websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Import Upstream version 4.12.4

Browse Source
This commit is contained in:
geos_one
2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
daemons/ipa-kdb/tests/ipa_kdb_tests.c
View File

@@ -70,7 +70,11 @@ struct test_ctx {
#define FLAT_NAME "MYDOM"
#define DOM_SID "S-1-5-21-1-2-3"
#define DOM_SID_TRUST "S-1-5-21-4-5-6"
#define BLACKLIST_SID "S-1-5-1"
#define BLOCKLIST_SID "S-1-5-1"
#define NUM_SUFFIXES 10
#define SUFFIX_TEMPLATE "d%zu" DOMAIN_NAME
#define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
#define EXTERNAL_REALM "WRONG.DOMAIN"
static int setup(void **state)
{
@@ -92,13 +96,16 @@ static int setup(void **state)
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
assert_non_null(ipa_ctx);
kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm);
assert_int_equal(kerr, 0);
ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
assert_non_null(ipa_ctx->mspac);
/* make sure data is not read from LDAP */
ipa_ctx->mspac->last_update = time(NULL) - 1;
ret = string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid);
ret = ipadb_string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid);
assert_int_equal(ret, 0);
ipa_ctx->mspac->num_trusts = 1;
@@ -114,18 +121,28 @@ static int setup(void **state)
ipa_ctx->mspac->trusts[0].domain_sid = strdup(DOM_SID_TRUST);
assert_non_null(ipa_ctx->mspac->trusts[0].domain_sid);
ret = string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid);
ret = ipadb_string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid);
assert_int_equal(ret, 0);
ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming = 1;
ipa_ctx->mspac->trusts[0].sid_blacklist_incoming = calloc(
ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming,
ipa_ctx->mspac->trusts[0].len_sid_blocklist_incoming = 1;
ipa_ctx->mspac->trusts[0].sid_blocklist_incoming = calloc(
ipa_ctx->mspac->trusts[0].len_sid_blocklist_incoming,
sizeof(struct dom_sid));
assert_non_null(ipa_ctx->mspac->trusts[0].sid_blacklist_incoming);
ret = string_to_sid(BLACKLIST_SID,
&ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
assert_non_null(ipa_ctx->mspac->trusts[0].sid_blocklist_incoming);
ret = ipadb_string_to_sid(BLOCKLIST_SID,
&ipa_ctx->mspac->trusts[0].sid_blocklist_incoming[0]);
assert_int_equal(ret, 0);
ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
for (size_t i = 0; i < NUM_SUFFIXES; i++) {
assert_int_not_equal(asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]),
SUFFIX_TEMPLATE, i), -1);
ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
}
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
assert_int_equal(kerr, 0);
@@ -161,10 +178,10 @@ static int teardown(void **state)
extern krb5_error_code filter_logon_info(krb5_context context,
TALLOC_CTX *memctx,
krb5_data realm,
krb5_data *realm,
struct PAC_LOGON_INFO_CTR *info);
void test_filter_logon_info(void **state)
static void test_filter_logon_info(void **state)
{
krb5_error_code kerr;
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
@@ -187,7 +204,7 @@ void test_filter_logon_info(void **state)
"WRONG");
assert_non_null(info->info->info3.base.logon_domain.string);
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, &realm, info);
assert_int_equal(kerr, EINVAL);
info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
@@ -195,23 +212,23 @@ void test_filter_logon_info(void **state)
assert_non_null(info->info->info3.base.logon_domain.string);
/* missing domain SID */
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, &realm, info);
assert_int_equal(kerr, EINVAL);
/* wrong domain SID */
ret = string_to_sid("S-1-5-21-1-1-1", &dom_sid);
ret = ipadb_string_to_sid("S-1-5-21-1-1-1", &dom_sid);
assert_int_equal(ret, 0);
info->info->info3.base.domain_sid = &dom_sid;
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, &realm, info);
assert_int_equal(kerr, EINVAL);
/* matching domain SID */
ret = string_to_sid(DOM_SID_TRUST, &dom_sid);
ret = ipadb_string_to_sid(DOM_SID_TRUST, &dom_sid);
assert_int_equal(ret, 0);
info->info->info3.base.domain_sid = &dom_sid;
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, &realm, info);
assert_int_equal(kerr, 0);
/* empty SIDs */
@@ -226,7 +243,7 @@ void test_filter_logon_info(void **state)
assert_non_null(info->info->info3.sids[c].sid);
}
kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, &realm, info);
assert_int_equal(kerr, 0);
assert_int_equal(info->info->info3.sidcount, 3);
@@ -240,22 +257,22 @@ void test_filter_logon_info(void **state)
