forked from pool/sssd
9ba0639961
CVE-2013-0287 (bnc#809153) (forwarded request 160207 from rhafer) OBS-URL: https://build.opensuse.org/request/show/160208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=44
415 lines
16 KiB
Diff
415 lines
16 KiB
Diff
From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
Date: Sun, 3 Mar 2013 21:43:44 +0100
|
|
Subject: Add unit tests for simple access test by groups
|
|
|
|
I realized that the current unit tests for the simple access provider
|
|
only tested the user directives. To have a baseline and be able to
|
|
detect new bugs in the upcoming patch, I implemented unit tests for the
|
|
group lists, too.
|
|
(cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b)
|
|
---
|
|
src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++-----
|
|
1 file changed, 253 insertions(+), 32 deletions(-)
|
|
|
|
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
|
|
index c61814e..577c6d3 100644
|
|
--- a/src/tests/simple_access-tests.c
|
|
+++ b/src/tests/simple_access-tests.c
|
|
@@ -30,39 +30,152 @@
|
|
#include "providers/simple/simple_access.h"
|
|
#include "tests/common.h"
|
|
|
|
+#define TESTS_PATH "tests_simple_access"
|
|
+#define TEST_CONF_FILE "tests_conf.ldb"
|
|
+
|
|
const char *ulist_1[] = {"u1", "u2", NULL};
|
|
+const char *glist_1[] = {"g1", "g2", NULL};
|
|
+
|
|
+struct simple_test_ctx *test_ctx = NULL;
|
|
+
|
|
+struct simple_test_ctx {
|
|
+ struct sysdb_ctx *sysdb;
|
|
+ struct confdb_ctx *confdb;
|
|
|
|
-struct simple_ctx *ctx = NULL;
|
|
+ struct simple_ctx *ctx;
|
|
+};
|
|
|
|
void setup_simple(void)
|
|
{
|
|
- fail_unless(ctx == NULL, "Simple context already initialized.");
|
|
- ctx = talloc_zero(NULL, struct simple_ctx);
|
|
- fail_unless(ctx != NULL, "Cannot create simple context.");
|
|
-
|
|
- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
|
|
- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
|
|
- ctx->domain->case_sensitive = true;
|
|
+ errno_t ret;
|
|
+ char *conf_db;
|
|
+ const char *val[2];
|
|
+ val[1] = NULL;
|
|
+
|
|
+ /* Create tests directory if it doesn't exist */
|
|
+ /* (relative to current dir) */
|
|
+ ret = mkdir(TESTS_PATH, 0775);
|
|
+ fail_if(ret == -1 && errno != EEXIST,
|
|
+ "Could not create %s directory", TESTS_PATH);
|
|
+
|
|
+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
|
|
+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
|
|
+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
|
|
+
|
|
+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
|
|
+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
|
|
+
|
|
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
|
|
+ fail_if(conf_db == NULL, "Out of memory, aborting!");
|
|
+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
|
|
+
|
|
+ /* Connect to the conf db */
|
|
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
|
|
+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
|
|
+
|
|
+ val[0] = "LOCAL";
|
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
|
+ "config/sssd", "domains", val);
|
|
+ fail_if(ret != EOK, "Could not initialize domains placeholder");
|
|
+
|
|
+ val[0] = "local";
|
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
|
+ "config/domain/LOCAL", "id_provider", val);
|
|
+ fail_if(ret != EOK, "Could not initialize provider");
|
|
+
|
|
+ val[0] = "TRUE";
|
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
|
+ "config/domain/LOCAL", "enumerate", val);
|
|
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
|
+
|
|
+ val[0] = "TRUE";
|
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
|
+ "config/domain/LOCAL", "cache_credentials", val);
|
|
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
|
+
|
|
+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
|
|
+ TESTS_PATH,
|
|
+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
|
|
+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
|
|
+ test_ctx->ctx->domain->case_sensitive = true;
|
|
}
|
|
|
|
void teardown_simple(void)
|
|
{
|
|
int ret;
|
|
- fail_unless(ctx != NULL, "Simple context already freed.");
|
|
- ret = talloc_free(ctx);
|
|
- ctx = NULL;
|
|
+ fail_unless(test_ctx != NULL, "Simple context already freed.");
|
|
+ ret = talloc_free(test_ctx);
|
|
+ test_ctx = NULL;
|
|
fail_unless(ret == 0, "Connot free simple context.");
|
|
}
|
|
|
|
+void setup_simple_group(void)
|
|
+{
|
|
+ errno_t ret;
|
|
+
|
|
+ setup_simple();
|
|
+
|
|
+ /* Add test users u1 and u2 that would be members of test groups
