Blame SOURCES/0021-intg-add-test-for-password-prompt-configuration.patch

From abfba08af067f70b736108310c3e55534ef7085e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Mar 2019 10:38:50 +0100
Subject: [PATCH 21/21] intg: add test for password prompt configuration
Related to https://pagure.io/SSSD/sssd/issue/3264
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked with fixes from commit 45efba71befd96c8e9fe0a51fc300cafa93bd703)
---
 src/tests/intg/Makefile.am           |  32 +++++-
 src/tests/intg/test_pam_responder.py | 154 ++++++++++++++++++++++++++-
 2 files changed, 184 insertions(+), 2 deletions(-)
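--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -105,13 +105,36 @@ passwd: root
 group:
 	echo "root:x:0:" > $@
 
+PAM_SERVICE_DIR=pam_service_dir
+pam_sss_service:
+	$(MKDIR_P) $(PAM_SERVICE_DIR)
+	echo "auth     required       $(DESTDIR)$(pammoddir)/pam_sss.so"  > $(PAM_SERVICE_DIR)/$@
+	echo "account  required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+	echo "password required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+	echo "session  required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
+pam_sss_alt_service:
+	$(MKDIR_P) $(PAM_SERVICE_DIR)
+	echo "auth     required       $(DESTDIR)$(pammoddir)/pam_sss.so"  > $(PAM_SERVICE_DIR)/$@
+	echo "account  required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+	echo "password required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+	echo "session  required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
 CLEANFILES=config.py config.pyc passwd group
 
 clean-local:
 	rm -Rf root
 	rm -f $(builddir)/cwrap-dbus-system.conf
 
-intgcheck-installed: config.py passwd group
+if HAVE_NSS
+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"
+SOFTHSM2_CONF=""
+else
+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
+endif
+
+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
 	pipepath="$(DESTDIR)$(pipepath)"; \
 	if test $${#pipepath} -gt 80; then \
 	    echo "error: Pipe directory path too long," \
@@ -126,16 +149,23 @@ intgcheck-installed: config.py passwd group
 	PATH="$$(dirname -- $(SLAPD)):$$PATH" \
 	PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
 	PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
+	LANG=C \
 	PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
 	LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
 	NON_WRAPPED_UID=$$(id -u) \
 	LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
+	LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \
 	NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
 	NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
 	NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
 	NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
 	UID_WRAPPER=1 \
 	UID_WRAPPER_ROOT=1 \
+	PAM_WRAPPER=0 \
+	PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \
+	PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \
+	PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
+	SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
 	DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
 	DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
 	DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \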
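Review bot: The added `LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)"` line in the intgcheck-installed recipe produces a value with a leading empty element whenever LD_LIBRARY_PATH is unset or empty in the caller's environment, and glibc's loader treats an empty element as the current directory, so the processes started by the suite (which run with UID_WRAPPER_ROOT=1) would also search the working directory for shared libraries. Writing it as `LD_LIBRARY_PATH="$${LD_LIBRARY_PATH:+$$LD_LIBRARY_PATH:}$(DESTDIR)$(nsslibdir)"` avoids the empty element. Separately, `PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper)` becomes an empty string if pkg-config fails and nothing in the visible lines checks for that, and the new `pam_service_dir` output is not covered by CLEANFILES or clean-local as shown here. The recipe body continues outside both hunks, so later lines may already handle some of this.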
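--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -30,9 +30,84 @@ import time
 import pytest
 
 import config
-
+import shutil
 from util import unindent
 
+import intg.ds_openldap
+
+import pytest
+
+from intg.util import unindent
+from intg.files_ops import passwd_ops_setup
+
+LDAP_BASE_DN = "dc=example,dc=com"
+
+
+@pytest.fixture(scope="module")
+def ad_inst(request):
+    """Fake AD server instance fixture"""
+    instance = intg.ds_openldap.FakeAD(
+        config.PREFIX, 10389, LDAP_BASE_DN,
+        "cn=admin", "Secret123"
+    )
+
+    try:
+        instance.setup()
+    except:
+        instance.teardown()
+        raise
+    request.addfinalizer(instance.teardown)
+    return instance
+
+
+@pytest.fixture(scope="module")
+def ldap_conn(request, ad_inst):
+    """LDAP server connection fixture"""
+    ldap_conn = ad_inst.bind()
+    ldap_conn.ad_inst = ad_inst
+    request.addfinalizer(ldap_conn.unbind_s)
+    return ldap_conn
+
+
+def format_basic_conf(ldap_conn):
+    """Format a basic SSSD configuration"""
+    return unindent("""\
+        [sssd]
+        domains = FakeAD
+        services = pam, nss
+
+        [nss]
+
+        [pam]
+        debug_level = 10
+
+        [domain/FakeAD]
+        debug_level = 10
+        ldap_search_base = {ldap_conn.ad_inst.base_dn}
+        ldap_referrals = false
+
+        id_provider = ldap
+        auth_provider = ldap
+        chpass_provider = ldap
+        access_provider = ldap
+
+        ldap_uri = {ldap_conn.ad_inst.ldap_url}
+        ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn}
+        ldap_default_authtok_type = password
+        ldap_default_authtok = {ldap_conn.ad_inst.admin_pw}
+
+        ldap_schema = ad
+        ldap_id_mapping = true
+        ldap_idmap_default_domain_sid = S-1-5-21-1305200397-2901131868-73388776
+        case_sensitive = False
+
+        [prompting/password]
+        password_prompt = My global prompt
+
+        [prompting/password/pam_sss_alt_service]
+        password_prompt = My alt service prompt
+    """).format(**locals())
+
 
 def format_pam_cert_auth_conf():
     """Format a basic SSSD configuration"""
@@ -79,6 +154,8 @@ def create_conf_fixture(request, contents):
 
 def create_sssd_process():
     """Start the SSSD process"""
+    os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
+    os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
     if subprocess.call(["sssd", "-D", "-f"]) != 0:
         raise Exception("sssd start failed")
 
@@ -129,3 +206,78 @@ def test_preauth_indicator(simple_pam_cert_auth):
     """Check if preauth indicator file is created"""
     statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")
     assert stat.S_ISREG(statinfo.st_mode)
+
+
+@pytest.fixture
+def pam_prompting_config(request, ldap_conn):
+    """Setup SSSD with PAM prompting config"""
+    conf = format_basic_conf(ldap_conn)
+    create_conf_fixture(request, conf)
+    create_sssd_fixture(request)
+    return None
+
+
+def test_password_prompting_config_global(ldap_conn, pam_prompting_config,
+                                          env_for_sssctl):
+    """Check global change of the password prompt"""
+
+    sssctl = subprocess.Popen(["sssctl", "user-checks", "user1_dom1-19661",
+                               "--action=auth", "--service=pam_sss_service"],
+                              universal_newlines=True,
+                              env=env_for_sssctl, stdin=subprocess.PIPE,
+                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+    try:
+        out, err = sssctl.communicate(input="111")
+    except:
+        sssctl.kill()
+        out, err = sssctl.communicate()
+
+    sssctl.stdin.close()
+    sssctl.stdout.close()
+
+    if sssctl.wait() != 0:
+        raise Exception("sssctl failed")
+
+    assert err.find("My global prompt") != -1
+
+
+def test_password_prompting_config_srv(ldap_conn, pam_prompting_config,
+                                       env_for_sssctl):
+    """Check change of the password prompt for dedicated service"""
+
+    sssctl = subprocess.Popen(["sssctl", "user-checks", "user1_dom1-19661",
+                               "--action=auth",
+                               "--service=pam_sss_alt_service"],
+                              universal_newlines=True,
+                              env=env_for_sssctl, stdin=subprocess.PIPE,
+                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+    try:
+        out, err = sssctl.communicate(input="111")
+    except:
+        sssctl.kill()
+        out, err = sssctl.communicate()
+
+    sssctl.stdin.close()
+    sssctl.stdout.close()
+
+    if sssctl.wait() != 0:
+        raise Exception("sssctl failed")
+
+    assert err.find("My alt service prompt") != -1
+
+
+@pytest.fixture
+def env_for_sssctl(request):
+    pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
+    if pwrap_runtimedir is None:
+        raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
+
+    env_for_sssctl = os.environ.copy()
+    env_for_sssctl['PAM_WRAPPER'] = "1"
+    env_for_sssctl['SSSD_INTG_PEER_UID'] = "0"
+    env_for_sssctl['SSSD_INTG_PEER_GID'] = "0"
+    env_for_sssctl['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+    return env_for_sssctl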
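Review bot: `env_for_sssctl` validates only PAM_WRAPPER_SERVICE_DIR, while `os.environ['PAM_WRAPPER_PATH']` and `env_for_sssctl['LD_PRELOAD']` are indexed directly, so an unset variable surfaces as a bare KeyError and an empty PAM_WRAPPER_PATH is appended silently; in that case sssctl would presumably run without the wrapper preloaded and resolve `--service=` against the host PAM configuration instead of the test service directory. A guard such as `pwrap_path = os.getenv("PAM_WRAPPER_PATH")` followed by `if not pwrap_path: raise ValueError("The PAM_WRAPPER_PATH variable is unset or empty\n")` keeps that failure explicit. In both new tests the bare `except:` around `communicate()` also catches KeyboardInterrupt, and `raise Exception("sssctl failed")` discards the captured stderr; `except Exception:` plus including `err` in the message would make a failing run diagnosable. The fixture also has no docstring; something like `"""Environment for running sssctl with pam_wrapper preloaded"""` would match the other fixtures in this file.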
-- 
2.19.1