summaryrefslogtreecommitdiffstats
path: root/src/tests/cmocka/test_certmap.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/tests/cmocka/test_certmap.c')
-rw-r--r--src/tests/cmocka/test_certmap.c853
1 files changed, 853 insertions, 0 deletions
diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
new file mode 100644
index 000000000..ab89db6ff
--- /dev/null
+++ b/src/tests/cmocka/test_certmap.c
@@ -0,0 +1,853 @@
+/*
+ SSSD
+
+ certmap - Tests for SSSD's certificate mapping library
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <popt.h>
+
+#include "lib/certmap/sss_certmap.h"
+#include "lib/certmap/sss_certmap_int.h"
+
+#include "util/crypto/sss_crypto.h"
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+
+struct priv_sss_debug {
+ int level;
+};
+
+void ext_debug(void *private, const char *file, long line, const char *function,
+ const char *format, ...)
+{
+ va_list ap;
+ struct priv_sss_debug *data = private;
+ int level = SSSDBG_OP_FAILURE;
+
+ if (data != NULL) {
+ level = data->level;
+ }
+
+ if (DEBUG_IS_SET(level)) {
+ va_start(ap, format);
+ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED,
+ format, ap);
+ va_end(ap);
+ }
+}
+
+static void test_sss_certmap_init(void **state)
+{
+ int ret;
+ struct sss_certmap_ctx *ctx;
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+
+ sss_certmap_free_ctx(ctx);
+}
+
+static struct sss_certmap_ctx *setup_prio(const int *l)
+{
+ int ret;
+ size_t c;
+ struct sss_certmap_ctx *ctx;
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+
+ for (c = 0; c < 10; c++) {
+ ret = sss_certmap_add_rule(ctx, l[c], NULL, NULL, NULL);
+ assert_int_equal(ret, EOK);
+ }
+
+ return ctx;
+}
+
+static void test_sss_certmap_add_rule(void **state)
+{
+ struct sss_certmap_ctx *ctx;
+ int i;
+ struct priority_list *p;
+ struct priority_list *last;
+ size_t c;
+
+ const int tests_a[][10] = {{0, 1, 2, 3, 4, 5, 6, 7, 8, 9},
+ {9, 8, 7, 6, 5, 4, 3, 2, 1, 0},
+ {1, 3, 5 ,7, 9, 0, 2, 4, 6, 8},
+ {0, 2, 4, 6, 8, 1, 3, 5, 7, 9},
+ {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
+
+ const int tests_b[][10] = {{0, 0, 0, 0, 1, 1, 1, 2, 2, 2},
+ {2, 2, 2, 1, 1, 1, 0, 0, 0, 0},
+ {0, 1, 2, 0, 1, 2, 0, 1, 2, 0},
+ {0, 2, 1, 0, 2, 1, 0, 2, 1, 0},
+ {0, 1, 2, 0, 2, 1, 0, 0, 1, 2},
+ {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
+
+ for (c = 0; tests_a[c][0] != 0 || tests_a[c][9] != 0; c++) {
+ ctx = setup_prio(tests_a[0]);
+ assert_non_null(ctx);
+ i = 0;
+ for (p = ctx->prio_list; p != NULL; p = p->next) {
+ assert_int_equal(i, p->priority);
+ assert_non_null(p->rule_list);
+ assert_int_equal(i, p->rule_list->priority);
+ assert_null(p->rule_list->prev);
+ assert_null(p->rule_list->next);
+ i++;
+ }
+
+ i = 9;
+ for (last = ctx->prio_list; last->next != NULL; last = last->next);
+ for (p = last; p != NULL; p = p->prev) {
+ assert_int_equal(i, p->priority);
+ assert_int_equal(i, p->rule_list->priority);
+ i--;
+ }
+
+ sss_certmap_free_ctx(ctx);
+ }
+ for (c = 0; tests_b[c][0] != 0 || tests_b[c][9] != 0; c++) {
+ ctx = setup_prio(tests_b[0]);
+ assert_non_null(ctx);
+ i = 0;
+ for (p = ctx->prio_list; p != NULL; p = p->next) {
