Пример #1
0
    def setUp(self):
        self.system_auth_string = """#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth      \trequired\tpam_env.so
auth      \tsufficient\tpam_unix.so nullok try_first_pass
auth      \trequisite\tpam_succeed_if.so uid
auth      \trequired\tpam_deny.so
auth      \tsufficient\tpam_rootok.so

account   \trequired\tpam_unix.so
account   \tsufficient\tpam_localuser.so
account   \tsufficient\tpam_succeed_if.so uid
account		[success=1 default=ignore] \
\t\t\t\tpam_succeed_if.so user = vagrant use_uid quiet
account   \trequired\tpam_permit.so
account   \trequired\tpam_access.so listsep=,
session   \tinclude\tsystem-auth

password  \trequisite\tpam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  \tsufficient\tpam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  \trequired\tpam_deny.so

session   \toptional\tpam_keyinit.so revoke
session   \trequired\tpam_limits.so
-session  \toptional\tpam_systemd.so
session   \t[success=1 default=ignore]\tpam_succeed_if.so service in crond quiet use_uid
session   \t[success=1 test=me default=ignore]\tpam_succeed_if.so service in crond quiet use_uid
session   \trequired\tpam_unix.so
@include  \tcommon-auth
@include  \tcommon-account
@include  \tcommon-session"""

        self.pamd = PamdService()
        self.pamd.load_rules_from_string(self.system_auth_string)
Пример #2
0
    def setUp(self):
        self.system_auth_string = """#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth      	required	pam_env.so
auth      	sufficient	pam_unix.so nullok try_first_pass
auth      	requisite	pam_succeed_if.so uid
auth      	required	pam_deny.so

account   	required	pam_unix.so
account   	sufficient	pam_localuser.so
account   	sufficient	pam_succeed_if.so uid
account   	required	pam_permit.so

password  	requisite	pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  	sufficient	pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  	required	pam_deny.so

session   	optional	pam_keyinit.so revoke
session   	required	pam_limits.so
-session  	optional	pam_systemd.so
session   	[success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid
session   	[success=1 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid
session   	required	pam_unix.so"""

        self.pamd = PamdService()
        self.pamd.load_rules_from_string(self.system_auth_string)
Пример #3
0
 def test_insert_before_first_rule_simple(self):
     simple_service = PamdService(self.simple_system_auth_string)
     self.assertTrue(
         simple_service.insert_before('auth',
                                      'required',
                                      'pam_env.so',
                                      new_type='account',
                                      new_control='required',
                                      new_path='pam_limits.so'))
Пример #4
0
    def setUp(self):
        self.system_auth_string = """#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth      	required	pam_env.so
auth      	sufficient	pam_unix.so nullok try_first_pass
auth      	requisite	pam_succeed_if.so uid
auth      	required	pam_deny.so

account   	required	pam_unix.so
account   	sufficient	pam_localuser.so
account   	sufficient	pam_succeed_if.so uid
account   	required	pam_permit.so

password  	requisite	pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  	sufficient	pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  	required	pam_deny.so

session   	optional	pam_keyinit.so revoke
session   	required	pam_limits.so
-session  	optional	pam_systemd.so
session   	[success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid
session   	[success=1 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid
session   	required	pam_unix.so"""

        self.pamd = PamdService()
        self.pamd.load_rules_from_string(self.system_auth_string)
Пример #5
0
    def setUp(self):
        self.system_auth_string = """#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth      \trequired\tpam_env.so
auth      \tsufficient\tpam_unix.so nullok try_first_pass
auth      \trequisite\tpam_succeed_if.so uid
auth      \trequired\tpam_deny.so
auth      \tsufficient\tpam_rootok.so

account   \trequired\tpam_unix.so
account   \tsufficient\tpam_localuser.so
account   \tsufficient\tpam_succeed_if.so uid
account		[success=1 default=ignore] \
\t\t\t\tpam_succeed_if.so user = vagrant use_uid quiet
account   \trequired\tpam_permit.so
account   \trequired\tpam_access.so listsep=,
session   \tinclude\tsystem-auth

