Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(pam/nativemodel): Add native PAM interface support #314

Merged
merged 16 commits into from
Jun 27, 2024
Merged

feat(pam/nativemodel): Add native PAM interface support #314

merged 16 commits into from
Jun 27, 2024

Conversation

3v1n0
Copy link
Collaborator

@3v1n0 3v1n0 commented Apr 16, 2024
edited
Loading

It allows to work with any pam client, regardless they're supporting
authd or not (including polkit and ssh)

UDENG-2289
UDENG-3127

Closes: #380

@3v1n0 3v1n0 force-pushed the pam-native-interface branch 2 times, most recently from 95e4ed0 to ed9880d Compare April 16, 2024 13:37
@3v1n0 3v1n0 mentioned this pull request Apr 16, 2024
Merged
denisonbarbosa added a commit that referenced this pull request Apr 18, 2024
@denisonbarbosa
fix(pam): Start broker and user selection only if required, without t…
4daf3d3 
…ouching terminal (#316)

Ensure that terminal output is not touched unless we really need to.

This is something that is also required for #314 so having it earlier
would help that PR too.

UDENG-2608
@codecov-commenter
Copy link

codecov-commenter commented Jun 5, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 70.46263% with 166 lines in your changes missing coverage. Please review.

Project coverage is 84.16%. Comparing base (ca9b3a0) to head (09dede8).

Files Patch % Lines
pam/internal/adapter/nativemodel.go 67.50% 100 Missing and 43 partials ⚠️
pam/pam.go 40.00% 8 Missing and 4 partials ⚠️
pam/main-cli.go 79.48% 6 Missing and 2 partials ⚠️
pam/internal/adapter/utils.go 83.33% 1 Missing and 1 partial ⚠️
examplebroker/broker.go 75.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #314      +/-   ##
==========================================
- Coverage   85.24%   84.16%   -1.09%     
==========================================
  Files          76       77       +1     
  Lines        6161     6673     +512     
  Branches       75       75              
==========================================
+ Hits         5252     5616     +364     
- Misses        644      740      +96     
- Partials      265      317      +52

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@3v1n0 3v1n0 force-pushed the pam-native-interface branch 6 times, most recently from aa10a36 to 717dbf0 Compare June 19, 2024 22:08
@3v1n0
Copy link
Collaborator Author

3v1n0 commented Jun 19, 2024

Ok, this should be open for business now.

Sorry for the big diff, but I've basically replicated all the tests we had for the CLI for this interface, so that we can ensure we keep consistency between the two (a part the differences due to the obvious technological aspects).
So go by commit to review.

We have various duplicates in the tests setups now, but I'll address those in another PR.

The model per se is not big at all and it should be quite simple.

@3v1n0 3v1n0 marked this pull request as ready for review June 19, 2024 22:27
@3v1n0 3v1n0 requested a review from a team as a code owner June 19, 2024 22:27
denisonbarbosa
denisonbarbosa requested changes Jun 24, 2024
View reviewed changes
Copy link
Member

@denisonbarbosa denisonbarbosa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some suggestions and questions, but it's looking really good. Well done!

I'll do another pass after the rebasing.

pam/internal/adapter/nativemodel.go Outdated Show resolved Hide resolved
pam/internal/adapter/nativemodel.go Outdated Show resolved Hide resolved
pam/internal/adapter/nativemodel.go Outdated Show resolved Hide resolved
pam/internal/adapter/nativemodel.go Outdated Show resolved Hide resolved
pam/internal/adapter/nativemodel.go Outdated Show resolved Hide resolved
pam/internal/adapter/nativemodel.go Outdated Show resolved Hide resolved
@3v1n0 3v1n0 force-pushed the pam-native-interface branch 3 times, most recently from fe8946e to 3a10d33 Compare June 25, 2024 04:21
denisonbarbosa
denisonbarbosa requested changes Jun 26, 2024
View reviewed changes
pam/internal/adapter/nativemodel.go Outdated Show resolved Hide resolved
pam/internal/adapter/authentication.go Outdated Show resolved Hide resolved
pam/internal/adapter/newpasswordmodel.go Show resolved Hide resolved
@3v1n0
pam: Use default log handler when pam.Silent is used and logging to file
961e028 
In case we're logging to a file, we are not bothering PAM output, so
let's continue using the default handler
@3v1n0
pam: Move initialization of options for PAM in headless mode to share…
8209ce5 
…d file

These are used both by tests and actual PAM model, so expose this in a
single place to be reused without repetitions
@3v1n0
pam/authentication: Request stage change before starting authentication
24dff3f 
We were managing this from model, but this happened also on error, so
let's instead do the stage change only if authentication has been
started
@3v1n0
pam/integration-tests: Add test to check if password has not been cha…
95e6833 
…nged
@3v1n0
pam/integration-tests: Rename cli integration test file to be less ge…
dad1a52 
…neric
@3v1n0
pam/integration-tests: Rename optional pw reset tape to be closer to …
e9ad851 
…what it does

The tape doesn't really reset the password, it only skips the request so
rename it accordingly, so that we can add an actual test that accepts
the request
@3v1n0
pam/integration-tests: Rename test to make the outcome clearer
9310aa4 
In this test we were switching to local broker, but that's not something
that was explicitly stated so do it
@3v1n0
pam/integration-tests: Move CLI tapes to a subfolder
1bcf3dc 
We're going to add more types, so let's organize them better
@3v1n0
pam/authentication: Handle new password check logic in a global place
782b82f 
This makes easier to handle the logic in other UIs without having them
to keep track of the state or of the previous password themselves
@3v1n0
pam: Add PAM native model implementation
51ac6ad 
It allows to work with any pam client, regardless they're supporting
authd or not
@3v1n0
pam/main-cli: Allow to enable simple conversation handler
0a9cb81 
It allows us to use more complex stacks where normal PAM input is
required
@3v1n0
services/permissions/testutils: Only consider the suffix of the user …
23a2336 
…error message

When replacing the user ID with XXXX's we may not be able to replace the
content fully when the string is wrapped.

So just consider the final part of the string.

See https://github.com/ubuntu/authd/actions/runs/9588429219/job/26440434186
@denisonbarbosa denisonbarbosa requested review from didrocks and removed request for didrocks June 26, 2024 14:12
denisonbarbosa
denisonbarbosa approved these changes Jun 26, 2024
View reviewed changes
Copy link
Member

@denisonbarbosa denisonbarbosa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mind rebasing everything and applying the fixups before we request another set of eyes to take a look?

@3v1n0
pam/integration-tests: Add native PAM client integration tests
fb81097 
Reusing the same test cases of the CLI client, tuned to work with the
simpler UI that PAM provides
@3v1n0
pam/integration-tests: Run passwd_unexisting_user tape with CLI
1c81238 
We had this tape in the repository, but it wasn't used, so actually use
it
@3v1n0
pam/integration-tests: Add TestNativeChangeAuthTok tests
d02e993 
Repeat the tests we have for the CLI interface in the PAM native
interface too
@3v1n0
examplebroker: Include code in label if the qrcode UI doesn't support it
09dede8
@3v1n0
Copy link
Collaborator Author

3v1n0 commented Jun 26, 2024

Do you mind rebasing everything and applying the fixups before we request another set of eyes to take a look?

Yeah, that's done. Thanks for your comments.

@3v1n0 3v1n0 merged commit 5a30665 into ubuntu:main Jun 27, 2024
5 checks passed
@3v1n0 3v1n0 mentioned this pull request Jun 27, 2024
Merged
3v1n0 added a commit that referenced this pull request Jun 27, 2024
@3v1n0
pam/nativemodel: Fix typo on auth selection screen due to strings joi…
aee4467 
…ning (#400)

Related to #314
3v1n0 added a commit to 3v1n0/authd that referenced this pull request Jun 27, 2024
@3v1n0
pam/integration-tests/native: Add qrcode tests for different qrcode t…
6292798 
…ypes

This was intended to be part of ubuntu#314 but it got lost when merging with ubuntu#393
@3v1n0 3v1n0 mentioned this pull request Jun 27, 2024
Merged
didrocks added a commit that referenced this pull request Jun 28, 2024
@didrocks
maint(pam/integration-tests): Add native QRCode tests and ensure they…
05ca163 
… run as different users (#401)

Some tests changes that were supposed part of #314 and got lost due to
pre-merging of #393

But I also will use those assumptions in an upcoming branch.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@denisonbarbosa denisonbarbosa denisonbarbosa approved these changes

@didrocks didrocks Awaiting requested review from didrocks

@GabrielNagy GabrielNagy Awaiting requested review from GabrielNagy

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ssh or polkit: regenerating the QR code twice in a row fails
3 participants
@3v1n0 @codecov-commenter @denisonbarbosa