|
|
+ * g1 and g2 respectively */
|
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
|
+ "u1", NULL, 123, 0, "u1", "/home/u1",
|
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
|
+ fail_if(ret != EOK, "Could not add u1");
|
|
+
|
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
|
+ "u2", NULL, 456, 0, "u1", "/home/u1",
|
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
|
+ fail_if(ret != EOK, "Could not add u2");
|
|
+
|
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
|
+ "u3", NULL, 789, 0, "u1", "/home/u1",
|
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
|
+ fail_if(ret != EOK, "Could not add u3");
|
|
+
|
|
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
|
+ "g1", 321, NULL, 0, 0);
|
|
+ fail_if(ret != EOK, "Could not add g1");
|
|
+
|
|
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
|
+ "g2", 654, NULL, 0, 0);
|
|
+ fail_if(ret != EOK, "Could not add g2");
|
|
+
|
|
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
|
+ "g1", "u1", SYSDB_MEMBER_USER);
|
|
+ fail_if(ret != EOK, "Could not add u1 to g1");
|
|
+
|
|
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
|
+ "g2", "u2", SYSDB_MEMBER_USER);
|
|
+ fail_if(ret != EOK, "Could not add u2 to g2");
|
|
+}
|
|
+
|
|
+void teardown_simple_group(void)
|
|
+{
|
|
+ errno_t ret;
|
|
+
|
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
|
|
+ fail_if(ret != EOK, "Could not delete u1");
|
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
|
|
+ fail_if(ret != EOK, "Could not delete u2");
|
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
|
|
+ fail_if(ret != EOK, "Could not delete u3");
|
|
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
|
|
+ fail_if(ret != EOK, "Could not delete g1");
|
|
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
|
|
+ fail_if(ret != EOK, "Could not delete g2");
|
|
+
|
|
+ teardown_simple();
|
|
+}
|
|
+
|
|
START_TEST(test_both_empty)
|
|
{
|
|
int ret;
|
|
bool access_granted = false;
|
|
|
|
- ctx->allow_users = NULL;
|
|
- ctx->deny_users = NULL;
|
|
+ test_ctx->ctx->allow_users = NULL;
|
|
+ test_ctx->ctx->deny_users = NULL;
|
|
|
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == true, "Access denied "
|
|
"while both lists are empty.");
|
|
@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
|
|
int ret;
|
|
bool access_granted = true;
|
|
|
|
- ctx->allow_users = NULL;
|
|
- ctx->deny_users = discard_const(ulist_1);
|
|
+ test_ctx->ctx->allow_users = NULL;
|
|
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
|
|
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == false, "Access granted "
|
|
"while user is in deny list.");
|
|
|
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == true, "Access denied "
|
|
"while user is not in deny list.");
|
|
@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
|
|
int ret;
|
|
bool access_granted = false;
|
|
|
|
- ctx->allow_users = discard_const(ulist_1);
|
|
- ctx->deny_users = NULL;
|
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
|
+ test_ctx->ctx->deny_users = NULL;
|
|
|
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == true, "Access denied "
|
|
"while user is in allow list.");
|
|
|
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == false, "Access granted "
|
|
"while user is not in allow list.");
|
|
@@ -114,15 +227,15 @@ START_TEST(test_both_set)
|
|
int ret;
|
|
bool access_granted = false;
|
|
|
|
- ctx->allow_users = discard_const(ulist_1);
|
|
- ctx->deny_users = discard_const(ulist_1);
|
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
|
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
|
|
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == false, "Access granted "
|
|
"while user is in deny list.");
|
|
|
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == false, "Access granted "
|
|
"while user is not in allow list.");
|
|
@@ -134,18 +247,18 @@ START_TEST(test_case)
|
|
int ret;
|
|
bool access_granted = false;
|
|
|
|
- ctx->allow_users = discard_const(ulist_1);
|
|
- ctx->deny_users = NULL;
|
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
|
+ test_ctx->ctx->deny_users = NULL;
|
|
|
|
- ret = simple_access_check(ctx, "U1", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == false, "Access granted "
|
|
"for user with different case "
|
|
"in case-sensitive domain");
|
|
|
|
- ctx->domain->case_sensitive = false;
|
|
+ test_ctx->ctx->domain->case_sensitive = false;
|
|
|
|
