From b2a979e5e66f463d9567165fa7a46a39a9e6ae18 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 9 Oct 2018 10:46:43 +0200 Subject: [PATCH 46/47] tests: add PKCS#11 URI tests Related to https://pagure.io/SSSD/sssd/issue/3814 Reviewed-by: Jakub Hrozek (cherry picked from commit 4a22fb6bba6662ad628f6e17203e8ccf20eb9666) --- src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++ src/tests/test_CA/Makefile.am | 16 +++++- 2 files changed, 135 insertions(+), 1 deletion(-) diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index 2b02ac27b7356c5bce9e11dae785ecdbddd31aa3..7fc9224e152b8c206faf5d0cd9b6778099c6605c 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -65,6 +65,7 @@ #endif #define TEST_TOKEN_NAME "SSSD Test Token" +#define TEST_TOKEN2_NAME "SSSD Test Token Number 2" #define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17" #ifdef HAVE_NSS #define TEST_MODULE_NAME "NSS-Internal" 
@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen, return EOK; } +static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body, + size_t blen, enum response_type type, + const char *name) +{ + size_t rp = 0; + uint32_t val; + size_t check2_len = 0; + char const *check2_strings[] = { NULL, + TEST_TOKEN2_NAME, + TEST_MODULE_NAME, + TEST2_KEY_ID, + TEST2_PROMPT, + NULL }; + + assert_int_equal(status, 0); + + check2_strings[0] = name; + check2_len = check_string_array_len(check2_strings); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, pam_test_ctx->exp_pam_status); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, 2); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, SSS_PAM_DOMAIN_NAME); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, 9); + + assert_int_equal(*(body + rp + val - 1), 0); + assert_string_equal(body + rp, TEST_DOM_NAME); + rp += val; + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, type); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, check2_len); + + check_string_array(check2_strings, body, &rp); + + assert_int_equal(rp, blen); + + return EOK; +} + static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen) { return test_pam_cert_check_ex(status, body, blen, @@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen) NULL); } +static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen) +{ + return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO, + "pamuser@"TEST_DOM_NAME); +} + static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body, size_t blen) { 
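Review bot: In test_pam_cert2_token2_check_ex the terminator check `assert_int_equal(*(body + rp + val - 1), 0);` dereferences `body` before anything has compared `rp + val` with `blen`; the only length check is `assert_int_equal(rp, blen)` at the very end. A truncated or malformed reply would therefore be read past its end instead of failing the test cleanly. Adding `assert_true(rp + val <= blen);` just before the terminator check makes that failure deterministic. The literal `9` is presumably `sizeof(TEST_DOM_NAME)`; that macro is defined outside this hunk, so confirm it, and if so spell it that way so the length follows the name.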
@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state) assert_int_equal(ret, EOK); } +void test_pam_cert_preauth_uri_token1(void **state) +{ + int ret; + + struct sss_test_conf_param pam_params[] = { + { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" }, + { NULL, NULL }, /* Sentinel */ + }; + + ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); + assert_int_equal(ret, EOK); + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf")); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, + test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_pam_cert_check); + ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, + pam_test_ctx->pam_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(pam_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_pam_cert_preauth_uri_token2(void **state) +{ + int ret; + + struct sss_test_conf_param pam_params[] = { + { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" }, + { NULL, NULL }, /* Sentinel */ + }; + + ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); + assert_int_equal(ret, EOK); + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf")); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, + test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_pam_cert2_check); + ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, + pam_test_ctx->pam_cmds); + assert_int_equal(ret, EOK); + + /* Wait 
until the test finishes with EOK */ + ret = test_ev_loop(pam_test_ctx->tctx); + assert_int_equal(ret, EOK); +} void test_filter_response(void **state) { @@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[]) pam_test_setup, pam_test_teardown), cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id, pam_test_setup, pam_test_teardown), +#ifndef HAVE_NSS + cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1, + pam_test_setup, pam_test_teardown), + cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2, + pam_test_setup, pam_test_teardown), +#endif /* ! HAVE_NSS */ #endif /* HAVE_TEST_CA */ cmocka_unit_test_setup_teardown(test_filter_response, diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am index 1bce2c36633b2d1df65c29258f8ee163a4bfce9e..b574c76111560ba3fce453254e74c267fc680681 100644 --- a/src/tests/test_CA/Makefile.am +++ b/src/tests/test_CA/Makefile.am @@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) if HAVE_NSS extra = p11_nssdb p11_nssdb_2certs else -extra = softhsm2_none softhsm2_one softhsm2_two +extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens endif # If openssl is run in parallel there might be conflicts with the serial 
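Review bot: Both new tests call `putenv()` with `SOFTHSM2_CONF=` pointing at softhsm2_2tokens.conf and nothing visible restores the variable, so every test that runs later in the same process sees the two-token store unless it sets the variable itself. Whether pam_test_teardown resets it is not visible in this hunk; if it does not, save and restore the previous value or clear it in teardown. Coverage is also limited to URIs that match a token. A case whose `CONFDB_PAM_P11_URI` names a label absent from softhsm2_2tokens.conf, asserting that (presumably) no certificate is offered in the preauth reply, would pin down the restricting behaviour the option exists for. The two test bodies differ only in the URI, the certificate and the callback, so a shared helper taking those three values would remove the duplication.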
@@ -114,6 +114,20 @@ softhsm2_two.conf: @echo "objectstore.backend = file" >> $@ @echo "slots.removable = true" >> $@ +softhsm2_2tokens: softhsm2_2tokens.conf + mkdir $@ + SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token + SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free + GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202 + GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202 + +softhsm2_2tokens.conf: + @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@ + @echo "objectstore.backend = file" >> $@ + @echo "slots.removable = true" >> $@ + CLEANFILES = \ index.txt index.txt.attr \ index.txt.attr.old index.txt.old \ -- 2.14.4
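Review bot: The softhsm2_2tokens recipe runs `mkdir $@` first and only then the six token-initialisation and import commands, so a failure in any of them leaves the directory behind and a later `make` treats the target as up to date with a half-populated token store. Building into a temporary directory and renaming it at the end, or removing `$@` when a step fails, avoids that. The rule lists only softhsm2_2tokens.conf as a prerequisite although it loads SSSD_test_cert_x509_0001.pem and SSSD_test_cert_x509_0002.pem; unless another rule in this file already orders those, they should be prerequisites here. No CLEANFILES or clean-local change is visible in this hunk, so check that `make clean` removes the new directory and .conf file.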