canonical · 3v1n0 · Jun 13, 2025 · Jun 13, 2025 · Jun 16, 2025 · Jun 16, 2025
diff --git a/internal/brokers/withexamples.go b/internal/brokers/withexamples.go
@@ -13,6 +13,9 @@ import (
 
 // useExampleBrokers starts a mock system bus and exports the examplebroker in it.
 func useExampleBrokers() (string, func(), error) {
+	if os.Getenv("AUTHD_EXAMPLE_BROKER_DISABLE") != "" {
+		return "", func() { /* Nothing to cleanup */ }, nil
+	}
 	busCleanup, err := testutils.StartSystemBusMock()
 	if err != nil {
 		return "", nil, err

diff --git a/internal/testutils/args.go b/internal/testutils/args.go
@@ -92,3 +92,9 @@ func SleepMultiplier() float64 {
 
 	return sleepMultiplier
 }
+
+// IsCI returns whether the test is running in CI environment.
+var IsCI = sync.OnceValue(func() bool {
+	_, ok := os.LookupEnv("GITHUB_ACTIONS")
+	return ok
+})
diff --git a/internal/users/db/bbolt/testutils.go b/internal/users/db/bbolt/testutils.go
@@ -4,6 +4,7 @@ package bbolt
 // They are not exported, and guarded by testing assertions.
 
 import (
+	"encoding/json"
 	"os"
 	"path/filepath"
 	"strings"
@@ -14,14 +15,26 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-// We need to replace the current time by a deterministic time in the golden files to be able to compare them.
-// We use the first second of the year 2020 as a recognizable value (which is not the zero value).
-var redactedCurrentTime = "2020-01-01T00:00:00Z"
+const (
+	// We need to replace the current time by a deterministic time in the golden files to be able to compare them.
+	// We use the first second of the year 2020 as a recognizable value (which is not the zero value).
+	redactedCurrentTime = "2020-01-01T00:00:00Z"
+
+	// User homes can have an invalid prefix that we can adjust during tests.
+	redactedUserHome = "@HOME_BASE@"
+)
 
 // Z_ForTests_CreateDBFromYAML creates the database inside destDir and loads the src file content into it.
 //
 // nolint:revive,nolintlint // We want to use underscores in the function name here.
 func Z_ForTests_CreateDBFromYAML(src, destDir string) (err error) {
+	return Z_ForTests_CreateDBFromYAMLWithBaseHome(src, destDir, "")
+}
+
+// Z_ForTests_CreateDBFromYAMLWithBaseHome creates the database inside destDir and loads the src file content into it.
+//
+// nolint:revive,nolintlint // We want to use underscores in the function name here.
+func Z_ForTests_CreateDBFromYAMLWithBaseHome(src, destDir, baseHomeDir string) (err error) {
 	testsdetection.MustBeTesting()
 
 	src, err = filepath.Abs(src)
@@ -64,7 +77,26 @@ func Z_ForTests_CreateDBFromYAML(src, destDir string) (err error) {
 				if bucketName == userByIDBucketName || bucketName == userByNameBucketName {
 					// Replace the redacted time in the json value by a valid time.
 					val = strings.Replace(val, redactedCurrentTime, time.Now().Format(time.RFC3339), 1)
+
+					if baseHomeDir != "" {
+						var u UserDB
+						if err := json.Unmarshal([]byte(val), &u); err != nil {
+							return err
+						}
+
+						u.Dir = strings.ReplaceAll(u.Dir, redactedUserHome, baseHomeDir)
+						if err := os.MkdirAll(u.Dir, 0700); err != nil {
+							return err
+						}
+
+						v, err := json.Marshal(u)
+						if err != nil {
+							return err
+						}
+						val = string(v)
+					}
 				}
+
 				if err := bucket.Put([]byte(key), []byte(val)); err != nil {
 					panic("programming error: put called in a RO transaction")
 				}

