pax_global_header00006660000000000000000000000064146234124050014513gustar00rootroot0000000000000052 comment=035d8906722422270a7869c2832c2b8e6001192a golang-github-msteinert-pam-2.0.0/000077500000000000000000000000001462341240500170245ustar00rootroot00000000000000golang-github-msteinert-pam-2.0.0/.clang-format000066400000000000000000000060341462341240500214020ustar00rootroot00000000000000# clang-format configuration file. For more information, see: # # https://clang.llvm.org/docs/ClangFormat.html # https://clang.llvm.org/docs/ClangFormatStyleOptions.html # --- AccessModifierOffset: -4 AlignAfterOpenBracket: Align AlignConsecutiveAssignments: false AlignConsecutiveDeclarations: false AlignEscapedNewlines: Left AlignOperands: true AlignTrailingComments: false AllowAllParametersOfDeclarationOnNextLine: false AllowShortBlocksOnASingleLine: false AllowShortCaseLabelsOnASingleLine: false AllowShortFunctionsOnASingleLine: None AllowShortIfStatementsOnASingleLine: false AllowShortLoopsOnASingleLine: false AlwaysBreakAfterDefinitionReturnType: None AlwaysBreakAfterReturnType: None AlwaysBreakBeforeMultilineStrings: false AlwaysBreakTemplateDeclarations: false BinPackArguments: true BinPackParameters: true BraceWrapping: AfterClass: false AfterControlStatement: false AfterEnum: false AfterFunction: true AfterNamespace: true AfterObjCDeclaration: false AfterStruct: false AfterUnion: false AfterExternBlock: false BeforeCatch: false BeforeElse: false IndentBraces: false SplitEmptyFunction: true SplitEmptyRecord: true SplitEmptyNamespace: true BreakBeforeBinaryOperators: None BreakBeforeBraces: Custom BreakBeforeInheritanceComma: false BreakBeforeTernaryOperators: true BreakConstructorInitializersBeforeComma: false BreakConstructorInitializers: BeforeComma BreakStringLiterals: false ColumnLimit: 120 CompactNamespaces: false ConstructorInitializerAllOnOneLineOrOnePerLine: false ConstructorInitializerIndentWidth: 8 ContinuationIndentWidth: 8 DerivePointerAlignment: false DisableFormat: false ExperimentalAutoDetectBinPacking: false FixNamespaceComments: false IncludeBlocks: Regroup IncludeCategories: - Regex: '^"(allez)/' Priority: 2 SortPriority: 2 CaseSensitive: true - Regex: '.*' Priority: 1 SortPriority: 0 IndentCaseLabels: false IndentGotoLabels: false IndentPPDirectives: None IndentWidth: 8 IndentWrappedFunctionNames: false KeepEmptyLinesAtTheStartOfBlocks: false MacroBlockBegin: '' MacroBlockEnd: '' MaxEmptyLinesToKeep: 1 NamespaceIndentation: None ObjCBinPackProtocolList: Auto ObjCBlockIndentWidth: 8 ObjCSpaceAfterProperty: true ObjCSpaceBeforeProtocolList: true # Taken from git's rules PenaltyBreakAssignment: 10 PenaltyBreakBeforeFirstCallParameter: 30 PenaltyBreakComment: 10 PenaltyBreakFirstLessLess: 0 PenaltyBreakString: 10 PenaltyExcessCharacter: 2 PenaltyReturnTypeOnItsOwnLine: 60 PointerAlignment: Right ReflowComments: false SortIncludes: true SortUsingDeclarations: false SpaceAfterCStyleCast: false SpaceAfterTemplateKeyword: true SpaceBeforeAssignmentOperators: true SpaceBeforeCtorInitializerColon: true SpaceBeforeInheritanceColon: true SpaceBeforeParens: ControlStatementsExceptForEachMacros SpaceBeforeRangeBasedForLoopColon: true SpaceInEmptyParentheses: false SpacesBeforeTrailingComments: 1 SpacesInAngles: false SpacesInContainerLiterals: false SpacesInCStyleCastParentheses: false SpacesInParentheses: false SpacesInSquareBrackets: false TabWidth: 8 UseTab: Always ... golang-github-msteinert-pam-2.0.0/.github/000077500000000000000000000000001462341240500203645ustar00rootroot00000000000000golang-github-msteinert-pam-2.0.0/.github/workflows/000077500000000000000000000000001462341240500224215ustar00rootroot00000000000000golang-github-msteinert-pam-2.0.0/.github/workflows/lint.yaml000066400000000000000000000007111462341240500242520ustar00rootroot00000000000000on: [push, pull_request] name: Lint permissions: contents: read jobs: golangci: name: lint runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: go-version: '1.21' cache: false - name: Install PAM run: sudo apt install -y libpam-dev - name: golangci-lint uses: golangci/golangci-lint-action@v3 with: version: v1.54 golang-github-msteinert-pam-2.0.0/.github/workflows/test.yaml000066400000000000000000000014101462341240500242600ustar00rootroot00000000000000on: [push, pull_request] name: Test jobs: test: strategy: matrix: go-version: [1.20.x, 1.21.x] os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: - name: Install Go uses: actions/setup-go@v4 with: go-version: ${{ matrix.go-version }} - name: Install PAM run: sudo apt install -y libpam-dev - name: Add a test user run: sudo useradd -d /tmp/test -p '$1$Qd8H95T5$RYSZQeoFbEB.gS19zS99A0' -s /bin/false test - name: Checkout code uses: actions/checkout@v4 - name: Test run: sudo go test -v -cover -coverprofile=coverage.out ./... - name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} golang-github-msteinert-pam-2.0.0/.gitignore000066400000000000000000000000151462341240500210100ustar00rootroot00000000000000coverage.out golang-github-msteinert-pam-2.0.0/.golangci.yaml000066400000000000000000000031521462341240500215520ustar00rootroot00000000000000# This is for linting. To run it, please use: # golangci-lint run ${MODULE}/... [--fix] linters: # linters to run in addition to default ones enable: - dupl - durationcheck - errname - errorlint - exportloopref - forbidigo - forcetypeassert - gci - godot - gofmt - gosec - misspell - nakedret - nolintlint - revive - thelper - tparallel - unconvert - unparam - whitespace run: timeout: 5m # Get all linter issues, even if duplicated issues: exclude-use-default: false max-issues-per-linter: 0 max-same-issues: 0 fix: false # we don’t want this in CI exclude: # EXC0001 errcheck: most errors are in defer calls, which are safe to ignore and idiomatic Go (would be good to only ignore defer ones though) - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv|w\.Stop). is not checked' # EXC0008 gosec: duplicated of errcheck - (G104|G307) # EXC0010 gosec: False positive is triggered by 'src, err := ioutil.ReadFile(filename)' - Potential file inclusion via variable # We want named parameters even if unused, as they help better document the function - unused-parameter # Sometimes it is more readable it do a `if err:=a(); err != nil` tha simpy `return a()` - if-return nolintlint: require-explanation: true require-specific: true linters-settings: # Forbid the usage of deprecated ioutil and debug prints forbidigo: forbid: - ioutil\. - ^print.*$ # Never have naked return ever nakedret: max-func-lines: 1 golang-github-msteinert-pam-2.0.0/.travis.yml000066400000000000000000000011421462341240500211330ustar00rootroot00000000000000language: go go: - 1.8.x - 1.9.x - tip before_install: - sudo apt-get update -qq - sudo apt-get install -qq --no-install-recommends libpam0g-dev - sudo useradd -d /tmp/test -p '$1$Qd8H95T5$RYSZQeoFbEB.gS19zS99A0' -s /bin/false test - go get github.com/axw/gocov/gocov - go get github.com/mattn/goveralls - go get golang.org/x/tools/cmd/cover script: - sudo GOROOT=$GOROOT GOPATH=$GOPATH $(which go) test -v -covermode=count -coverprofile=coverage.out . - if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then goveralls -coverprofile=coverage.out -service travis-ci -repotoken $REPO_TOKEN; fi golang-github-msteinert-pam-2.0.0/LICENSE000066400000000000000000000025011462341240500200270ustar00rootroot00000000000000Copyright 2011, krockot Copyright 2015, Michael Steinert All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. golang-github-msteinert-pam-2.0.0/README.md000066400000000000000000000016111462341240500203020ustar00rootroot00000000000000[![GoDoc](https://godoc.org/github.com/msteinert/pam?status.svg)](http://godoc.org/github.com/msteinert/pam) [![codecov](https://codecov.io/gh/msteinert/pam/graph/badge.svg?token=L1K3UTB065)](https://codecov.io/gh/msteinert/pam) [![Go Report Card](https://goreportcard.com/badge/github.com/msteinert/pam)](https://goreportcard.com/report/github.com/msteinert/pam) # Go PAM This is a Go wrapper for the PAM application API. ## Testing To run the full suite, the tests must be run as the root user. To setup your system for testing, create a user named "test" with the password "secret". For example: ``` $ sudo useradd test \ -d /tmp/test \ -p '$1$Qd8H95T5$RYSZQeoFbEB.gS19zS99A0' \ -s /bin/false ``` Then execute the tests: ``` $ sudo GOPATH=$GOPATH $(which go) test -v ``` [1]: http://godoc.org/github.com/msteinert/pam [2]: http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html golang-github-msteinert-pam-2.0.0/errors.go000066400000000000000000000101141462341240500206640ustar00rootroot00000000000000package pam /* #include */ import "C" // Error is the Type for PAM Return types type Error int // Pam Return types const ( // OpenErr indicates a dlopen() failure when dynamically loading a // service module. ErrOpen Error = C.PAM_OPEN_ERR // ErrSymbol indicates a symbol not found. ErrSymbol Error = C.PAM_SYMBOL_ERR // ErrService indicates a error in service module. ErrService Error = C.PAM_SERVICE_ERR // ErrSystem indicates a system error. ErrSystem Error = C.PAM_SYSTEM_ERR // ErrBuf indicates a memory buffer error. ErrBuf Error = C.PAM_BUF_ERR // ErrPermDenied indicates a permission denied. ErrPermDenied Error = C.PAM_PERM_DENIED // ErrAuth indicates a authentication failure. ErrAuth Error = C.PAM_AUTH_ERR // ErrCredInsufficient indicates a can not access authentication data due to // insufficient credentials. ErrCredInsufficient Error = C.PAM_CRED_INSUFFICIENT // ErrAuthinfoUnavail indicates that the underlying authentication service // can not retrieve authentication information. ErrAuthinfoUnavail Error = C.PAM_AUTHINFO_UNAVAIL // ErrUserUnknown indicates a user not known to the underlying authentication // module. ErrUserUnknown Error = C.PAM_USER_UNKNOWN // ErrMaxtries indicates that an authentication service has maintained a retry // count which has been reached. No further retries should be attempted. ErrMaxtries Error = C.PAM_MAXTRIES // ErrNewAuthtokReqd indicates a new authentication token required. This is // normally returned if the machine security policies require that the // password should be changed because the password is nil or it has aged. ErrNewAuthtokReqd Error = C.PAM_NEW_AUTHTOK_REQD // ErrAcctExpired indicates that an user account has expired. ErrAcctExpired Error = C.PAM_ACCT_EXPIRED // ErrSession indicates a can not make/remove an entry for the // specified session. ErrSession Error = C.PAM_SESSION_ERR // ErrCredUnavail indicates that an underlying authentication service can not // retrieve user credentials. ErrCredUnavail Error = C.PAM_CRED_UNAVAIL // ErrCredExpired indicates that an user credentials expired. ErrCredExpired Error = C.PAM_CRED_EXPIRED // ErrCred indicates a failure setting user credentials. ErrCred Error = C.PAM_CRED_ERR // ErrNoModuleData indicates a no module specific data is present. ErrNoModuleData Error = C.PAM_NO_MODULE_DATA // ErrConv indicates a conversation error. ErrConv Error = C.PAM_CONV_ERR // ErrAuthtokErr indicates an authentication token manipulation error. ErrAuthtok Error = C.PAM_AUTHTOK_ERR // ErrAuthtokRecoveryErr indicates an authentication information