/*
Adds the authentication token to the user cache. The timeout for the
auth token is based on the type of login as well as (if type=='opac')
the org location id.
Returns the event that should be returned to the user.
Event must be freed
*/
static oilsEvent* oilsAuthHandleLoginOK( jsonObject* userObj, const char* uname,
const char* type, int orgloc, const char* workstation ) {
oilsEvent* response;
long timeout;
char* wsorg = jsonObjectToSimpleString(oilsFMGetObject(userObj, "ws_ou"));
if(wsorg) { /* if there is a workstation, use it for the timeout */
osrfLogDebug( OSRF_LOG_MARK,
"Auth session trying workstation id %d for auth timeout", atoi(wsorg));
timeout = oilsAuthGetTimeout( userObj, type, atoi(wsorg) );
free(wsorg);
} else {
osrfLogDebug( OSRF_LOG_MARK,
"Auth session trying org from param [%d] for auth timeout", orgloc );
timeout = oilsAuthGetTimeout( userObj, type, orgloc );
}
osrfLogDebug(OSRF_LOG_MARK, "Auth session timeout for %s: %ld", uname, timeout );
char* string = va_list_to_string(
"%d.%ld.%s", (long) getpid(), time(NULL), uname );
char* authToken = md5sum(string);
char* authKey = va_list_to_string(
"%s%s", OILS_AUTH_CACHE_PRFX, authToken );
const char* ws = (workstation) ? workstation : "";
osrfLogActivity(OSRF_LOG_MARK,
"successful login: username=%s, authtoken=%s, workstation=%s", uname, authToken, ws );
oilsFMSetString( userObj, "passwd", "" );
jsonObject* cacheObj = jsonParseFmt( "{\"authtime\": %ld}", timeout );
jsonObjectSetKey( cacheObj, "userobj", jsonObjectClone(userObj));
if( !strcmp( type, OILS_AUTH_PERSIST )) {
// Add entries for endtime and reset_interval, so that we can gracefully
// extend the session a bit if the user is active toward the end of the
// timeout originally specified.
time_t endtime = time( NULL ) + timeout;
jsonObjectSetKey( cacheObj, "endtime", jsonNewNumberObject( (double) endtime ) );
// Reset interval is hard-coded for now, but if we ever want to make it
// configurable, this is the place to do it:
jsonObjectSetKey( cacheObj, "reset_interval",
jsonNewNumberObject( (double) DEFAULT_RESET_INTERVAL ));
}
osrfCachePutObject( authKey, cacheObj, (time_t) timeout );
jsonObjectFree(cacheObj);
osrfLogInternal(OSRF_LOG_MARK, "oilsAuthHandleLoginOK(): Placed user object into cache");
jsonObject* payload = jsonParseFmt(
"{ \"authtoken\": \"%s\", \"authtime\": %ld }", authToken, timeout );
response = oilsNewEvent2( OSRF_LOG_MARK, OILS_EVENT_SUCCESS, payload );
free(string); free(authToken); free(authKey);
jsonObjectFree(payload);
return response;
}
/*
Adds the authentication token to the user cache. The timeout for the
auth token is based on the type of login as well as (if type=='opac')
the org location id.
Returns the event that should be returned to the user.
Event must be freed
*/
static oilsEvent* oilsAuthHandleLoginOK( osrfMethodContext* ctx, jsonObject* userObj, const char* uname,
const char* type, int orgloc, const char* workstation ) {
oilsEvent* response = NULL;
jsonObject* params = jsonNewObject(NULL);
jsonObjectSetKey(params, "user_id",
jsonNewNumberObject(oilsFMGetObjectId(userObj)));
jsonObjectSetKey(params,"org_unit", jsonNewNumberObject(orgloc));
jsonObjectSetKey(params, "login_type", jsonNewObject(type));
if (workstation)
jsonObjectSetKey(params, "workstation", jsonNewObject(workstation));
jsonObject* authEvt = oilsUtilsQuickReqCtx(
ctx,
"open-ils.auth_internal",
"open-ils.auth_internal.session.create", params);
jsonObjectFree(params);
if (authEvt) {
response = oilsNewEvent2(
OSRF_LOG_MARK,
jsonObjectGetString(jsonObjectGetKey(authEvt, "textcode")),
jsonObjectGetKey(authEvt, "payload") // cloned within Event
);
osrfLogActivity(OSRF_LOG_MARK,
"successful login: username=%s, authtoken=%s, workstation=%s",
uname,
jsonObjectGetString(
jsonObjectGetKeyConst(
jsonObjectGetKeyConst(authEvt, "payload"),
"authtoken"
)
),
workstation ? workstation : ""
);
jsonObjectFree(authEvt);
} else {
osrfLogError(OSRF_LOG_MARK,
"Error caching auth session in open-ils.auth_internal");
}
return response;
}
/**
@brief Introspect a specified method.
