tests/test-authz-pam.c

   1 /*
   2  * QEMU PAM authorization object tests
   3  *
   4  * Copyright (c) 2018 Red Hat, Inc.
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18  *
  19  */
  20
  21 #include "qemu/osdep.h"
  22 #include "qapi/error.h"
  23 #include "authz/pamacct.h"
  24
  25 #include <security/pam_appl.h>
  26
  27 static bool failauth;
  28
  29 /*
  30  * These two functions are exported by libpam.so.
  31  *
  32  * By defining them again here, our impls are resolved
  33  * by the linker instead of those in libpam.so
  34  *
  35  * The test suite is thus isolated from the host system
  36  * PAM setup, so we can do predictable test scenarios
  37  */
  38 int
  39 pam_start(const char *service_name, const char *user,
  40           const struct pam_conv *pam_conversation,
  41           pam_handle_t **pamh)
  42 {
  43     failauth = true;
  44     if (!g_str_equal(service_name, "qemu-vnc")) {
  45         return PAM_AUTH_ERR;
  46     }
  47
  48     if (g_str_equal(user, "fred")) {
  49         failauth = false;
  50     }
  51
  52     return PAM_SUCCESS;
  53 }
  54
  55
  56 int
  57 pam_acct_mgmt(pam_handle_t *pamh, int flags)
  58 {
  59     if (failauth) {
  60         return PAM_AUTH_ERR;
  61     }
  62
  63     return PAM_SUCCESS;
  64 }
  65
  66
  67 static void test_authz_unknown_service(void)
  68 {
  69     Error *local_err = NULL;
  70     QAuthZPAM *auth = qauthz_pam_new("auth0",
  71                                      "qemu-does-not-exist",
  72                                      &error_abort);
  73
  74     g_assert_nonnull(auth);
  75
  76     g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err));
  77
  78     error_free_or_abort(&local_err);
  79     object_unparent(OBJECT(auth));
  80 }
  81
  82
  83 static void test_authz_good_user(void)
  84 {
  85     QAuthZPAM *auth = qauthz_pam_new("auth0",
  86                                      "qemu-vnc",
  87                                      &error_abort);
  88
  89     g_assert_nonnull(auth);
  90
  91     g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
  92
  93     object_unparent(OBJECT(auth));
  94 }
  95
  96
  97 static void test_authz_bad_user(void)
  98 {
  99     Error *local_err = NULL;
 100     QAuthZPAM *auth = qauthz_pam_new("auth0",
 101                                      "qemu-vnc",
 102                                      &error_abort);
 103
 104     g_assert_nonnull(auth);
 105
 106     g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err));
 107
 108     error_free_or_abort(&local_err);
 109     object_unparent(OBJECT(auth));
 110 }
 111
 112
 113 int main(int argc, char **argv)
 114 {
 115     g_test_init(&argc, &argv, NULL);
 116
 117     module_call_init(MODULE_INIT_QOM);
 118
 119     g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service);
 120     g_test_add_func("/auth/pam/good-user", test_authz_good_user);
 121     g_test_add_func("/auth/pam/bad-user", test_authz_bad_user);
 122
 123     return g_test_run();
 124 }