authorJake Chen <jakechenTW@gmail.com>2020-06-18 13:05:28 +0800
committerJan Pazdziora <jpazdziora@redhat.com>2020-07-08 23:14:59 +0200
commita9b23ffac32c9ac3b4fac1f60658d3b08b0c93e3 (patch)
tree695beba0c908ba2bc451825870b7f445267863bc
parent3f25ee81d6730e15db5bee68361a290c2a42a45d (diff)
downloadmod_authnz_pam-a9b23ffac32c9ac3b4fac1f60658d3b08b0c93e3.tar.gz
mod_authnz_pam-a9b23ffac32c9ac3b4fac1f60658d3b08b0c93e3.tar.xz
mod_authnz_pam-a9b23ffac32c9ac3b4fac1f60658d3b08b0c93e3.zip
Harden the test, show that auth is not enough and that account is run.
-rwxr-xr-xtests/config.sh1
-rwxr-xr-xtests/pam-exec20
-rwxr-xr-xtests/run.sh4
3 files changed, 17 insertions, 8 deletions
diff --git a/tests/config.sh b/tests/config.sh
index 6a16991..2dd1323 100755
--- a/tests/config.sh
+++ b/tests/config.sh
@@ -5,6 +5,7 @@ set -x
sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
mkdir -p /etc/pam-auth
+mkdir -p /etc/pam-account
cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
cp -p tests/pam-exec /usr/bin/pam-exec
cp tests/pam-web /etc/pam.d/web
diff --git a/tests/pam-exec b/tests/pam-exec
index 775ae49..81b3d12 100755
--- a/tests/pam-exec
+++ b/tests/pam-exec
@@ -2,18 +2,12 @@
echo "$0: $PAM_TYPE $PAM_USER"
-if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
+if [ "$PAM_TYPE" == 'auth' ] ; then
PAM_FILE="/etc/pam-auth/$PAM_USER"
if ! [ -f $PAM_FILE ] ; then
echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
exit 2
fi
- if [ $PAM_TYPE == 'account' ] ; then
- # For account check, existing file is enough to allow access
- echo "$0: account [$PAM_USER] ok"
- exit 0
- fi
-
# For auth, we compare the passwords
read PASSWORD
read CHECK_PASSWORD < $PAM_FILE
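Review bot: `PAM_USER` is placed into the `PAM_FILE` path unchecked and `$PAM_FILE` is then expanded unquoted, both in the auth branch here (`[ -f $PAM_FILE ]`, `read CHECK_PASSWORD < $PAM_FILE`) and in the account branch added in the next hunk. In this test setup the user name presumably comes from the HTTP Basic credentials, so a name containing `/` or whitespace would point the check at a path outside `/etc/pam-auth` or `/etc/pam-account`, or break the `[` test. I would reject such names before building the path, e.g. `case "$PAM_USER" in ''|*/*) exit 2 ;; esac`, and quote the expansions: `if ! [ -f "$PAM_FILE" ] ; then` and `read -r CHECK_PASSWORD < "$PAM_FILE"`. The auth `if` block opens in this hunk and closes in the next one.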
@@ -24,5 +18,17 @@ if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
exit 3
fi
+
+if [ "$PAM_TYPE" == 'account' ] ; then
+ PAM_FILE="/etc/pam-account/$PAM_USER"
+ if ! [ -f $PAM_FILE ] ; then
+ echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
+ exit 2
+ fi
+ # For account check, existing file is enough to allow access
+ echo "$0: account [$PAM_USER] ok"
+ exit 0
+fi
+
echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
exit 4
diff --git a/tests/run.sh b/tests/run.sh
index a1cbbab..5a2e291 100755
--- a/tests/run.sh
+++ b/tests/run.sh
@@ -16,7 +16,7 @@ rm -f /etc/pam-auth/*
echo "Testing Require pam-account"
curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
-touch /etc/pam-auth/alice
+touch /etc/pam-account/alice
curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
echo "Testing AuthBasicProvider PAM"
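Review bot: Nothing visible resets `/etc/pam-account` before the `Require pam-account` checks. The hunk header shows `rm -f /etc/pam-auth/*` as the cleanup step, and the new `touch /etc/pam-account/alice` leaves a file behind that a rerun on the same host would inherit. If no cleanup exists outside the hunk, the reset should cover both directories: `rm -f /etc/pam-auth/* /etc/pam-account/*`. Otherwise the two 401 checks for alice depend on the state left by the previous run rather than on the module's behaviour.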
@@ -25,6 +25,8 @@ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /
touch /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
echo Secret > /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+touch /etc/pam-account/bob
curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
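Review bot: The denial check added after `echo Secret > /etc/pam-auth/bob` passes on any `401` substring in the dumped headers, not only on the status line, so a `Content-Length` or `Date` value could satisfy it. This line is the one that proves a correct password without an account file is refused, so anchoring on the status line would make it exact: `| tee /dev/stderr | grep '^HTTP/[0-9.]* 401'`. The same loose `grep 401` appears in the unchanged checks around it in both hunks of this file.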