c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
331 lines
11 KiB
Diff
331 lines
11 KiB
Diff
From 657f3b89bca9adfb13f0867c91f1d76845d2d6dd Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Fri, 7 Sep 2018 22:26:21 +0200
|
|
Subject: [PATCH 37/83] intg: add Smartcard authentication tests
|
|
|
|
Two test for Smartcard authentication of a local user, i.e. a user
|
|
managed by the files provider, are added. One for a successful
|
|
authentication, the other for a failed authentication with a wrong PIN.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
configure.ac | 1 +
|
|
contrib/ci/deps.sh | 2 +
|
|
contrib/sssd.spec.in | 1 +
|
|
src/external/cwrap.m4 | 5 ++
|
|
src/external/intgcheck.m4 | 1 +
|
|
src/tests/intg/Makefile.am | 24 ++++++-
|
|
src/tests/intg/test_pam_responder.py | 131 ++++++++++++++++++++++++++++++++---
|
|
7 files changed, 155 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index bb18ad4..5816b04 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -495,6 +495,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
|
|
AM_CHECK_CMOCKA
|
|
AM_CHECK_UID_WRAPPER
|
|
AM_CHECK_NSS_WRAPPER
|
|
+AM_CHECK_PAM_WRAPPER
|
|
AM_CHECK_TEST_CA
|
|
|
|
# Check if the user wants SSSD to be compiled with systemtap probes
|
|
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
|
|
index 5906e53..c04c7aa 100644
|
|
--- a/contrib/ci/deps.sh
|
|
+++ b/contrib/ci/deps.sh
|
|
@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
|
|
pyldb
|
|
rpm-build
|
|
uid_wrapper
|
|
+ pam_wrapper
|
|
python-requests
|
|
curl-devel
|
|
krb5-server
|
|
@@ -117,6 +118,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
|
|
fakeroot
|
|
libnss-wrapper
|
|
libuid-wrapper
|
|
+ libpam-wrapper
|
|
python-pytest
|
|
python-ldap
|
|
python-ldb
|
|
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
|
index 5ebd51f..26fae6d 100644
|
|
--- a/contrib/sssd.spec.in
|
|
+++ b/contrib/sssd.spec.in
|
|
@@ -237,6 +237,7 @@ BuildRequires: selinux-policy-targeted
|
|
BuildRequires: libcmocka-devel >= 1.0.0
|
|
BuildRequires: uid_wrapper
|
|
BuildRequires: nss_wrapper
|
|
+BuildRequires: pam_wrapper
|
|
|
|
# Test CA requires openssl independent if SSSD is build with NSS or openssl,
|
|
# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
|
|
diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4
|
|
index b8489cc..6e3487c 100644
|
|
--- a/src/external/cwrap.m4
|
|
+++ b/src/external/cwrap.m4
|
|
@@ -28,3 +28,8 @@ AC_DEFUN([AM_CHECK_NSS_WRAPPER],
|
|
[
|
|
AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
|
|
])
|
|
+
|
|
+AC_DEFUN([AM_CHECK_PAM_WRAPPER],
|
|
+[
|
|
+ AM_CHECK_WRAPPER(pam_wrapper, HAVE_PAM_WRAPPER)
|
|
+])
|
|
diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
|
|
index 60a7bf3..c14f669 100644
|
|
--- a/src/external/intgcheck.m4
|
|
+++ b/src/external/intgcheck.m4
|
|
@@ -22,6 +22,7 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
|
|
if test x"$enable_intgcheck_reqs" = xyes; then
|
|
SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper])
|
|
SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper])
|
|
+ SSS_INTGCHECK_REQ([HAVE_PAM_WRAPPER], [pam_wrapper])
|
|
SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd])
|
|
SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify])
|
|
SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot])
|
|
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
|
index 6f7605b..bb3a7f0 100644
|
|
--- a/src/tests/intg/Makefile.am
|
|
+++ b/src/tests/intg/Makefile.am
|
|
@@ -105,13 +105,29 @@ passwd: root
|
|
group:
|
|
echo "root:x:0:" > $@
|
|
|
|
+PAM_SERVICE_DIR=pam_service_dir
|
|
+pam_sss_service:
|
|
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
|
|
