Use lowercase usernames (#723)

All the brokers we currently support (msentraid and google) use
case-insensitive usernames. Currently, logging in with a username which
differs in upper or lowercase from the username in the broker results
in an authentication failure. We want to fix that.

The easiest way to do that is to convert all usernames to lowercase
before storing them in our database or passing them to the broker, and
also convert the Name argument of GetPassdByName to lowercase before
querying the database.

If we (or anyone else) ever wants to add a broker for a provider which
does *not* use case-insensitive usernames, we will have to revisit this
and decide whether we want to support that.

Review and merge together with
ubuntu/authd-oidc-brokers#314

Closes #530, #531 
UDENG-4518
UDENG-4519
UDENG-6636
UDENG-6822

Author: 3v1n0

.github/workflows/qa.yaml

@@ -24,6 +24,8 @@ env:
     libpwquality-dev
 
   test_apt_deps: >-
+    apparmor-profiles
+    bubblewrap
     cracklib-runtime
     git-delta
     openssh-client
@@ -155,6 +157,10 @@ jobs:
 
           # The integration tests build the NSS crate, so we need the cargo build dependencies in order to run them.
           sudo apt install -y ${{ env.apt_deps }} ${{ env.protobuf_compilers}} ${{ env.test_apt_deps }}
+
+          # Load the apparmor profile for bubblewrap.
+          sudo ln -s /usr/share/apparmor/extra-profiles/bwrap-userns-restrict /etc/apparmor.d/
+          sudo apparmor_parser /etc/apparmor.d/bwrap-userns-restrict
       - name: Install PAM and GLib debug symbols
         run: |
           set -eu

cmd/authd/daemon/migration.go

@@ -69,7 +69,7 @@ func maybeMigrateBBoltToSQLite(dbDir string) (migrated bool, err error) {
 		return false, nil
 	}
 
-	if err := db.MigrateData(dbDir); err != nil {
+	if err := db.MigrateFromBBoltToSQLite(dbDir); err != nil {
 		return false, fmt.Errorf("failed to migrate data: %w", err)
 	}
 

cmd/authd/daemon/testdata/golden/TestMaybeMigrateBBoltToSQLite/Migration_if_bbolt_exists_and_sqlite_does_not_exist

@@ -61,3 +61,4 @@ users_to_groups:
       gid: 44444
     - uid: 4444
       gid: 99999
+schema_version: 1

debian/control

@@ -3,6 +3,7 @@ Section: admin
 Priority: optional
 Maintainer: Ubuntu Developers <[email protected]>
 Build-Depends: debhelper-compat (= 13),
+               bubblewrap <!nocheck>,
                cracklib-runtime <!nocheck>,
                dbus <!nocheck>,
                dh-apport,

examplebroker/users.go

@@ -12,6 +12,8 @@ var (
 		"user1":               {Password: "goodpass"},
 		"user2":               {Password: "goodpass"},
 		"user3":               {Password: "goodpass"},
+		"user-ssh":            {Password: "goodpass"},
+		"user-ssh2":           {Password: "goodpass"},
 		"user-mfa":            {Password: "goodpass"},
 		"user-mfa-with-reset": {Password: "goodpass"},
 		"user-needs-reset":    {Password: "goodpass"},

internal/brokers/broker_test.go

@@ -105,13 +105,13 @@ func TestGetAuthenticationModes(t *testing.T) {
 		"Get_authentication_modes_and_generate_validators":                                         {sessionID: "success", supportedUILayouts: []string{"required-entry", "optional-entry"}},
 		"Get_authentication_modes_and_generate_validator_ignoring_whitespaces_in_supported_values": {sessionID: "success", supportedUILayouts: []string{"layout-with-spaces"}},
 		"Get_authentication_modes_and_ignores_invalid_UI_layout":                                   {sessionID: "success", supportedUILayouts: []string{"required-entry", "missing-type"}},
-		"Get_multiple_authentication_modes_and_generate_validators":                                {sessionID: "GAM_multiple_modes", supportedUILayouts: []string{"required-entry", "optional-entry"}},
+		"Get_multiple_authentication_modes_and_generate_validators":                                {sessionID: "gam_multiple_modes", supportedUILayouts: []string{"required-entry", "optional-entry"}},
 
-		"Does_not_error_out_when_no_authentication_modes_are_returned": {sessionID: "GAM_empty"},
+		"Does_not_error_out_when_no_authentication_modes_are_returned": {sessionID: "gam_empty"},
 
