From b2a979e5e66f463d9567165fa7a46a39a9e6ae18 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Tue, 9 Oct 2018 10:46:43 +0200

Subject: [PATCH 46/47] tests: add PKCS#11 URI tests

Related to https://pagure.io/SSSD/sssd/issue/3814

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit 4a22fb6bba6662ad628f6e17203e8ccf20eb9666)

---

 src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++

 src/tests/test_CA/Makefile.am   |  16 +++++-

 2 files changed, 135 insertions(+), 1 deletion(-)

diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c

index 2b02ac27b7356c5bce9e11dae785ecdbddd31aa3..7fc9224e152b8c206faf5d0cd9b6778099c6605c 100644

--- a/src/tests/cmocka/test_pam_srv.c

+++ b/src/tests/cmocka/test_pam_srv.c

@@ -65,6 +65,7 @@

 #endif

 #define TEST_TOKEN_NAME "SSSD Test Token"

+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"

 #define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"

 #ifdef HAVE_NSS

 #define TEST_MODULE_NAME "NSS-Internal"

@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,

     return EOK;

 }

+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,

+                                          size_t blen, enum response_type type,

+                                          const char *name)

+{

+    size_t rp = 0;

+    uint32_t val;

+    size_t check2_len = 0;

+    char const *check2_strings[] = { NULL,

+                                     TEST_TOKEN2_NAME,

+                                     TEST_MODULE_NAME,

+                                     TEST2_KEY_ID,

+                                     TEST2_PROMPT,

+                                     NULL };

+

+    assert_int_equal(status, 0);

+

+    check2_strings[0] = name;

+    check2_len = check_string_array_len(check2_strings);

+

+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);

+    assert_int_equal(val, pam_test_ctx->exp_pam_status);

+

+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);

+    assert_int_equal(val, 2);

+

+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);

+    assert_int_equal(val, SSS_PAM_DOMAIN_NAME);

+

+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);

+    assert_int_equal(val, 9);

+

+    assert_int_equal(*(body + rp + val - 1), 0);

+    assert_string_equal(body + rp, TEST_DOM_NAME);

+    rp += val;

+

+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);

+    assert_int_equal(val, type);

+

+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);

+    assert_int_equal(val, check2_len);

+

+    check_string_array(check2_strings, body, &rp);

+

+    assert_int_equal(rp, blen);

+

+    return EOK;

+}

+

 static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)

 {

     return test_pam_cert_check_ex(status, body, blen,

@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)

                                   NULL);

 }

+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen)

+{

+    return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO,

+                                          "pamuser@"TEST_DOM_NAME);

+}

+

 static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,

                                             size_t blen)

 {

@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)

     assert_int_equal(ret, EOK);

 }

+void test_pam_cert_preauth_uri_token1(void **state)

+{

+    int ret;

+

+    struct sss_test_conf_param pam_params[] = {

+        { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" },

+        { NULL, NULL },             /* Sentinel */

+    };

+

+    ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);

+    assert_int_equal(ret, EOK);

+    set_cert_auth_param(pam_test_ctx->pctx, CA_DB);

+    putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));

+

+    mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,

+                        test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);

+

+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);

+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);

+

+    set_cmd_cb(test_pam_cert_check);

+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,

+                          pam_test_ctx->pam_cmds);

+    assert_int_equal(ret, EOK);

+

+    /* Wait until the test finishes with EOK */

+    ret = test_ev_loop(pam_test_ctx->tctx);

+    assert_int_equal(ret, EOK);

+}

+

+void test_pam_cert_preauth_uri_token2(void **state)

+{

+    int ret;

+

+    struct sss_test_conf_param pam_params[] = {

+        { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" },

+        { NULL, NULL },             /* Sentinel */

+    };

+

+    ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);

+    assert_int_equal(ret, EOK);

+    set_cert_auth_param(pam_test_ctx->pctx, CA_DB);

+    putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));

+

+    mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,

+                        test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false);

+

+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);

+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);

+

+    set_cmd_cb(test_pam_cert2_check);

+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,

+                          pam_test_ctx->pam_cmds);

+    assert_int_equal(ret, EOK);

+

+    /* Wait until the test finishes with EOK */

+    ret = test_ev_loop(pam_test_ctx->tctx);

+    assert_int_equal(ret, EOK);

+}

 void test_filter_response(void **state)

 {

@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[])

                                         pam_test_setup, pam_test_teardown),

         cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,

                                         pam_test_setup, pam_test_teardown),

+#ifndef HAVE_NSS

+        cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1,

+                                        pam_test_setup, pam_test_teardown),

+        cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2,

+                                        pam_test_setup, pam_test_teardown),

+#endif /* ! HAVE_NSS */

 #endif /* HAVE_TEST_CA */

         cmocka_unit_test_setup_teardown(test_filter_response,

diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am

index 1bce2c36633b2d1df65c29258f8ee163a4bfce9e..b574c76111560ba3fce453254e74c267fc680681 100644

--- a/src/tests/test_CA/Makefile.am

+++ b/src/tests/test_CA/Makefile.am

@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))

 if HAVE_NSS

 extra = p11_nssdb p11_nssdb_2certs

 else

-extra = softhsm2_none softhsm2_one softhsm2_two

+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens

 endif

 # If openssl is run in parallel there might be conflicts with the serial

@@ -114,6 +114,20 @@ softhsm2_two.conf:

 	@echo "objectstore.backend = file" >> $@

 	@echo "slots.removable = true" >> $@

+softhsm2_2tokens: softhsm2_2tokens.conf

+	mkdir $@

+	SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token  --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free

+	GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login  --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token

+	GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login  --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token

+	SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token  --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free

+	GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login  --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202

+	GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login  --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202

+

+softhsm2_2tokens.conf:

+	@echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@

+	@echo "objectstore.backend = file" >> $@

+	@echo "slots.removable = true" >> $@

+

 CLEANFILES = \

     index.txt  index.txt.attr \

     index.txt.attr.old  index.txt.old \

-- 

2.14.4