libvirt/tests/viridentitytest.c

/*
 * Copyright (C) 2013, 2014 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library;  If not, see
 * <http://www.gnu.org/licenses/>.
 */

#include <config.h>


#if WITH_SELINUX
# include <selinux/selinux.h>
#endif

#include "testutils.h"

#include "viridentity.h"
#include "virerror.h"
#include "viralloc.h"
#include "virlog.h"

#include "virlockspace.h"

#define VIR_FROM_THIS VIR_FROM_NONE

VIR_LOG_INIT("tests.identitytest");

static int testIdentityAttrs(const void *data ATTRIBUTE_UNUSED)
{
    int ret = -1;
    virIdentityPtr ident;
    const char *val;

    if (!(ident = virIdentityNew()))
        goto cleanup;

    if (virIdentitySetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_USER_NAME,
                           "fred") < 0)
        goto cleanup;

    if (virIdentityGetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_USER_NAME,
                           &val) < 0)
        goto cleanup;

    if (STRNEQ_NULLABLE(val, "fred")) {
        VIR_DEBUG("Expected 'fred' got '%s'", NULLSTR(val));
        goto cleanup;
    }

    if (virIdentityGetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
                           &val) < 0)
        goto cleanup;

    if (val != NULL) {
        VIR_DEBUG("Unexpected groupname attribute");
        goto cleanup;
    }

    if (virIdentitySetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_USER_NAME,
                           "joe") != -1) {
        VIR_DEBUG("Unexpectedly overwrote attribute");
        goto cleanup;
    }

    if (virIdentityGetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_USER_NAME,
                           &val) < 0)
        goto cleanup;

    if (STRNEQ_NULLABLE(val, "fred")) {
        VIR_DEBUG("Expected 'fred' got '%s'", NULLSTR(val));
        goto cleanup;
    }

    ret = 0;
 cleanup:
    virObjectUnref(ident);
    return ret;
}


static int testIdentityEqual(const void *data ATTRIBUTE_UNUSED)
{
    int ret = -1;
    virIdentityPtr identa = NULL;
    virIdentityPtr identb = NULL;

    if (!(identa = virIdentityNew()))
        goto cleanup;
    if (!(identb = virIdentityNew()))
        goto cleanup;

    if (!virIdentityIsEqual(identa, identb)) {
        VIR_DEBUG("Empty identities were not equal");
        goto cleanup;
    }

    if (virIdentitySetAttr(identa,
                           VIR_IDENTITY_ATTR_UNIX_USER_NAME,
                           "fred") < 0)
        goto cleanup;

    if (virIdentityIsEqual(identa, identb)) {
        VIR_DEBUG("Mis-matched identities should not be equal");
        goto cleanup;
    }

    if (virIdentitySetAttr(identb,
                           VIR_IDENTITY_ATTR_UNIX_USER_NAME,
                           "fred") < 0)
        goto cleanup;

    if (!virIdentityIsEqual(identa, identb)) {
        VIR_DEBUG("Matched identities were not equal");
        goto cleanup;
    }

    if (virIdentitySetAttr(identa,
                           VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
                           "flintstone") < 0)
        goto cleanup;
    if (virIdentitySetAttr(identb,
                           VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
                           "flintstone") < 0)
        goto cleanup;

    if (!virIdentityIsEqual(identa, identb)) {
        VIR_DEBUG("Matched identities were not equal");
        goto cleanup;
    }

    if (virIdentitySetAttr(identb,
                           VIR_IDENTITY_ATTR_SASL_USER_NAME,
                           "fred@FLINTSTONE.COM") < 0)
        goto cleanup;

    if (virIdentityIsEqual(identa, identb)) {
        VIR_DEBUG("Mis-matched identities should not be equal");
        goto cleanup;
    }

    ret = 0;
 cleanup:
    virObjectUnref(identa);
    virObjectUnref(identb);
    return ret;
}

static int testIdentityGetSystem(const void *data)
{
    const char *context = data;
    int ret = -1;
    virIdentityPtr ident = NULL;
    const char *val;

