diff --git a/.gitignore b/.gitignore index d0f17ac..c2ec50e 100644 --- a/.gitignore +++ b/.gitignore @@ -42,3 +42,4 @@ Makefile.in test.conf __pycache__/ Vagrantfile +.isort.cfg diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 87d595d..beb9e40 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,4 +1,5 @@ -include: +--- +include: - project: "mirrors/duo_unix_ci" ref: "master" file: ".gitlab-ci.yml" diff --git a/CHANGES b/CHANGES index 8684b11..c7fce33 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +duo_unix-1.12.0: +- Switched from BSON to JSON as a data interchange format +- Switched from Cram to python `unittest` for testing + duo_unix-1.11.5: - Added support for Debian 11 - Removed support for Debian 8 diff --git a/README.md b/README.md index 514eae1..03326f9 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ Install the necessary third party libraries. - Debian based Systems ``` -$ sudo apt-get install autoconf libtool libpam-dev libssl-dev +$ sudo apt-get install autoconf libtool libpam-dev libssl-dev make ``` - RHEL based systems @@ -98,28 +98,31 @@ To run all the automated tests simply run ``` $ make check ``` - -To run an individual test +To run an individual test file ``` $ cd tests/ -$ python cram.py login_duo-1.t +$ python test_login_duo.py ``` - -### Cram Tests - -For Duo Unix we use [Cram](https://bitheap.org/cram/) to do our testing. Each test file typically starts by creating a mock duo service. After we create that service we list commands followed by the expected output of that command. -If the output matches, then the cram test passes. If not, it fails. - -Example passing test +To run an individual test suite ``` -$ echo "Hello World" -Hello World +$ cd tests/ +$ python test_login_duo.py TestLoginDuoConfig ``` -Example failing test +To run an individual test case ``` -$ echo "Hello World" -Goodbye World +$ cd tests/ +$ python test_login_duo.py TestLoginDuoConfig.test_empty_args ``` + +### Python Tests + +For Duo Unix we use the python `unittest` library to do our testing. Each suite +typically starts by creating a mock duo service. After we create that service +we perform a series of tests to verify that this software is working as +expected. Although we use the `unittest` library these are not truely "unit tests" +as manage subprocesses and generally employ blackbox testing. The true "unit tests" +for Duo Unix are the unity tests. + ### Testing with coverage To generate coverate reports you'll need to compile Duo Unix with the `--with-coverage` options. Please note that in order to view HTML version of the coverage reports you'll also need to @@ -132,7 +135,6 @@ $ ./configure --with-coverage --with-pam $ ./collect_coverage.sh $ $BROWSER coverage/pam_duo.html ``` -``` Note that configuring Duo Unix --with-coverage disables any compiler optimizations to allow the profiler to better match executed instructions with lines of code. diff --git a/collect_coverage.sh b/collect_coverage.sh new file mode 100755 index 0000000..f956343 --- /dev/null +++ b/collect_coverage.sh @@ -0,0 +1,80 @@ +#!/bin/bash +# Run this at the root of a Duo Unix directory that has been compiled with coverage +# reporting turned on + +if ! [ -x "$(command -v gcovr)" ]; then + echo "Missing gcovr. Please pip install" + exit 1 +fi + +mkdir -p coverage + +# This section is necessary because otherwise coverage files are created with a +# file mode of 0100 (due to an issue with linking to compat) which causes +# errors. To "get ahead of this" we are creating the coverage files and setting +# their file mode to 700 this allows us to have full coverage and avoid errors. + +mkdir -p tests/.libs +GCDA_FILES=( + "/vagrant/pam_duo/.libs/pam_duo_private.gcda" + "/vagrant/pam_duo/.libs/pam_duo.gcda" + "/vagrant/tests/testpam.gcda" + "/vagrant/tests/.libs/testpam_preload.gcda" + "/vagrant/pam_duo/.libs/pam_duo_private.gcda" + "/vagrant/pam_duo/.libs/pam_duo.gcda" + "/vagrant/tests/testpam.gcda" + "/vagrant/tests/.libs/testpam_preload.gcda" + "/vagrant/lib/.libs/http_parser.gcda" + "/vagrant/lib/.libs/bson.gcda" + "/vagrant/lib/.libs/urlenc.gcda" + "/vagrant/lib/.libs/ini.gcda" + "/vagrant/lib/.libs/https.gcda" + "/vagrant/lib/.libs/duo.gcda" +) + +for i in "${GCDA_FILES[@]}"; do + rm -f "$i"; touch "$i"; chmod 700 "$i" +done + +# end weird permission hacking + +make check +gcovr --xml-pretty --exclude-unreachable-branches --print-summary -o coverage/coverage.xml --root . + +if [ -f pam_duo/pam_duo.gcno ]; then + ( + cd pam_duo || return + gcov pam_duo.c -o .libs + gcovr --txt + gcovr --html-details pam_duo.html + rm -f .libs/*.gcda + ) + mv pam_duo/*.{css,html} coverage +else + echo "No coverage information found for pam_duo.c" +fi +if [ -f login_duo/login_duo.gcno ]; then + ( + cd login_duo || return + gcov login_duo.c + gcovr --txt + gcovr --html-details login_duo.html + gcovr --xml-pretty --exclude-unreachable-branches --print-summary -o login_duo.xml --root ${CI_PROJECT_DIR} + rm -f *.gcda + ) +mv login_duo/*.{css,html} coverage +else + echo "No coverage information found for login_duo.c" +fi +if [ -f lib/duo.gcno ]; then + ( + cd lib || return + gcov duo.c -o .libs + gcovr --txt + gcovr --html-details duo.html + rm -f .libs/*.gcda + ) + mv lib/*.{css,html} coverage +else + echo "No coverage information found for duo.c" +fi diff --git a/configure.ac b/configure.ac index 2e6fece..5ffded2 100644 --- a/configure.ac +++ b/configure.ac @@ -7,7 +7,7 @@ AC_PREREQ(2.65) # Package, version, bug report address AC_INIT([duo_unix], - [1.11.5], + [1.12.0], [support@duosecurity.com]) # Tells autoconf where to find necessary build scripts and macros. @@ -60,6 +60,7 @@ case "$host_os" in ;; *aix*) AC_MSG_NOTICE([-fstack-protector disabled on AIX]) + CFLAGS="$CFLAGS -Wl,-lm" has_stack_protector=no IS_AIX=yes ;; diff --git a/lib/Makefile.am b/lib/Makefile.am index 65299ff..adae01f 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -4,7 +4,7 @@ noinst_LTLIBRARIES = libduo.la libduo_la_SOURCES = bson.h bson.c cacert.h duo.c \ http_parser.h http_parser.c https.h https.c ini.h ini.c \ - urlenc.h urlenc.c util.c + urlenc.h urlenc.c util.c parson.h parson.c libduo_la_LIBADD = @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ # http://sourceware.org/autobook/autobook/autobook_91.html libduo_la_LDFLAGS = -no-undefined -version-info 3:0:0 -export-symbols-regex '^duo_' diff --git a/lib/duo.c b/lib/duo.c index 3b45c8c..18db8d4 100644 --- a/lib/duo.c +++ b/lib/duo.c @@ -31,8 +31,8 @@ #include #include "util.h" -#include "bson.h" #include "duo.h" +#include "parson.h" #include "duo_private.h" #include "ini.h" #include "urlenc.h" @@ -153,16 +153,17 @@ duo_close(struct duo_ctx *ctx) duo_reset(ctx); free(ctx->host); + // We need to add 1 here for the terminating \0 byte which strlen doesn't include if (ctx->ikey != NULL) { - duo_zero_free(ctx->ikey, strlen(ctx->ikey)); + duo_zero_free(ctx->ikey, strlen(ctx->ikey) + 1); ctx->ikey = NULL; } if (ctx->skey != NULL) { - duo_zero_free(ctx->skey, strlen(ctx->skey)); + duo_zero_free(ctx->skey, strlen(ctx->skey) + 1); ctx->skey = NULL; } if (ctx->useragent != NULL) { - duo_zero_free(ctx->useragent, strlen(ctx->useragent)); + duo_zero_free(ctx->useragent, strlen(ctx->useragent) + 1); ctx->useragent = NULL; } @@ -282,46 +283,62 @@ int _duo_add_failmode_param(struct duo_ctx *ctx, const int failmode) return duo_add_optional_param(ctx, "failmode", failmode_str); } -#define _BSON_FIND(ctx, it, obj, name, type) do { \ - if (bson_find(it, obj, name, ctx->body_len) != type) { \ - _duo_seterr(ctx, "BSON missing valid '%s'", name); \ - return (DUO_SERVER_ERROR); \ - } \ -} while (0) +#define _JSON_FIND_OBJECT(out_obj, in_obj, name, json_value) do { \ + out_obj = json_object_get_object(in_obj, name); \ + if (out_obj == NULL) { \ + _duo_seterr(ctx, "JSON missing valid '%s'", name); \ + _JSON_VALUE_FREE(json_value); \ + return (DUO_SERVER_ERROR); \ + } \ +} while(0) + +#define _JSON_FIND_STRING(buf, json_obj, name, json_value) do { \ + buf = json_object_get_string(json_obj, name); \ + if (buf == NULL) { \ + _duo_seterr(ctx, "JSON missing valid '%s'", name); \ + _JSON_VALUE_FREE(json_value); \ + return (DUO_SERVER_ERROR); \ + } \ +} while(0) + +# define _JSON_VALUE_FREE(value) do { \ + json_value_free(value); \ + value = NULL; \ +} while(0) static duo_code_t -_duo_bson_response(struct duo_ctx *ctx, bson *resp) -{ - bson obj; - bson_iterator it; - duo_code_t ret; - const char *p; - int code; - - bson_init(&obj, (char *)ctx->body, 0); +_duo_json_response(struct duo_ctx *ctx) { + JSON_Value *json; + JSON_Object *json_obj; + char *p; + int code = DUO_SERVER_ERROR; - ret = DUO_SERVER_ERROR; - if (ctx->body_len <= 0 || bson_size(&obj) > ctx->body_len) { - _duo_seterr(ctx, "invalid BSON response"); - return (ret); + json = json_parse_string(ctx->body); + if(json == NULL) { + _duo_seterr(ctx, "invalid JSON response"); + return (DUO_SERVER_ERROR); } - _BSON_FIND(ctx, &it, &obj, "stat", bson_string); - p = bson_iterator_string(&it); + json_obj = json_value_get_object(json); + _JSON_FIND_STRING(p, json_obj, "stat", json); if (strcasecmp(p, "OK") == 0) { - _BSON_FIND(ctx, &it, &obj, "response", bson_object); - if (resp) { - bson_iterator_subobject(&it, resp); + code = DUO_OK; + } + if (strcasecmp(p, "FAIL") == 0) { + char *message; + code = json_object_get_number(json_obj, "code"); + // json_object_get_number will return 0 if "code" not found + if (code == 0) { + _duo_seterr(ctx, "JSON missing valid 'code'"); + _JSON_VALUE_FREE(json); + return (DUO_SERVER_ERROR); } - ret = DUO_OK; - } else if (strcasecmp(p, "FAIL") == 0) { - _BSON_FIND(ctx, &it, &obj, "code", bson_int); - code = bson_iterator_int(&it); - _BSON_FIND(ctx, &it, &obj, "message", bson_string); - _duo_seterr(ctx, "%d: %s", code, bson_iterator_string(&it)); - ret = DUO_FAIL; + _JSON_FIND_STRING(message, json_obj, "message", json); + _duo_seterr(ctx, "%d: %s", code, message); + code = DUO_FAIL; } - return (ret); + _JSON_VALUE_FREE(json); + return code; } static duo_code_t @@ -382,12 +399,13 @@ duo_geterr(struct duo_ctx *ctx) } duo_code_t -_duo_preauth(struct duo_ctx *ctx, bson *obj, const char *username, +_duo_preauth(struct duo_ctx *ctx, const char *username, const char *client_ip, const int failmode) { - bson_iterator it; duo_code_t ret; const char *p; + JSON_Value *json; + JSON_Object *json_obj; /* Check preauth result */ if (duo_add_param(ctx, "user", username) != DUO_OK) { @@ -406,111 +424,139 @@ _duo_preauth(struct duo_ctx *ctx, bson *obj, const char *username, return (DUO_LIB_ERROR); } - if ((ret = duo_call(ctx, "POST", DUO_API_VERSION "/preauth.bson", ctx->https_timeout)) != DUO_OK || - (ret = _duo_bson_response(ctx, obj)) != DUO_OK) { + if ((ret = duo_call(ctx, "POST", DUO_API_VERSION "/preauth.json", ctx->https_timeout)) != DUO_OK || + (ret = _duo_json_response(ctx)) != DUO_OK) + { return (ret); } - _BSON_FIND(ctx, &it, obj, "result", bson_string); - p = bson_iterator_string(&it); - if (strcasecmp(p, "auth") != 0) { - _BSON_FIND(ctx, &it, obj, "status", bson_string); + json = json_parse_string(ctx->body); + json_obj = json_value_get_object(json); + JSON_Object *response; + _JSON_FIND_OBJECT(response, json_obj, "response", json); + _JSON_FIND_STRING(p, response, "result", json); + if (p == NULL) { + _duo_seterr(ctx, "JSON invalid 'result': %s", p); + ret = DUO_SERVER_ERROR; + } else if (strcasecmp(p, "auth") != 0) { + char *output; + _JSON_FIND_STRING(output, response, "status", json); if (strcasecmp(p, "allow") == 0) { - _duo_seterr(ctx, "%s", bson_iterator_string(&it)); + _duo_seterr(ctx, "%s", output); ret = DUO_OK; } else if (strcasecmp(p, "deny") == 0) { - _duo_seterr(ctx, "%s", bson_iterator_string(&it)); + _duo_seterr(ctx, "%s", output); if (ctx->conv_status != NULL) { - ctx->conv_status(ctx->conv_arg, - bson_iterator_string(&it)); + ctx->conv_status(ctx->conv_arg, output); } ret = DUO_ABORT; } else if (strcasecmp(p, "enroll") == 0) { if (ctx->conv_status != NULL) { - ctx->conv_status(ctx->conv_arg, - bson_iterator_string(&it)); + ctx->conv_status(ctx->conv_arg, output); } _duo_seterr(ctx, "User enrollment required"); ret = DUO_ABORT; } else { - _duo_seterr(ctx, "BSON invalid 'result': %s", p); + _duo_seterr(ctx, "JSON invalid 'result': %s", p); ret = DUO_SERVER_ERROR; } - return (ret); + } else { + ret = DUO_CONTINUE; } - return (DUO_CONTINUE); + _JSON_VALUE_FREE(json); + return (ret); } duo_code_t -_duo_prompt(struct duo_ctx *ctx, bson *obj, int flags, char *buf, - size_t sz, const char **p) +_duo_prompt(struct duo_ctx *ctx, int flags, char *buf, + size_t sz, char *p, size_t sp) { - bson_iterator it; char *pos, *passcode; passcode = getenv(DUO_ENV_VAR_NAME); if ((flags & DUO_FLAG_ENV) && (passcode != NULL)) { - *p = passcode; + if (strlcpy(p, passcode, sp) >= sp) { + return (DUO_LIB_ERROR); + } if (ctx->conv_status != NULL) { ctx->conv_status(ctx->conv_arg, ENV_VAR_MSG); } + return (DUO_CONTINUE); } else if ((flags & DUO_FLAG_AUTO) != 0) { /* Find default OOB factor for automatic login */ - _BSON_FIND(ctx, &it, obj, "factors", bson_object); - bson_iterator_subobject(&it, obj); - - if (bson_find(&it, obj, "default", ctx->body_len) != bson_string) { - _duo_seterr(ctx, "No default factor found for automatic login"); - return (DUO_ABORT); - } - *p = bson_iterator_string(&it); + JSON_Value *json = json_parse_string(ctx->body); + JSON_Object *json_obj = json_value_get_object(json); + JSON_Object *response; + JSON_Object *factors; + _JSON_FIND_OBJECT(response, json_obj, "response", json); + _JSON_FIND_OBJECT(factors, response, "factors", json); + + const char* default_factor; + _JSON_FIND_STRING(default_factor, factors, "default", json); if (ctx->conv_status) { - if ((pos = strstr(*p, "push"))) { + if ((pos = strstr(default_factor, "push"))) { ctx->conv_status(ctx->conv_arg, AUTOPUSH_MSG); - } else if ((pos = strstr(*p, "phone"))) { + } else if ((pos = strstr(default_factor, "phone"))) { ctx->conv_status(ctx->conv_arg, AUTOPHONE_MSG); } else { ctx->conv_status(ctx->conv_arg, AUTODEFAULT_MSG); } } + if (strlcpy(p, default_factor, sp) >= sp) { + _JSON_VALUE_FREE(json); + return (DUO_LIB_ERROR); + } else { + _JSON_VALUE_FREE(json); + return (DUO_CONTINUE); + } } else { /* Prompt user for factor choice / token */ if (ctx->conv_prompt == NULL) { _duo_seterr(ctx, "No prompt function set"); return (DUO_CLIENT_ERROR); } - _BSON_FIND(ctx, &it, obj, "prompt", bson_string); - *p = bson_iterator_string(&it); + JSON_Value *json = json_parse_string(ctx->body); + JSON_Object *json_obj = json_value_get_object(json); + JSON_Object *response; + _JSON_FIND_OBJECT(response, json_obj, "response", json); + + const char* prompt; + _JSON_FIND_STRING(prompt, response, "prompt", json); - if (ctx->conv_prompt(ctx->conv_arg, *p, buf, sz) == NULL) { + if (ctx->conv_prompt(ctx->conv_arg, prompt, buf, sz) == NULL) { _duo_seterr(ctx, "Error gathering user response"); + _JSON_VALUE_FREE(json); return (DUO_ABORT); } strtok(buf, "\r\n"); - _BSON_FIND(ctx, &it, obj, "factors", bson_object); - bson_iterator_subobject(&it, obj); + JSON_Object *factors; + _JSON_FIND_OBJECT(factors, response, "factors", json); - if (bson_find(&it, obj, buf, ctx->body_len) == bson_string) { - *p = bson_iterator_string(&it); - } else { - *p = buf; + // buf might not exist in factors JSON_Object, like if the user input + // a passcode + const char *factor_str = json_object_get_string(factors, buf); + if (factor_str == NULL) { + factor_str = buf; + } + if (strlcpy(p, factor_str, sp) >= sp) { + _JSON_VALUE_FREE(json); + return (DUO_LIB_ERROR); } + _JSON_VALUE_FREE(json); + return (DUO_CONTINUE); } - return (DUO_CONTINUE); } duo_code_t duo_login(struct duo_ctx *ctx, const char *username, const char *client_ip, int flags, const char *command, const int failmode) { - bson obj; - bson_iterator it; duo_code_t ret; char buf[256]; char *pushinfo = NULL; - const char *p; + char p[256]; int i; const char *local_ip; @@ -520,7 +566,7 @@ duo_login(struct duo_ctx *ctx, const char *username, } /* Check preauth status */ - if ((ret = _duo_preauth(ctx, &obj, username, client_ip, failmode)) != DUO_CONTINUE) { + if ((ret = _duo_preauth(ctx, username, client_ip, failmode)) != DUO_CONTINUE) { if(ret == DUO_SERVER_ERROR || ret == DUO_CONN_ERROR || ret == DUO_CLIENT_ERROR) { return (failmode == DUO_FAIL_SAFE) ? (DUO_FAIL_SAFE_ALLOW) : (DUO_FAIL_SECURE_DENY); } @@ -528,7 +574,7 @@ duo_login(struct duo_ctx *ctx, const char *username, } /* Handle factor selection */ - if ((ret = _duo_prompt(ctx, &obj, flags, buf, sizeof(buf), &p)) != DUO_CONTINUE) { + if ((ret = _duo_prompt(ctx, flags, buf, sizeof(buf), p, sizeof(p))) != DUO_CONTINUE) { return (ret); } @@ -563,36 +609,48 @@ duo_login(struct duo_ctx *ctx, const char *username, * the call is asynchronous, because async calls should return * immediately. */ - if ((ret = duo_call(ctx, "POST", DUO_API_VERSION "/auth.bson", + if ((ret = duo_call(ctx, "POST", DUO_API_VERSION "/auth.json", flags & DUO_FLAG_SYNC ? DUO_NO_TIMEOUT : ctx->https_timeout)) != DUO_OK || - (ret = _duo_bson_response(ctx, &obj)) != DUO_OK) { + (ret = _duo_json_response(ctx)) != DUO_OK) { return (ret); } /* Handle sync status */ if ((flags & DUO_FLAG_SYNC) != 0) { - _BSON_FIND(ctx, &it, &obj, "status", bson_string); + JSON_Value *json = json_parse_string(ctx->body); + JSON_Object *json_obj = json_value_get_object(json); + JSON_Object *json_response; + _JSON_FIND_OBJECT(json_response, json_obj, "response", json); + const char *status; + _JSON_FIND_STRING(status, json_response, "status", json); if (ctx->conv_status != NULL) { ctx->conv_status(ctx->conv_arg, - bson_iterator_string(&it)); + status); } - _BSON_FIND(ctx, &it, &obj, "result", bson_string); - p = bson_iterator_string(&it); + const char* result; + _JSON_FIND_STRING(result, json_response, "result", json); - if (strcasecmp(p, "allow") == 0) { + if (strcasecmp(result, "allow") == 0) { ret = DUO_OK; - } else if (strcasecmp(p, "deny") == 0) { + } else if (strcasecmp(result, "deny") == 0) { ret = DUO_FAIL; } else { - _duo_seterr(ctx, "BSON invalid 'result': %s", p); + _duo_seterr(ctx, "JSON invalid 'result': %s", result); ret = DUO_SERVER_ERROR; } + _JSON_VALUE_FREE(json); return (ret); } /* Async status - long-poll on txid */ - _BSON_FIND(ctx, &it, &obj, "txid", bson_string); - p = bson_iterator_string(&it); - if (strlcpy(buf, p, sizeof(buf)) >= sizeof(buf)) { + JSON_Value *json = json_parse_string(ctx->body); + JSON_Object *json_obj = json_value_get_object(json); + JSON_Object *json_response; + _JSON_FIND_OBJECT(json_response, json_obj, "response", json); + + const char* txid; + _JSON_FIND_STRING(txid, json_response, "txid", json); + if (strlcpy(buf, txid, sizeof(buf)) >= sizeof(buf)) { + _JSON_VALUE_FREE(json); return (DUO_LIB_ERROR); } /* XXX newline between prompt and async status lines */ @@ -604,30 +662,39 @@ duo_login(struct duo_ctx *ctx, const char *username, for (i = 0; i < 20; i++) { if ((ret = duo_add_param(ctx, "txid", buf)) != DUO_OK || (ret = duo_call(ctx, "GET", - DUO_API_VERSION "/status.bson", DUO_NO_TIMEOUT)) != DUO_OK || - (ret = _duo_bson_response(ctx, &obj)) != DUO_OK) { + DUO_API_VERSION "/status.json", DUO_NO_TIMEOUT)) != DUO_OK || + (ret = _duo_json_response(ctx)) != DUO_OK) { break; } - if (bson_find(&it, &obj, "status", ctx->body_len) == bson_string) { + + JSON_Value *json_new = json_parse_string(ctx->body); + JSON_Object *json_obj_new = json_value_get_object(json_new); + JSON_Object *json_response_new; + _JSON_FIND_OBJECT(json_response_new, json_obj_new, "response", json); + const char *status_json_obj; + _JSON_FIND_STRING(status_json_obj, json_response_new, "status", json); + if (status_json_obj != NULL) { if (ctx->conv_status != NULL) { - ctx->conv_status(ctx->conv_arg, - bson_iterator_string(&it)); + ctx->conv_status(ctx->conv_arg, status_json_obj); } } - if (bson_find(&it, &obj, "result", ctx->body_len) == bson_string) { - p = bson_iterator_string(&it); - if (strcasecmp(p, "allow") == 0) { + //We might not have 'result' defined but we don't want to quit the program + //if it's not in our object yet + const char* result = json_object_get_string(json_response_new, "result"); + if (result != NULL) { + if (strcasecmp(result, "allow") == 0) { ret = DUO_OK; - } else if (strcasecmp(p, "deny") == 0) { + } else if (strcasecmp(result, "deny") == 0) { ret = DUO_FAIL; } else { - _duo_seterr(ctx, "BSON invalid 'result': %s", - p); + _duo_seterr(ctx, "JSON invalid 'result': %s", + result); ret = DUO_SERVER_ERROR; } break; } } + _JSON_VALUE_FREE(json); return (ret); } diff --git a/lib/https.c b/lib/https.c index d3429e4..003935e 100644 --- a/lib/https.c +++ b/lib/https.c @@ -714,9 +714,11 @@ https_send(struct https_request *req, const char *method, const char *uri, while (BIO_flush(req->cbio) != 1) { if ((n = _BIO_wait(req->cbio, -1)) != 1) { ctx.errstr = n ? _SSL_strerror() : "Write timed out"; + free(qs); return (HTTPS_ERR_SERVER); } } + free(qs); return (HTTPS_OK); } diff --git a/lib/parson.c b/lib/parson.c new file mode 100644 index 0000000..617ce5e --- /dev/null +++ b/lib/parson.c @@ -0,0 +1,2424 @@ +/* + SPDX-License-Identifier: MIT + + Parson 1.2.1 ( http://kgabis.github.com/parson/ ) + Copyright (c) 2012 - 2021 Krzysztof Gabis + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +*/ +#ifdef _MSC_VER +#ifndef _CRT_SECURE_NO_WARNINGS +#define _CRT_SECURE_NO_WARNINGS +#endif /* _CRT_SECURE_NO_WARNINGS */ +#endif /* _MSC_VER */ + +#include "parson.h" + +#define PARSON_IMPL_VERSION_MAJOR 1 +#define PARSON_IMPL_VERSION_MINOR 2 +#define PARSON_IMPL_VERSION_PATCH 1 + +#if (PARSON_VERSION_MAJOR != PARSON_IMPL_VERSION_MAJOR)\ +|| (PARSON_VERSION_MINOR != PARSON_IMPL_VERSION_MINOR)\ +|| (PARSON_VERSION_PATCH != PARSON_IMPL_VERSION_PATCH) +#error "parson version mismatch between parson.c and parson.h" +#endif + +#include +#include +#include +#include +#include +#include + +/* Apparently sscanf is not implemented in some "standard" libraries, so don't use it, if you + * don't have to. */ +#ifdef sscanf +#undef sscanf +#define sscanf THINK_TWICE_ABOUT_USING_SSCANF +#endif + +/* strcpy is unsafe */ +#ifdef strcpy +#undef strcpy +#endif +#define strcpy USE_MEMCPY_INSTEAD_OF_STRCPY + +#define STARTING_CAPACITY 16 +#define MAX_NESTING 2048 + +#define FLOAT_FORMAT "%1.17g" /* do not increase precision without incresing NUM_BUF_SIZE */ +#define NUM_BUF_SIZE 64 /* double printed with "%1.17g" shouldn't be longer than 25 bytes so let's be paranoid and use 64 */ + +#define SIZEOF_TOKEN(a) (sizeof(a) - 1) +#define SKIP_CHAR(str) ((*str)++) +#define SKIP_WHITESPACES(str) while (isspace((unsigned char)(**str))) { SKIP_CHAR(str); } +#define MAX(a, b) ((a) > (b) ? (a) : (b)) + +#undef malloc +#undef free + +#if defined(isnan) && defined(isinf) +#define IS_NUMBER_INVALID(x) (isnan((x)) || isinf((x))) +#else +#define IS_NUMBER_INVALID(x) (((x) * 0.0) != 0.0) +#endif + +#define OBJECT_INVALID_IX ((size_t)-1) + +static JSON_Malloc_Function parson_malloc = malloc; +static JSON_Free_Function parson_free = free; + +static int parson_escape_slashes = 1; + +#define IS_CONT(b) (((unsigned char)(b) & 0xC0) == 0x80) /* is utf-8 continuation byte */ + +typedef int parson_bool_t; + +#define PARSON_TRUE 1 +#define PARSON_FALSE 0 + +typedef struct json_string { + char *chars; + size_t length; +} JSON_String; + +/* Type definitions */ +typedef union