author | Jakub Hrozek <jhrozek@redhat.com> | 2013-02-23 10:44:54 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-04-15 15:15:48 +0200 |
commit | 5925e134b87e79e60177b5861ec2a67b659aaa27 (patch) | |
tree | 1a1b59f96dc4fbf1d3ca13bdf5e6129a90871859 /src/tests | |
parent | deb9c70038fe998c81939d784262147709d3fe09 (diff) | |
download | sssd-5925e134b87e79e60177b5861ec2a67b659aaa27.tar.gz sssd-5925e134b87e79e60177b5861ec2a67b659aaa27.tar.xz sssd-5925e134b87e79e60177b5861ec2a67b659aaa27.zip |
Resolve GIDs in the simple access provider
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In the AD provider, the situation is
even trickier because the groups DO have a name, but their name
attribute is set to the SID and they are marked as non-POSIX.
Diffstat (limited to 'src/tests')
-rw-r--r-- | src/tests/simple_access-tests.c | 361 |
1 files changed, 261 insertions, 100 deletions
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c index 577c6d334..ab2612db8 100644 --- a/src/tests/simple_access-tests.c +++ b/src/tests/simple_access-tests.c @@ -27,6 +27,7 @@ #include <check.h> #include "confdb/confdb.h" +#include "db/sysdb_private.h" #include "providers/simple/simple_access.h" #include "tests/common.h" @@ -35,16 +36,40 @@ const char *ulist_1[] = {"u1", "u2", NULL}; const char *glist_1[] = {"g1", "g2", NULL}; +const char *glist_1_case[] = {"G1", "G2", NULL}; struct simple_test_ctx *test_ctx = NULL; struct simple_test_ctx { struct sysdb_ctx *sysdb; struct confdb_ctx *confdb; + struct tevent_context *ev; + bool done; + int error; + bool access_granted; struct simple_ctx *ctx; }; +static int test_loop(struct simple_test_ctx *tctx) +{ + while (!tctx->done) + tevent_loop_once(tctx->ev); + + return tctx->error; +} + +static void simple_access_check_done(struct tevent_req *req) +{ + struct simple_test_ctx *tctx = + tevent_req_callback_data(req, struct simple_test_ctx); + + + tctx->error = simple_access_check_recv(req, &tctx->access_granted); + talloc_free(req); + tctx->done = true; +} + void setup_simple(void) { errno_t ret; 
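Review bot: `test_loop` in the new helper block spins on `tevent_loop_once()` without looking at its return value, so an error inside the event loop (non-zero return) would never set `tctx->done` and the test would hang instead of failing. I would also have the helper clear the flag itself, because the callers in the later hunks reset `test_ctx->done = false` by hand and not at every call site. Suggested body: `tctx->done = false; while (!tctx->done) { fail_if(tevent_loop_once(tctx->ev) != 0, "tevent_loop_once failed"); } return tctx->error;` (fail_if is already used throughout this file). The value `test_loop` returns is ignored by every caller below; either drop the return or assert on it there.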
@@ -52,19 +77,22 @@ void setup_simple(void) const char *val[2]; val[1] = NULL; - /* Create tests directory if it doesn't exist */ - /* (relative to current dir) */ - ret = mkdir(TESTS_PATH, 0775); - fail_if(ret == -1 && errno != EEXIST, - "Could not create %s directory", TESTS_PATH); - fail_unless(test_ctx == NULL, "Simple context already initialized."); test_ctx = talloc_zero(NULL, struct simple_test_ctx); fail_unless(test_ctx != NULL, "Cannot create simple test context."); + test_ctx->ev = tevent_context_init(test_ctx); + fail_unless(test_ctx->ev != NULL, "Cannot create tevent context."); + test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx); fail_unless(test_ctx->ctx != NULL, "Cannot create simple context."); + /* Create tests directory if it doesn't exist */ + /* (relative to current dir) */ + ret = mkdir(TESTS_PATH, 0775); + fail_if(ret == -1 && errno != EEXIST, + "Could not create %s directory", TESTS_PATH); + conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); fail_if(conf_db == NULL, "Out of memory, aborting!"); DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db)); @@ -98,6 +126,7 @@ void setup_simple(void) &test_ctx->ctx->domain, &test_ctx->ctx->sysdb); fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret); test_ctx->ctx->domain->case_sensitive = true; + test_ctx->ctx->sysdb->mpg = false; /* Simulate an LDAP domain better */ } void teardown_simple(void) 
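Review bot: The new `test_ctx->ctx->sysdb->mpg = false;` line reaches into the sysdb private structure (which is why `db/sysdb_private.h` is now included), and the trailing comment `Simulate an LDAP domain better` does not say what the flag changes for the access check being tested. Presumably the GID-resolution path added by this commit behaves differently when the primary GID is treated as a magic private group, but nothing in the hunk shows that, so a reader has to go and find out. I would replace the comment with something like `/* non-MPG domain: the users' primary GID must resolve to a real group object, as in an LDAP domain */`, worded to match whatever `mpg` actually gates in the provider.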
@@ -117,18 +146,22 @@ void setup_simple_group(void) /* Add test users u1 and u2 that would be members of test groups * g1 and g2 respectively */ + ret = sysdb_add_group(test_ctx->ctx->sysdb, + "pvt", 999, NULL, 0, 0); + fail_if(ret != EOK, "Could not add private group"); + ret = sysdb_store_user(test_ctx->ctx->sysdb, - "u1", NULL, 123, 0, "u1", "/home/u1", + "u1", NULL, 123, 999, "u1", "/home/u1", "/bin/bash", NULL, NULL, NULL, -1, 0); fail_if(ret != EOK, "Could not add u1"); ret = sysdb_store_user(test_ctx->ctx->sysdb, - "u2", NULL, 456, 0, "u1", "/home/u1", + "u2", NULL, 456, 999, "u1", "/home/u1", "/bin/bash", NULL, NULL, NULL, -1, 0); fail_if(ret != EOK, "Could not add u2"); ret = sysdb_store_user(test_ctx->ctx->sysdb, - "u3", NULL, 789, 0, "u1", "/home/u1", + "u3", NULL, 789, 999, "u1", "/home/u1", "/bin/bash", NULL, NULL, NULL, -1, 0); fail_if(ret != EOK, "Could not add u3"); 
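Review bot: Every test user is now stored with primary GID 999, which the same hunk registers as the named group `pvt`, so the gid-without-name resolution path described in the commit message is never exercised by this suite: every group the access check can see already carries a usable name. If the asynchronous lookup can be driven without a live backend, a case with a user whose primary GID has no group object (or a group stored under a SID-like name) would cover the new code; if it cannot, a comment on the `pvt` group saying so, e.g. `/* named private group so the check never has to resolve a bare GID in this unit test */`, would spare the next reader the same question. The `setup_simple_group` body continues past the end of the hunk.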
@@ -163,190 +196,317 @@ void teardown_simple_group(void) fail_if(ret != EOK, "Could not delete g1"); ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0); fail_if(ret != EOK, "Could not delete g2"); + ret = sysdb_delete_group(test_ctx->ctx->sysdb, "pvt", 0); + fail_if(ret != EOK, "Could not delete pvt"); teardown_simple(); } START_TEST(test_both_empty) { - int ret; - bool access_granted = false; + struct tevent_req *req; test_ctx->ctx->allow_users = NULL; test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "while both lists are empty."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == true, + "Access denied while both lists are empty."); } END_TEST START_TEST(test_allow_empty) { - int ret; - bool access_granted = true; + struct tevent_req *req; test_ctx->ctx->allow_users = NULL; test_ctx->ctx->deny_users = discard_const(ulist_1); - ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while user is in deny list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted while user is in deny list."); - ret = simple_access_check(test_ctx->ctx, 
"u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "while user is not in deny list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u3"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == true, + "Access denied while user is not in deny list."); } END_TEST START_TEST(test_deny_empty) { - int ret; - bool access_granted = false; + struct tevent_req *req; test_ctx->ctx->allow_users = discard_const(ulist_1); test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "while user is in allow list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == true, + "Access denied while user is in allow list."); - ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while user is not in allow list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u3"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + 
"Access granted while user is not in allow list."); } END_TEST START_TEST(test_both_set) { - int ret; - bool access_granted = false; + struct tevent_req *req; test_ctx->ctx->allow_users = discard_const(ulist_1); test_ctx->ctx->deny_users = discard_const(ulist_1); - ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while user is in deny list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted while user is in deny list."); - ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while user is not in allow list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u3"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted while user is not in allow list."); } END_TEST START_TEST(test_case) { - int ret; - bool access_granted = false; + struct tevent_req *req; test_ctx->ctx->allow_users = discard_const(ulist_1); test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "for user with different case " - "in case-sensitive domain"); + req = 
simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "U1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted for user with different case " + "in case-sensitive domain"); test_ctx->ctx->domain->case_sensitive = false; - ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "for user with different case " - "in case-insensitive domain"); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "U1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == true, + "Access denied for user with different case " + "in case-sensitive domain"); +} +END_TEST + +START_TEST(test_unknown_user) +{ + struct tevent_req *req; + + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = NULL; + + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "foo"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted for user not present in domain"); } END_TEST + START_TEST(test_group_allow_empty) { - int ret; - bool access_granted = true; + struct tevent_req *req; test_ctx->ctx->allow_groups = NULL; test_ctx->ctx->deny_groups = 
discard_const(glist_1); - ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while group is in deny list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; - ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "while group is not in deny list."); + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted while group is in deny list."); + + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u3"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == true, + "Access denied while group is not in deny list."); } END_TEST START_TEST(test_group_deny_empty) { - int ret; - bool access_granted = false; + struct tevent_req *req; test_ctx->ctx->allow_groups = discard_const(glist_1); test_ctx->ctx->deny_groups = NULL; - ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "while group is in allow list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; - ret = 
simple_access_check(test_ctx->ctx, "u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while group is not in allow list."); + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == true, + "Access denied while user is in allow list."); + + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u3"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted while user is not in allow list."); } END_TEST START_TEST(test_group_both_set) { - int ret; - bool access_granted = false; + struct tevent_req *req; test_ctx->ctx->allow_groups = discard_const(ulist_1); test_ctx->ctx->deny_groups = discard_const(ulist_1); - ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while group is in deny list."); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; - ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while group is not in allow list."); + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted while user is in deny list."); + + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "u3"); + fail_unless(test_ctx != NULL, 
"Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted while user is not in allow list."); } END_TEST START_TEST(test_group_case) { - int ret; - bool access_granted = false; + struct tevent_req *req; - test_ctx->ctx->allow_groups = discard_const(ulist_1); + test_ctx->ctx->allow_groups = discard_const(glist_1_case); test_ctx->ctx->deny_groups = NULL; - ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "for group with different case " - "in case-sensitive domain"); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "U1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == false, + "Access granted for user with different case " + "in case-sensitive domain"); test_ctx->ctx->domain->case_sensitive = false; - ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "for group with different case " - "in case-insensitive domain"); + req = simple_access_check_send(test_ctx, test_ctx->ev, + test_ctx->ctx, "U1"); + fail_unless(test_ctx != NULL, "Cannot create request\n"); + tevent_req_set_callback(req, simple_access_check_done, test_ctx); + + test_loop(test_ctx); + test_ctx->done = false; + + fail_unless(test_ctx->error == EOK, "access_simple_check failed."); + fail_unless(test_ctx->access_granted == true, + "Access denied for user with different case " + "in 
case-sensitive domain"); } END_TEST @@ -361,6 +521,7 @@ Suite *access_simple_suite (void) tcase_add_test(tc_allow_deny, test_deny_empty); tcase_add_test(tc_allow_deny, test_both_set); tcase_add_test(tc_allow_deny, test_case); + tcase_add_test(tc_allow_deny, test_unknown_user); suite_add_tcase(s, tc_allow_deny); TCase *tc_grp_allow_deny = tcase_create("group allow/deny"); |
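Review bot: Every new request site checks the wrong pointer: `fail_unless(test_ctx != NULL, "Cannot create request\n");` follows `req = simple_access_check_send(...)`, but `test_ctx` cannot be NULL at that point, so if `simple_access_check_send` fails and returns NULL the next line `tevent_req_set_callback(req, ...)` dereferences it instead of the test failing cleanly. The check should read `fail_unless(req != NULL, "Cannot create request\n");` at each of the roughly twenty occurrences in this hunk. Separately, the second assertion in `test_case` and in `test_group_case` now says `"Access denied for user with different case in case-sensitive domain"` although the domain was just switched to case-insensitive and the removed text said `in case-insensitive domain`; the message should be restored. The group tests' messages also now say `user` where the removed lines said `group` (for example in `test_group_deny_empty` and `test_group_both_set`), which loses which list was being checked when one of them fails.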