From b55de021d866d2b08c1cccf3f14de57c8f70db2e Mon Sep 17 00:00:00 2001
From: Dan Wells <dbw2@calvin.edu>
Date: Tue, 5 Jan 2016 14:21:11 -0500
Subject: [PATCH] LP#1468422 Tighten AuthProxy argument requirements

Basically, if we aren't given a username, and we can't find a username
by barcode, give up immediately.  This helps simplify the rest of the
code a bit.

Signed-off-by: Dan Wells <dbw2@calvin.edu>
Signed-off-by: Bill Erickson <berickxx@gmail.com>
---
 .../lib/OpenILS/Application/AuthProxy.pm      | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index 023dbb960f..9ca5ea52d1 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -185,18 +185,19 @@ sub login {
             {flesh => 1, flesh_fields => {ac => ['usr']}}
         ])->[0];
 
-        $args->{username} = $card->usr->usrname if $card;
+        if ($card) {
+            $args->{username} = $card->usr->usrname;
+        } else { # must have or resolve to a username
+            return OpenILS::Event->new( 'LOGIN_FAILED' );
+        }
     }
 
     # check for possibility of brute-force attack
-    my $fail_count;
-    if ($args->{'username'}) {
-        $fail_count = $cache->get_cache('oils_auth_' . $args->{'username'} . '_count') || 0;
-        if ($fail_count >= $block_count) {
-            $logger->debug("AuthProxy found too many recent failures for '" . $args->{'username'} . "' : $fail_count, forcing failure state.");
-            $cache->put_cache('oils_auth_' . $args->{'username'} . '_count', ++$fail_count, $block_timeout);
-            return OpenILS::Event->new( 'LOGIN_FAILED' );
-        }
+    my $fail_count = $cache->get_cache('oils_auth_' . $args->{'username'} . '_count') || 0;
+    if ($fail_count >= $block_count) {
+        $logger->debug("AuthProxy found too many recent failures for '" . $args->{'username'} . "' : $fail_count, forcing failure state.");
+        $cache->put_cache('oils_auth_' . $args->{'username'} . '_count', ++$fail_count, $block_timeout);
+        return OpenILS::Event->new( 'LOGIN_FAILED' );
     }
 
     my @error_events;
@@ -241,7 +242,7 @@ sub login {
 
     # if we got this far, we failed
     # increment the brute force counter if 'native' didn't already
-    if ($args->{'username'} and !exists $authenticators_by_name{'native'}) {
+    if (!exists $authenticators_by_name{'native'}) {
         $cache->put_cache('oils_auth_' . $args->{'username'} . '_count', ++$fail_count, $block_timeout);
     }
     # TODO: send back some form of collected error events
-- 
2.43.2