def test_PAM_has_unknown_module__false():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = PAM(pam)
assert not obj.has_unknown_module(['pam_unix', 'pam_sss', 'pam_deny'])
def test_PAM_has_unknown_module__empty():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = PAM(pam)
assert obj.has_unknown_module([])
def test_PAM_has__false():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = PAM(pam)
assert not obj.has('pam_winbind')
def test_PAM_has_unknown_module__true():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
session pam_ecryptfs.so
''')
obj = PAM(pam)
assert obj.has_unknown_module(['pam_unix', 'pam_sss', 'pam_deny'])
def test_PAM_has__true():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = PAM(pam)
assert obj.has('pam_unix')
assert obj.has('pam_sss')
assert obj.has('pam_deny')
def test_PAM_parse():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = PAM('')
modules = obj.parse(pam)
assert len(modules) == 3
assert 'pam_unix' in modules
assert 'pam_sss' in modules
assert 'pam_deny' in modules
def test_AuthselectScannerLibrary_step_detect_if_confirmation_is_required__badlink(
mock_getmtime, mock_isfile, mock_islink, mock_readlink):
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(''), '')
mock_isfile.return_value = True
mock_islink.return_value = True
mock_readlink.return_value = ''
assert obj.step_detect_if_confirmation_is_required()
def test_AuthselectScannerLibrary_process__features(mock_confirm,
mock_service):
pam = get_config('''
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
nsswitch = get_config('''
passwd: files sss systemd
group: files sss systemd
sudoers: files sss
''')
obj = AuthselectScannerLibrary(
['pam_unix', 'pam_sss', 'pam_deny', 'pam_faillock'], Authconfig(''),
DConf(''), PAM(pam), nsswitch)
mock_confirm.return_value = True
mock_service.return_value = False
authselect = obj.process()
assert authselect.profile == 'sssd'
assert len(authselect.features) == 2
assert 'with-faillock' in authselect.features
assert 'with-sudo' in authselect.features
assert authselect.confirm
def test_AuthselectScannerLibrary_step_detect_winbind_features__krb5():
ac = get_config('''
WINBINDKRB5=yes
''')
obj = AuthselectScannerLibrary([], Authconfig(ac), DConf(''), PAM(''), '')
features = obj.step_detect_winbind_features('winbind')
assert features == ['with-krb5']
def test_AuthselectScannerLibrary_step_detect_winbind_features__wrong_profile(
):
ac = get_config('''
WINBINDKRB5=yes
''')
obj = AuthselectScannerLibrary([], Authconfig(ac), DConf(''), PAM(''), '')
features = obj.step_detect_winbind_features('sssd')
assert not features
def test_AuthselectScannerLibrary_step_detect_profile__nis(mock_service):
pam = get_config('''
auth sufficient pam_unix.so
auth required pam_deny.so
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(pam), '')
mock_service.return_value = True
assert obj.step_detect_profile() == 'nis'
def test_AuthselectScannerLibrary_step_detect_features__mkhomedir_oddjob():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
session optional pam_oddjob_mkhomedir.so umask=0077
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(pam), '')
assert obj.step_detect_features() == ['with-mkhomedir']
def test_AuthselectScannerLibrary_step_detect_features__access():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
account required pam_access.so
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(pam), '')
assert obj.step_detect_features() == ['with-pamaccess']
def test_AuthselectScannerLibrary_step_detect_features__fingerprint():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth sufficient pam_fprintd.so
auth required pam_deny.so
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(pam), '')
assert obj.step_detect_features() == ['with-fingerprint']
def test_AuthselectScannerLibrary_step_detect_features__faillock():
pam = get_config('''
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(pam), '')
assert obj.step_detect_features() == ['with-faillock']
def test_RemoveOldPAMModulesScannerLibrary_process__none():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = RemoveOldPAMModulesScannerLibrary(PAM(pam))
model = obj.process()
assert not model.modules
def test_AuthselectScannerLibrary_step_detect_sssd_features__sudo():
nsswitch = get_config('''
passwd: files sss systemd
group: files sss systemd
sudoers: files sss
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(''),
nsswitch)
features = obj.step_detect_sssd_features('sssd')
assert features == ['with-sudo']
def process(self):
# Load configuration
ac = Authconfig(read_file('/etc/sysconfig/authconfig'))
dconf = DConf(read_file('/etc/dconf/db/distro.d/10-authconfig'))
