diff options
author | Sumit Bose <sbose@redhat.com> | 2013-05-10 09:55:31 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-06 23:58:56 +0200 |
commit | 92af6f25864b5c389b57d0f659686801b45ca58c (patch) | |
tree | 739bd3da9da35820d45c2b2c4bdb0c65ae8777d4 /src/tests | |
parent | 3680bb9c72ea5c60e6ac2fd2cf500b801341ca59 (diff) | |
download | sssd-92af6f25864b5c389b57d0f659686801b45ca58c.tar.gz sssd-92af6f25864b5c389b57d0f659686801b45ca58c.tar.bz2 sssd-92af6f25864b5c389b57d0f659686801b45ca58c.zip |
Enhance PAC responder for AD users
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
Diffstat (limited to 'src/tests')
-rw-r--r-- | src/tests/pac_responder-tests.c | 524 |
1 files changed, 0 insertions, 524 deletions
diff --git a/src/tests/pac_responder-tests.c b/src/tests/pac_responder-tests.c deleted file mode 100644 index ed8c9170..00000000 --- a/src/tests/pac_responder-tests.c +++ /dev/null @@ -1,524 +0,0 @@ -/* - SSSD - Test for PAC reponder functions - - Authors: - Sumit Bose <sbose@redhat.com> - - Copyright (C) 2012 Red Hat - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include <check.h> - -#include <stdbool.h> -#include <math.h> -#include <util/data_blob.h> -#include <gen_ndr/security.h> - -#include "tests/common_check.h" -#include "responder/pac/pacsrv.h" -#include "lib/idmap/sss_idmap.h" - -struct dom_sid test_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, - {21, 2127521184, 1604012920, 1887927527, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; -const char *test_dom_sid_str = "S-1-5-21-2127521184-1604012920-1887927527"; - -struct dom_sid test_remote_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, - {21, 123, 456, 789, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; -const char *test_remote_dom_sid_str = "S-1-5-21-123-456-789"; - -struct dom_sid test_smb_sid = {1, 5, {0, 0, 0, 0, 0, 5}, - {21, 2127521184, 1604012920, 1887927527, 1123, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; -const uint32_t test_id = 1200123; - -struct dom_sid test_smb_sid_2nd = {1, 5, {0, 0, 0, 0, 0, 5}, - {21, 2127521184, 1604012920, 1887927527, 201456, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; -const uint32_t test_id_2nd = 1200456; - -struct local_mapping_ranges test_map = {{1200000, 1399999}, - {1000, 200999}, - {201000, 400999}}; - -static void *idmap_talloc(size_t size, void *pvt) -{ - return talloc_size(pvt, size); -} - -static void idmap_talloc_free(void *ptr, void *pvt) -{ - talloc_free(ptr); -} - -struct pac_ctx *pac_ctx; - -#define IDMAP_RANGE_MIN 1234 -#define IDMAP_RANGE_MAX 9876543 - -void pac_setup(void) { - enum idmap_error_code err; - struct sss_idmap_range remote_range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX}; - struct sss_domain_info *sd; - - pac_ctx = talloc_zero(global_talloc_context, struct pac_ctx); - fail_unless(pac_ctx != NULL, "talloc_zero failed.\n"); - - pac_ctx->rctx = talloc_zero(pac_ctx, struct resp_ctx); - fail_unless(pac_ctx->rctx != NULL, "talloc_zero failed."); - - pac_ctx->rctx->domains = talloc_zero(pac_ctx->rctx, struct sss_domain_info); - fail_unless(pac_ctx->rctx->domains != NULL, "talloc_zero failed."); - - pac_ctx->rctx->domains->name = talloc_strdup(pac_ctx->rctx->domains, - "TEST.DOM"); - fail_unless(pac_ctx->rctx->domains->name != NULL, "talloc_strdup failed."); - - pac_ctx->rctx->domains->flat_name = talloc_strdup(pac_ctx->rctx->domains, - "TESTDOM"); - fail_unless(pac_ctx->rctx->domains->flat_name != NULL, - "talloc_strdup failed."); - - pac_ctx->rctx->domains->domain_id = talloc_strdup(pac_ctx->rctx->domains, - test_dom_sid_str); - fail_unless(pac_ctx->rctx->domains->domain_id != NULL, - "talloc_strdup failed."); - - sd = talloc_zero(pac_ctx->rctx->domains, struct sss_domain_info); - fail_unless(sd != NULL, "talloc_zero failed."); - - sd->name = talloc_strdup(sd, "remote.dom"); - fail_unless(sd->name != NULL, "talloc_strdup failed"); - - sd->flat_name = talloc_strdup(sd, "REMOTEDOM"); - fail_unless(sd->flat_name != NULL, "talloc_strdup failed"); - - sd->domain_id = talloc_strdup(sd, test_remote_dom_sid_str); - fail_unless(sd->domain_id != NULL, "talloc_strdup failed"); - - pac_ctx->rctx->domains->subdomains = sd; - - err = sss_idmap_init(idmap_talloc, pac_ctx, idmap_talloc_free, - &pac_ctx->idmap_ctx); - - fail_unless(err == IDMAP_SUCCESS, "sss_idmap_init failed."); - fail_unless(pac_ctx->idmap_ctx != NULL, "sss_idmap_init returned NULL."); - - err = sss_idmap_add_domain(pac_ctx->idmap_ctx, "remote.dom", - test_remote_dom_sid_str, &remote_range); - - pac_ctx->my_dom_sid = &test_dom_sid; - - pac_ctx->range_map = &test_map; -} - -void pac_teardown(void) -{ - talloc_free(pac_ctx); -} - - -START_TEST(pac_test_local_sid_to_id) -{ - int ret; - uint32_t id; - - ret = local_sid_to_id(&test_map, &test_smb_sid, &id); - fail_unless(ret == EOK, - "Failed to convert local sid to id."); - fail_unless(id == test_id, "Wrong id returne, expected [%d], got [%d].", - test_id, id); -} -END_TEST - -START_TEST(pac_test_seondary_local_sid_to_id) -{ - int ret; - uint32_t id; - - ret = local_sid_to_id(&test_map, &test_smb_sid_2nd, &id); - fail_unless(ret == EOK, - "Failed to convert local sid to id."); - fail_unless(id == test_id_2nd, "Wrong id returne, expected [%d], got [%d].", - test_id_2nd, id); -} -END_TEST - -START_TEST(pac_test_get_gids_to_add_and_remove) -{ - TALLOC_CTX *mem_ctx; - int ret; - size_t c; - size_t add_gid_count = 0; - struct pac_dom_grps *add_gids = NULL; - size_t del_gid_count = 0; - struct grp_info **del_gids = NULL; - struct sss_domain_info grp_dom; - - memset(&grp_dom, 0, sizeof(grp_dom)); - - gid_t gid_list_2[] = {2}; - gid_t gid_list_3[] = {3}; - gid_t gid_list_23[] = {2, 3}; - struct pac_dom_grps empty_dom = {NULL, 0, NULL}; - - struct pac_dom_grps pac_grp_2 = {&grp_dom, 1, gid_list_2}; - struct pac_dom_grps pac_grp_3 = {&grp_dom, 1, gid_list_3}; - struct pac_dom_grps pac_grp_23 = {&grp_dom, 2, gid_list_23}; - - struct pac_dom_grps dom_grp_list_2[] = {pac_grp_2, empty_dom}; - struct pac_dom_grps dom_grp_list_3[] = {pac_grp_3, empty_dom}; - struct pac_dom_grps dom_grp_list_23[] = {pac_grp_23, empty_dom}; - - struct grp_info grp_info_1 = {1, NULL, NULL}; - struct grp_info grp_info_2 = {2, NULL, NULL}; - struct grp_info grp_list_1[] = {grp_info_1}; - struct grp_info grp_list_12[] = {grp_info_1, grp_info_2}; - - struct a_and_r_data { - size_t cur_gid_count; - struct grp_info *cur_gids; - size_t gid_count; - struct pac_dom_grps *gids; - int exp_ret; - size_t exp_add_gid_count; - struct pac_dom_grps *exp_add_gids; - size_t exp_del_gid_count; - struct grp_info *exp_del_gids; - } a_and_r_data[] = { - {1, grp_list_1, 1, dom_grp_list_2, EOK, 1, dom_grp_list_2, 1, grp_list_1}, - {1, grp_list_1, 0, NULL, EOK, 0, NULL, 1, grp_list_1}, - {0, NULL, 1, dom_grp_list_2, EOK, 1, dom_grp_list_2, 0, NULL}, - {2, grp_list_12, 