Blob Blame History Raw
From 6155a267d399d111706c4496c3877e216936c3b2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:26:21 +0200
Subject: [PATCH 19/19] intg: add Smartcard authentication tests

Two test for Smartcard authentication of a local user, i.e. a user
managed by the files provider, are added. One for a successful
authentication, the other for a failed authentication with a wrong PIN.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 657f3b89bca9adfb13f0867c91f1d76845d2d6dd)
---
 configure.ac                         |   1 +
 contrib/ci/deps.sh                   |   2 +
 contrib/sssd.spec.in                 |   1 +
 src/external/cwrap.m4                |   5 ++
 src/external/intgcheck.m4            |   1 +
 src/tests/intg/Makefile.am           |  24 ++++++-
 src/tests/intg/test_pam_responder.py | 131 ++++++++++++++++++++++++++++++++---
 7 files changed, 155 insertions(+), 10 deletions(-)

diff --git a/configure.ac b/configure.ac
index 1aac65f4d85b9974adc5ba3e5196b00be5d279f1..891610e14490a4e78e1e95e63c18d9c6a9a8afb4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -488,6 +488,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
 AM_CHECK_CMOCKA
 AM_CHECK_UID_WRAPPER
 AM_CHECK_NSS_WRAPPER
+AM_CHECK_PAM_WRAPPER
 AM_CHECK_TEST_CA
 
 # Check if the user wants SSSD to be compiled with systemtap probes
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 5906e5332ba99ce137174f3630e269b8c561f996..c04c7aab03f78185d96000142a71001ab52a66a7 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
         pyldb
         rpm-build
         uid_wrapper
+        pam_wrapper
         python-requests
         curl-devel
         krb5-server
@@ -117,6 +118,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
         fakeroot
         libnss-wrapper
         libuid-wrapper
+        libpam-wrapper
         python-pytest
         python-ldap
         python-ldb
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5ebd51f41f60cfdcd1d65c1c58dea4b296fd1ed1..26fae6d68dbe4d14f85ddf34bb4871bc34db3b3d 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -237,6 +237,7 @@ BuildRequires: selinux-policy-targeted
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: uid_wrapper
 BuildRequires: nss_wrapper
+BuildRequires: pam_wrapper
 
 # Test CA requires openssl independent if SSSD is build with NSS or openssl,
 # openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4
index b8489cc765f34f3bc6ad4e4b7e69626f6ea8060e..6e3487c13f734e311a2262b0f71495167489c710 100644
--- a/src/external/cwrap.m4
+++ b/src/external/cwrap.m4
@@ -28,3 +28,8 @@ AC_DEFUN([AM_CHECK_NSS_WRAPPER],
 [
     AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
 ])
+
+AC_DEFUN([AM_CHECK_PAM_WRAPPER],
+[
+    AM_CHECK_WRAPPER(pam_wrapper, HAVE_PAM_WRAPPER)
+])
diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
index 60a7bf306ddefd748cf9bac62d3767e7512b6d64..c14f66978b8087586cf1c5ac2d60a07e4f90d45d 100644
--- a/src/external/intgcheck.m4
+++ b/src/external/intgcheck.m4
@@ -22,6 +22,7 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
     if test x"$enable_intgcheck_reqs" = xyes; then
         SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper])
         SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper])
+        SSS_INTGCHECK_REQ([HAVE_PAM_WRAPPER], [pam_wrapper])
         SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd])
         SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify])
         SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot])
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 6f7605bd4edbf26ef3ce97acea74fc92216eede9..bb3a7f01ae4f79fa05cd661993e8f9872ecd0450 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -105,13 +105,29 @@ passwd: root
 group:
 	echo "root:x:0:" > $@
 
+PAM_SERVICE_DIR=pam_service_dir
+pam_sss_service:
+	$(MKDIR_P) $(PAM_SERVICE_DIR)
+	echo "auth     required       $(DESTDIR)$(pammoddir)/pam_sss.so"  > $(PAM_SERVICE_DIR)/$@
+	echo "account  required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+	echo "password required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+	echo "session  required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
 CLEANFILES=config.py config.pyc passwd group
 
 clean-local:
 	rm -Rf root
 	rm -f $(builddir)/cwrap-dbus-system.conf
 
-intgcheck-installed: config.py passwd group
+if HAVE_NSS
+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"
+SOFTHSM2_CONF=""
+else
+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
+endif
+
+intgcheck-installed: config.py passwd group pam_sss_service
 	pipepath="$(DESTDIR)$(pipepath)"; \
 	if test $${#pipepath} -gt 80; then \
 	    echo "error: Pipe directory path too long," \
@@ -131,12 +147,18 @@ intgcheck-installed: config.py passwd group
 	LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
 	NON_WRAPPED_UID=$$(id -u) \
 	LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
+	LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \
 	NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
 	NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
 	NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
 	NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
 	UID_WRAPPER=1 \
 	UID_WRAPPER_ROOT=1 \
+	PAM_WRAPPER=0 \
+	PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \
+	PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \
+	PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
+	SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
 	DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
 	DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
 	DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index cf6fff2db7ba9c9c69e1dd9abe5663a02cedd72e..c6d048cd342838fe312287eaffff734e30ba9e1c 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -27,31 +27,44 @@ import signal
 import errno
 import subprocess
 import time
-import pytest
+import shutil
 
 import config
 
-from util import unindent
+import pytest
 
+from intg.util import unindent
+from intg.files_ops import passwd_ops_setup
 
-def format_pam_cert_auth_conf():
+USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
+             gecos='User for tests',
+             dir='/home/user1',
+             shell='/bin/bash')
+
+
+def format_pam_cert_auth_conf(config):
     """Format a basic SSSD configuration"""
     return unindent("""\
         [sssd]
+        debug_level = 10
         domains = auth_only
-        services = pam
+        services = pam, nss
 
