authorMike Steinert <[email protected]>2023-09-20 08:46:09 -0500
committerGitHub <[email protected]>2023-09-20 08:46:09 -0500
commit718a0b9debcb8031d1f03b438e885b5bacd72202 (patch)
tree93d45aac6058b6f8eda30bfd3a8a56d106222f2f
parent5253f659f39e53933241047250d12d92aa173192 (diff)
parenta22a1abf3ffe22cf7d763f1f4c5708b746ad3498 (diff)
Merge pull request #7 from 3v1n0/rootless-tests
tests: Add more tests on PAM conversations that can run as user
-rw-r--r--test-services/deny-service2
-rw-r--r--test-services/echo-service3
-rw-r--r--test-services/permit-service (renamed from my-service)0
-rw-r--r--test-services/succeed-if-user-test2
-rw-r--r--transaction_test.go96
5 files changed, 95 insertions, 8 deletions
diff --git a/test-services/deny-service b/test-services/deny-service
new file mode 100644
index 0000000..c73363a
--- /dev/null
+++ b/test-services/deny-service
@@ -0,0 +1,2 @@
+# Custom stack to deny permit, independent of the user name/pass
+auth requisite pam_deny.so
diff --git a/test-services/echo-service b/test-services/echo-service
new file mode 100644
index 0000000..1734a00
--- /dev/null
+++ b/test-services/echo-service
@@ -0,0 +1,3 @@
+# Custom stack to always permit, independent of the user name/pass
+auth optional pam_echo.so This is an info message for user %u on %s
+auth required pam_permit.so
diff --git a/my-service b/test-services/permit-service
index 2dfbc5a..2dfbc5a 100644
--- a/my-service
+++ b/test-services/permit-service
diff --git a/test-services/succeed-if-user-test b/test-services/succeed-if-user-test
new file mode 100644
index 0000000..17cf607
--- /dev/null
+++ b/test-services/succeed-if-user-test
@@ -0,0 +1,2 @@
+# Custom stack to deny permit, independent of the user name/pass
+auth requisite pam_succeed_if.so user = testuser
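Review bot: The header comment is copied from deny-service and does not describe this stack. The `pam_succeed_if.so user = testuser` line lets authentication succeed only when the user name is testuser, and no module in this file checks the password. A comment such as `# Custom stack that succeeds only for user name testuser, independent of the password` would match what the two succeed-if-user-test cases in transaction_test.go rely on.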
diff --git a/transaction_test.go b/transaction_test.go
index c56edf2..c7bcd2e 100644
--- a/transaction_test.go
+++ b/transaction_test.go
@@ -168,14 +168,11 @@ func TestPAM_007(t *testing.T) {
func TestPAM_ConfDir(t *testing.T) {
u, _ := user.Current()
- if u.Uid != "0" {
- t.Skip("run this test as root")
- }
c := Credentials{
// the custom service always permits even with wrong password.
Password: "wrongsecret",
}
- tx, err := StartConfDir("my-service", "test", c, ".")
+ tx, err := StartConfDir("permit-service", u.Username, c, "test-services")
if !CheckPamHasStartConfdir() {
if err == nil {
t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err)
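Review bot: `u, _ := user.Current()` discards the lookup error, and the new `StartConfDir("permit-service", u.Username, c, "test-services")` call dereferences `u` unconditionally. If the lookup fails (for instance a UID with no passwd entry, which is plausible in the rootless environments this change targets), the test panics on a nil pointer instead of reporting why. Check the error, e.g. `u, uerr := user.Current()` followed by `if uerr != nil { t.Skipf("cannot determine current user: %v", uerr) }`. The same pattern appears in TestPAM_ConfDir_FailNoServiceOrUnsupported, TestPAM_ConfDir_InfoMessage and TestPAM_ConfDir_Deny in the next hunk. TestPAM_ConfDir's body continues outside this hunk.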
@@ -194,13 +191,96 @@ func TestPAM_ConfDir(t *testing.T) {
func TestPAM_ConfDir_FailNoServiceOrUnsupported(t *testing.T) {
u, _ := user.Current()
- if u.Uid != "0" {
- t.Skip("run this test as root")
- }
c := Credentials{
Password: "secret",
}
- _, err := StartConfDir("does-not-exists", "test", c, ".")
+ _, err := StartConfDir("does-not-exists", u.Username, c, ".")
+ if err == nil {
+ t.Fatalf("authenticate #expected an error")
+ }
+ s := err.Error()
+ if len(s) == 0 {
+ t.Fatalf("error #expected an error message")
+ }
+}
+
+func TestPAM_ConfDir_InfoMessage(t *testing.T) {
+ u, _ := user.Current()
+ var infoText string
+ tx, err := StartConfDir("echo-service", u.Username,
+ ConversationFunc(func(s Style, msg string) (string, error) {
+ switch s {
+ case TextInfo:
+ infoText = msg
+ return "", nil
+ }
+ return "", errors.New("unexpected")
+ }), "test-services")
+ if err != nil {
+ t.Fatalf("start #error: %v", err)
+ }
+ err = tx.Authenticate(0)
+ if err != nil {
+ t.Fatalf("authenticate #error: %v", err)
+ }
+ if infoText != "This is an info message for user " + u.Username + " on echo-service" {
+ t.Fatalf("Unexpected info message: %v", infoText)
+ }
+}
+
+func TestPAM_ConfDir_Deny(t *testing.T) {
+ u, _ := user.Current()
+ tx, err := StartConfDir("deny-service", u.Username, Credentials{}, "test-services")
+ if err != nil {
+ t.Fatalf("start #error: %v", err)
+ }
+ err = tx.Authenticate(0)
+ if err == nil {
+ t.Fatalf("authenticate #expected an error")
+ }
+ s := err.Error()
+ if len(s) == 0 {
+ t.Fatalf("error #expected an error message")
+ }
+}
+
+func TestPAM_ConfDir_PromptForUserName(t *testing.T) {
+ c := Credentials{
+ User: "testuser",
+ // the custom service only cares about correct user name.
+ Password: "wrongsecret",
+ }
+ tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services")
+ if !CheckPamHasStartConfdir() {
+ if err == nil {
+ t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err)
+ }
+ // nothing else we do, we don't support it.
+ return
+ }
+ if err != nil {
+ t.Fatalf("start #error: %v", err)
+ }
+ err = tx.Authenticate(0)
+ if err != nil {
+ t.Fatalf("authenticate #error: %v", err)
+ }
+}
+
+func TestPAM_ConfDir_WrongUserName(t *testing.T) {
+ c := Credentials{
+ User: "wronguser",
+ Password: "wrongsecret",
+ }
+ tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services")
+ if !CheckPamHasStartConfdir() {
+ if err == nil {
+ t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err)
+ }
+ // nothing else we do, we don't support it.
+ return
+ }
+ err = tx.Authenticate(0)
if err == nil {
t.Fatalf("authenticate #expected an error")
}
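Review bot: In TestPAM_ConfDir_WrongUserName the error from StartConfDir is never checked once CheckPamHasStartConfdir() is true, so `tx.Authenticate(0)` can run on a transaction that failed to start. Depending on how Authenticate handles that (not visible here), the test either panics or passes on an error that did not come from pam_succeed_if, in which case the rejection of the wrong user name is never actually exercised. Add `if err != nil { t.Fatalf("start #error: %v", err) }` before the Authenticate call, as TestPAM_ConfDir_PromptForUserName does. TestPAM_ConfDir_InfoMessage and TestPAM_ConfDir_Deny also lack the CheckPamHasStartConfdir() guard the other ConfDir tests use, so presumably they fail at start where pam_start_confdir is unavailable. The body of TestPAM_ConfDir_WrongUserName continues past the end of the hunk.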