| author | Simon Rettberg | 2024-06-26 15:44:09 +0200 |
|---|---|---|
| committer | Simon Rettberg | 2024-06-26 15:44:09 +0200 |
| commit | d70fd4c992ded8b5bc94b7ad230b5e54888ba900 (patch) | |
| tree | 007ee03a71e4119cefd0fd747f7429d0e0ed7ed9 /core/modules | |
| parent | [hardware-stats] Include iproute2's ip for --json (diff) | |
[pam-bwidm] Validate organization suffix for browser/qrcode login
This allows restricting login to a whitelist of specific IdPs.
Diffstat (limited to 'core/modules')
| -rwxr-xr-x | core/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/core/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/core/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 63787309..4d994dbb 100755
--- a/core/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/core/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -181,6 +181,7 @@ auth_user() {
 local cret="$(curl \
 --silent \
 --connect-timeout 5 \
+ --retry 3 \
 --max-time 15 \
 --output "$ret" \
 --data "$REQUEST" \
@@ -270,11 +271,19 @@ write_user_data() {
 if [ "$PAM_TYPE" = "auth" ]; then
 ##### Browser
 if [ "$mode" = "browser" ]; then
+ # Check if suffix is allowed org
+ if [ -d "/opt/openslx/pam/shibboleth/whitelist" ] \
+ && ! grep -Fxqi "$USER_ORGANISATION" /opt/openslx/pam/shibboleth/whitelist/*.suffix; then
+ echo "Organization '$USER_ORGANISATION' not allowed to log in"
+ exit 1
+ fi
+ # Validate with server
 token="${USER_PASSWORD#shib=}"
 if [ "${#USER_PASSWORD}" -gt 18 ] && [ "${USER_PASSWORD}" != "$token" ]; then
 nc="$(curl \
 --silent \
 --connect-timeout 5 \
+ --retry 3 \
 --max-time 15 \
 --data-urlencode "token=${token}" \
 "${IDP_QUERY_URL}?action=verify" |
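Review bot: In the new whitelist check of the second hunk, `$USER_ORGANISATION` is passed to grep as a bare positional pattern, so an empty value matches any blank line in the `*.suffix` files and a value beginning with `-` would be parsed as a grep option rather than a pattern; since this value is derived from the login attempt, the check should fail closed on an empty organisation and pass the pattern explicitly, e.g. `[ -n "$USER_ORGANISATION" ] || exit 1` before the `if`, and `&& ! grep -Fxqi -e "$USER_ORGANISATION" /opt/openslx/pam/shibboleth/whitelist/*.suffix; then` in place of the current grep line. When the whitelist directory exists but holds no `*.suffix` file, the unexpanded glob makes grep fail and the login is denied, which is the safe direction but emits a grep error on stderr; a comment such as `# no *.suffix files → grep fails → login denied (fail closed)` would record that this is intended. The commit message mentions qrcode login, but only the `browser` branch is visible here, so whether the same check is applied for qrcode cannot be confirmed from this hunk. The enclosing function write_user_data starts before and continues past the hunk.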
