systemtest: add bconsole-pam

core/cmake/BareosFindAllLibraries.cmake

@@ -75,6 +75,8 @@ BareosFindLibrary("gtest")
 BareosFindLibrary("gtest_main")
 BareosFindLibrary("gmock")
 
+BareosFindLibrary("pam_wrapper")
+
 if (${HAVE_CAP})
    SET(HAVE_LIBCAP 1)
 endif()

systemtests/CMakeLists.txt

@@ -157,7 +157,6 @@ foreach(CURRENT_FILE ${ALL_FILES})
   # MESSAGE(STATUS "moved  ${scripts}/${TARGET_FILE}")
 endforeach()
 
-
 set(tests_dir ${PROJECT_BINARY_DIR}/tests)
 set(SYSTEM_TESTS
   backup-bareos-test
@@ -170,6 +169,26 @@ set(SYSTEM_TESTS
   copy-remote-bscan
 )
 
+IF(PAM_WRAPPER_LIBRARIES)
+    find_program(PAMTESTER pamtester)
+    IF(PAMTESTER)
+        set(ENV{PAM_WRAPPER_LIBRARIES} "${PAM_WRAPPER_LIBRARIES}")
+        execute_process(
+            COMMAND           "${CMAKE_BINARY_DIR}/systemtests/tests/bconsole-pam/bin/check_pam_exec_available.sh"
+            WORKING_DIRECTORY "${CMAKE_BINARY_DIR}/systemtests/tests/bconsole-pam/"
+            RESULT_VARIABLE   PAM_EXEC_AVAILABLE_RC
+        )
+        IF(${PAM_EXEC_AVAILABLE_RC} EQUAL "0")
+            set(PAM_EXEC_FOUND TRUE)
+            list(APPEND SYSTEM_TESTS "bconsole-pam")
+        ENDIF()
+
+        MESSAGE( STATUS "PAM_EXEC_FOUND:     " ${PAM_EXEC_FOUND} )
+
+    ENDIF()
+ENDIF()
+
+
 set(BASEPORT 42001)
 
 foreach(TEST_NAME ${SYSTEM_TESTS})

systemtests/environment.in

@@ -54,3 +54,5 @@ export tmp
 export db_name=@db_name@
 export db_password=@db_password@
 export db_user=@db_user@
+
+export PAM_WRAPPER_LIBRARIES=@PAM_WRAPPER_LIBRARIES@

systemtests/tests/bconsole-pam/bin/check_pam_exec_available.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+#
+# Verify that our test pam configuration works.
+# It uses
+# * pam_wrapper  to redirect PAM to our test environemnt, using a specific service file
+# * pamtester    to test PAM without the need to run Bareos
+# * pam_exec.so  is defined in the bareos PAM service file.
+#                It is configured to accept all logins where USERNAME = PASSWORD.
+#
+
+set -e
+set -u
+
+export PAM_WRAPPER=1
+export PAM_WRAPPER_SERVICE_DIR=etc/pam.d/bareos
+
+if ! [ -e "${PAM_WRAPPER_SERVICE_DIR}" ]; then
+    echo "PAM service file ${PAM_WRAPPER_SERVICE_DIR} not found"
+    exit 1
+fi
+
+# DEBUG
+#export PAM_WRAPPER_DEBUGLEVEL=4
+
+# PAM_WRAPPER creates extra environments in /tmp/pam.*/
+
+# PAM_WRAPPER_LIBRARIES will be set my cmake
+USERNAME="user"
+PASSWORD="user"
+echo "$PASSWORD" | LD_PRELOAD=${PAM_WRAPPER_LIBRARIES} pamtester bareos "$USERNAME" authenticate
+
+exit $?

systemtests/tests/bconsole-pam/bin/pam_exec_check.sh

@@ -0,0 +1,75 @@
+#!/bin/sh
+
+# auth optional pam_exec.so expose_authtok debug log=/tmp/pam.log /usr/bin/sc_pam_wlan.sh
+
+# called by:
+# auth    optional     pam_exec.so expose_authtok /usr/bin/sc_pam_wlan.sh
+
+# pam_exec options:
+#   debug
+#   expose_authtok
+#     During authentication the calling command can read the password from stdin(3).
+#     (PAM_TYPE=auth only)
+#   log=file
+#     The output of the command is appended to file
+#   type=type
+#     Only run the command if the module type matches the given type.
+#   stdout
+#     Per default the output of the executed command is written to /dev/null. 
+#     With this option, the stdout output of the executed command is redirected 
+#     to the calling application. 
+#     It's in the responsibility of this application what happens with the output. 
+#     The log option is ignored.
+#  quiet
+#    Per default pam_exec.so will echo the exit status of the external command 
+#    if it fails. Specifying this option will suppress the message.
+#  seteuid
+#    Per default pam_exec.so will execute the external command 
+#    with the real user ID of the calling process. 
+#    Specifying this option means the command is run with the effective user ID.
+
+# PAM_TYPE:
+#   "auth"
+#   ...
+#   "open_session"
+#   "close_session"
+
+RC_OK=0
+RC_SKIP=1
+RC_NOK=2
+
+echo "$0"
+#echo "current user: $USER ($UID)"
+
+if [ "$PAM_TYPE" != "auth" ]; then
+    echo "only pam type auth supported, not $PAM_TYPE"
+    exit $RC_SKIP
+fi
+
+echo "PAM settings:"
+echo "User:             $PAM_USER"
+echo "Ruser:            $PAM_RUSER"
+echo "Rhost:            $PAM_RHOST"
+echo "Service:          $PAM_SERVICE"
+echo "TTY:              $PAM_TTY"
+
+USERNAME="$PAM_USER"
+# This does not work in PAM environment
+# if [ -z "$PAM_USER" ]; then
+#   read -p "PE Login: " USERNAME
+# fi
+
+
+read -p "PE Passwort: " PASSWORD
+
+
+if [ "$USERNAME" = "$PASSWORD" ]; then
+  echo "grant access for $USERNAME"
+  RC=$RC_OK
+else
+  echo "deny access for $USERNAME"
+  RC=$RC_NOK
+fi
+
+exit $RC
+