 		// broker errors
-		"Error_when_getting_authentication_modes": {sessionID: "GAM_error", wantErr: true},
-		"Error_when_broker_returns_invalid_modes": {sessionID: "GAM_invalid", wantErr: true},
+		"Error_when_getting_authentication_modes": {sessionID: "gam_error", wantErr: true},
+		"Error_when_broker_returns_invalid_modes": {sessionID: "gam_invalid", wantErr: true},
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
@@ -153,23 +153,23 @@ func TestSelectAuthenticationMode(t *testing.T) {
 
 		wantErr bool
 	}{
-		"Successfully_select_mode_with_required_value":         {sessionID: "SAM_success_required_entry"},
-		"Successfully_select_mode_with_optional_value":         {sessionID: "SAM_success_optional_entry", supportedUILayouts: []string{"optional-entry"}},
-		"Successfully_select_mode_with_missing_optional_value": {sessionID: "SAM_missing_optional_entry", supportedUILayouts: []string{"optional-entry"}},
+		"Successfully_select_mode_with_required_value":         {sessionID: "sam_success_required_entry"},
+		"Successfully_select_mode_with_optional_value":         {sessionID: "sam_success_optional_entry", supportedUILayouts: []string{"optional-entry"}},
+		"Successfully_select_mode_with_missing_optional_value": {sessionID: "sam_missing_optional_entry", supportedUILayouts: []string{"optional-entry"}},
 
 		// broker errors
-		"Error_when_selecting_invalid_auth_mode":              {sessionID: "SAM_error", wantErr: true},
+		"Error_when_selecting_invalid_auth_mode":              {sessionID: "sam_error", wantErr: true},
 		"Error_when_no_validators_were_generated_for_session": {sessionID: "no-validators", wantErr: true},
 
 		/* Layout errors */
-		"Error_when_returns_no_layout":                          {sessionID: "SAM_no_layout", wantErr: true},
-		"Error_when_returns_empty_layout":                       {sessionID: "SAM_empty_layout", wantErr: true},
-		"Error_when_returns_layout_with_no_type":                {sessionID: "SAM_no_layout_type", wantErr: true},
-		"Error_when_returns_layout_with_invalid_type":           {sessionID: "SAM_invalid_layout_type", wantErr: true},
-		"Error_when_returns_layout_without_required_value":      {sessionID: "SAM_missing_required_entry", wantErr: true},
-		"Error_when_returns_layout_with_unknown_field":          {sessionID: "SAM_unknown_field", wantErr: true},
-		"Error_when_returns_layout_with_invalid_required_value": {sessionID: "SAM_invalid_required_entry", wantErr: true},
-		"Error_when_returns_layout_with_invalid_optional_value": {sessionID: "SAM_invalid_optional_entry", wantErr: true},
+		"Error_when_returns_no_layout":                          {sessionID: "sam_no_layout", wantErr: true},
+		"Error_when_returns_empty_layout":                       {sessionID: "sam_empty_layout", wantErr: true},
+		"Error_when_returns_layout_with_no_type":                {sessionID: "sam_no_layout_type", wantErr: true},
+		"Error_when_returns_layout_with_invalid_type":           {sessionID: "sam_invalid_layout_type", wantErr: true},
+		"Error_when_returns_layout_without_required_value":      {sessionID: "sam_missing_required_entry", wantErr: true},
+		"Error_when_returns_layout_with_unknown_field":          {sessionID: "sam_unknown_field", wantErr: true},
+		"Error_when_returns_layout_with_invalid_required_value": {sessionID: "sam_invalid_required_entry", wantErr: true},
+		"Error_when_returns_layout_with_invalid_optional_value": {sessionID: "sam_invalid_optional_entry", wantErr: true},
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
@@ -213,30 +213,30 @@ func TestIsAuthenticated(t *testing.T) {
 		cancelFirstCall bool
 	}{
 		"Successfully_authenticate":                                        {sessionID: "success"},
-		"Successfully_authenticate_after_cancelling_first_call":            {sessionID: "IA_second_call", secondCall: true},
-		"Denies_authentication_when_broker_times_out":                      {sessionID: "IA_timeout"},
-		"Adds_default_groups_even_if_broker_did_not_set_them":              {sessionID: "IA_info_empty_groups"},
-		"No_error_when_auth.Next_and_no_data":                              {sessionID: "IA_next"},
-		"No_error_when_auth.Next_and_message":                              {sessionID: "IA_next_with_data"},
-		"No_error_when_broker_returns_userinfo_with_empty_gecos":           {sessionID: "IA_info_empty_gecos"},
-		"No_error_when_broker_returns_userinfo_with_group_with_empty_UGID": {sessionID: "IA_info_empty_ugid"},
-		"No_error_when_broker_returns_userinfo_with_mismatching_username":  {sessionID: "IA_info_mismatching_user_name"},
+		"Successfully_authenticate_after_cancelling_first_call":            {sessionID: "ia_second_call", secondCall: true},
+		"Denies_authentication_when_broker_times_out":                      {sessionID: "ia_timeout"},
+		"Adds_default_groups_even_if_broker_did_not_set_them":              {sessionID: "ia_info_empty_groups"},
+		"No_error_when_auth.Next_and_no_data":                              {sessionID: "ia_next"},
+		"No_error_when_auth.Next_and_message":                              {sessionID: "ia_next_with_data"},
+		"No_error_when_broker_returns_userinfo_with_empty_gecos":           {sessionID: "ia_info_empty_gecos"},
+		"No_error_when_broker_returns_userinfo_with_group_with_empty_UGID": {sessionID: "ia_info_empty_ugid"},
+		"No_error_when_broker_returns_userinfo_with_mismatching_username":  {sessionID: "ia_info_mismatching_user_name"},
 