json_value_value { + JSON_String string; + double number; + JSON_Object *object; + JSON_Array *array; + int boolean; + int null; +} JSON_Value_Value; + +struct json_value_t { + JSON_Value *parent; + JSON_Value_Type type; + JSON_Value_Value value; +}; + +struct json_object_t { + JSON_Value *wrapping_value; + size_t *cells; + unsigned long *hashes; + char **names; + JSON_Value **values; + size_t *cell_ixs; + size_t count; + size_t item_capacity; + size_t cell_capacity; +}; + +struct json_array_t { + JSON_Value *wrapping_value; + JSON_Value **items; + size_t count; + size_t capacity; +}; + +/* Various */ +static char * read_file(const char *filename); +static void remove_comments(char *string, const char *start_token, const char *end_token); +static char * parson_strndup(const char *string, size_t n); +static char * parson_strdup(const char *string); +static int hex_char_to_int(char c); +static JSON_Status parse_utf16_hex(const char *string, unsigned int *result); +static int num_bytes_in_utf8_sequence(unsigned char c); +static JSON_Status verify_utf8_sequence(const unsigned char *string, int *len); +static parson_bool_t is_valid_utf8(const char *string, size_t string_len); +static parson_bool_t is_decimal(const char *string, size_t length); +static unsigned long hash_string(const char *string, size_t n); + +/* JSON Object */ +static JSON_Object * json_object_make(JSON_Value *wrapping_value); +static JSON_Status json_object_init(JSON_Object *object, size_t capacity); +static void json_object_deinit(JSON_Object *object, parson_bool_t free_keys, parson_bool_t free_values); +static JSON_Status json_object_grow_and_rehash(JSON_Object *object); +static size_t json_object_get_cell_ix(const JSON_Object *object, const char *key, size_t key_len, unsigned long hash, parson_bool_t *out_found); +static JSON_Status json_object_add(JSON_Object *object, char *name, JSON_Value *value); +static JSON_Value * json_object_getn_value(const JSON_Object *object, const char *name, size_t name_len); +static JSON_Status json_object_remove_internal(JSON_Object *object, const char *name, parson_bool_t free_value); +static JSON_Status json_object_dotremove_internal(JSON_Object *object, const char *name, parson_bool_t free_value); +static void json_object_free(JSON_Object *object); + +/* JSON Array */ +static JSON_Array * json_array_make(JSON_Value *wrapping_value); +static JSON_Status json_array_add(JSON_Array *array, JSON_Value *value); +static JSON_Status json_array_resize(JSON_Array *array, size_t new_capacity); +static void json_array_free(JSON_Array *array); + +/* JSON Value */ +static JSON_Value * json_value_init_string_no_copy(char *string, size_t length); +static const JSON_String * json_value_get_string_desc(const JSON_Value *value); + +/* Parser */ +static JSON_Status skip_quotes(const char **string); +static JSON_Status parse_utf16(const char **unprocessed, char **processed); +static char * process_string(const char *input, size_t input_len, size_t *output_len); +static char * get_quoted_string(const char **string, size_t *output_string_len); +static JSON_Value * parse_object_value(const char **string, size_t nesting); +static JSON_Value * parse_array_value(const char **string, size_t nesting); +static JSON_Value * parse_string_value(const char **string); +static JSON_Value * parse_boolean_value(const char **string); +static JSON_Value * parse_number_value(const char **string); +static JSON_Value * parse_null_value(const char **string); +static JSON_Value * parse_value(const char **string, size_t nesting); + +/* Serialization */ +static int json_serialize_to_buffer_r(const JSON_Value *value, char *buf, int level, parson_bool_t is_pretty, char *num_buf); +static int json_serialize_string(const char *string, size_t len, char *buf); +static int append_indent(char *buf, int level); +static int append_string(char *buf, const char *string); + +/* Various */ +static char * read_file(const char * filename) { + FILE *fp = fopen(filename, "r"); + size_t size_to_read = 0; + size_t size_read = 0; + long pos; + char *file_contents; + if (!fp) { + return NULL; + } + fseek(fp, 0L, SEEK_END); + pos = ftell(fp); + if (pos < 0) { + fclose(fp); + return NULL; + } + size_to_read = pos; + rewind(fp); + file_contents = (char*)parson_malloc(sizeof(char) * (size_to_read + 1)); + if (!file_contents) { + fclose(fp); + return NULL; + } + size_read = fread(file_contents, 1, size_to_read, fp); + if (size_read == 0 || ferror(fp)) { + fclose(fp); + parson_free(file_contents); + return NULL; + } + fclose(fp); + file_contents[size_read] = '\0'; + return file_contents; +} + +static void remove_comments(char *string, const char *start_token, const char *end_token) { + parson_bool_t in_string = PARSON_FALSE, escaped = PARSON_FALSE; + size_t i; + char *ptr = NULL, current_char; + size_t start_token_len = strlen(start_token); + size_t end_token_len = strlen(end_token); + if (start_token_len == 0 || end_token_len == 0) { + return; + } + while ((current_char = *string) != '\0') { + if (current_char == '\\' && !escaped) { + escaped = PARSON_TRUE; + string++; + continue; + } else if (current_char == '\"' && !escaped) { + in_string = !in_string; + } else if (!in_string && strncmp(string, start_token, start_token_len) == 0) { + for(i = 0; i < start_token_len; i++) { + string[i] = ' '; + } + string = string + start_token_len; + ptr = strstr(string, end_token); + if (!ptr) { + return; + } + for (i = 0; i < (ptr - string) + end_token_len; i++) { + string[i] = ' '; + } + string = ptr + end_token_len - 1; + } + escaped = PARSON_FALSE; + string++; + } +} + +static char * parson_strndup(const char *string, size_t n) { + /* We expect the caller has validated that 'n' fits within the input buffer. */ + char *output_string = (char*)parson_malloc(n + 1); + if (!output_string) { + return NULL; + } + output_string[n] = '\0'; + memcpy(output_string, string, n); + return output_string; +} + +static char * parson_strdup(const char *string) { + return parson_strndup(string, strlen(string)); +} + +static int hex_char_to_int(char c) { + if (c >= '0' && c <= '9') { + return c - '0'; + } else if (c >= 'a' && c <= 'f') { + return c - 'a' + 10; + } else if (c >= 'A' && c <= 'F') { + return c - 'A' + 10; + } + return -1; +} + +static JSON_Status parse_utf16_hex(const char *s, unsigned int *result) { + int x1, x2, x3, x4; + if (s[0] == '\0' || s[1] == '\0' || s[2] == '\0' || s[3] == '\0') { + return JSONFailure; + } + x1 = hex_char_to_int(s[0]); + x2 = hex_char_to_int(s[1]); + x3 = hex_char_to_int(s[2]); + x4 = hex_char_to_int(s[3]); + if (x1 == -1 || x2 == -1 || x3 == -1 || x4 == -1) { + return JSONFailure; + } + *result = (unsigned int)((x1 << 12) | (x2 << 8) | (x3 << 4) | x4); + return JSONSuccess; +} + +static int num_bytes_in_utf8_sequence(unsigned char c) { + if (c == 0xC0 || c == 0xC1 || c > 0xF4 || IS_CONT(c)) { + return 0; + } else if ((c & 0x80) == 0) { /* 0xxxxxxx */ + return 1; + } else if ((c & 0xE0) == 0xC0) { /* 110xxxxx */ + return 2; + } else if ((c & 0xF0) == 0xE0) { /* 1110xxxx */ + return 3; + } else if ((c & 0xF8) == 0xF0) { /* 11110xxx */ + return 4; + } + return 0; /* won't happen */ +} + +static JSON_Status verify_utf8_sequence(const unsigned char *string, int *len) { + unsigned int cp = 0; + *len = num_bytes_in_utf8_sequence(string[0]); + + if (*len == 1) { + cp = string[0]; + } else if (*len == 2 && IS_CONT(string[1])) { + cp = string[0] & 0x1F; + cp = (cp << 6) | (string[1] & 0x3F); + } else if (*len == 3 && IS_CONT(string[1]) && IS_CONT(string[2])) { + cp = ((unsigned char)string[0]) & 0xF; + cp = (cp << 6) | (string[1] & 0x3F); + cp = (cp << 6) | (string[2] & 0x3F); + } else if (*len == 4 && IS_CONT(string[1]) && IS_CONT(string[2]) && IS_CONT(string[3])) { + cp = string[0] & 0x7; + cp = (cp << 6) | (string[1] & 0x3F); + cp = (cp << 6) | (string[2] & 0x3F); + cp = (cp << 6) | (string[3] & 0x3F); + } else { + return JSONFailure; + } + + /* overlong encodings */ + if ((cp < 0x80 && *len > 1) || + (cp < 0x800 && *len > 2) || + (cp < 0x10000 && *len > 3)) { + return JSONFailure; + } + + /* invalid unicode */ + if (cp > 0x10FFFF) { + return JSONFailure; + } + + /* surrogate halves */ + if (cp >= 0xD800 && cp <= 0xDFFF) { + return JSONFailure; + } + + return JSONSuccess; +} + +static int is_valid_utf8(const char *string, size_t string_len) { + int len = 0; + const char *string_end = string + string_len; + while (string < string_end) { + if (verify_utf8_sequence((const unsigned char*)string, &len) != JSONSuccess) { + return PARSON_FALSE; + } + string += len; + } + return PARSON_TRUE; +} + +static parson_bool_t is_decimal(const char *string, size_t length) { + if (length > 1 && string[0] == '0' && string[1] != '.') { + return PARSON_FALSE; + } + if (length > 2 && !strncmp(string, "-0", 2) && string[2] != '.') { + return PARSON_FALSE; + } + while (length--) { + if (strchr("xX", string[length])) { + return PARSON_FALSE; + } + } + return PARSON_TRUE; +} + +static unsigned long hash_string(const char *string, size_t n) { +#ifdef PARSON_FORCE_HASH_COLLISIONS + (void)string; + (void)n; + return 0; +#else + unsigned long hash = 5381; + unsigned char c; + size_t i = 0; + for (i = 0; i < n; i++) { + c = string[i]; + if (c == '\0') { + break; + } + hash = ((hash << 5) + hash) + c; /* hash * 33 + c */ + } + return hash; +#endif +} + +/* JSON Object */ +static JSON_Object * json_object_make(JSON_Value *wrapping_value) { + JSON_Status res = JSONFailure; + JSON_Object *new_obj = (JSON_Object*)parson_malloc(sizeof(JSON_Object)); + if (new_obj == NULL) { + return NULL; + } + new_obj->wrapping_value = wrapping_value; + res = json_object_init(new_obj, 0); + if (res != JSONSuccess) { + parson_free(new_obj); + return NULL; + } + return new_obj; +} + +static JSON_Status json_object_init(JSON_Object *object, size_t capacity) { + unsigned int i = 0; + + object->cells = NULL; + object->names = NULL; + object->values = NULL; + object->cell_ixs = NULL; + object->hashes = NULL; + + object->count = 0; + object->cell_capacity = capacity; + object->item_capacity = (unsigned int)(capacity * 0.7f); + + if (capacity == 0) { + return JSONSuccess; + } + + object->cells = (size_t*)parson_malloc(object->cell_capacity * sizeof(*object->cells)); + object->names = (char**)parson_malloc(object->item_capacity * sizeof(*object->names)); + object->values = (JSON_Value**)parson_malloc(object->item_capacity * sizeof(*object->values)); + object->cell_ixs = (size_t*)parson_malloc(object->item_capacity * sizeof(*object->cell_ixs)); + object->hashes = (unsigned long*)parson_malloc(object->item_capacity * sizeof(*object->hashes)); + if (object->cells == NULL + || object->names == NULL + || object->values == NULL + || object->cell_ixs == NULL + || object->hashes == NULL) { + goto error; + } + for (i = 0; i < object->cell_capacity; i++) { + object->cells[i] = OBJECT_INVALID_IX; + } + return JSONSuccess; +error: + parson_free(object->cells); + parson_free(object->names); + parson_free(object->values); + parson_free(object->cell_ixs); + parson_free(object->hashes); + return JSONFailure; +} + +static void json_object_deinit(JSON_Object *object, parson_bool_t free_keys, parson_bool_t free_values) { + unsigned int i = 0; + for (i = 0; i < object->count; i++) { + if (free_keys) { + parson_free(object->names[i]); + } + if (free_values) { + json_value_free(object->values[i]); + } + } + + object->count = 0; + object->item_capacity = 0; + object->cell_capacity = 0; + + parson_free(object->cells); + parson_free(object->names); + parson_free(object->values); + parson_free(object->cell_ixs); + parson_free(object->hashes); + + object->cells = NULL; + object->names = NULL; + object->values = NULL; + object->cell_ixs = NULL; + object->hashes = NULL; +} + +static JSON_Status json_object_grow_and_rehash(JSON_Object *object) { + JSON_Value *wrapping_value = NULL; + JSON_Object new_object; + char *key = NULL; + JSON_Value *value = NULL; + unsigned int i = 0; + size_t new_capacity = MAX(object->cell_capacity * 2, STARTING_CAPACITY); + JSON_Status res = json_object_init(&new_object, new_capacity); + if (res != JSONSuccess) { + return JSONFailure; + } + + wrapping_value = json_object_get_wrapping_value(object); + new_object.wrapping_value = wrapping_value; + + for (i = 0; i < object->count; i++) { + key = object->names[i]; + value = object->values[i]; + res = json_object_add(&new_object, key, value); + if (res != JSONSuccess) { + json_object_deinit(&new_object, PARSON_FALSE, PARSON_FALSE); + return JSONFailure; + } + value->parent = wrapping_value; + } + json_object_deinit(object, PARSON_FALSE, PARSON_FALSE); + *object = new_object; + return JSONSuccess; +} + +static size_t json_object_get_cell_ix(const JSON_Object *object, const char *key, size_t key_len, unsigned long hash, parson_bool_t *out_found) { + size_t cell_ix = hash & (object->cell_capacity - 1); + size_t cell = 0; + size_t ix = 0; + unsigned int i = 0; + unsigned long hash_to_check = 0; + const char *key_to_check = NULL; + size_t key_to_check_len = 0; + + *out_found = PARSON_FALSE; + + for (i = 0; i < object->cell_capacity; i++) { + ix = (cell_ix + i) & (object->cell_capacity - 1); + cell = object->cells[ix]; + if (cell == OBJECT_INVALID_IX) { + return ix; + } + hash_to_check = object->hashes[cell]; + if (hash != hash_to_check) { + continue; + } + key_to_check = object->names[cell]; + key_to_check_len = strlen(key_to_check); + if (key_to_check_len == key_len && strncmp(key, key_to_check, key_len) == 0) { + *out_found = PARSON_TRUE; + return ix; + } + } + return OBJECT_INVALID_IX; +} + +static JSON_Status json_object_add(JSON_Object *object, char *name, JSON_Value *value) { + unsigned long hash = 0; + parson_bool_t found = PARSON_FALSE; + size_t cell_ix = 0; + JSON_Status res = JSONFailure; + + if (!object || !name || !value) { + return JSONFailure; + } + + hash = hash_string(name, strlen(name)); + found = PARSON_FALSE; + cell_ix = json_object_get_cell_ix(object, name, strlen(name), hash, &found); + if (found) { + return JSONFailure; + } + + if (object->count >= object->item_capacity) { + res = json_object_grow_and_rehash(object); + if (res != JSONSuccess) { + return JSONFailure; + } + cell_ix = json_object_get_cell_ix(object, name, strlen(name), hash, &found); + } + + object->names[object->count] = name; + object->cells[cell_ix] = object->count; + object->values[object->count] = value; + object->cell_ixs[object->count] = cell_ix; + object->hashes[object->count] = hash; + object->count++; + value->parent = json_object_get_wrapping_value(object); + + return JSONSuccess; +} + +static JSON_Value * json_object_getn_value(const JSON_Object *object, const char *name, size_t name_len) { + unsigned long hash = 0; + parson_bool_t found = PARSON_FALSE; + unsigned long cell_ix = 0; + size_t item_ix = 0; + if (!object || !name) { + return NULL; + } + hash = hash_string(name, name_len); + found = PARSON_FALSE; + cell_ix = json_object_get_cell_ix(object, name, name_len, hash, &found); + if (!found) { + return NULL; + } + item_ix = object->cells[cell_ix]; + return object->values[item_ix]; +} + +static JSON_Status json_object_remove_internal(JSON_Object *object, const char *name, parson_bool_t free_value) { + unsigned long hash = 0; + parson_bool_t found = PARSON_FALSE; + size_t cell = 0; + size_t item_ix = 0; + size_t last_item_ix = 0; + size_t i = 0; + size_t j = 0; + size_t x = 0; + size_t k = 0; + JSON_Value *val = NULL; + + if (object == NULL) { + return JSONFailure; + } + + hash = hash_string(name, strlen(name)); + found = PARSON_FALSE; + cell = json_object_get_cell_ix(object, name, strlen(name), hash, &found); + if (!found) { + return JSONFailure; + } + + item_ix = object->cells[cell]; + if (free_value) { + val = object->values[item_ix]; + json_value_free(val); + val = NULL; + } + + parson_free(object->names[item_ix]); + last_item_ix = object->count - 1; + if (item_ix < last_item_ix) { + object->names[item_ix] = object->names[last_item_ix]; + object->values[item_ix] = object->values[last_item_ix]; + object->cell_ixs[item_ix] = object->cell_ixs[last_item_ix]; + object->hashes[item_ix] = object->hashes[last_item_ix]; + object->cells[object->cell_ixs[item_ix]] = item_ix; + } + object->count--; + + i = cell; + j = i; + for (x = 0; x < (object->cell_capacity - 1); x++) { + j = (j + 1) & (object->cell_capacity - 1); + if (object->cells[j] == OBJECT_INVALID_IX) { + break; + } + k = object->hashes[object->cells[j]] & (object->cell_capacity - 1); + if ((j > i && (k <= i || k > j)) + || (j < i && (k <= i && k > j))) { + object->cell_ixs[object->cells[j]] = i; + object->cells[i] = object->cells[j]; + i = j; + } + } + object->cells[i] = OBJECT_INVALID_IX; + return JSONSuccess; +} + +static JSON_Status json_object_dotremove_internal(JSON_Object *object, const char *name, parson_bool_t free_value) { + JSON_Value *temp_value = NULL; + JSON_Object *temp_object = NULL; + const char *dot_pos = strchr(name, '.'); + if (!dot_pos) { + return json_object_remove_internal(object, name, free_value); + } + temp_value = json_object_getn_value(object, name, dot_pos - name); + if (json_value_get_type(temp_value) != JSONObject) { + return JSONFailure; + } + temp_object = json_value_get_object(temp_value); + return json_object_dotremove_internal(temp_object, dot_pos + 1, free_value); +} + +static void json_object_free(JSON_Object *object) { + json_object_deinit(object, PARSON_TRUE, PARSON_TRUE); + parson_free(object); +} + +/* JSON Array */ +static JSON_Array * json_array_make(JSON_Value *wrapping_value) { + JSON_Array *new_array = (JSON_Array*)parson_malloc(sizeof(JSON_Array)); + if (new_array == NULL) { + return NULL; + } + new_array->wrapping_value = wrapping_value; + new_array->items = (JSON_Value**)NULL; + new_array->capacity = 0; + new_array->count = 0; + return new_array; +} + +static JSON_Status json_array_add(JSON_Array *array, JSON_Value *value) { + if (array->count >= array->capacity) { + size_t new_capacity = MAX(array->capacity * 2, STARTING_CAPACITY); + if (json_array_resize(array, new_capacity) != JSONSuccess) { + return JSONFailure; + } + } + value->parent = json_array_get_wrapping_value(array); + array->items[array->count] = value; + array->count++; + return JSONSuccess; +} + +static JSON_Status json_array_resize(JSON_Array *array, size_t new_capacity) { + JSON_Value **new_items = NULL; + if (new_capacity == 0) { + return JSONFailure; + } + new_items = (JSON_Value**)parson_malloc(new_capacity * sizeof(JSON_Value*)); + if (new_items == NULL) { + return JSONFailure; + } + if (array->items != NULL && array->count > 0) { + memcpy(new_items, array->items, array->count * sizeof(JSON_Value*)); + } + parson_free(array->items); + array->items = new_items; + array->capacity = new_capacity; + return JSONSuccess; +} + +static void json_array_free(JSON_Array *array) { + size_t i; + for (i = 0; i < array->count; i++) { + json_value_free(array->items[i]); + } + parson_free(array->items); + parson_free(array); +} + +/* JSON Value */ +static JSON_Value * json_value_init_string_no_copy(char *string, size_t length) { + JSON_Value *new_value = (JSON_Value*)parson_malloc(sizeof(JSON_Value)); + if (!new_value) { + return NULL; + } + new_value->parent = NULL; + new_value->type = JSONString; + new_value->value.string.chars = string; + new_value->value.string.length = length; + return new_value; +} + +/* Parser */ +static JSON_Status skip_quotes(const char **string) { + if (**string != '\"') { + return JSONFailure; + } + SKIP_CHAR(string); + while (**string != '\"') { + if (**string == '\0') { + return JSONFailure; + } else if (**string == '\\') { + SKIP_CHAR(string); + if (**string == '\0') { + return JSONFailure; + } + } + SKIP_CHAR(string); + } + SKIP_CHAR(string); + return JSONSuccess; +} + +static JSON_Status parse_utf16(const char **unprocessed, char **processed) { + unsigned int cp, lead, trail; + char *processed_ptr = *processed; + const char *unprocessed_ptr = *unprocessed; + JSON_Status status = JSONFailure; + unprocessed_ptr++; /* skips u */ + status = parse_utf16_hex(unprocessed_ptr, &cp); + if (status != JSONSuccess) { + return JSONFailure; + } + if (cp < 0x80) { + processed_ptr[0] = (char)cp; /* 0xxxxxxx */ + } else if (cp < 0x800) { + processed_ptr[0] = ((cp >> 6) & 0x1F) | 0xC0; /* 110xxxxx */ + processed_ptr[1] = ((cp) & 0x3F) | 0x80; /* 10xxxxxx */ + processed_ptr += 1; + } else if (cp < 0xD800 || cp > 0xDFFF) { + processed_ptr[0] = ((cp >> 12) & 0x0F) | 0xE0; /* 1110xxxx */ + processed_ptr[1] = ((cp >> 6) & 0x3F) | 0x80; /* 10xxxxxx */ + processed_ptr[2] = ((cp) & 0x3F) | 0x80; /* 10xxxxxx */ + processed_ptr += 2; + } else if (cp >= 0xD800 && cp <= 0xDBFF) { /* lead surrogate (0xD800..0xDBFF) */ + lead = cp; + unprocessed_ptr += 4; /* should always be within the buffer, otherwise previous sscanf would fail */ + if (*unprocessed_ptr++ != '\\' || *unprocessed_ptr++ != 'u') { + return JSONFailure; + } + status = parse_utf16_hex(unprocessed_ptr, &trail); + if (status != JSONSuccess || trail < 0xDC00 || trail > 0xDFFF) { /* valid trail surrogate? (0xDC00..0xDFFF) */ + return JSONFailure; + } + cp = ((((lead - 0xD800) & 0x3FF) << 10) | ((trail - 0xDC00) & 0x3FF)) + 0x010000; + processed_ptr[0] = (((cp >> 18) & 0x07) | 0xF0); /* 11110xxx */ + processed_ptr[1] = (((cp >> 12) & 0x3F) | 0x80); /* 10xxxxxx */ + processed_ptr[2] = (((cp >> 6) & 0x3F) | 0x80); /* 10xxxxxx */ + processed_ptr[3] = (((cp) & 0x3F) | 0x80); /* 10xxxxxx */ + processed_ptr += 3; + } else { /* trail surrogate before lead surrogate */ + return JSONFailure; + } + unprocessed_ptr += 3; + *processed = processed_ptr; + *unprocessed = unprocessed_ptr; + return JSONSuccess; +} + + +/* Copies and processes passed string up to supplied length. +Example: "\u006Corem ipsum" -> lorem ipsum */ +static char* process_string(const char *input, size_t input_len, size_t *output_len) { + const char *input_ptr = input; + size_t initial_size = (input_len + 1) * sizeof(char); + size_t final_size = 0; + char *output = NULL, *output_ptr = NULL, *resized_output = NULL; + output = (char*)parson_malloc(initial_size); + if (output == NULL) { + goto error; + } + output_ptr = output; + while ((*input_ptr != '\0') && (size_t)(input_ptr - input) < input_len) { + if (*input_ptr == '\\') { + input_ptr++; + switch (*input_ptr) { + case '\"': *output_ptr = '\"'; break; + case '\\': *output_ptr = '\\'; break; + case '/': *output_ptr = '/'; break; + case 'b': *output_ptr = '\b'; break; + case 'f': *output_ptr = '\f'; break; + case 'n': *output_ptr = '\n'; break; + case 'r': *output_ptr = '\r'; break; + case 't': *output_ptr = '\t'; break; + case 'u': + if (parse_utf16(&input_ptr, &output_ptr) != JSONSuccess) { + goto error; + } + break; + default: + goto error; + } + } else if ((unsigned char)*input_ptr < 0x20) { + goto error; /* 0x00-0x19 are invalid characters for json string (http://www.ietf.org/rfc/rfc4627.txt) */ + } else { + *output_ptr = *input_ptr; + } + output_ptr++; + input_ptr++; + } + *output_ptr = '\0'; + /* resize to new length */ + final_size = (size_t)(output_ptr-output) + 1; + /* todo: don't resize if final_size == initial_size */ + resized_output = (char*)parson_malloc(final_size); + if (resized_output == NULL) { + goto error; + } + memcpy(resized_output, output, final_size); + *output_len = final_size - 1; + parson_free(output); + return