From 02a147cf6bf9ec8c1b648e97307129333e84a051 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora
Date: Mon, 16 Jul 2018 23:53:42 +0200
Subject: Test Require pam-account and AuthBasicProvider PAM in CI.
---
 .cirrus.yml | 5 ++++-
 .travis.yml | 14 ++++++++------
 tests/Dockerfile | 2 ++
 tests/auth.cgi | 10 ++++++++++
 tests/auth.conf | 19 +++++++++++++++++++
 tests/config.sh | 15 +++++++++++++++
 tests/pam-exec | 28 ++++++++++++++++++++++++++++
 tests/pam-web | 2 ++
 tests/run.sh | 20 ++++++++++++++++++++
 9 files changed, 108 insertions(+), 7 deletions(-)
 create mode 100755 tests/auth.cgi
 create mode 100644 tests/auth.conf
 create mode 100755 tests/config.sh
 create mode 100755 tests/pam-exec
 create mode 100644 tests/pam-web
 create mode 100755 tests/run.sh
diff --git a/.cirrus.yml b/.cirrus.yml
index 01c7994..d4bac4a 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -5,4 +5,7 @@ test_task:
 image: registry.fedoraproject.org/fedora:latest
 image: centos:centos7
 image: centos:centos6
- test_script: tests/build.sh
+ build_script: tests/build.sh
+ config_script: tests/config.sh
+ run_httpd_background_script: /usr/sbin/httpd -DFOREGROUND
+ test_script: tests/run.sh
diff --git a/.travis.yml b/.travis.yml
index e00cb75..756e443 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,17 +8,17 @@ services:
 install: true
 stages:
-- build-rpm
+- build-and-test
 matrix:
 include:
- - stage: build-rpm
+ - stage: build-and-test
 env: fedora=rawhide
- - stage: build-rpm
+ - stage: build-and-test
 env: fedora=28
- - stage: build-rpm
+ - stage: build-and-test
 env: centos=centos7
- - stage: build-rpm
+ - stage: build-and-test
 env: centos=centos6
 before_script:
@@ -26,4 +26,6 @@ before_script:
 - if test -n "$centos" ; then sed -i "s#^FROM.*#FROM centos:$centos#" tests/Dockerfile ; fi
 script:
-- docker build -f tests/Dockerfile .
+- docker build -t mod_authnz_pam -f tests/Dockerfile .
+- docker run --name mod_authnz_pam --rm -d mod_authnz_pam
+- docker exec mod_authnz_pam tests/run.sh
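Review bot: Nothing waits for httpd to accept connections before the tests run, so `docker run --name mod_authnz_pam --rm -d mod_authnz_pam` followed immediately by `docker exec mod_authnz_pam tests/run.sh` can fail spuriously when the first curl reaches a port that is not yet listening; .cirrus.yml has the same ordering, with `run_httpd_background_script` followed directly by `test_script`. A readiness loop at the top of tests/run.sh would cover both CI systems, e.g. `for i in $(seq 1 30); do curl -s -o /dev/null http://localhost/ && break; sleep 1; done`. Because run.sh uses `set -e` without `set -o pipefail`, a connection failure surfaces only as the trailing `grep` exiting non-zero, which makes such a race hard to tell apart from a real authentication regression in the CI log.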
diff --git a/tests/Dockerfile b/tests/Dockerfile
index c488964..69ebf93 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -2,3 +2,5 @@ FROM registry.fedoraproject.org/fedora
 COPY . /src/
 WORKDIR /src
 RUN tests/build.sh
+RUN tests/config.sh
+ENTRYPOINT [ "/usr/sbin/httpd", "-DFOREGROUND" ]
diff --git a/tests/auth.cgi b/tests/auth.cgi
new file mode 100755
index 0000000..3f4be25
--- /dev/null
+++ b/tests/auth.cgi
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo "Content-Type: text/plain"
+echo "Pragma: no-cache"
+echo
+if [ -n "$REMOTE_USER" ] ; then
+ echo "User $REMOTE_USER."
+else
+ echo "Not authenticated."
+fi
diff --git a/tests/auth.conf b/tests/auth.conf
new file mode 100644
index 0000000..25975c5
--- /dev/null
+++ b/tests/auth.conf
@@ -0,0 +1,19 @@
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+
+ScriptAlias /authz /var/www/cgi-bin/auth.cgi
+
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider file
+ AuthUserFile /etc/htpasswd
+ Require pam-account web
+
+
+ScriptAlias /authn /var/www/cgi-bin/auth.cgi
+
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService web
+ Require valid-user
+
diff --git a/tests/config.sh b/tests/config.sh
new file mode 100755
index 0000000..6de8697
--- /dev/null
+++ b/tests/config.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+set -x
+
+sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
+mkdir -p /etc/pam-auth
+cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
+cp -p tests/pam-exec /usr/bin/pam-exec
+cp tests/pam-web /etc/pam.d/web
+chmod a+x /var/log/httpd
+touch /var/log/httpd/pam_exec.log
+chown apache /var/log/httpd/pam_exec.log
+cp tests/auth.conf /etc/httpd/conf.d/
+htpasswd -bc /etc/htpasswd alice Tajnost
diff --git a/tests/pam-exec b/tests/pam-exec
new file mode 100755
index 0000000..775ae49
--- /dev/null
+++ b/tests/pam-exec
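Review bot: `chmod a+x /var/log/httpd` in tests/config.sh gives every user search access to the httpd log directory just so the `apache` user can write pam_exec.log; a narrower grant achieves the same, e.g. `chgrp apache /var/log/httpd && chmod g+x /var/log/httpd`, or the pam_exec log could live outside /var/log/httpd. Separately, `sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf` succeeds silently when the directive is absent, and on httpd 2.4 the directive was renamed MaxRequestWorkers and does not appear in the stock Fedora httpd.conf as far as I recall, so the edit is likely a no-op there; following it with `grep -q '^MaxClients 1$' /etc/httpd/conf/httpd.conf` would make the intent enforceable, or a comment should say why a single worker matters. The hunk is the whole new script, so nothing is cut off.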
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+echo "$0: $PAM_TYPE $PAM_USER"
+
+if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
+ PAM_FILE="/etc/pam-auth/$PAM_USER"
+ if ! [ -f $PAM_FILE ] ; then
+ echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
+ exit 2
+ fi
+ if [ $PAM_TYPE == 'account' ] ; then
+ # For account check, existing file is enough to allow access
+ echo "$0: account [$PAM_USER] ok"
+ exit 0
+ fi
+
+ # For auth, we compare the passwords
+ read PASSWORD
+ read CHECK_PASSWORD < $PAM_FILE
+ if [ "$PASSWORD" == "$CHECK_PASSWORD" ] ; then
+ echo "$0: auth [$PAM_USER] ok"
+ exit 0
+ fi
+ echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
+ exit 3
+fi
+echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
+exit 4
diff --git a/tests/pam-web b/tests/pam-web
new file mode 100644
index 0000000..48d806d
--- /dev/null
+++ b/tests/pam-web
@@ -0,0 +1,2 @@
+auth optional pam_exec.so debug expose_authtok log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec
+account required pam_exec.so debug log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec
diff --git a/tests/run.sh b/tests/run.sh
new file mode 100755
index 0000000..0239907
--- /dev/null
+++ b/tests/run.sh
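Review bot: `PAM_FILE="/etc/pam-auth/$PAM_USER"` builds a path from a name that presumably arrives from the HTTP Basic credentials via mod_authnz_pam, and `[ -f $PAM_FILE ]` and `read CHECK_PASSWORD < $PAM_FILE` use it unquoted, so a name containing `/`, whitespace or glob characters changes which file is consulted; quote both expansions and reject names that are not a single plain path component before the file checks, e.g. `case "$PAM_USER" in ''|*/*|.*) echo "Rejected user name" >&2; exit 2 ;; esac`. The failure message `echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2` writes both the supplied and the stored secret into pam_exec.log, which even a test fixture should avoid — `echo "Provided password for [$PAM_USER] does not match" >&2` keeps the log useful. As a point of style, `[ $PAM_TYPE == 'account' ]` is unquoted while the earlier `[ "$PAM_TYPE" == 'auth' ]` is quoted; the outer test guarantees a non-empty value here, but making them consistent avoids the question.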
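Review bot: `auth optional pam_exec.so debug expose_authtok …` in tests/pam-web makes pam-exec's verdict decide the auth result only because it is the sole module in that stack; if another auth line is ever added to /etc/pam.d/web, a rejection from pam-exec no longer denies the login and the `grep 401` checks in tests/run.sh would be exercising a different path. Unless `optional` is deliberate, `auth required pam_exec.so debug expose_authtok log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec` states the intent directly and matches the `account required` line below it; if `optional` is intended, a comment explaining why would help the next reader.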
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+set -x
+
+echo "Testing Require pam-account"
+curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
+curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
+touch /etc/pam-auth/alice
+curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
+
+echo "Testing AuthBasicProvider PAM"
+curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+touch /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+echo Secret > /etc/pam-auth/bob
+curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
+echo Secret2 > /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
-- cgit
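Review bot: `grep 401` on the `curl -s -D /dev/stdout -o /dev/null … | tee /dev/stderr` output matches the digits anywhere in the dumped headers, not just the status line, so a `Content-Length:` or `Date:` value that happens to contain 401 would let a non-401 response pass; anchoring each of the seven checks to the status line, `grep '^HTTP/[0-9.]* 401'`, asserts what the test actually means. The script relies on `set -e` without `set -o pipefail`, which works here only because `grep` is the last command in every pipeline; adding `set -o pipefail` beside `set -x` keeps the checks honest if a stage is ever appended after the grep. The hunk is the whole new file.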