Automatic testing of pam modules

rozelak at volny.cz rozelak at volny.cz
Mon Jun 23 14:17:27 UTC 2008


Hello,

"Linux-PAM test" - does something like this exist? If so, it is great! Where
can it be found? I have looked into the PAM tar, and I found some tests
there. However, I think they are rather focused on testing the PAM library
itself - I did not find anything there which could help with testing
of a PAM module. Have I overlooked something? Trying google, I only
found something on 'http://www.linuxfromscratch.org/blfs/view/svn/postlfs/linux-pam.html',
which, however, is again about testing the basic PAM library. Moreover,
there is a note that "The test suite will not provide meaningful results
until the package has been installed and minimally configured", which,
again, is not what I originally thought about. But maybe I did not search
properly, so if you could give more information about what you mean
by "Linux-PAM test suite", it will help a lot.

I will try to describe in detail what I was originally looking for.
It could be split into two parts - the first is a unit-test framework
for PAM module developers, and the second is an environment for automated
PAM configuration testing. On the basis of my short experience with
pam-module development, I look for something like:


1. Unit-test framework tied to PAM:

It could be an extension of e.g. CUnit (or CxxUnit for the development in
C++), or project like those. Unfortunately, it is impossible to write
unit tests for those functions which need to work with functions provided
by PAM due to the need of 'pam_handle_t' structure. Therefore, some
extension of a unit test framework is necessary in order to initialise
pam_handle_t structure in set_up()-like methods in unit-test. Also methods
allowing to define values returned by other functions accessible by
PAM module (e.g. pam_get_user()) would be very useful.

When building a test suite, the module would be linked together with
unit-test framework library, PAM extension of the library and a main()
to build an executable. Optionally, a main() could be predefined, and
methods with test to execute should only be "registered" within the
main.


2. Overall test environment:

It is similar to what 'pamtester' does, but a little more extended. The
PAM module developed would be linked against a library behaving as the
regular PAM library, cooperating with the 'pamtester' program (it might
be a regular PAM library, but allowing to read pam.d configs from user-defined
path, not the one used by system then).

Developer could be able to define a sequence simulating some critical
behaviour, like 'user XY tries to log into system but does not exist
there', '... is not authenticated', '... logs in successfully', etc.
(or maybe just simple 'permission allowed/denied'?). In this way, a
sequence of actions could be defined in a script and the result (ret
value of the tester?) could be tested. Different conditions and settings
could be tested by the definition of different module config files (e.g.
different pam.d directories).


----
Both those frameworks should work (be able to be used) INDEPENDENTLY
of the system PAM configuration (i.e. config in /etc/pam.d), and configured
locally in a directory, where a module is developed.

Is this what you meant by 'Linux-PAM test suite'? 


Thank you very much,
Dan


On Thursday 19 of June 2008, Thorsten Kukuk wrote:
> Hello,
>
> On Thu, Jun 19, rozelak at volny.cz wrote:
> > Hallo,
> >
> > I would like to ask more deeply about the most painless pam-module
> > testing possibilities. I suppose the use of 'pamtester' app (thanks for
> > recommendation!) as the highest level front-end. To summarise, the
> > following steps must be carried out:
> >
> > - build PAM library with user specified paths, in order not to affect
> >   PAM used by the system (it should not be a problem)
> > - build pamtester linked with the PAM library created (also no problem)
> > - write a script(s) which will call pamtester simulating different
> >   conditions of use
> >
> >
> > Now my problem is, how to AUTOMATICALLY simulate authentication
> > fails/successes for different users, e.g. to simulate the n-times
> > successful login of user XY, then some its fails, then attempt of
> > unprivileged users AB, CD, EF, then successes for XY again, .... (all
> > with different delays between individual attempts, etc.).
>
> Maybe you should take a look at the Linux-PAM test suite?
>
>   Thorsten
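
Added example, not part of the original message or of Linux-PAM: one way to get the unit-test setup described in item 1, by giving the test binary its own pam_handle_t and a stub pam_get_user() so a module entry point runs without libpam or /etc/pam.d. The module logic, the "allow=" option and run_auth() are hypothetical; the PAM_* values are the ones Linux-PAM defines.

```c
/* Link-time stubs for libpam: the test binary is built from the module
 * source plus this file, and is never linked against the system libpam. */
#include <stddef.h>
#include <string.h>

/* Return codes, with the values Linux-PAM's headers assign to them. */
#define PAM_SUCCESS       0
#define PAM_PERM_DENIED   6
#define PAM_USER_UNKNOWN 10

/* Test double: libpam keeps pam_handle_t opaque, so the harness defines it. */
typedef struct pam_handle {
    const char *user;    /* name the stub hands back; NULL = lookup fails */
    int get_user_calls;  /* lets a test check the module asked for the user */
} pam_handle_t;

/* Stub with the same signature as Linux-PAM's pam_get_user(). */
int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt)
{
    (void)prompt;
    pamh->get_user_calls++;
    if (pamh->user == NULL)
        return PAM_USER_UNKNOWN;
    *user = pamh->user;
    return PAM_SUCCESS;
}

/* Hypothetical module under test: admits only the user in "allow=NAME". */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    int rc = pam_get_user(pamh, &user, NULL);
    (void)flags;
    if (rc != PAM_SUCCESS)
        return rc;               /* propagate the lookup failure unchanged */
    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], "allow=", 6) == 0 && strcmp(argv[i] + 6, user) == 0)
            return PAM_SUCCESS;
    return PAM_PERM_DENIED;
}

/* set_up()-like helper: run the module once for one simulated user.
 * Returns the module's result, or -1 if it did not call pam_get_user once. */
int run_auth(const char *user, const char *option)
{
    pam_handle_t h = { user, 0 };
    const char *argv[] = { option };
    int rc = pam_sm_authenticate(&h, 0, 1, argv);
    return h.get_user_calls == 1 ? rc : -1;
}
```

Each test case then reduces to one run_auth() call and a comparison with the expected PAM return code, which a framework such as CUnit can register as an individual test.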
