diff --git a/python/samba/tests/pam_winbind_setcred.py b/python/samba/tests/pam_winbind_setcred.py
new file mode 100644
index 00000000000..055eac28fa3
--- /dev/null
+++ b/python/samba/tests/pam_winbind_setcred.py
@@ -0,0 +1,56 @@
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) 2022 Samuel Cabrero
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+import samba.tests
+import pypamtest
+import os
+
+class PamChauthtokTests(samba.tests.TestCase):
+ def test_setcred_delete_cred(self):
+ domain = os.environ["DOMAIN"]
+ username = os.environ["USERNAME"]
+ password = os.environ["PASSWORD"]
+
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
+ expected_rc = 0 # PAM_SUCCESS
+
+ tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
+ tc1 = pypamtest.TestCase(pypamtest.PAMTEST_GETENVLIST, expected_rc)
+ tc2 = pypamtest.TestCase(pypamtest.PAMTEST_KEEPHANDLE, expected_rc)
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc, tc1, tc2], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
+
+ self.assertTrue(res is not None)
+
+ ccache = tc1.pam_env["KRB5CCNAME"]
+ ccache = ccache[ccache.index(":") + 1:]
+ self.assertTrue(os.path.exists(ccache))
+
+ handle = tc2.pam_handle
+ tc3 = pypamtest.TestCase(pypamtest.PAMTEST_SETCRED, expected_rc, pypamtest.PAMTEST_FLAG_DELETE_CRED)
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc3], handle=handle)
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
+
+ self.assertFalse(os.path.exists(ccache))
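Review bot: In `test_setcred_delete_cred`, the ccache produced by the first `run_pamtest` call is only removed by the PAM_DELETE_CRED step itself, so any failure before or in that step leaves a Kerberos credential cache for the test user behind at the configured path. Registering a cleanup as soon as the path is known would cover that, for example `self.addCleanup(lambda: os.path.exists(ccache) and os.unlink(ccache))` right after the `ccache[ccache.index(":") + 1:]` line. A missing `KRB5CCNAME` or a value without a colon currently surfaces as a `KeyError`/`ValueError` error rather than a test failure, so an explicit `self.assertIn("KRB5CCNAME", tc1.pam_env)` before the lookup would make the report clearer. The class name `PamChauthtokTests` looks copied from the chauthtok test; `PamSetcredTests` would match what is exercised.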
diff --git a/python/samba/tests/test_pam_winbind_setcred.sh b/python/samba/tests/test_pam_winbind_setcred.sh
new file mode 100755
index 00000000000..7d7acc25aec
--- /dev/null
+++ b/python/samba/tests/test_pam_winbind_setcred.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+PYTHON="$1"
+PAM_WRAPPER_SO_PATH="$2"
+shift 2
+
+DOMAIN="$1"
+export DOMAIN
+USERNAME="$2"
+export USERNAME
+PASSWORD="$3"
+export PASSWORD
+shift 3
+
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
+PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
+
+pam_winbind="$BINDIR/plugins/pam_winbind.so"
+service_dir="$SELFTEST_TMPDIR/pam_services"
+service_file="$service_dir/samba"
+
+mkdir $service_dir
+echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
+echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+
+PAM_WRAPPER="1"
+export PAM_WRAPPER
+PAM_WRAPPER_SERVICE_DIR="$service_dir"
+export PAM_WRAPPER_SERVICE_DIR
+LD_PRELOAD="$LD_PRELOAD:$PAM_WRAPPER_SO_PATH"
+export LD_PRELOAD
+
+PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="3"}
+export PAM_WRAPPER_DEBUGLEVEL
+
+PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_setcred
+exit_code=$?
+
+rm -rf $service_dir
+
+exit $exit_code
diff --git a/selftest/tests.py b/selftest/tests.py
index e8b5ed013b0..19b07dfec27 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
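Review bot: `$service_dir` is expanded unquoted in `mkdir $service_dir` and `rm -rf $service_dir`, and nothing checks that `SELFTEST_TMPDIR` is set or that the `mkdir` succeeded, so an empty or space-containing value makes the final `rm -rf` act on a path the script did not create. Quoting and failing early would close that: `mkdir "$service_dir" || exit 1`, `"$service_file"` as the redirect target on the echo lines, and `rm -rf "$service_dir"`. The password is also taken as a positional argument (`PASSWORD="$3"`), which exposes it in the process list while the test runs; that is probably acceptable for selftest credentials but worth a comment in the script.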
@@ -382,6 +382,14 @@ if with_pam: "$DOMAIN", "alice", "Secret007", pam_options]) + description = "krb5" + pam_options = "'krb5_auth krb5_ccache_type=FILE:/tmp/krb5cc_pam_test_%u'" + plantestsuite("samba.tests.pam_winbind_setcred(domain+%s)" % description, "ad_dc:local", + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_setcred.sh"), + valgrindify(python), pam_wrapper_so_path, + "${DOMAIN}", "${DC_USERNAME}", "${DC_PASSWORD}", + pam_options]) + plantestsuite("samba.unittests.krb5samba", "none", [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
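Review bot: The new `pam_options` string pins the credential cache to `FILE:/tmp/krb5cc_pam_test_%u`, a predictable name in a shared, world-writable directory, so parallel selftest runs on one host would share the same file and the test depends on whatever already exists at that path. Placing the cache under the per-run test directory would avoid both; since the wrapper script already uses `$SELFTEST_TMPDIR` for the PAM service files, one option is to build the `krb5_ccache_type=FILE:...` value there rather than hard-coding `/tmp` here. The enclosing `if with_pam:` block begins outside this hunk, so this is based only on the added lines.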