summaryrefslogtreecommitdiffstats
path: root/tests/unit/test-authz-pam.c
diff options
context:
space:
mode:
Diffstat (limited to 'tests/unit/test-authz-pam.c')
-rw-r--r--tests/unit/test-authz-pam.c133
1 files changed, 133 insertions, 0 deletions
diff --git a/tests/unit/test-authz-pam.c b/tests/unit/test-authz-pam.c
new file mode 100644
index 0000000000..4fe1ef2603
--- /dev/null
+++ b/tests/unit/test-authz-pam.c
@@ -0,0 +1,133 @@
+/*
+ * QEMU PAM authorization object tests
+ *
+ * Copyright (c) 2018 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu/module.h"
+#include "authz/pamacct.h"
+
+#include <security/pam_appl.h>
+
+static bool failauth;
+
+/*
+ * These three functions are exported by libpam.so.
+ *
+ * By defining them again here, our impls are resolved
+ * by the linker instead of those in libpam.so
+ *
+ * The test suite is thus isolated from the host system
+ * PAM setup, so we can do predictable test scenarios
+ */
+int
+pam_start(const char *service_name, const char *user,
+ const struct pam_conv *pam_conversation,
+ pam_handle_t **pamh)
+{
+ failauth = true;
+ if (!g_str_equal(service_name, "qemu-vnc")) {
+ return PAM_AUTH_ERR;
+ }
+
+ if (g_str_equal(user, "fred")) {
+ failauth = false;
+ }
+
+ *pamh = (pam_handle_t *)0xbadeaffe;
+ return PAM_SUCCESS;
+}
+
+
+int
+pam_acct_mgmt(pam_handle_t *pamh, int flags)
+{
+ if (failauth) {
+ return PAM_AUTH_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
+
+int
+pam_end(pam_handle_t *pamh, int status)
+{
+ return PAM_SUCCESS;
+}
+
+
+static void test_authz_unknown_service(void)
+{
+ Error *local_err = NULL;
+ QAuthZPAM *auth = qauthz_pam_new("auth0",
+ "qemu-does-not-exist",
+ &error_abort);
+
+ g_assert_nonnull(auth);
+
+ g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err));
+
+ error_free_or_abort(&local_err);
+ object_unparent(OBJECT(auth));
+}
+
+
+static void test_authz_good_user(void)
+{
+ QAuthZPAM *auth = qauthz_pam_new("auth0",
+ "qemu-vnc",
+ &error_abort);
+
+ g_assert_nonnull(auth);
+
+ g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort));
+
+ object_unparent(OBJECT(auth));
+}
+
+
+static void test_authz_bad_user(void)
+{
+ Error *local_err = NULL;
+ QAuthZPAM *auth = qauthz_pam_new("auth0",
+ "qemu-vnc",
+ &error_abort);
+
+ g_assert_nonnull(auth);
+
+ g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err));
+
+ error_free_or_abort(&local_err);
+ object_unparent(OBJECT(auth));
+}
+
+
+int main(int argc, char **argv)
+{
+ g_test_init(&argc, &argv, NULL);
+
+ module_call_init(MODULE_INIT_QOM);
+
+ g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service);
+ g_test_add_func("/auth/pam/good-user", test_authz_good_user);
+ g_test_add_func("/auth/pam/bad-user", test_authz_bad_user);
+
+ return g_test_run();
+}