X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/7407f41105f8000bb3908d41a31daaf3a30d9440..ab832f5a22db3debbd13cacbee9cf69d68d7075c:/lib/controller/localdb/login_pam.go
diff --git a/lib/controller/localdb/login_pam.go b/lib/controller/localdb/login_pam.go
index 2447713a2c..4669122543 100644
--- a/lib/controller/localdb/login_pam.go
+++ b/lib/controller/localdb/login_pam.go
@@ -2,6 +2,8 @@
 //
 // SPDX-License-Identifier: AGPL-3.0
 
+//go:build !static
+
 package localdb
 
 import (
@@ -20,12 +22,12 @@ import (
 )
 
 type pamLoginController struct {
-	Cluster *arvados.Cluster
-	RailsProxy *railsProxy
+	Cluster *arvados.Cluster
+	Parent *Conn
 }
 
 func (ctrl *pamLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
-	return noopLogout(ctrl.Cluster, opts)
+	return logout(ctx, ctrl.Cluster, opts)
 }
 
 func (ctrl *pamLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
@@ -55,6 +57,7 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 	if err != nil {
 		return arvados.APIClientAuthorization{}, err
 	}
+	// Check that the given credentials are valid.
 	err = tx.Authenticate(pam.DisallowNullAuthtok)
 	if err != nil {
 		err = fmt.Errorf("PAM: %s", err)
@@ -75,6 +78,15 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 	if errorMessage != "" {
 		return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New(errorMessage), http.StatusUnauthorized)
 	}
+	// Check that the account/user is permitted to access this host.
+	err = tx.AcctMgmt(pam.DisallowNullAuthtok)
+	if err != nil {
+		err = fmt.Errorf("PAM: %s", err)
+		if errorMessage != "" {
+			err = fmt.Errorf("%s; %q", err, errorMessage)
+		}
+		return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(err, http.StatusUnauthorized)
+	}
 	user, err := tx.GetItem(pam.User)
 	if err != nil {
 		return arvados.APIClientAuthorization{}, err
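Review bot: The new `//go:build !static` line on its own is only honoured by Go 1.17 and later; on an older toolchain it is ignored and this PAM-backed file would still be compiled into static builds. If the module's go directive (not visible in this diff) is older than 1.17, keep the legacy form next to it, `// +build !static`, which gofmt on newer toolchains maintains automatically. If the module already requires 1.17 or later this point is moot.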
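Review bot: When `tx.AcctMgmt` returns nil but the PAM conversation has populated `errorMessage` during the account check, that message is silently dropped and the login succeeds, whereas the `if errorMessage != ""` block at the top of this hunk appears to treat the same condition after `tx.Authenticate` as a failed login. The new error branch already anticipates `errorMessage` being set during AcctMgmt, so the post-Authenticate check should be mirrored after the new block: `if errorMessage != "" { return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New(errorMessage), http.StatusUnauthorized) }`. Separately, `fmt.Errorf("%s; %q", err, errorMessage)` echoes the account module's text verbatim to the client in the 401 body, which can let a caller distinguish an expired or locked account from a wrong password; logging the detail server-side and returning a generic message is the safer default. UserAuthenticate begins and ends outside this hunk.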
@@ -87,7 +99,7 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 		"user": user,
 		"email": email,
 	}).Debug("pam authentication succeeded")
-	return createAPIClientAuthorization(ctx, ctrl.RailsProxy, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
+	return ctrl.Parent.CreateAPIClientAuthorization(ctx, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
 		Username: user,
 		Email: email,
 	})