authorSimon Rettberg2016-04-25 11:42:14 +0200
committerSimon Rettberg2016-04-25 11:42:14 +0200
commit9fe0323d0defaf4dbe1e118a282b331dc8a4d7c2 (patch)
treee470bbda16369322876d207d2c31e7a2c2a12239
parent[kernel-vanilla] 4.4.8 (diff)
[pam-bwidm] minor cleanup
-rwxr-xr-xremote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm47
-rw-r--r--server/modules/pam-bwidm-freiburg/etc/pam.d/common-account14
-rw-r--r--server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth18
3 files changed, 33 insertions, 46 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 869e92a9..179d61d8 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -8,13 +8,16 @@
# fix PATH as PAM clears it
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
-if ! busybox which curl; then
- echo "'curl' missing. This script won't work without it."
+if ! busybox which curl || ! busybox which mktemp; then
+ echo "'curl/mktemp' missing. This script won't work without it."
exit 1
fi
# redirect stdout/stderr to temporary logfile
readonly LOGFILE="$(mktemp)"
+# URL to query masterserver for IDPs
+readonly IDP_QUERY_URL="https://bwlp-masterserver.ruf.uni-freiburg.de/webif/pam.php"
+readonly IDP_QUERY_CACHE="/run/openslx/bwlp-idp"
# everything in a subshell in an effort to hide sensitive information
# from this script's environment
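Review bot: `readonly LOGFILE="$(mktemp)"` on the new side still discards mktemp's exit status, so a failing mktemp leaves LOGFILE empty and the later `exec > "${LOGFILE}" 2>&1` (visible as the context line of the next hunk) fails with nothing logged; the added `busybox which mktemp` test only covers the binary being absent. Split the assignment so the status is checked: `LOGFILE="$(mktemp)" || exit 1` followed by `readonly LOGFILE`. Separately, the merged message `'curl/mktemp' missing` no longer says which tool is absent; two checks with two messages would keep the log actionable.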
@@ -27,8 +30,9 @@ exec > "${LOGFILE}" 2>&1
[ -z "${SLX_BWIDM_AUTH}" -o "x${SLX_BWIDM_AUTH}" != "xyes" ] && echo "bwIDM login disabled in openslx-config." && exit 1
# grab the password from stdin asap, since there is no garantee some tool just reads it
+unset USER_PASSWORD
if [ "x$PAM_TYPE" == "xauth" ]; then
- read USER_PASSWORD
+ read -r USER_PASSWORD > /dev/null 2>&1
readonly USER_PASSWORD
[ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
fi
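Review bot: `read -r USER_PASSWORD` still lets bash strip leading and trailing IFS whitespace from the token, so a password that starts or ends with a space is altered before it is sent to the IdP; clear IFS for the assignment: `IFS= read -r USER_PASSWORD > /dev/null 2>&1`. The `> /dev/null 2>&1` on the same line appears to do nothing beyond hiding read's own diagnostics, since stdout and stderr already point at the log file (see the hunk's context line), so a short comment such as `# read prints nothing; redirection only silences its diagnostics` would stop the next reader from wondering. Bash's read returns non-zero when the input ends without a newline while still assigning the variable, so relying on the `-z` test on the next line rather than on read's status is the right choice and worth stating in that comment.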
@@ -43,14 +47,12 @@ fi
# valid username, we can already split it here
readonly USER_USERNAME="${PAM_USER%@*}"
readonly USER_ORGANISATION="${PAM_USER#*@}"
-[ -z "$USER_ORGANISATION" ] && echo "Could not parse organisation from given username: ${PAM_USER}. Aborting." && exit 1
+[ -z "$USER_ORGANISATION" ] && echo "Could not parse organisation from given login: ${PAM_USER}. Aborting." && exit 1
+[ -z "$USER_USERNAME" ] && echo "Could not parse user from given login: ${PAM_USER}. Aborting." && exit 1
# The given username is valid. Now we get the list of IdPs from the bwlp masterserver
# and try to find the user's organisation
-# URL to query masterserver for IDPs
-readonly IDP_QUERY_URL="https://bwlp-masterserver.ruf.uni-freiburg.de/webif/pam.php"
-readonly IDP_QUERY_CACHE="/run/openslx/bwlp-idp"
mkdir -p /run/openslx
# check if we have a (non-zero bytes) cached copy of the list
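Review bot: The new `[ -z "$USER_USERNAME" ]` check only catches a login that starts with '@'; a login with no '@' at all passes both tests, because `${PAM_USER%@*}` and `${PAM_USER#*@}` leave the string unchanged when the pattern does not match, so USER_USERNAME and USER_ORGANISATION both end up equal to the whole login. Unless the validation the comment above refers to ("valid username", which lies outside this hunk) already requires an '@', add an explicit form check before splitting: `case "$PAM_USER" in *@*) ;; *) echo "Login '${PAM_USER}' is not of the form user@organisation. Aborting."; exit 1 ;; esac`. The two expansions also split at different '@' characters (user keeps everything before the last one, organisation everything after the first one), so `a@b@c` yields user `a@b` and organisation `b@c`; if a single '@' is the only valid form, the same case statement should reject `*@*@*` as well.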
@@ -58,12 +60,11 @@ if [ ! -s "${IDP_QUERY_CACHE}" ]; then
idpret="$(curl -w "%{http_code}" -k -o "${IDP_QUERY_CACHE}" --connect-timeout 5 --max-time 15 "$IDP_QUERY_URL")"
if [ "x$idpret" != "x200" ]; then
echo "Could not download the list of identity providers from '$IDP_QUERY_URL'. Aborting."
- rm -f "$IDP_QUERY_CACHE"
+ rm -f -- "$IDP_QUERY_CACHE"
exit 7
fi
fi
# here we have the cache for sure, search for the given organisation's ECP URL
-USER_ECP_URL=""
USER_ECP_URL="$(awk -v idp="${USER_ORGANISATION}" -F '=' '{if($1==idp) print $2}' < "$IDP_QUERY_CACHE")"
[ -z "$USER_ECP_URL" ] && echo "Could not determine ECP URL for '${USER_ORGANISATION}'" && exit 1
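Review bot: `curl -k` on the IdP-list fetch disables certificate verification for the https masterserver, and that list is what decides where the user's credentials are posted (USER_ECP_URL is looked up from it two lines below), so an on-path attacker who answers for bwlp-masterserver can hand out an ECP URL of his own and collect every login; drop `-k` here, or pin the expected CA with `--cacert /path/to/ca.pem` if the server certificate is not in the system store. A smaller issue: `awk -F '='` prints only `$2`, so an ECP URL that itself contains '=' (a query string, say) would be truncated; `print substr($0, index($0, "=") + 1)` keeps the whole right-hand side. Whether the list format can carry such URLs is not visible from here.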
@@ -76,11 +77,11 @@ USER_ECP_URL="$(awk -v idp="${USER_ORGANISATION}" -F '=' '{if($1==idp) print $2}
BWIDM_GROUP="$(getent group bwidm)"
if [ -z "$BWIDM_GROUP" ]; then
BWIDM_GID=1000
- while [ $BWIDM_GID -gt 100 ]; do
- getent group $BWIDM_GID || break
+ while [ "$BWIDM_GID" -gt 100 ]; do
+ getent group "$BWIDM_GID" || break
let BWIDM_GID--
done
- if [ $BWIDM_GID -eq 100 ]; then
+ if [ "$BWIDM_GID" -eq 100 ]; then
# use demo's gid as a fallback
readonly BWIDM_GID="$(id -g "demo")"
[ -z "$BWIDM_GID" ] && echo "Could not determine the GID of 'demo'. Cannot use it as fallback. Aborting." && exit 1
@@ -100,16 +101,16 @@ if [ -z "$BWIDM_GID" ]; then
fi
readonly USER_GID="$BWIDM_GID"
-# path to the SOAP enveloppe we are gonna need soon
-readonly SOAP_ENVELOPPE="/opt/openslx/bwidm_soap.xml"
-[ ! -f "${SOAP_ENVELOPPE}" ] && echo "Failed to find the SOAP enveloppe at '${SOAP_ENVELOPPE}'. Aborting." && exit 1
+# path to the SOAP envelope we are gonna need soon
+readonly SOAP_ENVELOPE="/opt/openslx/bwidm_soap.xml"
+[ ! -f "${SOAP_ENVELOPE}" ] && echo "Failed to find the SOAP envelope at '${SOAP_ENVELOPE}'. Aborting." && exit 1
# now the pam-type specific part starts
if [ "x$PAM_TYPE" == "xauth" ]; then
# now we are ready to actually send the credentials to the IdP
# to be sure everything is working as expected
# we will first send a wrong password (by repeating the given password) and expect a 401
- ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}" "$USER_ECP_URL")
+ ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}" "$USER_ECP_URL")
if [ "x$ret" != "x401" ]; then
# this means something else is bad, just exit
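Review bot: The renamed curl call still passes the password on the command line via `-u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}"`, which exposes it to every local user through /proc/<pid>/cmdline for the duration of the request; on a shared login host that defeats the effort the script makes to keep the secret out of its own environment. Feed the credential through a curl config file on stdin instead: `printf 'user = "%s:%s%s"\n' "$USER_USERNAME" "$USER_PASSWORD" "$USER_PASSWORD" | curl ... -K - "$USER_ECP_URL"` (a `"` or `\` inside the password must be backslash-escaped for curl's config syntax, so escape it or reject it first). The same applies to the real login call in the next hunk, and `-k` on both calls means the Basic credentials are also handed to any host that can impersonate the ECP endpoint.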
@@ -117,28 +118,28 @@ if [ "x$PAM_TYPE" == "xauth" ]; then
exit 7
fi
# the fake auth call behaved as expected, do the actualy login
- ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL")
+ ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL")
if [ "x$ret" == "x200" ]; then
# auth succeeded, lets create a local user representing the bwIDM user
echo "Login for '$USER_USERNAME' on '$USER_ORGANISATION' succeeded."
# create a random 6digit UID
LOOPS=0
- while [ $LOOPS -lt 5 ]; do
+ while [ "$LOOPS" -lt 5 ]; do
USER_UID="$(( 100000 + $RANDOM ))"
- # check existance of this UID, if its free, use it
+ # check existence of this UID, if its free, use it
getent passwd "$USER_UID" || break
let LOOPS++
done
- if [ $LOOPS -eq 5 ]; then
+ if [ "$LOOPS" -eq 5 ]; then
# could not find an empty random 6-digit UID, so we will use demo's UID...
USER_UID="$(id -u demo)"
[ -z "$USER_UID" ] && echo "Could not use UID of 'demo' as a fallback, aborting..." && exit 1
fi
# we have a uid, gid, lets just create the local user now
- if ! grep -q "$USER_USERNAME@$USER_ORGANISATION" /etc/passwd; then
- echo "$USER_USERNAME@$USER_ORGANISATION:x:${USER_UID}:${USER_GID}:$USER_USERNAME@$USER_ORGANISATION:/home/${USER_USERNAME}@${USER_ORGANISATION}:/bin/bash" >> /etc/passwd
+ if ! grep -q "^${PAM_USER}:" /etc/passwd; then
+ echo "${PAM_USER}:x:${USER_UID}:${USER_GID}:${PAM_USER}:/home/${PAM_USER}:/bin/bash" >> /etc/passwd
fi
exit 0
elif [ "x$ret" != "x401" ]; then
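Review bot: The new /etc/passwd line is built from `${PAM_USER}` verbatim, and the same string is used unescaped as the grep regex on the line before, so a login containing ':' or a newline could add fields or a second entry, and a '.' in the organisation part matches any character in the grep check. Unless the validation the script's earlier "valid username" comment refers to (outside this hunk) already restricts the login to a safe character set, reject anything else before touching /etc/passwd: `case "$PAM_USER" in *[!A-Za-z0-9@._-]*) echo "Invalid characters in login '${PAM_USER}'. Aborting."; exit 1 ;; esac`. The enclosing `if [ "x$ret" == "x200" ]` chain continues past the end of the hunk.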
@@ -169,4 +170,4 @@ if [ "x$mainret" == "x7" ]; then
( sleep 1; rm -f -- "${LOGFILE}" ) &
exit 1
fi
-exit $mainret
+exit "${mainret}"
diff --git a/server/modules/pam-bwidm-freiburg/etc/pam.d/common-account b/server/modules/pam-bwidm-freiburg/etc/pam.d/common-account
index da270620..d8c9be5e 100644
--- a/server/modules/pam-bwidm-freiburg/etc/pam.d/common-account
+++ b/server/modules/pam-bwidm-freiburg/etc/pam.d/common-account
@@ -6,22 +6,14 @@
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-#
# here are the per-package modules (the "Primary" block)
-account [success=3 new_authtok_reqd=done default=ignore] pam_exec.so quiet debug /opt/openslx/scripts/pam_bwidm
-account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so use_first_pass
-account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so use_first_pass
+account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=2 new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm
+account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
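Review bot: The `success=N` skip counts on the three reordered lines are positional (3, 2 and 1 all land on the `pam_permit.so` line), but nothing in the file says so, and the next person inserting a module between them will silently break the jump targets; a comment above the block such as `# success=N skips the N following lines; every N must land on the pam_permit line below, adjust when inserting modules` makes the invariant explicit. Since the pam-auth-update header was dropped, the file is now hand-managed; saying so in the same comment tells a maintainer not to reintroduce the generated block.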
diff --git a/server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth b/server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth
index dc10df3b..66185b71 100644
--- a/server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth
+++ b/server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth
@@ -7,23 +7,17 @@
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-auth [success=4 default=ignore] pam_exec.so quiet debug expose_authtok /opt/openslx/scripts/pam_bwidm
-auth [success=ok default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
-auth [success=2 default=ignore] pam_unix.so try_first_pass
-auth [success=1 default=ignore] pam_sss.so use_first_pass
+auth [success=6 default=ignore] pam_unix.so try_first_pass nodelay
+auth [success=4 default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm
+auth optional pam_krb5.so minimum_uid=1000 use_first_pass
+auth [success=2 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
+auth optional pam_faildelay.so delay=2123123
auth requisite pam_deny.so
-auth optional pam_script.so expose=1
+auth optional pam_script.so expose=1
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
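Review bot: `success=6` on the new pam_unix line jumps over `pam_script.so` (pam_exec, pam_krb5, pam_sss, pam_faildelay, pam_deny, pam_script), while `success=4` on pam_exec and `success=2` on pam_sss both land on it, so pam_script with `expose=1` runs for bwIDM and sss logins but never for local ones. If that asymmetry is intended it deserves a comment; if local users should run pam_script too, the count is `success=5`. With pam_krb5 now `optional`, a Kerberos success alone no longer authenticates anyone (the stack still reaches `pam_deny.so` when pam_sss fails); that fits a ticket-acquisition-only role but is worth a comment on the line, e.g. `# optional: obtains a ticket only, never authenticates by itself`.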