in src/oslogin_utils.cc [1360:1416]
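// Authorizes an OS Login user for login and, best effort, for sudo, by
// combining the MDS user lookup with the "login" and "adminLogin" policies.
//
// Filesystem side effects:
//   - kUsersDir/<user_name> is created when the login policy grants access,
//     and removed again (if it existed) when the login policy denies access.
//   - kSudoersDir/<user_name> is created when the adminLogin policy grants
//     access and removed when it denies access.
//
// user_name:     name to authorize; must be accepted by ValidateUserName().
// opts:          AuthOptions. opts.security_key is forwarded to MDSGetUser();
//                opts.admin_policy_required turns an adminLogin denial into a
//                login denial.
// user_response: output; receives the raw MDS response for the user.
//
// Returns true when the user may log in, false otherwise. Failures that
// affect the outcome are reported through SysLogErr().
bool AuthorizeUser(const char *user_name, struct AuthOptions opts, string *user_response) {
  if (!ValidateUserName(user_name)) {
    return false;
  }

  // Call MDS "users?username=" endpoint.
  if (!MDSGetUser(user_name, opts.security_key, user_response)) {
    return false;
  }

  // The policy checks are keyed on the e-mail returned by MDS; without one
  // there is nothing to evaluate, so deny.
  string email;
  if (!ParseJsonToEmail(*user_response, &email) || email.empty()) {
    return false;
  }

  string users_filename = kUsersDir;
  users_filename.append(user_name);
  const bool users_file_exists = FileExists(users_filename.c_str());

  if (!ApplyPolicy(user_name, email, "login", opts)) {
    // Couldn't apply "login" policy for user in question, log it and deny.
    SysLogErr("Could not grant access to organization user: %s.", user_name);
    if (users_file_exists) {
      remove(users_filename.c_str());
    }
    return false;
  }

  if (!users_file_exists && !CreateGoogleUserFile(users_filename)) {
    // If we can't create users file we can't grant access, log it and deny.
    SysLogErr("Failed to create user's file.");
    return false;
  }

  string sudoers_filename = kSudoersDir;
  sudoers_filename.append(user_name);
  const bool sudoers_exists = FileExists(sudoers_filename.c_str());

  if (ApplyPolicy(user_name, email, "adminLogin", opts)) {
    // Best effort creating sudoers file, if we fail log it and grant access.
    if (!sudoers_exists && !CreateGoogleSudoersFile(sudoers_filename, user_name)) {
      SysLogErr("Could not grant sudo permissions to organization user %s."
                " Sudoers file %s is not writable.", user_name, sudoers_filename.c_str());
    }
    return true;
  }

  // adminLogin was denied. A sudoers file left behind would keep granting
  // sudo outside of policy, so a failed removal of a file we know existed
  // must not go unnoticed. The removal is attempted unconditionally so a
  // file that appeared after the FileExists() check is still handled; only
  // the logging is gated on what we observed.
  const bool removed = remove(sudoers_filename.c_str()) == 0;
  if (sudoers_exists && !removed) {
    SysLogErr("Could not revoke sudo permissions from organization user %s."
              " Sudoers file %s could not be removed.", user_name, sudoers_filename.c_str());
  }

  // Login is still granted unless the caller requires the admin policy.
  return !opts.admin_policy_required;
}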