/*
    Sumit Bose <sbose@redhat.com>

    Copyright (C) 2015 Red Hat

    SSSD tests: PAM responder tests

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose#include "tests/test_CA/SSSD_test_cert_x509_0002.h"
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose#define TEST_PROMPT "SSSD test cert 0001 - SSSD\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose#define TEST2_PROMPT "SSSD test cert 0002 - SSSD\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose/* Must be global because it is needed in some wrappers */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "Failed to create " NSS_DB_PATH ".\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = execlp("certutil", "certutil", "-N", "--empty-password", "-d",
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "execl() failed.\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose } else if (child_pid > 0) {
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose ret = execlp("certutil", "certutil", "-N", "--empty-password", "-d",
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "execl() failed.\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose } else if (child_pid > 0) {
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "fopen() failed.\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = fprintf(fp, "library=libsoftokn3.so\nname=soft\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "fclose() failed.\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose fp = fopen(NSS_DB_PATH_2CERTS"/pkcs11.txt", "w");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "fopen() failed.\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose ret = fprintf(fp, "library=libsoftokn3.so\nname=soft\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "fclose() failed.\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Failed to remove cert9.db.\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Failed to remove key4.db.\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Failed to remove pkcs11.db.\n");
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Failed to remove " NSS_DB_PATH "\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Failed to remove cert9.db.\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Failed to remove key4.db.\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Failed to remove pkcs11.db.\n");
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Failed to remove " NSS_DB_PATH "\n");
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_hash_create(pctx, 10, &pctx->id_table);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* Two NULLs so that tests can just assign a const to the first slot
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek * should they need it. The code iterates until first NULL anyway
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek pctx->app_services = talloc_zero_array(pctx, char *, 2);
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bosestatic int add_confdb_params(struct sss_test_conf_param params[],
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bose ret = confdb_add_param(cdb, true, section, params[i].key, val);
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bosestatic int add_pam_params(struct sss_test_conf_param pam_params[],
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bose return add_confdb_params(pam_params, cdb, CONFDB_PAM_CONF_ENTRY);
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bosestatic int add_monitor_params(struct sss_test_conf_param monitor_params[],
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bose return add_confdb_params(monitor_params, cdb, CONFDB_MONITOR_CONF_ENTRY);
ab3c0e05d18616295afbd46acad1ca243b33861cMichal Židekvoid test_pam_setup(struct sss_test_conf_param dom_params[],
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx = talloc_zero(NULL, struct pam_test_ctx);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->tctx = create_dom_test_ctx(pam_test_ctx, TESTS_PATH,
57c5ea8825c7179fd93382dbcbb07e828e5aec19René Genz /* FIXME - perhaps this should be folded into sssd_domain_init or strictly
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose * used together
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_names_init(pam_test_ctx, pam_test_ctx->tctx->confdb,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Initialize the PAM responder */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->rctx = mock_rctx(pam_test_ctx, pam_test_ctx->tctx->ev,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->rctx->cdb = pam_test_ctx->tctx->confdb;
ab3c0e05d18616295afbd46acad1ca243b33861cMichal Židek ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bose ret = add_monitor_params(monitor_params, pam_test_ctx->rctx->cdb);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Create client context */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->cctx = mock_cctx(pam_test_ctx, pam_test_ctx->rctx);
4f3a9d837a55b49448eca3c713c85a406207e523Simo Sorce prctx->cli_protocol_version = register_cli_protocol_version();
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek "wronguser",
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek assert_non_null(pam_test_ctx->wrong_user_fqdn);
82c5971fafe6063a90289ebba08035fc49ae8590Sumit Bose /* integer values cannot be set by pam_params */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Prime the cache with a valid user */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Add entry to the initgr cache to make sure no initgr request is sent to
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose * the backend */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = pam_initgr_cache_set(pam_test_ctx->pctx->rctx->ev,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Prime the cache with a user for wrong matches */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Add entry to the initgr cache to make sure no initgr request is sent to
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose * the backend */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = pam_initgr_cache_set(pam_test_ctx->pctx->rctx->ev,
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bose test_pam_setup(dom_params, pam_params, monitor_params, state);
aa35995ef056aa8ae052a47c62c6750b7adf065eSumit Bosestatic int pam_test_setup_no_verification(void **state)
aa35995ef056aa8ae052a47c62c6750b7adf065eSumit Bose { "certificate_verification", "no_verification" },
aa35995ef056aa8ae052a47c62c6750b7adf065eSumit Bose test_pam_setup(dom_params, pam_params, monitor_params, state);
ef045ad7616667e5d824d9ac326b461f9bb1d8cfLukas Slebodnik#endif /* HAVE_NSS */
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose#endif /* HAVE_TEST_CA */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl { "cached_auth_timeout", CACHED_AUTH_TIMEOUT_STR },