 		// broker errors
-		"Error_when_authenticating":                                           {sessionID: "IA_error"},
-		"Error_on_empty_data_even_if_granted":                                 {sessionID: "IA_empty_data"},
-		"Error_when_broker_returns_invalid_data":                              {sessionID: "IA_invalid_data"},
-		"Error_when_broker_returns_invalid_access":                            {sessionID: "IA_invalid_access"},
-		"Error_when_broker_returns_invalid_userinfo":                          {sessionID: "IA_invalid_userinfo"},
-		"Error_when_broker_returns_userinfo_with_empty_username":              {sessionID: "IA_info_empty_user_name"},
-		"Error_when_broker_returns_userinfo_with_empty_group_name":            {sessionID: "IA_info_empty_group_name"},
-		"Error_when_broker_returns_userinfo_with_invalid_homedir":             {sessionID: "IA_info_invalid_home"},
-		"Error_when_broker_returns_userinfo_with_invalid_shell":               {sessionID: "IA_info_invalid_shell"},
-		"Error_when_broker_returns_invalid_data_on_auth.Next":                 {sessionID: "IA_next_with_invalid_data"},
-		"Error_when_broker_returns_data_on_auth.Cancelled":                    {sessionID: "IA_cancelled_with_data"},
-		"Error_when_broker_returns_no_data_on_auth.Denied":                    {sessionID: "IA_denied_without_data"},
-		"Error_when_broker_returns_no_data_on_auth.Retry":                     {sessionID: "IA_retry_without_data"},
-		"Error_when_calling_IsAuthenticated_a_second_time_without_cancelling": {sessionID: "IA_second_call", secondCall: true, cancelFirstCall: true},
+		"Error_when_authenticating":                                           {sessionID: "ia_error"},
+		"Error_on_empty_data_even_if_granted":                                 {sessionID: "ia_empty_data"},
+		"Error_when_broker_returns_invalid_data":                              {sessionID: "ia_invalid_data"},
+		"Error_when_broker_returns_invalid_access":                            {sessionID: "ia_invalid_access"},
+		"Error_when_broker_returns_invalid_userinfo":                          {sessionID: "ia_invalid_userinfo"},
+		"Error_when_broker_returns_userinfo_with_empty_username":              {sessionID: "ia_info_empty_user_name"},
+		"Error_when_broker_returns_userinfo_with_empty_group_name":            {sessionID: "ia_info_empty_group_name"},
+		"Error_when_broker_returns_userinfo_with_invalid_homedir":             {sessionID: "ia_info_invalid_home"},
+		"Error_when_broker_returns_userinfo_with_invalid_shell":               {sessionID: "ia_info_invalid_shell"},
+		"Error_when_broker_returns_invalid_data_on_auth.Next":                 {sessionID: "ia_next_with_invalid_data"},
+		"Error_when_broker_returns_data_on_auth.Cancelled":                    {sessionID: "ia_cancelled_with_data"},
+		"Error_when_broker_returns_no_data_on_auth.Denied":                    {sessionID: "ia_denied_without_data"},
+		"Error_when_broker_returns_no_data_on_auth.Retry":                     {sessionID: "ia_retry_without_data"},
+		"Error_when_calling_IsAuthenticated_a_second_time_without_cancelling": {sessionID: "ia_second_call", secondCall: true, cancelFirstCall: true},
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
@@ -289,8 +289,8 @@ func TestCancelIsAuthenticated(t *testing.T) {
 
 		wantAnswer string
 	}{
-		"Successfully_cancels_IsAuthenticated": {sessionID: "IA_wait", wantAnswer: auth.Cancelled},
-		"Call_returns_denied_if_not_cancelled": {sessionID: "IA_timeout", wantAnswer: auth.Denied},
+		"Successfully_cancels_IsAuthenticated": {sessionID: "ia_wait", wantAnswer: auth.Cancelled},
+		"Call_returns_denied_if_not_cancelled": {sessionID: "ia_timeout", wantAnswer: auth.Denied},
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
@@ -305,7 +305,7 @@ func TestCancelIsAuthenticated(t *testing.T) {
 			}()
 			defer cancel()
 