password  \trequisite\tpam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  \tsufficient\tpam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  \trequired\tpam_deny.so

session   \toptional\tpam_keyinit.so revoke
session   \trequired\tpam_limits.so
-session  \toptional\tpam_systemd.so
session   \t[success=1 default=ignore]\tpam_succeed_if.so service in crond quiet use_uid
session   \t[success=1 test=me default=ignore]\tpam_succeed_if.so service in crond quiet use_uid
session   \trequired\tpam_unix.so
@include  \tcommon-auth
@include  \tcommon-account
@include  \tcommon-session"""

        self.pamd = PamdService()
        self.pamd.load_rules_from_string(self.system_auth_string)
Пример #6
0
    def setUp(self):
        self.system_auth_string = """#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
@include   common-auth
@include   common-account
@include   common-session
auth       required pam_env.so
auth       sufficient pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid
auth       required pam_deny.so
# Test comment
auth       sufficient pam_rootok.so

account    required pam_unix.so
account    sufficient pam_localuser.so
account    sufficient pam_succeed_if.so uid
account		[success=1 default=ignore] \
    pam_succeed_if.so user = vagrant use_uid quiet
account    required pam_permit.so
account    required pam_access.so listsep=,
session    include system-auth

password   requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password   sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   required pam_deny.so

session    optional pam_keyinit.so revoke
session    required pam_limits.so
-session   optional pam_systemd.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    [success=1 test=me default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required pam_unix.so"""

        self.simple_system_auth_string = """#%PAM-1.0
        auth       required pam_env.so
"""

        self.no_header_system_auth_string = """auth       required pam_env.so
auth       sufficient pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid
auth       required pam_deny.so
"""

        self.pamd = PamdService(self.system_auth_string)
Пример #7
0
class PamdServiceTestCase(unittest.TestCase):
    def setUp(self):
        self.system_auth_string = """#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth      \trequired\tpam_env.so
auth      \tsufficient\tpam_unix.so nullok try_first_pass
auth      \trequisite\tpam_succeed_if.so uid
auth      \trequired\tpam_deny.so
auth      \tsufficient\tpam_rootok.so

account   \trequired\tpam_unix.so
account   \tsufficient\tpam_localuser.so
account   \tsufficient\tpam_succeed_if.so uid
account		[success=1 default=ignore] \
\t\t\t\tpam_succeed_if.so user = vagrant use_uid quiet
account   \trequired\tpam_permit.so
account   \trequired\tpam_access.so listsep=,
session   \tinclude\tsystem-auth

password  \trequisite\tpam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  \tsufficient\tpam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  \trequired\tpam_deny.so

session   \toptional\tpam_keyinit.so revoke
session   \trequired\tpam_limits.so
-session  \toptional\tpam_systemd.so
session   \t[success=1 default=ignore]\tpam_succeed_if.so service in crond quiet use_uid
session   \t[success=1 test=me default=ignore]\tpam_succeed_if.so service in crond quiet use_uid
session   \trequired\tpam_unix.so
@include  \tcommon-auth
@include  \tcommon-account
@include  \tcommon-session"""

        self.pamd = PamdService()
        self.pamd.load_rules_from_string(self.system_auth_string)

