1 /* 2 * QEMU list authorization object tests 3 * 4 * Copyright (c) 2018 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #include "qemu/osdep.h" 22 #include "qemu/main-loop.h" 23 #include "qemu/module.h" 24 #include "authz/listfile.h" 25 26 static char *workdir; 27 28 static gchar *qemu_authz_listfile_test_save(const gchar *name, 29 const gchar *cfg) 30 { 31 gchar *path = g_strdup_printf("%s/default-deny.cfg", workdir); 32 GError *gerr = NULL; 33 34 if (!g_file_set_contents(path, cfg, -1, &gerr)) { 35 g_printerr("Unable to save config %s: %s\n", 36 path, gerr->message); 37 g_error_free(gerr); 38 g_free(path); 39 rmdir(workdir); 40 abort(); 41 } 42 43 return path; 44 } 45 46 static void test_authz_default_deny(void) 47 { 48 gchar *file = qemu_authz_listfile_test_save( 49 "default-deny.cfg", 50 "{ \"policy\": \"deny\" }"); 51 Error *local_err = NULL; 52 53 QAuthZListFile *auth = qauthz_list_file_new("auth0", 54 file, false, 55 &local_err); 56 unlink(file); 57 g_free(file); 58 g_assert(local_err == NULL); 59 g_assert(!qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort)); 60 61 object_unparent(OBJECT(auth)); 62 } 63 64 static void test_authz_default_allow(void) 65 { 66 gchar *file = qemu_authz_listfile_test_save( 67 "default-allow.cfg", 68 "{ \"policy\": \"allow\" }"); 69 Error *local_err = NULL; 70 71 QAuthZListFile *auth = qauthz_list_file_new("auth0", 72 file, false, 73 &local_err); 74 unlink(file); 75 g_free(file); 76 g_assert(local_err == NULL); 77 g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort)); 78 79 object_unparent(OBJECT(auth)); 80 } 81 82 static void test_authz_explicit_deny(void) 83 { 84 gchar *file = qemu_authz_listfile_test_save( 85 "explicit-deny.cfg", 86 "{ \"rules\": [ " 87 " { \"match\": \"fred\"," 88 " \"policy\": \"deny\"," 89 " \"format\": \"exact\" } ]," 90 " \"policy\": \"allow\" }"); 91 Error *local_err = NULL; 92 93 QAuthZListFile *auth = qauthz_list_file_new("auth0", 94 file, false, 95 &local_err); 96 unlink(file); 97 g_free(file); 98 g_assert(local_err == NULL); 99 100 g_assert(!qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort)); 101 102 object_unparent(OBJECT(auth)); 103 } 104 105 static void test_authz_explicit_allow(void) 106 { 107 gchar *file = qemu_authz_listfile_test_save( 108 "explicit-allow.cfg", 109 "{ \"rules\": [ " 110 " { \"match\": \"fred\"," 111 " \"policy\": \"allow\"," 112 " \"format\": \"exact\" } ]," 113 " \"policy\": \"deny\" }"); 114 Error *local_err = NULL; 115 116 QAuthZListFile *auth = qauthz_list_file_new("auth0", 117 file, false, 118 &local_err); 119 unlink(file); 120 g_free(file); 121 g_assert(local_err == NULL); 122 123 g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort)); 124 125 object_unparent(OBJECT(auth)); 126 } 127 128 129 static void test_authz_complex(void) 130 { 131 gchar *file = qemu_authz_listfile_test_save( 132 "complex.cfg", 133 "{ \"rules\": [ " 134 " { \"match\": \"fred\"," 135 " \"policy\": \"allow\"," 136 " \"format\": \"exact\" }," 137 " { \"match\": \"bob\"," 138 " \"policy\": \"allow\"," 139 " \"format\": \"exact\" }," 140 " { \"match\": \"dan\"," 141 " \"policy\": \"deny\"," 142 " \"format\": \"exact\" }," 143 " { \"match\": \"dan*\"," 144 " \"policy\": \"allow\"," 145 " \"format\": \"glob\" } ]," 146 " \"policy\": \"deny\" }"); 147 148 Error *local_err = NULL; 149 150 QAuthZListFile *auth = qauthz_list_file_new("auth0", 151 file, false, 152 &local_err); 153 unlink(file); 154 g_free(file); 155 g_assert(local_err == NULL); 156 157 g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort)); 158 g_assert(qauthz_is_allowed(QAUTHZ(auth), "bob", &error_abort)); 159 g_assert(!qauthz_is_allowed(QAUTHZ(auth), "dan", &error_abort)); 160 g_assert(qauthz_is_allowed(QAUTHZ(auth), "danb", &error_abort)); 161 162 object_unparent(OBJECT(auth)); 163 } 164 165 166 int main(int argc, char **argv) 167 { 168 int ret; 169 GError *gerr = NULL; 170 171 g_test_init(&argc, &argv, NULL); 172 173 module_call_init(MODULE_INIT_QOM); 174 175 workdir = g_dir_make_tmp("qemu-test-authz-listfile-XXXXXX", 176 &gerr); 177 if (!workdir) { 178 g_printerr("Unable to create temporary dir: %s\n", 179 gerr->message); 180 g_error_free(gerr); 181 abort(); 182 } 183 184 g_test_add_func("/auth/list/default/deny", test_authz_default_deny); 185 g_test_add_func("/auth/list/default/allow", test_authz_default_allow); 186 g_test_add_func("/auth/list/explicit/deny", test_authz_explicit_deny); 187 g_test_add_func("/auth/list/explicit/allow", test_authz_explicit_allow); 188 g_test_add_func("/auth/list/complex", test_authz_complex); 189 190 ret = g_test_run(); 191 192 rmdir(workdir); 193 g_free(workdir); 194 195 return ret; 196 } 197