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@
|
|
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
|
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
|
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
|
+
|
|
CLEANFILES=config.py config.pyc passwd group
|
|
|
|
clean-local:
|
|
rm -Rf root
|
|
rm -f $(builddir)/cwrap-dbus-system.conf
|
|
|
|
-intgcheck-installed: config.py passwd group
|
|
+if HAVE_NSS
|
|
+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"
|
|
+SOFTHSM2_CONF=""
|
|
+else
|
|
+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
|
+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
|
+endif
|
|
+
|
|
+intgcheck-installed: config.py passwd group pam_sss_service
|
|
pipepath="$(DESTDIR)$(pipepath)"; \
|
|
if test $${#pipepath} -gt 80; then \
|
|
echo "error: Pipe directory path too long," \
|
|
@@ -131,12 +147,18 @@ intgcheck-installed: config.py passwd group
|
|
LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
|
|
NON_WRAPPED_UID=$$(id -u) \
|
|
LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
|
|
+ LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \
|
|
NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
|
|
NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
|
|
NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
|
|
NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
|
|
UID_WRAPPER=1 \
|
|
UID_WRAPPER_ROOT=1 \
|
|
+ PAM_WRAPPER=0 \
|
|
+ PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \
|
|
+ PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \
|
|
+ PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
|
|
+ SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
|
|
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
|
|
DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
|
|
DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \
|
|
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
|
index cf6fff2..c6d048c 100644
|
|
--- a/src/tests/intg/test_pam_responder.py
|
|
+++ b/src/tests/intg/test_pam_responder.py
|
|
@@ -27,31 +27,44 @@ import signal
|
|
import errno
|
|
import subprocess
|
|
import time
|
|
-import pytest
|
|
+import shutil
|
|
|
|
import config
|
|
|
|
-from util import unindent
|
|
+import pytest
|
|
+
|
|
+from intg.util import unindent
|
|
+from intg.files_ops import passwd_ops_setup
|
|
|
|
+USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
|
|
+ gecos='User for tests',
|
|
+ dir='/home/user1',
|
|
+ shell='/bin/bash')
|
|
|
|
-def format_pam_cert_auth_conf():
|
|
+
|
|
+def format_pam_cert_auth_conf(config):
|
|
"""Format a basic SSSD configuration"""
|
|
return unindent("""\
|
|
[sssd]
|
|
+ debug_level = 10
|
|
domains = auth_only
|
|
- services = pam
|
|
+ services = pam, nss
|
|
|
|
[nss]
|
|
+ debug_level = 10
|
|
|
|
[pam]
|
|
pam_cert_auth = True
|
|
+ pam_p11_allowed_services = +pam_sss_service
|
|
+ pam_cert_db_path = {config.PAM_CERT_DB_PATH}
|
|
debug_level = 10
|
|
|
|
[domain/auth_only]
|
|
- id_provider = ldap
|
|
- auth_provider = ldap
|
|
- chpass_provider = ldap
|
|
- access_provider = ldap
|
|
+ debug_level = 10
|
|
+ id_provider = files
|
|
+
|
|
+ [certmap/auth_only/user1]
|
|
+ matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
|
""").format(**locals())
|
|
|
|
|
|
@@ -79,6 +92,8 @@ def create_conf_fixture(request, contents):
|
|
|
|
def create_sssd_process():
|
|
"""Start the SSSD process"""
|
|
+ os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
|
|
+ os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
|
|
if subprocess.call(["sssd", "-D", "-f"]) != 0:
|
|
raise Exception("sssd start failed")
|
|
|
|
@@ -116,12 +131,41 @@ def create_sssd_fixture(request):
|
|
request.addfinalizer(cleanup_sssd_process)
|
