1 /*
2  * Authentication tests for realm support in pam-krb5.
3  *
4  * Test the realm and user_realm options in the PAM configuration, which are
5  * special in several ways since they influence krb5.conf parsing and are read
6  * out of order in the initial configuration.
7  *
8  * Written by Russ Allbery <eagle@eyrie.org>
9  * Copyright 2020 Russ Allbery <eagle@eyrie.org>
10  * Copyright 2011-2012
11  *     The Board of Trustees of the Leland Stanford Junior University
12  *
13  * SPDX-License-Identifier: BSD-3-clause or GPL-1+
14  */
15 
16 #include <config.h>
17 #include <portable/krb5.h>
18 #include <portable/system.h>
19 
20 #include <pwd.h>
21 
22 #include <tests/fakepam/pam.h>
23 #include <tests/fakepam/script.h>
24 #include <tests/tap/basic.h>
25 #include <tests/tap/kerberos.h>
26 #include <tests/tap/string.h>
27 
28 
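/*
 * Run the realm and user_realm PAM scripts against a live test KDC.
 *
 * The scripts come in pass/fail pairs so that each positive result is matched
 * by a negative control: authentication must fail when the realm is wrong,
 * and user_realm must fail until a .k5login file authorizes the principal.
 * The order of the steps matters because each one changes the generated
 * krb5.conf, the value handed to the scripts in config.extra[0], or the fake
 * passwd entry seen by the module.
 *
 * Returns 0; failures are reported through the TAP helpers, and setup errors
 * abort the run via sysbail().
 */
int
main(void)
{
    struct script_config config;
    struct kerberos_config *krbconf;
    struct passwd pwd;
    FILE *file;
    char *k5login;

    /* Load the Kerberos principal and password from a file. */
    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
    memset(&config, 0, sizeof(config));
    config.user = krbconf->username;
    config.authtok = krbconf->password;

    /* Don't keep track of the tests in each script. */
    plan_lazy();

    /*
     * Start with a nonexistent default realm for authentication failure.
     * Nothing in the PAM configuration corrects the realm here, so a
     * successful login would mean the module ignored the configured realm.
     */
    kerberos_generate_conf("bogus.example.com");
    config.extra[0] = "bogus.example.com";
    run_script("data/scripts/realm/fail-no-realm", &config);
    run_script("data/scripts/realm/fail-no-realm-debug", &config);

    /* Running a script that sets realm properly should pass. */
    config.extra[0] = krbconf->realm;
    run_script("data/scripts/realm/pass-realm", &config);

    /*
     * Setting user_realm should continue to fail due to no .k5login file.
     * This is the negative control for the authorization step below: the
     * user has no passwd entry or .k5login yet, so nothing maps the
     * principal to the account.
     */
    run_script("data/scripts/realm/fail-user-realm", &config);

    /*
     * If we add a .k5login file for the user, user_realm should work.
     *
     * Zero the passwd entry first.  Only four members are set below, and the
     * structure is handed to the fake PAM layer by pointer, so any other
     * member (pw_passwd, pw_shell, ...) would otherwise hold indeterminate
     * stack contents.
     */
    memset(&pwd, 0, sizeof(pwd));
    pwd.pw_name = krbconf->username;
    pwd.pw_uid = getuid();
    pwd.pw_gid = getgid();
    pwd.pw_dir = test_tmpdir();
    pam_set_pwd(&pwd);

    /*
     * .k5login lists the principals allowed to log in to the account, so it
     * is authorization data.  It holds exactly one line, the test principal,
     * and lives in the test temporary directory used as the home directory.
     */
    basprintf(&k5login, "%s/.k5login", pwd.pw_dir);
    file = fopen(k5login, "w");
    if (file == NULL)
        sysbail("cannot create %s", k5login);
    if (fprintf(file, "%s\n", krbconf->userprinc) < 0)
        sysbail("cannot write to %s", k5login);
    if (fclose(file) < 0)
        sysbail("cannot flush %s", k5login);
    run_script("data/scripts/realm/pass-user-realm", &config);

    /*
     * Drop the fake passwd entry before removing what it points to.  A
     * leftover .k5login would keep authorizing the principal for anything
     * else using this directory, so report a failed removal instead of
     * ignoring it; the run itself still continues.
     */
    pam_set_pwd(NULL);
    if (unlink(k5login) < 0)
        sysdiag("cannot remove %s", k5login);
    free(k5login);
    test_tmpdir_free(pwd.pw_dir);

    /*
     * Switch to the correct realm, but set the wrong realm in PAM.  Both
     * scripts must fail: the realm given in the PAM configuration has to
     * take precedence over a krb5.conf default that would have worked.
     */
    kerberos_generate_conf(krbconf->realm);
    config.extra[0] = "bogus.example.com";
    run_script("data/scripts/realm/fail-realm", &config);
    run_script("data/scripts/realm/fail-bad-user-realm", &config);

    return 0;
}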
88