authorSumit Bose <sbose@redhat.com>2017-02-16 13:20:20 +0100
committerLukas Slebodnik <lslebodn@redhat.com>2017-03-10 22:20:14 +0100
commit16c9d63d96ce8dc7517ae16502e9ec72d6a58d6c (patch)
tree76a01403c86b429d7e67da66e896cf1d86af59d3 /src/tests
parentef55b0e470a8fbcf6e6d0a55883145e02a907842 (diff)
PAM: allow muliple users mapped to a certificate
Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/cmocka/test_pam_srv.c84
1 files changed, 84 insertions, 0 deletions
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 958599a42..ae2e555f7 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -1612,6 +1612,38 @@ static int test_lookup_by_cert_cb(void *pvt)
return EOK;
}
+static int test_lookup_by_cert_double_cb(void *pvt)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ unsigned char *der = NULL;
+ size_t der_size;
+
+ if (pvt != NULL) {
+
+ ret = test_lookup_by_cert_cb(pvt);
+ assert_int_equal(ret, EOK);
+
+ attrs = sysdb_new_attrs(pam_test_ctx);
+ assert_non_null(attrs);
+
+ der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
+ assert_non_null(der);
+
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+ talloc_free(der);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
+ pam_test_ctx->wrong_user_fqdn,
+ attrs,
+ LDB_FLAG_MOD_ADD);
+ assert_int_equal(ret, EOK);
+ }
+
+ return EOK;
+}
+
static int test_lookup_by_cert_wrong_user_cb(void *pvt)
{
int ret;
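Review bot: When `pvt` is NULL, `test_lookup_by_cert_double_cb` returns EOK without storing the certificate on `wrong_user_fqdn`, so a test wired to this callback without a certificate would pass without ever creating the two-user mapping the callback is named for. Both callers added in this commit pass `TEST_TOKEN_CERT`, so the NULL branch looks unused here. If it is not meant to be supported, `assert_non_null(pvt);` at the top of the function makes misuse fail loudly. Either way the function deserves a header comment, for example `/* Map the same certificate to a second user (wrong_user_fqdn) so that a lookup by certificate returns two entries */`.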
@@ -1760,6 +1792,28 @@ void test_pam_preauth_cert_no_logon_name(void **state)
assert_int_equal(ret, EOK);
}
+void test_pam_preauth_cert_no_logon_name_double_cert(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL,
+ test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_creds_insufficient_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
void test_pam_preauth_no_cert_no_logon_name(void **state)
{
int ret;
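Review bot: `test_pam_preauth_cert_no_logon_name_double_cert` does not state the outcome it pins, which is the security-relevant part of this change. The check callback is `test_pam_creds_insufficient_check`, which suggests that a preauth request with no logon name and a certificate mapped to two users must fail closed rather than pick one of them, but that callback's body is outside the hunk and this cannot be confirmed from here. A comment above the `set_cmd_cb` call would record it, for example `/* Certificate maps to two users and no logon name was given: the responder must not select either user */`. It is also worth confirming that the check callback verifies the reply carries no certificate-derived user name, not only the status code.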
@@ -1835,6 +1889,31 @@ void test_pam_cert_auth(void **state)
assert_int_equal(ret, EOK);
}
+void test_pam_cert_auth_double_cert(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL,
+ test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, true);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
void test_filter_response(void **state)
{
int ret;
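Review bot: `test_pam_cert_auth_double_cert` is registered with `pam_test_setup` in the last hunk, while `test_pam_cert_auth`, which it appears to be modelled on, is registered with `pam_test_setup_no_verification`. If running with certificate verification enabled is intentional, a comment at the registration should say so; otherwise the two tests differ in more than the double mapping. Separately, the body only expects `PAM_BAD_ITEM` through `test_pam_simple_check_success`, so from the hunk it is not evident that the request was resolved to `pamuser` and not to the second user carrying the same certificate. A short comment such as `/* Logon name given: the certificate is mapped to two users but only "pamuser" may be authenticated */` would make the intended guarantee explicit.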
@@ -2118,6 +2197,9 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_preauth_cert_no_logon_name_double_cert,
+ pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_preauth_no_cert_no_logon_name,
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(
@@ -2128,6 +2210,8 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_pam_cert_auth,
pam_test_setup_no_verification,
pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_double_cert,
+ pam_test_setup, pam_test_teardown),
#endif /* HAVE_NSS */
cmocka_unit_test_setup_teardown(test_filter_response,