static int oilsAuthInitUsernameHandler(
osrfMethodContext* ctx, const char* username, const char* nonce) {
osrfLogInfo(OSRF_LOG_MARK,
"User logging in with username %s", username);
int user_id = -1;
jsonObject* resp = NULL; // free
jsonObject* user_obj = oilsUtilsFetchUserByUsername(ctx, username); // free
if (user_obj && user_obj->type != JSON_NULL)
user_id = oilsFMGetObjectId(user_obj);
jsonObjectFree(user_obj); // NULL OK
char* seed = oilsAuthBuildInitCache(user_id, username, "username", nonce);
resp = jsonNewObject(seed);
free(seed);
osrfAppRespondComplete(ctx, resp);
jsonObjectFree(resp);
return 0;
}
/**
@brief Implement the "complete" method.
@param ctx The method context.
@return -1 upon error; zero if successful, and if a STATUS message has been sent to the
client to indicate completion; a positive integer if successful but no such STATUS
message has been sent.
Method parameters:
- a hash with some combination of the following elements:
- "username"
- "barcode"
- "password" (hashed with the cached seed; not plaintext)
- "type"
- "org"
- "workstation"
The password is required. Either a username or a barcode must also be present.
Return to client: Intermediate authentication seed.
Validate the password, using the username if available, or the barcode if not. The
user must be active, and not barred from logging on. The barcode, if used for
authentication, must be active as well. The workstation, if specified, must be valid.
Upon deciding whether to allow the logon, return a corresponding event to the client.
*/
int oilsAuthComplete( osrfMethodContext* ctx ) {
OSRF_METHOD_VERIFY_CONTEXT(ctx);
const jsonObject* args = jsonObjectGetIndex(ctx->params, 0);
const char* uname = jsonObjectGetString(jsonObjectGetKeyConst(args, "username"));
const char* password = jsonObjectGetString(jsonObjectGetKeyConst(args, "password"));
const char* type = jsonObjectGetString(jsonObjectGetKeyConst(args, "type"));
int orgloc = (int) jsonObjectGetNumber(jsonObjectGetKeyConst(args, "org"));
const char* workstation = jsonObjectGetString(jsonObjectGetKeyConst(args, "workstation"));
const char* barcode = jsonObjectGetString(jsonObjectGetKeyConst(args, "barcode"));
const char* ws = (workstation) ? workstation : "";
if( !type )
type = OILS_AUTH_STAFF;
if( !( (uname || barcode) && password) ) {
return osrfAppRequestRespondException( ctx->session, ctx->request,
"username/barcode and password required for method: %s", ctx->method->name );
}
oilsEvent* response = NULL;
jsonObject* userObj = NULL;
int card_active = 1; // boolean; assume active until proven otherwise
// Fetch a row from the actor.usr table, by username if available,
// or by barcode if not.
if(uname) {
userObj = oilsUtilsFetchUserByUsername( uname );
if( userObj && JSON_NULL == userObj->type ) {
jsonObjectFree( userObj );
userObj = NULL; // username not found
}
}
else if(barcode) {
// Read from actor.card by barcode
osrfLogInfo( OSRF_LOG_MARK, "Fetching user by barcode %s", barcode );
jsonObject* params = jsonParseFmt("{\"barcode\":\"%s\"}", barcode);
jsonObject* card = oilsUtilsQuickReq(
"open-ils.cstore", "open-ils.cstore.direct.actor.card.search", params );
jsonObjectFree( params );
if( card && card->type != JSON_NULL ) {
// Determine whether the card is active
char* card_active_str = oilsFMGetString( card, "active" );
card_active = oilsUtilsIsDBTrue( card_active_str );
free( card_active_str );
// Look up the user who owns the card
char* userid = oilsFMGetString( card, "usr" );
jsonObjectFree( card );
params = jsonParseFmt( "[%s]", userid );
free( userid );
userObj = oilsUtilsQuickReq(
"open-ils.cstore", "open-ils.cstore.direct.actor.user.retrieve", params );
jsonObjectFree( params );
if( userObj && JSON_NULL == userObj->type ) {
// user not found (shouldn't happen, due to foreign key)
jsonObjectFree( userObj );
userObj = NULL;
}
}
}
if(!userObj) {
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
oilsEventFree(response);
return 0; // No such user
}
// Such a user exists. Now see if he or she has the right credentials.
