Don't check if username matches the requested username

It's the broker's responsibility to do that and authd doesn't know which usernames the provider considers equal, for example if they are case-sensitive or not.
ubuntu · Sep 4, 2024 · e91ab76 · e91ab76
1 parent 5e33826
commit e91ab76
Show file tree

Hide file tree

Showing 12 changed files with 16 additions and 629 deletions.
diff --git a/internal/brokers/broker.go b/internal/brokers/broker.go
@@ -194,11 +194,7 @@ func (b Broker) IsAuthenticated(ctx context.Context, sessionID, authenticationDa
 			return "", "", err
 		}
 
-		b.ongoingUserRequestsMu.Lock()
-		selectedUsername := b.ongoingUserRequests[sessionID]
-		b.ongoingUserRequestsMu.Unlock()
-
-		u, err := validateUserInfoAndGenerateIDs(selectedUsername, info)
+		u, err := validateUserInfoAndGenerateIDs(info)
 		if err != nil {
 			return "", "", err
 		}
@@ -362,16 +358,15 @@ func unmarshalUserInfo(rawMsg json.RawMessage) (userInfo, error) {
 }
 
 // validateUserInfoAndGenerateIDs checks if the specified userinfo is valid and generates the UID and GIDs.
-func validateUserInfoAndGenerateIDs(selectedUsername string, uInfo userInfo) (user users.UserInfo, err error) {
+func validateUserInfoAndGenerateIDs(uInfo userInfo) (user users.UserInfo, err error) {
 	defer decorate.OnError(&err, "provided userinfo is invalid")
 
-	// Validate username
+	// Validate username. We don't want to check here if it matches the username from the request, because it's the
+	// broker's responsibility to do that and we don't know which usernames the provider considers equal, for example if
+	// they are case-sensitive or not.
 	if uInfo.Name == "" {
 		return users.UserInfo{}, fmt.Errorf("empty username")
 	}
-	if uInfo.Name != selectedUsername {
-		return users.UserInfo{}, fmt.Errorf("username %q does not match the selected username %q", uInfo.Name, selectedUsername)
-	}
 
 	// Validate home and shell directories
 	if !filepath.IsAbs(filepath.Clean(uInfo.Dir)) {

diff --git a/internal/brokers/broker_test.go b/internal/brokers/broker_test.go
@@ -219,6 +219,7 @@ func TestIsAuthenticated(t *testing.T) {
 		"No error when auth.Next and no data":                              {sessionID: "IA_next"},
 		"No error when broker returns userinfo with empty gecos":           {sessionID: "IA_info_empty_gecos"},
 		"No error when broker returns userinfo with group with empty UGID": {sessionID: "IA_info_empty_ugid"},
+		"No error when broker returns userinfo with mismatching username":  {sessionID: "IA_info_mismatching_user_name"},
 
 		// broker errors
 		"Error when authenticating":                                           {sessionID: "IA_error"},
@@ -227,7 +228,6 @@ func TestIsAuthenticated(t *testing.T) {
 		"Error when broker returns invalid access":                            {sessionID: "IA_invalid_access"},
 		"Error when broker returns invalid userinfo":                          {sessionID: "IA_invalid_userinfo"},
 		"Error when broker returns userinfo with empty username":              {sessionID: "IA_info_empty_user_name"},
-		"Error when broker returns userinfo with mismatching username":        {sessionID: "IA_info_mismatching_user_name"},
 		"Error when broker returns userinfo with empty group name":            {sessionID: "IA_info_empty_group_name"},
 		"Error when broker returns userinfo with empty UUID":                  {sessionID: "IA_info_empty_uuid"},
 		"Error when broker returns userinfo with invalid homedir":             {sessionID: "IA_info_invalid_home"},

