URL: https://github.com/SSSD/sssd/pull/141 Author: fidencio Title: #141: PAM: Use cache_req_user_by_name_*() Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/141/head:pr141 git checkout pr141
From e771e8137364732395d2ed94c3f760d8801e6d0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Thu, 2 Feb 2017 13:06:30 +0100 Subject: [PATCH 1/3] CACHE_REQ: Add cache_req_data_set_bypass_cache() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As the PAM responder doesn't use the cache in the same way as the other responders do, this function is needed to be sure we just check in case the user is found in our in-memory hash-table, which means the initgroups was done in a very short interval, otherwise we just go to the Data Provider directly. Related: https://fedorahosted.org/sssd/ticket/1126 Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> --- src/responder/common/cache_req/cache_req.h | 4 ++++ src/responder/common/cache_req/cache_req_data.c | 7 +++++++ src/responder/common/cache_req/cache_req_private.h | 2 ++ src/responder/common/cache_req/cache_req_search.c | 2 +- 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h index 7700091..6f9743f 100644 --- a/src/responder/common/cache_req/cache_req.h +++ b/src/responder/common/cache_req/cache_req.h @@ -103,6 +103,10 @@ cache_req_data_svc(TALLOC_CTX *mem_ctx, const char *protocol, uint16_t port); +void +cache_req_data_set_bypass_cache(struct cache_req_data *data, + bool bypass_cache); + /* Output data. */ struct cache_req_result { diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c index d056478..20f5602 100644 --- a/src/responder/common/cache_req/cache_req_data.c +++ b/src/responder/common/cache_req/cache_req_data.c @@ -318,3 +318,10 @@ cache_req_data_svc(TALLOC_CTX *mem_ctx, return cache_req_data_create(mem_ctx, type, &input); } + +void +cache_req_data_set_bypass_cache(struct cache_req_data *data, + bool bypass_cache) +{ + data->bypass_cache = bypass_cache; +} diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h index e79fe86..4c5b01a 100644 --- a/src/responder/common/cache_req/cache_req_private.h +++ b/src/responder/common/cache_req/cache_req_private.h @@ -88,6 +88,8 @@ struct cache_req_data { struct cache_req_cased_name protocol; uint16_t port; } svc; + + bool bypass_cache; }; struct tevent_req * diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c index aabff38..1c4d066 100644 --- a/src/responder/common/cache_req/cache_req_search.c +++ b/src/responder/common/cache_req/cache_req_search.c @@ -278,7 +278,7 @@ cache_req_search_send(TALLOC_CTX *mem_ctx, */ state->result = NULL; status = CACHE_OBJECT_MISSING; - if (!cr->plugin->bypass_cache) { + if (!cr->plugin->bypass_cache && !cr->data->bypass_cache) { ret = cache_req_search_cache(state, cr, &state->result); if (ret != EOK && ret != ENOENT) { goto done; From efd409f8b4fc785976c8988fc662ca594b9e0aee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Thu, 2 Feb 2017 13:19:18 +0100 Subject: [PATCH 2/3] PAM: Use cache_req to perform initgroups lookups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PAM responder has been already taking advantage of the cache_req interface, so this patch is just is just replacing some code that performs initgroups lookups by using cache_req to do so. Resolves: https://fedorahosted.org/sssd/ticket/1126 Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> --- src/responder/pam/pamsrv_cmd.c | 361 +++++++---------------------------------- 1 file changed, 63 insertions(+), 298 deletions(-) diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index e73a819..f158f29 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -1016,43 +1016,9 @@ static void pam_handle_cached_login(struct pam_auth_req *preq, int ret, static void pam_forwarder_cb(struct tevent_req *req); static void pam_forwarder_cert_cb(struct tevent_req *req); -static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min, - const char *err_msg, void *ptr); static int pam_check_user_search(struct pam_auth_req *preq); static int pam_check_user_done(struct pam_auth_req *preq, int ret); -static errno_t pam_cmd_assume_upn(struct pam_auth_req *preq) -{ - int ret; - - if (!preq->pd->name_is_upn - && preq->pd->logon_name != NULL - && strchr(preq->pd->logon_name, '@') != NULL) { - DEBUG(SSSDBG_TRACE_ALL, - "No entry found so far, trying UPN/email lookup with [%s].