Hello community,
here is the log from the commit of package google-guest-oslogin for
openSUSE:Factory checked in at 2025-09-02 18:00:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/google-guest-oslogin (Old)
and /work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "google-guest-oslogin"
Tue Sep 2 18:00:42 2025 rev:35 rq:1302435 version:20250821.00
Changes:
--------
---
/work/SRC/openSUSE:Factory/google-guest-oslogin/google-guest-oslogin.changes
2025-07-14 10:58:36.853823691 +0200
+++
/work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1977/google-guest-oslogin.changes
2025-09-02 18:02:10.724221797 +0200
@@ -1,0 +2,8 @@
+Tue Sep 2 12:50:52 UTC 2025 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update to version 20250821.00
+ * Check policy uses adminLogin for cloud run (#165)
+- from version 20250807.00
+ * Extract the principal from certs when cloud_run enabled (#164)
+
+-------------------------------------------------------------------
Old:
----
google-guest-oslogin-20250710.00.tar.gz
New:
----
google-guest-oslogin-20250821.00.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ google-guest-oslogin.spec ++++++
--- /var/tmp/diff_new_pack.6SxSi5/_old 2025-09-02 18:02:11.220242638 +0200
+++ /var/tmp/diff_new_pack.6SxSi5/_new 2025-09-02 18:02:11.220242638 +0200
@@ -26,7 +26,7 @@
%{!?_pam_moduledir: %define _pam_moduledir %{_pamdir}}
Name: google-guest-oslogin
-Version: 20250710.00
+Version: 20250821.00
Release: 0
Summary: Google Cloud Guest OS Login
License: Apache-2.0
++++++ google-guest-oslogin-20250710.00.tar.gz ->
google-guest-oslogin-20250821.00.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20250710.00/src/authorized_principals/authorized_principals.cc
new/guest-oslogin-20250821.00/src/authorized_principals/authorized_principals.cc
---
old/guest-oslogin-20250710.00/src/authorized_principals/authorized_principals.cc
2025-07-10 23:41:52.000000000 +0200
+++
new/guest-oslogin-20250821.00/src/authorized_principals/authorized_principals.cc
2025-08-08 16:36:56.000000000 +0200
@@ -42,7 +42,7 @@
int main(int argc, char* argv[]) {
size_t fp_len;
- char *user_name, *cert, *fingerprint;
+ char *user_name, *cert, *fingerprint, *principal;
struct sigaction sig;
struct AuthOptions opts;
string user_response;
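Review bot: The new `principal` on the `char *user_name, *cert, *fingerprint, *principal;` line is left uninitialized, while FingerPrintFromBlob can return 0 without ever touching it (the empty-blob early return in oslogin_sshca.cc returns before any parsing). Any cleanup of `principal` on the `fail` path, which this change needs (see the `free(fingerprint)` hunk below), would then read an indeterminate pointer. Initialize both out-pointers at declaration: `char *user_name, *cert, *fingerprint = NULL, *principal = NULL;`. The body of main continues outside this hunk, so the `fail` label itself is not visible here.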
@@ -73,7 +73,7 @@
cert = argv[2];
if (argc == 4) {
- if(strcmp(argv[3], "--cloud_run") == 0) {
+ if (strcmp(argv[3], "--cloud_run") == 0) {
cloud_run = true;
} else {
SysLogErr("Invalid input argument %s. Exiting.", argv[3]);
@@ -81,7 +81,7 @@
}
}
- fp_len = FingerPrintFromBlob(cert, &fingerprint);
+ fp_len = FingerPrintFromBlob(cert, &fingerprint, &principal);
if (fp_len == 0) {
SysLogErr("Could not extract/parse fingerprint from certificate.");
goto fail;
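Review bot: The `goto fail` after `fp_len == 0` now discards `principal` without releasing it, and the updated TestInvalidNoFpCert shows that FingerPrintFromBlob does populate `principal` for the INVALID_*_NO_FP inputs even though it returns 0 (the test has to `free(principal)` there). Unless the `fail` label, which is outside this hunk, frees it, every malformed-but-parseable certificate leaks the principal buffer in a process sshd spawns per authentication attempt. Either free it here before the jump, `free(principal);`, or have the `fail` path free both out-buffers (which requires them to be NULL-initialized at declaration).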
@@ -90,8 +90,18 @@
opts.fingerprint = fingerprint;
opts.fp_len = fp_len;
- if (AuthorizeUser(user_name, opts, &user_response, cloud_run)) {
- cout << user_name << endl;
+ if (cloud_run) {
+ if (strcmp(user_name, "root") != 0) {
+ SysLogErr("Cloud Run only accepts the root user, get %s. Exiting",
user_name);
+ goto fail;
+ }
+ if (AuthorizeUser(principal, opts, &user_response, cloud_run)) {
+ cout << principal << endl;
+ }
+ } else {
+ if (AuthorizeUser(user_name, opts, &user_response, cloud_run)) {
+ cout << user_name << endl;
+ }
}
free(fingerprint);
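Review bot: The trailing `free(fingerprint);` has no counterpart for `principal`, which this hunk introduces as a heap buffer (the test hunk frees it with `free(principal)`), so the success path leaks it on both branches; add `free(principal);` next to it. The cloud_run branch also uses `principal` without checking it: `AuthorizeUser(principal, ...)` and `cout << principal` would dereference NULL if GetExtension ever reached the fingerprint with no principal stored, which cannot be ruled out from here since the `exts_len < 0` guard in GetByoidFingerPrint is dead (size_t). A one-line guard before the call, `if (principal == NULL) { SysLogErr("Cloud Run requires a certificate principal. Exiting."); goto fail; }`, closes that. Note that in this mode the value echoed to sshd as the authorized principal is whatever the certificate carries, so the trust in it rests entirely on sshd having verified the CA signature before invoking this command and on the adminLogin policy check; a comment stating that assumption above the branch would help the next reader.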
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20250710.00/src/include/oslogin_sshca.h
new/guest-oslogin-20250821.00/src/include/oslogin_sshca.h
--- old/guest-oslogin-20250710.00/src/include/oslogin_sshca.h 2025-07-10
23:41:52.000000000 +0200
+++ new/guest-oslogin-20250821.00/src/include/oslogin_sshca.h 2025-08-08
16:36:56.000000000 +0200
@@ -15,7 +15,7 @@
#ifndef _OSLOGIN_SSHCA_H_
#define _OSLOGIN_SSHCA_H_ 1
-#include "include/compat.h"
+#include "compat.h"
#include <ctype.h>
#include <security/pam_modules.h>
#include <stdlib.h>
@@ -44,7 +44,7 @@
namespace oslogin_sshca {
// The public interface - given a blob with a list of certificates we parse
each of
// them until we find the first fingerprint.
-int FingerPrintFromBlob(const char *blob, char **fingerprint);
+int FingerPrintFromBlob(const char *blob, char **fingerprint, char
**principal);
}
#endif
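Review bot: The comment above `FingerPrintFromBlob` still only describes the fingerprint and says nothing about the new `principal` out-parameter, which is the value authorized_principals now hands to sshd. The implementation hunk shows it receives the first entry of the certificate's "valid principals" list, heap-allocated, and the test hunk shows it is populated even when the function returns 0; the header is where callers will look for that. Suggested addition after the existing sentence: `// On return *principal holds the first entry of the cert's "valid principals" list (malloc'd, caller frees; may be set even when 0 is returned). Passing NULL skips principal extraction.` Hedge the last clause against the NULL handling in oslogin_sshca.cc, which currently logs an error for NULL but proceeds.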
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20250710.00/src/oslogin_sshca.cc
new/guest-oslogin-20250821.00/src/oslogin_sshca.cc
--- old/guest-oslogin-20250710.00/src/oslogin_sshca.cc 2025-07-10
23:41:52.000000000 +0200
+++ new/guest-oslogin-20250821.00/src/oslogin_sshca.cc 2025-08-08
16:36:56.000000000 +0200
@@ -145,10 +145,10 @@
return 0;
}
-static int GetExtension(const char *key, size_t k_len, char **exts) {
+static int GetExtension(const char *key, size_t k_len, char **exts, char
**principal) {
SSHCertType* impl = NULL;
- size_t n_len, t_len, tmp_exts_len, ret = -1;
- char *tmp_exts, *tmp_head, *type, *key_b64, *head;
+ size_t n_len, t_len, tmp_exts_len, tmp_prin_len, ret = -1;
+ char *tmp_exts, *tmp_prin, *tmp_head, *type, *key_b64, *head;
head = tmp_head = NULL;
@@ -203,9 +203,15 @@
goto out;
}
- // Skip valid principals.
- if (GetString(&key_b64, &n_len, NULL, NULL) < 0) {
- SysLogErr("Failed to skip cert's \"valid principals\" field.");
+ // Extract valid principals.
+ if (GetString(&key_b64, &n_len, &tmp_prin, &tmp_prin_len) < 0) {
+ SysLogErr("Failed to extract cert's \"valid principals\" field.");
+ goto out;
+ }
+
+ // The field principal is a self described/sized buffer. Ignore the length
of principal as it is not needed.
+ if (GetString(&tmp_prin, &tmp_prin_len, principal, NULL) < 0) {
+ SysLogErr("Failed to read principal.");
goto out;
}
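Review bot: The first `GetString(&key_b64, &n_len, &tmp_prin, &tmp_prin_len)` fills `tmp_prin` with the whole principals field, but nothing in the hunk releases it, and the function's `out:` label is outside the hunk; given that the same call shape produces the `principal` buffer the test frees, `tmp_prin` is presumably malloc'd and leaks once per parsed certificate. Only the first principal is read from the list, so a certificate issued for several principals is reported under whichever one comes first; the comment should say so explicitly, e.g. `// Only the first of the cert's valid principals is returned.`, and multi-principal certs deserve a test. An empty principals list (zero-length field) appears to make the inner `GetString` fail and reject the whole certificate with "Failed to read principal", which would also reject such certs for the non-cloud_run path that previously skipped the field; if that is unintended, skip the inner read when `tmp_prin_len == 0`. The comment `// The field principal is a self described/sized buffer.` is hard to parse; `// The principals field is itself a list of length-prefixed strings; take the first one.` says what the code does.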
@@ -261,11 +267,11 @@
return strlen(*out);
}
-static int GetByoidFingerPrint(const char *blob, char **fingerprint) {
+static int GetByoidFingerPrint(const char *blob, char **fingerprint, char
**principal) {
size_t f_len, exts_len = -1;
char *exts = NULL;
- exts_len = GetExtension(blob, strlen(blob), &exts);
+ exts_len = GetExtension(blob, strlen(blob), &exts, principal);
if (exts_len < 0) {
SysLogErr("Could not parse/extract extension from SSH CA cert.");
goto out;
@@ -283,7 +289,7 @@
return f_len;
}
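Review bot: The new `exts_len = GetExtension(blob, strlen(blob), &exts, principal);` stores the result in a `size_t`, so the `if (exts_len < 0)` guard right below it can never be true and GetExtension's `ret = -1` (also declared `size_t` in the hunk above) arrives here as SIZE_MAX and is not caught. This predates the change, but the added principal extraction introduces new failure exits in GetExtension that all go through that dead check, so an error now silently falls into the fingerprint lookup with `exts` possibly NULL. Make the length signed, `ssize_t exts_len;` with a matching return type on GetExtension, or compare against the sentinel explicitly, `if (exts_len == (size_t)-1)`. The rest of GetByoidFingerPrint is outside this hunk.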
-int FingerPrintFromBlob(const char *blob, char **fingerprint) {
+int FingerPrintFromBlob(const char *blob, char **fingerprint, char **
principal) {
if (blob == NULL || strlen(blob) == 0) {
SysLogErr("Could not parse/extract fingerprint from SSH CA cert's
extension: \"blob\" is empty.");
return 0;
@@ -294,7 +300,11 @@
return 0;
}
- return GetByoidFingerPrint(blob, fingerprint);
+ if (principal == NULL) {
+ SysLogErr("Could not parse/extract pincipal from SSH CA cert:
\"principal\" is NULL.");
+ }
+
+ return GetByoidFingerPrint(blob, fingerprint, principal);
}
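Review bot: The new `if (principal == NULL)` block logs an error but then falls through to `GetByoidFingerPrint` with the NULL anyway, so the log line is misleading either way: if NULL is a legitimate "fingerprint only" call (the pre-change code skipped the principals field with exactly this NULL/NULL `GetString` shape, and the new code passes `principal` straight into that position), it should not be reported as an error; if it is not legitimate, the block should `return 0;`. Pick one and make it explicit; for the permissive reading replace the block with the comment `// principal may be NULL when the caller only needs the fingerprint; the field is then skipped.` The message also misspells "principal" as "pincipal", and the rest of FingerPrintFromBlob's argument validation is outside this hunk.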
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20250710.00/src/oslogin_utils.cc
new/guest-oslogin-20250821.00/src/oslogin_utils.cc
--- old/guest-oslogin-20250710.00/src/oslogin_utils.cc 2025-07-10
23:41:52.000000000 +0200
+++ new/guest-oslogin-20250821.00/src/oslogin_utils.cc 2025-08-08
16:36:56.000000000 +0200
@@ -1376,6 +1376,15 @@
return false;
}
+ // Only check adminLogin for cloud run. Skip file creations.
+ if (cloud_run) {
+ bool result = ApplyPolicy(user_name, email, "adminLogin", opts);
+ if (!result) {
+ SysLogErr("Could not grant root access to organization user: %s.",
user_name);
+ }
+ return result;
+ }
+
users_filename = kUsersDir;
users_filename.append(user_name);
users_file_exists = FileExists(users_filename.c_str());
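Review bot: The new cloud_run branch consults only the `adminLogin` policy and returns before the existing `login` check, whereas the previous code evaluated `login` for cloud_run; whether `adminLogin` implies `login` server-side cannot be seen from here, so the code should state the intent, e.g. `// Cloud Run always maps to root (enforced in authorized_principals); adminLogin alone gates it, and no user file is created.` Note that in this mode `user_name` is the certificate principal extracted by authorized_principals rather than a local account name, which the "organization user" wording in the log line obscures. The enclosing function starts before this hunk, so the declaration of `cloud_run` and `email` is not visible.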
@@ -1383,17 +1392,12 @@
if (!ApplyPolicy(user_name, email, "login", opts)) {
// Couldn't apply "login" policy for user in question, log it and deny.
SysLogErr("Could not grant access to organization user: %s.", user_name);
- if (users_file_exists && !cloud_run) {
+ if (users_file_exists) {
remove(users_filename.c_str());
}
return false;
}
- // skip file creations for cloud run.
- if (cloud_run) {
- return true;
- }
-
if (!users_file_exists && !CreateGoogleUserFile(users_filename)) {
// If we can't create users file we can't grant access, log it and deny.
SysLogErr("Failed to create user's file.");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20250710.00/test/oslogin_sshca_test.cc
new/guest-oslogin-20250821.00/test/oslogin_sshca_test.cc
--- old/guest-oslogin-20250710.00/test/oslogin_sshca_test.cc 2025-07-10
23:41:52.000000000 +0200
+++ new/guest-oslogin-20250821.00/test/oslogin_sshca_test.cc 2025-08-08
16:36:56.000000000 +0200
@@ -346,49 +346,57 @@
TEST(SSHCATests, TestValidSingleExtCert) {
struct {
const char *key;
+ const char *principal;
} *iter, tests[] = {
- {VALID_RSA_SINGLE_EXT},
- {VALID_RSA_MULTI_EXT},
- {VALID_RSA_MULTI_EQUAL_EXT},
- {VALID_DSA_SINGLE_EXT},
- {VALID_DSA_MULTI_EXT},
- {VALID_ECDSA_SINGLE_EXT},
- {VALID_ECDSA_MULTI_EXT},
- {VALID_ED25519_SINGLE_EXT},
- {VALID_ED25519_MULTI_EXT},
- { NULL },
+ {VALID_RSA_SINGLE_EXT, "[email protected]"},
+ {VALID_RSA_MULTI_EXT, "[email protected]"},
+ {VALID_RSA_MULTI_EQUAL_EXT, "fakey"},
+ {VALID_DSA_SINGLE_EXT, "[email protected]"},
+ {VALID_DSA_MULTI_EXT, "[email protected]"},
+ {VALID_ECDSA_SINGLE_EXT, "pantheon.sitar.mig"},
+ {VALID_ECDSA_MULTI_EXT, "[email protected]"},
+ {VALID_ED25519_SINGLE_EXT, "[email protected]"},
+ {VALID_ED25519_MULTI_EXT, "[email protected]"},
+ { NULL, NULL,},
};
for (iter = tests; iter->key != NULL; iter++) {
- char *fingerprint = NULL;
- size_t len = FingerPrintFromBlob(iter->key, &fingerprint);
+ char *fingerprint, *principal;
+ fingerprint = principal = NULL;
+ size_t len = FingerPrintFromBlob(iter->key, &fingerprint, &principal);
ASSERT_GT(len, 0);
ASSERT_STREQ(fingerprint, "b86db4ca-09fd-429e-b121-a12799614032");
+ ASSERT_STREQ(principal, iter->principal);
free(fingerprint);
+ free(principal);
}
}
TEST(SSHCATests, TestInvalidNoFpCert) {
struct {
const char *key;
+ const char *principal;
} *iter, tests[] = {
- {INVALID_DSA_NO_FP},
- {INVALID_DSA_NON_CERT},
- {INVALID_ED25519_NO_FP},
- {INVALID_ED25519_NON_CERT},
- {INVALID_RSA_NO_FP},
- {INVALID_RSA_NON_CERT},
- {INVALID_ECDSA_NO_FP},
- {INVALID_ECDSA_NON_CERT},
- { NULL },
+ {INVALID_DSA_NO_FP, "[email protected]"},
+ {INVALID_DSA_NON_CERT, NULL},
+ {INVALID_ED25519_NO_FP, "[email protected]"},
+ {INVALID_ED25519_NON_CERT, NULL},
+ {INVALID_RSA_NO_FP, "[email protected]"},
+ {INVALID_RSA_NON_CERT, NULL},
+ {INVALID_ECDSA_NO_FP, "[email protected]"},
+ {INVALID_ECDSA_NON_CERT, NULL},
+ { NULL, NULL},
};
for (iter = tests; iter->key != NULL; iter++) {
- char *fingerprint = NULL;
- size_t len = FingerPrintFromBlob(iter->key, &fingerprint);
+ char *fingerprint, *principal;
+ fingerprint = principal = NULL;
+ size_t len = FingerPrintFromBlob(iter->key, &fingerprint, &principal);
ASSERT_EQ(len, 0);
ASSERT_STREQ(fingerprint, NULL);
+ ASSERT_STREQ(principal, iter->principal);
free(fingerprint);
+ free(principal);
}
}
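Review bot: `ASSERT_STREQ(principal, iter->principal)` in TestInvalidNoFpCert pins a contract that nothing in the sources documents: for the *_NO_FP inputs `principal` is returned populated even though `len` is 0, so callers must free it on the failure path too, and the `free(principal)` at the end of the loop is load-bearing rather than cleanup. Record that in the test so it is not "fixed" later, e.g. `// principal is populated whenever the cert parses far enough, even when no fingerprint is found; callers must free it on len == 0.` The two tables also cover only single-principal certificates; the extraction takes the first list entry, so a multi-principal cert and a cert with an empty principals list are the cases most worth adding. TestValidSingleExtCert's second column doubles as expected-value documentation, which is useful, but a one-line comment saying the column is the cert's first valid principal would save a trip to the parser.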