From a9b23ffac32c9ac3b4fac1f60658d3b08b0c93e3 Mon Sep 17 00:00:00 2001
From: Jake Chen
Date: Thu, 18 Jun 2020 13:05:28 +0800
Subject: Harden the test, show that auth is not enough and that account is run.

---
 tests/config.sh | 1 +
 tests/pam-exec | 20 +++++++++++++-------
 tests/run.sh | 4 +++-
 3 files changed, 17 insertions(+), 8 deletions(-)

(limited to 'tests')

diff --git a/tests/config.sh b/tests/config.sh
index 6a16991..2dd1323 100755
--- a/tests/config.sh
+++ b/tests/config.sh
@@ -5,6 +5,7 @@ set -x
 sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
 mkdir -p /etc/pam-auth
+mkdir -p /etc/pam-account
 cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
 cp -p tests/pam-exec /usr/bin/pam-exec
 cp tests/pam-web /etc/pam.d/web
diff --git a/tests/pam-exec b/tests/pam-exec
index 775ae49..81b3d12 100755
--- a/tests/pam-exec
+++ b/tests/pam-exec
@@ -2,18 +2,12 @@
 echo "$0: $PAM_TYPE $PAM_USER"
-if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
+if [ "$PAM_TYPE" == 'auth' ] ; then
 PAM_FILE="/etc/pam-auth/$PAM_USER"
 if ! [ -f $PAM_FILE ] ; then
 echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
 exit 2
 fi
- if [ $PAM_TYPE == 'account' ] ; then
- # For account check, existing file is enough to allow access
- echo "$0: account [$PAM_USER] ok"
- exit 0
- fi
- # For auth, we compare the passwords
 read PASSWORD
 read CHECK_PASSWORD < $PAM_FILE
@@ -24,5 +18,17 @@ if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
 echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
 exit 3
 fi
+
+if [ "$PAM_TYPE" == 'account' ] ; then
+ PAM_FILE="/etc/pam-account/$PAM_USER"
+ if ! [ -f $PAM_FILE ] ; then
+ echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
+ exit 2
+ fi
+ # For account check, existing file is enough to allow access
+ echo "$0: account [$PAM_USER] ok"
+ exit 0
+fi
+
 echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
 exit 4
diff --git a/tests/run.sh b/tests/run.sh
index a1cbbab..5a2e291 100755
--- a/tests/run.sh
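Review bot: The restructured auth branch still builds `PAM_FILE="/etc/pam-auth/$PAM_USER"` from an unvalidated username, so a PAM_USER containing `/` (for example `../../tmp/x`) makes the `-f` test and the `read CHECK_PASSWORD < $PAM_FILE` line operate on a file outside /etc/pam-auth. If PAM_USER is the HTTP Basic username, as the `curl -u` calls in run.sh suggest, that value is attacker-controlled, and nothing in this hunk or the next rejects it. A guard placed before the new `if [ "$PAM_TYPE" == 'auth' ]` covers both branches: `case "$PAM_USER" in ''|*/*|.*) echo "Bad PAM_USER [$PAM_USER]" >&2; exit 2;; esac`. Note that this `if` is only closed by the `fi` in the following hunk, and the password comparison between the two hunks is not visible here.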
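Review bot: In the new account block `if ! [ -f $PAM_FILE ] ; then` leaves `$PAM_FILE` unquoted, so a username such as `*` is glob-expanded and, when exactly one file exists under /etc/pam-account, the test succeeds and the script prints `account [*] ok` for a user that has no account file; a username with whitespace instead makes `[` fail and the branch exits 2, so it fails closed only by accident. Since the account stage's whole decision is this existence check, it should be `if ! [ -f "$PAM_FILE" ] ; then`. The same quoting applies to the identical check in the auth branch above, which this hunk duplicates rather than factoring into a small helper.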
+++ b/tests/run.sh
@@ -16,7 +16,7 @@ rm -f /etc/pam-auth/*
 echo "Testing Require pam-account"
 curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
 curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
-touch /etc/pam-auth/alice
+touch /etc/pam-account/alice
 curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
 echo "Testing AuthBasicProvider PAM"
@@ -25,6 +25,8 @@ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /
 touch /etc/pam-auth/bob
 curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
 echo Secret > /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+touch /etc/pam-account/bob
 curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
 echo Secret2 > /etc/pam-auth/bob
 curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
-- cgit
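Review bot: `touch /etc/pam-account/alice` creates state that nothing in this hunk removes, and the hunk header shows the script resetting only `/etc/pam-auth/*` before this section. If that `rm -f` is the script's only reset (the lines above 16 are outside this hunk), account files survive a second run on the same host and the `grep 401` checks that depend on a missing account file no longer prove anything. Add `rm -f /etc/pam-account/*` next to `rm -f /etc/pam-auth/*`, or `rm -f /etc/pam-account/alice` at the end of this section, so each run starts from the state the assertions assume.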
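Review bot: The added `curl ... | grep 401` is the assertion the commit message is about, but it reads exactly like the line two above it and only differs in the state it runs under, so a reader cannot tell which failure mode it pins. A comment on the new line, `# password is now correct but /etc/pam-account/bob is absent: the account stage must still deny`, followed by `# account file present: both stages pass` on the `touch`, would make the intent explicit. The assertion also presumes /etc/pam-account/bob does not exist at this point, which I could not confirm from the visible lines.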