This repository was archived by the owner on Dec 31, 2019. It is now read-only.

Use user data when returned by the federation provider #11

Open
wants to merge 1 commit into
base: master
17 changes: 12 additions & 5 deletions lib/security/cyclone_pam.py
Expand Up @@ -209,7 +209,7 @@ def get_user_data(access_token):
return json.loads(response)


def check_whitelist(user_data, user, pamh):
def check_whitelist(user_data, user, pamh, allow_conversation=True):
"""
Check if the specified user is in the white list of allowed users
:param user: name of the user to login to
Expand All @@ -226,22 +226,25 @@ def check_whitelist(user_data, user, pamh):
with open(path) as data_file:
whitelist = json.load(data_file)
except IOError:
pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_ON, 'ERROR: Unknown user ' + user))
if allow_conversation:
pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_ON, 'ERROR: Unknown user ' + user))
return pamh.PAM_USER_UNKNOWN

if 'email' not in user_data and 'mail' in user_data.keys():
user_data['email'] = user_data['mail']

if 'email' not in user_data:
pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_ON,
'ERROR: Non existing mail parameter in the data provided by your institution'))
if allow_conversation:
pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_ON,
'ERROR: Non existing mail parameter in the data provided by your institution'))
return pamh.PAM_AUTHINFO_UNAVAIL

for email in whitelist['users']:
if email == str(user_data['email']):
return pamh.PAM_SUCCESS

pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_ON, 'ERROR: Your user cannot login as' + user))
if allow_conversation:
pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_ON, 'ERROR: Your user cannot login as' + user))
return pamh.PAM_USER_UNKNOWN


Expand All @@ -264,6 +267,10 @@ def pam_sm_authenticate(pamh, flags, argv):
pamh.conversation(pamh.Message(pamh.PAM_TEXT_INFO, 'User has been authenticated in eduGAIN network'))

# check with whitelist if user is valid
if 'dec_id_token' in response.keys():
direct_auth = check_whitelist(response['dec_id_token'], user, pamh, allow_conversation=False)
if direct_auth == pamh.PAM_SUCCESS:
return pamh.PAM_SUCCESS
return check_whitelist(get_user_data(response['access_token']), user, pamh)


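Review bot: The new branch in pam_sm_authenticate passes `response['dec_id_token']` straight into check_whitelist, so the `email`/`mail` claim of the decoded ID token alone decides PAM_SUCCESS, but nothing in this hunk shows that the token's signature, issuer, audience and expiry were validated before decoding — if `dec_id_token` is produced by an unverified decode, the whitelist check accepts whatever email the token asserts. I would gate the shortcut on the verification status and document the assumption, e.g. `# dec_id_token claims are only trusted here because the ID token was signature/iss/aud/exp-verified upstream — confirm` above the `if 'dec_id_token' in response.keys():` line. The fallback also means a token whose email is rejected is silently retried with the userinfo email from get_user_data, which may differ; a one-line comment stating that this double lookup is intentional would help the next reader. The enclosing pam_sm_authenticate body, including where `response` is built, lies outside the hunk, so this is inferred from the visible lines only.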