diff options
Diffstat (limited to 'remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm')
-rwxr-xr-x | remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm index 1ea5a8a8..ae62c7ee 100755 --- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm +++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm @@ -133,18 +133,33 @@ readonly SOAP_ENVELOPE="/opt/openslx/bwidm_soap.xml" # now the pam-type specific part starts if [ "x$PAM_TYPE" == "xauth" ]; then + HA='Accept: text/html; application/vnd.paos+xml' + HP='PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' + CT='Content-Type: application/vnd.paos+xml; charset=utf-8' + NOW=$(date -u '+%Y-%m-%dT%H:%M:%SZ') + HOST=$(echo "${USER_ECP_URL}" | awk -F '/' '{print $3}') + REQUEST=$(sed "s/%TIMESTAMP%/${NOW}/g" "${SOAP_ENVELOPE}") + NETRC=$(mktemp -p /run/) + [ -z "$NETRC" ] && NETRC="/run/netrc_$$_${USER}_${RANDOM}.tmp" + touch "$NETRC" + chmod 0600 "$NETRC" # now we are ready to actually send the credentials to the IdP # to be sure everything is working as expected - # we will first send a wrong password (by repeating the given password) and expect a 401 - ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}" "$USER_ECP_URL") + # we will first send a wrong password and expect a 401 + echo "machine ${HOST} login ${USER_USERNAME} password ___invalid-INVALID++~" > "${NETRC}" + ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d "${REQUEST}" -H "$CT" -H "$HP" -H "$HA" --basic --netrc-file "$NETRC" "$USER_ECP_URL") if [ "x$ret" != "x401" ]; then # this means something else is bad, just exit echo "False authentication attempt did not return 401 as expected but: $ret" + rm -- "${NETRC}" exit 7 fi # the fake auth call behaved as expected, do the actualy login - ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL") + echo "machine ${HOST} login ${USER_USERNAME} password ${USER_PASSWORD}" > "${NETRC}" + ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -d "${REQUEST}" -H "$CT" -H "$HP" -H "$HA" --basic --netrc-file "$NETRC" "$USER_ECP_URL") + echo "machine ${HOST} login ${USER_USERNAME} password ********************" > "${NETRC}" # It should be a tmpfs but you never know + rm -- "${NETRC}" if [ "x$ret" == "x200" ]; then # auth succeeded, lets create a local user representing the bwIDM user @@ -194,5 +209,8 @@ if [ "x$mainret" == "x7" ]; then # exit code 7 is our marker to push the logfile to the sat slxlog --delete "pam-bwidm" "Internal error during bwIDM authentication" "${LOGFILE}" exit 1 +else + rm -- "${LOGFILE}" fi exit "${mainret}" + |