int passOK = -1;
if(uname)
passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );
else if (barcode)
passOK = oilsAuthVerifyPassword( ctx, userObj, barcode, password );
if( passOK < 0 ) {
jsonObjectFree(userObj);
return passOK;
}
// See if the account is active
char* active = oilsFMGetString(userObj, "active");
if( !oilsUtilsIsDBTrue(active) ) {
if( passOK )
response = oilsNewEvent( OSRF_LOG_MARK, "PATRON_INACTIVE" );
else
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
oilsEventFree(response);
jsonObjectFree(userObj);
free(active);
return 0;
}
free(active);
osrfLogInfo( OSRF_LOG_MARK, "Fetching card by barcode %s", barcode );
if( !card_active ) {
osrfLogInfo( OSRF_LOG_MARK, "barcode %s is not active, returning event", barcode );
response = oilsNewEvent( OSRF_LOG_MARK, "PATRON_CARD_INACTIVE" );
osrfAppRespondComplete( ctx, oilsEventToJSON( response ) );
oilsEventFree( response );
jsonObjectFree( userObj );
return 0;
}
// See if the user is even allowed to log in
if( oilsAuthCheckLoginPerm( ctx, userObj, type ) == -1 ) {
jsonObjectFree(userObj);
return 0;
}
// If a workstation is defined, add the workstation info
if( workstation != NULL ) {
osrfLogDebug(OSRF_LOG_MARK, "Workstation is %s", workstation);
response = oilsAuthVerifyWorkstation( ctx, userObj, workstation );
if(response) {
jsonObjectFree(userObj);
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
oilsEventFree(response);
return 0;
}
} else {
// Otherwise, use the home org as the workstation org on the user
char* orgid = oilsFMGetString(userObj, "home_ou");
oilsFMSetString(userObj, "ws_ou", orgid);
free(orgid);
}
char* freeable_uname = NULL;
if(!uname) {
uname = freeable_uname = oilsFMGetString( userObj, "usrname" );
}
if( passOK ) {
response = oilsAuthHandleLoginOK( userObj, uname, type, orgloc, workstation );
} else {
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
}
jsonObjectFree(userObj);
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
oilsEventFree(response);
if(freeable_uname)
free(freeable_uname);
return 0;
}
int oilsAuthLogin(osrfMethodContext* ctx) {
OSRF_METHOD_VERIFY_CONTEXT(ctx);
const jsonObject* args = jsonObjectGetIndex(ctx->params, 0);
const char* username = jsonObjectGetString(jsonObjectGetKeyConst(args, "username"));
const char* identifier = jsonObjectGetString(jsonObjectGetKeyConst(args, "identifier"));
const char* password = jsonObjectGetString(jsonObjectGetKeyConst(args, "password"));
const char* type = jsonObjectGetString(jsonObjectGetKeyConst(args, "type"));
int orgloc = (int) jsonObjectGetNumber(jsonObjectGetKeyConst(args, "org"));
const char* workstation = jsonObjectGetString(jsonObjectGetKeyConst(args, "workstation"));
const char* barcode = jsonObjectGetString(jsonObjectGetKeyConst(args, "barcode"));
const char* ewho = jsonObjectGetString(jsonObjectGetKeyConst(args, "agent"));
const char* ws = (workstation) ? workstation : "";
if (!type) type = OILS_AUTH_STAFF;
jsonObject* userObj = NULL; // free me
oilsEvent* response = NULL; // free me
/* Use __FILE__, harmless_line_number for creating
* OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
* giving away information about why an authentication attempt failed.
