[Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info()
Sumit Bose
sbose at redhat.com
Tue Jul 7 13:49:13 UTC 2015
On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote:
> On 05/26/2015 01:33 PM, Sumit Bose wrote:
> >Hi,
> >
> >these patches add some unit tests and some additional improvements
> >related to the issues described in
> >https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue
> >is fixed by a patch from Alexander attached to the ticket.
> >
> >The first patch converts the existing check-based test to cmocka. If I
> >see it correctly all check-based test are converted now.
>
> Cool! Before pushing, we should also reference ticket
> https://fedorahosted.org/freeipa/ticket/4922
> in the patch (no need to rebase right now).
>
> >
> >The second adds tests for filter_logon_info() where the original issue
> >occurred. The wrong behavior in filter_logon_info() caused a crash in
> >dom_sid_string() which is made a bit more robust together with
> >string_to_sid() in the 3rd patch. The last patch add unit tests for
> >those two calls as well.
New version rebased on one-way trust patches attached.
Please note that the unit-test will fail with the initial version of the
one-way trust patches which does not allow an empty group list in the
PAC.
bye,
Sumit
-------------- next part --------------
From 4a31cfdd848e0ef51ee32817e634340d1e90c97f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Wed, 20 May 2015 18:31:19 +0200
Subject: [PATCH 145/148] ipa-kdb: convert test to cmocka
---
daemons/ipa-kdb/Makefile.am | 6 +-
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 129 ++++++++++++----------------------
2 files changed, 48 insertions(+), 87 deletions(-)
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 80747491f8315a9cb0b38965423ba5d160946278..a4ea366b01b248d3f0fbc0b694e02d00c2e4c3d1 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -55,7 +55,7 @@ ipadb_la_LIBADD = \
$(NSS_LIBS) \
$(NULL)
-if HAVE_CHECK
+if HAVE_CMOCKA
TESTS = ipa_kdb_tests
check_PROGRAMS = ipa_kdb_tests
endif
@@ -73,9 +73,9 @@ ipa_kdb_tests_SOURCES = \
ipa_kdb_audit_as.c \
$(KRB5_UTIL_SRCS) \
$(NULL)
-ipa_kdb_tests_CFLAGS = $(CHECK_CFLAGS)
+ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
ipa_kdb_tests_LDADD = \
- $(CHECK_LIBS) \
+ $(CMOCKA_LIBS) \
$(KRB5_LIBS) \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index e1ae06a6e359e65873241116581f028f1a4e1bf3..1ff1cd49a4e409545ee908f0f7842520ae82e0a0 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -1,49 +1,30 @@
-/** BEGIN COPYRIGHT BLOCK
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- * Additional permission under GPLv3 section 7:
- *
- * In the following paragraph, "GPL" means the GNU General Public
- * License, version 3 or any later version, and "Non-GPL Code" means
- * code that is governed neither by the GPL nor a license
- * compatible with the GPL.
- *
- * You may link the code of this Program with Non-GPL Code and convey
- * linked combinations including the two, provided that such Non-GPL
- * Code only links to the code of this Program through those well
- * defined interfaces identified in the file named EXCEPTION found in
- * the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline
- * functions from the Approved Interfaces without causing the resulting
- * work to be covered by the GPL. Only the copyright holders of this
- * Program may make changes or additions to the list of Approved
- * Interfaces.
- *
- * Authors:
- * Sumit Bose <sbose at redhat.com>
- *
- * Copyright (C) 2013 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
+/*
+ Authors:
+ Sumit Bose <sbose at redhat.com>
-#include <check.h>
-#include <stdlib.h>
+ Copyright (C) 2015 Red Hat
+
+ ipa-kdb tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
#include <stdarg.h>
-#include <stdio.h>
-#include <stdbool.h>
-#include <krb5/krb5.h>
-#include <kdb.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
#include "ipa-kdb/ipa_kdb.h"
@@ -74,7 +55,7 @@ int krb5_klog_syslog(int l, const char *format, ...)
extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
bool *with_pac, bool *with_pad);
-START_TEST(test_get_authz_data_types)
+void test_get_authz_data_types(void **state)
{
bool with_pac;
bool with_pad;
@@ -100,40 +81,40 @@ START_TEST(test_get_authz_data_types)
with_pad = true;
get_authz_data_types(NULL, NULL, NULL, &with_pad);
- fail_unless(!with_pad, "with_pad not false with NULL inuput.");
+ assert_false(with_pad);
with_pac = true;
get_authz_data_types(NULL, NULL, &with_pac, NULL);
- fail_unless(!with_pac, "with_pac not false with NULL inuput.");
+ assert_false(with_pad);
with_pad = true;
with_pac = true;
get_authz_data_types(NULL, NULL, &with_pac, &with_pad);
- fail_unless(!with_pad, "with_pad not false with NULL inuput.");
- fail_unless(!with_pac, "with_pac not false with NULL inuput.");
+ assert_false(with_pac);
+ assert_false(with_pad);
entry = calloc(1, sizeof(krb5_db_entry));
- fail_unless(entry != NULL, "calloc krb5_db_entry failed.");
+ assert_non_null(entry);
ied = calloc(1, sizeof(struct ipadb_e_data));
- fail_unless(ied != NULL, "calloc struct ipadb_e_data failed.");
+ assert_non_null(ied);
entry->e_data = (void *) ied;
kerr = krb5_init_context(&krb5_ctx);
- fail_unless(kerr == 0, "krb5_init_context failed.");
+ assert_int_equal(kerr, 0);
kerr = krb5_db_setup_lib_handle(krb5_ctx);
- fail_unless(kerr == 0, "krb5_db_setup_lib_handle failed.\n");
+ assert_int_equal(kerr, 0);
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
- fail_unless(ipa_ctx != NULL, "calloc failed.\n");
+ assert_non_null(ipa_ctx);
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
- fail_unless(kerr == 0, "krb5_db_set_context failed.\n");
+ assert_int_equal(kerr, 0);
kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
- fail_unless(kerr == 0, "krb5_parse_name failed.");
+ assert_int_equal(kerr, 0);
kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ);
- fail_unless(kerr == 0, "krb5_parse_name failed.");
+ assert_int_equal(kerr, 0);
struct test_set {
char **authz_data;
@@ -179,12 +160,8 @@ START_TEST(test_get_authz_data_types)
ipa_ctx->config.last_update = time(NULL);
entry->princ = test_set[c].princ;
get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad);
- fail_unless(with_pad == test_set[c].exp_with_pad, "with_pad not %s %s.",
- test_set[c].exp_with_pad ? "true" : "false",
- test_set[c].err_msg);
- fail_unless(with_pac == test_set[c].exp_with_pac, "with_pac not %s %s.",
- test_set[c].exp_with_pac ? "true" : "false",
- test_set[c].err_msg);
+ assert_true(with_pad == test_set[c].exp_with_pad);
+ assert_true(with_pac == test_set[c].exp_with_pac);
}
krb5_free_principal(krb5_ctx, nfs_princ);
@@ -192,28 +169,12 @@ START_TEST(test_get_authz_data_types)
krb5_db_fini(krb5_ctx);
krb5_free_context(krb5_ctx);
}
-END_TEST
-Suite * ipa_kdb_suite(void)
+int main(int argc, const char *argv[])
{
- Suite *s = suite_create("IPA kdb");
+ const UnitTest tests[] = {
+ unit_test(test_get_authz_data_types),
+ };
- TCase *tc_helper = tcase_create("Helper functions");
- tcase_add_test(tc_helper, test_get_authz_data_types);
- suite_add_tcase(s, tc_helper);
-
- return s;
-}
-
-int main(void)
-{
- int number_failed;
-
