From a4f2a629571a181360068272efd8cef3f44c5b65 Mon Sep 17 00:00:00 2001
From: Jeff Davis <jeff.davis@bc.libraries.coop>
Date: Fri, 8 Feb 2019 17:25:55 -0800
Subject: [PATCH] LP#1715396: optionally run auth_proxy for specified orgs only

Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop>
---
 Open-ILS/examples/opensrf.xml.example                  |  1 +
 .../src/perlmods/lib/OpenILS/Application/AuthProxy.pm  | 18 +++++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 156562b82b..1f6dac57db 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -554,6 +554,7 @@ vim:et:ts=4:sw=4:
                                 <unit>103</unit>
                                 <unit>104</unit>
                             </org_units>
+                            <restrict_to_orgs>false</restrict_to_orgs>
                         </authenticator>
                         -->
                         <!-- 'native' is a proxied version of Evergreen's standard authentication -->
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index 1f7832c653..56581255f4 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -213,12 +213,24 @@ sub login {
 
     foreach my $authenticator (@$auths) {
         # skip authenticators specified for a different login type
-        # or org unit id
         if ($authenticator->login_types and $args->{'type'}) {
             next unless grep(/^(all|$args->{'type'})$/, @{$authenticator->{'login_types'}});
         }
-        if ($authenticator->org_units and $args->{'org'}) {
-            next unless grep(/^(all|$args->{'org'})$/, @{$authenticator->{'org_units'}});
+
+        if ($authenticator->org_units) {
+            if ($args->{'org'}) {
+                # We have a context org. Skip this authenticator unless it's
+                # configured to run for that org.
+                next unless grep(/^(all|$args->{'org'})$/, @{$authenticator->{'org_units'}});
+            } else {
+                # By default, when we don't have a context org, configured org
+                # units are ignored and we run this authenticator for everybody.
+                # But if restrict_to_orgs is enabled, we should skip this
+                # authenticator (unless it runs for all orgs).
+                if (exists $authenticator->{restrict_to_orgs} and $authenticator->{restrict_to_orgs} =~ /^t/i) {
+                    next unless grep(/^all$/, @{$authenticator->{'org_units'}});
+                }
+            }
         }
 
         my $event;
-- 
2.11.0