+ assert_int_equal(i, p->priority);
+ assert_non_null(p->rule_list);
+ assert_int_equal(i, p->rule_list->priority);
+ assert_null(p->rule_list->prev);
+ assert_non_null(p->rule_list->next);
+ assert_ptr_equal(p->rule_list, p->rule_list->next->prev);
+ assert_non_null(p->rule_list->next->next);
+ assert_ptr_equal(p->rule_list->next,
+ p->rule_list->next->next->prev);
+ if (i == 0) {
+ assert_non_null(p->rule_list->next->next->next);
+ assert_ptr_equal(p->rule_list->next->next,
+ p->rule_list->next->next->next->prev);
+ assert_null(p->rule_list->next->next->next->next);
+ } else {
+ assert_null(p->rule_list->next->next->next);
+ }
+ i++;
+ }
+ sss_certmap_free_ctx(ctx);
+ }
+}
+
+static void test_sss_certmap_add_matching_rule(void **state)
+{
+ struct sss_certmap_ctx *ctx;
+ int ret;
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "fsdf", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "FDSF:fsdf", NULL, NULL);
+ assert_int_equal(ret, ESRCH);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<rgerge>", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "KRB5:<rgerge>", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<ISSUER>", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<SUBJECT>", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<KU>", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<KU>ddqwdq", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<KU>digitalSignature,dddq", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+
+ ret = sss_certmap_add_rule(ctx, 1, "<EKU>", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<EKU>dwqwqw", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<EKU>.", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<EKU>.1.2.3", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<EKU>1.2.3.", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<EKU>1.a.3", NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "<ISSUER>a", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, "&&<ISSUER>a", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, "KRB5:||<ISSUER>a", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_or);
+ assert_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, "KRB5:<ISSUER>a<SUBJECT>b", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_string_equal("b",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1000,
+ "KRB5:<ISSUER>a<SUBJECT>b<ISSUER>c<SUBJECT>d",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_string_equal("d",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->val);
+ assert_string_equal("b",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("c",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->next->val);
+
+ ret = sss_certmap_add_rule(ctx, 99,
+ "KRB5:<ISSUER>a<SUBJECT>b"
+ "<KU>dataEncipherment,cRLSign<ISSUER>c"
+ "<SUBJECT>d",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_string_equal("d",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->val);
+ assert_string_equal("b",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("c",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->ku);
