1*da668aa1SThomas Huth /*
2*da668aa1SThomas Huth  * QEMU PAM authorization object tests
3*da668aa1SThomas Huth  *
4*da668aa1SThomas Huth  * Copyright (c) 2018 Red Hat, Inc.
5*da668aa1SThomas Huth  *
6*da668aa1SThomas Huth  * This library is free software; you can redistribute it and/or
7*da668aa1SThomas Huth  * modify it under the terms of the GNU Lesser General Public
8*da668aa1SThomas Huth  * License as published by the Free Software Foundation; either
9*da668aa1SThomas Huth  * version 2.1 of the License, or (at your option) any later version.
10*da668aa1SThomas Huth  *
11*da668aa1SThomas Huth  * This library is distributed in the hope that it will be useful,
12*da668aa1SThomas Huth  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13*da668aa1SThomas Huth  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14*da668aa1SThomas Huth  * Lesser General Public License for more details.
15*da668aa1SThomas Huth  *
16*da668aa1SThomas Huth  * You should have received a copy of the GNU Lesser General Public
17*da668aa1SThomas Huth  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18*da668aa1SThomas Huth  *
19*da668aa1SThomas Huth  */
20*da668aa1SThomas Huth 
21*da668aa1SThomas Huth #include "qemu/osdep.h"
22*da668aa1SThomas Huth #include "qapi/error.h"
23*da668aa1SThomas Huth #include "qemu/module.h"
24*da668aa1SThomas Huth #include "authz/pamacct.h"
25*da668aa1SThomas Huth 
26*da668aa1SThomas Huth #include <security/pam_appl.h>
27*da668aa1SThomas Huth 
/*
 * Verdict shared between the PAM stubs in this file: written by
 * pam_start(), read by pam_acct_mgmt(). true means the account
 * check must be refused.
 */
static bool failauth;
29*da668aa1SThomas Huth 
/*
 * These three functions are exported by libpam.so.
 *
 * By defining them again here, our implementations are resolved
 * by the linker instead of those in libpam.so.
 *
 * The test suite is thus isolated from the host system's
 * PAM setup, so we can run predictable test scenarios.
 */
/*
 * Test double for libpam's pam_start().
 *
 * Knows exactly one service name ("qemu-vnc") and one permitted user
 * ("fred"). The resulting verdict is stored in 'failauth', which the
 * pam_acct_mgmt() stub in this file reports back later.
 *
 * Returns PAM_AUTH_ERR for any other service name, PAM_SUCCESS otherwise.
 */
int
pam_start(const char *service_name, const char *user,
          const struct pam_conv *pam_conversation,
          pam_handle_t **pamh)
{
    const bool known_service = g_str_equal(service_name, "qemu-vnc");

    /*
     * Deny unless both the service and the user match. The user is only
     * compared once the service has matched, so every other combination
     * leaves the verdict at "refuse".
     */
    failauth = !(known_service && g_str_equal(user, "fred"));

    if (!known_service) {
        /* *pamh is left untouched on this path. */
        return PAM_AUTH_ERR;
    }

    /*
     * Opaque sentinel rather than a real handle: the other stubs in this
     * file never dereference the handle they are given.
     */
    *pamh = (pam_handle_t *)0xbadeaffe;
    return PAM_SUCCESS;
}
56*da668aa1SThomas Huth 
57*da668aa1SThomas Huth 
/*
 * Test double for libpam's pam_acct_mgmt().
 *
 * Reports the verdict recorded in 'failauth': PAM_AUTH_ERR when it is
 * set, PAM_SUCCESS otherwise. Both arguments are ignored.
 *
 * NOTE(review): PAM_AUTH_ERR is the only refusal code this stub can
 * produce, so other non-success results (for example PAM_ACCT_EXPIRED
 * or PAM_PERM_DENIED) are not exercised by this file.
 */
int
pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
    return failauth ? PAM_AUTH_ERR : PAM_SUCCESS;
}
67*da668aa1SThomas Huth 
68*da668aa1SThomas Huth 
/*
 * Test double for libpam's pam_end().
 *
 * There is nothing to release because the handle produced by the
 * pam_start() stub is only a sentinel value, so this always succeeds.
 */
int
pam_end(pam_handle_t *pamh, int status)
{
    /* Neither argument carries any state in the stubbed implementation. */
    (void)pamh;
    (void)status;

    return PAM_SUCCESS;
}
74*da668aa1SThomas Huth 
75*da668aa1SThomas Huth 
/*
 * An authz object bound to a PAM service that the pam_start() stub
 * rejects must refuse access, even for the otherwise permitted user
 * "fred", and must report an error while doing so.
 */
static void test_authz_unknown_service(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth;

    /* Object creation itself is expected to succeed; any error aborts. */
    auth = qauthz_pam_new("auth0", "qemu-does-not-exist", &error_abort);

    g_assert_nonnull(auth);

    /* Fail-closed check: a service start failure must not grant access. */
    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err));

    /* Aborts if the refusal came back without an error being set. */
    error_free_or_abort(&local_err);

    /* Drop the object from the QOM composition tree. */
    object_unparent(OBJECT(auth));
}
90*da668aa1SThomas Huth 
91*da668aa1SThomas Huth 
/*
 * Positive case: the known service "qemu-vnc" together with the
 * permitted user "fred" must be allowed, without any error.
 */
static void test_authz_good_user(void)
{
    QAuthZPAM *auth;

    auth = qauthz_pam_new("auth0", "qemu-vnc", &error_abort);

    g_assert_nonnull(auth);

    /* &error_abort: an error on the allow path terminates the test. */
    g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    /* Drop the object from the QOM composition tree. */
    object_unparent(OBJECT(auth));
}
104*da668aa1SThomas Huth 
105*da668aa1SThomas Huth 
/*
 * Negative case: the service "qemu-vnc" is known, but "bob" is not the
 * user the stubs permit, so access must be refused and an error set.
 */
static void test_authz_bad_user(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth;

    auth = qauthz_pam_new("auth0", "qemu-vnc", &error_abort);

    g_assert_nonnull(auth);

    /* The refusal here comes from the account check, not from pam_start(). */
    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err));

    /* Aborts if the refusal came back without an error being set. */
    error_free_or_abort(&local_err);

    /* Drop the object from the QOM composition tree. */
    object_unparent(OBJECT(auth));
}
120*da668aa1SThomas Huth 
121*da668aa1SThomas Huth 
/*
 * Test entry point: initialises GLib's test framework and the QOM type
 * modules, registers the three PAM authorization cases and runs them.
 */
int main(int argc, char **argv)
{
    /* Registered in table order: one refusal per failure stage, one allow. */
    static const struct {
        const char *path;
        void (*func)(void);
    } cases[] = {
        { "/auth/pam/unknown-service", test_authz_unknown_service },
        { "/auth/pam/good-user", test_authz_good_user },
        { "/auth/pam/bad-user", test_authz_bad_user },
    };
    size_t i;

    g_test_init(&argc, &argv, NULL);

    /* QOM types must be registered before any authz object is created. */
    module_call_init(MODULE_INIT_QOM);

    for (i = 0; i < G_N_ELEMENTS(cases); i++) {
        g_test_add_func(cases[i].path, cases[i].func);
    }

    return g_test_run();
}