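/*
 * QEMU PAM authorization object tests
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#include "qemu/osdep.h"
#include "qapi/error.h"
#include "qemu/module.h"
#include "authz/pamacct.h"

#include <security/pam_appl.h>

/*
 * Opaque, never-dereferenced handle value handed out by the fake
 * pam_start() below.  The code under test must pass this exact value
 * back to pam_acct_mgmt() and pam_end(); anything else means it is
 * giving libpam a handle it never obtained from pam_start().
 */
#define FAKE_PAM_HANDLE ((pam_handle_t *)0xbadeaffe)

/* Decided by pam_start(): should the following pam_acct_mgmt() fail? */
static bool failauth;

/*
 * True between a successful pam_start() and its matching pam_end().
 * Lets the tests detect a PAM transaction that the code under test
 * leaks (never ends) or ends twice.
 */
static bool transaction_open;

/*
 * These three functions are exported by libpam.so.
 *
 * By defining them again here, our impls are resolved
 * by the linker instead of those in libpam.so
 *
 * The test suite is thus isolated from the host system
 * PAM setup, so we can do predictable test scenarios.
 *
 * The fake PAM world knows exactly one service, "qemu-vnc",
 * in which exactly one user, "fred", passes account management.
 */
int
pam_start(const char *service_name, const char *user,
          const struct pam_conv *pam_conversation,
          pam_handle_t **pamh)
{
    /* g_str_equal() would crash on NULL; fail with a clear message. */
    g_assert_nonnull(service_name);
    g_assert_nonnull(user);
    g_assert_nonnull(pamh);
    /*
     * NOTE(review): pam_conversation is ignored here because the stub
     * never prompts; whether a real libpam rejects a NULL conversation
     * is not exercised by this suite.
     */

    /* A second pam_start() without pam_end() would leak the first handle. */
    g_assert_false(transaction_open);

    failauth = true;
    if (!g_str_equal(service_name, "qemu-vnc")) {
        return PAM_AUTH_ERR;
    }

    if (g_str_equal(user, "fred")) {
        failauth = false;
    }

    *pamh = FAKE_PAM_HANDLE;
    transaction_open = true;
    return PAM_SUCCESS;
}


int
pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
    /* Only the handle returned by a live pam_start() is acceptable. */
    g_assert_true(transaction_open);
    g_assert_true(pamh == FAKE_PAM_HANDLE);

    if (failauth) {
        return PAM_AUTH_ERR;
    }

    return PAM_SUCCESS;
}


int
pam_end(pam_handle_t *pamh, int status)
{
    /*
     * pam_end() on a handle that is not live would be an invalid-handle
     * use against real libpam, so treat it as a test failure.
     */
    g_assert_true(transaction_open);
    g_assert_true(pamh == FAKE_PAM_HANDLE);

    transaction_open = false;
    return PAM_SUCCESS;
}


/* A service name the fake pam_start() rejects must yield a denial plus an error. */
static void test_authz_unknown_service(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-does-not-exist",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err));

    /* The denial must be reported through errp, not silently swallowed. */
    error_free_or_abort(&local_err);

    /* pam_start() refused the service, so no transaction may be left open. */
    g_assert_false(transaction_open);

    object_unparent(OBJECT(auth));
}


/* The one authorized user of the one known service is allowed through. */
static void test_authz_good_user(void)
{
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-vnc",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    /* Every successful pam_start() must have been matched by pam_end(). */
    g_assert_false(transaction_open);

    object_unparent(OBJECT(auth));
}


/* A user the fake pam_acct_mgmt() rejects is denied, with an error set. */
static void test_authz_bad_user(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-vnc",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err));

    error_free_or_abort(&local_err);

    /* The failed account check must still end the PAM transaction. */
    g_assert_false(transaction_open);

    object_unparent(OBJECT(auth));
}


int main(int argc, char **argv)
{
    g_test_init(&argc, &argv, NULL);

    module_call_init(MODULE_INIT_QOM);

    g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service);
    g_test_add_func("/auth/pam/good-user", test_authz_good_user);
    g_test_add_func("/auth/pam/bad-user", test_authz_bad_user);

    return g_test_run();
}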