From badd52c8049b9695ccf37d8175aa0c245f0c0148 Mon Sep 17 00:00:00 2001 From: Samveen Date: Tue, 27 Feb 2024 08:46:31 +0530 Subject: [PATCH] Add ability to create usergroup based policy rules This implements feature request #1848 Signed-off-by: Samveen --- perl-xCAT/xCAT/Utils.pm | 20 ++++++++++++++++++++ xCAT-server/lib/perl/xCAT/xcatd.pm | 8 +++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/perl-xCAT/xCAT/Utils.pm b/perl-xCAT/xCAT/Utils.pm index bb3827a160..d207cc3a12 100644 --- a/perl-xCAT/xCAT/Utils.pm +++ b/perl-xCAT/xCAT/Utils.pm @@ -4987,6 +4987,26 @@ sub natural_sort_cmp($$) { #-------------------------------------------------------------------------------- +=head3 groups + Pure perl implementation of /bin/groups +=cut + +#-------------------------------------------------------------------------------- +sub groups($) { + my ($name)=@_; + my @list; + my $n=(getpwnam($name))[3]; + @list=((getgrgid($n))[0]); + while (my @l=getgrent()) { + if ($l[3] && $l[3] ne "" && $l[3] =~ /$name/) { + push @list, $l[0]; + } + } + endgrent(); +} + +#-------------------------------------------------------------------------------- + =head3 console_sleep A wrap for sleep subroutine, if goconserver is used, just exit immidiately as goconserver has its own sleep mechanism. diff --git a/xCAT-server/lib/perl/xCAT/xcatd.pm b/xCAT-server/lib/perl/xCAT/xcatd.pm index bfe235174a..532242c4d8 100644 --- a/xCAT-server/lib/perl/xCAT/xcatd.pm +++ b/xCAT-server/lib/perl/xCAT/xcatd.pm 
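Review bot: `sub groups` never returns `@list` — its last statement is `endgrent()`, so a caller receives endgrent's return value rather than the group names and the policy feature built on it in xcatd.pm cannot work; at minimum add `return @list;` after `endgrent()`. The membership test `$l[3] =~ /$name/` is an unanchored, unquoted regex over the space-separated member field, so peer `bob` matches a group listing `bobby` and any regex metacharacter in the peer name is interpreted; because the result feeds policy matching, split the field on whitespace and compare whole names with `eq`. The sub is called as `xCAT::Utils->groups($peername)`, which puts the package name in `$_[0]`, so `my ($name)=@_` receives `'xCAT::Utils'` unless the invocant is stripped (the `($)` prototype is not enforced on method calls and is better dropped), and an unknown peer makes `getpwnam` return nothing so `getgrgid(undef)` runs; guard both. Presumably other subs in this file already strip the invocant in some conventional way — match that convention rather than the guess below.
```perl
sub groups {
    # Tolerate the class-method call form used by xcatd.pm; mirror whatever
    # invocant handling the other subs in this file use.
    shift if @_ > 1 and $_[0] eq 'xCAT::Utils';
    my ($name) = @_;
    return () unless defined $name and length $name;
    my $gid = (getpwnam($name))[3];
    return () unless defined $gid;    # unknown user: no groups, no warnings
    my @list;
    my $primary = (getgrgid($gid))[0];
    push @list, $primary if defined $primary;
    setgrent();
    while (my @gr = getgrent()) {
        # $gr[3] is the space-separated member list; whole-name compare only
        next unless defined $gr[3] and length $gr[3];
        push @list, $gr[0] if grep { $_ eq $name } split ' ', $gr[3];
    }
    endgrent();
    return @list;
}
```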
@@ -105,11 +105,17 @@ sub validate { } } + # Get groups for peername + my $usergroups = xCAT::Utils->groups($peername); + RULE: foreach $rule (@sortedpolicies) { if ($rule->{name} and $rule->{name} ne '*') { #TODO: more complex matching (lists, wildcards) - next unless ($peername and $peername eq $rule->{name}); + if (!$usergroups or index($usergroups,$rule->{name}) < 0) { + # If the user's group is empty, or usergroups doesn't contain rule name then... + next unless ($peername and $peername eq $rule->{name}); + } } if ($rule->{name} and $rule->{name} eq '*') { #a name is required, but can be any name whatsoever.... next unless ($peername);
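Review bot: `my $usergroups = xCAT::Utils->groups($peername)` evaluates the call in scalar context, so even once `groups` returns a list `$usergroups` holds the element count and `index($usergroups, $rule->{name})` searches a number; collect the result into `my @usergroups` instead. `index(...) < 0` is also a substring test, so a rule named `adm` would apply to a peer whose group list contains `admin` — for an authorization decision the comparison has to be whole-name, `grep { $_ eq $rule->{name} } @usergroups`. The lookup runs before `$peername` is checked, so a peer with no name reaches `getpwnam(undef)`; guard it. A comment should also record that a policy `name` now matches both a user and a group of that name, since the policy table does not distinguish them; `validate` starts before and continues after this hunk.
```perl
    # Groups of the peer (empty when the peer is unknown to the local group db);
    # a policy name matches the peer's own name or any of its groups, whole-name only.
    my @usergroups = $peername ? xCAT::Utils->groups($peername) : ();

  RULE: foreach $rule (@sortedpolicies) {
        if ($rule->{name} and $rule->{name} ne '*') {
            #TODO: more complex matching (lists, wildcards)
            my $in_group = grep { $_ eq $rule->{name} } @usergroups;
            next unless ($peername and ($peername eq $rule->{name} or $in_group));
        }
        # … unchanged: '*' rule handling …
```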