pam: Use pam.ModuleTransaction to implement pam module #89
Conversation
3v1n0
force-pushed
the
use-pam-moduler
branch
4 times, most recently
from
87f38eb
to
0435964
Compare
There was a problem hiding this comment.
Hey @3v1n0! I tried to explain as much as possible the reasons behind the changes related to idiomatic Go, so I hope everything is clear. I'm not an expert on PAM behavior, so if I missed or misunderstood something, feel free to let me know in the comments.
I'm still a bit unsure about switching what we already implemented ourselves to an external dependency (as it pulls a lot of weight that I'm not sure we need), but we can discuss it.
3v1n0
force-pushed
the
use-pam-moduler
branch
2 times, most recently
from
e6d13b2
to
0d94233
Compare
Thanks, I'm still attached to some C-isms, so happy to learn! :)
So, what we had implemented so far was just a tiny bit of what we actually need to perform everything we care about (some of the wip code is stashed here), but the current code needed still various C implementations and was very hard to test, so I decided that:
So basically my goal was to have a library that allowed us to do everything we need, especially in the GDM and pure-PAM (e.g. ssh) modes without having to care how the low-level implementation is done, assuming that is fully tested. |
3v1n0
force-pushed
the
use-pam-moduler
branch
from
0d94233
to
45e7096
Compare
There was a problem hiding this comment.
Hey @3v1n0, thanks for addressing the comments and for explaining some others in which I misunderstood the purpose of the changes. I have another request and, even though it's a single comment, it's a big (and also very important) one. If you're unsure how to move on with the table-testing approach, we can talk more about it in the specific comment, MM or HO.
Also, please avoid resolving the comments yourself, if possible. The comments are very useful for the reviewer to navigate through what was requested and to see if they were addressed or not. What we do normally is for the PR author to react with a 👍 on the comment if it was addressed or to discuss the change a bit more on the comment itself before deciding how (and if) to address it. After everything is addressed and discussed, you can re-request the review so the reviewer can take another look at the changes. Here's a short PR as an example: #58.
3v1n0
force-pushed
the
use-pam-moduler
branch
2 times, most recently
from
7775d8d
to
f95e0b8
Compare
There was a problem hiding this comment.
Hey @3v1n0, I appreciate you taking the time to address the comments and discuss them. Thanks!
We are not quite there yet, though. I feel like the table tests can be improved quite a bit, as right now they are a bit confusing and hard to read. I wrote more details in the specific comment. Hopefully, it's clearer.
3v1n0
force-pushed
the
use-pam-moduler
branch
5 times, most recently
from
b6f3d32
to
4f6ea76
Compare
3v1n0
force-pushed
the
use-pam-moduler
branch
2 times, most recently
from
eba2215
to
1a24037
Compare
3v1n0
force-pushed
the
use-pam-moduler
branch
from
1a24037
to
01576be
Compare
3v1n0
force-pushed
the
use-pam-moduler
branch
3 times, most recently
from
8d48626
to
eed3ab5
Compare
I rebase on the same base all the times, since that's the way everywhere else things happen, but let me know if you prefer me to push |
Also normally in such cases the way to do is to do is use the And since I'm not never rebasing against a newer
|
The issue with the |
You can manually provide the sha from your previous review, but no worries... I'll go with fixups. |
3v1n0
force-pushed
the
use-pam-moduler
branch
from
e0de288
to
dd6c830
Compare
|
So... I've finally got some upstream reviews on msteinert/pam#15 and so I also updated the branch here, this also implied renaming Changes are in the fixups and are quite minimal at the end. |
3v1n0
force-pushed
the
use-pam-moduler
branch
from
8855148
to
465ac7f
Compare
See, we are not that foreign or make unreasonable requests ;) |
didrocks
dismissed
their stale review
Trusting the other reviews and no time to rereview myself.
Avoid doing all the C manual work inside authd pam, but handle this in a separate library that handles this all and comes with fully tested operations. We could so mock the ModuleTransaction here if we want so that we can make things more testable as they are now. As per this change, the module can be simply be generated with: go generate -C pam
Instead of using our own types for return status, let's just use pam.StatusError to return more complex error values back to the user
We used to store the authentication ID as global value, but pam can handle this natively now, allowing us to store it as module data.
We have a base interface that the pam.ModuleTransaction should implement and so use and pass this interface instead of relying on the actual module transaction implementation, so that we can mock it. As per this introduce a new dummy implementation for it that can be used in local tests
As per this, do not define main() as an actual function when we're generating the module, to avoid adding unwanted code in the library.
PAM code is using CGO quite a lot, so run tests using address sanitizer to catch memory issues and leaks
ASAN in go does not catch memory leaks properly at the end of the test program execution, so force this using a wrapper function that is called when each test is completed.
3v1n0
force-pushed
the
use-pam-moduler
branch
from
7d01515
to
c974f78
Compare
Re-implement the PAM module bootstrap code by using pam-go and in particular the code proposed at msteinert/pam#13
That allows us to have a more tested and testable base. Also it will be a prerequisite for the gdm implementation and a pure-PAM protocol implementation.
The module can now generated by just using
go generate -C pamthat would generate in two steps both the go-glue code and the library itself.See single commits for further details.
UDENG-1647, UDENG-1604