1*bf6873c5SCy Schubert /*
2*bf6873c5SCy Schubert  * Tests for the alt_auth_map functionality in libpam-krb5.
3*bf6873c5SCy Schubert  *
4*bf6873c5SCy Schubert  * This test case tests the variations of the alt_auth_map functionality for
5*bf6873c5SCy Schubert  * both authentication and account management.  It requires a Kerberos
6*bf6873c5SCy Schubert  * configuration, but does not attempt to save a session ticket cache (to
7*bf6873c5SCy Schubert  * avoid requiring user configuration).
8*bf6873c5SCy Schubert  *
9*bf6873c5SCy Schubert  * Written by Russ Allbery <eagle@eyrie.org>
10*bf6873c5SCy Schubert  * Copyright 2020 Russ Allbery <eagle@eyrie.org>
11*bf6873c5SCy Schubert  * Copyright 2012
12*bf6873c5SCy Schubert  *     The Board of Trustees of the Leland Stanford Junior University
13*bf6873c5SCy Schubert  *
14*bf6873c5SCy Schubert  * SPDX-License-Identifier: BSD-3-clause or GPL-1+
15*bf6873c5SCy Schubert  */
16*bf6873c5SCy Schubert 
17*bf6873c5SCy Schubert #include <config.h>
18*bf6873c5SCy Schubert #include <portable/system.h>
19*bf6873c5SCy Schubert 
20*bf6873c5SCy Schubert #include <tests/fakepam/script.h>
21*bf6873c5SCy Schubert #include <tests/tap/kerberos.h>
22*bf6873c5SCy Schubert #include <tests/tap/process.h>
23*bf6873c5SCy Schubert #include <tests/tap/string.h>
24*bf6873c5SCy Schubert 
25*bf6873c5SCy Schubert 
int
main(void)
{
    struct script_config config = {0};
    struct kerberos_config *krbconf;
    char *scratch = NULL;
    size_t i;

    /*
     * Scripts exercised with the authtok only (no password prompting).  They
     * are run in this order against a PAM user that exists nowhere, so the
     * only thing that can succeed is the alt_auth_map mapping itself.
     */
    const char *const no_prompt[] = {
        "data/scripts/alt-auth/basic",
        "data/scripts/alt-auth/basic-debug",
        "data/scripts/alt-auth/fail",
        "data/scripts/alt-auth/fail-debug",
        "data/scripts/alt-auth/force",
        "data/scripts/alt-auth/only",
    };

    /*
     * Scripts for the case where the PAM user is the real authentication
     * principal and a password is available, so that a failed alternate
     * authentication can fall back to normal authentication.
     */
    const char *const fallback[] = {
        "data/scripts/alt-auth/fallback",
        "data/scripts/alt-auth/fallback-debug",
        "data/scripts/alt-auth/fallback-realm",
        "data/scripts/alt-auth/force-fallback",
        "data/scripts/alt-auth/only-fail",
    };

    /*
     * Obtain a principal and its password from the test configuration.  The
     * principal goes into extra[0] while the PAM user is deliberately a name
     * that does not exist, because alt_auth_map has to work even when there
     * is no relationship at all between the PAM user and the mapped
     * principal.
     */
    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
    config.user = "bogus-nonexistent-account";
    config.authtok = krbconf->password;
    config.extra[0] = krbconf->username;
    config.extra[1] = krbconf->userprinc;

    /*
     * Write a krb5.conf whose default realm does not exist.  Nothing the
     * module logs can then be silently shortened to an unqualified name, so
     * the expected log lines in the scripts stay fully qualified.
     */
    kerberos_generate_conf("bogus.example.com");
    config.extra[2] = "bogus.example.com";

    plan_lazy();
    for (i = 0; i < sizeof(no_prompt) / sizeof(no_prompt[0]); i++)
        run_script(no_prompt[i], &config);

    /*
     * An alternate principal that exists but whose password is wrong must
     * produce a failure, not a quiet retry against the regular principal:
     * a wrong password for the mapped account should never be turned into a
     * second attempt somewhere else.  The debug variant is used so that only
     * a single principal has to be configured for the test.
     */
    config.authtok = "bogus incorrect password";
    run_script("data/scripts/alt-auth/force-fail-debug", &config);

    /*
     * Now use the real username as the PAM user but keep a realm that is not
     * its own, to check that the username can be mapped into a different
     * realm.
     */
    config.authtok = krbconf->password;
    config.user = krbconf->username;
    config.extra[2] = krbconf->realm;
    run_script("data/scripts/alt-auth/username-map", &config);

    /*
     * Put the first character of the username into the PAM configuration and
     * hand only the remainder in as the PAM user.  This checks that %s is
     * interpolated correctly when it is not the first token of the pattern.
     */
    config.user = krbconf->username + 1;
    scratch = bstrndup(krbconf->username, 1);
    config.extra[3] = scratch;
    run_script("data/scripts/alt-auth/username-map-prefix", &config);
    free(scratch);
    scratch = NULL;
    config.extra[3] = NULL;

    /*
     * A PAM user that already carries a realm must not have the realm of the
     * authentication username appended on top of it when the alt_auth_map
     * pattern itself includes a realm.
     */
    basprintf(&scratch, "%s@foo.example.com", krbconf->username);
    config.user = scratch;
    diag("re-running username-map with fully-qualified PAM user");
    run_script("data/scripts/alt-auth/username-map", &config);
    free(scratch);
    scratch = NULL;

    /*
     * Finally make the PAM user match the authentication principal and
     * supply the password, so that the fallback scripts can verify what
     * happens when alternate authentication fails and normal authentication
     * is attempted instead.
     */
    config.user = krbconf->userprinc;
    config.password = krbconf->password;
    config.extra[2] = krbconf->realm;
    for (i = 0; i < sizeof(fallback) / sizeof(fallback[0]); i++)
        run_script(fallback[i], &config);

    return 0;
}
118