Restrict username characters to those allowed in Ubuntu/Debian

internal/brokers/broker.go

@@ -355,6 +355,9 @@ func validateUserInfo(uInfo types.UserInfo) (err error) {
 	if uInfo.Name == "" {
 		return errors.New("empty username")
 	}
+	if err := types.ValidateUsername(uInfo.Name); err != nil {
+		return err
+	}
 
 	// Validate home and shell directories
 	if !filepath.IsAbs(filepath.Clean(uInfo.Dir)) {

internal/brokers/broker_test.go

@@ -229,6 +229,7 @@ func TestIsAuthenticated(t *testing.T) {
 		"Error_when_broker_returns_invalid_access":                            {sessionID: "ia_invalid_access"},
 		"Error_when_broker_returns_invalid_userinfo":                          {sessionID: "ia_invalid_userinfo"},
 		"Error_when_broker_returns_userinfo_with_empty_username":              {sessionID: "ia_info_empty_user_name"},
+		"Error_when_broker_returns_userinfo_with_invalid_username":            {sessionID: "ia_info_invalid_username"},
 		"Error_when_broker_returns_userinfo_with_empty_group_name":            {sessionID: "ia_info_empty_group_name"},
 		"Error_when_broker_returns_userinfo_with_invalid_homedir":             {sessionID: "ia_info_invalid_home"},
 		"Error_when_broker_returns_userinfo_with_invalid_shell":               {sessionID: "ia_info_invalid_shell"},

internal/brokers/testdata/golden/TestIsAuthenticated/Adds_default_groups_even_if_broker_did_not_set_them

@@ -1,4 +1,4 @@
 FIRST CALL:
 	access: granted
-	data: {"Name":"ia_info_empty_groups@example.com","UID":0,"Gecos":"gecos for ia_info_empty_groups@example.com","Dir":"/home/ia_info_empty_groups@example.com","Shell":"/bin/sh/ia_info_empty_groups@example.com","Groups":[]}
+	data: {"Name":"ia_info_empty_groups","UID":0,"Gecos":"gecos for ia_info_empty_groups","Dir":"/home/ia_info_empty_groups","Shell":"/bin/sh/ia_info_empty_groups","Groups":[]}
 	err: <nil>

internal/brokers/testdata/golden/TestIsAuthenticated/Error_when_broker_returns_userinfo_with_invalid_username

@@ -0,0 +1,4 @@
+FIRST CALL:
+	access: 
+	data: 
+	err: provided userinfo is invalid: username "user@invalid-name" is not valid: it must match ^[a-z_][-a-z0-9_]*[$]?$

internal/brokers/testdata/golden/TestIsAuthenticated/Error_when_calling_IsAuthenticated_a_second_time_without_cancelling

@@ -1,6 +1,6 @@
 FIRST CALL:
 	access: granted
-	data: {"Name":"ia_second_call@example.com","UID":0,"Gecos":"gecos for ia_second_call@example.com","Dir":"/home/ia_second_call@example.com","Shell":"/bin/sh/ia_second_call@example.com","Groups":[{"Name":"group-ia_second_call@example.com","GID":null,"UGID":"ugid-ia_second_call@example.com"}]}
+	data: {"Name":"ia_second_call","UID":0,"Gecos":"gecos for ia_second_call","Dir":"/home/ia_second_call","Shell":"/bin/sh/ia_second_call","Groups":[{"Name":"group-ia_second_call","GID":null,"UGID":"ugid-ia_second_call"}]}
 	err: <nil>
 SECOND CALL:
 	access: 

internal/brokers/testdata/golden/TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_empty_gecos

@@ -1,4 +1,4 @@
 FIRST CALL:
 	access: granted
-	data: {"Name":"ia_info_empty_gecos@example.com","UID":0,"Gecos":"","Dir":"/home/ia_info_empty_gecos@example.com","Shell":"/bin/sh/ia_info_empty_gecos@example.com","Groups":[{"Name":"group-ia_info_empty_gecos@example.com","GID":null,"UGID":"ugid-ia_info_empty_gecos@example.com"}]}
+	data: {"Name":"ia_info_empty_gecos","UID":0,"Gecos":"","Dir":"/home/ia_info_empty_gecos","Shell":"/bin/sh/ia_info_empty_gecos","Groups":[{"Name":"group-ia_info_empty_gecos","GID":null,"UGID":"ugid-ia_info_empty_gecos"}]}
 	err: <nil>

internal/brokers/testdata/golden/TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_group_with_empty_UGID

