Open-ILS/src/c-apps/oils_auth.c

   1 #include "opensrf/osrf_app_session.h"
   2 #include "opensrf/osrf_application.h"
   3 #include "opensrf/osrf_settings.h"
   4 #include "objson/object.h"
   5 #include "opensrf/log.h"
   6 #include "oils_utils.h"
   7 #include "oils_constants.h"
   8 #include "oils_event.h"
   9
  10 #define OILS_AUTH_CACHE_PRFX "oils_auth_"
  11
  12 #define MODULENAME "open-ils.auth"
  13
  14 #define OILS_AUTH_OPAC "opac"
  15 #define OILS_AUTH_STAFF "staff"
  16 #define OILS_AUTH_TEMP "temp"
  17
  18 int osrfAppInitialize();
  19 int osrfAppChildInit();
  20
  21 int __oilsAuthOPACTimeout = 0;
  22 int __oilsAuthStaffTimeout = 0;
  23 int __oilsAuthOverrideTimeout = 0;
  24
  25
  26 int osrfAppInitialize() {
  27
  28         osrfLogInfo(OSRF_LOG_MARK, "Initializing Auth Server...");
  29
  30         osrfAppRegisterMethod(
  31                 MODULENAME,
  32                 "open-ils.auth.authenticate.init",
  33                 "oilsAuthInit",
  34                 "Start the authentication process and returns the intermediate authentication seed"
  35                 " PARAMS( username )", 1, 0 );
  36
  37         osrfAppRegisterMethod(
  38                 MODULENAME,
  39                 "open-ils.auth.authenticate.complete",
  40                 "oilsAuthComplete",
  41                 "Completes the authentication process.  Returns an object like so: "
  42                 "{authtoken : <token>, authtime:<time>}, where authtoken is the login "
  43                 "tokena and authtime is the number of seconds the session will be active"
  44                 "PARAMS(username, md5sum( seed + password ), type, org_id ) "
  45                 "type can be one of 'opac','staff', or 'temp' and it defaults to 'staff' "
  46                 "org_id is the location at which the login should be considered "
  47                 "active for login timeout purposes"     , 1, 0 );
  48
  49         osrfAppRegisterMethod(
  50                 MODULENAME,
  51                 "open-ils.auth.session.retrieve",
  52                 "oilsAuthSessionRetrieve",
  53                 "Pass in the auth token and this retrieves the user object.  The auth "
  54                 "timeout is reset when this call is made "
  55                 "Returns the user object (password blanked) for the given login session "
  56                 "PARAMS( authToken )", 1, 0 );
  57
  58         osrfAppRegisterMethod(
  59                 MODULENAME,
  60                 "open-ils.auth.session.delete",
  61                 "oilsAuthSessionDelete",
  62                 "Destroys the given login session "
  63                 "PARAMS( authToken )",  1, 0 );
  64
  65         osrfAppRegisterMethod(
  66                 MODULENAME,
  67                 "open-ils.auth.session.reset_timeout",
  68                 "oilsAuthResetTimeout",
  69                 "Resets the login timeout for the given session "
  70                 "Returns an ILS Event with payload = session_timeout of session "
  71                 "is found, otherwise returns the NO_SESSION event"
  72                 "PARAMS( authToken )", 1, 0 );
  73
  74         return 0;
  75 }
  76
  77 int osrfAppChildInit() {
  78         return 0;
  79 }
  80
  81 int oilsAuthInit( osrfMethodContext* ctx ) {
  82         OSRF_METHOD_VERIFY_CONTEXT(ctx);
  83
  84         jsonObject* resp;
  85
  86         char* username = NULL;
  87         char* seed              = NULL;
  88         char* md5seed   = NULL;
  89         char* key               = NULL;
  90
  91         if( (username = jsonObjectToSimpleString(jsonObjectGetIndex(ctx->params, 0))) ) {
  92
  93                 if( strchr( username, ' ' ) ) {
  94
  95                         /* spaces are not allowed */
  96                         resp = jsonNewObject("x");       /* 'x' will never be a valid seed */
  97                         osrfAppRespondComplete( ctx, resp );
  98
  99                 } else {
 100
 101                         seed = va_list_to_string( "%d.%d.%s", time(NULL), getpid(), username );
 102                         key = va_list_to_string( "%s%s", OILS_AUTH_CACHE_PRFX, username );
 103
 104                         md5seed = md5sum(seed);
 105                         osrfCachePutString( key, md5seed, 30 );
 106
 107                         osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", md5seed, key );
 108
 109                         resp = jsonNewObject(md5seed);
 110                         osrfAppRespondComplete( ctx, resp );
 111
 112                         free(seed);
 113                         free(md5seed);
 114                         free(key);
 115                         free(username);
 116                 }
 117
 118                 jsonObjectFree(resp);
 119                 return 0;
 120         }
 121
 122         return -1;
 123 }
 124
 125 /** Verifies that the user has permission to login with the
 126  * given type.  If the permission fails, an oilsEvent is returned
 127  * to the caller.
