From 52e85469f655d5af8432d4e20c3b22af6df40a3d Mon Sep 17 00:00:00 2001
From: Brian Lin
Date: Thu, 23 Feb 2023 10:33:02 -0600
Subject: [PATCH 1/5] Update packaging for 0.1.2.chtc
---
 packaging/rpm/Dockerfile | 2 +-
 packaging/rpm/pamoauth2device.spec | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/packaging/rpm/Dockerfile b/packaging/rpm/Dockerfile
index fab6cb0..892efc1 100644
--- a/packaging/rpm/Dockerfile
+++ b/packaging/rpm/Dockerfile
@@ -16,7 +16,7 @@ RUN groupadd builder \
 USER builder
 # This version must be identical to the version in pamoauth2device.spec
-ENV PACKAGE_VERSION=0.1
+ENV PACKAGE_VERSION=0.1.2.chtc
 WORKDIR /home/builder
diff --git a/packaging/rpm/pamoauth2device.spec b/packaging/rpm/pamoauth2device.spec
index 149a0f2..5d19e46 100644
--- a/packaging/rpm/pamoauth2device.spec
+++ b/packaging/rpm/pamoauth2device.spec
@@ -1,5 +1,5 @@
 # pam_oauth2_device version
-%define _version 0.1
+%define _version 0.1.2.chtc
 %define _lib /lib64
@@ -57,6 +57,9 @@ cp config_template.json ${RPM_BUILD_ROOT}%{_sysconfdir}/pam_oauth2_device/config
 %changelog
+* Mon Aug 2 2021 Brian Bockelman - 0.1.2.chtc
+- Add support for the device code flow for test.cilogon.org
+
 * Thu Aug 13 2020 Will Furnell - 0.1
 - Revamped completely for STFC use
From 7a0aa6387a055d8531b8fca124d5ee3c2abb9dd6 Mon Sep 17 00:00:00 2001
From: Brian Lin
Date: Wed, 22 Feb 2023 16:58:53 -0600
Subject: [PATCH 2/5] Allow the name claim to be configurable (INF-748)
Tokens for ORCID have the full name in `gecos` and not `name`
---
 config_template.json | 1 +
 src/include/config.cpp | 1 +
 src/include/config.hpp | 1 +
 src/pam_oauth2_device.cpp | 8 +++++---
 src/pam_oauth2_device.hpp | 1 +
 test/data/template_noldap.json | 3 ++-
 test/test_pam_oauth2_device.cpp | 2 ++
 7 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/config_template.json b/config_template.json
index 7a08733..a59eb41 100644
--- a/config_template.json
+++ b/config_template.json
@@ -9,6 +9,7 @@
 "token_endpoint": "https://provider.com/token",
 "userinfo_endpoint": "https://provider.com/userinfo",
 "username_attribute": "preferred_username",
+"name_attribute": "name",
 "local_username_suffix": ""
 },
 "ldap": {
diff --git a/src/include/config.cpp b/src/include/config.cpp
index 611bc4b..8a4b17d 100644
--- a/src/include/config.cpp
+++ b/src/include/config.cpp
@@ -19,6 +19,7 @@ void Config::load(const char *path)
 token_endpoint = j.at("oauth").at("token_endpoint").get();
 userinfo_endpoint = j.at("oauth").at("userinfo_endpoint").get();
 username_attribute = j.at("oauth").at("username_attribute").get();
+name_attribute = j.at("oauth").at("name_attribute").get();
 local_username_suffix = j.at("oauth").at("local_username_suffix").get();
 qr_error_correction_level = (j.find("qr") != j.end()) ?
diff --git a/src/include/config.hpp b/src/include/config.hpp
index ed1a7fc..df3a110 100644
--- a/src/include/config.hpp
+++ b/src/include/config.hpp
@@ -16,6 +16,7 @@ class Config
 token_endpoint,
 userinfo_endpoint,
 username_attribute,
+name_attribute,
 ldap_host,
 ldap_basedn,
 ldap_user,
diff --git a/src/pam_oauth2_device.cpp b/src/pam_oauth2_device.cpp
index 4f2e8b8..20fb5a6 100644
--- a/src/pam_oauth2_device.cpp
+++ b/src/pam_oauth2_device.cpp
@@ -303,6 +303,7 @@ void get_userinfo(const Config &config,
 const char *userinfo_endpoint,
 const char *token,
 const char *username_attribute,
+const char *name_attribute,
 Userinfo *userinfo)
 {
 CURL *curl;
@@ -332,7 +333,7 @@ void get_userinfo(const Config &config,
 auto data = json::parse(readBuffer);
 userinfo->sub = data.at("sub");
 userinfo->username = data.at(username_attribute);
-userinfo->name = data.at("name");
+userinfo->name = data.at(name_attribute);
 userinfo->groups = data.at("groups").get>();
 }
 catch (json::exception &e)
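Review bot: The added `name_attribute = j.at("oauth").at("name_attribute").get();` in `Config::load` makes the key mandatory, so an existing `config.json` without `oauth.name_attribute` throws from `j.at(...)` the moment the module reads its config, and the later `%config(noreplace)` change in this series means upgraded hosts keep exactly such a file. The old behaviour was a hard-coded `"name"`, and this hunk already treats the `qr` section as optional via `j.find("qr")`, so the compatible form is `name_attribute = j.at("oauth").value("name_attribute", "name");`. The rest of `Config::load` is outside the hunk, so whether a missing key is caught and reported there is inferred; if it is, a log line naming the missing key would still help operators.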
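Review bot: `userinfo->name = data.at(name_attribute);` turns a missing or non-string display-name claim into a `json::exception`, which the `catch` at the end of the hunk handles the same way as a malformed userinfo response; `sub` and the `username_attribute` value appear to be what the module authenticates on, so a provider that omits the configured name claim would fail the whole lookup rather than degrade. If that is not intended, `userinfo->name = data.value(name_attribute, "");` keeps the strict lookup for `sub` and the username while tolerating an absent name. The body of the `catch` lies outside the hunk, so whether it fails authentication or only logs is inferred.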
@@ -535,8 +536,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 poll_for_token(config, config.client_id.c_str(), config.client_secret.c_str(), config.token_endpoint.c_str(), device_auth_response.device_code.c_str(), token);
-get_userinfo(config, config.userinfo_endpoint.c_str(), token.c_str(),
-config.username_attribute.c_str(), &userinfo);
+get_userinfo(config, config.userinfo_endpoint.c_str(), token.c_str(),
+config.username_attribute.c_str(), config.name_attribute.c_str(),
+&userinfo);
 }
 catch (PamError &e)
 {
diff --git a/src/pam_oauth2_device.hpp b/src/pam_oauth2_device.hpp
index 0a94438..a863deb 100644
--- a/src/pam_oauth2_device.hpp
+++ b/src/pam_oauth2_device.hpp
@@ -37,6 +37,7 @@ void poll_for_token(const char *client_id,
 void get_userinfo(const char *userinfo_endpoint,
 const char *token,
 const char *username_attribute,
+const char *name_attribute,
 Userinfo *userinfo);
 #endif // PAM_OAUTH2_DEVICE_HPP
\ No newline at end of file
diff --git a/test/data/template_noldap.json b/test/data/template_noldap.json
index f6c47d6..798f3f4 100644
--- a/test/data/template_noldap.json
+++ b/test/data/template_noldap.json
@@ -8,7 +8,8 @@
 "device_endpoint":"https://provider.com/devicecode",
 "token_endpoint": "https://provider.com/token",
 "userinfo_endpoint": "https://provider.com/userinfo",
-"username_attribute": "preferred_username"
+"username_attribute": "preferred_username",
+"name_attribute": "name"
 },
 "qr": {
 "error_correction_level": 0
diff --git a/test/test_pam_oauth2_device.cpp b/test/test_pam_oauth2_device.cpp
index ecf81f5..9825a70 100644
--- a/test/test_pam_oauth2_device.cpp
+++ b/test/test_pam_oauth2_device.cpp
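Review bot: The declaration in `pam_oauth2_device.hpp` now reads `get_userinfo(userinfo_endpoint, token, username_attribute, name_attribute, userinfo)`, while the definition in the `@@ -303` hunk of `pam_oauth2_device.cpp` begins with `const Config &config` and the caller in `pam_sm_authenticate` passes `config` first; the test in `test_pam_oauth2_device.cpp` calls the five-argument form. Unless a second overload exists outside these hunks, the header does not declare the function the module actually calls, and since the commit edits both signatures it is the natural point to make them agree — e.g. `void get_userinfo(const Config &config,` as the first line of the declaration — or to add a comment explaining why two forms exist. The header also still ends without a trailing newline (`\ No newline at end of file`).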
@@ -5,6 +5,7 @@
 #define TOKEN_ENDPOINT "http://localhost:8042/token"
 #define USERINFO_ENDPOINT "http://localhost:8042/userinfo"
 #define USERNAME_ATTRIBUTE "preferred_username"
+#define NAME_ATTRIBUTE "name"
 #define CLIENT_ID "client_id"
 #define CLIENT_SECRET "NDVmODY1ZDczMGIyMTM1MWFlYWM2NmYw"
 #define SCOPE "openid profile"
@@ -46,6 +47,7 @@ TEST(PamTest, Userinfo)
 get_userinfo(USERINFO_ENDPOINT,
 ACCESS_TOKEN,
 USERNAME_ATTRIBUTE,
+NAME_ATTRIBUTE,
 &userinfo);
 EXPECT_EQ(userinfo.sub, "YzQ4YWIzMzJhZjc5OWFkMzgwNmEwM2M5");
 EXPECT_EQ(userinfo.username, "jdoe");
From c6884a3c1df143f5b3c7f3839284037377cda0ff Mon Sep 17 00:00:00 2001
From: Brian Lin
Date: Mon, 7 Aug 2023 15:37:59 -0500
Subject: [PATCH 3/5] Bump version to 0.1.3.chtc
---
 packaging/rpm/Dockerfile | 2 +-
 packaging/rpm/pamoauth2device.spec | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/packaging/rpm/Dockerfile b/packaging/rpm/Dockerfile
index 892efc1..baf193d 100644
--- a/packaging/rpm/Dockerfile
+++ b/packaging/rpm/Dockerfile
@@ -16,7 +16,7 @@ RUN groupadd builder \
 USER builder
 # This version must be identical to the version in pamoauth2device.spec
-ENV PACKAGE_VERSION=0.1.2.chtc
+ENV PACKAGE_VERSION=0.1.3.chtc
 WORKDIR /home/builder
diff --git a/packaging/rpm/pamoauth2device.spec b/packaging/rpm/pamoauth2device.spec
index 5d19e46..d36888f 100644
--- a/packaging/rpm/pamoauth2device.spec
+++ b/packaging/rpm/pamoauth2device.spec
@@ -1,5 +1,5 @@
 # pam_oauth2_device version
-%define _version 0.1.2.chtc
+%define _version 0.1.3.chtc
 %define _lib /lib64
@@ -57,6 +57,9 @@ cp config_template.json ${RPM_BUILD_ROOT}%{_sysconfdir}/pam_oauth2_device/config
 %changelog
+* Mon Aug 7 2023 Brian Lin - 0.1.3.chtc
+- Allow the name claim to be configurable (INF-748)
+
 * Mon Aug 2 2021 Brian Bockelman - 0.1.2.chtc
 - Add support for the device code flow for test.cilogon.org
From 914f89524aa1085fb1d1100827b674c64ba39a4c Mon Sep 17 00:00:00 2001
From: Brian Lin
Date: Thu, 23 Feb 2023 11:45:09 -0600
Subject: [PATCH 4/5] Updating the package should not stomp on existing config
---
 packaging/rpm/pamoauth2device.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packaging/rpm/pamoauth2device.spec b/packaging/rpm/pamoauth2device.spec
index d36888f..c7b1ace 100644
--- a/packaging/rpm/pamoauth2device.spec
+++ b/packaging/rpm/pamoauth2device.spec
@@ -53,7 +53,7 @@ cp config_template.json ${RPM_BUILD_ROOT}%{_sysconfdir}/pam_oauth2_device/config
 %files
 %doc LICENSE README.md
 %{_lib}/security/pam_oauth2_device.so
-%{_sysconfdir}/pam_oauth2_device/config.json
+%config(noreplace) %{_sysconfdir}/pam_oauth2_device/config.json
 %changelog
From 3e4ce9a0eb7ef44676a8de91c88f28d63d2065d4 Mon Sep 17 00:00:00 2001
From: Brian Lin
Date: Tue, 8 Aug 2023 12:05:04 -0500
Subject: [PATCH 5/5] Fix BrianB's email address
Co-authored-by: Matyas Selmeci
---
 packaging/rpm/pamoauth2device.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packaging/rpm/pamoauth2device.spec b/packaging/rpm/pamoauth2device.spec
index c7b1ace..aeef878 100644
--- a/packaging/rpm/pamoauth2device.spec
+++ b/packaging/rpm/pamoauth2device.spec
@@ -60,7 +60,7 @@ cp config_template.json ${RPM_BUILD_ROOT}%{_sysconfdir}/pam_oauth2_device/config
 * Mon Aug 7 2023 Brian Lin - 0.1.3.chtc
 - Allow the name claim to be configurable (INF-748)
-* Mon Aug 2 2021 Brian Bockelman - 0.1.2.chtc
+* Mon Aug 2 2021 Brian Bockelman - 0.1.2.chtc
 - Add support for the device code flow for test.cilogon.org
 * Thu Aug 13 2020 Will Furnell - 0.1
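Review bot: `%config(noreplace)` stops an upgrade from overwriting an admin-edited `config.json`, but the `%files` entry still says nothing about the file's mode, and that file carries the OAuth `client_secret` (the `pam_sm_authenticate` hunk earlier in this series reads `config.client_secret`); the `%install` step shown in the hunk context only copies `config_template.json`, so the packaged mode is whatever the template had in the source tree. Unless `%install` or a `%defattr` outside the hunk already restricts it, `%config(noreplace) %attr(0600, root, root) %{_sysconfdir}/pam_oauth2_device/config.json` would keep the secret readable only by the root-owned services that load the PAM module, which is the assumption to confirm before tightening. Since the 0.1.3.chtc entry adds a new `name_attribute` key and an untouched config will lack it, the changelog should also say that upgrades no longer refresh the file.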