pam/native-module: Detach the instructions from the prompt

In native modules the prompt should be only the text shown on the
field, while the rest of information should be exposed as PAM info
messages.

Do this to ensure that both all PAM implementations we care about (ssh
and polkit) keep a reasonable UI.

pam/integration-tests/native_test.go

@@ -34,10 +34,11 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		"Authenticate user with mfa": {
 			tape:         "mfa_auth",
-			tapeSettings: []tapeSetting{{vhsHeight, 700}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 		},
 		"Authenticate user with form mode with button": {
-			tape: "form_with_button",
+			tape:         "form_with_button",
+			tapeSettings: []tapeSetting{{vhsHeight, 600}},
 		},
 		"Authenticate user with qr code": {
 			tape:          "qr_code",
@@ -46,23 +47,23 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		"Authenticate user with qr code in a TTY": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 3500}},
+			tapeSettings: []tapeSetting{{vhsHeight, 3700}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty",
 				Term:    "linux",
 			},
 		},
 		"Authenticate user with qr code in a TTY session": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 3500}},
+			tapeSettings: []tapeSetting{{vhsHeight, 3700}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty-session",
 				Term:    "xterm-256color", SessionType: "tty",
 			},
 		},
 		"Authenticate user with qr code in screen": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 3500}},
+			tapeSettings: []tapeSetting{{vhsHeight, 3700}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-screen",
 				Term:    "screen",
@@ -98,14 +99,14 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		"Authenticate user switching auth mode": {
 			tape:         "switch_auth_mode",
-			tapeSettings: []tapeSetting{{vhsHeight, 2350}},
+			tapeSettings: []tapeSetting{{vhsHeight, 3000}},
 		},
 		"Authenticate user switching username": {
 			tape: "switch_username",
 		},
 		"Authenticate user switching to local broker": {
 			tape:         "switch_local_broker",
-			tapeSettings: []tapeSetting{{vhsHeight, 600}},
+			tapeSettings: []tapeSetting{{vhsHeight, 700}},
 		},
 		"Authenticate user and add it to local group": {
 			tape: "local_group",
@@ -152,7 +153,8 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 
 		"Deny authentication if max attempts reached": {
-			tape: "max_attempts",
+			tape:         "max_attempts",
+			tapeSettings: []tapeSetting{{vhsHeight, 700}},
 		},
 		"Deny authentication if user does not exist": {
 			tape: "unexistent_user",
@@ -167,7 +169,7 @@ func TestNativeAuthenticate(t *testing.T) {
 
 		"Prevent preset user from switching username": {
 			tape:          "switch_preset_username",
-			tapeSettings:  []tapeSetting{{vhsHeight, 700}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 800}},
 			clientOptions: clientOptions{PamUser: "user-integration-pam-preset"},
 		},
 
@@ -247,7 +249,7 @@ func TestNativeChangeAuthTok(t *testing.T) {
 		},
 		"Change passwd after MFA auth": {
 			tape:         "passwd_mfa",
-			tapeSettings: []tapeSetting{{vhsHeight, 900}},
+			tapeSettings: []tapeSetting{{vhsHeight, 1100}},
 		},
 
 		"Retry if new password is rejected by broker": {
@@ -266,7 +268,8 @@ func TestNativeChangeAuthTok(t *testing.T) {
 		},
 
 		"Prevent change password if auth fails": {
-			tape: "passwd_auth_fail",
+			tape:         "passwd_auth_fail",
+			tapeSettings: []tapeSetting{{vhsHeight, 700}},
 		},
 		"Prevent change password if user does not exist": {
 			tape: "passwd_unexistent_user",

pam/integration-tests/testdata/TestNativeAuthenticate/golden/authenticate_user_and_accept_password_reset

@@ -3,52 +3,61 @@ Username:
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-can-reset2
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 >
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-can-reset2
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-can-reset2
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
-== Password Update (enter 'r' to go back to choose the provider) ==
+== Password Update ==
   1. Proceed with password update
   2. Skip
+Or enter 'r' to go back to choose the provider
 Choose action:
 >
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-can-reset2
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
-== Password Update (enter 'r' to go back to choose the provider) ==
+== Password Update ==
   1. Proceed with password update
   2. Skip
+Or enter 'r' to go back to choose the provider
 Choose action:
 > 1
 Enter your new password (3 days until mandatory) (or enter 'r' to go back to choose the provider
@@ -57,17 +66,20 @@ Enter your new password (3 days until mandatory) (or enter 'r' to go back to cho
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-can-reset2
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
-== Password Update (enter 'r' to go back to choose the provider) ==
+== Password Update ==
   1. Proceed with password update
   2. Skip
+Or enter 'r' to go back to choose the provider
 Choose action:
 > 1
 Enter your new password (3 days until mandatory) (or enter 'r' to go back to choose the provider
@@ -78,17 +90,20 @@ Confirm password (or enter 'r' to go back to choose the provider):
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-can-reset2
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
-== Password Update (enter 'r' to go back to choose the provider) ==
+== Password Update ==
   1. Proceed with password update
   2. Skip
+Or enter 'r' to go back to choose the provider
 Choose action:
 > 1
 Enter your new password (3 days until mandatory) (or enter 'r' to go back to choose the provider
@@ -102,17 +117,20 @@ PAM AcctMgmt() exited with success
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-can-reset2
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
-== Password Update (enter 'r' to go back to choose the provider) ==
+== Password Update ==
   1. Proceed with password update
   2. Skip
+Or enter 'r' to go back to choose the provider
 Choose action:
 > 1
 Enter your new password (3 days until mandatory) (or enter 'r' to go back to choose the provider
@@ -127,17 +145,20 @@ PAM AcctMgmt() exited with success
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-can-reset2
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
-== Password Update (enter 'r' to go back to choose the provider) ==
+== Password Update ==
   1. Proceed with password update
   2. Skip
+Or enter 'r' to go back to choose the provider
 Choose action:
 > 1
 Enter your new password (3 days until mandatory) (or enter 'r' to go back to choose the provider

pam/integration-tests/testdata/TestNativeAuthenticate/golden/authenticate_user_and_add_it_to_local_group

@@ -6,30 +6,35 @@ Username: user-local-groups
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-local-groups
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 >
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-local-groups
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-local-groups
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
@@ -39,11 +44,13 @@ PAM AcctMgmt() exited with success
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 Username: user-local-groups
-== Provider selection (enter 'r' to go back to user selection) ==
+== Provider selection ==
   1. local
   2. ExampleBroker
+Or enter 'r' to go back to user selection
 Choose your provider:
 > 2
+== Password authentication ==
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >