diff --git a/login_duo/login_duo.c b/login_duo/login_duo.c
index 4842b36f..a54e4a2a 100644
--- a/login_duo/login_duo.c
+++ b/login_duo/login_duo.c
@@ -201,6 +201,7 @@ do_auth(struct login_ctx *ctx, const char *cmd)
 close_config(&cfg);
 return (EXIT_FAILURE);
 } else if (matched == 0) {
+ duo_syslog(LOG_INFO, "User %s bypassed Duo 2FA due to user's UNIX group", duouser);
 close_config(&cfg);
 return (EXIT_SUCCESS);
 }
diff --git a/pam_duo/pam_duo.c b/pam_duo/pam_duo.c
index 68e6a553..bc836ebd 100644
--- a/pam_duo/pam_duo.c
+++ b/pam_duo/pam_duo.c
@@ -219,6 +219,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
 close_config(&cfg);
 return (PAM_SERVICE_ERR);
 } else if (matched == 0) {
+ duo_syslog(LOG_INFO, "User %s bypassed Duo 2FA due to user's UNIX group", user);
 close_config(&cfg);
 return (PAM_SUCCESS);
 }
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a4d2e539..1d223220 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -2,7 +2,7 @@ TESTS_ENVIRONMENT = env BUILDDIR=$(abs_top_builddir) $(PYTHON) $(top_srcdir)/tes
 # Preserve ordering; login_duo-0.t does some setup
 TESTS = login_duo-0.t login_duo-1.t login_duo-2.t login_duo-3.t login_duo-4.t login_duo-5.t login_duo-6.t login_duo-7.t
-TESTS += groups-0.t groups-1.t mocklogin_duo-0.t mocklogin_duo-1.t util-0.t test_crypto-0.t
+TESTS += groups-0.t groups-1.t groups-2.t mocklogin_duo-0.t mocklogin_duo-1.t util-0.t test_crypto-0.t
 PAM_TESTS = pam_duo-0.t pam_duo-1.t pam_duo-2.t pam_duo-3.t pam_duo-4.t pam_duo-5.t pam_duo-6.t pam_duo-7.t
 check_LTLIBRARIES = libgroups_preload.la
diff --git a/tests/groups-0.t b/tests/groups-0.t
index 650ead12..60bb8928 100644
--- a/tests/groups-0.t
+++ b/tests/groups-0.t
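Review bot: The new bypass log line prints the username bare, while the existing skip message asserted in tests/groups-0.t quotes it (`[4] Skipped Duo login for 'preauth-allow': you rock`); quoting here too, `duo_syslog(LOG_INFO, "User '%s' bypassed Duo 2FA due to user's UNIX group", duouser);`, keeps the messages consistent and makes a name containing spaces unambiguous to whoever reads the log. The same applies to the identical line in the pam_duo.c hunk, where the argument is `user`. Because this entry records the one decision an auditor is most likely to search for, it is also worth confirming that duo_syslog neutralizes control characters in the name (in the PAM path the username is supplied by the calling application, which this hunk does not show), so that a crafted name cannot reshape the log record. The two hunks duplicate the format string literally and the cram tests in groups-1.t now assert on its exact wording, so a shared constant in a common header would keep the two binaries from drifting apart. do_auth's body starts and ends outside the hunk.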
@@ -16,12 +16,6 @@ users only: match users
 $ env UID=1002 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow true
 [4] Skipped Duo login for 'preauth-allow': you rock
-users only: skip users
- $ env UID=1003 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow echo SKIP
- SKIP
- $ env UID=1004 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow echo SKIP
- SKIP
-
 users or admins: match users ==> primary group
 $ env UID=1001 ./groups.py -d -c confs/mockduo_users_admins.conf -f preauth-allow true
 [4] Skipped Duo login for 'preauth-allow': you rock
@@ -34,24 +28,7 @@ users or admins: match users
 $ env UID=1003 ./groups.py -d -c confs/mockduo_users_admins.conf -f preauth-allow true
 [4] Skipped Duo login for 'preauth-allow': you rock
-users or admins: skip users
- $ env UID=1004 ./groups.py -d -c confs/mockduo_users_admins.conf -f preauth-allow echo SKIP
- SKIP
-
 admins and not users: match admins
 $ env UID=1003 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
 [4] Skipped Duo login for 'preauth-allow': you rock
-admins and not users: skip users
- $ env UID=1000 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow echo SKIP
- SKIP
- $ env UID=1001 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow echo SKIP
- SKIP
- $ env UID=1002 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow echo SKIP
- SKIP
- $ env UID=1004 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow echo SKIP
- SKIP
-
-non-existent shell
- $ env UID=1005 ./groups.py -d -c confs/mockduo_users.conf -f noshell echo SKIP
- SKIP
diff --git a/tests/groups-1.t b/tests/groups-1.t
index 9f74d4c0..a646d8dc 100644
--- a/tests/groups-1.t
+++ b/tests/groups-1.t
@@ -6,14 +6,26 @@ mockduo with valid cert
 $ trap 'exec kill $MOCKPID >/dev/null 2>&1' EXIT
 $ sleep 1
-match groups with spaces
- $ env UID=1001 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
- [4] Skipped Duo login for 'preauth-allow': you rock
+users only: bypass users
+ $ env UID=1003 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow true
+ [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+ $ env UID=1004 ./groups.py -d -c confs/mockduo_users.conf -f preauth-allow true
+ [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
-match groups with backslash
- $ env UID=1004 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
- [4] Skipped Duo login for 'preauth-allow': you rock
+users or admins: bypass users
+ $ env UID=1004 ./groups.py -d -c confs/mockduo_users_admins.conf -f preauth-allow true
+ [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
-match groups without spaces
- $ env UID=1002 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
- [4] Skipped Duo login for 'preauth-allow': you rock
+admins and not users: bypass users
+ $ env UID=1000 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
+ [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+ $ env UID=1001 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
+ [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+ $ env UID=1002 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
+ [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+ $ env UID=1004 ./groups.py -d -c confs/mockduo_admins_no_users.conf -f preauth-allow true
+ [6] User preauth-allow bypassed Duo 2FA due to user's UNIX group
+
+non-existent shell
+ $ env UID=1005 ./groups.py -d -c confs/mockduo_users.conf -f noshell true
+ [6] User noshell bypassed Duo 2FA due to user's UNIX group
diff --git a/tests/groups-2.t b/tests/groups-2.t
new file mode 100644
index 00000000..9f74d4c0
--- /dev/null
+++ b/tests/groups-2.t
@@ -0,0 +1,19 @@
+mockduo with valid cert
+
+ $ cd ${TESTDIR}
+ $ python mockduo.py certs/mockduo.pem >/dev/null 2>&1 &
+ $ MOCKPID=$!
+ $ trap 'exec kill $MOCKPID >/dev/null 2>&1' EXIT
+ $ sleep 1
+
+match groups with spaces
+ $ env UID=1001 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
+ [4] Skipped Duo login for 'preauth-allow': you rock
+
+match groups with backslash
+ $ env UID=1004 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
+ [4] Skipped Duo login for 'preauth-allow': you rock
+
+match groups without spaces
+ $ env UID=1002 ./groups.py -d -c confs/mockduo_space_users.conf -f preauth-allow true
+ [4] Skipped Duo login for 'preauth-allow': you rock