test_ad_common.c revision 63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger/*
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger Authors:
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger Jakub Hrozek <jhrozek@redhat.com>
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger Copyright (C) 2013 Red Hat
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger SSSD tests: AD access control filter tests
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
802014878b7383de536e4fa0ceced1bce3217eadDaniel Couto Vale This program is free software; you can redistribute it and/or modify
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger it under the terms of the GNU General Public License as published by
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger the Free Software Foundation; either version 3 of the License, or
e2586f58230ac2938db5ee91191108988b206e2fEugen Kuksa (at your option) any later version.
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
492757fbefce7e6aee4a7515983a44d19a542ccchardik This program is distributed in the hope that it will be useful,
7daf1bcad83f7bcb6f4e1076f925664bbd2d4f36hardik but WITHOUT ANY WARRANTY; without even the implied warranty of
492757fbefce7e6aee4a7515983a44d19a542ccchardik MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7daf1bcad83f7bcb6f4e1076f925664bbd2d4f36hardik GNU General Public License for more details.
ea882c814a23a8acf059ae9e0e49e7a35ddba148hardik
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger You should have received a copy of the GNU General Public License
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger along with this program. If not, see <http://www.gnu.org/licenses/>.
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger*/
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#include <talloc.h>
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#include <tevent.h>
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#include <errno.h>
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#include <popt.h>
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#include <unistd.h>
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include <sys/types.h>
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include <ifaddrs.h>
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include <arpa/inet.h>
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include "providers/ad/ad_pac.h"
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include "util/crypto/sss_crypto.h"
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include "util/util_sss_idmap.h"
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa
54e3222dbd97122749ba5bac2a10d9d6ba1a2283Eugen Kuksa/* In order to access opaque types */
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include "providers/ad/ad_common.c"
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include "tests/cmocka/common_mock.h"
d6cf50ae9519bdb5252081061b3d6a7e0ccde20bEugen Kuksa#include "tests/cmocka/common_mock_krb5.h"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define DOMNAME "domname"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define SUBDOMNAME "sub."DOMNAME
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define REALMNAME DOMNAME
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define HOST_NAME "ad."REALMNAME
7e1eade6e5b88f9a1efa7d3cef366d973ddc1ee4Eugen Kuksa
7e1eade6e5b88f9a1efa7d3cef366d973ddc1ee4Eugen Kuksa#define TESTS_PATH "tp_" BASE_FILE_STEM
7e1eade6e5b88f9a1efa7d3cef366d973ddc1ee4Eugen Kuksa#define TEST_AUTHID "host/"HOST_NAME
7e1eade6e5b88f9a1efa7d3cef366d973ddc1ee4Eugen Kuksa#define KEYTAB_TEST_PRINC TEST_AUTHID"@"REALMNAME
cf6b6be762502d02736a68d9c94fa3cc9977e474Tim Reddehase#define KEYTAB_PATH TESTS_PATH"/keytab_test.keytab"
cf6b6be762502d02736a68d9c94fa3cc9977e474Tim Reddehase
cf6b6be762502d02736a68d9c94fa3cc9977e474Tim Reddehase#define ONEWAY_DOMNAME "ONEWAY"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define ONEWAY_HOST_NAME "ad."ONEWAY_DOMNAME