544a20de7667f05c1a406c4dea0706b0ab507430Sumit Bose test_pam_setup(dom_params, pam_params, monitor_params, state);
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_delete_user(pam_test_ctx->tctx->dom,
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_delete_user(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosetypedef int (*cmd_cb_fn_t)(uint32_t, uint8_t *, size_t);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Boseint __real_read_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid __real_sss_packet_get_body(struct sss_packet *packet,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid __wrap_sss_packet_get_body(struct sss_packet *packet,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose enum sss_test_wrapper_call wtype = sss_mock_type(enum sss_test_wrapper_call);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose return __real_sss_packet_get_body(packet, body, blen);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid __real_sss_packet_get_body(struct sss_packet *packet,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid __wrap_sss_cmd_done(struct cli_ctx *cctx, void *freectx)
4f3a9d837a55b49448eca3c713c85a406207e523Simo Sorce prctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose __real_sss_packet_get_body(packet, &body, &blen);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->tctx->error = check_cb(sss_packet_get_status(packet),
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Boseenum sss_cli_command __wrap_sss_packet_get_cmd(struct sss_packet *packet)
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Boseint __wrap_sss_cmd_send_empty(struct cli_ctx *cctx, TALLOC_CTX *freectx)
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Boseint __wrap_pam_dp_send_req(struct pam_auth_req *preq, int timeout)
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Set expected status */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose preq->pd->pam_status = pam_test_ctx->exp_pam_status;
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozekstatic void mock_input_pam_ex(TALLOC_CTX *mem_ctx,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek const char *name,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek const char *pwd,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek const char *fa2,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek const char *svc,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_auth_pack_2fa_blob(pwd, 0, fa2, 0, NULL, 0, &needed_size);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_auth_pack_2fa_blob(pwd, 0, fa2, 0, authtok,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pi.pam_authtok_size = strlen(pi.pam_authtok) + 1;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pi.pam_service_size = strlen(pi.pam_service) + 1;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, buf_size);
29d063505c07127f7747405b1a61d8f782673645Sumit Bose ret = sss_parse_internal_fqname(mem_ctx, name, &s_name, &dom);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek const char *name,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek const char *pwd,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek const char *fa2)
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek return mock_input_pam_ex(mem_ctx, name, pwd, fa2, NULL, true);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bosestatic void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose ret = sss_auth_pack_sc_blob(pin, 0, token_name, 0, module_name, 0,
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose ret = sss_auth_pack_sc_blob(pin, 0, token_name, 0, module_name, 0,
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose pi.pam_service = service == NULL ? "login" : service;
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose pi.pam_service_size = strlen(pi.pam_service) + 1;
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, buf_size);
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio mock_account_recv(0, 0, NULL, acct_cb, discard_const(cert));
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio if (!(only_one_provider_call && already_mocked)) {
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosestatic int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose assert_int_equal(val, pam_test_ctx->exp_pam_status);
d86224608ff60ec5cc7e7cbf9e53d8a04e083530Sumit Bose#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bosestatic int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose assert_int_equal(val, pam_test_ctx->exp_pam_status);
d86224608ff60ec5cc7e7cbf9e53d8a04e083530Sumit Bose assert_int_equal(val, (strlen(PKCS11_LOGIN_TOKEN_ENV_NAME "=")
d86224608ff60ec5cc7e7cbf9e53d8a04e083530Sumit Bose PKCS11_LOGIN_TOKEN_ENV_NAME "=" TEST_TOKEN_NAME);
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3Sumit Bose assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME)
3649b959709f1ab187092f054d4aace0798c98faSumit Bose assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
3649b959709f1ab187092f054d4aace0798c98faSumit Bose assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_MODULE_NAME) - 1), 0);
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3Sumit Bose assert_string_equal(body + rp, TEST_MODULE_NAME);
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_KEY_ID) - 1), 0);
57cefea8305a57c1c0491afb739813b7f17d5a25Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bosestatic int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose const char *name2)
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose assert_int_equal(val, pam_test_ctx->exp_pam_status);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose assert_int_equal(*(body + rp + strlen(name)), 0);
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_MODULE_NAME) - 1), 0);
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3Sumit Bose assert_string_equal(body + rp, TEST_MODULE_NAME);
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_KEY_ID) - 1), 0);
57cefea8305a57c1c0491afb739813b7f17d5a25Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose assert_int_equal(*(body + rp + strlen(name)), 0);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST_MODULE_NAME) - 1), 0);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose assert_string_equal(body + rp, TEST_MODULE_NAME);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST2_KEY_ID) - 1), 0);
57cefea8305a57c1c0491afb739813b7f17d5a25Sumit Bose assert_int_equal(*(body + rp + sizeof(TEST2_PROMPT) - 1), 0);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bosestatic int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose return test_pam_cert_check_ex(status, body, blen,
