Detect when unix_chkpwd failure message is added

Author: FastAlien

src/auth_message_parser.rs

@@ -1,14 +1,41 @@
-const PAM_PREFIX: &str = "pam_unix";
-const PAM_PREFIX_LENGTH: usize = PAM_PREFIX.len();
-const AUTH_FAILURE_MESSAGE: &str = "authentication failure";
+pub struct AuthMessageParser {
+    patterns: Vec<AuthFailedMessagePattern>,
+}
+
+struct AuthFailedMessagePattern {
+    prefix: String,
+    message: String,
+}
+
+impl AuthMessageParser {
+    pub fn new() -> AuthMessageParser {
+        let pam_message = AuthFailedMessagePattern {
+            prefix: String::from("pam_unix"),
+            message: String::from("authentication failure"),
+        };
+        let unix_chkpwd_message = AuthFailedMessagePattern {
+            prefix: String::from("unix_chkpwd"),
+            message: String::from("password check failed"),
+        };
+        return AuthMessageParser {
+            patterns: vec![pam_message, unix_chkpwd_message],
+        };
+    }
 
-pub fn is_auth_failed_message(message: &str) -> bool {
-    return match message.find(PAM_PREFIX) {
-        None => false,
-        Some(pam_prefix_position) => {
-            message[pam_prefix_position + PAM_PREFIX_LENGTH..].contains(AUTH_FAILURE_MESSAGE)
+    pub fn is_auth_failed_message(&self, message: &str) -> bool {
+        for pattern in &self.patterns {
+            match message.find(&pattern.prefix) {
+                None => {}
+                Some(prefix_position) => {
+                    let message_after_prefix = &message[prefix_position + pattern.prefix.len()..];
+                    if message_after_prefix.contains(&pattern.message) {
+                        return true;
+                    }
+                }
+            };
         }
-    };
+        return false;
+    }
 }
 
 #[cfg(test)]

src/auth_message_parser.test.rs

@@ -1,13 +1,11 @@
-use crate::auth_message_parser::is_auth_failed_message;
+use crate::auth_message_parser::AuthMessageParser;
+use crate::test_utils::test_file::AUTH_FAILED_TEST_MESSAGES;
 
 #[test]
 fn when_message_is_auth_failed_message_then_returns_true() {
-    let messages = [
-        "2023-04-22T12:20:32.512681+02:00 workstation sudo: pam_unix(sudo:auth): authentication failure; logname=john uid=1000 euid=0 tty=/dev/pts/7 ruser=john rhost=  user=john",
-        "2023-04-22T12:22:53.157054+02:00 workstation kscreenlocker_greet: pam_unix(kde:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=  user=john",
-    ];
-    for message in messages {
-        assert!(is_auth_failed_message(message));
+    let parser = AuthMessageParser::new();
+    for message in AUTH_FAILED_TEST_MESSAGES {
+        assert!(parser.is_auth_failed_message(message));
     }
 }
 
@@ -52,7 +50,8 @@ fn when_message_is_not_auth_failed_message_then_returns_false() {
 2024-02-10T14:34:24.371421+01:00 workstation sudo:   john : TTY=pts/3 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/ls
 2024-02-10T14:34:24.372326+01:00 workstation sudo: pam_unix(sudo:session): session opened for user root(uid=0) by john(uid=1000)
 2024-02-10T14:34:24.374716+01:00 workstation sudo: pam_unix(sudo:session): session closed for user root";
+    let parser = AuthMessageParser::new();
     for message in messages.split('\n') {
-        assert!(!is_auth_failed_message(message));
+        assert!(!parser.is_auth_failed_message(message));
     }
 }

src/auth_monitor.rs

@@ -2,14 +2,15 @@ use std::error::Error;
 use std::time::{Duration, SystemTime};
 
 use crate::auth_file_watcher::AuthFileWatcher;
-use crate::auth_message_parser::is_auth_failed_message;
+use crate::auth_message_parser::AuthMessageParser;
 use crate::auth_monitor_options::AuthMonitorOptions;
 use crate::auth_monitor_params::AuthMonitorParams;
 
 pub struct AuthMonitor {
     failed_attempts: i32,
     options: AuthMonitorOptions,
     file_watcher: AuthFileWatcher,
+    auth_message_parser: AuthMessageParser,
     last_failed_auth: SystemTime,
 }
 
@@ -20,6 +21,7 @@ impl AuthMonitor {
             failed_attempts: 0,
             options: params.options,
             file_watcher: AuthFileWatcher::new(&params.filepath)?,
+            auth_message_parser: AuthMessageParser::new(),
             last_failed_auth: SystemTime::UNIX_EPOCH,
         });
     }
@@ -30,7 +32,7 @@ impl AuthMonitor {
         }
         let mut failed_attempts = 0;
         self.file_watcher.update(|line| {
-            if is_auth_failed_message(line) {
+            if self.auth_message_parser.is_auth_failed_message(line) {
                 failed_attempts += 1;
             }
         });

src/test_utils/test_file.rs

@@ -5,9 +5,10 @@ use std::sync::atomic::{AtomicUsize, Ordering};
 
 use chrono::Local;
 
-const AUTH_FAILED_TEST_MESSAGES: [&str; 2] = [
+pub const AUTH_FAILED_TEST_MESSAGES: [&str; 3] = [
     "workstation sudo: pam_unix(sudo:auth): authentication failure; logname=john uid=1000 euid=0 tty=/dev/pts/7 ruser=john rhost=  user=john",
     "workstation kscreenlocker_greet: pam_unix(kde:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=  user=john",
+    "workstation unix_chkpwd[222793]: password check failed for user (john)"
 ];
 
 const OTHER_TEST_MESSAGES: [&str; 4] = [