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in

@@ -0,0 +1,8 @@
+Catalog {
+  Name = MyCatalog
+  #dbdriver = "@DEFAULT_DB_TYPE@"
+  dbdriver = "XXX_REPLACE_WITH_DATABASE_DRIVER_XXX"
+  dbname = "@db_name@"
+  dbuser = "@db_user@"
+  dbpassword = "@db_password@"
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in

@@ -0,0 +1,7 @@
+Client {
+  Name = bareos-fd
+  Description = "Client resource of the Director itself."
+  Address = localhost
+  Password = "@fd_password@"          # password for FileDaemon
+  FD PORT = @fd_port@
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/console/pam.conf

@@ -0,0 +1,6 @@
+Console {
+   Name = "PamConsole"
+   Password = "secret"
+   UsePamAuthentication = yes
+}
+

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in

@@ -0,0 +1,27 @@
+Director {                            # define myself
+  Name = bareos-dir
+  QueryFile = "@scriptdir@/query.sql"
+  Maximum Concurrent Jobs = 10
+  Password = "@dir_password@"         # Console password
+  Messages = Daemon
+  Auditing = yes
+
+  # Enable the Heartbeat if you experience connection losses
+  # (eg. because of your router or firewall configuration).
+  # Additionally the Heartbeat can be enabled in bareos-sd and bareos-fd.
+  #
+  # Heartbeat Interval = 1 min
+
+  # remove comment in next line to load dynamic backends from specified directory
+  Backend Directory = @backenddir@
+
+  # remove comment from "Plugin Directory" to load plugins from specified directory.
+  # if "Plugin Names" is defined, only the specified plugins will be loaded,
+  # otherwise all director plugins (*-dir.so) from the "Plugin Directory".
+  #
+  # Plugin Directory = "@plugindir@"
+  # Plugin Names = ""
+  Working Directory =  "@working_dir@"
+  Pid Directory =  "@piddir@"
+  DirPort = @dir_port@
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in

@@ -0,0 +1,11 @@
+FileSet {
+  Name = "Catalog"
+  Description = "Backup the catalog dump and Bareos configuration files."
+  Include {
+    Options {
+      signature = MD5
+    }
+    File = "@working_dir@/@db_name@.sql" # database dump
+    File = "@confdir@"                   # configuration
+  }
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in

@@ -0,0 +1,11 @@
+FileSet {
+  Name = "SelfTest"
+  Description = "fileset just to backup some files for selftest"
+  Include {
+    Options {
+      Signature = MD5 # calculate md5 checksum per file
+    }
+   #File = "@sbindir@"
+    File=<@tmpdir@/file-list
+  }
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in

@@ -0,0 +1,11 @@
+Job {
+  Name = "RestoreFiles"
+  Description = "Standard Restore template. Only one such job is needed for all standard Jobs/Clients/Storage ..."
+  Type = Restore
+  Client = bareos-fd
+  FileSet = SelfTest
+  Storage = File
+  Pool = Incremental
+  Messages = Standard
+  Where = @tmp@/bareos-restores
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in

@@ -0,0 +1,5 @@
+Job {
+  Name = "backup-bareos-fd"
+  JobDefs = "DefaultJob"
+  Client = "bareos-fd"
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in

@@ -0,0 +1,15 @@
+JobDefs {
+  Name = "DefaultJob"
+  Type = Backup
+  Level = Incremental
+  Client = bareos-fd
+  FileSet = "SelfTest"
+  Storage = File
+  Messages = Standard
+  Pool = Incremental
+  Priority = 10
+  Write Bootstrap = "@working_dir@/%c.bsr"
+  Full Backup Pool = Full                  # write Full Backups into "Full" Pool
+  Differential Backup Pool = Differential  # write Diff Backups into "Differential" Pool
+  Incremental Backup Pool = Incremental    # write Incr Backups into "Incremental" Pool
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Daemon.conf.in

@@ -0,0 +1,7 @@
+Messages {
+  Name = Daemon
+  Description = "Message delivery for daemon messages (no job)."
+  console = all, !skipped, !saved, !audit
+  append = "@logdir@/bareos.log" = all, !skipped, !audit
+  append = "@logdir@/bareos-audit.log" = audit
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/messages/Standard.conf.in

