Line data Source code
1 : /*
2 : SSSD
3 :
4 : Authors:
5 : Stephen Gallagher <sgallagh@redhat.com>
6 :
7 : Copyright (C) 2011 Red Hat
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 : #include <stdlib.h>
23 : #include <check.h>
24 : #include <unistd.h>
25 : #include <sys/types.h>
26 : #include <sys/stat.h>
27 : #include <talloc.h>
28 :
29 : #include "tests/common_check.h"
30 : #include "providers/ipa/ipa_hbac.h"
31 :
32 : #define HBAC_TEST_USER "testuser"
33 : #define HBAC_TEST_INVALID_USER "nosuchuser"
34 :
35 : #define HBAC_TEST_GROUP1 "testgroup1"
36 : #define HBAC_TEST_GROUP2 "testgroup2"
37 : #define HBAC_TEST_INVALID_GROUP "nosuchgroup"
38 :
39 : #define HBAC_TEST_SERVICE "testservice"
40 : #define HBAC_TEST_INVALID_SERVICE "nosuchservice"
41 :
42 : #define HBAC_TEST_SERVICEGROUP1 "login_services"
43 : #define HBAC_TEST_SERVICEGROUP2 "all_services"
44 : #define HBAC_TEST_INVALID_SERVICEGROUP "nosuchservicegroup"
45 :
46 : #define HBAC_TEST_SRCHOST "client.example.com"
47 : #define HBAC_TEST_INVALID_SRCHOST "nosuchsrchost"
48 :
49 : #define HBAC_TEST_SRCHOSTGROUP1 "site_hosts"
50 : #define HBAC_TEST_SRCHOSTGROUP2 "corp_hosts"
51 : #define HBAC_TEST_INVALID_SRCHOSTGROUP "nosuchsrchostgroup"
52 :
53 :
54 : /* These don't make sense for a user/group/service but they do the job and
55 : * every one is from a different codepage */
56 : /* Latin Extended A - "Czech" */
57 : const uint8_t user_utf8_lowcase[] = { 0xC4, 0x8D, 'e', 'c', 'h', 0x0 };
58 : const uint8_t user_utf8_upcase[] = { 0xC4, 0x8C, 'e', 'c', 'h', 0x0 };
59 : const uint8_t user_utf8_lowcase_neg[] = { 0xC4, 0x8E, 'e', 'c', 'h', 0x0 };
60 : /* Latin 1 Supplement - "Munchen" */
61 : const uint8_t service_utf8_lowcase[] = { 'm', 0xC3, 0xBC, 'n', 'c', 'h', 'e', 'n', 0x0 };
62 : const uint8_t service_utf8_upcase[] = { 'M', 0xC3, 0x9C, 'N', 'C', 'H', 'E', 'N', 0x0 };
63 : /* Greek - "AlphaBetaGamma" */
64 : const uint8_t srchost_utf8_lowcase[] = { 0xCE, 0xB1, 0xCE, 0xB2, 0xCE, 0xB3, 0x0 };
65 : const uint8_t srchost_utf8_upcase[] = { 0xCE, 0x91, 0xCE, 0x92, 0xCE, 0x93, 0x0 };
66 : /* Turkish "capital I" and "dotless i" */
67 : const uint8_t user_lowcase_tr[] = { 0xC4, 0xB1, 0x0 };
68 : const uint8_t user_upcase_tr[] = { 0x49, 0x0 };
69 :
70 8 : static void get_allow_all_rule(TALLOC_CTX *mem_ctx,
71 : struct hbac_rule **allow_rule)
72 : {
73 : struct hbac_rule *rule;
74 : /* Create a rule that ALLOWs all services, users and
75 : * remote hosts.