*/
int harmless_line_number = __LINE__;
// translate a generic identifier into a username or barcode if necessary.
if (identifier && !username && !barcode) {
if (oilsAuthIdentIsBarcode(identifier, orgloc)) {
barcode = identifier;
} else {
username = identifier;
}
}
if (username) {
barcode = NULL; // avoid superfluous identifiers
userObj = oilsUtilsFetchUserByUsername(ctx, username);
} else if (barcode) {
userObj = oilsUtilsFetchUserByBarcode(ctx, barcode);
} else {
// not enough params
return osrfAppRequestRespondException(ctx->session, ctx->request,
"username/barcode and password required for method: %s",
ctx->method->name);
}
if (!userObj) { // user not found.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
osrfAppRespondComplete(ctx, oilsEventToJSON(response));
oilsEventFree(response); // frees event JSON
return 0;
}
long user_id = oilsFMGetObjectId(userObj);
// username is freed when userObj is freed.
// From here we can use the username as the generic identifier
// since it's guaranteed to have a value.
if (!username) username = oilsFMGetStringConst(userObj, "usrname");
// See if the user is allowed to login.
jsonObject* params = jsonNewObject(NULL);
jsonObjectSetKey(params, "user_id", jsonNewNumberObject(user_id));
jsonObjectSetKey(params,"org_unit", jsonNewNumberObject(orgloc));
jsonObjectSetKey(params, "login_type", jsonNewObject(type));
if (barcode) jsonObjectSetKey(params, "barcode", jsonNewObject(barcode));
jsonObject* authEvt = oilsUtilsQuickReqCtx( // freed after password test
ctx,
"open-ils.auth_internal",
"open-ils.auth_internal.user.validate", params);
jsonObjectFree(params);
if (!authEvt) { // unknown error
jsonObjectFree(userObj);
return -1;
}
const char* authEvtCode =
jsonObjectGetString(jsonObjectGetKey(authEvt, "textcode"));
if (!strcmp(authEvtCode, OILS_EVENT_AUTH_FAILED)) {
// Received the generic login failure event.
osrfLogInfo(OSRF_LOG_MARK,
"failed login: username=%s, barcode=%s, workstation=%s",
username, (barcode ? barcode : "(none)"), ws);
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
}
if (!response && // user exists and is not barred, etc.
!oilsAuthLoginVerifyPassword(ctx, user_id, username, password)) {
// User provided the wrong password or is blocked from too
// many previous login failures.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
osrfLogInfo(OSRF_LOG_MARK,
"failed login: username=%s, barcode=%s, workstation=%s",
username, (barcode ? barcode : "(none)"), ws );
}
// Below here, we know the password check succeeded if no response
// object is present.
if (!response && (
!strcmp(authEvtCode, "PATRON_INACTIVE") ||
!strcmp(authEvtCode, "PATRON_CARD_INACTIVE"))) {
// Patron and/or card is inactive but the correct password
// was provided. Alert the caller to the inactive-ness.
response = oilsNewEvent2(
OSRF_LOG_MARK, authEvtCode,
jsonObjectGetKey(authEvt, "payload") // cloned within Event
);
}
if (!response && strcmp(authEvtCode, OILS_EVENT_SUCCESS)) {
// Validate API returned an unexpected non-success event.
// To be safe, treat this as a generic login failure.
response = oilsNewEvent(
__FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED);
}
if (!response) {
// password OK and no other events have prevented login completion.
char* ewhat = "login";
if (0 == strcmp(ctx->method->name, "open-ils.auth.authenticate.verify")) {
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_SUCCESS );
ewhat = "verify";
} else {
response = oilsAuthHandleLoginOK(
ctx, userObj, username, type, orgloc, workstation);
}
oilsUtilsTrackUserActivity(
ctx,
oilsFMGetObjectId(userObj),
ewho, ewhat,
osrfAppSessionGetIngress()
);
}
// reply
osrfAppRespondComplete(ctx, oilsEventToJSON(response));
// clean up
oilsEventFree(response);
jsonObjectFree(userObj);
jsonObjectFree(authEvt);
return 0;
}
