checks requester user name
Greg Wiley authored on 02/05/2017 17:41:40
Showing 4 changed files
... | ... |
@@ -57,7 +57,7 @@ int impl::authenticate (const pam_request &request) |
57 | 57 |
{ |
58 | 58 |
conversation_result input (conversation_.initiate (request)); |
59 | 59 |
|
60 |
- int auth_result = validator_.validate (input.user_name, |
|
60 |
+ int auth_result = validator_.validate ("", input.user_name, |
|
61 | 61 |
input.token) ? PAM_SUCCESS : PAM_AUTH_ERR; |
62 | 62 |
|
63 | 63 |
logger_.log (auth_result, input.user_name, input.token); |
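Review bot: Passing a hard-coded `""` as the requester on the new line 60 makes the self-authorization check introduced by this commit a no-op on the PAM path, since `"" == input.user_name` is false for every non-empty user name and the validator has no separate empty-requester rejection. If `request` (or the PAM environment behind it) carries the identity of the user being authenticated, that is what should be passed here; if it genuinely is not available yet, the placeholder deserves a comment so the next reader does not take it for a completed check, e.g. `// TODO: pass the requesting user's name; "" disables the self-authorization check`. impl::authenticate starts before this hunk and its return is outside it.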
... | ... |
@@ -26,10 +26,15 @@ public: |
26 | 26 |
const user_token_supplier user_token_supplier) : |
27 | 27 |
directory_ (directory), |
28 | 28 |
user_token_supplier_ (user_token_supplier) {} |
29 |
- bool validate (const std::string &user_name, |
|
29 |
+ bool validate (const std::string &requester_user_name, |
|
30 |
+ const std::string &authorizer_user_name, |
|
30 | 31 |
const std::string &token) |
31 | 32 |
{ |
32 |
- std::vector<user> found_user = directory_.find_user (user_name); |
|
33 |
+ std::vector<user> found_user = directory_.find_user (authorizer_user_name); |
|
34 |
+ |
|
35 |
+ if (requester_user_name == authorizer_user_name) { |
|
36 |
+ return false; |
|
37 |
+ } |
|
33 | 38 |
|
34 | 39 |
if (found_user.empty()) { |
35 | 40 |
return false; |
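Review bot: The new guard on lines 35-37 does not reject an empty requester, so a caller that supplies no requester name (the PAM module in this same commit passes `""`) still gets the authorizer's token accepted, which defeats the purpose of the check. It is also placed after the directory lookup on line 33, so a request that will be refused anyway still costs a `find_user` call. I would move the guard to the top of the body and tighten it: `if (requester_user_name.empty() || requester_user_name == authorizer_user_name) return false;` followed by `std::vector<user> found_user = directory_.find_user (authorizer_user_name);`. Note the comparison is a byte-exact `==`; if `find_user` matches names case-insensitively or otherwise normalizes them, the same user could still authorize themself under a variant spelling, which is worth confirming against the directory implementation. The enclosing class begins before this hunk and the token check continues after it.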
... | ... |
@@ -22,8 +22,9 @@ class validator_ifc |
22 | 22 |
{ |
23 | 23 |
public: |
24 | 24 |
virtual ~validator_ifc() {} |
25 |
- virtual bool validate (const std::string &user_name, |
|
26 |
- const std::string &token) |
|
25 |
+ virtual bool validate (const std::string &requester_user_name, |
|
26 |
+ const std::string &authorizer_user_name, |
|
27 |
+ const std::string &authorizer_token) |
|
27 | 28 |
{ |
28 | 29 |
return false; |
29 | 30 |
} |
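Review bot: The interface now takes three strings whose roles are not obvious from the signature alone, and nothing in the header says which name is looked up, which one the token belongs to, or that the two must differ. A short Doxygen comment above `validate` would pin the contract for implementers and callers: `/// Returns true only if @p authorizer_token is valid for @p authorizer_user_name` / `/// and @p authorizer_user_name differs from @p requester_user_name.` / `/// This base implementation fails closed and always returns false.` The first two lines describe what the concrete validator in this commit does, so they should be revised if that contract changes. The class declaration starts before this hunk.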
... | ... |
@@ -38,9 +39,9 @@ public: |
38 | 39 |
(delegate) {} |
39 | 40 |
validator() : validator (std::shared_ptr<validator_ifc> |
40 | 41 |
(new validator_ifc)) {} |
41 |
- bool validate (const std::string &user_name, const std::string &token) |
|
42 |
+ bool validate (const std::string &requester_user_name, const std::string &authorizer_user_name, const std::string &authorizer_token) |
|
42 | 43 |
{ |
43 |
- return delegate_->validate (user_name, token); |
|
44 |
+ return delegate_->validate (requester_user_name, authorizer_user_name, authorizer_token); |
|
44 | 45 |
} |
45 | 46 |
static validator create (const directory &directory, |
46 | 47 |
const user_token_supplier &token_supplier); |
... | ... |
@@ -70,7 +70,7 @@ bool validator_validates() |
70 | 70 |
validator validator = validator::create (directory, user_token_supplier); |
71 | 71 |
|
72 | 72 |
// when |
73 |
- bool actual = validator.validate (user_name, token); |
|
73 |
+ bool actual = validator.validate ("requester", user_name, token); |
|
74 | 74 |
|
75 | 75 |
// then |
76 | 76 |
check (actual, "should be valid"); |
... | ... |
@@ -88,7 +88,7 @@ bool validator_fails_unknown_user() |
88 | 88 |
validator validator = validator::create (directory, user_token_supplier); |
89 | 89 |
|
90 | 90 |
// when |
91 |
- bool actual = validator.validate ("notuser", token); |
|
91 |
+ bool actual = validator.validate ("requester", "notuser", token); |
|
92 | 92 |
|
93 | 93 |
// then |
94 | 94 |
check (!actual, "should not be valid"); |
... | ... |
@@ -106,13 +106,32 @@ bool validator_fails_incorrect_token() |
106 | 106 |
validator validator = validator::create (directory, user_token_supplier); |
107 | 107 |
|
108 | 108 |
// when |
109 |
- bool actual = validator.validate (user_name, "token"); |
|
109 |
+ bool actual = validator.validate ("requester", user_name, "token"); |
|
110 | 110 |
|
111 | 111 |
// then |
112 | 112 |
check (!actual, "should not be valid"); |
113 | 113 |
succeed(); |
114 | 114 |
} |
115 | 115 |
|
116 |
+bool validator_fails_with_own_token() { |
|
117 |
+ // given |
|
118 |
+ std::string requester_user_name("requester"); |
|
119 |
+ std::string authorizer_user_name(requester_user_name); |
|
120 |
+ std::string authorizer_token("token"); |
|
121 |
+ directory directory (share (new fake_directory (authorizer_user_name))); |
|
122 |
+ user_token_supplier user_token_supplier (share (new |
|
123 |
+ fake_user_token_supplier(authorizer_token))); |
|
124 |
+ validator validator = validator::create (directory, user_token_supplier); |
|
125 |
+ |
|
126 |
+ // when |
|
127 |
+ bool actual = validator.validate (requester_user_name, authorizer_user_name, authorizer_token); |
|
128 |
+ |
|
129 |
+ // then |
|
130 |
+ check(!actual, "should not be valid"); |
|
131 |
+ succeed(); |
|
132 |
+ |
|
133 |
+} |
|
134 |
+ |
|
116 | 135 |
RESET_VARS_START |
117 | 136 |
RESET_VARS_END |
118 | 137 |
|
... | ... |
@@ -121,6 +140,7 @@ bool run_tests() |
121 | 140 |
test (validator_validates); |
122 | 141 |
test (validator_fails_unknown_user); |
123 | 142 |
test (validator_fails_incorrect_token); |
143 |
+ test (validator_fails_with_own_token); |
|
124 | 144 |
succeed(); |
125 | 145 |
} |
126 | 146 |
|