#if !WITH_SELINUX
    if (context) {
        VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
        ret = EXIT_AM_SKIP;
        goto cleanup;
    }
#endif

    if (!(ident = virIdentityGetSystem())) {
        VIR_DEBUG("Unable to get system identity");
        goto cleanup;
    }

    if (virIdentityGetAttr(ident,
                           VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
                           &val) < 0)
        goto cleanup;

    if (STRNEQ_NULLABLE(val, context)) {
        VIR_DEBUG("Unexpected SELinux context attribute");
        goto cleanup;
    }

    ret = 0;
 cleanup:
    virObjectUnref(ident);
    return ret;
}

static int testSetFakeSELinuxContext(const void *data ATTRIBUTE_UNUSED)
{
#if WITH_SELINUX
    return setcon_raw((security_context_t)data);
#else
    VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
    return EXIT_AM_SKIP;
#endif
}

static int testDisableFakeSELinux(const void *data ATTRIBUTE_UNUSED)
{
#if WITH_SELINUX
    return security_disable();
#else
    VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
    return EXIT_AM_SKIP;
#endif
}

static int
mymain(void)
{
    const char *context = "unconfined_u:unconfined_r:unconfined_t:s0";
    int ret = 0;

    if (virTestRun("Identity attributes ", testIdentityAttrs, NULL) < 0)
        ret = -1;
    if (virTestRun("Identity equality ", testIdentityEqual, NULL) < 0)
        ret = -1;
    if (virTestRun("Setting fake SELinux context ", testSetFakeSELinuxContext, context) < 0)
        ret = -1;
    if (virTestRun("System identity (fake SELinux enabled) ", testIdentityGetSystem, context) < 0)
        ret = -1;
    if (virTestRun("Disabling fake SELinux ", testDisableFakeSELinux, NULL) < 0)
        ret = -1;
    if (virTestRun("System identity (fake SELinux disabled) ", testIdentityGetSystem, NULL) < 0)
        ret = -1;

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

#if WITH_SELINUX
VIR_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/libsecurityselinuxhelper.so")
#else
VIR_TEST_MAIN(mymain)
#endif
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`/*`
Require spaces around equality comparisons Commit a1cbe4b5 added a check for spaces around assignments and this patch extends it to checks for spaces around '=='. One exception is virAssertCmpInt where comma after '==' is acceptable (since it is a macro and '==' is its argument). Signed-off-by: Martin Kletzander <mkletzan@redhat.com> 2014-03-17 13:38:38 +04:00			`* Copyright (C) 2013, 2014 Red Hat, Inc.`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`*`
			`* This library is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU Lesser General Public`
			`* License as published by the Free Software Foundation; either`
			`* version 2.1 of the License, or (at your option) any later version.`
			`*`
			`* This library is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`* Lesser General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Lesser General Public`
			`* License along with this library; If not, see`
			`* <http://www.gnu.org/licenses/>.`
			`*/`

			`#include <config.h>`


tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`#if WITH_SELINUX`
			`# include <selinux/selinux.h>`
			`#endif`

Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`#include "testutils.h"`

			`#include "viridentity.h"`
			`#include "virerror.h"`
			`#include "viralloc.h"`
			`#include "virlog.h"`

			`#include "virlockspace.h"`

			`#define VIR_FROM_THIS VIR_FROM_NONE`

Add virLogSource variables to all source files Any source file which calls the logging APIs now needs to have a VIR_LOG_INIT("source.name") declaration at the start of the file. This provides a static variable of the virLogSource type. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2014-02-28 16:16:17 +04:00			`VIR_LOG_INIT("tests.identitytest");`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00
			`static int testIdentityAttrs(const void *data ATTRIBUTE_UNUSED)`
			`{`
			`int ret = -1;`
			`virIdentityPtr ident;`
			`const char *val;`

			`if (!(ident = virIdentityNew()))`
			`goto cleanup;`

			`if (virIdentitySetAttr(ident,`
			`VIR_IDENTITY_ATTR_UNIX_USER_NAME,`
			`"fred") < 0)`
			`goto cleanup;`