76 : */
77 8 : rule = talloc_zero(mem_ctx, struct hbac_rule);
78 8 : fail_if (rule == NULL);
79 :
80 8 : rule->enabled = true;
81 :
82 8 : rule->services = talloc_zero(rule, struct hbac_rule_element);
83 8 : fail_if (rule->services == NULL);
84 8 : rule->services->category = HBAC_CATEGORY_ALL;
85 8 : rule->services->names = NULL;
86 8 : rule->services->groups = NULL;
87 :
88 8 : rule->users = talloc_zero(rule, struct hbac_rule_element);
89 8 : fail_if (rule->users == NULL);
90 8 : rule->users->category = HBAC_CATEGORY_ALL;
91 8 : rule->users->names = NULL;
92 8 : rule->users->groups = NULL;
93 :
94 8 : rule->targethosts = talloc_zero(rule, struct hbac_rule_element);
95 8 : fail_if (rule->targethosts == NULL);
96 8 : rule->targethosts->category = HBAC_CATEGORY_ALL;
97 8 : rule->targethosts->names = NULL;
98 8 : rule->targethosts->groups = NULL;
99 :
100 8 : rule->srchosts = talloc_zero(rule, struct hbac_rule_element);
101 8 : fail_if (rule->srchosts == NULL);
102 8 : rule->srchosts->category = HBAC_CATEGORY_ALL;
103 8 : rule->srchosts->names = NULL;
104 8 : rule->srchosts->groups = NULL;
105 :
106 8 : *allow_rule = rule;
107 8 : }
108 :
109 8 : static void get_test_user(TALLOC_CTX *mem_ctx,
110 : struct hbac_request_element **user)
111 : {
112 : struct hbac_request_element *new_user;
113 :
114 8 : new_user = talloc_zero(mem_ctx, struct hbac_request_element);
115 8 : fail_if (new_user == NULL);
116 :
117 8 : new_user->name = talloc_strdup(new_user, HBAC_TEST_USER);
118 8 : fail_if(new_user->name == NULL);
119 :
120 8 : new_user->groups = talloc_array(new_user, const char *, 3);
121 8 : fail_if(new_user->groups == NULL);
122 :
123 8 : new_user->groups[0] = talloc_strdup(new_user->groups, HBAC_TEST_GROUP1);
124 8 : fail_if(new_user->groups[0] == NULL);
125 :
126 8 : new_user->groups[1] = talloc_strdup(new_user->groups, HBAC_TEST_GROUP2);
127 8 : fail_if(new_user->groups[1] == NULL);
128 :
129 8 : new_user->groups[2] = NULL;
130 :
131 8 : *user = new_user;
132 8 : }
133 :
134 8 : static void get_test_service(TALLOC_CTX *mem_ctx,
135 : struct hbac_request_element **service)
136 : {
137 : struct hbac_request_element *new_service;
138 :
139 8 : new_service = talloc_zero(mem_ctx, struct hbac_request_element);
140 8 : fail_if (new_service == NULL);
141 :
142 8 : new_service->name = talloc_strdup(new_service, HBAC_TEST_SERVICE);
143 8 : fail_if(new_service->name == NULL);
144 :
145 8 : new_service->groups = talloc_array(new_service, const char *, 3);
146 8 : fail_if(new_service->groups == NULL);
147 :
148 8 : new_service->groups[0] = talloc_strdup(new_service->groups, HBAC_TEST_SERVICEGROUP1);
149 8 : fail_if(new_service->groups[0] == NULL);
150 :
151 8 : new_service->groups[1] = talloc_strdup(new_service->groups, HBAC_TEST_SERVICEGROUP2);
152 8 : fail_if(new_service->groups[1] == NULL);
153 :
154 8 : new_service->groups[2] = NULL;
155 :
156 8 : *service = new_service;
157 8 : }
158 :
159 8 : static void get_test_srchost(TALLOC_CTX *mem_ctx,
160 : struct hbac_request_element **srchost)
161 : {
162 : struct hbac_request_element *new_srchost;
163 :
164 8 : new_srchost = talloc_zero(mem_ctx, struct hbac_request_element);
165 8 : fail_if (new_srchost == NULL);
166 :
167 8 : new_srchost->name = talloc_strdup(new_srchost, HBAC_TEST_SRCHOST);
168 8 : fail_if(new_srchost->name == NULL);
169 :
170 8 : new_srchost->groups = talloc_array(new_srchost, const char *, 3);
171 8 : fail_if(new_srchost->groups == NULL);
172 :
173 8 : new_srchost->groups[0] = talloc_strdup(new_srchost->groups,
174 : HBAC_TEST_SRCHOSTGROUP1);
175 8 : fail_if(new_srchost->groups[0] == NULL);
176 :
177 8 : new_srchost->groups[1] = talloc_strdup(new_srchost->groups,
178 : HBAC_TEST_SRCHOSTGROUP2);
179 8 : fail_if(new_srchost->groups[1] == NULL);
180 :
181 8 : new_srchost->groups[2] = NULL;
182 :
183 8 : *srchost = new_srchost;
184 8 : }
185 :
186 1 : START_TEST(ipa_hbac_test_allow_all)
187 : {
188 : enum hbac_eval_result result;
