From d0c0c8bf18fb416e2b76ee4b29c1644d34fb3746 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= Date: Tue, 19 Sep 2023 18:17:54 +0200 Subject: tests: Move services to a subdirectory It makes it cleaner to handle, plus it allows adding more. Also rename the `my-service` to something more self-explanatory. --- my-service | 2 -- test-services/permit-service | 2 ++ transaction_test.go | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 my-service create mode 100644 test-services/permit-service diff --git a/my-service b/my-service deleted file mode 100644 index 2dfbc5a..0000000 --- a/my-service +++ /dev/null @@ -1,2 +0,0 @@ -# Custom stack to always permit, independent of the user name/pass -auth required pam_permit.so diff --git a/test-services/permit-service b/test-services/permit-service new file mode 100644 index 0000000..2dfbc5a --- /dev/null +++ b/test-services/permit-service @@ -0,0 +1,2 @@ +# Custom stack to always permit, independent of the user name/pass +auth required pam_permit.so diff --git a/transaction_test.go b/transaction_test.go index c56edf2..2d24a37 100644 --- a/transaction_test.go +++ b/transaction_test.go @@ -176,6 +176,7 @@ func TestPAM_ConfDir(t *testing.T) { Password: "wrongsecret", } tx, err := StartConfDir("my-service", "test", c, ".") + tx, err := StartConfDir("permit-service", u.Username, c, "test-services") if !CheckPamHasStartConfdir() { if err == nil { t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err) -- cgit v1.2.3 From ca3e79e6055a0ac8e68903036973493007e497fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= Date: Tue, 19 Sep 2023 18:18:56 +0200 Subject: transaction_test: Enable conf-dir tests without root They don't require the `test` user nor being ran as root --- transaction_test.go | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) 
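Review bot: The added `tx, err := StartConfDir("permit-service", u.Username, c, "test-services")` sits directly under the still-present context line `tx, err := StartConfDir("my-service", "test", c, ".")`, so after this commit `tx` and `err` are declared twice with `:=` in the same scope and the test file does not compile ("no new variables on left side of :="), which also breaks bisecting across this series. The next commit removes the old line, but that removal belongs in this one: replace the call instead of adding a second one, i.e. drop `tx, err := StartConfDir("my-service", "test", c, ".")` here. The rest of TestPAM_ConfDir, including the `u` declaration the new line relies on, is outside the hunk.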
diff --git a/transaction_test.go b/transaction_test.go index 2d24a37..acf7053 100644 --- a/transaction_test.go +++ b/transaction_test.go @@ -168,14 +168,10 @@ func TestPAM_007(t *testing.T) { func TestPAM_ConfDir(t *testing.T) { u, _ := user.Current() - if u.Uid != "0" { - t.Skip("run this test as root") - } c := Credentials{ // the custom service always permits even with wrong password. Password: "wrongsecret", } - tx, err := StartConfDir("my-service", "test", c, ".") tx, err := StartConfDir("permit-service", u.Username, c, "test-services") if !CheckPamHasStartConfdir() { if err == nil { @@ -195,13 +191,10 @@ func TestPAM_ConfDir(t *testing.T) { func TestPAM_ConfDir_FailNoServiceOrUnsupported(t *testing.T) { u, _ := user.Current() - if u.Uid != "0" { - t.Skip("run this test as root") - } c := Credentials{ Password: "secret", } - _, err := StartConfDir("does-not-exists", "test", c, ".") + _, err := StartConfDir("does-not-exists", u.Username, c, ".") if err == nil { t.Fatalf("authenticate #expected an error") } -- cgit v1.2.3 From 1cab6e699cc2486f7e1879b41a10b7b76806206b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= Date: Tue, 19 Sep 2023 18:21:03 +0200 Subject: transaction_test: Add more authentication tests to run as user So that it's possible also to verify an info text conversation --- test-services/deny-service | 2 ++ test-services/echo-service | 3 +++ transaction_test.go | 40 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 45 insertions(+) create mode 100644 test-services/deny-service create mode 100644 test-services/echo-service diff --git a/test-services/deny-service b/test-services/deny-service new file mode 100644 index 0000000..c73363a --- /dev/null +++ b/test-services/deny-service @@ -0,0 +1,2 @@ +# Custom stack to deny permit, independent of the user name/pass +auth requisite pam_deny.so diff --git a/test-services/echo-service b/test-services/echo-service new file mode 100644 index 0000000..1734a00 
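Review bot: With the root guard removed, both hunks still discard the error from `u, _ := user.Current()`; when that lookup fails `u` is nil and `u.Username` panics with a nil-pointer dereference instead of producing a readable test failure. Prefer `u, err := user.Current()` followed by `if err != nil { t.Fatalf("cannot determine current user: %v", err) }` in TestPAM_ConfDir and TestPAM_ConfDir_FailNoServiceOrUnsupported (the latter's later `_, err :=` then becomes `_, err =`). Running these as an unprivileged user is reasonable since the stack presumably comes from the supplied directory, but it still depends on the modules named in the test-services files being installed on the host, which is worth a comment above the tests. The second hunk keeps "." as the confdir while the first moved to "test-services"; it only works because the service does not exist anyway, and pointing both at "test-services" would keep the tests consistent.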
--- /dev/null +++ b/test-services/echo-service @@ -0,0 +1,3 @@ +# Custom stack to always permit, independent of the user name/pass +auth optional pam_echo.so This is an info message for user %u on %s +auth required pam_permit.so diff --git a/transaction_test.go b/transaction_test.go index acf7053..780c06c 100644 --- a/transaction_test.go +++ b/transaction_test.go @@ -204,6 +204,46 @@ func TestPAM_ConfDir_FailNoServiceOrUnsupported(t *testing.T) { } } +func TestPAM_ConfDir_InfoMessage(t *testing.T) { + u, _ := user.Current() + var infoText string + tx, err := StartConfDir("echo-service", u.Username, + ConversationFunc(func(s Style, msg string) (string, error) { + switch s { + case TextInfo: + infoText = msg + return "", nil + } + return "", errors.New("unexpected") + }), "test-services") + if err != nil { + t.Fatalf("start #error: %v", err) + } + err = tx.Authenticate(0) + if err != nil { + t.Fatalf("authenticate #error: %v", err) + } + if infoText != "This is an info message for user " + u.Username + " on echo-service" { + t.Fatalf("Unexpected info message: %v", infoText) + } +} + +func TestPAM_ConfDir_Deny(t *testing.T) { + u, _ := user.Current() + tx, err := StartConfDir("deny-service", u.Username, Credentials{}, "test-services") + if err != nil { + t.Fatalf("start #error: %v", err) + } + err = tx.Authenticate(0) + if err == nil { + t.Fatalf("authenticate #expected an error") + } + s := err.Error() + if len(s) == 0 { + t.Fatalf("error #expected an error message") + } +} + func TestItem(t *testing.T) { tx, _ := StartFunc("passwd", "test", func(s Style, msg string) (string, error) { return "", nil -- cgit v1.2.3 From a22a1abf3ffe22cf7d763f1f4c5708b746ad3498 Mon Sep 17 00:00:00 2001 
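Review bot: TestPAM_ConfDir_InfoMessage and TestPAM_ConfDir_Deny call `StartConfDir` without the `CheckPamHasStartConfdir()` guard the earlier conf-dir tests use, so on a libpam without pam_start_confdir they abort at `t.Fatalf("start #error: %v", err)` instead of being skipped. Add `if !CheckPamHasStartConfdir() { t.Skip("pam_start_confdir not available") }` before each `StartConfDir` call, or mirror the existing pattern that asserts `err != nil` and returns. In TestPAM_ConfDir_Deny, `len(s) == 0` only proves that some error message exists; if the package exposes the PAM status as a typed error, asserting that it is the authentication failure pam_deny presumably returns would show the test observed the denial rather than an arbitrary failure. The conversation in the info test rightly returns an error for every style other than TextInfo, which keeps the stack from silently prompting, and that intent deserves a one-line comment on the `default` path.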
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= Date: Tue, 19 Sep 2023 18:40:17 +0200 Subject: transaction_test: Add root-less tests to check pam conversation Use pam_succeed_if to make it implicitly ask for the user name and verify that the provided one is correct. This can safely run as user. --- test-services/succeed-if-user-test | 2 ++ transaction_test.go | 46 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 test-services/succeed-if-user-test diff --git a/test-services/succeed-if-user-test b/test-services/succeed-if-user-test new file mode 100644 index 0000000..17cf607 --- /dev/null +++ b/test-services/succeed-if-user-test @@ -0,0 +1,2 @@ +# Custom stack to deny permit, independent of the user name/pass +auth requisite pam_succeed_if.so user = testuser diff --git a/transaction_test.go b/transaction_test.go index 780c06c..c7bcd2e 100644 --- a/transaction_test.go +++ b/transaction_test.go 
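Review bot: The header comment `# Custom stack to deny permit, independent of the user name/pass` is copied from deny-service and says the opposite of what this stack does: `pam_succeed_if.so user = testuser` succeeds only when the user name matches, so the user name is exactly what it depends on. Suggest `# Succeeds only when the (prompted) user name is "testuser"; the password is never checked`. Per its man page pam_succeed_if logs each mismatch to syslog unless given `quiet` or `quiet_fail`; adding `quiet_fail` would keep the wrong-user test from leaving noise in the host log.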
@@ -244,6 +244,52 @@ func TestPAM_ConfDir_Deny(t *testing.T) { } } +func TestPAM_ConfDir_PromptForUserName(t *testing.T) { + c := Credentials{ + User: "testuser", + // the custom service only cares about correct user name. + Password: "wrongsecret", + } + tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services") + if !CheckPamHasStartConfdir() { + if err == nil { + t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err) + } + // nothing else we do, we don't support it. + return + } + if err != nil { + t.Fatalf("start #error: %v", err) + } + err = tx.Authenticate(0) + if err != nil { + t.Fatalf("authenticate #error: %v", err) + } +} + +func TestPAM_ConfDir_WrongUserName(t *testing.T) { + c := Credentials{ + User: "wronguser", + Password: "wrongsecret", + } + tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services") + if !CheckPamHasStartConfdir() { + if err == nil { + t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err) + } + // nothing else we do, we don't support it. + return + } + err = tx.Authenticate(0) + if err == nil { + t.Fatalf("authenticate #expected an error") + } + s := err.Error() + if len(s) == 0 { + t.Fatalf("error #expected an error message") + } +} + func TestItem(t *testing.T) { tx, _ := StartFunc("passwd", "test", func(s Style, msg string) (string, error) { return "", nil -- cgit v1.2.3
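Review bot: TestPAM_ConfDir_WrongUserName omits the `if err != nil { t.Fatalf("start #error: %v", err) }` check that TestPAM_ConfDir_PromptForUserName has right above it, so if `StartConfDir` fails for any other reason the test either panics on a nil `tx` or passes vacuously because `tx.Authenticate(0)` returns an unrelated error. Insert that check after the `CheckPamHasStartConfdir()` block, before `err = tx.Authenticate(0)`. For the same reason `len(s) == 0` is a weak assertion for a negative test; if the package exposes the PAM status as a typed error, asserting that the failure is the authentication error rather than any error would show the wrong user was actually rejected by pam_succeed_if. TestItem's body continues outside the hunk.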