author | Simon Rettberg | 2016-09-08 16:29:58 +0200 |
committer | Simon Rettberg | 2016-09-08 16:29:58 +0200 |
commit | ae00d87b4564090b276ec2b0d7ae707b2527991e (patch) | |
tree | 41a4ae1df26c5daec047730cfa2c3f241bd5a8fa | |
parent | [pvs2] Support fetching remote pvs2.ini; honor exam mode, dedicated flag (diff) | |
[pam-bwidm] Create idp request with valid timestamp, don't pass password as command line argument
-rw-r--r-- | remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml | 30 | ||||
-rwxr-xr-x | remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm | 24 |
2 files changed, 29 insertions, 25 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml b/remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml
index ef2c9490..ed456f9c 100644
--- a/remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml
+++ b/remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml
@@ -1,22 +1,8 @@
-<SOAP-ENV:Envelope
- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
- xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
- xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
- xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp">
- <SOAP-ENV:Header>
- </SOAP-ENV:Header>
- <SOAP-ENV:Body>
- <samlp:AuthnRequest
- ID="__RANDOM_STRING__2"
- ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
- AssertionConsumerServiceURL="__AssertionConsumerUrl__"
- IssueInstant="__2016-04-11T1:24:00Z__"
- Version="2.0"
- >
- <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
- __REMOTE_ENTITY_ID__
- </saml:Issuer>
- <samlp:NameIDPolicy AllowCreate="1"/>
- </samlp:AuthnRequest>
- </SOAP-ENV:Body>
-</SOAP-ENV:Envelope>
+<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
+ <S:Body>
+ <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://bwlp-masterserver.ruf.uni-freiburg.de/Shibboleth.sso/SAML2/ECP" ID="_ff000aafc030c5f0000dbf634b2f0000" IssueInstant="%TIMESTAMP%" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
+ <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://bwlp-masterserver.ruf.uni-freiburg.de/shibboleth</saml:Issuer>
+ <samlp:NameIDPolicy AllowCreate="1"/>
+ </samlp:AuthnRequest>
+ </S:Body>
+</S:Envelope>
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 1ea5a8a8..ae62c7ee 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
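Review bot: The `ID` attribute of the new `samlp:AuthnRequest` is a fixed value, `_ff000aafc030c5f0000dbf634b2f0000`, whereas the removed template carried a `__RANDOM_STRING__2` placeholder; SAML 2.0 requires message IDs to be unique per request, and an IdP that keeps a replay cache of inbound message IDs may refuse a repeated one. A second placeholder such as `ID="%REQUEST_ID%"`, substituted by the caller alongside `%TIMESTAMP%` (an `_`-prefixed value read from `/proc/sys/kernel/random/uuid` would also satisfy the xs:ID rule that the value must not begin with a digit), would keep each request distinct. The `AssertionConsumerServiceURL` and `saml:Issuer` are now hard-coded to one deployment where the old file used `__AssertionConsumerUrl__` and `__REMOTE_ENTITY_ID__`; if that is intended, a leading `<!-- site-specific: SP entity ID and ACS URL are fixed to bwlp-masterserver.ruf.uni-freiburg.de -->` comment would make it obvious to whoever copies this module elsewhere.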
@@ -133,18 +133,33 @@ readonly SOAP_ENVELOPE="/opt/openslx/bwidm_soap.xml"
 # now the pam-type specific part starts
 if [ "x$PAM_TYPE" == "xauth" ]; then
+ HA='Accept: text/html; application/vnd.paos+xml'
+ HP='PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'
+ CT='Content-Type: application/vnd.paos+xml; charset=utf-8'
+ NOW=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
+ HOST=$(echo "${USER_ECP_URL}" | awk -F '/' '{print $3}')
+ REQUEST=$(sed "s/%TIMESTAMP%/${NOW}/g" "${SOAP_ENVELOPE}")
+ NETRC=$(mktemp -p /run/)
+ [ -z "$NETRC" ] && NETRC="/run/netrc_$$_${USER}_${RANDOM}.tmp"
+ touch "$NETRC"
+ chmod 0600 "$NETRC"
 # now we are ready to actually send the credentials to the IdP
 # to be sure everything is working as expected
- # we will first send a wrong password (by repeating the given password) and expect a 401
- ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}" "$USER_ECP_URL")
+ # we will first send a wrong password and expect a 401
+ echo "machine ${HOST} login ${USER_USERNAME} password ___invalid-INVALID++~" > "${NETRC}"
+ ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d "${REQUEST}" -H "$CT" -H "$HP" -H "$HA" --basic --netrc-file "$NETRC" "$USER_ECP_URL")
 if [ "x$ret" != "x401" ]; then
 # this means something else is bad, just exit
 echo "False authentication attempt did not return 401 as expected but: $ret"
+ rm -- "${NETRC}"
 exit 7
 fi
 # the fake auth call behaved as expected, do the actualy login
- ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL")
+ echo "machine ${HOST} login ${USER_USERNAME} password ${USER_PASSWORD}" > "${NETRC}"
+ ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d "${REQUEST}" -H "$CT" -H "$HP" -H "$HA" --basic --netrc-file "$NETRC" "$USER_ECP_URL")
+ echo "machine ${HOST} login ${USER_USERNAME} password ********************" > "${NETRC}" # It should be a tmpfs but you never know
+ rm -- "${NETRC}"
 if [ "x$ret" == "x200" ]; then
 # auth succeeded, lets create a local user representing the bwIDM user
@@ -194,5 +209,8 @@ if [ "x$mainret" == "x7" ]; then
 # exit code 7 is our marker to push the logfile to the sat
 slxlog --delete "pam-bwidm" "Internal error during bwIDM authentication" "${LOGFILE}"
 exit 1
+else
+ rm -- "${LOGFILE}"
 fi
 exit "${mainret}"
+ |