From 29966fe8153460824f4c55b26f91c7182aeb1cf7 Mon Sep 17 00:00:00 2001 From: Alexander Sulfrian Date: Sun, 16 Jan 2022 02:55:18 +0100 Subject: POSIXUsers: Add filters for supplementary gids There are now separate filters for supplementary groups of a managed POSIXUser. If neither a blacklist or a whitelist for the supplementary groups is set, it will default to the same lists like the gid filters. --- src/lib/Bcfg2/Client/Tools/POSIXUsers.py | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/src/lib/Bcfg2/Client/Tools/POSIXUsers.py b/src/lib/Bcfg2/Client/Tools/POSIXUsers.py index 40598541e..224119a79 100644 --- a/src/lib/Bcfg2/Client/Tools/POSIXUsers.py +++ b/src/lib/Bcfg2/Client/Tools/POSIXUsers.py @@ -26,6 +26,11 @@ class POSIXUsers(Bcfg2.Client.Tools.Tool): cf=('POSIXUsers', 'gid_whitelist'), default=[], type=uid_range_type, help="GID ranges the POSIXUsers tool will manage"), + Bcfg2.Options.Option( + cf=('POSIXUsers', 'supgid_whitelist'), default=[], + type=uid_range_type, + help="GID ranges for supplementary groups the POSIXUsers" + "tool will manage"), Bcfg2.Options.Option( cf=('POSIXUsers', 'uid_blacklist'), default=[], type=uid_range_type, @@ -33,7 +38,12 @@ class POSIXUsers(Bcfg2.Client.Tools.Tool): Bcfg2.Options.Option( cf=('POSIXUsers', 'gid_blacklist'), default=[], type=uid_range_type, - help="GID ranges the POSIXUsers tool will not manage")] + help="GID ranges the POSIXUsers tool will not manage"), + Bcfg2.Options.Option( + cf=('POSIXUsers', 'supgid_blacklist'), default=[], + type=uid_range_type, + help="GID ranges for supplementary groups the POSIXUsers" + "tool will not manage")] __execs__ = ['/usr/sbin/useradd', '/usr/sbin/usermod', '/usr/sbin/userdel', '/usr/sbin/groupadd', '/usr/sbin/groupmod', 
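Review bot: The two-part help string on the new `supgid_whitelist` option is joined without a separating space, so the rendered help reads "POSIXUserstool will manage". The `supgid_blacklist` option added in the next hunk has the same defect. End the first literal with a space in both places, e.g. `help="GID ranges for supplementary groups the POSIXUsers "`. The option list this hunk extends starts before the hunk.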
@@ -58,10 +68,19 @@ class POSIXUsers(Bcfg2.Client.Tools.Tool): self.set_defaults = dict(POSIXUser=self.populate_user_entry, POSIXGroup=lambda g: g) self._existing = None + + supgid_whitelist = Bcfg2.Options.setup.supgid_whitelist + supgid_blacklist = Bcfg2.Options.setup.supgid_blacklist + if supgid_whitelist is None and supgid_blacklist is None: + supgid_whitelist = Bcfg2.Options.setup.gid_whitelist + supgid_blacklist = Bcfg2.Options.setup.gid_blacklist + self._whitelist = dict(POSIXUser=Bcfg2.Options.setup.uid_whitelist, - POSIXGroup=Bcfg2.Options.setup.gid_whitelist) + POSIXGroup=Bcfg2.Options.setup.gid_whitelist, + POSIXSupGroup=supgid_whitelist) self._blacklist = dict(POSIXUser=Bcfg2.Options.setup.uid_blacklist, - POSIXGroup=Bcfg2.Options.setup.gid_blacklist) + POSIXGroup=Bcfg2.Options.setup.gid_blacklist, + POSIXSupGroup=supgid_blacklist) @property def existing(self): @@ -161,7 +180,7 @@ class POSIXUsers(Bcfg2.Client.Tools.Tool): given entry is a member of """ return [g for g in self.existing['POSIXGroup'].values() if entry.get("name") in g[3] and - self._in_managed_range('POSIXGroup', g[2])] + self._in_managed_range('POSIXSupGroup', g[2])] def VerifyPOSIXUser(self, entry, _): """ Verify a POSIXUser entry """ -- cgit v1.2.3-1-g7c22
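Review bot: The fallback `if supgid_whitelist is None and supgid_blacklist is None:` looks unreachable as written, because both new options are declared with `default=[]`, so an unset option would only be `None` if the option parser converts the default (not visible here). If the branch never runs, the supplementary-group filters stay empty instead of inheriting `gid_whitelist`/`gid_blacklist`, and the set of group memberships the tool treats as managed differs from what the commit message describes. Declaring the two options with `cf=('POSIXUsers', 'supgid_whitelist'), default=None,` (and likewise for the blacklist) would make "unset" detectable. Whether `_in_managed_range` accepts that value has to be checked, as it is outside this hunk. The enclosing method also starts and ends outside the hunk.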
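Review bot: The docstring of this method, as far as its visible tail shows, still describes the result as the supplementary groups the user is a member of, but the return value is now limited to groups whose gid passes the `POSIXSupGroup` lists. I would extend it to say so, e.g. `given entry is a member of, restricted to gids inside the supgid whitelist/blacklist range`. A short comment on the filter line would help too: `# memberships in groups outside the managed supgid range are ignored here`. The method signature and the start of the docstring are outside the hunk.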