@param ctx Pointer to the method context.
@param method Pointer to the osrfMethod for the specified method.
@param resp Pointer to the jsonObject into which method information will be placed.
Treating the @a resp object as a JSON_HASH, insert entries for various bits of information
about the specified method.
*/
static void _osrfAppSetIntrospectMethod( osrfMethodContext* ctx, const osrfMethod* method,
jsonObject* resp ) {
if(!(ctx && resp)) return;
jsonObjectSetKey(resp, "api_name", jsonNewObject(method->name));
jsonObjectSetKey(resp, "method", jsonNewObject(method->symbol));
jsonObjectSetKey(resp, "service", jsonNewObject(ctx->session->remote_service));
jsonObjectSetKey(resp, "notes", jsonNewObject(method->notes));
jsonObjectSetKey(resp, "argc", jsonNewNumberObject(method->argc));
jsonObjectSetKey(resp, "sysmethod",
jsonNewNumberObject( (method->options & OSRF_METHOD_SYSTEM) ? 1 : 0 ));
jsonObjectSetKey(resp, "atomic",
jsonNewNumberObject( (method->options & OSRF_METHOD_ATOMIC) ? 1 : 0 ));
jsonObjectSetKey(resp, "cachable",
jsonNewNumberObject( (method->options & OSRF_METHOD_CACHABLE) ? 1 : 0 ));
}
/**
Resets the auth login timeout
@return The event object, OILS_EVENT_SUCCESS, or OILS_EVENT_NO_SESSION
*/
static oilsEvent* _oilsAuthResetTimeout( const char* authToken ) {
if(!authToken) return NULL;
oilsEvent* evt = NULL;
time_t timeout;
osrfLogDebug(OSRF_LOG_MARK, "Resetting auth timeout for session %s", authToken);
char* key = va_list_to_string("%s%s", OILS_AUTH_CACHE_PRFX, authToken );
jsonObject* cacheObj = osrfCacheGetObject( key );
if(!cacheObj) {
osrfLogInfo(OSRF_LOG_MARK, "No user in the cache exists with key %s", key);
evt = oilsNewEvent(OSRF_LOG_MARK, OILS_EVENT_NO_SESSION);
} else {
// Determine a new timeout value
jsonObject* endtime_obj = jsonObjectGetKey( cacheObj, "endtime" );
if( endtime_obj ) {
// Extend the current endtime by a fixed amount
time_t endtime = (time_t) jsonObjectGetNumber( endtime_obj );
int reset_interval = DEFAULT_RESET_INTERVAL;
const jsonObject* reset_interval_obj = jsonObjectGetKeyConst(
cacheObj, "reset_interval" );
if( reset_interval_obj ) {
reset_interval = (int) jsonObjectGetNumber( reset_interval_obj );
if( reset_interval <= 0 )
reset_interval = DEFAULT_RESET_INTERVAL;
}
time_t now = time( NULL );
time_t new_endtime = now + reset_interval;
if( new_endtime > endtime ) {
// Keep the session alive a little longer
jsonObjectSetNumber( endtime_obj, (double) new_endtime );
timeout = reset_interval;
osrfCachePutObject( key, cacheObj, timeout );
} else {
// The session isn't close to expiring, so don't reset anything.
// Just report the time remaining.
timeout = endtime - now;
}
} else {
// Reapply the existing timeout from the current time
timeout = (time_t) jsonObjectGetNumber( jsonObjectGetKeyConst( cacheObj, "authtime"));
osrfCachePutObject( key, cacheObj, timeout );
}
jsonObject* payload = jsonNewNumberObject( (double) timeout );
evt = oilsNewEvent2(OSRF_LOG_MARK, OILS_EVENT_SUCCESS, payload);
jsonObjectFree(payload);
jsonObjectFree(cacheObj);
}
free(key);
return evt;
}
static int oilsAuthLoginVerifyPassword(const osrfMethodContext* ctx,
int user_id, const char* username, const char* password) {
// build the cache key
growing_buffer* gb = buffer_init(64); // free me
buffer_add(gb, OILS_AUTH_CACHE_PRFX);
buffer_add(gb, username);
buffer_add(gb, OILS_AUTH_COUNT_SFFX);
char* countkey = buffer_release(gb); // free me
jsonObject* countobject = osrfCacheGetObject(countkey); // free me
long failcount = 0;
if (countobject) {
failcount = (long) jsonObjectGetNumber(countobject);
if (failcount >= _oilsAuthBlockCount) {
// User is blocked. Don't waste any more CPU cycles on them.
osrfLogInfo(OSRF_LOG_MARK,
"oilsAuth found too many recent failures for '%s' : %i, "
"forcing failure state.", username, failcount);
jsonObjectFree(countobject);
free(countkey);
return 0;
}
}
int verified = oilsAuthLoginCheckPassword(user_id, password);
if (!verified) { // login failed. increment failure counter.
failcount++;
if (countobject) {
// append to existing counter
jsonObjectSetNumber(countobject, failcount);
} else {
// first failure, create a new counter
countobject = jsonNewNumberObject((double) failcount);
}
osrfCachePutObject(countkey, countobject, _oilsAuthBlockTimeout);
}
jsonObjectFree(countobject); // NULL OK
free(countkey);
return verified;
}
/**
@brief Implement the "init" method.
@param ctx The method context.
@return Zero if successful, or -1 if not.
Method parameters:
- username
- nonce : optional login seed (string) provided by the caller which
is added to the auth init cache to differentiate between logins
using the same username and thus avoiding cache collisions for
near-simultaneous logins.
Return to client: Intermediate authentication seed.
Combine the username with a timestamp and process ID, and take an md5 hash of the result.
Store the hash in memcache, with a key based on the username. Then return the hash to
the client.
However: if the username includes one or more embedded blank spaces, return a dummy
hash without storing anything in memcache. The dummy will never match a stored hash, so
any attempt to authenticate with it will fail.
*/
int oilsAuthInit( osrfMethodContext* ctx ) {
OSRF_METHOD_VERIFY_CONTEXT(ctx);
char* username = jsonObjectToSimpleString( jsonObjectGetIndex(ctx->params, 0) );
const char* nonce = jsonObjectGetString(jsonObjectGetIndex(ctx->params, 1));
if (!nonce) nonce = "";
if( username ) {
jsonObject* resp;
if( strchr( username, ' ' ) ) {
// Embedded spaces are not allowed in a username. Use "x" as a dummy
// seed. It will never be a valid seed because 'x' is not a hex digit.
resp = jsonNewObject( "x" );
} else {
// Build a key and a seed; store them in memcache.
char* key = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, username, nonce );
char* countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, username, OILS_AUTH_COUNT_SFFX );
char* seed = md5sum( "%d.%ld.%s.%s", (int) time(NULL), (long) getpid(), username, nonce );
jsonObject* countobject = osrfCacheGetObject( countkey );
if(!countobject) {
countobject = jsonNewNumberObject( (double) 0 );
}
osrfCachePutString( key, seed, _oilsAuthSeedTimeout );
osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", seed, key );
// Build a returnable object containing the seed.
resp = jsonNewObject( seed );
free( seed );
free( key );
free( countkey );
jsonObjectFree( countobject );
}
// Return the seed to the client.
osrfAppRespondComplete( ctx, resp );
jsonObjectFree(resp);
free(username);
return 0;
}
return -1; // Error: no username parameter
}
/**
* Fetches the user object from the database and updates the user object in
* the cache object, which then has to be re-inserted into the cache.
* User object is retrieved inside a transaction to avoid replication issues.
*/
static int _oilsAuthReloadUser(jsonObject* cacheObj) {
int reqid, userId;
osrfAppSession* session;
osrfMessage* omsg;
jsonObject *param, *userObj, *newUserObj = NULL;
userObj = jsonObjectGetKey( cacheObj, "userobj" );
userId = oilsFMGetObjectId( userObj );
session = osrfAppSessionClientInit( "open-ils.cstore" );
osrfAppSessionConnect(session);
reqid = osrfAppSessionSendRequest(session, NULL, "open-ils.cstore.transaction.begin", 1);
omsg = osrfAppSessionRequestRecv(session, reqid, 60);
if(omsg) {
osrfMessageFree(omsg);
param = jsonNewNumberObject(userId);
reqid = osrfAppSessionSendRequest(session, param, "open-ils.cstore.direct.actor.user.retrieve", 1);
omsg = osrfAppSessionRequestRecv(session, reqid, 60);
jsonObjectFree(param);
if(omsg) {
newUserObj = jsonObjectClone( osrfMessageGetResult(omsg) );
osrfMessageFree(omsg);
reqid = osrfAppSessionSendRequest(session, NULL, "open-ils.cstore.transaction.rollback", 1);
omsg = osrfAppSessionRequestRecv(session, reqid, 60);
osrfMessageFree(omsg);
}
}
osrfAppSessionFree(session); // calls disconnect internally
if(newUserObj) {
// ws_ou and wsid are ephemeral and need to be manually propagated
// oilsFMSetString dupe()'s internally, no need to clone the string
oilsFMSetString(newUserObj, "wsid", oilsFMGetStringConst(userObj, "wsid"));
oilsFMSetString(newUserObj, "ws_ou", oilsFMGetStringConst(userObj, "ws_ou"));
jsonObjectRemoveKey(cacheObj, "userobj"); // this also frees the old user object
jsonObjectSetKey(cacheObj, "userobj", newUserObj);
return 1;
}
osrfLogError(OSRF_LOG_MARK, "Error retrieving user %d from database", userId);
return 0;
}
/**
* Returns true if the provided password is correct.
