From b4a6cf7190db05861577ca9effb7e13e92b8ee7c Mon Sep 17 00:00:00 2001
From: James Le Cuirot <jlecuirot@microsoft.com>
Date: Mon, 31 Mar 2025 15:28:44 +0100
Subject: [PATCH] sys-auth/google-oslogin: Install soname symlinks and general
 tidy up

The missing soname symlinks were causing ldconfig to create them later,
breaking the sandbox. The upstream Makefile installs them for you, so
let's use it even though it needs some taming.

This adds the systemd timer to refresh the NSS cache. This seems
important, and I can't see any reason to omit it.

This also moves the binaries from /usr/libexec to /usr/bin. Upstream has
always put them in /usr/bin, and putting them elsewhere requires tweaks.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
 .../sys-auth/google-oslogin/Manifest          |  2 +-
 .../files/60-flatcar-google-oslogin.conf      |  2 +-
 .../files/google-oslogin-pkg-config.patch     | 20 +++++
 ...var.patch => google-oslogin-var-lib.patch} | 17 +---
 .../sys-auth/google-oslogin/files/sshd_config |  2 +-
 .../google-oslogin-20200910.00-r3.ebuild      | 57 -------------
 .../google-oslogin-20200910.00-r4.ebuild      | 81 +++++++++++++++++++
 7 files changed, 108 insertions(+), 73 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch
 rename sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/{0001-pam_module-use-var-lib-instead-of-var.patch => google-oslogin-var-lib.patch} (55%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
index f1bedb2e82..f0f6c0f8e2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
@@ -1 +1 @@
-DIST 20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834
+DIST guest-oslogin-20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf
index d9f62661bf..13806e51fa 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf
@@ -1,3 +1,3 @@
 # Needed for google oslogin
-AuthorizedKeysCommand /usr/libexec/google_authorized_keys
+AuthorizedKeysCommand /usr/bin/google_authorized_keys
 AuthorizedKeysCommandUser root
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch
new file mode 100644
index 0000000000..5ec931a8b1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch
@@ -0,0 +1,20 @@
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -1,14 +1,14 @@
+ SHELL = /bin/sh
+ TOPDIR = $(realpath ..)
+ 
+-CPPFLAGS = -Iinclude -I/usr/include/json-c
++CPPFLAGS := -Iinclude $(shell $(PKG_CONFIG) --cflags libcurl json-c pam)
+ FLAGS = -fPIC -Wall -g
+ CFLAGS = $(FLAGS) -Wstrict-prototypes
+ CXXFLAGS = $(FLAGS)
+ 
+ LDFLAGS = -shared -Wl,-soname,$(SONAME)
+-LDLIBS = -lcurl -ljson-c
+-PAMLIBS = -lpam $(LDLIBS)
++LDLIBS := $(shell $(PKG_CONFIG) --libs libcurl json-c)
++PAMLIBS := $(shell $(PKG_CONFIG) --libs pam) $(LDLIBS)
+ 
+ # Paths which should be overrideable.
+ 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-var-lib.patch
similarity index 55%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-var-lib.patch
index 65fae86284..53542e80d6 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-var-lib.patch
@@ -3,15 +3,8 @@ From: Andrew Jeddeloh <andrew.jeddeloh@coreos.com>
 Date: Fri, 6 Jul 2018 15:54:40 -0700
 Subject: [PATCH] pam_module: use /var/lib/ instead of /var
 
----
- guest-oslogin/src/pam/pam_oslogin_admin.cc | 2 +-
- guest-oslogin/src/pam/pam_oslogin_login.cc | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/guest-oslogin/src/pam/pam_oslogin_admin.cc b/guest-oslogin/src/pam/pam_oslogin_admin.cc
-index 04d0808..376916e 100644
---- a/guest-oslogin/src/pam/pam_oslogin_admin.cc
-+++ b/guest-oslogin/src/pam/pam_oslogin_admin.cc
+--- a/src/pam/pam_oslogin_admin.cc
++++ b/src/pam/pam_oslogin_admin.cc
 @@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
  using oslogin_utils::UrlEncode;
  using oslogin_utils::kMetadataServerUrl;
@@ -21,10 +14,8 @@ index 04d0808..376916e 100644
  
