Fix test issues

ComplianceAsCode · Jan 14, 2025 · 2a15dc8 · 2a15dc8
1 parent c1b0b0a
commit 2a15dc8
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 5 deletions.
diff --git a/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
@@ -10,14 +10,33 @@
   </definition>
 
   <ind:textfilecontent54_test id="test_password_pam_unix_use_authtok" version="1"
-    check="all" check_existence="at_least_one_exists"
+    check="all" check_existence="any_exist"
     comment="use_authtok is configured in pam unix in common_password file">
     <ind:object object_ref="obj_test_use_authtok" />
+    <ind:state state_ref="ste_test_use_authtok" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_test_use_authtok" version="1">
+    <set>
+      <object_reference>obj_test_use_authtok_password_lines_except_first</object_reference>
+      <filter action="include">ste_test_use_authtok_pam_unix_lines</filter>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="ste_test_use_authtok" version="1">
+      <ind:subexpression operation="pattern match">^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+[^#\n\r]+use_authtok.*$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <!-- Get all password lines except the first line. This is to avoid matching a pam_unix
+  line on the top of the stack, which does not need use_authtok to pass -->
+  <ind:textfilecontent54_object id="obj_test_use_authtok_password_lines_except_first" version="1">
     <ind:filepath>{{{ accounts_password_pam_unix_file }}}</ind:filepath>
-    <ind:pattern operation="pattern match">^[ \t]*password[ \t]+([^\n\r]+)[\n\r]+[ \t]*password[ \t]+([^#\n\r]+)[ \t]+pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok.*$</ind:pattern>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
+    <ind:pattern operation="pattern match">^[ \t]*password[ \t]+(.+)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">2</ind:instance>
   </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="ste_test_use_authtok_pam_unix_lines" version="1">
+      <ind:subexpression operation="pattern match">^[^#\n\r]+[ \t]+pam_unix\.so.*$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
 </def-group>
diff --git a/...m/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh b/...m/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+# remove all pam-auth-update configs which update the
+# primary password block and create a config with well defined
+# high priority to ensure correct stacking of our module
+grep -il "Password-Type: Primary" /usr/share/pam-configs/* | grep -v "/unix$" | xargs rm -f
+
+cat << EOF > /usr/share/pam-configs/cac_test_echo
+Name: Echo
+Default: yes
+Priority: 10000
+Password-Type: Primary
+Password:
+        password optional pam_echo.so
+Password-Initial:
+        password optional pam_echo.so
+EOF
diff --git a/...sword_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh b/...sword_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1024
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt 
+        [success=end default=ignore]    pam_unix.so obscure try_first_pass yescrypt 
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt 
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/...word_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh b/...word_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1024
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure try_first_pass yescrypt 
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt 
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt 
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/...t_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh b/...t_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh
@@ -1,12 +1,17 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
+source ubuntu_common.sh
+
 config_file=/usr/share/pam-configs/tmpunix
 
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
 cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
-Priority: 0
+Priority: 1024
+Conflicts: unix
 Auth-Type: Primary
 Auth:
         [success=end default=ignore]    pam_unix.so try_first_pass

diff --git a/...t_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/...t_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh
@@ -1,12 +1,17 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
+source ubuntu_common.sh
+
 config_file=/usr/share/pam-configs/tmpunix
 
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
 cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 1024
+Conflicts: unix
 Auth-Type: Primary
 Auth:
         [success=end default=ignore]    pam_unix.so try_first_pass
@@ -29,5 +34,5 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure yescrypt 
 EOF
 
-DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable tmpunix
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 rm "$config_file"
diff --git a/...rd_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh b/...rd_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# higher priority to ensure the config is above the cac_test_echo
+# on the stack, thus using the "Password-Initial:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1000000
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure try_first_pass yescrypt 
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt 
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"