author | Marco Trevisan (Treviño) <[email protected]> | 2023-09-19 18:40:17 +0200 |
---|---|---|
committer | Marco Trevisan (Treviño) <[email protected]> | 2023-09-19 18:46:25 +0200 |
commit | a22a1abf3ffe22cf7d763f1f4c5708b746ad3498 (patch) | |
tree | 93d45aac6058b6f8eda30bfd3a8a56d106222f2f | |
parent | 1cab6e699cc2486f7e1879b41a10b7b76806206b (diff) |
transaction_test: Add root-less tests to check pam conversation
Use pam_succeed_if to make it implicitly ask for the user name and
verify that the provided one is correct.
This can safely run as user.
-rw-r--r-- | test-services/succeed-if-user-test | 2 | ||||
-rw-r--r-- | transaction_test.go | 46 |
2 files changed, 48 insertions, 0 deletions
diff --git a/test-services/succeed-if-user-test b/test-services/succeed-if-user-test
new file mode 100644
index 0000000..17cf607
--- /dev/null
+++ b/test-services/succeed-if-user-test
@@ -0,0 +1,2 @@
+# Custom stack to deny permit, independent of the user name/pass
+auth requisite pam_succeed_if.so user = testuser
diff --git a/transaction_test.go b/transaction_test.go
index 780c06c..c7bcd2e 100644
--- a/transaction_test.go
+++ b/transaction_test.go
@@ -244,6 +244,52 @@ func TestPAM_ConfDir_Deny(t *testing.T) {
 }
 }
 
+func TestPAM_ConfDir_PromptForUserName(t *testing.T) {
+ c := Credentials{
+ User: "testuser",
+ // the custom service only cares about correct user name.
+ Password: "wrongsecret",
+ }
+ tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services")
+ if !CheckPamHasStartConfdir() {
+ if err == nil {
+ t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err)
+ }
+ // nothing else we do, we don't support it.
+ return
+ }
+ if err != nil {
+ t.Fatalf("start #error: %v", err)
+ }
+ err = tx.Authenticate(0)
+ if err != nil {
+ t.Fatalf("authenticate #error: %v", err)
+ }
+}
+
+func TestPAM_ConfDir_WrongUserName(t *testing.T) {
+ c := Credentials{
+ User: "wronguser",
+ Password: "wrongsecret",
+ }
+ tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services")
+ if !CheckPamHasStartConfdir() {
+ if err == nil {
+ t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err)
+ }
+ // nothing else we do, we don't support it.
+ return
+ }
+ err = tx.Authenticate(0)
+ if err == nil {
+ t.Fatalf("authenticate #expected an error")
+ }
+ s := err.Error()
+ if len(s) == 0 {
+ t.Fatalf("error #expected an error message")
+ }
+}
+
 func TestItem(t *testing.T) {
 tx, _ := StartFunc("passwd", "test", func(s Style, msg string) (string, error) {
 return "", nil |
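Review bot: The header comment on the first line of the new service file says the stack is there to "deny permit" independent of user name and password, but the only rule, `auth requisite pam_succeed_if.so user = testuser`, lets authentication succeed whenever the user name is testuser and never looks at a password. The wording looks carried over from another test service. Since this stack accepts a login on the name alone, the comment should state that and mark the file as test-only, for example `# Test-only stack: auth succeeds only when the user name is testuser; no password is checked`.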
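Review bot: TestPAM_ConfDir_WrongUserName calls `tx.Authenticate(0)` without checking the error returned by StartConfDir when pam_start_confdir is available, unlike TestPAM_ConfDir_PromptForUserName, so a failed start would either run Authenticate on an unusable transaction or be counted as the expected authentication failure. Add `if err != nil { t.Fatalf("start #error: %v", err) }` before the Authenticate call. The negative assertion also accepts any non-nil error with a non-empty message, so the test would still pass if the stack failed for an unrelated reason such as a missing module; if the returned error carries the PAM status, compare it with the authentication-failure code instead. In both tests the `%v` in the "start should have errored out" message always prints nil, because that branch runs only when `err == nil`.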