Red Hat Bugzilla – Attachment 705200 Details for
Bug 910938
CVE-2013-0287 sssd: simple access provider flaw prevents intended ACL use when client to an AD provider
[patch]
[PATCH 2/4] Add unit tests for simple access test by groups
0002-Add-unit-tests-for-simple-access-test-by-groups.patch (text/plain), 15.87 KB, created by
Jakub Hrozek
on 2013-03-04 22:21:41 UTC
(
hide
)
Description:
[PATCH 2/4] Add unit tests for simple access test by groups
Filename:
MIME Type:
Creator:
Jakub Hrozek
Created:
2013-03-04 22:21:41 UTC
Size:
15.87 KB
patch
obsolete
>From 1fe64d76be289407fa2b1e2e5cf87cb4c30e4fe4 Mon Sep 17 00:00:00 2001
>From: Jakub Hrozek <jhrozek@redhat.com>
>Date: Sun, 3 Mar 2013 21:43:44 +0100
>Subject: [PATCH 2/4] Add unit tests for simple access test by groups
>
>I realized that the current unit tests for the simple access provider
>only tested the user directives. To have a baseline and be able to
>detect new bugs in the upcoming patch, I implemented unit tests for the
>group lists, too.
>---
> src/tests/simple_access-tests.c | 284 +++++++++++++++++++++++++++++++++++-----
> 1 file changed, 253 insertions(+), 31 deletions(-)
>
>diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
>index 486f87d9ac57ce7b6d7acb0d69731d7958816781..19c72b66e2db30262d99c3a677f6fbc6256da64f 100644
>--- a/src/tests/simple_access-tests.c
>+++ b/src/tests/simple_access-tests.c
>@@ -30,39 +30,153 @@
> #include "providers/simple/simple_access.h"
> #include "tests/common.h"
>
>+#define TESTS_PATH "tests_simple_access"
>+#define TEST_CONF_FILE "tests_conf.ldb"
>+
> const char *ulist_1[] = {"u1", "u2", NULL};
>+const char *glist_1[] = {"g1", "g2", NULL};
>
>-struct simple_ctx *ctx = NULL;
>+struct simple_test_ctx *test_ctx = NULL;
>+
>+struct simple_test_ctx {
>+ struct sysdb_ctx *sysdb;
>+ struct confdb_ctx *confdb;
>+
>+ struct simple_ctx *ctx;
>+};
>
> void setup_simple(void)
> {
>- fail_unless(ctx == NULL, "Simple context already initialized.");
>- ctx = talloc_zero(NULL, struct simple_ctx);
>- fail_unless(ctx != NULL, "Cannot create simple context.");
>+ errno_t ret;
>+ char *conf_db;
>+ const char *val[2];
>+ val[1] = NULL;
>+
>+ /* Create tests directory if it doesn't exist */
>+ /* (relative to current dir) */
>+ ret = mkdir(TESTS_PATH, 0775);
>+ fail_if(ret == -1 && errno != EEXIST,
>+ "Could not create %s directory", TESTS_PATH);
>+
>+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
>+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
>+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
>+
>+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
>+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
>+
>+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
>+ fail_if(conf_db == NULL, "Out of memory, aborting!");
>+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
>+
>+ /* Connect to the conf db */
>+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
>+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
>+
>+ val[0] = "LOCAL";
>+ ret = confdb_add_param(test_ctx->confdb, true,
>+ "config/sssd", "domains", val);
>+ fail_if(ret != EOK, "Could not initialize domains placeholder");
>+
>+ val[0] = "local";
>+ ret = confdb_add_param(test_ctx->confdb, true,
>+ "config/domain/LOCAL", "id_provider", val);
>+ fail_if(ret != EOK,
"Could not initialize provider");
>+
>+ val[0] = "TRUE";
>+ ret = confdb_add_param(test_ctx->confdb, true,
>+ "config/domain/LOCAL", "enumerate", val);
>+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
>+
>+ val[0] = "TRUE";
>+ ret = confdb_add_param(test_ctx->confdb, true,
>+ "config/domain/LOCAL", "cache_credentials", val);
>+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
>+
>+ ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local",
>+ TESTS_PATH, &test_ctx->ctx->domain);
>+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
>+ test_ctx->sysdb = test_ctx->ctx->domain->sysdb;
>+ test_ctx->ctx->domain->case_sensitive = true;
>
>- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
>- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
>- ctx->domain->case_sensitive = true;
> }
>
> void teardown_simple(void)
> {
> int ret;
>- fail_unless(ctx != NULL, "Simple context already freed.");
>- ret = talloc_free(ctx);
>- ctx = NULL;
>+ fail_unless(test_ctx != NULL, "Simple context already freed.");
>+ ret = talloc_free(test_ctx);
>+ test_ctx = NULL;
> fail_unless(ret == 0, "Connot free simple context.");
> }
>
>+void setup_simple_group(void)
>+{
>+ errno_t ret;
>+
>+ setup_simple();
>+
>+ /* Add test users u1 and u2 that would be members of test groups
>+ * g1 and g2 respectively */
>+ ret = sysdb_store_user(test_ctx->sysdb, test_ctx->ctx->domain,
>+ "u1", NULL, 123, 0, "u1", "/home/u1",
>+ "/bin/bash", NULL, NULL, NULL, -1, 0);
>+ fail_if(ret != EOK, "Could not add u1");
>+
>+ ret = sysdb_store_user(test_ctx->sysdb, test_ctx->ctx->domain,
>+ "u2", NULL, 456, 0, "u1", "/home/u1",
>+ "/bin/bash", NULL, NULL, NULL, -1, 0);
>+ fail_if(ret != EOK, "Could not add u2");
>+
>+ ret = sysdb_store_user(test_ctx->sysdb, test_ctx->ctx->domain,
>+ "u3", NULL, 789, 0, "u1", "/home/u1",
>+ "/bin/bash", NULL, NULL, NULL, -1, 0);
>+ fail_if(ret != EOK, "Could not add u3");
>+
>+ ret =
sysdb_add_group(test_ctx->sysdb, test_ctx->ctx->domain,
>+ "g1", 321, NULL, 0, 0);
>+ fail_if(ret != EOK, "Could not add g1");
>+
>+ ret = sysdb_add_group(test_ctx->sysdb, test_ctx->ctx->domain,
>+ "g2", 654, NULL, 0, 0);
>+ fail_if(ret != EOK, "Could not add g2");
>+
>+ ret = sysdb_add_group_member(test_ctx->sysdb, test_ctx->ctx->domain,
>+ "g1", "u1", SYSDB_MEMBER_USER);
>+ fail_if(ret != EOK, "Could not add u1 to g1");
>+
>+ ret = sysdb_add_group_member(test_ctx->sysdb, test_ctx->ctx->domain,
>+ "g2", "u2", SYSDB_MEMBER_USER);
>+ fail_if(ret != EOK, "Could not add u2 to g2");
>+}
>+
>+void teardown_simple_group(void)
>+{
>+ errno_t ret;
>+
>+ ret = sysdb_delete_user(test_ctx->sysdb, test_ctx->ctx->domain, "u1", 0);
>+ fail_if(ret != EOK, "Could not delete u1");
>+ ret = sysdb_delete_user(test_ctx->sysdb, test_ctx->ctx->domain, "u2", 0);
>+ fail_if(ret != EOK, "Could not delete u2");
>+ ret = sysdb_delete_user(test_ctx->sysdb, test_ctx->ctx->domain, "u3", 0);
>+ fail_if(ret != EOK, "Could not delete u3");
>+ ret = sysdb_delete_group(test_ctx->sysdb, test_ctx->ctx->domain, "g1", 0);
>+ fail_if(ret != EOK, "Could not delete g1");
>+ ret = sysdb_delete_group(test_ctx->sysdb, test_ctx->ctx->domain, "g2", 0);
>+ fail_if(ret != EOK, "Could not delete g2");
>+
>+ teardown_simple();
>+}
>+
> START_TEST(test_both_empty)
> {
> int ret;
> bool access_granted = false;
>
>- ctx->allow_users = NULL;
>- ctx->deny_users = NULL;
>+ test_ctx->ctx->allow_users = NULL;
>+ test_ctx->ctx->deny_users = NULL;
>
>- ret = simple_access_check(ctx, "u1", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == true, "Access denied "
> "while both lists are empty.");
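Review bot: In setup_simple_group the sysdb_store_user calls for "u2" and "u3" repeat the "u1" and "/home/u1" values from the first call in what look like the gecos and home-directory positions, which reads as a copy-paste slip; it does not affect the allow/deny checks, but it will mislead anyone who later asserts on those attributes. I would change them to `"u2", NULL, 456, 0, "u2", "/home/u2",` and `"u3", NULL, 789, 0, "u3", "/home/u3",`. The fixture comment also only mentions u1 and u2, while u3 is stored with no group membership and is what the "not in deny list" / "not in allow list" assertions rely on; extend it with `/* u3 is deliberately left out of every group and acts as the control user */`. The same u3 role is assumed by the group tests in the later hunk starting at test_group_allow_empty.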
>@@ -74,15 +188,15 @@ START_TEST(test_allow_empty)
> int ret;
> bool access_granted = true;
>
>- ctx->allow_users = NULL;
>- ctx->deny_users = discard_const(ulist_1);
>+ test_ctx->ctx->allow_users = NULL;
>+ test_ctx->ctx->deny_users = discard_const(ulist_1);
>
>- ret = simple_access_check(ctx, "u1", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == false, "Access granted "
> "while user is in deny list.");
>
>- ret = simple_access_check(ctx, "u3", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == true, "Access denied "
> "while user is not in deny list.");
>@@ -94,15 +208,15 @@ START_TEST(test_deny_empty)
> int ret;
> bool access_granted = false;
>
>- ctx->allow_users = discard_const(ulist_1);
>- ctx->deny_users = NULL;
>+ test_ctx->ctx->allow_users = discard_const(ulist_1);
>+ test_ctx->ctx->deny_users = NULL;
>
>- ret = simple_access_check(ctx, "u1", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == true, "Access denied "
> "while user is in allow list.");
>
>- ret = simple_access_check(ctx, "u3", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == false, "Access granted "
> "while user is not in allow list.");
>@@ -114,15 +228,15 @@ START_TEST(test_both_set)
> int ret;
> bool access_granted = false;
>
>- ctx->allow_users = discard_const(ulist_1);
>- ctx->deny_users = discard_const(ulist_1);
>+ test_ctx->ctx->allow_users = discard_const(ulist_1);
>+ test_ctx->ctx->deny_users = discard_const(ulist_1);
>
>- ret = simple_access_check(ctx, "u1", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == false, "Access granted "
> "while user is in deny list.");
>
>- ret = simple_access_check(ctx, "u3", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == false, "Access granted "
> "while user is not in allow list.");
>@@ -134,18 +248,18 @@ START_TEST(test_case)
> int ret;
> bool access_granted = false;
>
>- ctx->allow_users = discard_const(ulist_1);
>- ctx->deny_users = NULL;
>+ test_ctx->ctx->allow_users = discard_const(ulist_1);
>+ test_ctx->ctx->deny_users = NULL;
>
>- ret = simple_access_check(ctx, "U1", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == false, "Access granted "
> "for user with different case "
> "in case-sensitive domain");
>
>- ctx->domain->case_sensitive = false;
>+ test_ctx->ctx->domain->case_sensitive = false;
>
>- ret = simple_access_check(ctx, "U1", &access_granted);
>+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
> fail_unless(ret == EOK, "access_simple_check failed.");
> fail_unless(access_granted == true, "Access denied "
> "for user with different case "
>@@ -153,11 +267,95 @@ START_TEST(test_case)
> }
> END_TEST
>
>+START_TEST(test_group_allow_empty)
>+{
>+ int ret;
>+ bool access_granted = true;
>+
>+ test_ctx->ctx->allow_groups = NULL;
>+ test_ctx->ctx->deny_groups = discard_const(glist_1);
>+
>+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
>+ fail_unless(ret == EOK, "access_simple_check failed.");
>+ fail_unless(access_granted == false, "Access granted "
>+ "while group is in deny list.");
>+
>+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
>+ fail_unless(ret == EOK, "access_simple_check failed.");
>+ fail_unless(access_granted == true, "Access denied "
>+ "while group is not in deny list.");
>+}
>+END_TEST
>+
>+START_TEST(test_group_deny_empty)
>+{
>+ int ret;
>+ bool access_granted = false;
>+
>+ test_ctx->ctx->allow_groups = discard_const(glist_1);
>+ test_ctx->ctx->deny_groups = NULL;
>+
>+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
>+ fail_unless(ret == EOK, "access_simple_check failed.");
>+ fail_unless(access_granted == true, "Access denied "
>+ "while group is in allow list.");
>+
>+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
>+ fail_unless(ret == EOK, "access_simple_check failed.");
>+ fail_unless(access_granted == false, "Access granted "
>+ "while group is not in allow list.");
>+}
>+END_TEST
>+
>+START_TEST(test_group_both_set)
>+{
>+ int ret;
>+ bool access_granted = false;
>+
>+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
>+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
>+
>+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
>+ fail_unless(ret == EOK, "access_simple_check failed.");
>+ fail_unless(access_granted == false, "Access granted "
>+ "while group is in deny list.");
>+
>+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
>+ fail_unless(ret == EOK, "access_simple_check failed.");
>+ fail_unless(access_granted == false, "Access granted "
>+ "while group is not in
allow list.");
>+}
>+END_TEST
>+
>+START_TEST(test_group_case)
>+{
>+ int ret;
>+ bool access_granted = false;
>+
>+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
>+ test_ctx->ctx->deny_groups = NULL;
>+
>+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
>+ fail_unless(ret == EOK, "access_simple_check failed.");
>+ fail_unless(access_granted == false, "Access granted "
>+ "for group with different case "
>+ "in case-sensitive domain");
>+
>+ test_ctx->ctx->domain->case_sensitive = false;
>+
>+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
>+ fail_unless(ret == EOK, "access_simple_check failed.");
>+ fail_unless(access_granted == true, "Access denied "
>+ "for group with different case "
>+ "in case-insensitive domain");
>+}
>+END_TEST
>+
> Suite *access_simple_suite (void)
> {
> Suite *s = suite_create("access_simple");
>
>- TCase *tc_allow_deny = tcase_create("allow/deny");
>+ TCase *tc_allow_deny = tcase_create("user allow/deny");
> tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
> tcase_add_test(tc_allow_deny, test_both_empty);
> tcase_add_test(tc_allow_deny, test_allow_empty);
>@@ -166,6 +364,15 @@ Suite *access_simple_suite (void)
> tcase_add_test(tc_allow_deny, test_case);
> suite_add_tcase(s, tc_allow_deny);
>
>+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
>+ tcase_add_checked_fixture(tc_grp_allow_deny,
>+ setup_simple_group, teardown_simple_group);
>+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
>+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
>+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
>+ tcase_add_test(tc_grp_allow_deny, test_group_case);
>+ suite_add_tcase(s, tc_grp_allow_deny);
>+
> return s;
> }
>
>@@ -174,6 +381,7 @@ int main(int argc, const char *argv[])
> int opt;
> poptContext pc;
> int number_failed;
>+ int ret;
>
> struct poptOption long_options[] = {
> POPT_AUTOHELP
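Review bot: test_group_both_set and test_group_case fill allow_groups/deny_groups from ulist_1 ("u1", "u2") instead of the glist_1 ("g1", "g2") that test_group_allow_empty and test_group_deny_empty use, so neither list names a group the fixture actually created. As written, test_group_both_set's denial of "u1" can only come from "not in allow list" rather than the deny-overrides-allow path its message claims, and test_group_case's case-insensitive assertion expects a grant that, unless simple_access_check also matches group lists against user names, cannot come from g1 membership. I would change the two assignments in test_group_both_set to `test_ctx->ctx->allow_groups = discard_const(glist_1);` and `test_ctx->ctx->deny_groups = discard_const(glist_1);`, and the one in test_group_case to `test_ctx->ctx->allow_groups = discard_const(glist_1);`. Note also that test_group_case varies the case of the user name ("U1"), not of a group name, so a list entry such as "G1" would be needed for the "group with different case" wording to describe what is tested.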
>@@ -205,6 +413,20 @@ int main(int argc, const char *argv[])
> srunner_run_all(sr, CK_ENV);
> number_failed = srunner_ntests_failed(sr);
> srunner_free(sr);
>+
>+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
>+ if (ret != EOK) {
>+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
>+ errno, strerror(errno));
>+ return EXIT_FAILURE;
>+ }
>+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
>+ if (ret != EOK) {
>+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
>+ errno, strerror(errno));
>+ return EXIT_FAILURE;
>+ }
>+
> return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
> }
>
>--
>1.8.1.4
>
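Review bot: The second unlink in main reports "Could not delete the test config ldb file" although it removes the sysdb file, and a failure of either unlink returns EXIT_FAILURE before number_failed is consulted, so a clean test run reports failure for a cleanup problem while a failing run loses its count in the output. I would change the second message to `"Could not delete the test sysdb ldb file (%d) (%s)\n"` and, rather than returning early, record the cleanup result and fold it into the final line, e.g. `return (number_failed == 0 && cleanup_ok) ? EXIT_SUCCESS : EXIT_FAILURE;`. Comparing unlink's result with EOK works only because EOK is 0; `if (ret == -1)` states the POSIX contract directly and matches the mkdir check in setup_simple. main begins outside this hunk.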
Flags:
jhrozek
: review?