         [nss]
+        debug_level = 10
 
         [pam]
         pam_cert_auth = True
+        pam_p11_allowed_services = +pam_sss_service
+        pam_cert_db_path = {config.PAM_CERT_DB_PATH}
         debug_level = 10
 
         [domain/auth_only]
-        id_provider = ldap
-        auth_provider = ldap
-        chpass_provider = ldap
-        access_provider = ldap
+        debug_level = 10
+        id_provider = files
+
+        [certmap/auth_only/user1]
+        matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
     """).format(**locals())
 
 
@@ -79,6 +92,8 @@ def create_conf_fixture(request, contents):
 
 def create_sssd_process():
     """Start the SSSD process"""
+    os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
+    os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
     if subprocess.call(["sssd", "-D", "-f"]) != 0:
         raise Exception("sssd start failed")
 
@@ -116,12 +131,41 @@ def create_sssd_fixture(request):
     request.addfinalizer(cleanup_sssd_process)
 
 
+def create_nssdb():
+    os.mkdir(config.SYSCONFDIR + "/pki")
+    os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
+    if subprocess.call(["certutil", "-N", "-d",
+                        "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
+                        "--empty-password"]) != 0:
+        raise Exception("certutil failed")
+
+    pkcs11_txt = open(config.SYSCONFDIR + "/pki/nssdb/pkcs11.txt", "w")
+    pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
+                     "parameters=configdir='sql:" + config.ABS_BUILDDIR +
+                     "/../test_CA/p11_nssdb' " +
+                     "dbSlotDescription='SSSD Test Slot' " +
+                     "dbTokenDescription='SSSD Test Token' " +
+                     "secmod='secmod.db' flags=readOnly)\n\n")
+    pkcs11_txt.close()
+
+
+def cleanup_nssdb():
+    shutil.rmtree(config.SYSCONFDIR + "/pki")
+
+
+def create_nssdb_fixture(request):
+    create_nssdb()
+    request.addfinalizer(cleanup_nssdb)
+
+
 @pytest.fixture
 def simple_pam_cert_auth(request):
     """Setup SSSD with pam_cert_auth=True"""
-    conf = format_pam_cert_auth_conf()
+    config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+    conf = format_pam_cert_auth_conf(config)
     create_conf_fixture(request, conf)
     create_sssd_fixture(request)
+    create_nssdb_fixture(request)
     return None
 
 
@@ -129,3 +173,72 @@ def test_preauth_indicator(simple_pam_cert_auth):
     """Check if preauth indicator file is created"""
     statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")
     assert stat.S_ISREG(statinfo.st_mode)
+
+
+@pytest.fixture
+def pam_wrapper_setup(request):
+    pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
+    if pwrap_runtimedir is None:
+        raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
+
+
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
+                           passwd_ops_setup):
+
+    passwd_ops_setup.useradd(**USER1)
+    current_env = os.environ.copy()
+    current_env['PAM_WRAPPER'] = "1"
+    current_env['SSSD_INTG_PEER_UID'] = "0"
+    current_env['SSSD_INTG_PEER_GID'] = "0"
+    current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+    sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+                               "--action=auth", "--service=pam_sss_service"],
+                              universal_newlines=True,
+                              env=current_env, stdin=subprocess.PIPE,
+                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+    try:
+        out, err = sssctl.communicate(input="111")
+    except:
+        sssctl.kill()
+        out, err = sssctl.communicate()
+
+    sssctl.stdin.close()
+    sssctl.stdout.close()
+
+    if sssctl.wait() != 0:
+        raise Exception("sssctl failed")
+
+    assert err.find("pam_authenticate for user [user1]: " +
+                    "Authentication failure") != -1
+
+
+def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
+
+    passwd_ops_setup.useradd(**USER1)
+    current_env = os.environ.copy()
+    current_env['PAM_WRAPPER'] = "1"
+    current_env['SSSD_INTG_PEER_UID'] = "0"
+    current_env['SSSD_INTG_PEER_GID'] = "0"
+    current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+    sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+                               "--action=auth", "--service=pam_sss_service"],
+                              universal_newlines=True,
+                              env=current_env, stdin=subprocess.PIPE,
+                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+    try:
+        out, err = sssctl.communicate(input="123456")
+    except:
+        sssctl.kill()
+        out, err = sssctl.communicate()
+
+    sssctl.stdin.close()
+    sssctl.stdout.close()
+
+    if sssctl.wait() != 0:
+        raise Exception("sssctl failed")
+
+    assert err.find("pam_authenticate for user [user1]: Success") != -1
-- 
2.14.4