+ assert_int_equal(SSS_KU_CRL_SIGN|SSS_KU_DATA_ENCIPHERMENT,
+ ctx->prio_list->rule_list->parsed_match_rule->ku->ku);
+
+ ret = sss_certmap_add_rule(ctx, 98,
+ "KRB5:<ISSUER>a<SUBJECT>b"
+ "<KU>dataEncipherment,cRLSign<ISSUER>c"
+ "<EKU>clientAuth,emailProtection"
+ "<SUBJECT>d",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_string_equal("d",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->val);
+ assert_string_equal("b",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("c",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->ku);
+ assert_int_equal(SSS_KU_CRL_SIGN|SSS_KU_DATA_ENCIPHERMENT,
+ ctx->prio_list->rule_list->parsed_match_rule->ku->ku);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku);
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.2",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.4",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_null(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[2]);
+
+ ret = sss_certmap_add_rule(ctx, 97,
+ "KRB5:<EKU>clientAuth,1.2.3,emailProtection",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku);
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.2",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.4",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_true(string_in_list("1.2.3",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_null(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[3]);
+
+ talloc_free(ctx);
+}
+
+const uint8_t test_cert_der[] = {
+0x30, 0x82, 0x04, 0x09, 0x30, 0x82, 0x02, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x09,
+0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30,
+0x34, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, 0x49, 0x50, 0x41, 0x2e,
+0x44, 0x45, 0x56, 0x45, 0x4c, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x15,
+0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
+0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x32, 0x38, 0x31,
+0x30, 0x32, 0x31, 0x31, 0x31, 0x5a, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x32, 0x38, 0x31, 0x30,
+0x32, 0x31, 0x31, 0x31, 0x5a, 0x30, 0x32, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a,
+0x0c, 0x09, 0x49, 0x50, 0x41, 0x2e, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06,
+0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x69, 0x70, 0x61, 0x2d, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2e,
+0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,
+0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
+0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb2, 0x32, 0x92, 0xab, 0x47, 0xb8,
+0x0c, 0x13, 0x54, 0x4a, 0x1f, 0x1e, 0x29, 0x06, 0xff, 0xd0, 0x50, 0xcb, 0xf7, 0x5f, 0x79, 0x91,
+0x65, 0xb1, 0x39, 0x01, 0x83, 0x6a, 0xad, 0x9e, 0x77, 0x3b, 0xf3, 0x0d, 0xd7, 0xb9, 0xf6, 0xdc,
+0x9e, 0x4a, 0x49, 0xa7, 0xd0, 0x66, 0x72, 0xcc, 0xbf, 0x77, 0xd6, 0xde, 0xa9, 0xfe, 0x67, 0x96,
+0xcc, 0x49, 0xf1, 0x37, 0x23, 0x2e, 0xc4, 0x50, 0xf4, 0xeb, 0xba, 0x62, 0xd4, 0x23, 0x4d, 0xf3,
+0x37, 0x38, 0x82, 0xee, 0x3b, 0x3f, 0x2c, 0xd0, 0x80, 0x9b, 0x17, 0xaa, 0x9b, 0xeb, 0xa6, 0xdd,
+0xf6, 0x15, 0xff, 0x06, 0xb2, 0xce, 0xff, 0xdf, 0x8a, 0x9e, 0x95, 0x85, 0x49, 0x1f, 0x84, 0xfd,