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bosestatic int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose assert_int_equal(pam_test_ctx->exp_pam_status, PAM_BAD_ITEM);
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose return test_pam_cert_check_ex(status, body, blen,
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bosestatic int test_pam_cert_check_with_hint(uint32_t status, uint8_t *body,
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose return test_pam_cert_check_ex(status, body, blen,
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bosestatic int test_pam_cert_check_with_hint_no_user(uint32_t status, uint8_t *body,
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose return test_pam_cert_check_ex(status, body, blen,
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bosestatic int test_pam_cert_check_2certs(uint32_t status, uint8_t *body,
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose return test_pam_cert_check_ex(status, body, blen,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosestatic int test_pam_offline_chauthtok_check(uint32_t status,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose assert_int_equal(val, pam_test_ctx->exp_pam_status);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose assert_int_equal(val, SSS_PAM_USER_INFO_OFFLINE_CHPASS);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosestatic int test_pam_failed_offline_auth_check(uint32_t status, uint8_t *body,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose return test_pam_simple_check(status, body, blen);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosestatic int test_pam_successful_offline_auth_check(uint32_t status,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose return test_pam_simple_check(status, body, blen);
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichlstatic int test_pam_successful_cached_auth_check(uint32_t status,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl return test_pam_simple_check(status, body, blen);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosestatic int test_pam_wrong_pw_offline_auth_check(uint32_t status,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose return test_pam_simple_check(status, body, blen);
82c5971fafe6063a90289ebba08035fc49ae8590Sumit Bosestatic int test_pam_simple_check_success(uint32_t status,
82c5971fafe6063a90289ebba08035fc49ae8590Sumit Bose return test_pam_simple_check(status, body, blen);
2e76b32e74abedb23665808bacc73cafd1097c37Sumit Bosestatic int test_pam_creds_insufficient_check(uint32_t status,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bosestatic int test_pam_user_unknown_check(uint32_t status,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_SETCRED);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_SETCRED,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_ACCT_MGMT);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_ACCT_MGMT,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_OPEN_SESSION);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
254f3898cc9fb9d76e12d72a2955906c49748e6dSumit Bose /* make sure pam_status is not touched by setting it to a value which is
254f3898cc9fb9d76e12d72a2955906c49748e6dSumit Bose * not used by SSSD. */
254f3898cc9fb9d76e12d72a2955906c49748e6dSumit Bose pam_test_ctx->exp_pam_status = _PAM_RETURN_VALUES;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_OPEN_SESSION,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CLOSE_SESSION);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CLOSE_SESSION,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK_PRELIM);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK_PRELIM,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl/* Cached on-line authentication */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichlstatic void common_test_pam_cached_auth(const char *pwd)
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl mock_input_pam(pam_test_ctx, "pamuser", pwd, NULL);
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl set_cmd_cb(test_pam_successful_cached_auth_check);
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl /* Wait until the test finishes with EOK */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl /* Back end should be contacted */
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl /* Reset before next call */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl /* Back end should not be contacted */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl assert_false(pam_test_ctx->provider_contacted);
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichlvoid test_pam_cached_auth_wrong_pw(void **state)
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl ret = pam_set_last_online_auth_with_curr_token(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl /* Back end should be contacted */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl/* test cached_auth_timeout option */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichlvoid test_pam_cached_auth_opt_timeout(void **state)
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl last_online = time(NULL) - CACHED_AUTH_TIMEOUT - 1;
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl ret = pam_set_last_online_auth_with_curr_token(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl /* Back end should be contacted */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl/* too long since last on-line authentication */
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl ret = pam_set_last_online_auth_with_curr_token(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl /* Back end should be contacted */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichlvoid test_pam_cached_auth_success_combined_pw_with_cached_2fa(void **state)
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl /* Reset before next call */
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl assert_false(pam_test_ctx->provider_contacted);
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichlvoid test_pam_cached_auth_failed_combined_pw_with_cached_2fa(void **state)
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl ret = pam_set_last_online_auth_with_curr_token(pam_test_ctx->tctx->dom,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl/* Off-line authentication */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_successful_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "11111", NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Positive offline-authentication case with two input strings, against a
 * cache entry written by sysdb_cache_password().
 * Input is "12345" plus "abcde" (presumably first and second factor; the
 * parameter list of mock_input_pam() is not visible here - confirm). The
 * reply is checked by test_pam_successful_offline_auth_check.