    def test_update_rule_type(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring('session      	required	pam_env.so')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_control_simple(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring('auth      	sufficent	pam_env.so')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_control_complex(self):
        old_rule = PamdRule.rulefromstring(
            'session   	[success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid'
        )
        new_rule = PamdRule.rulefromstring(
            'session   	[success=2 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid'
        )
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_control_more_complex(self):
        old_rule = PamdRule.rulefromstring(
            'session   	[success=1 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid'
        )
        new_rule = PamdRule.rulefromstring(
            'session   	[success=2 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid'
        )
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_module_path(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring(
            'session      	required	pam_limits.so')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_module_path_slash(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring(
            'auth      	required	/lib64/security/pam_duo.so')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_module_args(self):
        old_rule = PamdRule.rulefromstring(
            'auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring(
            'auth      	sufficient	pam_unix.so uid uid')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_first_three(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring('one      	two	three')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_first_three_with_module_args(self):
        old_rule = PamdRule.rulefromstring(
            'auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring('one      	two	three')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_all_four(self):
        old_rule = PamdRule.rulefromstring(
            'auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring('one      	two	three four five')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_insert_before_rule(self):
        old_rule = PamdRule.rulefromstring('account   	required	pam_unix.so')
        new_rule = PamdRule.rulefromstring('account   	required	pam_permit.so')
        insert_before_rule(self.pamd, old_rule, new_rule)
        line_to_test = str(new_rule).rstrip()
        line_to_test += '\n'
        line_to_test += str(old_rule).rstrip()
        self.assertIn(line_to_test, str(self.pamd))

    def test_insert_after_rule(self):
        old_rule = PamdRule.rulefromstring('account   	required	pam_unix.so')
        new_rule = PamdRule.rulefromstring(
            'account   	required	pam_permit.so arg1 arg2 arg3')
        insert_after_rule(self.pamd, old_rule, new_rule)
        line_to_test = str(old_rule).rstrip()
        line_to_test += '\n'
        line_to_test += str(new_rule).rstrip()
        self.assertIn(line_to_test, str(self.pamd))

    def test_insert_after_rule_another(self):
        old_rule = PamdRule.rulefromstring('auth   	sufficient	pam_rootok.so')
        new_rule = PamdRule.rulefromstring(
            'auth   	required	pam_wheel.so use_id')
        insert_after_rule(self.pamd, old_rule, new_rule)
        line_to_test = str(old_rule).rstrip()
        line_to_test += '\n'
        line_to_test += str(new_rule).rstrip()
        self.assertIn(line_to_test, str(self.pamd))

    def test_insert_after_rule_last_rule(self):
        old_rule = PamdRule.rulefromstring('session   	required	pam_unix.so')
        new_rule = PamdRule.rulefromstring(
            'session   	required	pam_permit.so arg1 arg2 arg3')
        insert_after_rule(self.pamd, old_rule, new_rule)
        line_to_test = str(old_rule).rstrip()
        line_to_test += '\n'
        line_to_test += str(new_rule).rstrip()
        self.assertIn(line_to_test, str(self.pamd))

    def test_remove_module_arguments_one(self):
        old_rule = PamdRule.rulefromstring(
            'auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring(
            'auth      	sufficient	pam_unix.so try_first_pass')
        args_to_remove = ['nullok']
        remove_module_arguments(self.pamd, old_rule, args_to_remove)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_remove_module_arguments_two(self):
        old_rule = PamdRule.rulefromstring(
            'session   	[success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid'
        )
        new_rule = PamdRule.rulefromstring(
            'session   	[success=1 default=ignore]	pam_succeed_if.so in quiet use_uid'
        )
        args_to_remove = ['service', 'crond']
        remove_module_arguments(self.pamd, old_rule, args_to_remove)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_add_module_arguments_where_none_existed(self):
        old_rule = PamdRule.rulefromstring('account   	required	pam_unix.so')
        new_rule = PamdRule.rulefromstring(
            'account   	required	pam_unix.so arg1 arg2= arg3=arg3')
        args_to_add = ['arg1', 'arg2=', 'arg3=arg3']
        add_module_arguments(self.pamd, old_rule, args_to_add)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))

    def test_add_module_arguments_where_some_existed(self):
        old_rule = PamdRule.rulefromstring(
            'auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring(
            'auth      	sufficient	pam_unix.so nullok try_first_pass arg1 arg2= arg3=arg3'
        )
        args_to_add = ['arg1', 'arg2=', 'arg3=arg3']
        add_module_arguments(self.pamd, old_rule, args_to_add)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))

