summaryrefslogtreecommitdiffstats
path: root/src/tests/cmocka/test_simple_access.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/tests/cmocka/test_simple_access.c')
-rw-r--r--src/tests/cmocka/test_simple_access.c440
1 files changed, 408 insertions, 32 deletions
diff --git a/src/tests/cmocka/test_simple_access.c b/src/tests/cmocka/test_simple_access.c
index f3b1e0bd8..428b2e25c 100644
--- a/src/tests/cmocka/test_simple_access.c
+++ b/src/tests/cmocka/test_simple_access.c
@@ -34,10 +34,6 @@
#define TEST_SUBDOM_NAME "test.subdomain"
#define TEST_ID_PROVIDER "ldap"
-const char *ulist_1[] = {"u1", "u2", NULL};
-const char *glist_1[] = {"g1", "g2", NULL};
-const char *glist_1_case[] = {"G1", "G2", NULL};
-
int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops,
void **pvt_data);
@@ -166,42 +162,333 @@ static void simple_access_check_done(struct tevent_req *req)
simple_test_ctx->tctx->done = true;
}
+static void run_simple_access_check(struct simple_test_ctx *simple_test_ctx,
+ const char *username,
+ int expected_rv,
+ bool allow_access)
+{
+ int ret;
+ struct tevent_req *req;
+
+ simple_test_ctx->tctx->done = false;
+ req = simple_access_check_send(simple_test_ctx, simple_test_ctx->tctx->ev,
+ simple_test_ctx->ctx, username);
+ assert_non_null(req);
+ tevent_req_set_callback(req, simple_access_check_done, simple_test_ctx);
+
+ ret = test_ev_loop(simple_test_ctx->tctx);
+ assert_int_equal(ret, expected_rv);
+
+ /* otherwise the output is undefined */
+ if (expected_rv == EOK) {
+ assert_true(simple_test_ctx->access_granted == allow_access);
+ }
+}
+
static void test_both_empty(void **state)
{
errno_t ret;
- struct tevent_req *req;
struct simple_test_ctx *simple_test_ctx = \
talloc_get_type(*state, struct simple_test_ctx);
ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, NULL);
assert_int_equal(ret, EOK);
- req = simple_access_check_send(simple_test_ctx, simple_test_ctx->tctx->ev,
- simple_test_ctx->ctx, "u1");
- assert_non_null(req);
- tevent_req_set_callback(req, simple_access_check_done, simple_test_ctx);
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true);
+}
- ret = test_ev_loop(simple_test_ctx->tctx);
+static void test_allow_empty(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_deny_users", "u1, u2" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params);
assert_int_equal(ret, EOK);
- assert_true(simple_test_ctx->access_granted);
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false);
+ run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, true);
+ run_simple_access_check(simple_test_ctx, "u1", ERR_WRONG_NAME_FORMAT, false);
}
-static void test_allow_empty(void **state)
+static void test_deny_empty(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_users", "u1, u2" },
+ { NULL, NULL },
+ };
+ ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params);
+ assert_int_equal(ret, EOK);
+
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true);
+ run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false);
+}
+
+static void test_both_set(void **state)
{
errno_t ret;
- struct tevent_req *req;
struct simple_test_ctx *simple_test_ctx = \
talloc_get_type(*state, struct simple_test_ctx);
struct sss_test_conf_param params[] = {
+ { "simple_allow_users", "u1, u2" },
{ "simple_deny_users", "u1, u2" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx,
+ simple_test_ctx->tctx->dom,
+ params);
+ assert_int_equal(ret, EOK);
+
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false);
+ run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false);
+}
+
+static void test_deny_wrong_case(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_users", "u1, u2" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx,
+ simple_test_ctx->tctx->dom,
+ params);
+ assert_int_equal(ret, EOK);