\n", - preq->pd->logon_name); - /* Assuming Kerberos principal */ - preq->domain = preq->cctx->rctx->domains; - preq->check_provider = - NEED_CHECK_PROVIDER(preq->domain->provider); - preq->pd->user = talloc_strdup(preq->pd, preq->pd->logon_name); - if (preq->pd->user == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); - return ENOMEM; - } - preq->pd->name_is_upn = true; - preq->pd->domain = NULL; - - ret = pam_check_user_search(preq); - if (ret == EOK) { - pam_dom_forwarder(preq); - } - return EOK; - } - - return ENOENT; -} - /* TODO: we should probably return some sort of cookie that is set in the * PAM_ENVIRONMENT, so that we can save performing some calls and cache @@ -1348,11 +1314,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) preq->check_provider = NEED_CHECK_PROVIDER(preq->domain->provider); ret = pam_check_user_search(preq); - if (ret == EOK) { - pam_dom_forwarder(preq); - } else if (ret == ENOENT) { - ret = pam_cmd_assume_upn(preq); - } done: return pam_check_user_done(preq, ret); @@ -1392,9 +1353,6 @@ static void pam_forwarder_cert_cb(struct tevent_req *req) ret = ENOENT; } else { ret = pam_check_user_search(preq); - if (ret == EOK) { - pam_dom_forwarder(preq); - } } } @@ -1476,9 +1434,6 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) } ret = pam_check_user_search(preq); - if (ret == EOK) { - pam_dom_forwarder(preq); - } done: pam_check_user_done(preq, ret); @@ -1538,11 +1493,6 @@ static void pam_forwarder_cb(struct tevent_req *req) } ret = pam_check_user_search(preq); - if (ret == EOK) { - pam_dom_forwarder(preq); - } else if (ret == ENOENT) { - ret = pam_cmd_assume_upn(preq); - } done: pam_check_user_done(preq, ret); @@ -1551,233 +1501,90 @@ static void pam_forwarder_cb(struct tevent_req *req) static void pam_dp_send_acct_req_done(struct tevent_req *req); static int pam_check_user_search(struct pam_auth_req *preq) { - struct sss_domain_info *dom = preq->domain; - char *name = NULL; - time_t cacheExpire; int ret; struct tevent_req *dpreq; - struct dp_callback_ctx *cb_ctx; - struct pam_ctx *pctx = - talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); - static const char *user_attrs[] = SYSDB_PW_ATTRS; - struct ldb_message *msg; - struct ldb_result *res; - const char *sysdb_name; - - while (dom) { - /* if it is a domainless search, skip domains that require fully - * qualified names instead */ - while (dom && !preq->pd->domain && !preq->pd->name_is_upn - && dom->fqnames) { - dom = get_next_domain(dom, 0); - } - - if (!dom) break; - - if (dom != preq->domain) { - /* make sure we reset the check_provider flag when we check - * a new domain */ - preq->check_provider = NEED_CHECK_PROVIDER(dom->provider); - } - - /* make sure to update the preq if we changed domain */ - preq->domain = dom; - - talloc_free(name); - - name = sss_resp_create_fqname(preq, pctx->rctx, dom, - preq->pd->name_is_upn, - preq->pd->user); - if (name == NULL) { - return ENOMEM; - } - - /* Refresh the user's cache entry on any PAM query - * We put a timeout in the client context so that we limit - * the number of updates within a reasonable timeout - */ - if (preq->check_provider) { - ret = pam_initgr_check_timeout(pctx->id_table, - preq->pd->logon_name); - if (ret != EOK - && ret != ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, - "Could not look up initgroup timout\n"); - return EIO; - } else if (ret == ENOENT) { - /* Call provider first */ - break; - } - /* Entry is still valid, get it from the sysdb */ - } - - DEBUG(SSSDBG_CONF_SETTINGS, "Requesting info for [%s]\n", name); - - if (dom->sysdb == NULL) { - DEBUG(SSSDBG_FATAL_FAILURE, - "Fatal: Sysdb CTX not found for this domain!\n"); - preq->pd->pam_status = PAM_SYSTEM_ERR; - return EFAULT; - } - - if (preq->pd->name_is_upn) { - ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg); - if (ret == EOK) { - /* Since sysdb_search_user_by_upn() searches the whole cache we - * have to set the domain so that it matches the result. */ - sysdb_name = ldb_msg_find_attr_as_string(msg, - SYSDB_NAME, NULL); - if (sysdb_name == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n"); - return EINVAL; - } - preq->domain = find_domain_by_object_name( - get_domains_head(dom), - sysdb_name); - if (preq->domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot find matching domain for [%s].\n", - sysdb_name); - return EINVAL; - } - } - } else { - ret = sysdb_getpwnam_with_views(preq, dom, name, &res); - if (res->count > 1) { - DEBUG(SSSDBG_FATAL_FAILURE, - "getpwnam call returned more than one result !?!\n"); - sss_log(SSS_LOG_ERR, - "More users have the same name [%s@%s] in SSSD cache. " - "SSSD will not work correctly.