pam_succeed_if: add unit test

Cover previous changes with unit test.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

2 files changed, 91 insertions, 1 deletions

diff --git a/modules/pam_succeed_if/Makefile.am b/modules/pam_succeed_if/Makefile.am
index 335a31f9..8b31b7e6 100644
--- a/modules/pam_succeed_if/Makefile.am
+++ b/modules/pam_succeed_if/Makefile.am
@@ -12,7 +12,7 @@ dist_man_MANS = pam_succeed_if.8
 endif
 XMLS = README.xml pam_succeed_if.8.xml
 dist_check_SCRIPTS = tst-pam_succeed_if
-TESTS = $(dist_check_SCRIPTS)
+TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS)
 
 securelibdir = $(SECUREDIR)
 if HAVE_VENDORDIR
@@ -31,6 +31,9 @@ endif
 securelib_LTLIBRARIES = pam_succeed_if.la
 pam_succeed_if_la_LIBADD = $(top_builddir)/libpam/libpam.la
 
+check_PROGRAMS = tst-pam_succeed_if-retval
+tst_pam_succeed_if_retval_LDADD = $(top_builddir)/libpam/libpam.la
+
 if ENABLE_REGENERATE_MAN
 dist_noinst_DATA = README
 -include $(top_builddir)/Make.xml.rules
diff --git a/modules/pam_succeed_if/tst-pam_succeed_if-retval.c b/modules/pam_succeed_if/tst-pam_succeed_if-retval.c
new file mode 100644
index 00000000..d5f1fd1c
--- /dev/null
+++ b/modules/pam_succeed_if/tst-pam_succeed_if-retval.c
@@ -0,0 +1,87 @@
+/*
+ * Check pam_succeed_if return values.
+ *
+ * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org>
+ * Copyright (c) 2024 Tobias Stoeckmann <tobias@stoeckmann.org>
+ */
+
+#include "test_assert.h"
+
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <security/pam_appl.h>
+
+#define MODULE_NAME "pam_succeed_if"
+#define TEST_NAME "tst-" MODULE_NAME "-retval"
+
+static const char service_file[] = TEST_NAME ".service";
+static const char user_name[] = "name";
+static struct pam_conv conv;
+
+int
+main(void)
+{
+	pam_handle_t *pamh = NULL;
+	FILE *fp;
+	char cwd[PATH_MAX];
+
+	ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd)));
+
+	ASSERT_NE(NULL, fp = fopen(service_file, "w"));
+	ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
+			     "auth required %s/.libs/%s.so user = name\n"
+			     "account required %s/.libs/%s.so user notin a:b\n"
+			     "password required %s/.libs/%s.so user in x:name\n"
+			     "session required %s/.libs/%s.so rhost eq 0\n",
+			     cwd, MODULE_NAME,
+			     cwd, MODULE_NAME,
+			     cwd, MODULE_NAME,
+			     cwd, MODULE_NAME));
+	ASSERT_EQ(0, fclose(fp));
+
+	ASSERT_EQ(PAM_SUCCESS,
+		  pam_start_confdir(service_file, user_name, &conv, ".", &pamh));
+	ASSERT_NE(NULL, pamh);
+	ASSERT_EQ(PAM_SUCCESS, pam_set_item(pamh, PAM_RHOST, "0"));
+
+	ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0));
+	ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0));
+	ASSERT_EQ(PAM_SUCCESS, pam_chauthtok(pamh, 0));
+	ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0));
+	ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, 0));
+	ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0));
+	pamh = NULL;
+
+	ASSERT_EQ(0, unlink(service_file));
+
+	/* test some illegal conditions */
+	ASSERT_NE(NULL, fp = fopen(service_file, "w"));
+	ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
+			     "auth required %s/.libs/%s.so user eq name\n"
+			     "account required %s/.libs/%s.so user in a:b\n"
+			     "password required %s/.libs/%s.so user notin x:name\n"
+			     "session required %s/.libs/%s.so rhost eq []\n",
+			     cwd, MODULE_NAME,
+			     cwd, MODULE_NAME,
+			     cwd, MODULE_NAME,
+			     cwd, MODULE_NAME));
+	ASSERT_EQ(0, fclose(fp));
+
+	ASSERT_EQ(PAM_SUCCESS,
+		  pam_start_confdir(service_file, user_name, &conv, ".", &pamh));
+	ASSERT_NE(NULL, pamh);
+
+	ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0));
+	ASSERT_EQ(PAM_AUTH_ERR, pam_acct_mgmt(pamh, 0));
+	ASSERT_EQ(PAM_AUTH_ERR, pam_chauthtok(pamh, 0));
+	ASSERT_EQ(PAM_SERVICE_ERR, pam_open_session(pamh, 0));
+	ASSERT_EQ(PAM_SERVICE_ERR, pam_close_session(pamh, 0));
+	ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0));
+	pamh = NULL;
+
+	ASSERT_EQ(0, unlink(service_file));
+
+	return 0;
+}