summaryrefslogtreecommitdiffstats
path: root/src/tests/cmocka/test_pam_srv.c
Commit message (Collapse)AuthorAgeFilesLines
* PAM: Add application servicesJakub Hrozek2017-03-301-4/+163
| | | | | | | | | | | | Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new PAM responder option 'pam_app_services'. This option can hold a list of PAM services that are allowed to contact the application non-POSIX domains. These services are NOT allowed to contact any of the POSIX domains. Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: always store the certificate from the requestSumit Bose2017-03-231-3/+3
| | | | | | | | | | Store the certificate used to lookup a user as mapped attribute in the cached user object. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAM: allow muliple users mapped to a certificateSumit Bose2017-03-101-0/+84
| | | | | | Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Adapt pam-srv-tests to deal with cache_req related changesFabiano Fidêncio2017-03-031-23/+53
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Similar to what happened for nss-srv-tests, there were a few kind of changes required to fix the tests breakage caused by the last commit. 1) For tests including no user, no changes was required. 2) As we call an equivalent to "get by name" command, a name is parsed with sss_parse_inp and the returned value is now mocked. 3) For the "cache_auth_success*" tests we set pam_test_ctx->tctx->done to false after adding the password to the cache, since the code now contains tevent calls and without it only the first request proceeds into tevent_loop in test_ev_loop(), as the first finished request sets done to true. 4) As the user certificate is added as a result of calling sss_dp_account_recv and the certificate value is read by the certificate lookup, we have to, in case a certificate lookup callback is set, call mock_account_recv() for the certificate before going through the mock_account_recv() for the initgroup. 5) If no logon name is given, then the user is looked by certificates first. Since there's a matching user, the upcoming lookup by name will find the user entry. However, since the looked ip data is up to date the dp response has to be mocked and the second argument of mock_input_pam_cert() cannot be NULL but must match the user name. 6) Add a new attribute to mock_input_pam_cert() that represents whether the backend is contacted only once. It's needed because in test_pam_cert_auth() the backend is contacted first to check whether it can handle smartcard authenticatiom, but before that there's a lookup. Since the first mocked reply already adds the certificate to the user entry, the lookup by certificate will already find the user in the cache and no second lookup is needed. Co-Author: Pavel Březina <pbrezina@redhat.com> Co-Author: Sumit Bose <sbose@redhat.com> Resolves: https://fedorahosted.org/sssd/ticket/1126 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: return name of PKCS#11 module and key id to pam_sssSumit Bose2017-02-231-2/+31
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: forward Smartcard credentials to backendsSumit Bose2017-02-231-1/+15
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: use sentinel error code in PAM testsSumit Bose2017-02-231-1/+3
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add pam_response_filter optionSumit Bose2016-11-021-7/+142
| | | | | | | | | Currently the main use-case for this new option is to not set the KRB5CCNAME environment varible for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add a test for filter_responses()Sumit Bose2016-11-021-0/+52
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: return a fully-qualified nameSumit Bose2016-09-161-8/+8
| | | | | | Related to https://fedorahosted.org/sssd/ticket/3165 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard is usedSumit Bose2016-09-161-12/+77
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/3165 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: Use qualified names internally in the PAM responderJakub Hrozek2016-07-071-28/+73
| | | | | | | The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com>
* TESTS: Start fixing the PAM responder tests for fully qualified names in sysdbMichal Zidek2016-07-071-11/+21
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Responders: Make the client context more genericSimo Sorce2016-06-291-3/+10
| | | | | | | | | | | | | | | This is useufl to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use tallog_get_type to check they are of the right type. This also allows to store per responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam-srv-tests: Fix warning unused-functionLukas Slebodnik2016-06-171-0/+2
| | | | | | | | | | | | | | If pam-srv-tests is not build with NSS support then certificate related test are not executed and therefore there is unused setup function pam_test_setup_no_verification. src/tests/cmocka/test_pam_srv.c:323:12: error: 'pam_test_setup_no_verification' defined but not used [-Werror=unused-function] static int pam_test_setup_no_verification(void **state) ^ Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam-srv-tests: Increase cached_auth_timeoutLukas Slebodnik2016-06-101-2/+2