+0x81, 0x26, 0xce, 0x06, 0x32, 0x0d, 0x36, 0xca, 0x7c, 0x15, 0x81, 0x68, 0x6b, 0x8f, 0x3e, 0xb3,
+0xa2, 0xfc, 0xae, 0xaf, 0xc2, 0x44, 0x58, 0x15, 0x95, 0x40, 0xfc, 0x56, 0x19, 0x91, 0x80, 0xed,
+0x42, 0x11, 0x66, 0x04, 0xef, 0x3c, 0xe0, 0x76, 0x33, 0x4b, 0x83, 0xfa, 0x7e, 0xb4, 0x47, 0xdc,
+0xfb, 0xed, 0x46, 0xa5, 0x8d, 0x0a, 0x66, 0x87, 0xa5, 0xef, 0x7b, 0x74, 0x62, 0xac, 0xbe, 0x73,
+0x36, 0xc9, 0xb4, 0xfe, 0x20, 0xc4, 0x81, 0xf3, 0xfe, 0x78, 0x19, 0xa8, 0xd0, 0xaf, 0x7f, 0x81,
+0x72, 0x24, 0x61, 0xd9, 0x76, 0x93, 0xe3, 0x0b, 0xd2, 0x4f, 0x19, 0x17, 0x33, 0x57, 0xd4, 0x82,
+0xb0, 0xf1, 0xa8, 0x03, 0xf6, 0x01, 0x99, 0xa9, 0xb8, 0x8c, 0x83, 0xc9, 0xba, 0x19, 0x87, 0xea,
+0xd6, 0x3b, 0x06, 0xeb, 0x4c, 0xf7, 0xf1, 0xe5, 0x28, 0xa9, 0x10, 0xb6, 0x46, 0xde, 0xe1, 0xe1,
+0x3f, 0xc1, 0xcc, 0x72, 0xbe, 0x2a, 0x43, 0xc6, 0xf6, 0xd0, 0xb5, 0xa0, 0xc4, 0x24, 0x6e, 0x4f,
+0xbd, 0xec, 0x22, 0x8a, 0x07, 0x11, 0x3d, 0xf9, 0xd3, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
+0x82, 0x01, 0x26, 0x30, 0x82, 0x01, 0x22, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18,
+0x30, 0x16, 0x80, 0x14, 0xf2, 0x9d, 0x42, 0x4e, 0x0f, 0xc4, 0x48, 0x25, 0x58, 0x2f, 0x1c, 0xce,
+0x0f, 0xa1, 0x3f, 0x22, 0xc8, 0x55, 0xc8, 0x91, 0x30, 0x3b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+0x05, 0x07, 0x01, 0x01, 0x04, 0x2f, 0x30, 0x2d, 0x30, 0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+0x05, 0x07, 0x30, 0x01, 0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x69, 0x70, 0x61,
+0x2d, 0x63, 0x61, 0x2e, 0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2f, 0x63, 0x61,
+0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04,
+0x04, 0x03, 0x02, 0x04, 0xf0, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
+0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+0x05, 0x07, 0x03, 0x02, 0x30, 0x74, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x6d, 0x30, 0x6b, 0x30,
+0x69, 0xa0, 0x31, 0xa0, 0x2f, 0x86, 0x2d, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x69, 0x70,
+0x61, 0x2d, 0x63, 0x61, 0x2e, 0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2f, 0x69,
+0x70, 0x61, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x43, 0x52, 0x4c,
+0x2e, 0x62, 0x69, 0x6e, 0xa2, 0x34, 0xa4, 0x32, 0x30, 0x30, 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x03,
+0x55, 0x04, 0x0a, 0x0c, 0x05, 0x69, 0x70, 0x61, 0x63, 0x61, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03,
+0x55, 0x04, 0x03, 0x0c, 0x15, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
+0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
+0x0e, 0x04, 0x16, 0x04, 0x14, 0x2d, 0x2b, 0x3f, 0xcb, 0xf5, 0xb2, 0xff, 0x32, 0x2c, 0xa8, 0xc2,
+0x1c, 0xdd, 0xbd, 0x8c, 0x80, 0x1e, 0xdd, 0x31, 0x82, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x9a, 0x47, 0x2e,
+0x50, 0xa7, 0x4d, 0x1d, 0x53, 0x0f, 0xc9, 0x71, 0x42, 0x0c, 0xe5, 0xda, 0x7d, 0x49, 0x64, 0xe7,
+0xab, 0xc8, 0xdf, 0xdf, 0x02, 0xc1, 0x87, 0xd1, 0x5b, 0xde, 0xda, 0x6f, 0x2b, 0xe4, 0xf0, 0xbe,
+0xba, 0x09, 0xdf, 0x02, 0x85, 0x0b, 0x8a, 0xe6, 0x9b, 0x06, 0x7d, 0x69, 0x38, 0x6c, 0x72, 0xff,
