[ARVADOS] created: 2dd5e12d5cd92fbc746bb1d3e30dfba3e871fd72
commit 2dd5e12d5cd92fbc746bb1d3e30dfba3e871fd72
Author: Tom Clegg <tom at curoverse.com>
Date: Tue Oct 18 08:35:13 2016 -0400
10232: Own just a section of authorized_keys instead of clobbering the whole thing, unless --xclusive flag given
diff --git a/services/login-sync/bin/arvados-login-sync b/services/login-sync/bin/arvados-login-sync
index b25ed94..89f6b03 100755
--- a/services/login-sync/bin/arvados-login-sync
+++ b/services/login-sync/bin/arvados-login-sync
@@ -14,6 +14,13 @@ req_envs.each do |k|
end
end
+exclusive_mode = ARGV.index("--exclusive")
+exclusive_banner = "#######################################################################################
+# THIS FILE IS MANAGED BY #{$0} -- CHANGES WILL BE OVERWRITTEN #
+#######################################################################################\n\n"
+start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n"
+end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n"
+
keys = ''
seen = Hash.new
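Review bot: `exclusive_banner`, defined at the top of this hunk, embeds `$0`, so the `oldkeys.start_with?(exclusive_banner)` test in the next hunk only recognises a file written by this script when it was invoked via exactly the same path; run it as `./arvados-login-sync` instead of by absolute path (or after a rename or package move) and a previously fully-managed file falls into the default branch, where its old contents — including keys the sync no longer vouches for — are kept below the new marker section. Since the banner is the only signal that a file is exclusive-managed, recognition should not depend on the invocation path: keep writing `exclusive_banner` as is, but detect it with a pattern such as `exclusive_re = /\A#+\n# THIS FILE IS MANAGED BY .* -- CHANGES WILL BE OVERWRITTEN #\n/` and test `oldkeys =~ exclusive_re` instead of `start_with?`. Files written by the previous version of this script carry the same banner text (see the removed lines in the next hunk), so the pattern covers them too.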
@@ -87,20 +94,34 @@ begin
@homedir = Etc.getpwnam(l[:username]).dir
userdotssh = File.join(@homedir, ".ssh")
Dir.mkdir(userdotssh) if !File.exists?(userdotssh)
- @key = "#######################################################################################
-# THIS FILE IS MANAGED BY #{$0} -- CHANGES WILL BE OVERWRITTEN #
-#######################################################################################\n\n"
- @key += keys[l[:username]].join("\n") + "\n"
- userauthkeys = File.join(userdotssh, "authorized_keys")
- if !File.exists?(userauthkeys) or IO::read(userauthkeys) != @key then
- f = File.new(userauthkeys, 'w')
- f.write(@key)
+ newkeys = keys[l[:username]].join("\n") + "\n"
+ keysfile = File.join(userdotssh, "authorized_keys")
+
+ if File.exists?(keysfile)
+ oldkeys = IO::read(keysfile)
+ else
+ oldkeys = ""
+ end
+
+ if exclusive_mode
+ newkeys = exclusive_banner + newkeys
+ elsif oldkeys.start_with?(exclusive_banner)
+ newkeys = start_banner + newkeys + end_banner
+ elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
+ newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
+ else
+ newkeys = start_banner + newkeys + end_banner + oldkeys
+ end
+
+ if oldkeys != newkeys then
+ f = File.new(keysfile, 'w')
+ f.write(newkeys)
f.close()
end
FileUtils.chown_R(l[:username], nil, userdotssh)
File.chmod(0700, userdotssh)
File.chmod(0750, @homedir)
- File.chmod(0600, userauthkeys)
+ File.chmod(0600, keysfile)
end
devnull.close
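Review bot: `IO::read(keysfile)` and `File.new(keysfile, 'w')` both follow symlinks, yet they operate on a path inside a directory this loop hands to the user (`chown_R` on `userdotssh` a few lines later) while the script itself evidently runs with enough privilege to chown; a user who replaces `~/.ssh/authorized_keys` with a symlink to, say, another account's authorized_keys gets the sync to read that file and write it back with the user's own key section prepended. The write is also a truncate-in-place, so a crash between `File.new` and `f.write` leaves an empty authorized_keys and locks the account out until the next run. Open both ends with `File::NOFOLLOW` after an `lstat` regular-file check, and publish through a temporary file plus `File.rename` so the replacement is atomic; the loop body that starts this `begin` block lies outside the hunk, so whether a non-regular file should skip the user or abort the run depends on the surrounding error handling. Separately, the markers are interpolated into the regexp unescaped; `Regexp.escape(start_banner)` keeps that match correct should the banner text ever gain metacharacters.
```ruby
if File.exists?(keysfile)
  # lstat + NOFOLLOW: never read through a user-planted symlink
  raise Errno::ELOOP, keysfile unless File.lstat(keysfile).file?
  oldkeys = File.open(keysfile, File::RDONLY | File::NOFOLLOW) { |f| f.read }
else
  oldkeys = ""
end

# … unchanged: exclusive/marker-section assembly of newkeys …

if oldkeys != newkeys
  # write beside the target, then rename: atomic replace, no truncate window
  tmpfile = File.join(userdotssh, ".authorized_keys.#{Process.pid}")
  File.open(tmpfile, File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW, 0600) { |f| f.write(newkeys) }
  File.rename(tmpfile, keysfile)
end
```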