1, dom_grp_list_2, EOK, 0, NULL, 1, grp_list_1}, - {2, grp_list_12, 2, dom_grp_list_23, EOK, 1, dom_grp_list_3, 1, grp_list_1}, - {0, NULL, 0, NULL, 0, 0, NULL, 0, NULL} - }; - - mem_ctx = talloc_new(NULL); - fail_unless(mem_ctx != NULL, "talloc_new failed."); - - ret = diff_gid_lists(mem_ctx, 0, NULL, 0, NULL, - &add_gid_count, &add_gids, - &del_gid_count, &del_gids); - fail_unless(ret == EOK, "get_gids_to_add_and_remove failed with empty " \ - "groups."); - - ret = diff_gid_lists(mem_ctx, 1, NULL, 0, NULL, - &add_gid_count, &add_gids, - &del_gid_count, &del_gids); - fail_unless(ret == EINVAL, "get_gids_to_add_and_remove failed with " \ - "invalid current groups."); - - ret = diff_gid_lists(mem_ctx, 0, NULL, 1, NULL, - &add_gid_count, &add_gids, - &del_gid_count, &del_gids); - fail_unless(ret == EINVAL, "get_gids_to_add_and_remove failed with " \ - "invalid new groups."); - - for (c = 0; a_and_r_data[c].cur_gids != NULL || - a_and_r_data[c].gids != NULL; c++) { - ret = diff_gid_lists(mem_ctx, - a_and_r_data[c].cur_gid_count, - a_and_r_data[c].cur_gids, - a_and_r_data[c].gid_count, - a_and_r_data[c].gids, - &add_gid_count, &add_gids, - &del_gid_count, &del_gids); - fail_unless(ret == a_and_r_data[c].exp_ret, - "Unexpected return value for test data #%d, " \ - "expected [%d], got [%d]", - c, a_and_r_data[c].exp_ret, ret); - fail_unless(add_gid_count == a_and_r_data[c].exp_add_gid_count, - "Unexpected numer of groups to add for test data #%d, " \ - "expected [%d], got [%d]", - c, a_and_r_data[c].exp_add_gid_count, add_gid_count); - fail_unless(del_gid_count == a_and_r_data[c].exp_del_gid_count, - "Unexpected numer of groups to delete for test data #%d, " \ - "expected [%d], got [%d]", - c, a_and_r_data[c].exp_del_gid_count, del_gid_count); - - /* The lists might be returned in any order, to make tests simple we - * only look at lists with 1 element. TODO: add code to compare lists - * with more than 1 member. */ - if (add_gid_count == 1) { - fail_unless(add_gids[0].gids[0] == a_and_r_data[c].exp_add_gids[0].gids[0], - "Unexpected gid to add for test data #%d, " \ - "expected [%d], got [%d]", - c, a_and_r_data[c].exp_add_gids[0].gids[0], add_gids[0].gids[0]); - } - - if (del_gid_count == 1) { - fail_unless(del_gids[0]->gid == a_and_r_data[c].exp_del_gids[0].gid, - "Unexpected gid to delete for test data #%d, " \ - "expected [%d], got [%d]", - c, a_and_r_data[c].exp_del_gids[0].gid, - del_gids[0]->gid); - } - } - - talloc_free(mem_ctx); -} -END_TEST - -#define NUM_DOMAINS 10 -START_TEST(pac_test_find_domain_by_id) -{ - struct sss_domain_info *domains; - struct sss_domain_info *dom; - size_t c; - char *id; - - dom = find_domain_by_id(NULL, NULL); - fail_unless(dom == NULL, "Domain returned without any input."); - - dom = find_domain_by_id(NULL, "id"); - fail_unless(dom == NULL, "Domain returned without domain list."); - - domains = NULL; - for (c = 0; c < NUM_DOMAINS; c++) { - dom = talloc_zero(domains, struct sss_domain_info); - fail_unless(dom != NULL, "talloc_zero failed."); - - dom->domain_id = talloc_asprintf(dom, "ID-of-domains-%zu", c); - fail_unless(dom->domain_id != NULL, "talloc_aprintf failed."); - - DLIST_ADD(domains, dom); - } - - dom = find_domain_by_id(domains, NULL); - fail_unless(dom == NULL, "Domain returned without search domain."); - - dom = find_domain_by_id(domains, "DOES-NOT_EXISTS"); - fail_unless(dom == NULL, "Domain returned with non existing id."); - - for (c = 0; c < NUM_DOMAINS; c++) { - id = talloc_asprintf(global_talloc_context, "ID-of-domains-%zu", c); - fail_unless(id != NULL, "talloc_asprintf failed.