Hello community,
here is the log from the commit of package google-guest-oslogin for
openSUSE:Factory checked in at 2023-05-10 16:18:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/google-guest-oslogin (Old)
and /work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "google-guest-oslogin"
Wed May 10 16:18:01 2023 rev:18 rq:1085769 version:20230502.00
Changes:
--------
---
/work/SRC/openSUSE:Factory/google-guest-oslogin/google-guest-oslogin.changes
2023-02-28 14:24:13.191561711 +0100
+++
/work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1533/google-guest-oslogin.changes
2023-05-10 16:18:03.150807190 +0200
@@ -1,0 +2,19 @@
+Tue May 9 08:10:07 UTC 2023 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update to version 20230502.00
+ * Improve the URL in 2fa prompt (#104)
+- from version 20230406.02
+ * Check open files (#101)
+- from version 20230406.01
+ * Initialize variables (#100)
+ * Fix formatting (#102)
+- from version 20230406.00
+ * PAM cleanup: remove duplicates (#97)
+- from version 20230405.00
+ * NSS cleanup (#98)
+- from version 20230403.01
+ * Cleanup Makefiles (#95)
+- from version 20230403.00
+ * Add anandadalton to the owners list (#96)
+
+-------------------------------------------------------------------
Old:
----
google-guest-oslogin-20230217.00.tar.gz
New:
----
google-guest-oslogin-20230502.00.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ google-guest-oslogin.spec ++++++
--- /var/tmp/diff_new_pack.Awa036/_old 2023-05-10 16:18:04.630815946 +0200
+++ /var/tmp/diff_new_pack.Awa036/_new 2023-05-10 16:18:04.634815969 +0200
@@ -19,7 +19,7 @@
%{!?_pam_moduledir: %define _pam_moduledir %{_pamdir}}
Name: google-guest-oslogin
-Version: 20230217.00
+Version: 20230502.00
Release: 0
Summary: Google Cloud Guest OS Login
License: Apache-2.0
++++++ google-guest-oslogin-20230217.00.tar.gz ->
google-guest-oslogin-20230502.00.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20230217.00/Makefile
new/guest-oslogin-20230502.00/Makefile
--- old/guest-oslogin-20230217.00/Makefile 2023-02-17 02:36:35.000000000
+0100
+++ new/guest-oslogin-20230502.00/Makefile 2023-05-02 20:42:44.000000000
+0200
@@ -1,20 +1,42 @@
-all install :
+.PHONY: all clean install
+.PHONY: prowbuild prowtest
+.PHONY: alltests non_network_tests network_tests
+
+.DEFAULT_GOAL := all
+
+all install:
$(MAKE) -C src $@
-alltests non_network_tests network_tests :
+alltests non_network_tests network_tests:
$(MAKE) -C test $@
-clean :
+clean:
$(MAKE) -C src clean
$(MAKE) -C test clean
+ rm -f debian_deps debian_build_deps debian_test_deps
+ rm -f rhel_deps rhel_build_deps
+
+prowbuild: debian_build_deps all
-prowbuild : debian_deps all
+prowtest: debian_deps non_network_tests
+ mv -f test/test_detail.xml ${ARTIFACTS}/junit.xml
-prowtest : debian_deps non_network_tests
- mv test/test_detail.xml ${ARTIFACTS}/junit.xml
+debian_deps: debian_build_deps debian_test_deps
+ touch $@
-debian_deps :
+debian_build_deps:
apt-get -y install g++ libcurl4-openssl-dev libjson-c-dev libpam-dev \
- googletest && touch $@
+ && touch $@
-.PHONY : all clean install prowbuild prowtest alltests non_network_tests
network_tests
+debian_test_deps:
+ apt-get -y install googletest \
+ && touch $@
+
+rhel_deps: rhel_build_deps
+ touch $@
+
+rhel_build_deps:
+ dnf config-manager --set-enabled crb \
+ && dnf install -y policycoreutils gcc-c++ boost-devel libcurl-devel \
+ json-c-devel pam-devel policycoreutils \
+ && touch $@
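Review bot: The `prowtest` recipe expands `${ARTIFACTS}` unquoted and unchecked, so with the variable unset it resolves to `/junit.xml`, and the newly added `-f` makes that overwrite silent. A guard line ahead of the move would fail loudly instead, for example `@test -n "$(ARTIFACTS)" || { echo "ARTIFACTS is not set" >&2; exit 1; }`, followed by `mv -f test/test_detail.xml "$(ARTIFACTS)/junit.xml"`. Separately, `rhel_build_deps` lists `policycoreutils` twice in the `dnf install` line; that is harmless, but one of them can go. A short comment above the `*_deps` targets saying they are stamp files created by `touch $@` (which is why they are not in `.PHONY` and why `clean` removes them) would help the next reader.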
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20230217.00/OWNERS
new/guest-oslogin-20230502.00/OWNERS
--- old/guest-oslogin-20230217.00/OWNERS 2023-02-17 02:36:35.000000000
+0100
+++ new/guest-oslogin-20230502.00/OWNERS 2023-05-02 20:42:44.000000000
+0200
@@ -2,6 +2,7 @@
# See the OWNERS docs at https://go.k8s.io/owners
approvers:
+ - anandadalton
- bkatyl
- chaitanyakulkarni28
- dorileo
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20230217.00/src/Makefile
new/guest-oslogin-20230502.00/src/Makefile
--- old/guest-oslogin-20230217.00/src/Makefile 2023-02-17 02:36:35.000000000
+0100
+++ new/guest-oslogin-20230502.00/src/Makefile 2023-05-02 20:42:44.000000000
+0200
@@ -32,38 +32,39 @@
BINARIES = google_oslogin_nss_cache google_authorized_keys
google_authorized_keys_sk
-all : $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN) $(PAM_LOGIN) $(PAM_ADMIN) $(BINARIES)
+.PHONY: all clean install
+.DEFAULT_GOAL := all
-clean :
+all: $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN) $(PAM_LOGIN) $(PAM_ADMIN) $(BINARIES)
+
+clean:
rm -f $(BINARIES)
find . -type f \( -iname '*.o' -o -iname '*.so' \) -delete
-.PHONY : all clean install
-
# NSS modules.
-$(NSS_OSLOGIN) : SONAME = $(NSS_OSLOGIN_SONAME)
-$(NSS_OSLOGIN) : nss/nss_oslogin.o oslogin_utils.o
+$(NSS_OSLOGIN): SONAME = $(NSS_OSLOGIN_SONAME)
+$(NSS_OSLOGIN): nss/nss_oslogin.o oslogin_utils.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) $^ -o $@ $(LDLIBS)
-$(NSS_CACHE_OSLOGIN) : SONAME = $(NSS_CACHE_OSLOGIN_SONAME)
-$(NSS_CACHE_OSLOGIN) : nss/nss_cache_oslogin.o nss/compat/getpwent_r.o
oslogin_utils.o
+$(NSS_CACHE_OSLOGIN): SONAME = $(NSS_CACHE_OSLOGIN_SONAME)
+$(NSS_CACHE_OSLOGIN): nss/nss_cache_oslogin.o nss/compat/getpwent_r.o
oslogin_utils.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) $^ -o $@ $(LDLIBS)
# PAM modules
-$(PAM_LOGIN) : pam/pam_oslogin_login.o oslogin_utils.o
+$(PAM_LOGIN): pam/pam_oslogin_login.o oslogin_utils.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS)
-$(PAM_ADMIN) : pam/pam_oslogin_admin.o oslogin_utils.o
+$(PAM_ADMIN): pam/pam_oslogin_admin.o oslogin_utils.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS)
# Utilities.
-google_authorized_keys : authorized_keys/authorized_keys.o oslogin_utils.o
+google_authorized_keys: authorized_keys/authorized_keys.o oslogin_utils.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
-google_authorized_keys_sk : authorized_keys/authorized_keys_sk.o
oslogin_utils.o
+google_authorized_keys_sk: authorized_keys/authorized_keys_sk.o oslogin_utils.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
google_oslogin_nss_cache: cache_refresh/cache_refresh.o oslogin_utils.o
@@ -85,8 +86,8 @@
install -m 0755 -t $(DESTDIR)$(BINDIR) $(BINARIES)
# Manpages
install -m 0644 -t $(DESTDIR)$(MANDIR)/man8 $(TOPDIR)/man/nss-oslogin.8
$(TOPDIR)/man/nss-cache-oslogin.8
- gzip -9 $(DESTDIR)$(MANDIR)/man8/nss-oslogin.8
- gzip -9 $(DESTDIR)$(MANDIR)/man8/nss-cache-oslogin.8
+ gzip -9f $(DESTDIR)$(MANDIR)/man8/nss-oslogin.8
+ gzip -9f $(DESTDIR)$(MANDIR)/man8/nss-cache-oslogin.8
ln -sf nss-oslogin.8.gz
$(DESTDIR)$(MANDIR)/man8/$(NSS_OSLOGIN_SONAME).8.gz
ln -sf nss-cache-oslogin.8.gz
$(DESTDIR)$(MANDIR)/man8/$(NSS_CACHE_OSLOGIN_SONAME).8.gz
ifdef INSTALL_SELINUX
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20230217.00/src/include/oslogin_utils.h
new/guest-oslogin-20230502.00/src/include/oslogin_utils.h
--- old/guest-oslogin-20230217.00/src/include/oslogin_utils.h 2023-02-17
02:36:35.000000000 +0100
+++ new/guest-oslogin-20230502.00/src/include/oslogin_utils.h 2023-05-02
20:42:44.000000000 +0200
@@ -220,11 +220,6 @@
// Parses a JSON users response, storing results in a provided string vector.
bool ParseJsonToUsers(const string& json, std::vector<string>* users);
-// Adds users and associated array of char* to provided buffer and store
pointer
-// to array in result.gr_mem.
-bool AddUsersToGroup(std::vector<string> users, struct group* result,
- BufferManager* buf, int* errnop);
-
// Gets group matching name.
bool GetGroupByName(string name, struct group* grp, BufferManager* buf, int*
errnop);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20230217.00/src/nss/new_nss_oslogin.c
new/guest-oslogin-20230502.00/src/nss/new_nss_oslogin.c
--- old/guest-oslogin-20230217.00/src/nss/new_nss_oslogin.c 2023-02-17
02:36:35.000000000 +0100
+++ new/guest-oslogin-20230502.00/src/nss/new_nss_oslogin.c 2023-05-02
20:42:44.000000000 +0200
@@ -77,7 +77,8 @@
fprintf (stderr, __VA_ARGS__); \
} while(0)
-int parsepasswd(char *str, struct passwd *result, char *buffer, size_t buflen)
{
+int
+parsepasswd(char *str, struct passwd *result, char *buffer, size_t buflen) {
int fields[PW_END+1] = {0};
fields[PW_END] = strlen(str)+1;
@@ -109,7 +110,8 @@
return 0;
}
-int parsegroup(char *str, struct group *result, char *buffer, size_t buflen) {
+int
+parsegroup(char *str, struct group *result, char *buffer, size_t buflen) {
int fields[GR_END+1] = {0};
int members[MAX_GR_MEM] = {0};
int i, field, len;
@@ -179,7 +181,8 @@
struct Buffer pwbuf;
struct Buffer grbuf;
-int dial(struct Buffer *const buffer) {
+int
+dial(struct Buffer *const buffer) {
if (buffer->socket != 0) {
return 0;
}
@@ -199,7 +202,8 @@
return 0;
}
-int recvline(struct Buffer *const buffer) {
+int
+recvline(struct Buffer *const buffer) {
int res = 0;
ssize_t recvlen, new_size = 0;
fd_set fds;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20230217.00/src/nss/nss_cache_oslogin.c
new/guest-oslogin-20230502.00/src/nss/nss_cache_oslogin.c
--- old/guest-oslogin-20230217.00/src/nss/nss_cache_oslogin.c 2023-02-17
02:36:35.000000000 +0100
+++ new/guest-oslogin-20230502.00/src/nss/nss_cache_oslogin.c 2023-05-02
20:42:44.000000000 +0200
@@ -46,8 +46,8 @@
* so that our caller knows to try again with a bigger buffer.
*/
-static inline enum nss_status _nss_cache_oslogin_ent_bad_return_code(
- int errnoval) {
+static inline enum nss_status
+_nss_cache_oslogin_ent_bad_return_code(int errnoval) {
enum nss_status ret;
switch (errnoval) {
@@ -70,7 +70,8 @@
// _nss_cache_oslogin_setpwent_locked()
// Internal setup routine
-static enum nss_status _nss_cache_oslogin_setpwent_locked(void) {
+static enum nss_status
+_nss_cache_oslogin_setpwent_locked(void) {
DEBUG("%s %s\n", "Opening", OSLOGIN_PASSWD_CACHE_PATH);
if (p_file) {
fclose(p_file);
@@ -89,7 +90,8 @@
// Called by NSS to open the passwd file
// 'stayopen' parameter is ignored.
-enum nss_status _nss_cache_oslogin_setpwent(int stayopen) {
+enum nss_status
+_nss_cache_oslogin_setpwent(int stayopen) {
enum nss_status ret;
NSS_CACHE_OSLOGIN_LOCK();
ret = _nss_cache_oslogin_setpwent_locked();
@@ -100,7 +102,8 @@
// _nss_cache_oslogin_endpwent_locked()
// Internal close routine
-static enum nss_status _nss_cache_oslogin_endpwent_locked(void) {
+static enum nss_status
+_nss_cache_oslogin_endpwent_locked(void) {
DEBUG("Closing %s\n", OSLOGIN_PASSWD_CACHE_PATH);
if (p_file) {
fclose(p_file);
@@ -112,7 +115,8 @@
// _nss_cache_oslogin_endpwent()
// Called by NSS to close the passwd file
-enum nss_status _nss_cache_oslogin_endpwent(void) {
+enum nss_status
+_nss_cache_oslogin_endpwent(void) {
enum nss_status ret;
NSS_CACHE_OSLOGIN_LOCK();
ret = _nss_cache_oslogin_endpwent_locked();
@@ -123,8 +127,9 @@
// _nss_cache_oslogin_getpwent_r_locked()
// Called internally to return the next entry from the passwd file
-static enum nss_status _nss_cache_oslogin_getpwent_r_locked(
- struct passwd *result, char *buffer, size_t buflen, int *errnop) {
+static enum nss_status
+_nss_cache_oslogin_getpwent_r_locked(struct passwd *result, char *buffer,
+ size_t buflen, int *errnop) {
enum nss_status ret = NSS_STATUS_SUCCESS;
if (p_file == NULL) {
@@ -150,9 +155,9 @@
// _nss_cache_oslogin_getpwent_r()
// Called by NSS to look up next entry in passwd file
-enum nss_status _nss_cache_oslogin_getpwent_r(struct passwd *result,
- char *buffer, size_t buflen,
- int *errnop) {
+enum nss_status
+_nss_cache_oslogin_getpwent_r(struct passwd *result,
+ char *buffer, size_t buflen, int *errnop) {
enum nss_status ret;
NSS_CACHE_OSLOGIN_LOCK();
ret = _nss_cache_oslogin_getpwent_r_locked(result, buffer, buflen, errnop);
@@ -163,9 +168,9 @@
// _nss_cache_oslogin_getpwuid_r()
// Find a user account by uid
-enum nss_status _nss_cache_oslogin_getpwuid_r(uid_t uid, struct passwd *result,
- char *buffer, size_t buflen,
- int *errnop) {
+enum nss_status
+_nss_cache_oslogin_getpwuid_r(uid_t uid, struct passwd *result,
+ char *buffer, size_t buflen, int *errnop) {
enum nss_status ret;
NSS_CACHE_OSLOGIN_LOCK();
@@ -187,10 +192,9 @@
// _nss_cache_oslogin_getpwnam_r()
// Find a user account by name
-enum nss_status _nss_cache_oslogin_getpwnam_r(const char *name,
- struct passwd *result,
- char *buffer, size_t buflen,
- int *errnop) {
+enum nss_status
+_nss_cache_oslogin_getpwnam_r(const char *name, struct passwd *result,
+ char *buffer, size_t buflen, int *errnop) {
enum nss_status ret;
NSS_CACHE_OSLOGIN_LOCK();
@@ -211,7 +215,8 @@
// _nss_cache_oslogin_setgrent_locked()
// Internal setup routine
-static enum nss_status _nss_cache_oslogin_setgrent_locked(void) {
+static enum nss_status
+_nss_cache_oslogin_setgrent_locked(void) {
if (g_file) {
fclose(g_file);
}
@@ -229,7 +234,8 @@
// Called by NSS to open the group file
// 'stayopen' parameter is ignored.
-enum nss_status _nss_cache_oslogin_setgrent(int stayopen) {
+enum nss_status
+_nss_cache_oslogin_setgrent(int stayopen) {
enum nss_status ret;
NSS_CACHE_OSLOGIN_LOCK();
ret = _nss_cache_oslogin_setgrent_locked();
@@ -240,7 +246,8 @@
// _nss_cache_oslogin_endgrent_locked()
// Internal close routine
-static enum nss_status _nss_cache_oslogin_endgrent_locked(void) {
+static enum nss_status
+_nss_cache_oslogin_endgrent_locked(void) {
DEBUG("%s %s\n", "Closing", OSLOGIN_GROUP_CACHE_PATH);
if (g_file) {
fclose(g_file);
@@ -252,7 +259,8 @@
// _nss_cache_oslogin_endgrent()
// Called by NSS to close the group file
-enum nss_status _nss_cache_oslogin_endgrent(void) {
+enum nss_status
+_nss_cache_oslogin_endgrent(void) {
enum nss_status ret;
NSS_CACHE_OSLOGIN_LOCK();
ret = _nss_cache_oslogin_endgrent_locked();
@@ -263,9 +271,9 @@
// _nss_cache_oslogin_getgrent_r_locked()
// Called internally to return the next entry from the group file
-static enum nss_status _nss_cache_oslogin_getgrent_r_locked(struct group
*result,
- char *buffer, size_t
buflen,
- int *errnop) {
+static enum nss_status
+_nss_cache_oslogin_getgrent_r_locked(struct group *result,
+ char *buffer, size_t buflen, int *errnop)
{
enum nss_status ret = NSS_STATUS_SUCCESS;
if (g_file == NULL) {
@@ -303,8 +311,9 @@
// _nss_cache_oslogin_getgrent_r()
// Called by NSS to look up next entry in group file
-enum nss_status _nss_cache_oslogin_getgrent_r(struct group *result, char
*buffer,
- size_t buflen, int *errnop) {
+enum nss_status
+_nss_cache_oslogin_getgrent_r(struct group *result, char *buffer,
+ size_t buflen, int *errnop) {
enum nss_status ret;
NSS_CACHE_OSLOGIN_LOCK();
ret = _nss_cache_oslogin_getgrent_r_locked(result, buffer, buflen, errnop);
@@ -315,9 +324,9 @@
// _nss_cache_oslogin_getgrgid_r()
// Find a group by gid
-enum nss_status _nss_cache_oslogin_getgrgid_r(gid_t gid, struct group *result,
- char *buffer, size_t buflen,
- int *errnop) {
+enum nss_status
+_nss_cache_oslogin_getgrgid_r(gid_t gid, struct group *result,
+ char *buffer, size_t buflen, int *errnop) {
enum nss_status ret;
// First check for user whose UID matches requested GID, for self-groups.
@@ -367,9 +376,9 @@
// _nss_cache_oslogin_getgrnam_r()
// Find a group by name
-enum nss_status _nss_cache_oslogin_getgrnam_r(const char *name, struct group
*result,
- char *buffer, size_t buflen,
- int *errnop) {
+enum nss_status
+_nss_cache_oslogin_getgrnam_r(const char *name, struct group *result,
+ char *buffer, size_t buflen, int *errnop) {
enum nss_status ret;
// First check for user whose name matches request, for self-groups.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20230217.00/src/nss/nss_oslogin.cc
new/guest-oslogin-20230502.00/src/nss/nss_oslogin.cc
--- old/guest-oslogin-20230217.00/src/nss/nss_oslogin.cc 2023-02-17
02:36:35.000000000 +0100
+++ new/guest-oslogin-20230502.00/src/nss/nss_oslogin.cc 2023-05-02
20:42:44.000000000 +0200
@@ -50,19 +50,21 @@
extern "C" {
// Get a passwd entry by id.
-enum nss_status _nss_oslogin_getpwuid_r(uid_t uid, struct passwd *result,
- char *buffer, size_t buflen,
- int *errnop) {
+enum nss_status
+_nss_oslogin_getpwuid_r(uid_t uid, struct passwd *result,
+ char *buffer, size_t buflen, int *errnop) {
BufferManager buffer_manager(buffer, buflen);
std::stringstream url;
url << kMetadataServerUrl << "users?uid=" << uid;
+
string response;
long http_code = 0;
- if (!HttpGet(url.str(), &response, &http_code) || http_code != 200 ||
- response.empty()) {
+ if (!HttpGet(url.str(), &response, &http_code) ||
+ http_code != 200 || response.empty()) {
*errnop = ENOENT;
return NSS_STATUS_NOTFOUND;
}
+
if (!ParseJsonToPasswd(response, result, &buffer_manager, errnop)) {
if (*errnop == EINVAL) {
openlog("nss_oslogin", LOG_PID, LOG_USER);
@@ -76,19 +78,21 @@
}
// Get a passwd entry by name.
-enum nss_status _nss_oslogin_getpwnam_r(const char *name, struct passwd
*result,
- char *buffer, size_t buflen,
- int *errnop) {
+enum nss_status
+_nss_oslogin_getpwnam_r(const char *name, struct passwd *result,
+ char *buffer, size_t buflen, int *errnop) {
BufferManager buffer_manager(buffer, buflen);
std::stringstream url;
url << kMetadataServerUrl << "users?username=" << UrlEncode(name);
+
string response;
long http_code = 0;
- if (!HttpGet(url.str(), &response, &http_code) || http_code != 200 ||
- response.empty()) {
+ if (!HttpGet(url.str(), &response, &http_code) ||
+ http_code != 200 || response.empty()) {
*errnop = ENOENT;
return NSS_STATUS_NOTFOUND;
}
+
if (!ParseJsonToPasswd(response, result, &buffer_manager, errnop)) {
if (*errnop == EINVAL) {
openlog("nss_oslogin", LOG_PID, LOG_USER);
@@ -103,8 +107,9 @@
// Look for OS Login user with uid matching the requested gid, and craft a
// self-group for it.
-enum nss_status getselfgrgid(gid_t gid, struct group *grp,
- char *buf, size_t buflen, int *errnop) {
+enum nss_status
+getselfgrgid(gid_t gid, struct group *grp, char *buf,
+ size_t buflen, int *errnop) {
BufferManager buffer_manager(buf, buflen);
// Look for a matching user in cache.
@@ -142,38 +147,43 @@
// Look for matching user in backend.
std::stringstream url;
url << kMetadataServerUrl << "users?uid=" << gid;
+
string response;
long http_code = 0;
- if (!HttpGet(url.str(), &response, &http_code) || http_code != 200 ||
- response.empty()) {
+ if (!HttpGet(url.str(), &response, &http_code) ||
+ http_code != 200 || response.empty()) {
return NSS_STATUS_NOTFOUND;
}
+
struct passwd result;
- if (!ParseJsonToPasswd(response, &result, &buffer_manager, errnop))
+ if (!ParseJsonToPasswd(response, &result, &buffer_manager, errnop)) {
return NSS_STATUS_NOTFOUND;
+ }
- if (result.pw_gid != result.pw_uid)
+ if (result.pw_gid != result.pw_uid) {
return NSS_STATUS_NOTFOUND;
-
+ }
// Set the group name to the name of the matching user.
- if (!buffer_manager.AppendString(result.pw_name, &grp->gr_name, errnop))
+ if (!buffer_manager.AppendString(result.pw_name, &grp->gr_name, errnop)) {
return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
+ }
grp->gr_gid = result.pw_uid;
// Create a list of only the matching user and add to members list.
std::vector<string> members;
members.push_back(string(result.pw_name));
- if (!AddUsersToGroup(members, grp, &buffer_manager, errnop))
+ if (!AddUsersToGroup(members, grp, &buffer_manager, errnop)) {
return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-
+ }
return NSS_STATUS_SUCCESS;
}
// Look for OS Login user with name matching the requested name, and craft a
// self-group for it.
-enum nss_status getselfgrnam(const char* name, struct group *grp,
- char *buf, size_t buflen, int *errnop) {
+enum nss_status
+getselfgrnam(const char* name, struct group *grp,
+ char *buf, size_t buflen, int *errnop) {
BufferManager buffer_manager(buf, buflen);
// Look for a matching user in cache.
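Review bot: The newly braced `ParseJsonToPasswd` failure branch in `getselfgrgid` still returns `NSS_STATUS_NOTFOUND` unconditionally, while the `AppendString` and `AddUsersToGroup` branches a few lines below map `ERANGE` to `NSS_STATUS_TRYAGAIN`. `ParseJsonToPasswd` is given the same `buffer_manager` and `errnop`, so it presumably can also fail because the caller's buffer is too small; in that case an existing user's self-group would be reported as missing instead of retried with a larger buffer. If that is right, the branch should read `return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;`. The same pattern appears in the `getselfgrnam` hunk that follows. `getselfgrgid` begins outside this hunk, so whether `*errnop` is initialised before this point is not visible here.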
@@ -207,42 +217,48 @@
// Look for matching user in backend.
std::stringstream url;
url << kMetadataServerUrl << "users?username=" << UrlEncode(string(name));
+
string response;
long http_code = 0;
- if (!HttpGet(url.str(), &response, &http_code) || http_code != 200 ||
- response.empty()) {
+ if (!HttpGet(url.str(), &response, &http_code) ||
+ http_code != 200 || response.empty()) {
return NSS_STATUS_NOTFOUND;
}
+
struct passwd result;
- if (!ParseJsonToPasswd(response, &result, &buffer_manager, errnop))
+ if (!ParseJsonToPasswd(response, &result, &buffer_manager, errnop)) {
return NSS_STATUS_NOTFOUND;
+ }
- if (result.pw_gid != result.pw_uid)
+ if (result.pw_gid != result.pw_uid) {
return NSS_STATUS_NOTFOUND;
-
+ }
// Set the group name to the name of the matching user.
- if (!buffer_manager.AppendString(result.pw_name, &grp->gr_name, errnop))
+ if (!buffer_manager.AppendString(result.pw_name, &grp->gr_name, errnop)) {
return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
+ }
grp->gr_gid = result.pw_uid;
// Create a list of only the matching user and add to members list.
std::vector<string> members;
members.push_back(string(result.pw_name));
- if (!AddUsersToGroup(members, grp, &buffer_manager, errnop))
+ if (!AddUsersToGroup(members, grp, &buffer_manager, errnop)) {
return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-
+ }
return NSS_STATUS_SUCCESS;
}
// _nss_olosing_getgrgid_r()
// Get a group entry by id.
-enum nss_status _nss_oslogin_getgrgid_r(gid_t gid, struct group *grp, char
*buf,
- size_t buflen, int *errnop) {
+enum nss_status
+_nss_oslogin_getgrgid_r(gid_t gid, struct group *grp, char *buf,
+ size_t buflen, int *errnop) {
// If there is no cache file, we will assume there are no groups.
- if (access(OSLOGIN_GROUP_CACHE_PATH, R_OK) != 0)
+ if (access(OSLOGIN_GROUP_CACHE_PATH, R_OK) != 0) {
return getselfgrgid(gid, grp, buf, buflen, errnop);
+ }
memset(grp, 0, sizeof(struct group));
BufferManager buffer_manager(buf, buflen);
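Review bot: The header comment above the reformatted `_nss_oslogin_getgrgid_r` still reads `// _nss_olosing_getgrgid_r()`, which no longer matches the symbol and defeats a grep for the function name. Since the signature line is being touched anyway, correct it to `// _nss_oslogin_getgrgid_r()`. The later hunk has the same kind of mismatch: `_nss_oslogin_initgroups_dyn` is introduced as `// _nss_cache_oslogin_initgroups_dyn()`, which names the cache module rather than this one.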
@@ -254,23 +270,26 @@
}
std::vector<string> users;
- if (!GetUsersForGroup(grp->gr_name, &users, errnop))
+ if (!GetUsersForGroup(grp->gr_name, &users, errnop)) {
return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
+ }
- if (!users.empty() && !AddUsersToGroup(users, grp, &buffer_manager, errnop))
+ if (!users.empty() && !AddUsersToGroup(users, grp, &buffer_manager, errnop))
{
return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-
+ }
return NSS_STATUS_SUCCESS;
}
// _nss_oslogin_getgrnam_r()
// Get a group entry by name.
-enum nss_status _nss_oslogin_getgrnam_r(const char *name, struct group *grp,
- char *buf, size_t buflen, int *errnop)
{
+enum nss_status
+_nss_oslogin_getgrnam_r(const char *name, struct group *grp,
+ char *buf, size_t buflen, int *errnop) {
// If there is no cache file, we will assume there are no groups.
- if (access(OSLOGIN_GROUP_CACHE_PATH, R_OK) != 0)
+ if (access(OSLOGIN_GROUP_CACHE_PATH, R_OK) != 0) {
return getselfgrnam(name, grp, buf, buflen, errnop);
+ }
memset(grp, 0, sizeof(struct group));
BufferManager buffer_manager(buf, buflen);
@@ -282,26 +301,28 @@
}
std::vector<string> users;
- if (!GetUsersForGroup(grp->gr_name, &users, errnop))
+ if (!GetUsersForGroup(grp->gr_name, &users, errnop)) {
return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
+ }
- if (!users.empty() && !AddUsersToGroup(users, grp, &buffer_manager, errnop))
+ if (!users.empty() && !AddUsersToGroup(users, grp, &buffer_manager, errnop))
{
return *errnop == ERANGE ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-
+ }
return NSS_STATUS_SUCCESS;
}
// _nss_cache_oslogin_initgroups_dyn()
// Initialize groups for new session.
-enum nss_status _nss_oslogin_initgroups_dyn(const char *user, gid_t skipgroup,
- long int *start, long int *size,
- gid_t **groupsp, long int limit,
- int *errnop) {
+enum nss_status
+_nss_oslogin_initgroups_dyn(const char *user, gid_t skipgroup, long int *start,
+ long int *size, gid_t **groupsp,
+ long int limit, int *errnop) {
// check if user exists in local passwd DB
FILE *p_file = fopen(PASSWD_PATH, "re");
- if (p_file == NULL)
+ if (p_file == NULL) {
return NSS_STATUS_NOTFOUND;
+ }
struct passwd *userp;
while ((userp = fgetpwent(p_file)) != NULL) {
@@ -386,4 +407,5 @@
(void *)_nss_oslogin_getgrgid_r}, )
NSS_REGISTER_METHODS(methods)
+
} // extern "C"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20230217.00/src/oslogin_utils.cc
new/guest-oslogin-20230502.00/src/oslogin_utils.cc
--- old/guest-oslogin-20230217.00/src/oslogin_utils.cc 2023-02-17
02:36:35.000000000 +0100
+++ new/guest-oslogin-20230502.00/src/oslogin_utils.cc 2023-05-02
20:42:44.000000000 +0200
@@ -17,7 +17,6 @@
#include <errno.h>
#include <grp.h>
#include <json.h>
-#include <grp.h>
#include <nss.h>
#include <stdio.h>
#include <stdlib.h>
@@ -91,6 +90,7 @@
: cache_size_(cache_size),
entry_cache_(cache_size),
page_token_(""),
+ index_(0),
on_last_page_(false) {}
void NssCache::Reset() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20230217.00/src/pam/pam_oslogin_admin.cc
new/guest-oslogin-20230502.00/src/pam/pam_oslogin_admin.cc
--- old/guest-oslogin-20230217.00/src/pam/pam_oslogin_admin.cc 2023-02-17
02:36:35.000000000 +0100
+++ new/guest-oslogin-20230502.00/src/pam/pam_oslogin_admin.cc 2023-05-02
20:42:44.000000000 +0200
@@ -43,12 +43,13 @@
extern "C" {
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
- const char **argv) {
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const char** argv) {
// The return value for this module should generally be ignored. By default
we
// will return PAM_SUCCESS.
int pam_result = PAM_SUCCESS;
const char *user_name;
+
if ((pam_result = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) {
PAM_SYSLOG(pamh, LOG_INFO, "Could not get pam user.");
return pam_result;
@@ -77,7 +78,7 @@
filename.append(user_name);
struct stat buffer;
bool file_exists = !stat(filename.c_str(), &buffer);
- long http_code;
+ long http_code = 0;
if (HttpGet(url.str(), &response, &http_code) && http_code == 200 &&
ParseJsonToSuccess(response)) {
if (!file_exists) {
@@ -86,11 +87,21 @@
user_name);
std::ofstream sudoers_file;
sudoers_file.open(filename.c_str());
- sudoers_file << user_name << " ALL=(ALL) NOPASSWD: ALL"
- << "\n";
- sudoers_file.close();
- chown(filename.c_str(), 0, 0);
- chmod(filename.c_str(), S_IRUSR | S_IRGRP);
+ // OS Login directories are created by another product, guest-agent
+ //
https://github.com/GoogleCloudPlatform/guest-agent/blob/56988fa888b46dc0796a958929dceed460f7a3e8/google_guest_agent/oslogin.go#L344
+ // We should be sure a file is opened for writing
+ if (sudoers_file.is_open()) {
+ sudoers_file << user_name << " ALL=(ALL) NOPASSWD: ALL\n";
+ sudoers_file.close();
+
+ chown(filename.c_str(), 0, 0);
+ chmod(filename.c_str(), S_IRUSR | S_IRGRP);
+ } else {
+ PAM_SYSLOG(pamh, LOG_INFO,
+ "Could not grant sudo permissions to organization user
%s."
+ " Sudoers file %s is not writable.",
+ user_name, filename.c_str());
+ }
}
} else if (file_exists) {
remove(filename.c_str());
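Review bot: The new `is_open()` check covers only the open; the write, `close()`, `chown()` and `chmod()` results are still ignored for a file that grants `NOPASSWD: ALL`. A short write (for example a full disk) leaves a truncated sudoers fragment in place. Until `chmod()` runs, the file also has whatever mode the process umask produced. Check the stream state after `close()` and the two return values, and remove the file if any step fails; creating it with restrictive permissions from the start would close the window entirely. The failure branch also logs at `LOG_INFO`, which is easy to miss for a privilege-granting step. The users-file creation in the `pam_oslogin_login.cc` hunk has the same unchecked `chown`/`chmod` pair. The enclosing `pam_sm_acct_mgmt` begins outside this hunk.

```cpp
      if (sudoers_file.is_open()) {
        sudoers_file << user_name << " ALL=(ALL) NOPASSWD: ALL\n";
        sudoers_file.close();

        // A failed write or a failed ownership/mode change must not leave
        // a partially written or wrongly protected sudoers fragment behind.
        if (sudoers_file.fail() ||
            chown(filename.c_str(), 0, 0) != 0 ||
            chmod(filename.c_str(), S_IRUSR | S_IRGRP) != 0) {
          PAM_SYSLOG(pamh, LOG_ERR,
                     "Could not finalize sudoers file %s.", filename.c_str());
          remove(filename.c_str());
        }
      } else {
        // … unchanged: "Sudoers file %s is not writable" log …
      }
```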
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20230217.00/src/pam/pam_oslogin_login.cc
new/guest-oslogin-20230502.00/src/pam/pam_oslogin_login.cc
--- old/guest-oslogin-20230217.00/src/pam/pam_oslogin_login.cc 2023-02-17
02:36:35.000000000 +0100
+++ new/guest-oslogin-20230502.00/src/pam/pam_oslogin_login.cc 2023-05-02
20:42:44.000000000 +0200
@@ -45,9 +45,11 @@
static const char kUsersDir[] = "/var/google-users.d/";
extern "C" {
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
- const char **argv) {
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const char** argv) {
const char *user_name;
+
if (pam_get_user(pamh, &user_name, NULL) != PAM_SUCCESS) {
PAM_SYSLOG(pamh, LOG_INFO, "Could not get pam user.");
return PAM_AUTH_ERR;
@@ -69,7 +71,8 @@
std::string response;
long http_code = 0;
- if (!HttpGet(url.str(), &response, &http_code) || response.empty() ||
http_code != 200) {
+ if (!HttpGet(url.str(), &response, &http_code) || response.empty()
+ || http_code != 200) {
if (http_code == 404) {
// This module is only consulted for OS Login users.
return PAM_IGNORE;
@@ -90,41 +93,63 @@
}
url.str("");
- url << kMetadataServerUrl << "authorize?email=" << UrlEncode(email) <<
"&policy=login";
+ url << kMetadataServerUrl << "authorize?email=" << UrlEncode(email)
+ << "&policy=login";
+
if (!HttpGet(url.str(), &response, &http_code)) {
- PAM_SYSLOG(pamh, LOG_INFO, "Failed to validate organization user %s has
login permission.", user_name);
+ PAM_SYSLOG(pamh, LOG_INFO, "Failed to validate organization user %s "
+ "has login permission.", user_name);
return PAM_PERM_DENIED;
}
+
if (http_code != 200) {
- PAM_SYSLOG(pamh, LOG_INFO,
- "Failed to validate organization user %s has login permission, got
HTTP response code %d.",
- user_name, http_code);
+ PAM_SYSLOG(pamh, LOG_INFO, "Failed to validate organization user %s has "
+ "login permission, got HTTP response code %d.",
+ user_name, http_code);
return PAM_PERM_DENIED;
}
+
if (!ParseJsonToSuccess(response)) {
- PAM_SYSLOG(pamh, LOG_INFO, "Organization user %s does not have login
permission.", user_name);
+ PAM_SYSLOG(pamh, LOG_INFO, "Organization user %s does not have login "
+ "permission.", user_name);
if (file_exists) {
remove(users_filename.c_str());
}
return PAM_PERM_DENIED;
}
- PAM_SYSLOG(pamh, LOG_INFO, "Organization user %s has login permission.",
user_name);
+ PAM_SYSLOG(pamh, LOG_INFO, "Organization user %s has login permission.",
+ user_name);
if (!file_exists) {
- std::ofstream users_file(users_filename.c_str());
- chown(users_filename.c_str(), 0, 0);
- chmod(users_filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP);
+ std::ofstream users_file;
+ users_file.open(users_filename.c_str());
+ // OS Login directories are created by another product, guest-agent
+ //
https://github.com/GoogleCloudPlatform/guest-agent/blob/56988fa888b46dc0796a958929dceed460f7a3e8/google_guest_agent/oslogin.go#L344
+ // We should be sure a file is opened for writing
+ if (users_file.is_open()) {
+ // this is only for creating an empty file
+ users_file.close();
+
+ chown(users_filename.c_str(), 0, 0);
+ chmod(users_filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP);
+ } else {
+ PAM_SYSLOG(pamh, LOG_INFO,
+ "Could not create a user's file %s", users_filename.c_str());
+ }
}
return PAM_SUCCESS;
}
-PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const
char **argv) {
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t* pamh, int flags, int argc, const char** argv) {
return PAM_SUCCESS;
}
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc,
const char **argv)
-{
- const char* user_name;
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t* pamh, int flags, int argc,
+ const char** argv) {
+ const char *user_name;
+
if (pam_get_user(pamh, &user_name, NULL) != PAM_SUCCESS) {
PAM_SYSLOG(pamh, LOG_INFO, "Could not get pam user.");
return PAM_PERM_DENIED;
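Review bot: The re-wrapped log call for the non-200 case still formats `http_code` with `%d`, but the preceding hunk of this file shows it declared as `long http_code = 0;`. Passing a `long` for `%d` through a variadic call is undefined behaviour and can log a wrong status code on LP64 targets. The format should be `"login permission, got HTTP response code %ld."`. Separately, when the new `is_open()` check fails, the function logs at `LOG_INFO` and still returns `PAM_SUCCESS`; a one-line comment stating that login is meant to proceed without the users file would make that choice explicit.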
@@ -153,14 +178,16 @@
response = "";
if (!StartSession(email, &response)) {
- PAM_SYSLOG(pamh, LOG_ERR, "Bad response from the two-factor start session
request: %s",
+ PAM_SYSLOG(pamh, LOG_ERR, "Bad response from the two-factor start session "
+ "request: %s",
response.empty() ? "empty response" : response.c_str());
return PAM_PERM_DENIED;
}
std::string status;
if (!ParseJsonToKey(response, "status", &status)) {
- PAM_SYSLOG(pamh, LOG_ERR, "Failed to parse status from start session
response");
+ PAM_SYSLOG(pamh, LOG_ERR, "Failed to parse status from start session "
+ "response");
return PAM_PERM_DENIED;
}
@@ -175,7 +202,8 @@
std::vector<oslogin_utils::Challenge> challenges;
if (!ParseJsonToChallenges(response, &challenges)) {
- PAM_SYSLOG(pamh, LOG_ERR, "Failed to parse challenge values from JSON
response");
+ PAM_SYSLOG(pamh, LOG_ERR, "Failed to parse challenge values from "
+ "JSON response");
return PAM_PERM_DENIED;
}
@@ -191,12 +219,14 @@
std::stringstream prompt;
prompt << "Please choose from the available authentication methods: ";
for(vector<oslogin_utils::Challenge>::size_type i = 0;
- i != challenges.size(); ++i)
+ i != challenges.size(); ++i) {
prompt << "\n" << i+1 << ": " << user_prompts[challenges[i].type];
+ }
prompt << "\n\nEnter the number for the authentication method to use: ";
char *choice = NULL;
- if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &choice, "%s",
prompt.str().c_str()) != PAM_SUCCESS) {
+ if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &choice, "%s",
+ prompt.str().c_str()) != PAM_SUCCESS) {
pam_error(pamh, "Unable to get user input");
return PAM_PERM_DENIED;
}
@@ -206,6 +236,7 @@
pam_error(pamh, "Error parsing user input");
return PAM_PERM_DENIED;
}
+
if (size_t(choicei) > challenges.size() || choicei <= 0) {
pam_error(pamh, "Invalid option");
return PAM_PERM_DENIED;
@@ -218,21 +249,23 @@
if (challenge.status != "READY") {
// Call continueSession with the START_ALTERNATE flag.
if (!ContinueSession(true, email, "", session_id, challenge, &response)) {
- PAM_SYSLOG(pamh, LOG_ERR, "Bad response from two-factor continue session
request: %s",
+ PAM_SYSLOG(pamh, LOG_ERR, "Bad response from two-factor continue session
"
+ "request: %s",
response.empty() ? "empty response" : response.c_str());
return PAM_PERM_DENIED;
}
}
- char* user_token = NULL;
+ char *user_token = NULL;
if (challenge.type == INTERNAL_TWO_FACTOR) {
- if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &user_token, "Enter your security
code: ") != PAM_SUCCESS) {
+ if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &user_token,
+ "Enter your security code: ") != PAM_SUCCESS) {
pam_error(pamh, "Unable to get user input");
return PAM_PERM_DENIED;
}
} else if (challenge.type == SECURITY_KEY_OTP) {
if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &user_token,
- "Enter your security code by visiting g.co/sc: ") !=
PAM_SUCCESS) {
+ "Enter your security code by visiting https://g.co/sc: ") !=
PAM_SUCCESS) {
pam_error(pamh, "Unable to get user input");
return PAM_PERM_DENIED;
}
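Review bot: Both one-time-code prompts in this hunk (`"Enter your security code: "` and the reworded `https://g.co/sc` one) still call `pam_prompt` with `PAM_PROMPT_ECHO_ON`, so the code the user types is echoed to the terminal and can end up in scrollback, screen sharing or session recordings. If the echo is not a deliberate usability choice, `PAM_PROMPT_ECHO_OFF` is the style for secret input, e.g. `pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &user_token, "Enter your security code: ")`. If it is deliberate, a short comment above the prompts saying so would save the next reviewer the question. `pam_prompt` hands back a heap-allocated `user_token`; the function continues outside this hunk, so whether the token is cleared and freed on the `PAM_PERM_DENIED` return paths cannot be confirmed from here and is worth checking.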
@@ -262,8 +295,10 @@
return PAM_PERM_DENIED;
}
- if (!ContinueSession(false, email, user_token, session_id, challenge,
&response)) {
- PAM_SYSLOG(pamh, LOG_ERR, "Bad response from two-factor continue session
request: %s",
+ if (!ContinueSession(false, email, user_token, session_id,
+ challenge, &response)) {
+ PAM_SYSLOG(pamh, LOG_ERR, "Bad response from two-factor continue "
+ "session request: %s",
response.empty() ? "empty response" : response.c_str());
return PAM_PERM_DENIED;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20230217.00/test/Makefile
new/guest-oslogin-20230502.00/test/Makefile
--- old/guest-oslogin-20230217.00/test/Makefile 2023-02-17 02:36:35.000000000
+0100
+++ new/guest-oslogin-20230502.00/test/Makefile 2023-05-02 20:42:44.000000000
+0200
@@ -10,38 +10,40 @@
CXXFLAGS += -g -Wall -Wextra -std=c++11
LDLIBS = -lcurl -ljson-c -lpthread
-all : test_runner new_test_runner non_network_tests
+.PHONY: all clean alltests ping reset
+.PHONY: gtest prowtest non_network_tests network_tests
+.DEFAULT_GOAL := all
+
+all: test_runner new_test_runner non_network_tests
clean :
- rm -f test_runner *.o
+ rm -f test_runner new_test_runner test_detail.xml *.o
-gtest-all.o : $(GTEST_DIR)/src/gtest-all.cc
+gtest-all.o: $(GTEST_DIR)/src/gtest-all.cc
$(CXX) $(CXXFLAGS) $(CPPFLAGS) -c $^
-test_runner : oslogin_utils_test.o $(TOPDIR)/src/oslogin_utils.o gtest-all.o
+test_runner: oslogin_utils_test.o $(TOPDIR)/src/oslogin_utils.o gtest-all.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
-new_test_runner : oslogin_test.o gtest-all.o
+new_test_runner: oslogin_test.o gtest-all.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
-new_tests : new_test_runner $(TOPDIR)/src/nss/new_nss_oslogin.c
+new_tests: new_test_runner $(TOPDIR)/src/nss/new_nss_oslogin.c
$(NEW_TEST_RUNNER) ${GTESTARGS}
-non_network_tests : test_runner new_test_runner
+non_network_tests: test_runner new_test_runner
$(TEST_RUNNER) --gtest_filter=*-GetGroupByTest.*:GetUsersForGroupTest.*
$(NEW_TEST_RUNNER) --gtest_filter=ParserTest.*
-network_tests : test_runner ping reset
+network_tests: test_runner ping reset
$(TEST_RUNNER) --gtest_filter=GetGroupByTest.*:GetUsersForGroupTest.*
# run as $ make tests GTESTARGS="--gtest_filter=GetGroupByTest.*"
-alltests : test_runner
+alltests: test_runner
$(TEST_RUNNER) ${GTESTARGS}
-ping :
+ping:
nc -vzw2 169.254.169.254 80 >/dev/null 2>&1
-reset :
+reset:
curl -Ss http://169.254.169.254/reset >/dev/null 2>&1
-
-.PHONY : all clean alltests ping reset gtest prowtest non_network_tests
network_tests
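Review bot: The new `.PHONY` lines leave out `new_tests`, which only runs `$(NEW_TEST_RUNNER) ${GTESTARGS}` and never creates a file of that name, so a stray `new_tests` file in the directory would make the target silently do nothing. I would add it to the list, `.PHONY: gtest prowtest non_network_tests network_tests new_tests`, and check whether `gtest` and `prowtest` still have rules, since none are visible in this hunk. The usage comment above `alltests` says `make tests`, but the target shown is `alltests`. Separately, `reset` discards all output and `curl -Ss` exits 0 on an HTTP error status, so `network_tests` can start against a metadata server that was not actually reset; `curl -fSs http://169.254.169.254/reset >/dev/null` would turn that into a failed prerequisite.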