@@ -1,4 +1,4 @@
 FIRST CALL:
 	access: granted
-	data: {"Name":"ia_info_empty_ugid@example.com","UID":0,"Gecos":"gecos for ia_info_empty_ugid@example.com","Dir":"/home/ia_info_empty_ugid@example.com","Shell":"/bin/sh/ia_info_empty_ugid@example.com","Groups":[{"Name":"group-ia_info_empty_ugid@example.com","GID":null,"UGID":""}]}
+	data: {"Name":"ia_info_empty_ugid","UID":0,"Gecos":"gecos for ia_info_empty_ugid","Dir":"/home/ia_info_empty_ugid","Shell":"/bin/sh/ia_info_empty_ugid","Groups":[{"Name":"group-ia_info_empty_ugid","GID":null,"UGID":""}]}
 	err: <nil>

internal/brokers/testdata/golden/TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_mismatching_username

@@ -1,4 +1,4 @@
 FIRST CALL:
 	access: granted
-	data: {"Name":"different_username@example.com","UID":0,"Gecos":"gecos for ia_info_mismatching_user_name@example.com","Dir":"/home/ia_info_mismatching_user_name@example.com","Shell":"/bin/sh/ia_info_mismatching_user_name@example.com","Groups":[{"Name":"group-ia_info_mismatching_user_name@example.com","GID":null,"UGID":"ugid-ia_info_mismatching_user_name@example.com"}]}
+	data: {"Name":"different_username","UID":0,"Gecos":"gecos for ia_info_mismatching_user_name","Dir":"/home/ia_info_mismatching_user_name","Shell":"/bin/sh/ia_info_mismatching_user_name","Groups":[{"Name":"group-ia_info_mismatching_user_name","GID":null,"UGID":"ugid-ia_info_mismatching_user_name"}]}
 	err: <nil>

internal/brokers/testdata/golden/TestIsAuthenticated/Successfully_authenticate

@@ -1,4 +1,4 @@
 FIRST CALL:
 	access: granted
-	data: {"Name":"success@example.com","UID":0,"Gecos":"gecos for success@example.com","Dir":"/home/success@example.com","Shell":"/bin/sh/success@example.com","Groups":[{"Name":"group-success@example.com","GID":null,"UGID":"ugid-success@example.com"}]}
+	data: {"Name":"success","UID":0,"Gecos":"gecos for success","Dir":"/home/success","Shell":"/bin/sh/success","Groups":[{"Name":"group-success","GID":null,"UGID":"ugid-success"}]}
 	err: <nil>

internal/brokers/testdata/golden/TestIsAuthenticated/Successfully_authenticate_after_cancelling_first_call

@@ -4,5 +4,5 @@ FIRST CALL:
 	err: <nil>
 SECOND CALL:
 	access: granted
-	data: {"Name":"ia_second_call@example.com","UID":0,"Gecos":"gecos for ia_second_call@example.com","Dir":"/home/ia_second_call@example.com","Shell":"/bin/sh/ia_second_call@example.com","Groups":[{"Name":"group-ia_second_call@example.com","GID":null,"UGID":"ugid-ia_second_call@example.com"}]}
+	data: {"Name":"ia_second_call","UID":0,"Gecos":"gecos for ia_second_call","Dir":"/home/ia_second_call","Shell":"/bin/sh/ia_second_call","Groups":[{"Name":"group-ia_second_call","GID":null,"UGID":"ugid-ia_second_call"}]}
 	err: <nil>

internal/brokers/testdata/golden/TestUserPreCheck/Successfully_pre-check_user

@@ -1,9 +1,9 @@
 {
-		"name": "user-pre-check@example.com",
+		"name": "user-pre-check",
 		"uuid": "",
-		"gecos": "gecos for user-pre-check@example.com",
-		"dir": "/home/user-pre-check@example.com",
-		"shell": "/bin/sh/user-pre-check@example.com",
-		"avatar": "avatar for user-pre-check@example.com",
-		"groups": [ {"name": "group-user-pre-check@example.com", "ugid": "ugid-user-pre-check@example.com"} ]
+		"gecos": "gecos for user-pre-check",
+		"dir": "/home/user-pre-check",
+		"shell": "/bin/sh/user-pre-check",
+		"avatar": "avatar for user-pre-check",
+		"groups": [ {"name": "group-user-pre-check", "ugid": "ugid-user-pre-check"} ]
 	}

internal/services/pam/pam_test.go

@@ -456,6 +456,7 @@ func TestIsAuthenticated(t *testing.T) {
 		"Error_when_broker_returns_invalid_access":          {username: "ia_invalid_access@example.com"},
 		"Error_when_broker_returns_invalid_data":            {username: "ia_invalid_data@example.com"},
 		"Error_when_broker_returns_invalid_userinfo":        {username: "ia_invalid_userinfo@example.com"},
+		"Error_when_broker_returns_invalid_username":        {username: "ia_info_invalid_username@example.com"},
 		"Error_when_calling_second_time_without_cancelling": {username: "ia_second_call@example.com", secondCall: true},
 
