19518: Check account access permission during pam auth.

[arvados.git] / lib / controller / localdb / login_pam.go

diff --git a/lib/controller/localdb/login_pam.go b/lib/controller/localdb/login_pam.go
index 237f900a83458b61e695ffe7e6808820419c2cea..466912254310ce3590ca24bba78aff8dc815fa0b 100644 (file)
--- a/lib/controller/localdb/login_pam.go
+++ b/lib/controller/localdb/login_pam.go
@@ -2,6 +2,8 @@
 //
 // SPDX-License-Identifier: AGPL-3.0
 
+//go:build !static
+
 package localdb
 
 import (
@@ -55,6 +57,7 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
        if err != nil {
                return arvados.APIClientAuthorization{}, err
        }
+       // Check that the given credentials are valid.
        err = tx.Authenticate(pam.DisallowNullAuthtok)
        if err != nil {
                err = fmt.Errorf("PAM: %s", err)
@@ -75,6 +78,15 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
        if errorMessage != "" {
                return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New(errorMessage), http.StatusUnauthorized)
        }
+       // Check that the account/user is permitted to access this host.
+       err = tx.AcctMgmt(pam.DisallowNullAuthtok)
+       if err != nil {
+               err = fmt.Errorf("PAM: %s", err)
+               if errorMessage != "" {
+                       err = fmt.Errorf("%s; %q", err, errorMessage)
+               }
+               return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(err, http.StatusUnauthorized)
+       }
        user, err := tx.GetItem(pam.User)
        if err != nil {
                return arvados.APIClientAuthorization{}, err