    def test_remove_rule(self):
        old_rule = PamdRule.rulefromstring('account   	required	pam_unix.so')
        remove_rule(self.pamd, old_rule)
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_add_module_args_with_string(self):
        old_rule = PamdRule.rulefromstring(
            "account     required    pam_access.so")
        new_rule = PamdRule.rulefromstring(
            "account     required    pam_access.so listsep=,")
        args_to_add = ['listsep=,']
        add_module_arguments(self.pamd, old_rule, args_to_add)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
Пример #8
0
class PamdServiceTestCase(unittest.TestCase):
    def setUp(self):
        self.system_auth_string = """#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth      	required	pam_env.so
auth      	sufficient	pam_unix.so nullok try_first_pass
auth      	requisite	pam_succeed_if.so uid
auth      	required	pam_deny.so

account   	required	pam_unix.so
account   	sufficient	pam_localuser.so
account   	sufficient	pam_succeed_if.so uid
account   	required	pam_permit.so

password  	requisite	pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  	sufficient	pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  	required	pam_deny.so

session   	optional	pam_keyinit.so revoke
session   	required	pam_limits.so
-session  	optional	pam_systemd.so
session   	[success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid
session   	[success=1 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid
session   	required	pam_unix.so"""

        self.pamd = PamdService()
        self.pamd.load_rules_from_string(self.system_auth_string)

    def test_load_rule_from_string(self):

        self.assertEqual(self.system_auth_string, str(self.pamd))

    def test_update_rule_type(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring('session      	required	pam_env.so')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_control_simple(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring('auth      	sufficent	pam_env.so')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_control_complex(self):
        old_rule = PamdRule.rulefromstring('session   	[success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid')
        new_rule = PamdRule.rulefromstring('session   	[success=2 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_control_more_complex(self):
        old_rule = PamdRule.rulefromstring('session   	[success=1 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid')
        new_rule = PamdRule.rulefromstring('session   	[success=2 test=me default=ignore]	pam_succeed_if.so service in crond quiet use_uid')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_module_path(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring('session      	required	pam_limits.so')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_rule_module_args(self):
        old_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so uid uid')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_first_three(self):
        old_rule = PamdRule.rulefromstring('auth      	required	pam_env.so')
        new_rule = PamdRule.rulefromstring('one      	two	three')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_first_three_with_module_args(self):
        old_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring('one      	two	three')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_update_all_four(self):
        old_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring('one      	two	three four five')
        update_rule(self.pamd, old_rule, new_rule)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_insert_before_rule(self):
        old_rule = PamdRule.rulefromstring('account   	required	pam_unix.so')
        new_rule = PamdRule.rulefromstring('account   	required	pam_permit.so')
        insert_before_rule(self.pamd, old_rule, new_rule)
        line_to_test = str(new_rule).rstrip()
        line_to_test += '\n'
        line_to_test += str(old_rule).rstrip()
        self.assertIn(line_to_test, str(self.pamd))

    def test_insert_after_rule(self):
        old_rule = PamdRule.rulefromstring('account   	required	pam_unix.so')
        new_rule = PamdRule.rulefromstring('account   	required	pam_permit.so arg1 arg2 arg3')
        insert_after_rule(self.pamd, old_rule, new_rule)
        line_to_test = str(old_rule).rstrip()
        line_to_test += '\n'
        line_to_test += str(new_rule).rstrip()
        self.assertIn(line_to_test, str(self.pamd))

    def test_remove_module_arguments_one(self):
        old_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so try_first_pass')
        args_to_remove = ['nullok']
        remove_module_arguments(self.pamd, old_rule, args_to_remove)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_remove_module_arguments_two(self):
        old_rule = PamdRule.rulefromstring('session   	[success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid')
        new_rule = PamdRule.rulefromstring('session   	[success=1 default=ignore]	pam_succeed_if.so in quiet use_uid')
        args_to_remove = ['service', 'crond']
        remove_module_arguments(self.pamd, old_rule, args_to_remove)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))

