From 55880c04aed49711c71b745c3f29125b26899c1a Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 18 Sep 2023 13:37:43 +0200 Subject: [PATCH] intg: use file and proxy provider in PAM responder test All Smartcard authentication related tests are run now with the proxy provider and the deprecated files provider. If the files provider will be removed the tests can be removed by reverting this patch. --- src/tests/intg/test_pam_responder.py | 49 +++++++++++++++++++++------- 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py index e56502e9479..9387b938646 100644 --- a/src/tests/intg/test_pam_responder.py +++ b/src/tests/intg/test_pam_responder.py @@ -38,6 +38,25 @@ LDAP_BASE_DN = "dc=example,dc=com" +def provider_list(): + if os.environ['FILES_PROVIDER'] == "enabled": + return ('files', 'proxy') + else: + # The comma is required to indicate a list with the string 'proxy' as + # only item, without it the string 'proxy' will be interpreted as list + # with five letters. + return ('proxy',) + + +class provider_switch: + def __init__(self, p): + if p == 'files': + self.p = "id_provider = files\nfallback_to_nss = False\nlocal_auth_policy = enable:smartcard\n" + elif p == 'proxy': + self.p = "id_provider = proxy\nlocal_auth_policy = only\nproxy_lib_name = call\n" + else: + self.p = none + @pytest.fixture(scope="module") def ad_inst(request): @@ -116,7 +135,7 @@ def format_basic_conf(ldap_conn): shell='/bin/bash') -def format_pam_cert_auth_conf(config): +def format_pam_cert_auth_conf(config, provider): """Format a basic SSSD configuration""" return unindent("""\ [sssd] @@ -140,16 +159,14 @@ def format_pam_cert_auth_conf(config): [domain/auth_only] debug_level = 10 - id_provider = proxy - local_auth_policy = only - proxy_lib_name = call + {provider.p} [certmap/auth_only/user1] matchrule = .*CN=SSSD test cert 0001.* """).format(**locals()) -def format_pam_cert_auth_conf_name_format(config): +def format_pam_cert_auth_conf_name_format(config, provider): """Format SSSD configuration with full_name_format""" return unindent("""\ [sssd] @@ -175,9 +192,7 @@ def format_pam_cert_auth_conf_name_format(config): use_fully_qualified_names = True full_name_format = %2$s\\%1$s debug_level = 10 - id_provider = proxy - local_auth_policy = only - proxy_lib_name = call + {provider.p} [certmap/auth_only/user1] matchrule = .*CN=SSSD test cert 0001.* @@ -331,7 +346,7 @@ def create_sssd_fixture(request, krb5_conf_path=None): def simple_pam_cert_auth(request, passwd_ops_setup): """Setup SSSD with pam_cert_auth=True""" config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] - conf = format_pam_cert_auth_conf(config) + conf = format_pam_cert_auth_conf(config, provider_switch(request.param)) create_conf_fixture(request, conf) create_sssd_fixture(request) passwd_ops_setup.useradd(**USER1) @@ -347,7 +362,7 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup): old_softhsm2_conf = os.environ['SOFTHSM2_CONF'] del os.environ['SOFTHSM2_CONF'] - conf = format_pam_cert_auth_conf(config) + conf = format_pam_cert_auth_conf(config, provider_switch(request.param)) create_conf_fixture(request, conf) create_sssd_fixture(request) @@ -363,14 +378,14 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup): def simple_pam_cert_auth_name_format(request, passwd_ops_setup): """Setup SSSD with pam_cert_auth=True and full_name_format""" config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] - conf = format_pam_cert_auth_conf_name_format(config) + conf = format_pam_cert_auth_conf_name_format(config, provider_switch(request.param)) create_conf_fixture(request, conf) create_sssd_fixture(request) passwd_ops_setup.useradd(**USER1) passwd_ops_setup.useradd(**USER2) return None - +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_preauth_indicator(simple_pam_cert_auth): """Check if preauth indicator file is created""" statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available") @@ -452,6 +467,7 @@ def env_for_sssctl(request): return env_for_sssctl +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_sc_auth_wrong_pin(simple_pam_cert_auth, env_for_sssctl): sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", @@ -476,6 +492,7 @@ def test_sc_auth_wrong_pin(simple_pam_cert_auth, env_for_sssctl): "Authentication failure") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_sc_auth(simple_pam_cert_auth, env_for_sssctl): sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", @@ -499,6 +516,7 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl): assert err.find("pam_authenticate for user [user1]: Success") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_require_sc_auth(simple_pam_cert_auth, env_for_sssctl): sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", @@ -523,6 +541,7 @@ def test_require_sc_auth(simple_pam_cert_auth, env_for_sssctl): assert err.find("pam_authenticate for user [user1]: Success") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth_no_cert', provider_list(), indirect=True) def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl): # We have to wait about 20s before the command returns because there will @@ -558,6 +577,7 @@ def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl): "service cannot retrieve authentication info") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_try_sc_auth_no_map(simple_pam_cert_auth, env_for_sssctl): sssctl = subprocess.Popen(["sssctl", "user-checks", "user2", @@ -583,6 +603,7 @@ def test_try_sc_auth_no_map(simple_pam_cert_auth, env_for_sssctl): "service cannot retrieve authentication info") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl): sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", @@ -607,6 +628,7 @@ def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl): assert err.find("pam_authenticate for user [user1]: Success") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_try_sc_auth_root(simple_pam_cert_auth, env_for_sssctl): """ Make sure pam_sss returns PAM_AUTHINFO_UNAVAIL even for root if @@ -635,6 +657,7 @@ def test_try_sc_auth_root(simple_pam_cert_auth, env_for_sssctl): "service cannot retrieve authentication info") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_sc_auth_missing_name(simple_pam_cert_auth, env_for_sssctl): """ Test pam_sss allow_missing_name feature. @@ -662,6 +685,7 @@ def test_sc_auth_missing_name(simple_pam_cert_auth, env_for_sssctl): assert err.find("pam_authenticate for user [user1]: Success") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth', provider_list(), indirect=True) def test_sc_auth_missing_name_whitespace(simple_pam_cert_auth, env_for_sssctl): """ Test pam_sss allow_missing_name feature. @@ -689,6 +713,7 @@ def test_sc_auth_missing_name_whitespace(simple_pam_cert_auth, env_for_sssctl): assert err.find("pam_authenticate for user [user1]: Success") != -1 +@pytest.mark.parametrize('simple_pam_cert_auth_name_format', provider_list(), indirect=True) def test_sc_auth_name_format(simple_pam_cert_auth_name_format, env_for_sssctl): """ Test that full_name_format is respected with pam_sss allow_missing_name