From 02a147cf6bf9ec8c1b648e97307129333e84a051 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora
Date: Mon, 16 Jul 2018 23:53:42 +0200
Subject: Test Require pam-account and AuthBasicProvider PAM in CI.
---
 tests/Dockerfile | 2 ++
 tests/auth.cgi | 10 ++++++++++
 tests/auth.conf | 19 +++++++++++++++++++
 tests/config.sh | 15 +++++++++++++++
 tests/pam-exec | 28 ++++++++++++++++++++++++++++
 tests/pam-web | 2 ++
 tests/run.sh | 20 ++++++++++++++++++++
 7 files changed, 96 insertions(+)
 create mode 100755 tests/auth.cgi
 create mode 100644 tests/auth.conf
 create mode 100755 tests/config.sh
 create mode 100755 tests/pam-exec
 create mode 100644 tests/pam-web
 create mode 100755 tests/run.sh
(limited to 'tests')
diff --git a/tests/Dockerfile b/tests/Dockerfile
index c488964..69ebf93 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -2,3 +2,5 @@ FROM registry.fedoraproject.org/fedora
 COPY . /src/
 WORKDIR /src
 RUN tests/build.sh
+RUN tests/config.sh
+ENTRYPOINT [ "/usr/sbin/httpd", "-DFOREGROUND" ]
diff --git a/tests/auth.cgi b/tests/auth.cgi
new file mode 100755
index 0000000..3f4be25
--- /dev/null
+++ b/tests/auth.cgi
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo "Content-Type: text/plain"
+echo "Pragma: no-cache"
+echo
+if [ -n "$REMOTE_USER" ] ; then
+ echo "User $REMOTE_USER."
+else
+ echo "Not authenticated."
+fi
diff --git a/tests/auth.conf b/tests/auth.conf
new file mode 100644
index 0000000..25975c5
--- /dev/null
+++ b/tests/auth.conf
@@ -0,0 +1,19 @@
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+
+ScriptAlias /authz /var/www/cgi-bin/auth.cgi
+
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider file
+ AuthUserFile /etc/htpasswd
+ Require pam-account web
+
+
+ScriptAlias /authn /var/www/cgi-bin/auth.cgi
+
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService web
+ Require valid-user
+
diff --git a/tests/config.sh b/tests/config.sh
new file mode 100755
index 0000000..6de8697
--- /dev/null
+++ b/tests/config.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+set -x
+
+sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
+mkdir -p /etc/pam-auth
+cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
+cp -p tests/pam-exec /usr/bin/pam-exec
+cp tests/pam-web /etc/pam.d/web
+chmod a+x /var/log/httpd
+touch /var/log/httpd/pam_exec.log
+chown apache /var/log/httpd/pam_exec.log
+cp tests/auth.conf /etc/httpd/conf.d/
+htpasswd -bc /etc/htpasswd alice Tajnost
diff --git a/tests/pam-exec b/tests/pam-exec
new file mode 100755
index 0000000..775ae49
--- /dev/null
+++ b/tests/pam-exec
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+echo "$0: $PAM_TYPE $PAM_USER"
+
+if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
+ PAM_FILE="/etc/pam-auth/$PAM_USER"
+ if ! [ -f $PAM_FILE ] ; then
+ echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
+ exit 2
+ fi
+ if [ $PAM_TYPE == 'account' ] ; then
+ # For account check, existing file is enough to allow access
+ echo "$0: account [$PAM_USER] ok"
+ exit 0
+ fi
+
+ # For auth, we compare the passwords
+ read PASSWORD
+ read CHECK_PASSWORD < $PAM_FILE
+ if [ "$PASSWORD" == "$CHECK_PASSWORD" ] ; then
+ echo "$0: auth [$PAM_USER] ok"
+ exit 0
+ fi
+ echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
+ exit 3
+fi
+echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
+exit 4
diff --git a/tests/pam-web b/tests/pam-web
new file mode 100644
index 0000000..48d806d
--- /dev/null
+++ b/tests/pam-web
@@ -0,0 +1,2 @@
+auth optional pam_exec.so debug expose_authtok log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec
+account required pam_exec.so debug log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec
diff --git a/tests/run.sh b/tests/run.sh
new file mode 100755
index 0000000..0239907
--- /dev/null
+++ b/tests/run.sh
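Review bot: `chmod a+x /var/log/httpd` in tests/config.sh makes the whole httpd log directory searchable by every account in the container, and nothing in the script records why that is needed. Presumably it is so that pam-exec, run by pam_exec.so inside the httpd worker, can open /var/log/httpd/pam_exec.log named in the `log=` option of tests/pam-web; a comment such as `# pam_exec runs as apache and must be able to reach pam_exec.log below` would make the intent clear, and keeping the log in a directory created for this test (rather than loosening /var/log/httpd) would avoid the wider change. Note also that with `set -x` on, `htpasswd -bc /etc/htpasswd alice Tajnost` prints the fixture password into the image build log; acceptable for a throwaway test image, but worth a one-line comment saying so.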
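Review bot: tests/pam-exec builds `PAM_FILE="/etc/pam-auth/$PAM_USER"` from the user name without any validation, so a name containing `/` or `..` makes the path resolve outside /etc/pam-auth, and in the `account` branch the mere existence of whatever file it resolves to is enough for `exit 0`. The same script also leaves `$PAM_FILE` and `$PAM_TYPE` unquoted in `[ ]` and in the `<` redirect, uses `read` without `-r`, and writes both the supplied and the expected password to stderr in the mismatch message, which the `log=` option in tests/pam-web appears to capture into pam_exec.log. A name guard, quoting, `read -r`, and a password-free message address all four without changing the exit codes run.sh relies on.
```shell
if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
    # PAM_USER is the Basic-auth user name supplied by the client; refuse
    # anything that could make PAM_FILE resolve outside /etc/pam-auth
    case "$PAM_USER" in
        ''|*/*|.|..) echo "Refusing user name [$PAM_USER]" >&2; exit 2 ;;
    esac
    PAM_FILE="/etc/pam-auth/$PAM_USER"
    if ! [ -f "$PAM_FILE" ] ; then
        # … unchanged: missing-file message and exit 2 …
    fi
    if [ "$PAM_TYPE" == 'account' ] ; then
        # … unchanged: account ok and exit 0 …
    fi

    # For auth, we compare the passwords
    read -r PASSWORD
    read -r CHECK_PASSWORD < "$PAM_FILE"
    if [ "$PASSWORD" == "$CHECK_PASSWORD" ] ; then
        # … unchanged: auth ok and exit 0 …
    fi
    # Keep both passwords out of the pam_exec log
    echo "Provided password for [$PAM_USER] does not match expected" >&2
    exit 3
fi
```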
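Review bot: In tests/pam-web the `auth` line is `optional` while the `account` line is `required`. Because pam_exec.so is the only module on the auth stack of service `web`, its result still decides the outcome and the 401 checks in run.sh pass today, but any module added to that stack later would turn a password mismatch reported by pam-exec into a non-fatal result without any test noticing. `auth required pam_exec.so debug expose_authtok log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec` keeps the two lines consistent and makes the intent explicit.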
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+set -x
+
+echo "Testing Require pam-account"
+curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
+curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
+touch /etc/pam-auth/alice
+curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
+
+echo "Testing AuthBasicProvider PAM"
+curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+touch /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+echo Secret > /etc/pam-auth/bob
+curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
+echo Secret2 > /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
-- cgit
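Review bot: Every negative check in tests/run.sh ends in `grep 401`, which matches the digits anywhere in the dumped headers (a Content-Length, ETag or Date field could contain them), so an unexpected 200 with the wrong header values would still pass. Anchoring the match to the status line, `grep '^HTTP/[0-9.]* 401'`, or asking curl for the code directly with `-o /dev/null -w '%{http_code}'` and comparing against `401`, makes each assertion test what the comment above it claims. With `set -e` but no `set -o pipefail`, a failed curl is only caught because grep then finds nothing; adding `set -o pipefail` next to `set -e` would make that failure mode explicit.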