c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work with openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resolves: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicates when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
From 4a22fb6bba6662ad628f6e17203e8ccf20eb9666 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Tue, 9 Oct 2018 10:46:43 +0200
|
|
Subject: [PATCH 68/83] tests: add PKCS#11 URI tests
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3814
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++
|
|
src/tests/test_CA/Makefile.am | 16 +++++-
|
|
2 files changed, 135 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
index 2b02ac2..7fc9224 100644
|
|
--- a/src/tests/cmocka/test_pam_srv.c
|
|
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
@@ -65,6 +65,7 @@
|
|
#endif
|
|
|
|
#define TEST_TOKEN_NAME "SSSD Test Token"
|
|
+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
|
|
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
|
|
#ifdef HAVE_NSS
|
|
#define TEST_MODULE_NAME "NSS-Internal"
|
|
@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
|
return EOK;
|
|
}
|
|
|
|
+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
|
|
+ size_t blen, enum response_type type,
|
|
+ const char *name)
|
|
+{
|
|
+ size_t rp = 0;
|
|
+ uint32_t val;
|
|
+ size_t check2_len = 0;
|
|
+ char const *check2_strings[] = { NULL,
|
|
+ TEST_TOKEN2_NAME,
|
|
+ TEST_MODULE_NAME,
|
|
+ TEST2_KEY_ID,
|
|
+ TEST2_PROMPT,
|
|
+ NULL };
|
|
+
|
|
+ assert_int_equal(status, 0);
|
|
+
|
|
+ check2_strings[0] = name;
|
|
+ check2_len = check_string_array_len(check2_strings);
|
|
+
|
|
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
|
|
+
|
|
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
+ assert_int_equal(val, 2);
|
|
+
|
|
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
|
|
+
|
|
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
+ assert_int_equal(val, 9);
|
|
+
|
|
+ assert_int_equal(*(body + rp + val - 1), 0);
|
|
+ assert_string_equal(body + rp, TEST_DOM_NAME);
|
|
+ rp += val;
|
|
+
|
|
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
+ assert_int_equal(val, type);
|
|
+
|
|
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
+ assert_int_equal(val, check2_len);
|
|
+
|
|
+ check_string_array(check2_strings, body, &rp);
|
|
+
|
|
+ assert_int_equal(rp, blen);
|
|
+
|
|
+ return EOK;
|
|
+}
|
|
+
|
|
static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
{
|
|
return test_pam_cert_check_ex(status, body, blen,
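Review bot: `assert_int_equal(val, 9);` in test_pam_cert2_token2_check_ex pins the domain-name length to a magic number that only holds for the current TEST_DOM_NAME; if TEST_DOM_NAME is a string-literal macro, `assert_int_equal(val, sizeof(TEST_DOM_NAME));` expresses the same NUL-inclusive length and survives a rename. The new function also appears to be a near-verbatim copy of test_pam_cert_check_ex (whose body lies outside the hunk) with the token-2 constants substituted, so any change to the response layout now has to be made twice; passing the expected token name, key id and prompt as parameters of one checker would remove the duplication. Note as well that the parser advances `rp` through `body` with only the final `assert_int_equal(rp, blen)` bounding it, so a truncated response over-reads the buffer before that assertion fires; an `assert_true(rp + sizeof(uint32_t) <= blen)` ahead of each SAFEALIGN_COPY_UINT32 would fail cleanly instead.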
|
|
@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
NULL);
|
|
}
|
|
|
|
+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen)
|
|
+{
|
|
+ return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO,
|
|
+ "pamuser@"TEST_DOM_NAME);
|
|
+}
|
|
+
|
|
static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,
|
|
size_t blen)
|
|
{
|
|
@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
|
|
assert_int_equal(ret, EOK);
|
|
}
|
|
|
|
+void test_pam_cert_preauth_uri_token1(void **state)
|
|
+{
|
|
+ int ret;
|
|
+
|
|
+ struct sss_test_conf_param pam_params[] = {
|
|
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" },
|
|
+ { NULL, NULL }, /* Sentinel */
|
|
+ };
|
|
+
|
|
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
|
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
|
|
+
|
|
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
|
|
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
|
|
+
|
|
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
+
|
|
+ set_cmd_cb(test_pam_cert_check);
|
|
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
|
+ pam_test_ctx->pam_cmds);
|
|
+ assert_int_equal(ret, EOK);
|
|
+
|
|
+ /* Wait until the test finishes with EOK */
|
|
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
+ assert_int_equal(ret, EOK);
|
|
+}
|
|
+
|
|
+void test_pam_cert_preauth_uri_token2(void **state)
|
|
+{
|
|
+ int ret;
|
|
+
|
|
+ struct sss_test_conf_param pam_params[] = {
|
|
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" },
|
|
+ { NULL, NULL }, /* Sentinel */
|
|
+ };
|
|
+
|
|
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
|
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
|
|
+
|
|
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
|
|
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false);
|
|
+
|
|
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
+
|
|
+ set_cmd_cb(test_pam_cert2_check);
|
|
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
|
+ pam_test_ctx->pam_cmds);
|
|
+ assert_int_equal(ret, EOK);
|
|
+
|
|
+ /* Wait until the test finishes with EOK */
|
|
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
+ assert_int_equal(ret, EOK);
|
|
+}
|
|
|
|
void test_filter_response(void **state)
|
|
{
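Review bot: `putenv(discard_const("SOFTHSM2_CONF=" ...))` in both new tests changes a process-wide variable that nothing in the hunk restores, so any later test in the same binary that relies on the default SoftHSM configuration becomes order-dependent unless pam_test_teardown (outside the hunk) clears it; an `unsetenv("SOFTHSM2_CONF")` in teardown, or saving and restoring the previous value, would make that explicit. The two tests only exercise the positive path: each URI names the token whose certificate is mocked, and it is not obvious from these asserts that they would fail if the URI filter were ignored and both tokens searched, so a test that points the URI at token 1 while only certificate 0002 is presented, expecting no SSS_PAM_CERT_INFO in the reply, would pin that the URI actually restricts the lookup. Finally, test_pam_cert_preauth_uri_token1 and test_pam_cert_preauth_uri_token2 differ only in the URI string, the certificate constant and the check callback; a small static helper taking those three arguments would halve the duplicated setup.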
|
|
@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[])
|
|
pam_test_setup, pam_test_teardown),
|
|
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
|
|
pam_test_setup, pam_test_teardown),
|
|
+#ifndef HAVE_NSS
|
|
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1,
|
|
+ pam_test_setup, pam_test_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2,
|
|
+ pam_test_setup, pam_test_teardown),
|
|
+#endif /* ! HAVE_NSS */
|
|
#endif /* HAVE_TEST_CA */
|
|
|
|
cmocka_unit_test_setup_teardown(test_filter_response,
|
|
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
|
|
index 1bce2c3..b574c76 100644
|
|
--- a/src/tests/test_CA/Makefile.am
|
|
+++ b/src/tests/test_CA/Makefile.am
|
|
@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
|
|
if HAVE_NSS
|
|
extra = p11_nssdb p11_nssdb_2certs
|
|
else
|
|
-extra = softhsm2_none softhsm2_one softhsm2_two
|
|
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens
|
|
endif
|
|
|
|
# If openssl is run in parallel there might be conflicts with the serial
|
|
@@ -114,6 +114,20 @@ softhsm2_two.conf:
|
|
@echo "objectstore.backend = file" >> $@
|
|
@echo "slots.removable = true" >> $@
|
|
|
|
+softhsm2_2tokens: softhsm2_2tokens.conf
|
|
+ mkdir $@
|
|
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
|
|
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
|
|
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
|
|
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free
|
|
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
|
|
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
|
|
+
|
|
+softhsm2_2tokens.conf:
|
|
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@
|
|
+ @echo "objectstore.backend = file" >> $@
|
|
+ @echo "slots.removable = true" >> $@
|
|
+
|
|
CLEANFILES = \
|
|
index.txt index.txt.attr \
|
|
index.txt.attr.old index.txt.old \
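Review bot: `mkdir $@` in the new softhsm2_2tokens rule is not idempotent: if any of the following softhsm2-util or p11tool steps fails, the directory already exists, make treats the target as up to date on the next run, and the tests then execute against a half-initialized token store. The other softhsm2_* recipes are outside the hunk so I cannot tell whether they share the pattern, but `rm -rf $@ && mkdir $@` at the top of the recipe, or building into a temporary directory and renaming it as the last step, gives a clean retry. The generated directory and softhsm2_2tokens.conf should also be covered by the CLEANFILES/clean-local list that starts just below the hunk, if they are not already, so that `make clean` does not leave the token store and its hard-coded test PINs (123456/654321) in the build tree.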
|
|
--
|
|
2.9.5
|
|
|