From: Jeff Davis <jeff.davis@bc.libraries.coop>
Date: Fri, 8 Feb 2019 21:59:14 +0000 (-0800)
Subject: LP#1786552: optionally restrict auth_proxy login by home OU
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=c485b3dcac422ad11e0cdb9d74f674e8c9f9355c;p=evergreen%2Fequinox.git
LP#1786552: optionally restrict auth_proxy login by home OU This adds a new restrict_by_home_ou setting to auth_proxy authenticator config. When enabled, if the login request includes an org param, the authenticator will refuse to authenticate a user unless their home OU matches or is a descendant of that org; login fails and auth_proxy proceeds to the next configured authenticator.
Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---
diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index b0ed2553be..eb875b1116 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -555,6 +555,7 @@ vim:et:ts=4:sw=4:
 <unit>103</unit>
 <unit>104</unit>
 </org_units>
+<restrict_by_home_ou>false</restrict_by_home_ou>
 </authenticator>
 -->
 <!-- 'native' is a proxied version of Evergreen's standard authentication -->
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index 9b5198e4c7..d0fcbe7881 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -260,10 +260,14 @@ sub login {
 $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting");
 return OpenILS::Event->new( 'LOGIN_FAILED' );
 } else {
-# TODO: verify that this authenticator is allowed to do auth
-# for the specified username (i.e. if the authenticator is for
-# Library A only, it shouldn't be able to do auth for
-# Library B's users)
+my $restrict_by_ou = $authenticator->{restrict_by_home_ou};
+if ($args->{org} and defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
+my $descendants = $U->get_org_descendants($args->{org});
+unless (grep $user->[0]->home_ou, @$descendants) {
+$logger->debug("Matching user does not belong to this org, aborting");
+return OpenILS::Event->new( 'LOGIN_FAILED' );
+}
+}
 $args->{user_id} = $user->[0]->id;
 }
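Review bot: The home-OU check in the added `unless (grep $user->[0]->home_ou, @$descendants)` line never rejects anyone, because in the `grep EXPR, LIST` form the expression `$user->[0]->home_ou` does not refer to `$_`, so grep just counts how many descendants exist while the user's home_ou is true; for any user with a home OU and any org with at least one descendant the condition is true and the `LOGIN_FAILED` branch is unreachable, which leaves exactly the cross-library authentication the removed TODO warned about. The membership test needs to compare each element, e.g. `my $home_ou = $user->[0]->home_ou;` and `unless (grep { $_ == $home_ou } @$descendants) {` — this assumes `get_org_descendants` returns a list of org IDs; if it returns org objects the comparison should use `$_->id` instead. Since `$args->{org}` comes from the login request, it would also be prudent to confirm `$descendants` is a non-empty arrayref before treating it as authoritative, and to include the username and org in the debug message so a denied login can be traced. The enclosing `sub login` starts and ends outside this hunk.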