- Suite *s = ipa_kdb_suite ();
- SRunner *sr = srunner_create (s);
- srunner_run_all (sr, CK_VERBOSE);
- number_failed = srunner_ntests_failed (sr);
- srunner_free (sr);
-
- return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+ return run_tests(tests);
}
--
2.1.0
-------------- next part --------------
From b34502fc964f197b0792b8d387bdb99c0b7f8521 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 26 May 2015 10:26:28 +0200
Subject: [PATCH 146/148] ipa-kdb: add unit-test for filter_logon_info()
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 41 ++---
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 57 +++++++
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 275 +++++++++++++++++++++++++++++---
3 files changed, 323 insertions(+), 50 deletions(-)
create mode 100644 daemons/ipa-kdb/ipa_kdb_mspac_private.h
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index df19880d37f9c006c6ec3a5e392d9eeecb1e45cb..ca110fd662990835aa7ef27f99148f3c47a43942 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -28,31 +28,7 @@
#include "util/time.h"
#include "gen_ndr/ndr_krb5pac.h"
-struct ipadb_adtrusts {
- char *domain_name;
- char *flat_name;
- char *domain_sid;
- struct dom_sid domsid;
- struct dom_sid *sid_blacklist_incoming;
- int len_sid_blacklist_incoming;
- struct dom_sid *sid_blacklist_outgoing;
- int len_sid_blacklist_outgoing;
- struct ipadb_adtrusts *parent;
- char *parent_name;
-};
-
-struct ipadb_mspac {
- char *flat_domain_name;
- char *flat_server_name;
- struct dom_sid domsid;
-
- char *fallback_group;
- uint32_t fallback_rid;
-
- int num_trusts;
- struct ipadb_adtrusts *trusts;
- time_t last_update;
-};
+#include "ipa_kdb_mspac_private.h"
static char *user_pac_attrs[] = {
"objectClass",
@@ -113,10 +89,11 @@ static struct {
#define AUTHZ_DATA_TYPE_PAD "PAD"
#define AUTHZ_DATA_TYPE_NONE "NONE"
-static int string_to_sid(char *str, struct dom_sid *sid)
+int string_to_sid(const char *str, struct dom_sid *sid)
{
unsigned long val;
- char *s, *t;
+ const char *s;
+ char *t;
int i;
memset(sid, '\0', sizeof(struct dom_sid));
@@ -174,7 +151,7 @@ static int string_to_sid(char *str, struct dom_sid *sid)
return 0;
}
-static char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
+char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
{
size_t c;
size_t len;
@@ -1333,10 +1310,10 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
}
}
-static krb5_error_code filter_logon_info(krb5_context context,
- TALLOC_CTX *memctx,
- krb5_data realm,
- struct PAC_LOGON_INFO_CTR *info)
+krb5_error_code filter_logon_info(krb5_context context,
+ TALLOC_CTX *memctx,
+ krb5_data realm,
+ struct PAC_LOGON_INFO_CTR *info)
{
/* We must refuse a PAC that comes signed with a cross realm TGT
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
new file mode 100644
index 0000000000000000000000000000000000000000..be04071762316643d687e80986db0d7510e53ded
--- /dev/null
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
@@ -0,0 +1,57 @@
+/*
+ * MIT Kerberos KDC database backend for FreeIPA
+ * This head file contains private declarations for ipa_kdb_mspac.c and should
+ * be used only there or in unit-test.
+ *
+ * Authors: Sumit Bose <sbose at redhat.com>
+ *
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#ifndef _IPA_KDB_MSPAC_PRIVATE_H_
+#define _IPA_KDB_MSPAC_PRIVATE_H_
+
+struct ipadb_mspac {
+ char *flat_domain_name;
+ char *flat_server_name;
+ struct dom_sid domsid;
+
+ char *fallback_group;
+ uint32_t fallback_rid;
+
+ int num_trusts;
+ struct ipadb_adtrusts *trusts;
+ time_t last_update;
+};
+
+struct ipadb_adtrusts {
+ char *domain_name;
+ char *flat_name;
+ char *domain_sid;
+ struct dom_sid domsid;
+ struct dom_sid *sid_blacklist_incoming;
+ int len_sid_blacklist_incoming;
+ struct dom_sid *sid_blacklist_outgoing;
+ int len_sid_blacklist_outgoing;
+ struct ipadb_adtrusts *parent;
+ char *parent_name;
+};
+
+int string_to_sid(const char *str, struct dom_sid *sid);
+char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
+
+#endif /* _IPA_KDB_MSPAC_PRIVATE_H_ */
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 1ff1cd49a4e409545ee908f0f7842520ae82e0a0..7b9b85d2cf7fcc2478a522eccf686b3e2582447e 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -22,11 +22,19 @@
#include <errno.h>
#include <stdarg.h>
+#include <stdbool.h>
#include <stddef.h>
+#include <stdint.h>
#include <setjmp.h>
#include <cmocka.h>
+#include <talloc.h>
+
+#include "gen_ndr/ndr_krb5pac.h"
+#include "gen_ndr/netlogon.h"
+
#include "ipa-kdb/ipa_kdb.h"
+#include "ipa-kdb/ipa_kdb_mspac_private.h"
#define NFS_PRINC_STRING "nfs/fully.qualified.host.name at REALM.NAME"
#define NON_NFS_PRINC_STRING "abcdef/fully.qualified.host.name at REALM.NAME"
@@ -52,6 +60,240 @@ int krb5_klog_syslog(int l, const char *format, ...)
return 0;
}
+struct test_ctx {
+ krb5_context krb5_ctx;
+};
+
+#define DOMAIN_NAME "my.domain"
+#define REALM "MY.DOMAIN"
+#define REALM_LEN (sizeof(REALM) - 1)
+#define FLAT_NAME "MYDOM"
+#define DOM_SID "S-1-5-21-1-2-3"
+#define DOM_SID_TRUST "S-1-5-21-4-5-6"
+#define BLACKLIST_SID "S-1-5-1"
+
+void setup(void **state)
+{
+ int ret;
+ krb5_context krb5_ctx;
+ krb5_error_code kerr;
+ struct ipadb_context *ipa_ctx;
+ struct test_ctx *test_ctx;
+
+ kerr = krb5_init_context(&krb5_ctx);
+ assert_int_equal(kerr, 0);
+ kerr = krb5_db_setup_lib_handle(krb5_ctx);
+ assert_int_equal(kerr, 0);
+
+ ipa_ctx = calloc(1, sizeof(struct ipadb_context));
+ assert_non_null(ipa_ctx);
+
+ ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
+ assert_non_null(ipa_ctx->mspac);
+
+ /* make sure data is not read from LDAP */
+ ipa_ctx->mspac->last_update = time(NULL) - 1;
+
+ ret = string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid);
+ assert_int_equal(ret, 0);
+
+ ipa_ctx->mspac->num_trusts = 1;
+ ipa_ctx->mspac->trusts = calloc(1, sizeof(struct ipadb_adtrusts));
+ assert_non_null(ipa_ctx->mspac->trusts);
+
+ ipa_ctx->mspac->trusts[0].domain_name = strdup(DOMAIN_NAME);
+ assert_non_null(ipa_ctx->mspac->trusts[0].domain_name);
+
+ ipa_ctx->mspac->trusts[0].flat_name = strdup(FLAT_NAME);
+ assert_non_null(ipa_ctx->mspac->trusts[0].flat_name);
+
+ ipa_ctx->mspac->trusts[0].domain_sid = strdup(DOM_SID_TRUST);
+ assert_non_null(ipa_ctx->mspac->trusts[0].domain_sid);
+
+ ret = string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid);
+ assert_int_equal(ret, 0);
+
+ ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming = 1;
+ ipa_ctx->mspac->trusts[0].sid_blacklist_incoming = calloc(
+ ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming,
+ sizeof(struct dom_sid));
+ assert_non_null(ipa_ctx->mspac->trusts[0].sid_blacklist_incoming);
+ ret = string_to_sid(BLACKLIST_SID,
+ &ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
+ assert_int_equal(ret, 0);
+
