Add more unit tests for mqauth plugin and address memory issue (#684)

RamSubbarao · GitHub Enterprise · commit ff621309b911 · 2024-07-18T20:52:42.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## 9.4.0.0-r3 (2024-07)
 
 * Fix to diable FIPS mode for `runmqakm` key store generation, when FIPS is not enabled
+* Fix APAR IT46430
 
 ## 9.4.0.0 (2024-06)
 
diff --git a/authservice/mqsimpleauth/.gitignore b/authservice/mqsimpleauth/.gitignore
@@ -0,0 +1,2 @@
+/testSecret*
+/*.log
diff --git a/authservice/mqsimpleauth/src/mqAdminPassword b/authservice/mqsimpleauth/src/mqAdminPassword
@@ -1 +1 @@
-passw0rd
+fred:$2y$05$3Fp9
diff --git a/authservice/mqsimpleauth/src/simpleauth.c b/authservice/mqsimpleauth/src/simpleauth.c
@@ -23,18 +23,20 @@ limitations under the License.
 #include "simpleauth.h"
 #include <linux/limits.h>
 
+const char *_mq_app_secret_file = MQ_APP_SECRET_FILE_DEFAULT;
+const char *_mq_admin_secret_file = MQ_ADMIN_SECRET_FILE_DEFAULT;
+
 // Check if the user is valid
-int simpleauth_authenticate_user(char *user, char *password)
+int simpleauth_authenticate_user(const char *const user, const char *const password)
 {
   int result = -1;
 
   if (simpleauth_valid_user(user))
   {
-    char *pwd = getSecretForUser(user);
+    char *pwd = get_secret_for_user(user);
     if (pwd != NULL)
     {     
-      int pwdCheck = strcmp(pwd, password);
-      if (pwdCheck == 0)
+      if (strcmp(pwd, password) == 0)
       {
         log_debugf("Correct password supplied. user=%s", user);
         result = SIMPLEAUTH_VALID;
@@ -44,10 +46,12 @@ int simpleauth_authenticate_user(char *user, char *password)
         log_debugf("Incorrect password supplied. user=%s", user);
         result = SIMPLEAUTH_INVALID_PASSWORD;
       }
+      memset(pwd, 0, strlen(pwd));
       free(pwd);
     }
     else
     {
+      log_debugf("Failed to get secret for user '%s'", user);
       result = SIMPLEAUTH_INVALID_PASSWORD;
     }
   }
@@ -59,81 +63,88 @@ int simpleauth_authenticate_user(char *user, char *password)
   return result;
 }
 
-bool simpleauth_valid_user(char *user)
+bool simpleauth_valid_user(const char *const user)
 {
   bool valid = false;
-  if ((strcmp(user, APP_USER_NAME)==0 || strcmp(user, ADMIN_USER_NAME)==0))
+  if ((strcmp(user, APP_USER_NAME) == 0 || strcmp(user, ADMIN_USER_NAME) == 0))
   {
     valid = true;
   }
   return valid;
 }
 
-char *getSecretForUser(char *user)
+/**
+ * get_secret_for_user will return a char* containing the credential for the given user
+ * the credential is read from the filesystem if the relevant file exists and an environment
+ * variable if not
+ *
+ * The caller is responsible for clearing then freeing memory
+ */
+char *get_secret_for_user(const char *const user)
 {
   if (0 == strcmp(user, APP_USER_NAME))
   {
-    char *secret = readSecret(MQ_APP_SECRET_FILE);
+    char *secret = read_secret(_mq_app_secret_file);
     if (secret != NULL)
     {
       return secret;
     }
     else
     {
-      char* envValue = getenv("MQ_APP_PASSWORD");
-      if (envValue != NULL)
+      const char *pwdFromEnv = getenv("MQ_APP_PASSWORD");
+      if (pwdFromEnv != NULL)
       {
         log_infof("Environment variable MQ_APP_PASSWORD is deprecated, use secrets to set the passwords");
-        char* pwdFromEnv = strdup(envValue);
-        return pwdFromEnv;
-      }
-      else
-      {
-        return NULL;
       }
+      return strdup(pwdFromEnv);
     }
-  } else if (0 == strcmp(user, ADMIN_USER_NAME))
+  } 
+  else if (0 == strcmp(user, ADMIN_USER_NAME))
   {
-      char *secret = readSecret(MQ_ADMIN_SECRET_FILE);
+      char *secret = read_secret(_mq_admin_secret_file);
       if (secret != NULL)
       {
         return secret;
       }
       else
       {
-        char* envValue =  getenv("MQ_ADMIN_PASSWORD");
-        if (envValue != NULL)
+        const char *pwdFromEnv = getenv("MQ_ADMIN_PASSWORD");
+        if (pwdFromEnv != NULL)
         {
           log_infof("Environment variable MQ_ADMIN_PASSWORD is deprecated, use secrets to set the passwords");
-          // Get the value of environment variable and store it as a copy to free up the memory
-          char* pwdFromEnv = strdup(envValue);
-          return pwdFromEnv;
         }
-        else 
-        {
-          return NULL;
-        }
-      }
+        return strdup(pwdFromEnv);
+     }
   }
   else
   {
     return NULL;
   }
 }
 
