From 7300288761fb269dfcef316a8e79a4e48ae77c12 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 5 Sep 2016 20:44:02 +0200
Subject: [pam-bwidm] Support organization filtering
---
 .../pam-bwidm/data/opt/openslx/scripts/pam_bwidm | 44 +++++++++++++++++-----
 1 file changed, 35 insertions(+), 9 deletions(-)
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 69a0b657..1ea5a8a8 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -8,6 +8,15 @@
 # fix PATH as PAM clears it
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# grab the password from stdin asap, since there is no guarantee some tool just reads it
+unset USER_PASSWORD
+if [ "x$PAM_TYPE" == "xauth" ]; then
+ read -r USER_PASSWORD > /dev/null 2>&1
+ readonly USER_PASSWORD
+ [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
+fi
+
 if ! busybox which curl || ! busybox which mktemp; then
  echo "'curl/mktemp' missing. This script won't work without it."
  exit 1
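Review bot: `read -r USER_PASSWORD` on the added line is subject to IFS trimming, so a password that starts or ends with a space or tab reaches the rest of the script altered, and one consisting only of whitespace is rejected as `No password given.`; use `IFS= read -r USER_PASSWORD > /dev/null 2>&1` so the line is taken verbatim. `[ "x$PAM_TYPE" == "xauth" ]` uses `==`, which is not POSIX `test` syntax, while the rest of the patch compares with `=`; `[ "x$PAM_TYPE" = "xauth" ]` is the portable spelling. The rejection message now fires before the `exec > "${LOGFILE}"` redirect shown in the next hunk's header, so it presumably goes to whatever stdout PAM hands the script rather than the log file; if that is intended, a short comment on the `echo` line saying so would stop the next reader from "fixing" it.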
@@ -27,14 +36,16 @@ exec > "${LOGFILE}" 2>&1
 # check if we are allowed to run
 . /opt/openslx/config
-[ -z "${SLX_BWIDM_AUTH}" -o "x${SLX_BWIDM_AUTH}" != "xyes" ] && echo "bwIDM login disabled in openslx-config." && exit 1
-
-# grab the password from stdin asap, since there is no garantee some tool just reads it
-unset USER_PASSWORD
-if [ "x$PAM_TYPE" == "xauth" ]; then
- read -r USER_PASSWORD > /dev/null 2>&1
- readonly USER_PASSWORD
- [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
+if [ "x${SLX_BWIDM_AUTH}" = "xyes" ]; then
+ : # Allow everything
+elif [ "x${SLX_BWIDM_AUTH}" = "xselective" ]; then
+ if [ -z "${SLX_BWIDM_ORGS}" ]; then
+ echo "bwIDM selective mode with empty org list - exiting"
+ exit 1
+ fi
+else
+ echo "bwIDM login disabled in openslx-config."
+ exit 1
 fi
 # sanity check on PAM_USER: contains '@'?
@@ -50,6 +61,21 @@ readonly USER_ORGANISATION="${PAM_USER#*@}"
 [ -z "$USER_ORGANISATION" ] && echo "Could not parse organisation from given login: ${PAM_USER}. Aborting." && exit 1
 [ -z "$USER_USERNAME" ] && echo "Could not parse user from given login: ${PAM_USER}. Aborting." && exit 1
+# Check if we're in selective mode and if so, whether the user's organization is whitelisted
+if [ "x${SLX_BWIDM_AUTH}" = "xselective" ]; then
+ FOUND=
+ for org in ${SLX_BWIDM_ORGS}; do
+ if [ "x$org" = "x$USER_ORGANISATION" ]; then
+ FOUND=ya
+ break
+ fi
+ done
+ if [ -z "$FOUND" ]; then
+ echo "bwIDM organization $USER_ORGANISATION not in whitelist, abort"
+ exit 1
+ fi
+fi
+
 # The given username is valid. Now we get the list of IdPs from the bwlp masterserver
 # and try to find the user's organisation
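Review bot: The unquoted `${SLX_BWIDM_ORGS}` in `for org in ${SLX_BWIDM_ORGS}` is needed for word splitting, but it also triggers pathname expansion, so a whitelist entry containing `*`, `?` or `[` is replaced by matching file names from the script's working directory before the comparison runs; put `set -f` on the line before `for` and `set +f` after `done` so entries are compared literally. The comparison against `$USER_ORGANISATION` is exact and case-sensitive, which is the right default for an allowlist, but it means config values must match the organisation part of the login byte for byte; a sentence on the `# Check if we're in selective mode` comment saying so would help whoever maintains the config. In the rejection message `$USER_ORGANISATION` is derived from `PAM_USER` and handed to `echo`, which in some shells interprets backslash escapes in its arguments; `printf '%s\n' "bwIDM organization $USER_ORGANISATION not in whitelist, abort"` avoids that, although the surrounding context lines already use the same `echo` pattern.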
@@ -76,7 +102,7 @@ USER_ECP_URL="$(awk -v idp="${USER_ORGANISATION}" -F '=' '{if($1==idp) print $2}
 # now create the bwidm group: find the first free GID from 1000 "downwards" to 100
 BWIDM_GROUP="$(getent group bwidm)"
 if [ -z "$BWIDM_GROUP" ]; then
- BWIDM_GID=1000
+ BWIDM_GID=999
  while [ "$BWIDM_GID" -gt 100 ]; do
   getent group "$BWIDM_GID" || break
   let BWIDM_GID--
-- 
cgit v1.2.3-55-g7522
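Review bot: The comment three lines above the changed line still says the search starts at GID 1000, but the new start value is 999, so comment and code now disagree; update it to `# now create the bwidm group: find the first free GID from 999 "downwards" to 100`. The `if [ -z "$BWIDM_GROUP" ]` block continues past the hunk, so I cannot see what happens when the `while` loop exits with `BWIDM_GID` at 100 because every GID down to 101 was taken; if that case is not handled after `done`, the group would be created with a GID the loop never verified as free, and that path deserves an explicit check and abort.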