systemtests: prepare PAM tests for account checks

This adapts the two PAM tests to work correctly with the upcoming account checks. The test bconsole-pam will also check that authorization is checked correctly (which is not yet the case, so the test currently fails). (cherry picked from commit 21f80cc)
bareos · Mar 12, 2022 · a25a1fc · a25a1fc
1 parent a6b754f
commit a25a1fc
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 3 deletions.
diff --git a/systemtests/tests/bconsole-pam/bin/pam_exec_check.sh b/systemtests/tests/bconsole-pam/bin/pam_exec_check.sh
@@ -1,7 +1,7 @@
-#!/bin/sh
+#!/usr/bin/env bash
 #   BAREOS® - Backup Archiving REcovery Open Sourced
 #
-#   Copyright (C) 2019-2020 Bareos GmbH & Co. KG
+#   Copyright (C) 2019-2022 Bareos GmbH & Co. KG
 #
 #   This program is Free Software; you can redistribute it and/or
 #   modify it under the terms of version three of the GNU Affero General Public
@@ -60,8 +60,17 @@ RC_NOK=2
 echo "$0"
 #echo "current user: $USER ($UID)"
 
+if [ "$PAM_TYPE" = "account" ]; then
+  if [[ "${PAM_USER}" = *locked ]]; then
+    echo "User ${PAM_USER} is locked"
+    exit $RC_NOK
+  fi
+  echo "User ${PAM_USER} authorized"
+  exit $RC_OK
+fi
+
 if [ "$PAM_TYPE" != "auth" ]; then
-    echo "only pam type auth supported, not $PAM_TYPE"
+    echo "only pam types auth and account supported, not $PAM_TYPE"
     exit $RC_SKIP
 fi
 

diff --git a/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user4locked.conf b/systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user4locked.conf
@@ -0,0 +1,5 @@
+User {
+   # this user's account is invalidated through PAM
+   Name = "user4locked"
+   Profile = operator
+}
diff --git a/systemtests/tests/bconsole-pam/etc/pam.d/bareos.in b/systemtests/tests/bconsole-pam/etc/pam.d/bareos.in
@@ -2,3 +2,4 @@
 # PAM settings for service bareos.
 #
 auth        required     pam_exec.so  expose_authtok debug quiet log=@PROJECT_BINARY_DIR@/tests/@TEST_NAME@/log/pam_exec_check.log @PROJECT_BINARY_DIR@/tests/@TEST_NAME@/bin/pam_exec_check.sh
+account        required     pam_exec.so  expose_authtok debug quiet log=@PROJECT_BINARY_DIR@/tests/@TEST_NAME@/log/pam_exec_check.log @PROJECT_BINARY_DIR@/tests/@TEST_NAME@/bin/pam_exec_check.sh
diff --git a/systemtests/tests/bconsole-pam/etc/user4locked.cred b/systemtests/tests/bconsole-pam/etc/user4locked.cred
@@ -0,0 +1,2 @@
+user4locked
+user4locked
diff --git a/systemtests/tests/bconsole-pam/testrunner b/systemtests/tests/bconsole-pam/testrunner
@@ -132,6 +132,15 @@ if ! grep -q "Running Jobs:" "${tmp}"/log5.out; then
   exit 1
 fi
 
+if "${BAREOS_BCONSOLE_BINARY}" -c "${conf}" -p etc/user4locked.cred < "$tmp"/bconcmds >"${tmp}"/log7.out 2>"${tmp}"/err7.out; then
+  cat "${tmp}"/log7.out
+  cat "${tmp}"/err7.out
+  set_error "Login as user user4locked succeeded. This should NOT happen."
+  exit 1
+fi
+
+print_debug "OK: login as user4locked failed."
+
 
 if ! ${rscripts}/bareos-ctl-dir status >/dev/null; then
   set_error "Director does not run anymore. This should not happen."

diff --git a/systemtests/tests/python-pam/etc/pam.d/bareos.in b/systemtests/tests/python-pam/etc/pam.d/bareos.in
@@ -2,3 +2,4 @@
 # PAM settings for service bareos.
 #
 auth        required     pam_exec.so  expose_authtok debug quiet log=@PROJECT_BINARY_DIR@/tests/@TEST_NAME@/log/pam_exec_check.log @PROJECT_BINARY_DIR@/tests/@TEST_NAME@/bin/pam_exec_check.sh
+account     required     pam_permit.so