/*
 * QEMU list authorization object tests
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

21*da668aa1SThomas Huth #include "qemu/osdep.h"
22*da668aa1SThomas Huth #include "qemu/main-loop.h"
23*da668aa1SThomas Huth #include "qemu/module.h"
24*da668aa1SThomas Huth #include "authz/listfile.h"
25*da668aa1SThomas Huth 
/*
 * Scratch directory created in main() that receives each test's config
 * file; qemu_authz_listfile_test_save() builds its paths under it and
 * main() removes it once g_test_run() returns.
 */
static char *workdir;

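/*
 * Write a listfile authz config into the per-run temporary directory.
 *
 * @name: bare file name to create under workdir. It is interpolated into
 *        the path without validation, so callers must pass a plain file
 *        name with no directory component (all callers in this file do).
 * @cfg:  NUL-terminated JSON text to store.
 *
 * Returns a newly allocated path to the written file. The caller owns it
 * and is expected to unlink() and g_free() it once the QAuthZListFile
 * has been constructed. If the file cannot be written the test process
 * is aborted after a best-effort rmdir() of the (still empty) workdir.
 */
static gchar *qemu_authz_listfile_test_save(const gchar *name,
                                            const gchar *cfg)
{
    /*
     * Build the path from the caller-supplied @name. The previous fixed
     * "default-deny.cfg" made @name a dead parameter and had every test
     * write to one shared path, so a failing unlink() in one test could
     * silently feed its config to the next one.
     */
    gchar *path = g_strdup_printf("%s/%s", workdir, name);
    GError *gerr = NULL;

    if (!g_file_set_contents(path, cfg, -1, &gerr)) {
        g_printerr("Unable to save config %s: %s\n",
                   path, gerr->message);
        g_error_free(gerr);
        g_free(path);
        /* Best effort: only succeeds while the directory is still empty */
        rmdir(workdir);
        abort();
    }

    return path;
}
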
/*
 * No rules and "policy": "deny": every identity must be refused.
 * This is the fail-closed default a listfile should fall back to.
 *
 * The config file is unlinked straight after construction and the
 * object is still queried, so the test relies on the contents being
 * loaded eagerly (the third argument — presumably the refresh flag —
 * is false).
 */
static void test_authz_default_deny(void)
{
    Error *err = NULL;
    gchar *cfgpath = qemu_authz_listfile_test_save(
        "default-deny.cfg",
        "{ \"policy\": \"deny\" }");
    QAuthZListFile *authz = qauthz_list_file_new("auth0", cfgpath, false,
                                                 &err);

    unlink(cfgpath);
    g_free(cfgpath);

    g_assert(err == NULL);
    g_assert(!qauthz_is_allowed(QAUTHZ(authz), "fred", &error_abort));

    object_unparent(OBJECT(authz));
}

/*
 * No rules and "policy": "allow": every identity must be accepted.
 * This is the permissive counterpart of the default-deny case; a
 * deployment that relies on it grants access to anyone the transport
 * authenticates, so the test only checks the semantics, not the wisdom.
 *
 * As in the deny case the file is removed before the query, so the
 * contents must have been read at construction time.
 */
static void test_authz_default_allow(void)
{
    Error *err = NULL;
    gchar *cfgpath = qemu_authz_listfile_test_save(
        "default-allow.cfg",
        "{ \"policy\": \"allow\" }");
    QAuthZListFile *authz = qauthz_list_file_new("auth0", cfgpath, false,
                                                 &err);

    unlink(cfgpath);
    g_free(cfgpath);

    g_assert(err == NULL);
    g_assert(qauthz_is_allowed(QAUTHZ(authz), "fred", &error_abort));

    object_unparent(OBJECT(authz));
}

/*
 * One exact-match deny rule for "fred" on top of "policy": "allow".
 * The rule must override the permissive default for that identity;
 * only the denied identity is queried here, so the allow fallback for
 * other identities is not exercised by this case.
 */
static void test_authz_explicit_deny(void)
{
    Error *err = NULL;
    gchar *cfgpath = qemu_authz_listfile_test_save(
        "explicit-deny.cfg",
        "{ \"rules\": [ "
        "    { \"match\": \"fred\","
        "      \"policy\": \"deny\","
        "      \"format\": \"exact\" } ],"
        "  \"policy\": \"allow\" }");
    QAuthZListFile *authz = qauthz_list_file_new("auth0", cfgpath, false,
                                                 &err);

    unlink(cfgpath);
    g_free(cfgpath);

    g_assert(err == NULL);
    g_assert(!qauthz_is_allowed(QAUTHZ(authz), "fred", &error_abort));

    object_unparent(OBJECT(authz));
}

/*
 * One exact-match allow rule for "fred" on top of "policy": "deny".
 * This is the usual allow-list shape: deny everyone, then carve out
 * named identities. Only the listed identity is queried here; the
 * fail-closed fallback for unlisted identities is covered by the
 * default-deny case.
 */
static void test_authz_explicit_allow(void)
{
    Error *err = NULL;
    gchar *cfgpath = qemu_authz_listfile_test_save(
        "explicit-allow.cfg",
        "{ \"rules\": [ "
        "    { \"match\": \"fred\","
        "      \"policy\": \"allow\","
        "      \"format\": \"exact\" } ],"
        "  \"policy\": \"deny\" }");
    QAuthZListFile *authz = qauthz_list_file_new("auth0", cfgpath, false,
                                                 &err);

    unlink(cfgpath);
    g_free(cfgpath);

    g_assert(err == NULL);
    g_assert(qauthz_is_allowed(QAUTHZ(authz), "fred", &error_abort));

    object_unparent(OBJECT(authz));
}

/*
 * Mixed rule list over a "policy": "deny" fallback:
 *
 *   exact "fred" -> allow
 *   exact "bob"  -> allow
 *   exact "dan"  -> deny
 *   glob  "dan*" -> allow
 *
 * "fred" and "bob" hit their exact allow rules; "danb" is only matched
 * by the glob and is allowed. "dan" is matched by BOTH the exact deny
 * rule and the "dan*" glob allow rule and the test expects deny, i.e.
 * the earlier rule prevails. Note that this single ordering cannot tell
 * first-match-wins apart from deny-takes-precedence: there is no case
 * here where an allow rule precedes a deny rule matching the same
 * identity, nor any identity that falls through to the deny default.
 */
static void test_authz_complex(void)
{
    Error *err = NULL;
    gchar *cfgpath = qemu_authz_listfile_test_save(
        "complex.cfg",
        "{ \"rules\": [ "
        "    { \"match\": \"fred\","
        "      \"policy\": \"allow\","
        "      \"format\": \"exact\" },"
        "    { \"match\": \"bob\","
        "      \"policy\": \"allow\","
        "      \"format\": \"exact\" },"
        "    { \"match\": \"dan\","
        "      \"policy\": \"deny\","
        "      \"format\": \"exact\" },"
        "    { \"match\": \"dan*\","
        "      \"policy\": \"allow\","
        "      \"format\": \"glob\" } ],"
        "  \"policy\": \"deny\" }");
    QAuthZListFile *authz = qauthz_list_file_new("auth0", cfgpath, false,
                                                 &err);

    unlink(cfgpath);
    g_free(cfgpath);

    g_assert(err == NULL);

    /* exact allow rules */
    g_assert(qauthz_is_allowed(QAUTHZ(authz), "fred", &error_abort));
    g_assert(qauthz_is_allowed(QAUTHZ(authz), "bob", &error_abort));
    /* matched by both the exact deny and the glob allow: deny expected */
    g_assert(!qauthz_is_allowed(QAUTHZ(authz), "dan", &error_abort));
    /* matched only by the glob allow */
    g_assert(qauthz_is_allowed(QAUTHZ(authz), "danb", &error_abort));

    object_unparent(OBJECT(authz));
}

/*
 * Test entry point: create a private scratch directory for the config
 * files, register the listfile cases in a fixed order and tear the
 * directory down again once g_test_run() returns.
 *
 * Returns the g_test_run() status.
 */
int main(int argc, char **argv)
{
    const struct {
        const char *path;
        void (*func)(void);
    } cases[] = {
        { "/auth/list/default/deny", test_authz_default_deny },
        { "/auth/list/default/allow", test_authz_default_allow },
        { "/auth/list/explicit/deny", test_authz_explicit_deny },
        { "/auth/list/explicit/allow", test_authz_explicit_allow },
        { "/auth/list/complex", test_authz_complex },
    };
    GError *err = NULL;
    int status;

    g_test_init(&argc, &argv, NULL);

    module_call_init(MODULE_INIT_QOM);

    /*
     * g_dir_make_tmp() is expected to create a fresh, uniquely named
     * directory (mkdtemp-style, under the system temp dir) -- the tests
     * assume nothing else writes into it. If a test aborts, the directory
     * and any config file still inside it are leaked.
     */
    workdir = g_dir_make_tmp("qemu-test-authz-listfile-XXXXXX", &err);
    if (!workdir) {
        g_printerr("Unable to create temporary dir: %s\n",
                   err->message);
        g_error_free(err);
        abort();
    }

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        g_test_add_func(cases[i].path, cases[i].func);
    }

    status = g_test_run();

    /* Each test unlinks its own config, so the directory should be empty */
    rmdir(workdir);
    g_free(workdir);

    return status;
}