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define ONEWAY_KEYTAB_PATH TESTS_PATH"/oneway_test.keytab"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define ONEWAY_AUTHID "host/"ONEWAY_HOST_NAME
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define ONEWAY_TEST_PRINC ONEWAY_AUTHID"@"ONEWAY_DOMNAME
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define TESTS_PATH "tp_" BASE_FILE_STEM
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define TEST_CONF_DB "test_ad_sysdb.ldb"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define TEST_ID_PROVIDER "ad"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define TEST_DOM1_NAME "test_sysdb_subdomains_1"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define TEST_DOM2_NAME "child2.test_sysdb_subdomains_2"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger#define TEST_USER "test_user"
736e78aff9e67436c35d4835c24fca667f3cadf3Julian Kornberger
555b7fd96768daf9592e7ddbd4217d784b08e451henning muellerstatic bool call_real_sasl_options;
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksa
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksaconst char *domains[] = { TEST_DOM1_NAME,
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksa TEST_DOM2_NAME,
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksa NULL };
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksastruct ad_sysdb_test_ctx {
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksa struct sss_test_ctx *tctx;
583cfb88a9eb83c4e7691eb3dbd66247b643229fEugen Kuksa};
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksa
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksastatic int test_ad_sysdb_setup(void **state)
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksa{
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksa struct ad_sysdb_test_ctx *test_ctx;
250e5c1ec05ffb6d1b933f913c3c65934b206957Eugen Kuksa struct sss_test_conf_param params[] = {
250e5c1ec05ffb6d1b933f913c3c65934b206957Eugen Kuksa { NULL, NULL }, /* Sentinel */
2f0eba71c311b096362f3603d17addad30213c4dEugen Kuksa };
e5b8591fc3e19ccd4a33757ebcabff27b4ca01ceEugen Kuksa
815d84cbac89ad1cb14135028f3fea1d1d44a75fEugen Kuksa assert_true(leak_check_setup());
815d84cbac89ad1cb14135028f3fea1d1d44a75fEugen Kuksa
815d84cbac89ad1cb14135028f3fea1d1d44a75fEugen Kuksa test_ctx = talloc_zero(global_talloc_context,
815d84cbac89ad1cb14135028f3fea1d1d44a75fEugen Kuksa struct ad_sysdb_test_ctx);
815d84cbac89ad1cb14135028f3fea1d1d44a75fEugen Kuksa assert_non_null(test_ctx);
815d84cbac89ad1cb14135028f3fea1d1d44a75fEugen Kuksa
815d84cbac89ad1cb14135028f3fea1d1d44a75fEugen Kuksa test_dom_suite_setup(TESTS_PATH);
815d84cbac89ad1cb14135028f3fea1d1d44a75fEugen Kuksa
b27c7f227c8516589a2bd127c0f74338cf56f0b2Julian Kornberger test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
b27c7f227c8516589a2bd127c0f74338cf56f0b2Julian Kornberger TEST_CONF_DB, domains,
402d5f74ba78451acf2ccda16b41398535028a3bEugen Kuksa TEST_ID_PROVIDER, params);
cf5a6d3745ac43a950c2315b07a1713bae300a97Tim Reddehase assert_non_null(test_ctx->tctx);
cf5a6d3745ac43a950c2315b07a1713bae300a97Tim Reddehase
cf5a6d3745ac43a950c2315b07a1713bae300a97Tim Reddehase *state = test_ctx;
2244a7dffeed06ee129d0c94648c6a47615a7a0aEugen Kuksa return 0;
2244a7dffeed06ee129d0c94648c6a47615a7a0aEugen Kuksa}
2244a7dffeed06ee129d0c94648c6a47615a7a0aEugen Kuksa
2244a7dffeed06ee129d0c94648c6a47615a7a0aEugen Kuksastatic int test_ad_sysdb_teardown(void **state)
2244a7dffeed06ee129d0c94648c6a47615a7a0aEugen Kuksa{
2244a7dffeed06ee129d0c94648c6a47615a7a0aEugen Kuksa struct ad_sysdb_test_ctx *test_ctx =
2244a7dffeed06ee129d0c94648c6a47615a7a0aEugen Kuksa talloc_get_type(*state, struct ad_sysdb_test_ctx);
b27c7f227c8516589a2bd127c0f74338cf56f0b2Julian Kornberger
555b7fd96768daf9592e7ddbd4217d784b08e451henning mueller test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
