From 6cd3a340994cc588a4d153ffbd62796384eb7e2c Mon Sep 17 00:00:00 2001 From: Achilleas Koutsou Date: Mon, 5 Sep 2022 23:15:50 +0200 Subject: [PATCH] image: add users and groups to edge/iot raw images --- internal/distro/fedora/images.go | 3 +++ internal/distro/rhel8/pipelines.go | 24 +++++++++++++++++++----- internal/distro/rhel9/pipelines.go | 24 +++++++++++++++++++----- internal/image/ostree_raw.go | 6 ++++++ internal/manifest/commit_deployment.go | 5 ++++- 5 files changed, 51 insertions(+), 11 deletions(-) diff --git a/internal/distro/fedora/images.go b/internal/distro/fedora/images.go index b2ce13076..bf9d59aa3 100644 --- a/internal/distro/fedora/images.go +++ b/internal/distro/fedora/images.go @@ -285,6 +285,9 @@ func iotRawImage(workload workload.Workload, img := image.NewOSTreeRawImage() + img.Users = users.UsersFromBP(customizations.GetUsers()) + img.Groups = users.GroupsFromBP(customizations.GetGroups()) + img.KernelOptionsAppend = []string{"modprobe.blacklist=vc4"} img.Keyboard = "us" img.Locale = "C.UTF-8" diff --git a/internal/distro/rhel8/pipelines.go b/internal/distro/rhel8/pipelines.go index 9e664ddf6..012d1c64e 100644 --- a/internal/distro/rhel8/pipelines.go +++ b/internal/distro/rhel8/pipelines.go @@ -13,6 +13,7 @@ import ( "github.com/osbuild/osbuild-composer/internal/distro" "github.com/osbuild/osbuild-composer/internal/osbuild" "github.com/osbuild/osbuild-composer/internal/rpmmd" + "github.com/osbuild/osbuild-composer/internal/users" ) func qcow2Pipelines(t *imageType, customizations *blueprint.Customizations, options distro.ImageOptions, repos []rpmmd.RepoConfig, packageSetSpecs map[string][]rpmmd.PackageSpec, containers []container.Spec, rng *rand.Rand) ([]osbuild.Pipeline, error) { 
@@ -348,7 +349,7 @@ func edgeContainerPipelines(t *imageType, customizations *blueprint.Customizatio return pipelines, nil } -func edgeImagePipelines(t *imageType, filename string, options distro.ImageOptions, rng *rand.Rand) ([]osbuild.Pipeline, string, error) { +func edgeImagePipelines(t *imageType, customizations *blueprint.Customizations, filename string, options distro.ImageOptions, rng *rand.Rand) ([]osbuild.Pipeline, string, error) { pipelines := make([]osbuild.Pipeline, 0) ostreeRepoPath := "/ostree/repo" imgName := "image.raw" @@ -359,7 +360,7 @@ func edgeImagePipelines(t *imageType, filename string, options distro.ImageOptio } // prepare ostree deployment tree - treePipeline := ostreeDeployPipeline(t, partitionTable, ostreeRepoPath, nil, "", rng, options) + treePipeline := ostreeDeployPipeline(t, partitionTable, ostreeRepoPath, nil, "", rng, customizations, options) pipelines = append(pipelines, *treePipeline) // make raw image from tree @@ -380,7 +381,7 @@ func edgeRawImagePipelines(t *imageType, customizations *blueprint.Customization imgName := t.filename // create the raw image - imagePipelines, _, err := edgeImagePipelines(t, imgName, options, rng) + imagePipelines, _, err := edgeImagePipelines(t, customizations, imgName, options, rng) if err != nil { return nil, err } @@ -813,7 +814,7 @@ func edgeSimplifiedInstallerPipelines(t *imageType, customizations *blueprint.Cu installDevice := customizations.GetInstallationDevice() // create the raw image - imagePipelines, imgPipelineName, err := edgeImagePipelines(t, imgName, options, rng) + imagePipelines, imgPipelineName, err := edgeImagePipelines(t, customizations, imgName, options, rng) if err != nil { return nil, err } @@ -963,6 +964,7 @@ func ostreeDeployPipeline( kernel *blueprint.KernelCustomization, kernelVer string, rng *rand.Rand, + c *blueprint.Customizations, options distro.ImageOptions, ) *osbuild.Pipeline { 
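Review bot: ostreeDeployPipeline now receives the whole `*blueprint.Customizations` as `c`, yet the only uses visible in this patch are `c.GetUsers()` and `c.GetGroups()`. Passing the two converted slices (`[]users.User`, `[]users.Group`) instead would keep the deployment pipeline independent of the rest of the blueprint and make it obvious which blueprint data can alter the deployed tree. It would also settle a question these hunks cannot answer: every caller forwards `customizations` unchecked, so the new code relies on the getters being safe on a nil receiver. If the pointer stays, name it `customizations` like the callers do and, once nil-safety is confirmed, record it with a comment such as `// c may be nil; only users and groups are read`. The function body lies outside this hunk.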
@@ -1030,7 +1032,19 @@ func ostreeDeployPipeline( } p.AddStage(osbuild.NewFSTabStage(fstabOptions)) - // TODO: Add users? + if bpUsers := c.GetUsers(); len(bpUsers) > 0 { + usersStage, err := osbuild.GenUsersStage(users.UsersFromBP(bpUsers), false) + if err != nil { + panic(err) + } + usersStage.MountOSTree(osname, options.OSTree.Ref, 0) + p.AddStage(usersStage) + } + if bpGroups := c.GetGroups(); len(bpGroups) > 0 { + groupsStage := osbuild.GenGroupsStage(users.GroupsFromBP(bpGroups)) + groupsStage.MountOSTree(osname, options.OSTree.Ref, 0) + p.AddStage(groupsStage) + } p.AddStage(bootloaderConfigStage(t, *pt, kernel, kernelVer, true, true)) diff --git a/internal/distro/rhel9/pipelines.go b/internal/distro/rhel9/pipelines.go index 4e7a67203..49ad056c6 100644 --- a/internal/distro/rhel9/pipelines.go +++ b/internal/distro/rhel9/pipelines.go @@ -14,6 +14,7 @@ import ( "github.com/osbuild/osbuild-composer/internal/distro" "github.com/osbuild/osbuild-composer/internal/osbuild" "github.com/osbuild/osbuild-composer/internal/rpmmd" + "github.com/osbuild/osbuild-composer/internal/users" ) func qcow2Pipelines(t *imageType, customizations *blueprint.Customizations, options distro.ImageOptions, repos []rpmmd.RepoConfig, packageSetSpecs map[string][]rpmmd.PackageSpec, containers []container.Spec, rng *rand.Rand) ([]osbuild.Pipeline, error) { @@ -340,7 +341,7 @@ func edgeContainerPipelines(t *imageType, customizations *blueprint.Customizatio return pipelines, nil } -func edgeImagePipelines(t *imageType, filename string, options distro.ImageOptions, rng *rand.Rand) ([]osbuild.Pipeline, string, error) { +func edgeImagePipelines(t *imageType, customizations *blueprint.Customizations, filename string, options distro.ImageOptions, rng *rand.Rand) ([]osbuild.Pipeline, string, error) { pipelines := make([]osbuild.Pipeline, 0) ostreeRepoPath := "/ostree/repo" imgName := "image.raw" 
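Review bot: The users stage is added before the groups stage, so a blueprint user that lists a group defined in the same blueprint would be created before that group exists; unless the users stage is known to tolerate that, add the groups stage first. The same order appears in the rhel9/pipelines.go copy of this block and in OSTreeDeployment.serialize in commit_deployment.go. Separately, `panic(err)` turns a failure on blueprint-supplied account data into a process panic; since ostreeDeployPipeline returns only `*osbuild.Pipeline`, the cleaner fix is to validate the users before this point or to add an error return. The bare `false` passed to GenUsersStage would also read better with a short comment naming the flag. The enclosing function starts and ends outside the hunk.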
@@ -351,7 +352,7 @@ func edgeImagePipelines(t *imageType, filename string, options distro.ImageOptio } // prepare ostree deployment tree - treePipeline := ostreeDeployPipeline(t, partitionTable, ostreeRepoPath, rng, options) + treePipeline := ostreeDeployPipeline(t, partitionTable, ostreeRepoPath, rng, customizations, options) pipelines = append(pipelines, *treePipeline) // make raw image from tree @@ -372,7 +373,7 @@ func edgeRawImagePipelines(t *imageType, customizations *blueprint.Customization imgName := t.filename // create the raw image - imagePipelines, _, err := edgeImagePipelines(t, imgName, options, rng) + imagePipelines, _, err := edgeImagePipelines(t, customizations, imgName, options, rng) if err != nil { return nil, err } @@ -812,7 +813,7 @@ func edgeSimplifiedInstallerPipelines(t *imageType, customizations *blueprint.Cu installDevice := customizations.GetInstallationDevice() // create the raw image - imagePipelines, imgPipelineName, err := edgeImagePipelines(t, imgName, options, rng) + imagePipelines, imgPipelineName, err := edgeImagePipelines(t, customizations, imgName, options, rng) if err != nil { return nil, err } @@ -958,6 +959,7 @@ func ostreeDeployPipeline( pt *disk.PartitionTable, repoPath string, rng *rand.Rand, + c *blueprint.Customizations, options distro.ImageOptions, ) *osbuild.Pipeline { @@ -1025,7 +1027,19 @@ func ostreeDeployPipeline( } p.AddStage(osbuild.NewFSTabStage(fstabOptions)) - // TODO: Add users? + if bpUsers := c.GetUsers(); len(bpUsers) > 0 { + usersStage, err := osbuild.GenUsersStage(users.UsersFromBP(bpUsers), false) + if err != nil { + panic(err) + } + usersStage.MountOSTree(osname, options.OSTree.Ref, 0) + p.AddStage(usersStage) + } + if bpGroups := c.GetGroups(); len(bpGroups) > 0 { + groupsStage := osbuild.GenGroupsStage(users.GroupsFromBP(bpGroups)) + groupsStage.MountOSTree(osname, options.OSTree.Ref, 0) + p.AddStage(groupsStage) + } p.AddStage(bootloaderConfigStage(t, *pt, "", true, true)) 
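Review bot: The users/groups block added to rhel9's ostreeDeployPipeline is a verbatim copy of the one added to rhel8/pipelines.go, and OSTreeDeployment.serialize carries a third variant. Any later change to how accounts are written into the deployment (stage order, error handling, the mount arguments) then has to be repeated in three places, which is how account-provisioning paths drift apart. Consider one shared helper that takes the pipeline, the OS name, the ref and the two slices and appends both mounted stages, called from all three sites. The enclosing function starts and ends outside the hunk.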
diff --git a/internal/image/ostree_raw.go b/internal/image/ostree_raw.go index 1b906cc9f..db5390891 100644 --- a/internal/image/ostree_raw.go +++ b/internal/image/ostree_raw.go @@ -10,6 +10,7 @@ import ( "github.com/osbuild/osbuild-composer/internal/platform" "github.com/osbuild/osbuild-composer/internal/rpmmd" "github.com/osbuild/osbuild-composer/internal/runner" + "github.com/osbuild/osbuild-composer/internal/users" "github.com/osbuild/osbuild-composer/internal/workload" ) @@ -20,6 +21,9 @@ type OSTreeRawImage struct { Workload workload.Workload PartitionTable *disk.PartitionTable + Users []users.User + Groups []users.Group + OSTreeURL string OSTreeRef string OSTreeCommit string @@ -53,6 +57,8 @@ func (img *OSTreeRawImage) InstantiateManifest(m *manifest.Manifest, osPipeline.KernelOptionsAppend = img.KernelOptionsAppend osPipeline.Keyboard = img.Keyboard osPipeline.Locale = img.Locale + osPipeline.Users = img.Users + osPipeline.Groups = img.Groups imagePipeline := manifest.NewRawOStreeImage(m, buildPipeline, img.Platform, osPipeline) diff --git a/internal/manifest/commit_deployment.go b/internal/manifest/commit_deployment.go index 5ed4267b1..928651ae9 100644 --- a/internal/manifest/commit_deployment.go +++ b/internal/manifest/commit_deployment.go @@ -166,11 +166,14 @@ func (p *OSTreeDeployment) serialize() osbuild.Pipeline { if err != nil { panic("password encryption failed") } + usersStage.MountOSTree(p.osName, p.osTreeRef, 0) pipeline.AddStage(usersStage) } if len(p.Groups) > 0 { - pipeline.AddStage(osbuild.GenGroupsStage(p.Groups)) + grpStage := osbuild.GenGroupsStage(p.Groups) + grpStage.MountOSTree(p.osName, p.osTreeRef, 0) + pipeline.AddStage(grpStage) } // if no root password is set, lock the root account
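Review bot: The new `Users` and `Groups` fields on OSTreeRawImage have no comment, and unlike the neighbouring fields they can carry credentials (serialize in commit_deployment.go encrypts user passwords). A field comment such as `// Users and Groups are created in the deployment when the raw image is built; any credentials set on a user ship in every copy of the image.` would make that visible to callers deciding what to put in a blueprint. The struct definition continues outside the hunk.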
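Review bot: The two `MountOSTree(p.osName, p.osTreeRef, 0)` calls in serialize are the substance of this hunk, but nothing says why the stages need the mount or what the literal `0` selects. A comment above the first call, e.g. `// mount the deployment so the accounts are written into the deployed tree rather than the pipeline root`, plus a named constant for the third argument would help. That wording is my reading of the change and should be confirmed by the author. The same literal is repeated in the rhel8 and rhel9 pipelines.go hunks. serialize's body continues outside the hunk.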