From: Jeff Davis <jeff.davis@bc.libraries.coop>
Date: Fri, 8 Feb 2019 21:59:14 +0000 (-0800)
Subject: LP#1786552: optionally restrict auth_proxy login by home OU
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=c485b3dcac422ad11e0cdb9d74f674e8c9f9355c;p=evergreen%2Fequinox.git

LP#1786552: optionally restrict auth_proxy login by home OU

This adds a new restrict_by_home_ou setting to auth_proxy authenticator
config.  When enabled, if the login request includes an org param, the
authenticator will refuse to authenticate a user unless their home OU
matches or is a descendant of that org; login fails and auth_proxy
proceeds to the next configured authenticator.

Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---

diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index b0ed2553be..eb875b1116 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -555,6 +555,7 @@ vim:et:ts=4:sw=4:
                                 <unit>103</unit>
                                 <unit>104</unit>
                             </org_units>
+                            <restrict_by_home_ou>false</restrict_by_home_ou>
                         </authenticator>
                         -->
                         <!-- 'native' is a proxied version of Evergreen's standard authentication -->
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index 9b5198e4c7..d0fcbe7881 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -260,10 +260,14 @@ sub login {
                     $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting");
                     return OpenILS::Event->new( 'LOGIN_FAILED' );
                 } else {
-                    # TODO: verify that this authenticator is allowed to do auth
-                    # for the specified username (i.e. if the authenticator is for
-                    # Library A only, it shouldn't be able to do auth for
-                    # Library B's users)
+                    my $restrict_by_ou = $authenticator->{restrict_by_home_ou};
+                    if ($args->{org} and defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
+                        my $descendants = $U->get_org_descendants($args->{org});
+                        unless (grep $user->[0]->home_ou, @$descendants) {
+                            $logger->debug("Matching user does not belong to this org, aborting");
+                            return OpenILS::Event->new( 'LOGIN_FAILED' );
+                        }
+                    }
                     $args->{user_id} = $user->[0]->id;
                 }
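Review bot: The `grep` on the fourth added line never compares anything against the descendant list: `grep $user->[0]->home_ou, @$descendants` evaluates the user's home_ou as a boolean for every element, so it is true whenever home_ou is a non-zero id and the list is non-empty, and the new restriction lets any user through. The membership test should be `unless (grep { $_ == $user->[0]->home_ou } @$descendants)` (assuming get_org_descendants returns org unit ids, as the deref suggests; if it returns objects, compare `$_->id`). Note also that the check only runs when the caller supplies `org`, so it enforces nothing when that param is omitted; if the intent is a server-side policy, the authenticator's own configured org_units may be the better anchor. login() begins and ends outside this hunk.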