LXR qemu/tests/unit/test-authz-pam.c

   1/*
   2 * QEMU PAM authorization object tests
   3 *
   4 * Copyright (c) 2018 Red Hat, Inc.
   5 *
   6 * This library is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU Lesser General Public
   8 * License as published by the Free Software Foundation; either
   9 * version 2.1 of the License, or (at your option) any later version.
  10 *
  11 * This library is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 * Lesser General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU Lesser General Public
  17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18 *
  19 */
  20
  21#include "qemu/osdep.h"
  22#include "qapi/error.h"
  23#include "qemu/module.h"
  24#include "authz/pamacct.h"
  25
  26#include <security/pam_appl.h>
  27
  28static bool failauth;
  29
  30/*
  31 * These three functions are exported by libpam.so.
  32 *
  33 * By defining them again here, our impls are resolved
  34 * by the linker instead of those in libpam.so
  35 *
  36 * The test suite is thus isolated from the host system
  37 * PAM setup, so we can do predictable test scenarios
  38 */
  39int
  40pam_start(const char *service_name, const char *user,
  41          const struct pam_conv *pam_conversation,
  42          pam_handle_t **pamh)
  43{
  44    failauth = true;
  45    if (!g_str_equal(service_name, "qemu-vnc")) {
  46        return PAM_AUTH_ERR;
  47    }
  48
  49    if (g_str_equal(user, "fred")) {
  50        failauth = false;
  51    }
  52
  53    *pamh = (pam_handle_t *)0xbadeaffe;
  54    return PAM_SUCCESS;
  55}
  56
  57
  58int
  59pam_acct_mgmt(pam_handle_t *pamh, int flags)
  60{
  61    if (failauth) {
  62        return PAM_AUTH_ERR;
  63    }
  64
  65    return PAM_SUCCESS;
  66}
  67
  68
  69int
  70pam_end(pam_handle_t *pamh, int status)
  71{
  72    return PAM_SUCCESS;
  73}
  74
  75
  76static void test_authz_unknown_service(void)
  77{
  78    Error *local_err = NULL;
  79    QAuthZPAM *auth = qauthz_pam_new("auth0",
  80                                     "qemu-does-not-exist",
  81                                     &error_abort);
  82
  83    g_assert_nonnull(auth);
  84
  85    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err));
  86
  87    error_free_or_abort(&local_err);
  88    object_unparent(OBJECT(auth));
  89}
  90
  91
  92static void test_authz_good_user(void)
  93{
  94    QAuthZPAM *auth = qauthz_pam_new("auth0",
  95                                     "qemu-vnc",
  96                                     &error_abort);
  97
  98    g_assert_nonnull(auth);
  99
 100    g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
 101
 102    object_unparent(OBJECT(auth));
 103}
 104
 105
 106static void test_authz_bad_user(void)
 107{
 108    Error *local_err = NULL;
 109    QAuthZPAM *auth = qauthz_pam_new("auth0",
 110                                     "qemu-vnc",
 111                                     &error_abort);
 112
 113    g_assert_nonnull(auth);
 114
 115    g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err));
 116
 117    error_free_or_abort(&local_err);
 118    object_unparent(OBJECT(auth));
 119}
 120
 121
 122int main(int argc, char **argv)
 123{
 124    g_test_init(&argc, &argv, NULL);
 125
 126    module_call_init(MODULE_INIT_QOM);
 127
 128    g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service);
 129    g_test_add_func("/auth/pam/good-user", test_authz_good_user);
 130    g_test_add_func("/auth/pam/bad-user", test_authz_bad_user);
 131
 132    return g_test_run();
 133}
 134