1 /*
2  * QEMU list authorization object tests
3  *
4  * Copyright (c) 2018 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "qemu/osdep.h"
22 #include "qemu/main-loop.h"
23 #include "qemu/module.h"
24 #include "authz/listfile.h"
25 
26 static char *workdir;
27 
28 static gchar *qemu_authz_listfile_test_save(const gchar *name,
29                                             const gchar *cfg)
30 {
31     gchar *path = g_strdup_printf("%s/default-deny.cfg", workdir);
32     GError *gerr = NULL;
33 
34     if (!g_file_set_contents(path, cfg, -1, &gerr)) {
35         g_printerr("Unable to save config %s: %s\n",
36                    path, gerr->message);
37         g_error_free(gerr);
38         g_free(path);
39         rmdir(workdir);
40         abort();
41     }
42 
43     return path;
44 }
45 
46 static void test_authz_default_deny(void)
47 {
48     gchar *file = qemu_authz_listfile_test_save(
49         "default-deny.cfg",
50         "{ \"policy\": \"deny\" }");
51     Error *local_err = NULL;
52 
53     QAuthZListFile *auth = qauthz_list_file_new("auth0",
54                                                 file, false,
55                                                 &local_err);
56     unlink(file);
57     g_free(file);
58     g_assert(local_err == NULL);
59     g_assert(!qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
60 
61     object_unparent(OBJECT(auth));
62 }
63 
64 static void test_authz_default_allow(void)
65 {
66     gchar *file = qemu_authz_listfile_test_save(
67         "default-allow.cfg",
68         "{ \"policy\": \"allow\" }");
69     Error *local_err = NULL;
70 
71     QAuthZListFile *auth = qauthz_list_file_new("auth0",
72                                                 file, false,
73                                                 &local_err);
74     unlink(file);
75     g_free(file);
76     g_assert(local_err == NULL);
77     g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
78 
79     object_unparent(OBJECT(auth));
80 }
81 
82 static void test_authz_explicit_deny(void)
83 {
84     gchar *file = qemu_authz_listfile_test_save(
85         "explicit-deny.cfg",
86         "{ \"rules\": [ "
87         "    { \"match\": \"fred\","
88         "      \"policy\": \"deny\","
89         "      \"format\": \"exact\" } ],"
90         "  \"policy\": \"allow\" }");
91     Error *local_err = NULL;
92 
93     QAuthZListFile *auth = qauthz_list_file_new("auth0",
94                                                 file, false,
95                                                 &local_err);
96     unlink(file);
97     g_free(file);
98     g_assert(local_err == NULL);
99 
100     g_assert(!qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
101 
102     object_unparent(OBJECT(auth));
103 }
104 
105 static void test_authz_explicit_allow(void)
106 {
107     gchar *file = qemu_authz_listfile_test_save(
108         "explicit-allow.cfg",
109         "{ \"rules\": [ "
110         "    { \"match\": \"fred\","
111         "      \"policy\": \"allow\","
112         "      \"format\": \"exact\" } ],"
113         "  \"policy\": \"deny\" }");
114     Error *local_err = NULL;
115 
116     QAuthZListFile *auth = qauthz_list_file_new("auth0",
117                                                 file, false,
118                                                 &local_err);
119     unlink(file);
120     g_free(file);
121     g_assert(local_err == NULL);
122 
123     g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
124 
125     object_unparent(OBJECT(auth));
126 }
127 
128 
129 static void test_authz_complex(void)
130 {
131     gchar *file = qemu_authz_listfile_test_save(
132         "complex.cfg",
133         "{ \"rules\": [ "
134         "    { \"match\": \"fred\","
135         "      \"policy\": \"allow\","
136         "      \"format\": \"exact\" },"
137         "    { \"match\": \"bob\","
138         "      \"policy\": \"allow\","
139         "      \"format\": \"exact\" },"
140         "    { \"match\": \"dan\","
141         "      \"policy\": \"deny\","
142         "      \"format\": \"exact\" },"
143         "    { \"match\": \"dan*\","
144         "      \"policy\": \"allow\","
145         "      \"format\": \"glob\" } ],"
146         "  \"policy\": \"deny\" }");
147 
148     Error *local_err = NULL;
149 
150     QAuthZListFile *auth = qauthz_list_file_new("auth0",
151                                                 file, false,
152                                                 &local_err);
153     unlink(file);
154     g_free(file);
155     g_assert(local_err == NULL);
156 
157     g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
158     g_assert(qauthz_is_allowed(QAUTHZ(auth), "bob", &error_abort));
159     g_assert(!qauthz_is_allowed(QAUTHZ(auth), "dan", &error_abort));
160     g_assert(qauthz_is_allowed(QAUTHZ(auth), "danb", &error_abort));
161 
162     object_unparent(OBJECT(auth));
163 }
164 
165 
166 int main(int argc, char **argv)
167 {
168     int ret;
169     GError *gerr = NULL;
170 
171     g_test_init(&argc, &argv, NULL);
172 
173     module_call_init(MODULE_INIT_QOM);
174 
175     workdir = g_dir_make_tmp("qemu-test-authz-listfile-XXXXXX",
176                              &gerr);
177     if (!workdir) {
178         g_printerr("Unable to create temporary dir: %s\n",
179                    gerr->message);
180         g_error_free(gerr);
181         abort();
182     }
183 
184     g_test_add_func("/auth/list/default/deny", test_authz_default_deny);
185     g_test_add_func("/auth/list/default/allow", test_authz_default_allow);
186     g_test_add_func("/auth/list/explicit/deny", test_authz_explicit_deny);
187     g_test_add_func("/auth/list/explicit/allow", test_authz_explicit_allow);
188     g_test_add_func("/auth/list/complex", test_authz_complex);
189 
190     ret = g_test_run();
191 
192     rmdir(workdir);
193     g_free(workdir);
194 
195     return ret;
196 }
197