Hi, these patches add some unit tests and some additional improvements related to the issues described in https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue is fixed by a patch from Alexander attached to the ticket.
The first patch converts the existing check-based test to cmocka. If I see it correctly all check-based test are converted now. The second adds tests for filter_logon_info() where the original issue occurred. The wrong behavior in filter_logon_info() caused a crash in dom_sid_string() which is made a bit more robust together with string_to_sid() in the 3rd patch. The last patch add unit tests for those two calls as well. bye, Sumit
From ddd3ac0a38521ae9450f9dee46fbd8434ac85870 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Wed, 20 May 2015 18:31:19 +0200 Subject: [PATCH 145/148] ipa-kdb: convert test to cmocka --- daemons/ipa-kdb/Makefile.am | 6 +- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 129 ++++++++++++---------------------- 2 files changed, 48 insertions(+), 87 deletions(-) diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index 80747491f8315a9cb0b38965423ba5d160946278..a4ea366b01b248d3f0fbc0b694e02d00c2e4c3d1 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -55,7 +55,7 @@ ipadb_la_LIBADD = \ $(NSS_LIBS) \ $(NULL) -if HAVE_CHECK +if HAVE_CMOCKA TESTS = ipa_kdb_tests check_PROGRAMS = ipa_kdb_tests endif @@ -73,9 +73,9 @@ ipa_kdb_tests_SOURCES = \ ipa_kdb_audit_as.c \ $(KRB5_UTIL_SRCS) \ $(NULL) -ipa_kdb_tests_CFLAGS = $(CHECK_CFLAGS) +ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS) ipa_kdb_tests_LDADD = \ - $(CHECK_LIBS) \ + $(CMOCKA_LIBS) \ $(KRB5_LIBS) \ $(LDAP_LIBS) \ $(NDRPAC_LIBS) \ diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index e1ae06a6e359e65873241116581f028f1a4e1bf3..1ff1cd49a4e409545ee908f0f7842520ae82e0a0 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c @@ -1,49 +1,30 @@ -/** BEGIN COPYRIGHT BLOCK - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * - * Additional permission under GPLv3 section 7: - * - * In the following paragraph, "GPL" means the GNU General Public - * License, version 3 or any later version, and "Non-GPL Code" means - * code that is governed neither by the GPL nor a license - * compatible with the GPL. - * - * You may link the code of this Program with Non-GPL Code and convey - * linked combinations including the two, provided that such Non-GPL - * Code only links to the code of this Program through those well - * defined interfaces identified in the file named EXCEPTION found in - * the source code files (the "Approved Interfaces"). The files of - * Non-GPL Code may instantiate templates or use macros or inline - * functions from the Approved Interfaces without causing the resulting - * work to be covered by the GPL. Only the copyright holders of this - * Program may make changes or additions to the list of Approved - * Interfaces. - * - * Authors: - * Sumit Bose <sb...@redhat.com> - * - * Copyright (C) 2013 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ +/* + Authors: + Sumit Bose <sb...@redhat.com> -#include <check.h> -#include <stdlib.h> + Copyright (C) 2015 Red Hat + + ipa-kdb tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <errno.h> #include <stdarg.h> -#include <stdio.h> -#include <stdbool.h> -#include <krb5/krb5.h> -#include <kdb.h> +#include <stddef.h> +#include <setjmp.h> +#include <cmocka.h> #include "ipa-kdb/ipa_kdb.h" @@ -74,7 +55,7 @@ int krb5_klog_syslog(int l, const char *format, ...) extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry, bool *with_pac, bool *with_pad); -START_TEST(test_get_authz_data_types) +void test_get_authz_data_types(void **state) { bool with_pac; bool with_pad; @@ -100,40 +81,40 @@ START_TEST(test_get_authz_data_types) with_pad = true; get_authz_data_types(NULL, NULL, NULL, &with_pad); - fail_unless(!with_pad, "with_pad not false with NULL inuput."); + assert_false(with_pad); with_pac = true; get_authz_data_types(NULL, NULL, &with_pac, NULL); - fail_unless(!with_pac, "with_pac not false with NULL