Commit
fix(PAM&NSS): Generate U(G)ID based on username and update UserPreCheck to return complete user info from broker (#430)

We used to generate the IDs based on the UU(G)IDs and the broker name. This meant we could only get the right value after the user authenticated at least once. For cases like SSH, where the user needs to be pre-checked if it doesn't exist locally, the user info would be cached and the dummy ID would be used throughout the whole process instead of the ID generated after authentication.

Changing the generation to consider only the username and moving it to the internal/users package means we can return the right UID when pre-checking the user through NSS, avoiding mismatching issues later in the stack.

UDENG-3528
Showing 29 changed files with 245 additions and 99 deletions.
...s/testdata/TestIsAuthenticated/golden/adds_default_groups_even_if_broker_did_not_set_them (2 changes: 1 addition & 1 deletion)
@@ -1,4 +1,4 @@ | ||
FIRST CALL: | ||
access: granted | ||
data: {"Name":"TestIsAuthenticated/Adds_default_groups_even_if_broker_did_not_set_them_separator_IA_info_empty_groups","UID":98803,"Gecos":"gecos for IA_info_empty_groups","Dir":"/home/IA_info_empty_groups","Shell":"/bin/sh/IA_info_empty_groups","Groups":[{"Name":"TestIsAuthenticated/Adds_default_groups_even_if_broker_did_not_set_them_separator_IA_info_empty_groups","GID":98803}]} | ||
data: {"Name":"TestIsAuthenticated/Adds_default_groups_even_if_broker_did_not_set_them_separator_IA_info_empty_groups","UID":66266,"Gecos":"gecos for IA_info_empty_groups","Dir":"/home/IA_info_empty_groups","Shell":"/bin/sh/IA_info_empty_groups","Groups":[{"Name":"TestIsAuthenticated/Adds_default_groups_even_if_broker_did_not_set_them_separator_IA_info_empty_groups","GID":66266}]} | ||
err: <nil> |
...sAuthenticated/golden/error_when_calling_isauthenticated_a_second_time_without_cancelling (2 changes: 1 addition & 1 deletion)
...estdata/TestIsAuthenticated/golden/no_error_when_broker_returns_userinfo_with_empty_gecos (2 changes: 1 addition & 1 deletion)
@@ -1,4 +1,4 @@ | ||
FIRST CALL: | ||
access: granted | ||
data: {"Name":"TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_empty_gecos_separator_IA_info_empty_gecos","UID":92651,"Gecos":"","Dir":"/home/IA_info_empty_gecos","Shell":"/bin/sh/IA_info_empty_gecos","Groups":[{"Name":"TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_empty_gecos_separator_IA_info_empty_gecos","GID":92651},{"Name":"group-IA_info_empty_gecos","GID":92357}]} | ||
data: {"Name":"TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_empty_gecos_separator_IA_info_empty_gecos","UID":89715,"Gecos":"","Dir":"/home/IA_info_empty_gecos","Shell":"/bin/sh/IA_info_empty_gecos","Groups":[{"Name":"TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_empty_gecos_separator_IA_info_empty_gecos","GID":89715},{"Name":"group-IA_info_empty_gecos","GID":96794}]} | ||
err: <nil> |
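Review bot: the secondary group GID in this golden changes from 92357 to 96794 alongside the UID, so group IDs are now derived from the group name too, not only user IDs from the username as the commit title says. Please spell that out in the commit message, together with the consequence that the same group name reported by two different brokers now maps to a single GID, where the broker name previously kept them apart.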
...stIsAuthenticated/golden/no_error_when_broker_returns_userinfo_with_group_with_empty_ugid (2 changes: 1 addition & 1 deletion)
@@ -1,4 +1,4 @@ | ||
FIRST CALL: | ||
access: granted | ||
data: {"Name":"TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_group_with_empty_UGID_separator_IA_info_empty_ugid","UID":88158,"Gecos":"gecos for IA_info_empty_ugid","Dir":"/home/IA_info_empty_ugid","Shell":"/bin/sh/IA_info_empty_ugid","Groups":[{"Name":"TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_group_with_empty_UGID_separator_IA_info_empty_ugid","GID":88158},{"Name":"group-IA_info_empty_ugid","GID":null}]} | ||
data: {"Name":"TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_group_with_empty_UGID_separator_IA_info_empty_ugid","UID":91342,"Gecos":"gecos for IA_info_empty_ugid","Dir":"/home/IA_info_empty_ugid","Shell":"/bin/sh/IA_info_empty_ugid","Groups":[{"Name":"TestIsAuthenticated/No_error_when_broker_returns_userinfo_with_group_with_empty_UGID_separator_IA_info_empty_ugid","GID":91342},{"Name":"group-IA_info_empty_ugid","GID":null}]} | ||
err: <nil> |
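Review bot: the group with an empty UGID still comes back as "GID":null after this change, even though IDs are no longer derived from the UGID. If a null GID is still meant to signal a group that has to be resolved locally, the golden is fine but that rule deserves a comment in the test; if the name-based generator is expected to assign it an ID now, this golden is pinning a regression rather than the intended behaviour.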
internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate (2 changes: 1 addition & 1 deletion)
@@ -1,4 +1,4 @@ | ||
FIRST CALL: | ||
access: granted | ||
data: {"Name":"TestIsAuthenticated/Successfully_authenticate_separator_success","UID":82162,"Gecos":"gecos for success","Dir":"/home/success","Shell":"/bin/sh/success","Groups":[{"Name":"TestIsAuthenticated/Successfully_authenticate_separator_success","GID":82162},{"Name":"group-success","GID":81868}]} | ||
data: {"Name":"TestIsAuthenticated/Successfully_authenticate_separator_success","UID":71705,"Gecos":"gecos for success","Dir":"/home/success","Shell":"/bin/sh/success","Groups":[{"Name":"TestIsAuthenticated/Successfully_authenticate_separator_success","GID":71705},{"Name":"group-success","GID":73580}]} | ||
err: <nil> |
internal/brokers/testdata/TestUserPreCheck/golden/successfully_pre-check_user (9 changes: 9 additions & 0 deletions)
@@ -0,0 +1,9 @@ | ||
{ | ||
"name": "user-pre-check", | ||
"uuid": "uuid-user-pre-check", | ||
"gecos": "gecos for user-pre-check", | ||
"dir": "/home/user-pre-check", | ||
"shell": "/bin/sh/user-pre-check", | ||
"avatar": "avatar for user-pre-check", | ||
"groups": [ {"name": "group-user-pre-check", "ugid": "ugid-user-pre-check"} ] | ||
} |
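Review bot: the new pre-check golden only covers a group that carries a ugid. Since UserPreCheck now returns the complete user info that NSS will hand out, please add a pre-check case mirroring the IsAuthenticated golden with an empty ugid, so the NSS path is exercised for that input before any authentication has happened.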
internal/services/nss/testdata/TestGetPasswdByName/golden/precheck_user_if_not_in_cache (10 changes: 5 additions & 5 deletions)
@@ -1,7 +1,7 @@ | ||
name: user-pre-check | ||
passwd: x | ||
uid: 4294967295 | ||
gid: 4294967295 | ||
gecos: "" | ||
homedir: "" | ||
shell: "" | ||
uid: 75590 | ||
gid: 75590 | ||
gecos: gecos for user-pre-check | ||
homedir: /home/user-pre-check | ||
shell: /bin/sh/user-pre-check |
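Review bot: uid and gid move from the sentinel 4294967295 (uint32 -1) to 75590, so NSS now hands out a real ID before the user has ever authenticated. The commit message says that is the point of the change, but nothing in this diff pins down that the pre-check ID equals the one written to cache.db after authentication; a test that pre-checks and then authenticates the same user and compares both IDs would guard against exactly the mismatch the message describes.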
...asswdByName/golden/prechecked_user_with_upper_cases_in_username_has_same_id_as_lower_case (7 changes: 7 additions & 0 deletions)
@@ -0,0 +1,7 @@ | ||
name: User-Pre-Check | ||
passwd: x | ||
uid: 75590 | ||
gid: 75590 | ||
gecos: gecos for User-Pre-Check | ||
homedir: /home/User-Pre-Check | ||
shell: /bin/sh/User-Pre-Check |
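Review bot: User-Pre-Check gets uid 75590, the same value as user-pre-check in the previous golden, so the ID is computed on the case-folded username while name, gecos, homedir and shell keep the caller's casing. That yields two distinct passwd entries sharing one UID but pointing at different home directories (/home/user-pre-check and /home/User-Pre-Check); either normalize the returned name as well, or state in the test why the mixed-case variant is an acceptable alias of the same account.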
internal/services/pam/testdata/TestIDGeneration/golden/generate_id/cache.db (16 changes: 16 additions & 0 deletions)
@@ -0,0 +1,16 @@ | ||
GroupByID: | ||
"73580": '{"Name":"group-success","GID":73580}' | ||
"94411": '{"Name":"TestIDGeneration_separator_success","GID":94411}' | ||
GroupByName: | ||
TestIDGeneration_separator_success: '{"Name":"TestIDGeneration_separator_success","GID":94411}' | ||
group-success: '{"Name":"group-success","GID":73580}' | ||
GroupToUsers: | ||
"73580": '{"GID":73580,"UIDs":[94411]}' | ||
"94411": '{"GID":94411,"UIDs":[94411]}' | ||
UserByID: | ||
"94411": '{"Name":"TestIDGeneration_separator_success","UID":94411,"GID":94411,"Gecos":"gecos for success","Dir":"/home/success","Shell":"/bin/sh/success","LastPwdChange":-1,"MaxPwdAge":-1,"PwdWarnPeriod":-1,"PwdInactivity":-1,"MinPwdAge":-1,"ExpirationDate":-1,"LastLogin":"ABCDETIME"}' | ||
UserByName: | ||
TestIDGeneration_separator_success: '{"Name":"TestIDGeneration_separator_success","UID":94411,"GID":94411,"Gecos":"gecos for success","Dir":"/home/success","Shell":"/bin/sh/success","LastPwdChange":-1,"MaxPwdAge":-1,"PwdWarnPeriod":-1,"PwdInactivity":-1,"MinPwdAge":-1,"ExpirationDate":-1,"LastLogin":"ABCDETIME"}' | ||
UserToBroker: {} | ||
UserToGroups: | ||
"94411": '{"UID":94411,"GIDs":[94411,73580]}' |
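Review bot: UserToBroker is {} in this golden even though the user record for UID 94411 was just created, so the cache holds no broker mapping for that user. If TestIDGeneration intentionally skips that step, a comment in the test would stop readers from mistaking the empty map for a bug; otherwise the golden is hiding a missing write.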
...ta/TestIDGeneration/golden/generates_same_id_if_user_has_upper_cases_in_username/cache.db (16 changes: 16 additions & 0 deletions)
@@ -0,0 +1,16 @@ | ||
GroupByID: | ||
"73580": '{"Name":"group-SuCcEsS","GID":73580}' | ||
"94411": '{"Name":"TestIDGeneration_separator_SuCcEsS","GID":94411}' | ||
GroupByName: | ||
TestIDGeneration_separator_SuCcEsS: '{"Name":"TestIDGeneration_separator_SuCcEsS","GID":94411}' | ||
group-SuCcEsS: '{"Name":"group-SuCcEsS","GID":73580}' | ||
GroupToUsers: | ||
"73580": '{"GID":73580,"UIDs":[94411]}' | ||
"94411": '{"GID":94411,"UIDs":[94411]}' | ||
UserByID: | ||
"94411": '{"Name":"TestIDGeneration_separator_SuCcEsS","UID":94411,"GID":94411,"Gecos":"gecos for SuCcEsS","Dir":"/home/SuCcEsS","Shell":"/bin/sh/SuCcEsS","LastPwdChange":-1,"MaxPwdAge":-1,"PwdWarnPeriod":-1,"PwdInactivity":-1,"MinPwdAge":-1,"ExpirationDate":-1,"LastLogin":"ABCDETIME"}' | ||
UserByName: | ||
TestIDGeneration_separator_SuCcEsS: '{"Name":"TestIDGeneration_separator_SuCcEsS","UID":94411,"GID":94411,"Gecos":"gecos for SuCcEsS","Dir":"/home/SuCcEsS","Shell":"/bin/sh/SuCcEsS","LastPwdChange":-1,"MaxPwdAge":-1,"PwdWarnPeriod":-1,"PwdInactivity":-1,"MinPwdAge":-1,"ExpirationDate":-1,"LastLogin":"ABCDETIME"}' | ||
UserToBroker: {} | ||
UserToGroups: | ||
"94411": '{"UID":94411,"GIDs":[94411,73580]}' |
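Review bot: group-SuCcEsS receives GID 73580, the same value group-success has in the sibling golden, while GroupByName keeps the original casing as its key. Because GroupByID is keyed by the numeric ID alone, caching both spellings in one database would make the second entry overwrite the first under key "73580"; consider case-folding the group name before storing it, or add a test that caches the mixed-case and lowercase spellings of one group together and checks what GroupByID and GroupByName end up holding.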