DEV-421: Debug error message

config/mysql-any-password

@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth        required    pam_permit.so
+#account     required    pam_permit.so

config/service_example

@@ -1,2 +1,2 @@
-auth sufficient libpam_oidc.so /etc/datajoint/libpam_oidc.yaml
-account optional libpam_oidc.so
+auth required libpam_oidc.so /etc/datajoint/libpam_oidc.yaml
+account optional libpam_oidc.so /etc/datajoint/libpam_oidc.yaml

docker/builder.dockerfile

@@ -8,12 +8,18 @@ RUN \
 ENV RUSTFLAGS="-C target-feature=-crt-static"
 WORKDIR /tmp/pam-oauth2
 COPY pam-oidc /tmp/pam-oauth2/pam-oidc
+# RUN \
+# 	cd pam-oidc && \
+# 	rustup target add x86_64-unknown-linux-gnu && \
+# 	rustup target add x86_64-unknown-linux-musl && \
+# 	rustup show && \
+# 	cargo build --release --target x86_64-unknown-linux-musl && \
+# 	cargo build --release --target x86_64-unknown-linux-gnu && \
+# 	cp target/x86_64-unknown-linux-musl/release/libpam_oidc.so /tmp/pam-oauth2/libpam_oidc_musl.so && \
+# 	cp target/x86_64-unknown-linux-gnu/release/libpam_oidc.so /tmp/pam-oauth2/libpam_oidc_gnu.so
 RUN \
 	cd pam-oidc && \
 	rustup target add x86_64-unknown-linux-gnu && \
-	rustup target add x86_64-unknown-linux-musl && \
 	rustup show && \
-	cargo build --release --target x86_64-unknown-linux-musl && \
-	cargo build --release --target x86_64-unknown-linux-gnu && \
-	cp target/x86_64-unknown-linux-musl/release/libpam_oidc.so /tmp/pam-oauth2/libpam_oidc_musl.so && \
-	cp target/x86_64-unknown-linux-gnu/release/libpam_oidc.so /tmp/pam-oauth2/libpam_oidc_gnu.so
+	cargo build --target x86_64-unknown-linux-gnu && \
+	cp target/x86_64-unknown-linux-gnu/debug/libpam_oidc.so /tmp/pam-oauth2/libpam_oidc_gnu.so

docker/percona.dockerfile

@@ -12,7 +12,9 @@ RUN \
 
 # https://www.percona.com/blog/getting-percona-pam-to-work-with-percona-server-its-client-apps/
 RUN \
-	chgrp mysql /etc/shadow && \
+	groupadd shadow && \
+	usermod -a -G shadow mysql && \
+	chown root:shadow /etc/shadow && \
 	chmod g+r /etc/shadow && \
 	useradd ap_user && \
 	echo "ap_user:password" | chpasswd
@@ -22,4 +24,5 @@ USER mysql:mysql
 COPY --from=builder /tmp/pam-oauth2/libpam_oidc_gnu.so /usr/lib64/security/libpam_oidc.so
 RUN echo 'plugin_load_add = auth_pam.so' >> /etc/my.cnf
 COPY config/pam_unix /etc/pam.d/mysqld
+COPY config/mysql-any-password /etc/pam.d/mysql-any-password
 COPY config/service_example /etc/pam.d/oidc

pam-oidc/src/lib.rs

@@ -148,23 +148,50 @@ impl PamServiceModule for PamCustom {
     }
 
     fn chauthtok(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("chauthtok called.");
         PamError::SUCCESS
     }
 
     fn open_session(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("open_session called.");
         PamError::SUCCESS
     }
 
     fn close_session(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("close_session called.");
         PamError::SUCCESS
     }
 
     fn setcred(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("setcred called.");
         PamError::SUCCESS
     }
 
     fn acct_mgmt(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
-        PamError::SUCCESS
+        info!("acct_mgmt called.");
+        info!("_args: {:?}", _args);
+        info!("_flags: {:?}", _flags);
+        let config_file = &_args[0];
+        let config: AppConfig = match load_config(config_file) {
+            Some(c) => c,
+            None => {
+                error!("Error loading config file at '{}'.", config_file);
+                return PamError::AUTH_ERR;
+            }
+        };
+
+        if config.account_succeed == "success" {
+            PamError::SUCCESS
+        } else if config.account_succeed == "user_unknown" {
+            PamError::USER_UNKNOWN
+        } else if config.account_succeed == "auth_err" {
+            PamError::AUTH_ERR
+        } else if config.account_succeed == "ignore" {
+            PamError::IGNORE
+        } else {
+            PamError::AUTH_ERR
+        }
+
     }
 }
 
