From f9ca07d7e1b2b5dae919d844562318dbadd8cce8 Mon Sep 17 00:00:00 2001 From: Dan Wells Date: Tue, 26 Jan 2016 14:22:21 -0500 Subject: [PATCH] LP#1468422 Use auth_internal.validate to shore up AuthProxy Even if a user has valid credentials in the external system, we should block them from logging in if their Evergreen account is out of sorts. Use the API designed for this. Signed-off-by: Dan Wells Signed-off-by: Bill Erickson --- .../perlmods/lib/OpenILS/Application/AuthProxy.pm | 56 ++++++++++++++-------- 1 file changed, 36 insertions(+), 20 deletions(-) diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm index 94bb2d1438..66a1b712c3 100644 --- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm +++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm @@ -235,7 +235,38 @@ sub login { if (exists $event->{'payload'}) { # we have a complete native login return $event; } else { # create an EG session for the successful external login - return &_create_session($args); + # + # before we actually create the session, let's first check if + # Evergreen thinks this user is allowed to login + # + # (we do this *after* authentication to avoid any personal data + # leakage) + + # get the user id + my $user = $U->cstorereq( + "open-ils.cstore.direct.actor.user.search.atomic", + { usrname => $args->{'username'} } + ); + if (!$user->[0]) { + $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting"); + return OpenILS::Event->new( 'LOGIN_FAILED' ); + } else { + $args->{user_id} = $user->[0]->id; + } + + # validate the account + my $trimmed_args = { + user_id => $args->{user_id}, + login_type => $args->{type}, + org_unit => $args->{org} + }; + $event = &_auth_internal('user.validate', $trimmed_args); + if ($U->event_code($event)) { # non-zero = we didn't succeed + # can't recover from invalid user, return right away + return $event; + } else { # it's all good + return &_auth_internal('session.create', $trimmed_args); + } } } } @@ -249,27 +280,12 @@ sub login { return OpenILS::Event->new( 'LOGIN_FAILED' ); } -sub _create_session { - my $args = shift; - - my $user = $U->cstorereq( - "open-ils.cstore.direct.actor.user.search.atomic", - { usrname => $args->{'username'} } - ); - if (!$user->[0]) { - $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting"); - return OpenILS::Event->new( 'LOGIN_FAILED' ); - } else { - $args->{user_id} = $user->[0]->id; - } +sub _auth_internal { + my ($method, $args) = @_; my $response = OpenSRF::AppSession->create("open-ils.auth_internal")->request( - 'open-ils.auth_internal.session.create', - { - user_id => $args->{user_id}, - login_type => $args->{type}, - org_unit => $args->{org} - } + 'open-ils.auth_internal.'.$method, + $args )->gather(1); return OpenILS::Event->new( 'LOGIN_FAILED' ) -- 2.11.0