			`if (virIdentityGetAttr(ident,`
			`VIR_IDENTITY_ATTR_UNIX_USER_NAME,`
			`&val) < 0)`
			`goto cleanup;`

			`if (STRNEQ_NULLABLE(val, "fred")) {`
			`VIR_DEBUG("Expected 'fred' got '%s'", NULLSTR(val));`
			`goto cleanup;`
			`}`

			`if (virIdentityGetAttr(ident,`
			`VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,`
			`&val) < 0)`
			`goto cleanup;`

			`if (val != NULL) {`
			`VIR_DEBUG("Unexpected groupname attribute");`
			`goto cleanup;`
			`}`

			`if (virIdentitySetAttr(ident,`
			`VIR_IDENTITY_ATTR_UNIX_USER_NAME,`
			`"joe") != -1) {`
			`VIR_DEBUG("Unexpectedly overwrote attribute");`
			`goto cleanup;`
			`}`

			`if (virIdentityGetAttr(ident,`
			`VIR_IDENTITY_ATTR_UNIX_USER_NAME,`
			`&val) < 0)`
			`goto cleanup;`

			`if (STRNEQ_NULLABLE(val, "fred")) {`
			`VIR_DEBUG("Expected 'fred' got '%s'", NULLSTR(val));`
			`goto cleanup;`
			`}`

			`ret = 0;`
Indent top-level labels by one space in tests/ 2014-03-25 10:53:44 +04:00			`cleanup:`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`virObjectUnref(ident);`
			`return ret;`
			`}`


			`static int testIdentityEqual(const void *data ATTRIBUTE_UNUSED)`
			`{`
			`int ret = -1;`
			`virIdentityPtr identa = NULL;`
			`virIdentityPtr identb = NULL;`

			`if (!(identa = virIdentityNew()))`
			`goto cleanup;`
			`if (!(identb = virIdentityNew()))`
			`goto cleanup;`

			`if (!virIdentityIsEqual(identa, identb)) {`
			`VIR_DEBUG("Empty identities were not equal");`
			`goto cleanup;`
			`}`

			`if (virIdentitySetAttr(identa,`
			`VIR_IDENTITY_ATTR_UNIX_USER_NAME,`
			`"fred") < 0)`
			`goto cleanup;`

			`if (virIdentityIsEqual(identa, identb)) {`
			`VIR_DEBUG("Mis-matched identities should not be equal");`
			`goto cleanup;`
			`}`

			`if (virIdentitySetAttr(identb,`
			`VIR_IDENTITY_ATTR_UNIX_USER_NAME,`
			`"fred") < 0)`
			`goto cleanup;`

			`if (!virIdentityIsEqual(identa, identb)) {`
			`VIR_DEBUG("Matched identities were not equal");`
			`goto cleanup;`
			`}`

			`if (virIdentitySetAttr(identa,`
			`VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,`
			`"flintstone") < 0)`
			`goto cleanup;`
			`if (virIdentitySetAttr(identb,`
			`VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,`
			`"flintstone") < 0)`
			`goto cleanup;`

			`if (!virIdentityIsEqual(identa, identb)) {`
			`VIR_DEBUG("Matched identities were not equal");`
			`goto cleanup;`
			`}`

			`if (virIdentitySetAttr(identb,`
			`VIR_IDENTITY_ATTR_SASL_USER_NAME,`
			`"fred@FLINTSTONE.COM") < 0)`
			`goto cleanup;`

			`if (virIdentityIsEqual(identa, identb)) {`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`VIR_DEBUG("Mis-matched identities should not be equal");`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`goto cleanup;`
			`}`

			`ret = 0;`
Indent top-level labels by one space in tests/ 2014-03-25 10:53:44 +04:00			`cleanup:`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`virObjectUnref(identa);`
			`virObjectUnref(identb);`
			`return ret;`
			`}`

tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`static int testIdentityGetSystem(const void *data)`
			`{`
			`const char *context = data;`
			`int ret = -1;`
			`virIdentityPtr ident = NULL;`
			`const char *val;`