+
+ run_simple_access_check(simple_test_ctx, "U1@simple_test", EOK, false);
+}
+
+static void test_allow_case_insensitive(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_users", "u1, u2" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx,
+ simple_test_ctx->tctx->dom,
+ params);
+ assert_int_equal(ret, EOK);
+
+ simple_test_ctx->tctx->dom->case_sensitive = false;
+ run_simple_access_check(simple_test_ctx, "U1@simple_test", EOK, true);
+}
+
+static void test_unknown_user(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_users", "u1, u2" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx,
+ simple_test_ctx->tctx->dom,
+ params);
+ assert_int_equal(ret, EOK);
+
+ run_simple_access_check(simple_test_ctx, "foo@simple_test", EOK, false);
+}
+
+static void test_space(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_users", "space user, another user@simple_test" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params);
+ assert_int_equal(ret, EOK);
+
+ run_simple_access_check(simple_test_ctx, "space user@simple_test", EOK, true);
+ run_simple_access_check(simple_test_ctx, "another user@simple_test", EOK, true);
+ run_simple_access_check(simple_test_ctx, "not allowed@simple_test", EOK, false);
+}
+
+static int simple_group_test_setup(void **state)
+{
+ int ret;
+ char *u1;
+ char *u2;
+ char *u3;
+ char *g1;
+ char *g2;
+ char *sp;
+ char *sp2;
+ char *pvt;
+ struct simple_test_ctx *test_ctx;
+
+ ret = simple_test_setup((void **) &test_ctx);
+ if (ret != EOK) {
+ return 1;
+ }
+
+ u1 = sss_create_internal_fqname(test_ctx, "u1",
+ test_ctx->be_ctx->domain->name);
+ u2 = sss_create_internal_fqname(test_ctx, "u2",
+ test_ctx->be_ctx->domain->name);
+ u3 = sss_create_internal_fqname(test_ctx, "u3",
+ test_ctx->be_ctx->domain->name);
+ g1 = sss_create_internal_fqname(test_ctx, "g1",
+ test_ctx->be_ctx->domain->name);
+ g2 = sss_create_internal_fqname(test_ctx, "g2",
+ test_ctx->be_ctx->domain->name);
+ sp = sss_create_internal_fqname(test_ctx, "space group",
+ test_ctx->be_ctx->domain->name);
+ sp2 = sss_create_internal_fqname(test_ctx, "another space",
+ test_ctx->be_ctx->domain->name);
+ pvt = sss_create_internal_fqname(test_ctx, "pvt",
+ test_ctx->be_ctx->domain->name);
+ if (u1 == NULL || u2 == NULL || u3 == NULL
+ || g1 == NULL || g2 == NULL || pvt == NULL
+ || sp == NULL || sp2 == NULL) {
+ return 1;
+ }
+
+ ret = sysdb_add_group(test_ctx->be_ctx->domain, pvt, 999, NULL, 0, 0);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_store_user(test_ctx->be_ctx->domain,
+ u1, NULL, 123, 999, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_store_user(test_ctx->be_ctx->domain,
+ u2, NULL, 456, 999, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_store_user(test_ctx->be_ctx->domain,
+ u3, NULL, 789, 999, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_add_group(test_ctx->be_ctx->domain, g1, 321, NULL, 0, 0);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_add_group(test_ctx->be_ctx->domain, g2, 654, NULL, 0, 0);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_add_group(test_ctx->be_ctx->domain, sp, 1234, NULL, 0, 0);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_add_group(test_ctx->be_ctx->domain, sp2, 5678, NULL, 0, 0);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_add_group_member(test_ctx->be_ctx->domain,
+ g1, u1, SYSDB_MEMBER_USER, false);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_add_group_member(test_ctx->be_ctx->domain,
+ sp, u1, SYSDB_MEMBER_USER, false);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_add_group_member(test_ctx->be_ctx->domain,
+ g2, u2, SYSDB_MEMBER_USER, false);
+ if (ret != EOK) return 1;
+
+ ret = sysdb_add_group_member(test_ctx->be_ctx->domain,
+ sp2, u2, SYSDB_MEMBER_USER, false);
+ if (ret != EOK) return 1;