@@ -195,6 +222,7 @@ struct AppConfig {
     token_min_size: i64,
     log_level: String,
     log_path: String,
+    account_succeed: String,
 }
 
 fn load_config(file: &str) -> Option<AppConfig> {
@@ -323,6 +351,17 @@ fn load_config(file: &str) -> Option<AppConfig> {
                 return None;
             }
         },
+        account_succeed: match contents[0]["account.succeed"].as_str() {
+            Some(s) => s.to_string(),
+            None => {
+                eprintln!(
+                    "[{}:{}] ERROR: Config file at '{file}' is missing 'account.succeed'.",
+                    file!(),
+                    line!()
+                );
+                return None;
+            }
+        },
     };
     Some(conf)
 }

tests/test.sh

@@ -1,46 +1,12 @@
 #!/bin/bash
 
-# set -a && . .env && ./tests/test.sh mariadb && set +a
-# set -a && . .env && ./tests/test.sh percona && set +a
-
-mariadb() {
-    set -e
-    ROOT_PASSWORD=simple
-    docker rm -f database
-    docker run --name database -de MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} mariadb:10.7 # does not work with latest and non-v1
-    until docker exec -it database mysql -h 127.0.0.1 -uroot -p${ROOT_PASSWORD} -e "SELECT 1;" 1>/dev/null
-    do
-        echo waiting...
-        sleep 5
-    done
-    docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "INSTALL SONAME 'auth_pam_v1';"
-    docker cp ./config/service_example database:/etc/pam.d/oidc
-    docker cp ./pam-oidc/target/debug/libpam_oidc.so database:/lib/x86_64-linux-gnu/security/libpam_oidc.so
-    docker exec -it database mkdir /etc/datajoint
-    docker cp ./config/libpam_oidc.yaml database:/etc/datajoint/
-    docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "CREATE USER '${DJ_AUTH_USER}'@'%' IDENTIFIED VIA pam USING 'oidc';"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -pdeny -e "SELECT 'delegated to oidc' as login;"
-}
-
-percona() {
-    set -e
-    ROOT_PASSWORD=simple
-    docker rm -f database
-    docker run --name database -de MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} --entrypoint bash percona:8 -c "echo 'plugin_load_add = auth_pam.so' >> /etc/my.cnf && /docker-entrypoint.sh mysqld"
-    until docker exec -it database mysql -h 127.0.0.1 -uroot -p${ROOT_PASSWORD} -e "SELECT 1;" 1>/dev/null
-    do
-        echo waiting...
-        sleep 5
-    done
-    docker cp ./config/service_example database:/etc/pam.d/oidc
-    docker cp ./pam-oidc/target/debug/libpam_oidc.so database:/usr/lib64/security/libpam_oidc.so
-    docker exec -itu root database mkdir /etc/datajoint
-    docker cp ./config/libpam_oidc.yaml database:/etc/datajoint/
-    docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "CREATE USER '${DJ_AUTH_USER}'@'%' IDENTIFIED WITH auth_pam AS 'oidc';"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -pdeny -e "SELECT 'delegated to oidc' as login;"
-}
-
+# Usage:
+# ./tests/test.sh '<demouser_password>'
+
+docker compose up --build -d --wait percona
+docker compose exec percona mysql -hlocalhost -uroot -ppassword -e "CREATE USER 'demouser'@'%' IDENTIFIED WITH auth_pam AS 'mysql-any-password';"
+docker compose exec percona mysql -hlocalhost -udemouser -p"$1" --enable-cleartext-plugin -e "SELECT 1;" || echo "Failed to authenticate with real password"
+docker compose exec percona mysql -hlocalhost -udemouser -p'bogus_password' --enable-cleartext-plugin -e "SELECT 1;" || echo "Failed to authenticate for bogus password"
+sleep 3
+docker compose logs percona
+docker compose down