  extern "C" {
  
-diff --git a/guest-oslogin/src/pam/pam_oslogin_login.cc b/guest-oslogin/src/pam/pam_oslogin_login.cc
-index 9e708f4..428600b 100644
---- a/guest-oslogin/src/pam/pam_oslogin_login.cc
-+++ b/guest-oslogin/src/pam/pam_oslogin_login.cc
+--- a/src/pam/pam_oslogin_login.cc
++++ b/src/pam/pam_oslogin_login.cc
 @@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
  using oslogin_utils::UrlEncode;
  using oslogin_utils::kMetadataServerUrl;
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config
index 7b51b214e4..59b661f9f0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config
@@ -9,7 +9,7 @@ UsePAM yes
 PrintLastLog no # handled by PAM
 PrintMotd no # handled by PAM
 # Needed for google oslogin
-AuthorizedKeysCommand /usr/libexec/google_authorized_keys
+AuthorizedKeysCommand /usr/bin/google_authorized_keys
 AuthorizedKeysCommandUser root
 # Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
 # until most ssh clients could deprecate ssh-rsa.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild
deleted file mode 100644
index 679e0c0b3a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
-HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
-SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64"
-IUSE=""
-
-inherit pam toolchain-funcs
-
-DEPEND="
-	net-misc/curl[ssl]
-	dev-libs/json-c
-	sys-libs/pam
-"
-
-RDEPEND="${DEPEND}"
-
-S=${WORKDIR}/guest-oslogin-${PV}/
-
-src_prepare() {
-	eapply -p2 "$FILESDIR/0001-pam_module-use-var-lib-instead-of-var.patch"
-	default
-}
-
-src_compile() {
-	emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" \
-            VERSION=${PV} \
-            JSON_INCLUDE_PATH="${SYSROOT%/}/usr/include/json-c"
-}
-
-src_install() {
-	dolib.so src/libnss_cache_oslogin-${PV}.so
-	dolib.so src/libnss_oslogin-${PV}.so
-
-	exeinto /usr/libexec
-	doexe src/google_authorized_keys
-	doexe src/google_oslogin_nss_cache
-
-	dopammod src/pam_oslogin_admin.so
-	dopammod src/pam_oslogin_login.so
-
-	# config files the base Ignition config will create links to
-	insinto /usr/share/google-oslogin
-	doins "${FILESDIR}/sshd_config"
-	doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
-	doins "${FILESDIR}/nsswitch.conf"
-	doins "${FILESDIR}/pam_sshd"
-	doins "${FILESDIR}/oslogin-sudoers"
-	doins "${FILESDIR}/group.conf"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild
new file mode 100644
index 0000000000..0602182066
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MY_P="guest-oslogin-${PV}"
+DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz -> ${MY_P}.tar.gz"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE="systemd"
+
+inherit pam systemd toolchain-funcs
+
+DEPEND="
+	net-misc/curl[ssl]
+	dev-libs/json-c:=
+	sys-libs/pam
+"
+
+RDEPEND="
+	${DEPEND}
+	systemd? ( sys-apps/systemd )
+	!systemd? ( virtual/cron )
+"
+
+BDEPEND="
+	virtual/pkgconfig
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-var-lib.patch
+	"${FILESDIR}"/${PN}-pkg-config.patch
+)
+
+my_emake() {
+	emake \
+		VERSION="${PV}" \
+		PKG_CONFIG="$(tc-getPKG_CONFIG)" \
+		"${@}"
+}
+
+src_compile() {
+	my_emake \
+		CC="$(tc-getCC)" \
+		CXX="$(tc-getCXX)"
+}
+
+src_install() {
+	my_emake \
+		DESTDIR="${D}" \
+		PREFIX="${EPREFIX}/usr" \
+		BINDIR="\$(PREFIX)/bin" \
+		CRONDIR="${EPREFIX}/etc/cron.d" \
+		LIBDIR="\$(PREFIX)/$(get_libdir)" \
+		MANDIR="\$(PREFIX)/share/man" \
+		PAMDIR="$(getpam_mod_dir)" \
+		PRESETDIR="$(systemd_get_systempresetdir)" \
+		SYSTEMDDIR="$(systemd_get_systemunitdir)" \
+		INSTALL_CRON=$(usex !systemd 1 '') \
+		install
+
+	# Flatcar doesn't need this script.
+	rm "${ED}"/usr/bin/google_oslogin_control || die
+
+	# man pages need fixing up for Gentoo QA but Flatcar drops them anyway.
+	rm -r "${ED}"/usr/share/man || die
+
+	# config files the base Ignition config will create links to
+	insinto /usr/share/google-oslogin
+	doins "${FILESDIR}/sshd_config"
+	doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
+	doins "${FILESDIR}/nsswitch.conf"
+	doins "${FILESDIR}/pam_sshd"
+	doins "${FILESDIR}/oslogin-sudoers"
+	doins "${FILESDIR}/group.conf"
+}