authorSimon Rettberg2016-09-08 16:29:58 +0200
committerSimon Rettberg2016-09-08 16:29:58 +0200
commitae00d87b4564090b276ec2b0d7ae707b2527991e (patch)
tree41a4ae1df26c5daec047730cfa2c3f241bd5a8fa
parent[pvs2] Support fetching remote pvs2.ini; honor exam mode, dedicated flag (diff)
[pam-bwidm] Create idp request with valid timestamp, don't pass password as command line argument
-rw-r--r--remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml30
-rwxr-xr-xremote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm24
2 files changed, 29 insertions, 25 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml b/remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml
index ef2c9490..ed456f9c 100644
--- a/remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml
+++ b/remote/modules/pam-bwidm/data/opt/openslx/bwidm_soap.xml
@@ -1,22 +1,8 @@
-<SOAP-ENV:Envelope
- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
- xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
- xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
- xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp">
- <SOAP-ENV:Header>
- </SOAP-ENV:Header>
- <SOAP-ENV:Body>
- <samlp:AuthnRequest
- ID="__RANDOM_STRING__2"
- ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
- AssertionConsumerServiceURL="__AssertionConsumerUrl__"
- IssueInstant="__2016-04-11T1:24:00Z__"
- Version="2.0"
- >
- <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
- __REMOTE_ENTITY_ID__
- </saml:Issuer>
- <samlp:NameIDPolicy AllowCreate="1"/>
- </samlp:AuthnRequest>
- </SOAP-ENV:Body>
-</SOAP-ENV:Envelope>
+<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
+ <S:Body>
+ <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://bwlp-masterserver.ruf.uni-freiburg.de/Shibboleth.sso/SAML2/ECP" ID="_ff000aafc030c5f0000dbf634b2f0000" IssueInstant="%TIMESTAMP%" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
+ <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://bwlp-masterserver.ruf.uni-freiburg.de/shibboleth</saml:Issuer>
+ <samlp:NameIDPolicy AllowCreate="1"/>
+ </samlp:AuthnRequest>
+ </S:Body>
+</S:Envelope>
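Review bot: The AuthnRequest ID on the new line 47 is a fixed literal (`_ff000aafc030c5f0000dbf634b2f0000`) where the old template used a `__RANDOM_STRING__2` placeholder; SAML 2.0 requires the ID attribute to be unique per request, and an IdP that records request IDs may reject the real login that follows the deliberate 401 attempt because both carry the same ID. I would make it a placeholder like the timestamp, `ID="%REQUEST_ID%"`, and have pam_bwidm substitute a fresh value in the same sed call that fills `%TIMESTAMP%`. The AssertionConsumerServiceURL and Issuer are now hardcoded to a single deployment as well; if that is intended, a comment in the template noting that they must match the SP registered at the IdP would help the next maintainer.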
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 1ea5a8a8..ae62c7ee 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -133,18 +133,33 @@ readonly SOAP_ENVELOPE="/opt/openslx/bwidm_soap.xml"
# now the pam-type specific part starts
if [ "x$PAM_TYPE" == "xauth" ]; then
+ HA='Accept: text/html; application/vnd.paos+xml'
+ HP='PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'
+ CT='Content-Type: application/vnd.paos+xml; charset=utf-8'
+ NOW=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
+ HOST=$(echo "${USER_ECP_URL}" | awk -F '/' '{print $3}')
+ REQUEST=$(sed "s/%TIMESTAMP%/${NOW}/g" "${SOAP_ENVELOPE}")
+ NETRC=$(mktemp -p /run/)
+ [ -z "$NETRC" ] && NETRC="/run/netrc_$$_${USER}_${RANDOM}.tmp"
+ touch "$NETRC"
+ chmod 0600 "$NETRC"
# now we are ready to actually send the credentials to the IdP
# to be sure everything is working as expected
- # we will first send a wrong password (by repeating the given password) and expect a 401
- ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}" "$USER_ECP_URL")
+ # we will first send a wrong password and expect a 401
+ echo "machine ${HOST} login ${USER_USERNAME} password ___invalid-INVALID++~" > "${NETRC}"
+ ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d "${REQUEST}" -H "$CT" -H "$HP" -H "$HA" --basic --netrc-file "$NETRC" "$USER_ECP_URL")
if [ "x$ret" != "x401" ]; then
# this means something else is bad, just exit
echo "False authentication attempt did not return 401 as expected but: $ret"
+ rm -- "${NETRC}"
exit 7
fi
# the fake auth call behaved as expected, do the actualy login
- ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL")
+ echo "machine ${HOST} login ${USER_USERNAME} password ${USER_PASSWORD}" > "${NETRC}"
+ ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d "${REQUEST}" -H "$CT" -H "$HP" -H "$HA" --basic --netrc-file "$NETRC" "$USER_ECP_URL")
+ echo "machine ${HOST} login ${USER_USERNAME} password ********************" > "${NETRC}" # It should be a tmpfs but you never know
+ rm -- "${NETRC}"
if [ "x$ret" == "x200" ]; then
# auth succeeded, lets create a local user representing the bwIDM user
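Review bot: In the mktemp fallback on lines 67–69 the netrc file is created by `touch` under the inherited umask and only afterwards restricted with `chmod 0600`, so there is a window in which another process could open the (typically 0644) file and keep the descriptor across the later write of the real password; creating it under a restrictive mask closes this, e.g. `(umask 077; : > "$NETRC")` in place of the touch/chmod pair, or simply failing hard when mktemp fails instead of falling back to a predictable name. HOST on line 64 is the third `/`-separated field of the URL, so a URL with an explicit port yields `host:port`, which curl's netrc lookup (matched on the bare hostname, as far as I know) would not find, and both requests would then go out without credentials; `HOST=${HOST%%:*}` would strip the port. The netrc format is whitespace-delimited, so a password containing spaces will not round-trip through line 85; that limitation deserves a comment if it is accepted, and `printf '%s\n'` is the safer way to write the line. A `trap 'rm -f -- "$NETRC"' EXIT` set right after creation would guarantee removal on paths where curl is killed or the script exits between the two writes. The enclosing `if [ "x$PAM_TYPE" == "xauth" ]` block continues beyond the hunk.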
@@ -194,5 +209,8 @@ if [ "x$mainret" == "x7" ]; then
# exit code 7 is our marker to push the logfile to the sat
slxlog --delete "pam-bwidm" "Internal error during bwIDM authentication" "${LOGFILE}"
exit 1
+else
+ rm -- "${LOGFILE}"
fi
exit "${mainret}"
+
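Review bot: The new `rm -- "${LOGFILE}"` on line 96 has no `-f`, so if the log file was never created on this path, or LOGFILE is empty, rm prints an error to stderr at the very end of the PAM run; `rm -f -- "${LOGFILE:?}"` is the quieter form if a missing file is acceptable, and the `:?` guards against the variable being unset. The trailing empty line added at the end of the file is noise and can be dropped. LOGFILE and mainret are defined outside the hunk.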