From 3fbb737589cf2fbc62b1ed753b510ca9f372f137 Mon Sep 17 00:00:00 2001
From: Andrew Jeddeloh
Date: Tue, 3 Jul 2018 10:20:25 -0700
Subject: [PATCH] coreos-base/oem-gce: enable oslogin
Enable google cloud oslogin. Use a one-shot systemd unit with ConditionFirstBoot to enable oslogin by flipping some symlinks to oslogin specific ones. Don't do anything if the user has modified one of the files.
---
 .../coreos-base/oem-gce/files/base/base.ign | 14 ++++++++-
 .../oem-gce/files/bin/enable-oslogin | 29 +++++++++++++++++++
 .../units/oem-gce-enable-oslogin.service | 14 +++++++++
 ...0327-r1.ebuild => oem-gce-20180823.ebuild} | 2 ++
 4 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service
 rename sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/{oem-gce-20170327-r1.ebuild => oem-gce-20180823.ebuild} (89%)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/base/base.ign b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/base/base.ign
index 911b4ce30f..ee30505752 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/base/base.ign
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/base/base.ign
@@ -1,6 +1,6 @@
 {
 "ignition": {
- "version": "2.1.0"
+ "version": "2.2.0"
 },
 "storage": {
 "files": [
@@ -12,6 +12,14 @@
 },
 "mode": 292
 },
+ {
+ "filesystem": "root",
+ "path": "/etc/systemd/system/oem-gce-enable-oslogin.service",
+ "contents": {
+ "source": "oem:///units/oem-gce-enable-oslogin.service"
+ },
+ "mode": 292
+ },
 {
 "filesystem": "root",
 "path": "/etc/hosts",
@@ -39,6 +47,10 @@
 {
 "name": "oem-gce.service",
 "enabled": true
+ },
+ {
+ "name": "oem-gce-enable-oslogin.service",
+ "enabled": true
 }
 ]
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
new file mode 100644
index 0000000000..9830d34951
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
@@ -0,0 +1,29 @@
+#!/usr/bin/bash
+
+# Verify all the config files were not touched by the user. Do not try to
+# enable oslogin if the user has messed with them
+
+if [ -e '/etc/pam.d/sshd' ]; then
+ echo '/etc/pam.d/sshd already exists. Not enabling OS Login'
+ exit 0
+fi
+
+if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf' ]; then
+ echo '/etc/nsswitch.conf is not a symlink to /usr/share/baselayout/nsswitch.conf. Not enabling OS Login'
+ exit 0
+fi
+
+if [ "$(readlink -f /etc/ssh/sshd_config)" != '/usr/share/ssh/sshd_config' ]; then
+ echo '/etc/ssh/sshd_config is not a symlink to /usr/share/ssh/sshd_config. Not enabling OS Login'
+ exit 0
+fi
+
+# Actually start enabling things. Die if we fail.
+set -e
+
+mkdir -m 0750 -p '/var/lib/google-sudoers.d'
+mkdir -m 0750 -p '/var/lib/google-users.d'
+ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
+ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
+ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config'
+ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service
new file mode 100644
index 0000000000..ae2e1ffca3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service
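Review bot: The precheck block guards `/etc/pam.d/sshd`, `/etc/nsswitch.conf` and `/etc/ssh/sshd_config` but not `/etc/sudoers.d/oslogin-sudoers`, so the last `ln -f -s` silently replaces any user-provided drop-in of that name, and because `set -e` only aborts at the failing command, a failure at any of the `mkdir`/`ln` steps leaves the host half-switched (pam and nss pointing at OS Login, sshd_config or sudoers not) while the unit's `Before=sshd.service` is ordering only and does not stop sshd from starting. I would add the same existence guard for the sudoers drop-in and wrap the enabling section in an ERR trap that restores exactly the three states the prechecks just verified, so the result is either fully on OS Login or unchanged; the rollback is safe to write concretely only because those guards establish the original state. Per the `new file mode 100644` header the script is committed non-executable; harmless since the ebuild installs it with `doexe`, but `100755` would match intent.

```shell
# … unchanged: first three prechecks …

if [ -e '/etc/sudoers.d/oslogin-sudoers' ]; then
    echo '/etc/sudoers.d/oslogin-sudoers already exists. Not enabling OS Login'
    exit 0
fi

# Actually start enabling things. Die if we fail, and undo any partial switch
# so sshd never starts with pam/nss flipped but sshd_config or sudoers not.
# Restoring these states is correct because the prechecks above verified them.
rollback() {
    rm -f '/etc/pam.d/sshd' '/etc/sudoers.d/oslogin-sudoers'
    ln -f -s '/usr/share/baselayout/nsswitch.conf' '/etc/nsswitch.conf'
    ln -f -s '/usr/share/ssh/sshd_config' '/etc/ssh/sshd_config'
    exit 1
}
trap rollback ERR
set -e

# … unchanged: mkdir and ln calls …
```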
@@ -0,0 +1,14 @@
+[Unit]
+Description=Enable GCE OS Login
+After=local-fs.target
+ConditionFirstBoot=true
+Before=sshd.service
+Before=sshd.socket
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/share/oem/bin/enable-oslogin
+
+[Install]
+WantedBy=sysinit.target
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20170327-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823.ebuild
similarity index 89%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20170327-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823.ebuild
index 8959442026..51cbe03839 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20170327-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823.ebuild
@@ -27,4 +27,6 @@ src_install() {
 doins -r "${FILESDIR}/base"
 doins -r "${FILESDIR}/files"
 doins -r "${FILESDIR}/units"
+ exeinto "/usr/share/oem/bin"
+ doexe "${FILESDIR}/bin/enable-oslogin"
 }
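Review bot: `After=local-fs.target` is the only ordering this unit has toward the OEM partition that holds `ExecStart=/usr/share/oem/bin/enable-oslogin`; if that mount is not itself pulled into local-fs.target the script can be started before its binary is visible, so I would pin the dependency to the path with `RequiresMountsFor=/usr/share/oem` in [Unit]. `Before=sshd.service` and `Before=sshd.socket` are ordering only, so a failed run does not hold sshd back; that is acceptable only if enable-oslogin itself leaves the host either fully switched or untouched, and a comment such as `# Ordering only: sshd still starts if this unit fails; the script must not leave a partial switch` would make that contract explicit to the next maintainer. I cannot tell from this hunk whether the image ships a mount unit for /usr/share/oem, so the RequiresMountsFor suggestion is a hardening of the ordering rather than a confirmed bug.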