resized_output; +error: + parson_free(output); + return NULL; +} + +/* Return processed contents of a string between quotes and + skips passed argument to a matching quote. */ +static char * get_quoted_string(const char **string, size_t *output_string_len) { + const char *string_start = *string; + size_t input_string_len = 0; + JSON_Status status = skip_quotes(string); + if (status != JSONSuccess) { + return NULL; + } + input_string_len = *string - string_start - 2; /* length without quotes */ + return process_string(string_start + 1, input_string_len, output_string_len); +} + +static JSON_Value * parse_value(const char **string, size_t nesting) { + if (nesting > MAX_NESTING) { + return NULL; + } + SKIP_WHITESPACES(string); + switch (**string) { + case '{': + return parse_object_value(string, nesting + 1); + case '[': + return parse_array_value(string, nesting + 1); + case '\"': + return parse_string_value(string); + case 'f': case 't': + return parse_boolean_value(string); + case '-': + case '0': case '1': case '2': case '3': case '4': + case '5': case '6': case '7': case '8': case '9': + return parse_number_value(string); + case 'n': + return parse_null_value(string); + default: + return NULL; + } +} + +static JSON_Value * parse_object_value(const char **string, size_t nesting) { + JSON_Status status = JSONFailure; + JSON_Value *output_value = NULL, *new_value = NULL; + JSON_Object *output_object = NULL; + char *new_key = NULL; + + output_value = json_value_init_object(); + if (output_value == NULL) { + return NULL; + } + if (**string != '{') { + json_value_free(output_value); + return NULL; + } + output_object = json_value_get_object(output_value); + SKIP_CHAR(string); + SKIP_WHITESPACES(string); + if (**string == '}') { /* empty object */ + SKIP_CHAR(string); + return output_value; + } + while (**string != '\0') { + size_t key_len = 0; + new_key = get_quoted_string(string, &key_len); + /* We do not support key names with embedded \0 chars */ + if (!new_key) { + json_value_free(output_value); + return NULL; + } + if (key_len != strlen(new_key)) { + parson_free(new_key); + json_value_free(output_value); + return NULL; + } + SKIP_WHITESPACES(string); + if (**string != ':') { + parson_free(new_key); + json_value_free(output_value); + return NULL; + } + SKIP_CHAR(string); + new_value = parse_value(string, nesting); + if (new_value == NULL) { + parson_free(new_key); + json_value_free(output_value); + return NULL; + } + status = json_object_add(output_object, new_key, new_value); + if (status != JSONSuccess) { + parson_free(new_key); + json_value_free(new_value); + json_value_free(output_value); + return NULL; + } + SKIP_WHITESPACES(string); + if (**string != ',') { + break; + } + SKIP_CHAR(string); + SKIP_WHITESPACES(string); + } + SKIP_WHITESPACES(string); + if (**string != '}') { + json_value_free(output_value); + return NULL; + } + SKIP_CHAR(string); + return output_value; +} + +static JSON_Value * parse_array_value(const char **string, size_t nesting) { + JSON_Value *output_value = NULL, *new_array_value = NULL; + JSON_Array *output_array = NULL; + output_value = json_value_init_array(); + if (output_value == NULL) { + return NULL; + } + if (**string != '[') { + json_value_free(output_value); + return NULL; + } + output_array = json_value_get_array(output_value); + SKIP_CHAR(string); + SKIP_WHITESPACES(string); + if (**string == ']') { /* empty array */ + SKIP_CHAR(string); + return output_value; + } + while (**string != '\0') { + new_array_value = parse_value(string, nesting); + if (new_array_value == NULL) { + json_value_free(output_value); + return NULL; + } + if (json_array_add(output_array, new_array_value) != JSONSuccess) { + json_value_free(new_array_value); + json_value_free(output_value); + return NULL; + } + SKIP_WHITESPACES(string); + if (**string != ',') { + break; + } + SKIP_CHAR(string); + SKIP_WHITESPACES(string); + } + SKIP_WHITESPACES(string); + if (**string != ']' || /* Trim array after parsing is over */ + json_array_resize(output_array, json_array_get_count(output_array)) != JSONSuccess) { + json_value_free(output_value); + return NULL; + } + SKIP_CHAR(string); + return output_value; +} + +static JSON_Value * parse_string_value(const char **string) { + JSON_Value *value = NULL; + size_t new_string_len = 0; + char *new_string = get_quoted_string(string, &new_string_len); + if (new_string == NULL) { + return NULL; + } + value = json_value_init_string_no_copy(new_string, new_string_len); + if (value == NULL) { + parson_free(new_string); + return NULL; + } + return value; +} + +static JSON_Value * parse_boolean_value(const char **string) { + size_t true_token_size = SIZEOF_TOKEN("true"); + size_t false_token_size = SIZEOF_TOKEN("false"); + if (strncmp("true", *string, true_token_size) == 0) { + *string += true_token_size; + return json_value_init_boolean(1); + } else if (strncmp("false", *string, false_token_size) == 0) { + *string += false_token_size; + return json_value_init_boolean(0); + } + return NULL; +} + +static JSON_Value * parse_number_value(const char **string) { + char *end; + double number = 0; + errno = 0; + number = strtod(*string, &end); + if (errno == ERANGE && (number <= -HUGE_VAL || number >= HUGE_VAL)) { + return NULL; + } + if ((errno && errno != ERANGE) || !is_decimal(*string, end - *string)) { + return NULL; + } + *string = end; + return json_value_init_number(number); +} + +static JSON_Value * parse_null_value(const char **string) { + size_t token_size = SIZEOF_TOKEN("null"); + if (strncmp("null", *string, token_size) == 0) { + *string += token_size; + return json_value_init_null(); + } + return NULL; +} + +/* Serialization */ +#define APPEND_STRING(str) do { written = append_string(buf, (str));\ + if (written < 0) { return -1; }\ + if (buf != NULL) { buf += written; }\ + written_total += written; } while(0) + +#define APPEND_INDENT(level) do { written = append_indent(buf, (level));\ + if (written < 0) { return -1; }\ + if (buf != NULL) { buf += written; }\ + written_total += written; } while(0) + +static int json_serialize_to_buffer_r(const JSON_Value *value, char *buf, int level, parson_bool_t is_pretty, char *num_buf) +{ + const char *key = NULL, *string = NULL; + JSON_Value *temp_value = NULL; + JSON_Array *array = NULL; + JSON_Object *object = NULL; + size_t i = 0, count = 0; + double num = 0.0; + int written = -1, written_total = 0; + size_t len = 0; + + switch (json_value_get_type(value)) { + case JSONArray: + array = json_value_get_array(value); + count = json_array_get_count(array); + APPEND_STRING("["); + if (count > 0 && is_pretty) { + APPEND_STRING("\n"); + } + for (i = 0; i < count; i++) { + if (is_pretty) { + APPEND_INDENT(level+1); + } + temp_value = json_array_get_value(array, i); + written = json_serialize_to_buffer_r(temp_value, buf, level+1, is_pretty, num_buf); + if (written < 0) { + return -1; + } + if (buf != NULL) { + buf += written; + } + written_total += written; + if (i < (count - 1)) { + APPEND_STRING(","); + } + if (is_pretty) { + APPEND_STRING("\n"); + } + } + if (count > 0 && is_pretty) { + APPEND_INDENT(level); + } + APPEND_STRING("]"); + return written_total; + case JSONObject: + object = json_value_get_object(value); + count = json_object_get_count(object); + APPEND_STRING("{"); + if (count > 0 && is_pretty) { + APPEND_STRING("\n"); + } + for (i = 0; i < count; i++) { + key = json_object_get_name(object, i); + if (key == NULL) { + return -1; + } + if (is_pretty) { + APPEND_INDENT(level+1); + } + /* We do not support key names with embedded \0 chars */ + written = json_serialize_string(key, strlen(key), buf); + if (written < 0) { + return -1; + } + if (buf != NULL) { + buf += written; + } + written_total += written; + APPEND_STRING(":"); + if (is_pretty) { + APPEND_STRING(" "); + } + temp_value = json_object_get_value_at(object, i); + written = json_serialize_to_buffer_r(temp_value, buf, level+1, is_pretty, num_buf); + if (written < 0) { + return -1; + } + if (buf != NULL) { + buf += written; + } + written_total += written; + if (i < (count - 1)) { + APPEND_STRING(","); + } + if (is_pretty) { + APPEND_STRING("\n"); + } + } + if (count > 0 && is_pretty) { + APPEND_INDENT(level); + } + APPEND_STRING("}"); + return written_total; + case JSONString: + string = json_value_get_string(value); + if (string == NULL) { + return -1; + } + len = json_value_get_string_len(value); + written = json_serialize_string(string, len, buf); + if (written < 0) { + return -1; + } + if (buf != NULL) { + buf += written; + } + written_total += written; + return written_total; + case JSONBoolean: + if (json_value_get_boolean(value)) { + APPEND_STRING("true"); + } else { + APPEND_STRING("false"); + } + return written_total; + case JSONNumber: + num = json_value_get_number(value); + if (buf != NULL) { + num_buf = buf; + } + written = sprintf(num_buf, FLOAT_FORMAT, num); + if (written < 0) { + return -1; + } + if (buf != NULL) { + buf += written; + } + written_total += written; + return written_total; + case JSONNull: + APPEND_STRING("null"); + return written_total; + case JSONError: + return -1; + default: + return -1; + } +} + +static int json_serialize_string(const char *string, size_t len, char *buf) { + size_t i = 0; + char c = '\0'; + int written = -1, written_total = 0; + APPEND_STRING("\""); + for (i = 0; i < len; i++) { + c = string[i]; + switch (c) { + case '\"': APPEND_STRING("\\\""); break; + case '\\': APPEND_STRING("\\\\"); break; + case '\b': APPEND_STRING("\\b"); break; + case '\f': APPEND_STRING("\\f"); break; + case '\n': APPEND_STRING("\\n"); break; + case '\r': APPEND_STRING("\\r"); break; + case '\t': APPEND_STRING("\\t"); break; + case '\x00': APPEND_STRING("\\u0000"); break; + case '\x01': APPEND_STRING("\\u0001"); break; + case '\x02': APPEND_STRING("\\u0002"); break; + case '\x03': APPEND_STRING("\\u0003"); break; + case '\x04': APPEND_STRING("\\u0004"); break; + case '\x05': APPEND_STRING("\\u0005"); break; + case '\x06': APPEND_STRING("\\u0006"); break; + case '\x07': APPEND_STRING("\\u0007"); break; + /* '\x08' duplicate: '\b' */ + /* '\x09' duplicate: '\t' */ + /* '\x0a' duplicate: '\n' */ + case '\x0b': APPEND_STRING("\\u000b"); break; + /* '\x0c' duplicate: '\f' */ + /* '\x0d' duplicate: '\r' */ + case '\x0e': APPEND_STRING("\\u000e"); break; + case '\x0f': APPEND_STRING("\\u000f"); break; + case '\x10': APPEND_STRING("\\u0010"); break; + case '\x11': APPEND_STRING("\\u0011"); break; + case '\x12': APPEND_STRING("\\u0012"); break; + case '\x13': APPEND_STRING("\\u0013"); break; + case '\x14': APPEND_STRING("\\u0014"); break; + case '\x15': APPEND_STRING("\\u0015"); break; + case '\x16': APPEND_STRING("\\u0016"); break; + case '\x17': APPEND_STRING("\\u0017"); break; + case '\x18': APPEND_STRING("\\u0018"); break; + case '\x19': APPEND_STRING("\\u0019"); break; + case '\x1a': APPEND_STRING("\\u001a"); break; + case '\x1b': APPEND_STRING("\\u001b"); break; + case '\x1c': APPEND_STRING("\\u001c"); break; + case '\x1d': APPEND_STRING("\\u001d"); break; + case '\x1e': APPEND_STRING("\\u001e"); break; + case '\x1f': APPEND_STRING("\\u001f"); break; + case '/': + if (parson_escape_slashes) { + APPEND_STRING("\\/"); /* to make json embeddable in xml\/html */ + } else { + APPEND_STRING("/"); + } + break; + default: + if (buf != NULL) { + buf[0] = c; + buf += 1; + } + written_total += 1; + break; + } + } + APPEND_STRING("\""); + return written_total; +} + +static int append_indent(char *buf, int level) { + int i; + int written = -1, written_total = 0; + for (i = 0; i < level; i++) { + APPEND_STRING(" "); + } + return written_total; +} + +static int append_string(char *buf, const char *string) { + if (buf == NULL) { + return (int)strlen(string); + } + return sprintf(buf, "%s", string); +} + +#undef APPEND_STRING +#undef APPEND_INDENT + +/* Parser API */ +JSON_Value * json_parse_file(const char *filename) { + char *file_contents = read_file(filename); + JSON_Value *output_value = NULL; + if (file_contents == NULL) { + return NULL; + } + output_value = json_parse_string(file_contents); + parson_free(file_contents); + return output_value; +} + +JSON_Value * json_parse_file_with_comments(const char *filename) { + char *file_contents = read_file(filename); + JSON_Value *output_value = NULL; + if (file_contents == NULL) { + return NULL; + } + output_value = json_parse_string_with_comments(file_contents); + parson_free(file_contents); + return output_value; +} + +JSON_Value * json_parse_string(const char *string) { + if (string == NULL) { + return NULL; + } + if (string[0] == '\xEF' && string[1] == '\xBB' && string[2] == '\xBF') { + string = string + 3; /* Support for UTF-8 BOM */ + } + return parse_value((const char**)&string, 0); +} + +JSON_Value * json_parse_string_with_comments(const char *string) { + JSON_Value *result = NULL; + char *string_mutable_copy = NULL, *string_mutable_copy_ptr = NULL; + string_mutable_copy = parson_strdup(string); + if (string_mutable_copy == NULL) { + return NULL; + } + remove_comments(string_mutable_copy, "/*", "*/"); + remove_comments(string_mutable_copy, "//", "\n"); + string_mutable_copy_ptr = string_mutable_copy; + result = parse_value((const char**)&string_mutable_copy_ptr, 0); + parson_free(string_mutable_copy); + return result; +} + +/* JSON Object API */ + +JSON_Value * json_object_get_value(const JSON_Object *object, const char *name) { + if (object == NULL || name == NULL) { + return NULL; + } + return json_object_getn_value(object, name, strlen(name)); +} + +const char * json_object_get_string(const JSON_Object *object, const char *name) { + return json_value_get_string(json_object_get_value(object, name)); +} + +size_t json_object_get_string_len(const JSON_Object *object, const char *name) { + return json_value_get_string_len(json_object_get_value(object, name)); +} + +double json_object_get_number(const JSON_Object *object, const char *name) { + return json_value_get_number(json_object_get_value(object, name)); +} + +JSON_Object * json_object_get_object(const JSON_Object *object, const char *name) { + return json_value_get_object(json_object_get_value(object, name)); +} + +JSON_Array * json_object_get_array(const JSON_Object *object, const char *name) { + return json_value_get_array(json_object_get_value(object, name)); +} + +int json_object_get_boolean(const JSON_Object *object, const char *name) { + return json_value_get_boolean(json_object_get_value(object, name)); +} + +JSON_Value * json_object_dotget_value(const JSON_Object *object, const char *name) { + const char *dot_position = strchr(name, '.'); + if (!dot_position) { + return json_object_get_value(object, name); + } + object = json_value_get_object(json_object_getn_value(object, name, dot_position - name)); + return json_object_dotget_value(object, dot_position + 1); +} + +const char * json_object_dotget_string(const JSON_Object *object, const char *name) { + return json_value_get_string(json_object_dotget_value(object, name)); +} + +size_t json_object_dotget_string_len(const JSON_Object *object, const char *name) { + return json_value_get_string_len(json_object_dotget_value(object, name)); +} + +double json_object_dotget_number(const JSON_Object *object, const char *name) { + return json_value_get_number(json_object_dotget_value(object, name)); +} + +JSON_Object * json_object_dotget_object(const JSON_Object *object, const char *name) { + return json_value_get_object(json_object_dotget_value(object, name)); +} + +JSON_Array * json_object_dotget_array(const JSON_Object *object, const char *name) { + return json_value_get_array(json_object_dotget_value(object, name)); +} + +int json_object_dotget_boolean(const JSON_Object *object, const char *name) { + return json_value_get_boolean(json_object_dotget_value(object, name)); +} + +size_t json_object_get_count(const JSON_Object *object) { + return object ? object->count : 0; +} + +const char * json_object_get_name(const JSON_Object *object, size_t index) { + if (object == NULL || index >= json_object_get_count(object)) { + return NULL; + } + return object->names[index]; +} + +JSON_Value * json_object_get_value_at(const JSON_Object *object, size_t index) { + if (object == NULL || index >= json_object_get_count(object)) { + return NULL; + } + return object->values[index]; +} + +JSON_Value *json_object_get_wrapping_value(const JSON_Object *object) { + if (!object) { + return NULL; + } + return object->wrapping_value; +} + +int json_object_has_value (const JSON_Object *object, const char *name) { + return json_object_get_value(object, name) != NULL; +} + +int json_object_has_value_of_type(const JSON_Object *object, const char *name, JSON_Value_Type type) { + JSON_Value *val = json_object_get_value(object, name); + return val != NULL && json_value_get_type(val) == type; +} + +int json_object_dothas_value (const JSON_Object *object, const char *name) { + return json_object_dotget_value(object, name) != NULL; +} + +int json_object_dothas_value_of_type(const JSON_Object *object, const char *name, JSON_Value_Type type) { + JSON_Value *val = json_object_dotget_value(object, name); + return val != NULL && json_value_get_type(val) == type; +} + +/* JSON Array API */ +JSON_Value * json_array_get_value(const JSON_Array *array, size_t index) { + if (array == NULL || index >= json_array_get_count(array)) { + return NULL; + } + return array->items[index]; +} + +const char * json_array_get_string(const JSON_Array *array, size_t index) { + return json_value_get_string(json_array_get_value(array, index)); +} + +size_t json_array_get_string_len(const JSON_Array *array, size_t index) { + return json_value_get_string_len(json_array_get_value(array, index)); +} + +double json_array_get_number(const JSON_Array *array, size_t index) { + return json_value_get_number(json_array_get_value(array, index)); +} + +JSON_Object * json_array_get_object(const JSON_Array *array, size_t index) { + return json_value_get_object(json_array_get_value(array, index)); +} + +JSON_Array * json_array_get_array(const JSON_Array *array, size_t index) { + return json_value_get_array(json_array_get_value(array, index)); +} + +int json_array_get_boolean(const JSON_Array *array, size_t index) { + return json_value_get_boolean(json_array_get_value(array, index)); +} + +size_t json_array_get_count(const JSON_Array *array) { + return array ? array->count : 0; +} + +JSON_Value * json_array_get_wrapping_value(const JSON_Array *array) { + if (!array) { + return NULL; + } + return array->wrapping_value; +} + +/* JSON Value API */ +JSON_Value_Type json_value_get_type(const JSON_Value *value) { + return value ? value->type : JSONError; +} + +JSON_Object * json_value_get_object(const JSON_Value *value) { + return json_value_get_type(value) == JSONObject ? value->value.object : NULL; +} + +JSON_Array * json_value_get_array(const JSON_Value *value) { + return json_value_get_type(value) == JSONArray ? value->value.array : NULL; +} + +static const JSON_String * json_value_get_string_desc(const JSON_Value *value) { + return json_value_get_type(value) == JSONString ? &value->value.string : NULL; +} + +const char * json_value_get_string(const JSON_Value *value) { + const JSON_String *str = json_value_get_string_desc(value); + return str ? str->chars : NULL; +} + +size_t json_value_get_string_len(const JSON_Value *value) { + const JSON_String *str = json_value_get_string_desc(value); + return str ? str->length : 0; +} + +double json_value_get_number(const JSON_Value *value) { + return json_value_get_type(value) == JSONNumber ? value->value.number : 0; +} + +int json_value_get_boolean(const JSON_Value *value) { + return json_value_get_type(value) == JSONBoolean ? value->value.boolean : -1; +} + +JSON_Value * json_value_get_parent (const JSON_Value *value) { + return value ? value->parent : NULL; +} + +void json_value_free(JSON_Value *value) { + switch (json_value_get_type(value)) { + case JSONObject: + json_object_free(value->value.object); + break; + case JSONString: + parson_free(value->value.string.chars); + break; + case JSONArray: + json_array_free(value->value.array); + break; + default: + break; + } + parson_free(value); +} + +JSON_Value * json_value_init_object(void) { + JSON_Value *new_value = (JSON_Value*)parson_malloc(sizeof(JSON_Value)); + if (!new_value) { + return NULL; + } + new_value->parent = NULL; + new_value->type = JSONObject; + new_value->value.object = json_object_make(new_value); + if (!new_value->value.object) { + parson_free(new_value); + return NULL; + } + return new_value; +} + +JSON_Value * json_value_init_array(void) { + JSON_Value *new_value = (JSON_Value*)parson_malloc(sizeof(JSON_Value)); + if (!new_value) { + return NULL; + } + new_value->parent = NULL; + new_value->type = JSONArray; + new_value->value.array = json_array_make(new_value); + if (!new_value->value.array) { + parson_free(new_value); + return NULL; + } + return new_value; +} + +JSON_Value * json_value_init_string(const char *string) { + if (string == NULL) { + return NULL; + } + return json_value_init_string_with_len(string, strlen(string)); +} + +JSON_Value * json_value_init_string_with_len(const char *string, size_t length) { + char *copy = NULL; + JSON_Value *value; + if (string == NULL) { + return NULL; + } + if (!is_valid_utf8(string, length)) { + return NULL; + } + copy = parson_strndup(string, length); + if (copy == NULL) { + return NULL; + } + value = json_value_init_string_no_copy(copy, length); + if (value == NULL) { + parson_free(copy); + } + return value; +} + +JSON_Value * json_value_init_number(double number) { + JSON_Value *new_value = NULL; + if (IS_NUMBER_INVALID(number)) { + return NULL; + } + new_value = (JSON_Value*)parson_malloc(sizeof(JSON_Value)); + if (new_value == NULL) { + return NULL; + } + new_value->parent = NULL; + new_value->type = JSONNumber; + new_value->value.number = number; + return new_value; +} + +JSON_Value * json_value_init_boolean(int boolean) { + JSON_Value *new_value = (JSON_Value*)parson_malloc(sizeof(JSON_Value)); + if (!new_value) { + return NULL; + } + new_value->parent = NULL; + new_value->type = JSONBoolean; + new_value->value.boolean = boolean ? 