* Turn the password into the nested md5 hash required of migrated
* passwords, then check the password in the DB.
*/
static int oilsAuthLoginCheckPassword(int user_id, const char* password) {
growing_buffer* gb = buffer_init(33); // free me 1
char* salt = oilsAuthGetSalt(user_id); // free me 2
char* passhash = md5sum(password); // free me 3
buffer_add(gb, salt); // gb strdup's internally
buffer_add(gb, passhash);
free(salt); // free 2
free(passhash); // free 3
// salt + md5(password)
passhash = buffer_release(gb); // free 1 ; free me 4
char* finalpass = md5sum(passhash); // free me 5
free(passhash); // free 4
jsonObject *arr = jsonNewObjectType(JSON_ARRAY);
jsonObjectPush(arr, jsonNewObject("actor.verify_passwd"));
jsonObjectPush(arr, jsonNewNumberObject((long) user_id));
jsonObjectPush(arr, jsonNewObject("main"));
jsonObjectPush(arr, jsonNewObject(finalpass));
jsonObject *params = jsonNewObjectType(JSON_HASH); // free me 6
jsonObjectSetKey(params, "from", arr);
free(finalpass); // free 5
jsonObject* verify_obj = // free
oilsUtilsCStoreReq("open-ils.cstore.json_query", params);
jsonObjectFree(params); // free 6
if (!verify_obj) return 0; // error
int verified = oilsUtilsIsDBTrue(
jsonObjectGetString(
jsonObjectGetKeyConst(verify_obj, "actor.verify_passwd")
)
);
jsonObjectFree(verify_obj);
return verified;
}
// ident is either a username or barcode
// Returns the init seed -> requires free();
static char* oilsAuthBuildInitCache(
int user_id, const char* ident, const char* ident_type, const char* nonce) {
char* cache_key = va_list_to_string(
"%s%s%s", OILS_AUTH_CACHE_PRFX, ident, nonce);
char* count_key = va_list_to_string(
"%s%s%s", OILS_AUTH_CACHE_PRFX, ident, OILS_AUTH_COUNT_SFFX);
char* auth_seed;
if (user_id == -1) {
// user does not exist. Use a dummy seed
auth_seed = strdup("x");
} else {
auth_seed = oilsAuthGetSalt(user_id);
}
jsonObject* seed_object = jsonParseFmt(
"{\"%s\":\"%s\",\"user_id\":%d,\"seed\":\"%s\"}",
ident_type, ident, user_id, auth_seed);
jsonObject* count_object = osrfCacheGetObject(count_key);
if(!count_object) {
count_object = jsonNewNumberObject((double) 0);
}
osrfCachePutObject(cache_key, seed_object, _oilsAuthSeedTimeout);
if (user_id != -1) {
// Only track login counts for existing users, since a
// login for a nonexistent user will never succeed anyway.
