Line data Source code
1 : /*
2 : Authors:
3 : Jakub Hrozek <jhrozek@redhat.com>
4 :
5 : Copyright (C) 2015 Red Hat
6 :
7 : SSSD tests: IPA subdomain server utils tests
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include <talloc.h>
24 : #include <tevent.h>
25 : #include <errno.h>
26 : #include <popt.h>
27 : #include <stdlib.h>
28 :
29 : #include <sys/types.h>
30 : #include <ifaddrs.h>
31 : #include <arpa/inet.h>
32 :
33 : #define TESTS_PATH "tp_" BASE_FILE_STEM
34 :
35 : #include "providers/ipa/ipa_subdomains.h"
36 : #include "providers/ipa/ipa_opts.h"
37 : #include "providers/data_provider.h"
38 : #include "tests/cmocka/common_mock.h"
39 : #include "tests/cmocka/common_mock_resp.h"
40 : #include "tests/cmocka/common_mock_krb5.h"
41 : #include "tests/cmocka/common_mock_sdap.h"
42 : #include "tests/cmocka/common_mock_be.h"
43 :
44 : #define DOM_REALM "DOM.MAIN"
45 : #define HOSTNAME "ipaserver.dom.main"
46 : #define DOM_FLAT "DOM"
47 :
48 : #define TEST_AUTHID "host/"HOSTNAME
49 : #define KEYTAB_TEST_PRINC TEST_AUTHID"@"DOM_REALM
50 : #define KEYTAB_PATH TEST_DIR"/"TESTS_PATH"/keytab_test.keytab"
51 :
52 : #define SUBDOM_NAME "twoway.subdom.test"
53 : #define SUBDOM_REALM "TWOWAY.SUBDOM.TEST"
54 : #define SUBDOM_FLAT "TWOWAY"
55 : #define SUBDOM_SID "S-1-2-3"
56 :
57 : #define CHILD_NAME "child."SUBDOM_NAME
58 : #define CHILD_REALM "CHILD."SUBDOM_REALM
59 : #define CHILD_FLAT "CHILD"
60 : #define CHILD_SID "S-1-2-3-4"
61 :
62 : #define TEST_CONF_DB "test_ipa_subdom_server.ldb"
63 : #define TEST_DOM_NAME "ipa_subdom_server_test"
64 : #define TEST_ID_PROVIDER "ipa"
65 :
66 : #define ONEWAY_KEYTAB TEST_DIR"/"TESTS_PATH"/"SUBDOM_REALM".keytab"
67 : #define ONEWAY_PRINC DOM_FLAT"$"
68 : #define ONEWAY_AUTHID ONEWAY_PRINC"@"SUBDOM_REALM
69 :
70 : static bool global_rename_called;
71 :
72 4 : krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id)
73 : {
74 4 : return krb5_kt_resolve(context, KEYTAB_PATH, id);
75 : }
76 :
77 2 : static void create_dummy_keytab(const char *dummy_kt)
78 : {
79 : errno_t ret;
80 :
81 2 : assert_non_null(dummy_kt);
82 2 : mock_keytab_with_contents(global_talloc_context,
83 : dummy_kt, ONEWAY_AUTHID);
84 :
85 2 : ret = access(dummy_kt, R_OK);
86 2 : assert_int_equal(ret, 0);
87 2 : }
88 :
89 0 : static int wrap_exec(void)
90 : {
91 : const char *test_kt;
92 : const char *fail_creating_kt;
93 :
94 0 : test_kt = getenv("TEST_KT_ENV");
95 0 : if (test_kt == NULL) {
96 0 : _exit(1);
97 : }
98 0 : unsetenv("TEST_KT_ENV");
99 :
100 0 : fail_creating_kt = getenv("KT_CREATE_FAIL");
101 0 : if (fail_creating_kt != NULL) {
102 0 : _exit(1);
103 : }
104 :
105 0 : create_dummy_keytab(test_kt);
106 0 : _exit(0);
107 :
108 : return 1; /* Should not happen */
109 : }
110 :
111 0 : int __wrap_execle(const char *path, const char *arg, ...)
112 : {
113 0 : return wrap_exec();
114 : }
115 :
116 0 : int __wrap_execve(const char *path, const char *arg, ...)