    def test_add_module_arguments_where_none_existed(self):
        old_rule = PamdRule.rulefromstring('account   	required	pam_unix.so')
        new_rule = PamdRule.rulefromstring('account   	required	pam_unix.so arg1 arg2= arg3=arg3')
        args_to_add = ['arg1', 'arg2=', 'arg3=arg3']
        add_module_arguments(self.pamd, old_rule, args_to_add)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))

    def test_add_module_arguments_where_some_existed(self):
        old_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so nullok try_first_pass')
        new_rule = PamdRule.rulefromstring('auth      	sufficient	pam_unix.so nullok try_first_pass arg1 arg2= arg3=arg3')
        args_to_add = ['arg1', 'arg2=', 'arg3=arg3']
        add_module_arguments(self.pamd, old_rule, args_to_add)
        self.assertIn(str(new_rule).rstrip(), str(self.pamd))

    def test_remove_rule(self):
        old_rule = PamdRule.rulefromstring('account   	required	pam_unix.so')
        remove_rule(self.pamd, old_rule)
        self.assertNotIn(str(old_rule).rstrip(), str(self.pamd))
Пример #9
0
class PamdServiceTestCase(unittest.TestCase):
    def setUp(self):
        self.system_auth_string = """#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
@include   common-auth
@include   common-account
@include   common-session
auth       required pam_env.so
auth       sufficient pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid
auth       required pam_deny.so
# Test comment
auth       sufficient pam_rootok.so

account    required pam_unix.so
account    sufficient pam_localuser.so
account    sufficient pam_succeed_if.so uid
account		[success=1 default=ignore] \
    pam_succeed_if.so user = vagrant use_uid quiet
account    required pam_permit.so
account    required pam_access.so listsep=,
session    include system-auth

password   requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password   sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   required pam_deny.so

session    optional pam_keyinit.so revoke
session    required pam_limits.so
-session   optional pam_systemd.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    [success=1 test=me default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required pam_unix.so"""

        self.simple_system_auth_string = """#%PAM-1.0
        auth       required pam_env.so
"""

        self.pamd = PamdService(self.system_auth_string)

    def test_properly_parsed(self):
        num_lines = len(self.system_auth_string.splitlines()) + 1
        num_lines_processed = len(str(self.pamd).splitlines())
        self.assertEqual(num_lines, num_lines_processed)

    def test_has_rule(self):
        self.assertTrue(
            self.pamd.has_rule('account', 'required', 'pam_permit.so'))
        self.assertTrue(
            self.pamd.has_rule('account', '[success=1 default=ignore]',
                               'pam_succeed_if.so'))

    def test_doesnt_have_rule(self):
        self.assertFalse(
            self.pamd.has_rule('account', 'requisite', 'pam_permit.so'))

    # Test Update
    def test_update_rule_type(self):
        self.assertTrue(
            self.pamd.update_rule('session',
                                  'optional',
                                  'pam_keyinit.so',
                                  new_type='account'))
        self.assertTrue(
            self.pamd.has_rule('account', 'optional', 'pam_keyinit.so'))
        test_rule = PamdRule('account', 'optional', 'pam_keyinit.so', 'revoke')
        self.assertIn(str(test_rule), str(self.pamd))

    def test_update_rule_that_doesnt_exist(self):
        self.assertFalse(
            self.pamd.update_rule('blah', 'blah', 'blah', new_type='account'))
        self.assertFalse(self.pamd.has_rule('blah', 'blah', 'blah'))
        test_rule = PamdRule('blah', 'blah', 'blah', 'account')
        self.assertNotIn(str(test_rule), str(self.pamd))

    def test_update_rule_type_two(self):
        self.assertTrue(
            self.pamd.update_rule('session',
                                  '[success=1 default=ignore]',
                                  'pam_succeed_if.so',
                                  new_type='account'))
        self.assertTrue(
            self.pamd.has_rule('account', '[success=1 default=ignore]',
                               'pam_succeed_if.so'))
        test_rule = PamdRule('account', '[success=1 default=ignore]',
                             'pam_succeed_if.so')
        self.assertIn(str(test_rule), str(self.pamd))