 * NOTE(review): the cached value and the trailing arguments of the cut-off
 * calls are on lines this listing omits. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_success_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "12345", "abcde");
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_successful_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Negative offline-authentication case with two input strings: "11111" plus
 * "abcde" is submitted against a cache entry written by
 * sysdb_cache_password(), and the reply is checked by
 * test_pam_wrong_pw_offline_auth_check.
 * NOTE(review): the cached value is on a line this listing omits, so the
 * mismatch with "11111" is inferred from the test name. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_failed_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "11111", "abcde");
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Positive case: "12345" plus "abcde" is submitted against a cache entry
 * written by sysdb_cache_password_ex(), and the reply is checked by
 * test_pam_successful_offline_auth_check.
 * NOTE(review): the extra arguments of sysdb_cache_password_ex() are not
 * visible here; per the test name the cached credential is a two-factor
 * one - confirm against the full file. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_success_2fa_with_cached_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "12345", "abcde");
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_successful_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Negative case: "11111" plus "abcde" is submitted against a cache entry
 * written by sysdb_cache_password_ex(), and the reply is checked by
 * test_pam_wrong_pw_offline_auth_check.
 * NOTE(review): the cached value and credential type are on lines this
 * listing omits. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_failed_2fa_with_cached_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "11111", "abcde");
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Positive case with a single input string: "12345" with a NULL third
 * argument is submitted against a cache entry written by
 * sysdb_cache_password_ex(), and the reply is checked by
 * test_pam_successful_offline_auth_check.
 * NOTE(review): per the test name the cache holds a two-factor credential
 * while only a password is entered; the sysdb_cache_password_ex() arguments
 * that would show this are not visible here. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_success_pw_with_cached_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_successful_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Negative case with a single input string: "11111" with a NULL third
 * argument is submitted against a cache entry written by
 * sysdb_cache_password_ex(), and the reply is checked by
 * test_pam_wrong_pw_offline_auth_check.
 * NOTE(review): the cached value is on a line this listing omits. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_failed_pw_with_cached_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "11111", NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Positive case for a combined credential: the single string
 * "12345678abcde" is submitted with a NULL third argument against a cache
 * entry written by sysdb_cache_password_ex(), and the reply is checked by
 * test_pam_successful_offline_auth_check.
 * NOTE(review): per the test name the string is both factors concatenated;
 * how the cached entry records where to split it is in the
 * sysdb_cache_password_ex() arguments, which are not visible here. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_success_combined_pw_with_cached_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "12345678abcde", NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_successful_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Negative case for a combined credential: "11111111abcde" has the same
 * length and the same trailing "abcde" as the string accepted by
 * test_pam_offline_auth_success_combined_pw_with_cached_2fa, but a different
 * leading part. The reply is checked by
 * test_pam_wrong_pw_offline_auth_check.
 * NOTE(review): the cached value is on a line this listing omits. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_failed_combined_pw_with_cached_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "11111111abcde", NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Negative case for a combined credential of the wrong length:
 * "12345678abcd" is one character shorter than the string accepted by
 * test_pam_offline_auth_success_combined_pw_with_cached_2fa, and the reply
 * is checked by test_pam_wrong_pw_offline_auth_check.
 * This pins that a length mismatch in the second-factor part is rejected
 * rather than the input being split at a different position.
 * NOTE(review): presumably the cached entry stores the second-factor
 * length; the sysdb_cache_password_ex() arguments are not visible here. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_auth_failed_wrong_2fa_size_with_cached_2fa(void **state)
29071a9e2df823a2cdc13cea996ece1c996e1172Michal Zidek ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", "12345678abcd", NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
/* Sends SSS_PAM_CHAUTHTOK_PRELIM for "pamuser" with both credential
 * arguments NULL and exp_pam_status set to PAM_AUTHINFO_UNAVAIL.
 * NOTE(review): the callback that checks the reply is not visible in this
 * listing, so what the responder must answer while offline cannot be
 * stated from here. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bosevoid test_pam_offline_chauthtok_prelim(void **state)
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK_PRELIM);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK_PRELIM,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Wait until the test finishes with EOK */
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
2e76b32e74abedb23665808bacc73cafd1097c37Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
2e76b32e74abedb23665808bacc73cafd1097c37Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
2e76b32e74abedb23665808bacc73cafd1097c37Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
2e76b32e74abedb23665808bacc73cafd1097c37Sumit Bose /* Wait until the test finishes with EOK */
/* Authenticates with the logon name "upn@"TEST_DOM_NAME and "12345" after
 * writing a cache entry with sysdb_cache_password().
 * No SYSDB_UPN attribute is added in the visible lines of this test, so per
 * its name the logon name matches no user's UPN.
