websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.0.5

Browse Source
This commit is contained in:
Mario Fetka
2021-07-25 07:50:50 +02:00
parent 8ff3be4216
commit 3bfaa6e020
2049 changed files with 317193 additions and 1632423 deletions
Download Patch File Download Diff File Expand all files Collapse all files

459
daemons/ipa-kdb/tests/ipa_kdb_tests.c
View File

@@ -1,40 +1,51 @@
/*
Authors:
Sumit Bose <sbose@redhat.com>
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Sumit Bose <sbose@redhat.com>
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
Copyright (C) 2015 Red Hat
ipa-kdb tests
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <errno.h>
#include <check.h>
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <setjmp.h>
#include <cmocka.h>
#include <krb5/krb5.h>
#include <kdb.h>
#include <talloc.h>
#include "gen_ndr/ndr_krb5pac.h"
#include "gen_ndr/netlogon.h"
#include "ipa_kdb.h"
#include "ipa_kdb_mspac_private.h"
#include "ipa-kdb/ipa_kdb.h"
#define NFS_PRINC_STRING "nfs/fully.qualified.host.name@REALM.NAME"
#define NON_NFS_PRINC_STRING "abcdef/fully.qualified.host.name@REALM.NAME"
@@ -60,249 +71,10 @@ int krb5_klog_syslog(int l, const char *format, ...)
return 0;
}
struct test_ctx {
krb5_context krb5_ctx;
};
#define DOMAIN_NAME "my.domain"
#define REALM "MY.DOMAIN"
#define REALM_LEN (sizeof(REALM) - 1)
#define FLAT_NAME "MYDOM"
#define DOM_SID "S-1-5-21-1-2-3"
#define DOM_SID_TRUST "S-1-5-21-4-5-6"
#define BLACKLIST_SID "S-1-5-1"
static int setup(void **state)
{
int ret;
krb5_context krb5_ctx;
krb5_error_code kerr;
struct ipadb_context *ipa_ctx;
struct test_ctx *test_ctx;
kerr = krb5_init_context(&krb5_ctx);
assert_int_equal(kerr, 0);
kerr = krb5_set_default_realm(krb5_ctx, "EXAMPLE.COM");
assert_int_equal(kerr, 0);
kerr = krb5_db_setup_lib_handle(krb5_ctx);
assert_int_equal(kerr, 0);
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
assert_non_null(ipa_ctx);
ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
assert_non_null(ipa_ctx->mspac);
/* make sure data is not read from LDAP */
ipa_ctx->mspac->last_update = time(NULL) - 1;
ret = string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid);
assert_int_equal(ret, 0);
ipa_ctx->mspac->num_trusts = 1;
ipa_ctx->mspac->trusts = calloc(1, sizeof(struct ipadb_adtrusts));
assert_non_null(ipa_ctx->mspac->trusts);
ipa_ctx->mspac->trusts[0].domain_name = strdup(DOMAIN_NAME);
assert_non_null(ipa_ctx->mspac->trusts[0].domain_name);
ipa_ctx->mspac->trusts[0].flat_name = strdup(FLAT_NAME);
assert_non_null(ipa_ctx->mspac->trusts[0].flat_name);
ipa_ctx->mspac->trusts[0].domain_sid = strdup(DOM_SID_TRUST);
assert_non_null(ipa_ctx->mspac->trusts[0].domain_sid);
ret = string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid);
assert_int_equal(ret, 0);
ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming = 1;
ipa_ctx->mspac->trusts[0].sid_blacklist_incoming = calloc(
ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming,
sizeof(struct dom_sid));
assert_non_null(ipa_ctx->mspac->trusts[0].sid_blacklist_incoming);
ret = string_to_sid(BLACKLIST_SID,
&ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
assert_int_equal(ret, 0);
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
assert_int_equal(kerr, 0);
test_ctx = talloc(NULL, struct test_ctx);
assert_non_null(test_ctx);
test_ctx->krb5_ctx = krb5_ctx;
*state = test_ctx;
return 0;
}
static int teardown(void **state)
{
struct test_ctx *test_ctx;
struct ipadb_context *ipa_ctx;
test_ctx = (struct test_ctx *) *state;
ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx);
assert_non_null(ipa_ctx);
ipadb_mspac_struct_free(&ipa_ctx->mspac);
krb5_db_fini(test_ctx->krb5_ctx);
krb5_free_context(test_ctx->krb5_ctx);
talloc_free(test_ctx);
return 0;
}
extern krb5_error_code filter_logon_info(krb5_context context,
TALLOC_CTX *memctx,
krb5_data realm,
struct PAC_LOGON_INFO_CTR *info);
void test_filter_logon_info(void **state)
{
krb5_error_code kerr;
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
struct test_ctx *test_ctx;
struct PAC_LOGON_INFO_CTR *info;
int ret;
struct dom_sid dom_sid;
size_t c;
size_t d;
test_ctx = (struct test_ctx *) *state;
info = talloc_zero(test_ctx, struct PAC_LOGON_INFO_CTR);
assert_non_null(info);
info->info = talloc_zero(info, struct PAC_LOGON_INFO);
assert_non_null(info->info);
/* wrong flat name */
info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
"WRONG");
assert_non_null(info->info->info3.base.logon_domain.string);
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
assert_int_equal(kerr, EINVAL);