-char *readSecret(char* secret)
+/**
+ * read_secret will return a char* containing the credential read from the filesystem for the given user
+ *
+ * The caller is responsible for clearing then freeing memory
+ */
+char *read_secret(const char *const secret)
 {
   FILE *fp = fopen(secret, "r");
-  const size_t line_size = 1024;
   if (fp)
   {
+    const int line_size = MAX_PASSWORD_LENGTH + 1;
     char *pwd = malloc(line_size);
-    char *result = fgets(pwd, line_size, fp);
+    char *result;
+    result = fgets(pwd, line_size, fp);
+    fclose(fp);
     if (result == NULL)
+    {
+      memset(pwd, 0, line_size);
+      free(pwd);
       return NULL;
-
-    fclose(fp);
-    return pwd;
+    }
+    result[strcspn(result, "\r\n")] = 0;
+    return result;
   }
   else
   {
diff --git a/authservice/mqsimpleauth/src/simpleauth.h b/authservice/mqsimpleauth/src/simpleauth.h
@@ -20,10 +20,14 @@ limitations under the License.
 #define SIMPLEAUTH_VALID 0
 #define SIMPLEAUTH_INVALID_USER 1
 #define SIMPLEAUTH_INVALID_PASSWORD 2
-#define MQ_APP_SECRET_FILE "/run/secrets/mqAppPassword"
-#define MQ_ADMIN_SECRET_FILE "/run/secrets/mqAdminPassword"
+#define MQ_APP_SECRET_FILE_DEFAULT "/run/secrets/mqAppPassword"
+#define MQ_ADMIN_SECRET_FILE_DEFAULT "/run/secrets/mqAdminPassword"
 #define APP_USER_NAME "app"
 #define ADMIN_USER_NAME "admin"
+#define MAX_PASSWORD_LENGTH 256
+
+extern const char *_mq_app_secret_file;
+extern const char *_mq_admin_secret_file;
 
 /**
  * Authenticate a user, based on the supplied file name.
@@ -32,27 +36,27 @@ limitations under the License.
  * @param password the password of the user
  * @return SIMPLEAUTH_VALID, SIMPLEAUTH_INVALID_USER or SIMPLEAUTH_INVALID_PASSWORD
  */
-int simpleauth_authenticate_user(char *user, char *password);
+int simpleauth_authenticate_user(const char *const user, const char *const password);
 
 /**
  * Validate that a user exists in the password file.
  *
  * @param user the user name to validate
  */
-bool simpleauth_valid_user(char *user);
+bool simpleauth_valid_user(const char *const user);
 
 /**
  * Get the secret of the UserId.
  *
  * @param user the user name to validate
  */
-char *getSecretForUser(char *user);
+char *get_secret_for_user(const char *const user);
 
 /**
  * Get the secret of the UserId.
  *
  * @param secret path for the secret file
 */
-char *readSecret(char* secret);
+char *read_secret(const char *const secret);
 