117 : {
118 0 : return wrap_exec();
119 : }
120 :
121 : errno_t __real_sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl);
122 :
123 9 : errno_t __wrap_sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl)
124 : {
125 : int ret;
126 : int sret;
127 :
128 9 : ret = __real_sss_unique_filename(owner, path_tmpl);
129 9 : if (ret == EOK) {
130 :
131 9 : sret = setenv("TEST_KT_ENV", path_tmpl, 1);
132 9 : assert_int_equal(sret, 0);
133 : }
134 9 : return ret;
135 : }
136 :
137 : int __real_rename(const char *old, const char *new);
138 :
139 6 : int __wrap_rename(const char *old, const char *new)
140 : {
141 6 : global_rename_called = true;
142 6 : return __real_rename(old, new);
143 : }
144 :
145 : struct trust_test_ctx {
146 : struct sss_test_ctx *tctx;
147 : struct be_ctx *be_ctx;
148 :
149 : struct ipa_id_ctx *ipa_ctx;
150 : bool expect_rename;
151 : };
152 :
153 7 : static struct ipa_id_ctx *mock_ipa_ctx(TALLOC_CTX *mem_ctx,
154 : struct be_ctx *be_ctx,
155 : struct sss_test_ctx *tctx,
156 : const char *krb5_realm,
157 : const char *hostname)
158 : {
159 : struct ipa_id_ctx *ipa_ctx;
160 : errno_t ret;
161 :
162 7 : ipa_ctx = talloc_zero(mem_ctx, struct ipa_id_ctx);
163 7 : assert_non_null(ipa_ctx);
164 :
165 7 : ipa_ctx->ipa_options = talloc_zero(ipa_ctx, struct ipa_options);
166 7 : assert_non_null(ipa_ctx->ipa_options);
167 :
168 7 : ipa_ctx->ipa_options->id = talloc_zero(ipa_ctx->ipa_options,
169 : struct sdap_options);
170 7 : assert_non_null(ipa_ctx->ipa_options->id);
171 :
172 7 : ret = sdap_copy_map(ipa_ctx->ipa_options->id,
173 : ipa_user_map,
174 : SDAP_OPTS_USER,
175 7 : &ipa_ctx->ipa_options->id->user_map);
176 7 : assert_int_equal(ret, ERR_OK);
177 :
178 14 : ret = dp_get_options(ipa_ctx->ipa_options->id,
179 : tctx->confdb,
180 7 : tctx->conf_dom_path,
181 : ipa_def_ldap_opts,
182 : SDAP_OPTS_BASIC,
183 7 : &ipa_ctx->ipa_options->id->basic);
184 7 : assert_int_equal(ret, EOK);
185 :
186 14 : ret = dp_get_options(ipa_ctx->ipa_options->basic,
187 : tctx->confdb,
188 7 : tctx->conf_dom_path,
189 : ipa_basic_opts,
190 : IPA_OPTS_BASIC,
191 7 : &ipa_ctx->ipa_options->basic);
192 7 : assert_int_equal(ret, EOK);
193 :
194 7 : ret = dp_opt_set_string(ipa_ctx->ipa_options->basic,
195 : IPA_KRB5_REALM, krb5_realm);
196 7 : assert_int_equal(ret, EOK);
197 :
198 7 : ret = dp_opt_set_string(ipa_ctx->ipa_options->basic,
199 : IPA_HOSTNAME, hostname);
200 7 : assert_int_equal(ret, EOK);
201 :
202 7 : ret = dp_opt_set_bool(ipa_ctx->ipa_options->basic,
203 : IPA_SERVER_MODE, true);
204 7 : assert_int_equal(ret, EOK);
205 :
206 7 : ipa_ctx->sdap_id_ctx = mock_sdap_id_ctx(ipa_ctx, be_ctx,
207 7 : ipa_ctx->ipa_options->id);
208 7 : assert_non_null(ipa_ctx->sdap_id_ctx);
209 :
210 7 : return ipa_ctx;
211 : }
212 :
213 7 : static struct ipa_server_mode_ctx *mock_server_mode(TALLOC_CTX *mem_ctx)
214 : {
215 : struct ipa_server_mode_ctx *server_mode;
216 :
217 7 : server_mode = talloc_zero(mem_ctx, struct ipa_server_mode_ctx);
218 7 : assert_non_null(server_mode);
219 :
220 7 : server_mode->hostname = HOSTNAME;
221 7 : server_mode->realm = DOM_REALM;
222 :
223 7 : return server_mode;
224 : }
225 :
226 7 : static void add_test_subdomains(struct trust_test_ctx *test_ctx,
227 : uint32_t direction)
228 : {
229 : errno_t
230 :
231 : /* Add two subdomains */
232 7 : ret = sysdb_subdomain_store(test_ctx->tctx->sysdb,
233 : SUBDOM_NAME, SUBDOM_REALM,
234 : NULL, SUBDOM_SID,
235 : true, false, SUBDOM_REALM,
236 : direction);
237 7 : assert_int_equal(ret, EOK);
238 :
239 7 : ret = sysdb_subdomain_store(test_ctx->tctx->sysdb,
240 : CHILD_NAME, CHILD_REALM,
241 : CHILD_FLAT, CHILD_SID,
242 : true, false, SUBDOM_REALM,
243 : direction);
244 7 : assert_int_equal(ret, EOK);
245 :
246 7 : ret = sysdb_update_subdomains(test_ctx->tctx->dom);
247 7 : assert_int_equal(ret, EOK);
248 :
