2 # Copyright (C) The Arvados Authors. All rights reserved.
4 # SPDX-License-Identifier: AGPL-3.0
13 req_envs = %w(ARVADOS_API_HOST ARVADOS_API_TOKEN ARVADOS_VIRTUAL_MACHINE_UUID)
16 abort "Fatal: These environment vars must be set: #{req_envs}"
20 exclusive_mode = ARGV.index("--exclusive")
21 exclusive_banner = "#######################################################################################
22 # THIS FILE IS MANAGED BY #{$0} -- CHANGES WILL BE OVERWRITTEN #
23 #######################################################################################\n\n"
24 start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n"
25 end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n"
27 # Don't try to create any local accounts
28 skip_missing_users = ARGV.index("--skip-missing-users")
33 arv = Arvados.new({ :suppress_ssl_warnings => false })
35 vm_uuid = ENV['ARVADOS_VIRTUAL_MACHINE_UUID']
37 logins = arv.virtual_machine.logins(:uuid => vm_uuid)[:items]
38 logins = [] if logins.nil?
39 logins = logins.reject { |l| l[:username].nil? or l[:hostname].nil? or l[:virtual_machine_uuid] != vm_uuid }
43 open("/etc/login.defs", encoding: "utf-8") do |login_defs|
44 login_defs.each_line do |line|
45 next unless match = /^UID_MIN\s+(\S+)$/.match(line)
46 if match[1].start_with?("0x")
48 elsif match[1].start_with?("0")
53 new_uid_min = match[1].to_i(base)
54 uid_min = new_uid_min if (new_uid_min > 0)
60 if not pwnam[l[:username]]
62 pwnam[l[:username]] = Etc.getpwnam(l[:username])
65 STDERR.puts "Account #{l[:username]} not found. Skipping"
69 if pwnam[l[:username]].uid < uid_min
70 STDERR.puts "Account #{l[:username]} uid #{pwnam[l[:username]].uid} < uid_min #{uid_min}. Skipping"
80 keys[l[:username]] = Array.new() if not keys.has_key?(l[:username])
83 # Handle putty-style ssh public keys
84 key.sub!(/^(Comment: "r[^\n]*\n)(.*)$/m,'ssh-rsa \2 \1')
85 key.sub!(/^(Comment: "d[^\n]*\n)(.*)$/m,'ssh-dss \2 \1')
89 keys[l[:username]].push(key) if not keys[l[:username]].include?(key)
94 devnull = open("/dev/null", "w")
97 next if seen[l[:username]]
98 seen[l[:username]] = true
100 unless pwnam[l[:username]]
101 STDERR.puts "Creating account #{l[:username]}"
102 groups = l[:groups] || []
103 # Adding users to the FUSE group has long been hardcoded behavior.
105 groups.select! { |g| Etc.getgrnam(g) rescue false }
107 unless system("useradd", "-m",
110 "-G", groups.join(","),
113 STDERR.puts "Account creation failed for #{l[:username]}: #{$?}"
117 pwnam[l[:username]] = Etc.getpwnam(l[:username])
119 STDERR.puts "Created account but then getpwnam() failed for #{l[:username]}: #{e}"
124 homedir = pwnam[l[:username]].dir
125 userdotssh = File.join(homedir, ".ssh")
126 Dir.mkdir(userdotssh) if !File.exist?(userdotssh)
128 newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
130 keysfile = File.join(userdotssh, "authorized_keys")
132 if File.exist?(keysfile)
133 oldkeys = IO::read(keysfile)
139 newkeys = exclusive_banner + newkeys
140 elsif oldkeys.start_with?(exclusive_banner)
141 newkeys = start_banner + newkeys + end_banner
142 elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
143 newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
145 newkeys = start_banner + newkeys + end_banner + oldkeys
148 if oldkeys != newkeys then
149 f = File.new(keysfile, 'w')
154 userdotconfig = File.join(homedir, ".config")
155 if !File.exist?(userdotconfig)
156 Dir.mkdir(userdotconfig)
159 configarvados = File.join(userdotconfig, "arvados")
160 Dir.mkdir(configarvados) if !File.exist?(configarvados)
162 tokenfile = File.join(configarvados, "settings.conf")
165 if !File.exist?(tokenfile)
166 user_token = arv.api_client_authorization.create(api_client_authorization: {owner_uuid: l[:user_uuid], api_client_id: 0})
167 f = File.new(tokenfile, 'w')
168 f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
169 f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
173 STDERR.puts "Error setting token for #{l[:username]}: #{e}"
176 FileUtils.chown_R(l[:username], nil, userdotssh)
177 FileUtils.chown_R(l[:username], nil, userdotconfig)
178 File.chmod(0700, userdotssh)
179 File.chmod(0700, userdotconfig)
180 File.chmod(0700, configarvados)
181 File.chmod(0750, homedir)
182 File.chmod(0600, keysfile)
183 if File.exist?(tokenfile)
184 File.chmod(0600, tokenfile)
189 rescue Exception => bang
190 puts "Error: " + bang.to_s
191 puts bang.backtrace.join("\n")