 #endif
diff --git a/authservice/mqsimpleauth/src/simpleauth_test.c b/authservice/mqsimpleauth/src/simpleauth_test.c
diff --git a/authservice/mqsimpleauth/src/simpleauth_test.h b/authservice/mqsimpleauth/src/simpleauth_test.h

Original file line number	Diff line number	Diff line change
`@@ -23,18 +23,20 @@ limitations under the License.`
`23`	`23`	`#include "simpleauth.h"`
`24`	`24`	`#include <linux/limits.h>`
`25`	`25`
	`26`	`+const char *_mq_app_secret_file = MQ_APP_SECRET_FILE_DEFAULT;`
	`27`	`+const char *_mq_admin_secret_file = MQ_ADMIN_SECRET_FILE_DEFAULT;`
	`28`	`+`
`26`	`29`	`// Check if the user is valid`
`27`		`-int simpleauth_authenticate_user(char user, char password)`
	`30`	`+int simpleauth_authenticate_user(const char const user, const char const password)`
`28`	`31`	`{`
`29`	`32`	`int result = -1;`
`30`	`33`
`31`	`34`	`if (simpleauth_valid_user(user))`
`32`	`35`	`{`
`33`		`- char *pwd = getSecretForUser(user);`
	`36`	`+ char *pwd = get_secret_for_user(user);`
`34`	`37`	`if (pwd != NULL)`
`35`	`38`	`{`
`36`		`- int pwdCheck = strcmp(pwd, password);`
`37`		`- if (pwdCheck == 0)`
	`39`	`+ if (strcmp(pwd, password) == 0)`
`38`	`40`	`{`
`39`	`41`	`log_debugf("Correct password supplied. user=%s", user);`
`40`	`42`	`result = SIMPLEAUTH_VALID;`
`@@ -44,10 +46,12 @@ int simpleauth_authenticate_user(char user, char password)`
`44`	`46`	`log_debugf("Incorrect password supplied. user=%s", user);`
`45`	`47`	`result = SIMPLEAUTH_INVALID_PASSWORD;`
`46`	`48`	`}`
	`49`	`+ memset(pwd, 0, strlen(pwd));`
`47`	`50`	`free(pwd);`
`48`	`51`	`}`
`49`	`52`	`else`
`50`	`53`	`{`
	`54`	`+ log_debugf("Failed to get secret for user '%s'", user);`
`51`	`55`	`result = SIMPLEAUTH_INVALID_PASSWORD;`
`52`	`56`	`}`
`53`	`57`	`}`
`@@ -59,81 +63,88 @@ int simpleauth_authenticate_user(char user, char password)`
`59`	`63`	`return result;`
`60`	`64`	`}`
`61`	`65`
`62`		`-bool simpleauth_valid_user(char *user)`
	`66`	`+bool simpleauth_valid_user(const char *const user)`
`63`	`67`	`{`
`64`	`68`	`bool valid = false;`
`65`		`- if ((strcmp(user, APP_USER_NAME)==0 \|\| strcmp(user, ADMIN_USER_NAME)==0))`
	`69`	`+ if ((strcmp(user, APP_USER_NAME) == 0 \|\| strcmp(user, ADMIN_USER_NAME) == 0))`
`66`	`70`	`{`
`67`	`71`	`valid = true;`
`68`	`72`	`}`
`69`	`73`	`return valid;`
`70`	`74`	`}`
`71`	`75`
`72`		`-char getSecretForUser(char user)`
	`76`	`+/**`
	`77`	`+ * get_secret_for_user will return a char* containing the credential for the given user`
	`78`	`+ * the credential is read from the filesystem if the relevant file exists and an environment`
	`79`	`+ * variable if not`
	`80`	`+ *`
	`81`	`+ * The caller is responsible for clearing then freeing memory`
	`82`	`+ */`
	`83`	`+char get_secret_for_user(const char const user)`
`73`	`84`	`{`
`74`	`85`	`if (0 == strcmp(user, APP_USER_NAME))`
`75`	`86`	`{`
`76`		`- char *secret = readSecret(MQ_APP_SECRET_FILE);`