555b7fd96768daf9592e7ddbd4217d784b08e451henning mueller talloc_free(test_ctx);
555b7fd96768daf9592e7ddbd4217d784b08e451henning mueller assert_true(leak_check_teardown());
555b7fd96768daf9592e7ddbd4217d784b08e451henning mueller return 0;
555b7fd96768daf9592e7ddbd4217d784b08e451henning mueller}
555b7fd96768daf9592e7ddbd4217d784b08e451henning mueller
7b8fe34340b2727bb31fe0be67fdf684e47c3609Tim Reddehasestatic void test_check_if_pac_is_available(void **state)
7b8fe34340b2727bb31fe0be67fdf684e47c3609Tim Reddehase{
1cbb38d1d07f559b4a1c012a4833513053716007Daniel Couto Vale int ret;
1cbb38d1d07f559b4a1c012a4833513053716007Daniel Couto Vale struct ad_sysdb_test_ctx *test_ctx =
7cd362a86385a020b8c674cf9199771ae3267359henning mueller talloc_get_type(*state, struct ad_sysdb_test_ctx);
7cd362a86385a020b8c674cf9199771ae3267359henning mueller struct be_acct_req *ar;
291d5c781e5ce4a7c15cfb16fa4a800177135b3ehenning mueller struct ldb_message *msg = NULL;
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski struct sysdb_attrs *attrs;
2635b9bca67d93aec1bed63d10d5f92fefce06e7Till Mossakowski
0c07cc350bdb8afe9b01b4340b33d89500a43106Till Mossakowski ret = check_if_pac_is_available(NULL, NULL, NULL, NULL);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, EINVAL);
0c07cc350bdb8afe9b01b4340b33d89500a43106Till Mossakowski
0c07cc350bdb8afe9b01b4340b33d89500a43106Till Mossakowski ar = talloc_zero(test_ctx, struct be_acct_req);
0c07cc350bdb8afe9b01b4340b33d89500a43106Till Mossakowski assert_non_null(ar);
2635b9bca67d93aec1bed63d10d5f92fefce06e7Till Mossakowski
2635b9bca67d93aec1bed63d10d5f92fefce06e7Till Mossakowski ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg);
2635b9bca67d93aec1bed63d10d5f92fefce06e7Till Mossakowski assert_int_equal(ret, EINVAL);
2635b9bca67d93aec1bed63d10d5f92fefce06e7Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ar->filter_type = BE_FILTER_NAME;
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ar->filter_value = discard_const(TEST_USER);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, ENOENT);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = sysdb_add_user(test_ctx->tctx->dom, TEST_USER, 123, 456, NULL, NULL,
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski NULL, NULL, NULL, 0, 0);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, EOK);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, ENOENT);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski attrs = sysdb_new_attrs(test_ctx);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_non_null(attrs);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = sysdb_attrs_add_string(attrs, SYSDB_PAC_BLOB, "pac");
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, EOK);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = sysdb_set_user_attr(test_ctx->tctx->dom, TEST_USER, attrs,
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski SYSDB_MOD_REP);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski /* PAC available but too old */
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, ENOENT);
5ad93833caec560945adbce7b6f1342ef731ae83henning mueller
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski talloc_free(attrs);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski attrs = sysdb_new_attrs(test_ctx);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_non_null(attrs);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
0c07cc350bdb8afe9b01b4340b33d89500a43106Till Mossakowski ret = sysdb_attrs_add_time_t(attrs, SYSDB_PAC_BLOB_EXPIRE, 123);
0c07cc350bdb8afe9b01b4340b33d89500a43106Till Mossakowski assert_int_equal(ret, EOK);
0c07cc350bdb8afe9b01b4340b33d89500a43106Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = sysdb_set_user_attr(test_ctx->tctx->dom, TEST_USER, attrs,
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski SYSDB_MOD_REP);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski /* PAC available but still too old */
