Diffstat (limited to 'remote/modules')
-rwxr-xr-xremote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm41
1 files changed, 33 insertions, 8 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 62b99bbc..20970fad 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -6,10 +6,6 @@
# of supported IdPs and if one matches the user's organisation
# we will try to authenticate against it.
-# check if we are allowed to run
-. /opt/openslx/config
-[ -z "${SLX_BWIDM_AUTH}" -a "x${SLX_BWIDM_AUTH}" != "xyes" ] && echo "bwIDM login disabled in openslx-config." && exit 1
-
# fix PATH as PAM clears it
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
if ! busybox which curl; then
@@ -17,6 +13,19 @@ if ! busybox which curl; then
exit 1
fi
+# redirect stdout/stderr to temporary logfile
+readonly LOGFILE="$(mktemp)"
+
+# everything in a subshell in an effort to hide sensitive information
+# from this script's environment
+(
+# redirect stdout and stderr to logfile
+exec > "${LOGFILE}" 2>&1
+
+# check if we are allowed to run
+. /opt/openslx/config
+[ -z "${SLX_BWIDM_AUTH}" -o "x${SLX_BWIDM_AUTH}" != "xyes" ] && echo "bwIDM login disabled in openslx-config." && exit 1
+
# grab the password from stdin asap, since there is no garantee some tool just reads it
if [ "x$PAM_TYPE" == "xauth" ]; then
read USER_PASSWORD
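Review bot: `readonly LOGFILE="$(mktemp)"` at the top of this hunk hides a failing mktemp: LOGFILE would then be empty and `exec > "${LOGFILE}" 2>&1` aborts the subshell with a redirection error instead of a clear message. Split declaration from assignment and check it, `LOGFILE="$(mktemp)" || exit 1` followed by `readonly LOGFILE`. Everything the subshell prints now lands in a file that the outer script may hand to slxlog, so the comment above the `exec` should state that, e.g. `# stdout/stderr go to LOGFILE, which is uploaded on exit code 7 -- nothing printed here may contain the password`. The `-z` test in the SLX_BWIDM_AUTH condition is redundant, since an empty value already fails the `!= "xyes"` comparison; `[ "x${SLX_BWIDM_AUTH}" != "xyes" ]` alone is equivalent.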
@@ -46,9 +55,11 @@ mkdir -p /run/openslx
# check if we have a (non-zero bytes) cached copy of the list
if [ ! -s "${IDP_QUERY_CACHE}" ]; then
- if ! curl -k -o "/run/openslx/bwlp-idp" --connect-timeout 5 --max-time 15 "$IDP_QUERY_URL"; then
+ idpret="$(curl -w "%{http_code}" -k -o "${IDP_QUERY_CACHE}" --connect-timeout 5 --max-time 15 "$IDP_QUERY_URL")"
+ if [ "x$idpret" != "x200" ]; then
echo "Could not download the list of identity providers from '$IDP_QUERY_URL'. Aborting."
- exit 1
+ rm -f "$IDP_QUERY_CACHE"
+ exit 7
fi
fi
# here we have the cache for sure, search for the given organisation's ECP URL
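Review bot: The new `idpret=.../if [ "x$idpret" != "x200" ]` check drops the curl exit status that the replaced `if ! curl` line tested, so a transfer cut off by `--max-time` after the headers arrived can still report 200 and the truncated file is then kept as a valid IDP_QUERY_CACHE for later runs. Capture the status too, e.g. `curlret=$?` on the line after the assignment and `if [ "$curlret" -ne 0 ] || [ "x$idpret" != "x200" ]; then`. Separately, `-k` on this download means the list is accepted from any TLS endpoint, and that list decides which ECP URL later receives the user's username and password (the `curl ... -u` call in a following hunk), so certificate verification should stay on for it (drop `-k`, or point `--cacert` at the expected CA).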
@@ -102,8 +113,8 @@ if [ "x$PAM_TYPE" == "xauth" ]; then
if [ "x$ret" != "x401" ]; then
# this means something else is bad, just exit
- echo "False authentication attempt did not return 401 but: $ret"
- exit 1
+ echo "False authentication attempt did not return 401 as expected but: $ret"
+ exit 7
fi
# the fake auth call behaved as expected, do the actualy login
ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL")
@@ -130,6 +141,10 @@ if [ "x$PAM_TYPE" == "xauth" ]; then
echo "$USER_USERNAME@$USER_ORGANISATION:x:${USER_UID}:${USER_GID}:$USER_USERNAME@$USER_ORGANISATION:/home/${USER_USERNAME}@${USER_ORGANISATION}:/bin/bash" >> /etc/passwd
fi
exit 0
+ elif [ "x$ret" != "x401" ]; then
+ # not 200, not 401, some other kind of error occured, inform slx-admin
+ echo "Unexpected http response code for the login attempt: $ret"
+ exit 7
fi
exit 1
fi
@@ -145,3 +160,13 @@ fi
# script should never get to the following line
echo "$0 called for unsupported PAM_TYPE '$PAM_TYPE'. Aborting."
exit 1
+)
+## main script
+mainret=$?
+if [ "x$mainret" == "x7" ]; then
+ # exit code 7 is our marker to push the logfile to the sat
+ slxlog "pam-bwidm" "Internal error during bwIDM authentication" "${LOGFILE}"
+ rm -f -- "${LOGFILE}"
+ exit 1
+fi
+exit $mainret
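Review bot: The temporary logfile is removed only inside the exit-code-7 branch (`rm -f -- "${LOGFILE}"`), so every other authentication attempt leaves its mktemp file with the subshell's diagnostic output behind in the temp directory. Move the removal after the `fi` so it runs on every path, `rm -f -- "${LOGFILE}"` then `exit "$mainret"`, or register `trap 'rm -f -- "${LOGFILE}"' EXIT` right where the file is created. The `slxlog` call uploads whatever the subshell wrote; a one-line comment next to it, e.g. `# LOGFILE leaves the machine: it must never contain credentials`, would make that contract explicit for later edits.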