inuput."); + assert_false(with_pad); with_pad = true; with_pac = true; get_authz_data_types(NULL, NULL, &with_pac, &with_pad); - fail_unless(!with_pad, "with_pad not false with NULL inuput."); - fail_unless(!with_pac, "with_pac not false with NULL inuput."); + assert_false(with_pac); + assert_false(with_pad); entry = calloc(1, sizeof(krb5_db_entry)); - fail_unless(entry != NULL, "calloc krb5_db_entry failed."); + assert_non_null(entry); ied = calloc(1, sizeof(struct ipadb_e_data)); - fail_unless(ied != NULL, "calloc struct ipadb_e_data failed."); + assert_non_null(ied); entry->e_data = (void *) ied; kerr = krb5_init_context(&krb5_ctx); - fail_unless(kerr == 0, "krb5_init_context failed."); + assert_int_equal(kerr, 0); kerr = krb5_db_setup_lib_handle(krb5_ctx); - fail_unless(kerr == 0, "krb5_db_setup_lib_handle failed.\n"); + assert_int_equal(kerr, 0); ipa_ctx = calloc(1, sizeof(struct ipadb_context)); - fail_unless(ipa_ctx != NULL, "calloc failed.\n"); + assert_non_null(ipa_ctx); ipa_ctx->kcontext = krb5_ctx; kerr = krb5_db_set_context(krb5_ctx, ipa_ctx); - fail_unless(kerr == 0, "krb5_db_set_context failed.\n"); + assert_int_equal(kerr, 0); kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ); - fail_unless(kerr == 0, "krb5_parse_name failed."); + assert_int_equal(kerr, 0); kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ); - fail_unless(kerr == 0, "krb5_parse_name failed."); + assert_int_equal(kerr, 0); struct test_set { char **authz_data; @@ -179,12 +160,8 @@ START_TEST(test_get_authz_data_types) ipa_ctx->config.last_update = time(NULL); entry->princ = test_set[c].princ; get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad); - fail_unless(with_pad == test_set[c].exp_with_pad, "with_pad not %s %s.", - test_set[c].exp_with_pad ? "true" : "false", - test_set[c].err_msg); - fail_unless(with_pac == test_set[c].exp_with_pac, "with_pac not %s %s.", - test_set[c].exp_with_pac ? "true" : "false", - test_set[c].err_msg); + assert_true(with_pad == test_set[c].exp_with_pad); + assert_true(with_pac == test_set[c].exp_with_pac); } krb5_free_principal(krb5_ctx, nfs_princ); @@ -192,28 +169,12 @@ START_TEST(test_get_authz_data_types) krb5_db_fini(krb5_ctx); krb5_free_context(krb5_ctx); } -END_TEST -Suite * ipa_kdb_suite(void) +int main(int argc, const char *argv[]) { - Suite *s = suite_create("IPA kdb"); + const UnitTest tests[] = { + unit_test(test_get_authz_data_types), + }; - TCase *tc_helper = tcase_create("Helper functions"); - tcase_add_test(tc_helper, test_get_authz_data_types); - suite_add_tcase(s, tc_helper); - - return s; -} - -int main(void) -{ - int number_failed; - - Suite *s = ipa_kdb_suite (); - SRunner *sr = srunner_create (s); - srunner_run_all (sr, CK_VERBOSE); - number_failed = srunner_ntests_failed (sr); - srunner_free (sr); - - return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; + return run_tests(tests); } -- 2.1.0
From bc375ae2bd2f23f2a5fc7a45db13d732bec4f6d3 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 26 May 2015 10:26:28 +0200 Subject: [PATCH 146/148] ipa-kdb: add unit-test for filter_logon_info() --- daemons/ipa-kdb/ipa_kdb_mspac.c | 41 ++--- daemons/ipa-kdb/ipa_kdb_mspac_private.h | 57 +++++++ daemons/ipa-kdb/tests/ipa_kdb_tests.c | 275 +++++++++++++++++++++++++++++--- 3 files changed, 323 insertions(+), 50 deletions(-) create mode 100644 daemons/ipa-kdb/ipa_kdb_mspac_private.h diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 0e53a8099dc272f7bfbf54a8b3cd13c8f472ca67..70b111ac7858f47324d71b8a53996e26fc52e9f5 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -28,31 +28,7 @@ #include "util/time.h" #include "gen_ndr/ndr_krb5pac.h" -struct ipadb_adtrusts { - char *domain_name; - char *flat_name; - char *domain_sid; - struct dom_sid domsid; - struct dom_sid *sid_blacklist_incoming; - int len_sid_blacklist_incoming; - struct dom_sid *sid_blacklist_outgoing; - int len_sid_blacklist_outgoing; - struct ipadb_adtrusts *parent; - char *parent_name; -}; - -struct ipadb_mspac { - char *flat_domain_name; - char *flat_server_name; - struct