1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00

selftest: Add a test for PamLogOff

This test also verifies the KRB5CCNAME environment variable is set after
a successful PAM authentication with Kerberos.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Samuel Cabrero 2021-06-18 09:22:39 +02:00 committed by Jeremy Allison
parent 3944b586d5
commit 5439ecf723
3 changed files with 110 additions and 0 deletions

View File

@ -0,0 +1,56 @@
# Unix SMB/CIFS implementation.
#
# Copyright (C) 2022 Samuel Cabrero <scabrero@samba.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import samba.tests
import pypamtest
import os
class PamChauthtokTests(samba.tests.TestCase):
def test_setcred_delete_cred(self):
domain = os.environ["DOMAIN"]
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
if domain != "":
unix_username = "%s/%s" % (domain, username)
else:
unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
tc1 = pypamtest.TestCase(pypamtest.PAMTEST_GETENVLIST, expected_rc)
tc2 = pypamtest.TestCase(pypamtest.PAMTEST_KEEPHANDLE, expected_rc)
try:
res = pypamtest.run_pamtest(unix_username, "samba", [tc, tc1, tc2], [password])
except pypamtest.PamTestError as e:
raise AssertionError(str(e))
self.assertTrue(res is not None)
ccache = tc1.pam_env["KRB5CCNAME"]
ccache = ccache[ccache.index(":") + 1:]
self.assertTrue(os.path.exists(ccache))
handle = tc2.pam_handle
tc3 = pypamtest.TestCase(pypamtest.PAMTEST_SETCRED, expected_rc, pypamtest.PAMTEST_FLAG_DELETE_CRED)
try:
res = pypamtest.run_pamtest(unix_username, "samba", [tc3], handle=handle)
except pypamtest.PamTestError as e:
raise AssertionError(str(e))
self.assertFalse(os.path.exists(ccache))

View File

@ -0,0 +1,46 @@
#!/bin/sh
PYTHON="$1"
PAM_WRAPPER_SO_PATH="$2"
shift 2
DOMAIN="$1"
export DOMAIN
USERNAME="$2"
export USERNAME
PASSWORD="$3"
export PASSWORD
shift 3
PAM_OPTIONS="$1"
export PAM_OPTIONS
shift 1
PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
pam_winbind="$BINDIR/plugins/pam_winbind.so"
service_dir="$SELFTEST_TMPDIR/pam_services"
service_file="$service_dir/samba"
mkdir $service_dir
echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
PAM_WRAPPER="1"
export PAM_WRAPPER
PAM_WRAPPER_SERVICE_DIR="$service_dir"
export PAM_WRAPPER_SERVICE_DIR
LD_PRELOAD="$LD_PRELOAD:$PAM_WRAPPER_SO_PATH"
export LD_PRELOAD
PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="3"}
export PAM_WRAPPER_DEBUGLEVEL
PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_setcred
exit_code=$?
rm -rf $service_dir
exit $exit_code

View File

@ -382,6 +382,14 @@ if with_pam:
"$DOMAIN", "alice", "Secret007", "$DOMAIN", "alice", "Secret007",
pam_options]) pam_options])
description = "krb5"
pam_options = "'krb5_auth krb5_ccache_type=FILE:/tmp/krb5cc_pam_test_%u'"
plantestsuite("samba.tests.pam_winbind_setcred(domain+%s)" % description, "ad_dc:local",
[os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_setcred.sh"),
valgrindify(python), pam_wrapper_so_path,
"${DOMAIN}", "${DC_USERNAME}", "${DC_PASSWORD}",
pam_options])
plantestsuite("samba.unittests.krb5samba", "none", plantestsuite("samba.unittests.krb5samba", "none",
[os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])