
account PAM interface calls acct_mgmt function in handler
ethho committed Feb 23, 2024
1 parent 880d0f7 commit d2e9cc6
Showing 2 changed files with 17 additions and 44 deletions.
6 changes: 6 additions & 0 deletions pam-oidc/src/lib.rs
Expand Up @@ -148,23 +148,29 @@ impl PamServiceModule for PamCustom {
}

fn chauthtok(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
info!("chauthtok called.");
PamError::SUCCESS
}

fn open_session(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
info!("open_session called.");
PamError::SUCCESS
}

fn close_session(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
info!("close_session called.");
PamError::SUCCESS
}

fn setcred(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
info!("setcred called.");
PamError::SUCCESS
}

fn acct_mgmt(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
info!("acct_mgmt called.");
PamError::SUCCESS
// PamError::USER_UNKNOWN
}
}

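Review bot: The new `acct_mgmt` returns `PamError::SUCCESS` without looking at `_pamh`, the user, or any token state, so an `account` line for this module in `/etc/pam.d/oidc` can never reject a disabled or expired account — it silently relies on the `auth` phase having decided everything. If that is the intended policy it should be stated in a doc comment rather than hinted at by the dead `// PamError::USER_UNKNOWN` line, which a later maintainer may read as a half-finished check; suggested replacement for the body: `/// Account stage is intentionally a no-op: validity is decided during authentication, so this always returns SUCCESS.` followed by `info!("acct_mgmt called.");` and `PamError::SUCCESS`, with the commented-out variant removed. If a real check is planned, note in the same comment which failure code it should return, since `USER_UNKNOWN` and `PERM_DENIED`/`AUTH_ERR` are treated differently by stack controls such as `required` versus `sufficient`. The enclosing `impl PamServiceModule for PamCustom` block starts before this hunk.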
55 changes: 11 additions & 44 deletions tests/test.sh
@@ -1,46 +1,13 @@
#!/bin/bash

# set -a && . .env && ./tests/test.sh mariadb && set +a
# set -a && . .env && ./tests/test.sh percona && set +a

mariadb() {
set -e
ROOT_PASSWORD=simple
docker rm -f database
docker run --name database -de MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} mariadb:10.7 # does not work with latest and non-v1
until docker exec -it database mysql -h 127.0.0.1 -uroot -p${ROOT_PASSWORD} -e "SELECT 1;" 1>/dev/null
do
echo waiting...
sleep 5
done
docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "INSTALL SONAME 'auth_pam_v1';"
docker cp ./config/service_example database:/etc/pam.d/oidc
docker cp ./pam-oidc/target/debug/libpam_oidc.so database:/lib/x86_64-linux-gnu/security/libpam_oidc.so
docker exec -it database mkdir /etc/datajoint
docker cp ./config/libpam_oidc.yaml database:/etc/datajoint/
docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "CREATE USER '${DJ_AUTH_USER}'@'%' IDENTIFIED VIA pam USING 'oidc';"
docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -pdeny -e "SELECT 'delegated to oidc' as login;"
}

percona() {
set -e
ROOT_PASSWORD=simple
docker rm -f database
docker run --name database -de MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} --entrypoint bash percona:8 -c "echo 'plugin_load_add = auth_pam.so' >> /etc/my.cnf && /docker-entrypoint.sh mysqld"
until docker exec -it database mysql -h 127.0.0.1 -uroot -p${ROOT_PASSWORD} -e "SELECT 1;" 1>/dev/null
do
echo waiting...
sleep 5
done
docker cp ./config/service_example database:/etc/pam.d/oidc
docker cp ./pam-oidc/target/debug/libpam_oidc.so database:/usr/lib64/security/libpam_oidc.so
docker exec -itu root database mkdir /etc/datajoint
docker cp ./config/libpam_oidc.yaml database:/etc/datajoint/
docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "CREATE USER '${DJ_AUTH_USER}'@'%' IDENTIFIED WITH auth_pam AS 'oidc';"
docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -pdeny -e "SELECT 'delegated to oidc' as login;"
}

# Usage:
# ./tests/test.sh '<demouser_password>'

docker compose up --build -d --wait percona
docker compose exec percona mysql -hlocalhost -uroot -ppassword -e "CREATE USER 'demouser'@'%' IDENTIFIED WITH auth_pam AS 'oidc';"
docker compose exec percona mysql -hlocalhost -uroot -ppassword -e "SHOW PLUGINS;" | grep auth_pam
docker compose exec percona mysql -hlocalhost -udemouser -p"$1" -e "SELECT 1;" || echo "Failed to authenticate with real password"
docker compose exec percona mysql -hlocalhost -udemouser -p'bogus_password' -e "SELECT 1;" || echo "Failed to authenticate for bogus password"
sleep 3
docker compose logs percona
docker compose down
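Review bot: The negative case on the `bogus_password` line never fails the script: `|| echo …` only prints when authentication is refused, so if the PAM module accepts the wrong password — the one outcome this test exists to catch — nothing is printed and the script exits 0. The positive case has the same shape and also exits 0 on failure, and because there is no `set -e` or trap, a failing `docker compose up` or `CREATE USER` still runs the rest of the script. Invert the bogus-password check so success is the failure, make the real-password check exit non-zero, and move `logs`/`down` into an EXIT trap so the container is torn down on every path. Separately, both the root password (`-ppassword`) and `$1` are passed on the command line and so show up in `ps` output and shell history; passing them through `MYSQL_PWD` with `docker compose exec -e` would avoid that in shared CI runners.
```bash
#!/bin/bash
set -u
trap 'sleep 3; docker compose logs percona; docker compose down' EXIT
# … unchanged: docker compose up, CREATE USER, SHOW PLUGINS | grep auth_pam …
if ! docker compose exec percona mysql -hlocalhost -udemouser -p"$1" -e "SELECT 1;"; then
    echo "Failed to authenticate with real password"
    exit 1
fi
if docker compose exec percona mysql -hlocalhost -udemouser -p'bogus_password' -e "SELECT 1;"; then
    echo "Bogus password was accepted — PAM module is not rejecting bad credentials"
    exit 1
fi
```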
