1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
15 "git.arvados.org/arvados.git/lib/controller/rpc"
16 "git.arvados.org/arvados.git/sdk/go/arvados"
17 "git.arvados.org/arvados.git/sdk/go/auth"
18 "git.arvados.org/arvados.git/sdk/go/ctxlog"
19 "git.arvados.org/arvados.git/sdk/go/httpserver"
20 "github.com/msteinert/pam"
21 "github.com/sirupsen/logrus"
24 type pamLoginController struct {
25 Cluster *arvados.Cluster
26 RailsProxy *railsProxy
29 func (ctrl *pamLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
30 return noopLogout(ctrl.Cluster, opts)
33 func (ctrl *pamLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
34 return arvados.LoginResponse{}, errors.New("interactive login is not available")
37 func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
40 tx, err := pam.StartFunc(ctrl.Cluster.Login.PAMService, opts.Username, func(style pam.Style, message string) (string, error) {
41 ctxlog.FromContext(ctx).Debugf("pam conversation: style=%v message=%q", style, message)
44 ctxlog.FromContext(ctx).WithField("Message", message).Info("pam.ErrorMsg")
45 errorMessage = message
48 ctxlog.FromContext(ctx).WithField("Message", message).Info("pam.TextInfo")
50 case pam.PromptEchoOn, pam.PromptEchoOff:
52 return opts.Password, nil
54 return "", fmt.Errorf("unrecognized message style %d", style)
58 return arvados.APIClientAuthorization{}, err
60 err = tx.Authenticate(pam.DisallowNullAuthtok)
62 err = fmt.Errorf("PAM: %s", err)
63 if errorMessage != "" {
64 // Perhaps the error message in the
65 // conversation is helpful.
66 err = fmt.Errorf("%s; %q", err, errorMessage)
69 err = fmt.Errorf("%s (with username %q and password)", err, opts.Username)
71 // This might hint that the username was
73 err = fmt.Errorf("%s (with username %q; password was never requested by PAM service)", err, opts.Username)
75 return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(err, http.StatusUnauthorized)
77 if errorMessage != "" {
78 return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New(errorMessage), http.StatusUnauthorized)
80 user, err := tx.GetItem(pam.User)
82 return arvados.APIClientAuthorization{}, err
85 if domain := ctrl.Cluster.Login.PAMDefaultEmailDomain; domain != "" && !strings.Contains(email, "@") {
86 email = email + "@" + domain
88 ctxlog.FromContext(ctx).WithFields(logrus.Fields{"user": user, "email": email}).Debug("pam authentication succeeded")
89 ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{ctrl.Cluster.SystemRootToken}})
90 resp, err := ctrl.RailsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
91 // Send a fake ReturnTo value instead of the caller's
92 // opts.ReturnTo. We won't follow the resulting
93 // redirect target anyway.
94 ReturnTo: ",https://none.invalid",
95 AuthInfo: rpc.UserSessionAuthInfo{
101 return arvados.APIClientAuthorization{}, err
103 target, err := url.Parse(resp.RedirectLocation)
105 return arvados.APIClientAuthorization{}, err
107 token := target.Query().Get("api_token")
108 return ctrl.RailsProxy.APIClientAuthorizationCurrent(auth.NewContext(ctx, auth.NewCredentials(token)), arvados.GetOptions{})