\n", - name, dom->name); - return ENOENT; - } else if (res->count == 0) { - ret = ENOENT; - } else { - msg = res->msgs[0]; - } - } - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Failed to make request to our cache!\n"); - return EIO; - } - - if (ret == ENOENT) { - if (preq->check_provider == false) { - /* set negative cache only if not result of cache check */ - ret = sss_ncache_set_user(pctx->rctx->ncache, - false, dom, preq->pd->user); - if (ret != EOK) { - /* Should not be fatal, just slower next time */ - DEBUG(SSSDBG_MINOR_FAILURE, - "Cannot set ncache for [%s@%s]\n", name, - dom->name); - } - } - - /* if a multidomain search, try with next */ - if (!preq->pd->domain) { - dom = get_next_domain(dom, 0); - continue; - } - - DEBUG(SSSDBG_OP_FAILURE, "No results for getpwnam call\n"); - - /* TODO: store negative cache ? */ - - return ENOENT; - } - - /* One result found */ - - /* if we need to check the remote account go on */ - if (preq->check_provider) { - cacheExpire = ldb_msg_find_attr_as_uint64(msg, - SYSDB_CACHE_EXPIRE, 0); - if (cacheExpire < time(NULL)) { - break; - } - } - - DEBUG(SSSDBG_TRACE_FUNC, - "Returning info for user [%s@%s]\n", name, dom->name); + struct pam_ctx *pctx; + struct cache_req_data *data; - /* We might have searched by alias. Pass on the primary name */ - ret = pd_set_primary_name(msg, preq->pd); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n"); - return ret; - } + data = cache_req_data_name(preq, + CACHE_REQ_INITGROUPS, + preq->pd->logon_name); - return EOK; + pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); + ret = pam_initgr_check_timeout(pctx->id_table, + preq->pd->logon_name); + if (ret == EOK) { + /* Entry is still valid, force to lookup in the cache first */ + cache_req_data_set_bypass_cache(data, false); + } else if (ret == ENOENT) { + /* Call the data provider first */ + cache_req_data_set_bypass_cache(data, true); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Could not look up initgroup timout\n"); + return EIO; } - if (!dom) { - /* Ensure that we don't try to check a provider without a domain, - * since this will cause a NULL-dereference below. - */ - preq->check_provider = false; + dpreq = cache_req_send(preq, + preq->cctx->rctx->ev, + preq->cctx->rctx, + preq->cctx->rctx->ncache, + 0, + preq->pd->domain, + data); + if (!dpreq) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Out of memory sending data provider request\n"); + return ENOMEM; } - if (preq->check_provider) { - - /* dont loop forever :-) */ - preq->check_provider = false; - - dpreq = sss_dp_get_account_send(preq, preq->cctx->rctx, - dom, false, SSS_DP_INITGROUPS, name, 0, - preq->pd->name_is_upn ? EXTRA_NAME_IS_UPN : NULL); - if (!dpreq) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Out of memory sending data provider request\n"); - return ENOMEM; - } + tevent_req_set_callback(dpreq, pam_dp_send_acct_req_done, preq); - cb_ctx = talloc_zero(preq, struct dp_callback_ctx); - if(!cb_ctx) { - talloc_zfree(dpreq); - return ENOMEM; - } - - cb_ctx->callback = pam_check_user_dp_callback; - cb_ctx->ptr = preq; - cb_ctx->cctx = preq->cctx; - cb_ctx->mem_ctx = preq; - - tevent_req_set_callback(dpreq, pam_dp_send_acct_req_done, cb_ctx); - - /* tell caller we are in an async call */ - return EAGAIN; - } - - DEBUG(SSSDBG_MINOR_FAILURE, - "No matching domain found for [%s], fail!\n", preq->pd->user); - return ENOENT; + /* tell caller we are in an async call */ + return EAGAIN; } static void pam_dp_send_acct_req_done(struct tevent_req *req) { - struct dp_callback_ctx *cb_ctx = - tevent_req_callback_data(req, struct dp_callback_ctx); + struct cache_req_result *result; + struct pam_auth_req *preq; + struct pam_ctx *pctx; + int ret; - errno_t ret; - dbus_uint16_t err_maj; - dbus_uint32_t err_min; - char *err_msg; + preq = tevent_req_callback_data(req, struct pam_auth_req); + pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); - ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req, - &err_maj, &err_min, - &err_msg); + ret = cache_req_single_domain_recv(preq, req, &result); talloc_zfree(req); - if (ret != EOK) { + if (ret != EOK && ret != ENOENT) { DEBUG(SSSDBG_CRIT_FAILURE, "Fatal error, killing connection!