From 654de563dcf291454ad5ebb5116bb88a118f0ceb Mon Sep 17 00:00:00 2001 From: Russ Magee Date: Tue, 18 Feb 2020 10:53:04 -0800 Subject: [PATCH] auth.go: AuthCtx added to structure mockable entities for testing Signed-off-by: Russ Magee --- auth.go | 47 ++++++++++++++++++++++++++++++----------------- auth_test.go | 32 +++++++++++++++++++++++--------- xsd/xsd.go | 6 +++--- 3 files changed, 56 insertions(+), 29 deletions(-) diff --git a/auth.go b/auth.go index f62b328..8fe59e3 100644 --- a/auth.go +++ b/auth.go @@ -26,15 +26,25 @@ import ( passlib "gopkg.in/hlandau/passlib.v1" ) +type AuthCtx struct { + reader func(string) ([]byte, error) // eg. ioutil.ReadFile() + userlookup func(string) (*user.User, error) // eg. os/user.Lookup() +} + +func NewAuthCtx(/*reader func(string) ([]byte, error), userlookup func(string) (*user.User, error)*/) (ret *AuthCtx) { + ret = &AuthCtx{ioutil.ReadFile, user.Lookup} + return +} + // --------- System passwd/shadow auth routine(s) -------------- // Verify a password against system standard shadow file // Note auxilliary fields for expiry policy are *not* inspected. -func VerifyPass(reader func(string) ([]byte, error), user, password string) (bool, error) { - if reader == nil { - reader = ioutil.ReadFile // dependency injection hides that this is required +func VerifyPass(ctx *AuthCtx, user, password string) (bool, error) { + if ctx.reader == nil { + ctx.reader = ioutil.ReadFile // dependency injection hides that this is required } passlib.UseDefaults(passlib.Defaults20180601) - pwFileData, e := reader("/etc/shadow") + pwFileData, e := ctx.reader("/etc/shadow") if e != nil { return false, e } @@ -73,11 +83,14 @@ func VerifyPass(reader func(string) ([]byte, error), user, password string) (boo // This checks /etc/xs.passwd for auth info, and system /etc/passwd // to cross-check the user actually exists. // nolint: gocyclo -func AuthUserByPasswd(reader func(string) ([]byte, error), userlookup func(string) (*user.User, error), username string, auth string, fname string) (valid bool, allowedCmds string) { - if reader == nil { - reader = ioutil.ReadFile // dependency injection hides that this is required +func AuthUserByPasswd(ctx *AuthCtx, username string, auth string, fname string) (valid bool, allowedCmds string) { + if ctx.reader == nil { + ctx.reader = ioutil.ReadFile // dependency injection hides that this is required } - b, e := reader(fname) // nolint: gosec + if ctx.userlookup == nil { + ctx.userlookup = user.Lookup // again for dependency injection as dep is now hidden + } + b, e := ctx.reader(fname) // nolint: gosec if e != nil { valid = false log.Printf("ERROR: Cannot read %s!\n", fname) @@ -121,7 +134,7 @@ func AuthUserByPasswd(reader func(string) ([]byte, error), userlookup func(strin r = nil runtime.GC() - _, userErr := userlookup(username) + _, userErr := ctx.userlookup(username) if userErr != nil { valid = false } @@ -135,21 +148,21 @@ func AuthUserByPasswd(reader func(string) ([]byte, error), userlookup func(strin // via the -g option. // The function also check system /etc/passwd to cross-check the user // actually exists. -func AuthUserByToken(reader func(string) ([]byte, error), userlookup func(string) (*user.User, error), username string, connhostname string, auth string) (valid bool) { - if reader == nil { - reader = ioutil.ReadFile // dependency injection hides that this is required +func AuthUserByToken(ctx *AuthCtx, username string, connhostname string, auth string) (valid bool) { + if ctx.reader == nil { + ctx.reader = ioutil.ReadFile // dependency injection hides that this is required } - if userlookup == nil { - userlookup = user.Lookup // again for dependency injection as dep is now hidden + if ctx.userlookup == nil { + ctx.userlookup = user.Lookup // again for dependency injection as dep is now hidden } auth = strings.TrimSpace(auth) - u, ue := userlookup(username) + u, ue := ctx.userlookup(username) if ue != nil { return false } - b, e := reader(fmt.Sprintf("%s/.xs_id", u.HomeDir)) + b, e := ctx.reader(fmt.Sprintf("%s/.xs_id", u.HomeDir)) if e != nil { log.Printf("INFO: Cannot read %s/.xs_id\n", u.HomeDir) return false @@ -176,7 +189,7 @@ func AuthUserByToken(reader func(string) ([]byte, error), userlookup func(string break } } - _, userErr := userlookup(username) + _, userErr := ctx.userlookup(username) if userErr != nil { valid = false } diff --git a/auth_test.go b/auth_test.go index 2d90e33..3672607 100644 --- a/auth_test.go +++ b/auth_test.go @@ -31,6 +31,11 @@ disableduser:!:18310::::::` readfile_arg_f string ) +func newMockAuthCtx(reader func(string) ([]byte, error), userlookup