diff --git a/pam/integration-tests/cli_test.go b/pam/integration-tests/cli_test.go
@@ -38,6 +38,7 @@ func TestCLIAuthenticate(t *testing.T) {
 		socketPath         string
 		currentUserNotRoot bool
 		wantLocalGroups    bool
+		noConfiguredBroker bool
 		oldDB              string
 		stopDaemonAfter    time.Duration
 	}{
@@ -189,6 +190,9 @@ func TestCLIAuthenticate(t *testing.T) {
 		},
 		"Autoselect_local_broker_for_local_user": {
 			tape: "local_user",
+			tapeVariables: map[string]string{
+				vhsTapeUserVariable: "root",
+			},
 		},
 		"Autoselect_local_broker_for_local_user_preset": {
 			tape:          "local_user_preset",
@@ -221,6 +225,18 @@ func TestCLIAuthenticate(t *testing.T) {
 			tape:         "local_broker",
 			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 		},
+		"Exit_authd_if_no_broker_is_configured": {
+			tape: "local_user",
+			tapeVariables: map[string]string{
+				vhsTapeUserVariable: vhsTestUserName(t, "no-broker"),
+			},
+			noConfiguredBroker: true,
+		},
+		"Exit_authd_if_no_broker_is_configured_with_preset_user": {
+			tape:               "local_user_preset",
+			clientOptions:      clientOptions{PamUser: vhsTestUserName(t, "no-broker")},
+			noConfiguredBroker: true,
+		},
 		"Exit_authd_if_user_sigints": {
 			tape: "sigint",
 		},
@@ -244,7 +260,8 @@ func TestCLIAuthenticate(t *testing.T) {
 			require.NoError(t, err, "Setup: symlinking the pam client")
 
 			var socketPath, gpasswdOutput, groupsFile, pidFile string
-			if tc.wantLocalGroups || tc.currentUserNotRoot || tc.stopDaemonAfter > 0 || tc.oldDB != "" {
+			if tc.wantLocalGroups || tc.currentUserNotRoot || tc.stopDaemonAfter > 0 ||
+				tc.noConfiguredBroker || tc.oldDB != "" {
 				// For the local groups tests we need to run authd again so that it has
 				// special environment that generates a fake gpasswd output for us to test.
 				// Similarly for the not-root tests authd has to run in a more restricted way.
@@ -253,9 +270,14 @@ func TestCLIAuthenticate(t *testing.T) {
 
 				pidFile = filepath.Join(outDir, "authd.pid")
 
+				env := useOldDatabaseEnv(t, tc.oldDB)
+				if tc.noConfiguredBroker {
+					env = append(env, "AUTHD_EXAMPLE_BROKER_DISABLE=1")
+				}
+
 				socketPath = runAuthd(t, gpasswdOutput, groupsFile, !tc.currentUserNotRoot,
 					testutils.WithPidFile(pidFile),
-					testutils.WithEnvironment(useOldDatabaseEnv(t, tc.oldDB)...))
+					testutils.WithEnvironment(env...))
 			} else {
 				socketPath, gpasswdOutput = sharedAuthd(t)
 			}

diff --git a/pam/integration-tests/helpers_test.go b/pam/integration-tests/helpers_test.go
@@ -564,7 +564,8 @@ func useOldDatabaseEnv(t *testing.T, oldDB string) []string {
 	oldDBDir, err := os.MkdirTemp(tempDir, "old-db-path")
 	require.NoError(t, err, "Cannot create db directory in %q", tempDir)
 
