Merge branch 'tmp-warn-in-password-auth' into 'master'

config: error when multiple password authentication methods are present

See merge request openconnect/ocserv!205

src/config.c

@@ -194,6 +194,21 @@ static auth_types_st avail_auth_types[] =
 #endif
 };
 
+static void check_for_duplicate_password_auth(struct perm_cfg_st *config, const char *vhostname, unsigned type)
+{
+	unsigned i;
+
+	if (type & AUTH_TYPE_USERNAME_PASS) {
+		for (i=0;i<MAX_AUTH_METHODS;i++) {
+			if (config->auth[i].enabled == 0)
+				break;
+			if (config->auth[i].type & AUTH_TYPE_USERNAME_PASS) {
+				fprintf(stderr, ERRSTR"%s: you cannot mix multiple password authentication methods\n", vhostname);
+				exit(1);
+			}
+		}
+	}
+}
 
 static void figure_auth_funcs(void *pool, const char *vhostname,
 			      struct perm_cfg_st *config, char **auth, unsigned auth_size,
@@ -260,6 +275,7 @@ static void figure_auth_funcs(void *pool, const char *vhostname,
 					config->auth[x].name = talloc_strdup(pool, avail_auth_types[i].name);
 					fprintf(stderr, NOTESTR"%s: enabling '%s' as authentication method\n", vhostname, avail_auth_types[i].name);
 
+					check_for_duplicate_password_auth(config, vhostname, avail_auth_types[i].type);
 					config->auth[x].amod = avail_auth_types[i].mod;
 					config->auth[x].type |= avail_auth_types[i].type;
 					config->auth[x].enabled = 1;

tests/Makefile.am

@@ -96,7 +96,7 @@ dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \
 	test-enc-key test-sighup-key-change test-get-cert test-san-cert \
 	test-gssapi test-pass-opt-cert test-cert-opt-pass test-gssapi-opt-pass \
 	test-gssapi-opt-cert haproxy-auth test-maintenance \
-	test-group-name flowcontrol banner
+	test-group-name flowcontrol banner invalid-configs
 
 if HAVE_CWRAP_PAM
 dist_check_SCRIPTS += test-pam test-pam-noauth

tests/invalid-configs

@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+PIDFILE=ocserv-pid.$$.tmp
+PORT=3492
+NO_NEED_ROOT=1
+
+. `dirname $0`/common.sh
+
+echo "Testing whether invalid configurations fail as expected... "
+
+# plain + pam (primary)
+update_config test1.config
+
+echo "auth = pam" >> ${CONFIG}
+
+timeout 10 ${SERV} -d 1 -p ${PIDFILE} -f -c ${CONFIG}
+
+if test $? != 0 && test $? != 124;then
+	echo "Command failed as expected"
+else
+	exit 1
+fi
+
+# plain + pam (alt)
+update_config test1.config
+
+echo "enable-auth = pam" >> ${CONFIG}
+
+timeout 10 ${SERV} -d 1 -p ${PIDFILE} -f -c ${CONFIG}
+
+if test $? != 0 && test $? != 124;then
+	echo "Command failed as expected"
+else
+	exit 1
+fi
+
+# plain + radius (primary)
+update_config test1.config
+
+echo "auth = \"radius[config=${srcdir}/data/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]\"" >> ${CONFIG}
+
+timeout 10 ${SERV} -d 1 -p ${PIDFILE} -f -c ${CONFIG}
+
+if test $? != 0 && test $? != 124;then
+	echo "Command failed as expected"
+else
+	exit 1
+fi
+
+# plain + radius (alternative)
+update_config test1.config
+
+echo "enable-auth = \"radius[config=${srcdir}/data/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]\"" >> ${CONFIG}
+
+timeout 10 ${SERV} -d 1 -p ${PIDFILE} -f -c ${CONFIG}
+
+if test $? != 0 && test $? != 124;then
+	echo "Command failed as expected"
+else
+	exit 1
+fi
+
+rm -f ${CONFIG} ${PIDFILE}
+
+exit 0