account PAM interface calls acct_mgmt function in handler

ethho · ethho · commit d2e9cc6b9712 · 2024-02-23T13:14:24.000-06:00
diff --git a/pam-oidc/src/lib.rs b/pam-oidc/src/lib.rs
@@ -148,23 +148,29 @@ impl PamServiceModule for PamCustom {
     }
 
     fn chauthtok(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("chauthtok called.");
         PamError::SUCCESS
     }
 
     fn open_session(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("open_session called.");
         PamError::SUCCESS
     }
 
     fn close_session(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("close_session called.");
         PamError::SUCCESS
     }
 
     fn setcred(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("setcred called.");
         PamError::SUCCESS
     }
 
     fn acct_mgmt(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {
+        info!("acct_mgmt called.");
         PamError::SUCCESS
+        // PamError::USER_UNKNOWN
     }
 }
 
diff --git a/tests/test.sh b/tests/test.sh
@@ -1,46 +1,13 @@
 #!/bin/bash
 
-# set -a && . .env && ./tests/test.sh mariadb && set +a
-# set -a && . .env && ./tests/test.sh percona && set +a
-
-mariadb() {
-    set -e
-    ROOT_PASSWORD=simple
-    docker rm -f database
-    docker run --name database -de MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} mariadb:10.7 # does not work with latest and non-v1
-    until docker exec -it database mysql -h 127.0.0.1 -uroot -p${ROOT_PASSWORD} -e "SELECT 1;" 1>/dev/null
-    do
-        echo waiting...
-        sleep 5
-    done
-    docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "INSTALL SONAME 'auth_pam_v1';"
-    docker cp ./config/service_example database:/etc/pam.d/oidc
-    docker cp ./pam-oidc/target/debug/libpam_oidc.so database:/lib/x86_64-linux-gnu/security/libpam_oidc.so
-    docker exec -it database mkdir /etc/datajoint
-    docker cp ./config/libpam_oidc.yaml database:/etc/datajoint/
-    docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "CREATE USER '${DJ_AUTH_USER}'@'%' IDENTIFIED VIA pam USING 'oidc';"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -pdeny -e "SELECT 'delegated to oidc' as login;"
-}
-
-percona() {
-    set -e
-    ROOT_PASSWORD=simple
-    docker rm -f database
-    docker run --name database -de MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} --entrypoint bash percona:8 -c "echo 'plugin_load_add = auth_pam.so' >> /etc/my.cnf && /docker-entrypoint.sh mysqld"
-    until docker exec -it database mysql -h 127.0.0.1 -uroot -p${ROOT_PASSWORD} -e "SELECT 1;" 1>/dev/null
-    do
-        echo waiting...
-        sleep 5
-    done
-    docker cp ./config/service_example database:/etc/pam.d/oidc
-    docker cp ./pam-oidc/target/debug/libpam_oidc.so database:/usr/lib64/security/libpam_oidc.so
-    docker exec -itu root database mkdir /etc/datajoint
-    docker cp ./config/libpam_oidc.yaml database:/etc/datajoint/
-    docker exec -it database mysql -uroot -p${ROOT_PASSWORD} -e "CREATE USER '${DJ_AUTH_USER}'@'%' IDENTIFIED WITH auth_pam AS 'oidc';"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -p${DJ_AUTH_PASSWORD} -e "SELECT 'delegated to oidc' as login;"
-    docker exec -it database mysql -h 127.0.0.1 -u${DJ_AUTH_USER} -pdeny -e "SELECT 'delegated to oidc' as login;"
-}
-
+# Usage:
+# ./tests/test.sh '<demouser_password>'
+
+docker compose up --build -d --wait percona
+docker compose exec percona mysql -hlocalhost -uroot -ppassword -e "CREATE USER 'demouser'@'%' IDENTIFIED WITH auth_pam AS 'oidc';"
+docker compose exec percona mysql -hlocalhost -uroot -ppassword -e "SHOW PLUGINS;" | grep auth_pam
+docker compose exec percona mysql -hlocalhost -udemouser -p"$1" -e "SELECT 1;" || echo "Failed to authenticate with real password"
+docker compose exec percona mysql -hlocalhost -udemouser -p'bogus_password' -e "SELECT 1;" || echo "Failed to authenticate for bogus password"
+sleep 3
+docker compose logs percona
+docker compose down

Original file line number	Diff line number	Diff line change
`@@ -148,23 +148,29 @@ impl PamServiceModule for PamCustom {`
`148`	`148`	`}`
`149`	`149`
`150`	`150`	`fn chauthtok(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {`
	`151`	`+ info!("chauthtok called.");`
`151`	`152`	`PamError::SUCCESS`
`152`	`153`	`}`
`153`	`154`
`154`	`155`	`fn open_session(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {`
	`156`	`+ info!("open_session called.");`
`155`	`157`	`PamError::SUCCESS`
`156`	`158`	`}`
`157`	`159`
`158`	`160`	`fn close_session(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {`
	`161`	`+ info!("close_session called.");`
`159`	`162`	`PamError::SUCCESS`
`160`	`163`	`}`
`161`	`164`
`162`	`165`	`fn setcred(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {`
	`166`	`+ info!("setcred called.");`
`163`	`167`	`PamError::SUCCESS`
`164`	`168`	`}`
`165`	`169`
`166`	`170`	`fn acct_mgmt(_pamh: Pam, _flags: PamFlags, _args: Vec<String>) -> PamError {`
	`171`	`+ info!("acct_mgmt called.");`
`167`	`172`	`PamError::SUCCESS`
	`173`	`+ // PamError::USER_UNKNOWN`
`168`	`174`	`}`
`169`	`175`	`}`
`170`	`176`