projects / working / Evergreen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4340597)
auth_proxy: optionally restrict auth by home OU user/jeffdavis/auth_proxy_restrict_by_home_ou
authorJeff Davis <jeff.davis@bc.libraries.coop>
Fri, 8 Feb 2019 21:59:14 +0000 (13:59 -0800)
committerJeff Davis <jeff.davis@bc.libraries.coop>
Fri, 8 Feb 2019 21:59:14 +0000 (13:59 -0800)
This adds a new restrict_by_home_ou setting to auth_proxy.  When enabled,
if the login request includes an org param, auth_proxy will refuse to
authenticate a user unless their home OU matches or is a descendant of
that org.

Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop>
Open-ILS/examples/opensrf.xml.example patch | blob | history
Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm patch | blob | history

diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 156562b..7e4666f 100644 (file)
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -554,6 +554,7 @@ vim:et:ts=4:sw=4:
                                 <unit>103</unit>
                                 <unit>104</unit>
                             </org_units>
+                            <restrict_by_home_ou>false</restrict_by_home_ou>
                         </authenticator>
                         -->
                         <!-- 'native' is a proxied version of Evergreen's standard authentication -->
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index 1f7832c..761aeb3 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -251,6 +251,14 @@ sub login {
                     $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting");
                     return OpenILS::Event->new( 'LOGIN_FAILED' );
                 } else {
+                    my $restrict_by_ou = $authenticator->{restrict_by_home_ou};
+                    if ($args->{org} and defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
+                        my $descendants = $U->get_org_descendants($args->{org});
+                        unless (grep $user->[0]->home_ou, @$descendants) {
+                            $logger->debug("Matching user does not belong to this org, aborting");
+                            return OpenILS::Event->new( 'LOGIN_FAILED' );
+                        }
+                    }
                     $args->{user_id} = $user->[0]->id;
                 }
 
Evergreen ILS