 128  * @return -1 if the permission check failed, 0 if ther permission
 129  * is granted
 130  */
 131 int oilsAuthCheckLoginPerm(
 132                 osrfMethodContext* ctx, jsonObject* userObj, char* type ) {
 133
 134         if(!(userObj && type)) return -1;
 135         oilsEvent* perm = NULL;
 136
 137         if(!strcasecmp(type, OILS_AUTH_OPAC)) {
 138                 char* permissions[] = { "OPAC_LOGIN" };
 139                 perm = oilsUtilsCheckPerms( oilsFMGetObjectId( userObj ), -1, permissions, 1 );
 140
 141         } else if(!strcasecmp(type, OILS_AUTH_STAFF)) {
 142                 char* permissions[] = { "STAFF_LOGIN" };
 143                 perm = oilsUtilsCheckPerms( oilsFMGetObjectId( userObj ), -1, permissions, 1 );
 144
 145         } else if(!strcasecmp(type, OILS_AUTH_TEMP)) {
 146                 char* permissions[] = { "STAFF_LOGIN" };
 147                 perm = oilsUtilsCheckPerms( oilsFMGetObjectId( userObj ), -1, permissions, 1 );
 148         }
 149
 150         if(perm) {
 151                 osrfAppRespondComplete( ctx, oilsEventToJSON(perm) );
 152                 oilsEventFree(perm);
 153                 return -1;
 154         }
 155
 156         return 0;
 157 }
 158
 159 /**
 160  * Returns 1 if the password provided matches the user's real password
 161  * Returns 0 otherwise
 162  * Returns -1 on error
 163  */
 164 int oilsAuthVerifyPassword(
 165                 osrfMethodContext* ctx, jsonObject* userObj, char* uname, char* password ) {
 166
 167         int ret = 0;
 168         char* realPassword = oilsFMGetString( userObj, "passwd" ); /**/
 169         char* seed = osrfCacheGetString( "%s%s", OILS_AUTH_CACHE_PRFX, uname ); /**/
 170
 171         if(!seed) {
 172                 return osrfAppRequestRespondException( ctx->session,
 173                         ctx->request, "No authentication seed found. "
 174                         "open-ils.auth.authenticate.init must be called first");
 175         }
 176
 177         osrfLogDebug(OSRF_LOG_MARK,  "oilsAuth retrieved seed from cache: %s", seed );
 178         char* maskedPw = md5sum( "%s%s", seed, realPassword );
 179         if(!maskedPw) return -1;
 180         osrfLogDebug(OSRF_LOG_MARK,  "oilsAuth generated masked password %s. "
 181                         "Testing against provided password %s", maskedPw, password );
 182
 183         if( !strcmp( maskedPw, password ) ) ret = 1;
 184
 185         free(realPassword);
 186         free(seed);
 187         free(maskedPw);
 188
 189         return ret;
 190 }
 191
 192 /**
 193  * Calculates the login timeout
 194  * 1. If orgloc is 1 or greater and has a timeout specified as an
 195  * org unit setting, it is used
 196  * 2. If orgloc is not valid, we check the org unit auth timeout
 197  * setting for the home org unit of the user logging in
 198  * 3. If that setting is not defined, we use the configured defaults
 199  */
