MDBF-807 - Setup for PAM tests in buildbot

- configure install builders to perform PAM tests. RPM and DEB. - migrate pam test script from old - bb: - no need to create a new user. We have buildbot user. - PAM v1 & v2 are configured and the auth is tested with the buildbot user. - the user should not be able to login after the plugin is uninstalled - perform MTR pam test in suite=plugins
MariaDB · Oct 22, 2024 · 5c201f3 · 5c201f3
1 parent f57b9ea
commit 5c201f3
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 1 deletion.
diff --git a/master-libvirt/master.cfg b/master-libvirt/master.cfg
@@ -119,6 +119,20 @@ def getRpmInstallStep():
         command=["./rpm-install.sh"],
     )
 
+def getPAMTestStep():
+    return Test(
+        name="PAM",
+        haltOnFailure=True,
+        description=["testing", "PAM"],
+        descriptionDone=["test", "PAM"],
+        env=envFromProperties(
+            [
+                "systemdCapability",
+            ]
+        ),
+        command=["./pam-test.sh"],
+    )
+
 def getDebGaleraStep(port):
     def if_run_galera_test(step):
         if step.getProperty("sst_mode") == "off":
@@ -235,7 +249,8 @@ def getMajorVersionStep():
 f_deb_install = util.BuildFactory()
 f_deb_install.addStep(getScript("deb-install.sh"))
 f_deb_install.addStep(getDebInstallStep())
-f_deb_install.addStep(getScript("deb-galera.sh"))
+f_deb_install.addStep(getScript("pam-test.sh"))
+f_deb_install.addStep(getPAMTestStep())
 
 ## f_deb_upgrade
 f_deb_upgrade = util.BuildFactory()
@@ -246,7 +261,9 @@ f_deb_upgrade.addStep(getDebUpgradeStep())
 ## f_rpm_install
 f_rpm_install = util.BuildFactory()
 f_rpm_install.addStep(getScript("rpm-install.sh"))
+f_deb_install.addStep(getScript("pam-test.sh"))
 f_rpm_install.addStep(getRpmInstallStep())
+f_rpm_install.addStep(getPAMTestStep())
 
 ## f_rpm_upgrade
 f_rpm_upgrade = util.BuildFactory()

diff --git a/scripts/pam-test.sh b/scripts/pam-test.sh
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+
+set -e
+
+# load common functions
+# shellcheck disable=SC1091
+. ./bash_lib.sh
+
+bb_print_env
+
+if ! which mysql ; then
+  bb_log_err "This step assumes that MariaDB has already been installed"
+  exit 1
+fi
+
+control_mariadb_server restart
+
+set +e
+
+res=0
+
+#----------------
+# Basic pam_unix
+#----------------
+
+set -e
+
+sudo tee /etc/pam.d/mariadb <<EOF
+auth required pam_unix.so audit
+account required pam_unix.so audit
+EOF
+
+# PAM v2
+
+sudo mysql -e "INSTALL SONAME 'auth_pam'; CREATE USER 'buildbot'@'localhost' IDENTIFIED VIA pam USING 'mariadb'"
+if ! mysql -ubuildbot -ptest -e "SHOW GRANTS" ; then
+  res=1
+  bb_log_err "Authentication with PAM v2 (pam_unix) failed" 
+fi
+sudo mysql -e "UNINSTALL SONAME 'auth_pam'"
+if mysql -ubuildbot -ptest -e "SHOW GRANTS" > /dev/null 2>&1 ; then
+  res=1
+  bb_log_err "User authenticated via PAM v2 (pam_unix) could still connect after uninstalling plugin"
+fi
+
+if [ "$res" == "0" ] ; then
+  bb_log_info "PAM v2 Authentication test successful" 
+fi
+
+# PAM v1
+
+sudo mysql -e "INSTALL SONAME 'auth_pam_v1'"
+
+set +e
+sudo groupadd shadow
+sudo usermod -a -G shadow mysql
+sudo chown root:shadow /etc/shadow
+sudo chmod g+r /etc/shadow
+set -e
+
+control_mariadb_server restart
+
+if ! mysql -ubuildbot -ptest -e "SHOW GRANTS" ; then
+  res=1
+  bb_log_err "Authentication with PAM v1 (pam_unix) failed"
+fi
+sudo mysql -e "UNINSTALL SONAME 'auth_pam_v1'"
+if mysql -ubuildbot -ptest -e "SHOW GRANTS" > /dev/null 2>&1 ; then
+  res=1
+  bb_log_err "User authenticated via PAM v1 (pam_unix) could still connect after uninstalling plugin"
+fi
+
+if [ "$res" == "0" ] ; then
+  bb_log_info "PAM v1 Authentication test successful" 
+fi
+
+#----------------
+# MTR
+#----------------
+
+cd /usr/share/mysql-test || cd /usr/share/mariadb-test || cd /usr/share/mysql/mysql-test || cd /usr/share/mariadb/mariadb-test
+
+if test -f suite/plugins/pam/pam_mariadb_mtr.so; then
+  for p in /lib*/security /lib*/*/security ; do
+    test -f "$p/pam_unix.so" && sudo cp -v suite/plugins/pam/pam_mariadb_mtr.so "$p"/
+  done
+  sudo cp -v suite/plugins/pam/mariadb_mtr /etc/pam.d/
+fi
+
+if ! sudo su -s /bin/sh -c "perl mysql-test-run.pl --verbose-restart --force --vardir=/dev/shm/var_pam --suite=plugins --do-test=pam" mysql ; then
+  res=1
+  bb_log_err "MTR PAM tests failed" 
+fi
+
+set +e
+
+if [ "$res" != "0" ] ; then
+  exit $res
+fi