\n"); - talloc_free(cb_ctx->cctx); + talloc_zfree(preq->cctx); return; } - cb_ctx->callback(err_maj, err_min, err_msg, cb_ctx->ptr); + if (ret == EOK) { + pd_set_primary_name(result->msgs[0], preq->pd); + preq->domain = result->domain; + + ret = pam_initgr_cache_set(pctx->rctx->ev, + pctx->id_table, + preq->pd->logon_name, + pctx->id_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not save initgr timestamp." + "Proceeding with PAM actions\n"); + } + + pam_dom_forwarder(preq); + } + + ret = pam_check_user_done(preq, ret); + if (ret != EOK) { + preq->pd->pam_status = PAM_SYSTEM_ERR; + pam_reply(preq); + } } static int pam_check_user_done(struct pam_auth_req *preq, int ret) @@ -1809,48 +1616,6 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret) return EOK; } -static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min, - const char *err_msg, void *ptr) -{ - struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req); - int ret; - struct pam_ctx *pctx = - talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); - - if (err_maj) { - DEBUG(SSSDBG_OP_FAILURE, - "Unable to get information from Data Provider\n" - "Error: %u, %u, %s\n", - (unsigned int)err_maj, (unsigned int)err_min, err_msg); - } - - ret = pam_check_user_search(preq); - if (ret == EOK) { - /* Make sure we don't go to the ID provider too often */ - ret = pam_initgr_cache_set(pctx->rctx->ev, pctx->id_table, - preq->pd->logon_name, pctx->id_timeout); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Could not save initgr timestamp. " - "Proceeding with PAM actions\n"); - /* This is non-fatal, we'll just end up going to the - * data provider again next time. - */ - } - - pam_dom_forwarder(preq); - } else if (ret == ENOENT) { - ret = pam_cmd_assume_upn(preq); - } - - ret = pam_check_user_done(preq, ret); - - if (ret) { - preq->pd->pam_status = PAM_SYSTEM_ERR; - pam_reply(preq); - } -} - static errno_t pam_is_last_online_login_fresh(struct sss_domain_info *domain, const char* user, int cached_auth_timeout, From 11223a624ca043415944f27001d4e3e0ec506e43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Mon, 6 Feb 2017 11:05:16 +0100 Subject: [PATCH 3/3] TESTS: Adapt pam-srv-tests to deal with cache_req related changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Similar to what happened for nss-srv-tests, there were a few kind of changes required to fix the tests breakage caused by the last commit. 1) For tests including no user, no changed was required. 2) As we call an equivalent to "get by name" command, a name is parsed with sss_parse_inp and the returned value is now mocked. 3) For the "cache_auth_success*" tests we set pam_test_ctx->tctx->done to false after adding the password to the cache, since the code now contains tevent calls and without it only the first request proceeds into tevent_loop in test_ev_loop(), as the first finished request sets done to true. 4) As the user certificate is added as a result of calling sss_dp_account_recv and the certificate value is read by the certificate lookup, we have to, in case a certificate lookup callback is set, call mock_account_recv() for the certificate before going through the mock_account_recv() for the initgroup. Co-Author: Pavel Březina <pbrez...@redhat.com> Resolves: https://fedorahosted.org/sssd/ticket/1126 Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> --- src/tests/cmocka/test_pam_srv.c | 59 +++++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 23 deletions(-) diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index 3b8327e..bc3b452 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -552,10 +552,14 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name, will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); will_return(__wrap_sss_packet_get_body, buf); will_return(__wrap_sss_packet_get_body, buf_size); + + mock_parse_inp(name, NULL, EOK); + mock_account_recv(0, 0, NULL, NULL, NULL); } static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name, - const char *pin, const char *service) + const char *pin, const char *service, + acct_cb_t acct_cb, const char *cert) { size_t buf_size; uint8_t *m_buf; @@ -598,6 +602,15 @@ static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name, will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); will_return(__wrap_sss_packet_get_body, buf); will_return(__wrap_sss_packet_get_body, buf_size); + + if (acct_cb != NULL) { + mock_account_recv(0, 0, NULL, acct_cb, discard_const(cert)); + } + + if (name != NULL) { + mock_parse_inp(name, NULL, EOK); + mock_account_recv(0, 0, NULL, NULL, NULL); + } } static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen) @@ -1010,6 +1023,8 @@ void test_pam_cached_auth_success(void **state) /* Reset