 200 double oilsAuthGetTimeout( jsonObject* userObj, char* type, double orgloc ) {
 201
 202         if(!__oilsAuthOPACTimeout) { /* Load the default timeouts */
 203
 204                 __oilsAuthOPACTimeout =
 205                         jsonObjectGetNumber(
 206                                 osrf_settings_host_value_object(
 207                                         "/apps/open-ils.auth/app_settings/default_timeout/opac"));
 208
 209                 __oilsAuthStaffTimeout =
 210                         jsonObjectGetNumber(
 211                                 osrf_settings_host_value_object(
 212                                         "/apps/open-ils.auth/app_settings/default_timeout/staff" ));
 213
 214                 __oilsAuthOverrideTimeout =
 215                         jsonObjectGetNumber(
 216                                 osrf_settings_host_value_object(
 217                                         "/apps/open-ils.auth/app_settings/default_timeout/temp" ));
 218
 219
 220                 osrfLogInfo(OSRF_LOG_MARK, "Set default auth timetouts: opac => %d : staff => %d : temp => %d",
 221                                 __oilsAuthOPACTimeout, __oilsAuthStaffTimeout, __oilsAuthOverrideTimeout );
 222         }
 223
 224         char* setting = NULL;
 225
 226         double home_ou = jsonObjectGetNumber( oilsFMGetObject( userObj, "home_ou" ) );
 227         if(orgloc < 1) orgloc = (int) home_ou;
 228
 229         if(!strcmp(type, OILS_AUTH_OPAC))
 230                 setting = OILS_ORG_SETTING_OPAC_TIMEOUT;
 231         else if(!strcmp(type, OILS_AUTH_STAFF))
 232                 setting = OILS_ORG_SETTING_STAFF_TIMEOUT;
 233         else if(!strcmp(type, OILS_AUTH_TEMP))
 234                 setting = OILS_ORG_SETTING_TEMP_TIMEOUT;
 235
 236         char* timeout = oilsUtilsFetchOrgSetting( orgloc, setting );
 237
 238         if(!timeout) {
 239                 if( orgloc != home_ou ) {
 240                         osrfLogDebug(OSRF_LOG_MARK, "Auth timeout not defined for org %d, "
 241                                                                 "trying home_ou %d", orgloc, home_ou );
 242                         timeout = oilsUtilsFetchOrgSetting( (int) home_ou, setting );
 243                 }
 244                 if(!timeout) {
 245                         if(!strcmp(type, OILS_AUTH_STAFF)) return __oilsAuthStaffTimeout;
 246                         if(!strcmp(type, OILS_AUTH_TEMP)) return __oilsAuthOverrideTimeout;
 247                         return __oilsAuthOPACTimeout;
 248                 }
 249         }
 250
 251         double t = atof(timeout);
 252         free(timeout);
 253         return t ;
 254 }
 255
 256 /* Adds the authentication token to the user cache.  The timeout for the
 257  * auth token is based on the type of login as well as (if type=='opac')
 258  * the org location id.
 259  * Returns the event that should be returned to the user.
