authorSumit Bose <sbose@redhat.com>2016-10-20 18:40:01 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-11-02 11:30:20 +0100
commitce43f710c9638fbbeae077559cd7514370a10c0c (patch)
tree05864e3aa032e64c376de3acd48d62085a094c2f /src/tests
parentc8fe1d922b254aa92e74f428135ada3c8bde87a1 (diff)
PAM: add pam_response_filter option
Currently the main use-case for this new option is to not set the KRB5CCNAME environment variable for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/cmocka/test_pam_srv.c149
1 files changed, 142 insertions, 7 deletions
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 41d177233..3b8327eb3 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -1766,9 +1766,11 @@ void test_filter_response(void **state)
struct pam_data *pd;
uint8_t offline_auth_data[(sizeof(uint32_t) + sizeof(int64_t))];
uint32_t info_type;
+ char *env;
struct sss_test_conf_param pam_params[] = {
{ CONFDB_PAM_VERBOSITY, "1" },
+ { CONFDB_PAM_RESPONSE_FILTER, NULL },
{ NULL, NULL }, /* Sentinel */
};
@@ -1778,6 +1780,15 @@ void test_filter_response(void **state)
pd = talloc_zero(pam_test_ctx, struct pam_data);
assert_non_null(pd);
+ pd->service = discard_const("MyService");
+
+ env = talloc_asprintf(pd, "%s=%s", "MyEnv", "abcdef");
+ assert_non_null(env);
+
+ ret = pam_add_response(pd, SSS_PAM_ENV_ITEM,
+ strlen(env) + 1, (uint8_t *) env);
+ assert_int_equal(ret, EOK);
+
info_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
memset(offline_auth_data, 0, sizeof(offline_auth_data));
memcpy(offline_auth_data, &info_type, sizeof(uint32_t));
@@ -1785,27 +1796,151 @@ void test_filter_response(void **state)
sizeof(offline_auth_data), offline_auth_data);
assert_int_equal(ret, EOK);
- ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list);
+ /* pd->resp_list points to the SSS_PAM_USER_INFO and pd->resp_list->next
+ * to the SSS_PAM_ENV_ITEM message. */
+
+
+ /* Test CONFDB_PAM_VERBOSITY option */
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
assert_int_equal(ret, EOK);
assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ /* SSS_PAM_USER_INFO_OFFLINE_AUTH message will only be shown with
+ * pam_verbosity 2 or above if cache password never expires. */
+ pam_params[0].value = "2";
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_false(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
pam_params[0].value = "0";
ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
assert_int_equal(ret, EOK);
- ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list);
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
assert_int_equal(ret, EOK);
assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
- /* SSS_PAM_USER_INFO_OFFLINE_AUTH message will only be shown with
- * pam_verbosity 2 or above if cache password never expires. */
- pam_params[0].value = "2";
+ /* Test CONFDB_PAM_RESPONSE_FILTER option */
+ pam_params[1].value = "NoSuchOption";
ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
assert_int_equal(ret, EOK);
- ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list);
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
assert_int_equal(ret, EOK);
- assert_false(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV"; /* filter all environment variables */
+ /* for all services */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:"; /* filter all environment variables */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV::"; /* filter all environment variables */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:abc:"; /* variable name does not match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:abc:MyService"; /* variable name does not match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV::abc"; /* service name does not match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ /* service name does not match */
+ pam_params[1].value = "ENV:MyEnv:abc";
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:MyEnv"; /* match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:MyEnv:"; /* match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:MyEnv:MyService"; /* match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ /* multiple rules with a match */
+ pam_params[1].value = "ENV:abc:def, "
+ "ENV:MyEnv:MyService, "
+ "ENV:stu:xyz";
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ talloc_free(pd);
}
int main(int argc, const char *argv[])
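Review bot: The "NoSuchOption" case (`pam_params[1].value = "NoSuchOption";` followed by `assert_int_equal(ret, EOK)` and `assert_false(pd->resp_list->next->do_not_send_to_client)`) pins a fail-open contract — an unrecognised filter rule is accepted and leaves the ENV item unfiltered — but nothing in the test says that this is intended rather than incidental, so a later change to reject or log malformed rules would break the test without the reader knowing which behaviour is the contract. I would state it explicitly above that block: `/* An unknown rule type is ignored: filter_responses() must still succeed and must not filter anything, so a typo in pam_response_filter leaves the default (unfiltered) behaviour. */`. The same applies to the `"ENV:"`/`"ENV::"` cases, where the comment `/* filter all environment variables */` could add that an empty variable or service field means "any", since that is what the asserts actually check. A smaller wording fix: the two-line comment at `pam_params[1].value = "ENV";` reads `/* filter all environment variables */` `/* for all services */` and is clearer as one comment. test_filter_response() starts before the first hunk, so its remaining setup is outside this view.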