+0x4c, 0x7b, 0x2a, 0x0d, 0x3f, 0x23, 0x2f, 0x16, 0x46, 0xff, 0x05, 0x93, 0xb0, 0xea, 0x24, 0x28,
+0xd7, 0x12, 0xa1, 0x57, 0xb8, 0x59, 0x19, 0x25, 0xf3, 0x43, 0x0a, 0xd3, 0xfd, 0x0f, 0x37, 0x8d,
+0xb8, 0xca, 0x15, 0xe7, 0x48, 0x8a, 0xa0, 0xc7, 0xc7, 0x4b, 0x7f, 0x01, 0x3c, 0x58, 0xd7, 0x37,
+0xe5, 0xff, 0x7d, 0x2b, 0x01, 0xac, 0x0d, 0x9f, 0x51, 0x6a, 0xe5, 0x40, 0x24, 0xe6, 0x5e, 0x55,
+0x0d, 0xf7, 0xb8, 0x2f, 0x42, 0xac, 0x6d, 0xe5, 0x29, 0x6b, 0xc6, 0x0b, 0xa4, 0xbf, 0x19, 0xbd,
+0x39, 0x27, 0xee, 0xfe, 0xc5, 0xb3, 0xdb, 0x62, 0xd4, 0xbe, 0xd2, 0x47, 0xba, 0x96, 0x30, 0x5a,
+0xfd, 0x62, 0x00, 0xb8, 0x27, 0x5d, 0x2f, 0x3a, 0x94, 0x0b, 0x95, 0x35, 0x85, 0x40, 0x2c, 0xbc,
+0x67, 0xdf, 0x8a, 0xf9, 0xf1, 0x7b, 0x19, 0x96, 0x3e, 0x42, 0x48, 0x13, 0x23, 0x04, 0x95, 0xa9,
+0x6b, 0x11, 0x33, 0x81, 0x47, 0x5a, 0x83, 0x72, 0xf6, 0x20, 0xfa, 0x8e, 0x41, 0x7b, 0x8f, 0x77,
+0x47, 0x7c, 0xc7, 0x5d, 0x46, 0xf4, 0x4f, 0xfd, 0x81, 0x0a, 0xae, 0x39, 0x27, 0xb6, 0x6a, 0x26,
+0x63, 0xb1, 0xd3, 0xbf, 0x55, 0x83, 0x82, 0x9b, 0x36, 0x6c, 0x33, 0x64, 0x0f, 0x50, 0xc0, 0x55,
+0x94, 0x13, 0xc3, 0x85, 0xf4, 0xd5, 0x71, 0x65, 0xd0, 0xc0, 0xdd, 0xfc, 0xe6, 0xec, 0x9c, 0x5b,
+0xf0, 0x11, 0xb5, 0x2c, 0xf3, 0x48, 0xc1, 0x36, 0x8c, 0xa2, 0x96, 0x48, 0x84};
+
+void test_sss_cert_get_content(void **state)
+{
+ int ret;
+ struct sss_cert_content *content;
+
+ ret = sss_cert_get_content(NULL, test_cert_der, sizeof(test_cert_der),
+ &content);
+ assert_int_equal(ret , 0);
+ assert_non_null(content);
+ assert_non_null(content->issuer_str);
+ assert_string_equal(content->issuer_str, "CN=Certificate Authority,O=IPA.DEVEL");
+ assert_non_null(content->subject_str);
+ assert_string_equal(content->subject_str, "CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_int_equal(content->key_usage, SSS_KU_DIGITAL_SIGNATURE
+ |SSS_KU_NON_REPUDIATION
+ |SSS_KU_KEY_ENCIPHERMENT
+ |SSS_KU_DATA_ENCIPHERMENT);
+ assert_non_null(content->extended_key_usage_oids);
+ assert_non_null(content->extended_key_usage_oids[0]);
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.1",
+ discard_const(content->extended_key_usage_oids), true));
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.2",
+ discard_const(content->extended_key_usage_oids), true));
+ assert_null(content->extended_key_usage_oids[2]);
+ assert_int_equal(content->cert_der_size, sizeof(test_cert_der));
+ assert_memory_equal(content->cert_der, test_cert_der, sizeof(test_cert_der));
+
+ assert_non_null(content->issuer_rdn_list);
+ assert_string_equal(content->issuer_rdn_list[0], "O=IPA.DEVEL");
+ assert_string_equal(content->issuer_rdn_list[1], "CN=Certificate Authority");
+ assert_null(content->issuer_rdn_list[2]);
+
+ assert_non_null(content->subject_rdn_list);
+ assert_string_equal(content->subject_rdn_list[0], "O=IPA.DEVEL");
+ assert_string_equal(content->subject_rdn_list[1], "CN=ipa-devel.ipa.devel");
+ assert_null(content->subject_rdn_list[2]);
+
+
+ talloc_free(content);
+}
+
+static void test_sss_certmap_match_cert(void **state)
+{
+ struct sss_certmap_ctx *ctx;
+ int ret;
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "KRB5:<ISSUER>xyz<SUBJECT>xyz",