 		// local group error

internal/services/pam/testdata/TestIsAuthenticated/cache-with-locked-user.db

@@ -1,9 +1,9 @@
 users:
-    - name: locked@example.com
+    - name: locked
       uid: 1111
       gid: 11111
       gecos: gecos for other user
-      dir: /home/locked@example.com
+      dir: /home/locked
       shell: /bin/bash
       broker_id: broker-id
       locked: true

internal/services/pam/testdata/TestIsAuthenticated/valid.group

@@ -1,6 +1,6 @@
-localgroup1:x:41:otheruser@example.com,success_with_local_groups@example.com,otheruser2@example.com
-localgroup2:x:42:success_with_local_groups@example.com
-localgroup3:x:43:otheruser2@example.com
-localgroup4:x:44:otheruser2@example.com
-cloudgroup1:x:9998:otheruser3@example.com
-cloudgroup2:x:9999:otheruser4@example.com
+localgroup1:x:41:otheruser,success_with_local_groups,otheruser2
+localgroup2:x:42:success_with_local_groups
+localgroup3:x:43:otheruser2
+localgroup4:x:44:otheruser2
+cloudgroup1:x:9998:otheruser3
+cloudgroup2:x:9999:otheruser4

internal/services/pam/testdata/golden/TestIDGeneration/Generate_ID/cache.db

@@ -1,17 +1,17 @@
 users:
-    - name: success@example.com
+    - name: success
       uid: 1111
       gid: 1111
-      gecos: gecos for success@example.com
-      dir: /home/success@example.com
-      shell: /bin/sh/success@example.com
+      gecos: gecos for success
+      dir: /home/success
+      shell: /bin/sh/success
 groups:
-    - name: success@example.com
+    - name: success
       gid: 1111
-      ugid: success@example.com
-    - name: group-success@example.com
+      ugid: success
+    - name: group-success
       gid: 22222
-      ugid: ugid-success@example.com
+      ugid: ugid-success
 users_to_groups:
     - uid: 1111
       gid: 1111

internal/services/pam/testdata/golden/TestIsAuthenticated/Error_on_updating_local_groups_with_unexisting_file/IsAuthenticated

@@ -1,4 +1,4 @@
 FIRST CALL:
 	access: 
 	msg: 
-	err: failed to update user "success_with_local_groups@example.com": could not update local groups for user "success_with_local_groups@example.com": could not fetch existing local group: open : no such file or directory
+	err: failed to update user "success_with_local_groups": could not update local groups for user "success_with_local_groups": could not fetch existing local group: open : no such file or directory

internal/services/pam/testdata/golden/TestIsAuthenticated/Error_on_updating_local_groups_with_unexisting_file/cache.db

@@ -1,17 +1,17 @@
 users:
-    - name: success_with_local_groups@example.com
+    - name: success_with_local_groups
       uid: 1111
       gid: 1111
-      gecos: gecos for success_with_local_groups@example.com
-      dir: /home/success_with_local_groups@example.com
-      shell: /bin/sh/success_with_local_groups@example.com
+      gecos: gecos for success_with_local_groups
+      dir: /home/success_with_local_groups
+      shell: /bin/sh/success_with_local_groups
 groups:
-    - name: success_with_local_groups@example.com
+    - name: success_with_local_groups
       gid: 1111
-      ugid: success_with_local_groups@example.com
-    - name: group-success_with_local_groups@example.com
+      ugid: success_with_local_groups
+    - name: group-success_with_local_groups
       gid: 22222
-      ugid: ugid-success_with_local_groups@example.com
+      ugid: ugid-success_with_local_groups
 users_to_groups:
     - uid: 1111
       gid: 1111

internal/services/pam/testdata/golden/TestIsAuthenticated/Error_when_broker_returns_invalid_username/IsAuthenticated