 260  * Event must be freed
 261  */
 262 oilsEvent* oilsAuthHandleLoginOK(
 263                 jsonObject* userObj, char* uname, char* type, double orgloc ) {
 264
 265         oilsEvent* response;
 266         osrfLogActivity(OSRF_LOG_MARK,  "User %s successfully logged in", uname );
 267
 268         double timeout;
 269         char* wsorg = jsonObjectToSimpleString(oilsFMGetObject(userObj, "ws_ou"));
 270         if(wsorg) { /* if there is a workstation, use it for the timeout */
 271                 osrfLogDebug( OSRF_LOG_MARK,
 272                                 "Auth session trying workstation id %d for auth timeout", atoi(wsorg));
 273                 timeout = oilsAuthGetTimeout( userObj, type, atoi(wsorg) );
 274                 free(wsorg);
 275         } else {
 276                 osrfLogDebug( OSRF_LOG_MARK,
 277                                 "Auth session trying org from param [%d] for auth timeout", orgloc );
 278                 timeout = oilsAuthGetTimeout( userObj, type, orgloc );
 279         }
 280         osrfLogDebug(OSRF_LOG_MARK, "Auth session timeout for %s: %lf", uname, timeout );
 281
 282         char* string = va_list_to_string(
 283                         "%d.%d.%s", getpid(), time(NULL), uname );
 284         char* authToken = md5sum(string);
 285         char* authKey = va_list_to_string(
 286                         "%s%s", OILS_AUTH_CACHE_PRFX, authToken );
 287
 288         oilsFMSetString( userObj, "passwd", "" );
 289         jsonObject* cacheObj = jsonParseString("{\"authtime\": %lf}", timeout);
 290         jsonObjectSetKey( cacheObj, "userobj", jsonObjectClone(userObj));
 291
 292         osrfCachePutObject( authKey, cacheObj, timeout );
 293         jsonObjectFree(cacheObj);
 294         osrfLogInternal(OSRF_LOG_MARK, "oilsAuthComplete(): Placed user object into cache");
 295         jsonObject* payload = jsonParseString(
 296                 "{ \"authtoken\": \"%s\", \"authtime\": %lf }", authToken, timeout );
 297
 298         response = oilsNewEvent2( OSRF_LOG_MARK, OILS_EVENT_SUCCESS, payload );
 299         free(string); free(authToken); free(authKey);
 300         jsonObjectFree(payload);
 301
 302         return response;
 303 }
 304
 305 oilsEvent* oilsAuthVerifyWorkstation(
 306                 osrfMethodContext* ctx, jsonObject* userObj, char* ws ) {
 307         osrfLogInfo(OSRF_LOG_MARK, "Attaching workstation to user at login: %s", ws);
 308         jsonObject* workstation = oilsUtilsFetchWorkstationByName(ws);
 309         if(!workstation) return oilsNewEvent(OSRF_LOG_MARK, "WORKSTATION_NOT_FOUND");
 310         long wsid = oilsFMGetObjectId(workstation);
 311         LONG_TO_STRING(wsid);
 312         char* orgid = oilsFMGetString(workstation, "owning_lib");
 313         oilsFMSetString(userObj, "wsid", LONGSTR);
 314         oilsFMSetString(userObj, "ws_ou", orgid);
 315         free(orgid);
 316         return NULL;
 317 }
 318
 319
 320
 321 /* see if the card used to login is marked as barred */
 322 static oilsEvent* oilsAuthCheckCard( osrfMethodContext* ctx, jsonObject* userObj, char* barcode) {
 323         if(!(ctx && userObj && barcode)) return NULL;
 324         osrfLogDebug(OSRF_LOG_MARK, "Checking to see if barcode %s is active", barcode);
 325
 326         jsonObject* params = jsonParseString("{\"barcode\":\"%s\"}", barcode);
 327         jsonObject* card = oilsUtilsQuickReq(
 328                 "open-ils.cstore", "open-ils.cstore.direct.actor.card.search", params );
 329
 330         char* active = oilsFMGetString(card, "active");
 331         if( ! oilsUtilsIsDBTrue(active) ) {
 332                 osrfLogInfo(OSRF_LOG_MARK, "barcode %s is not active, returning event", barcode);
 333                 return oilsNewEvent(OSRF_LOG_MARK, "PATRON_CARD_INACTIVE");
 334         }
 335         return NULL;
 336 }
 337
 338
 339
 340 int oilsAuthComplete( osrfMethodContext* ctx ) {
 341         OSRF_METHOD_VERIFY_CONTEXT(ctx);
 342
 343         jsonObject* args                = jsonObjectGetIndex(ctx->params, 0);
 344