+ NULL, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_certmap_match_cert(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der));
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_certmap_add_rule(ctx, 1,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ NULL, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_certmap_match_cert(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der));
+ assert_int_equal(ret, 0);
+
+ sss_certmap_free_ctx(ctx);
+}
+
+static void test_sss_certmap_add_mapping_rule(void **state)
+{
+ struct sss_certmap_ctx *ctx;
+ int ret;
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "FWEAWEF:fwefwe", NULL);
+ assert_int_equal(ret, ESRCH);
+
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "LDAP:abc", NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule->list);
+ assert_int_equal(comp_string,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->type);
+ assert_string_equal("abc",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "LDAP:abc{issuer_dn}", NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule->list);
+ assert_int_equal(comp_string,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->type);
+ assert_string_equal("abc",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->val);
+ assert_int_equal(comp_template,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->type);
+ assert_string_equal("issuer_dn",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "{issuer_dn}a:b{{c}}", NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule->list);
+ assert_int_equal(comp_template,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->type);
+ assert_string_equal("issuer_dn",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->val);
+ assert_int_equal(comp_string,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->type);
+ assert_string_equal("a:b{c}",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "LDAP:{issuer_dn}{subject_dn}",
+ NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule->list);
+ assert_int_equal(comp_template,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->type);
+ assert_string_equal("issuer_dn",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->val);
+ assert_int_equal(comp_template,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->type);
+ assert_string_equal("subject_dn",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->val);
+ talloc_free(ctx);
+}
+
+#define TEST_CERT_BIN \
+ "\\30\\82\\04\\09\\30\\82\\02\\f1\\a0\\03\\02\\01\\02\\02\\01\\09" \
+ "\\30\\0d\\06\\09\\2a\\86\\48\\86\\f7\\0d\\01\\01\\0b\\05\\00\\30" \
+ "\\34\\31\\12\\30\\10\\06\\03\\55\\04\\0a\\0c\\09\\49\\50\\41\\2e" \
+ "\\44\\45\\56\\45\\4c\\31\\1e\\30\\1c\\06\\03\\55\\04\\03\\0c\\15" \
+ "\\43\\65\\72\\74\\69\\66\\69\\63\\61\\74\\65\\20\\41\\75\\74\\68" \
+ "\\6f\\72\\69\\74\\79\\30\\1e\\17\\0d\\31\\35\\30\\34\\32\\38\\31" \
+ "\\30\\32\\31\\31\\31\\5a\\17\\0d\\31\\37\\30\\34\\32\\38\\31\\30" \
+ "\\32\\31\\31\\31\\5a\\30\\32\\31\\12\\30\\10\\06\\03\\55\\04\\0a" \
+ "\\0c\\09\\49\\50\\41\\2e\\44\\45\\56\\45\\4c\\31\\1c\\30\\1a\\06" \