 * NOTE(review): the callback that checks the reply and the remaining
 * mock_input_pam_ex() arguments are on lines this listing omits. */
29d063505c07127f7747405b1a61d8f782673645Sumit Bosevoid test_pam_auth_no_upn_logon_name(void **state)
29d063505c07127f7747405b1a61d8f782673645Sumit Bose ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
29d063505c07127f7747405b1a61d8f782673645Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
29d063505c07127f7747405b1a61d8f782673645Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose /* Wait until the test finishes with EOK */
29d063505c07127f7747405b1a61d8f782673645Sumit Bose ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upn@"TEST_DOM_NAME);
29d063505c07127f7747405b1a61d8f782673645Sumit Bose ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
29d063505c07127f7747405b1a61d8f782673645Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
29d063505c07127f7747405b1a61d8f782673645Sumit Bose set_cmd_cb(test_pam_successful_offline_auth_check);
29d063505c07127f7747405b1a61d8f782673645Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose /* Wait until the test finishes with EOK */
/* Test helper: points the PAM context's nss_db at dbpath.
 * discard_const() drops the const qualifier because nss_db is assigned from
 * a const char *; the string is not copied, so dbpath must outlive the
 * test.
 * NOTE(review): the visible assignment goes through the global
 * pam_test_ctx->pctx rather than the pctx parameter. Every caller in this
 * listing passes pam_test_ctx->pctx, so the two coincide there. Other lines
 * of the body are not visible here. */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bosestatic void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose pam_test_ctx->pctx->nss_db = discard_const(dbpath);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Wait until the test finishes with EOK */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
81c564a0692aa4b719af2219f52894e6cd4bdf9fSumit Bose ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
/* Mock backend callback: base64-decodes SSSD_TEST_CERT_0002 and stores the
 * DER bytes as a SYSDB_USER_MAPPED_CERT attribute via sysdb_set_user_attr().
 * The certificate is fixed here; pvt is not used on the visible lines.
 * NOTE(review): the user the attribute is written to is on a continuation
 * line this listing omits; per the function name it is the user that
 * already maps the first certificate. */
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bosestatic int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt)
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose der = sss_base64_decode(pam_test_ctx, SSSD_TEST_CERT_0002, &der_size);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
/* Mock backend callback: base64-decodes the certificate passed in pvt and
 * stores the DER bytes as a SYSDB_USER_MAPPED_CERT attribute via
 * sysdb_set_user_attr().
 * NOTE(review): only one sysdb_set_user_attr() call is visible; per the
 * function name the certificate ends up mapped twice, which would be on
 * lines this listing omits - confirm against the full file. */
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bosestatic int test_lookup_by_cert_double_cb(void *pvt)
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
81c564a0692aa4b719af2219f52894e6cd4bdf9fSumit Bose ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
/* Mock backend callback: base64-decodes the certificate passed in pvt and
 * stores the DER bytes as a SYSDB_USER_MAPPED_CERT attribute via
 * sysdb_set_user_attr().
 * NOTE(review): the user name is on a continuation line this listing omits;
 * per the function name the certificate is mapped to a user other than the
 * one that logs in. */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bosestatic int test_lookup_by_cert_wrong_user_cb(void *pvt)
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
81c564a0692aa4b719af2219f52894e6cd4bdf9fSumit Bose ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4feJakub Hrozek ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Wait until the test finishes with EOK */
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Wait until the test finishes with EOK */
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose/* Test if PKCS11_LOGIN_TOKEN_NAME is added for the gdm-smartcard service */
/* Visible steps: an SSS_PAM_PREAUTH request for "pamuser" built with
 * mock_input_pam_cert().
 * NOTE(review): the service name, the lookup callback and the reply check
 * are on lines this listing omits. */
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bosevoid test_pam_preauth_cert_match_gdm_smartcard(void **state)
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL,
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_PREAUTH request for "pamuser" built with mock_input_pam_cert().
 * NOTE(review): per the test name the certificate on the token maps to a
 * different user than the logon name, the case where pre-auth must not
 * offer that certificate to "pamuser". The lookup callback and the reply
 * check that would show this are on lines this listing omits. */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bosevoid test_pam_preauth_cert_match_wrong_user(void **state)
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_PREAUTH request with a NULL logon name: the user has to be found
 * through the certificate, which test_lookup_by_cert_cb maps using
 * SSSD_TEST_CERT_0001. The final `false` argument is the option the comment
 * in the cert-auth tests calls "the last option". */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bosevoid test_pam_preauth_cert_no_logon_name(void **state)
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio /* If no logon name is given the user is looked up by certificate first.
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio * Since there is a matching user the upcoming lookup by name will find
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio * the user entry. But since we force the lookup by name to go to the
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio * backend to make sure the group-membership data is up to date the
89ff140d7ab92fce52d6730a7d27c8d73c7d9e4aSumit Bose * backend response has to be mocked twice.