 345         char* uname                             = jsonObjectGetString(jsonObjectGetKey(args, "username"));
 346         char* password                  = jsonObjectGetString(jsonObjectGetKey(args, "password"));
 347         char* type                              = jsonObjectGetString(jsonObjectGetKey(args, "type"));
 348         double orgloc                   = jsonObjectGetNumber(jsonObjectGetKey(args, "org"));
 349         char* workstation               = jsonObjectGetString(jsonObjectGetKey(args, "workstation"));
 350         char* barcode                   = jsonObjectToSimpleString(jsonObjectGetKey(args, "barcode"));
 351
 352
 353         if(!type) type = OILS_AUTH_STAFF;
 354
 355         if( !( (uname || barcode) && password) ) {
 356                 free(barcode);
 357                 return osrfAppRequestRespondException( ctx->session, ctx->request,
 358                         "username/barocode and password required for method: %s", ctx->method->name );
 359         }
 360
 361         oilsEvent* response = NULL;
 362         jsonObject* userObj = NULL;
 363
 364         if(uname) userObj = oilsUtilsFetchUserByUsername( uname );
 365         else if(barcode) userObj = oilsUtilsFetchUserByBarcode( barcode );
 366
 367         if(!userObj) {
 368                 response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
 369                 osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
 370                 oilsEventFree(response);
 371                 free(barcode);
 372                 return 0;
 373         }
 374
 375         /* check to see if the user is allowed to login */
 376         if( oilsAuthCheckLoginPerm( ctx, userObj, type ) == -1 ) {
 377                 jsonObjectFree(userObj);
 378                 free(barcode);
 379                 return 0;
 380         }
 381
 382         osrfLogDebug(OSRF_LOG_MARK, "BARCODE = %s", barcode);
 383         if( barcode && (response = oilsAuthCheckCard( ctx, userObj, barcode )) ) {
 384                 osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
 385                 oilsEventFree(response);
 386                 free(barcode);
 387                 return 0;
 388         }
 389
 390
 391         int passOK = -1;
 392         if(uname) passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );
 393         else if (barcode)
 394                 passOK = oilsAuthVerifyPassword( ctx, userObj, barcode, password );
 395
 396         if( passOK < 0 ) {
 397                 free(barcode);
 398                 return passOK;
 399         }
 400
 401         /* if a workstation is defined, flesh the user with the workstation info */
 402         if( workstation != NULL ) {
 403                 osrfLogDebug(OSRF_LOG_MARK, "Workstation is %s", workstation);
 404                 response = oilsAuthVerifyWorkstation( ctx, userObj, workstation );
 405                 if(response) {
 406                         jsonObjectFree(userObj);
 407                         osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
 408                         oilsEventFree(response);
 409                         free(barcode);
 410                         return 0;
 411                 }
 412
 413         } else {
 414                 /* otherwise, use the home org as the workstation org on the user */
 415                 char* orgid = oilsFMGetString(userObj, "home_ou");
 416                 oilsFMSetString(userObj, "ws_ou", orgid);
 417                 free(orgid);
 418         }
 419
 420         if( passOK ) {
 421                 response = oilsAuthHandleLoginOK( userObj, uname, type, orgloc );
 422
 423         } else {
 424                 response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
 425                 osrfLogInfo(OSRF_LOG_MARK,  "Login failed for for %s", uname );
 426         }
 427
 428         jsonObjectFree(userObj);
 429         osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
 430         oilsEventFree(response);
 431         free(barcode);
 432
 433         return 0;
 434 }
 435
 436
 437
 438 int oilsAuthSessionDelete( osrfMethodContext* ctx ) {
 439         OSRF_METHOD_VERIFY_CONTEXT(ctx);
