Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions Sanity/test_certs.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,21 +29,21 @@ def test_wrong_issuer_cert(local_user, sssd_db, user_shell, tmp_path):
- User can login with a password
"""

sssd_db.backup()
sssd_db.path.unlink()

run(['mkdir', tmp_path.joinpath("ca")])
BaseCA.factory(path=tmp_path.joinpath("ca"), create=True)
run(['restorecon', "-v", "/etc/sssd/pki/sssd_auth_ca_db.pem"])

with Authselect():
with local_user.card(insert=True):
sssd_db.backup()
sssd_db.path.unlink()

run(['mkdir', tmp_path.joinpath("ca")])
BaseCA.factory(path=tmp_path.joinpath("ca"), create=True)
run(['restorecon', "-v", "/etc/sssd/pki/sssd_auth_ca_db.pem"])

cmd = f'su {local_user.username} -c "whoami"'
user_shell.sendline(cmd)
user_shell.expect_exact(f"Password:")
user_shell.sendline(local_user.password)
user_shell.expect_exact(local_user.username)

sssd_db.restore()
run(['rm', "-rf", tmp_path.joinpath("ca")])
run(['restorecon', "-v", "/etc/sssd/pki/sssd_auth_ca_db.pem"])
sssd_db.restore()
run(['rm', "-rf", tmp_path.joinpath("ca")])
run(['restorecon', "-v", "/etc/sssd/pki/sssd_auth_ca_db.pem"])
42 changes: 21 additions & 21 deletions Sanity/test_smart_card_detection.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
import pytest

def test_modutil_token_info(local_user, root_shell):
"""Check that p11-kit module shows smart card information with modutil
command"""
Expand All @@ -8,38 +10,36 @@ def test_modutil_token_info(local_user, root_shell):
root_shell.sendline(cmd)
root_shell.expect_exact(uri)


def test_pam_services_config(local_user, root_shell, sssd):
@pytest.mark.parametrize("service,should_pass", [
("-su", False),
("+pam_cert_service", True)
])
def test_pam_services_config(
local_user, root_shell, sssd, service, should_pass
):
"""Test verifies that sssd configuration option pam_p11_allowed_services
works as expected for smart card authentication.
GitHub issue: https://github.com/SSSD/sssd/issues/3967"""
with open("/etc/pam.d/pam_cert_service", "w") as f:
f.write("auth\trequired\tpam_sss.so require_cert_auth\n")
with sssd(section="pam", key="pam_p11_allowed_services", value="-su") as sssd_conf:
with sssd(section="pam", key="pam_p11_allowed_services", value=service) as sssd_conf:
with local_user.card(insert=False) as sc:
cmd = "sssctl user-checks -a auth -s pam_cert_service " \
f"{local_user.username}"
root_shell.sendline(cmd)
fail = f"pam_authenticate for user [{local_user.username}]: " \
"Authentication service cannot retrieve authentication info"
root_shell.expect_exact("Please insert smart card")
sc.insert()
root_shell.expect_exact("Please (re)insert (different) Smartcard")
root_shell.sendline()
root_shell.expect_exact(fail)
sc.remove()

sssd_conf(section="pam",
key="pam_p11_allowed_services",
value="+pam_cert_service")

root_shell.sendline(cmd)
root_shell.expect_exact("Please insert smart card")
sc.insert()
root_shell.expect_exact(f"PIN for {local_user.username}:")
root_shell.sendline(local_user.pin)
root_shell.expect_exact(f"pam_authenticate for user "
f"[{local_user.username}]: Success")
if should_pass:
root_shell.expect_exact(f"PIN for {local_user.username}:")
root_shell.sendline(local_user.pin)
root_shell.expect_exact(f"pam_authenticate for user "
f"[{local_user.username}]: Success")
else:
fail = f"pam_authenticate for user [{local_user.username}]: " \
"Authentication service cannot retrieve authentication info"
root_shell.expect_exact("Please (re)insert (different) Smartcard")
root_shell.sendline()
root_shell.expect_exact(fail)


def test_physical_card_detection(local_user, root_shell):
Expand Down
8 changes: 4 additions & 4 deletions Sanity/test_ttylogin.py
Original file line number Diff line number Diff line change
Expand Up @@ -253,10 +253,10 @@ def test_login_sc_required(user, lock_on_removal):
- User is successfully logged in
"""
with Authselect(required=True, lock_on_removal=lock_on_removal):
login_shell = login_shell_factory(user.username)
login_shell.expect("Please insert smart card")

with user.card(insert=True):
with user.card as sc:
login_shell = login_shell_factory(user.username)
login_shell.expect("Please insert smart card")
sc.insert()
login_shell.expect(f"PIN for {user.username}:")
login_shell.sendline(user.pin)
login_shell.expect(user.username)
Expand Down
Loading