1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Sumit Bose <sbose@redhat.com>
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include <check.h>
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdbool.h>
#include <krb5/krb5.h>
#include <kdb.h>
#include "ipa-kdb/ipa_kdb.h"
#define NFS_PRINC_STRING "nfs/fully.qualified.host.name@REALM.NAME"
#define NON_NFS_PRINC_STRING "abcdef/fully.qualified.host.name@REALM.NAME"
int krb5_klog_syslog(int l, const char *format, ...)
{
va_list ap;
char *s = NULL;
int ret;
va_start(ap, format);
ret = vasprintf(&s, format, ap);
va_end(ap);
if (ret < 0) {
/* ENOMEM */
return -1;
}
fprintf(stderr, "%s\n", s);
free(s);
return 0;
}
extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
bool *with_pac, bool *with_pad);
START_TEST(test_get_authz_data_types)
{
bool with_pac;
bool with_pad;
krb5_db_entry *entry;
struct ipadb_e_data *ied;
size_t c;
char *ad_none_only[] = {"NONE", NULL};
char *ad_pad_only[] = {"PAD", NULL};
char *ad_pac_only[] = {"MS-PAC", NULL};
char *ad_illegal_only[] = {"abc", NULL};
char *ad_pac_and_pad[] = {"MS-PAC", "PAD", NULL};
char *ad_pac_and_none[] = {"MS-PAC", "NONE", NULL};
char *ad_none_and_pad[] = {"NONE", "PAD", NULL};
char *ad_global_pac_nfs_none[] = {"MS-PAC", "nfs:NONE", NULL};
char *ad_global_pac_nfs_pad[] = {"MS-PAC", "nfs:PAD", NULL};
krb5_context krb5_ctx;
krb5_error_code kerr;
struct ipadb_context *ipa_ctx;
krb5_principal nfs_princ;
krb5_principal non_nfs_princ;
get_authz_data_types(NULL, NULL, NULL, NULL);
with_pad = true;
get_authz_data_types(NULL, NULL, NULL, &with_pad);
fail_unless(!with_pad, "with_pad not false with NULL inuput.");
with_pac = true;
get_authz_data_types(NULL, NULL, &with_pac, NULL);
fail_unless(!with_pac, "with_pac not false with NULL inuput.");
with_pad = true;
with_pac = true;
get_authz_data_types(NULL, NULL, &with_pac, &with_pad);
fail_unless(!with_pad, "with_pad not false with NULL inuput.");
fail_unless(!with_pac, "with_pac not false with NULL inuput.");
entry = calloc(1, sizeof(krb5_db_entry));
fail_unless(entry != NULL, "calloc krb5_db_entry failed.");
ied = calloc(1, sizeof(struct ipadb_e_data));
fail_unless(ied != NULL, "calloc struct ipadb_e_data failed.");
entry->e_data = (void *) ied;
kerr = krb5_init_context(&krb5_ctx);
fail_unless(kerr == 0, "krb5_init_context failed.");
kerr = krb5_db_setup_lib_handle(krb5_ctx);
fail_unless(kerr == 0, "krb5_db_setup_lib_handle failed.\n");
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
fail_unless(ipa_ctx != NULL, "calloc failed.\n");
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
fail_unless(kerr == 0, "krb5_db_set_context failed.\n");
kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
fail_unless(kerr == 0, "krb5_parse_name failed.");
kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ);
fail_unless(kerr == 0, "krb5_parse_name failed.");
struct test_set {
char **authz_data;
char **global_authz_data;
krb5_principal princ;
bool exp_with_pac;
bool exp_with_pad;
const char *err_msg;
} test_set[] = {
{ad_none_only, NULL, NULL, false, false, "with only NONE in entry"},
{ad_pac_only, NULL, NULL, true, false, "with only MS-PAC in entry"},
{ad_pad_only, NULL, NULL, false, true, "with only PAD in entry"},