osrfCachePutObject(count_key, count_object, _oilsAuthBlockTimeout);
}
osrfLogDebug(OSRF_LOG_MARK,
"oilsAuthInit(): has seed %s and key %s", auth_seed, cache_key);
free(cache_key);
free(count_key);
jsonObjectFree(count_object);
jsonObjectFree(seed_object);
return auth_seed;
}
static void characterHandler(void *parser, const xmlChar *ch, int len) {
char data[len+1];
strncpy(data, (char*) ch, len);
data[len] = '\0';
osrfXMLGatewayParser* p = (osrfXMLGatewayParser*) parser;
if(p->inString) {
appendChild(p, jsonNewObject(data));
p->inString = 0;
return;
}
if(p->inNumber) {
appendChild(p, jsonNewNumberObject(atof(data)));
p->inNumber = 0;
return;
}
}
int osrfMathRun( osrfMethodContext* ctx ) {
if( osrfMethodVerifyContext( ctx ) ) {
osrfLogError( OSRF_LOG_MARK, "Invalid method context" );
return -1;
}
const jsonObject* x = jsonObjectGetIndex(ctx->params, 0);
const jsonObject* y = jsonObjectGetIndex(ctx->params, 1);
if( x && y ) {
char* a = jsonObjectToSimpleString(x);
char* b = jsonObjectToSimpleString(y);
if( a && b ) {
double i = strtod(a, NULL);
double j = strtod(b, NULL);
double r = 0;
if(!strcmp(ctx->method->name, "add")) r = i + j;
if(!strcmp(ctx->method->name, "sub")) r = i - j;
if(!strcmp(ctx->method->name, "mult")) r = i * j;
if(!strcmp(ctx->method->name, "div")) r = i / j;
jsonObject* resp = jsonNewNumberObject(r);
osrfAppRespondComplete( ctx, resp );
jsonObjectFree(resp);
free(a); free(b);
return 0;
}
else {
if(a) free(a);
if(b) free(b);
}
}
return -1;
}
static void speedTest() {
/* creates a giant json object, generating JSON strings
* of subobjects as it goes. */
int i,k;
int count = 50;
char buf[16];
char* jsonString;
jsonObject* array;
jsonObject* dupe;
jsonObject* hash = jsonNewObject(NULL);
for(i = 0; i < count; i++) {
snprintf(buf, sizeof(buf), "key_%d", i);
array = jsonNewObject(NULL);
for(k = 0; k < count + i; k++) {
jsonObjectPush(array, jsonNewNumberObject(k));
jsonObjectPush(array, jsonNewObject(NULL));
jsonObjectPush(array, jsonNewObjectFmt("str %d-%d", i, k));
}
jsonObjectSetKey(hash, buf, array);
jsonString = jsonObjectToJSON(hash);
printf("%s\n\n", jsonString);
dupe = jsonParse(jsonString);
jsonObjectFree(dupe);
free(jsonString);
}
jsonObjectFree(hash);
}
int oilsAuthLogin(osrfMethodContext* ctx) {
OSRF_METHOD_VERIFY_CONTEXT(ctx);
const jsonObject* args = jsonObjectGetIndex(ctx->params, 0);
const char* username = jsonObjectGetString(jsonObjectGetKeyConst(args, "username"));
const char* identifier = jsonObjectGetString(jsonObjectGetKeyConst(args, "identifier"));
const char* password = jsonObjectGetString(jsonObjectGetKeyConst(args, "password"));
const char* type = jsonObjectGetString(jsonObjectGetKeyConst(args, "type"));
int orgloc = (int) jsonObjectGetNumber(jsonObjectGetKeyConst(args, "org"));
const char* workstation = jsonObjectGetString(jsonObjectGetKeyConst(args, "workstation"));
const char* barcode = jsonObjectGetString(jsonObjectGetKeyConst(args, "barcode"));
const char* ewho = jsonObjectGetString(jsonObjectGetKeyConst(args, "agent"));
const char* ws = (workstation) ? workstation : "";
if (!type) type = OILS_AUTH_STAFF;
jsonObject* userObj = NULL; // free me
oilsEvent* response = NULL; // free me
/* Use __FILE__, harmless_line_number for creating
* OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
* giving away information about why an authentication attempt failed.
*/
int harmless_line_number = __LINE__;
// translate a generic identifier into a username or barcode if necessary.
if (identifier && !username && !barcode) {
if (oilsAuthIdentIsBarcode(identifier, orgloc)) {
barcode = identifier;
} else {
username = identifier;
}
}
if (username) {
barcode = NULL; // avoid superfluous identifiers
userObj = oilsUtilsFetchUserByUsername(ctx, username);
} else if (barcode) {
userObj = oilsUtilsFetchUserByBarcode(ctx, barcode);
} else {
// not enough params
return osrfAppRequestRespondException(ctx->session, ctx->request,
"username/barcode and password required for method: %s",
ctx->method->name);
}
if (!userObj) { // user not found.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
osrfAppRespondComplete(ctx, oilsEventToJSON(response));
oilsEventFree(response); // frees event JSON
return 0;
}
long user_id = oilsFMGetObjectId(userObj);
// username is freed when userObj is freed.
// From here we can use the username as the generic identifier
// since it's guaranteed to have a value.
if (!username) username = oilsFMGetStringConst(userObj, "usrname");
// See if the user is allowed to login.
jsonObject* params = jsonNewObject(NULL);
jsonObjectSetKey(params, "user_id", jsonNewNumberObject(user_id));
jsonObjectSetKey(params,"org_unit", jsonNewNumberObject(orgloc));
jsonObjectSetKey(params, "login_type", jsonNewObject(type));
if (barcode) jsonObjectSetKey(params, "barcode", jsonNewObject(barcode));
jsonObject* authEvt = oilsUtilsQuickReqCtx( // freed after password test
ctx,
"open-ils.auth_internal",
"open-ils.auth_internal.user.validate", params);
jsonObjectFree(params);
if (!authEvt) { // unknown error
jsonObjectFree(userObj);
return -1;
}
const char* authEvtCode =
jsonObjectGetString(jsonObjectGetKey(authEvt, "textcode"));
if (!strcmp(authEvtCode, OILS_EVENT_AUTH_FAILED)) {
// Received the generic login failure event.
osrfLogInfo(OSRF_LOG_MARK,
"failed login: username=%s, barcode=%s, workstation=%s",
username, (barcode ? barcode : "(none)"), ws);
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
}
if (!response && // user exists and is not barred, etc.
!oilsAuthLoginVerifyPassword(ctx, user_id, username, password)) {
// User provided the wrong password or is blocked from too
// many previous login failures.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
osrfLogInfo(OSRF_LOG_MARK,
"failed login: username=%s, barcode=%s, workstation=%s",
username, (barcode ? barcode : "(none)"), ws );
}
// Below here, we know the password check succeeded if no response
// object is present.
if (!response && (
!strcmp(authEvtCode, "PATRON_INACTIVE") ||
!strcmp(authEvtCode, "PATRON_CARD_INACTIVE"))) {
// Patron and/or card is inactive but the correct password
// was provided. Alert the caller to the inactive-ness.
response = oilsNewEvent2(
OSRF_LOG_MARK, authEvtCode,
jsonObjectGetKey(authEvt, "payload") // cloned within Event
);
}
if (!response && strcmp(authEvtCode, OILS_EVENT_SUCCESS)) {
// Validate API returned an unexpected non-success event.
// To be safe, treat this as a generic login failure.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
}
if (!response) {
// password OK and no other events have prevented login completion.
char* ewhat = "login";
if (0 == strcmp(ctx->method->name, "open-ils.auth.authenticate.verify")) {
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_SUCCESS );
ewhat = "verify";
} else {
response = oilsAuthHandleLoginOK(
ctx, userObj, username, type, orgloc, workstation);
}
oilsUtilsTrackUserActivity(
ctx,
oilsFMGetObjectId(userObj),
ewho, ewhat,
osrfAppSessionGetIngress()
);
}
// reply
osrfAppRespondComplete(ctx, oilsEventToJSON(response));
// clean up
oilsEventFree(response);
jsonObjectFree(userObj);
jsonObjectFree(authEvt);
return 0;
}
/**
@brief Implement the "complete" method.
@param ctx The method context.
@return -1 upon error; zero if successful, and if a STATUS message has been sent to the
client to indicate completion; a positive integer if successful but no such STATUS
message has been sent.
Method parameters:
- a hash with some combination of the following elements:
- "username"
- "barcode"
- "password" (hashed with the cached seed; not plaintext)
- "type"
- "org"
- "workstation"
- "agent" (what software/interface/3rd-party is making the request)
- "nonce" optional login seed to differentiate logins using the same username.
The password is required. Either a username or a barcode must also be present.
Return to client: Intermediate authentication seed.
Validate the password, using the username if available, or the barcode if not. The
user must be active, and not barred from logging on. The barcode, if used for
authentication, must be active as well. The workstation, if specified, must be valid.
Upon deciding whether to allow the logon, return a corresponding event to the client.
*/
int oilsAuthComplete( osrfMethodContext* ctx ) {
OSRF_METHOD_VERIFY_CONTEXT(ctx);
const jsonObject* args = jsonObjectGetIndex(ctx->params, 0);
const char* uname = jsonObjectGetString(jsonObjectGetKeyConst(args, "username"));
const char* identifier = jsonObjectGetString(jsonObjectGetKeyConst(args, "identifier"));
const char* password = jsonObjectGetString(jsonObjectGetKeyConst(args, "password"));
const char* type = jsonObjectGetString(jsonObjectGetKeyConst(args, "type"));
int orgloc = (int) jsonObjectGetNumber(jsonObjectGetKeyConst(args, "org"));
const char* workstation = jsonObjectGetString(jsonObjectGetKeyConst(args, "workstation"));
const char* barcode = jsonObjectGetString(jsonObjectGetKeyConst(args, "barcode"));
const char* ewho = jsonObjectGetString(jsonObjectGetKeyConst(args, "agent"));
const char* nonce = jsonObjectGetString(jsonObjectGetKeyConst(args, "nonce"));
const char* ws = (workstation) ? workstation : "";
if (!nonce) nonce = "";
// we no longer care how the identifier reaches us,
// as long as we have one.
if (!identifier) {
if (uname) {
identifier = uname;
} else if (barcode) {
identifier = barcode;
}
}
if (!identifier) {
return osrfAppRequestRespondException(ctx->session, ctx->request,
"username/barcode and password required for method: %s",
ctx->method->name);
}
osrfLogInfo(OSRF_LOG_MARK,
"Patron completing authentication with identifer %s", identifier);
/* Use __FILE__, harmless_line_number for creating
* OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
* giving away information about why an authentication attempt failed.
*/
int harmless_line_number = __LINE__;
if( !type )
type = OILS_AUTH_STAFF;
oilsEvent* response = NULL; // free
jsonObject* userObj = NULL; // free
char* cache_key = va_list_to_string(
"%s%s%s", OILS_AUTH_CACHE_PRFX, identifier, nonce);
jsonObject* cacheObj = osrfCacheGetObject(cache_key); // free
if (!cacheObj) {
return osrfAppRequestRespondException(ctx->session,
ctx->request, "No authentication seed found. "
"open-ils.auth.authenticate.init must be called first "
" (check that memcached is running and can be connected to) "
);
}
int user_id = jsonObjectGetNumber(
jsonObjectGetKeyConst(cacheObj, "user_id"));
if (user_id == -1) {
// User was not found during init. Clean up and exit early.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
osrfAppRespondComplete(ctx, oilsEventToJSON(response));
oilsEventFree(response); // frees event JSON
osrfCacheRemove(cache_key);
jsonObjectFree(cacheObj);
return 0;
}
jsonObject* param = jsonNewNumberObject(user_id); // free
userObj = oilsUtilsCStoreReqCtx(
ctx, "open-ils.cstore.direct.actor.user.retrieve", param);
jsonObjectFree(param);
char* freeable_uname = NULL;
if (!uname) {
uname = freeable_uname = oilsFMGetString(userObj, "usrname");
}
// See if the user is allowed to login.
jsonObject* params = jsonNewObject(NULL);
jsonObjectSetKey(params, "user_id",
jsonNewNumberObject(oilsFMGetObjectId(userObj)));
jsonObjectSetKey(params,"org_unit", jsonNewNumberObject(orgloc));
jsonObjectSetKey(params, "login_type", jsonNewObject(type));
if (barcode) jsonObjectSetKey(params, "barcode", jsonNewObject(barcode));
jsonObject* authEvt = oilsUtilsQuickReqCtx( // freed after password test
ctx,
"open-ils.auth_internal",
"open-ils.auth_internal.user.validate", params);
jsonObjectFree(params);
if (!authEvt) {
// Something went seriously wrong. Get outta here before
// we start segfaulting.
jsonObjectFree(userObj);
if(freeable_uname) free(freeable_uname);
return -1;
}
const char* authEvtCode =
jsonObjectGetString(jsonObjectGetKey(authEvt, "textcode"));
if (!strcmp(authEvtCode, OILS_EVENT_AUTH_FAILED)) {
// Received the generic login failure event.
osrfLogInfo(OSRF_LOG_MARK,
"failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws);
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
}
int passOK = 0;
if (!response) {
// User exists and is not barred, etc. Test the password.
passOK = oilsAuthVerifyPassword(
ctx, user_id, identifier, password, nonce);
if (!passOK) {
// Password check failed. Return generic login failure.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
osrfLogInfo(OSRF_LOG_MARK,
"failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
}
}
// Below here, we know the password check succeeded if no response
// object is present.
if (!response && (
!strcmp(authEvtCode, "PATRON_INACTIVE") ||
!strcmp(authEvtCode, "PATRON_CARD_INACTIVE"))) {
// Patron and/or card is inactive but the correct password
// was provided. Alert the caller to the inactive-ness.
response = oilsNewEvent2(
OSRF_LOG_MARK, authEvtCode,
jsonObjectGetKey(authEvt, "payload") // cloned within Event
);
}
if (!response && strcmp(authEvtCode, OILS_EVENT_SUCCESS)) {
// Validate API returned an unexpected non-success event.
// To be safe, treat this as a generic login failure.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
}
if (!response) {
// password OK and no other events have prevented login completion.
char* ewhat = "login";
if (0 == strcmp(ctx->method->name, "open-ils.auth.authenticate.verify")) {
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_SUCCESS );
ewhat = "verify";
} else {
response = oilsAuthHandleLoginOK(
ctx, userObj, uname, type, orgloc, workstation);
}
oilsUtilsTrackUserActivity(
ctx,
oilsFMGetObjectId(userObj),
ewho, ewhat,
osrfAppSessionGetIngress()
);
}
// reply
osrfAppRespondComplete(ctx, oilsEventToJSON(response));
// clean up
oilsEventFree(response);
jsonObjectFree(userObj);
jsonObjectFree(authEvt);
jsonObjectFree(cacheObj);
if(freeable_uname)
free(freeable_uname);
return 0;
}
/**
@brief Implement the session create method
@param ctx The method context.
