authorFabiano Fidêncio <fidencio@redhat.com>2017-02-06 11:05:16 +0100
committerJakub Hrozek <jhrozek@redhat.com>2017-03-03 13:55:13 +0100
commit5aaaf081765b3f23e1518b5f299c289afb9d3f13 (patch)
tree05309c77ef4746fc53430d1de628286527b8839c
parented891c0c55985cd25de05f65e82debf4452987e1 (diff)
TESTS: Adapt pam-srv-tests to deal with cache_req related changes
Similar to what happened for nss-srv-tests, there were a few kinds of changes required to fix the test breakage caused by the last commit. 1) For tests including no user, no changes were required. 2) As we call an equivalent to the "get by name" command, a name is parsed with sss_parse_inp and the returned value is now mocked. 3) For the "cache_auth_success*" tests we set pam_test_ctx->tctx->done to false after adding the password to the cache, since the code now contains tevent calls and without it only the first request proceeds into tevent_loop in test_ev_loop(), as the first finished request sets done to true. 4) As the user certificate is added as a result of calling sss_dp_account_recv and the certificate value is read by the certificate lookup, we have to, in case a certificate lookup callback is set, call mock_account_recv() for the certificate before going through the mock_account_recv() for the initgroup. 5) If no logon name is given, then the user is looked up by certificate first. Since there's a matching user, the upcoming lookup by name will find the user entry. However, since the looked up data is up to date the dp response has to be mocked and the second argument of mock_input_pam_cert() cannot be NULL but must match the user name. 6) Add a new attribute to mock_input_pam_cert() that represents whether the backend is contacted only once. It's needed because in test_pam_cert_auth() the backend is contacted first to check whether it can handle smartcard authentication, but before that there's a lookup. Since the first mocked reply already adds the certificate to the user entry, the lookup by certificate will already find the user in the cache and no second lookup is needed. Co-Author: Pavel Březina <pbrezina@redhat.com> Co-Author: Sumit Bose <sbose@redhat.com> Resolves: https://fedorahosted.org/sssd/ticket/1126 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/tests/cmocka/test_pam_srv.c76
1 files changed, 53 insertions, 23 deletions
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index cbc1d0367..958599a42 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -557,16 +557,22 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name,
will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
will_return(__wrap_sss_packet_get_body, buf);
will_return(__wrap_sss_packet_get_body, buf_size);
+
+ mock_parse_inp(name, NULL, EOK);
+ mock_account_recv_simple();
}
static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
- const char *pin, const char *service)
+ const char *pin, const char *service,
+ acct_cb_t acct_cb, const char *cert,
+ bool only_one_provider_call)
{
size_t buf_size;
uint8_t *m_buf;
uint8_t *buf;
struct pam_items pi = { 0 };
int ret;
+ bool already_mocked = false;
if (name != NULL) {
pi.pam_user = name;
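Review bot: The three parameters added to mock_input_pam_cert() (`acct_cb`, `cert`, `only_one_provider_call`) have no comment at the definition, and how they interact is explained only at two call sites. Going by the second hunk of this function, `cert` is used only when `acct_cb` is non-NULL, and `only_one_provider_call` has an effect only when both `acct_cb` and `name` are set. A short header comment would make that contract visible, e.g. `/* If acct_cb is set, a backend reply for the certificate lookup (carrying cert) is queued first; only_one_provider_call then suppresses the by-name backend reply. */`. The function body continues outside this hunk.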
@@ -603,6 +609,18 @@ static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
will_return(__wrap_sss_packet_get_body, buf);
will_return(__wrap_sss_packet_get_body, buf_size);
+
+ if (acct_cb != NULL) {
+ mock_account_recv(0, 0, NULL, acct_cb, discard_const(cert));
+ already_mocked = true;
+ }
+
+ if (name != NULL) {
+ mock_parse_inp(name, NULL, EOK);
+ if (!(only_one_provider_call && already_mocked)) {
+ mock_account_recv_simple();
+ }
+ }
}
static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
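Review bot: `already_mocked` only mirrors `acct_cb != NULL`, so the extra local and the double negation in `if (!(only_one_provider_call && already_mocked))` make the queued-expectation logic harder to follow than it needs to be. `if (acct_cb == NULL || !only_one_provider_call) {` expresses the same condition directly and lets the `already_mocked` declaration from the previous hunk go. As written, `only_one_provider_call == true` with a NULL `acct_cb` is silently ignored and the by-name reply is still queued; if that combination is never intended, a one-line comment saying so would help the next test author. The start of mock_input_pam_cert() is outside this hunk.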
@@ -1051,6 +1069,8 @@ void test_pam_cached_auth_success(void **state)
/* Reset before next call */
pam_test_ctx->provider_contacted = false;
+ pam_test_ctx->tctx->done = false;
+
common_test_pam_cached_auth("12345");
/* Back end should not be contacted */
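Review bot: The reason `pam_test_ctx->tctx->done` has to be cleared is given only in the commit message; the existing `/* Reset before next call */` comment does not say it. According to the commit message, the first finished request leaves `done` set and the second request would then not proceed into the event loop in test_ev_loop(). I would extend the comment, e.g. `/* Reset before next call; done is still true from the first request, so test_ev_loop() would not wait for the second one */`. The same applies to the identical reset in test_pam_cached_auth_success_combined_pw_with_cached_2fa; both test bodies extend beyond their hunks.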
@@ -1137,6 +1157,8 @@ void test_pam_cached_auth_success_combined_pw_with_cached_2fa(void **state)
/* Reset before next call */
pam_test_ctx->provider_contacted = false;
+ pam_test_ctx->tctx->done = false;
+
common_test_pam_cached_auth("12345678");
assert_false(pam_test_ctx->provider_contacted);
@@ -1519,7 +1541,7 @@ void test_pam_preauth_no_logon_name(void **state)
{
int ret;
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1546,7 +1568,7 @@ void test_pam_preauth_cert_nocert(void **state)
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1625,11 +1647,11 @@ void test_pam_preauth_cert_nomatch(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL,
+ test_lookup_by_cert_cb, NULL, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, NULL);
set_cmd_cb(test_pam_simple_check);
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
@@ -1647,12 +1669,11 @@ void test_pam_preauth_cert_match(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL,
+ test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
- discard_const(TEST_TOKEN_CERT));
set_cmd_cb(test_pam_cert_check);
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
@@ -1671,12 +1692,11 @@ void test_pam_preauth_cert_match_gdm_smartcard(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, "gdm-smartcard");
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, "gdm-smartcard",
+ test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
- discard_const(TEST_TOKEN_CERT));
set_cmd_cb(test_pam_cert_check_gdm_smartcard);
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
@@ -1694,12 +1714,12 @@ void test_pam_preauth_cert_match_wrong_user(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL,
+ test_lookup_by_cert_wrong_user_cb,
+ TEST_TOKEN_CERT, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- mock_account_recv(0, 0, NULL, test_lookup_by_cert_wrong_user_cb,
- discard_const(TEST_TOKEN_CERT));
set_cmd_cb(test_pam_simple_check);
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
@@ -1718,12 +1738,17 @@ void test_pam_preauth_cert_no_logon_name(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
+ /* If no logon name is given the user is looked by certificate first.
+ * Since there is a matching user the upcoming lookup by name will find
+ * the user entry. But since we force the lookup by name to go to the
+ * backend to make sure the group-membership data is up to date the
+ * backend response has to be mocked twice and the second argument of
+ * mock_input_pam_cert cannot be NULL but must match the user name. */
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL,
+ test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
- discard_const(TEST_TOKEN_CERT));
set_cmd_cb(test_pam_cert_check);
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
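Review bot: Passing "pamuser" as `name` here also appears to put the logon name into the request, because the first hunk shows `if (name != NULL) { pi.pam_user = name;` in mock_input_pam_cert(). If so, test_pam_preauth_cert_no_logon_name no longer sends a request without a user name, and the certificate-only lookup used for Smartcard login loses its positive test. The packing code is outside the visible hunks, so this is inferred from those two lines. One option is to keep `name` NULL in the helper call and queue the by-name expectations in the test itself, `mock_parse_inp("pamuser", NULL, EOK);` followed by `mock_account_recv_simple();`, so the packet still carries no logon name. The test body continues outside this hunk.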
@@ -1741,7 +1766,7 @@ void test_pam_preauth_no_cert_no_logon_name(void **state)
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1762,11 +1787,11 @@ void test_pam_preauth_cert_no_logon_name_no_match(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, NULL, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, NULL);
set_cmd_cb(test_pam_user_unknown_check);
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
@@ -1784,12 +1809,17 @@ void test_pam_cert_auth(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL);
+ /* Here the last option must be set to true because the backend is only
+ * connected once. During authentication the backend is connected first to
+ * see if it can handle Smartcard authentication, but before that the user
+ * is looked up. Since the first mocked reply already adds the certificate
+ * to the user entry the lookup by certificate will already find the user
+ * in the cache and no second request to the backend is needed. */
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL,
+ test_lookup_by_cert_cb, TEST_TOKEN_CERT, true);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
- discard_const(TEST_TOKEN_CERT));
/* Assume backend cannot handle Smartcard credentials */
pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;