func(string) (*user.User, error)) (ret *AuthCtx) { + ret = &AuthCtx{reader, userlookup} + return +} + func _mock_user_Lookup(username string) (*user.User, error) { username = userlookup_arg_u if username == "baduser" { @@ -64,8 +69,9 @@ func _mock_ioutil_ReadFileHasError(f string) ([]byte, error) { func TestVerifyPass(t *testing.T) { readfile_arg_f = "/etc/shadow" + ctx := newMockAuthCtx(_mock_ioutil_ReadFile, nil) for idx, rec := range testGoodUsers { - stat, e := VerifyPass(_mock_ioutil_ReadFile, rec.user, rec.passwd) + stat, e := VerifyPass(ctx, rec.user, rec.passwd) if rec.good && (!stat || e != nil) { t.Fatalf("failed %d\n", idx) } @@ -73,21 +79,24 @@ func TestVerifyPass(t *testing.T) { } func TestVerifyPassFailsOnEmptyFile(t *testing.T) { - stat, e := VerifyPass(_mock_ioutil_ReadFileEmpty, "johndoe", "sompass") + ctx := newMockAuthCtx(_mock_ioutil_ReadFileEmpty, nil) + stat, e := VerifyPass(ctx, "johndoe", "somepass") if stat || (e == nil) { t.Fatal("failed to fail w/empty file") } } func TestVerifyPassFailsOnFileError(t *testing.T) { - stat, e := VerifyPass(_mock_ioutil_ReadFileEmpty, "johndoe", "somepass") + ctx := newMockAuthCtx(_mock_ioutil_ReadFileEmpty, nil) + stat, e := VerifyPass(ctx, "johndoe", "somepass") if stat || (e == nil) { t.Fatal("failed to fail on ioutil.ReadFile error") } } func TestVerifyPassFailsOnDisabledEntry(t *testing.T) { - stat, e := VerifyPass(_mock_ioutil_ReadFileEmpty, "disableduser", "!") + ctx := newMockAuthCtx(_mock_ioutil_ReadFileEmpty, nil) + stat, e := VerifyPass(ctx, "disableduser", "!") if stat || (e == nil) { t.Fatal("failed to fail on disabled user entry") } @@ -96,38 +105,43 @@ func TestVerifyPassFailsOnDisabledEntry(t *testing.T) { //// func TestAuthUserByTokenFailsOnMissingEntryForHost(t *testing.T) { - stat := AuthUserByToken(_mock_ioutil_ReadFile, _mock_user_Lookup, "johndoe", "hostZ", "abcdefg") + ctx := newMockAuthCtx(_mock_ioutil_ReadFile, _mock_user_Lookup) + stat := AuthUserByToken(ctx, "johndoe", "hostZ", "abcdefg") if stat { t.Fatal("failed to fail on missing/mismatched host entry") } } func TestAuthUserByTokenFailsOnMissingEntryForUser(t *testing.T) { - stat := AuthUserByToken(_mock_ioutil_ReadFile, _mock_user_Lookup, "unkuser", "hostA", "abcdefg") + ctx := newMockAuthCtx(_mock_ioutil_ReadFile, _mock_user_Lookup) + stat := AuthUserByToken(ctx, "unkuser", "hostA", "abcdefg") if stat { t.Fatal("failed to fail on wrong user") } } func TestAuthUserByTokenFailsOnUserLookupFailure(t *testing.T) { + ctx := newMockAuthCtx(_mock_ioutil_ReadFile, _mock_user_Lookup) userlookup_arg_u = "baduser" - stat := AuthUserByToken(_mock_ioutil_ReadFile, _mock_user_Lookup, "johndoe", "hostA", "abcdefg") + stat := AuthUserByToken(ctx, "johndoe", "hostA", "abcdefg") if stat { t.Fatal("failed to fail with bad return from user.Lookup()") } } func TestAuthUserByTokenFailsOnMismatchedTokenForUser(t *testing.T) { - stat := AuthUserByToken(_mock_ioutil_ReadFile, _mock_user_Lookup, "johndoe", "hostA", "badtoken") + ctx := newMockAuthCtx(_mock_ioutil_ReadFile, _mock_user_Lookup) + stat := AuthUserByToken(ctx, "johndoe", "hostA", "badtoken") if stat { t.Fatal("failed to fail with valid user, bad token") } } func TestAuthUserByTokenSucceedsWithMatchedUserAndToken(t *testing.T) { + ctx := newMockAuthCtx(_mock_ioutil_ReadFile, _mock_user_Lookup) userlookup_arg_u = "johndoe" readfile_arg_f = "/.xs_id" - stat := AuthUserByToken(_mock_ioutil_ReadFile, _mock_user_Lookup, userlookup_arg_u, "hostA", "hostA:abcdefg") + stat := AuthUserByToken(ctx, userlookup_arg_u, "hostA", "hostA:abcdefg") if !stat { t.Fatal("failed with valid user and token") } diff --git a/xsd/xsd.go b/xsd/xsd.go index 528d094..e46c2a7 100755 --- a/xsd/xsd.go +++ b/xsd/xsd.go @@ -708,14 +708,14 @@ func main() { var valid bool var allowedCmds string // Currently unused - if xs.AuthUserByToken(ioutil.ReadFile, user.Lookup, string(rec.Who()), string(rec.ConnHost()), string(rec.AuthCookie(true))) { + if xs.AuthUserByToken(xs.NewAuthCtx(), string(rec.Who()), string(rec.ConnHost()), string(rec.AuthCookie(true))) { valid = true } else { if useSystemPasswd { //var passErr error - valid, _ /*passErr*/ = xs.VerifyPass(ioutil.ReadFile, string(rec.Who()), string(rec.AuthCookie(true))) + valid, _ /*passErr*/ = xs.VerifyPass(xs.NewAuthCtx(), string(rec.Who()), string(rec.AuthCookie(true))) } else { - valid, allowedCmds = xs.AuthUserByPasswd(ioutil.ReadFile, user.Lookup, string(rec.Who()), string(rec.AuthCookie(true)), "/etc/xs.passwd") + valid, allowedCmds = xs.AuthUserByPasswd(xs.NewAuthCtx(), string(rec.Who()), string(rec.AuthCookie(true)), "/etc/xs.passwd") } }