			`#if !WITH_SELINUX`
			`if (context) {`
			`VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");`
			`ret = EXIT_AM_SKIP;`
			`goto cleanup;`
			`}`
			`#endif`

			`if (!(ident = virIdentityGetSystem())) {`
			`VIR_DEBUG("Unable to get system identity");`
			`goto cleanup;`
			`}`

			`if (virIdentityGetAttr(ident,`
			`VIR_IDENTITY_ATTR_SELINUX_CONTEXT,`
			`&val) < 0)`
			`goto cleanup;`

			`if (STRNEQ_NULLABLE(val, context)) {`
			`VIR_DEBUG("Unexpected SELinux context attribute");`
			`goto cleanup;`
			`}`

			`ret = 0;`
Indent top-level labels by one space in tests/ 2014-03-25 10:53:44 +04:00			`cleanup:`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`virObjectUnref(ident);`
			`return ret;`
			`}`

			`static int testSetFakeSELinuxContext(const void *data ATTRIBUTE_UNUSED)`
			`{`
			`#if WITH_SELINUX`
			`return setcon_raw((security_context_t)data);`
			`#else`
			`VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");`
			`return EXIT_AM_SKIP;`
			`#endif`
			`}`

			`static int testDisableFakeSELinux(const void *data ATTRIBUTE_UNUSED)`
			`{`
			`#if WITH_SELINUX`
			`return security_disable();`
			`#else`
			`VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");`
			`return EXIT_AM_SKIP;`
			`#endif`
			`}`

Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`static int`
			`mymain(void)`
			`{`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`const char *context = "unconfined_u:unconfined_r:unconfined_t:s0";`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`int ret = 0;`

tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions. 2016-05-26 18:01:50 +03:00			`if (virTestRun("Identity attributes ", testIdentityAttrs, NULL) < 0)`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`ret = -1;`
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions. 2016-05-26 18:01:50 +03:00			`if (virTestRun("Identity equality ", testIdentityEqual, NULL) < 0)`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`ret = -1;`
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions. 2016-05-26 18:01:50 +03:00			`if (virTestRun("Setting fake SELinux context ", testSetFakeSELinuxContext, context) < 0)`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`ret = -1;`
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions. 2016-05-26 18:01:50 +03:00			`if (virTestRun("System identity (fake SELinux enabled) ", testIdentityGetSystem, context) < 0)`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`ret = -1;`
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions. 2016-05-26 18:01:50 +03:00			`if (virTestRun("Disabling fake SELinux ", testDisableFakeSELinux, NULL) < 0)`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`ret = -1;`
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions. 2016-05-26 18:01:50 +03:00			`if (virTestRun("System identity (fake SELinux disabled) ", testIdentityGetSystem, NULL) < 0)`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`ret = -1;`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00
Require spaces around equality comparisons Commit a1cbe4b5 added a check for spaces around assignments and this patch extends it to checks for spaces around '=='. One exception is virAssertCmpInt where comma after '==' is acceptable (since it is a macro and '==' is its argument). Signed-off-by: Martin Kletzander <mkletzan@redhat.com> 2014-03-17 13:38:38 +04:00			`return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;`
Define internal APIs for managing identities Introduce a local object virIdentity for managing security attributes used to form a client application's identity. Instances of this object are intended to be used as if they were immutable, once created & populated with attributes Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2012-01-20 21:49:32 +04:00			`}`

tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`#if WITH_SELINUX`
tests: Rename VIRT_TEST_* macros to VIR_TEST_* We use the "vir" prefix pretty consistently in our APIs, both external and internal, which made these macros stood out. 2017-03-29 17:45:42 +03:00			`VIR_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/libsecurityselinuxhelper.so")`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`#else`
tests: Rename VIRT_TEST_* macros to VIR_TEST_* We use the "vir" prefix pretty consistently in our APIs, both external and internal, which made these macros stood out. 2017-03-29 17:45:42 +03:00			`VIR_TEST_MAIN(mymain)`
tests: Test virIdentityGetSystem Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@very.puzzling.org> 2014-03-06 10:02:49 +04:00			`#endif`