blob: 3b24f9b8453dc46b20cc00d18d8c365f5dec93d3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
#!/bin/bash
set -e
set -x
echo "Wait for the HTTP server to start ..."
for i in $( seq 1 10 ) ; do
if curl -s -o /dev/null http://localhost/ ; then
break
fi
sleep 3
done
cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
function next_log () { set +x
tail -c +$(( $( stat -c%s /var/log/httpd/pam_exec.log.old ) + 1 )) /var/log/httpd/pam_exec.log | sed 's/^/:: /'
# echo '###' >> /var/log/httpd/pam_exec.log
cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
set -x
}
rm -f /etc/pam-auth/*
echo "Testing Require pam-account"
curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
touch /etc/pam-account/alice
curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
echo "Testing AuthBasicProvider PAM"
curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
touch /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
echo Secret > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
next_log > /dev/null
touch /etc/pam-account/bob
curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
next_log | grep 'account .bob. ok' | wc -l | grep '^1$'
curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authnp2 | tee /dev/stderr | grep 401
next_log | grep -E 'account .bob. ok|No ./etc/pam-account2/bob' | uniq | wc -l | grep '^2$'
touch /etc/pam-account2/bob
curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
curl -u userx:heslox -s http://localhost/authnp3 | tee /dev/stderr | grep 401
curl -u user1:heslox -s http://localhost/authnp3 | tee /dev/stderr | grep 401
curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 'User user1'
curl -u user1:heslo1 -s http://localhost/authnp4 | tee /dev/stderr | grep 'User user1'
chage -d $(date -d -2days +%Y-%m-%d) -M 1 user1
curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 401
curl -i -u user1:heslo1 -s 'http://localhost/authnp4?id=123&data=M%26M' | tee /dev/stderr | grep -F -e 'Location: http://localhost/fix-password?return=http%3a%2f%2flocalhost%2fauthnp4%3fid%3d123%26data%3dM%2526M&percent=%25&user=user1' -e 'HTTP/1.1 303 See Other' | wc -l | grep 2
curl -i -u user1:heslo1 -s 'http://localhost/authnp5?data=křížala' | tee /dev/stderr | grep -F -e 'Location: http://localhost/login?realm=ježek&return=http%3a%2f%2flocalhost%2fauthnp5%3fdata%3dk%c5%99%c3%ad%c5%beala' -e 'HTTP/1.1 307 Temporary Redirect' | wc -l | grep 2
chage -d $(date -d -2days +%Y-%m-%d) -M 3 user1
curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 'User user1'
curl -u user1:heslo1 -s http://localhost/authnp4 | tee /dev/stderr | grep 'User user1'
if rpm -ql httpd | grep mod_authn_socache ; then
echo "Testing AuthBasicProvider socache PAM + AuthnCacheProvideFor PAM"
rm /etc/pam-account/bob
curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
echo Secret > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
# rerun the same request, verify that passing auth did not store password into cache
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
touch /etc/pam-account/bob
curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
sleep 11
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
fi
echo OK $0.
|
