config: error when multiple password authentication methods are present
This prevents starting a server with an invalid configuration. Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
16
src/config.c
16
src/config.c
@@ -194,6 +194,21 @@ static auth_types_st avail_auth_types[] =
|
||||
#endif
|
||||
};
|
||||
|
||||
static void check_for_duplicate_password_auth(struct perm_cfg_st *config, const char *vhostname, unsigned type)
|
||||
{
|
||||
unsigned i;
|
||||
|
||||
if (type & AUTH_TYPE_USERNAME_PASS) {
|
||||
for (i=0;i<MAX_AUTH_METHODS;i++) {
|
||||
if (config->auth[i].enabled == 0)
|
||||
break;
|
||||
if (config->auth[i].type & AUTH_TYPE_USERNAME_PASS) {
|
||||
fprintf(stderr, ERRSTR"%s: you cannot mix multiple password authentication methods\n", vhostname);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void figure_auth_funcs(void *pool, const char *vhostname,
|
||||
struct perm_cfg_st *config, char **auth, unsigned auth_size,
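Review bot: check_for_duplicate_password_auth calls exit(1) from inside the configuration walker, so a second username/password method is fatal wherever figure_auth_funcs is reached; if this parser is also run on a configuration reload (not visible in this hunk, and figure_auth_funcs continues below it), a bad edit would take down a running server instead of keeping the previous configuration, so returning an error and letting the startup path decide to exit would be safer. The loop also stops at the first `enabled == 0` slot, which is only correct if config->auth[] is always filled contiguously; that assumption deserves a comment. I would add above the definition `/* Reject a second username/password method for this vhost: the already-enabled slots of config->auth[] are scanned and startup aborts on a match (exercised by tests/invalid-configs). */`.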
|
||||
@@ -260,6 +275,7 @@ static void figure_auth_funcs(void *pool, const char *vhostname,
|
||||
config->auth[x].name = talloc_strdup(pool, avail_auth_types[i].name);
|
||||
fprintf(stderr, NOTESTR"%s: enabling '%s' as authentication method\n", vhostname, avail_auth_types[i].name);
|
||||
|
||||
check_for_duplicate_password_auth(config, vhostname, avail_auth_types[i].type);
|
||||
config->auth[x].amod = avail_auth_types[i].mod;
|
||||
config->auth[x].type |= avail_auth_types[i].type;
|
||||
config->auth[x].enabled = 1;
|
||||
|
||||
@@ -96,7 +96,7 @@ dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \
|
||||
test-enc-key test-sighup-key-change test-get-cert test-san-cert \
|
||||
test-gssapi test-pass-opt-cert test-cert-opt-pass test-gssapi-opt-pass \
|
||||
test-gssapi-opt-cert haproxy-auth test-maintenance \
|
||||
test-group-name flowcontrol banner
|
||||
test-group-name flowcontrol banner invalid-configs
|
||||
|
||||
if HAVE_CWRAP_PAM
|
||||
dist_check_SCRIPTS += test-pam test-pam-noauth
|
||||
|
||||
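--- a/tests/invalid-configs
+++ b/tests/invalid-configs
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+PIDFILE=ocserv-pid.$$.tmp
+PORT=3492
+NO_NEED_ROOT=1
+
+. `dirname $0`/common.sh
+
+echo "Testing whether invalid configurations fail as expected... "
+
+# plain + pam (primary)
+update_config test1.config
+
+echo "auth = pam" >> ${CONFIG}
+
+timeout 10 ${SERV} -d 1 -p ${PIDFILE} -f -c ${CONFIG}
+
+if test $? != 0 && test $? != 124;then
+echo "Command failed as expected"
+else
+exit 1
+fi
+
+# plain + pam (alt)
+update_config test1.config
+
+echo "enable-auth = pam" >> ${CONFIG}
+
+timeout 10 ${SERV} -d 1 -p ${PIDFILE} -f -c ${CONFIG}
+
+if test $? != 0 && test $? != 124;then
+echo "Command failed as expected"
+else
+exit 1
+fi
+
+# plain + radius (primary)
+update_config test1.config
+
+echo "auth = \"radius[config=${srcdir}/data/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]\"" >> ${CONFIG}
+
+timeout 10 ${SERV} -d 1 -p ${PIDFILE} -f -c ${CONFIG}
+
+if test $? != 0 && test $? != 124;then
+echo "Command failed as expected"
+else
+exit 1
+fi
+
+# plain + radius (alternative)
+update_config test1.config
+
+echo "enable-auth = \"radius[config=${srcdir}/data/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]\"" >> ${CONFIG}
+
+timeout 10 ${SERV} -d 1 -p ${PIDFILE} -f -c ${CONFIG}
+
+if test $? != 0 && test $? != 124;then
+echo "Command failed as expected"
+else
+exit 1
+fi
+
+rm -f ${CONFIG} ${PIDFILE}
+
+exit 0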
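Review bot: In every `if test $? != 0 && test $? != 124` the second `$?` is the exit status of the first `test`, not of ocserv, so `test $? != 124` always compares 0 and the whole condition reduces to "exit status non-zero"; a server that accepts the mixed configuration and keeps running until `timeout` kills it (status 124) is therefore reported as "Command failed as expected", which is exactly the case this test exists to catch. Capture the status once and test that, `rc=$?` after the `timeout` line and then `if test $rc != 0 && test $rc != 124;then`. The same pattern appears in all four cases. On the `exit 1` branches ${CONFIG} and ${PIDFILE} are left behind, since the `rm -f` runs only on the success path; a `trap` or a cleanup before each exit would keep the test directory clean.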