info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
FLAT_NAME);
assert_non_null(info->info->info3.base.logon_domain.string);
/* missing domain SID */
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
assert_int_equal(kerr, EINVAL);
/* wrong domain SID */
ret = string_to_sid("S-1-5-21-1-1-1", &dom_sid);
assert_int_equal(ret, 0);
info->info->info3.base.domain_sid = &dom_sid;
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
assert_int_equal(kerr, EINVAL);
/* matching domain SID */
ret = string_to_sid(DOM_SID_TRUST, &dom_sid);
assert_int_equal(ret, 0);
info->info->info3.base.domain_sid = &dom_sid;
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
assert_int_equal(kerr, 0);
/* empty SIDs */
info->info->info3.sidcount = 3;
info->info->info3.sids = talloc_zero_array(info->info,
struct netr_SidAttr,
info->info->info3.sidcount);
assert_non_null(info->info->info3.sids);
for(c = 0; c < info->info->info3.sidcount; c++) {
info->info->info3.sids[c].sid = talloc_zero(info->info->info3.sids,
struct dom_sid2);
assert_non_null(info->info->info3.sids[c].sid);
}
kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
assert_int_equal(kerr, 0);
assert_int_equal(info->info->info3.sidcount, 3);
struct test_data {
size_t sidcount;
const char *sids[3];
size_t exp_sidcount;
const char *exp_sids[3];
} test_data[] = {
/* only allowed SIDs */
{3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
/* last SID filtered */
{3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001"}},
/* center SID filtered */
{3, {DOM_SID_TRUST"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1002"}},
/* first SID filtered */
{3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
2, {DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
/* first and last SID filtered */
{3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
1, {DOM_SID_TRUST"-1001"}},
/* two SIDs in a rwo filtered */
{3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
1, {DOM_SID_TRUST"-1002"}},
/* all SIDs filtered*/
{3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
0, {}},
{0, {}, 0 , {}}
};
for (c = 0; test_data[c].sidcount != 0; c++) {
talloc_free(info->info->info3.sids);
info->info->info3.sidcount = test_data[c].sidcount;
info->info->info3.sids = talloc_zero_array(info->info,
struct netr_SidAttr,
info->info->info3.sidcount);
assert_non_null(info->info->info3.sids);
for(d = 0; d < info->info->info3.sidcount; d++) {
info->info->info3.sids[d].sid = talloc_zero(info->info->info3.sids,
struct dom_sid2);
assert_non_null(info->info->info3.sids[d].sid);
}
for (d = 0; d < info->info->info3.sidcount; d++) {
ret = string_to_sid(test_data[c].sids[d],
info->info->info3.sids[d].sid);
assert_int_equal(ret, 0);
}
kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
assert_int_equal(kerr, 0);
assert_int_equal(info->info->info3.sidcount, test_data[c].exp_sidcount);
if (test_data[c].exp_sidcount == 0) {
assert_null(info->info->info3.sids);
} else {
for (d = 0; d < test_data[c].exp_sidcount; d++) {
assert_string_equal(test_data[c].exp_sids[d],
dom_sid_string(info->info->info3.sids,
info->info->info3.sids[d].sid));
}
}
}
talloc_free(info);
}
extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
bool *with_pac, bool *with_pad);
void test_get_authz_data_types(void **state)
START_TEST(test_get_authz_data_types)
{
bool with_pac;
bool with_pad;
@@ -318,45 +90,50 @@ void test_get_authz_data_types(void **state)
char *ad_none_and_pad[] = {"NONE", "PAD", NULL};
char *ad_global_pac_nfs_none[] = {"MS-PAC", "nfs:NONE", NULL};
char *ad_global_pac_nfs_pad[] = {"MS-PAC", "nfs:PAD", NULL};
krb5_context krb5_ctx;
krb5_error_code kerr;
struct ipadb_context *ipa_ctx;
krb5_principal nfs_princ;
krb5_principal non_nfs_princ;
struct test_ctx *test_ctx;
test_ctx = (struct test_ctx *) *state;
ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx);
assert_non_null(ipa_ctx);
get_authz_data_types(NULL, NULL, NULL, NULL);
with_pad = true;
get_authz_data_types(NULL, NULL, NULL, &with_pad);
assert_false(with_pad);
fail_unless(!with_pad, "with_pad not false with NULL inuput.");
with_pac = true;
get_authz_data_types(NULL, NULL, &with_pac, NULL);
assert_false(with_pad);
fail_unless(!with_pac, "with_pac not false with NULL inuput.");
with_pad = true;
with_pac = true;
get_authz_data_types(NULL, NULL, &with_pac, &with_pad);
assert_false(with_pac);
assert_false(with_pad);
fail_unless(!with_pad, "with_pad not false with NULL inuput.");
fail_unless(!with_pac, "with_pac not false with NULL inuput.");
entry = calloc(1, sizeof(krb5_db_entry));
