::string status;
if (!ParseJsonToKey(response, "status", &status)) {
- PAM_SYSLOG(pamh, LOG_ERR,
- "Failed to parse status from start session response");
+ PAM_SYSLOG(pamh, LOG_ERR, "Failed to parse status from start session
response");
return PAM_PERM_DENIED;
}
@@ -177,8 +175,7 @@
std::vector<oslogin_utils::Challenge> challenges;
if (!ParseJsonToChallenges(response, &challenges)) {
- PAM_SYSLOG(pamh, LOG_ERR,
- "Failed to parse challenge values from JSON response");
+ PAM_SYSLOG(pamh, LOG_ERR, "Failed to parse challenge values from JSON
response");
return PAM_PERM_DENIED;
}
@@ -186,8 +183,7 @@
user_prompts[AUTHZEN] = "Google phone prompt";
user_prompts[TOTP] = "Security code from Google Authenticator application";
user_prompts[INTERNAL_TWO_FACTOR] = "Security code from security key";
- user_prompts[IDV_PREREGISTERED_PHONE] =
- "Voice or text message verification code";
+ user_prompts[IDV_PREREGISTERED_PHONE] = "Voice or text message verification
code";
user_prompts[SECURITY_KEY_OTP] = "Security code from a security key";
oslogin_utils::Challenge challenge;
@@ -200,8 +196,7 @@
prompt << "\n\nEnter the number for the authentication method to use: ";
char *choice = NULL;
- if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &choice, "%s",
- prompt.str().c_str()) != PAM_SUCCESS) {
+ if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &choice, "%s",
prompt.str().c_str()) != PAM_SUCCESS) {
pam_error(pamh, "Unable to get user input");
return PAM_PERM_DENIED;
}
@@ -223,8 +218,7 @@
if (challenge.status != "READY") {
// Call continueSession with the START_ALTERNATE flag.
if (!ContinueSession(true, email, "", session_id, challenge, &response)) {
- PAM_SYSLOG(pamh, LOG_ERR,
- "Bad response from two-factor continue session request: %s",
+ PAM_SYSLOG(pamh, LOG_ERR, "Bad response from two-factor continue session
request: %s",
response.empty() ? "empty response" : response.c_str());
return PAM_PERM_DENIED;
}
@@ -232,8 +226,7 @@
char* user_token = NULL;
if (challenge.type == INTERNAL_TWO_FACTOR) {
- if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &user_token,
- "Enter your security code: ") != PAM_SUCCESS) {
+ if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &user_token, "Enter your security
code: ") != PAM_SUCCESS) {
pam_error(pamh, "Unable to get user input");
return PAM_PERM_DENIED;
}
@@ -269,16 +262,13 @@
return PAM_PERM_DENIED;
}
- if (!ContinueSession(false, email, user_token, session_id, challenge,
- &response)) {
- PAM_SYSLOG(pamh, LOG_ERR,
- "Bad response from two-factor continue session request: %s",
+ if (!ContinueSession(false, email, user_token, session_id, challenge,
&response)) {
+ PAM_SYSLOG(pamh, LOG_ERR, "Bad response from two-factor continue session
request: %s",
response.empty() ? "empty response" : response.c_str());
return PAM_PERM_DENIED;
}
- if (!ParseJsonToKey(response, "status", &status)
- || status != "AUTHENTICATED") {
+ if (!ParseJsonToKey(response, "status", &status) || status !=
"AUTHENTICATED") {
if (ParseJsonToKey(response, "rejectionReason", &status) &&
!status.empty()) {
pam_error(pamh, status.c_str());
}
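Review bot: The unchanged context line `pam_error(pamh, status.c_str());` at the end of this hunk passes the `rejectionReason` string parsed from the server response as the format argument of `pam_error`, which is printf-style. Any `%` sequence in that text would be interpreted rather than displayed, so it should be `pam_error(pamh, "%s", status.c_str());`, matching the `"%s"` form the `pam_prompt` call in the hunk at line 196 already uses. The enclosing function starts and ends outside this hunk, and the commit itself only rejoins wrapped lines here.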