From c485b3dcac422ad11e0cdb9d74f674e8c9f9355c Mon Sep 17 00:00:00 2001
From: Jeff Davis <jeff.davis@bc.libraries.coop>
Date: Fri, 8 Feb 2019 13:59:14 -0800
Subject: [PATCH] LP#1786552: optionally restrict auth_proxy login by home OU

This adds a new restrict_by_home_ou setting to auth_proxy authenticator
config.  When enabled, if the login request includes an org param, the
authenticator will refuse to authenticate a user unless their home OU
matches or is a descendant of that org; login fails and auth_proxy
proceeds to the next configured authenticator.

Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---
 Open-ILS/examples/opensrf.xml.example                |  1 +
 .../perlmods/lib/OpenILS/Application/AuthProxy.pm    | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index b0ed2553be..eb875b1116 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -555,6 +555,7 @@ vim:et:ts=4:sw=4:
                                 <unit>103</unit>
                                 <unit>104</unit>
                             </org_units>
+                            <restrict_by_home_ou>false</restrict_by_home_ou>
                         </authenticator>
                         -->
                         <!-- 'native' is a proxied version of Evergreen's standard authentication -->
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index 9b5198e4c7..d0fcbe7881 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -260,10 +260,14 @@ sub login {
                     $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting");
                     return OpenILS::Event->new( 'LOGIN_FAILED' );
                 } else {
-                    # TODO: verify that this authenticator is allowed to do auth
-                    # for the specified username (i.e. if the authenticator is for
-                    # Library A only, it shouldn't be able to do auth for
-                    # Library B's users)
+                    my $restrict_by_ou = $authenticator->{restrict_by_home_ou};
+                    if ($args->{org} and defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
+                        my $descendants = $U->get_org_descendants($args->{org});
+                        unless (grep $user->[0]->home_ou, @$descendants) {
+                            $logger->debug("Matching user does not belong to this org, aborting");
+                            return OpenILS::Event->new( 'LOGIN_FAILED' );
+                        }
+                    }
                     $args->{user_id} = $user->[0]->id;
                 }
 
-- 
2.43.2