1 : 0; + return new_value; +} + +JSON_Value * json_value_init_null(void) { + JSON_Value *new_value = (JSON_Value*)parson_malloc(sizeof(JSON_Value)); + if (!new_value) { + return NULL; + } + new_value->parent = NULL; + new_value->type = JSONNull; + return new_value; +} + +JSON_Value * json_value_deep_copy(const JSON_Value *value) { + size_t i = 0; + JSON_Value *return_value = NULL, *temp_value_copy = NULL, *temp_value = NULL; + const JSON_String *temp_string = NULL; + const char *temp_key = NULL; + char *temp_string_copy = NULL; + JSON_Array *temp_array = NULL, *temp_array_copy = NULL; + JSON_Object *temp_object = NULL, *temp_object_copy = NULL; + JSON_Status res = JSONFailure; + char *key_copy = NULL; + + switch (json_value_get_type(value)) { + case JSONArray: + temp_array = json_value_get_array(value); + return_value = json_value_init_array(); + if (return_value == NULL) { + return NULL; + } + temp_array_copy = json_value_get_array(return_value); + for (i = 0; i < json_array_get_count(temp_array); i++) { + temp_value = json_array_get_value(temp_array, i); + temp_value_copy = json_value_deep_copy(temp_value); + if (temp_value_copy == NULL) { + json_value_free(return_value); + return NULL; + } + if (json_array_add(temp_array_copy, temp_value_copy) != JSONSuccess) { + json_value_free(return_value); + json_value_free(temp_value_copy); + return NULL; + } + } + return return_value; + case JSONObject: + temp_object = json_value_get_object(value); + return_value = json_value_init_object(); + if (!return_value) { + return NULL; + } + temp_object_copy = json_value_get_object(return_value); + for (i = 0; i < json_object_get_count(temp_object); i++) { + temp_key = json_object_get_name(temp_object, i); + temp_value = json_object_get_value(temp_object, temp_key); + temp_value_copy = json_value_deep_copy(temp_value); + if (!temp_value_copy) { + json_value_free(return_value); + return NULL; + } + key_copy = parson_strdup(temp_key); + if (!key_copy) { + json_value_free(temp_value_copy); + json_value_free(return_value); + return NULL; + } + res = json_object_add(temp_object_copy, key_copy, temp_value_copy); + if (res != JSONSuccess) { + parson_free(key_copy); + json_value_free(temp_value_copy); + json_value_free(return_value); + return NULL; + } + } + return return_value; + case JSONBoolean: + return json_value_init_boolean(json_value_get_boolean(value)); + case JSONNumber: + return json_value_init_number(json_value_get_number(value)); + case JSONString: + temp_string = json_value_get_string_desc(value); + if (temp_string == NULL) { + return NULL; + } + temp_string_copy = parson_strndup(temp_string->chars, temp_string->length); + if (temp_string_copy == NULL) { + return NULL; + } + return_value = json_value_init_string_no_copy(temp_string_copy, temp_string->length); + if (return_value == NULL) { + parson_free(temp_string_copy); + } + return return_value; + case JSONNull: + return json_value_init_null(); + case JSONError: + return NULL; + default: + return NULL; + } +} + +size_t json_serialization_size(const JSON_Value *value) { + char num_buf[NUM_BUF_SIZE]; /* recursively allocating buffer on stack is a bad idea, so let's do it only once */ + int res = json_serialize_to_buffer_r(value, NULL, 0, PARSON_FALSE, num_buf); + return res < 0 ? 0 : (size_t)(res) + 1; +} + +JSON_Status json_serialize_to_buffer(const JSON_Value *value, char *buf, size_t buf_size_in_bytes) { + int written = -1; + size_t needed_size_in_bytes = json_serialization_size(value); + if (needed_size_in_bytes == 0 || buf_size_in_bytes < needed_size_in_bytes) { + return JSONFailure; + } + written = json_serialize_to_buffer_r(value, buf, 0, PARSON_FALSE, NULL); + if (written < 0) { + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_serialize_to_file(const JSON_Value *value, const char *filename) { + JSON_Status return_code = JSONSuccess; + FILE *fp = NULL; + char *serialized_string = json_serialize_to_string(value); + if (serialized_string == NULL) { + return JSONFailure; + } + fp = fopen(filename, "w"); + if (fp == NULL) { + json_free_serialized_string(serialized_string); + return JSONFailure; + } + if (fputs(serialized_string, fp) == EOF) { + return_code = JSONFailure; + } + if (fclose(fp) == EOF) { + return_code = JSONFailure; + } + json_free_serialized_string(serialized_string); + return return_code; +} + +char * json_serialize_to_string(const JSON_Value *value) { + JSON_Status serialization_result = JSONFailure; + size_t buf_size_bytes = json_serialization_size(value); + char *buf = NULL; + if (buf_size_bytes == 0) { + return NULL; + } + buf = (char*)parson_malloc(buf_size_bytes); + if (buf == NULL) { + return NULL; + } + serialization_result = json_serialize_to_buffer(value, buf, buf_size_bytes); + if (serialization_result != JSONSuccess) { + json_free_serialized_string(buf); + return NULL; + } + return buf; +} + +size_t json_serialization_size_pretty(const JSON_Value *value) { + char num_buf[NUM_BUF_SIZE]; /* recursively allocating buffer on stack is a bad idea, so let's do it only once */ + int res = json_serialize_to_buffer_r(value, NULL, 0, PARSON_TRUE, num_buf); + return res < 0 ? 0 : (size_t)(res) + 1; +} + +JSON_Status json_serialize_to_buffer_pretty(const JSON_Value *value, char *buf, size_t buf_size_in_bytes) { + int written = -1; + size_t needed_size_in_bytes = json_serialization_size_pretty(value); + if (needed_size_in_bytes == 0 || buf_size_in_bytes < needed_size_in_bytes) { + return JSONFailure; + } + written = json_serialize_to_buffer_r(value, buf, 0, PARSON_TRUE, NULL); + if (written < 0) { + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_serialize_to_file_pretty(const JSON_Value *value, const char *filename) { + JSON_Status return_code = JSONSuccess; + FILE *fp = NULL; + char *serialized_string = json_serialize_to_string_pretty(value); + if (serialized_string == NULL) { + return JSONFailure; + } + fp = fopen(filename, "w"); + if (fp == NULL) { + json_free_serialized_string(serialized_string); + return JSONFailure; + } + if (fputs(serialized_string, fp) == EOF) { + return_code = JSONFailure; + } + if (fclose(fp) == EOF) { + return_code = JSONFailure; + } + json_free_serialized_string(serialized_string); + return return_code; +} + +char * json_serialize_to_string_pretty(const JSON_Value *value) { + JSON_Status serialization_result = JSONFailure; + size_t buf_size_bytes = json_serialization_size_pretty(value); + char *buf = NULL; + if (buf_size_bytes == 0) { + return NULL; + } + buf = (char*)parson_malloc(buf_size_bytes); + if (buf == NULL) { + return NULL; + } + serialization_result = json_serialize_to_buffer_pretty(value, buf, buf_size_bytes); + if (serialization_result != JSONSuccess) { + json_free_serialized_string(buf); + return NULL; + } + return buf; +} + +void json_free_serialized_string(char *string) { + parson_free(string); +} + +JSON_Status json_array_remove(JSON_Array *array, size_t ix) { + size_t to_move_bytes = 0; + if (array == NULL || ix >= json_array_get_count(array)) { + return JSONFailure; + } + json_value_free(json_array_get_value(array, ix)); + to_move_bytes = (json_array_get_count(array) - 1 - ix) * sizeof(JSON_Value*); + memmove(array->items + ix, array->items + ix + 1, to_move_bytes); + array->count -= 1; + return JSONSuccess; +} + +JSON_Status json_array_replace_value(JSON_Array *array, size_t ix, JSON_Value *value) { + if (array == NULL || value == NULL || value->parent != NULL || ix >= json_array_get_count(array)) { + return JSONFailure; + } + json_value_free(json_array_get_value(array, ix)); + value->parent = json_array_get_wrapping_value(array); + array->items[ix] = value; + return JSONSuccess; +} + +JSON_Status json_array_replace_string(JSON_Array *array, size_t i, const char* string) { + JSON_Value *value = json_value_init_string(string); + if (value == NULL) { + return JSONFailure; + } + if (json_array_replace_value(array, i, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_replace_string_with_len(JSON_Array *array, size_t i, const char *string, size_t len) { + JSON_Value *value = json_value_init_string_with_len(string, len); + if (value == NULL) { + return JSONFailure; + } + if (json_array_replace_value(array, i, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_replace_number(JSON_Array *array, size_t i, double number) { + JSON_Value *value = json_value_init_number(number); + if (value == NULL) { + return JSONFailure; + } + if (json_array_replace_value(array, i, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_replace_boolean(JSON_Array *array, size_t i, int boolean) { + JSON_Value *value = json_value_init_boolean(boolean); + if (value == NULL) { + return JSONFailure; + } + if (json_array_replace_value(array, i, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_replace_null(JSON_Array *array, size_t i) { + JSON_Value *value = json_value_init_null(); + if (value == NULL) { + return JSONFailure; + } + if (json_array_replace_value(array, i, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_clear(JSON_Array *array) { + size_t i = 0; + if (array == NULL) { + return JSONFailure; + } + for (i = 0; i < json_array_get_count(array); i++) { + json_value_free(json_array_get_value(array, i)); + } + array->count = 0; + return JSONSuccess; +} + +JSON_Status json_array_append_value(JSON_Array *array, JSON_Value *value) { + if (array == NULL || value == NULL || value->parent != NULL) { + return JSONFailure; + } + return json_array_add(array, value); +} + +JSON_Status json_array_append_string(JSON_Array *array, const char *string) { + JSON_Value *value = json_value_init_string(string); + if (value == NULL) { + return JSONFailure; + } + if (json_array_append_value(array, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_append_string_with_len(JSON_Array *array, const char *string, size_t len) { + JSON_Value *value = json_value_init_string_with_len(string, len); + if (value == NULL) { + return JSONFailure; + } + if (json_array_append_value(array, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_append_number(JSON_Array *array, double number) { + JSON_Value *value = json_value_init_number(number); + if (value == NULL) { + return JSONFailure; + } + if (json_array_append_value(array, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_append_boolean(JSON_Array *array, int boolean) { + JSON_Value *value = json_value_init_boolean(boolean); + if (value == NULL) { + return JSONFailure; + } + if (json_array_append_value(array, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_array_append_null(JSON_Array *array) { + JSON_Value *value = json_value_init_null(); + if (value == NULL) { + return JSONFailure; + } + if (json_array_append_value(array, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_object_set_value(JSON_Object *object, const char *name, JSON_Value *value) { + unsigned long hash = 0; + parson_bool_t found = PARSON_FALSE; + size_t cell_ix = 0; + size_t item_ix = 0; + JSON_Value *old_value = NULL; + char *key_copy = NULL; + + if (!object || !name || !value || value->parent) { + return JSONFailure; + } + hash = hash_string(name, strlen(name)); + found = PARSON_FALSE; + cell_ix = json_object_get_cell_ix(object, name, strlen(name), hash, &found); + if (found) { + item_ix = object->cells[cell_ix]; + old_value = object->values[item_ix]; + json_value_free(old_value); + object->values[item_ix] = value; + value->parent = json_object_get_wrapping_value(object); + return JSONSuccess; + } + if (object->count >= object->item_capacity) { + JSON_Status res = json_object_grow_and_rehash(object); + if (res != JSONSuccess) { + return JSONFailure; + } + cell_ix = json_object_get_cell_ix(object, name, strlen(name), hash, &found); + } + key_copy = parson_strdup(name); + if (!key_copy) { + return JSONFailure; + } + object->names[object->count] = key_copy; + object->cells[cell_ix] = object->count; + object->values[object->count] = value; + object->cell_ixs[object->count] = cell_ix; + object->hashes[object->count] = hash; + object->count++; + value->parent = json_object_get_wrapping_value(object); + return JSONSuccess; +} + +JSON_Status json_object_set_string(JSON_Object *object, const char *name, const char *string) { + JSON_Value *value = json_value_init_string(string); + JSON_Status status = json_object_set_value(object, name, value); + if (status != JSONSuccess) { + json_value_free(value); + } + return status; +} + +JSON_Status json_object_set_string_with_len(JSON_Object *object, const char *name, const char *string, size_t len) { + JSON_Value *value = json_value_init_string_with_len(string, len); + JSON_Status status = json_object_set_value(object, name, value); + if (status != JSONSuccess) { + json_value_free(value); + } + return status; +} + +JSON_Status json_object_set_number(JSON_Object *object, const char *name, double number) { + JSON_Value *value = json_value_init_number(number); + JSON_Status status = json_object_set_value(object, name, value); + if (status != JSONSuccess) { + json_value_free(value); + } + return status; +} + +JSON_Status json_object_set_boolean(JSON_Object *object, const char *name, int boolean) { + JSON_Value *value = json_value_init_boolean(boolean); + JSON_Status status = json_object_set_value(object, name, value); + if (status != JSONSuccess) { + json_value_free(value); + } + return status; +} + +JSON_Status json_object_set_null(JSON_Object *object, const char *name) { + JSON_Value *value = json_value_init_null(); + JSON_Status status = json_object_set_value(object, name, value); + if (status != JSONSuccess) { + json_value_free(value); + } + return status; +} + +JSON_Status json_object_dotset_value(JSON_Object *object, const char *name, JSON_Value *value) { + const char *dot_pos = NULL; + JSON_Value *temp_value = NULL, *new_value = NULL; + JSON_Object *temp_object = NULL, *new_object = NULL; + JSON_Status status = JSONFailure; + size_t name_len = 0; + char *name_copy = NULL; + + if (object == NULL || name == NULL || value == NULL) { + return JSONFailure; + } + dot_pos = strchr(name, '.'); + if (dot_pos == NULL) { + return json_object_set_value(object, name, value); + } + name_len = dot_pos - name; + temp_value = json_object_getn_value(object, name, name_len); + if (temp_value) { + /* Don't overwrite existing non-object (unlike json_object_set_value, but it shouldn't be changed at this point) */ + if (json_value_get_type(temp_value) != JSONObject) { + return JSONFailure; + } + temp_object = json_value_get_object(temp_value); + return json_object_dotset_value(temp_object, dot_pos + 1, value); + } + new_value = json_value_init_object(); + if (new_value == NULL) { + return JSONFailure; + } + new_object = json_value_get_object(new_value); + status = json_object_dotset_value(new_object, dot_pos + 1, value); + if (status != JSONSuccess) { + json_value_free(new_value); + return JSONFailure; + } + name_copy = parson_strndup(name, name_len); + if (!name_copy) { + json_object_dotremove_internal(new_object, dot_pos + 1, 0); + json_value_free(new_value); + return JSONFailure; + } + status = json_object_add(object, name_copy, new_value); + if (status != JSONSuccess) { + parson_free(name_copy); + json_object_dotremove_internal(new_object, dot_pos + 1, 0); + json_value_free(new_value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_object_dotset_string(JSON_Object *object, const char *name, const char *string) { + JSON_Value *value = json_value_init_string(string); + if (value == NULL) { + return JSONFailure; + } + if (json_object_dotset_value(object, name, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_object_dotset_string_with_len(JSON_Object *object, const char *name, const char *string, size_t len) { + JSON_Value *value = json_value_init_string_with_len(string, len); + if (value == NULL) { + return JSONFailure; + } + if (json_object_dotset_value(object, name, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_object_dotset_number(JSON_Object *object, const char *name, double number) { + JSON_Value *value = json_value_init_number(number); + if (value == NULL) { + return JSONFailure; + } + if (json_object_dotset_value(object, name, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_object_dotset_boolean(JSON_Object *object, const char *name, int boolean) { + JSON_Value *value = json_value_init_boolean(boolean); + if (value == NULL) { + return JSONFailure; + } + if (json_object_dotset_value(object, name, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_object_dotset_null(JSON_Object *object, const char *name) { + JSON_Value *value = json_value_init_null(); + if (value == NULL) { + return JSONFailure; + } + if (json_object_dotset_value(object, name, value) != JSONSuccess) { + json_value_free(value); + return JSONFailure; + } + return JSONSuccess; +} + +JSON_Status json_object_remove(JSON_Object *object, const char *name) { + return json_object_remove_internal(object, name, PARSON_TRUE); +} + +JSON_Status json_object_dotremove(JSON_Object *object, const char *name) { + return json_object_dotremove_internal(object, name, PARSON_TRUE); +} + +JSON_Status json_object_clear(JSON_Object *object) { + size_t i = 0; + if (object == NULL) { + return JSONFailure; + } + for (i = 0; i < json_object_get_count(object); i++) { + parson_free(object->names[i]); + json_value_free(object->values[i]); + } + object->count = 0; + return JSONSuccess; +} + +JSON_Status json_validate(const JSON_Value *schema, const JSON_Value *value) { + JSON_Value *temp_schema_value = NULL, *temp_value = NULL; + JSON_Array *schema_array = NULL, *value_array = NULL; + JSON_Object *schema_object = NULL, *value_object = NULL; + JSON_Value_Type schema_type = JSONError, value_type = JSONError; + const char *key = NULL; + size_t i = 0, count = 0; + if (schema == NULL || value == NULL) { + return JSONFailure; + } + schema_type = json_value_get_type(schema); + value_type = json_value_get_type(value); + if (schema_type != value_type && schema_type != JSONNull) { /* null represents all values */ + return JSONFailure; + } + switch (schema_type) { + case JSONArray: + schema_array = json_value_get_array(schema); + value_array = json_value_get_array(value); + count = json_array_get_count(schema_array); + if (count == 0) { + return JSONSuccess; /* Empty array allows all types */ + } + /* Get first value from array, rest is ignored */ + temp_schema_value = json_array_get_value(schema_array, 0); + for (i = 0; i < json_array_get_count(value_array); i++) { + temp_value = json_array_get_value(value_array, i); + if (json_validate(temp_schema_value, temp_value) != JSONSuccess) { + return JSONFailure; + } + } + return JSONSuccess; + case JSONObject: + schema_object = json_value_get_object(schema); + value_object = json_value_get_object(value); + count = json_object_get_count(schema_object); + if (count == 0) { + return JSONSuccess; /* Empty object allows all objects */ + } else if (json_object_get_count(value_object) < count) { + return JSONFailure; /* Tested object mustn't have less name-value pairs than schema */ + } + for (i = 0; i < count; i++) { + key = json_object_get_name(schema_object, i); + temp_schema_value = json_object_get_value(schema_object, key); + temp_value = json_object_get_value(value_object, key); + if (temp_value == NULL) { + return JSONFailure; + } + if (json_validate(temp_schema_value, temp_value) != JSONSuccess) { + return JSONFailure; + } + } + return JSONSuccess; + case JSONString: case JSONNumber: case JSONBoolean: case JSONNull: + return JSONSuccess; /* equality already tested before switch */ + case JSONError: default: + return JSONFailure; + } +} + +int json_value_equals(const JSON_Value *a, const JSON_Value *b) { + JSON_Object *a_object = NULL, *b_object = NULL; + JSON_Array *a_array = NULL, *b_array = NULL; + const JSON_String *a_string = NULL, *b_string = NULL; + const char *key = NULL; + size_t a_count = 0, b_count = 0, i = 0; + JSON_Value_Type a_type, b_type; + a_type = json_value_get_type(a); + b_type = json_value_get_type(b); + if (a_type != b_type) { + return PARSON_FALSE; + } + switch (a_type) { + case JSONArray: + a_array = json_value_get_array(a); + b_array = json_value_get_array(b); + a_count = json_array_get_count(a_array); + b_count = json_array_get_count(b_array); + if (a_count != b_count) { + return PARSON_FALSE; + } + for (i = 0; i < a_count; i++) { + if (!json_value_equals(json_array_get_value(a_array, i), + json_array_get_value(b_array, i))) { + return PARSON_FALSE; + } + } + return PARSON_TRUE; + case JSONObject: + a_object = json_value_get_object(a); + b_object = json_value_get_object(b); + a_count = json_object_get_count(a_object); + b_count = json_object_get_count(b_object); + if (a_count != b_count) { + return PARSON_FALSE; + } + for (i = 0; i < a_count; i++) { + key = json_object_get_name(a_object, i); + if (!json_value_equals(json_object_get_value(a_object, key), + json_object_get_value(b_object, key))) { + return PARSON_FALSE; + } + } + return PARSON_TRUE; + case JSONString: + a_string = json_value_get_string_desc(a); + b_string = json_value_get_string_desc(b); + if (a_string == NULL || b_string == NULL) { + return PARSON_FALSE; /* shouldn't happen */ + } + return a_string->length == b_string->length && + memcmp(a_string->chars, b_string->chars, a_string->length) == 0; + case JSONBoolean: + return json_value_get_boolean(a) == json_value_get_boolean(b); + case JSONNumber: + return fabs(json_value_get_number(a) - json_value_get_number(b)) < 0.000001; /* EPSILON */ + case JSONError: + return PARSON_TRUE; + case JSONNull: + return PARSON_TRUE; + default: + return PARSON_TRUE; + } +} + +JSON_Value_Type json_type(const JSON_Value *value) { + return json_value_get_type(value); +} + +JSON_Object * json_object (const JSON_Value *value) { + return json_value_get_object(value); +} + +JSON_Array * json_array(const JSON_Value *value) { + return json_value_get_array(value); +} + +const char * json_string(const JSON_Value *value) { + return json_value_get_string(value); +} + +size_t json_string_len(const JSON_Value *value) { + return json_value_get_string_len(value); +} + +double json_number(const JSON_Value *value) { + return json_value_get_number(value); +} + +int json_boolean(const JSON_Value *value) { + return json_value_get_boolean(value); +} + +void json_set_allocation_functions(JSON_Malloc_Function malloc_fun, JSON_Free_Function free_fun) { + parson_malloc = malloc_fun; + parson_free = free_fun; +} + +void json_set_escape_slashes(int escape_slashes) { + parson_escape_slashes = escape_slashes; +} diff --git a/lib/parson.h b/lib/parson.h new file mode 100644 index 0000000..beeca4c --- /dev/null +++ b/lib/parson.h @@ -0,0 +1,256 @@ +/* + SPDX-License-Identifier: MIT + + Parson 1.2.1 ( http://kgabis.github.com/parson/ ) + Copyright (c) 2012 - 2021 Krzysztof Gabis + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +*/ + +#ifndef parson_parson_h +#define parson_parson_h + +#ifdef __cplusplus +extern "C" +{ +#endif + +#define PARSON_VERSION_MAJOR 1 +#define PARSON_VERSION_MINOR 2 +#define PARSON_VERSION_PATCH 1 + +#define PARSON_VERSION_STRING "1.2.1" + +#include /* size_t */ + +/* Types and enums */ +typedef struct json_object_t JSON_Object; +typedef struct json_array_t JSON_Array; +typedef struct json_value_t JSON_Value; + +enum json_value_type { + JSONError = -1, + JSONNull = 1, + JSONString = 2, + JSONNumber = 3, + JSONObject = 4, + JSONArray = 5, + JSONBoolean = 6 +}; +typedef int JSON_Value_Type; + +enum json_result_t { + JSONSuccess = 0, + JSONFailure = -1 +}; +typedef int JSON_Status; + +typedef void * (*JSON_Malloc_Function)(size_t); +typedef void (*JSON_Free_Function)(void *); + +/* Call only once, before calling any other function from parson API. If not called, malloc and free + from stdlib will be used for all allocations */ +void json_set_allocation_functions(JSON_Malloc_Function malloc_fun, JSON_Free_Function free_fun); + +/* Sets if slashes should be escaped or not when serializing JSON. By default slashes are escaped. + This function sets a global setting and is not thread safe. */ +void json_set_escape_slashes(int escape_slashes); + +/* Parses first JSON value in a file, returns NULL in case of error */ +JSON_Value * json_parse_file(const char *filename); + +/* Parses first JSON value in a file and ignores comments (/ * * / and //), + returns NULL in case of error */ +JSON_Value * json_parse_file_with_comments(const char *filename); + +/* Parses first JSON value in a string, returns NULL in case of error */ +JSON_Value * json_parse_string(const char *string); + +/* Parses first JSON value