/*
    Pavel Reichl <preichl@redhat.com>

    Copyright (C) 2015 Red Hat

    SSSD tests - sdap access

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl/* Prototypes for the functions under test; they are linked in from the
 * sdap_access.c module. nds_check_expired() returns true for an expiration
 * string that has passed or cannot be parsed (see test_nds_check_expire);
 * sdap_access_rhost() returns EOK or ERR_ACCESS_DENIED for a user entry and
 * the PAM rhost value (see test_sdap_access_rhost). */
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichlextern bool nds_check_expired(const char *exp_time_str);
/* pam_rhost is a non-const char *, which is why the tests pass writable
 * arrays rather than string literals. */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiyextern errno_t sdap_access_rhost(struct ldb_message *user_entry, char *pam_rhost);
/* Adapter with the generic (void *in, void *_out) callback shape that
 * expire_test_tz() takes in test_nds_check_expire: `in` is the expiration
 * string, `_out` receives the bool result of nds_check_expired(). */
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichlstatic void nds_check_expired_wrap(void *in, void *_out)
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl *(bool*)_out = nds_check_expired((const char*)in);
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl tc = talloc_get_type(*state, struct expire_test_ctx);
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl assert_true(nds_check_expired(tc->invalid_longer_format));
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl assert_true(nds_check_expired(tc->invalid_format));
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl assert_false(nds_check_expired(tc->future_time));
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl /* changing time zone has no effect as time of expiration is in UTC */
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl expire_test_tz("GST+2", nds_check_expired_wrap, (void*)tc->future_time,
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl expire_test_tz("GST-2", nds_check_expired_wrap, (void*)tc->future_time,
/* cmocka setup for test_sdap_access_rhost: allocates the fixture context and
 * the ldb_message user entries it refers to (no rhost rule, allow somehost,
 * deny somehost, allow all, and the combinations below). Every message is
 * created as a talloc child of test_ctx, so releasing the context releases
 * the messages with it. A "!host" value is the deny form of an rhost entry. */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiystatic int test_sdap_access_rhost_setup(void **state)
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy struct test_sdap_access_rhost_ctx *test_ctx;
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy struct ldb_message *user_allow_all_deny_somehost;
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy struct ldb_message *user_allow_all_allow_somehost_deny_somehost;
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx = talloc(mem_ctx, struct test_sdap_access_rhost_ctx);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Setup empty user entry (with 0 entries for rhost) */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Setup user entry with allow somehost */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy user_allow_somehost = ldb_msg_new(test_ctx);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Setup user entry with deny somehost: the leading '!' expresses the deny */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy user_deny_somehost = ldb_msg_new(test_ctx);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy "!somehost");
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Setup user entry with allow all */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Setup user entry with allow all and deny somehost: used to show that an
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * explicit deny wins over allow-all for that host */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy user_allow_all_deny_somehost = ldb_msg_new(test_ctx);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_non_null(user_allow_all_deny_somehost);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ldb_msg_add_string(user_allow_all_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ldb_msg_add_string(user_allow_all_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy "!somehost");
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Setup user entry with allow all, allow somehost and deny somehost: used to
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * show that a deny also wins over an explicit allow for the same host */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy user_allow_all_allow_somehost_deny_somehost = ldb_msg_new(test_ctx);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_non_null(user_allow_all_allow_somehost_deny_somehost);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ldb_msg_add_string(user_allow_all_allow_somehost_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ldb_msg_add_string(user_allow_all_allow_somehost_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy "!somehost");
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ldb_msg_add_string(user_allow_all_allow_somehost_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Setup test context: hand the entries to the fixture the test reads */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx->user_allow_somehost = user_allow_somehost;
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx->user_deny_somehost = user_deny_somehost;
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx->user_allow_all_deny_somehost = user_allow_all_deny_somehost;
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx->user_allow_all_allow_somehost_deny_somehost = \
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy user_allow_all_allow_somehost_deny_somehost;
/* cmocka teardown paired with test_sdap_access_rhost_setup: recovers the
 * fixture context from *state so the fixtures (talloc children of it) can
 * be released together. */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiystatic int test_sdap_access_rhost_teardown(void **state)
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy struct test_sdap_access_rhost_ctx *test_ctx;
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx = talloc_get_type(*state, struct test_sdap_access_rhost_ctx);
/* Exercises the rhost access decision of sdap_access_rhost() against the
 * fixture entries. Expectations pinned below: a NULL user entry is refused
 * (the check fails closed); a NULL or empty rhost (local access) is granted
 * for an entry without rhost rules; a non-empty rhost is denied unless the
 * entry allows that host explicitly or allows all hosts; an entry that only
 * denies a host grants nothing else; and a "!host" deny entry wins over both
 * an explicit allow and allow-all for that host. */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiystatic void test_sdap_access_rhost(void **state)
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy struct test_sdap_access_rhost_ctx *test_ctx;
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx = talloc_get_type(*state, struct test_sdap_access_rhost_ctx);
/* Writable arrays, not literals: sdap_access_rhost() takes a non-const char *. */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy char pam_rhost_mock_somehost[] = "somehost";
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy char pam_rhost_mock_someotherhost[] = "someotherhost";
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test both arguments as NULL: no entry means no grant */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_entry == NULL and rhost == "somehost" */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(NULL, pam_rhost_mock_somehost);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_no_rhost and rhost == NULL */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_no_rhost, NULL);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(EOK, ret); /* Expected access granted */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_no_rhost and rhost == "" (local access) */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_no_rhost, pam_rhost_mock_empty);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(EOK, ret); /* Expected access granted */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_no_rhost and rhost == "somehost": remote access without
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * any rhost rule is denied, there is no implicit allow */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_no_rhost, pam_rhost_mock_somehost);
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_allow_somehost and rhost == "somehost" */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_allow_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(EOK, ret); /* Expected access allowed */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_deny_somehost and rhost == "somehost" */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_allow_all and rhost == "somehost" */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_allow_all,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(EOK, ret); /* Expected access allowed */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_allow_all_deny_somehost and rhost == "somehost":
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * the explicit deny overrides allow-all */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_allow_all_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_allow_all_allow_somehost_deny_somehost
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * and rhost == "somehost": deny also overrides an explicit allow */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx->user_allow_all_allow_somehost_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_no_rhost and rhost == "someotherhost" */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_no_rhost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_allow_somehost and rhost == "someotherhost": an allow for
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * one host does not extend to others */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_allow_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_deny_somehost and rhost == "someotherhost": a deny-only
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * entry grants nothing to other hosts either */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_allow_all and rhost == "someotherhost" */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_allow_all,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(EOK, ret); /* Expected access allowed */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_allow_all_deny_somehost and rhost == "someotherhost":
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * the deny is scoped to somehost only */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy ret = sdap_access_rhost(test_ctx->user_allow_all_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(EOK, ret); /* Expected access allowed */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy /* Test with user_allow_all_allow_somehost_deny_somehost
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy * and rhost == "someotherhost" */
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy test_ctx->user_allow_all_allow_somehost_deny_somehost,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy assert_int_equal(EOK, ret); /* Expected access allowed */
50b8a36b0932a510e825ed1ad8103f81ead2b7d8Pavel Reichl cmocka_unit_test_setup_teardown(test_nds_check_expire,
f34a8330c1615511795847b0a1454249d782db2aAlexey Kamenskiy cmocka_unit_test_setup_teardown(test_sdap_access_rhost,