- ret = simple_access_check(ctx, "U1", &access_granted);
|
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
|
fail_unless(access_granted == true, "Access denied "
|
|
"for user with different case "
|
|
@@ -153,11 +266,95 @@ START_TEST(test_case)
|
|
}
|
|
END_TEST
|
|
|
|
+START_TEST(test_group_allow_empty)
|
|
+{
|
|
+ int ret;
|
|
+ bool access_granted = true;
|
|
+
|
|
+ test_ctx->ctx->allow_groups = NULL;
|
|
+ test_ctx->ctx->deny_groups = discard_const(glist_1);
|
|
+
|
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
|
+ fail_unless(access_granted == false, "Access granted "
|
|
+ "while group is in deny list.");
|
|
+
|
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
|
+ fail_unless(access_granted == true, "Access denied "
|
|
+ "while group is not in deny list.");
|
|
+}
|
|
+END_TEST
|
|
+
|
|
+START_TEST(test_group_deny_empty)
|
|
+{
|
|
+ int ret;
|
|
+ bool access_granted = false;
|
|
+
|
|
+ test_ctx->ctx->allow_groups = discard_const(glist_1);
|
|
+ test_ctx->ctx->deny_groups = NULL;
|
|
+
|
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
|
+ fail_unless(access_granted == true, "Access denied "
|
|
+ "while group is in allow list.");
|
|
+
|
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
|
+ fail_unless(access_granted == false, "Access granted "
|
|
+ "while group is not in allow list.");
|
|
+}
|
|
+END_TEST
|
|
+
|
|
+START_TEST(test_group_both_set)
|
|
+{
|
|
+ int ret;
|
|
+ bool access_granted = false;
|
|
+
|
|
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
|
+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
|
|
+
|
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
|
+ fail_unless(access_granted == false, "Access granted "
|
|
+ "while group is in deny list.");
|
|
+
|
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
|
+ fail_unless(access_granted == false, "Access granted "
|
|
+ "while group is not in allow list.");
|
|
+}
|
|
+END_TEST
|
|
+
|
|
+START_TEST(test_group_case)
|
|
+{
|
|
+ int ret;
|
|
+ bool access_granted = false;
|
|
+
|
|
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
|
+ test_ctx->ctx->deny_groups = NULL;
|
|
+
|
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
|
+ fail_unless(access_granted == false, "Access granted "
|
|
+ "for group with different case "
|
|
+ "in case-sensitive domain");
|
|
+
|
|
+ test_ctx->ctx->domain->case_sensitive = false;
|
|
+
|
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
|
+ fail_unless(access_granted == true, "Access denied "
|
|
+ "for group with different case "
|
|
+ "in case-insensitive domain");
|
|
+}
|
|
+END_TEST
|
|
+
|
|
Suite *access_simple_suite (void)
|
|
{
|
|
Suite *s = suite_create("access_simple");
|
|
|
|
- TCase *tc_allow_deny = tcase_create("allow/deny");
|
|
+ TCase *tc_allow_deny = tcase_create("user allow/deny");
|
|
tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
|
|
tcase_add_test(tc_allow_deny, test_both_empty);
|
|
tcase_add_test(tc_allow_deny, test_allow_empty);
|
|
@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
|
|
tcase_add_test(tc_allow_deny, test_case);
|
|
suite_add_tcase(s, tc_allow_deny);
|
|
|
|
+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
|
|
+ tcase_add_checked_fixture(tc_grp_allow_deny,
|
|
+ setup_simple_group, teardown_simple_group);
|
|
+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
|
|
+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
|
|
+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
|
|
+ tcase_add_test(tc_grp_allow_deny, test_group_case);
|
|
+ suite_add_tcase(s, tc_grp_allow_deny);
|
|
+
|
|
return s;
|
|
}
|
|
|
|
@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
|
|
int opt;
|
|
poptContext pc;
|
|
int number_failed;
|
|
+ int ret;
|
|
|
|
struct poptOption long_options[] = {
|
|
POPT_AUTOHELP
|
|
@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
|
|
srunner_run_all(sr, CK_ENV);
|
|
number_failed = srunner_ntests_failed(sr);
|
|
srunner_free(sr);
|
|
+
|
|
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
|
|
+ if (ret != EOK) {
|
|
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
|
+ errno, strerror(errno));
|
|
+ return EXIT_FAILURE;
|
|
+ }
|
|
+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
|
|
+ if (ret != EOK) {
|
|
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
|
+ errno, strerror(errno));
|
|
+ return EXIT_FAILURE;
|
|
+ }
|
|
+
|
|
return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
|
|
}
|
|
|
|
--
|
|
1.8.1.4
|
|
|