cannot // be recovered. ErrAuthtokRecovery Error = C.PAM_AUTHTOK_RECOVERY_ERR // ErrAuthtokLockBusy indicates am authentication token lock busy. ErrAuthtokLockBusy Error = C.PAM_AUTHTOK_LOCK_BUSY // ErrAuthtokDisableAging indicates an authentication token aging disabled. ErrAuthtokDisableAging Error = C.PAM_AUTHTOK_DISABLE_AGING // ErrTryAgain indicates a preliminary check by password service. ErrTryAgain Error = C.PAM_TRY_AGAIN // ErrIgnore indicates to ignore underlying account module regardless of // whether the control flag is required, optional, or sufficient. ErrIgnore Error = C.PAM_IGNORE // ErrAbort indicates a critical error (module fail now request). ErrAbort Error = C.PAM_ABORT // ErrAuthtokExpired indicates an user's authentication token has expired. ErrAuthtokExpired Error = C.PAM_AUTHTOK_EXPIRED // ErrModuleUnknown indicates a module is not known. ErrModuleUnknown Error = C.PAM_MODULE_UNKNOWN // ErrBadItem indicates a bad item passed to pam_*_item(). ErrBadItem Error = C.PAM_BAD_ITEM // ErrConvAgain indicates a conversation function is event driven and data // is not available yet. ErrConvAgain Error = C.PAM_CONV_AGAIN // ErrIncomplete indicates to please call this function again to complete // authentication stack. Before calling again, verify that conversation // is completed. ErrIncomplete Error = C.PAM_INCOMPLETE ) // Error returns the error message for the given status. func (status Error) Error() string { return C.GoString(C.pam_strerror(nil, C.int(status))) } golang-github-msteinert-pam-2.0.0/example_test.go000066400000000000000000000023561462341240500220530ustar00rootroot00000000000000package pam_test import ( "bufio" "errors" "fmt" "os" "github.com/msteinert/pam/v2" "golang.org/x/term" ) // This example uses the default PAM service to authenticate any users. This // should cause PAM to ask its conversation handler for a username and password // in sequence. func Example() { t, err := pam.StartFunc("passwd", "", func(s pam.Style, msg string) (string, error) { switch s { case pam.PromptEchoOff: fmt.Print(msg) pw, err := term.ReadPassword(int(os.Stdin.Fd())) if err != nil { return "", err } fmt.Println() return string(pw), nil case pam.PromptEchoOn: fmt.Print(msg) s := bufio.NewScanner(os.Stdin) s.Scan() return s.Text(), nil case pam.ErrorMsg: fmt.Fprintf(os.Stderr, "%s\n", msg) return "", nil case pam.TextInfo: fmt.Println(msg) return "", nil default: return "", errors.New("unrecognized message style") } }) if err != nil { fmt.Fprintf(os.Stderr, "start: %v\n", err) os.Exit(1) } defer func() { err := t.End() if err != nil { fmt.Fprintf(os.Stderr, "end: %v\n", err) os.Exit(1) } }() err = t.Authenticate(0) if err != nil { fmt.Fprintf(os.Stderr, "authenticate: %v\n", err) os.Exit(1) } fmt.Println("authentication succeeded!") } golang-github-msteinert-pam-2.0.0/go.mod000066400000000000000000000001731462341240500201330ustar00rootroot00000000000000module github.com/msteinert/pam/v2 go 1.20 require golang.org/x/term v0.6.0 require golang.org/x/sys v0.6.0 // indirect golang-github-msteinert-pam-2.0.0/go.sum000066400000000000000000000004601462341240500201570ustar00rootroot00000000000000golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang-github-msteinert-pam-2.0.0/test-services/000077500000000000000000000000001462341240500216245ustar00rootroot00000000000000golang-github-msteinert-pam-2.0.0/test-services/deny-service000066400000000000000000000001361462341240500241440ustar00rootroot00000000000000# Custom stack to deny permit, independent of the user name/pass auth requisite pam_deny.so golang-github-msteinert-pam-2.0.0/test-services/echo-service000066400000000000000000000002471462341240500241260ustar00rootroot00000000000000# Custom stack to always permit, independent of the user name/pass auth optional pam_echo.so This is an info message for user %u on %s auth required pam_permit.so golang-github-msteinert-pam-2.0.0/test-services/permit-service000066400000000000000000000001411462341240500245010ustar00rootroot00000000000000# Custom stack to always permit, independent of the user name/pass auth required pam_permit.so golang-github-msteinert-pam-2.0.0/test-services/succeed-if-user-test000066400000000000000000000001641462341240500255100ustar00rootroot00000000000000# Custom stack to deny permit, independent of the user name/pass auth requisite pam_succeed_if.so user = testuser golang-github-msteinert-pam-2.0.0/transaction.c000066400000000000000000000027231462341240500215210ustar00rootroot00000000000000#include "_cgo_export.h" #include #include #include #ifdef __sun #define PAM_CONST #else #define PAM_CONST const #endif int cb_pam_conv(int num_msg, PAM_CONST struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) { if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) return PAM_CONV_ERR; *resp = calloc(num_msg, sizeof **resp); if (!*resp) return PAM_BUF_ERR; for (size_t i = 0; i < num_msg; ++i) { struct cbPAMConv_return result = cbPAMConv(msg[i]->msg_style, (char *)msg[i]->msg, (uintptr_t)appdata_ptr); if (result.r1 != PAM_SUCCESS) goto error; (*resp)[i].resp = result.r0; } return PAM_SUCCESS; error: for (size_t i = 0; i < num_msg; ++i) { if ((*resp)[i].resp) { memset((*resp)[i].resp, 0, strlen((*resp)[i].resp)); free((*resp)[i].resp); } } memset(*resp, 0, num_msg * sizeof *resp); free(*resp); *resp = NULL; return PAM_CONV_ERR; } void init_pam_conv(struct pam_conv *conv, uintptr_t appdata) { conv->conv = cb_pam_conv; conv->appdata_ptr = (void *)appdata; } // pam_start_confdir is a recent PAM api to declare a confdir (mostly for // tests) weaken the linking dependency to detect if it’s present. int pam_start_confdir(const char *service_name, const char *user, const struct pam_conv *pam_conversation, const char *confdir, pam_handle_t **pamh) __attribute__((weak)); int check_pam_start_confdir(void) { if (pam_start_confdir == NULL) return 1; return 0; } golang-github-msteinert-pam-2.0.0/transaction.go000066400000000000000000000321671462341240500217110ustar00rootroot00000000000000// Package pam provides a wrapper for the PAM application API. package pam //#cgo CFLAGS: -Wall -std=c99 //#cgo LDFLAGS: -lpam // //#include //#include //#include // //#ifdef PAM_BINARY_PROMPT //#define BINARY_PROMPT_IS_SUPPORTED 1 //#else //#include //#define PAM_BINARY_PROMPT INT_MAX //#define BINARY_PROMPT_IS_SUPPORTED 0 //#endif // //void init_pam_conv(struct pam_conv *conv, uintptr_t); //int pam_start_confdir(const char *service_name, const char *user, const struct pam_conv *pam_conversation, const char *confdir, pam_handle_t **pamh) __attribute__ ((weak)); //int check_pam_start_confdir(void); import "C" import ( "fmt" "runtime/cgo" "strings" "sync/atomic" "unsafe" ) // success indicates a successful function return. const success = C.PAM_SUCCESS // Style is the type of message that the conversation handler should display. type Style int // Coversation handler style types. const ( // PromptEchoOff indicates the conversation handler should obtain a // string without echoing any text. PromptEchoOff Style = C.PAM_PROMPT_ECHO_OFF // PromptEchoOn indicates the conversation handler should obtain a // string while echoing text. PromptEchoOn Style = C.PAM_PROMPT_ECHO_ON // ErrorMsg indicates the conversation handler should display an // error message. ErrorMsg Style = C.PAM_ERROR_MSG // TextInfo indicates the conversation handler should display some // text. TextInfo Style = C.PAM_TEXT_INFO // BinaryPrompt indicates the conversation handler that should implement // the private binary protocol BinaryPrompt Style = C.PAM_BINARY_PROMPT ) // ConversationHandler is an interface for objects that can be used as // conversation callbacks during PAM authentication. type ConversationHandler interface { // RespondPAM receives a message style and a message string. If the // message Style is PromptEchoOff or PromptEchoOn then the function // should return a response string. RespondPAM(Style, string) (string, error) } // BinaryPointer exposes the type used for the data in a binary conversation // it represents a pointer to data that is produced by the module and that // must be parsed depending on the protocol in use type BinaryPointer unsafe.Pointer // BinaryConversationHandler is an interface for objects that can be used as // conversation callbacks during PAM authentication if binary protocol is going // to be supported. type BinaryConversationHandler interface { ConversationHandler // RespondPAMBinary receives a pointer to the binary message. It's up to // the receiver to parse it according to the protocol specifications. // The function can return a byte array that will passed as pointer back // to the module. RespondPAMBinary(BinaryPointer) ([]byte, error) } // ConversationFunc is an adapter to allow the use of ordinary functions as // conversation callbacks. type ConversationFunc func(Style, string) (string, error) // RespondPAM is a conversation callback adapter. func (f ConversationFunc) RespondPAM(s Style, msg string) (string, error) { return f(s, msg) } // cbPAMConv is a wrapper for the conversation callback function. // //export cbPAMConv func cbPAMConv(s C.int, msg *C.char, c C.uintptr_t) (*C.char, C.int) { var r string var err error v := cgo.Handle(c).Value() style := Style(s) var handler ConversationHandler switch cb := v.(type) { case BinaryConversationHandler: if style == BinaryPrompt { bytes, err := cb.RespondPAMBinary(BinaryPointer(msg)) if err != nil { return nil, C.int(ErrConv) } return (*C.char)(C.CBytes(bytes)), success } handler = cb case ConversationHandler: if style == BinaryPrompt { return nil, C.int(ErrConv) } handler = cb } if handler == nil { return nil, C.int(ErrConv) } r, err = handler.RespondPAM(style, C.GoString(msg)) if err != nil { return nil, C.int(ErrConv) } return C.CString(r), success } // Transaction is the application's handle for a PAM transaction. type Transaction struct { handle *C.pam_handle_t conv *C.struct_pam_conv lastStatus atomic.Int32 c cgo.Handle } // End cleans up the PAM handle and deletes the callback function. // It must be called when done with the transaction. func (t *Transaction) End() error { handle := atomic.SwapPointer((*unsafe.Pointer)(unsafe.Pointer(&t.handle)), nil) if handle == nil { return nil } defer t.c.Delete() return t.handlePamStatus(C.pam_end((*C.pam_handle_t)(handle), C.int(t.lastStatus.Load()))) } // Allows to call pam functions managing return status func (t *Transaction) handlePamStatus(cStatus C.int) error { t.lastStatus.Store(int32(cStatus)) if status := Error(cStatus); status != success { return status } return nil } // Start initiates a new PAM transaction. Service is treated identically to // how pam_start treats it internally. // // All application calls to PAM begin with Start*. The returned // transaction provides an interface to the remainder of the API. // // It's responsibility of the Transaction owner to release all the resources // allocated underneath by PAM by calling End() once done. // // It's not advised to End the transaction using a runtime.SetFinalizer unless // you're absolutely sure that your stack is multi-thread friendly (normally it // is not!) and using a LockOSThread/UnlockOSThread pair. func Start(service, user string, handler ConversationHandler) (*Transaction, error) { return start(service, user, handler, "") } // StartFunc registers the handler func as a conversation handler and starts // the transaction (see Start() documentation). func StartFunc(service, user string, handler func(Style, string) (string, error)) (*Transaction, error) { return start(service, user, ConversationFunc(handler), "") } // StartConfDir initiates a new PAM transaction. Service is treated identically to // how pam_start treats it internally. // confdir allows to define where all pam services are defined. This is used to provide // custom paths for tests. // // All application calls to PAM begin with Start*. The returned // transaction provides an interface to the remainder of the API. // // It's responsibility of the Transaction owner to release all the resources // allocated underneath by PAM by calling End() once done. // // It's not advised to End the transaction using a runtime.SetFinalizer unless // you're absolutely sure that your stack is multi-thread friendly (normally it // is not!) and using a LockOSThread/UnlockOSThread pair. func StartConfDir(service, user string, handler ConversationHandler, confDir string) (*Transaction, error) { if !CheckPamHasStartConfdir() { return nil, fmt.Errorf( "%w: StartConfDir was used, but the pam version on the system is not recent enough", ErrSystem) } return start(service, user, handler, confDir) } func start(service, user string, handler ConversationHandler, confDir string) (*Transaction, error) { switch handler.(type) { case BinaryConversationHandler: if !CheckPamHasBinaryProtocol() { return nil, fmt.Errorf("%w: BinaryConversationHandler was used, but it is not supported by this platform", ErrSystem) } } t := &Transaction{ conv: &C.struct_pam_conv{}, c: cgo.NewHandle(handler), } C.init_pam_conv(t.conv, C.uintptr_t(t.c)) s := C.CString(service) defer C.free(unsafe.Pointer(s)) var u *C.char if len(user) != 0 { u = C.CString(user) defer C.free(unsafe.Pointer(u)) } var err error if confDir == "" { err = t.handlePamStatus(C.pam_start(s, u, t.conv, &t.handle)) } else { c := C.CString(confDir) defer C.free(unsafe.Pointer(c)) err = t.handlePamStatus(C.pam_start_confdir(s, u, t.conv, c, &t.handle)) } if err != nil { var _ = t.End() return nil, err } return t, nil } // Item is a an PAM information type. type Item int // PAM Item types. const ( // Service is the name which identifies the PAM stack. Service Item = C.PAM_SERVICE // User identifies the username identity used by a service. User Item = C.PAM_USER // Tty is the terminal name. Tty Item = C.PAM_TTY // Rhost is the requesting host name. Rhost Item = C.PAM_RHOST // Authtok is the currently active authentication token. Authtok Item = C.PAM_AUTHTOK // Oldauthtok is the old authentication token. Oldauthtok Item = C.PAM_OLDAUTHTOK // Ruser is the requesting user name. Ruser Item = C.PAM_RUSER // UserPrompt is the string use to prompt for a username. UserPrompt Item = C.PAM_USER_PROMPT // FailDelay is the app supplied function to override failure delays. FailDelay Item = C.PAM_FAIL_DELAY // Xdisplay is the X display name Xdisplay Item = C.PAM_XDISPLAY // Xauthdata is the X server authentication data. Xauthdata Item = C.PAM_XAUTHDATA // AuthtokType is the type for pam_get_authtok AuthtokType Item = C.PAM_AUTHTOK_TYPE ) // SetItem sets a PAM information item. func (t *Transaction) SetItem(i Item, item string) error { cs := unsafe.Pointer(C.CString(item)) defer C.free(cs) return t.handlePamStatus(C.pam_set_item(t.handle, C.int(i), cs)) } // GetItem retrieves a PAM information item. func (t *Transaction) GetItem(i Item) (string, error) { var s unsafe.Pointer err := t.handlePamStatus(C.pam_get_item(t.handle, C.int(i), &s)) if err != nil { return "", err } return C.GoString((*C.char)(s)), nil } // Flags are inputs to various PAM functions than be combined with a bitwise // or. Refer to the official PAM documentation for which flags are accepted // by which functions. type Flags int // PAM Flag types. const ( // Silent indicates that no messages should be emitted. Silent Flags = C.PAM_SILENT // DisallowNullAuthtok indicates that authorization should fail // if the user does not have a registered authentication token. DisallowNullAuthtok Flags = C.PAM_DISALLOW_NULL_AUTHTOK // EstablishCred indicates that credentials should be established // for the user. EstablishCred Flags = C.PAM_ESTABLISH_CRED // DeleteCred indicates that credentials should be deleted. DeleteCred Flags = C.PAM_DELETE_CRED // ReinitializeCred indicates that credentials should be fully // reinitialized. ReinitializeCred Flags = C.PAM_REINITIALIZE_CRED // RefreshCred indicates that the lifetime of existing credentials // should be extended. RefreshCred Flags = C.PAM_REFRESH_CRED // ChangeExpiredAuthtok indicates that the authentication token // should be changed if it has expired. ChangeExpiredAuthtok Flags = C.PAM_CHANGE_EXPIRED_AUTHTOK ) // Authenticate is used to authenticate the user. // // Valid flags: Silent, DisallowNullAuthtok func (t *Transaction) Authenticate(f Flags) error { return t.handlePamStatus(C.pam_authenticate(t.handle, C.int(f))) } // SetCred is used to establish, maintain and delete the credentials of a // user. // // Valid flags: EstablishCred, DeleteCred, ReinitializeCred, RefreshCred func (t *Transaction) SetCred(f Flags) error { return t.handlePamStatus(C.pam_setcred(t.handle, C.int(f))) } // AcctMgmt is used to determine if the user's account is valid. // // Valid flags: Silent, DisallowNullAuthtok func (t *Transaction) AcctMgmt(f Flags) error { return t.handlePamStatus(C.pam_acct_mgmt(t.handle, C.int(f))) } // ChangeAuthTok is used to change the authentication token. // // Valid flags: Silent, ChangeExpiredAuthtok func (t *Transaction) ChangeAuthTok(f Flags) error { return t.handlePamStatus(C.pam_chauthtok(t.handle, C.int(f))) } // OpenSession sets up a user session for an authenticated user. // // Valid flags: Slient func (t *Transaction) OpenSession(f Flags) error { return t.handlePamStatus(C.pam_open_session(t.handle, C.int(f))) } // CloseSession closes a previously opened session. // // Valid flags: Silent func (t *Transaction) CloseSession(f Flags) error { return t.handlePamStatus(C.pam_close_session(t.handle, C.int(f))) } // PutEnv adds or changes the value of PAM environment variables. // // NAME=value will set a variable to a value. // NAME= will set a variable to an empty value. // NAME (without an "=") will delete a variable. func (t *Transaction) PutEnv(nameval string) error { cs := C.CString(nameval) defer C.free(unsafe.Pointer(cs)) return t.handlePamStatus(C.pam_putenv(t.handle, cs)) } // GetEnv is used to retrieve a PAM environment variable. func (t *Transaction) GetEnv(name string) string { cs := C.CString(name) defer C.free(unsafe.Pointer(cs)) value := C.pam_getenv(t.handle, cs) if value == nil { return "" } return C.GoString(value) } func next(p **C.char) **C.char { return (**C.char)(unsafe.Pointer(uintptr(unsafe.Pointer(p)) + unsafe.Sizeof(p))) } // GetEnvList returns a copy of the PAM environment as a map. func (t *Transaction) GetEnvList() (map[string]string, error) { env := make(map[string]string) p := C.pam_getenvlist(t.handle) if p == nil { t.lastStatus.Store(int32(ErrBuf)) return nil, ErrBuf } t.lastStatus.Store(success) for q := p; *q != nil; q = next(q) { chunks := strings.SplitN(C.GoString(*q), "=", 2) if len(chunks) == 2 { env[chunks[0]] = chunks[1] } C.free(unsafe.Pointer(*q)) } C.free(unsafe.Pointer(p)) return env, nil } // CheckPamHasStartConfdir return if pam on system supports pam_system_confdir func CheckPamHasStartConfdir() bool { return C.check_pam_start_confdir() == 0 } // CheckPamHasBinaryProtocol return if pam on system supports PAM_BINARY_PROMPT func CheckPamHasBinaryProtocol() bool { return C.BINARY_PROMPT_IS_SUPPORTED != 0 } golang-github-msteinert-pam-2.0.0/transaction_test.go000066400000000000000000000405661462341240500227520ustar00rootroot00000000000000package pam import ( "errors" "fmt" "os" "os/user" "path/filepath" "runtime" "sync/atomic" "testing" "time" "unsafe" ) func maybeEndTransaction(t *testing.T, tx *Transaction) { t.Helper() if tx == nil { return } err := tx.End() if err != nil { t.Fatalf("end #error: %v", err) } } func ensureTransactionEnds(t *testing.T, tx *Transaction) { t.Helper() runtime.SetFinalizer(tx, func(tx *Transaction) { // #nosec:G103 - the pointer conversion is checked. handle := atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&tx.handle))) if handle == nil { return } t.Fatalf("transaction has not been finalized") }) } func TestPAM_001(t *testing.T) { u, _ := user.Current() if u.Uid != "0" { t.Skip("run this test as root") } p := "secret" tx, err := StartFunc("", "test", func(s Style, msg string) (string, error) { return p, nil }) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } err = tx.Authenticate(0) if err != nil { t.Fatalf("authenticate #error: %v", err) } err = tx.AcctMgmt(Silent) if err != nil { t.Fatalf("acct_mgmt #error: %v", err) } err = tx.SetCred(Silent | EstablishCred) if err != nil { t.Fatalf("setcred #error: %v", err) } } func TestPAM_002(t *testing.T) { u, _ := user.Current() if u.Uid != "0" { t.Skip("run this test as root") } tx, err := StartFunc("", "", func(s Style, msg string) (string, error) { switch s { case PromptEchoOn: return "test", nil case PromptEchoOff: return "secret", nil } return "", errors.New("unexpected") }) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } err = tx.Authenticate(0) if err != nil { t.Fatalf("authenticate #error: %v", err) } } type Credentials struct { User string Password string } func (c Credentials) RespondPAM(s Style, msg string) (string, error) { switch s { case PromptEchoOn: return c.User, nil case PromptEchoOff: return c.Password, nil } return "", errors.New("unexpected") } func TestPAM_003(t *testing.T) { u, _ := user.Current() if u.Uid != "0" { t.Skip("run this test as root") } c := Credentials{ User: "test", Password: "secret", } tx, err := Start("", "", c) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } err = tx.Authenticate(0) if err != nil { t.Fatalf("authenticate #error: %v", err) } } func TestPAM_004(t *testing.T) { u, _ := user.Current() if u.Uid != "0" { t.Skip("run this test as root") } c := Credentials{ Password: "secret", } tx, err := Start("", "test", c) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } err = tx.Authenticate(0) if err != nil { t.Fatalf("authenticate #error: %v", err) } } func TestPAM_005(t *testing.T) { u, _ := user.Current() if u.Uid != "0" { t.Skip("run this test as root") } tx, err := StartFunc("passwd", "test", func(s Style, msg string) (string, error) { return "secret", nil }) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } service, err := tx.GetItem(Service) if err != nil { t.Fatalf("GetItem #error: %v", err) } if service != "passwd" { t.Fatalf("Unexpected service: %v", service) } err = tx.ChangeAuthTok(Silent) if err != nil { t.Fatalf("chauthtok #error: %v", err) } } func TestPAM_006(t *testing.T) { u, _ := user.Current() if u.Uid != "0" { t.Skip("run this test as root") } tx, err := StartFunc("passwd", u.Username, func(s Style, msg string) (string, error) { return "secret", nil }) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } err = tx.OpenSession(Silent) if err != nil { t.Fatalf("open_session #error: %v", err) } err = tx.CloseSession(Silent) if err != nil { t.Fatalf("close_session #error: %v", err) } } func TestPAM_007(t *testing.T) { u, _ := user.Current() if u.Uid != "0" { t.Skip("run this test as root") } tx, err := StartFunc("", "test", func(s Style, msg string) (string, error) { return "", errors.New("Sorry, it didn't work") }) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } err = tx.Authenticate(0) if err == nil { t.Fatalf("authenticate #expected an error") } s := err.Error() if len(s) == 0 { t.Fatalf("error #expected an error message") } if !errors.Is(err, ErrAuth) { t.Fatalf("error #unexpected error %v", err) } } func TestPAM_ConfDir(t *testing.T) { u, _ := user.Current() c := Credentials{ // the custom service always permits even with wrong password. Password: "wrongsecret", } tx, err := StartConfDir("permit-service", u.Username, c, "test-services") defer func() { if tx != nil { _ = tx.End() } }() if !CheckPamHasStartConfdir() { if err == nil { t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err) } // nothing else we do, we don't support it. return } service, err := tx.GetItem(Service) if err != nil { t.Fatalf("GetItem #error: %v", err) } if service != "permit-service" { t.Fatalf("Unexpected service: %v", service) } if err != nil { t.Fatalf("start #error: %v", err) } err = tx.Authenticate(0) if err != nil { t.Fatalf("authenticate #error: %v", err) } } func TestPAM_ConfDir_FailNoServiceOrUnsupported(t *testing.T) { if !CheckPamHasStartConfdir() { t.Skip("this requires PAM with Conf dir support") } u, _ := user.Current() c := Credentials{ Password: "secret", } tx, err := StartConfDir("does-not-exists", u.Username, c, ".") if err == nil { t.Fatalf("authenticate #expected an error") } if tx != nil { t.Fatalf("authenticate #unexpected transaction") } s := err.Error() if len(s) == 0 { t.Fatalf("error #expected an error message") } var pamErr Error if !errors.As(err, &pamErr) { t.Fatalf("error #unexpected type: %#v", err) } if pamErr != ErrAbort { t.Fatalf("error #unexpected status: %v", pamErr) } } func TestPAM_ConfDir_InfoMessage(t *testing.T) { u, _ := user.Current() var infoText string tx, err := StartConfDir("echo-service", u.Username, ConversationFunc(func(s Style, msg string) (string, error) { switch s { case TextInfo: infoText = msg return "", nil } return "", errors.New("unexpected") }), "test-services") ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } service, err := tx.GetItem(Service) if err != nil { t.Fatalf("GetItem #error: %v", err) } if service != "echo-service" { t.Fatalf("Unexpected service: %v", service) } err = tx.Authenticate(0) if err != nil { t.Fatalf("authenticate #error: %v", err) } if infoText != "This is an info message for user "+u.Username+" on echo-service" { t.Fatalf("Unexpected info message: %v", infoText) } } func TestPAM_ConfDir_Deny(t *testing.T) { if !CheckPamHasStartConfdir() { t.Skip("this requires PAM with Conf dir support") } u, _ := user.Current() tx, err := StartConfDir("deny-service", u.Username, Credentials{}, "test-services") ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } service, err := tx.GetItem(Service) if err != nil { t.Fatalf("GetItem #error: %v", err) } if service != "deny-service" { t.Fatalf("Unexpected service: %v", service) } err = tx.Authenticate(0) if err == nil { t.Fatalf("authenticate #expected an error") } s := err.Error() if len(s) == 0 { t.Fatalf("error #expected an error message") } if !errors.Is(err, ErrAuth) { t.Fatalf("error #unexpected error %v", err) } } func TestPAM_ConfDir_PromptForUserName(t *testing.T) { c := Credentials{ User: "testuser", // the custom service only cares about correct user name. Password: "wrongsecret", } tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services") ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if !CheckPamHasStartConfdir() { if err == nil { t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err) } // nothing else we do, we don't support it. return } if err != nil { t.Fatalf("start #error: %v", err) } err = tx.Authenticate(0) if err != nil { t.Fatalf("authenticate #error: %v", err) } } func TestPAM_ConfDir_WrongUserName(t *testing.T) { c := Credentials{ User: "wronguser", Password: "wrongsecret", } tx, err := StartConfDir("succeed-if-user-test", "", c, "test-services") ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if !CheckPamHasStartConfdir() { if err == nil { t.Fatalf("start should have errored out as pam_start_confdir is not available: %v", err) } // nothing else we do, we don't support it. return } err = tx.Authenticate(0) if err == nil { t.Fatalf("authenticate #expected an error") } s := err.Error() if len(s) == 0 { t.Fatalf("error #expected an error message") } if !errors.Is(err, ErrAuth) { t.Fatalf("error #unexpected error %v", err) } } func TestItem(t *testing.T) { tx, err := StartFunc("passwd", "test", func(s Style, msg string) (string, error) { return "", nil }) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } s, err := tx.GetItem(Service) if err != nil { t.Fatalf("getitem #error: %v", err) } if s != "passwd" { t.Fatalf("getitem #error: expected passwd, got %v", s) } s, err = tx.GetItem(User) if err != nil { t.Fatalf("getitem #error: %v", err) } if s != "test" { t.Fatalf("getitem #error: expected test, got %v", s) } err = tx.SetItem(User, "root") if err != nil { t.Fatalf("setitem #error: %v", err) } s, err = tx.GetItem(User) if err != nil { t.Fatalf("getitem #error: %v", err) } if s != "root" { t.Fatalf("getitem #error: expected root, got %v", s) } } func TestEnv(t *testing.T) { tx, err := StartFunc("", "", func(s Style, msg string) (string, error) { return "", nil }) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } m, err := tx.GetEnvList() if err != nil { t.Fatalf("getenvlist #error: %v", err) } n := len(m) if n != 0 { t.Fatalf("putenv #error: expected 0 items, got %v", n) } vals := []string{ "VAL1=1", "VAL2=2", "VAL3=3", } for _, s := range vals { err = tx.PutEnv(s) if err != nil { t.Fatalf("putenv #error: %v", err) } } s := tx.GetEnv("VAL0") if s != "" { t.Fatalf("getenv #error: expected \"\", got %v", s) } s = tx.GetEnv("VAL1") if s != "1" { t.Fatalf("getenv #error: expected 1, got %v", s) } s = tx.GetEnv("VAL2") if s != "2" { t.Fatalf("getenv #error: expected 2, got %v", s) } s = tx.GetEnv("VAL3") if s != "3" { t.Fatalf("getenv #error: expected 3, got %v", s) } m, err = tx.GetEnvList() if err != nil { t.Fatalf("getenvlist #error: %v", err) } n = len(m) if n != 3 { t.Fatalf("getenvlist #error: expected 3 items, got %v", n) } if m["VAL1"] != "1" { t.Fatalf("getenvlist #error: expected 1, got %v", m["VAL1"]) } if m["VAL2"] != "2" { t.Fatalf("getenvlist #error: expected 2, got %v", m["VAL1"]) } if m["VAL3"] != "3" { t.Fatalf("getenvlist #error: expected 3, got %v", m["VAL1"]) } } func Test_Error(t *testing.T) { t.Parallel() if !CheckPamHasStartConfdir() { t.Skip("this requires PAM with Conf dir support") } statuses := map[string]error{ "success": nil, "open_err": ErrOpen, "symbol_err": ErrSymbol, "service_err": ErrService, "system_err": ErrSystem, "buf_err": ErrBuf, "perm_denied": ErrPermDenied, "auth_err": ErrAuth, "cred_insufficient": ErrCredInsufficient, "authinfo_unavail": ErrAuthinfoUnavail, "user_unknown": ErrUserUnknown, "maxtries": ErrMaxtries, "new_authtok_reqd": ErrNewAuthtokReqd, "acct_expired": ErrAcctExpired, "session_err": ErrSession, "cred_unavail": ErrCredUnavail, "cred_expired": ErrCredExpired, "cred_err": ErrCred, "no_module_data": ErrNoModuleData, "conv_err": ErrConv, "authtok_err": ErrAuthtok, "authtok_recover_err": ErrAuthtokRecovery, "authtok_lock_busy": ErrAuthtokLockBusy, "authtok_disable_aging": ErrAuthtokDisableAging, "try_again": ErrTryAgain, "ignore": nil, /* Ignore can't be returned */ "abort": ErrAbort, "authtok_expired": ErrAuthtokExpired, "module_unknown": ErrModuleUnknown, "bad_item": ErrBadItem, "conv_again": ErrConvAgain, "incomplete": ErrIncomplete, } type Action int const ( account Action = iota + 1 auth password session ) actions := map[string]Action{ "account": account, "auth": auth, "password": password, "session": session, } c := Credentials{} servicePath := t.TempDir() for ret, expected := range statuses { ret := ret expected := expected for actionName, action := range actions { actionName := actionName action := action t.Run(fmt.Sprintf("%s %s", ret, actionName), func(t *testing.T) { t.Parallel() serviceName := ret + "-" + actionName serviceFile := filepath.Join(servicePath, serviceName) contents := fmt.Sprintf("%[1]s requisite pam_debug.so "+ "auth=%[2]s cred=%[2]s acct=%[2]s prechauthtok=%[2]s "+ "chauthtok=%[2]s open_session=%[2]s close_session=%[2]s\n"+ "%[1]s requisite pam_permit.so\n", actionName, ret) if err := os.WriteFile(serviceFile, []byte(contents), 0600); err != nil { t.Fatalf("can't create service file %v: %v", serviceFile, err) } tx, err := StartConfDir(serviceName, "user", c, servicePath) ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } switch action { case account: err = tx.AcctMgmt(0) case auth: err = tx.Authenticate(0) case password: err = tx.ChangeAuthTok(0) case session: err = tx.OpenSession(0) } if !errors.Is(err, expected) { t.Fatalf("error #unexpected status %#v vs %#v", err, expected) } if err != nil { var status Error if !errors.As(err, &status) || err.Error() != status.Error() { t.Fatalf("error #unexpected status %#v vs %#v", err.Error(), status.Error()) } } }) } } } func Test_Finalizer(t *testing.T) { if !CheckPamHasStartConfdir() { t.Skip("this requires PAM with Conf dir support") } func() { tx, err := StartConfDir("permit-service", "", nil, "test-services") ensureTransactionEnds(t, tx) defer maybeEndTransaction(t, tx) if err != nil { t.Fatalf("start #error: %v", err) } }() runtime.GC() // sleep to switch to finalizer goroutine time.Sleep(5 * time.Millisecond) } func TestFailure_001(t *testing.T) { tx := Transaction{} _, err := tx.GetEnvList() if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_002(t *testing.T) { tx := Transaction{} err := tx.PutEnv("") if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_003(t *testing.T) { tx := Transaction{} err := tx.CloseSession(0) if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_004(t *testing.T) { tx := Transaction{} err := tx.OpenSession(0) if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_005(t *testing.T) { tx := Transaction{} err := tx.ChangeAuthTok(0) if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_006(t *testing.T) { tx := Transaction{} err := tx.AcctMgmt(0) if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_007(t *testing.T) { tx := Transaction{} err := tx.SetCred(0) if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_008(t *testing.T) { tx := Transaction{} err := tx.SetItem(User, "test") if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_009(t *testing.T) { tx := Transaction{} _, err := tx.GetItem(User) if err == nil { t.Fatalf("getenvlist #expected an error") } } func TestFailure_010(t *testing.T) { tx := Transaction{} err := tx.End() if err != nil { t.Fatalf("end #unexpected error %v", err) } }