Skip to content

Add PAM module stub generator, modules implmentations and integration tests #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 24 commits into
base: master
Choose a base branch
from
Open

Add PAM module stub generator, modules implmentations and integration tests #13

wants to merge 24 commits into from

Conversation

@3v1n0
Copy link
Collaborator

@3v1n0 3v1n0 commented Oct 5, 2023
edited
Loading

For the way go-pam is structured it made easy to create pam applications, but most of the code can be useful also for implementing modules in go.

As per this:

  • Define ModuleTransaction struct that is similar to Transaction, but with less methods
  • Add a pam-moduler (github.com/msteinert/pam/cmd/pam-moduler) to generate pam-module cgo stubs
  • Add a go (simpler) implementation of pam_debug.so and test it
  • Add an interaction testing module that uses an unix socket to dialog with a loader and that can be instructed to perform any operation on module side
  • Add module methods to set/get module data, and to initiate text-based and binary conversations
  • Test all these cases via integration tests (the only way to do that, since we need a pam-module-side handler).

Keeping this as a draft for now as it requires some refactors that were part of #12, but also it may be adapted a bit if we want to change Transaction errors to be less prone to potential races.

@3v1n0 3v1n0 changed the title Draft: Add PAM module stub generator, modules implmentations and integration tests Add PAM module stub generator, modules implmentations and integration tests Oct 5, 2023
@3v1n0 3v1n0 marked this pull request as draft October 5, 2023 04:07
@3v1n0 3v1n0 force-pushed the pam-moduler branch 7 times, most recently from 65b004b to bceb1f8 Compare October 10, 2023 09:48
@3v1n0 3v1n0 mentioned this pull request Oct 12, 2023
Merged
@3v1n0
Copy link
Collaborator Author

3v1n0 commented Oct 12, 2023

This is now rebased on #15 instead as it makes few things better to handle.

@3v1n0 3v1n0 force-pushed the pam-moduler branch 16 times, most recently from 24bf30b to b3c9311 Compare October 14, 2023 04:59
@3v1n0 3v1n0 mentioned this pull request Oct 14, 2023
Merged
3v1n0 added 21 commits February 18, 2024 18:32
@3v1n0
transaction: Add a transaction base type to define more transaction k…
4b982c8 
…inds

A pam handler can be used both by a module and by an Application, go-pam
is meant to be used in the application side right now, but it can be
easily changed to also create modules.

This is the prerequisite work to support this.
@3v1n0
transaction: Add ModuleTransaction type and ModuleHandler interface
8cf5c51 
This allows to easily define go-handlers for module operations.

We need to expose few more types externally so that it's possible to
create the module transaction handler and return specific transaction
errors
@3v1n0
transaction: Properly handle nil bytes in binary transactions
22b9e81 
If returned binaries are nil, we should pass them as nil and not as an
empty bytes array.
@3v1n0
pam-moduler: Add first implementation of a Go PAM Module generator
959de37 
A PAM module can be generated using pam-moduler and implemented fully in
go without having to manually deal with the C setup.

Module can be compiled using go generate, so go:generate directives can be
used to make this process automatic, with a single go generate call as shown
in the example.
@3v1n0
transaction: Define C functions as unexported static inlines
75278e8 
This will make it easier to avoid exporting unexpected symbols to the
generated PAM libraries.

Also it makes less messy handling C code inside go files.
@3v1n0
transaction, moduler: Do not export PAM conv handler function to modules
4b61910 
This function is only needed when using go PAM for creating applications
so it's not something we expect to have exported to library modules.

To prevent this use an `asPamModule` tag to prevent compilation of
application-only features.
@3v1n0
transaction: Move PAM app side function only to app-transaction
c0be314 
In this way all these features not even compiled when creating modules,
avoiding generating unused code.
@3v1n0
moduler: Move module transaction invoke handling to transaction itself
1b09841 
So we can reduce the generated code and add more unit tests
@3v1n0
pam-moduler: Add test that generates a new debug module and verify it…
e9dffa7 
… works

We mimic what pam_debug.so does by default, by implementing a similar
module fully in go, generated using pam-moduler.

This requires various utilities to generate the module and run the tests
that are in a separate internal modules so that it can be shared between
multiple implementations
@3v1n0
tests: Add a module implementation with dynamic control from the app
5fbbb88 
In order to properly test the interaction of a module transaction from
the application point of view, we need to perform operation in the
module and ensure that the expected values are returned and handled

In order to do this, without using the PAM apis that we want to test,
use a simple trick:
 - Create an application that works as server using an unix socket
 - Create a module that connects to it
 - Pass the socket to the module via the module service file arguments
 - Add some basic protocol that allows the application to send a request
   and to the module to reply to that.
 - Use reflection and serialization to automatically call module methods
   and return the values to the application where we do the check
@3v1n0
module-transaction: Add GetUser() method that prompts an user if non-set
5f3c15c 
We can now finally test this properly both using a mock and through the
interactive module that will do the request for us in various conditions.
@3v1n0
module-transaction: Add support for setting/getting module data
13989bb 
Module data is data associated with a module handle that is available
for the whole module loading time so it can be used also during
different operations.

