@@ -63,7 +63,7 @@ int impl::authenticate (const pam_request &request)

     auto requester_user_name = sessions_.user_name (request);

     int auth_result = validator_.validate (requester_user_name, input.user_name,

-                                           input.token) ? PAM_SUCCESS : PAM_AUTH_ERR;

+                                           input.token, input.reason) ? PAM_SUCCESS : PAM_AUTH_ERR;

     logger_.log (auth_result, requester_user_name, input.user_name,

                  input.token);

@@ -116,12 +116,13 @@ private:

     std::string requester_;

     std::string authorizer_;

     std::string token_;

+    std::string reason_;

 public:

     fake_validator (const std::string &requester, const std::string &authorizer,

-                    const std::string &token): requester_ (requester), authorizer_ (authorizer),

-        token_ (token) {}

+                    const std::string &token, const std::string &reason): requester_ (requester), authorizer_ (authorizer),

+        token_ (token), reason_(reason) {}

     bool validate (const std::string &requester, const std::string &authorizer,

-                   const std::string &token)

+                   const std::string &token, const std::string &reason)

     {

         return requester_ == requester && authorizer_ == authorizer

                && token_ == token;

@@ -155,8 +156,9 @@ int authenticate_validates_with_received_token()

     std::string requester ("requester");

     std::string authorizer ("authorizer");

     std::string token ("token");

+    std::string reason("reason");

     use_validator (configuration, new fake_validator (requester, authorizer,

-                   token));

+                   token, reason));

     use_conversation (configuration, new fake_conversation (authorizer, token));

     use_sessions (configuration, new fake_sessions (requester));

     dual_control dc (dual_control::create (configuration));

@@ -177,7 +179,7 @@ int authenticate_fails_with_wrong_user()

     dual_control_configuration configuration;

     std::string token ("token");

     use_validator (configuration, new fake_validator ("requester", "user",

-                   token));

+                   token, "reason"));

     use_conversation (configuration, new fake_conversation ("wrong user",

                       token));

     dual_control dc (dual_control::create (configuration));

@@ -197,7 +199,7 @@ int authenticate_fails_with_wrong_token()

     std::string requester ("requester");

     std::string authorizer ("authorizer");

     use_validator (configuration, new fake_validator (requester, authorizer,

-                   "token"));

+                   "token", "reason"));

     use_conversation (configuration, new fake_conversation (authorizer,

                       "wrong token"));

     dual_control dc (dual_control::create (configuration));

@@ -217,8 +219,9 @@ int logs_authentication()

     std::string requester ("requester");

     std::string authorizer ("authorizer");

     std::string token ("token");

+    std::string reason("reason");

     use_validator (configuration, new fake_validator (requester, authorizer,

-                   token));

+                   token, reason));

     use_conversation (configuration, new fake_conversation (authorizer, token));

     use_sessions (configuration, new fake_sessions (requester));

     mock_logger *test_logger;

@@ -247,8 +250,9 @@ int logs_authentication_failure()

     std::string requester ("requester");

     std::string authorizer ("authorizer");

     std::string token ("token");

+    std::string reason ("reason");

     use_validator (configuration, new fake_validator (requester, authorizer,

-                   "not the received token"));

+                   "not the received token", reason));

     use_conversation (configuration, new fake_conversation (authorizer, token));

     use_sessions (configuration, new fake_sessions (requester));

     mock_logger *test_logger;

@@ -28,10 +28,14 @@ public:

         tokens_ (tokens) {}

     bool validate (const std::string &requester_user_name,

                    const std::string &authorizer_user_name,

-                   const std::string &token) override

+                   const std::string &token, const std::string &reason) override

     {

         std::vector<user> found_user = directory_.find_user (authorizer_user_name);

+        if (reason.empty()) {

+            return false;

+        }

+

         if (requester_user_name.empty()) {

             return false;

         }

@@ -24,7 +24,8 @@ public:

     virtual ~validator_ifc() {}

     virtual bool validate (const std::string &requester_user_name,

                            const std::string &authorizer_user_name,

-                           const std::string &authorizer_token)

+                           const std::string &authorizer_token,

+                           const std::string &reason)

     {

         return false;

     }

@@ -41,10 +42,11 @@ public:

                                  (new validator_ifc)) {}

     bool validate (const std::string &requester_user_name,

                    const std::string &authorizer_user_name,

-                   const std::string &authorizer_token)

+                   const std::string &authorizer_token,

+                   const std::string &reason)

     {

         return delegate_->validate (requester_user_name, authorizer_user_name,

-                                    authorizer_token);

+                                    authorizer_token, reason);

     }

     static validator create (const directory &directory,

                              const tokens &token_supplier);

@@ -70,7 +70,7 @@ bool validator_validates()

     validator validator = validator::create (directory, tokens);

     // when

-    bool actual = validator.validate ("requester", user_name, token);

+    bool actual = validator.validate ("requester", user_name, token, "reason");

     // then

     check (actual, "should be valid");

@@ -88,7 +88,7 @@ bool validator_fails_unknown_user()

     validator validator = validator::create (directory, tokens);

     // when

-    bool actual = validator.validate ("requester", "notuser", token);

+    bool actual = validator.validate ("requester", "notuser", token, "reason");

     // then

     check (!actual, "should not be valid");

@@ -106,7 +106,7 @@ bool validator_fails_incorrect_token()

     validator validator = validator::create (directory, tokens);

     // when

-    bool actual = validator.validate ("requester", user_name, "token");

+    bool actual = validator.validate ("requester", user_name, "token", "reason");

     // then

     check (!actual, "should not be valid");

@@ -126,7 +126,7 @@ bool validator_fails_with_own_token()

     // when

     bool actual = validator.validate (requester_user_name, authorizer_user_name,

-                                      authorizer_token);

+                                      authorizer_token, "reason");

     // then

     check (!actual, "should not be valid");

@@ -147,12 +147,31 @@ bool validator_fails_with_unknown_requester()

     // when

     bool actual = validator.validate (requester_user_name, authorizer_user_name,

-                                      authorizer_token);

+                                      authorizer_token, "reason");

     // then

     check (!actual, "should not be valid");

     succeed();

+}

+

+bool validator_fails_on_empty_reason() {

+    //given

+    std::string requester_user_name ("");

+    std::string authorizer_user_name ("authorizer");

+    std::string authorizer_token ("token");

+    std::string reason;

+    directory directory (share (new fake_directory (authorizer_user_name)));

+    tokens tokens (share (new

+                          fake_tokens (authorizer_token)));

+    validator validator = validator::create (directory, tokens);

+    //when

+    bool actual = validator.validate (requester_user_name, authorizer_user_name,

+                                      authorizer_token, reason);

+

+    //then

+    check(!actual, "should not be valid");

+    succeed();

 }

 bool run_tests()

@@ -162,6 +181,7 @@ bool run_tests()

     test (validator_fails_incorrect_token);

     test (validator_fails_with_own_token);

     test (validator_fails_with_unknown_requester);

+    test (validator_fails_on_empty_reason);

     succeed();

 }