+ struct dom_sid *sid_blacklist_incoming;
+ int len_sid_blacklist_incoming;
+
+ ipa_ctx->kcontext = krb5_ctx;
+ kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
+ assert_int_equal(kerr, 0);
+
+ test_ctx = talloc(NULL, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->krb5_ctx = krb5_ctx;
+
+ *state = test_ctx;
+}
+
+void teardown(void **state)
+{
+ struct test_ctx *test_ctx;
+ struct ipadb_context *ipa_ctx;
+
+ test_ctx = (struct test_ctx *) *state;
+
+ ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx);
+ assert_non_null(ipa_ctx);
+ ipadb_mspac_struct_free(&ipa_ctx->mspac);
+
+ krb5_db_fini(test_ctx->krb5_ctx);
+ krb5_free_context(test_ctx->krb5_ctx);
+
+ talloc_free(test_ctx);
+}
+
+extern krb5_error_code filter_logon_info(krb5_context context,
+ TALLOC_CTX *memctx,
+ krb5_data realm,
+ struct PAC_LOGON_INFO_CTR *info);
+
+void test_filter_logon_info(void **state)
+{
+ krb5_error_code kerr;
+ krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
+ struct test_ctx *test_ctx;
+ struct PAC_LOGON_INFO_CTR *info;
+ int ret;
+ struct dom_sid dom_sid;
+ size_t c;
+ size_t d;
+
+ test_ctx = (struct test_ctx *) *state;
+
+ info = talloc_zero(test_ctx, struct PAC_LOGON_INFO_CTR);
+ assert_non_null(info);
+ info->info = talloc_zero(info, struct PAC_LOGON_INFO);
+ assert_non_null(info->info);
+
+ /* wrong flat name */
+ info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
+ "WRONG");
+ assert_non_null(info->info->info3.base.logon_domain.string);
+
+ kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
+ assert_int_equal(kerr, EINVAL);
+
+ info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
+ FLAT_NAME);
+ assert_non_null(info->info->info3.base.logon_domain.string);
+
+ /* missing domain SID */
+ kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
+ assert_int_equal(kerr, EINVAL);
+
+ /* wrong domain SID */
+ ret = string_to_sid("S-1-5-21-1-1-1", &dom_sid);
+ assert_int_equal(ret, 0);
+ info->info->info3.base.domain_sid = &dom_sid;
+
+ kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
+ assert_int_equal(kerr, EINVAL);
+
+ /* matching domain SID */
+ ret = string_to_sid(DOM_SID_TRUST, &dom_sid);
+ assert_int_equal(ret, 0);
+ info->info->info3.base.domain_sid = &dom_sid;
+
+ kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
+ assert_int_equal(kerr, 0);
+
+ /* empty SIDs */
+ info->info->info3.sidcount = 3;
+ info->info->info3.sids = talloc_zero_array(info->info,
+ struct netr_SidAttr,
+ info->info->info3.sidcount);
+ assert_non_null(info->info->info3.sids);
+ for(c = 0; c < info->info->info3.sidcount; c++) {
+ info->info->info3.sids[c].sid = talloc_zero(info->info->info3.sids,
+ struct dom_sid2);
+ assert_non_null(info->info->info3.sids[c].sid);
+ }
+
+ kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
+ assert_int_equal(kerr, 0);
+ assert_int_equal(info->info->info3.sidcount, 3);
+
+ struct test_data {
+ size_t sidcount;
+ const char *sids[3];
+ size_t exp_sidcount;
+ const char *exp_sids[3];
+ } test_data[] = {
+ /* only allowed SIDs */
+ {3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
+ 3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
+ /* last SID filtered */
+ {3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
+ 2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001"}},
+ /* center SID filtered */
+ {3, {DOM_SID_TRUST"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
+ 2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1002"}},
+ /* first SID filtered */
+ {3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
+ 2, {DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
+ /* first and last SID filtered */
