1 /*
2 * QEMU list authorization object tests
3 *
4 * Copyright (c) 2018 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21 #include "qemu/osdep.h"
22 #include "qemu/main-loop.h"
23 #include "qemu/module.h"
24 #include "authz/listfile.h"
25
26 static char *workdir;
27
qemu_authz_listfile_test_save(const gchar * name,const gchar * cfg)28 static gchar *qemu_authz_listfile_test_save(const gchar *name,
29 const gchar *cfg)
30 {
31 gchar *path = g_strdup_printf("%s/default-deny.cfg", workdir);
32 GError *gerr = NULL;
33
34 if (!g_file_set_contents(path, cfg, -1, &gerr)) {
35 g_printerr("Unable to save config %s: %s\n",
36 path, gerr->message);
37 g_error_free(gerr);
38 g_free(path);
39 rmdir(workdir);
40 abort();
41 }
42
43 return path;
44 }
45
test_authz_default_deny(void)46 static void test_authz_default_deny(void)
47 {
48 gchar *file = qemu_authz_listfile_test_save(
49 "default-deny.cfg",
50 "{ \"policy\": \"deny\" }");
51 Error *local_err = NULL;
52
53 QAuthZListFile *auth = qauthz_list_file_new("auth0",
54 file, false,
55 &local_err);
56 unlink(file);
57 g_free(file);
58 g_assert(local_err == NULL);
59 g_assert(!qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
60
61 object_unparent(OBJECT(auth));
62 }
63
test_authz_default_allow(void)64 static void test_authz_default_allow(void)
65 {
66 gchar *file = qemu_authz_listfile_test_save(
67 "default-allow.cfg",
68 "{ \"policy\": \"allow\" }");
69 Error *local_err = NULL;
70
71 QAuthZListFile *auth = qauthz_list_file_new("auth0",
72 file, false,
73 &local_err);
74 unlink(file);
75 g_free(file);
76 g_assert(local_err == NULL);
77 g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
78
79 object_unparent(OBJECT(auth));
80 }
81
test_authz_explicit_deny(void)82 static void test_authz_explicit_deny(void)
83 {
84 gchar *file = qemu_authz_listfile_test_save(
85 "explicit-deny.cfg",
86 "{ \"rules\": [ "
87 " { \"match\": \"fred\","
88 " \"policy\": \"deny\","
89 " \"format\": \"exact\" } ],"
90 " \"policy\": \"allow\" }");
91 Error *local_err = NULL;
92
93 QAuthZListFile *auth = qauthz_list_file_new("auth0",
94 file, false,
95 &local_err);
96 unlink(file);
97 g_free(file);
98 g_assert(local_err == NULL);
99
100 g_assert(!qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
101
102 object_unparent(OBJECT(auth));
103 }
104
test_authz_explicit_allow(void)105 static void test_authz_explicit_allow(void)
106 {
107 gchar *file = qemu_authz_listfile_test_save(
108 "explicit-allow.cfg",
109 "{ \"rules\": [ "
110 " { \"match\": \"fred\","
111 " \"policy\": \"allow\","
112 " \"format\": \"exact\" } ],"
113 " \"policy\": \"deny\" }");
114 Error *local_err = NULL;
115
116 QAuthZListFile *auth = qauthz_list_file_new("auth0",
117 file, false,
118 &local_err);
119 unlink(file);
120 g_free(file);
121 g_assert(local_err == NULL);
122
123 g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
124
125 object_unparent(OBJECT(auth));
126 }
127
128
test_authz_complex(void)129 static void test_authz_complex(void)
130 {
131 gchar *file = qemu_authz_listfile_test_save(
132 "complex.cfg",
133 "{ \"rules\": [ "
134 " { \"match\": \"fred\","
135 " \"policy\": \"allow\","
136 " \"format\": \"exact\" },"
137 " { \"match\": \"bob\","
138 " \"policy\": \"allow\","
139 " \"format\": \"exact\" },"
140 " { \"match\": \"dan\","
141 " \"policy\": \"deny\","
142 " \"format\": \"exact\" },"
143 " { \"match\": \"dan*\","
144 " \"policy\": \"allow\","
145 " \"format\": \"glob\" } ],"
146 " \"policy\": \"deny\" }");
147
148 Error *local_err = NULL;
149
150 QAuthZListFile *auth = qauthz_list_file_new("auth0",
151 file, false,
152 &local_err);
153 unlink(file);
154 g_free(file);
155 g_assert(local_err == NULL);
156
157 g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
158 g_assert(qauthz_is_allowed(QAUTHZ(auth), "bob", &error_abort));
159 g_assert(!qauthz_is_allowed(QAUTHZ(auth), "dan", &error_abort));
160 g_assert(qauthz_is_allowed(QAUTHZ(auth), "danb", &error_abort));
161
162 object_unparent(OBJECT(auth));
163 }
164
165
main(int argc,char ** argv)166 int main(int argc, char **argv)
167 {
168 int ret;
169 GError *gerr = NULL;
170
171 g_test_init(&argc, &argv, NULL);
172
173 module_call_init(MODULE_INIT_QOM);
174
175 workdir = g_dir_make_tmp("qemu-test-authz-listfile-XXXXXX",
176 &gerr);
177 if (!workdir) {
178 g_printerr("Unable to create temporary dir: %s\n",
179 gerr->message);
180 g_error_free(gerr);
181 abort();
182 }
183
184 g_test_add_func("/auth/list/default/deny", test_authz_default_deny);
185 g_test_add_func("/auth/list/default/allow", test_authz_default_allow);
186 g_test_add_func("/auth/list/explicit/deny", test_authz_explicit_deny);
187 g_test_add_func("/auth/list/explicit/allow", test_authz_explicit_allow);
188 g_test_add_func("/auth/list/complex", test_authz_complex);
189
190 ret = g_test_run();
191
192 rmdir(workdir);
193 g_free(workdir);
194
195 return ret;
196 }
197