assert_non_null(entry);
fail_unless(entry != NULL, "calloc krb5_db_entry failed.");
ied = calloc(1, sizeof(struct ipadb_e_data));
assert_non_null(ied);
fail_unless(ied != NULL, "calloc struct ipadb_e_data failed.");
entry->e_data = (void *) ied;
kerr = krb5_parse_name(test_ctx->krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
assert_int_equal(kerr, 0);
kerr = krb5_init_context(&krb5_ctx);
fail_unless(kerr == 0, "krb5_init_context failed.");
kerr = krb5_db_setup_lib_handle(krb5_ctx);
fail_unless(kerr == 0, "krb5_db_setup_lib_handle failed.\n");
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
fail_unless(ipa_ctx != NULL, "calloc failed.\n");
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
fail_unless(kerr == 0, "krb5_db_set_context failed.\n");
kerr = krb5_parse_name(test_ctx->krb5_ctx, NON_NFS_PRINC_STRING,
&non_nfs_princ);
assert_int_equal(kerr, 0);
kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
fail_unless(kerr == 0, "krb5_parse_name failed.");
kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ);
fail_unless(kerr == 0, "krb5_parse_name failed.");
struct test_set {
char **authz_data;
@@ -401,94 +178,42 @@ void test_get_authz_data_types(void **state)
/* Set last_update to avoid LDAP lookups during tests */
ipa_ctx->config.last_update = time(NULL);
entry->princ = test_set[c].princ;
get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad);
assert_true(with_pad == test_set[c].exp_with_pad);
assert_true(with_pac == test_set[c].exp_with_pac);
/* test if global default are returned if there is no server entry */
if (test_set[c].authz_data == NULL && test_set[c].princ == NULL) {
get_authz_data_types(test_ctx->krb5_ctx, NULL, &with_pac,
&with_pad);
assert_true(with_pad == test_set[c].exp_with_pad);
assert_true(with_pac == test_set[c].exp_with_pac);
}
get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad);
fail_unless(with_pad == test_set[c].exp_with_pad, "with_pad not %s %s.",
test_set[c].exp_with_pad ? "true" : "false",
test_set[c].err_msg);
fail_unless(with_pac == test_set[c].exp_with_pac, "with_pac not %s %s.",
test_set[c].exp_with_pac ? "true" : "false",
test_set[c].err_msg);
}
free(ied);
free(entry);
krb5_free_principal(test_ctx->krb5_ctx, nfs_princ);
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
krb5_free_principal(krb5_ctx, nfs_princ);
krb5_free_principal(krb5_ctx, non_nfs_princ);
krb5_db_fini(krb5_ctx);
krb5_free_context(krb5_ctx);
}
END_TEST
void test_string_to_sid(void **state)
Suite * ipa_kdb_suite(void)
{
int ret;
struct dom_sid sid;
struct dom_sid exp_sid = {1, 5, {0, 0, 0, 0, 0, 5},
{21, 2127521184, 1604012920, 1887927527, 72713,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
Suite *s = suite_create("IPA kdb");
ret = string_to_sid(NULL, &sid);
assert_int_equal(ret, EINVAL);
TCase *tc_helper = tcase_create("Helper functions");
tcase_add_test(tc_helper, test_get_authz_data_types);
suite_add_tcase(s, tc_helper);
ret = string_to_sid("abc", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-ABC", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-123", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713",
&sid);
assert_int_equal(ret, 0);
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
return s;
}
void test_dom_sid_string(void **state)
int main(void)
{
struct test_ctx *test_ctx;
char *str_sid;
struct dom_sid test_sid = {1, 5, {0, 0, 0, 0, 0, 5},
{21, 2127521184, 1604012920, 1887927527, 72713,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
int number_failed;
test_ctx = (struct test_ctx *) *state;
Suite *s = ipa_kdb_suite ();
SRunner *sr = srunner_create (s);
srunner_run_all (sr, CK_VERBOSE);
number_failed = srunner_ntests_failed (sr);
srunner_free (sr);
str_sid = dom_sid_string(test_ctx, NULL);
assert_null(str_sid);
str_sid = dom_sid_string(test_ctx, &test_sid);
assert_non_null(str_sid);
assert_string_equal(str_sid,
"S-1-5-21-2127521184-1604012920-1887927527-72713");
test_sid.num_auths = -3;
str_sid = dom_sid_string(test_ctx, &test_sid);
test_sid.num_auths = 16;
str_sid = dom_sid_string(test_ctx, &test_sid);
}
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(test_get_authz_data_types,
setup, teardown),
cmocka_unit_test_setup_teardown(test_filter_logon_info,
setup, teardown),
cmocka_unit_test(test_string_to_sid),
cmocka_unit_test_setup_teardown(test_dom_sid_string,
setup, teardown),
};
return cmocka_run_group_tests(tests, NULL, NULL);
return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}

2
daemons/ipa-kdb/tests/test_setup.sh
View File

@@ -1,2 +0,0 @@
KRB5_CONFIG=/dev/null
export KRB5_CONFIG