@return -1 upon error; zero if successful, and if a STATUS message has
been sent to the client to indicate completion; a positive integer if
successful but no such STATUS message has been sent.
Method parameters:
- a hash with some combination of the following elements:
- "user_id" -- actor.usr (au) ID for the user to cache.
- "org_unit" -- actor.org_unit (aou) ID representing the physical
location / context used for timeout, etc. settings.
- "login_type" -- login type (opac, staff, temp, persist)
- "workstation" -- workstation name
*/
int oilsAuthInternalCreateSession(osrfMethodContext* ctx) {
OSRF_METHOD_VERIFY_CONTEXT(ctx);
const jsonObject* args = jsonObjectGetIndex(ctx->params, 0);
const char* user_id = jsonObjectGetString(jsonObjectGetKeyConst(args, "user_id"));
const char* login_type = jsonObjectGetString(jsonObjectGetKeyConst(args, "login_type"));
const char* workstation = jsonObjectGetString(jsonObjectGetKeyConst(args, "workstation"));
int org_unit = jsonObjectGetNumber(jsonObjectGetKeyConst(args, "org_unit"));
if ( !(user_id && login_type) ) {
return osrfAppRequestRespondException( ctx->session, ctx->request,
"Missing parameters for method: %s", ctx->method->name );
}
oilsEvent* response = NULL;
// fetch the user object
jsonObject* idParam = jsonNewNumberStringObject(user_id);
jsonObject* userObj = oilsUtilsCStoreReqCtx(
ctx, "open-ils.cstore.direct.actor.user.retrieve", idParam);
jsonObjectFree(idParam);
if (!userObj) {
return osrfAppRequestRespondException(ctx->session,
ctx->request, "No user found with ID %s", user_id);
}
// If a workstation is defined, add the workstation info
if (workstation) {
response = oilsAuthVerifyWorkstation(ctx, userObj, workstation);
if (response) { // invalid workstation.
jsonObjectFree(userObj);
osrfAppRespondComplete(ctx, oilsEventToJSON(response));
oilsEventFree(response);
return 0;
} else { // workstation OK.
// The worksation org unit supersedes any org unit value
// provided via the API. oilsAuthVerifyWorkstation() sets the
// ws_ou value to the WS owning lib. A value is guaranteed.
org_unit = atoi(oilsFMGetStringConst(userObj, "ws_ou"));
}
} else { // no workstation
// For backwards compatibility, when no workstation is provided, use
// the users's home org as its workstation org unit, regardless of
// any API-level org unit value provided.
const char* orgid = oilsFMGetStringConst(userObj, "home_ou");
oilsFMSetString(userObj, "ws_ou", orgid);
// The context org unit defaults to the user's home library when
// no workstation is used and no API-level value is provided.
if (org_unit < 1) org_unit = atoi(orgid);
}
// determine the auth/cache timeout
long timeout = oilsAuthGetTimeout(userObj, login_type, org_unit);
char* string = va_list_to_string("%d.%ld.%ld",
(long) getpid(), time(NULL), oilsFMGetObjectId(userObj));
char* authToken = md5sum(string);
char* authKey = va_list_to_string(
"%s%s", OILS_AUTH_CACHE_PRFX, authToken);
oilsFMSetString(userObj, "passwd", "");
jsonObject* cacheObj = jsonParseFmt("{\"authtime\": %ld}", timeout);
jsonObjectSetKey(cacheObj, "userobj", jsonObjectClone(userObj));
if( !strcmp(login_type, OILS_AUTH_PERSIST)) {
// Add entries for endtime and reset_interval, so that we can gracefully
// extend the session a bit if the user is active toward the end of the
// timeout originally specified.
time_t endtime = time( NULL ) + timeout;
jsonObjectSetKey(cacheObj, "endtime",
jsonNewNumberObject( (double) endtime ));
// Reset interval is hard-coded for now, but if we ever want to make it
// configurable, this is the place to do it:
jsonObjectSetKey(cacheObj, "reset_interval",
jsonNewNumberObject( (double) DEFAULT_RESET_INTERVAL));
}
osrfCachePutObject(authKey, cacheObj, (time_t) timeout);
jsonObjectFree(cacheObj);
jsonObject* payload = jsonParseFmt(
"{\"authtoken\": \"%s\", \"authtime\": %ld}", authToken, timeout);
response = oilsNewEvent2(OSRF_LOG_MARK, OILS_EVENT_SUCCESS, payload);
free(string); free(authToken); free(authKey);
jsonObjectFree(payload);
jsonObjectFree(userObj);
osrfAppRespondComplete(ctx, oilsEventToJSON(response));
oilsEventFree(response);
return 0;
}