\n"); - - dom = find_domain_by_id(domains, id); - fail_unless(dom != NULL, "Domain %zu not found by id.", c); - fail_unless((strcmp(dom->domain_id, id) == 0), - "Wrong domain returned for id [%s].", id); - - talloc_free(id); - } - - talloc_free(domains); -} -END_TEST - -START_TEST(pac_test_get_gids_from_pac) -{ - int ret; - size_t c; - size_t d; - size_t g; - size_t t; - size_t gid_count; - struct pac_dom_grps *gids; - struct PAC_LOGON_INFO *logon_info; - bool found; - gid_t exp_gid; - struct timeval start_time; - struct timeval end_time; - struct timeval diff_time; - - ret = get_gids_from_pac(NULL, NULL, NULL, NULL, NULL, NULL, NULL); - fail_unless(ret == EINVAL, "Unexpected return value for NULL parameters"); - - logon_info = talloc_zero(global_talloc_context, struct PAC_LOGON_INFO); - fail_unless(logon_info != NULL, "talloc_zero failed.\n"); - - ret = get_gids_from_pac(global_talloc_context, pac_ctx, pac_ctx->range_map, - pac_ctx->my_dom_sid, logon_info, &gid_count, &gids); - fail_unless(ret == EOK, "Failed with empty PAC"); - fail_unless(gid_count == 0, "O groups expected, got [%d]", gid_count); - fail_unless(gids == NULL, "Expected NULL gid array."); - - logon_info->info3.base.domain_sid = &test_smb_sid_2nd; /* unknown SID */ - logon_info->info3.base.groups.count = 10; - logon_info->info3.base.groups.rids = talloc_array(logon_info, - struct samr_RidWithAttribute, - logon_info->info3.base.groups.count); - fail_unless(logon_info->info3.base.groups.rids != NULL, "talloc_array failed."); - - for (c = 0; c < logon_info->info3.base.groups.count; c++) { - logon_info->info3.base.groups.rids[c].rid = 500 + c; - } - - ret = get_gids_from_pac(global_talloc_context, pac_ctx, pac_ctx->range_map, - pac_ctx->my_dom_sid, logon_info, &gid_count, &gids); - fail_unless(ret == EINVAL, "Unexpected return code [%d] with unknown SID.", - ret); - - /* change SID to a known one */ - logon_info->info3.base.domain_sid = &test_remote_dom_sid; - - ret = get_gids_from_pac(global_talloc_context, pac_ctx, pac_ctx->range_map, - pac_ctx->my_dom_sid, logon_info, &gid_count, &gids); - fail_unless(ret == EOK, "Failed with 10 RIDs in PAC"); - fail_unless(gid_count == logon_info->info3.base.groups.count, - "[%d] groups expected, got [%d]", - logon_info->info3.base.groups.count, gid_count); - fail_unless(gids != NULL, "Expected gid array."); - - for (c = 0; c < logon_info->info3.base.groups.count; c++) { - found = false; - exp_gid = IDMAP_RANGE_MIN + 500 + c; - for (g = 0; g < gid_count; g++) { - if (gids[1].gids[g] == exp_gid) { - found = true; - break; - } - } - fail_unless(found, "[%d] not found in group list", exp_gid); - } - - talloc_free(gids); - gids = NULL; - - /* duplicated RIDs */ - for (c = 0; c < logon_info->info3.base.groups.count; c++) { - logon_info->info3.base.groups.rids[c].rid = 500; - } - - ret = get_gids_from_pac(global_talloc_context, pac_ctx, pac_ctx->range_map, - pac_ctx->my_dom_sid, logon_info, &gid_count, &gids); - fail_unless(ret == EOK, "Failed with 10 duplicated RIDs in PAC"); - fail_unless(gid_count == 1, "[%d] groups expected, got [%d]", 1, gid_count); - fail_unless(gids != NULL, "Expected gid array."); - fail_unless(gids[1].gids[0] == IDMAP_RANGE_MIN + 500, - "Wrong gid returned, got [%d], expected [%d].", gids[1].gids[0], - IDMAP_RANGE_MIN + 500); - talloc_free(gids); - gids = NULL; - - logon_info->info3.sidcount = 2; - logon_info->info3.sids = talloc_zero_array(logon_info, struct netr_SidAttr, - logon_info->info3.sidcount); - fail_unless(logon_info->info3.sids != NULL, "talloc_zero_array failed."); - - logon_info->info3.sids[0].sid = &test_smb_sid; - logon_info->info3.sids[1].sid = &test_smb_sid_2nd; - - ret = get_gids_from_pac(global_talloc_context, pac_ctx, pac_ctx->range_map, - pac_ctx->my_dom_sid, logon_info, &gid_count, &gids); - fail_unless(ret == EOK, "Failed with 10 duplicated RIDs and local SIDS in PAC"); - fail_unless(gid_count == 3, "[%d] groups expected, got [%d]", 3, gid_count); - fail_unless(gids != NULL, "Expected gid array."); - - gid_t exp_gids[] = {IDMAP_RANGE_MIN + 500, test_id, test_id_2nd, 0}; - - for (c = 0; exp_gids[c] != 0; c++) { - found = false; - for (d = 0; d < 2; d++) { - for (g = 0; g < gids[d].gid_count; g++) { - if (gids[d].gids[g] == exp_gids[c]) { - found = true; - break; - } - } - if (found) { - break; - } - } - fail_unless(found, "[%d] not found in group list", exp_gids[c]); - } - - talloc_free(gids); - gids = NULL; - - talloc_free(logon_info->info3.base.groups.rids); - - for (t = 0; t < 7; t++) { - logon_info->info3.base.groups.count = powl(10, t); - logon_info->info3.base.groups.rids = talloc_array(logon_info, - struct samr_RidWithAttribute, - logon_info->info3.base.groups.count); - fail_unless(logon_info->info3.base.groups.rids != NULL, "talloc_array failed."); - - for (c = 0; c < logon_info->info3.base.groups.count; c++) { - logon_info->info3.base.groups.rids[c].rid = 500 + c; - } - - ret = gettimeofday(&start_time, NULL); - fail_unless(ret == 0, "gettimeofday failed."); - - ret = get_gids_from_pac(global_talloc_context, pac_ctx, pac_ctx->range_map, - pac_ctx->my_dom_sid, logon_info, &gid_count, &gids); - fail_unless(ret == EOK, "Unexpected return code [%d].", ret); - - ret = gettimeofday(&end_time, NULL); - fail_unless(ret == 0, "gettimeofday failed."); - - timersub(&end_time, &start_time, &diff_time); - fprintf(stderr, "Testcase [%zu], number of groups [%u], " \ - "duration [%ds %dus]\n", t, - logon_info->info3.base.groups.count, - (int) diff_time.tv_sec, - (int) diff_time.tv_usec); - - talloc_free(gids); - gids = NULL; - - talloc_free(logon_info->info3.base.groups.rids); - } - - talloc_free(logon_info); -} -END_TEST - -Suite *idmap_test_suite (void) -{ - Suite *s = suite_create ("PAC responder"); - - TCase *tc_pac = tcase_create("PAC responder tests"); - tcase_add_checked_fixture(tc_pac, - ck_leak_check_setup, - ck_leak_check_teardown); - - tcase_add_checked_fixture(tc_pac, - pac_setup, - pac_teardown); - - tcase_add_test(tc_pac, pac_test_local_sid_to_id); - tcase_add_test(tc_pac, pac_test_seondary_local_sid_to_id); - tcase_add_test(tc_pac, pac_test_get_gids_to_add_and_remove); - tcase_add_test(tc_pac, pac_test_find_domain_by_id); - tcase_add_test(tc_pac, pac_test_get_gids_from_pac); - - suite_add_tcase(s, tc_pac); - - return s; -} - -int main(int argc, const char *argv[]) -{ - int number_failed; - - tests_set_cwd(); - - Suite *s = idmap_test_suite(); - SRunner *sr = srunner_create(s); - - /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ - srunner_run_all(sr, CK_ENV); - number_failed = srunner_ntests_failed (sr); - srunner_free (sr); - - return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; -} |