189 : TALLOC_CTX *test_ctx;
190 : struct hbac_rule **rules;
191 : struct hbac_eval_req *eval_req;
192 1 : struct hbac_info *info = NULL;
193 : bool is_valid;
194 : uint32_t missing_attrs;
195 :
196 1 : test_ctx = talloc_new(global_talloc_context);
197 :
198 : /* Create a request */
199 1 : eval_req = talloc_zero(test_ctx, struct hbac_eval_req);
200 1 : fail_if (eval_req == NULL);
201 :
202 1 : get_test_user(eval_req, &eval_req->user);
203 1 : get_test_service(eval_req, &eval_req->service);
204 1 : get_test_srchost(eval_req, &eval_req->srchost);
205 :
206 : /* Create the rules to evaluate against */
207 1 : rules = talloc_array(test_ctx, struct hbac_rule *, 2);
208 1 : fail_if (rules == NULL);
209 :
210 1 : get_allow_all_rule(rules, &rules[0]);
211 1 : rules[0]->name = talloc_strdup(rules[0], "Allow All");
212 1 : fail_if(rules[0]->name == NULL);
213 1 : rules[1] = NULL;
214 :
215 : /* Validate this rule */
216 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
217 1 : fail_unless(is_valid);
218 1 : fail_unless(missing_attrs == 0);
219 :
220 : /* Evaluate the rules */
221 1 : result = hbac_evaluate(rules, eval_req, &info);
222 1 : fail_unless(result == HBAC_EVAL_ALLOW,
223 : "Expected [%s], got [%s]; "
224 : "Error: [%s]",
225 : hbac_result_string(HBAC_EVAL_ALLOW),
226 : hbac_result_string(result),
227 : info ? hbac_error_string(info->code):"Unknown");
228 1 : hbac_free_info(info);
229 1 : info = NULL;
230 1 : talloc_free(test_ctx);
231 : }
232 1 : END_TEST
233 :
234 1 : START_TEST(ipa_hbac_test_allow_user)
235 : {
236 : enum hbac_eval_result result;
237 : TALLOC_CTX *test_ctx;
238 : struct hbac_rule **rules;
239 : struct hbac_eval_req *eval_req;
240 1 : struct hbac_info *info = NULL;
241 : bool is_valid;
242 : uint32_t missing_attrs;
243 :
244 1 : test_ctx = talloc_new(global_talloc_context);
245 :
246 : /* Create a request */
247 1 : eval_req = talloc_zero(test_ctx, struct hbac_eval_req);
248 1 : fail_if (eval_req == NULL);
249 :
250 1 : get_test_user(eval_req, &eval_req->user);
251 1 : get_test_service(eval_req, &eval_req->service);
252 1 : get_test_srchost(eval_req, &eval_req->srchost);
253 :
254 : /* Create the rules to evaluate against */
255 1 : rules = talloc_array(test_ctx, struct hbac_rule *, 2);
256 1 : fail_if (rules == NULL);
257 :
258 1 : get_allow_all_rule(rules, &rules[0]);
259 :
260 : /* Modify the rule to allow only a specific user */
261 1 : rules[0]->name = talloc_strdup(rules[0], "Allow user");
262 1 : fail_if(rules[0]->name == NULL);
263 1 : rules[0]->users->category = HBAC_CATEGORY_NULL;
264 :
265 1 : rules[0]->users->names = talloc_array(rules[0], const char *, 2);
266 1 : fail_if(rules[0]->users->names == NULL);
267 :
268 1 : rules[0]->users->names[0] = HBAC_TEST_USER;
269 1 : rules[0]->users->names[1] = NULL;
270 :
271 1 : rules[1] = NULL;
272 :
273 : /* Validate this rule */
274 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
275 1 : fail_unless(is_valid);
276 1 : fail_unless(missing_attrs == 0);
277 :
278 : /* Evaluate the rules */
279 1 : result = hbac_evaluate(rules, eval_req, &info);
280 1 : fail_unless(result == HBAC_EVAL_ALLOW,
281 : "Expected [%s], got [%s]; "
282 : "Error: [%s]",
283 : hbac_result_string(HBAC_EVAL_ALLOW),
284 : hbac_result_string(result),
285 : info ? hbac_error_string(info->code):"Unknown");
286 1 : hbac_free_info(info);
287 1 : info = NULL;
288 :
289 : /* Negative test */
290 1 : rules[0]->users->names[0] = HBAC_TEST_INVALID_USER;
291 :
292 : /* Validate this rule */
293 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
294 1 : fail_unless(is_valid);
295 1 : fail_unless(missing_attrs == 0);
296 :
297 : /* Evaluate the rules */
298 1 : result = hbac_evaluate(rules, eval_req, &info);
299 1 : fail_unless(result == HBAC_EVAL_DENY,
300 : "Expected [%s], got [%s]; "
301 : "Error: [%s]",
302 : hbac_result_string(HBAC_EVAL_DENY),
303 : hbac_result_string(result),
304 : info ? hbac_error_string(info->code):"Unknown");