    def test_update_rule_control_simple(self):
        self.assertTrue(
            self.pamd.update_rule('session',
                                  'optional',
                                  'pam_keyinit.so',
                                  new_control='required'))
        self.assertTrue(
            self.pamd.has_rule('session', 'required', 'pam_keyinit.so'))
        test_rule = PamdRule('session', 'required', 'pam_keyinit.so')
        self.assertIn(str(test_rule), str(self.pamd))

    def test_update_rule_control_complex(self):
        self.assertTrue(
            self.pamd.update_rule(
                'session',
                '[success=1 default=ignore]',
                'pam_succeed_if.so',
                new_control='[success=2 test=me default=ignore]'))
        self.assertTrue(
            self.pamd.has_rule('session', '[success=2 test=me default=ignore]',
                               'pam_succeed_if.so'))
        test_rule = PamdRule('session', '[success=2 test=me default=ignore]',
                             'pam_succeed_if.so')
        self.assertIn(str(test_rule), str(self.pamd))

    def test_update_rule_control_more_complex(self):

        self.assertTrue(
            self.pamd.update_rule(
                'session',
                '[success=1 test=me default=ignore]',
                'pam_succeed_if.so',
                new_control='[success=2 test=me default=ignore]'))
        self.assertTrue(
            self.pamd.has_rule('session', '[success=2 test=me default=ignore]',
                               'pam_succeed_if.so'))
        test_rule = PamdRule('session', '[success=2 test=me default=ignore]',
                             'pam_succeed_if.so')
        self.assertIn(str(test_rule), str(self.pamd))

    def test_update_rule_module_path(self):
        self.assertTrue(
            self.pamd.update_rule('auth',
                                  'required',
                                  'pam_env.so',
                                  new_path='pam_limits.so'))
        self.assertTrue(self.pamd.has_rule('auth', 'required',
                                           'pam_limits.so'))

    def test_update_rule_module_path_slash(self):
        self.assertTrue(
            self.pamd.update_rule('auth',
                                  'required',
                                  'pam_env.so',
                                  new_path='/lib64/security/pam_duo.so'))
        self.assertTrue(
            self.pamd.has_rule('auth', 'required',
                               '/lib64/security/pam_duo.so'))

    def test_update_rule_module_args(self):
        self.assertTrue(
            self.pamd.update_rule('auth',
                                  'sufficient',
                                  'pam_unix.so',
                                  new_args='uid uid'))
        test_rule = PamdRule('auth', 'sufficient', 'pam_unix.so', 'uid uid')
        self.assertIn(str(test_rule), str(self.pamd))

        test_rule = PamdRule('auth', 'sufficient', 'pam_unix.so',
                             'nullok try_first_pass')
        self.assertNotIn(str(test_rule), str(self.pamd))

    def test_update_first_three(self):
        self.assertTrue(
            self.pamd.update_rule('auth',
                                  'required',
                                  'pam_env.so',
                                  new_type='one',
                                  new_control='two',
                                  new_path='three'))
        self.assertTrue(self.pamd.has_rule('one', 'two', 'three'))

    def test_update_first_three_with_module_args(self):
        self.assertTrue(
            self.pamd.update_rule('auth',
                                  'sufficient',
                                  'pam_unix.so',
                                  new_type='one',
                                  new_control='two',
                                  new_path='three'))
        self.assertTrue(self.pamd.has_rule('one', 'two', 'three'))
        test_rule = PamdRule('one', 'two', 'three')
        self.assertIn(str(test_rule), str(self.pamd))
        self.assertIn(str(test_rule), str(self.pamd))

    def test_update_all_four(self):
        self.assertTrue(
            self.pamd.update_rule('auth',
                                  'sufficient',
                                  'pam_unix.so',
                                  new_type='one',
                                  new_control='two',
                                  new_path='three',
                                  new_args='four five'))
        test_rule = PamdRule('one', 'two', 'three', 'four five')
        self.assertIn(str(test_rule), str(self.pamd))