before next call */ pam_test_ctx->provider_contacted = false; + pam_test_ctx->tctx->done = false; + common_test_pam_cached_auth("12345"); /* Back end should not be contacted */ @@ -1096,6 +1111,8 @@ void test_pam_cached_auth_success_combined_pw_with_cached_2fa(void **state) /* Reset before next call */ pam_test_ctx->provider_contacted = false; + pam_test_ctx->tctx->done = false; + common_test_pam_cached_auth("12345678"); assert_false(pam_test_ctx->provider_contacted); @@ -1478,7 +1495,7 @@ void test_pam_preauth_no_logon_name(void **state) { int ret; - mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL); + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); @@ -1505,7 +1522,7 @@ void test_pam_preauth_cert_nocert(void **state) set_cert_auth_param(pam_test_ctx->pctx, "/no/path"); - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL); + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); @@ -1584,11 +1601,11 @@ void test_pam_preauth_cert_nomatch(void **state) set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL); + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, + test_lookup_by_cert_cb, NULL); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); - mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, NULL); set_cmd_cb(test_pam_simple_check); ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, @@ -1606,12 +1623,11 @@ void test_pam_preauth_cert_match(void **state) set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL); + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, + test_lookup_by_cert_cb, TEST_TOKEN_CERT); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); - mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, - discard_const(TEST_TOKEN_CERT)); set_cmd_cb(test_pam_cert_check); ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, @@ -1630,12 +1646,11 @@ void test_pam_preauth_cert_match_gdm_smartcard(void **state) set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, "gdm-smartcard"); + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, "gdm-smartcard", + test_lookup_by_cert_cb, TEST_TOKEN_CERT); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); - mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, - discard_const(TEST_TOKEN_CERT)); set_cmd_cb(test_pam_cert_check_gdm_smartcard); ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, @@ -1653,12 +1668,12 @@ void test_pam_preauth_cert_match_wrong_user(void **state) set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL); + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, + test_lookup_by_cert_wrong_user_cb, + TEST_TOKEN_CERT); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); - mock_account_recv(0, 0, NULL, test_lookup_by_cert_wrong_user_cb, - discard_const(TEST_TOKEN_CERT)); set_cmd_cb(test_pam_simple_check); ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, @@ -1677,12 +1692,11 @@ void test_pam_preauth_cert_no_logon_name(void **state) set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL); + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, + test_lookup_by_cert_cb, TEST_TOKEN_CERT); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); - mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, - discard_const(TEST_TOKEN_CERT)); set_cmd_cb(test_pam_cert_check); ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, @@ -1700,7 +1714,7 @@ void test_pam_preauth_no_cert_no_logon_name(void **state) set_cert_auth_param(pam_test_ctx->pctx, "/no/path"); - mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL); + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); @@ -1721,11 +1735,11 @@ void test_pam_preauth_cert_no_logon_name_no_match(void **state) set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL); + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, + test_lookup_by_cert_cb, NULL); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); - mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, NULL); set_cmd_cb(test_pam_user_unknown_check); ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, @@ -1743,12 +1757,11 @@ void test_pam_cert_auth(void **state) set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL); + mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL, + test_lookup_by_cert_cb, TEST_TOKEN_CERT); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); - mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, - discard_const(TEST_TOKEN_CERT)); set_cmd_cb(test_pam_simple_check); ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
