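/*
 * QEMU PAM authorization object tests
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#include "qemu/osdep.h"
#include "qapi/error.h"
#include "authz/pamacct.h"

#include <security/pam_appl.h>

/*
 * Verdict recorded by the most recent pam_start() call and reported
 * by pam_acct_mgmt() below.
 *
 * Initialised to "deny" so that a pam_acct_mgmt() which is not
 * preceded by a pam_start() that admitted the user fails closed
 * rather than open.  Every test in this file goes through
 * pam_start() first, so this only matters for misuse of the shim.
 */
static bool failauth = true;

/*
 * These two functions are exported by libpam.so.
 *
 * By defining them again here, our impls are resolved
 * by the linker instead of those in libpam.so
 *
 * The test suite is thus isolated from the host system
 * PAM setup, so we can do predictable test scenarios.
 *
 * The fake PAM world is tiny: "qemu-vnc" is the only known
 * service, and within it "fred" is the only admitted user.
 *
 * NOTE(review): pam_end() is not overridden here.  If the code
 * under test calls it, the real libpam implementation runs with
 * whatever handle value the caller holds (this shim never writes
 * *pamh) - confirm pamacct.c tolerates that.
 */

/*
 * Stand-in for libpam's pam_start().
 *
 * Resets the verdict to "deny" on entry, so a failing call can never
 * leave a stale "allow" from an earlier test behind, then admits
 * only user "fred" of service "qemu-vnc".
 *
 * The real pam_start() documents that 'user' may be NULL, and a
 * NULL 'service_name' is at least conceivable from a caller bug;
 * g_str_equal() would dereference either, so both are checked
 * explicitly and treated as "not matching".
 *
 * pam_conversation is ignored and *pamh is never written: the shim
 * has no handle to hand out, so the caller's own value is left as-is.
 *
 * Returns PAM_AUTH_ERR for any service other than "qemu-vnc" and
 * PAM_SUCCESS otherwise.  An unknown user still gets PAM_SUCCESS
 * here; the denial is reported by pam_acct_mgmt(), mirroring the
 * real flow where account checks happen in that later step.
 */
int
pam_start(const char *service_name, const char *user,
          const struct pam_conv *pam_conversation,
          pam_handle_t **pamh)
{
    /* Fail closed: anything not explicitly admitted below is denied. */
    failauth = true;

    if (!service_name || !g_str_equal(service_name, "qemu-vnc")) {
        return PAM_AUTH_ERR;
    }

    if (user && g_str_equal(user, "fred")) {
        failauth = false;
    }

    return PAM_SUCCESS;
}


/*
 * Stand-in for libpam's pam_acct_mgmt().
 *
 * pamh and flags are ignored; the result is whatever verdict the
 * most recent pam_start() recorded in 'failauth'.
 */
int
pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
    return failauth ? PAM_AUTH_ERR : PAM_SUCCESS;
}


/*
 * A service the fake PAM has never heard of must be rejected even
 * for an otherwise admitted user, and the rejection must be
 * reported through the Error out-parameter.
 */
static void test_authz_unknown_service(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-does-not-exist",
                                     &error_abort);

    g_assert_nonnull(auth);

    /* "fred" is admitted for "qemu-vnc", so only the service can deny here */
    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err));

    /*
     * error_free_or_abort() is expected to abort if no error was
     * set, so a silent (error-less) denial fails the test.
     */
    error_free_or_abort(&local_err);
    object_unparent(OBJECT(auth));
}


/*
 * The single admitted service/user pair must be allowed, and must
 * not raise any error while doing so (&error_abort).
 */
static void test_authz_good_user(void)
{
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-vnc",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    object_unparent(OBJECT(auth));
}


/*
 * A known service with an unknown user must be denied, with the
 * denial reported through the Error out-parameter.
 */
static void test_authz_bad_user(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-vnc",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err));

    /* As above: a denial without an Error set aborts here */
    error_free_or_abort(&local_err);
    object_unparent(OBJECT(auth));
}


int main(int argc, char **argv)
{
    g_test_init(&argc, &argv, NULL);

    /* QOM type registration must run before any object is created */
    module_call_init(MODULE_INIT_QOM);

    g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service);
    g_test_add_func("/auth/pam/good-user", test_authz_good_user);
    g_test_add_func("/auth/pam/bad-user", test_authz_bad_user);

    return g_test_run();
}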