package Lemonldap::NG::Portal::Auth::PAM;
use strict;
use Mouse;
use Authen::PAM;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_BADCREDENTIALS
PE_ERROR
PE_OK
);
# This module inherits from the portal's web-form authentication class;
# methods called on $self that are not defined in this file come from there.
extends 'Lemonldap::NG::Portal::Auth::_WebForm';

our $VERSION = '2.1.0';
# INITIALIZATION
# Name of the PAM service handed to Authen::PAM->new as its first argument.
# Built lazily from the pamService configuration key; when that value is
# false (unset, empty or 0) the service name falls back to 'login'.
# The attribute is read-write, so it can still be replaced after construction.
has service => (
    is      => 'rw',
    lazy    => 1,
    default => sub {
        my ($self) = @_;

        # Reads the configuration hash directly from the object slot.
        return $self->{conf}->{pamService} || 'login';
    },
);
# RUNNING METHODS
# Check the submitted login/password pair against the configured PAM service.
#
# Arguments:
#   $self - this authentication module
#   $req  - current portal request; the code reads $req->user and
#           $req->data->{password}
# Returns:
#   PE_ERROR          - Authen::PAM->new did not return a handle
#   PE_BADCREDENTIALS - pam_authenticate or pam_acct_mgmt did not return
#                       PAM_SUCCESS
#   PE_OK             - both PAM steps returned PAM_SUCCESS
sub authenticate {
    my ( $self, $req ) = @_;

    # The Authen::PAM constants are written as barewords throughout this sub.
    no strict 'subs';

    # Conversation callback given to Authen::PAM. It consumes its arguments
    # two at a time as (message style, message text) and returns one
    # (PAM_SUCCESS, answer) pair per message plus a trailing PAM_SUCCESS.
    # The message text is never inspected: every echo-on prompt is answered
    # with the login and every echo-off prompt with the submitted password,
    # so a PAM stack that asks any further hidden question would receive the
    # password again as its answer.
    my $conversation = sub {
        my @replies;
        while ( my ( $style, $text ) = splice @_, 0, 2 ) {
            my $answer;
            if ( $style == PAM_PROMPT_ECHO_ON ) {
                $answer = $req->user;
            }
            elsif ( $style == PAM_PROMPT_ECHO_OFF ) {
                $answer = $req->data->{password};
            }

            # Any other message style is acknowledged with an undefined answer.
            push @replies, PAM_SUCCESS, $answer;
        }
        return ( @replies, PAM_SUCCESS );
    };

    # Open the PAM transaction for the configured service.
    my $pam = Authen::PAM->new( $self->service, $req->user, $conversation );
    if ( !ref $pam ) {

        # new() returned a non-reference, which is passed on to pam_strerror
        # as an error code.
        # NOTE(review): pam_strerror is invoked on the class name here because
        # no handle exists - confirm Authen::PAM supports that call form,
        # otherwise this path may die instead of returning PE_ERROR.
        $self->logger->error(
            'PAM failed: ' . Authen::PAM->pam_strerror($pam) );
        return PE_ERROR;
    }

    # Authentication runs first, then account management. A refusal at either
    # step produces the same PE_BADCREDENTIALS result; the PAM reason string
    # goes to the user log only.
    for my $step ( 'pam_authenticate', 'pam_acct_mgmt' ) {
        my $status = $pam->$step;
        next if $status == PAM_SUCCESS;

        # NOTE(review): $req->{user} is interpolated into the log line as
        # received - presumably constrained upstream; confirm it cannot carry
        # line breaks or control characters into the log.
        $self->userLogger->warn( "PAM failed to authenticate $req->{user}: "
              . $pam->pam_strerror($status) );

        # setSecurity is not defined in this file (presumably inherited from
        # the _WebForm parent); its effect is not visible from here.
        $self->setSecurity($req);
        return PE_BADCREDENTIALS;
    }

    $self->userLogger->notice("Good PAM authentication for $req->{user}");
    return PE_OK;
}
# Record the authentication level for a session opened through PAM.
#
# Copies the pamAuthnLevel configuration value into the request's session
# information under the authenticationLevel key and returns PE_OK.
# No fallback is applied here: if pamAuthnLevel is not set in the
# configuration, the stored level is undefined.
sub setAuthSessionInfo {
    my ( $self, $req ) = @_;
    my $level = $self->conf->{pamAuthnLevel};
    $req->sessionInfo->{authenticationLevel} = $level;
    return PE_OK;
}
# Logout hook for this backend: performs no PAM-side action and always
# returns PE_OK.
sub authLogout {
    return PE_OK;
}
1;