249 7 : }
250 :
251 2 : static void add_test_2way_subdomains(struct trust_test_ctx *test_ctx)
252 : {
253 2 : return add_test_subdomains(test_ctx, 0x1 | 0x2);
254 : }
255 :
256 5 : static void add_test_1way_subdomains(struct trust_test_ctx *test_ctx)
257 : {
258 5 : return add_test_subdomains(test_ctx, 0x1);
259 : }
260 :
261 7 : static int test_ipa_server_create_trusts_setup(void **state)
262 : {
263 : errno_t ret;
264 : struct trust_test_ctx *test_ctx;
265 7 : struct sss_test_conf_param params[] = {
266 : { NULL, NULL }, /* Sentinel */
267 : };
268 :
269 7 : test_ctx = talloc_zero(NULL,
270 : struct trust_test_ctx);
271 7 : assert_non_null(test_ctx);
272 :
273 7 : test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH,
274 : TEST_CONF_DB, TEST_DOM_NAME,
275 : TEST_ID_PROVIDER, params);
276 7 : assert_non_null(test_ctx->tctx);
277 7 : test_ctx->tctx->dom->flat_name = discard_const(DOM_FLAT);
278 7 : test_ctx->tctx->dom->realm = discard_const(DOM_REALM);
279 :
280 7 : test_ctx->be_ctx = mock_be_ctx(test_ctx, test_ctx->tctx);
281 7 : assert_non_null(test_ctx->be_ctx);
282 :
283 7 : test_ctx->ipa_ctx = mock_ipa_ctx(test_ctx, test_ctx->be_ctx, test_ctx->tctx,
284 : DOM_REALM, HOSTNAME);
285 7 : assert_non_null(test_ctx->tctx);
286 :
287 7 : test_ctx->ipa_ctx->server_mode = mock_server_mode(test_ctx->ipa_ctx);
288 7 : assert_non_null(test_ctx->ipa_ctx->server_mode);
289 :
290 7 : ret = be_init_failover(test_ctx->be_ctx);
291 7 : assert_int_equal(ret, EOK);
292 :
293 7 : mock_keytab_with_contents(test_ctx, KEYTAB_PATH, KEYTAB_TEST_PRINC);
294 :
295 7 : global_rename_called = false;
296 :
297 7 : *state = test_ctx;
298 7 : return 0;
299 : }
300 :
301 7 : static int test_ipa_server_create_trusts_teardown(void **state)
302 : {
303 7 : struct trust_test_ctx *test_ctx =
304 7 : talloc_get_type(*state, struct trust_test_ctx);
305 : errno_t ret;
306 :
307 7 : ret = unlink(KEYTAB_PATH);
308 7 : assert_int_equal(ret, 0);
309 :
310 7 : unlink(ONEWAY_KEYTAB);
311 : /* Ignore failures */
312 :
313 : /* If a test needs this variable, it should be set again in
314 : * each test
315 : */
316 7 : unsetenv("KT_CREATE_FAIL");
317 :
318 7 : talloc_free(test_ctx);
319 7 : return 0;
320 : }
321 :
322 : static void test_ipa_server_create_trusts_none(struct tevent_req *req);
323 : static void test_ipa_server_create_trusts_twoway(struct tevent_req *req);
324 :
325 1 : static void test_ipa_server_create_trusts(void **state)
326 : {
327 1 : struct trust_test_ctx *test_ctx =
328 1 : talloc_get_type(*state, struct trust_test_ctx);
329 : struct tevent_req *req;
330 : errno_t ret;
331 :
332 2 : req = ipa_server_create_trusts_send(test_ctx,
333 1 : test_ctx->tctx->ev,
334 : test_ctx->be_ctx,
335 : test_ctx->ipa_ctx,
336 1 : test_ctx->be_ctx->domain);
337 1 : assert_non_null(req);
338 :
339 1 : tevent_req_set_callback(req, test_ipa_server_create_trusts_none, test_ctx);
340 :
341 1 : ret = test_ev_loop(test_ctx->tctx);
342 1 : assert_int_equal(ret, ERR_OK);
343 1 : }
344 :
345 1 : static void test_ipa_server_create_trusts_none(struct tevent_req *req)
346 : {
347 1 : struct trust_test_ctx *test_ctx = \
348 1 : tevent_req_callback_data(req, struct trust_test_ctx);
349 : errno_t ret;
350 :
351 1 : ret = ipa_server_create_trusts_recv(req);
352 1 : talloc_zfree(req);
353 1 : assert_int_equal(ret, EOK);
354 :
355 : /* Add two subdomains */
356 1 : add_test_2way_subdomains(test_ctx);
357 :
358 2 : req = ipa_server_create_trusts_send(test_ctx,
359 1 : test_ctx->tctx->ev,
360 : test_ctx->be_ctx,
361 : test_ctx->ipa_ctx,
362 1 : test_ctx->be_ctx->domain);
363 1 : assert_non_null(req);
364 :
365 1 : tevent_req_set_callback(req, test_ipa_server_create_trusts_twoway, test_ctx);
366 :
367 1 : }
368 :
369 11 : static void assert_trust_object(struct ipa_ad_server_ctx *trust,
370 : const char *dom_name,
