20497: Give brief instructions for reviewing subprocess output

[arvados.git] / lib / controller / localdb / login_pam.go

diff --git a/lib/controller/localdb/login_pam.go b/lib/controller/localdb/login_pam.go
index 538e3118edc839e0be355a6965de6da086b9ce9d..466912254310ce3590ca24bba78aff8dc815fa0b 100644 (file)
--- a/lib/controller/localdb/login_pam.go
+++ b/lib/controller/localdb/login_pam.go
@@ -2,6 +2,8 @@
 //
 // SPDX-License-Identifier: AGPL-3.0
 
+//go:build !static
+
 package localdb
 
 import (
@@ -20,12 +22,12 @@ import (
 )
 
 type pamLoginController struct {
-       Cluster    *arvados.Cluster
-       RailsProxy *railsProxy
+       Cluster *arvados.Cluster
+       Parent  *Conn
 }
 
 func (ctrl *pamLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
-       return noopLogout(ctrl.Cluster, opts)
+       return logout(ctx, ctrl.Cluster, opts)
 }
 
 func (ctrl *pamLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
@@ -35,7 +37,7 @@ func (ctrl *pamLoginController) Login(ctx context.Context, opts arvados.LoginOpt
 func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
        errorMessage := ""
        sentPassword := false
-       tx, err := pam.StartFunc(ctrl.Cluster.Login.PAMService, opts.Username, func(style pam.Style, message string) (string, error) {
+       tx, err := pam.StartFunc(ctrl.Cluster.Login.PAM.Service, opts.Username, func(style pam.Style, message string) (string, error) {
                ctxlog.FromContext(ctx).Debugf("pam conversation: style=%v message=%q", style, message)
                switch style {
                case pam.ErrorMsg:
@@ -55,6 +57,7 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
        if err != nil {
                return arvados.APIClientAuthorization{}, err
        }
+       // Check that the given credentials are valid.
        err = tx.Authenticate(pam.DisallowNullAuthtok)
        if err != nil {
                err = fmt.Errorf("PAM: %s", err)
@@ -75,19 +78,28 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
        if errorMessage != "" {
                return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New(errorMessage), http.StatusUnauthorized)
        }
+       // Check that the account/user is permitted to access this host.
+       err = tx.AcctMgmt(pam.DisallowNullAuthtok)
+       if err != nil {
+               err = fmt.Errorf("PAM: %s", err)
+               if errorMessage != "" {
+                       err = fmt.Errorf("%s; %q", err, errorMessage)
+               }
+               return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(err, http.StatusUnauthorized)
+       }
        user, err := tx.GetItem(pam.User)
        if err != nil {
                return arvados.APIClientAuthorization{}, err
        }
        email := user
-       if domain := ctrl.Cluster.Login.PAMDefaultEmailDomain; domain != "" && !strings.Contains(email, "@") {
+       if domain := ctrl.Cluster.Login.PAM.DefaultEmailDomain; domain != "" && !strings.Contains(email, "@") {
                email = email + "@" + domain
        }
        ctxlog.FromContext(ctx).WithFields(logrus.Fields{
                "user":  user,
                "email": email,
        }).Debug("pam authentication succeeded")
-       return createAPIClientAuthorization(ctx, ctrl.RailsProxy, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
+       return ctrl.Parent.CreateAPIClientAuthorization(ctx, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
                Username: user,
                Email:    email,
        })