X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/864c3b0afd16c77e046f0072d8517d34c5a44792..refs/heads/19518-pam-access-check:/lib/controller/localdb/login_pam.go?ds=sidebyside
diff --git a/lib/controller/localdb/login_pam.go b/lib/controller/localdb/login_pam.go
index 237f900a83..4669122543 100644
--- a/lib/controller/localdb/login_pam.go
+++ b/lib/controller/localdb/login_pam.go
@@ -2,6 +2,8 @@
 //
 // SPDX-License-Identifier: AGPL-3.0
 
+//go:build !static
+
 package localdb
 
 import (
@@ -55,6 +57,7 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 	if err != nil {
 		return arvados.APIClientAuthorization{}, err
 	}
+	// Check that the given credentials are valid.
 	err = tx.Authenticate(pam.DisallowNullAuthtok)
 	if err != nil {
 		err = fmt.Errorf("PAM: %s", err)
@@ -75,6 +78,15 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 	if errorMessage != "" {
 		return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New(errorMessage), http.StatusUnauthorized)
 	}
+	// Check that the account/user is permitted to access this host.
+	err = tx.AcctMgmt(pam.DisallowNullAuthtok)
+	if err != nil {
+		err = fmt.Errorf("PAM: %s", err)
+		if errorMessage != "" {
+			err = fmt.Errorf("%s; %q", err, errorMessage)
+		}
+		return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(err, http.StatusUnauthorized)
+	}
 	user, err := tx.GetItem(pam.User)
 	if err != nil {
 		return arvados.APIClientAuthorization{}, err
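Review bot: In the last hunk, a message emitted during the account-management step is only acted on when AcctMgmt itself returns an error, whereas the context lines directly above reject the login whenever errorMessage is non-empty after Authenticate, even on success. Since errorMessage is known to be empty when the new block is entered, the inner `if errorMessage != ""` is only reachable if the PAM conversation callback (set up outside the hunk) can append to it during AcctMgmt, and in that case an AcctMgmt call that returns nil but still produced a message lets the login proceed silently. To keep the two steps consistent, repeat the earlier check after the new block: `if errorMessage != "" { return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New(errorMessage), http.StatusUnauthorized) }`. A test that drives an account-management denial (for example an expired account) would pin the intended behaviour of this path. UserAuthenticate begins and ends outside the hunk.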