        test_rule = PamdRule('auth', 'sufficient', 'pam_unix.so',
                             'nullok try_first_pass')
        self.assertNotIn(str(test_rule), str(self.pamd))

    def test_update_rule_with_slash(self):
        self.assertTrue(
            self.pamd.update_rule('account',
                                  '[success=1 default=ignore]',
                                  'pam_succeed_if.so',
                                  new_type='session',
                                  new_path='pam_access.so'))
        test_rule = PamdRule('session', '[success=1 default=ignore]',
                             'pam_access.so')
        self.assertIn(str(test_rule), str(self.pamd))

    # Insert Before
    def test_insert_before_rule(self):

        count = self.pamd.insert_before('account',
                                        'required',
                                        'pam_access.so',
                                        new_type='account',
                                        new_control='required',
                                        new_path='pam_limits.so')
        self.assertEqual(count, 1)

        rules = self.pamd.get("account", "required", "pam_access.so")
        for current_rule in rules:
            self.assertTrue(
                current_rule.prev.matches("account", "required",
                                          "pam_limits.so"))

    def test_insert_before_rule_where_rule_doesnt_exist(self):

        count = self.pamd.insert_before('account',
                                        'sufficient',
                                        'pam_access.so',
                                        new_type='account',
                                        new_control='required',
                                        new_path='pam_limits.so')
        self.assertFalse(count)

    def test_insert_before_rule_with_args(self):
        self.assertTrue(
            self.pamd.insert_before('account',
                                    'required',
                                    'pam_access.so',
                                    new_type='account',
                                    new_control='required',
                                    new_path='pam_limits.so',
                                    new_args='uid'))

        rules = self.pamd.get("account", "required", "pam_access.so")
        for current_rule in rules:
            self.assertTrue(
                current_rule.prev.matches("account", "required",
                                          "pam_limits.so", 'uid'))

    def test_insert_before_rule_test_duplicates(self):
        self.assertTrue(
            self.pamd.insert_before('account',
                                    'required',
                                    'pam_access.so',
                                    new_type='account',
                                    new_control='required',
                                    new_path='pam_limits.so'))

        self.pamd.insert_before('account',
                                'required',
                                'pam_access.so',
                                new_type='account',
                                new_control='required',
                                new_path='pam_limits.so')

        rules = self.pamd.get("account", "required", "pam_access.so")
        for current_rule in rules:
            previous_rule = current_rule.prev
            self.assertTrue(
                previous_rule.matches("account", "required", "pam_limits.so"))
            self.assertFalse(
                previous_rule.prev.matches("account", "required",
                                           "pam_limits.so"))

    def test_insert_before_first_rule(self):
        self.assertTrue(
            self.pamd.insert_before('auth',
                                    'required',
                                    'pam_env.so',
                                    new_type='account',
                                    new_control='required',
                                    new_path='pam_limits.so'))

    def test_insert_before_first_rule_simple(self):
        simple_service = PamdService(self.simple_system_auth_string)
        self.assertTrue(
            simple_service.insert_before('auth',
                                         'required',
                                         'pam_env.so',
                                         new_type='account',
                                         new_control='required',
                                         new_path='pam_limits.so'))

    # Insert After
    def test_insert_after_rule(self):
        self.assertTrue(
            self.pamd.insert_after('account',
                                   'required',
                                   'pam_unix.so',
                                   new_type='account',
                                   new_control='required',
                                   new_path='pam_permit.so'))
        rules = self.pamd.get("account", "required", "pam_unix.so")
        for current_rule in rules:
            self.assertTrue(
                current_rule.next.matches("account", "required",
                                          "pam_permit.so"))

    def test_insert_after_rule_with_args(self):
        self.assertTrue(
            self.pamd.insert_after('account',
                                   'required',
                                   'pam_access.so',
                                   new_type='account',
                                   new_control='required',
                                   new_path='pam_permit.so',
                                   new_args='uid'))
        rules = self.pamd.get("account", "required", "pam_access.so")
        for current_rule in rules:
            self.assertTrue(
                current_rule.next.matches("account", "required",
                                          "pam_permit.so", "uid"))