in a string and ignores comments (/ * * / and //), + returns NULL in case of error */ +JSON_Value * json_parse_string_with_comments(const char *string); + +/* Serialization */ +size_t json_serialization_size(const JSON_Value *value); /* returns 0 on fail */ +JSON_Status json_serialize_to_buffer(const JSON_Value *value, char *buf, size_t buf_size_in_bytes); +JSON_Status json_serialize_to_file(const JSON_Value *value, const char *filename); +char * json_serialize_to_string(const JSON_Value *value); + +/* Pretty serialization */ +size_t json_serialization_size_pretty(const JSON_Value *value); /* returns 0 on fail */ +JSON_Status json_serialize_to_buffer_pretty(const JSON_Value *value, char *buf, size_t buf_size_in_bytes); +JSON_Status json_serialize_to_file_pretty(const JSON_Value *value, const char *filename); +char * json_serialize_to_string_pretty(const JSON_Value *value); + +void json_free_serialized_string(char *string); /* frees string from json_serialize_to_string and json_serialize_to_string_pretty */ + +/* Comparing */ +int json_value_equals(const JSON_Value *a, const JSON_Value *b); + +/* Validation + This is *NOT* JSON Schema. It validates json by checking if object have identically + named fields with matching types. + For example schema {"name":"", "age":0} will validate + {"name":"Joe", "age":25} and {"name":"Joe", "age":25, "gender":"m"}, + but not {"name":"Joe"} or {"name":"Joe", "age":"Cucumber"}. + In case of arrays, only first value in schema is checked against all values in tested array. + Empty objects ({}) validate all objects, empty arrays ([]) validate all arrays, + null validates values of every type. + */ +JSON_Status json_validate(const JSON_Value *schema, const JSON_Value *value); + +/* + * JSON Object + */ +JSON_Value * json_object_get_value (const JSON_Object *object, const char *name); +const char * json_object_get_string (const JSON_Object *object, const char *name); +size_t json_object_get_string_len(const JSON_Object *object, const char *name); /* doesn't account for last null character */ +JSON_Object * json_object_get_object (const JSON_Object *object, const char *name); +JSON_Array * json_object_get_array (const JSON_Object *object, const char *name); +double json_object_get_number (const JSON_Object *object, const char *name); /* returns 0 on fail */ +int json_object_get_boolean(const JSON_Object *object, const char *name); /* returns -1 on fail */ + +/* dotget functions enable addressing values with dot notation in nested objects, + just like in structs or c++/java/c# objects (e.g. objectA.objectB.value). + Because valid names in JSON can contain dots, some values may be inaccessible + this way. */ +JSON_Value * json_object_dotget_value (const JSON_Object *object, const char *name); +const char * json_object_dotget_string (const JSON_Object *object, const char *name); +size_t json_object_dotget_string_len(const JSON_Object *object, const char *name); /* doesn't account for last null character */ +JSON_Object * json_object_dotget_object (const JSON_Object *object, const char *name); +JSON_Array * json_object_dotget_array (const JSON_Object *object, const char *name); +double json_object_dotget_number (const JSON_Object *object, const char *name); /* returns 0 on fail */ +int json_object_dotget_boolean(const JSON_Object *object, const char *name); /* returns -1 on fail */ + +/* Functions to get available names */ +size_t json_object_get_count (const JSON_Object *object); +const char * json_object_get_name (const JSON_Object *object, size_t index); +JSON_Value * json_object_get_value_at(const JSON_Object *object, size_t index); +JSON_Value * json_object_get_wrapping_value(const JSON_Object *object); + +/* Functions to check if object has a value with a specific name. Returned value is 1 if object has + * a value and 0 if it doesn't. dothas functions behave exactly like dotget functions. */ +int json_object_has_value (const JSON_Object *object, const char *name); +int json_object_has_value_of_type(const JSON_Object *object, const char *name, JSON_Value_Type type); + +int json_object_dothas_value (const JSON_Object *object, const char *name); +int json_object_dothas_value_of_type(const JSON_Object *object, const char *name, JSON_Value_Type type); + +/* Creates new name-value pair or frees and replaces old value with a new one. + * json_object_set_value does not copy passed value so it shouldn't be freed afterwards. */ +JSON_Status json_object_set_value(JSON_Object *object, const char *name, JSON_Value *value); +JSON_Status json_object_set_string(JSON_Object *object, const char *name, const char *string); +JSON_Status json_object_set_string_with_len(JSON_Object *object, const char *name, const char *string, size_t len); /* length shouldn't include last null character */ +JSON_Status json_object_set_number(JSON_Object *object, const char *name, double number); +JSON_Status json_object_set_boolean(JSON_Object *object, const char *name, int boolean); +JSON_Status json_object_set_null(JSON_Object *object, const char *name); + +/* Works like dotget functions, but creates whole hierarchy if necessary. + * json_object_dotset_value does not copy passed value so it shouldn't be freed afterwards. */ +JSON_Status json_object_dotset_value(JSON_Object *object, const char *name, JSON_Value *value); +JSON_Status json_object_dotset_string(JSON_Object *object, const char *name, const char *string); +JSON_Status json_object_dotset_string_with_len(JSON_Object *object, const char *name, const char *string, size_t len); /* length shouldn't include last null character */ +JSON_Status json_object_dotset_number(JSON_Object *object, const char *name, double number); +JSON_Status json_object_dotset_boolean(JSON_Object *object, const char *name, int boolean); +JSON_Status json_object_dotset_null(JSON_Object *object, const char *name); + +/* Frees and removes name-value pair */ +JSON_Status json_object_remove(JSON_Object *object, const char *name); + +/* Works like dotget function, but removes name-value pair only on exact match. */ +JSON_Status json_object_dotremove(JSON_Object *object, const char *key); + +/* Removes all name-value pairs in object */ +JSON_Status json_object_clear(JSON_Object *object); + +/* + *JSON Array + */ +JSON_Value * json_array_get_value (const JSON_Array *array, size_t index); +const char * json_array_get_string (const JSON_Array *array, size_t index); +size_t json_array_get_string_len(const JSON_Array *array, size_t index); /* doesn't account for last null character */ +JSON_Object * json_array_get_object (const JSON_Array *array, size_t index); +JSON_Array * json_array_get_array (const JSON_Array *array, size_t index); +double json_array_get_number (const JSON_Array *array, size_t index); /* returns 0 on fail */ +int json_array_get_boolean(const JSON_Array *array, size_t index); /* returns -1 on fail */ +size_t json_array_get_count (const JSON_Array *array); +JSON_Value * json_array_get_wrapping_value(const JSON_Array *array); + +/* Frees and removes value at given index, does nothing and returns JSONFailure if index doesn't exist. + * Order of values in array may change during execution. */ +JSON_Status json_array_remove(JSON_Array *array, size_t i); + +/* Frees and removes from array value at given index and replaces it with given one. + * Does nothing and returns JSONFailure if index doesn't exist. + * json_array_replace_value does not copy passed value so it shouldn't be freed afterwards. */ +JSON_Status json_array_replace_value(JSON_Array *array, size_t i, JSON_Value *value); +JSON_Status json_array_replace_string(JSON_Array *array, size_t i, const char* string); +JSON_Status json_array_replace_string_with_len(JSON_Array *array, size_t i, const char *string, size_t len); /* length shouldn't include last null character */ +JSON_Status json_array_replace_number(JSON_Array *array, size_t i, double number); +JSON_Status json_array_replace_boolean(JSON_Array *array, size_t i, int boolean); +JSON_Status json_array_replace_null(JSON_Array *array, size_t i); + +/* Frees and removes all values from array */ +JSON_Status json_array_clear(JSON_Array *array); + +/* Appends new value at the end of array. + * json_array_append_value does not copy passed value so it shouldn't be freed afterwards. */ +JSON_Status json_array_append_value(JSON_Array *array, JSON_Value *value); +JSON_Status json_array_append_string(JSON_Array *array, const char *string); +JSON_Status json_array_append_string_with_len(JSON_Array *array, const char *string, size_t len); /* length shouldn't include last null character */ +JSON_Status json_array_append_number(JSON_Array *array, double number); +JSON_Status json_array_append_boolean(JSON_Array *array, int boolean); +JSON_Status json_array_append_null(JSON_Array *array); + +/* + *JSON Value + */ +JSON_Value * json_value_init_object (void); +JSON_Value * json_value_init_array (void); +JSON_Value * json_value_init_string (const char *string); /* copies passed string */ +JSON_Value * json_value_init_string_with_len(const char *string, size_t length); /* copies passed string, length shouldn't include last null character */ +JSON_Value * json_value_init_number (double number); +JSON_Value * json_value_init_boolean(int boolean); +JSON_Value * json_value_init_null (void); +JSON_Value * json_value_deep_copy (const JSON_Value *value); +void json_value_free (JSON_Value *value); + +JSON_Value_Type json_value_get_type (const JSON_Value *value); +JSON_Object * json_value_get_object (const JSON_Value *value); +JSON_Array * json_value_get_array (const JSON_Value *value); +const char * json_value_get_string (const JSON_Value *value); +size_t json_value_get_string_len(const JSON_Value *value); /* doesn't account for last null character */ +double json_value_get_number (const JSON_Value *value); +int json_value_get_boolean(const JSON_Value *value); +JSON_Value * json_value_get_parent (const JSON_Value *value); + +/* Same as above, but shorter */ +JSON_Value_Type json_type (const JSON_Value *value); +JSON_Object * json_object (const JSON_Value *value); +JSON_Array * json_array (const JSON_Value *value); +const char * json_string (const JSON_Value *value); +size_t json_string_len(const JSON_Value *value); /* doesn't account for last null character */ +double json_number (const JSON_Value *value); +int json_boolean(const JSON_Value *value); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tests/Makefile.am b/tests/Makefile.am index 1d22322..2f01e61 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -1,9 +1,7 @@ -TESTS_ENVIRONMENT = env BUILDDIR=$(abs_top_builddir) $(PYTHON) $(top_srcdir)/tests/cram.py +TESTS_ENVIRONMENT = env BUILDDIR=$(abs_top_builddir) $(PYTHON) -# Preserve ordering; login_duo-0.t does some setup -TESTS = login_duo-0.t login_duo-1.t login_duo-2.t login_duo-3.t login_duo-4.t login_duo-5.t login_duo-6.t login_duo-7.t -TESTS += groups-0.t groups-1.t groups-2.t mocklogin_duo-0.t mocklogin_duo-1.t util-0.t test_crypto-0.t -PAM_TESTS = pam_duo-0.t pam_duo-1.t pam_duo-2.t pam_duo-3.t pam_duo-4.t pam_duo-5.t pam_duo-6.t pam_duo-7.t +TESTS = test_login_duo.py test_crypto.py test_duo_split_at.py +PAM_TESTS = test_pam_duo.py check_LTLIBRARIES = libgroups_preload.la libgroups_preload_la_SOURCES = groups_preload.c @@ -24,4 +22,4 @@ check_PROGRAMS = testpam testpam_LDADD = -lpam endif -EXTRA_DIST = bson/codec.py bson/__init__.py certs confs cram.py fips_scanner.sh is_fips_supported.sh groups.py login_duo.py mockduo.py mocklogin_duo.py paths.py pexpect.py testpam.py $(TESTS) $(PAM_TESTS) +EXTRA_DIST = bson/codec.py bson/__init__.py certs confs cram.py fips_scanner.sh is_fips_supported.sh groups.py login_duo.py mockduo.py mocklogin_duo.py paths.py pexpect.py testpam.py $(TESTS) $(PAM_TESTS) common_suites.py mockduo_context.py config.py diff --git a/tests/common_suites.py b/tests/common_suites.py new file mode 100644 index 0000000..ff68207 --- /dev/null +++ b/tests/common_suites.py @@ -0,0 +1,704 @@ +import os +import subprocess +import unittest + +import pexpect +from config import ( + BAD_CORRUPT_CONF, + BAD_CORRUPT_SECURE_CONF, + BAD_EMPTY_CONF, + BAD_HEADER_CONF, + BAD_MISSING_VALUES_CONF, + MOCKDUO_AUTOPUSH, + MOCKDUO_AUTOPUSH_SECURE, + MOCKDUO_BADKEYS, + MOCKDUO_BADKEYS_FAILSECURE, + MOCKDUO_CONF, + MOCKDUO_EXTRA_SPACE, + MOCKDUO_FAILSECURE, + MOCKDUO_FAILSECURE_BAD_CERT, + MOCKDUO_FALLBACK, + MOCKDUO_FIPS, + MOCKDUO_NOVERIFY, + MOCKDUO_PROMPTS_1, + MOCKDUO_PROXY, + TESTCONF, + TempConfig, +) +from mockduo_context import NORMAL_CERT, SELFSIGNED_CERT, WRONGHOST_CERT, MockDuo + +TESTDIR = os.path.realpath(os.path.dirname(__file__)) + + +def fips_available(): + returncode = subprocess.call( + [os.path.join(TESTDIR, "is_fips_supported.sh")], + stdout=subprocess.PIPE, + ) + return returncode == 0 + + +class CommonTestCase(unittest.TestCase): + def call_binary(self, *args, **kwargs): + raise NotImplementedError + + +# suite class just prevents the inner test cases from being run +class CommonSuites: + class Configuration(CommonTestCase): + def test_missing_config_file(self): + """Missing conf file""" + result = self.call_binary(["-d", "-c", "/nonexistent", "true"]) + self.assertRegexpMatches( + result["stderr"][0], + r"Couldn't open /nonexistent: No such file or directory", + ) + + def test_bad_permissions_on_conf_file(self): + """Bad permissions on conf file""" + with TempConfig(TESTCONF) as temp: + os.chmod(temp.name, 0o644) + result = self.call_binary(["-d", "-c", temp.name, "true"]) + self.assertRegexpMatches( + result["stderr"][0], + "{name} must be readable only by user '.*'".format(name=temp.name), + ) + + def test_bad_configuration_files(self): + """Bad configuration files""" + for config in [ + BAD_EMPTY_CONF, + BAD_HEADER_CONF, + BAD_MISSING_VALUES_CONF, + ]: + with TempConfig(config) as temp: + result = self.call_binary(["-d", "-c", temp.name, "true"]) + self.assertRegexpMatches( + result["stderr"][0], + "Missing host, ikey, or skey in {name}".format(name=temp.name), + ) + + def test_corrupt_configuration_file_failsafe(self): + with TempConfig(BAD_CORRUPT_CONF) as temp: + result = self.call_binary(["-d", "-c", temp.name, "true"]) + self.assertRegexpMatches( + result["stderr"][0], "Parse error in {name}".format(name=temp.name) + ) + self.assertEqual(result["returncode"], 0) + + def test_corrupt_configuration_file_failsecure(self): + with TempConfig(BAD_CORRUPT_SECURE_CONF) as temp: + result = self.call_binary(["-d", "-c", temp.name, "true"]) + self.assertRegexpMatches( + result["stderr"][0], "Parse error in {name}".format(name=temp.name) + ) + self.assertEqual(result["returncode"], 1) + + class DuoDown(CommonTestCase): + def test_mockduo_down(self): + """mockduo down""" + with TempConfig(TESTCONF) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "whatever", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Failsafe Duo login for 'whatever'.*: Couldn't connect to .* Failed to connect", + ) + + def test_down_fail_secure(self): + """Test that binary fails secure if Duo is down""" + # Weirdly this requires a bad cert. I think this may have been caused by some + # file path confusion in the original cram test + with TempConfig(MOCKDUO_FAILSECURE_BAD_CERT) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "whatever", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], r"Couldn't open Duo API handle for .*" + ) + self.assertEqual(result["returncode"], 1) + + class DuoSelfSignedCert(CommonTestCase): + def run(self, result=None): + with MockDuo(SELFSIGNED_CERT): + return super(CommonSuites.DuoSelfSignedCert, self).run(result) + + def test_invalid_cert(self): + """Invalid cert""" + for config in [MOCKDUO_CONF, MOCKDUO_FAILSECURE]: + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "whatever", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"{failmode} Duo login for .* Couldn't connect to .*: certificate verify failed".format( + failmode=config.failmode_as_prefix() + ), + ) + if config.get("failmode", None) == "secure": + self.assertEqual(result["returncode"], 1) + + def test_self_signed_with_noverify(self): + """With noverify""" + with TempConfig(MOCKDUO_NOVERIFY) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow'.*: preauth-allowed", + ) + + class DuoBadCN(CommonTestCase): + def run(self, result=None): + with MockDuo(WRONGHOST_CERT): + return super(CommonSuites.DuoBadCN, self).run(result) + + def test_wrong_hostname(self): + """Wrong hostname""" + for config in [MOCKDUO_CONF, MOCKDUO_FAILSECURE]: + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "whatever", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"{failmode} Duo login for .*: Couldn't connect to .*: Certificate name validation failed".format( + failmode=config.failmode_as_prefix() + ), + ) + if config.get("failmode", None) == "secure": + self.assertEqual(result["returncode"], 1) + + def test_failsecure(self): + """Test wrong hostname with fail secure""" + with TempConfig(MOCKDUO_FAILSECURE) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "whatever", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Failsecure Duo login for .*: Couldn't connect to .*: Certificate name validation failed", + ) + + def test_noverify(self): + """Test wrong hostname with noverify""" + with TempConfig(MOCKDUO_NOVERIFY) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow'.*: preauth-allowed", + ) + + class WithValidCert(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.WithValidCert, self).run(result) + + def test_http_server_abort_errors(self): + for code in ["400", "402", "403", "404"]: + for config in [MOCKDUO_CONF, MOCKDUO_FAILSECURE, MOCKDUO_AUTOPUSH]: + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", code, "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Aborted Duo login for '{code}'.*: HTTP {code}".format( + code=code + ), + ) + + def test_http_server_failmode_errors(self): + for code in ["500", "501", "502", "503", "504"]: + for config in [MOCKDUO_CONF, MOCKDUO_AUTOPUSH, MOCKDUO_FAILSECURE]: + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", code, "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"{failmode} Duo login for '{code}'.*: HTTP {code}".format( + failmode=config.failmode_as_prefix(), code=code + ), + ) + + def test_http_server_invalid_credentials_error(self): + code = "401" + for config in [MOCKDUO_CONF, MOCKDUO_AUTOPUSH, MOCKDUO_FAILSECURE]: + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", code, "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"{failmode} Duo login for '{code}'.*: Invalid ikey or skey".format( + failmode=config.failmode_as_prefix(), code=code + ), + ) + + def test_with_bad_keys(self): + for config in [MOCKDUO_BADKEYS, MOCKDUO_BADKEYS_FAILSECURE]: + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "whatever", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"{failmode} Duo login for .*: Invalid ikey or skey".format( + failmode=config.failmode_as_prefix() + ), + ) + if config.get("failmode", None) == "secure": + self.assertEqual(result["returncode"], 1) + + class PreauthStates(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.PreauthStates, self).run(result) + + def check_preauth_state(self, user, message, prefix=None): + for config in [MOCKDUO_CONF, MOCKDUO_FAILSECURE]: + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", user, "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"{prefix} Duo login for '{user}'.*{message}".format( + prefix=prefix if prefix else config.failmode_as_prefix(), + user=user, + message=message, + ), + ) + + def test_preauth_ok_missing_response(self): + self.check_preauth_state( + "preauth-ok-missing_response", "JSON missing valid 'response'" + ) + + def test_preauth_fail_missing_response(self): + self.check_preauth_state( + "preauth-fail-missing_response", "JSON missing valid 'code'" + ) + + def test_preauth_bad_stat(self): + self.check_preauth_state("preauth-bad-stat", "") + + def test_preauth_fail(self): + self.check_preauth_state( + "preauth-fail", "1000: Pre-authentication failed", prefix="Failed" + ) + + def test_preauth_deny(self): + self.check_preauth_state("preauth-deny", "preauth-denied", prefix="Aborted") + + def test_preauth_allow(self): + self.check_preauth_state( + "preauth-allow", "preauth-allowed", prefix="Skipped" + ) + + def test_preauth_allow_bad_response(self): + self.check_preauth_state( + "preauth-allow-bad_response", "JSON missing valid 'status'" + ) + + class Hosts(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.Hosts, self).run(result) + + def check_host_reporting(self, host): + with TempConfig(MOCKDUO_CONF) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "-h", host, "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow' from {host}: preauth-allowed".format( + host=host + ), + ) + + def test_host_names(self): + for host in [ + "1.2.3.4", + "XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:AAA.BBB.CCC.DDD", + "nowhere", + '"%s"', + '"!@#$%^&*()_+<>{}|;\'"', + ]: + self.check_host_reporting(host) + + class HTTPProxy(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.HTTPProxy, self).run(result) + + def test_with_no_http_proxy(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + env={}, + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow'.*: preauth-allowed", + ) + + def test_with_broadcast_proxy(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + env={"http_proxy": "0.0.0.0"}, + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow'.*: preauth-allowed", + ) + + with TempConfig(MOCKDUO_PROXY) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + env={"http_proxy": "0.0.0.0"}, + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Failsafe Duo login for .*: Couldn't connect to localhost:4443: Failed to connect", + ) + + class GetHostname(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.GetHostname, self).run(result) + + def test_getting_hostname(self): + config = MOCKDUO_CONF + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "hostname", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Aborted Duo login for 'hostname': correct hostname", + ) + if config.get("failmode", None) == "secure": + self.assertEqual(result["returncode"], 1) + + class FIPS(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.FIPS, self).run(result) + + @unittest.skipIf( + fips_available() is False, reason="Fips is not supported on this platform" + ) + def test_fips_login(self): + with TempConfig(MOCKDUO_FIPS) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + timeout=10, + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow'.