305 1 : hbac_free_info(info);
306 1 : info = NULL;
307 :
308 1 : talloc_free(test_ctx);
309 : }
310 1 : END_TEST
311 :
312 1 : START_TEST(ipa_hbac_test_allow_utf8)
313 : {
314 : enum hbac_eval_result result;
315 : TALLOC_CTX *test_ctx;
316 : struct hbac_rule **rules;
317 : struct hbac_eval_req *eval_req;
318 1 : struct hbac_info *info = NULL;
319 : bool is_valid;
320 : uint32_t missing_attrs;
321 :
322 1 : test_ctx = talloc_new(global_talloc_context);
323 :
324 : /* Create a request */
325 1 : eval_req = talloc_zero(test_ctx, struct hbac_eval_req);
326 1 : fail_if (eval_req == NULL);
327 :
328 1 : get_test_user(eval_req, &eval_req->user);
329 1 : get_test_service(eval_req, &eval_req->service);
330 1 : get_test_srchost(eval_req, &eval_req->srchost);
331 :
332 : /* Override the with UTF8 values */
333 1 : eval_req->user->name = (const char *) &user_utf8_lowcase;
334 1 : eval_req->srchost->name = (const char *) &srchost_utf8_lowcase;
335 1 : eval_req->service->name = (const char *) &service_utf8_lowcase;
336 :
337 : /* Create the rules to evaluate against */
338 1 : rules = talloc_array(test_ctx, struct hbac_rule *, 2);
339 1 : fail_if (rules == NULL);
340 :
341 1 : get_allow_all_rule(rules, &rules[0]);
342 :
343 1 : rules[0]->name = talloc_strdup(rules[0], "Allow user");
344 1 : fail_if(rules[0]->name == NULL);
345 1 : rules[0]->users->category = HBAC_CATEGORY_NULL;
346 :
347 : /* Modify the rule to allow only a specific user */
348 1 : rules[0]->users->names = talloc_array(rules[0], const char *, 2);
349 1 : fail_if(rules[0]->users->names == NULL);
350 :
351 1 : rules[0]->users->names[0] = (const char *) &user_utf8_upcase;
352 1 : rules[0]->users->names[1] = NULL;
353 :
354 : /* Modify the rule to allow only a specific service */
355 1 : rules[0]->services->category = HBAC_CATEGORY_NULL;
356 :
357 1 : rules[0]->services->names = talloc_array(rules[0], const char *, 2);
358 1 : fail_if(rules[0]->services->names == NULL);
359 :
360 1 : rules[0]->services->names[0] = (const char *) &service_utf8_upcase;
361 1 : rules[0]->services->names[1] = NULL;
362 :
363 : /* Modify the rule to allow only a specific service */
364 1 : rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
365 :
366 1 : rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2);
367 1 : fail_if(rules[0]->services->names == NULL);
368 :
369 1 : rules[0]->srchosts->names[0] = (const char *) &srchost_utf8_upcase;
370 1 : rules[0]->srchosts->names[1] = NULL;
371 :
372 1 : rules[1] = NULL;
373 :
374 : /* Validate this rule */
375 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
376 1 : fail_unless(is_valid);
377 1 : fail_unless(missing_attrs == 0);
378 :
379 : /* Evaluate the rules */
380 1 : result = hbac_evaluate(rules, eval_req, &info);
381 1 : fail_unless(result == HBAC_EVAL_ALLOW,
382 : "Expected [%s], got [%s]; "
383 : "Error: [%s]",
384 : hbac_result_string(HBAC_EVAL_ALLOW),
385 : hbac_result_string(result),
386 : info ? hbac_error_string(info->code):"Unknown");
387 1 : hbac_free_info(info);
388 1 : info = NULL;
389 :
390 :
391 : /* Negative test - a different letter */
392 1 : rules[0]->users->names[0] = (const char *) &user_utf8_lowcase_neg;
393 :
394 : /* Evaluate the rules */
395 1 : result = hbac_evaluate(rules, eval_req, &info);
396 1 : fail_unless(result == HBAC_EVAL_DENY,
397 : "Expected [%s], got [%s]; "
398 : "Error: [%s]",
399 : hbac_result_string(HBAC_EVAL_DENY),
400 : hbac_result_string(result),
401 : info ? hbac_error_string(info->code):"Unknown");
402 1 : hbac_free_info(info);
403 1 : info = NULL;
404 :
405 : /* Negative test - Turkish dotless i. We cannot know that capital I
406 : * casefolds into dotless i unless we know the language is Turkish */
407 1 : eval_req->user->name = (const char *) &user_lowcase_tr;
408 1 : rules[0]->users->names[0] = (const char *) &user_upcase_tr;
409 :
410 : /* Validate this rule */
411 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
412 1 : fail_unless(is_valid);
