test-authz-pam.c (3278B)
1/* 2 * QEMU PAM authorization object tests 3 * 4 * Copyright (c) 2018 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21#include "qemu/osdep.h" 22#include "qapi/error.h" 23#include "qemu/module.h" 24#include "authz/pamacct.h" 25 26#include <security/pam_appl.h> 27 28static bool failauth; 29 30/* 31 * These three functions are exported by libpam.so. 32 * 33 * By defining them again here, our impls are resolved 34 * by the linker instead of those in libpam.so 35 * 36 * The test suite is thus isolated from the host system 37 * PAM setup, so we can do predictable test scenarios 38 */ 39int 40pam_start(const char *service_name, const char *user, 41 const struct pam_conv *pam_conversation, 42 pam_handle_t **pamh) 43{ 44 failauth = true; 45 if (!g_str_equal(service_name, "qemu-vnc")) { 46 return PAM_AUTH_ERR; 47 } 48 49 if (g_str_equal(user, "fred")) { 50 failauth = false; 51 } 52 53 *pamh = (pam_handle_t *)0xbadeaffe; 54 return PAM_SUCCESS; 55} 56 57 58int 59pam_acct_mgmt(pam_handle_t *pamh, int flags) 60{ 61 if (failauth) { 62 return PAM_AUTH_ERR; 63 } 64 65 return PAM_SUCCESS; 66} 67 68 69int 70pam_end(pam_handle_t *pamh, int status) 71{ 72 return PAM_SUCCESS; 73} 74 75 76static void test_authz_unknown_service(void) 77{ 78 Error *local_err = NULL; 79 QAuthZPAM *auth = qauthz_pam_new("auth0", 80 "qemu-does-not-exist", 81 &error_abort); 82 83 g_assert_nonnull(auth); 84 85 g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err)); 86 87 error_free_or_abort(&local_err); 88 object_unparent(OBJECT(auth)); 89} 90 91 92static void test_authz_good_user(void) 93{ 94 QAuthZPAM *auth = qauthz_pam_new("auth0", 95 "qemu-vnc", 96 &error_abort); 97 98 g_assert_nonnull(auth); 99 100 g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort)); 101 102 object_unparent(OBJECT(auth)); 103} 104 105 106static void test_authz_bad_user(void) 107{ 108 Error *local_err = NULL; 109 QAuthZPAM *auth = qauthz_pam_new("auth0", 110 "qemu-vnc", 111 &error_abort); 112 113 g_assert_nonnull(auth); 114 115 g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err)); 116 117 error_free_or_abort(&local_err); 118 object_unparent(OBJECT(auth)); 119} 120 121 122int main(int argc, char **argv) 123{ 124 g_test_init(&argc, &argv, NULL); 125 126 module_call_init(MODULE_INIT_QOM); 127 128 g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service); 129 g_test_add_func("/auth/pam/good-user", test_authz_good_user); 130 g_test_add_func("/auth/pam/bad-user", test_authz_bad_user); 131 132 return g_test_run(); 133}