We use cgo handles to preserve the life of the go objects so any value
can be associated with a pam transaction.
@3v1n0
module-transaction: Add support for initiating PAM Conversations
bc34d3b 
Modules have the ability to start PAM conversations, so while the
transaction code can handle them we did not have a way to init them.
Yet.

So add some APIs allowing this, making it easier from the go side to
handle the conversations.

In this commit we only support text-based conversations, but code is
designed with the idea of supporting binary cases too.

Added the integration tests using the module that is now able to both
start conversation and handle them using Go only.
@3v1n0
module-transaction: Add support for binary conversations
ce46e15 
A module can now initiate a binary conversation decoding the native
pointer value as it wants.

Added tests to verify the main cases
@3v1n0
module-transaction: Do not allow parallel conversations by default
a047550 
Pam conversations per se may also run in parallel, but this implies that
the application supports this.

Since this normally not the case, do not create modules that may invoke
the pam conversations in parallel by default, adding a mutex to protect
such calls.
@3v1n0
github/test: Run tests with address sanitizer
3253288 
We have lots of cgo interaction here so better to check things fully.

This also requires manually checking for leaks, so add support for this.
@3v1n0
transaction: Add BinaryConversationFunc adapter
62b69f7
@3v1n0
transaction: Add support for using raw binary pointers conversation h…
5689405 
…andler

This requires the allocating function to provide a binary pointer that
will be free'd by the conversation handlers finalizers.

This is for a more advanced usage scenario where the binary conversion
may be handled manually.
@3v1n0
README: Update how to run tests
5c4d796
@3v1n0
ci: Show coverage for all packages
61621ce 
We have test utils in other packages that are not shown as tested, while
they definitely are.
@3v1n0
transaction: Fix typo in conversation doc
e182844
@StephenBrown2
Copy link

Any progress on this? Looks very promising.

@3v1n0
Copy link
Collaborator Author

3v1n0 commented May 6, 2025
edited
Loading

@StephenBrown2 I think we can basically merge this since it's something we've been using actively for some time in https://github.com/ubuntu/authd

However, there are also problems when the modules are strictly done in go, since the go runtime may break other imported modules (dead-locking in SSH as per its specific thread implementation), so it's probably safer to have a different approach:

  1. A dbus transaction, that implements the interface defined here
  2. A "simple" thin C module that uses it by using go module as program.

@StephenBrown2
Copy link

StephenBrown2 commented May 7, 2025
edited
Loading

Agreed, I've experience the dead-locking in SSH first-hand with my own PAM module implementation, and have found several work-arounds for that, including in pam_fscrypt, by comparing the PID value between the Auth and session Open calls, gravitational-teleport invokes runtime.LockOSThread() and pam-ussh calls runtime.GOMAXPROCS(1).

I wanted to see if I could write a PAM module that communicates with another local service via gRPC, and it looks like authd does just that. Do you do that via DBUS or the C wrapper during SSH authentication due to the forking issue?

@3v1n0
Copy link
Collaborator Author

3v1n0 commented May 7, 2025
edited
Loading

and have found several work-arounds for that, including in pam_fscrypt, by comparing the PID value between the Auth and session Open calls, gravitational-teleport invokes runtime.LockOSThread() and pam-ussh calls runtime.GOMAXPROCS(1)

Yeah, but google one is just avoiding the calls and it's really not a solution (and still may be affected), LockOSThread didn't really help us, same with process limitation as we still may end up being affected on re-entries (the same module may be "re-invoked" multiple times during the same transaction.

So, eventually we decided that it was too risky to put unknown go runtime behavior in the PAM applications (since it was not reliable and too versions-dependent), and just go simple with a C wrapper that:

  • Creates a local dbus server exposing the PAM APIs
  • Invokes a PAM application that is written in Go and follows interface of this very same PR but that uses a dbus implementation of the pam.ModuleTransaction defined in this PR

All the rest of the gRPC communication happens in go though, the C side only invokes actions in the go binary.

So we can have in the same code both a go-library (that we use in safe cases such as GDM) and a PAM-module client application that is invoked through the module.

We used DBus because it was the easier way to handle this from the C side (using GLib's Gio), given that we also want to support binary conversations, but in general it could have been using simple fd's or something like varlink.

The C-module is simple and generic enough that can be used by anyone else though. In fact I was considering including it in this repo too, although it's a bit complex to expose it well in a go world.

Thus the code of this PR this matters, since all the abstraction that is here can be used in both ways.

See also:

@StephenBrown2
Copy link

Thanks for the detailed description, that's a lot to think about. Sorry for slightly going off topic for this PR. Best wishes on getting it merged!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@msteinert msteinert Awaiting requested review from msteinert

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@3v1n0 @codecov-commenter @StephenBrown2