413 1 : fail_unless(missing_attrs == 0);
414 :
415 : /* Evaluate the rules */
416 1 : result = hbac_evaluate(rules, eval_req, &info);
417 1 : fail_unless(result == HBAC_EVAL_DENY,
418 : "Expected [%s], got [%s]; "
419 : "Error: [%s]",
420 : hbac_result_string(HBAC_EVAL_DENY),
421 : hbac_result_string(result),
422 : info ? hbac_error_string(info->code):"Unknown");
423 1 : hbac_free_info(info);
424 1 : info = NULL;
425 :
426 1 : talloc_free(test_ctx);
427 : }
428 1 : END_TEST
429 :
430 1 : START_TEST(ipa_hbac_test_allow_group)
431 : {
432 : enum hbac_eval_result result;
433 : TALLOC_CTX *test_ctx;
434 : struct hbac_rule **rules;
435 : struct hbac_eval_req *eval_req;
436 1 : struct hbac_info *info = NULL;
437 : bool is_valid;
438 : uint32_t missing_attrs;
439 :
440 1 : test_ctx = talloc_new(global_talloc_context);
441 :
442 : /* Create a request */
443 1 : eval_req = talloc_zero(test_ctx, struct hbac_eval_req);
444 1 : fail_if (eval_req == NULL);
445 :
446 1 : get_test_user(eval_req, &eval_req->user);
447 1 : get_test_service(eval_req, &eval_req->service);
448 1 : get_test_srchost(eval_req, &eval_req->srchost);
449 :
450 : /* Create the rules to evaluate against */
451 1 : rules = talloc_array(test_ctx, struct hbac_rule *, 2);
452 1 : fail_if (rules == NULL);
453 :
454 1 : get_allow_all_rule(rules, &rules[0]);
455 :
456 : /* Modify the rule to allow only a group of users */
457 1 : rules[0]->name = talloc_strdup(rules[0], "Allow group");
458 1 : fail_if(rules[0]->name == NULL);
459 1 : rules[0]->users->category = HBAC_CATEGORY_NULL;
460 :
461 1 : rules[0]->users->names = NULL;
462 1 : rules[0]->users->groups = talloc_array(rules[0], const char *, 2);
463 1 : fail_if(rules[0]->users->groups == NULL);
464 :
465 1 : rules[0]->users->groups[0] = HBAC_TEST_GROUP1;
466 1 : rules[0]->users->groups[1] = NULL;
467 :
468 1 : rules[1] = NULL;
469 :
470 : /* Validate this rule */
471 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
472 1 : fail_unless(is_valid);
473 1 : fail_unless(missing_attrs == 0);
474 :
475 : /* Evaluate the rules */
476 1 : result = hbac_evaluate(rules, eval_req, &info);
477 1 : fail_unless(result == HBAC_EVAL_ALLOW,
478 : "Expected [%s], got [%s]; "
479 : "Error: [%s]",
480 : hbac_result_string(HBAC_EVAL_ALLOW),
481 : hbac_result_string(result),
482 : info ? hbac_error_string(info->code):"Unknown");
483 1 : hbac_free_info(info);
484 1 : info = NULL;
485 :
486 : /* Negative test */
487 1 : rules[0]->users->groups[0] = HBAC_TEST_INVALID_GROUP;
488 :
489 : /* Validate this rule */
490 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
491 1 : fail_unless(is_valid);
492 1 : fail_unless(missing_attrs == 0);
493 :
494 : /* Evaluate the rules */
495 1 : result = hbac_evaluate(rules, eval_req, &info);
496 1 : fail_unless(result == HBAC_EVAL_DENY,
497 : "Expected [%s], got [%s]; "
498 : "Error: [%s]",
499 : hbac_result_string(HBAC_EVAL_DENY),
500 : hbac_result_string(result),
501 : info ? hbac_error_string(info->code):"Unknown");
502 1 : hbac_free_info(info);
503 1 : info = NULL;
504 :
505 1 : talloc_free(test_ctx);
506 : }
507 1 : END_TEST
508 :
509 1 : START_TEST(ipa_hbac_test_allow_svc)
510 : {
511 : enum hbac_eval_result result;
512 : TALLOC_CTX *test_ctx;
513 : struct hbac_rule **rules;
514 : struct hbac_eval_req *eval_req;
515 1 : struct hbac_info *info = NULL;
516 : bool is_valid;
517 : uint32_t missing_attrs;
518 :
519 1 : test_ctx = talloc_new(global_talloc_context);
520 :
521 : /* Create a request */
522 1 : eval_req = talloc_zero(test_ctx, struct hbac_eval_req);
523 1 : fail_if (eval_req == NULL);
524 :
525 1 : get_test_user(eval_req, &eval_req->user);
526 1 : get_test_service(eval_req, &eval_req->service);
527 1 : get_test_srchost(eval_req, &eval_req->srchost);
528 :
529 : /* Create the rules to evaluate against */
530 1 : rules = talloc_array(test_ctx, struct hbac_rule *, 2);
531 1 : fail_if (rules == NULL);
532 :
533 1 : get_allow_all_rule(rules, &rules[0]);
534 :
535 : /* Modify the rule to allow only a specific service */
536 1 : rules[0]->name = talloc_strdup(rules[0], "Allow service");
537 1 : fail_if(rules[0]->name == NULL);
538 1 : rules[0]->services->category = HBAC_CATEGORY_NULL;
539 :
540 1 : rules[0]->services->names = talloc_array(rules[0], const char *, 2);
541 1 : fail_if(rules[0]->services->names == NULL);
542 :
543 1 : rules[0]->services->names[0] = HBAC_TEST_SERVICE;
544 1 : rules[0]->services->names[1] = NULL;
545 :
546 1 : rules[1] = NULL;
547 :
548 : /* Validate this rule */
549 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
550 1 : fail_unless(is_valid);
551 1 : fail_unless(missing_attrs == 0);
552 :
553 : /* Evaluate the rules */
554 1 : result = hbac_evaluate(rules, eval_req, &info);
555 1 : fail_unless(result == HBAC_EVAL_ALLOW,
556 : "Expected [%s], got [%s]; "
557 : "Error: [%s]",
558 : hbac_result_string(HBAC_EVAL_ALLOW),
559 : hbac_result_string(result),
560 : info ? hbac_error_string(info->code):"Unknown");
561 1 : hbac_free_info(info);
562 1 : info = NULL;
563 :
564 : /* Negative test */
565 1 : rules[0]->services->names[0] = HBAC_TEST_INVALID_SERVICE;
566 :
567 : /* Validate this rule */
568 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
569 1 : fail_unless(is_valid);
570 1 : fail_unless(missing_attrs == 0);
571 :
572 : /* Evaluate the rules */
573 1 : result = hbac_evaluate(rules, eval_req, &info);
574 1 : fail_unless(result == HBAC_EVAL_DENY,
575 : "Expected [%s], got [%s]; "
576 : "Error: [%s]",
577 : hbac_result_string(HBAC_EVAL_DENY),
578 : hbac_result_string(result),
579 : info ? hbac_error_string(info->code):"Unknown");
580 1 : hbac_free_info(info);
581 1 : info = NULL;
582 :
583 1 : talloc_free(test_ctx);
584 : }
585 1 : END_TEST
586 :
587 1 : START_TEST(ipa_hbac_test_allow_svcgroup)
588 : {
589 : enum hbac_eval_result result;
590 : TALLOC_CTX *test_ctx;
591 : struct hbac_rule **rules;
592 : struct hbac_eval_req *eval_req;
593 1 : struct hbac_info *info = NULL;
594 : bool is_valid;
595 : uint32_t missing_attrs;
596 :
597 1 : test_ctx = talloc_new(global_talloc_context);
598 :
599 : /* Create a request */
600 1 : eval_req = talloc_zero(test_ctx, struct hbac_eval_req);
601 1 : fail_if (eval_req == NULL);
602 :
603 1 : get_test_user(eval_req, &eval_req->user);
604 1 : get_test_service(eval_req, &eval_req->service);
605 1 : get_test_srchost(eval_req, &eval_req->srchost);
606 :
607 : /* Create the rules to evaluate against */
608 1 : rules = talloc_array(test_ctx, struct hbac_rule *, 2);
609 1 : fail_if (rules == NULL);
610 :
611 1 : get_allow_all_rule(rules, &rules[0]);
612 :
613 : /* Modify the rule to allow only a group of users */
614 1 : rules[0]->name = talloc_strdup(rules[0], "Allow servicegroup");
615 1 : fail_if(rules[0]->name == NULL);
616 1 : rules[0]->services->category = HBAC_CATEGORY_NULL;
617 :
618 1 : rules[0]->services->names = NULL;
619 1 : rules[0]->services->groups = talloc_array(rules[0], const char *, 2);
620 1 : fail_if(rules[0]->services->groups == NULL);
621 :
622 1 : rules[0]->services->groups[0] = HBAC_TEST_SERVICEGROUP1;
623 1 : rules[0]->services->groups[1] = NULL;
624 :
625 1 : rules[1] = NULL;
626 :
627 : /* Validate this rule */
628 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
629 1 : fail_unless(is_valid);
630 1 : fail_unless(missing_attrs == 0);
631 :
632 : /* Evaluate the rules */
633 1 : result = hbac_evaluate(rules, eval_req, &info);
634 1 : fail_unless(result == HBAC_EVAL_ALLOW,
635 : "Expected [%s], got [%s]; "
636 : "Error: [%s]",
637 : hbac_result_string(HBAC_EVAL_ALLOW),
638 : hbac_result_string(result),
639 : info ? hbac_error_string(info->code):"Unknown");
640 1 : hbac_free_info(info);
641 1 : info = NULL;
642 :
643 : /* Negative test */
644 1 : rules[0]->services->groups[0] = HBAC_TEST_INVALID_SERVICEGROUP;
645 :
646 : /* Validate this rule */
647 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
648 1 : fail_unless(is_valid);
649 1 : fail_unless(missing_attrs == 0);
650 :
651 : /* Evaluate the rules */
652 1 : result = hbac_evaluate(rules, eval_req, &info);
653 1 : fail_unless(result == HBAC_EVAL_DENY,
654 : "Expected [%s], got [%s]; "
655 : "Error: [%s]",
656 : hbac_result_string(HBAC_EVAL_DENY),
657 : hbac_result_string(result),
658 : info ? hbac_error_string(info->code):"Unknown");
659 1 : hbac_free_info(info);
660 1 : info = NULL;
661 :
662 1 : talloc_free(test_ctx);
663 : }
664 1 : END_TEST
665 :
666 1 : START_TEST(ipa_hbac_test_allow_srchost)
667 : {
668 : enum hbac_eval_result result;
669 : TALLOC_CTX *test_ctx;
670 : struct hbac_rule **rules;
671 : struct hbac_eval_req *eval_req;
672 1 : struct hbac_info *info = NULL;
673 : bool is_valid;
674 : uint32_t missing_attrs;
675 :
676 1 : test_ctx = talloc_new(global_talloc_context);
677 :
678 : /* Create a request */
679 1 : eval_req = talloc_zero(test_ctx, struct hbac_eval_req);
680 1 : fail_if (eval_req == NULL);
681 :
682 1 : get_test_user(eval_req, &eval_req->user);
683 1 : get_test_service(eval_req, &eval_req->service);
684 1 : get_test_srchost(eval_req, &eval_req->srchost);
685 :
686 : /* Create the rules to evaluate against */
687 1 : rules = talloc_array(test_ctx, struct hbac_rule *, 2);
688 1 : fail_if (rules == NULL);
689 :
690 1 : get_allow_all_rule(rules, &rules[0]);
691 :
692 : /* Modify the rule to allow only a specific service */
693 1 : rules[0]->name = talloc_strdup(rules[0], "Allow srchost");
694 1 : fail_if(rules[0]->name == NULL);
695 1 : rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
696 :
697 1 : rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2);
698 1 : fail_if(rules[0]->srchosts->names == NULL);
699 :
700 1 : rules[0]->srchosts->names[0] = HBAC_TEST_SRCHOST;
701 1 : rules[0]->srchosts->names[1] = NULL;
702 :
703 1 : rules[1] = NULL;
704 :
705 : /* Validate this rule */
706 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
707 1 : fail_unless(is_valid);
708 1 : fail_unless(missing_attrs == 0);
709 :
710 : /* Evaluate the rules */
711 1 : result = hbac_evaluate(rules, eval_req, &info);
712 1 : fail_unless(result == HBAC_EVAL_ALLOW,
713 : "Expected [%s], got [%s]; "
714 : "Error: [%s]",
715 : hbac_result_string(HBAC_EVAL_ALLOW),
716 : hbac_result_string(result),
717 : info ? hbac_error_string(info->code):"Unknown");
718 1 : hbac_free_info(info);
719 1 : info = NULL;
720 :
721 : /* Negative test */
722 1 : rules[0]->srchosts->names[0] = HBAC_TEST_INVALID_SRCHOST;
723 :
724 : /* Validate this rule */
725 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
726 1 : fail_unless(is_valid);
727 1 : fail_unless(missing_attrs == 0);
728 :
729 : /* Evaluate the rules */
730 1 : result = hbac_evaluate(rules, eval_req, &info);
731 1 : fail_unless(result == HBAC_EVAL_DENY,
732 : "Expected [%s], got [%s]; "
733 : "Error: [%s]",
734 : hbac_result_string(HBAC_EVAL_DENY),
735 : hbac_result_string(result),
736 : info ? hbac_error_string(info->code):"Unknown");
737 1 : hbac_free_info(info);
738 1 : info = NULL;
739 :
740 1 : talloc_free(test_ctx);
741 : }
742 1 : END_TEST
743 :
744 1 : START_TEST(ipa_hbac_test_allow_srchostgroup)
745 : {
746 : enum hbac_eval_result result;
747 : TALLOC_CTX *test_ctx;
748 : struct hbac_rule **rules;
749 : struct hbac_eval_req *eval_req;
750 1 : struct hbac_info *info = NULL;
751 : bool is_valid;
752 : uint32_t missing_attrs;
753 :
754 1 : test_ctx = talloc_new(global_talloc_context);
755 :
756 : /* Create a request */
757 1 : eval_req = talloc_zero(test_ctx, struct hbac_eval_req);
758 1 : fail_if (eval_req == NULL);
759 :
760 1 : get_test_user(eval_req, &eval_req->user);
761 1 : get_test_service(eval_req, &eval_req->service);
762 1 : get_test_srchost(eval_req, &eval_req->srchost);
763 :
764 : /* Create the rules to evaluate against */
765 1 : rules = talloc_array(test_ctx, struct hbac_rule *, 2);
766 1 : fail_if (rules == NULL);
767 :
768 1 : get_allow_all_rule(rules, &rules[0]);