371 : const char *dom_realm,
372 : const char *sid,
373 : const char *keytab,
374 : const char *authid,
375 : const char *sdap_realm)
376 : {
377 : const char *s;
378 :
379 11 : assert_non_null(trust);
380 11 : assert_non_null(trust->dom);
381 11 : assert_string_equal(trust->dom->name, dom_name);
382 11 : assert_string_equal(trust->dom->domain_id, sid);
383 :
384 11 : s = dp_opt_get_string(trust->ad_id_ctx->ad_options->basic,
385 : AD_KRB5_REALM);
386 11 : if (dom_realm != NULL) {
387 11 : assert_non_null(s);
388 11 : assert_string_equal(s, dom_realm);
389 : } else {
390 0 : assert_null(s);
391 : }
392 :
393 11 : s = dp_opt_get_string(trust->ad_id_ctx->ad_options->basic,
394 : AD_DOMAIN);
395 11 : if (dom_name != NULL) {
396 11 : assert_non_null(s);
397 11 : assert_string_equal(s, dom_name);
398 : } else {
399 0 : assert_null(s);
400 : }
401 :
402 : /* the system keytab is always used with two-way trusts */
403 11 : s = dp_opt_get_string(trust->ad_id_ctx->ad_options->id->basic,
404 : SDAP_KRB5_KEYTAB);
405 11 : if (keytab != NULL) {
406 6 : assert_non_null(s);
407 6 : assert_string_equal(s, keytab);
408 : } else {
409 5 : assert_null(s);
410 : }
411 :
412 11 : s = dp_opt_get_string(trust->ad_id_ctx->ad_options->id->basic,
413 : SDAP_SASL_REALM);
414 11 : if (sdap_realm != NULL) {
415 11 : assert_non_null(s);
416 11 : assert_string_equal(s, sdap_realm);
417 : } else {
418 0 : assert_null(s);
419 : }
420 :
421 11 : s = dp_opt_get_string(trust->ad_id_ctx->ad_options->id->basic,
422 : SDAP_SASL_AUTHID);
423 11 : if (authid != NULL) {
424 11 : assert_non_null(s);
425 11 : assert_string_equal(s, authid);
426 : } else {
427 0 : assert_null(s);
428 : }
429 11 : }
430 :
431 1 : static void test_ipa_server_create_trusts_twoway(struct tevent_req *req)
432 : {
433 1 : struct trust_test_ctx *test_ctx = \
434 1 : tevent_req_callback_data(req, struct trust_test_ctx);
435 : errno_t ret;
436 : struct sss_domain_info *child_dom;
437 :
438 1 : ret = ipa_server_create_trusts_recv(req);
439 1 : talloc_zfree(req);
440 1 : assert_int_equal(ret, EOK);
441 :
442 : /* Trust object should be around now */
443 1 : assert_non_null(test_ctx->ipa_ctx->server_mode->trusts);
444 :
445 : /* Two-way trusts should use the system realm */
446 1 : assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts,
447 : CHILD_NAME,
448 : DOM_REALM,
449 : CHILD_SID,
450 : NULL,
451 : TEST_AUTHID,
452 : DOM_REALM);
453 :
454 1 : assert_non_null(test_ctx->ipa_ctx->server_mode->trusts->next);
455 :
456 1 : assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts->next,
457 : SUBDOM_NAME,
458 : DOM_REALM,
459 : SUBDOM_SID,
460 : NULL,
461 : TEST_AUTHID,
462 : DOM_REALM);
463 :
464 : /* No more trust objects */
465 1 : assert_null(test_ctx->ipa_ctx->server_mode->trusts->next->next);
466 :
467 1 : ret = sysdb_subdomain_delete(test_ctx->tctx->sysdb, CHILD_NAME);
468 1 : assert_int_equal(ret, EOK);
469 :
470 1 : child_dom = find_domain_by_name(test_ctx->be_ctx->domain, CHILD_NAME, true);
471 1 : assert_non_null(child_dom);
472 :
473 1 : ipa_ad_subdom_remove(test_ctx->be_ctx, test_ctx->ipa_ctx, child_dom);
474 :
475 1 : assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts,
476 : SUBDOM_NAME,
477 : DOM_REALM,
478 : SUBDOM_SID,
479 : NULL,
480 : TEST_AUTHID,
481 : DOM_REALM);
482 1 : assert_null(test_ctx->ipa_ctx->server_mode->trusts->next);
483 :
484 1 : test_ev_done(test_ctx->tctx, EOK);
485 1 : }
486 :
487 : static void
488 2 : ipa_server_init_done(struct tevent_context *ev,
489 : struct tevent_timer *te,
490 : struct timeval tv, void *pvt)
491 : {
492 2 : struct trust_test_ctx *test_ctx =
493 : talloc_get_type(pvt, struct trust_test_ctx);
494 :
495 2 : test_ctx->tctx->done = true;
496 2 : }
497 :
498 1 : static void test_ipa_server_trust_init(void **state)
499 : {
500 1 : struct trust_test_ctx *test_ctx =
