author | Liam Hopkins <liamh@google.com> | 2019-06-11 13:57:48 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-06-11 13:57:48 -0700 |
commit | e7cc083cfaace84516d9d5fb99881a154850d638 (patch) | |
tree | 5c66dee4c4e4606e4516a344b8a93f5534202266 /packages | |
parent | e7442e62d2f9aa4f1b841a588fc89ebd1d6e8a58 (diff) | |
Dir refactor (#788)
* Directory layout changes
* New Makefiles
* Update import paths
* Add gtest build
* Update references in README
* Address PR feedback
Diffstat (limited to 'packages')
-rw-r--r-- | packages/google-compute-engine-oslogin/Makefile | 94 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/README.md | 170 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/google_oslogin_control (renamed from packages/google-compute-engine-oslogin/bin/google_oslogin_control) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/man/nss-cache-oslogin.8 (renamed from packages/google-compute-engine-oslogin/nss_module/nss-cache-oslogin.8) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/man/nss-oslogin.8 (renamed from packages/google-compute-engine-oslogin/nss_module/nss-oslogin.8) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/selinux/Makefile (renamed from packages/google-compute-engine-oslogin/policy/Makefile) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/selinux/README.md (renamed from packages/google-compute-engine-oslogin/policy/README.md) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/selinux/oslogin.fc (renamed from packages/google-compute-engine-oslogin/policy/oslogin.fc) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/selinux/oslogin.pp (renamed from packages/google-compute-engine-oslogin/policy/oslogin.pp) | bin | 1798 -> 1798 bytes | |||
-rw-r--r-- | packages/google-compute-engine-oslogin/selinux/oslogin.te (renamed from packages/google-compute-engine-oslogin/policy/oslogin.te) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/Makefile | 85 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/authorized_keys/authorized_keys.cc (renamed from packages/google-compute-engine-oslogin/authorized_keys/authorized_keys.cc) | 2 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/cache_refresh/cache_refresh.cc (renamed from packages/google-compute-engine-oslogin/nss_cache/nss_cache.cc) | 4 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/include/compat.h (renamed from packages/google-compute-engine-oslogin/compat.h) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/include/nss_cache_oslogin.h (renamed from packages/google-compute-engine-oslogin/nss_module/nss_cache_oslogin.h) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/include/oslogin_utils.h (renamed from packages/google-compute-engine-oslogin/utils/oslogin_utils.h) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/nss/compat/getpwent_r.c (renamed from packages/google-compute-engine-oslogin/nss_module/compat/getpwent_r.c) | 0 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/nss/nss_cache_oslogin.c (renamed from packages/google-compute-engine-oslogin/nss_module/nss_cache_oslogin.c) | 4 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/nss/nss_oslogin.cc (renamed from packages/google-compute-engine-oslogin/nss_module/nss_oslogin.cc) | 4 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/pam/pam_oslogin_admin.cc (renamed from packages/google-compute-engine-oslogin/pam_module/pam_oslogin_admin.cc) | 4 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/pam/pam_oslogin_login.cc (renamed from packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc) | 4 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/src/utils.cc (renamed from packages/google-compute-engine-oslogin/utils/oslogin_utils.cc) | 4 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/test/Makefile | 34 | ||||
-rw-r--r-- | packages/google-compute-engine-oslogin/test/oslogin_utils_test.cc (renamed from packages/google-compute-engine-oslogin/utils/oslogin_utils_test.cc) | 2 | ||||
-rwxr-xr-x | packages/google-compute-engine-oslogin/utils/run_tests.sh | 19 |
25 files changed, 229 insertions, 201 deletions
diff --git a/packages/google-compute-engine-oslogin/Makefile b/packages/google-compute-engine-oslogin/Makefile
index 67400cd..b22c16f 100644
--- a/packages/google-compute-engine-oslogin/Makefile
+++ b/packages/google-compute-engine-oslogin/Makefile
@@ -1,89 +1,19 @@ -SHELL = /bin/sh +all install : + $(MAKE) -C src $@ -VERSION = 1.5.3 - -CPPFLAGS = -I/usr/include/json-c -CXXFLAGS = -fPIC -Wall -g -CFLAGS = $(CXXFLAGS) -Wstrict-prototypes - -LDFLAGS = -shared -Wl,-soname,$(SONAME) -LDLIBS = -lcurl -ljson-c -PAMLIBS = -lpam $(LDLIBS) - -# Paths which should be overrideable. - -PREFIX = /usr -LIBDIR = $(PREFIX)/lib -BINDIR = $(PREFIX)/bin -PAMDIR = $(LIBDIR)/security -MANDIR = /usr/share/man - -NSS_OSLOGIN_SONAME = libnss_oslogin.so.2 -NSS_CACHE_OSLOGIN_SONAME = libnss_cache_oslogin.so.2 - -NSS_OSLOGIN = nss_module/libnss_oslogin-$(VERSION).so -NSS_CACHE_OSLOGIN = nss_module/libnss_cache_oslogin-$(VERSION).so - -PAM_LOGIN = pam_module/pam_oslogin_login.so -PAM_ADMIN = pam_module/pam_oslogin_admin.so - -BINARIES = google_oslogin_nss_cache google_authorized_keys bin/google_oslogin_control - -all : $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN) $(PAM_LOGIN) $(PAM_ADMIN) $(BINARIES) +tests : + $(MAKE) -C test $@ clean : - rm -f */*.o */*.so google_oslogin_nss_cache google_authorized_keys - -.PHONY : all clean install - -# NSS modules. - -$(NSS_OSLOGIN) : SONAME = $(NSS_OSLOGIN_SONAME) -$(NSS_OSLOGIN) : nss_module/nss_oslogin.o utils/oslogin_utils.o - $(CXX) $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) $^ -o $@ $(LDLIBS) - -$(NSS_CACHE_OSLOGIN) : SONAME = $(NSS_CACHE_OSLOGIN_SONAME) -$(NSS_CACHE_OSLOGIN) : nss_module/nss_cache_oslogin.o nss_module/compat/getpwent_r.o utils/oslogin_utils.o - $(CXX) $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) $^ -o $@ $(LDLIBS) - -# PAM modules - -$(PAM_LOGIN) : pam_module/pam_oslogin_login.o utils/oslogin_utils.o - $(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS) - -$(PAM_ADMIN) : pam_module/pam_oslogin_admin.o utils/oslogin_utils.o - $(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS) - -# Utilities. 
- -google_authorized_keys : authorized_keys/authorized_keys.o utils/oslogin_utils.o - $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS) - -google_oslogin_nss_cache: nss_cache/nss_cache.o utils/oslogin_utils.o - $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS) + $(MAKE) -C src clean + $(MAKE) -C test clean -# Define these to add dependency on header files. +prowbuild : debian_deps all -utils/oslogin_utils.o : utils/oslogin_utils.cc utils/oslogin_utils.h +prowtest : debian_deps tests -nss_module/nss_cache_oslogin.o : nss_module/nss_cache_oslogin.c nss_module/nss_cache_oslogin.h +debian_deps : + sudo apt-get -y install g++ libcurl4-openssl-dev libjson-c-dev libpam-dev \ + googletest && touch $@ -install: all - install -d $(DESTDIR)$(LIBDIR) - install -d $(DESTDIR)$(PAMDIR) - install -d $(DESTDIR)$(BINDIR) - install -d $(DESTDIR)$(MANDIR)/man8 - install -m 0644 -t $(DESTDIR)$(LIBDIR) $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN) - install -m 0644 -t $(DESTDIR)$(PAMDIR) $(PAM_ADMIN) $(PAM_LOGIN) - install -m 0755 -t $(DESTDIR)$(BINDIR) $(BINARIES) - install -m 0644 -t $(DESTDIR)$(MANDIR)/man8 nss_module/nss-oslogin.8 nss_module/nss-cache-oslogin.8 - gzip -9 $(DESTDIR)$(MANDIR)/man8/nss-oslogin.8 - gzip -9 $(DESTDIR)$(MANDIR)/man8/nss-cache-oslogin.8 - ln -sf nss-oslogin.8.gz $(DESTDIR)$(MANDIR)/man8/$(NSS_OSLOGIN_SONAME).8.gz - ln -sf nss-cache-oslogin.8.gz $(DESTDIR)$(MANDIR)/man8/$(NSS_CACHE_OSLOGIN_SONAME).8.gz - ln -sf $(notdir $(NSS_OSLOGIN)) $(DESTDIR)$(LIBDIR)/$(NSS_OSLOGIN_SONAME) - ln -sf $(notdir $(NSS_CACHE_OSLOGIN)) $(DESTDIR)$(LIBDIR)/$(NSS_CACHE_OSLOGIN_SONAME) -ifdef INSTALL_SELINUX - install -d $(DESTDIR)/usr/share/selinux/packages - install -m 0644 -t $(DESTDIR)/usr/share/selinux/packages policy/oslogin.pp -endif +.PHONY : all clean install prowbuild prowtest diff --git a/packages/google-compute-engine-oslogin/README.md b/packages/google-compute-engine-oslogin/README.md index 6f967c5..4acc31e 100644 --- a/packages/google-compute-engine-oslogin/README.md 
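Review bot: In the new top-level Makefile, `prowbuild : debian_deps all` and `prowtest : debian_deps tests` list the package install and the build as sibling prerequisites, so under `make -j` the sub-make in `src` or `test` can start before `apt-get` has finished. Making the order explicit fixes that, for example `prowbuild : debian_deps` with the recipe `$(MAKE) all` (and the same for `prowtest` with `$(MAKE) tests`). `tests` is also missing from the `.PHONY` line, and `clean` leaves the `debian_deps` stamp file behind, so a stale stamp will skip the install on a fresh image that reuses the tree. Because `debian_deps` runs `sudo apt-get -y install`, a comment such as `# CI image only: installs build dependencies as root` above it would keep developers from triggering it by accident.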
+++ b/packages/google-compute-engine-oslogin/README.md 
@@ -1,76 +1,73 @@ ## OS Login Guest Environment for Google Compute Engine -This package enables Google Cloud OS Login features on Google Compute Engine -instances. +This repository contains the system components responsible for providing Google +Cloud OS Login features on Google Compute Engine instances. **Table of Contents** * [Overview](#overview) * [Components](#components) * [Authorized Keys Command](#authorized-keys-command) - * [NSS Module](#nss-module) - * [PAM Module](#pam-module) - * [Utils](#utils) -* [Utility Directories](#utility-directories) - * [bin](#bin) - * [packaging](#packaging) - * [policy](#policy) + * [NSS Modules](#nss-modules) + * [PAM Modules](#pam-modules) +* [Utilities](#Utilities) + * [Control Script](#control-script) + * [SELinux Policy](#selinux-policy) * [Source Packages](#source-packages) * [DEB](#deb) * [RPM](#rpm) -* [Version Updates](#version-updates) ## Overview -The OS Login package has the following components: +The OS Login Guest Environment consists of the following main components: -* **Authorized Keys Command** to fetch SSH keys from the user's OS Login - profile and make them available to sshd. -* **NSS Module** provides support for making OS Login user and group +* **Authorized Keys Command** which provides SSH keys from the user's OS Login + profile to sshd for authenticating users at login. +* **NSS Modules** which provide support for making OS Login user and group information available to the system, using NSS (Name Service Switch) functionality. -* **PAM Module** provides authorization and authentication support allowing - the system to use data stored in Google Cloud IAM permissions to control - both, the ability to log into an instance, and to perform operations as root - (sudo). -* **Utils** provides common code to support the components listed above. 
- -In addition to the main components, there are also utilities for packaging and -installing these components: - -* **bin** contains a shell script for activating/deactivating the package - components. -* **packaging** contains files used to generate `.deb` and `.rpm` packages for - the OS Login components. -* **policy** contains SELinux "type enforcement" files for configuring SELinux - on CentOS/RHEL systems. +* **PAM Modules** which provide authorization (and authentication if + two-factor support is enabled) support allowing the system to use Google + Cloud IAM permissions to control the ability to log into an instance or to + perform operations as root (via `sudo`). + +In addition to the main components, there are also the following utilities: + +* **google_oslogin_control** is a shell script for activating/deactivating the + OS Login components. +* **google_oslogin_nss_cache** is a utility for updating the local user and + group cache. +* **selinux** contains SELinux policy definition files and a compiled policy + package for configuring SELinux to support OS Login. + +The **packaging** directory also contains files used to generate `.deb` and +`.rpm` packages for the OS Login components. ## Components #### Authorized Keys Command The `google_authorized_keys` binary is designed to be used with the sshd -[AuthorizedKeysCommand](https://linux.die.net/man/5/sshd_config) option in -`sshd_config`. It does the following: +`AuthorizedKeysCommand` option in [sshd_config(5)](https://linux.die.net/man/5/sshd_config). +It does the following: -* Reads the user's profile information from the metadata server. +* Reads the user's profile information from the metadata server: ``` http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username> ``` -* Checks to make sure that the user is authorized to log in. 
+* Checks to make sure that the user is authorized to log in: ``` http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=login ``` * If the check is successful, returns the SSH keys associated with the user - for use by sshd. + for use by sshd. Otherwise, exits with an error code. -#### NSS Module +#### NSS Modules -The `nss_oslogin` module is built and installed in the appropriate `lib` -directory as a shared object with the name `libnss_oslogin.so.2`. The module is -then activated by an `oslogin` entry in `/etc/nsswitch.conf`. The NSS module -supports looking up `passwd` entries from the metadata server via -`getent passwd`. +`libnss_oslogin.so` and `libnss_cache_oslogin.so` are NSS service modules which +make OS Login users and groups available for use on the local system. The module +is activated by adding `oslogin` and `cache_oslogin` entries for services in +[nsswitch.conf(5)](https://linux.die.net/man/5/nsswitch.conf). * To return a list of all users, the NSS module queries: ``` 
@@ -78,47 +75,59 @@ supports looking up `passwd` entries from the metadata server via ``` * To look up a user by username, the NSS module queries: ``` - http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username + http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username> ``` * To look up a user by UID, the NSS module queries: ``` http://metadata.google.internal/computeMetadata/v1/oslogin/users?uid=<uid> ``` -#### PAM Module +#### PAM Modules -The `pam_module` directory contains two modules used by Linux PAM (Pluggable -Authentication Modules). +`pam_oslogin_login.so` is a PAM module which determines whether a given user is +allowed to SSH into an instance. -The first module, `pam_oslogin_login.so`, determines whether a given user is -allowed to SSH into an instance. It is activated by adding an -`account requisite` line to the PAM sshd config file and does the following: +It is activated by adding an entry for the account group to the PAM service +config for sshd as: + ``` + account requisite pam_oslogin_login.so + ``` -* Retrieves the user's profile information from the metadata server. +This module: + +* Retrieves the user's profile information from the metadata server: ``` http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username> ``` -* If the user has OS Login profile information (as opposed to a local user - account), confirms whether the user has permissions to SSH into the - instance. +* If the user does not have OS Login profile information it is passed on to + the system authentication modules to be processed as a local user. +* Otherwise, the module confirms whether the user has permissions to SSH into + the instance: ``` http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=login ``` -* If the user is a local user account or is authorized, PAM returns a success - message and SSH can proceed. 
Otherwise, PAM returns a denied message and the - SSH check will fail. +* If the user is authorized, PAM returns a success message and SSH can + proceed. Otherwise, PAM returns a denied message and the SSH check will + fail. + +`pam_oslogin_admin.so` is a PAM module which determines whether a given user +should have admin (sudo) permissions on the instance. -The second module, `pam_oslogin_admin.so`, determines whether a given user -should have admin (sudo) permissions on the instance. It is activated by adding -an `account optional` line to the PAM sshd config file and does the following: +It is activated by adding an entry for the `account` group to the PAM service +config for sshd config as: + ``` + account optional pam_oslogin_admin.so + ``` + +This module: * Retrieves the user's profile information from the metadata server. ``` http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username> ``` -* If the user is a local user account, the module exits with success. -* If the user is an OS Login user, the module perform an authorization check - to determine if the user has admin permissions. +* If the user is not an OS Login user (a local user account), the module + returns success. +* Otherwise, the module determines if the user has admin permissions: ``` http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=adminLogin ``` 
@@ -127,49 +136,40 @@ an `account optional` line to the PAM sshd config file and does the following: * If the authorization check fails for admin permissions, the file is removed from `/var/google-sudoers.d/` if it exists. -#### Utils - -`oslogin_utils` contains common functions for making HTTP calls, -interacting with the metadata server, and for parsing JSON objects. +## Utilities -## Utility Directories +#### Control Script -#### bin - -The `bin` directory contains a shell script called `google_oslogin_control` that -activates or deactivates the OS Login features. It is called in the pre and post -install scripts in the `.deb` and `.rpm` packages. The control file performs the -following tasks: +The `google_oslogin_control` shell script activates or deactivates the OS Login +features. It is invoked by the google accounts daemon. The control file performs +the following tasks: * Adds (or removes) AuthorizedKeysCommand and AuthorizedKeysCommandUser lines to (from) `sshd_config` and restarts sshd. -* Adds (or removes) `oslogin` to (from) `nsswitch.conf`. +* Adds (or removes) `oslogin` and `cache_oslogin` to (from) `nsswitch.conf`. * Adds (or removes) the `account` entries to (from) the PAM sshd config. Also adds (or removes) the `pam_mkhomedir.so` module to automatically create the home directory for an OS Login user. * Creates (or deletes) the `/var/google-sudoers.d/` directory, and a file called `google-oslogin` in `/etc/sudoers.d/` that includes the directory. -#### packaging - -The `packaging` directory contains files for creating `.deb` and `.rpm` -packages. See [Source Packages](#source-packages) for details. +#### SELinux Policy -#### policy - -The `policy` directory contains `.te` (type enforcement) files used by SELinux -to give the OS Login features the appropriate SELinux permissions. These are -compiled using `checkmodule` and `semodule_package` to create an `oslogin.pp` -that is intstalled in the appropriate SELinux directory. 
+The `selinux` directory contains `.te` (type enforcement) and `.fc` (file +context) files used by SELinux to give the OS Login features the appropriate +SELinux permissions. These are compiled using `checkmodule` and +`semodule_package` to create an policy package `oslogin.pp`. ## Source Packages There is currently support for creating packages for the following distros: -* Debian 8 + * Debian 9 * CentOS/RHEL 6 * CentOS/RHEL 7 +Files for these packages are in the `packaging/` directory. + #### DEB _Note: the `packaging/setup_deb.sh` script performs these steps, but is not @@ -188,9 +188,7 @@ production quality._ directory, excluding the `packaging` directory (where M.M.R is the version number). 1. In a separate directory, extract the `.orig.tar.gz` file and copy the - appropriate `debian` directory into the top level. (e.g. When working on - Debian 8, copy the `debian8` directory to a directory named `debian` within - the code directory.) + `debian` directory into the top level. 1. To build the package, run the command ``` debuild -us -uc diff --git a/packages/google-compute-engine-oslogin/bin/google_oslogin_control b/packages/google-compute-engine-oslogin/google_oslogin_control index 3690564..3690564 100644 --- a/packages/google-compute-engine-oslogin/bin/google_oslogin_control +++ b/packages/google-compute-engine-oslogin/google_oslogin_control diff --git a/packages/google-compute-engine-oslogin/nss_module/nss-cache-oslogin.8 b/packages/google-compute-engine-oslogin/man/nss-cache-oslogin.8 index aaf4f8e..aaf4f8e 100644 --- a/packages/google-compute-engine-oslogin/nss_module/nss-cache-oslogin.8 +++ b/packages/google-compute-engine-oslogin/man/nss-cache-oslogin.8 diff --git a/packages/google-compute-engine-oslogin/nss_module/nss-oslogin.8 b/packages/google-compute-engine-oslogin/man/nss-oslogin.8 index 3f4c763..3f4c763 100644 --- a/packages/google-compute-engine-oslogin/nss_module/nss-oslogin.8 +++ b/packages/google-compute-engine-oslogin/man/nss-oslogin.8 
diff --git a/packages/google-compute-engine-oslogin/policy/Makefile b/packages/google-compute-engine-oslogin/selinux/Makefile
index c858c9d..c858c9d 100644
--- a/packages/google-compute-engine-oslogin/policy/Makefile
+++ b/packages/google-compute-engine-oslogin/selinux/Makefile
diff --git a/packages/google-compute-engine-oslogin/policy/README.md b/packages/google-compute-engine-oslogin/selinux/README.md
index b2cc5a9..b2cc5a9 100644
--- a/packages/google-compute-engine-oslogin/policy/README.md
+++ b/packages/google-compute-engine-oslogin/selinux/README.md
diff --git a/packages/google-compute-engine-oslogin/policy/oslogin.fc b/packages/google-compute-engine-oslogin/selinux/oslogin.fc
index 3e70358..3e70358 100644
--- a/packages/google-compute-engine-oslogin/policy/oslogin.fc
+++ b/packages/google-compute-engine-oslogin/selinux/oslogin.fc
diff --git a/packages/google-compute-engine-oslogin/policy/oslogin.pp b/packages/google-compute-engine-oslogin/selinux/oslogin.pp
Binary files differ
index 6ec6ed0..6ec6ed0 100644
--- a/packages/google-compute-engine-oslogin/policy/oslogin.pp
+++ b/packages/google-compute-engine-oslogin/selinux/oslogin.pp
diff --git a/packages/google-compute-engine-oslogin/policy/oslogin.te b/packages/google-compute-engine-oslogin/selinux/oslogin.te
index 381f769..381f769 100644
--- a/packages/google-compute-engine-oslogin/policy/oslogin.te
+++ b/packages/google-compute-engine-oslogin/selinux/oslogin.te
diff --git a/packages/google-compute-engine-oslogin/src/Makefile b/packages/google-compute-engine-oslogin/src/Makefile
new file mode 100644
index 0000000..46f93e9
--- /dev/null
+++ b/packages/google-compute-engine-oslogin/src/Makefile
@@ -0,0 +1,85 @@
+SHELL = /bin/sh
+TOPDIR = $(realpath ..)
+
+VERSION = 1.5.3
+
+CPPFLAGS = -Iinclude -I/usr/include/json-c
+CXXFLAGS = -fPIC -Wall -g
+CFLAGS = $(CXXFLAGS) -Wstrict-prototypes
+
+LDFLAGS = -shared -Wl,-soname,$(SONAME)
+LDLIBS = -lcurl -ljson-c
+PAMLIBS = -lpam $(LDLIBS)
+
+# Paths which should be overrideable.
+
+PREFIX = /usr
+LIBDIR = $(PREFIX)/lib
+BINDIR = $(PREFIX)/bin
+PAMDIR = $(LIBDIR)/security
+MANDIR = /usr/share/man
+
+NSS_OSLOGIN_SONAME = libnss_oslogin.so.2
+NSS_CACHE_OSLOGIN_SONAME = libnss_cache_oslogin.so.2
+
+NSS_OSLOGIN = libnss_oslogin-$(VERSION).so
+NSS_CACHE_OSLOGIN = libnss_cache_oslogin-$(VERSION).so
+
+PAM_LOGIN = pam_oslogin_login.so
+PAM_ADMIN = pam_oslogin_admin.so
+
+BINARIES = google_oslogin_nss_cache google_authorized_keys
+
+all : $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN) $(PAM_LOGIN) $(PAM_ADMIN) $(BINARIES)
+
+clean :
+ rm -f $(BINARIES)
+ find . -type f \( -iname '*.o' -o -iname '*.so' \) -delete
+
+.PHONY : all clean install
+
+# NSS modules.
+
+$(NSS_OSLOGIN) : SONAME = $(NSS_OSLOGIN_SONAME)
+$(NSS_OSLOGIN) : nss/nss_oslogin.o utils.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) $^ -o $@ $(LDLIBS)
+
+$(NSS_CACHE_OSLOGIN) : SONAME = $(NSS_CACHE_OSLOGIN_SONAME)
+$(NSS_CACHE_OSLOGIN) : nss/nss_cache_oslogin.o nss/compat/getpwent_r.o utils.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) $^ -o $@ $(LDLIBS)
+
+# PAM modules
+
+$(PAM_LOGIN) : pam/pam_oslogin_login.o utils.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS)
+
+$(PAM_ADMIN) : pam/pam_oslogin_admin.o utils.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS)
+
+# Utilities.
+
+google_authorized_keys : authorized_keys/authorized_keys.o utils.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
+
+google_oslogin_nss_cache: cache_refresh/cache_refresh.o utils.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
+
+install: all
+ install -d $(DESTDIR)$(LIBDIR)
+ install -d $(DESTDIR)$(PAMDIR)
+ install -d $(DESTDIR)$(BINDIR)
+ install -d $(DESTDIR)$(MANDIR)/man8
+ install -m 0644 -t $(DESTDIR)$(LIBDIR) $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN)
+ ln -sf $(NSS_OSLOGIN) $(DESTDIR)$(LIBDIR)/$(NSS_OSLOGIN_SONAME)
+ ln -sf $(NSS_CACHE_OSLOGIN) $(DESTDIR)$(LIBDIR)/$(NSS_CACHE_OSLOGIN_SONAME)
+ install -m 0644 -t $(DESTDIR)$(PAMDIR) $(PAM_ADMIN) $(PAM_LOGIN)
+ install -m 0755 -t $(DESTDIR)$(BINDIR) $(BINARIES) $(TOPDIR)/google_oslogin_control
+ install -m 0644 -t $(DESTDIR)$(MANDIR)/man8 $(TOPDIR)/man/nss-oslogin.8 $(TOPDIR)/man/nss-cache-oslogin.8
+ gzip -9 $(DESTDIR)$(MANDIR)/man8/nss-oslogin.8
+ gzip -9 $(DESTDIR)$(MANDIR)/man8/nss-cache-oslogin.8
+ ln -sf nss-oslogin.8.gz $(DESTDIR)$(MANDIR)/man8/$(NSS_OSLOGIN_SONAME).8.gz
+ ln -sf nss-cache-oslogin.8.gz $(DESTDIR)$(MANDIR)/man8/$(NSS_CACHE_OSLOGIN_SONAME).8.gz
+ifdef INSTALL_SELINUX
+ install -d $(DESTDIR)/usr/share/selinux/packages
+ install -m 0644 -t $(DESTDIR)/usr/share/selinux/packages $(TOPDIR)/selinux/oslogin.pp
+endif
diff --git a/packages/google-compute-engine-oslogin/authorized_keys/authorized_keys.cc b/packages/google-compute-engine-oslogin/src/authorized_keys/authorized_keys.cc
index 24d1b26..3eda59c 100644
--- a/packages/google-compute-engine-oslogin/authorized_keys/authorized_keys.cc
+++ b/packages/google-compute-engine-oslogin/src/authorized_keys/authorized_keys.cc
@@ -16,7 +16,7 @@ #include <sstream> #include <string> -#include "../utils/oslogin_utils.h" +#include <oslogin_utils.h> using std::cout; using std::endl; 
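Review bot: The new `src/Makefile` drops the explicit header prerequisites the old Makefile carried (`utils/oslogin_utils.o : utils/oslogin_utils.cc utils/oslogin_utils.h` and the `nss_cache_oslogin.o` rule), so editing anything under `include/` no longer rebuilds the objects that go into the NSS and PAM modules. For libraries that sit in the login path a stale object after a header change is worth avoiding; compiler-generated dependencies cover every object at once: `CPPFLAGS = -Iinclude -I/usr/include/json-c -MMD -MP` plus `-include $(shell find . -name '*.d')`, with `'*.d'` added to the `find` in `clean`. Separately, `CXXFLAGS = -fPIC -Wall -g` is a plain assignment, so hardening flags exported in the environment by a packaging tool would be replaced rather than extended unless they are passed on the make command line; that looks carried over from the old file, but it may be worth confirming how the packages invoke this Makefile.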
diff --git a/packages/google-compute-engine-oslogin/nss_cache/nss_cache.cc b/packages/google-compute-engine-oslogin/src/cache_refresh/cache_refresh.cc index 79e1c8f..bc4a10c 100644 --- a/packages/google-compute-engine-oslogin/nss_cache/nss_cache.cc +++ b/packages/google-compute-engine-oslogin/src/cache_refresh/cache_refresh.cc @@ -23,8 +23,8 @@ #include <fstream> -#include "../compat.h" -#include "../utils/oslogin_utils.h" +#include <compat.h> +#include <oslogin_utils.h> using oslogin_utils::BufferManager; diff --git a/packages/google-compute-engine-oslogin/compat.h b/packages/google-compute-engine-oslogin/src/include/compat.h index 84a1a6f..84a1a6f 100644 --- a/packages/google-compute-engine-oslogin/compat.h +++ b/packages/google-compute-engine-oslogin/src/include/compat.h diff --git a/packages/google-compute-engine-oslogin/nss_module/nss_cache_oslogin.h b/packages/google-compute-engine-oslogin/src/include/nss_cache_oslogin.h index 25c7274..25c7274 100644 --- a/packages/google-compute-engine-oslogin/nss_module/nss_cache_oslogin.h +++ b/packages/google-compute-engine-oslogin/src/include/nss_cache_oslogin.h diff --git a/packages/google-compute-engine-oslogin/utils/oslogin_utils.h b/packages/google-compute-engine-oslogin/src/include/oslogin_utils.h index 6cd2024..6cd2024 100644 --- a/packages/google-compute-engine-oslogin/utils/oslogin_utils.h +++ b/packages/google-compute-engine-oslogin/src/include/oslogin_utils.h diff --git a/packages/google-compute-engine-oslogin/nss_module/compat/getpwent_r.c b/packages/google-compute-engine-oslogin/src/nss/compat/getpwent_r.c index b1be6fc..b1be6fc 100644 --- a/packages/google-compute-engine-oslogin/nss_module/compat/getpwent_r.c +++ b/packages/google-compute-engine-oslogin/src/nss/compat/getpwent_r.c diff --git a/packages/google-compute-engine-oslogin/nss_module/nss_cache_oslogin.c b/packages/google-compute-engine-oslogin/src/nss/nss_cache_oslogin.c index 28f0e0d..ed66a9a 100644 
--- a/packages/google-compute-engine-oslogin/nss_module/nss_cache_oslogin.c +++ b/packages/google-compute-engine-oslogin/src/nss/nss_cache_oslogin.c @@ -14,8 +14,8 @@ // An NSS module which adds supports for file /etc/oslogin_passwd.cache -#include "nss_cache_oslogin.h" -#include "../compat.h" +#include <nss_cache_oslogin.h> +#include <compat.h> #include <sys/mman.h> diff --git a/packages/google-compute-engine-oslogin/nss_module/nss_oslogin.cc b/packages/google-compute-engine-oslogin/src/nss/nss_oslogin.cc index 01ca25a..2f6245a 100644 --- a/packages/google-compute-engine-oslogin/nss_module/nss_oslogin.cc +++ b/packages/google-compute-engine-oslogin/src/nss/nss_oslogin.cc @@ -26,8 +26,8 @@ #include <sstream> #include <string> -#include "../compat.h" -#include "../utils/oslogin_utils.h" +#include <compat.h> +#include <oslogin_utils.h> using std::string; diff --git a/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_admin.cc b/packages/google-compute-engine-oslogin/src/pam/pam_oslogin_admin.cc index d711d80..27abe53 100644 --- a/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_admin.cc +++ b/packages/google-compute-engine-oslogin/src/pam/pam_oslogin_admin.cc @@ -25,8 +25,8 @@ #include <sstream> #include <string> -#include "../compat.h" -#include "../utils/oslogin_utils.h" +#include <compat.h> +#include <oslogin_utils.h> using std::string; diff --git a/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc b/packages/google-compute-engine-oslogin/src/pam/pam_oslogin_login.cc index 0c31aa8..8ddec7b 100644 --- a/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc +++ b/packages/google-compute-engine-oslogin/src/pam/pam_oslogin_login.cc @@ -26,8 +26,8 @@ #include <string> #include <map> -#include "../compat.h" -#include "../utils/oslogin_utils.h" +#include <compat.h> +#include <oslogin_utils.h> using oslogin_utils::ContinueSession; using oslogin_utils::GetUser; 
diff --git a/packages/google-compute-engine-oslogin/utils/oslogin_utils.cc b/packages/google-compute-engine-oslogin/src/utils.cc
index 0ec4c8b..95f6c0b 100644
--- a/packages/google-compute-engine-oslogin/utils/oslogin_utils.cc
+++ b/packages/google-compute-engine-oslogin/src/utils.cc
@@ -34,8 +34,8 @@ #define Regex boost #endif -#include "oslogin_utils.h" -#include "../compat.h" +#include <oslogin_utils.h> +#include <compat.h> using std::string; 
diff --git a/packages/google-compute-engine-oslogin/test/Makefile b/packages/google-compute-engine-oslogin/test/Makefile
new file mode 100644
index 0000000..83d23fd
--- /dev/null
+++ b/packages/google-compute-engine-oslogin/test/Makefile
@@ -0,0 +1,34 @@
+TOPDIR = $(realpath ..)
+
+CPPFLAGS += -I$(TOPDIR)/src/include -I/usr/include/json-c
+CXXFLAGS += -g -Wall -Wextra -std=c++11
+LDLIBS = -lcurl -ljson-c -lpthread
+
+all : test_runner non_network_tests
+
+clean :
+ rm -f test_runner *.o
+
+gtest-all.o : $(GTEST_DIR)/src/gtest-all.cc
+ $(CXX) $(CXXFLAGS) -isystem $(GTEST)/include -I$(GTEST) $(CPPFLAGS) -c $^
+
+test_runner : oslogin_utils_test.o $(TOPDIR)/src/utils.o gtest-all.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
+
+non_network_tests : test_runner
+ ./test_runner --gtest_filter=*-FindGroupTest.*:GetUsersForGroupTest.*
+
+network_tests : test_runner ping reset
+ ./test_runner --gtest_filter=FindGroupTest.*:GetUsersForGroupTest.*
+
+# run as $ make tests GTESTARGS="--gtest_filter=FindGroupTest.*"
+tests : test_runner
+ ./test_runner ${GTESTARGS}
+
+ping :
+ nc -vzw2 metadata.google.internal 80 >/dev/null 2>&1
+
+reset :
+ curl -Ss http://metadata.google.internal/reset >/dev/null 2>&1
+
+.PHONY : all clean tests ping reset gtest prowtest
diff --git a/packages/google-compute-engine-oslogin/utils/oslogin_utils_test.cc b/packages/google-compute-engine-oslogin/test/oslogin_utils_test.cc
index ecc4c11..657b4e1 100644
--- a/packages/google-compute-engine-oslogin/utils/oslogin_utils_test.cc
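Review bot: The `gtest-all.o` rule names its source through `$(GTEST_DIR)` but builds the include paths from `$(GTEST)`, and neither variable is set in this Makefile or passed by the top-level `tests` target as far as the diff shows. With `GTEST` empty the recipe expands to `-isystem /include -I`, and the bare `-I` then consumes the first `CPPFLAGS` token; using one name throughout, `$(CXX) $(CXXFLAGS) -isystem $(GTEST_DIR)/include -I$(GTEST_DIR) $(CPPFLAGS) -c $^`, and failing early with `$(error GTEST_DIR is not set)` when it is empty would make the failure obvious. `test_runner` also depends on `$(TOPDIR)/src/utils.o` with no rule here, so presumably the implicit rule compiles it with this file's flags (no `-fPIC`) and leaves the object in `src/`, where a later `make all` would pick it up for the shared modules. The `.PHONY` line lists `gtest` and `prowtest`, which have no rules in this file, and omits `non_network_tests` and `network_tests`.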
+++ b/packages/google-compute-engine-oslogin/test/oslogin_utils_test.cc @@ -13,7 +13,7 @@ // limitations under the License. // Requires libgtest-dev and gtest compiled and installed. -#include "oslogin_utils.h" +#include <oslogin_utils.h> #include <errno.h> #include <gtest/gtest.h> diff --git a/packages/google-compute-engine-oslogin/utils/run_tests.sh b/packages/google-compute-engine-oslogin/utils/run_tests.sh deleted file mode 100755 index 83adcdc..0000000 --- a/packages/google-compute-engine-oslogin/utils/run_tests.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# Copyright 2017 Google Inc. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Unit tests require gtest to be installed. -g++ -o test_runner oslogin_utils_test.cc oslogin_utils.cc -I/usr/include/json-c -lcurl -ljson-c -lgtest -lpthread -./test_runner -rm ./test_runner |