1 /*
2 * Tests for PAM_USER handling.
3 *
4 * This test case includes tests that require Kerberos to be configured and a
5 * username and password available, but which don't write a ticket cache
6 * (which requires additional work to test the cache ownership).
7 *
8 * Written by Russ Allbery <eagle@eyrie.org>
9 * Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
10 *
11 * SPDX-License-Identifier: BSD-3-clause or GPL-1+
12 */
13
14 #include <config.h>
15 #include <portable/system.h>
16
17 #include <tests/fakepam/script.h>
18 #include <tests/tap/kerberos.h>
19 #include <tests/tap/macros.h>
20
21
22 /*
23 * Callback to check that PAM_USER matches the desired value, passed in as the
24 * data parameter.
25 */
26 static void
check_pam_user(pam_handle_t * pamh,const struct script_config * config UNUSED,void * data)27 check_pam_user(pam_handle_t *pamh, const struct script_config *config UNUSED,
28 void *data)
29 {
30 int retval;
31 const char *name = NULL;
32 const char *expected = data;
33
34 retval = pam_get_item(pamh, PAM_USER, (PAM_CONST void **) &name);
35 is_int(PAM_SUCCESS, retval, "Found PAM_USER");
36 is_string(expected, name, "...matching %s", expected);
37 }
38
39
/*
 * Run the PAM_USER scripts three times with one shared configuration and
 * check, via check_pam_user, what the module leaves in PAM_USER in each
 * case.  Returns 0; the TAP plan is determined lazily from the results.
 */
int
main(void)
{
    struct kerberos_config *krbconf;
    struct script_config config;
    const char *user;
    const char *princ;

    /* Load the test principal and password from the Kerberos test config. */
    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
    user = krbconf->username;
    princ = krbconf->userprinc;

    /*
     * Write a testing krb5.conf whose realm matches the test credentials.
     * Without it the realm-qualified principal could not be recognized as
     * local, and the canonicalization checked below would not happen.
     */
    kerberos_generate_conf(krbconf->realm);

    /* Configuration shared by every script run; only user/data change. */
    memset(&config, 0, sizeof(config));
    config.password = krbconf->password;
    config.callback = check_pam_user;
    config.extra[0] = user;
    config.extra[1] = princ;

    plan_lazy();

    /* Bare username: nothing to canonicalize, PAM_USER stays as given. */
    config.user = user;
    config.data = user;
    run_script("data/scripts/pam-user/update", &config);

    /*
     * Realm-qualified principal in the local realm: PAM_USER should be
     * rewritten to the bare username.
     */
    config.user = princ;
    run_script("data/scripts/pam-user/update", &config);

    /*
     * Same principal with user updates disabled: PAM_USER must keep the
     * realm-qualified form exactly as the caller supplied it.  Anything
     * downstream keyed on PAM_USER then sees a different string from the
     * bare login name, which is what this run is meant to make visible.
     */
    config.data = princ;
    run_script("data/scripts/pam-user/no-update", &config);

    return 0;
}
81