[arvados] created: 2.1.0-2880-ga32ee4a08

git repository hosting git at public.arvados.org
Thu Sep 15 21:10:41 UTC 2022


        at  a32ee4a0847c7b518df571925b588cb6ffe0762f (commit)


commit a32ee4a0847c7b518df571925b588cb6ffe0762f
Author: Tom Clegg <tom at curii.com>
Date:   Thu Sep 15 17:10:31 2022 -0400

    19518: Check account access permission during pam auth.
    
    Also fix test.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/controller/localdb/login_pam.go b/lib/controller/localdb/login_pam.go
index 14e0a582c..1730f2300 100644
--- a/lib/controller/localdb/login_pam.go
+++ b/lib/controller/localdb/login_pam.go
@@ -57,6 +57,7 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 	if err != nil {
 		return arvados.APIClientAuthorization{}, err
 	}
+	// Check that the given credentials are valid.
 	err = tx.Authenticate(pam.DisallowNullAuthtok)
 	if err != nil {
 		err = fmt.Errorf("PAM: %s", err)
@@ -77,6 +78,11 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
 	if errorMessage != "" {
 		return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New(errorMessage), http.StatusUnauthorized)
 	}
+	// Check that the account/user is permitted to access this host.
+	err = tx.AcctMgmt(pam.DisallowNullAuthtok)
+	if err != nil {
+		return arvados.APIClientAuthorization{}, err
+	}
 	user, err := tx.GetItem(pam.User)
 	if err != nil {
 		return arvados.APIClientAuthorization{}, err
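Review bot: The new `tx.AcctMgmt` failure (lines 37-40) is returned raw, whereas the `tx.Authenticate` failure a few lines above is reformatted (`err = fmt.Errorf("PAM: %s", err)`) and, judging by line 34, surfaced through `errorMessage` as `http.StatusUnauthorized`; an expired or host-denied account therefore appears to produce a different status and an unprefixed PAM error string instead of a 401. I would route it through the same path: `return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(fmt.Errorf("PAM: %w", err), http.StatusUnauthorized)`. The added comment could also say that acct_mgmt covers account validity (expiry, host access policy) as distinct from the password check already done, since the two are easy to conflate. UserAuthenticate's body starts and ends outside the hunk.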
diff --git a/lib/controller/localdb/login_pam_test.go b/lib/controller/localdb/login_pam_test.go
index c5876bbfa..0282b566f 100644
--- a/lib/controller/localdb/login_pam_test.go
+++ b/lib/controller/localdb/login_pam_test.go
@@ -13,9 +13,11 @@ import (
 
 	"git.arvados.org/arvados.git/lib/config"
 	"git.arvados.org/arvados.git/lib/controller/rpc"
+	"git.arvados.org/arvados.git/lib/ctrlctx"
 	"git.arvados.org/arvados.git/sdk/go/arvados"
 	"git.arvados.org/arvados.git/sdk/go/arvadostest"
 	"git.arvados.org/arvados.git/sdk/go/ctxlog"
+	"github.com/jmoiron/sqlx"
 	check "gopkg.in/check.v1"
 )
 
@@ -25,6 +27,9 @@ type PamSuite struct {
 	cluster  *arvados.Cluster
 	ctrl     *pamLoginController
 	railsSpy *arvadostest.Proxy
+	db       *sqlx.DB
+	ctx      context.Context
+	rollback func() error
 }
 
 func (s *PamSuite) SetUpSuite(c *check.C) {
@@ -39,10 +44,24 @@ func (s *PamSuite) SetUpSuite(c *check.C) {
 		Cluster: s.cluster,
 		Parent:  &Conn{railsProxy: rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)},
 	}
+	s.db = arvadostest.DB(c, s.cluster)
+}
+
+func (s *PamSuite) SetUpTest(c *check.C) {
+	tx, err := s.db.Beginx()
+	c.Assert(err, check.IsNil)
+	s.ctx = ctrlctx.NewWithTransaction(context.Background(), tx)
+	s.rollback = tx.Rollback
+}
+
+func (s *PamSuite) TearDownTest(c *check.C) {
+	if s.rollback != nil {
+		s.rollback()
+	}
 }
 
 func (s *PamSuite) TestLoginFailure(c *check.C) {
-	resp, err := s.ctrl.UserAuthenticate(context.Background(), arvados.UserAuthenticateOptions{
+	resp, err := s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
 		Username: "bogususername",
 		Password: "boguspassword",
 	})
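Review bot: TearDownTest (lines 84-88) discards the error returned by `s.rollback()`, so a rollback that fails — presumably leaving the per-test transaction open on `s.db` — goes unnoticed; use `c.Check(s.rollback(), check.IsNil)` and set `s.rollback = nil` afterwards so a stale closure is never invoked twice. SetUpSuite begins above the visible lines, so I cannot tell whether `s.db` is closed in a TearDownSuite; if not, a short comment on the new `s.db = arvadostest.DB(c, s.cluster)` line saying who owns the handle would help.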
@@ -57,6 +76,9 @@ func (s *PamSuite) TestLoginFailure(c *check.C) {
 // This test only runs if the ARVADOS_TEST_PAM_CREDENTIALS_FILE env
 // var is set. The credentials file should contain a valid username
 // and password, separated by \n.
+//
+// Depending on the host config, this test succeeds only if the test
+// credentials are for the same account being used to run tests.
 func (s *PamSuite) TestLoginSuccess(c *check.C) {
 	testCredsFile := os.Getenv("ARVADOS_TEST_PAM_CREDENTIALS_FILE")
 	if testCredsFile == "" {
@@ -69,7 +91,7 @@ func (s *PamSuite) TestLoginSuccess(c *check.C) {
 	c.Assert(len(lines), check.Equals, 2, check.Commentf("credentials file %s should contain \"username\\npassword\"", testCredsFile))
 	u, p := lines[0], lines[1]
 
-	resp, err := s.ctrl.UserAuthenticate(context.Background(), arvados.UserAuthenticateOptions{
+	resp, err := s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
 		Username: u,
 		Password: p,
 	})