501 1 : talloc_get_type(*state, struct trust_test_ctx);
502 : errno_t ret;
503 : struct tevent_timer *timeout_handler;
504 : struct timeval tv;
505 :
506 1 : add_test_2way_subdomains(test_ctx);
507 :
508 1 : ret = ipa_ad_subdom_init(test_ctx->be_ctx, test_ctx->ipa_ctx);
509 1 : assert_int_equal(ret, EOK);
510 :
511 1 : tv = tevent_timeval_current_ofs(1, 0);
512 1 : timeout_handler = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv,
513 : ipa_server_init_done, test_ctx);
514 1 : assert_non_null(timeout_handler);
515 :
516 1 : ret = test_ev_loop(test_ctx->tctx);
517 1 : assert_int_equal(ret, ERR_OK);
518 :
519 1 : assert_non_null(test_ctx->ipa_ctx->server_mode->trusts);
520 :
521 : /* Trust object should be around now */
522 1 : assert_non_null(test_ctx->ipa_ctx->server_mode->trusts);
523 :
524 : /* Two-way trusts should use the system realm */
525 1 : assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts,
526 : CHILD_NAME,
527 : DOM_REALM,
528 : CHILD_SID,
529 : NULL,
530 : TEST_AUTHID,
531 : DOM_REALM);
532 :
533 1 : assert_non_null(test_ctx->ipa_ctx->server_mode->trusts->next);
534 :
535 1 : assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts->next,
536 : SUBDOM_NAME,
537 : DOM_REALM,
538 : SUBDOM_SID,
539 : NULL,
540 : TEST_AUTHID,
541 : DOM_REALM);
542 :
543 : /* No more trust objects */
544 1 : assert_null(test_ctx->ipa_ctx->server_mode->trusts->next->next);
545 1 : }
546 :
547 : struct dir_test_ctx {
548 : struct ldb_context *ldb;
549 : struct sysdb_attrs *tdo;
550 : };
551 :
552 5 : static int test_get_trust_direction_setup(void **state)
553 : {
554 : struct dir_test_ctx *test_ctx;
555 :
556 5 : test_ctx = talloc_zero(global_talloc_context,
557 : struct dir_test_ctx);
558 5 : assert_non_null(test_ctx);
559 :
560 5 : test_ctx->ldb = ldb_init(test_ctx, NULL);
561 5 : assert_non_null(test_ctx->ldb);
562 :
563 5 : test_ctx->tdo = sysdb_new_attrs(test_ctx);
564 5 : assert_non_null(test_ctx->tdo);
565 :
566 5 : *state = test_ctx;
567 5 : return 0;
568 : }
569 :
570 5 : static int test_get_trust_direction_teardown(void **state)
571 : {
572 5 : struct dir_test_ctx *test_ctx =
573 5 : talloc_get_type(*state, struct dir_test_ctx);
574 :
575 5 : talloc_free(test_ctx);
576 5 : return 0;
577 : }
578 :
579 : /* These are stupid tests, but test real data */
580 3 : static void test_trust_dir_getset(struct dir_test_ctx *test_ctx,
581 : uint32_t dir_in)
582 : {
583 : errno_t ret;
584 : uint32_t dir;
585 :
586 3 : ret = sysdb_attrs_add_uint32(test_ctx->tdo, IPA_TRUST_DIRECTION, dir_in);
587 3 : assert_int_equal(ret, EOK);
588 :
589 3 : ret = ipa_server_get_trust_direction(test_ctx->tdo, test_ctx->ldb, &dir);
590 3 : assert_int_equal(ret, EOK);
591 3 : assert_int_equal(dir, dir_in);
592 3 : }
593 :
594 1 : static void test_get_trust_direction_inbound(void **state)
595 : {
596 1 : struct dir_test_ctx *test_ctx =
597 1 : talloc_get_type(*state, struct dir_test_ctx);
598 :
599 1 : test_trust_dir_getset(test_ctx, 0x1);
600 1 : }
601 :
602 1 : static void test_get_trust_direction_outbound(void **state)
603 : {
604 1 : struct dir_test_ctx *test_ctx =
605 1 : talloc_get_type(*state, struct dir_test_ctx);
606 :
607 1 : test_trust_dir_getset(test_ctx, 0x2);
608 1 : }
609 :
610 1 : static void test_get_trust_direction_twoway(void **state)
611 : {
612 1 : struct dir_test_ctx *test_ctx =
613 1 : talloc_get_type(*state, struct dir_test_ctx);
614 :
615 1 : test_trust_dir_getset(test_ctx, 0x1 | 0x2);
616 1 : }
617 :
618 1 : static void test_get_trust_direction_notset_root(void **state)
619 : {
620 : errno_t ret;
621 : uint32_t dir;
622 1 : struct dir_test_ctx *test_ctx =
623 1 : talloc_get_type(*state, struct dir_test_ctx);
624 :
625 1 : ret = sysdb_attrs_add_string(test_ctx->tdo, SYSDB_ORIG_DN,
626 : "cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com");
627 1 : assert_int_equal(ret, EOK);
628 :
629 1 : ret = ipa_server_get_trust_direction(test_ctx->tdo, test_ctx->ldb, &dir);
630 1 : assert_int_equal(ret, EOK);
631 :
632 : /* With root domains we assume two-way trust */
633 1 : assert_int_equal(dir, 0x1 | 0x2);
634 1 : }
635 :
636 1 : static void test_get_trust_direction_notset_member(void **state)
637 : {
638 : errno_t ret;
639 : uint32_t dir;
640 1 : struct dir_test_ctx *test_ctx =
641 1 : talloc_get_type(*state, struct dir_test_ctx);
642 :
643 1 : ret = sysdb_attrs_add_string(test_ctx->tdo, SYSDB_ORIG_DN,
644 : "cn=SUB.AD.DOM,cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com");
645 1 : assert_int_equal(ret, EOK);
646 :
647 1 : ret = ipa_server_get_trust_direction(test_ctx->tdo, test_ctx->ldb, &dir);
648 1 : assert_int_equal(ret, EOK);
649 :
650 : /* With members we set zero and take a look at the parent */
651 1 : assert_int_equal(dir, 0);
652 1 : }
653 :
654 : static void test_ipa_server_create_trusts_oneway(struct tevent_req *req);
655 :
656 1 : static void test_ipa_server_create_oneway(void **state)
657 : {
658 1 : struct trust_test_ctx *test_ctx =
659 1 : talloc_get_type(*state, struct trust_test_ctx);
660 : struct tevent_req *req;
661 : errno_t ret;
662 :
663 1 : add_test_1way_subdomains(test_ctx);
664 :
665 1 : ret = access(ONEWAY_KEYTAB, R_OK);
666 1 : assert_int_not_equal(ret, 0);
667 :
668 1 : assert_null(test_ctx->ipa_ctx->server_mode->trusts);
669 :
670 1 : test_ctx->expect_rename = true;
671 :
672 2 : req = ipa_server_create_trusts_send(test_ctx,
673 1 : test_ctx->tctx->ev,
674 : test_ctx->be_ctx,
675 : test_ctx->ipa_ctx,
676 1 : test_ctx->be_ctx->domain);
677 1 : assert_non_null(req);
678 :
679 1 : tevent_req_set_callback(req, test_ipa_server_create_trusts_oneway, test_ctx);
680 :
681 1 : ret = test_ev_loop(test_ctx->tctx);
682 1 : assert_int_equal(ret, ERR_OK);
683 1 : }
684 :
685 3 : static void test_ipa_server_create_trusts_oneway(struct tevent_req *req)
686 : {
687 3 : struct trust_test_ctx *test_ctx = \
688 3 : tevent_req_callback_data(req, struct trust_test_ctx);
689 : errno_t ret;
690 :
691 3 : ret = ipa_server_create_trusts_recv(req);
692 3 : talloc_zfree(req);
693 3 : assert_int_equal(ret, EOK);
694 :
695 3 : assert_true(test_ctx->expect_rename == global_rename_called);
696 :
697 3 : ret = access(ONEWAY_KEYTAB, R_OK);
698 3 : assert_int_equal(ret, 0);
699 :
700 : /* Trust object should be around now */
701 3 : assert_non_null(test_ctx->ipa_ctx->server_mode->trusts);
702 :
703 3 : assert_trust_object(
704 3 : test_ctx->ipa_ctx->server_mode->trusts,
705 : CHILD_NAME, /* AD domain name */
706 : CHILD_REALM, /* AD realm can be child if SDAP realm is parent's */
707 : CHILD_SID,
708 : ONEWAY_KEYTAB, /* Keytab shared with parent AD dom */
709 : ONEWAY_PRINC, /* Principal shared with parent AD dom */
710 : SUBDOM_REALM); /* SDAP realm must be AD root domain */
711 :
712 3 : assert_non_null(test_ctx->ipa_ctx->server_mode->trusts->next);
713 :
714 : /* Here all properties point to the AD domain */
715 3 : assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts->next,
716 : SUBDOM_NAME,
717 : SUBDOM_REALM,
718 : SUBDOM_SID,
719 : ONEWAY_KEYTAB,
720 : ONEWAY_PRINC,
721 : SUBDOM_REALM);
722 :
723 3 : assert_null(test_ctx->ipa_ctx->server_mode->trusts->next->next);
724 3 : test_ev_done(test_ctx->tctx, EOK);
725 3 : }
726 :
727 1 : static void test_ipa_server_create_oneway_kt_exists(void **state)
728 : {
729 1 : struct trust_test_ctx *test_ctx =
730 1 : talloc_get_type(*state, struct trust_test_ctx);
731 : struct tevent_req *req;
732 : errno_t ret;
733 :
734 1 : add_test_1way_subdomains(test_ctx);
735 :
736 1 : create_dummy_keytab(ONEWAY_KEYTAB);
737 1 : ret = access(ONEWAY_KEYTAB, R_OK);
738 1 : assert_int_equal(ret, 0);
739 :
740 1 : test_ctx->expect_rename = true;
741 :
742 1 : assert_null(test_ctx->ipa_ctx->server_mode->trusts);