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int simple_group_test_teardown(void **state)
+{
+ int ret;
+ char *u1;
+ char *u2;
+ char *u3;
+ char *g1;
+ char *g2;
+ char *sp;
+ char *sp2;
+ char *pvt;
+ struct simple_test_ctx *test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+
+ u1 = sss_create_internal_fqname(test_ctx, "u1",
+ test_ctx->be_ctx->domain->name);
+ u2 = sss_create_internal_fqname(test_ctx, "u2",
+ test_ctx->be_ctx->domain->name);
+ u3 = sss_create_internal_fqname(test_ctx, "u3",
+ test_ctx->be_ctx->domain->name);
+ g1 = sss_create_internal_fqname(test_ctx, "g1",
+ test_ctx->be_ctx->domain->name);
+ g2 = sss_create_internal_fqname(test_ctx, "g2",
+ test_ctx->be_ctx->domain->name);
+ sp = sss_create_internal_fqname(test_ctx, "space group",
+ test_ctx->be_ctx->domain->name);
+ sp2 = sss_create_internal_fqname(test_ctx, "another space",
+ test_ctx->be_ctx->domain->name);
+ pvt = sss_create_internal_fqname(test_ctx, "pvt",
+ test_ctx->be_ctx->domain->name);
+ if (u1 == NULL || u2 == NULL || u3 == NULL
+ || g1 == NULL || g2 == NULL || pvt == NULL
+ || sp == NULL || sp2 == NULL) {
+ return 1;
+ }
+
+ ret = sysdb_delete_user(test_ctx->be_ctx->domain, u1, 0);
+ if (ret != EOK) return 1;
+ ret = sysdb_delete_user(test_ctx->be_ctx->domain, u2, 0);
+ if (ret != EOK) return 1;
+ ret = sysdb_delete_user(test_ctx->be_ctx->domain, u3, 0);
+ if (ret != EOK) return 1;
+ ret = sysdb_delete_group(test_ctx->be_ctx->domain, g1, 0);
+ if (ret != EOK) return 1;
+ ret = sysdb_delete_group(test_ctx->be_ctx->domain, g2, 0);
+ if (ret != EOK) return 1;
+ ret = sysdb_delete_group(test_ctx->be_ctx->domain, sp, 0);
+ if (ret != EOK) return 1;
+ ret = sysdb_delete_group(test_ctx->be_ctx->domain, sp2, 0);
+ if (ret != EOK) return 1;
+ ret = sysdb_delete_group(test_ctx->be_ctx->domain, pvt, 0);
+ if (ret != EOK) return 1;
+
+ /* make sure there are no leftovers from previous tests */
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ talloc_free(test_ctx);
+ return 0;
+}
+
+static void test_group_allow_empty(void **state)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_deny_groups", "g1, g2" },
+ { NULL, NULL },
};
ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params);
assert_int_equal(ret, EOK);
req = simple_access_check_send(simple_test_ctx, simple_test_ctx->tctx->ev,
- simple_test_ctx->ctx, "u1");
+ simple_test_ctx->ctx, "u1@simple_test");
assert_non_null(req);
tevent_req_set_callback(req, simple_access_check_done, simple_test_ctx);
@@ -210,9 +497,8 @@ static void test_allow_empty(void **state)
assert_false(simple_test_ctx->access_granted);
simple_test_ctx->tctx->done = false;
-
req = simple_access_check_send(simple_test_ctx, simple_test_ctx->tctx->ev,
- simple_test_ctx->ctx, "u3");
+ simple_test_ctx->ctx, "u3@simple_test");
assert_non_null(req);
tevent_req_set_callback(req, simple_access_check_done, simple_test_ctx);
@@ -221,38 +507,96 @@ static void test_allow_empty(void **state)
assert_true(simple_test_ctx->access_granted);
}
-static void test_deny_empty(void **state)
+static void test_group_deny_empty(void **state)
{
errno_t ret;
- struct tevent_req *req;
struct simple_test_ctx *simple_test_ctx = \
talloc_get_type(*state, struct simple_test_ctx);
struct sss_test_conf_param params[] = {
- { "simple_allow_users", "u1, u2" },
+ { "simple_allow_groups", "g1, g2" },
+ { NULL, NULL },
};
ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params);
assert_int_equal(ret, EOK);
- req = simple_access_check_send(simple_test_ctx, simple_test_ctx->tctx->ev,
- simple_test_ctx->ctx, "u1");
- assert_non_null(req);
- tevent_req_set_callback(req, simple_access_check_done, simple_test_ctx);
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true);
+ run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false);
