authorRichard Gallamore <ultima@FreeBSD.org>2018-01-22 00:14:28 +0000
committerRichard Gallamore <ultima@FreeBSD.org>2018-01-22 00:14:28 +0000
commit901160d4962750b6a0db4cd91fb613e16ece95f2 (patch)
tree0e13b8cbe8e01dec33056fda7b9561c7d24cc53d /sysutils/google-compute-engine-oslogin
parent78ae8baa8f33fdc3b1ab889720f3307929e4e902 (diff)
This package enables Google Cloud OS Login features on Google Compute Engine
instances. The OS Login package has the following components: - Authorized Keys Command to fetch SSH keys from the user's OS Login profile and make them available to sshd. - NSS Module provides support for making OS Login user and group information available to the system, using NSS (Name Service Switch) functionality. - PAM Module provides authorization and authentication support allowing the system to use data stored in Google Cloud IAM permissions to control both, the ability to log into an instance, and to perform operations as root (sudo). - Utils provides common code to support the components listed above. In addition to the main components, there are also utilities for packaging and installing these components: - bin contains a shell script for (de)activating the package components. WWW: https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google_compute_engine_oslogin PR: 225014 Submitted by: Helen Koike (maintainer) Reviewed by: mat Differential Revision: https://reviews.freebsd.org/D13811
Notes
Notes: svn path=/head/; revision=459632
Diffstat (limited to 'sysutils/google-compute-engine-oslogin')
-rw-r--r--sysutils/google-compute-engine-oslogin/Makefile46
-rw-r--r--sysutils/google-compute-engine-oslogin/distinfo3
-rw-r--r--sysutils/google-compute-engine-oslogin/files/patch-Makefile11
-rw-r--r--sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control51
-rw-r--r--sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc38
-rw-r--r--sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc28
-rw-r--r--sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc37
-rw-r--r--sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc18
-rw-r--r--sysutils/google-compute-engine-oslogin/pkg-descr19
-rw-r--r--sysutils/google-compute-engine-oslogin/pkg-plist6
10 files changed, 257 insertions, 0 deletions
diff --git a/sysutils/google-compute-engine-oslogin/Makefile b/sysutils/google-compute-engine-oslogin/Makefile
new file mode 100644
index 000000000000..e7e70c3c844d
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/Makefile
@@ -0,0 +1,46 @@
+# $FreeBSD$
+
+PORTNAME= google-compute-engine-oslogin
+DISTVERSION= 1.1.2
+CATEGORIES= sysutils
+
+MAINTAINER= helen.koike@collabora.com
+COMMENT= OS Login Guest Environment for Google Compute Engine
+
+LICENSE= APACHE20
+LICENSE_FILE= ${WRKSRC}/../LICENSE
+
+LIB_DEPENDS= libcurl.so:ftp/curl \
+ libjson-c.so:devel/json-c
+RUN_DEPENDS= gsed:textproc/gsed \
+ ${LOCALBASE}/lib/pam_mkhomedir.so:security/pam_mkhomedir
+
+USES= gmake
+USE_LDCONFIG= yes
+USE_GCC= any
+USE_GITHUB= yes
+GH_ACCOUNT= GoogleCloudPlatform
+GH_PROJECT= compute-image-packages
+GH_TAGNAME= 20171213
+MAKE_ARGS= JSON_INCLUDE_PATH=${LOCALBASE}/include/json-c \
+ BIN_INSTALL_PATH=/bin \
+ PAM_INSTALL_PATH=/lib \
+ AUTHKEYS_INSTALL_PATH=/bin \
+ NSS_LIBRARY_SONAME=nss_oslogin.so.1
+
+WRKSRC_SUBDIR= google_compute_engine_oslogin
+
+PLIST_SUB= DISTVERSION=${DISTVERSION}
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|/etc/sudoers.d|${PREFIX}/etc/sudoers.d|g ; \
+ s|/usr/bin|${PREFIX}/bin|g' ${WRKSRC}/bin/google_oslogin_control
+
+post-install:
+ ${LN} -sf libnss_${PORTNAME}-${DISTVERSION}.so ${STAGEDIR}${PREFIX}/lib/nss_oslogin.so.1
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/google_authorized_keys \
+ ${STAGEDIR}${PREFIX}/lib/libnss_google-compute-engine-oslogin-${DISTVERSION}.so \
+ ${STAGEDIR}${PREFIX}/lib/pam_oslogin_admin.so \
+ ${STAGEDIR}${PREFIX}/lib/pam_oslogin_login.so
+
+.include <bsd.port.mk>
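Review bot: RUN_DEPENDS lists only gsed and pam_mkhomedir, yet post-patch points the control script at `${PREFIX}/etc/sudoers.d`, a directory this port neither creates nor lists in pkg-plist. If the script assumes that directory exists (its body is not shown here), activation on a host without sudo would presumably fail or leave the sudo grants without effect; consider adding `sudo:security/sudo` to RUN_DEPENDS. The second expression, `s|/usr/bin|${PREFIX}/bin|g`, is unanchored and rewrites every `/usr/bin` in the script, so a comment naming the one path it is meant to change would make later upstream updates safer to review.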
diff --git a/sysutils/google-compute-engine-oslogin/distinfo b/sysutils/google-compute-engine-oslogin/distinfo
new file mode 100644
index 000000000000..218a7a9936b3
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1514471176
+SHA256 (GoogleCloudPlatform-compute-image-packages-1.1.2-20171213_GH0.tar.gz) = 483d97c6d64cd7d9002247db63af8cb591e526a09ce52fd8d545c66da3ebb181
+SIZE (GoogleCloudPlatform-compute-image-packages-1.1.2-20171213_GH0.tar.gz) = 131055
diff --git a/sysutils/google-compute-engine-oslogin/files/patch-Makefile b/sysutils/google-compute-engine-oslogin/files/patch-Makefile
new file mode 100644
index 000000000000..f80e5295bef8
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/files/patch-Makefile
@@ -0,0 +1,11 @@
+--- Makefile.orig 2017-12-13 23:47:59 UTC
++++ Makefile
+@@ -15,7 +15,7 @@ AUTHKEYS_INSTALL_PATH = /usr/bin
+ JSON_INCLUDE_PATH = /usr/include/json-c
+ INCLUDE_FLAGS = -I$(JSON_INCLUDE_PATH)
+
+-CXX = g++
++CXX ?= g++
+ CXXFLAGS += -fPIC# -Wall
+ PAMFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared
+ NSSFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared -Wl,-soname,$(NSS_LIBRARY_SONAME)
diff --git a/sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control b/sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control
new file mode 100644
index 000000000000..4a7122951497
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control
@@ -0,0 +1,51 @@
+--- bin/google_oslogin_control.orig 2017-12-13 23:47:59 UTC
++++ bin/google_oslogin_control
+@@ -65,29 +65,31 @@ overwrite_file() {
+
+ remove_from_config() {
+ config=$1
+- sed -i "/${added_comment}/,+1d" ${config}.new
++ gsed -i "/${added_comment}/,+1d" ${config}.new
+ }
+
+ remove_from_nss_config() {
+- sed -i '/^passwd:/ s/ oslogin//' ${nss_config}.new
++ gsed -i '/^passwd:/ s/ oslogin//' ${nss_config}.new
+ }
+
+ add_to_sshd_config() {
+ remove_from_config ${sshd_config}
+- sed -i "\$a${added_comment}\n${sshd_command}" ${sshd_config}.new
+- sed -i "\$a${added_comment}\n${sshd_user}" ${sshd_config}.new
++ gsed -i "\$a${added_comment}\n${sshd_command}" ${sshd_config}.new
++ gsed -i "\$a${added_comment}\n${sshd_user}" ${sshd_config}.new
+ }
+
+ add_to_nss_config() {
+ remove_from_nss_config
+- sed -i '/^passwd:/ s/$/ oslogin/' ${nss_config}.new
++ gsed -i '/^passwd:/ s/$/ oslogin/' ${nss_config}.new
++ # Replace compat by files (as compat cannot be used with other sources)
++ gsed -i '/^passwd:/ s/compat/files/' ${nss_config}.new
+ }
+
+ add_to_pam_config() {
+ remove_from_config ${pam_config}
+- sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new
+- sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new
+- sed -i "/pam_loginuid.so/ a${added_comment}\n${pam_homedir}" ${pam_config}.new
++ gsed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new
++ gsed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new
++ gsed -i "/session.*pam_permit.so/ a${added_comment}\n${pam_homedir}" ${pam_config}.new
+ }
+
+ restart_service() {
+@@ -100,7 +102,7 @@ restart_service() {
+ fi
+ fi
+ if which service > /dev/null 2>&1; then
+- if service --status-all | grep -Fq ${service}; then
++ if service -e | grep -Fq ${service}; then
+ echo "Restarting ${service}."
+ service ${service} restart
+ return $?
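Review bot: `add_to_nss_config` now rewrites `compat` to `files` on the `passwd:` line, but `remove_from_nss_config` still only strips ` oslogin`, so deactivating the package does not restore the original lookup source. On a host that relied on `compat`, account resolution stays changed after removal; either make the substitution reversible in `remove_from_nss_config` or extend the comment to say the change is permanent, e.g. `# Not reverted on deactivation: passwd stays on "files"`. The new PAM anchor `/session.*pam_permit.so/` has a related failure mode: if the target PAM file has no such line, gsed appends nothing and still exits 0, so `${pam_homedir}` is silently left unconfigured. The definitions of `${nss_config}` and `${pam_config}` are outside the hunk, so which files are edited cannot be confirmed from here.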
diff --git a/sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc b/sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc
new file mode 100644
index 000000000000..14e17802d6a3
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc
@@ -0,0 +1,38 @@
+--- nss_module/nss_oslogin.cc.orig 2017-12-13 23:47:59 UTC
++++ nss_module/nss_oslogin.cc
+@@ -16,6 +16,7 @@
+ #include <errno.h>
+ #include <grp.h>
+ #include <nss.h>
++#include <nsswitch.h>
+ #include <pthread.h>
+ #include <pwd.h>
+ #include <sys/types.h>
+@@ -150,4 +151,27 @@ int _nss_oslogin_getpwent_r(struct passw
+ }
+ return NSS_STATUS_SUCCESS;
+ }
++
++NSS_METHOD_PROTOTYPE(__nss_compat_getpwnam_r);
++NSS_METHOD_PROTOTYPE(__nss_compat_getpwuid_r);
++NSS_METHOD_PROTOTYPE(__nss_compat_getpwent_r);
++NSS_METHOD_PROTOTYPE(__nss_compat_setpwent);
++NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);
++
++static ns_mtab methods[] = {
++ { NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, (void*)_nss_oslogin_getpwnam_r },
++ { NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, (void*)_nss_oslogin_getpwuid_r },
++ { NSDB_PASSWD, "getpwent_r", __nss_compat_getpwent_r, (void*)_nss_oslogin_getpwent_r },
++ { NSDB_PASSWD, "endpwent", __nss_compat_endpwent, (void*)_nss_oslogin_endpwent },
++ { NSDB_PASSWD, "setpwent", __nss_compat_setpwent, (void*)_nss_oslogin_setpwent },
++};
++
++ns_mtab *
++nss_module_register (const char *name, unsigned int *size,
++ nss_module_unregister_fn *unregister)
++{
++ *size = sizeof (methods) / sizeof (methods[0]);
++ *unregister = NULL;
++ return (methods);
++}
+ } // extern "C"
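Review bot: The new `methods` table and `nss_module_register` carry no comment, although they are the only FreeBSD-specific code added to this file. A line above the table would help the next maintainer, e.g. `// FreeBSD nsdispatch(3) registration: expose the glibc-style _nss_oslogin_* entry points through the __nss_compat_* wrappers.` Only `NSDB_PASSWD` entries are registered, while pkg-descr speaks of user and group information; if group lookups are intentionally not provided on FreeBSD, the comment should say so. The enclosing `extern "C"` block opens outside the hunk.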
diff --git a/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc b/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc
new file mode 100644
index 000000000000..343d64a74838
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc
@@ -0,0 +1,28 @@
+--- pam_module/pam_oslogin_admin.cc.orig 2017-12-13 23:47:59 UTC
++++ pam_module/pam_oslogin_admin.cc
+@@ -14,7 +14,6 @@
+
+ #define PAM_SM_ACCOUNT
+ #include <security/pam_appl.h>
+-#include <security/pam_ext.h>
+ #include <security/pam_modules.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+@@ -47,7 +46,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ int pam_result = PAM_SUCCESS;
+ const char *user_name;
+ if ((pam_result = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) {
+- pam_syslog(pamh, LOG_INFO, "Could not get pam user.");
++ syslog(LOG_INFO, "Could not get pam user.");
+ return pam_result;
+ }
+ string str_user_name(user_name);
+@@ -77,7 +76,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ if (HttpGet(url.str(), &response, &http_code) && http_code == 200 &&
+ ParseJsonToAuthorizeResponse(response)) {
+ if (!file_exists) {
+- pam_syslog(pamh, LOG_INFO,
++ syslog(LOG_INFO,
+ "Granting sudo permissions to organization user %s.",
+ user_name);
+ std::ofstream sudoers_file;
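Review bot: Replacing `pam_syslog(pamh, …)` with a bare `syslog(LOG_INFO, …)` drops the PAM service and module tag from these records, so the "Granting sudo permissions" line is logged under whatever ident and facility the calling process happens to have set. For an event that grants root, give the record an explicit facility and a module prefix, e.g. `syslog(LOG_AUTHPRIV | LOG_INFO, "pam_oslogin_admin: Granting sudo permissions to organization user %s.", user_name);`. The hunk removes `<security/pam_ext.h>` but does not show `<syslog.h>` being included, so confirm the file includes it directly rather than through a transitive header. The same applies to the three `syslog` calls in patch-pam__module_pam__oslogin__login.cc. `pam_sm_acct_mgmt` starts and ends outside these hunks.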
diff --git a/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc b/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc
new file mode 100644
index 000000000000..08ce7062b08b
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc
@@ -0,0 +1,37 @@
+--- pam_module/pam_oslogin_login.cc.orig 2017-12-13 23:47:59 UTC
++++ pam_module/pam_oslogin_login.cc
+@@ -14,7 +14,6 @@
+
+ #define PAM_SM_ACCOUNT
+ #include <security/pam_appl.h>
+-#include <security/pam_ext.h>
+ #include <security/pam_modules.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+@@ -45,7 +44,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ int pam_result = PAM_PERM_DENIED;
+ const char *user_name;
+ if ((pam_result = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) {
+- pam_syslog(pamh, LOG_INFO, "Could not get pam user.");
++ syslog(LOG_INFO, "Could not get pam user.");
+ return pam_result;
+ }
+ string str_user_name(user_name);
+@@ -88,7 +87,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ chown(users_filename.c_str(), 0, 0);
+ chmod(users_filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP);
+ }
+- pam_syslog(pamh, LOG_INFO,
++ syslog(LOG_INFO,
+ "Granting login permission for organization user %s.",
+ user_name);
+ pam_result = PAM_SUCCESS;
+@@ -96,7 +95,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ if (file_exists) {
+ remove(users_filename.c_str());
+ }
+- pam_syslog(pamh, LOG_INFO,
++ syslog(LOG_INFO,
+ "Denying login permission for organization user %s.", user_name);
+
+ pam_result = PAM_PERM_DENIED;
diff --git a/sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc b/sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc
new file mode 100644
index 000000000000..82830fc235d7
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc
@@ -0,0 +1,18 @@
+--- utils/oslogin_utils.cc.orig 2017-12-13 23:47:59 UTC
++++ utils/oslogin_utils.cc
+@@ -218,7 +218,14 @@ bool ValidatePasswd(struct passwd* resul
+ }
+ }
+ if (strlen(result->pw_shell) == 0) {
+- if (!buf->AppendString("/bin/bash", &result->pw_shell, errnop)) {
++ if (!buf->AppendString("/bin/sh", &result->pw_shell, errnop)) {
++ return false;
++ }
++ }
++
++ // If shell is set to /bin/bash, fallback to /bin/sh
++ if (strcmp(result->pw_shell, "/bin/bash") == 0 ) {
++ if (!buf->AppendString("/bin/sh", &result->pw_shell, errnop)) {
+ return false;
+ }
+ }
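Review bot: The fallback matches only the exact string `/bin/bash`, so a profile shell such as `/usr/bin/bash` or `/bin/zsh`, which may not exist on a FreeBSD host, is passed through and the account ends up with a shell that cannot be executed. The value comes from the remote OS Login profile, so testing the path is more robust than testing one literal: `if (access(result->pw_shell, X_OK) != 0) {` in place of the `strcmp` line (this needs `<unistd.h>` if the file does not already include it). As written the code also overrides the shell on hosts where bash is installed under the ports prefix; the comment should state whether that is intended. `ValidatePasswd` begins and ends outside the hunk.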
diff --git a/sysutils/google-compute-engine-oslogin/pkg-descr b/sysutils/google-compute-engine-oslogin/pkg-descr
new file mode 100644
index 000000000000..8cb83b3fec47
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/pkg-descr
@@ -0,0 +1,19 @@
+This package enables Google Cloud OS Login features on Google Compute Engine
+instances.
+The OS Login package has the following components:
+
+- Authorized Keys Command to fetch SSH keys from the user's OS Login profile and
+make them available to sshd.
+- NSS Module provides support for making OS Login user and group information
+available to the system, using NSS (Name Service Switch) functionality.
+- PAM Module provides authorization and authentication support allowing the
+system to use data stored in Google Cloud IAM permissions to control both, the
+ability to log into an instance, and to perform operations as root (sudo).
+- Utils provides common code to support the components listed above.
+
+In addition to the main components, there are also utilities for packaging and
+installing these components:
+
+- bin contains a shell script for (de)activating the package components.
+
+WWW: https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google_compute_engine_oslogin
diff --git a/sysutils/google-compute-engine-oslogin/pkg-plist b/sysutils/google-compute-engine-oslogin/pkg-plist
new file mode 100644
index 000000000000..52fa576559ea
--- /dev/null
+++ b/sysutils/google-compute-engine-oslogin/pkg-plist
@@ -0,0 +1,6 @@
+bin/google_authorized_keys
+bin/google_oslogin_control
+lib/libnss_google-compute-engine-oslogin-%%DISTVERSION%%.so
+lib/nss_oslogin.so.1
+lib/pam_oslogin_admin.so
+lib/pam_oslogin_login.so