{ad_illegal_only, NULL, NULL, false, false, "with only an invalid value in entry"},
{ad_pac_and_pad, NULL, NULL, true, true, "with MS-PAC and PAD in entry"},
{ad_pac_and_none, NULL, NULL, false, false, "with MS-PAC and NONE in entry"},
{ad_none_and_pad, NULL, NULL, false, false, "with NONE and PAD in entry"},
{NULL, ad_none_only, NULL, false, false, "with only NONE in global config"},
{NULL, ad_pac_only, NULL, true, false, "with only MS-PAC in global config"},
{NULL, ad_pad_only, NULL, false, true, "with only PAD in global config"},
{NULL, ad_illegal_only, NULL, false, false, "with only an invalid value in global config"},
{NULL, ad_pac_and_pad, NULL, true, true, "with MS-PAC and PAD in global config"},
{NULL, ad_pac_and_none, NULL, false, false, "with MS-PAC and NONE in global config"},
{NULL, ad_none_and_pad, NULL, false, false, "with NONE and PAD in global entry"},
{NULL, ad_global_pac_nfs_none, NULL, true, false, "with NULL principal and PAC and nfs:NONE in global entry"},
{NULL, ad_global_pac_nfs_none, nfs_princ, false, false, "with nfs principal and PAC and nfs:NONE in global entry"},
{NULL, ad_global_pac_nfs_none, non_nfs_princ, true, false, "with non-nfs principal and PAC and nfs:NONE in global entry"},
{NULL, ad_global_pac_nfs_pad, NULL, true, false, "with NULL principal and PAC and nfs:PAD in global entry"},
{NULL, ad_global_pac_nfs_pad, nfs_princ, false, true, "with nfs principal and PAC and nfs:PAD in global entry"},
{NULL, ad_global_pac_nfs_pad, non_nfs_princ, true, false, "with non-nfs principal and PAC and nfs:PAD in global entry"},
{ad_none_only, ad_pac_only, NULL, false, false, "with NONE overriding PAC in global entry"},
{ad_pad_only, ad_pac_only, NULL, false, true, "with PAC overriding PAC in global entry"},
{ad_illegal_only, ad_pac_only, NULL, false, false, "with invalid value overriding PAC in global entry"},
{ad_pac_and_pad, ad_pac_only, NULL, true, true, "with PAC and PAD overriding PAC in global entry"},
{ad_none_and_pad, ad_pac_only, NULL, false, false, "with NONE and PAD overriding PAC in global entry"},
{NULL, NULL, NULL, false, false, NULL}
};
for (c = 0; test_set[c].authz_data != NULL ||
test_set[c].global_authz_data != NULL; c++) {
ied->authz_data = test_set[c].authz_data;
ipa_ctx->authz_data = test_set[c].global_authz_data;
entry->princ = test_set[c].princ;
get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad);
fail_unless(with_pad == test_set[c].exp_with_pad, "with_pad not %s %s.",
test_set[c].exp_with_pad ? "true" : "false",
test_set[c].err_msg);
fail_unless(with_pac == test_set[c].exp_with_pac, "with_pac not %s %s.",
test_set[c].exp_with_pac ? "true" : "false",
test_set[c].err_msg);
}
krb5_free_principal(krb5_ctx, nfs_princ);
krb5_free_principal(krb5_ctx, non_nfs_princ);
krb5_db_fini(krb5_ctx);
krb5_free_context(krb5_ctx);
}
END_TEST
Suite * ipa_kdb_suite(void)
{
Suite *s = suite_create("IPA kdb");
TCase *tc_helper = tcase_create("Helper functions");
tcase_add_test(tc_helper, test_get_authz_data_types);
suite_add_tcase(s, tc_helper);
return s;
}
int main(void)
{
int number_failed;
Suite *s = ipa_kdb_suite ();
SRunner *sr = srunner_create (s);
srunner_run_all (sr, CK_VERBOSE);
number_failed = srunner_ntests_failed (sr);
srunner_free (sr);
return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}
|