769 :
770 : /* Modify the rule to allow only a group of users */
771 1 : rules[0]->name = talloc_strdup(rules[0], "Allow srchostgroup");
772 1 : fail_if(rules[0]->name == NULL);
773 1 : rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
774 :
775 1 : rules[0]->srchosts->names = NULL;
776 1 : rules[0]->srchosts->groups = talloc_array(rules[0], const char *, 2);
777 1 : fail_if(rules[0]->srchosts->groups == NULL);
778 :
779 1 : rules[0]->srchosts->groups[0] = HBAC_TEST_SRCHOSTGROUP1;
780 1 : rules[0]->srchosts->groups[1] = NULL;
781 :
782 1 : rules[1] = NULL;
783 :
784 : /* Validate this rule */
785 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
786 1 : fail_unless(is_valid);
787 1 : fail_unless(missing_attrs == 0);
788 :
789 : /* Evaluate the rules */
790 1 : result = hbac_evaluate(rules, eval_req, &info);
791 1 : fail_unless(result == HBAC_EVAL_ALLOW,
792 : "Expected [%s], got [%s]; "
793 : "Error: [%s]",
794 : hbac_result_string(HBAC_EVAL_ALLOW),
795 : hbac_result_string(result),
796 : info ? hbac_error_string(info->code):"Unknown");
797 1 : hbac_free_info(info);
798 1 : info = NULL;
799 :
800 : /* Negative test */
801 1 : rules[0]->srchosts->groups[0] = HBAC_TEST_INVALID_SRCHOSTGROUP;
802 :
803 : /* Validate this rule */
804 1 : is_valid = hbac_rule_is_complete(rules[0], &missing_attrs);
805 1 : fail_unless(is_valid);
806 1 : fail_unless(missing_attrs == 0);
807 :
808 : /* Evaluate the rules */
809 1 : result = hbac_evaluate(rules, eval_req, &info);
810 1 : fail_unless(result == HBAC_EVAL_DENY,
811 : "Expected [%s], got [%s]; "
812 : "Error: [%s]",
813 : hbac_result_string(HBAC_EVAL_DENY),
814 : hbac_result_string(result),
815 : info ? hbac_error_string(info->code):"Unknown");
816 1 : hbac_free_info(info);
817 1 : info = NULL;
818 :
819 1 : talloc_free(test_ctx);
820 : }
821 1 : END_TEST
822 :
823 1 : START_TEST(ipa_hbac_test_incomplete)
824 : {
825 : TALLOC_CTX *test_ctx;
826 : struct hbac_rule *rule;
827 : bool is_valid;
828 : uint32_t missing_attrs;
829 :
830 1 : test_ctx = talloc_new(global_talloc_context);
831 :
832 1 : rule = talloc_zero(test_ctx, struct hbac_rule);
833 :
834 : /* Validate this rule */
835 1 : is_valid = hbac_rule_is_complete(rule, &missing_attrs);
836 1 : fail_if(is_valid);
837 1 : fail_unless(missing_attrs | HBAC_RULE_ELEMENT_USERS);
838 1 : fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SERVICES);
839 1 : fail_unless(missing_attrs | HBAC_RULE_ELEMENT_TARGETHOSTS);
840 1 : fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SOURCEHOSTS);
841 :
842 1 : talloc_free(test_ctx);
843 : }
844 1 : END_TEST
845 :
846 1 : Suite *hbac_test_suite (void)
847 : {
848 1 : Suite *s = suite_create ("HBAC");
849 :
850 1 : TCase *tc_hbac = tcase_create("HBAC_rules");
851 1 : tcase_add_checked_fixture(tc_hbac,
852 : ck_leak_check_setup,
853 : ck_leak_check_teardown);
854 :
855 1 : tcase_add_test(tc_hbac, ipa_hbac_test_allow_all);
856 1 : tcase_add_test(tc_hbac, ipa_hbac_test_allow_user);
857 1 : tcase_add_test(tc_hbac, ipa_hbac_test_allow_group);
858 1 : tcase_add_test(tc_hbac, ipa_hbac_test_allow_svc);
859 1 : tcase_add_test(tc_hbac, ipa_hbac_test_allow_svcgroup);
860 1 : tcase_add_test(tc_hbac, ipa_hbac_test_allow_srchost);
861 1 : tcase_add_test(tc_hbac, ipa_hbac_test_allow_srchostgroup);
862 1 : tcase_add_test(tc_hbac, ipa_hbac_test_allow_utf8);
863 1 : tcase_add_test(tc_hbac, ipa_hbac_test_incomplete);
864 :
865 1 : suite_add_tcase(s, tc_hbac);
866 1 : return s;
867 : }
868 :
869 1 : int main(int argc, const char *argv[])
870 : {
871 : int number_failed;
872 :
873 1 : tests_set_cwd();
874 :
875 1 : Suite *s = hbac_test_suite();
876 1 : SRunner *sr = srunner_create(s);
877 :
878 : /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */
879 1 : srunner_run_all(sr, CK_ENV);
880 1 : number_failed = srunner_ntests_failed (sr);
881 1 : srunner_free (sr);
882 :
883 1 : return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
884 : }
|
