From abfba08af067f70b736108310c3e55534ef7085e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Mar 2019 10:38:50 +0100
Subject: [PATCH 21/21] intg: add test for password prompt configuration
Related to https://pagure.io/SSSD/sssd/issue/3264
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked with fixes from commit 45efba71befd96c8e9fe0a51fc300cafa93bd703)
---
src/tests/intg/Makefile.am | 32 +++++-
src/tests/intg/test_pam_responder.py | 154 ++++++++++++++++++++++++++-
2 files changed, 184 insertions(+), 2 deletions(-)
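--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -105,13 +105,36 @@ passwd: root
 group:
 echo "root:x:0:" > $@
 
+PAM_SERVICE_DIR=pam_service_dir
+pam_sss_service:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
+pam_sss_alt_service:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
 CLEANFILES=config.py config.pyc passwd group
 
 clean-local:
 rm -Rf root
 rm -f $(builddir)/cwrap-dbus-system.conf
 
-intgcheck-installed: config.py passwd group
+if HAVE_NSS
+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"
+SOFTHSM2_CONF=""
+else
+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
+endif
+
+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
 pipepath="$(DESTDIR)$(pipepath)"; \
 if test $${#pipepath} -gt 80; then \
 echo "error: Pipe directory path too long," \
@@ -126,16 +149,23 @@ intgcheck-installed: config.py passwd group
 PATH="$$(dirname -- $(SLAPD)):$$PATH" \
 PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
 PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
+ LANG=C \
 PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
 LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
 NON_WRAPPED_UID=$$(id -u) \
 LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
+ LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \
 NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
 NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
 NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
 NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
 UID_WRAPPER=1 \
 UID_WRAPPER_ROOT=1 \
+ PAM_WRAPPER=0 \
+ PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \
+ PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \
+ PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
+ SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
 DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
 DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
 DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \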
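Review bot: The added `LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)"` in the second hunk yields a value with a leading empty element whenever `LD_LIBRARY_PATH` is unset in the calling environment, and the dynamic loader treats an empty element as the current working directory. The test processes would then look for shared libraries in whatever directory they run from before `$(nsslibdir)`. Prepending the old value only when it is non-empty avoids that: `LD_LIBRARY_PATH="$${LD_LIBRARY_PATH:+$$LD_LIBRARY_PATH:}$(DESTDIR)$(nsslibdir)" \`. Separately, the new `pam_sss_service` and `pam_sss_alt_service` outputs under `$(PAM_SERVICE_DIR)` are not added to the `CLEANFILES`/`clean-local` lines shown as context in the first hunk. The `intgcheck-installed` recipe starts and ends outside both hunks.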
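--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -30,9 +30,84 @@ import time
 import pytest
 
 import config
-
+import shutil
 from util import unindent
 
+import intg.ds_openldap
+
+import pytest
+
+from intg.util import unindent
+from intg.files_ops import passwd_ops_setup
+
+LDAP_BASE_DN = "dc=example,dc=com"
+
+
+@pytest.fixture(scope="module")
+def ad_inst(request):
+ """Fake AD server instance fixture"""
+ instance = intg.ds_openldap.FakeAD(
+ config.PREFIX, 10389, LDAP_BASE_DN,
+ "cn=admin", "Secret123"
+ )
+
+ try:
+ instance.setup()
+ except:
+ instance.teardown()
+ raise
+ request.addfinalizer(instance.teardown)
+ return instance
+
+
+@pytest.fixture(scope="module")
+def ldap_conn(request, ad_inst):
+ """LDAP server connection fixture"""
+ ldap_conn = ad_inst.bind()
+ ldap_conn.ad_inst = ad_inst
+ request.addfinalizer(ldap_conn.unbind_s)
+ return ldap_conn
+
+
+def format_basic_conf(ldap_conn):
+ """Format a basic SSSD configuration"""
+ return unindent("""\
+ [sssd]
+ domains = FakeAD
+ services = pam, nss
+
+ [nss]
+
+ [pam]
+ debug_level = 10
+
+ [domain/FakeAD]
+ debug_level = 10
+ ldap_search_base = {ldap_conn.ad_inst.base_dn}
+ ldap_referrals = false
+
+ id_provider = ldap
+ auth_provider = ldap
+ chpass_provider = ldap
+ access_provider = ldap
+
+ ldap_uri = {ldap_conn.ad_inst.ldap_url}
+ ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn}
+ ldap_default_authtok_type = password
+ ldap_default_authtok = {ldap_conn.ad_inst.admin_pw}
+
+ ldap_schema = ad
+ ldap_id_mapping = true
+ ldap_idmap_default_domain_sid = S-1-5-21-1305200397-2901131868-73388776
+ case_sensitive = False
+
+ [prompting/password]
+ password_prompt = My global prompt
+
+ [prompting/password/pam_sss_alt_service]
+ password_prompt = My alt service prompt
+ """).format(**locals())
+
 
 def format_pam_cert_auth_conf():
 """Format a basic SSSD configuration"""
@@ -79,6 +154,8 @@ def create_conf_fixture(request, contents):
 
 def create_sssd_process():
 """Start the SSSD process"""
+ os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
+ os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
 if subprocess.call(["sssd", "-D", "-f"]) != 0:
 raise Exception("sssd start failed")
 
@@ -129,3 +206,78 @@ def test_preauth_indicator(simple_pam_cert_auth):
 """Check if preauth indicator file is created"""
 statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")
 assert stat.S_ISREG(statinfo.st_mode)
+
+
+@pytest.fixture
+def pam_prompting_config(request, ldap_conn):
+ """Setup SSSD with PAM prompting config"""
+ conf = format_basic_conf(ldap_conn)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_password_prompting_config_global(ldap_conn, pam_prompting_config,
+ env_for_sssctl):
+ """Check global change of the password prompt"""
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1_dom1-19661",
+ "--action=auth", "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="111")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("My global prompt") != -1
+
+
+def test_password_prompting_config_srv(ldap_conn, pam_prompting_config,
+ env_for_sssctl):
+ """Check change of the password prompt for dedicated service"""
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1_dom1-19661",
+ "--action=auth",
+ "--service=pam_sss_alt_service"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="111")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("My alt service prompt") != -1
+
+
+@pytest.fixture
+def env_for_sssctl(request):
+ pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
+ if pwrap_runtimedir is None:
+ raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
+
+ env_for_sssctl = os.environ.copy()
+ env_for_sssctl['PAM_WRAPPER'] = "1"
+ env_for_sssctl['SSSD_INTG_PEER_UID'] = "0"
+ env_for_sssctl['SSSD_INTG_PEER_GID'] = "0"
+ env_for_sssctl['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+ return env_for_sssctl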
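Review bot: In both `test_password_prompting_config_global` and `test_password_prompting_config_srv` the bare `except:` around `sssctl.communicate(input="111")` catches every exception, including KeyboardInterrupt, discards it, and lets the test continue to the exit-status check, so the original failure is never reported. Because `communicate()` is called without a timeout, the kill-and-collect branch also cannot act as a guard against `sssctl` blocking at a prompt. If the suite only needs to run on Python 3 (not visible here), `communicate(input="111", timeout=<seconds>)` with `except subprocess.TimeoutExpired:` would state the intent; otherwise add a `raise` after `sssctl.kill()`. `communicate()` already closes the pipes, so the following `sssctl.stdin.close()` and `sssctl.stdout.close()` lines are redundant.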
--
2.19.1