89ff140d7ab92fce52d6730a7d27c8d73c7d9e4aSumit Bose * Additionally sss_parse_inp_recv() must be mocked because the cache
89ff140d7ab92fce52d6730a7d27c8d73c7d9e4aSumit Bose * request will be done with the username found by the certificate
89ff140d7ab92fce52d6730a7d27c8d73c7d9e4aSumit Bose * lookup. */
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Wait until the test finishes with EOK */
/* Same request as test_pam_preauth_cert_no_logon_name, but with
 * user_name_hint enabled on the responder's first domain before the
 * request is built.
 * NOTE(review): the flag is set on shared test state; whether it is reset
 * afterwards is not visible in this listing. */
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bosevoid test_pam_preauth_cert_no_logon_name_with_hint(void **state)
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose pam_test_ctx->rctx->domains->user_name_hint = true;
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose /* If no logon name is given the user is looked up by certificate first.
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose * Since user name hint is enabled we do not have to search the user
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose * during pre-auth and there is no need for an extra mocked response as in
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose * test_pam_preauth_cert_no_logon_name. */
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_PREAUTH request with a NULL logon name where the mocked backend
 * reply comes from test_lookup_by_cert_double_cb with SSSD_TEST_CERT_0001.
 * NOTE(review): per the names the certificate then matches more than one
 * entry, so the user cannot be identified from the certificate alone. The
 * reply check and the last mock_input_pam_cert() argument are on lines this
 * listing omits. */
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bosevoid test_pam_preauth_cert_no_logon_name_double_cert(void **state)
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose /* Wait until the test finishes with EOK */
/* Same request as test_pam_preauth_cert_no_logon_name_double_cert, but with
 * user_name_hint enabled on the responder's first domain; the reply is
 * checked by test_pam_cert_check_with_hint_no_user.
 * NOTE(review): the last mock_input_pam_cert() argument is on a line this
 * listing omits. */
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bosevoid test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state)
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose pam_test_ctx->rctx->domains->user_name_hint = true;
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose set_cmd_cb(test_pam_cert_check_with_hint_no_user);
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_PREAUTH request with a NULL logon name and the certificate
 * database path set to "/no/path", so per the test name no certificate is
 * available either and the request carries nothing that identifies a user.
 * NOTE(review): the reply check is on lines this listing omits. */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bosevoid test_pam_preauth_no_cert_no_logon_name(void **state)
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_PREAUTH request with a NULL logon name.
 * NOTE(review): per the test name a certificate is present but maps to no
 * user. The lookup callback and the reply check that would show this are on
 * lines this listing omits. */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bosevoid test_pam_preauth_cert_no_logon_name_no_match(void **state)
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Wait until the test finishes with EOK */
/* NOTE(review): the signature of this test is not visible in this listing.
 * Visible steps: an SSS_PAM_AUTHENTICATE request for "pamuser" carrying
 * "123456", the token name "SSSD Test Token", the module name
 * "NSS-Internal" and a key id, with test_lookup_by_cert_cb mapping
 * SSSD_TEST_CERT_0001. The key id literal is the same value as TEST_KEY_ID
 * defined at the top of the file. */
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio /* Here the last option must be set to true because the backend is only
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio * connected once. During authentication the backend is connected first to
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio * see if it can handle Smartcard authentication, but before that the user
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio * is looked up. Since the first mocked reply already adds the certificate
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio * to the user entry the lookup by certificate will already find the user
5aaaf081765b3f23e1518b5f299c289afb9d3f13Fabiano Fidêncio * in the cache and no second request to the backend is needed. */
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose "NSS-Internal",
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
82c5971fafe6063a90289ebba08035fc49ae8590Sumit Bose /* Assume backend cannot handle Smartcard credentials */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_AUTHENTICATE request with a NULL logon name: the request carries
 * "123456", the token name "SSSD Test Token", the module name
 * "NSS-Internal" and a key id, and test_lookup_by_cert_cb maps
 * SSSD_TEST_CERT_0001. The key id literal is the same value as TEST_KEY_ID
 * defined at the top of the file.
 * NOTE(review): the reply check is on lines this listing omits. */
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bosevoid test_pam_cert_auth_no_logon_name(void **state)
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose /* Here the last option must be set to true because the backend is only
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * connected once. During authentication the backend is connected first to
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * see if it can handle Smartcard authentication, but before that the user
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * is looked up. Since the first mocked reply already adds the certificate
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * to the user entry the lookup by certificate will already find the user
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * in the cache and no second request to the backend is needed. */
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose "NSS-Internal",
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose /* Assume backend cannot handle Smartcard credentials */
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_AUTHENTICATE request with a NULL logon name, "123456" and the
 * token name "SSSD Test Token".