+ "\\03\\55\\04\\03\\0c\\13\\69\\70\\61\\2d\\64\\65\\76\\65\\6c\\2e" \
+ "\\69\\70\\61\\2e\\64\\65\\76\\65\\6c\\30\\82\\01\\22\\30\\0d\\06" \
+ "\\09\\2a\\86\\48\\86\\f7\\0d\\01\\01\\01\\05\\00\\03\\82\\01\\0f" \
+ "\\00\\30\\82\\01\\0a\\02\\82\\01\\01\\00\\b2\\32\\92\\ab\\47\\b8" \
+ "\\0c\\13\\54\\4a\\1f\\1e\\29\\06\\ff\\d0\\50\\cb\\f7\\5f\\79\\91" \
+ "\\65\\b1\\39\\01\\83\\6a\\ad\\9e\\77\\3b\\f3\\0d\\d7\\b9\\f6\\dc" \
+ "\\9e\\4a\\49\\a7\\d0\\66\\72\\cc\\bf\\77\\d6\\de\\a9\\fe\\67\\96" \
+ "\\cc\\49\\f1\\37\\23\\2e\\c4\\50\\f4\\eb\\ba\\62\\d4\\23\\4d\\f3" \
+ "\\37\\38\\82\\ee\\3b\\3f\\2c\\d0\\80\\9b\\17\\aa\\9b\\eb\\a6\\dd" \
+ "\\f6\\15\\ff\\06\\b2\\ce\\ff\\df\\8a\\9e\\95\\85\\49\\1f\\84\\fd" \
+ "\\81\\26\\ce\\06\\32\\0d\\36\\ca\\7c\\15\\81\\68\\6b\\8f\\3e\\b3" \
+ "\\a2\\fc\\ae\\af\\c2\\44\\58\\15\\95\\40\\fc\\56\\19\\91\\80\\ed" \
+ "\\42\\11\\66\\04\\ef\\3c\\e0\\76\\33\\4b\\83\\fa\\7e\\b4\\47\\dc" \
+ "\\fb\\ed\\46\\a5\\8d\\0a\\66\\87\\a5\\ef\\7b\\74\\62\\ac\\be\\73" \
+ "\\36\\c9\\b4\\fe\\20\\c4\\81\\f3\\fe\\78\\19\\a8\\d0\\af\\7f\\81" \
+ "\\72\\24\\61\\d9\\76\\93\\e3\\0b\\d2\\4f\\19\\17\\33\\57\\d4\\82" \
+ "\\b0\\f1\\a8\\03\\f6\\01\\99\\a9\\b8\\8c\\83\\c9\\ba\\19\\87\\ea" \
+ "\\d6\\3b\\06\\eb\\4c\\f7\\f1\\e5\\28\\a9\\10\\b6\\46\\de\\e1\\e1" \
+ "\\3f\\c1\\cc\\72\\be\\2a\\43\\c6\\f6\\d0\\b5\\a0\\c4\\24\\6e\\4f" \
+ "\\bd\\ec\\22\\8a\\07\\11\\3d\\f9\\d3\\15\\02\\03\\01\\00\\01\\a3" \
+ "\\82\\01\\26\\30\\82\\01\\22\\30\\1f\\06\\03\\55\\1d\\23\\04\\18" \
+ "\\30\\16\\80\\14\\f2\\9d\\42\\4e\\0f\\c4\\48\\25\\58\\2f\\1c\\ce" \
+ "\\0f\\a1\\3f\\22\\c8\\55\\c8\\91\\30\\3b\\06\\08\\2b\\06\\01\\05" \
+ "\\05\\07\\01\\01\\04\\2f\\30\\2d\\30\\2b\\06\\08\\2b\\06\\01\\05" \
+ "\\05\\07\\30\\01\\86\\1f\\68\\74\\74\\70\\3a\\2f\\2f\\69\\70\\61" \
+ "\\2d\\63\\61\\2e\\69\\70\\61\\2e\\64\\65\\76\\65\\6c\\2f\\63\\61" \
+ "\\2f\\6f\\63\\73\\70\\30\\0e\\06\\03\\55\\1d\\0f\\01\\01\\ff\\04" \
+ "\\04\\03\\02\\04\\f0\\30\\1d\\06\\03\\55\\1d\\25\\04\\16\\30\\14" \
+ "\\06\\08\\2b\\06\\01\\05\\05\\07\\03\\01\\06\\08\\2b\\06\\01\\05" \
+ "\\05\\07\\03\\02\\30\\74\\06\\03\\55\\1d\\1f\\04\\6d\\30\\6b\\30" \
+ "\\69\\a0\\31\\a0\\2f\\86\\2d\\68\\74\\74\\70\\3a\\2f\\2f\\69\\70" \
+ "\\61\\2d\\63\\61\\2e\\69\\70\\61\\2e\\64\\65\\76\\65\\6c\\2f\\69" \
+ "\\70\\61\\2f\\63\\72\\6c\\2f\\4d\\61\\73\\74\\65\\72\\43\\52\\4c" \
+ "\\2e\\62\\69\\6e\\a2\\34\\a4\\32\\30\\30\\31\\0e\\30\\0c\\06\\03" \
+ "\\55\\04\\0a\\0c\\05\\69\\70\\61\\63\\61\\31\\1e\\30\\1c\\06\\03" \
+ "\\55\\04\\03\\0c\\15\\43\\65\\72\\74\\69\\66\\69\\63\\61\\74\\65" \
+ "\\20\\41\\75\\74\\68\\6f\\72\\69\\74\\79\\30\\1d\\06\\03\\55\\1d" \
+ "\\0e\\04\\16\\04\\14\\2d\\2b\\3f\\cb\\f5\\b2\\ff\\32\\2c\\a8\\c2" \
+ "\\1c\\dd\\bd\\8c\\80\\1e\\dd\\31\\82\\30\\0d\\06\\09\\2a\\86\\48" \
+ "\\86\\f7\\0d\\01\\01\\0b\\05\\00\\03\\82\\01\\01\\00\\9a\\47\\2e" \
+ "\\50\\a7\\4d\\1d\\53\\0f\\c9\\71\\42\\0c\\e5\\da\\7d\\49\\64\\e7" \
+ "\\ab\\c8\\df\\df\\02\\c1\\87\\d1\\5b\\de\\da\\6f\\2b\\e4\\f0\\be" \
+ "\\ba\\09\\df\\02\\85\\0b\\8a\\e6\\9b\\06\\7d\\69\\38\\6c\\72\\ff" \
+ "\\4c\\7b\\2a\\0d\\3f\\23\\2f\\16\\46\\ff\\05\\93\\b0\\ea\\24\\28" \