*: preauth-allowed", + ) + + @unittest.skipIf( + fips_available() is True, reason="Fips is supported on this platform" + ) + def test_fips_unavailable(self): + with TempConfig(MOCKDUO_FIPS) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + "FIPS mode flag specified, but OpenSSL not built with FIPS support. Failing the auth.", + ) + + class PreauthFailures(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.PreauthFailures, self).run(result) + + def test_failmode_preauth_fail(self): + for config in [MOCKDUO_AUTOPUSH, MOCKDUO_AUTOPUSH_SECURE]: + with TempConfig(config) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "auth_timeout", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Error in Duo login for 'auth_timeout': HTTP 500", + ) + + def test_failopen_report(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "failopen", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Aborted Duo login for 'failopen': correct failmode", + ) + + def test_failclosed_report(self): + with TempConfig(MOCKDUO_FAILSECURE) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "failclosed", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Aborted Duo login for 'failclosed': correct failmode", + ) + + def test_enroll(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "enroll", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"User enrollment required", + ) + + class Env(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.Env, self).run(result) + + def test_fallback_and_uid(self): + with TempConfig(MOCKDUO_FALLBACK) as temp: + result = self.call_binary( + [ + "-d", + "-c", + temp.name, + "-f", + "preauth-allow", + "-h", + "BADHOST", + "true", + ], + env={ + "FALLBACK": "1", + "UID": "1001", + }, + timeout=15, + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow'.*: preauth-allowed", + ) + + def test_ssh_connection_host(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + env={ + "SSH_CONNECTION": "1.2.3.4", + }, + ) + self.assertRegexpMatches( + result["stderr"][0], + r" Skipped Duo login for 'preauth-allow'", + ) + + def test_configuration_with_extra_space(self): + with TempConfig(MOCKDUO_EXTRA_SPACE) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"] + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow'.*: preauth-allowed", + ) + + class Interactive(CommonTestCase): + PROMPT_REGEX = ".* or option \(1-4\): $" + PROMPT_TEXT = [ + "Duo login for foobar", + "Choose or lose:", + " 1. Push 1", + " 2. Phone 1", + " 3. SMS 1 (deny)", + " 4. Phone 2 (deny)", + "Passcode or option (1-4): ", + ] + + def assertOutputEqual(self, output, expected): + processed_output = [line for line in output.split("\r\n") if line != ""] + self.assertListEqual(processed_output, expected) + + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.Interactive, self).run(result) + + def three_failed_inputs(self, config): + with TempConfig(config) as temp: + process = self.call_binary( + ["-d", "-c", temp.name, "-f", "foobar", "echo", "SUCCESS"], + ) + self.assertEqual( + process.expect(CommonSuites.Interactive.PROMPT_REGEX, timeout=10), 0 + ) + self.assertOutputEqual( + process.match.group(0), CommonSuites.Interactive.PROMPT_TEXT + ) + process.sendline("123456") + self.assertEqual( + process.expect(CommonSuites.Interactive.PROMPT_REGEX, timeout=1), 0 + ) + self.assertOutputEqual( + process.match.group(0), + [ + "123456", + "Invalid passcode, please try again.", + "[4] Failed Duo login for 'foobar'", + ] + + CommonSuites.Interactive.PROMPT_TEXT, + ) + process.sendline("wefawefgoiagj3rj") + self.assertEqual( + process.expect(CommonSuites.Interactive.PROMPT_REGEX, timeout=1), 0 + ) + self.assertOutputEqual( + process.match.group(0), + [ + "wefawefgoiagj3rj", + "Invalid passcode, please try again.", + "[4] Failed Duo login for 'foobar'", + ] + + CommonSuites.Interactive.PROMPT_TEXT, + ) + process.sendline("A" * 500) + self.assertEqual(process.expect(pexpect.EOF), 0) + self.maxDiff = None + self.assertOutputEqual( + process.before, + [ + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", + "[3] Error in Duo login for 'foobar'", + ], + ) + + def menu_options(self, config): + with TempConfig(config) as temp: + process = self.call_binary( + ["-d", "-c", temp.name, "-f", "foobar", "true"], + ) + self.assertEqual( + process.expect(CommonSuites.Interactive.PROMPT_REGEX, timeout=10), 0 + ) + self.assertOutputEqual( + process.match.group(0), CommonSuites.Interactive.PROMPT_TEXT + ) + process.sendline("3") + self.assertEqual( + process.expect(CommonSuites.Interactive.PROMPT_REGEX, timeout=5), 0 + ) + self.assertOutputEqual( + process.match.group(0), + [ + "3", + "New SMS passcodes sent", + "[4] Failed Duo login for 'foobar'", + ] + + CommonSuites.Interactive.PROMPT_TEXT, + ) + process.sendline("4") + self.assertEqual( + process.expect(CommonSuites.Interactive.PROMPT_REGEX, timeout=5), 0 + ) + self.assertOutputEqual( + process.match.group(0), + [ + "4", + "Dialing XXX-XXX-5678...", + "Answered. Press '#' on your phone to log in.", + "Authentication timed out.", + "[4] Failed Duo login for 'foobar'", + ] + + CommonSuites.Interactive.PROMPT_TEXT, + ) + process.sendline("1") + self.assertEqual(process.expect(pexpect.EOF), 0) + self.assertOutputEqual( + process.before, + [ + "1", + "Pushed a login request to your phone.", + "Success. Logging you in...", + "[6] Successful Duo login for 'foobar'", + ], + ) + + def menu_success(self, config): + with TempConfig(config) as temp: + process = self.call_binary( + ["-d", "-c", temp.name, "-f", "foobar", "true"], + ) + # This is here to prevent race conditions with character entry + process.expect(CommonSuites.Interactive.PROMPT_REGEX, timeout=10) + process.sendline("2") + self.assertEqual(process.expect(pexpect.EOF), 0) + self.assertOutputEqual( + process.before, + [ + "2", + "Dialing XXX-XXX-1234...", + "Answered. Press '#' on your phone to log in.", + "Success. Logging you in...", + "[6] Successful Duo login for 'foobar'", + ], + ) + + def test_three_failed_inputs(self): + self.three_failed_inputs(MOCKDUO_CONF) + + @unittest.skipIf( + fips_available() is False, reason="Fips is not supported on this platform" + ) + def test_fips_three_failed_inputs(self): + self.three_failed_inputs(MOCKDUO_FIPS) + + def test_menu_options(self): + self.menu_options(MOCKDUO_CONF) + self.menu_success(MOCKDUO_CONF) + + @unittest.skipIf( + fips_available() is False, reason="Fips is not supported on this platform" + ) + def test_fips_menu_options(self): + self.menu_options(MOCKDUO_FIPS) + self.menu_success(MOCKDUO_FIPS) + + def test_autopush_nomenu(self): + with TempConfig(MOCKDUO_AUTOPUSH) as temp: + process = self.call_binary( + ["-d", "-c", temp.name, "-f", "foobar", "true"], + ) + self.assertEqual( + process.expect("Autopushing login request to phone...", timeout=10), + 0, + ) + + class InvalidBSON(CommonTestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(CommonSuites.InvalidBSON, self).run(result) + + def test_basic_invalid_json(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = self.call_binary( + ["-d", "-c", temp.name, "-f", "bad-json", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"invalid JSON response", + ) diff --git a/tests/config.py b/tests/config.py new file mode 100644 index 0000000..55df18f --- /dev/null +++ b/tests/config.py @@ -0,0 +1,325 @@ +#!/usr/bin/env python +from tempfile import NamedTemporaryFile +from textwrap import dedent + + +class DuoUnixConfig(dict): + def __str__(self): + config = dedent( + """ + [duo]\n + """ + ) + for key in self: + config += "{key} = {value}\n".format(key=key, value=self[key]) + return config + + def failmode_as_prefix(self): + failmode = self.get("failmode", "safe") + if failmode == "safe" or failmode is None: + return "Failsafe" + if failmode == "secure": + return "Failsecure" + else: + return "Unknown" + + +# Referred to as "duo.conf" in cram testing +TESTCONF = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", +) + +# Referred to as "bad-corrupt.conf" in cram testing +BAD_CORRUPT_CONF = """ +[duo] +ikey = +skey = +host = +q3598pjg9jajaf +""" +BAD_CORRUPT_SECURE_CONF = """ +[duo] +failmode=secure +ikey = +skey = +host = +q3598pjg9jajaf +""" + + +# Referred to as "bad-header_only.conf" in cram testing +BAD_HEADER_CONF = """ +[duo] +""" + +# Referred to as "bad-empty.conf" in cram testing +BAD_EMPTY_CONF = """ +""" + +# Referred to as "bad-missing_values.conf" in cram testing +BAD_MISSING_VALUES_CONF = """ +[duo] +ikey = +skey = +host = +""" + +# Referred to as "mockduo_failsecure.conf" +MOCKDUO_FAILSECURE = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + failmode="secure", +) + +MOCKDUO_FAILSECURE_BAD_CERT = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="nonexistent/ca.pem", + failmode="secure", +) + +# Referred to as "mockduo.conf" +MOCKDUO_CONF = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", +) + +# Referred to as "mockduo_noverify.conf" +MOCKDUO_NOVERIFY = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + noverify="1", +) + +# Referred to as "mockduo_autopush.conf" +MOCKDUO_AUTOPUSH = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + autopush="yes", + prompts="1", +) + +# Referred to as "mockduo_badkeys.conf" +MOCKDUO_BADKEYS = DuoUnixConfig( + ikey="foo", + skey="bar", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", +) + +MOCKDUO_BADKEYS_FAILSECURE = DuoUnixConfig( + ikey="foo", + skey="bar", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + failmode="secure", +) + +# Referred to as "mockduo_fallback.conf" in cram tests +MOCKDUO_FALLBACK = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + fallback_local_ip="yes", +) + +# Referred to as "mockduo_proxy.conf" in cram tests +MOCKDUO_PROXY = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + http_proxy="http://localhost:8888/", +) + +MOCKDUO_FIPS = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + dev_fips_mode="true", + cafile="certs/mockduo-ca.pem", + noverify="1", +) + +# Referred to as "duo.conf" in the cram tests +DUO_CONF = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", +) + +# Referred to as "mockduo_prompts_1.conf" in cram tests +MOCKDUO_PROMPTS_1 = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + autopush="yes", + prompts="1", +) + + +# Refered to as "mockduo_prompts_default.conf" in cram tests +MOCKDUO_PROMPTS_DEFAULT = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + autopush="true", +) + +# Referred to as "mockduo_autopush_secure.conf" in cram tests +MOCKDUO_AUTOPUSH_SECURE = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + autopush="yes", + prompts="1", + failmode="secure", +) + +MOCKDUO_GECOS_SEND_UNPARSED = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + send_gecos="true", +) + +MOCKDUO_GECOS_DEPRECATED_PARSE_FLAG = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + gecos_parsed="true", +) + +MOCKDUO_GECOS_DEFAULT_DELIM_6_POS = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + gecos_username_pos="6", +) + +MOCKDUO_GECOS_SLASH_DELIM_3_POS = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + gecos_delim="/", + gecos_username_pos="3", +) + +MOCKDUO_GECOS_LONG_DELIM = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + gecos_delim=",,", +) + +MOCKDUO_GECOS_INVALID_DELIM_COLON = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + gecos_delim=":", +) + +MOCKDUO_GECOS_INVALID_DELIM_PUNC = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + gecos_delim="a", +) + + +MOCKDUO_GECOS_INVALID_DELIM_WHITESPACE = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + gecos_delim=" ", +) + +MOCKDUO_GECOS_INVALID_POS = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + gecos_username_pos="-1", +) + +# Referred to as "mockduo_users.conf" +MOCKDUO_USERS = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + groups="users", +) + +MOCKDUO_USERS_ADMINS = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + group="users,admin", +) + + +MOCKDUO_ADMINS_NO_USERS = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + group="admin,!users", +) + +MOTD_CONF = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + motd="yes", +) + +MOCKDUO_EXTRA_SPACE = """ +[duo] +ikey = DIXYZV6YM8IFYVWBINCA +skey = + yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo +host = localhost:4443 +cafile = certs/mockduo-ca.pem + ; This comment shouldn't break Duo +""" + + +class TempConfig(object): + def __init__(self, config_data): + self.config_data = str(config_data) + self.temp_file = None + + def __enter__(self): + self.temp_file = NamedTemporaryFile() + self.temp_file.write(self.config_data.encode("utf8")) + self.temp_file.flush() + return self.temp_file + + def __exit__(self, type, value, traceback): + self.temp_file.close() diff --git a/tests/fips_scanner.sh b/tests/fips_scanner.sh index 94ea500..dade83a 100755 --- a/tests/fips_scanner.sh +++ b/tests/fips_scanner.sh @@ -125,15 +125,17 @@ CIPHER_LIST=("AES_set_encrypt_key" echo -e "Checking for low-level cipher calls" echo -e "===================================\n" +EXITCODE=0 + #Exclude files that are being used to search for anything not fips compliant #Unless excluded, these files will also be scanned and trigger false positives errorFile="fips_scanner.sh.err" fipsScanner="fips_scanner.sh" testCrypto="test_crypto-0*" for cipher in ${CIPHER_LIST[@]} ; do - echo "Scanning for cipher function: ${cipher}" if grep -R ${cipher} ${DIR} --exclude={$fipsScanner,$testCrypto,$errorFile} ; then - echo -e "\e[92mFound potential calls for ${cipher}\e[0m" + echo "Found potential calls for ${cipher}" + EXITCODE=1 fi done @@ -157,8 +159,10 @@ DIGEST_LIST=("SHA1_Init" echo -e "\nChecking for low-level digest calls" echo -e "===================================\n" for digest in ${DIGEST_LIST[@]} ; do - echo "Scanning for cipher function: ${digest}" if grep -R ${digest} ${DIR} --exclude={$fipsScanner,$testCrypto,$errorFile} ; then - echo -e "\e[92mFound potential calls for ${digest}\e[0m" + echo "Found potential calls for ${digest}" + EXITCODE=1 fi done + +exit $EXITCODE diff --git a/tests/groups_preload.c b/tests/groups_preload.c index bc3c281..4ed8ed4 100644 --- a/tests/groups_preload.c +++ b/tests/groups_preload.c @@ -10,6 +10,9 @@ #include #include #include +#include + +FILE *(*_fopen)(const char* filename, const char* mode); static struct passwd _passwd[6] = { { "user1", "*", 1000, 1000, .pw_gecos = "gecos", .pw_dir = "/", @@ -104,6 +107,18 @@ getgrent(void) return (&_groups[_group_ptr++]); } +FILE * +fopen(const char *filename, const char *mode) +{ + _fopen = dlsym(RTLD_NEXT, "fopen"); + if (strcmp(filename, "/etc/motd") == 0) { + return (*_fopen)("/tmp/duomotdtest", mode); + } + else { + return (*_fopen)(filename, mode); + } +} + int #ifdef __APPLE__ getgrouplist(const char *user, int group, int *groups, int *ngroups) diff --git a/tests/login_duo_preload.c b/tests/login_duo_preload.c index 58cf543..d44d6c3 100644 --- a/tests/login_duo_preload.c +++ b/tests/login_duo_preload.c @@ -21,10 +21,24 @@ int (*_sys_poll)(struct pollfd *fds, nfds_t nfds, int timeout); int (*_sys_connect)(int sockfd, const struct sockaddr *addr, socklen_t addrlen); int (*_sys_getaddrinfo)(const char *node, const char *service, const struct addrinfo *hints, struct addrinfo **res); char *(*_sys_inet_ntoa)(struct in_addr in); +struct passwd *(*_getpwnam)(const char* name); +FILE *(*_fopen)(const char* filename, const char* mode); -static struct passwd _passwd[1] = { +static struct passwd _passwd[11] = { + { "sshd", "*", 1000, 100, .pw_gecos = "gecos", .pw_dir = "/", + .pw_shell = "/bin/sh" }, { "user1", "*", 1001, 100, .pw_gecos = "gecos", .pw_dir = "/", .pw_shell = "/bin/sh" }, + { "gecos/6", "*", 1010, 100, .pw_gecos = "1/2/3/4/5/gecos_user_gecos_field6", .pw_dir = "/", .pw_shell = "/bin/sh" }, + { "gecos/3", "*", 1011, 100, .pw_gecos = "1/2/gecos_user_gecos_field3/4/5/6", .pw_dir = "/", .pw_shell = "/bin/sh" }, + { "gecos,6", "*", 1012, 100, .pw_gecos = "1,2,3,4,5,gecos_user_gecos_field6", .pw_dir = "/", .pw_shell = "/bin/sh" }, + { "gecos,3", "*", 1013, 100, .pw_gecos = "1,2,gecos_user_gecos_field3,4,5,6", .pw_dir = "/", .pw_shell = "/bin/sh" }, + { "fullgecos", "*", 1014, 100, .pw_gecos = "full_gecos_field", .pw_dir = "/", .pw_shell = "/bin/sh" }, + { "noshell", "*", 1015, 100, .pw_gecos = "full_gecos_field", .pw_dir = "/", .pw_shell = NULL}, + { "emptygecos", "*", 1016, 100, .pw_gecos = "", .pw_dir = "/", .pw_shell = "/bin/sh" }, + { "slashshell", "*", 1017, 100, .pw_gecos = "full_gecos_field", .pw_dir = "/", .pw_shell = "/usr/bin/echo"}, + { "preauth-allow", "*", 1018, 100, .pw_gecos = "gecos", .pw_dir = "/", + .pw_shell = "/bin/sh" }, }; int @@ -106,7 +120,9 @@ getuid(void) uid_t geteuid(void) { - return (getuid()); + char *p = getenv("EUID"); + + return (p ? atoi(p) : getuid()); } struct passwd * @@ -115,9 +131,43 @@ getpwuid(uid_t uid) int i; for (i = 0; i < sizeof(_passwd) / sizeof(_passwd[0]); i++) { - if (_passwd[i].pw_uid == uid) - return (&_passwd[i]); + if (_passwd[i].pw_uid == uid) { + // we have to copy the pw_gecos field because it might be modified + // by `duo_split_at` which casues a segfault if we leave it as a + // constant literal + _passwd[i].pw_gecos = strdup(_passwd[i].pw_gecos); + return (&_passwd[i]); + } } errno = ENOENT; return (NULL); } + +struct passwd * +getpwnam(const char *name) +{ + char *u = getenv("NO_PRIVSEP_USER"); + int i; + if(u) { + return NULL; + } + for (i = 0; i < sizeof(_passwd) / sizeof(_passwd[0]); i++) { + if (strcmp(_passwd[i].pw_name, name) == 0) { + return (&_passwd[i]); + } + } + _getpwnam = dlsym(RTLD_NEXT, "getpwnam"); + return (*_getpwnam)(name); +} + +FILE * +fopen(const char *filename, const char *mode) +{ + _fopen = dlsym(RTLD_NEXT, "fopen"); + if (strcmp(filename, "/etc/motd") == 0) { + return (*_fopen)("/tmp/duomotdtest", mode); + } + else { + return (*_fopen)(filename, mode); + } +} diff --git a/tests/mockduo.py b/tests/mockduo.py index a901bf8..f67b4db 100755 --- a/tests/mockduo.py +++ b/tests/mockduo.py @@ -1,116 +1,126 @@ #!/usr/bin/env python -import BaseHTTPServer import cgi -import bson +import json + +import BaseHTTPServer + try: from hashlib import sha1 except ImportError: import sha as sha1 + import hmac import os +import socket import ssl import sys import time import urllib -import socket -IKEY = 'DIXYZV6YM8IFYVWBINCA' -SKEY = 'yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo' +IKEY = "DIXYZV6YM8IFYVWBINCA" +SKEY = "yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo" # Used to check if the FQDN is set to either the ipv4 or ipv6 address -IPV6_LOOPBACK_ADDR = '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' -IPV4_LOOPBACK_ADDR = '1.0.0.127.in-addr.arpa' +IPV6_LOOPBACK_ADDR = ( + "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" +) +IPV4_LOOPBACK_ADDR = "1.0.0.127.in-addr.arpa" tx_msgs = { - 'txPUSH1': [ '0:Pushed a login request to your phone.', - '1:Success. Logging you in...' ], - 'txVOICE1': [ '0:Dialing XXX-XXX-1234...', - "1:Answered. Press '#' on your phone to log in.", - '1:Success. Logging you in...' ], - 'txSMSREFRESH1': [ '0:New SMS passcodes sent' ], - 'txVOICE2': [ '0:Dialing XXX-XXX-5678...', - "1:Answered. Press '#' on your phone to log in.", - '2:Authentication timed out.' ], - } + "txPUSH1": [ + "0:Pushed a login request to your phone.", + "1:Success. Logging you in...", + ], + "txVOICE1": [ + "0:Dialing XXX-XXX-1234...", + "1:Answered. Press '#' on your phone to log in.", + "1:Success. Logging you in...", + ], + "txSMSREFRESH1": ["0:New SMS passcodes sent"], + "txVOICE2": [ + "0:Dialing XXX-XXX-5678...", + "1:Answered. Press '#' on your phone to log in.", + "2:Authentication timed out.", + ], +} + class MockDuoHandler(BaseHTTPServer.BaseHTTPRequestHandler): - server_version = 'MockDuo/1.0' - protocol_version = 'HTTP/1.1' + server_version = "MockDuo/1.0" + protocol_version = "HTTP/1.1" def _verify_sig(self): - authz = self.headers['Authorization'].split()[1].decode('base64') - ikey, sig = authz.split(':') + authz = self.headers["Authorization"].split()[1].decode("base64") + ikey, sig = authz.split(":") if ikey != IKEY: return False - - canon = [ self.method, - self.headers['Host'].split(':')[0].lower(), - self.path ] + + canon = [self.method, self.headers["Host"].split(":")[0].lower(), self.path] l = [] for k in sorted(self.args.keys()): - l.append('%s=%s' % (urllib.quote(k, '~'), - urllib.quote(self.args[k], '~'))) - canon.append('&'.join(l)) - h = hmac.new(SKEY, '\n'.join(canon), sha1) - + l.append("%s=%s" % (urllib.quote(k, "~"), urllib.quote(self.args[k], "~"))) + canon.append("&".join(l)) + h = hmac.new(SKEY, "\n".join(canon), sha1) + return sig == h.hexdigest() - def _get_args(self): - if self.method == 'POST': - env = { 'REQUEST_METHOD': 'POST', - 'CONTENT_TYPE': self.headers['Content-Type'] } - fs = cgi.FieldStorage(fp=self.rfile, headers=self.headers, - environ=env) + def _get_args(self): + if self.method == "POST": + env = { + "REQUEST_METHOD": "POST", + "CONTENT_TYPE": self.headers["Content-Type"], + } + fs = cgi.FieldStorage(fp=self.rfile, headers=self.headers, environ=env) args = {} for k in fs.keys(): args[k] = fs[k].value else: args = dict(cgi.parse_qsl(self.qs)) - print 'got %s %s args: %s' % (self.method, self.path, args) + print "got %s %s args: %s" % (self.method, self.path, args) return args def _get_tx_response(self, txid, async): last = True if txid not in tx_msgs: - secs, msg = 0, 'Invalid passcode, please try again.' + secs, msg = 0, "Invalid passcode, please try again." elif async: - secs, msg = tx_msgs[txid].pop(0).split(':', 1) + secs, msg = tx_msgs[txid].pop(0).split(":", 1) last = not tx_msgs[txid] else: - secs, msg = tx_msgs[txid][-1].split(':', 1) - - if msg.startswith('Success'): - rsp = { 'result': 'allow', 'status': msg } + secs, msg = tx_msgs[txid][-1].split(":", 1) + + if msg.startswith("Success"): + rsp = {"result": "allow", "status": msg} elif async and not last: - rsp = { 'status': msg } + rsp = {"status": msg} else: - rsp = { 'result': 'deny', 'status': msg } + rsp = {"result": "deny", "status": msg} time.sleep(int(secs)) return rsp - def _send(self, code, buf=''): + def _send(self, code, buf=""): self.send_response(code) self.send_header("Content-length", str(len(buf))) if buf: - self.send_header("Content-type", "application/bson") + self.send_header("Content-type", "application/json") self.end_headers() self.wfile.write(buf) else: self.end_headers() - + def do_GET(self): - self.method = 'GET' - self.path, self.qs = self.path.split('?', 1) + self.method = "GET" + self.path, self.qs = self.path.split("?", 1) self.args = self._get_args() - + if not self._verify_sig(): return self._send(401) - - ret = { 'stat': 'OK' } - - if self.path == '/rest/v1/status.bson': - ret['response'] = self._get_tx_response(self.args['txid'], 1) - buf = bson.dumps(ret) + + ret = {"stat": "OK"} + + if self.path == "/rest/v1/status.json": + ret["response"] = self._get_tx_response(self.args["txid"], 1) + buf = json.dumps(ret) return self._send(200, buf) self._send(404) @@ -118,122 +128,145 @@ def do_GET(self): def hostname_check(self, hostname): domain_fqdn = socket.getfqdn().lower() if hostname == domain_fqdn.lower() or hostname == socket.gethostname().lower(): - return True - #Check if socket.getfqdn() is the loopback address for ipv4 or ipv6 then check the hostname of the machine + return True + # Check if socket.getfqdn() is the loopback address for ipv4 or ipv6 then check the hostname of the machine if domain_fqdn == IPV6_LOOPBACK_ADDR or domain_fqdn == IPV4_LOOPBACK_ADDR: if hostname == socket.gethostbyaddr(socket.gethostname())[0].lower(): return True - return False + return False def do_POST(self): - self.method = 'POST' + self.method = "POST" self.args = self._get_args() - + buf = None + if not self._verify_sig(): return self._send(401) - + try: - return self._send(int(self.args['user'])) + return self._send(int(self.args["user"])) except: - ret = { 'stat': 'OK' } - - if self.path == '/rest/v1/preauth.bson': - if self.args['user'] == 'preauth-ok-missing_response': + ret = {"stat": "OK"} + + if self.path == "/rest/v1/preauth.json": + if self.args["user"] == "preauth-ok-missing_response": pass - elif self.args['user'] == 'preauth-fail-missing_response': - ret['stat'] = 'FAIL' - elif self.args['user'] == 'preauth-bad-stat': - ret['stat'] = 'BAD_STATUS' - elif self.args['user'] == 'preauth-fail': - ret = { 'stat': 'FAIL', 'code': 1000, 'message': 'Pre-authentication failed' } - elif self.args['user'] == 'preauth-deny': - ret['response'] = { 'result': 'deny', 'status': 'preauth-denied' } - elif self.args['user'] == 'preauth-allow': - ret['response'] = { 'result': 'allow', 'status': 'preauth-allowed' } - elif self.args['user'] == 'preauth-allow-bad_response': - ret['response'] = { 'result': 'allow', 'xxx': 'preauth-allowed-bad-response' } - elif (self.args['user'] == 'hostname'): - if (self.hostname_check(self.args['hostname'].lower())): - ret['response'] = { 'result': 'deny', 'status': 'correct hostname' } + elif self.args["user"] == "preauth-fail-missing_response": + ret["stat"] = "FAIL" + elif self.args["user"] == "preauth-bad-stat": + ret["stat"] = "BAD_STATUS" + elif self.args["user"] == "preauth-fail": + ret = { + "stat": "FAIL", + "code": 1000, + "message": "Pre-authentication failed", + } + elif self.args["user"] == "preauth-deny": + ret["response"] = {"result": "deny", "status": "preauth-denied"} + elif self.args["user"] == "preauth-allow": + ret["response"] = {"result": "allow", "status": "preauth-allowed"} + elif self.args["user"] == "preauth-allow-bad_response": + ret["response"] = { + "result": "allow", + "xxx": "preauth-allowed-bad-response", + } + elif self.args["user"] == "hostname": + if self.hostname_check(self.args["hostname"].lower()): + ret["response"] = {"result": "deny", "status": "correct hostname"} else: - response = "hostname recieved: " + self.args['hostname'] + " found: " + socket.getfqdn() - ret['response'] = { 'result': 'deny', 'status': response } - elif self.args['user'] == 'failopen': - if self.args['failmode'] == 'open': - ret['response'] = { 'result': 'deny', 'status': 'correct failmode' } + response = ( + "hostname recieved: " + + self.args["hostname"] + + " found: " + + socket.getfqdn() + ) + ret["response"] = {"result": "deny", "status": response} + elif self.args["user"] == "failopen": + if self.args["failmode"] == "open": + ret["response"] = {"result": "deny", "status": "correct failmode"} else: - ret['response'] = { 'result': 'deny', 'status': 'incorrect failmode' } - elif self.args['user'] == 'failclosed': - if self.args['failmode'] == 'closed': - ret['response'] = { 'result': 'deny', 'status': 'correct failmode' } + ret["response"] = {"result": "deny", "status": "incorrect failmode"} + elif self.args["user"] == "failclosed": + if self.args["failmode"] == "closed": + ret["response"] = {"result": "deny", "status": "correct failmode"} else: - ret['response'] = { 'result': 'deny', 'status': 'incorrect failmode' } - elif self.args['user'] == 'gecos_user_gecos_field6': - ret['response'] = { 'result': 'allow', 'status': 'gecos-user-gecos-field6-allowed' } - elif self.args['user'] == 'gecos_user_gecos_field3': - ret['response'] = { 'result': 'allow', 'status': 'gecos-user-gecos-field3-allowed' } - elif self.args['user'] == 'full_gecos_field': - ret['response'] = { 'result': 'allow', 'status': 'full-gecos-field' } - elif self.args['user'] == 'gecos/6': - ret['response'] = { 'result': 'allow', 'status': 'gecos/6' } + ret["response"] = {"result": "deny", "status": "incorrect failmode"} + elif self.args["user"] == "gecos_user_gecos_field6": + ret["response"] = { + "result": "allow", + "status": "gecos-user-gecos-field6-allowed", + } + elif self.args["user"] == "gecos_user_gecos_field3": + ret["response"] = { + "result": "allow", + "status": "gecos-user-gecos-field3-allowed", + } + elif self.args["user"] == "full_gecos_field": + ret["response"] = {"result": "allow", "status": "full-gecos-field"} + elif self.args["user"] == "gecos/6": + ret["response"] = {"result": "allow", "status": "gecos/6"} + elif self.args["user"] == "enroll": + ret["response"] = {"result": "enroll", "status": "please enroll"} + elif self.args["user"] == "bad-json": + buf = b"" else: - ret['response'] = { - 'result': 'auth', - 'prompt': 'Duo login for %s\n\n' % self.args['user'] + \ - 'Choose or lose:\n\n' + \ - ' 1. Push 1\n 2. Phone 1\n' + \ - ' 3. SMS 1 (deny)\n 4. Phone 2 (deny)\n\n' + \ - 'Passcode or option (1-4): ', - 'factors': { - 'default': 'push1', - '1': 'push1', - '2': 'voice1', - '3': 'smsrefresh1', - '4': 'voice2', - } - } - elif self.path == '/rest/v1/auth.bson': - if self.args['factor'] == 'auto': - txid = 'tx' + self.args['auto'].upper() - if self.args['user'] == 'pam_prompt': - ret['response'] = { 'txid': 'wrongFactor1' } - elif self.args['async'] == '1': - ret['response'] = { 'txid': txid } + ret["response"] = { + "result": "auth", + "prompt": "Duo login for %s\n\n" % self.args["user"] + + "Choose or lose:\n\n" + + " 1. Push 1\n 2. Phone 1\n" + + " 3. SMS 1 (deny)\n 4. Phone 2 (deny)\n\n" + + "Passcode or option (1-4): ", + "factors": { + "default": "push1", + "1": "push1", + "2": "voice1", + "3": "smsrefresh1", + "4": "voice2", + }, + } + elif self.path == "/rest/v1/auth.json": + if self.args["factor"] == "auto": + txid = "tx" + self.args["auto"].upper() + if self.args["user"] == "pam_prompt": + ret["response"] = {"txid": "wrongFactor1"} + elif self.args["async"] == "1": + ret["response"] = {"txid": txid} else: - ret['response'] = self._get_tx_response(txid, 0) + ret["response"] = self._get_tx_response(txid, 0) else: - ret['response'] = { 'result': 'deny', - 'status': 'no %s' % self.args['factor'] } - if (self.args['user'] == 'auth_timeout'): + ret["response"] = { + "result": "deny", + "status": "no %s" % self.args["factor"], + } + if self.args["user"] == "auth_timeout": return self._send(500) else: return self._send(404) - buf = bson.dumps(ret) - + if buf is None: + buf = json.dumps(ret) + return self._send(200, buf) + def main(): port = 4443 - host = 'localhost' + host = "localhost" if len(sys.argv) == 1: - cafile = os.path.realpath('%s/certs/mockduo.pem' % - os.path.dirname(__file__)) + cafile = os.path.realpath("%s/certs/mockduo.pem" % os.path.dirname(__file__)) elif len(sys.argv) == 2: cafile = sys.argv[1] else: - print >>sys.stderr, 'Usage: %s [certfile]\n' % sys.argv[0] + print >> sys.stderr, "Usage: %s [certfile]\n" % sys.argv[0] sys.exit(1) - + httpd = BaseHTTPServer.HTTPServer((host, port), MockDuoHandler) - httpd.socket = ssl.wrap_socket( - httpd.socket, - certfile=cafile, - server_side=True - ) + httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cafile, server_side=True) httpd.serve_forever() - -if __name__ == '__main__': + + +if __name__ == "__main__": main() diff --git a/tests/mockduo_context.py b/tests/mockduo_context.py new file mode 100644 index 0000000..43f0d94 --- /dev/null +++ b/tests/mockduo_context.py @@ -0,0 +1,100 @@ +import os +import socket +import subprocess +import time + +from paths import topbuilddir + +TESTDIR = os.path.realpath(os.path.dirname(__file__)) + +WRONGHOST_CERT = os.path.join(TESTDIR, "certs", "mockduo-wronghost.pem") +NORMAL_CERT = os.path.join(TESTDIR, "certs", "mockduo.pem") +SELFSIGNED_CERT = os.path.join(TESTDIR, "certs", "selfsigned.pem") + + +def port_open(ip, port): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + try: + s.connect((ip, int(port))) + s.shutdown(2) + return True + except: + return False + + +class MockDuoException(Exception): + def __init__(self, returncode, cmd, stderr, stdout): + self.returncode = returncode + self.cmd = cmd + self.stderr = stderr + self.stdout = stdout + + def __str__(self): + if self.stderr: + stderr_output = "STDERR:\n{stderr}".format(stderr=self.stderr) + else: + stderr_output = "" + + if self.stdout: + stdout_output = "STDOUT:\n{stdout}".format(stdout=self.stdout) + else: + stdout_output = "" + + return "Command: '{cmd}' returned non-zero exit code: {returncode}\n{stdout}{stderr}".format( + cmd=self.cmd, + returncode=self.returncode, + stderr=stderr_output, + stdout=stdout_output, + ) + + +class MockDuoTimeoutException(MockDuoException): + def __str__(self): + return ( + "Timeout starting MockDuo\n" + + super(MockDuoTimeoutException, self).__str__() + ) + + +class MockDuo: + def __init__(self, cert=NORMAL_CERT): + self.cert = cert + self.cmd = ["python", os.path.join(TESTDIR, "mockduo.py"), self.cert] + self.process = None + + def __enter__(self): + self.process = subprocess.Popen( + self.cmd, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + ) + + # wait a couple of seconds max for the local server to start + for i in range(0, 80): + if port_open("127.0.0.1", 4443): + break + time.sleep(0.05) + else: + raise MockDuoTimeoutException( + returncode=None, + cmd=self.cmd, + stderr=self.process.stderr.read(), + stdout=self.process.stdout.read(), + ) + + time.sleep(0.3) + return self.process + + def __exit__(self, type, value, traceback): + returncode = self.process.poll() + if returncode is None: + self.process.terminate() + return + + if returncode != 0: + raise MockDuoException( + returncode=returncode, + cmd=self.cmd, + stderr=self.process.stderr.read(), + stdout=self.process.stdout.read(), + ) diff --git a/tests/test_crypto.py b/tests/test_crypto.py new file mode 100755 index 0000000..395eafe --- /dev/null +++ b/tests/test_crypto.py @@ -0,0 +1,27 @@ +#!/usr/bin/env python +import os +import subprocess +import unittest + +from paths import topbuilddir + +TESTDIR = os.path.realpath(os.path.dirname(__file__)) + + +class TestCrypto(unittest.TestCase): + def test_crypto(self): + process = subprocess.Popen( + [os.path.join(TESTDIR, "fips_scanner.sh")], stdout=subprocess.PIPE + ) + (stdout, stderr) = process.communicate() + self.assertEqual( + process.returncode, + 0, + "ERROR: Found potential non-FIPS compliant calls:\n{stdout}".format( + stdout=stdout + ), + ) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/test_duo_split_at.py b/tests/test_duo_split_at.py new file mode 100755 index 0000000..139a027 --- /dev/null +++ b/tests/test_duo_split_at.py @@ -0,0 +1,46 @@ +#!/usr/bin/env python +import os +import subprocess +import unittest + +from paths import topbuilddir + +BUILDDIR = topbuilddir + + +def testutil_duo_split_at(args): + return subprocess.check_output( + [os.path.join(BUILDDIR, "lib", "testutil_duo_split_at")] + args + ).strip() + + +class TestDuoSplitAt(unittest.TestCase): + def test_basic(self): + self.assertEqual(testutil_duo_split_at(["foo/bar/baz", "/", "1", "bar"]), "OK") + + def test_first(self): + self.assertEqual(testutil_duo_split_at(["foo/bar/baz", "/", "0", "foo"]), "OK") + + def test_last(self): + self.assertEqual(testutil_duo_split_at(["foo/bar/baz", "/", "2", "baz"]), "OK") + + def test_too_many(self): + self.assertEqual( + testutil_duo_split_at(["foo/bar/baz", "/", "100", "NULL"]), "OK" + ) + + def test_no_delimiter(self): + self.assertEqual(testutil_duo_split_at(["foo", "/", "1", "NULL"]), "OK") + + def test_starts_with_delimiter(self): + self.assertEqual(testutil_duo_split_at(["/foo/bar/baz", "/", "0", ""]), "OK") + + def test_ends_with_delimiter(self): + self.assertEqual(testutil_duo_split_at(["foo/bar/baz/", "/", "3", ""]), "OK") + + def test_empty(self): + self.assertEqual(testutil_duo_split_at(["", "/", "0", ""]), "OK") + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/test_login_duo.py b/tests/test_login_duo.py new file mode 100755 index 0000000..604f3d7 --- /dev/null +++ b/tests/test_login_duo.py @@ -0,0 +1,690 @@ +#!/usr/bin/env python +import os +import subprocess +import sys +import time +import unittest +from tempfile import NamedTemporaryFile + +import pexpect +from common_suites import NORMAL_CERT, CommonSuites, fips_available +from config import ( + MOCKDUO_ADMINS_NO_USERS, + MOCKDUO_AUTOPUSH, + MOCKDUO_CONF, + MOCKDUO_FIPS, + MOCKDUO_GECOS_DEFAULT_DELIM_6_POS, + MOCKDUO_GECOS_DEPRECATED_PARSE_FLAG, + MOCKDUO_GECOS_INVALID_DELIM_COLON, + MOCKDUO_GECOS_INVALID_DELIM_PUNC, + MOCKDUO_GECOS_INVALID_DELIM_WHITESPACE, + MOCKDUO_GECOS_INVALID_POS, + MOCKDUO_GECOS_LONG_DELIM, + MOCKDUO_GECOS_SEND_UNPARSED, + MOCKDUO_GECOS_SLASH_DELIM_3_POS, + MOCKDUO_USERS, + MOCKDUO_USERS_ADMINS, + MOTD_CONF, + DuoUnixConfig, + TempConfig, +) +from mockduo_context import MockDuo +from paths import topbuilddir + +BUILDDIR = topbuilddir +TESTDIR = os.path.realpath(os.path.dirname(__file__)) + + +class LoginDuoTimeoutException(Exception): + def __init__(self, message="", stdout=None, stderr=None): + self.message = message + self.stdout = stdout + self.stderr = stderr + + def __str__(self): + if self.stderr: + stderr_output = "STDERR:\n{stderr}".format(stderr=self.stderr) + else: + stderr_output = "" + + if self.stdout: + stdout_output = "STDOUT:\n{stdout}".format(stdout=self.stdout) + else: + stdout_output = "" + + return "Timeout waiting for 'login_duo' to execute\n{message}\n{stdout}\n{stderr}".format( + mesage=self.message, + stderr=stderr_output, + stdout=stdout_output, + ) + + +def login_duo_interactive(args, env=None, preload_script=""): + if env is None: + env = {} + + excluded_keys = ["SSH_CONNECTION", "FALLBACK", "UID", "http_proxy", "TIMEOUT"] + env_passthrough = { + key: os.environ[key] for key in os.environ if key not in excluded_keys + } + env_passthrough.update(env) + + if preload_script != "": + login_duo_path = "python" + args = [preload_script] + args + else: + login_duo_path = os.path.join(BUILDDIR, "login_duo", "login_duo") + + process = pexpect.spawn(login_duo_path, args, cwd=TESTDIR, env=env_passthrough) + return process + + +def login_duo(args, env=None, timeout=10, preload_script=""): + """Runs the login_duo binary in various ways + args: the list of arguments to pass through to either login_duo or login_duo.py + + env: list of environment variables to pass to login_duo + + timeout: how long to allow login_duo or login_duo.py to run before raising an exception + + preload_script: whether or not to use a wrapping script to allow the caller to load + a custom preload library for mocking out certain parts of login_duo + """ + if env is None: + env = {} + + if preload_script != "": + login_duo_path = ["python", preload_script] + else: + login_duo_path = [os.path.join(BUILDDIR, "login_duo", "login_duo")] + + excluded_keys = ["SSH_CONNECTION", "FALLBACK", "UID", "http_proxy", "TIMEOUT"] + env_passthrough = { + key: os.environ[key] for key in os.environ if key not in excluded_keys + } + env_passthrough.update(env) + + process = subprocess.Popen( + login_duo_path + args, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + stdin=subprocess.PIPE, + cwd=TESTDIR, + close_fds=True, + env=env_passthrough, + ) + + # Try to gracefully handle the case where we get a prompt + for i in range(0, int(timeout // 0.05)): + process.poll() + if process.returncode is not None: + break + time.sleep(0.05) + else: + (stdout, stderr) = process.communicate(input="1\r\n") + raise LoginDuoTimeoutException( + "login_duo unexpectedly blocked for user input", stdout, stderr + ) + + return { + "returncode": process.returncode, + "stdout": process.stdout.read().split(b"\n"), + "stderr": process.stderr.read().split(b"\n"), + } + + +class TestLoginDuoConfigs(CommonSuites.Configuration): + def call_binary(self, *args): + return login_duo(*args) + + +class TestLoginDuoDown(CommonSuites.DuoDown): + def call_binary(self, *args): + return login_duo(*args) + + +class TestLoginDuoSelfSignedCert(CommonSuites.DuoSelfSignedCert): + def call_binary(self, *args): + return login_duo(*args) + + +class TestLoginDuoBadCN(CommonSuites.DuoBadCN): + def call_binary(self, *args): + return login_duo(*args) + + +class TestMockDuoWithValidCert(CommonSuites.WithValidCert): + def call_binary(self, *args): + return login_duo(*args) + + +class TestLoginDuoPreauthStates(CommonSuites.PreauthStates): + def call_binary(self, *args): + return login_duo(*args) + + +class TestLoginDuoHosts(CommonSuites.Hosts): + def call_binary(self, *args): + return login_duo(*args) + + +class TestLoginDuoHTTPProxy(CommonSuites.HTTPProxy): + def call_binary(self, *args, **kwargs): + return login_duo(*args) + + +class TestLoginDuoGetHostname(CommonSuites.GetHostname): + def call_binary(self, *args): + return login_duo(*args) + + +class TestLoginDuoFIPS(CommonSuites.FIPS): + def call_binary(self, *args, **kwargs): + return login_duo(*args, **kwargs) + + +class TestLoginDuoPreauthFailures(CommonSuites.PreauthFailures): + def call_binary(self, *args): + return login_duo(*args) + + +class TestLoginBSON(CommonSuites.InvalidBSON): + def call_binary(self, *args, **kwargs): + return login_duo(*args, **kwargs) + + +class TestLoginDuoConfig(unittest.TestCase): + def test_empty_args(self): + """Test to see how login_duo handles an empty string argument (we do need a valid argument also)""" + result = login_duo(["", "-h"]) + self.assertRegexpMatches( + result["stderr"][0], ".*login_duo: option requires an argument.*" + ) + self.assertEqual( + result["stderr"][1], + "Usage: login_duo [-v] [-c config] [-d] [-f duouser] [-h host] [prog [args...]]", + ) + self.assertEqual(result["returncode"], 1) + + def test_help_output(self): + """Basic help output""" + result = login_duo(["-h"]) + self.assertRegexpMatches( + result["stderr"][0], ".*login_duo: option requires an argument.*" + ) + self.assertEqual( + result["stderr"][1], + "Usage: login_duo [-v] [-c config] [-d] [-f duouser] [-h host] [prog [args...]]", + ) + self.assertEqual(result["returncode"], 1) + + def test_version_output(self): + """Check version output""" + result = login_duo(["-v"]) + self.assertRegexpMatches(result["stderr"][0], "login_duo \d+\.\d+.\d+") + + +class TestLoginDuoEnv(CommonSuites.Env): + def call_binary(self, *args, **kwargs): + return login_duo(*args) + + +class TestLoginDuoSpecificEnv(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestLoginDuoSpecificEnv, self).run(result) + + def test_missing_uid(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "timeout", "true"], + env={ + "TIMEOUT": "1", + }, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Who are you?", + ) + + def test_command_from_env(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "preauth-allow"], + env={ + "UID": "1001", + "SSH_ORIGINAL_COMMAND": "echo 'hello'", + }, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stdout"][0], + r"hello", + ) + + def test_env_factor(self): + config = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + accept_env_factor="yes", + ) + + with TempConfig(config) as temp: + process = login_duo_interactive( + ["-d", "-c", temp.name, "-f", "whatever", "echo", "SUCCESS"], + env={ + "UID": "1001", + "DUO_PASSCODE": "push1", + }, + ) + self.assertEqual(process.expect("SUCCESS", timeout=10), 0) + + +class TestLoginDuoUIDMismatch(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestLoginDuoUIDMismatch, self).run(result) + + def test_nonroot(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "preauth-allow"], + env={ + "EUID": "1002", + "UID": "1001", + }, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Only root may specify -c or -f", + ) + + def test_sync(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "whatever", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Successful Duo login for 'whatever'", + ) + + def test_unprivileged(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = login_duo( + ["-d"], + env={ + "EUID": "1000", + "UID": "1001", + }, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + timeout=10, + ) + self.assertRegexpMatches( + result["stderr"][0], + r"couldn't drop privileges:", + ) + + def test_privsep_user_not_found(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = login_duo( + ["-d"], + env={ + "EUID": "0", + "UID": "1001", + "NO_PRIVSEP_USER": "1", + }, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + timeout=10, + ) + self.assertRegexpMatches( + result["stderr"][0], + r"User .* not found", + ) + + +class TestLoginDuoTimeout(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestLoginDuoTimeout, self).run(result) + + def test_connection_timeout(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "timeout", "true"], + env={ + "UID": "1001", + "TIMEOUT": "1", + }, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + timeout=10, + ) + for line in result["stderr"][:3]: + self.assertEqual(line, "Attempting connection") + self.assertRegexpMatches( + result["stderr"][3], + r"Failsafe Duo login for 'timeout': Couldn't connect to localhost:4443: Failed to connect", + ) + + +class TestLoginDuoShell(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestLoginDuoShell, self).run(result) + + def test_default_shell(self): + """Test that we fallback to /bin/sh if there is no shell specified for the user""" + with TempConfig(MOCKDUO_AUTOPUSH) as temp: + process = login_duo_interactive( + ["-d", "-c", temp.name], + env={"PS1": "$ ", "UID": "1015"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + # this double escaping is needed to check for a literal "$" + self.assertEqual(process.expect("\\$", timeout=10), 0) + + def test_shell_as_command(self): + with TempConfig(MOCKDUO_AUTOPUSH) as temp: + process = login_duo_interactive( + ["-d", "-c", temp.name, "echo", "SUCCESS"], + env={"PS1": "> ", "UID": "1017"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertEqual(process.expect("-c echo SUCCESS", timeout=10), 0) + + +class TestLoginDuoGroups(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestLoginDuoGroups, self).run(result) + + def test_users_only_match_users(self): + for uid in range(1000, 1003): + with TempConfig(MOCKDUO_USERS) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + env={ + "UID": str(uid), + }, + preload_script=os.path.join(TESTDIR, "groups.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow': preauth-allowed", + ) + + def test_users_or_admins_match_users(self): + for uid in range(1000, 1004): + with TempConfig(MOCKDUO_USERS_ADMINS) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + env={ + "UID": str(uid), + }, + preload_script=os.path.join(TESTDIR, "groups.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow': preauth-allowed", + ) + + def test_admins_and_not_users_match_admins(self): + with TempConfig(MOCKDUO_ADMINS_NO_USERS) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + env={ + "UID": "1003", + }, + preload_script=os.path.join(TESTDIR, "groups.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'preauth-allow': preauth-allowed", + ) + + def test_users_bypass(self): + with TempConfig(MOCKDUO_USERS) as temp: + result = login_duo( + ["-d", "-c", temp.name, "-f", "preauth-allow", "true"], + env={"UID": "1004"}, + preload_script=os.path.join(TESTDIR, "groups.