{3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
/* last SID filtered */
{3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
{3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", BLOCKLIST_SID"-1002"},
2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001"}},
/* center SID filtered */
{3, {DOM_SID_TRUST"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
{3, {DOM_SID_TRUST"-1000", BLOCKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1002"}},
/* first SID filtered */
{3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
{3, {BLOCKLIST_SID"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
2, {DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
/* first and last SID filtered */
{3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
{3, {BLOCKLIST_SID"-1000", DOM_SID_TRUST"-1001", BLOCKLIST_SID"-1002"},
1, {DOM_SID_TRUST"-1001"}},
/* two SIDs in a rwo filtered */
{3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
{3, {BLOCKLIST_SID"-1000", BLOCKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
1, {DOM_SID_TRUST"-1002"}},
/* all SIDs filtered*/
{3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
{3, {BLOCKLIST_SID"-1000", BLOCKLIST_SID"-1001", BLOCKLIST_SID"-1002"},
0, {}},
{0, {}, 0 , {}}
};
@@ -275,12 +292,12 @@ void test_filter_logon_info(void **state)
}
for (d = 0; d < info->info->info3.sidcount; d++) {
ret = string_to_sid(test_data[c].sids[d],
ret = ipadb_string_to_sid(test_data[c].sids[d],
info->info->info3.sids[d].sid);
assert_int_equal(ret, 0);
}
kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, &realm, info);
assert_int_equal(kerr, 0);
assert_int_equal(info->info->info3.sidcount, test_data[c].exp_sidcount);
if (test_data[c].exp_sidcount == 0) {
@@ -299,10 +316,7 @@ void test_filter_logon_info(void **state)
}
extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
bool *with_pac, bool *with_pad);
void test_get_authz_data_types(void **state)
static void test_get_authz_data_types(void **state)
{
bool with_pac;
bool with_pad;
@@ -420,7 +434,7 @@ void test_get_authz_data_types(void **state)
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
}
void test_string_to_sid(void **state)
static void test_ipadb_string_to_sid(void **state)
{
int ret;
struct dom_sid sid;
@@ -428,31 +442,31 @@ void test_string_to_sid(void **state)
{21, 2127521184, 1604012920, 1887927527, 72713,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
ret = string_to_sid(NULL, &sid);
ret = ipadb_string_to_sid(NULL, &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("abc", &sid);
ret = ipadb_string_to_sid("abc", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-", &sid);
ret = ipadb_string_to_sid("S-", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-ABC", &sid);
ret = ipadb_string_to_sid("S-ABC", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-123", &sid);
ret = ipadb_string_to_sid("S-123", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid);
ret = ipadb_string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713",
ret = ipadb_string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713",
&sid);
assert_int_equal(ret, 0);
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
}
void test_dom_sid_string(void **state)
static void test_dom_sid_string(void **state)
{
struct test_ctx *test_ctx;
char *str_sid;
@@ -478,6 +492,38 @@ void test_dom_sid_string(void **state)
}
static void test_check_trusted_realms(void **state)
{
struct test_ctx *test_ctx;
krb5_error_code kerr = 0;
char *trusted_realm = NULL;
test_ctx = (struct test_ctx *) *state;
for(size_t i = 0; i < NUM_SUFFIXES; i++) {
char *test_realm = NULL;
assert_int_not_equal(asprintf(&test_realm, TEST_REALM_TEMPLATE, i), -1);
if (test_realm) {
kerr = ipadb_is_princ_from_trusted_realm(
test_ctx->krb5_ctx,
test_realm,
strlen(test_realm),
&trusted_realm);
assert_int_equal(kerr, 0);
free(test_realm);
free(trusted_realm);
}
}
kerr = ipadb_is_princ_from_trusted_realm(
test_ctx->krb5_ctx,
EXTERNAL_REALM,
strlen(EXTERNAL_REALM),
&trusted_realm);
assert_int_equal(kerr, KRB5_KDB_NOENTRY);
}
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
@@ -485,9 +531,11 @@ int main(int argc, const char *argv[])
setup, teardown),
cmocka_unit_test_setup_teardown(test_filter_logon_info,
setup, teardown),
cmocka_unit_test(test_string_to_sid),
cmocka_unit_test(test_ipadb_string_to_sid),
cmocka_unit_test_setup_teardown(test_dom_sid_string,
setup, teardown),
cmocka_unit_test_setup_teardown(test_check_trusted_realms,
setup, teardown),
};
return cmocka_run_group_tests(tests, NULL, NULL);