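/*
 * QEMU PAM authorization object tests
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#include "qemu/osdep.h"
#include "qapi/error.h"
#include "authz/pamacct.h"

#include <security/pam_appl.h>

/*
 * Decision recorded by the pam_start() stub and reported by the
 * pam_acct_mgmt() stub.
 *
 * Starts out true (deny) so that pam_acct_mgmt() refuses access if it
 * is ever reached without a preceding pam_start(); a zero-initialised
 * flag would make the stub fail open in that case.
 *
 * This is a single process-wide flag, not per-handle state, so the
 * stubs are only meaningful while the test cases run one at a time.
 */
static bool failauth = true;

/*
 * These two functions are exported by libpam.so.
 *
 * By defining them again here, our impls are resolved
 * by the linker instead of those in libpam.so
 *
 * The test suite is thus isolated from the host system
 * PAM setup, so we can do predictable test scenarios
 *
 * Only these two symbols are replaced: any other libpam function
 * the code under test calls still resolves to the real library.
 * The tests therefore check how a PAM result is turned into an
 * allow/deny answer, not the behaviour of a real PAM service
 * configuration.
 */

/*
 * Stub for pam_start().
 *
 * Resets the recorded decision to "deny" on every call, then:
 *  - returns PAM_AUTH_ERR unless @service_name is "qemu-vnc";
 *  - clears the deny flag only when @user is exactly "fred";
 *  - returns PAM_SUCCESS otherwise, leaving the decision to
 *    pam_acct_mgmt().
 *
 * A NULL @service_name or @user is treated as a non-match (deny)
 * rather than being passed to a string comparison that would
 * dereference it.
 *
 * @pam_conversation is ignored and *@pamh is never written.
 * NOTE(review): the caller presumably initialises its handle before
 * the call, since nothing here does - confirm in authz/pamacct.c.
 */
int
pam_start(const char *service_name, const char *user,
          const struct pam_conv *pam_conversation,
          pam_handle_t **pamh)
{
    /* Default deny: only an exact service + user match lifts it. */
    failauth = true;

    if (g_strcmp0(service_name, "qemu-vnc") != 0) {
        return PAM_AUTH_ERR;
    }

    if (g_strcmp0(user, "fred") == 0) {
        failauth = false;
    }

    return PAM_SUCCESS;
}


/*
 * Stub for pam_acct_mgmt().
 *
 * Reports the decision recorded by the most recent pam_start():
 * PAM_AUTH_ERR while the deny flag is set, PAM_SUCCESS otherwise.
 * @pamh and @flags are ignored.
 */
int
pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
    return failauth ? PAM_AUTH_ERR : PAM_SUCCESS;
}


/*
 * A service name the pam_start() stub does not know must result in
 * the identity being refused, with an error reported to the caller.
 */
static void test_authz_unknown_service(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-does-not-exist",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err));

    /* Denial must come with an error; this aborts if none was set. */
    error_free_or_abort(&local_err);
    object_unparent(OBJECT(auth));
}


/*
 * The one identity the stubs accept ("fred" on "qemu-vnc") must be
 * allowed. &error_abort turns any reported error into a test failure.
 */
static void test_authz_good_user(void)
{
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-vnc",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    object_unparent(OBJECT(auth));
}


/*
 * A known service with an identity the stubs reject ("bob") must be
 * refused, with an error reported to the caller.
 */
static void test_authz_bad_user(void)
{
    Error *local_err = NULL;
    QAuthZPAM *auth = qauthz_pam_new("auth0",
                                     "qemu-vnc",
                                     &error_abort);

    g_assert_nonnull(auth);

    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err));

    /* Denial must come with an error; this aborts if none was set. */
    error_free_or_abort(&local_err);
    object_unparent(OBJECT(auth));
}


/*
 * Registers the three PAM authorization cases with GLib's test
 * harness, after initialising the QOM type modules, and runs them.
 */
int main(int argc, char **argv)
{
    g_test_init(&argc, &argv, NULL);

    module_call_init(MODULE_INIT_QOM);

    g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service);
    g_test_add_func("/auth/pam/good-user", test_authz_good_user);
    g_test_add_func("/auth/pam/bad-user", test_authz_bad_user);

    return g_test_run();
}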