-			if tc.sessionID == "IA_wait" {
+			if tc.sessionID == "ia_wait" {
 				// Give some time for the IsAuthenticated routine to start.
 				time.Sleep(time.Second)
 				cancel()

internal/brokers/manager.go

@@ -132,6 +132,9 @@ func (m *Manager) SetDefaultBrokerForUser(brokerID, username string) error {
 		return fmt.Errorf("invalid broker: %v", err)
 	}
 
+	// authd uses lowercase usernames
+	username = strings.ToLower(username)
+
 	m.usersToBrokerMu.Lock()
 	defer m.usersToBrokerMu.Unlock()
 	m.usersToBroker[username] = broker

internal/brokers/manager_test.go

@@ -186,8 +186,8 @@ func TestNewSession(t *testing.T) {
 		"Successfully_start_a_new_session_with_the_correct_broker": {username: "success", configuredBrokers: []string{t.Name() + "_Broker1.conf", t.Name() + "_Broker2.conf"}},
 
 		"Error_when_broker_does_not_exist":           {brokerID: "does_not_exist", wantErr: true},
-		"Error_when_broker_does_not_provide_an_ID":   {username: "NS_no_id", wantErr: true},
-		"Error_when_starting_a_new_session":          {username: "NS_error", wantErr: true},
+		"Error_when_broker_does_not_provide_an_ID":   {username: "ns_no_id", wantErr: true},
+		"Error_when_starting_a_new_session":          {username: "ns_error", wantErr: true},
 		"Error_when_broker_is_not_available_on_dbus": {unavailableBroker: true, wantErr: true},
 	}
 	for name, tc := range tests {
@@ -270,7 +270,7 @@ func TestEndSession(t *testing.T) {
 		"Successfully_end_session_on_the_correct_broker": {sessionID: "success", configuredBrokers: []string{t.Name() + "_Broker1", t.Name() + "_Broker2"}},
 
 		"Error_when_broker_does_not_exist": {brokerID: "does not exist", sessionID: "dont matter", wantErr: true},
-		"Error_when_ending_session":        {sessionID: "ES_error", wantErr: true},
+		"Error_when_ending_session":        {sessionID: "es_error", wantErr: true},
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {

internal/brokers/testdata/golden/TestIsAuthenticated/Adds_default_groups_even_if_broker_did_not_set_them

@@ -1,4 +1,4 @@
 FIRST CALL:
 	access: granted
-	data: {"Name":"TestIsAuthenticated/Adds_default_groups_even_if_broker_did_not_set_them_separator_IA_info_empty_groups","UID":0,"Gecos":"gecos for IA_info_empty_groups","Dir":"/home/IA_info_empty_groups","Shell":"/bin/sh/IA_info_empty_groups","Groups":[]}
+	data: {"Name":"TestIsAuthenticated/Adds_default_groups_even_if_broker_did_not_set_them_separator_ia_info_empty_groups","UID":0,"Gecos":"gecos for ia_info_empty_groups","Dir":"/home/ia_info_empty_groups","Shell":"/bin/sh/ia_info_empty_groups","Groups":[]}
 	err: <nil>

internal/brokers/testdata/golden/TestIsAuthenticated/Error_when_calling_IsAuthenticated_a_second_time_without_cancelling

@@ -1,8 +1,8 @@
 FIRST CALL:
 	access: granted
-	data: {"Name":"TestIsAuthenticated/Error_when_calling_IsAuthenticated_a_second_time_without_cancelling_separator_IA_second_call","UID":0,"Gecos":"gecos for IA_second_call","Dir":"/home/IA_second_call","Shell":"/bin/sh/IA_second_call","Groups":[{"Name":"group-IA_second_call","GID":null,"UGID":"ugid-IA_second_call"}]}
+	data: {"Name":"TestIsAuthenticated/Error_when_calling_IsAuthenticated_a_second_time_without_cancelling_separator_ia_second_call","UID":0,"Gecos":"gecos for ia_second_call","Dir":"/home/ia_second_call","Shell":"/bin/sh/ia_second_call","Groups":[{"Name":"group-ia_second_call","GID":null,"UGID":"ugid-ia_second_call"}]}
 	err: <nil>
 SECOND CALL:
 	access: 
 	data: 
-	err: broker "TestIsAuthenticated": IsAuthenticated already running for session "TestIsAuthenticated/Error_when_calling_IsAuthenticated_a_second_time_without_cancelling_separator_IA_second_call"
+	err: broker "TestIsAuthenticated": IsAuthenticated already running for session "TestIsAuthenticated/Error_when_calling_IsAuthenticated_a_second_time_without_cancelling_separator_ia_second_call"