743 :
744 2 : req = ipa_server_create_trusts_send(test_ctx,
745 1 : test_ctx->tctx->ev,
746 : test_ctx->be_ctx,
747 : test_ctx->ipa_ctx,
748 1 : test_ctx->be_ctx->domain);
749 1 : assert_non_null(req);
750 :
751 1 : tevent_req_set_callback(req, test_ipa_server_create_trusts_oneway, test_ctx);
752 :
753 1 : ret = test_ev_loop(test_ctx->tctx);
754 1 : assert_int_equal(ret, ERR_OK);
755 1 : }
756 :
757 : /* Test scenario where a keytab already exists, but refresh fails. In this case,
758 : * sssd should attempt to reuse the previous keytab
759 : */
760 1 : static void test_ipa_server_create_oneway_kt_refresh_fallback(void **state)
761 : {
762 1 : struct trust_test_ctx *test_ctx =
763 1 : talloc_get_type(*state, struct trust_test_ctx);
764 : struct tevent_req *req;
765 : errno_t ret;
766 :
767 1 : add_test_1way_subdomains(test_ctx);
768 :
769 1 : create_dummy_keytab(ONEWAY_KEYTAB);
770 1 : ret = access(ONEWAY_KEYTAB, R_OK);
771 1 : assert_int_equal(ret, 0);
772 :
773 1 : setenv("KT_CREATE_FAIL", "1", 1);
774 1 : test_ctx->expect_rename = false;
775 :
776 1 : assert_null(test_ctx->ipa_ctx->server_mode->trusts);
777 :
778 2 : req = ipa_server_create_trusts_send(test_ctx,
779 1 : test_ctx->tctx->ev,
780 : test_ctx->be_ctx,
781 : test_ctx->ipa_ctx,
782 1 : test_ctx->be_ctx->domain);
783 1 : assert_non_null(req);
784 :
785 1 : tevent_req_set_callback(req, test_ipa_server_create_trusts_oneway, test_ctx);
786 :
787 1 : ret = test_ev_loop(test_ctx->tctx);
788 1 : assert_int_equal(ret, ERR_OK);
789 1 : }
790 :
791 : /* Tests case where there's no keytab and retrieving fails. Just fail the
792 : * request in that case
793 : */
794 : static void test_ipa_server_create_trusts_oneway_fail(struct tevent_req *req);
795 :
796 1 : static void test_ipa_server_create_oneway_kt_refresh_fail(void **state)
797 : {
798 1 : struct trust_test_ctx *test_ctx =
799 1 : talloc_get_type(*state, struct trust_test_ctx);
800 : struct tevent_req *req;
801 : errno_t ret;
802 :
803 1 : add_test_1way_subdomains(test_ctx);
804 :
805 1 : setenv("KT_CREATE_FAIL", "1", 1);
806 1 : test_ctx->expect_rename = false;
807 :
808 1 : assert_null(test_ctx->ipa_ctx->server_mode->trusts);
809 :
810 2 : req = ipa_server_create_trusts_send(test_ctx,
811 1 : test_ctx->tctx->ev,
812 : test_ctx->be_ctx,
813 : test_ctx->ipa_ctx,
814 1 : test_ctx->be_ctx->domain);
815 1 : assert_non_null(req);
816 :
817 1 : tevent_req_set_callback(req,
818 : test_ipa_server_create_trusts_oneway_fail,
819 : test_ctx);
820 :
821 1 : ret = test_ev_loop(test_ctx->tctx);
822 1 : assert_int_equal(ret, ERR_OK);
823 1 : }
824 :
825 1 : static void test_ipa_server_create_trusts_oneway_fail(struct tevent_req *req)
826 : {
827 1 : struct trust_test_ctx *test_ctx = \
828 1 : tevent_req_callback_data(req, struct trust_test_ctx);
829 : errno_t ret;
830 :
831 1 : ret = ipa_server_create_trusts_recv(req);
832 1 : assert_int_not_equal(ret, EOK);
833 :
834 1 : assert_true(test_ctx->expect_rename == global_rename_called);
835 :
836 1 : test_ev_done(test_ctx->tctx, EOK);
837 1 : }
838 :
839 1 : static void test_ipa_server_trust_oneway_init(void **state)
840 : {
841 1 : struct trust_test_ctx *test_ctx =
842 1 : talloc_get_type(*state, struct trust_test_ctx);
843 : errno_t ret;
844 : struct tevent_timer *timeout_handler;
845 : struct timeval tv;
846 :
847 1 : add_test_1way_subdomains(test_ctx);
848 :
849 1 : ret = ipa_ad_subdom_init(test_ctx->be_ctx, test_ctx->ipa_ctx);
850 1 : assert_int_equal(ret, EOK);
851 :
852 1 : tv = tevent_timeval_current_ofs(1, 0);
853 1 : timeout_handler = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv,
854 : ipa_server_init_done, test_ctx);
855 1 : assert_non_null(timeout_handler);
856 :
857 1 : ret = test_ev_loop(test_ctx->tctx);
858 1 : assert_int_equal(ret, ERR_OK);
859 :
860 1 : assert_non_null(test_ctx->ipa_ctx->server_mode->trusts);