diff --git a/...a/TestIsAuthenticated/golden/error_when_broker_returns_userinfo_with_mismatching_username b/...a/TestIsAuthenticated/golden/error_when_broker_returns_userinfo_with_mismatching_username
diff --git a/...estIsAuthenticated/golden/no_error_when_broker_returns_userinfo_with_mismatching_username b/...estIsAuthenticated/golden/no_error_when_broker_returns_userinfo_with_mismatching_username
@@ -0,0 +1,4 @@
+FIRST CALL:
+	access: granted
+	data: {"Name":"different_username","UID":83626,"Gecos":"gecos for IA_info_mismatching_user_name","Dir":"/home/IA_info_mismatching_user_name","Shell":"/bin/sh/IA_info_mismatching_user_name","Groups":[{"Name":"different_username","GID":83626},{"Name":"group-IA_info_mismatching_user_name","GID":92849}]}
+	err: <nil>
diff --git a/internal/services/pam/pam_test.go b/internal/services/pam/pam_test.go
@@ -437,13 +437,12 @@ func TestIsAuthenticated(t *testing.T) {
 		"Error when there is no broker":                          {sessionID: "invalid-session"},
 
 		// broker errors
-		"Error when authenticating":                                          {username: "IA_error"},
-		"Error on empty data even if granted":                                {username: "IA_empty_data"},
-		"Error when broker returns invalid access":                           {username: "IA_invalid_access"},
-		"Error when broker returns invalid data":                             {username: "IA_invalid_data"},
-		"Error when broker returns invalid userinfo":                         {username: "IA_invalid_userinfo"},
-		"Error when broker returns username different than the one selected": {username: "IA_info_mismatching_user_name"},
-		"Error when calling second time without cancelling":                  {username: "IA_second_call", secondCall: true},
+		"Error when authenticating":                         {username: "IA_error"},
+		"Error on empty data even if granted":               {username: "IA_empty_data"},
+		"Error when broker returns invalid access":          {username: "IA_invalid_access"},
+		"Error when broker returns invalid data":            {username: "IA_invalid_data"},
+		"Error when broker returns invalid userinfo":        {username: "IA_invalid_userinfo"},
+		"Error when calling second time without cancelling": {username: "IA_second_call", secondCall: true},
 
 		// local group error
 		"Error on updating local groups with unexisting file": {username: "success_with_local_groups", localGroupsFile: "does_not_exists.group"},

diff --git a/...golden/error_when_broker_returns_username_different_than_the_one_selected/IsAuthenticated b/...golden/error_when_broker_returns_username_different_than_the_one_selected/IsAuthenticated
diff --git a/...icated/golden/error_when_broker_returns_username_different_than_the_one_selected/cache.db b/...icated/golden/error_when_broker_returns_username_different_than_the_one_selected/cache.db
diff --git a/pam/integration-tests/cli_test.go b/pam/integration-tests/cli_test.go
@@ -65,7 +65,6 @@ func TestCLIAuthenticate(t *testing.T) {
 
 		"Deny authentication if max attempts reached":                         {tape: "max_attempts"},
 		"Deny authentication if user does not exist":                          {tape: "unexistent_user"},
-		"Deny authentication if usernames dont match":                         {tape: "mismatch_username"},
 		"Deny authentication if newpassword does not match required criteria": {tape: "bad_password"},
 
 		"Exit authd if local broker is selected": {tape: "local_broker"},

diff --git a/pam/integration-tests/native_test.go b/pam/integration-tests/native_test.go
@@ -66,7 +66,6 @@ func TestNativeAuthenticate(t *testing.T) {
 
 		"Deny authentication if max attempts reached":                         {tape: "max_attempts"},
 		"Deny authentication if user does not exist":                          {tape: "unexistent_user"},
-		"Deny authentication if usernames dont match":                         {tape: "mismatch_username"},
 		"Deny authentication if newpassword does not match required criteria": {tape: "bad_password"},
 
 		"Exit authd if local broker is selected":                                    {tape: "local_broker"},

diff --git a/...ion-tests/testdata/TestCLIAuthenticate/golden/deny_authentication_if_usernames_dont_match b/...ion-tests/testdata/TestCLIAuthenticate/golden/deny_authentication_if_usernames_dont_match