+}
- ret = test_ev_loop(simple_test_ctx->tctx);
+static void test_group_both_set(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_groups", "g1, g2" },
+ { "simple_deny_groups", "g1, g2" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params);
+ assert_int_equal(ret, EOK);
+
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false);
+ run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false);
+}
+
+static void test_group_deny_wrong_case(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_groups", "G1, G2" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx,
+ simple_test_ctx->tctx->dom,
+ params);
assert_int_equal(ret, EOK);
- assert_true(simple_test_ctx->access_granted);
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false);
+}
+
+static void test_group_allow_case_insensitive(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_groups", "G1, G2" },
+ { NULL, NULL },
+ };
+
+ ret = setup_with_params(simple_test_ctx,
+ simple_test_ctx->tctx->dom,
+ params);
+ assert_int_equal(ret, EOK);
+
+ /* Case-sensitive domain, wrong case */
simple_test_ctx->tctx->done = false;
+ simple_test_ctx->tctx->dom->case_sensitive = false;
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true);
+}
- req = simple_access_check_send(simple_test_ctx, simple_test_ctx->tctx->ev,
- simple_test_ctx->ctx, "u3");
- assert_non_null(req);
- tevent_req_set_callback(req, simple_access_check_done, simple_test_ctx);
+static void test_group_space(void **state)
+{
+ errno_t ret;
+ struct simple_test_ctx *simple_test_ctx = \
+ talloc_get_type(*state, struct simple_test_ctx);
+ struct sss_test_conf_param params[] = {
+ { "simple_allow_groups", "space group, another space@simple_test" },
+ { NULL, NULL },
+ };
- ret = test_ev_loop(simple_test_ctx->tctx);
+ ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params);
assert_int_equal(ret, EOK);
- assert_false(simple_test_ctx->access_granted);
+
+ run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true);
+ run_simple_access_check(simple_test_ctx, "u2@simple_test", EOK, true);
+ run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false);
}
int main(int argc, const char *argv[])
@@ -270,7 +614,6 @@ int main(int argc, const char *argv[])
};
const struct CMUnitTest tests[] = {
- /* FIXME - group fixtures? */
cmocka_unit_test_setup_teardown(test_both_empty,
simple_test_setup,
simple_test_teardown),
@@ -280,6 +623,39 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_deny_empty,
simple_test_setup,
simple_test_teardown),
+ cmocka_unit_test_setup_teardown(test_both_set,
+ simple_test_setup,
+ simple_test_teardown),
+ cmocka_unit_test_setup_teardown(test_deny_wrong_case,
+ simple_test_setup,
+ simple_test_teardown),
+ cmocka_unit_test_setup_teardown(test_allow_case_insensitive,
+ simple_test_setup,
+ simple_test_teardown),
+ cmocka_unit_test_setup_teardown(test_unknown_user,
+ simple_test_setup,
+ simple_test_teardown),
+ cmocka_unit_test_setup_teardown(test_space,
+ simple_test_setup,
+ simple_test_teardown),
+ cmocka_unit_test_setup_teardown(test_group_allow_empty,
+ simple_group_test_setup,
+ simple_group_test_teardown),
+ cmocka_unit_test_setup_teardown(test_group_deny_empty,
+ simple_group_test_setup,
+ simple_group_test_teardown),
+ cmocka_unit_test_setup_teardown(test_group_both_set,
+ simple_group_test_setup,
+ simple_group_test_teardown),
+ cmocka_unit_test_setup_teardown(test_group_deny_wrong_case,
+ simple_group_test_setup,
+ simple_group_test_teardown),
+ cmocka_unit_test_setup_teardown(test_group_allow_case_insensitive,
+ simple_group_test_setup,
+ simple_group_test_teardown),
+ cmocka_unit_test_setup_teardown(test_group_space,
+ simple_group_test_setup,
+ simple_group_test_teardown),
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */