X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/521e8ecf4ac93ac27c7bec97601c246e391daf43..fb96637bf76fe8779e7a7e58f052b8f55ed76f4f:/lib/controller/localdb/login_pam.go

diff --git a/lib/controller/localdb/login_pam.go b/lib/controller/localdb/login_pam.go
index be90cb3d14..237f900a83 100644
--- a/lib/controller/localdb/login_pam.go
+++ b/lib/controller/localdb/login_pam.go
@@ -9,12 +9,10 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"net/url"
 	"strings"
 
 	"git.arvados.org/arvados.git/lib/controller/rpc"
 	"git.arvados.org/arvados.git/sdk/go/arvados"
-	"git.arvados.org/arvados.git/sdk/go/auth"
 	"git.arvados.org/arvados.git/sdk/go/ctxlog"
 	"git.arvados.org/arvados.git/sdk/go/httpserver"
 	"github.com/msteinert/pam"
@@ -22,12 +20,12 @@ import (
 )
 
 type pamLoginController struct {
-	Cluster    *arvados.Cluster
-	RailsProxy *railsProxy
+	Cluster *arvados.Cluster
+	Parent  *Conn
 }
 
 func (ctrl *pamLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
-	return noopLogout(ctrl.Cluster, opts)
+	return logout(ctx, ctrl.Cluster, opts)
 }
 
 func (ctrl *pamLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
@@ -36,7 +34,8 @@ func (ctrl *pamLoginController) Login(ctx context.Context, opts arvados.LoginOpt
 
 func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
 	errorMessage := ""
-	tx, err := pam.StartFunc(ctrl.Cluster.Login.PAMService, opts.Username, func(style pam.Style, message string) (string, error) {
+	sentPassword := false
+	tx, err := pam.StartFunc(ctrl.Cluster.Login.PAM.Service, opts.Username, func(style pam.Style, message string) (string, error) {
 		ctxlog.FromContext(ctx).Debugf("pam conversation: style=%v message=%q", style, message)
 		switch style {
 		case pam.ErrorMsg:
@@ -47,6 +46,7 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 			ctxlog.FromContext(ctx).WithField("Message", message).Info("pam.TextInfo")
 			return "", nil
 		case pam.PromptEchoOn, pam.PromptEchoOff:
+			sentPassword = true
 			return opts.Password, nil
 		default:
 			return "", fmt.Errorf("unrecognized message style %d", style)
@@ -57,6 +57,19 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 	}
 	err = tx.Authenticate(pam.DisallowNullAuthtok)
 	if err != nil {
+		err = fmt.Errorf("PAM: %s", err)
+		if errorMessage != "" {
+			// Perhaps the error message in the
+			// conversation is helpful.
+			err = fmt.Errorf("%s; %q", err, errorMessage)
+		}
+		if sentPassword {
+			err = fmt.Errorf("%s (with username %q and password)", err, opts.Username)
+		} else {
+			// This might hint that the username was
+			// invalid.
+			err = fmt.Errorf("%s (with username %q; password was never requested by PAM service)", err, opts.Username)
+		}
 		return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(err, http.StatusUnauthorized)
 	}
 	if errorMessage != "" {
@@ -67,27 +80,15 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 		return arvados.APIClientAuthorization{}, err
 	}
 	email := user
-	if domain := ctrl.Cluster.Login.PAMDefaultEmailDomain; domain != "" && !strings.Contains(email, "@") {
+	if domain := ctrl.Cluster.Login.PAM.DefaultEmailDomain; domain != "" && !strings.Contains(email, "@") {
 		email = email + "@" + domain
 	}
-	ctxlog.FromContext(ctx).WithFields(logrus.Fields{"user": user, "email": email}).Debug("pam authentication succeeded")
-	ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{ctrl.Cluster.SystemRootToken}})
-	resp, err := ctrl.RailsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
-		// Send a fake ReturnTo value instead of the caller's
-		// opts.ReturnTo. We won't follow the resulting
-		// redirect target anyway.
-		ReturnTo: ",https://none.invalid",
-		AuthInfo: rpc.UserSessionAuthInfo{
-			Username: user,
-			Email:    email,
-		},
+	ctxlog.FromContext(ctx).WithFields(logrus.Fields{
+		"user":  user,
+		"email": email,
+	}).Debug("pam authentication succeeded")
+	return ctrl.Parent.CreateAPIClientAuthorization(ctx, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
+		Username: user,
+		Email:    email,
 	})
-	if err != nil {
-		return arvados.APIClientAuthorization{}, err
-	}
-	target, err := url.Parse(resp.RedirectLocation)
-	if err != nil {
-		return arvados.APIClientAuthorization{}, err
-	}
-	return arvados.APIClientAuthorization{APIToken: target.Query().Get("api_token")}, err
 }