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, ENOENT);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski talloc_free(attrs);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski attrs = sysdb_new_attrs(test_ctx);
291d5c781e5ce4a7c15cfb16fa4a800177135b3ehenning mueller assert_non_null(attrs);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = sysdb_attrs_add_time_t(attrs, SYSDB_PAC_BLOB_EXPIRE, time(NULL) + 10);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, EOK);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = sysdb_set_user_attr(test_ctx->tctx->dom, TEST_USER, attrs,
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski SYSDB_MOD_REP);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski /* PAC available but still too old */
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_int_equal(ret, EOK);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_non_null(msg);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski assert_string_equal(ldb_msg_find_attr_as_string(msg, SYSDB_NAME, "x"),
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski TEST_USER);
1543bf02d52779c4bc29f75de1de4d14636d0e47Till Mossakowski
talloc_free(attrs);
talloc_free(ar);
}
#define TEST_PAC_BASE64 \
"BQAAAAAAAAABAAAA6AEAAFgAAAAAAAAACgAAABAAAABAAgAAAA" \
"AAAAwAAAA4AAAAUAIAAAAAAAAGAAAAFAAAAIgCAAAAAAAABwAA" \
"ABQAAACgAgAAAAAAAAEQCADMzMzM2AEAAAAAAAAAAAIA2hr35p" \
"Ji0QH/////////f/////////9/4veKrwAP0AHit/TZyQ/QAf//" \
"//////9/BgAGAAQAAgAGAAYACAACAAAAAAAMAAIAAAAAABAAAg" \
"AAAAAAFAACAAAAAAAYAAIATwAAAFAEAAABAgAABQAAABwAAgAg" \
"AAAAAAAAAAAAAAAAAAAAAAAAABIAFAAgAAIABAAGACQAAgAoAA" \
"IAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAEAAAAsAAIAAAAAAAAAAAAAAAAAAwAAAAAAAAADAAAAdA" \
"B1ADEAAAADAAAAAAAAAAMAAAB0ACAAdQAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"UAAAD9ogAABwAAAAECAAAHAAAAXAQAAAcAAABWBAAABwAAAImm" \
"AAAHAAAACgAAAAAAAAAJAAAAQQBEAC0AUwBFAFIAVgBFAFIAAA" \
"ADAAAAAAAAAAIAAABBAEQABAAAAAEEAAAAAAAFFQAAAPgSE9xH" \
"8xx2Ry8u1wEAAAAwAAIABwAAAAUAAAABBQAAAAAABRUAAAApyU" \
"/ZwjzDeDZVh/hUBAAAgD5SqNxk0QEGAHQAdQAxABgAEAAQACgA" \
"AAAAAAAAAAB0AHUAMQBAAGEAZAAuAGQAZQB2AGUAbABBAEQALg" \
"BEAEUAVgBFAEwAdv///4yBQZ5ZQnp3qwj2lKGcd0UAAAAAdv//" \
"/39fn4UneD5l6YxP8w/U0coAAAAA"
static void test_ad_get_data_from_pac(void **state)
{
int ret;
struct PAC_LOGON_INFO *logon_info;
uint8_t *test_pac_blob;
size_t test_pac_blob_size;
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
test_pac_blob = sss_base64_decode(test_ctx, TEST_PAC_BASE64,
&test_pac_blob_size);
assert_non_null(test_pac_blob_size);
ret = ad_get_data_from_pac(test_ctx, test_pac_blob, test_pac_blob_size,
&logon_info);
assert_int_equal(ret, EOK);
assert_non_null(logon_info);
assert_string_equal(logon_info->info3.base.account_name.string, "tu1");
assert_string_equal(logon_info->info3.base.full_name.string, "t u");
assert_int_equal(logon_info->info3.base.rid, 1104);
assert_int_equal(logon_info->info3.base.primary_gid, 513);
assert_int_equal(logon_info->info3.base.groups.count, 5);
assert_string_equal(logon_info->info3.base.logon_domain.string, "AD");
assert_int_equal(logon_info->info3.sidcount, 1);
talloc_free(test_pac_blob);
talloc_free(logon_info);
}
static void test_ad_get_sids_from_pac(void **state)
{
int ret;
struct PAC_LOGON_INFO *logon_info;
uint8_t *test_pac_blob;
size_t test_pac_blob_size;
char *user_sid;
char *primary_group_sid;
size_t num_sids;
char **sid_list;
struct sss_idmap_ctx *idmap_ctx;
enum idmap_error_code err;
size_t c;
size_t s;
const char *sid_check_list[] = { "S-1-5-21-3692237560-1981608775-3610128199-513",
"S-1-5-21-3692237560-1981608775-3610128199-1110",
"S-1-5-21-3692237560-1981608775-3610128199-1116",
"S-1-5-21-3692237560-1981608775-3610128199-41725",
"S-1-5-21-3692237560-1981608775-3610128199-42633",
"S-1-5-21-3645884713-2026060994-4169618742-1108",
NULL };
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
err = sss_idmap_init(sss_idmap_talloc, test_ctx, sss_idmap_talloc_free,
