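/*
 * QEMU PAM authorization object tests
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#include "qemu/osdep.h"
#include "qapi/error.h"
#include "qemu/module.h"
#include "authz/pamacct.h"

#include <security/pam_appl.h>

/*
 * Outcome of the most recent pam_start() stub call: true means the
 * following pam_acct_mgmt() stub call must reject the account.
 * Single-threaded test state; pam_start() always rewrites it.
 */
static bool failauth;

/*
 * These two functions are exported by libpam.so.
 *
 * By defining them again here, our impls are resolved
 * by the linker instead of those in libpam.so
 *
 * The test suite is thus isolated from the host system
 * PAM setup, so we can do predictable test scenarios.
 *
 * Only pam_start() and pam_acct_mgmt() are replaced; anything else the
 * code under test calls (e.g. pam_end()) still resolves to the real
 * libpam, so the handle we hand back must be one libpam can cope with.
 */

/*
 * Stub pam_start(): accept only the "qemu-vnc" service, and mark the
 * transaction as authorized only for user "fred".
 *
 * @service_name: PAM service; anything other than "qemu-vnc" fails
 * @user: identity being checked; "fred" is the only good account
 * @pam_conversation: unused
 * @pamh: out-parameter; always set to NULL (see below)
 *
 * Returns PAM_AUTH_ERR for an unknown service, PAM_SUCCESS otherwise.
 * A PAM_SUCCESS here does not mean the user is good: that decision is
 * deferred to pam_acct_mgmt() via the failauth flag, mirroring the
 * real two-step start/acct_mgmt flow.
 */
int
pam_start(const char *service_name, const char *user,
          const struct pam_conv *pam_conversation,
          pam_handle_t **pamh)
{
    /*
     * No real transaction is created, so leave the caller with a
     * well-defined NULL handle instead of an untouched (possibly
     * indeterminate) pointer. The caller's pam_end() is not stubbed
     * here and resolves to the real libpam, which is expected to
     * reject a NULL handle with an error rather than dereference it.
     */
    if (pamh) {
        *pamh = NULL;
    }

    /* Default to "reject"; only the known-good user flips it below. */
    failauth = true;
    if (!g_str_equal(service_name, "qemu-vnc")) {
        return PAM_AUTH_ERR;
    }

    if (g_str_equal(user, "fred")) {
        failauth = false;
    }

    return PAM_SUCCESS;
}


/*
 * Stub pam_acct_mgmt(): report the verdict recorded by the preceding
 * pam_start() call.
 *
 * @pamh: unused (the stub pam_start() hands out NULL)
 * @flags: unused
 *
 * Returns PAM_AUTH_ERR when pam_start() saw a user other than "fred",
 * PAM_SUCCESS otherwise.
 */
int
pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
    if (failauth) {
        return PAM_AUTH_ERR;
    }

    return PAM_SUCCESS;
}


/*
 * A service name the stub pam_start() rejects: qauthz_is_allowed() must
 * return false *and* report an error (error_free_or_abort() aborts if
 * no error was set), even for the otherwise-good user "fred".
 */
static void test_authz_unknown_service(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-does-not-exist",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err));

    error_free_or_abort(&local_err);
    object_unparent(OBJECT(auth));
}


/*
 * Known service and the one user the stubs accept: qauthz_is_allowed()
 * must return true without setting an error (&error_abort would abort).
 */
static void test_authz_good_user(void)
{
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-vnc",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    object_unparent(OBJECT(auth));
}


/*
 * Known service but an unknown user: pam_start() succeeds, the stub
 * pam_acct_mgmt() then rejects, so the result must be false with an
 * error set.
 */
static void test_authz_bad_user(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-vnc",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err));

    error_free_or_abort(&local_err);
    object_unparent(OBJECT(auth));
}


int main(int argc, char **argv)
{
    g_test_init(&argc, &argv, NULL);

    /* Registers the QOM types (including the PAM authz object) before use. */
    module_call_init(MODULE_INIT_QOM);

    g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service);
    g_test_add_func("/auth/pam/good-user", test_authz_good_user);
    g_test_add_func("/auth/pam/bad-user", test_authz_bad_user);

    return g_test_run();
}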