| | | | | | | | | | | | | | The execution sysdb_cache_password_ex can be slow due to function s3crypt_sha512 and valgrind slowdown. Therefore 2 seconds timeout can be reached in possitive tests test_pam_cached_auth_success and test_pam_cached_auth_success_combined_pw_with_cached_2fa Resolves: https://fedorahosted.org/sssd/ticket/2994 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: add PKCS11_LOGIN_TOKEN_NAME environment variableSumit Bose2016-06-091-1/+13
| | | | | | | The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome Settings Daemon to determine the name of the token used for login. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: add no_verification optionSumit Bose2016-06-091-0/+27
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDER: Removing ncache from pam_ctxPetr Cech2016-05-111-3/+0
| | | | | | This patch switches ncache from pam_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing neg_timeout from nss responderPetr Cech2016-05-111-2/+0
| | | | | | | | | | Timeout of negative cahce is handled by internal negative cache context. This patch removes neg_timeout from struct nss_ctx. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NEGCACHE: Adding timeout to struct sss_nc_ctxPetr Cech2016-05-111-1/+1
| | | | | | | | | | | | | | | | | | | It adds timeout of negative cache to handling struct sss_nc_ctx. There is one change in API of negatice cache: * int sss_ncache_init(TALLOC_CTX *memctx, uint32_t timeout, <----- new struct sss_nc_ctx **_ctx); There is also one new function in common/responder: * errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb, uint32_t *ncache_timeout); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* pam-srv-tests: Reuse test directory for IO testsLukas Slebodnik2016-01-281-1/+1
| | | | | | | | | | This patch is related to commit 50c9d542e8bf641412debaa82a4dcf67ddb72258 "tests: Use unique name for TEST_PATH" It's better to do IO operation in common test directory to prevent conflict with other test (copy & paste errors) Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* p11: enable ocsp checksSumit Bose2015-11-261-8/+33
| | | | | | | | | | | This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam-srv-tests: Add UT for cached 'online' auth.Pavel Reichl2015-11-121-0/+188
| | | | | | | | | Extend PAM responder unit test to check 'online' cached authentication. Resolves: https://fedorahosted.org/sssd/ticket/2697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* pam-srv-tests: split pam_test_setup() so it can be reusedPavel Reichl2015-11-121-15/+19
| | | | | | | | | | Split pam_test_setup() so domain and pam parameters can be easily set distinctly for each test. Resolves: https://fedorahosted.org/sssd/ticket/2697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* pam-srv-tests: Change service nameSumit Bose2015-11-051-1/+1
| | | | | | | | | | | | It would be better to not use 'ssh' or 'sshd' here at all but something like 'pam_test_service' to indicate that it is a generic name. Because a default value should not lead to a code path which handles a special case. The general PAM responder test should not run through the 'sshd' case in pam_reply() only if the service is set explicitly to 'sshd' this features should be tests. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAM: only allow missing user name for certificate authenticationSumit Bose2015-10-021-0/+38
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2811 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* test_pam_srv: Run cert test only with NSSLukas Slebodnik2015-09-301-0/+3
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: Set p11_child_timeout to 30 in testsMichal Židek2015-09-231-4/+31
| | | | | | | | | | | | Ticket: https://fedorahosted.org/sssd/ticket/2773 Add way to set pam specific options in pam_test_setup adn use it to set the p11_child_timeout value to 30. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* tests: Use unique name for TEST_PATHLukas Slebodnik2015-09-181-1/+1
| | | | | | | | | | | | | | We had a cases in patch where two tests were using the same TEST_PATH and therefore they were stepping each other to the same files which caused failures. These failures are not easy to reproduce. This patch uses macro BASE_FILE_STEM for unique name. It should prevent copy&paste problem resulting to intermittent failures. @see also https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add certificate support to PAM (pre-)auth requestsSumit Bose2015-07-311-2/+507
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Minor code improvementsPavel Reichl2015-07-061-1/+0
| | | | | | | | pam_helpers.h had to be included after util.h. Removed exara empty line. Fixed code alignment Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add PAM responder unit testSumit Bose2015-05-081-0/+965
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>