From d2e9cc6b9712896bb1b18bd2fd0c131bc5e673fd Mon Sep 17 00:00:00 2001
From: Ethan Ho <53266718+ethho@users.noreply.github.com>
Date: Fri, 23 Feb 2024 13:14:24 -0600
Subject: [PATCH] account PAM interface calls acct_mgmt function in handler

---
 pam-oidc/src/lib.rs | 6 +++++
 tests/test.sh | 55 +++++++++------------------------------------
 2 files changed, 17 insertions(+), 44 deletions(-)

diff --git a/pam-oidc/src/lib.rs b/pam-oidc/src/lib.rs
index 66663e7..1ca5c2b 100644
--- a/pam-oidc/src/lib.rs
+++ b/pam-oidc/src/lib.rs
@@ -148,23 +148,29 @@ impl PamServiceModule for PamCustom {
 }
 
 fn chauthtok(_pamh: Pam, _flags: PamFlags, _args: Vec) -> PamError {
+ info!("chauthtok called.");
 PamError::SUCCESS
 }
 
 fn open_session(_pamh: Pam, _flags: PamFlags, _args: Vec) -> PamError {
+ info!("open_session called.");
 PamError::SUCCESS
 }
 
 fn close_session(_pamh: Pam, _flags: PamFlags, _args: Vec) -> PamError {
+ info!("close_session called.");
 PamError::SUCCESS
 }
 
 fn setcred(_pamh: Pam, _flags: PamFlags, _args: Vec) -> PamError {
+ info!("setcred called.");
 PamError::SUCCESS
 }
 
 fn acct_mgmt(_pamh: Pam, _flags: PamFlags, _args: Vec) -> PamError {
+ info!("acct_mgmt called.");
 PamError::SUCCESS
+ // PamError::USER_UNKNOWN
 }
 }
 
diff --git a/tests/test.sh b/tests/test.sh
index 8057e37..1bb77cb 100755
--- a/tests/test.sh
+++ b/tests/test.sh
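Review bot: `acct_mgmt` still returns `PamError::SUCCESS` unconditionally, so the PAM `account` stage performs no check at all — every account that passed `auth` is reported valid, unexpired and authorized — and the new `// PamError::USER_UNKNOWN` placed after the tail expression is dead commented-out code that does not say when that result is meant to apply. Either document the stub contract on the method, e.g. `/// Account management is not enforced: every account is reported valid. Do not rely on the `account` stage of this module for expiry or authorization checks.`, or replace the commented line with a `// TODO:` naming the condition under which `USER_UNKNOWN` should be returned. The same unconditional-success shape applies to `chauthtok`, `open_session`, `close_session` and `setcred` in this hunk; the added `info!` lines make the invoked stages traceable but carry nothing that identifies the request, so whether the user name from the PAM handle should be logged depends on what the `Pam` type exposes (not visible here). The enclosing `impl PamServiceModule for PamCustom` begins outside the hunk.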
@@ -1,46 +1,13 @@
 #!/bin/bash
-# set -a && . .env && ./tests/test.sh mariadb && set +a
-# set -a && . .env && ./tests/test.sh percona && set +a
-
-mariadb() {
- set -e
- ROOT_PASSWORD=simple
- docker rm -f database
- docker run --name database -de MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} mariadb:10.7 # does not work with latest and non-v1
- until docker exec -it database mysql -h 127.0.0.1 -uroot -p${ROOT_PASSWORD} -e "SELECT 1;" 1>/dev/null
- do
- echo waiting...
- sleep 5
- done
- docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "INSTALL SONAME 'auth_pam_v1';"
- docker cp ./config/service_example database:/etc/pam.d/oidc
- docker cp ./pam-oidc/target/debug/libpam_oidc.so database:/lib/x86_64-linux-gnu/security/libpam_oidc.so
- docker exec -it database mkdir /etc/datajoint
- docker cp ./config/libpam_oidc.yaml database:/etc/datajoint/
- docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "CREATE USER '${DJ_AUTH_USER}'@'%' IDENTIFIED VIA pam USING 'oidc';"
- docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
- docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
- docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -pdeny -e "SELECT 'delegated to oidc' as login;"
-}
-
-percona() {
- set -e
- ROOT_PASSWORD=simple
- docker rm -f database
- docker run --name database -de MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} --entrypoint bash percona:8 -c "echo 'plugin_load_add = auth_pam.so' >> /etc/my.cnf && /docker-entrypoint.sh mysqld"
- until docker exec -it database mysql -h 127.0.0.1 -uroot -p${ROOT_PASSWORD} -e "SELECT 1;" 1>/dev/null
- do
- echo waiting...
- sleep 5
- done
- docker cp ./config/service_example database:/etc/pam.d/oidc
- docker cp ./pam-oidc/target/debug/libpam_oidc.so database:/usr/lib64/security/libpam_oidc.so
- docker exec -itu root database mkdir /etc/datajoint
- docker cp ./config/libpam_oidc.yaml database:/etc/datajoint/
- docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "CREATE USER '${DJ_AUTH_USER}'@'%' IDENTIFIED WITH auth_pam AS 'oidc';"
- docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
- docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
- docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -pdeny -e "SELECT 'delegated to oidc' as login;"
-}
-
+# Usage:
+# ./tests/test.sh ''
+
+docker compose up --build -d --wait percona
+docker compose exec percona mysql -hlocalhost -uroot -ppassword -e "CREATE USER 'demouser'@'%' IDENTIFIED WITH auth_pam AS 'oidc';"
+docker compose exec percona mysql -hlocalhost -uroot -ppassword -e "SHOW PLUGINS;" | grep auth_pam
+docker compose exec percona mysql -hlocalhost -udemouser -p"$1" -e "SELECT 1;" || echo "Failed to authenticate with real password"
+docker compose exec percona mysql -hlocalhost -udemouser -p'bogus_password' -e "SELECT 1;" || echo "Failed to authenticate for bogus password"
+sleep 3
+docker compose logs percona
+docker compose down
\ No newline at end of file
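Review bot: The negative test on the new `-p'bogus_password'` line cannot fail: both login attempts use `|| echo …`, so a login that wrongly succeeds with the bogus password prints nothing, and the script's exit status is whatever `docker compose down` returns, never the outcome of the checks. The bogus-password case should assert rejection, and a failure in either check should be carried past the teardown as a non-zero exit, as below. Passing the real password as `$1` also leaves it in shell history and in the argument list visible inside the container; reading it from an environment variable would at least avoid the history copy. The usage comment `# ./tests/test.sh ''` looks as though its placeholder was lost in rendering — worth confirming the file actually names the argument.
```shell
# … unchanged: compose up, CREATE USER, SHOW PLUGINS …
status=0
docker compose exec percona mysql -hlocalhost -udemouser -p"$1" -e "SELECT 1;" || { echo "Failed to authenticate with real password" >&2; status=1; }
if docker compose exec percona mysql -hlocalhost -udemouser -p'bogus_password' -e "SELECT 1;"; then
    echo "Bogus password was accepted" >&2
    status=1
fi
# … unchanged: sleep, logs …
docker compose down
exit "$status"
```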