transaction_test: Add root-less tests to check pam conversation

Use pam_succeed_if to make it implicitly ask for the user name and
verify that the provided one is correct.

This can safely run as a regular (non-root) user.
Marco Trevisan (Treviño) 2023-09-19 18:40:17 +02:00
parent 1cab6e699c
commit a22a1abf3f
2 changed files with 48 additions and 0 deletions


@ -0,0 +1,2 @@
# Custom stack to deny permit, independent of the user name/pass
auth requisite pam_succeed_if.so user = testuser
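Review bot: The header comment on the new service file does not describe the rule under it: "deny permit" reads like a leftover from another test stack, while the `auth requisite pam_succeed_if.so user = testuser` line lets authentication succeed only when the user name is `testuser`, whatever password is supplied. I would reword it to `# Custom stack that succeeds only for user "testuser", independent of the password`. It would also help to add a comment saying the stack is a test fixture and must not be installed as a real service, since it accepts any password for that user.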


@ -244,6 +244,52 @@ func TestPAM_ConfDir_Deny(t *testing.T) {
}
}
func TestPAM_ConfDir_PromptForUserName(t *testing.T) {
c := Credentials{
User: "testuser",
// the custom service only cares about correct user name.
Password: "wrongsecret",
}
tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services")
if !CheckPamHasStartConfdir() {
if err == nil {
t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err)
}
// nothing else we do, we don't support it.
return
}
if err != nil {
t.Fatalf("start #error: %v", err)
}
err = tx.Authenticate(0)
if err != nil {
t.Fatalf("authenticate #error: %v", err)
}
}
func TestPAM_ConfDir_WrongUserName(t *testing.T) {
c := Credentials{
User: "wronguser",
Password: "wrongsecret",
}
tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services")
if !CheckPamHasStartConfdir() {
if err == nil {
t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err)
}
// nothing else we do, we don't support it.
return
}
err = tx.Authenticate(0)
if err == nil {
t.Fatalf("authenticate #expected an error")
}
s := err.Error()
if len(s) == 0 {
t.Fatalf("error #expected an error message")
}
}
func TestItem(t *testing.T) {
tx, _ := StartFunc("passwd", "test", func(s Style, msg string) (string, error) {
return "", nil
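Review bot: TestPAM_ConfDir_WrongUserName never checks the `err` returned by `StartConfDir` once `CheckPamHasStartConfdir()` is true, so a failed start reaches `tx.Authenticate(0)` with a possibly nil `tx` and the test would panic instead of failing clearly. TestPAM_ConfDir_PromptForUserName already has this guard; the same `if err != nil { t.Fatalf("start #error: %v", err) }` belongs before the `Authenticate` call here. The negative assertion is also loose: any non-empty error passes, so a missing or unreadable `succeed-if-user-test` file could make the denial test pass for the wrong reason. If the package exposes the PAM result, asserting that the failure is an authentication error would make it meaningful. Separately, in both tests the "start should have errored out" message formats `err` in a branch where it is known to be nil, so the `%v` can be dropped.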