@@ -0,0 +1,7 @@
+Messages {
+  Name = Standard
+  Description = "Reasonable message delivery -- send most everything to email address and to the console."
+  console = all, !skipped, !saved, !audit
+  append = "@logdir@/bareos.log" = all, !skipped, !saved, !audit
+  catalog = all, !skipped, !saved, !audit
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Differential.conf

@@ -0,0 +1,10 @@
+Pool {
+  Name = Differential
+  Pool Type = Backup
+  Recycle = yes                       # Bareos can automatically recycle Volumes
+  AutoPrune = yes                     # Prune expired volumes
+  Volume Retention = 90 days          # How long should the Differential Backups be kept? (#09)
+  Maximum Volume Bytes = 10G          # Limit Volume size to something reasonable
+  Maximum Volumes = 100               # Limit number of Volumes in Pool
+  Label Format = "Differential-"      # Volumes will be labeled "Differential-<volume-id>"
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Full.conf

@@ -0,0 +1,10 @@
+Pool {
+  Name = Full
+  Pool Type = Backup
+  Recycle = yes                       # Bareos can automatically recycle Volumes
+  AutoPrune = yes                     # Prune expired volumes
+  Volume Retention = 365 days         # How long should the Full Backups be kept? (#06)
+  Maximum Volume Bytes = 50G          # Limit Volume size to something reasonable
+  Maximum Volumes = 100               # Limit number of Volumes in Pool
+  Label Format = "Full-"              # Volumes will be labeled "Full-<volume-id>"
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Incremental.conf

@@ -0,0 +1,10 @@
+Pool {
+  Name = Incremental
+  Pool Type = Backup
+  Recycle = yes                       # Bareos can automatically recycle Volumes
+  AutoPrune = yes                     # Prune expired volumes
+  Volume Retention = 30 days          # How long should the Incremental Backups be kept?  (#12)
+  Maximum Volume Bytes = 1G           # Limit Volume size to something reasonable
+  Maximum Volumes = 100               # Limit number of Volumes in Pool
+  Label Format = "Incremental-"       # Volumes will be labeled "Incremental-<volume-id>"
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/pool/Scratch.conf

@@ -0,0 +1,4 @@
+Pool {
+  Name = Scratch
+  Pool Type = Scratch
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/profile/operator.conf

@@ -0,0 +1,18 @@
+Profile {
+   Name = operator
+   Description = "Profile allowing normal Bareos operations."
+
+   Command ACL = !.bvfs_clear_cache, !.exit, !.sql
+   Command ACL = !configure, !create, !delete, !purge, !prune, !sqlquery, !umount, !unmount
+   Command ACL = *all*
+
+   Catalog ACL = *all*
+   Client ACL = *all*
+   FileSet ACL = *all*
+   Job ACL = *all*
+   Plugin Options ACL = *all*
+   Pool ACL = *all*
+   Schedule ACL = *all*
+   Storage ACL = *all*
+   Where ACL = *all*
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/storage/File.conf.in

@@ -0,0 +1,8 @@
+Storage {
+  Name = File
+  Address = @hostname@                # N.B. Use a fully qualified name here (do not use "localhost" here).
+  Password = "@sd_password@"
+  Device = FileStorage
+  Media Type = File
+  SD Port = @sd_port@
+}

systemtests/tests/bconsole-pam/etc/bareos/bareos-dir.d/user/user1.conf

@@ -0,0 +1,6 @@
+User {
+   Name = "user1"
+   Password = "" # unsed because authenticated by PAM
+   Profile = operator
+}
+

systemtests/tests/bconsole-pam/etc/bareos/bconsole-default.conf.in

@@ -0,0 +1,10 @@
+#
+# Bareos User Agent (or Console) Configuration File
+#
+
+Director {
+  Name = @basename@-dir
+  DIRport = @dir_port@
+  address = @hostname@
+  Password = "@dir_password@"
+}

systemtests/tests/bconsole-pam/etc/bareos/bconsole.conf.in

@@ -0,0 +1,16 @@
+#
+# Bareos User Agent (or Console) Configuration File
+#
+
+Director {
+  Name = @basename@-dir
+  DIRport = @dir_port@
+  address = @hostname@
+  Password = ""
+}
+
+Console {
+  Name = PamConsole
+  Password = "secret"
+}
+

systemtests/tests/bconsole-pam/etc/pam.d/bareos.in

@@ -0,0 +1,5 @@
+#
+# PAM settings for service bareos.
+#
+auth        required     pam_exec.so  expose_authtok debug quiet log=@PROJECT_BINARY_DIR@/tests/@TEST_NAME@/log/pam_exec_check.log @PROJECT_BINARY_DIR@/tests/@TEST_NAME@/bin/pam_exec_check.sh
+

systemtests/tests/bconsole-pam/etc/user1.cred

@@ -0,0 +1,2 @@
+user1
+user1

systemtests/tests/bconsole-pam/etc/user2.cred

@@ -0,0 +1,2 @@
+user2
+wrongpassword