Browse code
checks requester user name
Greg Wiley authored on 02/05/2017 17:41:40Showing 4 changed files
| ... | ... |
@@ -57,7 +57,7 @@ int impl::authenticate (const pam_request &request) |
| 57 | 57 |
{
|
| 58 | 58 |
conversation_result input (conversation_.initiate (request)); |
| 59 | 59 |
|
| 60 |
- int auth_result = validator_.validate (input.user_name, |
|
| 60 |
+ int auth_result = validator_.validate ("", input.user_name,
|
|
| 61 | 61 |
input.token) ? PAM_SUCCESS : PAM_AUTH_ERR; |
| 62 | 62 |
|
| 63 | 63 |
logger_.log (auth_result, input.user_name, input.token); |
| ... | ... |
@@ -26,10 +26,15 @@ public: |
| 26 | 26 |
const user_token_supplier user_token_supplier) : |
| 27 | 27 |
directory_ (directory), |
| 28 | 28 |
user_token_supplier_ (user_token_supplier) {}
|
| 29 |
- bool validate (const std::string &user_name, |
|
| 29 |
+ bool validate (const std::string &requester_user_name, |
|
| 30 |
+ const std::string &authorizer_user_name, |
|
| 30 | 31 |
const std::string &token) |
| 31 | 32 |
{
|
| 32 |
- std::vector<user> found_user = directory_.find_user (user_name); |
|
| 33 |
+ std::vector<user> found_user = directory_.find_user (authorizer_user_name); |
|
| 34 |
+ |
|
| 35 |
+ if (requester_user_name == authorizer_user_name) {
|
|
| 36 |
+ return false; |
|
| 37 |
+ } |
|
| 33 | 38 |
|
| 34 | 39 |
if (found_user.empty()) {
|
| 35 | 40 |
return false; |
| ... | ... |
@@ -22,8 +22,9 @@ class validator_ifc |
| 22 | 22 |
{
|
| 23 | 23 |
public: |
| 24 | 24 |
virtual ~validator_ifc() {}
|
| 25 |
- virtual bool validate (const std::string &user_name, |
|
| 26 |
- const std::string &token) |
|
| 25 |
+ virtual bool validate (const std::string &requester_user_name, |
|
| 26 |
+ const std::string &authorizer_user_name, |
|
| 27 |
+ const std::string &authorizer_token) |
|
| 27 | 28 |
{
|
| 28 | 29 |
return false; |
| 29 | 30 |
} |
| ... | ... |
@@ -38,9 +39,9 @@ public: |
| 38 | 39 |
(delegate) {}
|
| 39 | 40 |
validator() : validator (std::shared_ptr<validator_ifc> |
| 40 | 41 |
(new validator_ifc)) {}
|
| 41 |
- bool validate (const std::string &user_name, const std::string &token) |
|
| 42 |
+ bool validate (const std::string &requester_user_name, const std::string &authorizer_user_name, const std::string &authorizer_token) |
|
| 42 | 43 |
{
|
| 43 |
- return delegate_->validate (user_name, token); |
|
| 44 |
+ return delegate_->validate (requester_user_name, authorizer_user_name, authorizer_token); |
|
| 44 | 45 |
} |
| 45 | 46 |
static validator create (const directory &directory, |
| 46 | 47 |
const user_token_supplier &token_supplier); |
| ... | ... |
@@ -70,7 +70,7 @@ bool validator_validates() |
| 70 | 70 |
validator validator = validator::create (directory, user_token_supplier); |
| 71 | 71 |
|
| 72 | 72 |
// when |
| 73 |
- bool actual = validator.validate (user_name, token); |
|
| 73 |
+ bool actual = validator.validate ("requester", user_name, token);
|
|
| 74 | 74 |
|
| 75 | 75 |
// then |
| 76 | 76 |
check (actual, "should be valid"); |
| ... | ... |
@@ -88,7 +88,7 @@ bool validator_fails_unknown_user() |
| 88 | 88 |
validator validator = validator::create (directory, user_token_supplier); |
| 89 | 89 |
|
| 90 | 90 |
// when |
| 91 |
- bool actual = validator.validate ("notuser", token);
|
|
| 91 |
+ bool actual = validator.validate ("requester", "notuser", token);
|
|
| 92 | 92 |
|
| 93 | 93 |
// then |
| 94 | 94 |
check (!actual, "should not be valid"); |
| ... | ... |
@@ -106,13 +106,32 @@ bool validator_fails_incorrect_token() |
| 106 | 106 |
validator validator = validator::create (directory, user_token_supplier); |
| 107 | 107 |
|
| 108 | 108 |
// when |
| 109 |
- bool actual = validator.validate (user_name, "token"); |
|
| 109 |
+ bool actual = validator.validate ("requester", user_name, "token");
|
|
| 110 | 110 |
|
| 111 | 111 |
// then |
| 112 | 112 |
check (!actual, "should not be valid"); |
| 113 | 113 |
succeed(); |
| 114 | 114 |
} |
| 115 | 115 |
|
| 116 |
+bool validator_fails_with_own_token() {
|
|
| 117 |
+ // given |
|
| 118 |
+ std::string requester_user_name("requester");
|
|
| 119 |
+ std::string authorizer_user_name(requester_user_name); |
|
| 120 |
+ std::string authorizer_token("token");
|
|
| 121 |
+ directory directory (share (new fake_directory (authorizer_user_name))); |
|
| 122 |
+ user_token_supplier user_token_supplier (share (new |
|
| 123 |
+ fake_user_token_supplier(authorizer_token))); |
|
| 124 |
+ validator validator = validator::create (directory, user_token_supplier); |
|
| 125 |
+ |
|
| 126 |
+ // when |
|
| 127 |
+ bool actual = validator.validate (requester_user_name, authorizer_user_name, authorizer_token); |
|
| 128 |
+ |
|
| 129 |
+ // then |
|
| 130 |
+ check(!actual, "should not be valid"); |
|
| 131 |
+ succeed(); |
|
| 132 |
+ |
|
| 133 |
+} |
|
| 134 |
+ |
|
| 116 | 135 |
RESET_VARS_START |
| 117 | 136 |
RESET_VARS_END |
| 118 | 137 |
|
| ... | ... |
@@ -121,6 +140,7 @@ bool run_tests() |
| 121 | 140 |
test (validator_validates); |
| 122 | 141 |
test (validator_fails_unknown_user); |
| 123 | 142 |
test (validator_fails_incorrect_token); |
| 143 |
+ test (validator_fails_with_own_token); |
|
| 124 | 144 |
succeed(); |
| 125 | 145 |
} |
| 126 | 146 |
|