&idmap_ctx);
assert_int_equal(err, IDMAP_SUCCESS);
test_pac_blob = sss_base64_decode(test_ctx, TEST_PAC_BASE64,
&test_pac_blob_size);
assert_non_null(test_pac_blob_size);
ret = ad_get_data_from_pac(test_ctx, test_pac_blob, test_pac_blob_size,
&logon_info);
assert_int_equal(ret, EOK);
ret = ad_get_sids_from_pac(test_ctx, idmap_ctx, logon_info, &user_sid,
&primary_group_sid, &num_sids, &sid_list);
assert_int_equal(ret, EOK);
assert_string_equal(user_sid,
"S-1-5-21-3692237560-1981608775-3610128199-1104");
assert_string_equal(primary_group_sid,
"S-1-5-21-3692237560-1981608775-3610128199-513");
assert_int_equal(num_sids, 6);
for (c = 0; sid_check_list[c] != NULL; c++) {
for (s = 0; s < num_sids; s++) {
if (strcmp(sid_check_list[c], sid_list[s]) == 0) {
break;
}
}
if (s == num_sids) {
fail_msg("SID [%s] not found in SID list.", sid_check_list[c]);
}
}
talloc_free(test_pac_blob);
talloc_free(logon_info);
talloc_free(user_sid);
talloc_free(primary_group_sid);
talloc_free(sid_list);
sss_idmap_free(idmap_ctx);
}
static void test_ad_get_pac_data_from_user_entry(void **state)
{
int ret;
struct ldb_message *user_msg;
struct ldb_val val;
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
struct sss_idmap_ctx *idmap_ctx;
enum idmap_error_code err;
char *username;
char *user_sid;
char *primary_group_sid;
size_t num_sids;
char **sid_list;
size_t c;
size_t s;
const char *sid_check_list[] = { "S-1-5-21-3692237560-1981608775-3610128199-513",
"S-1-5-21-3692237560-1981608775-3610128199-1110",
"S-1-5-21-3692237560-1981608775-3610128199-1116",
"S-1-5-21-3692237560-1981608775-3610128199-41725",
"S-1-5-21-3692237560-1981608775-3610128199-42633",
"S-1-5-21-3645884713-2026060994-4169618742-1108",
NULL };
err = sss_idmap_init(sss_idmap_talloc, test_ctx, sss_idmap_talloc_free,
&idmap_ctx);
assert_int_equal(err, IDMAP_SUCCESS);
user_msg = ldb_msg_new(test_ctx);
assert_non_null(user_msg);
ret = ldb_msg_add_string(user_msg, SYSDB_NAME, "username");
assert_int_equal(ret, EOK);
ret = ldb_msg_add_string(user_msg, SYSDB_OBJECTCLASS, "user");
assert_int_equal(ret, EOK);
ret = ldb_msg_add_string(user_msg, SYSDB_PAC_BLOB_EXPIRE, "12345");
assert_int_equal(ret, EOK);
val.data = sss_base64_decode(test_ctx, TEST_PAC_BASE64, &val.length);
ret = ldb_msg_add_value(user_msg, SYSDB_PAC_BLOB, &val, NULL);
assert_int_equal(ret, EOK);
ret = ad_get_pac_data_from_user_entry(test_ctx, user_msg, idmap_ctx,
&username, &user_sid,
&primary_group_sid, &num_sids,
&sid_list);
assert_int_equal(ret, EOK);
assert_string_equal(username, "username");
assert_string_equal(user_sid,
"S-1-5-21-3692237560-1981608775-3610128199-1104");
assert_string_equal(primary_group_sid,
"S-1-5-21-3692237560-1981608775-3610128199-513");
assert_int_equal(num_sids, 6);
for (c = 0; sid_check_list[c] != NULL; c++) {
for (s = 0; s < num_sids; s++) {
if (strcmp(sid_check_list[c], sid_list[s]) == 0) {
break;
}
}
if (s == num_sids) {
fail_msg("SID [%s] not found in SID list.", sid_check_list[c]);
}
}
talloc_free(username);
talloc_free(user_sid);
talloc_free(primary_group_sid);
talloc_free(sid_list);
talloc_free(val.data);
talloc_free(user_msg);
sss_idmap_free(idmap_ctx);
}
krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id)
{
return krb5_kt_resolve(context, KEYTAB_PATH, id);
}
struct ad_common_test_ctx {
struct ad_id_ctx *ad_ctx;
struct ad_id_ctx *subdom_ad_ctx;
struct sss_domain_info *dom;
struct sss_domain_info *subdom;
};
static void test_ad_create_default_options(void **state)
{
struct ad_options *ad_options;
const char *s;
ad_options = ad_create_default_options(global_talloc_context);
assert_non_null(ad_options->basic);
/* Not too much to test here except some defaults */
s = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
assert_null(s);
assert_non_null(ad_options->id);
talloc_free(ad_options);
}
static int test_ad_common_setup(void **state)
{
struct ad_common_test_ctx *test_ctx;
test_dom_suite_setup(TESTS_PATH);
