From 3241db378301b3d507e928776d5e3e511c38a998 Mon Sep 17 00:00:00 2001
From: Peter Amstutz
Date: Wed, 2 Sep 2020 18:08:43 -0400
Subject: [PATCH] 16689: add/remove users from groups to sync with Arvados

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz
---
 services/login-sync/bin/arvados-login-sync | 48 +++++++++++++++++-----
 1 file changed, 37 insertions(+), 11 deletions(-)

diff --git a/services/login-sync/bin/arvados-login-sync b/services/login-sync/bin/arvados-login-sync
index 61260990c9..9152b29336 100755
--- a/services/login-sync/bin/arvados-login-sync
+++ b/services/login-sync/bin/arvados-login-sync
@@ -91,36 +91,63 @@ begin
 end

 seen = Hash.new()
- devnull = open("/dev/null", "w")
+
+ current_user_groups = Hash.new
+ while (ent = Etc.getgrent()) do
+ ent.mem.each do |member|
+ current_user_groups[member] ||= Array.new
+ current_user_groups[member].push ent.name
+ end
+ end
+ Etc.endgrent()

 logins.each do |l|
 next if seen[l[:username]]
 seen[l[:username]] = true

+ username = l[:username]
+
 unless pwnam[l[:username]]
 STDERR.puts "Creating account #{l[:username]}"
- groups = l[:groups] || []
- # Adding users to the FUSE group has long been hardcoded behavior.
- groups << "fuse"
- groups.select! { |g| Etc.getgrnam(g) rescue false }
 # Create new user
 unless system("useradd", "-m",
- "-c", l[:username],
+ "-c", username,
 "-s", "/bin/bash",
- "-G", groups.join(","),
- l[:username],
- out: devnull)
+ username)
 STDERR.puts "Account creation failed for #{l[:username]}: #{$?}"
 next
 end
 begin
- pwnam[l[:username]] = Etc.getpwnam(l[:username])
+ pwnam[username] = Etc.getpwnam(username)
 rescue => e
 STDERR.puts "Created account but then getpwnam() failed for #{l[:username]}: #{e}"
 raise
 end
 end

+ existing_groups = current_user_groups[username] || []
+ groups = l[:groups] || []
+ # Adding users to the FUSE group has long been hardcoded behavior.
+ groups << "fuse"
+ groups << username
+ groups.select! { |g| Etc.getgrnam(g) rescue false }
+
+ groups.each do |addgroup|
+ if existing_groups.index(addgroup).nil?
+ # User should be in group, but isn't, so add them.
+ STDERR.puts "Add user #{username} to #{addgroup} group"
+ system("adduser", username, addgroup)
+ end
+ end
+
+ existing_groups.each do |removegroup|
+ if groups.index(removegroup).nil?
+ # User is in a group, but shouldn't be, so remove them.
+ STDERR.puts "Remove user #{username} from #{removegroup} group"
+ system("deluser", username, removegroup)
+ end
+ end
+
 homedir = pwnam[l[:username]].dir
 userdotssh = File.join(homedir, ".ssh")
 Dir.mkdir(userdotssh) if !File.exist?(userdotssh)
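Review bot: The `system("adduser", username, addgroup)` and `system("deluser", username, removegroup)` calls in the two new loops discard the exit status, unlike the `useradd` call earlier in this hunk, so a failed removal leaves the account in a group it should have lost while the log still reads "Remove user ...". Check the result in both loops, for example `unless system("deluser", username, removegroup)` followed by `STDERR.puts "Failed to remove #{username} from #{removegroup}: #{$?}"`. The removal loop also compares against every group returned by `Etc.getgrent`, so memberships granted locally outside Arvados are dropped, and any existing local group named in `l[:groups]` is now granted on every run rather than only at account creation; if privileged groups are not meant to be controllable from the API response, an explicit allowlist of syncable groups would make that boundary visible. The enclosing `logins.each do |l|` block continues past the end of the hunk.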
@@ -184,7 +211,6 @@ begin
 File.chmod(0700, configarvados)
 end

- devnull.close
 rescue Exception => bang
 puts "Error: " + bang.to_s
 puts bang.backtrace.join("\n")
-- 
2.30.2