    def test_insert_after_test_duplicates(self):
        self.assertTrue(
            self.pamd.insert_after('account',
                                   'required',
                                   'pam_access.so',
                                   new_type='account',
                                   new_control='required',
                                   new_path='pam_permit.so',
                                   new_args='uid'))
        self.assertFalse(
            self.pamd.insert_after('account',
                                   'required',
                                   'pam_access.so',
                                   new_type='account',
                                   new_control='required',
                                   new_path='pam_permit.so',
                                   new_args='uid'))

        rules = self.pamd.get("account", "required", "pam_access.so")
        for current_rule in rules:
            self.assertTrue(
                current_rule.next.matches("account", "required",
                                          "pam_permit.so", "uid"))
            self.assertFalse(
                current_rule.next.next.matches("account", "required",
                                               "pam_permit.so", "uid"))

    def test_insert_after_rule_last_rule(self):
        self.assertTrue(
            self.pamd.insert_after('session',
                                   'required',
                                   'pam_unix.so',
                                   new_type='account',
                                   new_control='required',
                                   new_path='pam_permit.so',
                                   new_args='uid'))
        rules = self.pamd.get("session", "required", "pam_unix.so")
        for current_rule in rules:
            self.assertTrue(
                current_rule.next.matches("account", "required",
                                          "pam_permit.so", "uid"))

    # Remove Module Arguments
    def test_remove_module_arguments_one(self):
        self.assertTrue(
            self.pamd.remove_module_arguments('auth', 'sufficient',
                                              'pam_unix.so', 'nullok'))

    def test_remove_module_arguments_one_list(self):
        self.assertTrue(
            self.pamd.remove_module_arguments('auth', 'sufficient',
                                              'pam_unix.so', ['nullok']))

    def test_remove_module_arguments_two(self):
        self.assertTrue(
            self.pamd.remove_module_arguments('session',
                                              '[success=1 default=ignore]',
                                              'pam_succeed_if.so',
                                              'service crond'))

    def test_remove_module_arguments_two_list(self):
        self.assertTrue(
            self.pamd.remove_module_arguments('session',
                                              '[success=1 default=ignore]',
                                              'pam_succeed_if.so',
                                              ['service', 'crond']))

    def test_remove_module_arguments_where_none_existed(self):
        self.assertTrue(
            self.pamd.add_module_arguments('session', 'required',
                                           'pam_limits.so',
                                           'arg1 arg2= arg3=arg3'))

    def test_add_module_arguments_where_none_existed(self):
        self.assertTrue(
            self.pamd.add_module_arguments('account', 'required',
                                           'pam_unix.so',
                                           'arg1 arg2= arg3=arg3'))

    def test_add_module_arguments_where_none_existed_list(self):
        self.assertTrue(
            self.pamd.add_module_arguments('account', 'required',
                                           'pam_unix.so',
                                           ['arg1', 'arg2=', 'arg3=arg3']))

    def test_add_module_arguments_where_some_existed(self):
        self.assertTrue(
            self.pamd.add_module_arguments('auth', 'sufficient', 'pam_unix.so',
                                           'arg1 arg2= arg3=arg3'))

    def test_remove_rule(self):
        self.assertTrue(self.pamd.remove('account', 'required', 'pam_unix.so'))
        test_rule = PamdRule('account', 'required', 'pam_unix.so')
        self.assertNotIn(str(test_rule), str(self.pamd))
Пример #10
0
 def test_remove_first_rule(self):
     no_header_service = PamdService(self.no_header_system_auth_string)
     self.assertTrue(
         no_header_service.remove('auth', 'required', 'pam_env.so'))
     test_rule = PamdRule('auth', 'required', 'pam_env.so')
     self.assertNotIn(str(test_rule), str(no_header_service))