@@ -0,0 +1,4 @@
+FIRST CALL:
+	access: 
+	msg: 
+	err: provided userinfo is invalid: username "user@invalid-name" is not valid: it must match ^[a-z_][-a-z0-9_]*[$]?$

internal/services/pam/testdata/golden/TestIsAuthenticated/Error_when_broker_returns_invalid_username/cache.db

@@ -0,0 +1,4 @@
+users: []
+groups: []
+users_to_groups: []
+schema_version: 2

internal/services/pam/testdata/golden/TestIsAuthenticated/Error_when_calling_second_time_without_cancelling/cache.db

@@ -1,17 +1,17 @@
 users:
-    - name: ia_second_call@example.com
+    - name: ia_second_call
       uid: 1111
       gid: 1111
-      gecos: gecos for ia_second_call@example.com
-      dir: /home/ia_second_call@example.com
-      shell: /bin/sh/ia_second_call@example.com
+      gecos: gecos for ia_second_call
+      dir: /home/ia_second_call
+      shell: /bin/sh/ia_second_call
 groups:
-    - name: ia_second_call@example.com
+    - name: ia_second_call
       gid: 1111
-      ugid: ia_second_call@example.com
-    - name: group-ia_second_call@example.com
+      ugid: ia_second_call
+    - name: group-ia_second_call
       gid: 22222
-      ugid: ugid-ia_second_call@example.com
+      ugid: ugid-ia_second_call
 users_to_groups:
     - uid: 1111
       gid: 1111

internal/services/pam/testdata/golden/TestIsAuthenticated/Error_when_user_is_locked/IsAuthenticated

@@ -1,4 +1,4 @@
 FIRST CALL:
 	access: 
 	msg: 
-	err: permission denied: user locked@example.com is locked
+	err: permission denied: user locked is locked

internal/services/pam/testdata/golden/TestIsAuthenticated/Error_when_user_is_locked/cache.db

@@ -1,9 +1,9 @@
 users:
-    - name: locked@example.com
+    - name: locked
       uid: 1111
       gid: 11111
       gecos: gecos for other user
-      dir: /home/locked@example.com
+      dir: /home/locked
       shell: /bin/bash
       broker_id: broker-id
       locked: true

internal/services/pam/testdata/golden/TestIsAuthenticated/Successfully_authenticate/cache.db

@@ -1,17 +1,17 @@
 users:
-    - name: success@example.com
+    - name: success
       uid: 1111
       gid: 1111
-      gecos: gecos for success@example.com
-      dir: /home/success@example.com
-      shell: /bin/sh/success@example.com
+      gecos: gecos for success
+      dir: /home/success
+      shell: /bin/sh/success
 groups:
-    - name: success@example.com
+    - name: success
       gid: 1111
-      ugid: success@example.com
-    - name: group-success@example.com
+      ugid: success
+    - name: group-success
       gid: 22222
-      ugid: ugid-success@example.com
+      ugid: ugid-success
 users_to_groups:
     - uid: 1111
       gid: 1111

internal/services/pam/testdata/golden/TestIsAuthenticated/Successfully_authenticate_if_first_call_is_canceled/cache.db

@@ -1,17 +1,17 @@
 users:
-    - name: ia_second_call@example.com
+    - name: ia_second_call
       uid: 1111
       gid: 1111
-      gecos: gecos for ia_second_call@example.com
-      dir: /home/ia_second_call@example.com
-      shell: /bin/sh/ia_second_call@example.com
+      gecos: gecos for ia_second_call
+      dir: /home/ia_second_call
+      shell: /bin/sh/ia_second_call
 groups:
-    - name: ia_second_call@example.com
+    - name: ia_second_call
       gid: 1111
-      ugid: ia_second_call@example.com
-    - name: group-ia_second_call@example.com
+      ugid: ia_second_call
+    - name: group-ia_second_call
       gid: 22222
-      ugid: ugid-ia_second_call@example.com
+      ugid: ugid-ia_second_call
 users_to_groups:
     - uid: 1111
       gid: 1111

internal/services/pam/testdata/golden/TestIsAuthenticated/Successfully_authenticate_user_with_uppercase/cache.db