 * NOTE(review): per the test name no key id is sent, so the request does
 * not say which certificate on the token is meant. The remaining
 * mock_input_pam_cert() arguments and the reply check are on lines this
 * listing omits. */
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bosevoid test_pam_cert_auth_no_logon_name_no_key_id(void **state)
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose /* Here the last option must be set to true because the backend is only
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * connected once. During authentication the backend is connected first to
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * see if it can handle Smartcard authentication, but before that the user
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * is looked up. Since the first mocked reply already adds the certificate
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * to the user entry the lookup by certificate will already find the user
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose * in the cache and no second request to the backend is needed. */
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose /* Assume backend cannot handle Smartcard credentials */
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose /* Wait until the test finishes with EOK */
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose "NSS-Internal",
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose /* Assume backend cannot handle Smartcard credentials */
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_PREAUTH request for "pamuser" with the certificate database set
 * to NSS_DB_2CERTS; test_lookup_by_cert_cb maps only SSSD_TEST_CERT_0001.
 * NOTE(review): per the test name the database holds two certificates of
 * which one is mapped to the user. The reply check is on lines this listing
 * omits. */
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bosevoid test_pam_cert_preauth_2certs_one_mapping(void **state)
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose /* Wait until the test finishes with EOK */
/* SSS_PAM_PREAUTH request for "pamuser" with the certificate database set
 * to NSS_DB_2CERTS.
 * NOTE(review): per the test name both certificates in the database are
 * mapped to the user. The lookup callback and the reply check that would
 * show this are on lines this listing omits. */
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bosevoid test_pam_cert_preauth_2certs_two_mappings(void **state)
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
0a8024af282b271ad2185f68703d9f4e766d2bdcSumit Bose mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose /* Wait until the test finishes with EOK */
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose uint8_t offline_auth_data[(sizeof(uint32_t) + sizeof(int64_t))];
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose env = talloc_asprintf(pd, "%s=%s", "MyEnv", "abcdef");
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose memset(offline_auth_data, 0, sizeof(offline_auth_data));
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose memcpy(offline_auth_data, &info_type, sizeof(uint32_t));
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose /* pd->resp_list points to the SSS_PAM_USER_INFO and pd->resp_list->next
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose * to the SSS_PAM_ENV_ITEM message. */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose /* Test CONFDB_PAM_VERBOSITY option */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose /* SSS_PAM_USER_INFO_OFFLINE_AUTH message will only be shown with
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose * pam_verbosity 2 or above if cache password never expires. */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->next->do_not_send_to_client);
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose /* Test CONFDB_PAM_RESPONSE_FILTER option */
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose pam_params[1].value = "ENV"; /* filter all environment variables */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose /* for all services */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose pam_params[1].value = "ENV:"; /* filter all environment variables */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose pam_params[1].value = "ENV::"; /* filter all environment variables */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose pam_params[1].value = "ENV:abc:"; /* variable name does not match */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose pam_params[1].value = "ENV:abc:MyService"; /* variable name does not match */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose pam_params[1].value = "ENV::abc"; /* service name does not match */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose /* service name does not match */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_false(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose pam_params[1].value = "ENV:MyEnv:MyService"; /* match */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->next->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose /* multiple rules with a match */
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose "ENV:MyEnv:MyService, "
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose "ENV:stu:xyz";
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->do_not_send_to_client);
ce43f710c9638fbbeae077559cd7514370a10c0cSumit Bose assert_true(pd->resp_list->next->do_not_send_to_client);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozekstatic int pam_test_setup_appsvc_posix_dom(void **state)
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* This config option is only read on startup, which is not executed
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek * in test, so we can't just pass in a param
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek pam_test_ctx->pctx->app_services[0] = discard_const("app_svc");
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* The domain is POSIX, the request will skip over it */
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "app_svc", false);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* A different service than the app one can authenticate against a POSIX domain */
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "not_app_svc", true);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* Wait until the test finishes with EOK */
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozekstatic int pam_test_setup_appsvc_app_dom(void **state)
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek struct sss_test_conf_param monitor_params[] = {
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek test_pam_setup(dom_params, pam_params, monitor_params, state);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* This config option is only read on startup, which is not executed
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek * in test, so we can't just pass in a param
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek pam_test_ctx->pctx->app_services[0] = discard_const("app_svc");
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* NOTE(review): these statements follow pam_test_setup_appsvc_app_dom, so the domain here appears to be an application domain rather than a POSIX one (the enclosing function header is not visible); the "app_svc" request is expected to be served, since no PAM_USER_UNKNOWN status is set before the call, unlike the POSIX-domain case */
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "app_svc", true);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* Wait until the test finishes with EOK */
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek /* A service other than the configured app service ("app_svc") must not authenticate here: the "not_app_svc" request is expected to end with PAM_USER_UNKNOWN. NOTE(review): the domain is presumably the application domain from pam_test_setup_appsvc_app_dom; confirm against the test registration */
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "not_app_svc", false);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose _("Do not delete the test database after a test run"), NULL },
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_authenticate,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_setcreds,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_acct_mgmt,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_open_session,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_close_session,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_chauthtok,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_chauthtok_prelim,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_offline_auth_no_hash,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_offline_auth_success,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_offline_auth_wrong_pw,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_offline_auth_success_2fa,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_offline_auth_failed_2fa,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose test_pam_offline_auth_success_2fa_with_cached_2fa,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose test_pam_offline_auth_failed_2fa_with_cached_2fa,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose test_pam_offline_auth_success_pw_with_cached_2fa,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose test_pam_offline_auth_success_combined_pw_with_cached_2fa,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose test_pam_offline_auth_failed_combined_pw_with_cached_2fa,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose test_pam_offline_auth_failed_wrong_2fa_size_with_cached_2fa,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok_prelim,
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok,
2e76b32e74abedb23665808bacc73cafd1097c37Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose cmocka_unit_test_setup_teardown(test_pam_auth_no_upn_logon_name,
29d063505c07127f7747405b1a61d8f782673645Sumit Bose cmocka_unit_test_setup_teardown(test_pam_auth_upn_logon_name,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl cmocka_unit_test_setup_teardown(test_pam_cached_auth_success,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl cmocka_unit_test_setup_teardown(test_pam_cached_auth_wrong_pw,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl cmocka_unit_test_setup_teardown(test_pam_cached_auth_opt_timeout,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl cmocka_unit_test_setup_teardown(test_pam_cached_auth_timeout,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl cmocka_unit_test_setup_teardown(test_pam_cached_auth_success_combined_pw_with_cached_2fa,
4b12be504e20173e0629835818e4db6a9617a9a4Pavel Reichl cmocka_unit_test_setup_teardown(test_pam_cached_auth_failed_combined_pw_with_cached_2fa,
f182ede719c4290f46f09af1191c5eec3da54503Lukas Slebodnik/* p11_child is not built without NSS */
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nomatch,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match,
71cd9f98150577224559bdc12c53c01ce6f2c3d9Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_gdm_smartcard,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_wrong_user,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name,
32474fa2f0a6dc09386bab405fc3461cb3dd12acSumit Bose test_pam_preauth_cert_no_logon_name_double_cert_with_hint,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose cmocka_unit_test_setup_teardown(test_pam_preauth_no_cert_no_logon_name,
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose cmocka_unit_test_setup_teardown(test_pam_cert_auth,
aa35995ef056aa8ae052a47c62c6750b7adf065eSumit Bose cmocka_unit_test_setup_teardown(test_pam_cert_auth,
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6cSumit Bose cmocka_unit_test_setup_teardown(test_pam_cert_auth_double_cert,
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_one_mapping,
0bdd8800c16f39b8fe308d20694ad905c669dff3Sumit Bose cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_two_mappings,
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
fd6f4047b58686bd4057c9859c3c804a77b136d8Sumit Bose cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
f182ede719c4290f46f09af1191c5eec3da54503Lukas Slebodnik#endif /* HAVE_NSS */
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0fSumit Bose#endif /* HAVE_TEST_CA */
c8fe1d922b254aa92e74f428135ada3c8bde87a1Sumit Bose cmocka_unit_test_setup_teardown(test_filter_response,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek cmocka_unit_test_setup_teardown(test_appsvc_posix_dom,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek cmocka_unit_test_setup_teardown(test_not_appsvc_posix_dom,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek cmocka_unit_test_setup_teardown(test_appsvc_app_dom,
3e789aa0bd6b7bb6e62f91458b76753498030fb5Jakub Hrozek cmocka_unit_test_setup_teardown(test_not_appsvc_app_dom,
57c5ea8825c7179fd93382dbcbb07e828e5aec19René Genz /* Set debug level to invalid value so we can decide if -d 0 was used. */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose pc = poptGetContext(argv[0], argc, argv, long_options, 0);
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose /* Even though normally the tests should clean up after themselves
57c5ea8825c7179fd93382dbcbb07e828e5aec19René Genz * they might not after a failed run. Remove the old DB to be sure */
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose DEBUG(SSSDBG_FATAL_FAILURE, "setup_nss_db failed.\n");
ea422c7061072c125eb53b40d7f3ca444d886913Sumit Bose test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
57c5ea8825c7179fd93382dbcbb07e828e5aec19René Genz /* Cleanup NSS and NSPR to make Valgrind happy. */