+ {3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
+ 1, {DOM_SID_TRUST"-1001"}},
+ /* two SIDs in a rwo filtered */
+ {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
+ 1, {DOM_SID_TRUST"-1002"}},
+ /* all SIDs filtered*/
+ {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
+ 0, NULL},
+ {0, NULL, 0 , NULL}
+ };
+
+ for (c = 0; test_data[c].sidcount != 0; c++) {
+ talloc_free(info->info->info3.sids);
+
+ info->info->info3.sidcount = test_data[c].sidcount;
+ info->info->info3.sids = talloc_zero_array(info->info,
+ struct netr_SidAttr,
+ info->info->info3.sidcount);
+ assert_non_null(info->info->info3.sids);
+ for(d = 0; d < info->info->info3.sidcount; d++) {
+ info->info->info3.sids[d].sid = talloc_zero(info->info->info3.sids,
+ struct dom_sid2);
+ assert_non_null(info->info->info3.sids[d].sid);
+ }
+
+ for (d = 0; d < info->info->info3.sidcount; d++) {
+ ret = string_to_sid(test_data[c].sids[d],
+ info->info->info3.sids[d].sid);
+ assert_int_equal(ret, 0);
+ }
+
+ kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
+ assert_int_equal(kerr, 0);
+ assert_int_equal(info->info->info3.sidcount, test_data[c].exp_sidcount);
+ if (test_data[c].exp_sidcount == 0) {
+ assert_null(info->info->info3.sids);
+ } else {
+ for (d = 0; d < test_data[c].exp_sidcount; d++) {
+ assert_string_equal(test_data[c].exp_sids[d],
+ dom_sid_string(info->info->info3.sids,
+ info->info->info3.sids[d].sid));
+ }
+ }
+ }
+
+
+ talloc_free(info);
+
+}
+
extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
bool *with_pac, bool *with_pad);
@@ -76,6 +318,11 @@ void test_get_authz_data_types(void **state)
struct ipadb_context *ipa_ctx;
krb5_principal nfs_princ;
krb5_principal non_nfs_princ;
+ struct test_ctx *test_ctx;
+
+ test_ctx = (struct test_ctx *) *state;
+ ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx);
+ assert_non_null(ipa_ctx);
get_authz_data_types(NULL, NULL, NULL, NULL);
@@ -100,20 +347,11 @@ void test_get_authz_data_types(void **state)
assert_non_null(ied);
entry->e_data = (void *) ied;
- kerr = krb5_init_context(&krb5_ctx);
- assert_int_equal(kerr, 0);
- kerr = krb5_db_setup_lib_handle(krb5_ctx);
- assert_int_equal(kerr, 0);
- ipa_ctx = calloc(1, sizeof(struct ipadb_context));
- assert_non_null(ipa_ctx);
- ipa_ctx->kcontext = krb5_ctx;
- kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
- assert_int_equal(kerr, 0);
-
- kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
+ kerr = krb5_parse_name(test_ctx->krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
assert_int_equal(kerr, 0);
- kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ);
+ kerr = krb5_parse_name(test_ctx->krb5_ctx, NON_NFS_PRINC_STRING,
+ &non_nfs_princ);
assert_int_equal(kerr, 0);
struct test_set {
@@ -159,21 +397,22 @@ void test_get_authz_data_types(void **state)
/* Set last_update to avoid LDAP lookups during tests */
ipa_ctx->config.last_update = time(NULL);
entry->princ = test_set[c].princ;
- get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad);
+ get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad);
assert_true(with_pad == test_set[c].exp_with_pad);
assert_true(with_pac == test_set[c].exp_with_pac);
}
- krb5_free_principal(krb5_ctx, nfs_princ);
- krb5_free_principal(krb5_ctx, non_nfs_princ);
- krb5_db_fini(krb5_ctx);
- krb5_free_context(krb5_ctx);
+ free(ied);
+ free(entry);
+ krb5_free_principal(test_ctx->krb5_ctx, nfs_princ);
+ krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
}
int main(int argc, const char *argv[])
{
const UnitTest tests[] = {
- unit_test(test_get_authz_data_types),
+ unit_test_setup_teardown(test_get_authz_data_types, setup, teardown),
