From: Nick Porter Date: Mon, 10 Jul 2023 13:42:40 +0000 (+0100) Subject: Improve TACACS tests X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee15b3f8190c4bf90e3f08cc7547c32303070ffe;p=thirdparty%2Ffreeradius-server.git Improve TACACS tests Move authentication tests into `authenticate` sections and add test of ASCII auth to excercise Authentication-Continue
---
diff --git a/src/tests/tacacs/authenticate_ascii.out b/src/tests/tacacs/authenticate_ascii.out
new file mode 100644
index 00000000000..1d8f5f92562
--- /dev/null
+++ b/src/tests/tacacs/authenticate_ascii.out
@@ -0,0 +1,3 @@
+status: PASS
+data: b'Authentication-Data'
+server_msg: b'ASCII authentication accepted'
diff --git a/src/tests/tacacs/authenticate_ascii.txt b/src/tests/tacacs/authenticate_ascii.txt
new file mode 100644
index 00000000000..b705aa887f1
--- /dev/null
+++ b/src/tests/tacacs/authenticate_ascii.txt
@@ -0,0 +1,3 @@
+#
+# ARGV: -t ascii -u tapioca authenticate -p queijo
+#
diff --git a/src/tests/tacacs/config/radiusd.conf b/src/tests/tacacs/config/radiusd.conf
index a9b04ade5d2..b66b0ff3b62 100644
--- a/src/tests/tacacs/config/radiusd.conf
+++ b/src/tests/tacacs/config/radiusd.conf
@@ -112,15 +112,42 @@ server test { } recv Authentication-Start { - if (&User-Name == "tapioca") { + ok + } + + authenticate PAP { + if (&User-Name == 'tapioca' && &User-Password == 'queijo') { &reply.Server-Message := "Authentication-Start accepted" + ok + } else { + &reply.Server-Message := "Authentication-Start failed for %{User-Name}" + reject + } + } - &control.Auth-Type := Accept + authenticate ASCII { + # + # If we don't have all the required data, request it. + # + if (!&User-Name) { + &reply.Packet-Type := Authentication-GetUser + handled + } + if (!&User-Password) { + &reply.Packet-Type := Authentication-GetPass + handled + } - } else { - &reply.Server-Message := "Authentication-Start failed for %{User-Name}" + # + # Now we have the data perform authentication + # + if (&User-Name == 'tapioca' && &User-Password == 'queijo') { + &reply.Server-Message := "ASCII authentication accepted" + ok + } else { + &reply.Server-Message := "ASCII authentication failed for %{User-Name}" reject - } + } } send Authentication-Pass { @@ -132,15 +159,19 @@ server test { } recv Authentication-Continue { - if (&User-Name == "tapioca") { - &reply.Server-Message := "Authentication-Cont accepted" - - &control.Auth-Type := Accept + &control.Auth-Type := ASCII - } else { - &reply.Server-Message := "Authentication-Cont failed for %{User-Name}" - reject - } + # + # Fill the next missing attribute from User-Message + # + if (!&User-Name) { + &User-Name := &User-Message + handled + } + if (!&User-Password) { + &User-Password := &User-Message + handled + } } recv Authorization-Request {
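Review bot: The `else` branch of `authenticate ASCII` (the `reject` with "ASCII authentication failed for %{User-Name}") has no fixture in this commit, because authenticate_ascii.txt only drives the accepting pair `-u tapioca ... -p queijo`. For an authentication test the rejection path is the one most worth pinning, so unless it is covered outside this diff I would add a sibling fixture that sends a wrong `-p` value through the same GetUser/GetPass exchange and expects a failing status. The same applies to the `else` branch of `authenticate PAP`. The enclosing `server test` block starts and ends outside the hunk.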
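Review bot: `recv Authentication-Continue` assigns `User-Message` to whichever of `User-Name` / `User-Password` is still missing, and the comment above it does not say what that relies on: `authenticate ASCII` prompting GetUser before GetPass, and both attributes being kept between the packets of one session (the latter is not visible in this hunk). I would extend the comment, e.g. `# Order follows authenticate ASCII: first Continue is the user name, second is the password.` It is also worth stating that a Continue arriving with both attributes already set falls through with `Auth-Type := ASCII` and its `User-Message` is ignored, if that is the intent.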