-	err = bbolt.Z_ForTests_CreateDBFromYAML(filepath.Join("testdata", "db", oldDB+".db.yaml"), oldDBDir)
+	err = bbolt.Z_ForTests_CreateDBFromYAMLWithBaseHome(
+		filepath.Join("testdata", "db", oldDB+".db.yaml"), oldDBDir, t.TempDir())
 	require.NoError(t, err, "Setup: creating old database")
 
 	return []string{fmt.Sprintf("AUTHD_INTEGRATIONTESTS_OLD_DB_DIR=%s", oldDBDir)}

diff --git a/pam/integration-tests/native_test.go b/pam/integration-tests/native_test.go
@@ -37,6 +37,7 @@ func TestNativeAuthenticate(t *testing.T) {
 		userSelection      bool
 		userSuffixSkip     bool
 		oldDB              string
+		noConfiguredBroker bool
 		wantLocalGroups    bool
 		wantSeparateDaemon bool
 		skipRunnerCheck    bool
@@ -305,11 +306,13 @@ func TestNativeAuthenticate(t *testing.T) {
 		"Autoselect_local_broker_for_local_user": {
 			tape:          "local_user",
 			userSelection: true,
+			tapeVariables: map[string]string{vhsTapeUserVariable: "root"},
 		},
 		"Autoselect_local_broker_for_local_user_on_polkit": {
 			tape:          "local_user",
 			userSelection: true,
 			clientOptions: clientOptions{PamServiceName: "polkit-1"},
+			tapeVariables: map[string]string{vhsTapeUserVariable: "root"},
 		},
 		"Autoselect_local_broker_for_local_user_preset": {
 			tape: "local_user_preset",
@@ -365,6 +368,27 @@ func TestNativeAuthenticate(t *testing.T) {
 				PamServiceName: "sshd",
 			},
 		},
+		"Exit_authd_if_no_broker_is_configured": {
+			tape: "local_user",
+			tapeVariables: map[string]string{
+				vhsTapeUserVariable: vhsTestUserName(t, "no-broker"),
+			},
+			userSelection:      true,
+			noConfiguredBroker: true,
+		},
+		"Exit_authd_if_no_broker_is_configured_with_preset_user": {
+			tape:               "local_user_preset",
+			clientOptions:      clientOptions{PamUser: vhsTestUserName(t, "no-broker")},
+			noConfiguredBroker: true,
+		},
+		"Exit_authd_if_no_broker_is_configured_with_preset_user_on_polkit": {
+			tape: "local_user_preset",
+			clientOptions: clientOptions{
+				PamServiceName: "polkit-1",
+				PamUser:        vhsTestUserName(t, "no-broker-polkit"),
+			},
+			noConfiguredBroker: true,
+		},
 		"Exit_if_user_is_not_pre-checked_on_custom_ssh_service_with_connection_env": {
 			tape: "local_ssh",
 			clientOptions: clientOptions{
@@ -403,7 +427,7 @@ func TestNativeAuthenticate(t *testing.T) {
 
 			var socketPath, gpasswdOutput, groupsFile, pidFile string
 			if tc.wantLocalGroups || tc.currentUserNotRoot || tc.wantSeparateDaemon ||
-				tc.oldDB != "" {
+				tc.noConfiguredBroker || tc.oldDB != "" {
 				// For the local groups tests we need to run authd again so that it has
 				// special environment that generates a fake gpasswd output for us to test.
 				// Similarly for the not-root tests authd has to run in a more restricted way.
@@ -412,9 +436,14 @@ func TestNativeAuthenticate(t *testing.T) {
 
 				pidFile = filepath.Join(outDir, "authd.pid")
 
+				env := useOldDatabaseEnv(t, tc.oldDB)
+				if tc.noConfiguredBroker {
+					env = append(env, "AUTHD_EXAMPLE_BROKER_DISABLE=1")
+				}
+
 				socketPath = runAuthd(t, gpasswdOutput, groupsFile, !tc.currentUserNotRoot,
 					testutils.WithPidFile(pidFile),
-					testutils.WithEnvironment(useOldDatabaseEnv(t, tc.oldDB)...))
+					testutils.WithEnvironment(env...))
 			} else {
 				socketPath, gpasswdOutput = sharedAuthd(t)
 			}