 440
 441         char* authToken = jsonObjectGetString( jsonObjectGetIndex(ctx->params, 0) );
 442         jsonObject* resp = NULL;
 443
 444         if( authToken ) {
 445                 osrfLogDebug(OSRF_LOG_MARK, "Removing auth session: %s", authToken );
 446                 char* key = va_list_to_string("%s%s", OILS_AUTH_CACHE_PRFX, authToken ); /**/
 447                 osrfCacheRemove(key);
 448                 resp = jsonNewObject(authToken); /**/
 449                 free(key);
 450         }
 451
 452         osrfAppRespondComplete( ctx, resp );
 453         jsonObjectFree(resp);
 454         return 0;
 455 }
 456
 457 /** Resets the auth login timeout
 458  * @return The event object, OILS_EVENT_SUCCESS, or OILS_EVENT_NO_SESSION
 459  */
 460 oilsEvent*  _oilsAuthResetTimeout( char* authToken ) {
 461         if(!authToken) return NULL;
 462
 463         oilsEvent* evt = NULL;
 464         double timeout;
 465
 466         osrfLogDebug(OSRF_LOG_MARK, "Resetting auth timeout for session %s", authToken);
 467         char* key = va_list_to_string("%s%s", OILS_AUTH_CACHE_PRFX, authToken );
 468         jsonObject* cacheObj = osrfCacheGetObject( key );
 469
 470         if(!cacheObj) {
 471                 osrfLogError(OSRF_LOG_MARK, "No user in the cache exists with key %s", key);
 472                 evt = oilsNewEvent(OSRF_LOG_MARK, OILS_EVENT_NO_SESSION);
 473
 474         } else {
 475
 476                 timeout = jsonObjectGetNumber( jsonObjectGetKey( cacheObj, "authtime"));
 477                 osrfCacheSetExpire( timeout, key );
 478                 jsonObject* payload = jsonNewNumberObject(timeout);
 479                 evt = oilsNewEvent2(OSRF_LOG_MARK, OILS_EVENT_SUCCESS, payload);
 480                 jsonObjectFree(payload);
 481                 jsonObjectFree(cacheObj);
 482         }
 483
 484         free(key);
 485         return evt;
 486 }
 487
 488 int oilsAuthResetTimeout( osrfMethodContext* ctx ) {
 489         OSRF_METHOD_VERIFY_CONTEXT(ctx);
 490         char* authToken = jsonObjectGetString( jsonObjectGetIndex(ctx->params, 0));
 491         oilsEvent* evt = _oilsAuthResetTimeout(authToken);
 492         osrfAppRespondComplete( ctx, oilsEventToJSON(evt) );
 493         oilsEventFree(evt);
 494         return 0;
 495 }
 496
 497
 498 int oilsAuthSessionRetrieve( osrfMethodContext* ctx ) {
 499         OSRF_METHOD_VERIFY_CONTEXT(ctx);
 500
 501         char* authToken = jsonObjectGetString( jsonObjectGetIndex(ctx->params, 0));
 502         jsonObject* cacheObj = NULL;
 503         oilsEvent* evt = NULL;
 504
 505         if( authToken ){
 506
 507                 evt = _oilsAuthResetTimeout(authToken);
 508
 509                 if( evt && strcmp(evt->event, OILS_EVENT_SUCCESS) ) {
 510                         osrfAppRespondComplete( ctx, oilsEventToJSON(evt) );
 511                         oilsEventFree(evt);
 512
 513                 } else {
 514
 515                         osrfLogDebug(OSRF_LOG_MARK, "Retrieving auth session: %s", authToken);
 516                         char* key = va_list_to_string("%s%s", OILS_AUTH_CACHE_PRFX, authToken );
 517                         cacheObj = osrfCacheGetObject( key );
 518                         if(cacheObj) {
 519                                 osrfAppRespondComplete( ctx, jsonObjectGetKey( cacheObj, "userobj"));
 520                                 jsonObjectFree(cacheObj);
 521                         } else {
 522                                 oilsEvent* evt = oilsNewEvent(OSRF_LOG_MARK, OILS_EVENT_NO_SESSION);
 523                                 osrfAppRespondComplete( ctx, oilsEventToJSON(evt) ); /* should be event.. */
 524                                 oilsEventFree(evt);
 525                         }
 526                         free(key);
 527                 }
 528
 529         } else {
 530
 531                 evt = oilsNewEvent(OSRF_LOG_MARK, OILS_EVENT_NO_SESSION);
 532                 osrfAppRespondComplete( ctx, oilsEventToJSON(evt) );
 533                 oilsEventFree(evt);
 534         }
 535
 536         return 0;
 537 }
 538
 539
 540