dom_sid domsid; - - char *fallback_group; - uint32_t fallback_rid; - - int num_trusts; - struct ipadb_adtrusts *trusts; - time_t last_update; -}; +#include "ipa_kdb_mspac_private.h" static char *user_pac_attrs[] = { "objectClass", @@ -113,10 +89,11 @@ static struct { #define AUTHZ_DATA_TYPE_PAD "PAD" #define AUTHZ_DATA_TYPE_NONE "NONE" -static int string_to_sid(char *str, struct dom_sid *sid) +int string_to_sid(const char *str, struct dom_sid *sid) { unsigned long val; - char *s, *t; + const char *s; + char *t; int i; memset(sid, '\0', sizeof(struct dom_sid)); @@ -174,7 +151,7 @@ static int string_to_sid(char *str, struct dom_sid *sid) return 0; } -static char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) +char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) { size_t c; size_t len; @@ -1317,10 +1294,10 @@ static void filter_logon_info_log_message(struct dom_sid *sid) } } -static krb5_error_code filter_logon_info(krb5_context context, - TALLOC_CTX *memctx, - krb5_data realm, - struct PAC_LOGON_INFO_CTR *info) +krb5_error_code filter_logon_info(krb5_context context, + TALLOC_CTX *memctx, + krb5_data realm, + struct PAC_LOGON_INFO_CTR *info) { /* We must refuse a PAC that comes signed with a cross realm TGT diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h new file mode 100644 index 0000000000000000000000000000000000000000..be04071762316643d687e80986db0d7510e53ded --- /dev/null +++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h @@ -0,0 +1,57 @@ +/* + * MIT Kerberos KDC database backend for FreeIPA + * This head file contains private declarations for ipa_kdb_mspac.c and should + * be used only there or in unit-test. + * + * Authors: Sumit Bose <sb...@redhat.com> + * + * see file 'COPYING' for use and warranty information + * + * This program is free software you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _IPA_KDB_MSPAC_PRIVATE_H_ +#define _IPA_KDB_MSPAC_PRIVATE_H_ + +struct ipadb_mspac { + char *flat_domain_name; + char *flat_server_name; + struct dom_sid domsid; + + char *fallback_group; + uint32_t fallback_rid; + + int num_trusts; + struct ipadb_adtrusts *trusts; + time_t last_update; +}; + +struct ipadb_adtrusts { + char *domain_name; + char *flat_name; + char *domain_sid; + struct dom_sid domsid; + struct dom_sid *sid_blacklist_incoming; + int len_sid_blacklist_incoming; + struct dom_sid *sid_blacklist_outgoing; + int len_sid_blacklist_outgoing; + struct ipadb_adtrusts *parent; + char *parent_name; +}; + +int string_to_sid(const char *str, struct dom_sid *sid); +char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid); + +#endif /* _IPA_KDB_MSPAC_PRIVATE_H_ */ diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index 1ff1cd49a4e409545ee908f0f7842520ae82e0a0..7b9b85d2cf7fcc2478a522eccf686b3e2582447e 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c @@ -22,11 +22,19 @@ #include <errno.h> #include <stdarg.h> +#include <stdbool.h> #include <stddef.h> +#include <stdint.h> #include <setjmp.h> #include <cmocka.h> +#include <talloc.h> + +#include "gen_ndr/ndr_krb5pac.h" +#include "gen_ndr/netlogon.h" + #include "ipa-kdb/ipa_kdb.h" +#include "ipa-kdb/ipa_kdb_mspac_private.h" #define NFS_PRINC_STRING "nfs/fully.qualified.host.n...@realm.name" #define NON_NFS_PRINC_STRING "abcdef/fully.qualified.host.n...@realm.name" @@ -52,6 +60,240 @@ int krb5_klog_syslog(int l, const char *format, ...) return 0; } +struct test_ctx { + krb5_context krb5_ctx; +}; + +#define DOMAIN_NAME "my.domain" +#define REALM "MY.DOMAIN" +#define REALM_LEN (sizeof(REALM) - 1) +#define FLAT_NAME "MYDOM" +#define DOM_SID "S-1-5-21-1-2-3" +#define DOM_SID_TRUST "S-1-5-21-4-5-6" +#define BLACKLIST_SID "S-1-5-1" + +void setup(void **state) +{ + int ret; + krb5_context krb5_ctx; + krb5_error_code kerr; + struct ipadb_context *ipa_ctx; + struct test_ctx *test_ctx; + + kerr = krb5_init_context(&krb5_ctx); + assert_int_equal(kerr, 0); + kerr = krb5_db_setup_lib_handle(krb5_ctx); + assert_int_equal(kerr, 0); + + ipa_ctx = calloc(1, sizeof(struct ipadb_context)); + assert_non_null(ipa_ctx); + + ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac)); + assert_non_null(ipa_ctx->mspac); + + /* make sure data is not read from LDAP */ + ipa_ctx->mspac->last_update = time(NULL) - 1; + + ret = string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid); + assert_int_equal(ret, 0); + + ipa_ctx->mspac->num_trusts = 1; + ipa_ctx->mspac->trusts = calloc(1, sizeof(struct ipadb_adtrusts)); + assert_non_null(ipa_ctx->mspac->trusts); + + ipa_ctx->mspac->trusts[0].domain_name = strdup(DOMAIN_NAME); + assert_non_null(ipa_ctx->mspac->trusts[0].domain_name); + + ipa_ctx->mspac->trusts[0].flat_name = strdup(FLAT_NAME); + assert_non_null(ipa_ctx->mspac->trusts[0].flat_name); + + ipa_ctx->mspac->trusts[0].domain_sid = strdup(DOM_SID_TRUST); + assert_non_null(ipa_ctx->mspac->trusts[0].domain_sid); + + ret = string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid); + assert_int_equal(ret, 0); + + ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming = 1; + ipa_ctx->mspac->trusts[0].sid_blacklist_incoming = calloc( + ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming, + sizeof(struct dom_sid)); + assert_non_null(ipa_ctx->mspac->trusts[0].sid_blacklist_incoming); + ret = string_to_sid(BLACKLIST_SID, + &ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]); + assert_int_equal(ret, 0); + + struct dom_sid *sid_blacklist_incoming; + int len_sid_blacklist_incoming; + + ipa_ctx->kcontext = krb5_ctx; + kerr = krb5_db_set_context(krb5_ctx, ipa_ctx); + assert_int_equal(kerr, 0); + + test_ctx = talloc(NULL, struct test_ctx); + assert_non_null(test_ctx); + + test_ctx->krb5_ctx = krb5_ctx; + + *state = test_ctx; +} + +void teardown(void **state) +{ + struct test_ctx *test_ctx; + struct ipadb_context *ipa_ctx; + + test_ctx = (struct test_ctx *) *state; + + ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx); + assert_non_null(ipa_ctx); + ipadb_mspac_struct_free(&ipa_ctx->mspac); + + krb5_db_fini(test_ctx->krb5_ctx); + krb5_free_context(test_ctx->krb5_ctx); + + talloc_free(test_ctx); +} + +extern krb5_error_code filter_logon_info(krb5_context context, + TALLOC_CTX *memctx, + krb5_data realm, + struct PAC_LOGON_INFO_CTR *info); + +void test_filter_logon_info(void **state) +{ + krb5_error_code kerr; + krb5_data realm = {KV5M_DATA, REALM_LEN, REALM}; + struct test_ctx *test_ctx; + struct PAC_LOGON_INFO_CTR *info; + int ret; + struct dom_sid dom_sid; + size_t c; + size_t d; + + test_ctx = (struct test_ctx *) *state; + + info = talloc_zero(test_ctx, struct PAC_LOGON_INFO_CTR); + assert_non_null(info); + info->info = talloc_zero(info, struct PAC_LOGON_INFO); + assert_non_null(info->info); + + /* wrong flat name */ + info->info->info3.base.logon_domain.string = talloc_strdup(info->info, + "WRONG"); + assert_non_null(info->info->info3.base.logon_domain.string); + + kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info); + assert_int_equal(kerr, EINVAL); + + info->info->info3.base.logon_domain.string = talloc_strdup(info->info, + FLAT_NAME); + assert_non_null(info->info->info3.base.logon_domain.string); + + /* missing domain SID */ + kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info); + assert_int_equal(kerr, EINVAL); + + /* wrong domain SID */ + ret = string_to_sid("S-1-5-21-1-1-1", &dom_sid); + assert_int_equal(ret, 0); + info->info->info3.base.domain_sid = &dom_sid; + + kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info); + assert_int_equal(kerr, EINVAL); + + /* matching domain SID */ + ret = string_to_sid(DOM_SID_TRUST, &dom_sid); + assert_int_equal(ret, 0); + info->info->info3.base.domain_sid = &dom_sid; + + kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info); + assert_int_equal(kerr, 0); + + /* empty SIDs */ + info->info->info3.sidcount = 3; + info->info->info3.sids = talloc_zero_array(info->info, + struct netr_SidAttr, + info->info->info3.sidcount); + assert_non_null(info->info->info3.sids); + for(c = 0; c < info->info->info3.sidcount; c++) { + info->info->info3.sids[c].sid = talloc_zero(info->info->info3.sids, + struct dom_sid2); + assert_non_null(info->info->info3.sids[c].sid); + } + + kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info); + assert_int_equal(kerr, 0); + assert_int_equal(info->info->info3.sidcount, 3); + + struct test_data { + size_t sidcount; + const char *sids[3]; + size_t exp_sidcount; + const char *exp_sids[3]; + } test_data[] = { + /* only allowed SIDs */ + {3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}, + 3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}}, + /* last SID filtered */ + {3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"}, + 2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001"}}, + /* center SID filtered */ + {3, {DOM_SID_TRUST"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"}, + 2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1002"}}, + /* first SID filtered */ + {3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}, + 2, {DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}}, + /* first and last SID filtered */ + {3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"}, + 1, {DOM_SID_TRUST"-1001"}}, + /* two SIDs in a rwo filtered */ + {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"}, + 1, {DOM_SID_TRUST"-1002"}}, + /* all SIDs filtered*/ + {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"}, + 0, NULL}, + {0, NULL, 0 , NULL} + }; + + for (c = 0; test_data[c].sidcount != 0; c++) { + talloc_free(info->info->info3.sids); + + info->info->info3.sidcount = test_data[c].sidcount; + info->info->info3.sids = talloc_zero_array(info->info, + struct netr_SidAttr, + info->info->info3.sidcount); + assert_non_null(info->info->info3.sids); + for(d = 0; d < info->info->info3.sidcount; d++) { + info->info->info3.sids[d].sid = talloc_zero(info->info->info3.sids, + struct dom_sid2); + assert_non_null(info->info->info3.sids[d].sid); + } + + for (d = 0; d < info->info->info3.sidcount; d++) { + ret = string_to_sid(test_data[c].sids[d], + info->info->info3.sids[d].sid); + assert_int_equal(ret, 0); + } + + kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info); + assert_int_equal(kerr, 0); + assert_int_equal(info->info->info3.sidcount, test_data[c].exp_sidcount); + if (test_data[c].exp_sidcount == 0) { + assert_null(info->info->info3.sids); + } else { + for (d = 0; d < test_data[c].exp_sidcount; d++) { + assert_string_equal(test_data[c].exp_sids[d], + dom_sid_string(info->info->info3.sids, + info->info->info3.sids[d].sid)); + } + } + } + + + talloc_free(info); + +} + extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry, bool *with_pac, bool *with_pad); @@ -76,6 +318,11 @@ void test_get_authz_data_types(void **state) struct ipadb_context *ipa_ctx; krb5_principal nfs_princ; krb5_principal non_nfs_princ; + struct test_ctx *test_ctx; + + test_ctx = (struct test_ctx *) *state; + ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx); + assert_non_null(ipa_ctx); get_authz_data_types(NULL, NULL, NULL, NULL); @@ -100,20 +347,11 @@ void test_get_authz_data_types(void **state) assert_non_null(ied); entry->e_data = (void *) ied; - kerr = krb5_init_context(&krb5_ctx); - assert_int_equal(kerr, 0); - kerr = krb5_db_setup_lib_handle(krb5_ctx); - assert_int_equal(kerr, 0); - ipa_ctx = calloc(1, sizeof(struct ipadb_context)); - assert_non_null(ipa_ctx); - ipa_ctx->kcontext = krb5_ctx; - kerr = krb5_db_set_context(krb5_ctx, ipa_ctx); - assert_int_equal(kerr, 0); - - kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ); + kerr = krb5_parse_name(test_ctx->krb5_ctx, NFS_PRINC_STRING, &nfs_princ); assert_int_equal(kerr, 0); - kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ); + kerr = krb5_parse_name(test_ctx->krb5_ctx, NON_NFS_PRINC_STRING, + &non_nfs_princ); assert_int_equal(kerr, 0); struct test_set { @@ -159,21 +397,22 @@ void test_get_authz_data_types(void **state) /* Set last_update to avoid LDAP lookups during tests */ ipa_ctx->config.last_update = time(NULL); entry->princ = test_set[c].princ; - get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad); + get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad); assert_true(with_pad == test_set[c].exp_with_pad); assert_true(with_pac == test_set[c].exp_with_pac); } - krb5_free_principal(krb5_ctx, nfs_princ); - krb5_free_principal(krb5_ctx, non_nfs_princ); - krb5_db_fini(krb5_ctx); - krb5_free_context(krb5_ctx); + free(ied); + free(entry); + krb5_free_principal(test_ctx->krb5_ctx, nfs_princ); + krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ); } int main(int argc, const char *argv[]) { const UnitTest tests[] = { - unit_test(test_get_authz_data_types), + unit_test_setup_teardown(test_get_authz_data_types, setup, teardown), + unit_test_setup_teardown(test_filter_logon_info, setup, teardown), }; return run_tests(tests); -- 2.1.0
From d113fa62f208e80dcfc354b1594dbf17783dc3b5 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 26 May 2015 13:00:26 +0200 Subject: [PATCH 147/148] ipa-kdb: make string_to_sid() and dom_sid_string() more robust --- daemons/ipa-kdb/ipa_kdb_mspac.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 70b111ac7858f47324d71b8a53996e26fc52e9f5..7c0e4dc792dc99bb493477c88c11967b443a197f 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -96,6 +96,10 @@ int string_to_sid(const char *str, struct dom_sid *sid) char *t; int i; + if (str == NULL) { + return EINVAL; + } + memset(sid, '\0', sizeof(struct dom_sid)); s = str; @@ -159,13 +163,18 @@ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) uint32_t ia; char *buf; - if (dom_sid == NULL) { + if (dom_sid == NULL + || dom_sid->num_auths < 0 + || dom_sid->num_auths > SID_SUB_AUTHS) { return NULL; } len = 25 + dom_sid->num_auths * 11; buf = talloc_zero_size(memctx, len); + if (buf == NULL) { + return NULL; + } ia = (dom_sid->id_auth[5]) + (dom_sid->id_auth[4] << 8 ) + -- 2.1.0
From 26cf5d8247a462bd3584fd4ad6a204c4592650fe Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 26 May 2015 13:01:13 +0200 Subject: [PATCH 148/148] ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string() --- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 60 +++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index 7b9b85d2cf7fcc2478a522eccf686b3e2582447e..edd4ae0975628d6b3abe9bab2852c990c9a8c590 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c @@ -408,11 +408,71 @@ void test_get_authz_data_types(void **state) krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ); } +void test_string_to_sid(void **state) +{ + int ret; + struct dom_sid sid; + struct dom_sid exp_sid = {1, 5, {0, 0, 0, 0, 0, 5}, + {21, 2127521184, 1604012920, 1887927527, 72713, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + + ret = string_to_sid(NULL, &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("abc", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-ABC", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-123", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713", + &sid); + assert_int_equal(ret, 0); + assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid)); +} + +void test_dom_sid_string(void **state) +{ + struct test_ctx *test_ctx; + char *str_sid; + struct dom_sid test_sid = {1, 5, {0, 0, 0, 0, 0, 5}, + {21, 2127521184, 1604012920, 1887927527, 72713, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + + test_ctx = (struct test_ctx *) *state; + + str_sid = dom_sid_string(test_ctx, NULL); + assert_null(str_sid); + + str_sid = dom_sid_string(test_ctx, &test_sid); + assert_non_null(str_sid); + assert_string_equal(str_sid, + "S-1-5-21-2127521184-1604012920-1887927527-72713"); + + test_sid.num_auths = -3; + str_sid = dom_sid_string(test_ctx, &test_sid); + + test_sid.num_auths = 16; + str_sid = dom_sid_string(test_ctx, &test_sid); +} + + int main(int argc, const char *argv[]) { const UnitTest tests[] = { unit_test_setup_teardown(test_get_authz_data_types, setup, teardown), unit_test_setup_teardown(test_filter_logon_info, setup, teardown), + unit_test(test_string_to_sid), + unit_test_setup_teardown(test_dom_sid_string, setup, teardown), }; return run_tests(tests); -- 2.1.0
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code