|
|
|
|
|
+def create_nssdb():
|
|
+ os.mkdir(config.SYSCONFDIR + "/pki")
|
|
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
|
|
+ if subprocess.call(["certutil", "-N", "-d",
|
|
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
|
|
+ "--empty-password"]) != 0:
|
|
+ raise Exception("certutil failed")
|
|
+
|
|
+ pkcs11_txt = open(config.SYSCONFDIR + "/pki/nssdb/pkcs11.txt", "w")
|
|
+ pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
|
|
+ "parameters=configdir='sql:" + config.ABS_BUILDDIR +
|
|
+ "/../test_CA/p11_nssdb' " +
|
|
+ "dbSlotDescription='SSSD Test Slot' " +
|
|
+ "dbTokenDescription='SSSD Test Token' " +
|
|
+ "secmod='secmod.db' flags=readOnly)\n\n")
|
|
+ pkcs11_txt.close()
|
|
+
|
|
+
|
|
+def cleanup_nssdb():
|
|
+ shutil.rmtree(config.SYSCONFDIR + "/pki")
|
|
+
|
|
+
|
|
+def create_nssdb_fixture(request):
|
|
+ create_nssdb()
|
|
+ request.addfinalizer(cleanup_nssdb)
|
|
+
|
|
+
|
|
@pytest.fixture
|
|
def simple_pam_cert_auth(request):
|
|
"""Setup SSSD with pam_cert_auth=True"""
|
|
- conf = format_pam_cert_auth_conf()
|
|
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
|
+ conf = format_pam_cert_auth_conf(config)
|
|
create_conf_fixture(request, conf)
|
|
create_sssd_fixture(request)
|
|
+ create_nssdb_fixture(request)
|
|
return None
|
|
|
|
|
|
@@ -129,3 +173,72 @@ def test_preauth_indicator(simple_pam_cert_auth):
|
|
"""Check if preauth indicator file is created"""
|
|
statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")
|
|
assert stat.S_ISREG(statinfo.st_mode)
|
|
+
|
|
+
|
|
+@pytest.fixture
|
|
+def pam_wrapper_setup(request):
|
|
+ pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
|
|
+ if pwrap_runtimedir is None:
|
|
+ raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
|
|
+
|
|
+
|
|
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
|
|
+ passwd_ops_setup):
|
|
+
|
|
+ passwd_ops_setup.useradd(**USER1)
|
|
+ current_env = os.environ.copy()
|
|
+ current_env['PAM_WRAPPER'] = "1"
|
|
+ current_env['SSSD_INTG_PEER_UID'] = "0"
|
|
+ current_env['SSSD_INTG_PEER_GID'] = "0"
|
|
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
|
+
|
|
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
|
+ "--action=auth", "--service=pam_sss_service"],
|
|
+ universal_newlines=True,
|
|
+ env=current_env, stdin=subprocess.PIPE,
|
|
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
+
|
|
+ try:
|
|
+ out, err = sssctl.communicate(input="111")
|
|
+ except:
|
|
+ sssctl.kill()
|
|
+ out, err = sssctl.communicate()
|
|
+
|
|
+ sssctl.stdin.close()
|
|
+ sssctl.stdout.close()
|
|
+
|
|
+ if sssctl.wait() != 0:
|
|
+ raise Exception("sssctl failed")
|
|
+
|
|
+ assert err.find("pam_authenticate for user [user1]: " +
|
|
+ "Authentication failure") != -1
|
|
+
|
|
+
|
|
+def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
|
|
+
|
|
+ passwd_ops_setup.useradd(**USER1)
|
|
+ current_env = os.environ.copy()
|
|
+ current_env['PAM_WRAPPER'] = "1"
|
|
+ current_env['SSSD_INTG_PEER_UID'] = "0"
|
|
+ current_env['SSSD_INTG_PEER_GID'] = "0"
|
|
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
|
+
|
|
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
|
+ "--action=auth", "--service=pam_sss_service"],
|
|
+ universal_newlines=True,
|
|
+ env=current_env, stdin=subprocess.PIPE,
|
|
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
+
|
|
+ try:
|
|
+ out, err = sssctl.communicate(input="123456")
|
|
+ except:
|
|
+ sssctl.kill()
|
|
+ out, err = sssctl.communicate()
|
|
+
|
|
+ sssctl.stdin.close()
|
|
+ sssctl.stdout.close()
|
|
+
|
|
+ if sssctl.wait() != 0:
|
|
+ raise Exception("sssctl failed")
|
|
+
|
|
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
|
--
|
|
2.9.5
|
|
|