Skip to content
Snippets Groups Projects
Verified Commit f2190c07 authored by Nik | Klampfradler's avatar Nik | Klampfradler
Browse files

[PAM] Move persisting access otken to setcred()

parent fe5f80b5
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 54 additions and 6 deletions
src/pam.rs
+ 54
6
View file @ f2190c07
......@@ -50,6 +50,8 @@ struct PamOidc;
impl PamServiceModule for PamOidc {
fn authenticate(pamh: Pam, _: PamFlag, argv: Vec<String>) -> PamError {
let conf = pam_sm_prepare(&argv);
debug!("[PAM] authenticate called");
if conf.get_str("pam.flow").unwrap() == "password" {
debug!("Starting Resource Owner Password Credentials OAuth flow");
......@@ -104,17 +106,15 @@ impl PamServiceModule for PamOidc {
// 1. ...mark getpwnam unsafe (prevent cache code from calling it)
set_is_getpwnam_safe(false);
// 2. ...store the access token in memory
// 2. ...store the access token in memory, so the NSS part can use it
// on re-entry through getpwnam
get_context_user().set_access_token(t.clone(), false, false).ok();
// 3. ...call getpwnam ourselves without having the cache object locked
let passwd = getpwnam_safe(username.to_string());
if passwd.is_ok() {
// 4. ...if getpwnam was successful, store the token again (this time,
// modulo other errors, it will go through to $HOME)
// 4. ...if getpwnam was successful, store the result for context user;
// setcred() will pick it up and write to /run and/or $HOME
get_context_user().set_passwd(passwd.unwrap());
let persist_run = conf.get_bool("pam.persist_token.run").unwrap();
let persist_home = conf.get_bool("pam.persist_token.home").unwrap();
get_context_user().set_access_token(t.clone(), persist_run, persist_home).ok();
}
// 5. ...unlock getpwnam again (somewhat unnecessary)
set_is_getpwnam_safe(true);
......@@ -133,6 +133,7 @@ impl PamServiceModule for PamOidc {
fn acct_mgmt(pamh: Pam, _: PamFlag, argv: Vec<String>) -> PamError {
let conf = pam_sm_prepare(&argv);
debug!("[PAM] acct_mgmt called");
if conf.get_str("pam.urls.authz").unwrap_or_default() == "" {
info!("Authorization endpoint not set, granting access by default");
......@@ -172,6 +173,53 @@ impl PamServiceModule for PamOidc {
}
}
}
fn setcred(pamh: Pam, flag: PamFlag, argv: Vec<String>) -> PamError {
let conf = pam_sm_prepare(&argv);
debug!("[PAM] setcred called");
let persist_run = conf.get_bool("pam.persist_token.run").unwrap();
let persist_home = conf.get_bool("pam.persist_token.home").unwrap();
let token = match get_context_user().get_access_token() {
Some(t) => t,
None => {
error!("Access token not yet known, cannot persist");
return PamError::CRED_UNAVAIL;
}
};
let res;
if matches!(flag, PamFlag::ESTABLISH_CRED) {
set_is_getpwnam_safe(false);
let token =
res = match get_context_user().set_access_token(token.clone(), persist_run, persist_home) {
Ok(_) => {
debug!("Successfully set credentials");
PamError::SUCCESS
},
Err(e) => {
error!("Failed setting credentials: {}", e);
PamError::CRED_ERR
}
};
set_is_getpwnam_safe(true);
} else if matches!(flag, PamFlag::DELETE_CRED) {
// FIXME Implement in UserInfo class
res = PamError::SERVICE_ERR;
} else if matches!(flag, PamFlag::REINITIALIZE_CRED) {
// FIXME Implement
res = PamError::SERVICE_ERR;
} else if matches!(flag, PamFlag::REFRESH_CRED) {
// FIXME Implement in UserInfo class (probably)
res = PamError::SERVICE_ERR;
} else {
error!("setcred called with unexpected flag");
res = PamError::SERVICE_ERR;
}
res
}
}
pam_module!(PamOidc);
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment