1 /*
2  * QEMU list authorization object tests
3  *
4  * Copyright (c) 2018 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20
21 #include "qemu/osdep.h"
22 #include "qemu/main-loop.h"
23 #include "authz/listfile.h"
24
/*
 * Per-run scratch directory. main() sets it from g_dir_make_tmp() before
 * any test runs; every test config file is written underneath it and
 * main() removes the directory again after g_test_run().
 */
static char *workdir;
26
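/*
 * Write @cfg to a file called @name inside the per-run scratch
 * directory and hand back its path.
 *
 * @name: file name (no directory component) to create under workdir
 * @cfg:  NUL-terminated JSON text of the authorization config
 *
 * Returns: newly allocated path string. The caller removes the file
 *          with unlink() and releases the string with g_free().
 *
 * A write failure is fatal for the test program: the GLib error is
 * printed, removal of workdir is attempted, and the process aborts.
 */
static gchar *qemu_authz_listfile_test_save(const gchar *name,
                                            const gchar *cfg)
{
    /*
     * Honour @name so each test case lands in its own file. A fixed
     * "default-deny.cfg" here would make every caller's name argument
     * dead and would hide which policy file a failing test had loaded.
     */
    gchar *path = g_strdup_printf("%s/%s", workdir, name);
    GError *gerr = NULL;

    /* Length -1 tells GLib that cfg is NUL-terminated. */
    if (!g_file_set_contents(path, cfg, -1, &gerr)) {
        g_printerr("Unable to save config %s: %s\n",
                   path, gerr->message);
        g_error_free(gerr);
        g_free(path);
        /* Best effort only: rmdir() fails if the directory is not empty. */
        rmdir(workdir);
        abort();
    }

    return path;
}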
44
/*
 * A config that carries only a default "deny" policy and no rules must
 * reject the identity under test ("fred").
 */
static void test_authz_default_deny(void)
{
    const gchar *json = "{ \"policy\": \"deny\" }";
    Error *local_err = NULL;
    QAuthZListFile *auth;
    gchar *cfg_path;

    cfg_path = qemu_authz_listfile_test_save("default-deny.cfg", json);
    auth = qauthz_list_file_new("auth0", cfg_path, false, &local_err);

    /*
     * The on-disk file is dropped as soon as the object has been built;
     * the checks below run against whatever the object loaded.
     */
    unlink(cfg_path);
    g_free(cfg_path);

    /* Construction must have succeeded before the policy is queried. */
    g_assert(local_err == NULL);
    g_assert(!qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    object_unparent(OBJECT(auth));
}
62
/*
 * A config that carries only a default "allow" policy and no rules must
 * accept the identity under test ("fred").
 */
static void test_authz_default_allow(void)
{
    const gchar *json = "{ \"policy\": \"allow\" }";
    Error *local_err = NULL;
    QAuthZListFile *auth;
    gchar *cfg_path;

    cfg_path = qemu_authz_listfile_test_save("default-allow.cfg", json);
    auth = qauthz_list_file_new("auth0", cfg_path, false, &local_err);

    /* The config file is no longer needed once the object exists. */
    unlink(cfg_path);
    g_free(cfg_path);

    /* Construction must have succeeded before the policy is queried. */
    g_assert(local_err == NULL);
    g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    object_unparent(OBJECT(auth));
}
80
/*
 * An exact-match "deny" rule for "fred" must win over a default policy
 * of "allow".
 *
 * NOTE(review): only the matching identity is queried; an identity that
 * matches no rule (and so should receive the default "allow") is not
 * exercised by this case.
 */
static void test_authz_explicit_deny(void)
{
    const gchar *json =
        "{ \"rules\": [ "
        "    { \"match\": \"fred\","
        "      \"policy\": \"deny\","
        "      \"format\": \"exact\" } ],"
        "  \"policy\": \"allow\" }";
    Error *local_err = NULL;
    QAuthZListFile *auth;
    gchar *cfg_path;

    cfg_path = qemu_authz_listfile_test_save("explicit-deny.cfg", json);
    auth = qauthz_list_file_new("auth0", cfg_path, false, &local_err);

    /* The config file is no longer needed once the object exists. */
    unlink(cfg_path);
    g_free(cfg_path);

    /* Construction must have succeeded before the policy is queried. */
    g_assert(local_err == NULL);

    g_assert(!qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    object_unparent(OBJECT(auth));
}
103
/*
 * An exact-match "allow" rule for "fred" must win over a default policy
 * of "deny".
 *
 * NOTE(review): only the matching identity is queried; an identity that
 * matches no rule (and so should receive the default "deny") is not
 * exercised by this case.
 */
static void test_authz_explicit_allow(void)
{
    const gchar *json =
        "{ \"rules\": [ "
        "    { \"match\": \"fred\","
        "      \"policy\": \"allow\","
        "      \"format\": \"exact\" } ],"
        "  \"policy\": \"deny\" }";
    Error *local_err = NULL;
    QAuthZListFile *auth;
    gchar *cfg_path;

    cfg_path = qemu_authz_listfile_test_save("explicit-allow.cfg", json);
    auth = qauthz_list_file_new("auth0", cfg_path, false, &local_err);

    /* The config file is no longer needed once the object exists. */
    unlink(cfg_path);
    g_free(cfg_path);

    /* Construction must have succeeded before the policy is queried. */
    g_assert(local_err == NULL);

    g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));

    object_unparent(OBJECT(auth));
}
126
127
/*
 * Several rules in one list, mixing exact and glob matching, on top of
 * a default "deny" policy.
 *
 * "dan" is matched both by the exact "deny" rule and by the later
 * "dan*" glob "allow" rule; the test expects it to be denied, i.e. the
 * earlier rule decides. "danb" only matches the glob and is allowed.
 *
 * NOTE(review): no identity that matches none of the rules is queried,
 * so the fall-through to the default "deny" policy is not exercised by
 * this case.
 */
static void test_authz_complex(void)
{
    const gchar *json =
        "{ \"rules\": [ "
        "    { \"match\": \"fred\","
        "      \"policy\": \"allow\","
        "      \"format\": \"exact\" },"
        "    { \"match\": \"bob\","
        "      \"policy\": \"allow\","
        "      \"format\": \"exact\" },"
        "    { \"match\": \"dan\","
        "      \"policy\": \"deny\","
        "      \"format\": \"exact\" },"
        "    { \"match\": \"dan*\","
        "      \"policy\": \"allow\","
        "      \"format\": \"glob\" } ],"
        "  \"policy\": \"deny\" }";
    Error *local_err = NULL;
    QAuthZListFile *auth;
    gchar *cfg_path;

    cfg_path = qemu_authz_listfile_test_save("complex.cfg", json);
    auth = qauthz_list_file_new("auth0", cfg_path, false, &local_err);

    /* The config file is no longer needed once the object exists. */
    unlink(cfg_path);
    g_free(cfg_path);

    /* Construction must have succeeded before the policy is queried. */
    g_assert(local_err == NULL);

    /* Exact-match allows. */
    g_assert(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
    g_assert(qauthz_is_allowed(QAUTHZ(auth), "bob", &error_abort));
    /* Exact deny listed ahead of the overlapping glob allow. */
    g_assert(!qauthz_is_allowed(QAUTHZ(auth), "dan", &error_abort));
    /* Glob-only match. */
    g_assert(qauthz_is_allowed(QAUTHZ(auth), "danb", &error_abort));

    object_unparent(OBJECT(auth));
}
163
164
/*
 * Test program entry point: initialise GLib's test harness and QOM,
 * create the scratch directory, register the list-file authorization
 * test cases, run them and remove the scratch directory again.
 *
 * Returns the value of g_test_run().
 */
int main(int argc, char **argv)
{
    /* Registration table; entries are added in the order listed. */
    static const struct {
        const char *path;
        GTestFunc func;
    } cases[] = {
        { "/auth/list/default/deny", test_authz_default_deny },
        { "/auth/list/default/allow", test_authz_default_allow },
        { "/auth/list/explicit/deny", test_authz_explicit_deny },
        { "/auth/list/explicit/allow", test_authz_explicit_allow },
        { "/auth/list/complex", test_authz_complex },
    };
    GError *gerr = NULL;
    int ret;
    gsize i;

    g_test_init(&argc, &argv, NULL);

    module_call_init(MODULE_INIT_QOM);

    /* Uniquely named directory that holds every config file written below. */
    workdir = g_dir_make_tmp("qemu-test-authz-listfile-XXXXXX", &gerr);
    if (workdir == NULL) {
        g_printerr("Unable to create temporary dir: %s\n",
                   gerr->message);
        g_error_free(gerr);
        abort();
    }

    for (i = 0; i < G_N_ELEMENTS(cases); i++) {
        g_test_add_func(cases[i].path, cases[i].func);
    }

    ret = g_test_run();

    /* Each test unlinks its own file, so the directory should be empty. */
    rmdir(workdir);
    g_free(workdir);

    return ret;
}