@@ -1,17 +1,17 @@
 users:
-    - name: success@example.com
+    - name: success
       uid: 1111
       gid: 1111
-      gecos: gecos for success@example.com
-      dir: /home/success@example.com
-      shell: /bin/sh/success@example.com
+      gecos: gecos for success
+      dir: /home/success
+      shell: /bin/sh/success
 groups:
-    - name: success@example.com
+    - name: success
       gid: 1111
-      ugid: success@example.com
-    - name: group-success@example.com
+      ugid: success
+    - name: group-success
       gid: 22222
-      ugid: ugid-success@example.com
+      ugid: ugid-success
 users_to_groups:
     - uid: 1111
       gid: 1111

internal/services/pam/testdata/golden/TestIsAuthenticated/Successfully_authenticate_with_groups_with_uppercase/cache.db

@@ -1,17 +1,17 @@
 users:
-    - name: success_with_uppercase_groups@example.com
+    - name: success_with_uppercase_groups
       uid: 1111
       gid: 1111
-      gecos: gecos for success_with_uppercase_groups@example.com
-      dir: /home/success_with_uppercase_groups@example.com
-      shell: /bin/sh/success_with_uppercase_groups@example.com
+      gecos: gecos for success_with_uppercase_groups
+      dir: /home/success_with_uppercase_groups
+      shell: /bin/sh/success_with_uppercase_groups
 groups:
-    - name: success_with_uppercase_groups@example.com
+    - name: success_with_uppercase_groups
       gid: 1111
-      ugid: success_with_uppercase_groups@example.com
-    - name: group-success_with_uppercase_groups@example.com
+      ugid: success_with_uppercase_groups
+    - name: group-success_with_uppercase_groups
       gid: 22222
-      ugid: ugid-success_with_uppercase_groups@example.com
+      ugid: ugid-success_with_uppercase_groups
     - name: group1
       gid: 33333
       ugid: "12345678"

internal/services/pam/testdata/golden/TestIsAuthenticated/Update_existing_DB_on_success/cache.db

@@ -1,10 +1,10 @@
 users:
-    - name: success@example.com
+    - name: success
       uid: 1111
       gid: 1111
-      gecos: gecos for success@example.com
-      dir: /home/success@example.com
-      shell: /bin/sh/success@example.com
+      gecos: gecos for success
+      dir: /home/success
+      shell: /bin/sh/success
     - name: otheruser@example.com
       uid: 77777
       gid: 88888
@@ -13,20 +13,17 @@ users:
       shell: /bin/sh/otheruser
       broker_id: broker-id
 groups:
-    - name: success@example.com
+    - name: success
       gid: 1111
-      ugid: success@example.com
-    - name: group-success@example.com
-      gid: 22222
-      ugid: ugid-success@example.com
+      ugid: success
     - name: group-success
       gid: 88888
       ugid: ugid-success
 users_to_groups:
     - uid: 1111
       gid: 1111
     - uid: 1111
-      gid: 22222
+      gid: 88888
     - uid: 77777
       gid: 88888
 schema_version: 2

internal/services/pam/testdata/golden/TestIsAuthenticated/Update_local_groups.group

@@ -1,6 +1,6 @@
-localgroup1:x:41:otheruser@example.com,success_with_local_groups@example.com,otheruser2@example.com
-localgroup2:x:42:success_with_local_groups@example.com
-localgroup3:x:43:otheruser2@example.com,success_with_local_groups@example.com
-localgroup4:x:44:otheruser2@example.com
-cloudgroup1:x:9998:otheruser3@example.com
-cloudgroup2:x:9999:otheruser4@example.com
+localgroup1:x:41:otheruser,success_with_local_groups,otheruser2
+localgroup2:x:42:success_with_local_groups
+localgroup3:x:43:otheruser2,success_with_local_groups
+localgroup4:x:44:otheruser2
+cloudgroup1:x:9998:otheruser3
+cloudgroup2:x:9999:otheruser4

internal/services/pam/testdata/golden/TestIsAuthenticated/Update_local_groups.group.backup

@@ -1,6 +1,6 @@
-localgroup1:x:41:otheruser@example.com,success_with_local_groups@example.com,otheruser2@example.com
-localgroup2:x:42:success_with_local_groups@example.com
-localgroup3:x:43:otheruser2@example.com
-localgroup4:x:44:otheruser2@example.com
-cloudgroup1:x:9998:otheruser3@example.com
-cloudgroup2:x:9999:otheruser4@example.com
+localgroup1:x:41:otheruser,success_with_local_groups,otheruser2
+localgroup2:x:42:success_with_local_groups
+localgroup3:x:43:otheruser2
+localgroup4:x:44:otheruser2
+cloudgroup1:x:9998:otheruser3
+cloudgroup2:x:9999:otheruser4