+ unit_test_setup_teardown(test_filter_logon_info, setup, teardown),
};
return run_tests(tests);
--
2.1.0
-------------- next part --------------
From e4c6a3b480b8b3a3d655f47ba5b758a5279981e8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 26 May 2015 13:00:26 +0200
Subject: [PATCH 147/148] ipa-kdb: make string_to_sid() and dom_sid_string()
more robust
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ca110fd662990835aa7ef27f99148f3c47a43942..abbc7ac7f0adf76da5823d0813ecf2e10622cd7d 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -96,6 +96,10 @@ int string_to_sid(const char *str, struct dom_sid *sid)
char *t;
int i;
+ if (str == NULL) {
+ return EINVAL;
+ }
+
memset(sid, '\0', sizeof(struct dom_sid));
s = str;
@@ -159,13 +163,18 @@ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
uint32_t ia;
char *buf;
- if (dom_sid == NULL) {
+ if (dom_sid == NULL
+ || dom_sid->num_auths < 0
+ || dom_sid->num_auths > SID_SUB_AUTHS) {
return NULL;
}
len = 25 + dom_sid->num_auths * 11;
buf = talloc_zero_size(memctx, len);
+ if (buf == NULL) {
+ return NULL;
+ }
ia = (dom_sid->id_auth[5]) +
(dom_sid->id_auth[4] << 8 ) +
--
2.1.0
-------------- next part --------------
From aff3c985a7e3ea6bef691db3d0578aae1a7013a1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 26 May 2015 13:01:13 +0200
Subject: [PATCH 148/148] ipa-kdb: add unit_tests for string_to_sid() and
dom_sid_string()
---
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 60 +++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 7b9b85d2cf7fcc2478a522eccf686b3e2582447e..edd4ae0975628d6b3abe9bab2852c990c9a8c590 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -408,11 +408,71 @@ void test_get_authz_data_types(void **state)
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
}
+void test_string_to_sid(void **state)
+{
+ int ret;
+ struct dom_sid sid;
+ struct dom_sid exp_sid = {1, 5, {0, 0, 0, 0, 0, 5},
+ {21, 2127521184, 1604012920, 1887927527, 72713,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
+
+ ret = string_to_sid(NULL, &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = string_to_sid("abc", &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = string_to_sid("S-", &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = string_to_sid("S-ABC", &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = string_to_sid("S-123", &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713",
+ &sid);
+ assert_int_equal(ret, 0);
+ assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
+}
+
+void test_dom_sid_string(void **state)
+{
+ struct test_ctx *test_ctx;
+ char *str_sid;
+ struct dom_sid test_sid = {1, 5, {0, 0, 0, 0, 0, 5},
+ {21, 2127521184, 1604012920, 1887927527, 72713,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
+
+ test_ctx = (struct test_ctx *) *state;
+
+ str_sid = dom_sid_string(test_ctx, NULL);
+ assert_null(str_sid);
+
+ str_sid = dom_sid_string(test_ctx, &test_sid);
+ assert_non_null(str_sid);
+ assert_string_equal(str_sid,
+ "S-1-5-21-2127521184-1604012920-1887927527-72713");
+
+ test_sid.num_auths = -3;
+ str_sid = dom_sid_string(test_ctx, &test_sid);
+
+ test_sid.num_auths = 16;
+ str_sid = dom_sid_string(test_ctx, &test_sid);
+}
+
+
int main(int argc, const char *argv[])
{
const UnitTest tests[] = {
unit_test_setup_teardown(test_get_authz_data_types, setup, teardown),
unit_test_setup_teardown(test_filter_logon_info, setup, teardown),
+ unit_test(test_string_to_sid),
+ unit_test_setup_teardown(test_dom_sid_string, setup, teardown),
};
return run_tests(tests);
--
2.1.0
More information about the Freeipa-devel
mailing list