assert_true(leak_check_setup());
test_ctx = talloc_zero(global_talloc_context, struct ad_common_test_ctx);
assert_non_null(test_ctx);
test_ctx->dom = talloc_zero(test_ctx, struct sss_domain_info);
assert_non_null(test_ctx->dom);
test_ctx->dom->name = discard_const(DOMNAME);
test_ctx->subdom = talloc_zero(test_ctx, struct sss_domain_info);
assert_non_null(test_ctx->subdom);
test_ctx->subdom->name = discard_const(SUBDOMNAME);
test_ctx->subdom->parent = test_ctx->dom;
test_ctx->ad_ctx = talloc_zero(test_ctx, struct ad_id_ctx);
assert_non_null(test_ctx->ad_ctx);
check_leaks_push(test_ctx);
*state = test_ctx;
return 0;
}
static int test_ad_common_teardown(void **state)
{
int ret;
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
assert_non_null(test_ctx);
assert_true(check_leaks_pop(test_ctx) == true);
talloc_free(test_ctx);
assert_true(leak_check_teardown());
ret = rmdir(TESTS_PATH);
assert_return_code(ret, errno);
return 0;
}
static void test_ad_create_1way_trust_options(void **state)
{
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
const char *s;
call_real_sasl_options = true;
/* Make sure this is not the keytab that __wrap_krb5_kt_default uses */
mock_keytab_with_contents(test_ctx, ONEWAY_KEYTAB_PATH, ONEWAY_TEST_PRINC);
test_ctx->ad_ctx->ad_options = ad_create_1way_trust_options(
test_ctx->ad_ctx,
ONEWAY_DOMNAME,
ONEWAY_HOST_NAME,
ONEWAY_KEYTAB_PATH,
ONEWAY_AUTHID);
assert_non_null(test_ctx->ad_ctx->ad_options);
assert_int_equal(test_ctx->ad_ctx->ad_options->id->schema_type,
SDAP_SCHEMA_AD);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
AD_KRB5_REALM);
assert_non_null(s);
assert_string_equal(s, ONEWAY_DOMNAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
AD_DOMAIN);
assert_non_null(s);
assert_string_equal(s, ONEWAY_DOMNAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
AD_HOSTNAME);
assert_non_null(s);
assert_string_equal(s, ONEWAY_HOST_NAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
AD_KEYTAB);
assert_non_null(s);
assert_string_equal(s, ONEWAY_KEYTAB_PATH);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
SDAP_KRB5_KEYTAB);
assert_non_null(s);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
SDAP_SASL_REALM);
assert_non_null(s);
assert_string_equal(s, ONEWAY_DOMNAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
SDAP_KRB5_REALM);
assert_non_null(s);
assert_string_equal(s, ONEWAY_DOMNAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
SDAP_SASL_AUTHID);
assert_non_null(s);
assert_string_equal(s, ONEWAY_AUTHID);
talloc_free(test_ctx->ad_ctx->ad_options);
unlink(ONEWAY_KEYTAB_PATH);
}
static void test_ad_create_2way_trust_options(void **state)
{
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
const char *s;
call_real_sasl_options = true;
mock_keytab_with_contents(test_ctx, KEYTAB_PATH, KEYTAB_TEST_PRINC);
test_ctx->ad_ctx->ad_options = ad_create_2way_trust_options(
test_ctx->ad_ctx,
REALMNAME,
DOMNAME,
HOST_NAME);
assert_non_null(test_ctx->ad_ctx->ad_options);
assert_int_equal(test_ctx->ad_ctx->ad_options->id->schema_type,
SDAP_SCHEMA_AD);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
AD_KRB5_REALM);
assert_non_null(s);
assert_string_equal(s, REALMNAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
AD_DOMAIN);
assert_non_null(s);
assert_string_equal(s, DOMNAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
AD_HOSTNAME);
assert_non_null(s);
assert_string_equal(s, HOST_NAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
SDAP_KRB5_KEYTAB);
assert_null(s); /* This is the system keytab */
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
SDAP_SASL_REALM);
assert_non_null(s);
assert_string_equal(s, REALMNAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
SDAP_KRB5_REALM);
assert_non_null(s);
assert_string_equal(s, REALMNAME);
s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
SDAP_SASL_AUTHID);
assert_non_null(s);
assert_string_equal(s, TEST_AUTHID);
talloc_free(test_ctx->ad_ctx->ad_options);
unlink(KEYTAB_PATH);
}
static int
test_ldap_conn_setup(void **state)
{
struct ad_common_test_ctx *test_ctx;
errno_t ret;
struct sdap_domain *sdom;
struct ad_id_ctx *ad_ctx;
struct ad_id_ctx *subdom_ad_ctx;
struct sdap_id_conn_ctx *subdom_ldap_ctx;
ret = test_ad_common_setup((void **) &test_ctx);
assert_int_equal(ret, EOK);
mock_keytab_with_contents(test_ctx, KEYTAB_PATH, KEYTAB_TEST_PRINC);
ad_ctx = test_ctx->ad_ctx;
ad_ctx->ad_options = ad_create_2way_trust_options(ad_ctx,
REALMNAME,
DOMNAME,
HOST_NAME);
assert_non_null(ad_ctx->ad_options);
ad_ctx->gc_ctx = talloc_zero(ad_ctx, struct sdap_id_conn_ctx);
assert_non_null(ad_ctx->gc_ctx);
ad_ctx->ldap_ctx = talloc_zero(ad_ctx, struct sdap_id_conn_ctx);
assert_non_null(ad_ctx->ldap_ctx);
ad_ctx->sdap_id_ctx = talloc_zero(ad_ctx, struct sdap_id_ctx);
assert_non_null(ad_ctx->sdap_id_ctx);
ad_ctx->sdap_id_ctx->opts = talloc_zero(ad_ctx->sdap_id_ctx,
struct sdap_options);
assert_non_null(ad_ctx->sdap_id_ctx->opts);
ret = sdap_domain_add(ad_ctx->sdap_id_ctx->opts, test_ctx->dom, &sdom);
assert_int_equal(ret, EOK);
sdom->pvt = ad_ctx;
subdom_ad_ctx = talloc_zero(test_ctx, struct ad_id_ctx);
assert_non_null(subdom_ad_ctx);
subdom_ldap_ctx = talloc_zero(subdom_ad_ctx, struct sdap_id_conn_ctx);
assert_non_null(subdom_ldap_ctx);
subdom_ad_ctx->ldap_ctx = subdom_ldap_ctx;
ret = sdap_domain_add(ad_ctx->sdap_id_ctx->opts, test_ctx->subdom, &sdom);
assert_int_equal(ret, EOK);
sdom->pvt = subdom_ad_ctx;
test_ctx->subdom_ad_ctx = subdom_ad_ctx;
*state = test_ctx;
return 0;
}
static int
test_ldap_conn_teardown(void **state)
{
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
assert_non_null(test_ctx);
unlink(KEYTAB_PATH);
talloc_free(test_ctx->subdom_ad_ctx);
talloc_free(test_ctx->ad_ctx->ad_options);
talloc_free(test_ctx->ad_ctx->gc_ctx);
talloc_free(test_ctx->ad_ctx->ldap_ctx);
talloc_free(test_ctx->ad_ctx->sdap_id_ctx);
test_ad_common_teardown((void **) &test_ctx);
return 0;
}
errno_t
__real_sdap_set_sasl_options(struct sdap_options *id_opts,
char *default_primary,
char *default_realm,
const char *keytab_path);
errno_t
__wrap_sdap_set_sasl_options(struct sdap_options *id_opts,
char *default_primary,
char *default_realm,
const char *keytab_path)
{
/* Pretend SASL is fine */
if (call_real_sasl_options == true) {
return __real_sdap_set_sasl_options(id_opts,
default_primary,
default_realm,
keytab_path);
}
return EOK;
}
void test_ad_get_dom_ldap_conn(void **state)
{
struct sdap_id_conn_ctx *conn;
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
assert_non_null(test_ctx);
conn = ad_get_dom_ldap_conn(test_ctx->ad_ctx, test_ctx->dom);
assert_true(conn == test_ctx->ad_ctx->ldap_ctx);
conn = ad_get_dom_ldap_conn(test_ctx->ad_ctx, test_ctx->subdom);
assert_true(conn == test_ctx->subdom_ad_ctx->ldap_ctx);
}
void test_gc_conn_list(void **state)
{
struct sdap_id_conn_ctx **conn_list;
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
assert_non_null(test_ctx);
assert_true(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,
AD_ENABLE_GC));
conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);
assert_non_null(conn_list);
assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx);
/* If there is a fallback, we should ignore the offline mode */
assert_true(conn_list[0]->ignore_mark_offline);
assert_true(conn_list[1] == test_ctx->ad_ctx->ldap_ctx);
assert_false(conn_list[1]->ignore_mark_offline);
assert_null(conn_list[2]);
talloc_free(conn_list);
conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->subdom);
assert_non_null(conn_list);
assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx);
assert_true(conn_list[0]->ignore_mark_offline);
assert_true(conn_list[1] == test_ctx->subdom_ad_ctx->ldap_ctx);
/* Subdomain error should not set the backend offline! */
assert_true(conn_list[1]->ignore_mark_offline);
talloc_free(conn_list);
dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, false);
assert_false(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,