	`87`	`+ char *secret = read_secret(_mq_app_secret_file);`
`77`	`88`	`if (secret != NULL)`
`78`	`89`	`{`
`79`	`90`	`return secret;`
`80`	`91`	`}`
`81`	`92`	`else`
`82`	`93`	`{`
`83`		`- char* envValue = getenv("MQ_APP_PASSWORD");`
`84`		`- if (envValue != NULL)`
	`94`	`+ const char *pwdFromEnv = getenv("MQ_APP_PASSWORD");`
	`95`	`+ if (pwdFromEnv != NULL)`
`85`	`96`	`{`
`86`	`97`	`log_infof("Environment variable MQ_APP_PASSWORD is deprecated, use secrets to set the passwords");`
`87`		`- char* pwdFromEnv = strdup(envValue);`
`88`		`- return pwdFromEnv;`
`89`		`- }`
`90`		`- else`
`91`		`- {`
`92`		`- return NULL;`
`93`	`98`	`}`
	`99`	`+ return strdup(pwdFromEnv);`
`94`	`100`	`}`
`95`		`- } else if (0 == strcmp(user, ADMIN_USER_NAME))`
	`101`	`+ }`
	`102`	`+ else if (0 == strcmp(user, ADMIN_USER_NAME))`
`96`	`103`	`{`
`97`		`- char *secret = readSecret(MQ_ADMIN_SECRET_FILE);`
	`104`	`+ char *secret = read_secret(_mq_admin_secret_file);`
`98`	`105`	`if (secret != NULL)`
`99`	`106`	`{`
`100`	`107`	`return secret;`
`101`	`108`	`}`
`102`	`109`	`else`
`103`	`110`	`{`
`104`		`- char* envValue = getenv("MQ_ADMIN_PASSWORD");`
`105`		`- if (envValue != NULL)`
	`111`	`+ const char *pwdFromEnv = getenv("MQ_ADMIN_PASSWORD");`
	`112`	`+ if (pwdFromEnv != NULL)`
`106`	`113`	`{`
`107`	`114`	`log_infof("Environment variable MQ_ADMIN_PASSWORD is deprecated, use secrets to set the passwords");`
`108`		`- // Get the value of environment variable and store it as a copy to free up the memory`
`109`		`- char* pwdFromEnv = strdup(envValue);`
`110`		`- return pwdFromEnv;`
`111`	`115`	`}`
`112`		`- else`
`113`		`- {`
`114`		`- return NULL;`
`115`		`- }`
`116`		`- }`
	`116`	`+ return strdup(pwdFromEnv);`
	`117`	`+ }`
`117`	`118`	`}`
`118`	`119`	`else`
`119`	`120`	`{`
`120`	`121`	`return NULL;`
`121`	`122`	`}`
`122`	`123`	`}`
`123`	`124`
`124`		`-char readSecret(char secret)`
	`125`	`+/**`
	`126`	`+ * read_secret will return a char* containing the credential read from the filesystem for the given user`
	`127`	`+ *`
	`128`	`+ * The caller is responsible for clearing then freeing memory`
	`129`	`+ */`
	`130`	`+char read_secret(const char const secret)`
`125`	`131`	`{`
`126`	`132`	`FILE *fp = fopen(secret, "r");`
`127`		`- const size_t line_size = 1024;`
`128`	`133`	`if (fp)`
`129`	`134`	`{`
	`135`	`+ const int line_size = MAX_PASSWORD_LENGTH + 1;`
`130`	`136`	`char *pwd = malloc(line_size);`
`131`		`- char *result = fgets(pwd, line_size, fp);`
	`137`	`+ char *result;`
	`138`	`+ result = fgets(pwd, line_size, fp);`
	`139`	`+ fclose(fp);`
`132`	`140`	`if (result == NULL)`
	`141`	`+ {`
	`142`	`+ memset(pwd, 0, line_size);`
	`143`	`+ free(pwd);`
`133`	`144`	`return NULL;`
`134`		`-`
`135`		`- fclose(fp);`
`136`		`- return pwd;`
	`145`	`+ }`
	`146`	`+ result[strcspn(result, "\r\n")] = 0;`
	`147`	`+ return result;`
`137`	`148`	`}`
`138`	`149`	`else`
`139`	`150`	`{`