From 6b7fbfa7cc9368b4736da9c622a99f9b0b5956e8 Mon Sep 17 00:00:00 2001
From: Jonathan Bauer
Date: Wed, 20 Apr 2016 17:42:18 +0200
Subject: [pam-bwidm] stdout/stderr redirection + minor fixes
---
 .../pam-bwidm/data/opt/openslx/scripts/pam_bwidm | 41 +++++++++++++++++-----
 1 file changed, 33 insertions(+), 8 deletions(-)
(limited to 'remote/modules')
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 62b99bbc..20970fad 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -6,10 +6,6 @@
 # of supported IdPs and if one matches the user's organisation
 # we will try to authenticate against it.
-# check if we are allowed to run
-. /opt/openslx/config
-[ -z "${SLX_BWIDM_AUTH}" -a "x${SLX_BWIDM_AUTH}" != "xyes" ] && echo "bwIDM login disabled in openslx-config." && exit 1
-
 # fix PATH as PAM clears it
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
 if ! busybox which curl; then
@@ -17,6 +13,19 @@ if ! busybox which curl; then
 	exit 1
 fi
+# redirect stdout/stderr to temporary logfile
+readonly LOGFILE="$(mktemp)"
+
+# everything in a subshell in an effort to hide sensitive information
+# from this script's environment
+(
+# redirect stdout and stderr to logfile
+exec > "${LOGFILE}" 2>&1
+
+# check if we are allowed to run
+. /opt/openslx/config
+[ -z "${SLX_BWIDM_AUTH}" -o "x${SLX_BWIDM_AUTH}" != "xyes" ] && echo "bwIDM login disabled in openslx-config." && exit 1
+
 # grab the password from stdin asap, since there is no garantee some tool just reads it
 if [ "x$PAM_TYPE" == "xauth" ]; then
 	read USER_PASSWORD
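Review bot: `readonly LOGFILE="$(mktemp)"` masks a failing mktemp — the assignment itself succeeds with an empty LOGFILE, and what `exec > "${LOGFILE}" 2>&1` then does with an empty path depends on the shell running the script (the shebang is outside this hunk), so the failure may surface only as a silent exit 1. `LOGFILE="$(mktemp)" || exit 1` followed by `readonly LOGFILE` reports it at the point it happens. Separately, the config check now runs after the redirection, so "bwIDM login disabled in openslx-config." lands only in the temp file, and because that path exits 1 rather than 7 the last hunk neither pushes nor removes that file, so the reason for the refusal is never shown anywhere; checking `SLX_BWIDM_AUTH` before the `(` as the old code did, or echoing the message to a saved copy of the original stderr, keeps it visible. The subshell opened here is closed in the last hunk.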
@@ -46,9 +55,11 @@ mkdir -p /run/openslx
 # check if we have a (non-zero bytes) cached copy of the list
 if [ ! -s "${IDP_QUERY_CACHE}" ]; then
-	if ! curl -k -o "/run/openslx/bwlp-idp" --connect-timeout 5 --max-time 15 "$IDP_QUERY_URL"; then
+	idpret="$(curl -w "%{http_code}" -k -o "${IDP_QUERY_CACHE}" --connect-timeout 5 --max-time 15 "$IDP_QUERY_URL")"
+	if [ "x$idpret" != "x200" ]; then
 		echo "Could not download the list of identity providers from '$IDP_QUERY_URL'. Aborting."
-		exit 1
+		rm -f "$IDP_QUERY_CACHE"
+		exit 7
 	fi
 fi
 # here we have the cache for sure, search for the given organisation's ECP URL
@@ -102,8 +113,8 @@ if [ "x$PAM_TYPE" == "xauth" ]; then
 	if [ "x$ret" != "x401" ]; then
 		# this means something else is bad, just exit
-		echo "False authentication attempt did not return 401 but: $ret"
-		exit 1
+		echo "False authentication attempt did not return 401 as expected but: $ret"
+		exit 7
 	fi
 	# the fake auth call behaved as expected, do the actualy login
 	ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL")
@@ -130,6 +141,10 @@ if [ "x$PAM_TYPE" == "xauth" ]; then
 			echo "$USER_USERNAME@$USER_ORGANISATION:x:${USER_UID}:${USER_GID}:$USER_USERNAME@$USER_ORGANISATION:/home/${USER_USERNAME}@${USER_ORGANISATION}:/bin/bash" >> /etc/passwd
 		fi
 		exit 0
+	elif [ "x$ret" != "x401" ]; then
+		# not 200, not 401, some other kind of error occured, inform slx-admin
+		echo "Unexpected http response code for the login attempt: $ret"
+		exit 7
 	fi
 	exit 1
 fi
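Review bot: `curl -k` on the new download line turns off certificate verification for the file that supplies the ECP URL, and the third hunk shows that URL later receiving `--basic -u "${USER_USERNAME}:${USER_PASSWORD}"`, so the authenticity of the endpoint the user's password is sent to rests on an unverified download that is cached and trusted whenever `$idpret` is `200`. The `-k` predates this commit, but now that the response is cached on a `200` it is the right moment to drop it (or pin the server's CA with `--cacert <ca-file>`) on this line and on the login calls in the third hunk. On the new check itself: `-w "%{http_code}"` yields `000` when curl never gets a response (connect timeout, DNS failure), so a transient network problem also reaches `exit 7` and is reported as an internal error; including the code in the message, e.g. `echo "Could not download the list of identity providers from '$IDP_QUERY_URL' (http code $idpret). Aborting."`, lets the two cases be told apart in the pushed log.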
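Review bot: The login call kept as context at the end of the second hunk of this line passes the password on curl's command line via `--basic -u "${USER_USERNAME}:${USER_PASSWORD}"`, and a process's argument list is readable by other local users through `ps` or `/proc/<pid>/cmdline`, so the subshell added in the first hunk to keep credentials out of the environment does not cover this path. Handing the credentials to curl through a config file on stdin keeps them out of argv: `printf 'user = "%s:%s"\n' "$USER_USERNAME" "$USER_PASSWORD" | curl -K - --basic ... "$USER_ECP_URL"` with the `-u` option removed; a password containing `"` or `\` would need curl's config-file escaping first. The same presumably applies to the preceding "false authentication" call whose response is checked at the top of that hunk, if it is built the same way. The enclosing `if [ "x$PAM_TYPE" == "xauth" ]` block starts and ends outside the hunk.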
@@ -145,3 +160,13 @@ fi
 # script should never get to the following line
 echo "$0 called for unsupported PAM_TYPE '$PAM_TYPE'. Aborting."
 exit 1
+)
+## main script
+mainret=$?
+if [ "x$mainret" == "x7" ]; then
+	# exit code 7 is our marker to push the logfile to the sat
+	slxlog "pam-bwidm" "Internal error during bwIDM authentication" "${LOGFILE}"
+	rm -f -- "${LOGFILE}"
+	exit 1
+fi
+exit $mainret
-- 
cgit v1.2.3-55-g7522
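Review bot: `rm -f -- "${LOGFILE}"` only runs inside the `x7` branch, so on every other exit of the subshell — success (`exit 0`), a rejected login or the disabled-config case (`exit 1`) — the temp file created by `mktemp` in the first hunk stays behind, and since this runs once per authentication attempt these files accumulate in the temp directory with whatever the subshell printed. Move the removal after the `fi` so it runs unconditionally and quote the final status: `rm -f -- "${LOGFILE}"` followed by `exit "$mainret"`; a `trap 'rm -f -- "${LOGFILE}"' EXIT` placed right after the mktemp in the first hunk would cover signals as well. `mainret=$?` still reads the subshell's status despite the `## main script` comment between `)` and the assignment, but the comment would read better above the `(` that opens the subshell in the first hunk, which is where the main part actually begins.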