AD_ENABLE_GC));
conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);
assert_non_null(conn_list);
assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
assert_false(conn_list[0]->ignore_mark_offline);
assert_null(conn_list[1]);
talloc_free(conn_list);
conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->subdom);
assert_non_null(conn_list);
assert_true(conn_list[0] == test_ctx->subdom_ad_ctx->ldap_ctx);
assert_true(conn_list[0]->ignore_mark_offline);
assert_null(conn_list[1]);
talloc_free(conn_list);
}
void test_ldap_conn_list(void **state)
{
struct sdap_id_conn_ctx **conn_list;
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
assert_non_null(test_ctx);
conn_list = ad_ldap_conn_list(test_ctx,
test_ctx->ad_ctx,
test_ctx->dom);
assert_non_null(conn_list);
assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
assert_false(conn_list[0]->ignore_mark_offline);
assert_null(conn_list[1]);
talloc_free(conn_list);
conn_list = ad_ldap_conn_list(test_ctx,
test_ctx->ad_ctx,
test_ctx->subdom);
assert_non_null(conn_list);
assert_true(conn_list[0] == test_ctx->subdom_ad_ctx->ldap_ctx);
assert_true(conn_list[0]->ignore_mark_offline);
assert_null(conn_list[1]);
talloc_free(conn_list);
}
void test_user_conn_list(void **state)
{
struct sdap_id_conn_ctx **conn_list;
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
struct ad_common_test_ctx);
assert_non_null(test_ctx);
conn_list = ad_user_conn_list(test_ctx->ad_ctx,
test_ctx->dom);
assert_non_null(conn_list);
assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
assert_false(conn_list[0]->ignore_mark_offline);
assert_null(conn_list[1]);
talloc_free(conn_list);
conn_list = ad_user_conn_list(test_ctx->ad_ctx,
test_ctx->subdom);
assert_non_null(conn_list);
assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx);
assert_true(conn_list[0]->ignore_mark_offline);
assert_true(conn_list[1] == test_ctx->subdom_ad_ctx->ldap_ctx);
/* Subdomain error should not set the backend offline! */
assert_true(conn_list[1]->ignore_mark_offline);
talloc_free(conn_list);
}
int main(int argc, const char *argv[])
{
poptContext pc;
int opt;
int ret;
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_DEBUG_OPTS
POPT_TABLEEND
};
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_ad_create_default_options),
cmocka_unit_test_setup_teardown(test_ad_create_1way_trust_options,
test_ad_common_setup,
test_ad_common_teardown),
cmocka_unit_test_setup_teardown(test_ad_create_2way_trust_options,
test_ad_common_setup,
test_ad_common_teardown),
cmocka_unit_test_setup_teardown(test_ad_get_dom_ldap_conn,
test_ldap_conn_setup,
test_ldap_conn_teardown),
cmocka_unit_test_setup_teardown(test_gc_conn_list,
test_ldap_conn_setup,
test_ldap_conn_teardown),
cmocka_unit_test_setup_teardown(test_ldap_conn_list,
test_ldap_conn_setup,
test_ldap_conn_teardown),
cmocka_unit_test_setup_teardown(test_user_conn_list,
test_ldap_conn_setup,
test_ldap_conn_teardown),
cmocka_unit_test_setup_teardown(test_check_if_pac_is_available,
test_ad_sysdb_setup,
test_ad_sysdb_teardown),
cmocka_unit_test_setup_teardown(test_ad_get_data_from_pac,
test_ad_common_setup,
test_ad_common_teardown),
cmocka_unit_test_setup_teardown(test_ad_get_sids_from_pac,
test_ad_common_setup,
test_ad_common_teardown),
cmocka_unit_test_setup_teardown(test_ad_get_pac_data_from_user_entry,
test_ad_common_setup,
test_ad_common_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
debug_level = SSSDBG_INVALID;
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
while((opt = poptGetNextOpt(pc)) != -1) {
switch(opt) {
default:
fprintf(stderr, "\nInvalid option %s: %s\n\n",
poptBadOption(pc, 0), poptStrerror(opt));
poptPrintUsage(pc, stderr, 0);
return 1;
}
}
poptFreeContext(pc);
DEBUG_CLI_INIT(debug_level);
tests_set_cwd();
ret = cmocka_run_group_tests(tests, NULL, NULL);
#ifdef HAVE_NSS
/* Cleanup NSS and NSPR to make valgrind happy. */
nspr_nss_cleanup();
#endif
return ret;
}