-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 70 | ||||
-rw-r--r-- | src/tests/cmocka/test_pam_srv.c | 110 |
2 files changed, 141 insertions, 39 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 080cfafa7..49a05657e 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -1414,7 +1414,7 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) struct cache_req_result **results; struct pam_auth_req *preq = tevent_req_callback_data(req, struct pam_auth_req); - const char *cert_user; + const char *cert_user = NULL; ret = cache_req_recv(preq, req, &results); talloc_zfree(req); 
@@ -1439,35 +1439,55 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) goto done; } - if (preq->cert_user_objs->count != 1) { - DEBUG(SSSDBG_CRIT_FAILURE, - "More than one user mapped to certificate.\n"); - /* TODO: send pam response to ask for a user name */ - ret = ERR_NO_CREDS; - goto done; - } - cert_user = ldb_msg_find_attr_as_string( + if (preq->cert_user_objs->count == 1) { + cert_user = ldb_msg_find_attr_as_string( preq->cert_user_objs->msgs[0], SYSDB_NAME, NULL); - if (cert_user == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Certificate user object has not name.\n"); - ret = ENOENT; - goto done; + if (cert_user == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Certificate user object has not name.\n"); + ret = ENOENT; + goto done; + } + + DEBUG(SSSDBG_FUNC_DATA, + "Found certificate user [%s].\n", cert_user); + + ret = sss_parse_name_for_domains(preq->pd, + preq->cctx->rctx->domains, + preq->cctx->rctx->default_domain, + cert_user, + &preq->pd->domain, + &preq->pd->user); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_parse_name_for_domains failed.\n"); + goto done; + } } - DEBUG(SSSDBG_FUNC_DATA, "Found certificate user [%s].\n", - cert_user); + if (preq->cctx->rctx->domains->user_name_hint) { + ret = add_pam_cert_response(preq->pd, cert_user, + preq->token_name, + preq->module_name, + preq->key_id, + SSS_PAM_CERT_INFO_WITH_HINT); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n"); + preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL; + } + ret = EOK; + preq->pd->pam_status = PAM_SUCCESS; + pam_reply(preq); + goto done; + } - ret = sss_parse_name_for_domains(preq->pd, - preq->cctx->rctx->domains, - preq->cctx->rctx->default_domain, - cert_user, - &preq->pd->domain, - &preq->pd->user); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sss_parse_name_for_domains failed.\n"); + /* Without user name hints the certificate must map to single user + * if no login name was given */ + if (cert_user == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, + "More than one user mapped to certificate.\n"); + ret = ERR_NO_CREDS; goto done; } diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index 35afbdd81..0f92f0541 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -747,7 +747,8 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body, return EOK; } -static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen) +static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen, + enum response_type type, const char *name) { size_t rp = 0; uint32_t val; 
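Review bot: In the new `user_name_hint` branch the unconditional `preq->pd->pam_status = PAM_SUCCESS;` after the `if (ret != EOK)` block overwrites the `PAM_AUTHINFO_UNAVAIL` set on the failure path, so a failed `add_pam_cert_response` still produces a PAM_SUCCESS pre-auth reply that carries no certificate info. Keep the failure status by making the success assignment the else branch: `} else { preq->pd->pam_status = PAM_SUCCESS; }` and leave `ret = EOK;` before `pam_reply(preq);` so the reply is still sent either way. Two further things a reader cannot verify from this hunk: `cert_user` is passed to `add_pam_cert_response` as NULL whenever `count != 1`, which relies on that helper tolerating a NULL name, and the hint flag is read from `preq->cctx->rctx->domains`, the head of the domain list, rather than from the `preq->pd->domain` that `sss_parse_name_for_domains` just resolved, which presumably picks the wrong domain's setting if the option is per-domain. Both deserve a comment at the call site, e.g. `/* cert_user is NULL when the certificate maps to 0 or >1 users; the hint response then carries an empty name */`. `pam_forwarder_lookup_by_cert_done` begins and ends outside this hunk.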
@@ -758,30 +759,34 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen) assert_int_equal(val, pam_test_ctx->exp_pam_status); SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); - assert_int_equal(val, 2); + if (name == NULL || *name == '\0') { + assert_int_equal(val, 1); + } else { + assert_int_equal(val, 2); - SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); - assert_int_equal(val, SSS_PAM_DOMAIN_NAME); + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, SSS_PAM_DOMAIN_NAME); - SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); - assert_int_equal(val, 9); + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, 9); - assert_int_equal(*(body + rp + val - 1), 0); - assert_string_equal(body + rp, TEST_DOM_NAME); - rp += val; + assert_int_equal(*(body + rp + val - 1), 0); + assert_string_equal(body + rp, TEST_DOM_NAME); + rp += val; + } SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); - assert_int_equal(val, SSS_PAM_CERT_INFO); + assert_int_equal(val, type); SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); - assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + assert_int_equal(val, (strlen(name) + 1 + sizeof(TEST_TOKEN_NAME) + sizeof(TEST_MODULE_NAME) + sizeof(TEST_KEY_ID))); - assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0); - assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME); - rp += sizeof("pamuser@"TEST_DOM_NAME); + assert_int_equal(*(body + rp + strlen(name)), 0); + assert_string_equal(body + rp, name); + rp += strlen(name) + 1; assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0); assert_string_equal(body + rp, TEST_TOKEN_NAME); 
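Review bot: The new length assertion calls `strlen(name)` (and the later `strlen(name) + 1` advance) although the branch just above explicitly accepts `name == NULL`, so a NULL caller would pass the first check and then hit undefined behaviour in `strlen`. The three wrappers added in this commit only pass string literals, but the check advertises NULL as valid; normalise it once at the top of the function, `if (name == NULL) { name = ""; }`, and then the first branch can simply test `*name == '\0'`. `test_pam_cert_check_ex` starts in the previous hunk and its tail (token, module and key-id checks) runs past this one.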
@@ -800,6 +805,27 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen) return EOK; } +static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen) +{ + return test_pam_cert_check_ex(status, body, blen, + SSS_PAM_CERT_INFO, "pamuser@"TEST_DOM_NAME); +} + +static int test_pam_cert_check_with_hint(uint32_t status, uint8_t *body, + size_t blen) +{ + return test_pam_cert_check_ex(status, body, blen, + SSS_PAM_CERT_INFO_WITH_HINT, + "pamuser@"TEST_DOM_NAME); +} + +static int test_pam_cert_check_with_hint_no_user(uint32_t status, uint8_t *body, + size_t blen) +{ + return test_pam_cert_check_ex(status, body, blen, + SSS_PAM_CERT_INFO_WITH_HINT, ""); +} + static int test_pam_offline_chauthtok_check(uint32_t status, uint8_t *body, size_t blen) { @@ -1895,6 +1921,33 @@ void test_pam_preauth_cert_no_logon_name(void **state) assert_int_equal(ret, EOK); } +void test_pam_preauth_cert_no_logon_name_with_hint(void **state) +{ + int ret; + + set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); + pam_test_ctx->rctx->domains->user_name_hint = true; + + /* If no logon name is given the user is looked by certificate first. + * Since user name hint is enabled we do not have to search the user + * during pre-auth and there is no need for an extra mocked response as in + * test_pam_preauth_cert_no_logon_name. */ + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, + test_lookup_by_cert_cb, TEST_TOKEN_CERT, false); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_pam_cert_check_with_hint); + ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, + pam_test_ctx->pam_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(pam_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + void test_pam_preauth_cert_no_logon_name_double_cert(void **state) { int ret; 
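Review bot: `test_pam_preauth_cert_no_logon_name_with_hint` flips `pam_test_ctx->rctx->domains->user_name_hint = true` on shared responder state and never resets it; whether that leaks into the following cmocka cases depends on `pam_test_teardown` rebuilding `rctx`, which is not visible here. Since the `set_cert_auth_param` line already follows that per-test pattern, resetting the flag at the end of the test, `pam_test_ctx->rctx->domains->user_name_hint = false;`, keeps the case self-contained regardless of what teardown does. The comment above `mock_input_pam_cert` is useful; consider also stating the expected reply shape, e.g. `/* Expect SSS_PAM_CERT_INFO_WITH_HINT carrying the resolved user name */`, so the link to `test_pam_cert_check_with_hint` is explicit.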
@@ -1917,6 +1970,29 @@ void test_pam_preauth_cert_no_logon_name_double_cert(void **state) assert_int_equal(ret, EOK); } +void test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state) +{ + int ret; + + set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); + pam_test_ctx->rctx->domains->user_name_hint = true; + + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, + test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_pam_cert_check_with_hint_no_user); + ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, + pam_test_ctx->pam_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(pam_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + void test_pam_preauth_no_cert_no_logon_name(void **state) { int ret; @@ -2426,8 +2502,14 @@ int main(int argc, const char *argv[]) cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name, pam_test_setup, pam_test_teardown), cmocka_unit_test_setup_teardown( + test_pam_preauth_cert_no_logon_name_with_hint, + pam_test_setup, pam_test_teardown), + cmocka_unit_test_setup_teardown( test_pam_preauth_cert_no_logon_name_double_cert, pam_test_setup, pam_test_teardown), + cmocka_unit_test_setup_teardown( + test_pam_preauth_cert_no_logon_name_double_cert_with_hint, + pam_test_setup, pam_test_teardown), cmocka_unit_test_setup_teardown(test_pam_preauth_no_cert_no_logon_name, pam_test_setup, pam_test_teardown), cmocka_unit_test_setup_teardown( |
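Review bot: `test_pam_preauth_cert_no_logon_name_double_cert_with_hint` pins a behaviour that is security-relevant and not obvious from the test body: with user name hints enabled, a certificate that maps to more than one user no longer fails pre-auth but yields a hint response with an empty user name, leaving the caller to supply a login name. Unlike its sibling added in the same commit it has no comment saying so; add one above `mock_input_pam_cert`, e.g. `/* Two users map to the certificate. With user name hints enabled pre-auth must not fail but reply with an empty name so the client asks for the login name. */`. A note that `test_lookup_by_cert_double_cb` is what produces the two-user result would also help, since that callback is defined outside this hunk.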