From 34a24eac7747596ae97b346013ae7216bcded785 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Fri, 4 Dec 2020 21:33:35 +0100
Subject: [PATCH] tests/pam: Ensure that we ignore verify events before
 VerifyStart has completed

We had a race that was causing the events to be handled even if we were
not ready to accept them, causing a potential non-authentication.

So simulate this case, by sending a 'verify-match' event before we
started the verification and ensure that we ignore it.
---
 tests/pam/test_pam_fprintd.py | 38 +++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 mode change 100644 => 100755 tests/pam/test_pam_fprintd.py

diff --git a/tests/pam/test_pam_fprintd.py b/tests/pam/test_pam_fprintd.py
old mode 100644
new mode 100755
index 4398608..1462eb5
--- a/tests/pam/test_pam_fprintd.py
+++ b/tests/pam/test_pam_fprintd.py
@@ -161,6 +161,44 @@ class TestPamFprintd(dbusmock.DBusTestCase):
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_USER_UNKNOWN)
         res = pypamtest.run_pamtest("toto", "fprintd-pam-test", [tc], [ 'unused' ])
 
+    def test_pam_fprintd_blocks_unexpected_auth(self):
+        self.setup_device()
+        script = [
+            ( 'verify-match', True, -500 ), # This one is sent before VerifyStart has completed
+            ( 'verify-no-match', True, 1 ),
+            ( 'verify-no-match', True, 1 ),
+            ( 'verify-no-match', True, 1 ),
+        ]
+        self.device_mock.SetVerifyScript(script)
+
+        tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_MAXTRIES)
+        res = pypamtest.run_pamtest("toto", "fprintd-pam-test", [tc], [ 'unused' ])
+
+        self.assertRegex(res.info[0], r'Swipe your left little finger across the fingerprint reader')
+        self.assertEqual(len(res.errors), 3)
+        self.assertRegex(res.errors[0], r'Failed to match fingerprint')
+        self.assertRegex(res.errors[0], r'Failed to match fingerprint')
+        self.assertRegex(res.errors[0], r'Failed to match fingerprint')
+
+    def test_pam_fprintd_blocks_unexpected_auth2(self):
+        self.setup_device()
+        script = [
+            ( 'verify-no-match', True, 1 ),
+            ( 'verify-match', True, -500 ), # This one is sent before VerifyStart has completed
+            ( 'verify-no-match', True, 1 ),
+            ( 'verify-no-match', True, 1 ),
+        ]
+        self.device_mock.SetVerifyScript(script)
+
+        tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_MAXTRIES)
+        res = pypamtest.run_pamtest("toto", "fprintd-pam-test", [tc], [ 'unused' ])
+
+        self.assertRegex(res.info[0], r'Swipe your left little finger across the fingerprint reader')
+        self.assertEqual(len(res.errors), 3)
+        self.assertRegex(res.errors[0], r'Failed to match fingerprint')
+        self.assertRegex(res.errors[0], r'Failed to match fingerprint')
+        self.assertRegex(res.errors[0], r'Failed to match fingerprint')
+
     def test_pam_fprintd_dual_reader_auth(self):
         device_path = self.obj_fprintd_mock.AddDevice('FDO Sandpaper Reader', 3, 'press')
         sandpaper_device_mock = self.dbus_con.get_object('net.reactivated.Fprint', device_path)