Added logging that tells who has bypassed Duo because of their user g… (

duosecurity#151)

* Added logging that tells who has bypassed Duo because of their user group

* Fixed groups-1.t tests

login_duo/login_duo.c

@@ -201,6 +201,7 @@ do_auth(struct login_ctx *ctx, const char *cmd)
         close_config(&cfg);
         return (EXIT_FAILURE);
     } else if (matched == 0) {
+        duo_syslog(LOG_INFO, "User %s bypassed Duo 2FA due to user's UNIX group", duouser);
         close_config(&cfg);
         return (EXIT_SUCCESS);
     }

pam_duo/pam_duo.c

@@ -219,6 +219,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
         close_config(&cfg);
         return (PAM_SERVICE_ERR);
     } else if (matched == 0) {
+        duo_syslog(LOG_INFO, "User %s bypassed Duo 2FA due to user's UNIX group", user);
         close_config(&cfg);
         return (PAM_SUCCESS);
     }

tests/Makefile.am

@@ -2,7 +2,7 @@ TESTS_ENVIRONMENT = env BUILDDIR=$(abs_top_builddir) $(PYTHON) $(top_srcdir)/tes
 
 # Preserve ordering; login_duo-0.t does some setup
 TESTS = login_duo-0.t login_duo-1.t login_duo-2.t login_duo-3.t login_duo-4.t login_duo-5.t login_duo-6.t login_duo-7.t
-TESTS += groups-0.t groups-1.t mocklogin_duo-0.t mocklogin_duo-1.t util-0.t test_crypto-0.t
+TESTS += groups-0.t groups-1.t groups-2.t mocklogin_duo-0.t mocklogin_duo-1.t util-0.t test_crypto-0.t
 PAM_TESTS = pam_duo-0.t pam_duo-1.t pam_duo-2.t pam_duo-3.t pam_duo-4.t pam_duo-5.t pam_duo-6.t pam_duo-7.t
 
 check_LTLIBRARIES = libgroups_preload.la

tests/groups-0.t

@@ -16,12 +16,6 @@ users only: match users
   $ env UID=1002 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow true
   [4] Skipped Duo login for 'preauth-allow': you rock
 
-users only: skip users
-  $ env UID=1003 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow echo SKIP
-  SKIP
-  $ env UID=1004 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow echo SKIP
-  SKIP
-
 users or admins: match users
 ==> primary group
   $ env UID=1001 ./groups.py -d -c confs/mockduo_users_admins.conf -f preauth-allow true
@@ -34,24 +28,7 @@ users or admins: match users
   $ env UID=1003 ./groups.py -d -c confs/mockduo_users_admins.conf -f preauth-allow true
   [4] Skipped Duo login for 'preauth-allow': you rock
 
-users or admins: skip users
-  $ env UID=1004 ./groups.py -d -c confs/mockduo_users_admins.conf -f preauth-allow echo SKIP
-  SKIP
-
 admins and not users: match admins
   $ env UID=1003 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
   [4] Skipped Duo login for 'preauth-allow': you rock
 
-admins and not users: skip users
-  $ env UID=1000 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow echo SKIP
-  SKIP
-  $ env UID=1001 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow echo SKIP
-  SKIP
-  $ env UID=1002 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow echo SKIP
-  SKIP
-  $ env UID=1004 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow echo SKIP
-  SKIP
-
-non-existent shell
-  $ env UID=1005 ./groups.py -d -c confs/mockduo_users.conf -f noshell echo SKIP
-  SKIP

tests/groups-1.t

@@ -6,14 +6,26 @@ mockduo with valid cert
   $ trap 'exec kill $MOCKPID >/dev/null 2>&1' EXIT
   $ sleep 1
 
-match groups with spaces
-  $ env UID=1001 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
-  [4] Skipped Duo login for 'preauth-allow': you rock
+users only: bypass users 
+  $ env UID=1003 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow true
+  [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+  $ env UID=1004 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow true
+  [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
 
-match groups with backslash
-  $ env UID=1004 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
-  [4] Skipped Duo login for 'preauth-allow': you rock
+users or admins: bypass users 
+  $ env UID=1004 ./groups.py -d -c confs/mockduo_users_admins.conf -f preauth-allow true
+  [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
 
-match groups without spaces
-  $ env UID=1002 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
-  [4] Skipped Duo login for 'preauth-allow': you rock
+admins and not users: bypass users 
+  $ env UID=1000 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
+  [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+  $ env UID=1001 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
+  [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+  $ env UID=1002 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
+  [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+  $ env UID=1004 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
+  [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+
+non-existent shell
+  $ env UID=1005 ./groups.py -d -c confs/mockduo_users.conf -f noshell true
+  [6] User noshell bypassed Duo 2FA due to user's UNIX group

tests/groups-2.t

@@ -0,0 +1,19 @@
+mockduo with valid cert
+
+  $ cd ${TESTDIR}
+  $ python mockduo.py certs/mockduo.pem >/dev/null 2>&1 &
+  $ MOCKPID=$!
+  $ trap 'exec kill $MOCKPID >/dev/null 2>&1' EXIT
+  $ sleep 1
+
+match groups with spaces
+  $ env UID=1001 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
+  [4] Skipped Duo login for 'preauth-allow': you rock
+
+match groups with backslash
+  $ env UID=1004 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
+  [4] Skipped Duo login for 'preauth-allow': you rock
+
+match groups without spaces
+  $ env UID=1002 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
+  [4] Skipped Duo login for 'preauth-allow': you rock