From 6837eee3f7f81c0ee454d3718d67d7f3cc6b48ef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Sun, 3 Mar 2013 21:43:44 +0100
Subject: Add unit tests for simple access test by groups
I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.
---
src/tests/simple_access-tests.c | 284 +++++++++++++++++++++++++++++++++++-----
1 file changed, 253 insertions(+), 31 deletions(-)
(limited to 'src/tests')
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
index 486f87d9..19c72b66 100644
--- a/src/tests/simple_access-tests.c
+++ b/src/tests/simple_access-tests.c
@@ -30,39 +30,153 @@ #include "providers/simple/simple_access.h" #include "tests/common.h" +#define TESTS_PATH "tests_simple_access" +#define TEST_CONF_FILE "tests_conf.ldb" + const char *ulist_1[] = {"u1", "u2", NULL}; +const char *glist_1[] = {"g1", "g2", NULL}; + +struct simple_test_ctx *test_ctx = NULL; + +struct simple_test_ctx { + struct sysdb_ctx *sysdb; + struct confdb_ctx *confdb; -struct simple_ctx *ctx = NULL; + struct simple_ctx *ctx; +}; void setup_simple(void) { - fail_unless(ctx == NULL, "Simple context already initialized."); - ctx = talloc_zero(NULL, struct simple_ctx); - fail_unless(ctx != NULL, "Cannot create simple context."); + errno_t ret; + char *conf_db; + const char *val[2]; + val[1] = NULL; + + /* Create tests directory if it doesn't exist */ + /* (relative to current dir) */ + ret = mkdir(TESTS_PATH, 0775); + fail_if(ret == -1 && errno != EEXIST, + "Could not create %s directory", TESTS_PATH); + + fail_unless(test_ctx == NULL, "Simple context already initialized."); + test_ctx = talloc_zero(NULL, struct simple_test_ctx); + fail_unless(test_ctx != NULL, "Cannot create simple test context."); + + test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx); + fail_unless(test_ctx->ctx != NULL, "Cannot create simple context."); + + conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); + fail_if(conf_db == NULL, "Out of memory, aborting!"); + DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db)); + + /* Connect to the conf db */ + ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db); + fail_if(ret != EOK, "Could not initialize connection to the confdb"); + + val[0] = "LOCAL"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/sssd", "domains", val); + fail_if(ret != EOK, "Could not initialize domains placeholder"); + + val[0] = "local"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "id_provider", val); + fail_if(ret != EOK, "Could not initialize provider"); + + val[0] = "TRUE"; + ret = 
confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "enumerate", val); + fail_if(ret != EOK, "Could not initialize LOCAL domain"); + + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "cache_credentials", val); + fail_if(ret != EOK, "Could not initialize LOCAL domain"); + + ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local", + TESTS_PATH, &test_ctx->ctx->domain); + fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret); + test_ctx->sysdb = test_ctx->ctx->domain->sysdb; + test_ctx->ctx->domain->case_sensitive = true; - ctx->domain = talloc_zero(ctx, struct sss_domain_info); - fail_unless(ctx != NULL, "Cannot create domain in simple context."); - ctx->domain->case_sensitive = true; } void teardown_simple(void) { int ret; - fail_unless(ctx != NULL, "Simple context already freed."); - ret = talloc_free(ctx); - ctx = NULL; + fail_unless(test_ctx != NULL, "Simple context already freed."); + ret = talloc_free(test_ctx); + test_ctx = NULL; fail_unless(ret == 0, "Connot free simple context."); } +void setup_simple_group(void) +{ + errno_t ret; + + setup_simple(); + + /* Add test users u1 and u2 that would be members of test groups + * g1 and g2 respectively */ + ret = sysdb_store_user(test_ctx->sysdb, test_ctx->ctx->domain, + "u1", NULL, 123, 0, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u1"); + + ret = sysdb_store_user(test_ctx->sysdb, test_ctx->ctx->domain, + "u2", NULL, 456, 0, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u2"); + + ret = sysdb_store_user(test_ctx->sysdb, test_ctx->ctx->domain, + "u3", NULL, 789, 0, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u3"); + + ret = sysdb_add_group(test_ctx->sysdb, test_ctx->ctx->domain, + "g1", 321, NULL, 0, 0); + fail_if(ret != EOK, "Could not add g1"); + + ret = 
sysdb_add_group(test_ctx->sysdb, test_ctx->ctx->domain, + "g2", 654, NULL, 0, 0); + fail_if(ret != EOK, "Could not add g2"); + + ret = sysdb_add_group_member(test_ctx->sysdb, test_ctx->ctx->domain, + "g1", "u1", SYSDB_MEMBER_USER); + fail_if(ret != EOK, "Could not add u1 to g1"); + + ret = sysdb_add_group_member(test_ctx->sysdb, test_ctx->ctx->domain, + "g2", "u2", SYSDB_MEMBER_USER); + fail_if(ret != EOK, "Could not add u2 to g2"); +} + +void teardown_simple_group(void) +{ + errno_t ret; + + ret = sysdb_delete_user(test_ctx->sysdb, test_ctx->ctx->domain, "u1", 0); + fail_if(ret != EOK, "Could not delete u1"); + ret = sysdb_delete_user(test_ctx->sysdb, test_ctx->ctx->domain, "u2", 0); + fail_if(ret != EOK, "Could not delete u2"); + ret = sysdb_delete_user(test_ctx->sysdb, test_ctx->ctx->domain, "u3", 0); + fail_if(ret != EOK, "Could not delete u3"); + ret = sysdb_delete_group(test_ctx->sysdb, test_ctx->ctx->domain, "g1", 0); + fail_if(ret != EOK, "Could not delete g1"); + ret = sysdb_delete_group(test_ctx->sysdb, test_ctx->ctx->domain, "g2", 0); + fail_if(ret != EOK, "Could not delete g2"); + + teardown_simple(); +} + START_TEST(test_both_empty) { int ret; bool access_granted = false; - ctx->allow_users = NULL; - ctx->deny_users = NULL; + test_ctx->ctx->allow_users = NULL; + test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(ctx, "u1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == true, "Access denied " "while both lists are empty."); 
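Review bot: In setup_simple_group the `sysdb_store_user` calls for u2 and u3 still pass u1's gecos and home directory (`"u1", "/home/u1"`), which looks like a copy-paste leftover. Nothing in the visible tests reads those fields, but it makes the fixture misleading when someone inspects the cache after a failed run; `"u2", NULL, 456, 0, "u2", "/home/u2"` and the equivalent for u3 would match the names. The comment above the calls mentions only u1 and u2, so a line such as `/* u3 belongs to no group and is the non-member control */` would document why the third user exists.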
@@ -74,15 +188,15 @@ START_TEST(test_allow_empty) int ret; bool access_granted = true; - ctx->allow_users = NULL; - ctx->deny_users = discard_const(ulist_1); + test_ctx->ctx->allow_users = NULL; + test_ctx->ctx->deny_users = discard_const(ulist_1); - ret = simple_access_check(ctx, "u1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "while user is in deny list."); - ret = simple_access_check(ctx, "u3", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == true, "Access denied " "while user is not in deny list."); @@ -94,15 +208,15 @@ START_TEST(test_deny_empty) int ret; bool access_granted = false; - ctx->allow_users = discard_const(ulist_1); - ctx->deny_users = NULL; + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(ctx, "u1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == true, "Access denied " "while user is in allow list."); - ret = simple_access_check(ctx, "u3", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "while user is not in allow list."); 
@@ -114,15 +228,15 @@ START_TEST(test_both_set) int ret; bool access_granted = false; - ctx->allow_users = discard_const(ulist_1); - ctx->deny_users = discard_const(ulist_1); + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = discard_const(ulist_1); - ret = simple_access_check(ctx, "u1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "while user is in deny list."); - ret = simple_access_check(ctx, "u3", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "while user is not in allow list."); @@ -134,18 +248,18 @@ START_TEST(test_case) int ret; bool access_granted = false; - ctx->allow_users = discard_const(ulist_1); - ctx->deny_users = NULL; + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(ctx, "U1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "for user with different case " "in case-sensitive domain"); - ctx->domain->case_sensitive = false; + test_ctx->ctx->domain->case_sensitive = false; - ret = simple_access_check(ctx, "U1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == true, "Access denied " "for user with different case " 
@@ -153,11 +267,95 @@ START_TEST(test_case) } END_TEST +START_TEST(test_group_allow_empty) +{ + int ret; + bool access_granted = true; + + test_ctx->ctx->allow_groups = NULL; + test_ctx->ctx->deny_groups = discard_const(glist_1); + + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while group is in deny list."); + + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "while group is not in deny list."); +} +END_TEST + +START_TEST(test_group_deny_empty) +{ + int ret; + bool access_granted = false; + + test_ctx->ctx->allow_groups = discard_const(glist_1); + test_ctx->ctx->deny_groups = NULL; + + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "while group is in allow list."); + + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while group is not in allow list."); +} +END_TEST + +START_TEST(test_group_both_set) +{ + int ret; + bool access_granted = false; + + test_ctx->ctx->allow_groups = discard_const(ulist_1); + test_ctx->ctx->deny_groups = discard_const(ulist_1); + + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while group is in deny list."); + + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while group is not in allow list."); +} +END_TEST + +START_TEST(test_group_case) +{ + 
int ret; + bool access_granted = false; + + test_ctx->ctx->allow_groups = discard_const(ulist_1); + test_ctx->ctx->deny_groups = NULL; + + ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "for group with different case " + "in case-sensitive domain"); + + test_ctx->ctx->domain->case_sensitive = false; + + ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "for group with different case " + "in case-insensitive domain"); +} +END_TEST + Suite *access_simple_suite (void) { Suite *s = suite_create("access_simple"); - TCase *tc_allow_deny = tcase_create("allow/deny"); + TCase *tc_allow_deny = tcase_create("user allow/deny"); tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple); tcase_add_test(tc_allow_deny, test_both_empty); tcase_add_test(tc_allow_deny, test_allow_empty); @@ -166,6 +364,15 @@ Suite *access_simple_suite (void) tcase_add_test(tc_allow_deny, test_case); suite_add_tcase(s, tc_allow_deny); + TCase *tc_grp_allow_deny = tcase_create("group allow/deny"); + tcase_add_checked_fixture(tc_grp_allow_deny, + setup_simple_group, teardown_simple_group); + tcase_add_test(tc_grp_allow_deny, test_group_allow_empty); + tcase_add_test(tc_grp_allow_deny, test_group_deny_empty); + tcase_add_test(tc_grp_allow_deny, test_group_both_set); + tcase_add_test(tc_grp_allow_deny, test_group_case); + suite_add_tcase(s, tc_grp_allow_deny); + return s; } @@ -174,6 +381,7 @@ int main(int argc, const char *argv[]) int opt; poptContext pc; int number_failed; + int ret; struct poptOption long_options[] = { POPT_AUTOHELP 
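Review bot: test_group_both_set and test_group_case assign `discard_const(ulist_1)` to allow_groups and deny_groups, so the group lists hold the user names u1/u2 rather than the groups g1/g2 that setup_simple_group creates. As written, deny-over-allow precedence for a group the user really belongs to is never exercised, and the "group is in deny list" outcome may be reached for a different reason than the message states. In test_group_both_set the two assignments should read `test_ctx->ctx->allow_groups = discard_const(glist_1);` and `test_ctx->ctx->deny_groups = discard_const(glist_1);`. If test_group_case is meant to cover group-name case handling, it likely needs a group list whose case differs from the stored names (for example a constructed `{"G1", "G2", NULL}`) rather than only a differently cased user name.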
@@ -205,6 +413,20 @@ int main(int argc, const char *argv[]) srunner_run_all(sr, CK_ENV); number_failed = srunner_ntests_failed(sr); srunner_free(sr); + + ret = unlink(TESTS_PATH"/"TEST_CONF_FILE); + if (ret != EOK) { + fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", + errno, strerror(errno)); + return EXIT_FAILURE; + } + ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE); + if (ret != EOK) { + fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", + errno, strerror(errno)); + return EXIT_FAILURE; + } + return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE); } -- cgit
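Review bot: The second unlink failure path in main() prints the same text as the first, "Could not delete the test config ldb file", although it is removing `TESTS_PATH"/"LOCAL_SYSDB_FILE`; the message should name the sysdb file, e.g. `"Could not delete the test sysdb ldb file (%d) (%s)\n"`. Both early `return EXIT_FAILURE` paths also turn a cleanup problem into a test-run failure without reporting `number_failed`, so a short comment stating that this is intended would help whoever reads a red CI result. The `TESTS_PATH` directory created in setup_simple is not removed in the visible lines. main()'s body starts outside this hunk.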