#!/usr/bin/expect -- # test_pamcmds.expect - test script to check output of PAM commands # # Copyright (C) 2011, 2012, 2013 Arthur de Jong # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301 USA # basic configuration set timeout 5 log_file -a -noappend test_pamcmds.log log_user 0 # basic error handling proc abort {} { global expect_out send_user "\n\ntest_pamcmds.expect: ERROR found:\n" send_user "$expect_out(buffer)\n" exit 1 } # function for resetting the password proc reset_password {} { global expect_out send_user "test_pamcmds.expect: resetting passwd...\n" spawn passwd vsefcovic expect { "LDAP administrator password" { send "test\r"; exp_continue } -regexp "(New|Retype new)( UNIX)? password:" { send "test\r"; exp_continue } "password updated successfully" {} "passwd: all authentication tokens updated successfully." {} "Invalid credentials" abort "Authentication token manipulation error" abort "passwd: Sorry, `passwd' can only change passwords for local or NIS users." { send_user "test_pamcmds.expect: passwd not using PAM\n" exit 77 } default abort } #close } # find source directory if { ! [info exists ::env(srcdir) ] } { set env(srcdir) "." } # ensure that we are running as root if { [exec id -u] != "0" } { send_user "test_pamcmds.expect: not running as root\n" exit 77 } # ensure that we are running in the test environment spawn $env(srcdir)/testenv.sh check expect eof catch wait result if { [lindex $result 3] } { send_user "test_pamcmds.expect: not running in test environment\n" exit 77 } # ensure that a correct password is set reset_password # start a shell as nobody send_user "test_pamcmds.expect: start shell...\n" spawn su - nobody -s /bin/sh expect "\$ " # function to do login, expecting OK result proc test_login_ok {uid passwd} { send "su - $uid -s /bin/sh\r" expect "Password:" send "$passwd\r" expect { "su: warning: cannot change directory" { exp_continue } "\$ " {} "su: incorrect password" abort default abort } # test whether we are really logged in send "id\r" expect { -regexp "uid=\[0-9\]*\\($uid\\)" {} "\$ " abort default abort } expect "\$ " } # function to do login, expecting FAIL result proc test_login_authfail {uid passwd} { send "su - $uid -s /bin/sh\r" expect "Password:" send "$passwd\r" expect { "su: Authentication failure" {} "su: incorrect password" {} "\$ " abort default abort } expect "\$ " } # function to do login, expecting FAIL result proc test_login_unknown {uid passwd} { send "su - $uid -s /bin/sh\r" expect { "Password:" { send "$passwd\r"; exp_continue } "Unknown id" {} "No passwd entry for user" {} "user $uid does not exist" {} "\$ " abort default abort } expect "\$ " } # test incorrect password send_user "test_pamcmds.expect: testing incorrect password...\n" test_login_authfail vsefcovic wrongpassword # test correct password send_user "test_pamcmds.expect: testing correct password...\n" test_login_ok vsefcovic test # change password using incorrect old password send_user "test_pamcmds.expect: testing password change with incorrect password...\n" send "passwd\r" expect { -nocase "password:" { send "wrongpassword\r" } "\$ " abort default abort } expect { -regexp "(New|Retype new)( UNIX)? password:" { send "DuhevOlNoz5\r"; exp_continue } "password changed" abort "all authentication tokens updated successfully." abort "Invalid credentials" {} "Authentication token manipulation error" {} "\$ " abort } expect "\$ " # change the password using the correct old password send_user "test_pamcmds.expect: testing password change with correct password...\n" send "passwd\r" expect { -nocase "password:" { send "test\r" } "\$ " abort default abort } expect { -regexp "(New|Retype new)( UNIX)? password:" { send "DuhevOlNoz5\r"; exp_continue } "password updated successfully" {} "all authentication tokens updated successfully." {} "Invalid credentials" abort "Authentication token manipulation error" abort "\$ " abort } expect "\$ " # exist shell (back to nobody) send "exit\r" expect "\$ " # logging in with the old password should fail now send_user "test_pamcmds.expect: testing old password...\n" test_login_authfail vsefcovic test # test correct password send_user "test_pamcmds.expect: testing new password...\n" test_login_ok vsefcovic DuhevOlNoz5 # test invalid username send_user "test_pamcmds.expect: testing with unknown username...\n" test_login_unknown foo anypassword # test login as root with incorrect password send_user "test_pamcmds.expect: testing with root...\n" test_login_authfail root anypassword # test login as nobody with incorrect password send_user "test_pamcmds.expect: testing with nobody...\n" test_login_authfail nobody anypassword # close the shell (first log off vsefcovic) send "exit\r" expect "\$ " send "exit\r" expect { eof {} "\$ " abort timeout abort } # ensure that a correct password is set reset_password send_user "test_pamcmds.expect: everyting OK\n" exit 0