pam = PAM.from_system_configuration()
nsswitch = read_file("/etc/nsswitch.conf")
scanner = AuthselectScannerLibrary(self.known_modules, ac, dconf, pam,
nsswitch)
self.produce(scanner.process())
def test_AuthselectScannerLibrary_step_detect_sssd_features__wrong_profile():
nsswitch = get_config('''
passwd: files sss systemd
group: files sss systemd
sudoers: files sss
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(''),
nsswitch)
features = obj.step_detect_sssd_features('winbind')
assert not features
def test_AuthselectScannerLibrary_step_detect_profile__sssd_winbind(
mock_service):
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_winbind.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(pam), '')
mock_service.return_value = False
assert obj.step_detect_profile() is None
def test_AuthselectScannerLibrary_step_detect_sssd_features__smartcard():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
ac = get_config('''
USESMARTCARD=yes
''')
obj = AuthselectScannerLibrary([], Authconfig(ac), DConf(''), PAM(pam), '')
features = obj.step_detect_sssd_features('sssd')
assert features == ['with-smartcard']
def test_RemoveOldPAMModulesScannerLibrary_process__all():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_krb5.so
auth sufficient pam_pkcs11.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = RemoveOldPAMModulesScannerLibrary(PAM(pam))
model = obj.process()
assert len(model.modules) == 2
assert 'pam_krb5' in model.modules
assert 'pam_pkcs11' in model.modules
def test_AuthselectScannerLibrary_process__simple(mock_confirm, mock_service):
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = AuthselectScannerLibrary(['pam_unix', 'pam_sss', 'pam_deny'],
Authconfig(''), DConf(''), PAM(pam), '')
mock_confirm.return_value = True
mock_service.return_value = False
authselect = obj.process()
assert authselect.profile == 'sssd'
assert not authselect.features
assert authselect.confirm
def test_AuthselectScannerLibrary_step_detect_if_confirmation_is_required__pass(
mock_getmtime, mock_isfile, mock_islink, mock_readlink):
def my_getmtime(path):
# Make sysconfig file younger then other files.
if path == '/etc/sysconfig/authconfig':
return 200
return 100
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(''), '')
mock_isfile.return_value = True
mock_islink.return_value = True
mock_readlink.side_effect = '{}-ac'.format
mock_getmtime.side_effect = my_getmtime
assert not obj.step_detect_if_confirmation_is_required()
def test_AuthselectScannerLibrary_step_detect_sssd_features__smartcard_lock():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
dconf = get_config('''
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(dconf), PAM(pam),
'')
features = obj.step_detect_sssd_features('sssd')
assert features == ['with-smartcard-lock-on-removal']
def test_AuthselectScannerLibrary_process__unknown_module(
mock_confirm, mock_service):
pam = get_config('''
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
obj = AuthselectScannerLibrary(['pam_unix', 'pam_sss', 'pam_deny'],
Authconfig(''), DConf(''), PAM(pam), '')
mock_confirm.return_value = True
mock_service.return_value = False
authselect = obj.process()
assert authselect.profile is None
assert not authselect.features
assert authselect.confirm
def test_AuthselectScannerLibrary_step_detect_features__all():
pam = get_config('''
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth sufficient pam_fprintd.so
auth required pam_deny.so
account required pam_access.so
session optional pam_oddjob_mkhomedir.so umask=0077
''')
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(pam), '')
features = obj.step_detect_features()
assert len(features) == 4
assert 'with-faillock' in features
assert 'with-fingerprint' in features
assert 'with-pamaccess' in features
assert 'with-mkhomedir' in features
def test_AuthselectScannerLibrary_step_detect_sssd_features__pkcs11():
pam = get_config('''
auth sufficient pam_unix.so
auth sufficient pam_pkcs11.so
auth sufficient pam_sss.so
auth required pam_deny.so
''')
ac = get_config('''
USESMARTCARD=yes
FORCESMARTCARD=yes
''')
dconf = get_config('''
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
''')
obj = AuthselectScannerLibrary([], Authconfig(ac), DConf(dconf), PAM(pam),
'')
features = obj.step_detect_sssd_features('sssd')
assert not features
def process(self):
pam = PAM.from_system_configuration()
scanner = RemoveOldPAMModulesScannerLibrary(pam)
self.produce(scanner.process())
def test_AuthselectScannerLibrary_step_detect_profile__None(mock_service):
obj = AuthselectScannerLibrary([], Authconfig(''), DConf(''), PAM(''), '')
mock_service.return_value = False
assert obj.step_detect_profile() is None