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"User preauth-allow bypassed Duo 2FA due to user's UNIX group", + ) + + +class TestLoginDuoInteractive(CommonSuites.Interactive): + def call_binary(self, *args, **kwargs): + return login_duo_interactive(*args, **kwargs) + + +class TestLoginDuoGECOS(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestLoginDuoGECOS, self).run(result) + + def test_gecos_field_unparsed(self): + with TempConfig(MOCKDUO_GECOS_SEND_UNPARSED) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + env={"UID": "1010"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Successful Duo login for '1/2/3/4/5/gecos_user_gecos_field6'", + ) + + def test_deprecated_gecos_parsed_flag(self): + with TempConfig(MOCKDUO_GECOS_DEPRECATED_PARSE_FLAG) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + env={"UID": "1010"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"The gecos_parsed configuration item for Duo Unix is deprecated and no longer has any effect. Use gecos_delim and gecos_username_pos instead", + ) + self.assertRegexpMatches( + result["stderr"][1], + "Skipped Duo login for 'gecos/6': gecos/6", + ) + + def test_gecos_delimiter_default_position_6(self): + with TempConfig(MOCKDUO_GECOS_DEFAULT_DELIM_6_POS) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + env={"UID": "1012"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + "Skipped Duo login for 'gecos_user_gecos_field6': gecos-user-gecos-field6-allowed", + ) + + def test_gecos_delimiter_slash_position_3(self): + with TempConfig(MOCKDUO_GECOS_SLASH_DELIM_3_POS) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + env={"UID": "1011"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'gecos_user_gecos_field3': gecos-user-gecos-field3-allowed", + ) + + def test_gecos_parsing_error(self): + with TempConfig(MOCKDUO_GECOS_SLASH_DELIM_3_POS) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + env={"UID": "1012"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Could not parse GECOS field", + ) + + def test_gecos_empty(self): + with TempConfig(MOCKDUO_GECOS_SEND_UNPARSED) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + env={"UID": "1016"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Empty GECOS field", + ) + + def test_gecos_invalid_delimiter_length(self): + with TempConfig(MOCKDUO_GECOS_LONG_DELIM) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Invalid character option length. Character fields must be 1 character long: ',,'", + ) + self.assertRegexpMatches( + result["stderr"][1], + r"Invalid login_duo option: 'gecos_delim'", + ) + self.assertRegexpMatches( + result["stderr"][2], + r"Parse error in {config}, line \d+".format(config=temp.name), + ) + + def test_invalid_delimiter_value(self): + for config in [ + MOCKDUO_GECOS_INVALID_DELIM_COLON, + MOCKDUO_GECOS_INVALID_DELIM_PUNC, + ]: + with TempConfig(config) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + ) + self.assertEquals( + result["stderr"][0], + "Invalid gecos_delim '{delim}' (delimiter must be punctuation other than ':')".format( + delim=config["gecos_delim"] + ), + ) + self.assertRegexpMatches( + result["stderr"][1], + r"Invalid login_duo option: 'gecos_delim'", + ) + self.assertRegexpMatches( + result["stderr"][2], + r"Parse error in {config}, line \d+".format(config=temp.name), + ) + + def test_invalid_delimiter_value_whitespace(self): + with TempConfig(MOCKDUO_GECOS_INVALID_DELIM_WHITESPACE) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + ) + self.assertEquals( + result["stderr"][0], + "Invalid character option length. Character fields must be 1 character long: ''", + ) + self.assertRegexpMatches( + result["stderr"][1], + r"Invalid login_duo option: 'gecos_delim'", + ) + self.assertRegexpMatches( + result["stderr"][2], + r"Parse error in {config}, line \d+".format(config=temp.name), + ) + + def test_invalid_pos_value(self): + with TempConfig(MOCKDUO_GECOS_INVALID_POS) as temp: + result = login_duo( + ["-d", "-c", temp.name, "true"], + ) + self.assertEquals( + result["stderr"][0], + "Gecos position starts at 1", + ) + self.assertRegexpMatches( + result["stderr"][1], + r"Invalid login_duo option: 'gecos_username_pos'", + ) + self.assertRegexpMatches( + result["stderr"][2], + r"Parse error in {config}, line \d+".format(config=temp.name), + ) + + +@unittest.skipIf( + sys.platform == "darwin" or sys.platform == "sunos5", + reason="MOTD testing not available on Mac and Solaris", +) +class TestMOTD(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestMOTD, self).run(result) + + def test_motd(self): + with TempConfig(MOTD_CONF) as temp: + test_motd = "test_string" + with open("/tmp/duomotdtest", "w") as fh: + fh.write("{motd}\n".format(motd=test_motd)) + + process = login_duo_interactive( + ["-d", "-c", temp.name, "-f", "whatever", "echo", "SUCCESS"], + env={ + "UID": "1001", + }, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + process.sendline("1") + self.assertEqual(process.expect("test_string", timeout=10), 0) + + def test_motd_with_ssh_command(self): + with TempConfig(MOTD_CONF) as temp: + test_motd = "test_string" + with open("/tmp/duomotdtest", "w") as fh: + fh.write("{motd}\n".format(motd=test_motd)) + + process = login_duo_interactive( + ["-d", "-c", temp.name, "-f", "whatever", "echo", "SUCCESS"], + env={"UID": "1001", "SSH_ORIGINAL_COMMAND": "ls"}, + preload_script=os.path.join(TESTDIR, "login_duo.py"), + ) + process.sendline("1") + self.assertEqual(process.expect([test_motd, pexpect.EOF], timeout=5), 1) + + def test_motd_users_bypass(self): + bypass_config = DuoUnixConfig( + ikey="DIXYZV6YM8IFYVWBINCA", + skey="yWHSMhWucAcp7qvuH3HWTaSaKABs8Gaddiv1NIRo", + host="localhost:4443", + cafile="certs/mockduo-ca.pem", + groups="users", + motd="yes", + ) + + with TempConfig(bypass_config) as temp: + process = login_duo_interactive( + ["-d", "-c", temp.name, "-f", "preauth-allow", "echo", "SUCCESS"], + env={ + "UID": "1004", + }, + preload_script=os.path.join(TESTDIR, "groups.py"), + ) + process.sendline("1") + self.assertEqual(process.expect("test_string", timeout=10), 0) + self.assertEqual(process.expect("SUCCESS", timeout=10), 0) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/test_pam_duo.py b/tests/test_pam_duo.py new file mode 100755 index 0000000..92abb5b --- /dev/null +++ b/tests/test_pam_duo.py @@ -0,0 +1,429 @@ +#!/usr/bin/env python +import getpass +import os +import subprocess +import time +import unittest + +import pexpect +from common_suites import NORMAL_CERT, CommonSuites +from config import ( + MOCKDUO_CONF, + MOCKDUO_GECOS_DEFAULT_DELIM_6_POS, + MOCKDUO_GECOS_DEPRECATED_PARSE_FLAG, + MOCKDUO_GECOS_INVALID_DELIM_COLON, + MOCKDUO_GECOS_INVALID_DELIM_PUNC, + MOCKDUO_GECOS_INVALID_DELIM_WHITESPACE, + MOCKDUO_GECOS_INVALID_POS, + MOCKDUO_GECOS_LONG_DELIM, + MOCKDUO_GECOS_SEND_UNPARSED, + MOCKDUO_GECOS_SLASH_DELIM_3_POS, + MOCKDUO_PROMPTS_1, + MOCKDUO_PROMPTS_DEFAULT, + TempConfig, +) +from mockduo_context import MockDuo +from paths import topbuilddir +from testpam import TempPamConfig, testpam + +TESTDIR = os.path.realpath(os.path.dirname(__file__)) + + +class PamDuoTimeoutException(Exception): + def __init__(self, stdout=None, stderr=None): + self.stdout = stdout + self.stderr = stderr + + def __str__(self): + if self.stderr: + stderr_output = "STDERR:\n{stderr}".format(stderr=self.stderr) + else: + stderr_output = "" + + if self.stdout: + stdout_output = "STDOUT:\n{stdout}".format(stdout=self.stdout) + else: + stdout_output = "" + + return "Timeout waiting for 'pam_duo' to execute\n{stdout}\n{stderr}".format( + stderr=stderr_output, + stdout=stdout_output, + ) + + +def pam_duo_interactive(args, env={}, timeout=2): + pam_duo_path = os.path.join(TESTDIR, "testpam.py") + # we don't want to accidentally grab these from the calling environment + excluded_keys = ["SSH_CONNECTION", "FALLBACK", "UID", "http_proxy", "TIMEOUT"] + env_passthrough = { + key: os.environ[key] for key in os.environ if key not in excluded_keys + } + env_passthrough.update(env) + + process = pexpect.spawn( + pam_duo_path, + args, + cwd=TESTDIR, + env=env_passthrough, + ) + return process + + +def pam_duo(args, env={}, timeout=2): + pam_duo_path = [os.path.join(TESTDIR, "testpam.py")] + # we don't want to accidentally grab these from the calling environment + excluded_keys = ["SSH_CONNECTION", "FALLBACK", "UID", "http_proxy", "TIMEOUT"] + env_passthrough = { + key: os.environ[key] for key in os.environ if key not in excluded_keys + } + env_passthrough.update(env) + + process = subprocess.Popen( + pam_duo_path + args, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + stdin=subprocess.PIPE, + cwd=TESTDIR, + close_fds=True, + env=env_passthrough, + ) + + # Try to gracefully handle the case where we get a prompt + for i in range(0, int(timeout // 0.05)): + process.poll() + if process.returncode is not None: + break + time.sleep(0.05) + else: + (stdout, stderr) = process.communicate(input=b"1\r\n") + raise PamDuoTimeoutException(stdout, stderr) + + return { + "returncode": process.returncode, + "stdout": process.stdout.read().split(b"\n"), + "stderr": process.stderr.read().split(b"\n"), + } + + +class TestPamDuoHelp(unittest.TestCase): + def test_help(self): + result = pam_duo(["-h"]) + self.assertRegexpMatches( + result["stderr"][0], + r"Usage: .*/tests/testpam.py \[-d\] \[-c config\] \[-f user\] \[-h host\]", + ) + + +class TestPamDuoConfigs(CommonSuites.Configuration): + def call_binary(self, *args): + return pam_duo(*args) + + +class TestPamDuoDown(CommonSuites.DuoDown): + def call_binary(self, *args): + return pam_duo(*args) + + +class TestPamSelfSignedCerts(CommonSuites.DuoSelfSignedCert): + def call_binary(self, *args): + return pam_duo(*args) + + +class TestPamDuoBadCN(CommonSuites.DuoBadCN): + def call_binary(self, *args): + return pam_duo(*args) + + +class TestPamValidCerts(CommonSuites.WithValidCert): + def call_binary(self, *args): + return pam_duo(*args) + + +class TestPamPreauthStates(CommonSuites.PreauthStates): + def call_binary(self, *args): + return pam_duo(*args) + + +class TestPamHosts(CommonSuites.Hosts): + def call_binary(self, *args, **kwargs): + return pam_duo(timeout=15, *args, **kwargs) + + +class TestPamHTTPProxy(CommonSuites.HTTPProxy): + def call_binary(self, *args, **kwargs): + return pam_duo(*args, **kwargs) + + +class TestPamFIPS(CommonSuites.FIPS): + def call_binary(self, *args, **kwargs): + return pam_duo(*args, **kwargs) + + +class TestPamGetHostname(CommonSuites.GetHostname): + def call_binary(self, *args, **kwargs): + return pam_duo(*args, **kwargs) + + +class TestPamBSON(CommonSuites.InvalidBSON): + def call_binary(self, *args, **kwargs): + return pam_duo(*args, **kwargs) + + +class TestPamPrompts(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestPamPrompts, self).run(result) + + def test_max_prompts_equals_one(self): + with TempConfig(MOCKDUO_PROMPTS_1) as temp: + result = pam_duo(["-d", "-f", "pam_prompt", "-c", temp.name, "true"]) + self.assertRegexpMatches( + result["stderr"][0], "Failed Duo login for 'pam_prompt'" + ) + self.assertRegexpMatches( + result["stdout"][0], "Autopushing login request to phone..." + ) + self.assertRegexpMatches( + result["stdout"][1], "Invalid passcode, please try again." + ) + + def test_max_prompts_equals_maximum(self): + with TempConfig(MOCKDUO_PROMPTS_DEFAULT) as temp: + result = pam_duo(["-d", "-f", "pam_prompt", "-c", temp.name, "true"]) + for i in range(0, 3): + self.assertRegexpMatches( + result["stderr"][i], "Failed Duo login for 'pam_prompt'" + ) + + for i in range(0, 6, 2): + self.assertRegexpMatches( + result["stdout"][i], "Autopushing login request to phone..." + ) + self.assertRegexpMatches( + result["stdout"][i + 1], "Invalid passcode, please try again." + ) + + +class TestPamEnv(CommonSuites.Env): + def call_binary(self, *args, **kwargs): + return pam_duo(*args, **kwargs) + + +class TestPamSpecificEnv(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestPamSpecificEnv, self).run(result) + + def test_no_user(self): + with TempConfig(MOCKDUO_CONF) as temp: + result = pam_duo(["-d", "-c", temp.name], env={"NO_USER": "1"}) + self.assertEqual(result["returncode"], 1) + + def test_su_service_bad_user(self): + """Test that we return user unknown if we can't find the calling user""" + with TempConfig(MOCKDUO_CONF) as temp: + result = pam_duo( + ["-d", "-c", temp.name], + env={"PAM_SERVICE": "su", "NO_USER": "1"}, + ) + self.assertEqual(result["returncode"], 1) + + +class TestPamPreauthFailures(CommonSuites.PreauthFailures): + def call_binary(self, *args): + return pam_duo(*args) + + +class TestPamDuoInteractive(CommonSuites.Interactive): + def call_binary(self, *args, **kwargs): + return pam_duo_interactive(*args, **kwargs) + + def test_su_service(self): + """Test that the -f option is ignored if the service is Su""" + with TempConfig(MOCKDUO_CONF) as temp: + process = self.call_binary( + ["-d", "-c", temp.name, "-f", "foobar", "true"], + env={"PAM_SERVICE": "su"}, + ) + # This is here to prevent race conditions with character entry + process.expect(CommonSuites.Interactive.PROMPT_REGEX, timeout=10) + process.sendline("2") + self.assertEqual(process.expect(pexpect.EOF), 0) + user = getpass.getuser() + self.assertOutputEqual( + process.before, + [ + "2", + "Dialing XXX-XXX-1234...", + "Answered. Press '#' on your phone to log in.", + "Success. Logging you in...", + "[6] Successful Duo login for '{user}'".format(user=user), + ], + ) + + +class TestPamdConf(unittest.TestCase): + def test_invalid_argument(self): + with TempConfig(MOCKDUO_CONF) as duo_config: + pamd_conf = "auth required {libpath}/pam_duo.so conf={duo_config_path} notanarg".format( + libpath=os.path.join(topbuilddir, "pam_duo", ".libs"), + duo_config_path=duo_config.name, + ) + with TempPamConfig(pamd_conf) as pam_config: + process = testpam( + ["-d", "-c", duo_config.name, "-f", "whatever"], pam_config.name + ) + self.assertEqual(process.returncode, 1) + + +class TestPamGECOS(unittest.TestCase): + def run(self, result=None): + with MockDuo(NORMAL_CERT): + return super(TestPamGECOS, self).run(result) + + def test_gecos_field_unparsed(self): + with TempConfig(MOCKDUO_GECOS_SEND_UNPARSED) as temp: + result = pam_duo( + ["-d", "-c", temp.name, "-f", "fullgecos", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'full_gecos_field': full-gecos-field", + ) + + def test_deprecated_gecos_parsed_flag(self): + with TempConfig(MOCKDUO_GECOS_DEPRECATED_PARSE_FLAG) as temp: + result = pam_duo( + ["-d", "-c", temp.name, "-f", "gecos/6", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"The gecos_parsed configuration item for Duo Unix is deprecated and no longer has any effect. Use gecos_delim and gecos_username_pos instead", + ) + self.assertRegexpMatches( + result["stderr"][1], + "Skipped Duo login for 'gecos/6': gecos/6", + ) + + def test_gecos_delimiter_default_position_6(self): + with TempConfig(MOCKDUO_GECOS_DEFAULT_DELIM_6_POS) as temp: + result = pam_duo( + ["-d", "-c", temp.name, "-f", "gecos,6", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + "Skipped Duo login for 'gecos_user_gecos_field6': gecos-user-gecos-field6-allowed", + ) + + def test_gecos_delimiter_slash_position_3(self): + with TempConfig(MOCKDUO_GECOS_SLASH_DELIM_3_POS) as temp: + result = pam_duo( + ["-d", "-c", temp.name, "-f", "gecos/3", "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Skipped Duo login for 'gecos_user_gecos_field3': gecos-user-gecos-field3-allowed", + ) + + def test_gecos_invalid_delimiter_length(self): + with TempConfig(MOCKDUO_GECOS_LONG_DELIM) as temp: + result = pam_duo( + ["-d", "-c", temp.name, "true"], + ) + self.assertRegexpMatches( + result["stderr"][0], + r"Invalid character option length. Character fields must be 1 character long: ',,'", + ) + self.assertRegexpMatches( + result["stderr"][1], + r"Invalid pam_duo option: 'gecos_delim'", + ) + self.assertRegexpMatches( + result["stderr"][2], + r"Parse error in {config}, line \d+".format(config=temp.name), + ) + + def test_invalid_delimiter_value_colon(self): + for config in [ + MOCKDUO_GECOS_INVALID_DELIM_COLON, + MOCKDUO_GECOS_INVALID_DELIM_PUNC, + ]: + with TempConfig(config) as temp: + result = pam_duo( + ["-d", "-c", temp.name, "true"], + ) + self.assertEquals( + result["stderr"][0], + "Invalid gecos_delim '{delim}' (delimiter must be punctuation other than ':')".format( + delim=config["gecos_delim"] + ), + ) + self.assertRegexpMatches( + result["stderr"][1], + r"Invalid pam_duo option: 'gecos_delim'", + ) + self.assertRegexpMatches( + result["stderr"][2], + r"Parse error in {config}, line \d+".format(config=temp.name), + ) + + def test_invalid_delimiter_value_whitespace(self): + with TempConfig(MOCKDUO_GECOS_INVALID_DELIM_WHITESPACE) as temp: + result = pam_duo( + ["-d", "-c", temp.name, "true"], + ) + self.assertEquals( + result["stderr"][0], + "Invalid character option length. Character fields must be 1 character long: ''", + ) + self.assertRegexpMatches( + result["stderr"][1], + r"Invalid pam_duo option: 'gecos_delim'", + ) + self.assertRegexpMatches( + result["stderr"][2], + r"Parse error in {config}, line \d+".format(config=temp.name), + ) + + def test_invalid_pos_value(self): + with TempConfig(MOCKDUO_GECOS_INVALID_POS) as temp: + result = pam_duo( + ["-d", "-c", temp.name, "true"], + ) + self.assertEquals( + result["stderr"][0], + "Gecos position starts at 1", + ) + self.assertRegexpMatches( + result["stderr"][1], + r"Invalid pam_duo option: 'gecos_username_pos'", + ) + self.assertRegexpMatches( + result["stderr"][2], + r"Parse error in {config}, line \d+".format(config=temp.name), + ) + + def test_gecos_parsing_error(self): + with TempConfig(MOCKDUO_GECOS_SLASH_DELIM_3_POS) as temp: + process = pam_duo_interactive( + ["-d", "-c", temp.name, "-f", "gecos,3"], + ) + self.assertEqual(process.expect("Could not parse GECOS field"), 0) + + def test_gecos_only_delim(self): + with TempConfig(MOCKDUO_GECOS_DEFAULT_DELIM_6_POS) as temp: + process = pam_duo_interactive( + ["-d", "-c", temp.name, "-f", "onlydelim"], + ) + self.assertEqual(process.expect("Could not parse GECOS field"), 0) + + def test_gecos_empty(self): + with TempConfig(MOCKDUO_GECOS_SEND_UNPARSED) as temp: + process = pam_duo_interactive( + ["-d", "-c", temp.name, "-f", "emptygecos"], + ) + self.assertEqual(process.expect("Empty GECOS field"), 0) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/testpam.c b/tests/testpam.c index b80de2f..74a9709 100644 --- a/tests/testpam.c +++ b/tests/testpam.c @@ -88,6 +88,12 @@ die(pam_handle_t *pamh, int errnum) exit(EXIT_FAILURE); } +static char* +service_name() { + char *t = getenv("PAM_SERVICE"); + return (t ? t : "testpam"); +} + int main(int argc, char *argv[]) { @@ -103,7 +109,7 @@ main(int argc, char *argv[]) if (argc > 2) host = argv[2]; - if ((ret = pam_start("testpam", user, &conv, &pamh)) != PAM_SUCCESS) { + if ((ret = pam_start(service_name(), user, &conv, &pamh)) != PAM_SUCCESS) { die(pamh, ret); } if (host != NULL) { diff --git a/tests/testpam.py b/tests/testpam.py index 19b4757..2b094c9 100755 --- a/tests/testpam.py +++ b/tests/testpam.py @@ -1,71 +1,94 @@ #!/usr/bin/env python +import argparse import getopt import getpass import os +import platform import subprocess import sys import tempfile -import platform import paths # login_duo-compatible wrapper to pam_duo + def usage(): - print >>sys.stderr, 'Usage: %s [-d] [-c config] [-f user] [-h host]' % \ - sys.argv[0] + print >>sys.stderr, "Usage: %s [-d] [-c config] [-f user] [-h host]" % sys.argv[0] sys.exit(1) - + + +class TempPamConfig(object): + def __init__(self, config): + self.config = config + self.file = None + + def __enter__(self): + self.file = tempfile.NamedTemporaryFile() + if sys.platform == "sunos5": + self.file.write("testpam ") + self.file.write(self.config) + self.file.flush() + return self.file + + def __exit__(self, type, value, traceback): + self.file.close() + + +def testpam(args, config_file_name, env_overrides=None): + env = os.environ.copy() + env["PAM_CONF"] = config_file_name + + if env_overrides: + env.update(env_overrides) + + if sys.platform == "darwin": + env["DYLD_LIBRARY_PATH"] = paths.topbuilddir + "/lib/.libs" + env["DYLD_INSERT_LIBRARIES"] = paths.build + "/.libs/libtestpam_preload.dylib" + env["DYLD_FORCE_FLAT_NAMESPACE"] = "1" + elif sys.platform == "sunos5": + architecture = {"32bit": "32", "64bit": "64"}[platform.architecture()[0]] + env["LD_PRELOAD_" + architecture] = paths.build + "/.libs/libtestpam_preload.so" + else: + env["LD_PRELOAD"] = paths.build + "/.libs/libtestpam_preload.so" + + testpam_path = [os.path.join(paths.build, "testpam")] + p = subprocess.Popen(testpam_path + args, env=env) + p.wait() + return p + + def main(): try: - opts, args = getopt.getopt(sys.argv[1:], 'dc:f:h:') + opts, args = getopt.getopt(sys.argv[1:], "dc:f:h:") except getopt.GetoptError: usage() - opt_conf = '/etc/duo/pam_duo.conf' + opt_conf = "/etc/duo/pam_duo.conf" opt_user = getpass.getuser() opt_host = None - + for o, a in opts: - if o == '-c': + if o == "-c": opt_conf = a - elif o == '-f': + elif o == "-f": opt_user = a - elif o == '-h': + elif o == "-h": opt_host = a - args = [ paths.build + '/testpam', opt_user ] + args = [opt_user] if opt_host: args.append(opt_host) - - f = tempfile.NamedTemporaryFile() - #f = open('/tmp/pam.conf', 'w') - if sys.platform == 'sunos5': - f.write('testpam ') - f.write('auth required %s/pam_duo.so conf=%s debug' % - (paths.topbuilddir + '/pam_duo/.libs', opt_conf)) - f.flush() - - env = os.environ.copy() - env['PAM_CONF'] = f.name - - if sys.platform == 'darwin': - env['DYLD_LIBRARY_PATH'] = paths.topbuilddir + '/lib/.libs' - env['DYLD_INSERT_LIBRARIES'] = paths.build + \ - '/.libs/libtestpam_preload.dylib' - env['DYLD_FORCE_FLAT_NAMESPACE'] = '1' - elif sys.platform == 'sunos5': - architecture = {'32bit': '32', '64bit': '64'}[platform.architecture()[0]] - env['LD_PRELOAD_' + architecture] = paths.build + '/.libs/libtestpam_preload.so' - else: - env['LD_PRELOAD'] = paths.build + '/.libs/libtestpam_preload.so' - - p = subprocess.Popen(args, env=env) - p.wait() - f.close() - - sys.exit(p.returncode) -if __name__ == '__main__': + config = "auth required {libpath}/pam_duo.so conf={duo_config_path} debug".format( + libpath=paths.topbuilddir + "/pam_duo/.libs", duo_config_path=opt_conf + ) + with TempPamConfig(config) as config_file: + process = testpam(args, config_file.name) + + sys.exit(process.returncode) + + +if __name__ == "__main__": main() diff --git a/tests/testpam_preload.c b/tests/testpam_preload.c index fb60efc..562d750 100644 --- a/tests/testpam_preload.c +++ b/tests/testpam_preload.c @@ -33,6 +33,7 @@ int (*_sys_open64)(const char *pathname, int flags, ...); FILE *(*_sys_fopen)(const char *filename, const char *mode); FILE *(*_sys_fopen64)(const char *filename, const char *mode); char *(*_sys_inet_ntoa)(struct in_addr in); +struct passwd *(* _getpwuid)(uid_t uid); void modify_gecos(const char *username, struct passwd *pass); @@ -71,7 +72,7 @@ _preload_init(void) const char * _replace(const char *filename) { - if (strcmp(filename, "/etc/pam.d/testpam") == 0 || + if (strncmp(filename, "/etc/pam.d/", 10) == 0 || strcmp(filename, "/etc/pam.conf") == 0) { return (getenv("PAM_CONF")); } @@ -134,12 +135,37 @@ modify_gecos(const char *username, struct passwd *pass) pass->pw_gecos = strdup("1,2,gecos_user_gecos_field3,4,5,6"); } else if (strcmp(username, "fullgecos") == 0) { pass->pw_gecos = strdup("full_gecos_field"); + } else if (strcmp(username, "fullgecos") == 0) { + pass->pw_gecos = strdup("full_gecos_field"); + } else if (strcmp(username, "emptygecos") == 0) { + pass->pw_gecos = strdup(""); + } else if (strcmp(username, "onlydelim") == 0) { + pass->pw_gecos = strdup(",,,,,,,"); + } +} + +struct passwd * +getpwuid(uid_t uid) +{ + char *t = getenv("NO_USER"); + if(t) { + return NULL; + } + else { + _getpwuid = dlsym(RTLD_NEXT, "getpwuid"); + return (*_getpwuid)(uid); } } + struct passwd * getpwnam(const char *name) { + char *t = getenv("NO_USER"); + if(t) { + return NULL; + } + // Tests rely on the username being correctly set. static char username[1024]; strncpy(username, name, 1024);