#!/usr/bin/env ruby require 'rubygems' require 'pp' require 'arvados' require 'etc' require 'fileutils' require 'yaml' # This script does the actual account/key management on disk for the shell machine(s). # # Ward Vandewege # Default is development production = ARGV[0] == "production" ENV["RAILS_ENV"] = "development" ENV["RAILS_ENV"] = "production" if production DEBUG = 1 # load and merge in the environment-specific application config info # if present, overriding base config parameters as specified path = File.dirname(__FILE__) + '/config/arvados-clients.yml' if File.exists?(path) then cp_config = YAML.load_file(path)[ENV['RAILS_ENV']] else puts "Please create a\n " + File.dirname(__FILE__) + "/config/arvados-clients.yml\n file" exit 1 end shell_hostname = cp_config['arvados_shell_hostname'] ENV['ARVADOS_API_HOST'] = cp_config['arvados_api_host'] ENV['ARVADOS_API_TOKEN'] = cp_config['arvados_api_token'] keys = '' seen = Hash.new begin uids = Hash[Etc.to_enum(:passwd).map { |ent| [ent.name, ent.uid] }] gids = Hash[Etc.to_enum(:group).map { |ent| [ent.name, ent.gid] }] arv = Arvados.new( { :suppress_ssl_warnings => false } ) begin logins = arv.virtual_machine.get_all_logins(limit: 10000, uuid: cp_config['vm_uuid'])[:items] rescue logins = arv.virtual_machine.logins(:uuid => cp_config['vm_uuid'])[:items] end logins = [] if logins.nil? logins = logins.reject { |l| l[:username].nil? or l[:hostname].nil? or l[:public_key].nil? or l[:hostname] != shell_hostname } # No system users uid_min = 1000 open("/etc/login.defs", encoding: "utf-8") do |login_defs| login_defs.each_line do |line| next unless match = /^UID_MIN\s+(\S+)$/.match(line) if match[1].start_with?("0x") base = 16 elsif match[1].start_with?("0") base = 8 else base = 10 end new_uid_min = match[1].to_i(base) uid_min = new_uid_min if (new_uid_min > 0) end end logins.reject! { |l| (uids[l[:username]] || 65535) < uid_min } keys = Hash.new() # Collect all keys logins.each do |l| keys[l[:username]] = Array.new() if not keys.has_key?(l[:username]) key = l[:public_key] # Handle putty-style ssh public keys key.sub!(/^(Comment: "r[^\n]*\n)(.*)$/m,'ssh-rsa \2 \1') key.sub!(/^(Comment: "d[^\n]*\n)(.*)$/m,'ssh-dss \2 \1') key.gsub!(/\n/,'') key.strip keys[l[:username]].push(key) if not keys[l[:username]].include?(key) end seen = Hash.new() devnull = open("/dev/null", "w") logins.each do |l| next if seen[l[:username]] seen[l[:username]] = true if not seen.has_key?(l[:username]) @homedir = "/home/#{l[:username]}" unless uids[l[:username]] STDERR.puts "Creating account #{l[:username]}" groups = l[:groups] || [] # Adding users to the FUSE group has long been hardcoded behavior. groups << "fuse" groups.select! { |name| gids[name] } # Create new user next unless system("/usr/sbin/useradd", "-m", "-c", l[:username], "-s", "/bin/bash", "-G", groups.join(","), l[:username], out: devnull) end # Create .ssh directory if necessary userdotssh = File.join(@homedir, ".ssh") Dir.mkdir(userdotssh) if !File.exists?(userdotssh) @key = "####################################################################################### # THIS FILE IS MANAGED BY #{$0} -- CHANGES WILL BE OVERWRITTEN # #######################################################################################\n\n" @key += keys[l[:username]].join("\n") + "\n" userauthkeys = File.join(userdotssh, "authorized_keys") if !File.exists?(userauthkeys) or IO::read(userauthkeys) != @key then f = File.new(userauthkeys, 'w') f.write(@key) f.close() end FileUtils.chown_R(l[:username], l[:username], userdotssh) File.chmod(0700, userdotssh) File.chmod(0750, @homedir) end devnull.close rescue Exception => bang puts "Error: " + bang.to_s puts bang.backtrace.join("\n") exit 1 end