861 1 : }
862 :
863 1 : static void test_ipa_trust_dir2str(void **state)
864 : {
865 : /* Just make sure the caller can rely on getting a valid string.. */
866 1 : assert_non_null(ipa_trust_dir2str(0x00));
867 1 : assert_non_null(ipa_trust_dir2str(0x01));
868 1 : assert_non_null(ipa_trust_dir2str(0x02));
869 1 : assert_non_null(ipa_trust_dir2str(0x80));
870 1 : }
871 :
872 1 : int main(int argc, const char *argv[])
873 : {
874 : int rv;
875 1 : int no_cleanup = 0;
876 : poptContext pc;
877 : int opt;
878 7 : struct poptOption long_options[] = {
879 : POPT_AUTOHELP
880 5 : SSSD_DEBUG_OPTS
881 : { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
882 1 : _("Do not delete the test database after a test run"), NULL },
883 : POPT_TABLEEND
884 : };
885 :
886 1 : const struct CMUnitTest tests[] = {
887 : cmocka_unit_test(test_ipa_trust_dir2str),
888 :
889 : cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway,
890 : test_ipa_server_create_trusts_setup,
891 : test_ipa_server_create_trusts_teardown),
892 : cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_exists,
893 : test_ipa_server_create_trusts_setup,
894 : test_ipa_server_create_trusts_teardown),
895 : cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_refresh_fallback,
896 : test_ipa_server_create_trusts_setup,
897 : test_ipa_server_create_trusts_teardown),
898 : cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_refresh_fail,
899 : test_ipa_server_create_trusts_setup,
900 : test_ipa_server_create_trusts_teardown),
901 : cmocka_unit_test_setup_teardown(test_ipa_server_trust_oneway_init,
902 : test_ipa_server_create_trusts_setup,
903 : test_ipa_server_create_trusts_teardown),
904 :
905 : cmocka_unit_test_setup_teardown(test_ipa_server_trust_init,
906 : test_ipa_server_create_trusts_setup,
907 : test_ipa_server_create_trusts_teardown),
908 : cmocka_unit_test_setup_teardown(test_ipa_server_create_trusts,
909 : test_ipa_server_create_trusts_setup,
910 : test_ipa_server_create_trusts_teardown),
911 :
912 : cmocka_unit_test_setup_teardown(test_get_trust_direction_inbound,
913 : test_get_trust_direction_setup,
914 : test_get_trust_direction_teardown),
915 : cmocka_unit_test_setup_teardown(test_get_trust_direction_outbound,
916 : test_get_trust_direction_setup,
917 : test_get_trust_direction_teardown),
918 : cmocka_unit_test_setup_teardown(test_get_trust_direction_twoway,
919 : test_get_trust_direction_setup,
920 : test_get_trust_direction_teardown),
921 : cmocka_unit_test_setup_teardown(test_get_trust_direction_notset_root,
922 : test_get_trust_direction_setup,
923 : test_get_trust_direction_teardown),
924 : cmocka_unit_test_setup_teardown(test_get_trust_direction_notset_member,
925 : test_get_trust_direction_setup,
926 : test_get_trust_direction_teardown),
927 : };
928 :
929 : /* Set debug level to invalid value so we can deside if -d 0 was used. */
930 1 : debug_level = SSSDBG_INVALID;
931 :
932 1 : pc = poptGetContext(argv[0], argc, argv, long_options, 0);
933 1 : while((opt = poptGetNextOpt(pc)) != -1) {
934 : switch(opt) {
935 : default:
936 0 : fprintf(stderr, "\nInvalid option %s: %s\n\n",
937 : poptBadOption(pc, 0), poptStrerror(opt));
938 0 : poptPrintUsage(pc, stderr, 0);
939 0 : return 1;
940 : }
941 : }
942 1 : poptFreeContext(pc);
943 :
944 1 : DEBUG_CLI_INIT(debug_level);
945 :
946 : /* Even though normally the tests should clean up after themselves
947 : * they might not after a failed run. Remove the old db to be sure */
948 1 : tests_set_cwd();
949 1 : test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
950 1 : test_dom_suite_setup(TESTS_PATH);
951 :
952 1 : rv = cmocka_run_group_tests(tests, NULL, NULL);
953 1 : if (rv == 0 && !no_cleanup) {
954 1 : test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
955 : }
956 :
957 1 : return rv;
958 : }
|
