From 45efba71befd96c8e9fe0a51fc300cafa93bd703 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Apr 01 2019 20:40:44 +0000
Subject: intg: add test for password prompt configuration
Related to Related to https://pagure.io/SSSD/sssd/issue/3264
Reviewed-by: Jakub Hrozek
---
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 25093b5..2aa1566 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -113,6 +113,13 @@ pam_sss_service:
 echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
 echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+pam_sss_alt_service:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
 pam_sss_sc_required:
 $(MKDIR_P) $(PAM_SERVICE_DIR)
 echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so require_cert_auth retry=1" > $(PAM_SERVICE_DIR)/$@
@@ -141,7 +148,7 @@ PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
 SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
 endif
-intgcheck-installed: config.py passwd group pam_sss_service pam_sss_sc_required pam_sss_try_sc
+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc
 pipepath="$(DESTDIR)$(pipepath)"; \
 if test $${#pipepath} -gt 80; then \
 echo "error: Pipe directory path too long," \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index d1ad9af..8e1fcf1 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
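Review bot: The `pam_sss_alt_service` recipe in src/tests/intg/Makefile.am repeats the `pam_sss_service` stack line for line, so any later change to the test PAM stack has to be made in two places to keep the two services comparable. Only the tail of `pam_sss_service` is visible in this hunk, so the full match is inferred from the two shared `password` and `session` lines. Since every line already writes to `$(PAM_SERVICE_DIR)/$@`, both targets could share one recipe under `pam_sss_service pam_sss_alt_service:`. A comment such as `# same stack as pam_sss_service; exists only to give the prompting tests a second service name` would record why the duplicate exists.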
@@ -30,12 +30,82 @@ import time
 import shutil
 import config
+import intg.ds_openldap
 import pytest
 from intg.util import unindent
 from intg.files_ops import passwd_ops_setup
+LDAP_BASE_DN = "dc=example,dc=com"
+
+
+@pytest.fixture(scope="module")
+def ad_inst(request):
+ """Fake AD server instance fixture"""
+ instance = intg.ds_openldap.FakeAD(
+ config.PREFIX, 10389, LDAP_BASE_DN,
+ "cn=admin", "Secret123"
+ )
+
+ try:
+ instance.setup()
+ except:
+ instance.teardown()
+ raise
+ request.addfinalizer(instance.teardown)
+ return instance
+
+
+@pytest.fixture(scope="module")
+def ldap_conn(request, ad_inst):
+ """LDAP server connection fixture"""
+ ldap_conn = ad_inst.bind()
+ ldap_conn.ad_inst = ad_inst
+ request.addfinalizer(ldap_conn.unbind_s)
+ return ldap_conn
+
+
+def format_basic_conf(ldap_conn):
+ """Format a basic SSSD configuration"""
+ return unindent("""\
+ [sssd]
+ domains = FakeAD
+ services = pam, nss
+
+ [nss]
+
+ [pam]
+ debug_level = 10
+
+ [domain/FakeAD]
+ debug_level = 10
+ ldap_search_base = {ldap_conn.ad_inst.base_dn}
+ ldap_referrals = false
+
+ id_provider = ldap
+ auth_provider = ldap
+ chpass_provider = ldap
+ access_provider = ldap
+
+ ldap_uri = {ldap_conn.ad_inst.ldap_url}
+ ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn}
+ ldap_default_authtok_type = password
+ ldap_default_authtok = {ldap_conn.ad_inst.admin_pw}
+
+ ldap_schema = ad
+ ldap_id_mapping = true
+ ldap_idmap_default_domain_sid = S-1-5-21-1305200397-2901131868-73388776
+ case_sensitive = False
+
+ [prompting/password]
+ password_prompt = My global prompt
+
+ [prompting/password/pam_sss_alt_service]
+ password_prompt = My alt service prompt
+ """).format(**locals())
+
+
 USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001, gecos='User for tests', dir='/home/user1', 
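Review bot: `format_basic_conf` ends with `.format(**locals())`, which hands every local name to the template; passing only the value it reads, `.format(ldap_conn=ldap_conn)`, makes the dependency explicit and keeps a later local from being interpolated by accident. The docstring says "basic", yet the returned text also carries the `[prompting/password]` and `[prompting/password/pam_sss_alt_service]` sections the new tests depend on. It also writes the fake directory's admin password into `ldap_default_authtok` in clear text. A docstring such as `"""Format an SSSD config for the FakeAD domain, including the password-prompt sections; the bind credentials are throwaway test values."""` would state both facts for the next reader.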
@@ -221,6 +291,66 @@ def test_preauth_indicator(simple_pam_cert_auth):
 @pytest.fixture
+def pam_prompting_config(request, ldap_conn):
+ """Setup SSSD with PAM prompting config"""
+ conf = format_basic_conf(ldap_conn)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_password_prompting_config_global(ldap_conn, pam_prompting_config,
+ env_for_sssctl):
+ """Check global change of the password prompt"""
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1_dom1-19661",
+ "--action=auth", "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="111")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("My global prompt") != -1
+
+
+def test_password_prompting_config_srv(ldap_conn, pam_prompting_config,
+ env_for_sssctl):
+ """Check change of the password prompt for dedicated service"""
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1_dom1-19661",
+ "--action=auth",
+ "--service=pam_sss_alt_service"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="111")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("My alt service prompt") != -1
+
+
+@pytest.fixture
 def env_for_sssctl(request):
 pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
 if pwrap_runtimedir is None:
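Review bot: Both new tests only assert that the expected prompt appears in stderr, so they would still pass if the per-service override leaked into `pam_sss_service` or both prompts were printed. Assuming the service section is meant to replace the global prompt, add `assert "My alt service prompt" not in err` to `test_password_prompting_config_global` and `assert "My global prompt" not in err` to `test_password_prompting_config_srv`. The bare `except:` around `sssctl.communicate(input="111")` in both tests also catches KeyboardInterrupt and then carries on, and with no timeout a sssctl that blocks on the prompt stalls the whole run. Using `except Exception:` and adding a bare `raise` after `sssctl.kill()` keeps the original failure visible. The two bodies differ only in the service name and the expected string, so a shared helper taking those two values would keep them in step; `env_for_sssctl` continues past the end of this hunk.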