+ "\\d7\\12\\a1\\57\\b8\\59\\19\\25\\f3\\43\\0a\\d3\\fd\\0f\\37\\8d" \
+ "\\b8\\ca\\15\\e7\\48\\8a\\a0\\c7\\c7\\4b\\7f\\01\\3c\\58\\d7\\37" \
+ "\\e5\\ff\\7d\\2b\\01\\ac\\0d\\9f\\51\\6a\\e5\\40\\24\\e6\\5e\\55" \
+ "\\0d\\f7\\b8\\2f\\42\\ac\\6d\\e5\\29\\6b\\c6\\0b\\a4\\bf\\19\\bd" \
+ "\\39\\27\\ee\\fe\\c5\\b3\\db\\62\\d4\\be\\d2\\47\\ba\\96\\30\\5a" \
+ "\\fd\\62\\00\\b8\\27\\5d\\2f\\3a\\94\\0b\\95\\35\\85\\40\\2c\\bc" \
+ "\\67\\df\\8a\\f9\\f1\\7b\\19\\96\\3e\\42\\48\\13\\23\\04\\95\\a9" \
+ "\\6b\\11\\33\\81\\47\\5a\\83\\72\\f6\\20\\fa\\8e\\41\\7b\\8f\\77" \
+ "\\47\\7c\\c7\\5d\\46\\f4\\4f\\fd\\81\\0a\\ae\\39\\27\\b6\\6a\\26" \
+ "\\63\\b1\\d3\\bf\\55\\83\\82\\9b\\36\\6c\\33\\64\\0f\\50\\c0\\55" \
+ "\\94\\13\\c3\\85\\f4\\d5\\71\\65\\d0\\c0\\dd\\fc\\e6\\ec\\9c\\5b" \
+ "\\f0\\11\\b5\\2c\\f3\\48\\c1\\36\\8c\\a2\\96\\48\\84"
+static void test_sss_certmap_get_search_filter(void **state)
+{
+ int ret;
+ struct sss_certmap_ctx *ctx;
+ char *filter;
+ char **domains;
+ const char *dom_list[] = {"test.dom", NULL};
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 100,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:<I>{issuer_dn}<S>{subject_dn}", NULL);
+ assert_int_equal(ret, 0);
+
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "<I>CN=Certificate Authority,O=IPA.DEVEL"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_null(domains);
+
+ ret = sss_certmap_add_rule(ctx, 99,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:<I>{issuer_dn}<S>{subject_dn}", dom_list);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "<I>CN=Certificate Authority,O=IPA.DEVEL"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_add_rule(ctx, 98,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:userCertificate;binary={cert!bin}", dom_list);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "userCertificate;binary=" TEST_CERT_BIN);
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_add_rule(ctx, 97,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:<I>{issuer_dn!x500}<S>{subject_dn}",
+ dom_list);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "<I>O=IPA.DEVEL,CN=Certificate Authority"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_add_rule(ctx, 96,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:<I>{issuer_dn!x500}<S>{subject_dn!x500}",
+ dom_list);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "<I>O=IPA.DEVEL,CN=Certificate Authority"
+ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_add_rule(ctx, 95,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "userCertificate;binary=" TEST_CERT_BIN);
+ assert_null(domains);
+
+ sss_certmap_free_ctx(ctx);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_sss_certmap_init),
+ cmocka_unit_test(test_sss_certmap_add_rule),
+ cmocka_unit_test(test_sss_certmap_add_matching_rule),
+ cmocka_unit_test(test_sss_cert_get_content),
+ cmocka_unit_test(test_sss_certmap_match_cert),
+ cmocka_unit_test(test_sss_certmap_add_mapping_rule),
+ cmocka_unit_test(test_sss_certmap_get_search_filter),
+ };
+
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rv;
+}
generated by cgit (git 2.34.1) at 2024-09-26 20:19:05 +0000