From a5592f036862ae20f8a7d6cea6daf2ea70700983 Mon Sep 17 00:00:00 2001
From: Remi Ferrand
Date: Tue, 5 Aug 2014 17:00:20 +0200
Subject: [PATCH 1/2] Add new file for common ACL tests procedures.

* For now this helper only introduce the `new_request` function that (stupidly, without freeing memory) create a new request base on a `struct request` members.
* acl-helpers header file introduce macro `USER_ONLY_REQUEST` that allow previous tests to work with as few modifications as possible (by just passing _username_ to the check function)
---
 tests/server/acl-helpers.c | 25 +++++++++++++++++++++++++
 tests/server/acl-helpers.h | 14 ++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 tests/server/acl-helpers.c
 create mode 100644 tests/server/acl-helpers.h

diff --git a/tests/server/acl-helpers.c b/tests/server/acl-helpers.c
new file mode 100644
index 00000000..38dcdc04
--- /dev/null
+++ b/tests/server/acl-helpers.c
@@ -0,0 +1,25 @@
+
+#include
+
+static struct request *srequest = NULL;
+
+struct request *new_request(const char *user,
+ const char *command,
+ const char *subcommand,
+ const char **argv)
+{
+
+ struct request *request = NULL;
+
+ if (srequest == NULL)
+ srequest = (struct request *) malloc(sizeof(struct request));
+
+ request = srequest;
+
+ request->user = (char *) user;
+ request->command = (char *) command;
+ request->subcommand = (char *) subcommand;
+ request->argv = (char **) argv;
+
+ return request;
+}
diff --git a/tests/server/acl-helpers.h b/tests/server/acl-helpers.h
new file mode 100644
index 00000000..c39f6248
--- /dev/null
+++ b/tests/server/acl-helpers.h
@@ -0,0 +1,14 @@
+#ifndef REMCTL_TESTS_HELPERS_H
+#define REMCTL_TESTS_HELPERS_H 1
+
+#include
+#include
+
+struct request *new_request(const char *user,
+ const char *command,
+ const char *subcommand,
+ const char **argv);
+
+#define USER_ONLY_REQUEST(user) new_request(user, NULL, NULL, NULL)
+
+#endif
From a19dd496d3a3eb344028f1a058c8602767dc0158 Mon Sep 17 00:00:00 2001
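Review bot: The `malloc` in new_request is unchecked, so when it fails the assignment to `request->user` and the three that follow dereference NULL. The second patch in this series already relies on the project's xmalloc wrapper in server/commands.c, so `srequest = xmalloc(sizeof *srequest);` removes both the unchecked result and the `(struct request *)` cast. The `(char *)` casts on user, command and subcommand strip const from caller-owned string literals; nothing in the helper writes through them, but the casts exist only because `struct request` declares plain `char *` members, which is the better place to fix this.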
From: Remi Ferrand
Date: Tue, 5 Aug 2014 17:03:15 +0200
Subject: [PATCH 2/2] Introduce new `struct request` that holds all data requested by remote user.

* The struct request is meant to be used by acl that requires _full_ information requested by remote user (command, subcommand, args, ...)
---
 Makefile.am | 3 +-
 server/commands.c | 26 ++++++-
 server/config.c | 69 +++++++++++------
 server/internal.h | 10 ++-
 tests/server/acl-t.c | 127 ++++++++++++++++----------------
 tests/server/acl/localgroup-t.c | 29 ++++----
 6 files changed, 162 insertions(+), 102 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index dac972f5..2c284629 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -437,7 +437,7 @@ tests_server_accept_t_LDFLAGS = $(GSSAPI_LDFLAGS) $(KRB5_LDFLAGS) \
 tests_server_accept_t_LDADD = tests/tap/libtap.a util/libutil.la \
 portable/libportable.la $(GSSAPI_LIBS) $(KRB5_LIBS) $(GPUT_LIBS) \
 $(PCRE_LIBS) $(LIBEVENT_LIBS)
-tests_server_acl_t_SOURCES = tests/server/acl-t.c $(SERVER_FILES)
+tests_server_acl_t_SOURCES = tests/server/acl-t.c tests/server/acl-helpers.c $(SERVER_FILES)
 tests_server_acl_t_LDFLAGS = $(GPUT_LDFLAGS) $(PCRE_LDFLAGS) \
 $(LIBEVENT_LDFLAGS)
 tests_server_acl_t_LDADD = tests/tap/libtap.a util/libutil.la \
@@ -445,6 +445,7 @@ tests_server_acl_t_LDADD = tests/tap/libtap.a util/libutil.la \
 tests_server_acl_localgroup_t_SOURCES = tests/server/acl/localgroup-t.c \
 $(SERVER_FILES) tests/server/acl/fake-getgrnam.c \
 tests/server/acl/fake-getgrnam.h tests/server/acl/fake-getpwnam.c \
+ tests/server/acl-helpers.c \
 tests/server/acl/fake-getpwnam.h
 tests_server_acl_localgroup_t_LDFLAGS = $(GPUT_LDFLAGS) $(PCRE_LDFLAGS) \
 $(LIBEVENT_LDFLAGS)
diff --git a/server/commands.c b/server/commands.c
index 2b391c3d..fe17ab71 100644
--- a/server/commands.c
+++ b/server/commands.c
@@ -98,6 +98,7 @@ server_send_summary(struct client *client, struct config *config)
 int status_all = 0;
 struct process process;
 struct evbuffer *output = NULL;
+ struct request *request = NULL;
 
 /* Create a buffer to hold all the output for protocol version one. */
 if (client->protocol == 1) {
@@ -106,6 +107,13 @@ server_send_summary(struct client *client, struct config *config)
 die("internal error: cannot create output buffer");
 }
 
+ /* Fill up request */
+ request = (struct request *) xmalloc(sizeof(struct request));
+ request->user = client->user;
+ request->command = "help";
+ request->subcommand = NULL;
+ request->argv = NULL;
+
 /*
 * Check each line in the config to find any that are " ALL"
 * lines, the user is authorized to run, and which have a summary field
@@ -117,7 +125,7 @@ server_send_summary(struct client *client, struct config *config)
 rule = config->rules[i];
 if (strcmp(rule->subcommand, "ALL") != 0)
 continue;
- if (!server_config_acl_permit(rule, client->user))
+ if (!server_config_acl_permit(rule, (const struct request *) request))
 continue;
 if (rule->summary == NULL)
 continue;
@@ -151,6 +159,9 @@ server_send_summary(struct client *client, struct config *config)
 free(req_argv);
 }
 
+ if (request != NULL)
+ free(request);
+
 /*
 * Sets the last process status to 0 if all succeeded, or the last failed
 * exit status if any commands gave non-zero. Return that we had output
@@ -299,6 +310,7 @@ server_run_command(struct client *client, struct config *config,
 char *subcommand = NULL;
 char *helpsubcommand = NULL;
 struct rule *rule = NULL;
+ struct request *request = NULL;
 char **req_argv = NULL;
 size_t i;
 bool ok = false;
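Review bot: In server_send_summary the request never leaves the function, so heap-allocating it with xmalloc in the second hunk and releasing it some fifty lines later in the fourth is more machinery than the data needs; `struct request request = { .user = client->user, .command = "help" };` and `server_config_acl_permit(rule, &request)` give the same behaviour with no allocation, no leak on any early exit between the two hunks (the body in between is not shown here, so I cannot confirm there is none), and no `if (request != NULL) free(request);`, whose guard is redundant anyway since `free(NULL)` is a no-op. The `(const struct request *)` cast in the third hunk is also unnecessary: a `struct request *` converts to `const struct request *` implicitly. Both functions touched here start and end outside these hunks.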
@@ -400,7 +412,15 @@ server_run_command(struct client *client, struct config *config,
 server_send_error(client, ERROR_UNKNOWN_COMMAND, "Unknown command");
 goto done;
 }
- if (!server_config_acl_permit(rule, user)) {
+
+ /* Fill up request */
+ request = (struct request *) xmalloc(sizeof(struct request));
+ request->user = user;
+ request->command = xstrdup(command);
+ request->subcommand = (subcommand == NULL) ? NULL : xstrdup(subcommand);
+ request->argv = NULL;
+
+ if (!server_config_acl_permit(rule, request)) {
 notice("access denied: user %s, command %s%s%s", user, command, (subcommand == NULL) ? "" : " ", (subcommand == NULL) ? "" : subcommand);
@@ -448,6 +468,8 @@ server_run_command(struct client *client, struct config *config,
 }
 
 done:
+ if (request != NULL)
+ free(request);
 free(command);
 free(subcommand);
 free(helpsubcommand);
diff --git a/server/config.c b/server/config.c
index eafbc037..230b78d6 100644
--- a/server/config.c
+++ b/server/config.c
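Review bot: The `xstrdup(command)` and `xstrdup(subcommand)` copies stored in request are never released: the `done:` hunk frees only the struct, so every command handled leaks one or two strings, which in a long-running standalone remctld is a slow, remotely driven memory growth. Both `command` and `subcommand` outlive `request` (they are freed after it at `done:`), so the copies serve no purpose; `request->command = command;` and `request->subcommand = subcommand;` are enough, and otherwise the two members must be freed before `free(request)`. server_run_command begins and ends outside these hunks, so I cannot see whether any path between the allocation and `done:` bypasses the label.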
@@ -624,11 +624,11 @@ acl_check_file_internal(void *data, const char *aclfile) /* Parse the line. */ if (strchr(p, ' ') == NULL) - s = acl_check(user, p, ACL_SCHEME_PRINC, aclfile, lineno); + s = acl_check(request, p, ACL_SCHEME_PRINC, aclfile, lineno); else { line = vector_split_space(buffer, NULL); if (line->count == 2 && strcmp(line->strings[0], "include") == 0) { - s = acl_check(data, line->strings[1], ACL_SCHEME_FILE, + s = acl_check(request, line->strings[1], ACL_SCHEME_FILE, aclfile, lineno); vector_free(line); line = NULL; @@ -672,11 +672,11 @@ acl_check_file_internal(void *data, const char *aclfile) * remaining result, which should be CONFIG_SUCCESS or CONFIG_NOMATCH. */ static enum config_status -acl_check_file(const char *user, const char *aclfile, const char *file, - int lineno) +acl_check_file(const struct request *request, const char *aclfile, + const char *file, int lineno) { return handle_include(aclfile, file, lineno, acl_check_file_internal, - (void *) user); + (void *) request); } @@ -689,9 +689,10 @@ acl_check_file(const char *user, const char *aclfile, const char *file, * aren't. */ static enum config_status -acl_check_princ(const char *user, const char *data, const char *file UNUSED, +acl_check_princ(const struct request *request, const char *data, const char *file UNUSED, int lineno UNUSED) { + char *user = (char *) request->user; return (strcmp(user, data) == 0) ? CONFIG_SUCCESS : CONFIG_NOMATCH; } 
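Review bot: `char *user = (char *) request->user;` in acl_check_princ casts to the type the member already has (`request->user` is a plain `char *` even through a `const struct request *`), so the cast is a no-op; the same cast is repeated in acl_check_pcre, acl_check_regex and acl_check_localgroup in the following hunks while acl_check_gput omits it. All five only read the string, so `const char *user = request->user;` says what is meant and keeps them compiling if `struct request` later gains const members. In acl_check_file_internal, `struct request *request = (struct request *) data;` discards the const that acl_check_file had to cast away to get through handle_include's `void *`; `const struct request *request = data;` keeps the round trip const-correct without a cast.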
@@ -720,12 +721,12 @@ acl_check_princ(const char *user, const char *data, const char *file UNUSED, * Any other result indicates a processing error and is returned as-is. */ static enum config_status -acl_check_deny(const char *user, const char *data, const char *file, +acl_check_deny(const struct request *request, const char *data, const char *file, int lineno) { enum config_status s; - s = acl_check(user, data, ACL_SCHEME_PRINC, file, lineno); + s = acl_check(request, data, ACL_SCHEME_PRINC, file, lineno); switch (s) { case CONFIG_SUCCESS: return CONFIG_DENY; case CONFIG_NOMATCH: return CONFIG_NOMATCH; @@ -768,9 +769,10 @@ server_config_set_gput_file(char *file UNUSED) */ #ifdef HAVE_GPUT static enum config_status -acl_check_gput(const char *user, const char *data, const char *file, +acl_check_gput(const struct request *request, const char *data, const char *file, int lineno) { + char *user = request->user; GPUT *G; char *role, *xform, *xform_start, *xform_end; enum config_status s; @@ -828,9 +830,10 @@ acl_check_gput(const char *user, const char *data, const char *file, */ #ifdef HAVE_PCRE static enum config_status -acl_check_pcre(const char *user, const char *data, const char *file, +acl_check_pcre(const struct request *request, const char *data, const char *file, int lineno) { + char *user = (char *) request->user; pcre *regex; const char *error; int offset, status; @@ -865,9 +868,10 @@ acl_check_pcre(const char *user, const char *data, const char *file, */ #ifdef HAVE_REGCOMP static enum config_status -acl_check_regex(const char *user, const char *data, const char *file, +acl_check_regex(const struct request *request, const char *data, const char *file, int lineno) { + char *user = (char *) request->user; regex_t regex; char error[BUFSIZ]; int status; 
@@ -1031,9 +1035,10 @@ acl_getgrnam(const char *group, struct group **grp, char **buffer) * file name and line number. */ static enum config_status -acl_check_localgroup(const char *user, const char *group, +acl_check_localgroup(const struct request *request, const char *group, const char *file, int lineno) { + char *user = (char *) request->user; struct passwd *pw; struct group *gr = NULL; char *grbuffer = NULL; @@ -1094,6 +1099,25 @@ acl_check_localgroup(const char *user, const char *group, #endif /* HAVE_KRB5 && HAVE_GETGRNAM_R */ +/* + * The ACL check operation for UNIX local group membership. Takes the user to + * check, the group of which they have to be a member, and the referencing + * file name and line number. + */ +#if 0 +static enum config_status +acl_check_exec(const char *user, const char *program, + const char *file, int lineno) +{ + + enum config_status result; + + result = CONFIG_NOMATCH; + +done: + return result; +} +#endif /* * The table relating ACL scheme names to functions. The first two ACL @@ -1104,6 +1128,7 @@ static const struct acl_scheme schemes[] = { { "file", acl_check_file }, { "princ", acl_check_princ }, { "deny", acl_check_deny }, +// { "exec", acl_check_exec }, #ifdef HAVE_GPUT { "gput", acl_check_gput }, #else @@ -1129,7 +1154,7 @@ static const struct acl_scheme schemes[] = { /* - * The access control check switch. Takes the user to check, the ACL entry, + * The access control check switch. Takes the request to check, the ACL entry, * default scheme index, and referencing file name and line number. * * Returns CONFIG_SUCCESS if the user is authorized, CONFIG_NOMATCH if they 
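Review bot: The `#if 0` acl_check_exec stub and the `// { "exec", acl_check_exec },` line in the schemes table are dead code that does not belong in a patch about the request struct: the stub's `done:` label has no matching `goto`, its header comment is copied verbatim from acl_check_localgroup ("UNIX local group membership"), and the `//` comment breaks the `/* */` style used by the rest of the table. An ACL scheme that executes a program during authorization changes the server's trust boundary (what is run, as which user, with which parts of the request as input) and deserves its own change with that design written down, rather than a placeholder merged here. The `#endif` closing the HAVE_KRB5 block is visible, but the schemes table itself continues past this hunk.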
@@ -1137,7 +1162,7 @@ static const struct acl_scheme schemes[] = { * file or a syntax error), and CONFIG_DENY for an explicit deny. */ static enum config_status -acl_check(const char *user, const char *entry, int def_index, +acl_check(const struct request *request, const char *entry, int def_index, const char *file, int lineno) { const struct acl_scheme *scheme; @@ -1167,7 +1192,7 @@ acl_check(const char *user, const char *entry, int def_index, scheme->name); return CONFIG_ERROR; } - return scheme->check(user, data, file, lineno); + return scheme->check(request, data, file, lineno); } @@ -1219,16 +1244,18 @@ server_config_free(struct config *config) * otherwise. */ bool -server_config_acl_permit(const struct rule *rule, const char *user) +server_config_acl_permit(const struct rule *rule, const struct request *request) { char **acls = rule->acls; size_t i; enum config_status status; + fprintf(stderr, "request->user = '%s'\n", request->user); + if (strcmp(acls[0], "ANYUSER") == 0) return true; for (i = 0; acls[i] != NULL; i++) { - status = acl_check(user, acls[i], ACL_SCHEME_FILE, rule->file, + status = acl_check(request, acls[i], ACL_SCHEME_FILE, rule->file, rule->lineno); if (status == 0) return true; diff --git a/server/internal.h b/server/internal.h index 622fc8df..edf04955 100644 --- a/server/internal.h +++ b/server/internal.h @@ -74,6 +74,14 @@ struct rule { char **acls; /* Full file names of ACL files. */ }; +/* Holds the detail of command, subcommand and args requested by remote user */ +struct request { + char *user; + char *command; + char *subcommand; + char **argv; +}; + /* Holds the complete parsed configuration for remctld. */ struct config { struct rule **rules; 
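Review bot: The `fprintf(stderr, "request->user = '%s'\n", request->user);` added to server_config_acl_permit is leftover debugging and must be removed: it writes the authenticated principal of every ACL evaluation to stderr outside the project's notice()/warn() logging, and it passes `request->user` to `%s` unconditionally although nothing in `struct request` forbids a NULL there, which is undefined behaviour in printf. Every caller in this series happens to set user, but the ACL switch should not depend on that. The function's closing lines are outside the hunk.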
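Review bot: `struct request` in server/internal.h declares all members as `char *` although every producer in this series stores read-only data in them: the `"help"` literal in server_send_summary, the `const char *user` argument in server_run_command, and the test helper's `const char *` parameters, which it has to cast with `(char *)` to fit. Declaring them `const char *user; const char *command; const char *subcommand; const char **argv;` documents that ACL checks receive the request read-only and removes those casts. Each member also deserves a short comment stating which may be NULL; subcommand and argv are NULL both for the summary request and for USER_ONLY_REQUEST, and every acl_check_* function now receives the whole struct.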
@@ -129,7 +137,7 @@ void server_log_command(struct iovec **, struct rule *, const char *user); /* Configuration file functions. */ struct config *server_config_load(const char *file); void server_config_free(struct config *); -bool server_config_acl_permit(const struct rule *, const char *user); +bool server_config_acl_permit(const struct rule *, const struct request *request); void server_config_set_gput_file(char *file); /* Running commands. */ diff --git a/tests/server/acl-t.c b/tests/server/acl-t.c index 8148b3fa..957950c6 100644 --- a/tests/server/acl-t.c +++ b/tests/server/acl-t.c @@ -15,6 +15,7 @@ #include #include #include +#include int 
@@ -37,56 +38,56 @@ main(void) acls[3] = NULL; acls[4] = NULL; - ok(server_config_acl_permit(&rule, "rra@example.org"), "simple 1"); - ok(server_config_acl_permit(&rule, "rra@EXAMPLE.COM"), "simple 2"); - ok(server_config_acl_permit(&rule, "cindy@EXAMPLE.COM"), "simple 3"); - ok(server_config_acl_permit(&rule, "test@EXAMPLE.COM"), "simple 4"); - ok(server_config_acl_permit(&rule, "test2@EXAMPLE.COM"), "simple 5"); + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@example.org")), "simple 1"); + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@EXAMPLE.COM")), "simple 2"); + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("cindy@EXAMPLE.COM")), "simple 3"); + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("test@EXAMPLE.COM")), "simple 4"); + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("test2@EXAMPLE.COM")), "simple 5"); - ok(!server_config_acl_permit(&rule, "rra@EXAMPLE.ORG"), "no 1"); - ok(!server_config_acl_permit(&rule, "rra@example.com"), "no 2"); - ok(!server_config_acl_permit(&rule, "paul@EXAMPLE.COM"), "no 3"); - ok(!server_config_acl_permit(&rule, "peter@EXAMPLE.COM"), "no 4"); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@EXAMPLE.ORG")), "no 1"); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@example.com")), "no 2"); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("paul@EXAMPLE.COM")), "no 3"); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("peter@EXAMPLE.COM")), "no 4"); /* Okay, now capture and check the errors. 
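Review bot: Wrapping every principal in USER_ONLY_REQUEST pushes many of the rewritten `ok(...)` lines past the 79-column width the surrounding test code keeps (the `simple 1` to `simple 5` lines here, and the same pattern in every later hunk of acl-t.c and localgroup-t.c). A file-local helper removes the repetition and the long lines, e.g. `static bool permit(const struct rule *rule, const char *user)` returning `server_config_acl_permit(rule, USER_ONLY_REQUEST(user))`, after which each check is `ok(permit(&rule, "rra@example.org"), "simple 1");`. main() begins before this hunk.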
*/ acls[0] = "data/acl-bad-include"; acls[1] = "data/acls/valid"; errors_capture(); - ok(!server_config_acl_permit(&rule, "test@EXAMPLE.COM"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("test@EXAMPLE.COM")), "included file not found"); is_string("data/acl-bad-include:1: included file data/acl-nosuchfile" " not found\n", errors, "...and correct error message"); acls[0] = "data/acl-recursive"; errors_capture(); - ok(!server_config_acl_permit(&rule, "test@EXAMPLE.COM"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("test@EXAMPLE.COM")), "recursive ACL inclusion"); is_string("data/acl-recursive:3: data/acl-recursive recursively" " included\n", errors, "...and correct error message"); acls[0] = "data/acls/valid-2"; acls[1] = "data/acl-too-long"; errors_capture(); - ok(server_config_acl_permit(&rule, "test2@EXAMPLE.COM"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("test2@EXAMPLE.COM")), "granted access based on first ACL file"); ok(errors == NULL, "...with no errors"); - ok(!server_config_acl_permit(&rule, "test@EXAMPLE.COM"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("test@EXAMPLE.COM")), "...but failed when we hit second file with long line"); is_string("data/acl-too-long:1: ACL file line too long\n", errors, "...with correct error message"); acls[0] = "data/acl-no-such-file"; acls[1] = "data/acls/valid"; errors_capture(); - ok(!server_config_acl_permit(&rule, "test@EXAMPLE.COM"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("test@EXAMPLE.COM")), "no such ACL file"); is_string("TEST:0: included file data/acl-no-such-file not found\n", errors, "...with correct error message"); errors_capture(); - ok(!server_config_acl_permit(&rule, "test2@EXAMPLE.COM"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("test2@EXAMPLE.COM")), "...even with a principal in an ACL file"); is_string("TEST:0: included file data/acl-no-such-file not found\n", errors, "...still with right error message"); acls[0] = 
"data/acl-bad-syntax"; errors_capture(); - ok(!server_config_acl_permit(&rule, "test@EXAMPLE.COM"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("test@EXAMPLE.COM")), "incorrect syntax"); is_string("data/acl-bad-syntax:2: parse error\n", errors, "...with correct error message"); 
@@ -95,30 +96,30 @@ main(void) /* Check that file: works at the top level. */ acls[0] = "file:data/acl-simple"; acls[1] = NULL; - ok(server_config_acl_permit(&rule, "rra@example.org"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@example.org")), "file: success"); - ok(!server_config_acl_permit(&rule, "rra@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@EXAMPLE.ORG")), "file: failure"); /* Check that include syntax works. */ - ok(server_config_acl_permit(&rule, "incfile@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("incfile@EXAMPLE.ORG")), "include 1"); - ok(server_config_acl_permit(&rule, "incfdir@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("incfdir@EXAMPLE.ORG")), "include 2"); - ok(server_config_acl_permit(&rule, "explicit@EXAMPLE.COM"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("explicit@EXAMPLE.COM")), "include 3"); - ok(server_config_acl_permit(&rule, "direct@EXAMPLE.COM"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("direct@EXAMPLE.COM")), "include 4"); - ok(server_config_acl_permit(&rule, "good@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("good@EXAMPLE.ORG")), "include 5"); - ok(!server_config_acl_permit(&rule, "evil@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("evil@EXAMPLE.ORG")), "include failure"); /* Check that princ: works at the top level. */ acls[0] = "princ:direct@EXAMPLE.NET"; - ok(server_config_acl_permit(&rule, "direct@EXAMPLE.NET"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("direct@EXAMPLE.NET")), "princ: success"); - ok(!server_config_acl_permit(&rule, "wrong@EXAMPLE.NET"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("wrong@EXAMPLE.NET")), "princ: failure"); /* Check that deny: works at the top level. */ 
@@ -126,20 +127,20 @@ main(void) acls[1] = "princ:good@EXAMPLE.NET"; acls[2] = "princ:evil@EXAMPLE.NET"; acls[3] = NULL; - ok(server_config_acl_permit(&rule, "good@EXAMPLE.NET"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("good@EXAMPLE.NET")), "deny: success"); - ok(!server_config_acl_permit(&rule, "evil@EXAMPLE.NET"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("evil@EXAMPLE.NET")), "deny: failure"); /* And make sure deny interacts correctly with files. */ acls[0] = "data/acl-simple"; acls[1] = "princ:evil@EXAMPLE.NET"; acls[2] = NULL; - ok(!server_config_acl_permit(&rule, "evil@EXAMPLE.NET"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("evil@EXAMPLE.NET")), "deny in file beats later princ"); acls[0] = "deny:princ:rra@example.org"; acls[1] = "data/acl-simple"; - ok(!server_config_acl_permit(&rule, "rra@example.org"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@example.org")), "deny overrides later file"); /* @@ -148,9 +149,9 @@ main(void) */ acls[0] = "deny:deny:princ:rra@example.org"; acls[1] = "data/acl-simple"; - ok(server_config_acl_permit(&rule, "rra@example.org"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@example.org")), "deny:deny does nothing"); - ok(server_config_acl_permit(&rule, "rra@EXAMPLE.COM"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("rra@EXAMPLE.COM")), "deny:deny doesn't break anything"); /* 
@@ -162,18 +163,18 @@ main(void) acls[2] = "princ:evil@EXAMPLE.ORG"; acls[3] = "princ:evil@EXAMPLE.NET"; acls[4] = NULL; - ok(!server_config_acl_permit(&rule, "explicit@EXAMPLE.COM"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("explicit@EXAMPLE.COM")), "deny of a file works"); - ok(server_config_acl_permit(&rule, "evil@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("evil@EXAMPLE.ORG")), "...and doesn't break anything"); - ok(server_config_acl_permit(&rule, "evil@EXAMPLE.NET"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("evil@EXAMPLE.NET")), "...and deny inside a denied file is ignored"); /* Check for an invalid ACL scheme. */ acls[0] = "ihateyou:verymuch"; acls[1] = "data/acls/valid"; errors_capture(); - ok(!server_config_acl_permit(&rule, "test@EXAMPLE.COM"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("test@EXAMPLE.COM")), "invalid ACL scheme"); is_string("TEST:0: invalid ACL scheme 'ihateyou'\n", errors, "...with correct error"); 
@@ -187,19 +188,19 @@ main(void) acls[0] = "gput:test"; acls[1] = NULL; #ifdef HAVE_GPUT - ok(server_config_acl_permit(&rule, "priv@EXAMPLE.ORG"), "GPUT 1"); - ok(!server_config_acl_permit(&rule, "nonpriv@EXAMPLE.ORG"), "GPUT 2"); - ok(!server_config_acl_permit(&rule, "priv@EXAMPLE.NET"), "GPUT 3"); + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("priv@EXAMPLE.ORG"), "GPUT 1")); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("nonpriv@EXAMPLE.ORG"), "GPUT 2")); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("priv@EXAMPLE.NET"), "GPUT 3")); acls[0] = "gput:test[%@EXAMPLE.NET]"; - ok(server_config_acl_permit(&rule, "priv@EXAMPLE.NET"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("priv@EXAMPLE.NET")), "GPUT with transform 1"); - ok(!server_config_acl_permit(&rule, "nonpriv@EXAMPLE.NET"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("nonpriv@EXAMPLE.NET")), "GPUT with transform 2"); - ok(!server_config_acl_permit(&rule, "priv@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("priv@EXAMPLE.ORG")), "GPUT with transform 3"); #else errors_capture(); - ok(!server_config_acl_permit(&rule, "priv@EXAMPLE.ORG"), "GPUT"); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("priv@EXAMPLE.ORG")), "GPUT"); is_string("TEST:0: ACL scheme 'gput' is not supported\n", errors, "...with not supported error"); errors_uncapture(); 
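Review bot: The three `#ifdef HAVE_GPUT` lines `GPUT 1` to `GPUT 3` have the closing parenthesis in the wrong place: the description string now lands inside the server_config_acl_permit call as a third argument and `ok()` receives only one, so the file no longer compiles when GPUT support is enabled, and the non-GPUT `#else` branch (which most builds exercise) hides the error. They should read `ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("priv@EXAMPLE.ORG")), "GPUT 1");` with the same correction for the `nonpriv@EXAMPLE.ORG` and `priv@EXAMPLE.NET` lines.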
@@ -214,26 +215,26 @@ main(void) acls[1] = "pcre:host/.+\\.org@EXAMPLE\\.ORG"; acls[2] = NULL; #ifdef HAVE_PCRE - ok(server_config_acl_permit(&rule, "host/bar.org@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/bar.org@EXAMPLE.ORG")), "PCRE 1"); - ok(!server_config_acl_permit(&rule, "host/foobar.org@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/foobar.org@EXAMPLE.ORG")), "PCRE 2"); - ok(!server_config_acl_permit(&rule, "host/baz.org@EXAMPLE.NET"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/baz.org@EXAMPLE.NET")), "PCRE 3"); - ok(!server_config_acl_permit(&rule, "host/.org@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/.org@EXAMPLE.ORG")), "PCRE 4 (plus operator)"); - ok(!server_config_acl_permit(&rule, "host/seaorg@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/seaorg@EXAMPLE.ORG")), "PCRE 5 (escaped period)"); acls[1] = "pcre:+host/.*"; errors_capture(); - ok(!server_config_acl_permit(&rule, "host/bar.org@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/bar.org@EXAMPLE.ORG")), "PCRE invalid regex"); is_string("TEST:0: compilation of regex '+host/.*' failed around 0\n", errors, "...with invalid regex error"); errors_uncapture(); #else errors_capture(); - ok(!server_config_acl_permit(&rule, "host/foobar.org@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/foobar.org@EXAMPLE.ORG")), "PCRE"); is_string("TEST:0: ACL scheme 'pcre' is not supported\n", errors, "...with not supported error"); 
@@ -249,19 +250,19 @@ main(void) acls[1] = "regex:host/.*\\.org@EXAMPLE\\.ORG"; acls[2] = NULL; #ifdef HAVE_REGCOMP - ok(server_config_acl_permit(&rule, "host/bar.org@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/bar.org@EXAMPLE.ORG")), "regex 1"); - ok(!server_config_acl_permit(&rule, "host/foobar.org@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/foobar.org@EXAMPLE.ORG")), "regex 2"); - ok(!server_config_acl_permit(&rule, "host/baz.org@EXAMPLE.NET"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/baz.org@EXAMPLE.NET")), "regex 3"); - ok(server_config_acl_permit(&rule, "host/.org@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/.org@EXAMPLE.ORG")), "regex 4"); - ok(!server_config_acl_permit(&rule, "host/seaorg@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/seaorg@EXAMPLE.ORG")), "regex 5 (escaped period)"); acls[1] = "regex:*host/.*"; errors_capture(); - ok(!server_config_acl_permit(&rule, "host/bar.org@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/bar.org@EXAMPLE.ORG")), "regex invalid regex"); ok(strncmp(errors, "TEST:0: compilation of regex '*host/.*' failed:", strlen("TEST:0: compilation of regex '*host/.*' failed:")) == 0, @@ -271,7 +272,7 @@ main(void) errors = NULL; #else errors_capture(); - ok(!server_config_acl_permit(&rule, "host/foobar.org@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("host/foobar.org@EXAMPLE.ORG")), "regex"); is_string("TEST:0: ACL scheme 'regex' is not supported\n", errors, "...with not supported error"); 
@@ -284,17 +285,17 @@ main(void) /* Test for valid characters in ACL files. */ acls[0] = "file:data/acls"; acls[1] = NULL; - ok(server_config_acl_permit(&rule, "upcase@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("upcase@EXAMPLE.ORG")), "valid chars 1"); - ok(server_config_acl_permit(&rule, "test@EXAMPLE.COM"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("test@EXAMPLE.COM")), "valid chars 2"); - ok(server_config_acl_permit(&rule, "test2@EXAMPLE.COM"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("test2@EXAMPLE.COM")), "valid chars 3"); - ok(!server_config_acl_permit(&rule, "hash@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("hash@EXAMPLE.ORG")), "invalid chars 1"); - ok(!server_config_acl_permit(&rule, "period@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("period@EXAMPLE.ORG")), "invalid chars 2"); - ok(!server_config_acl_permit(&rule, "tilde@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("tilde@EXAMPLE.ORG")), "invalid chars 3"); return 0; diff --git a/tests/server/acl/localgroup-t.c b/tests/server/acl/localgroup-t.c index e56efbd2..0a4b0c8e 100644 --- a/tests/server/acl/localgroup-t.c +++ b/tests/server/acl/localgroup-t.c @@ -28,6 +28,7 @@ #include #include #include +#include /* * Lists of users used to populate the group membership field of various test @@ -73,7 +74,7 @@ main(void) errors_capture(); acls[0] = "localgroup:foobargroup"; acls[1] = NULL; - ok(!server_config_acl_permit(&rule, "foobaruser@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("foobaruser@EXAMPLE.ORG")), "localgroup ACL check fails"); is_string("TEST:0: ACL scheme 'localgroup' is not supported\n", errors, "...with not supported error"); 
@@ -124,32 +125,32 @@ main(void) set_passwd("someone", 0); acls[0] = "localgroup:empty"; acls[1] = NULL; - ok(!server_config_acl_permit(&rule, "someone@EXAMPLE.ORG"), "Empty"); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("someone@EXAMPLE.ORG")), "Empty"); /* Check behavior when user is expected to be in supplied group. */ fake_queue_group(&goodguys, 0); set_passwd("remi", 0); acls[0] = "localgroup:goodguys"; acls[1] = NULL; - ok(server_config_acl_permit(&rule, "remi@EXAMPLE.ORG"), "User in group"); + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("remi@EXAMPLE.ORG")), "User in group"); /* And when the user is not in the supplied group. */ fake_queue_group(&goodguys, 0); set_passwd("someoneelse", 0); - ok(!server_config_acl_permit(&rule, "someoneelse@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("someoneelse@EXAMPLE.ORG")), "User not in group"); /* Check that the user's primary group also counts. */ fake_queue_group(&goodguys, 0); set_passwd("otheruser", 42); - ok(server_config_acl_permit(&rule, "otheruser@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("otheruser@EXAMPLE.ORG")), "User has group as primary group"); /* And when the user does not convert to a local user or is complex. */ fake_queue_group(&goodguys, 0); set_passwd("remi", 0); errors_capture(); - ok(!server_config_acl_permit(&rule, "remi/admin@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("remi/admin@EXAMPLE.ORG")), "User with instance with base user in group"); is_string(NULL, errors, "...with no error"); @@ -158,7 +159,7 @@ main(void) memset(long_principal, 'A', sizeof(long_principal)); long_principal[sizeof(long_principal) - 1] = '\0'; errors_capture(); - ok(!server_config_acl_permit(&rule, long_principal), "Long principal"); + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST(long_principal)), "Long principal"); /* Determine the expected error message and check it. */ if (krb5_init_context(&ctx) != 0) 
@@ -173,14 +174,14 @@ main(void) /* Unsupported realm. */ fake_queue_group(&goodguys, 0); set_passwd("eagle", 0); - ok(!server_config_acl_permit(&rule, "eagle@ANY.OTHER.REALM.FR"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("eagle@ANY.OTHER.REALM.FR")), "Non-local realm"); /* Check behavior when syscall fails */ fake_queue_group(&goodguys, EPERM); set_passwd("remi", 0); errors_capture(); - ok(!server_config_acl_permit(&rule, "remi@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("remi@EXAMPLE.ORG")), "Failing getgrnam_r"); is_string("TEST:0: retrieving membership of localgroup goodguys failed\n", errors, "...with correct error message"); @@ -190,11 +191,11 @@ main(void) set_passwd("boba-fett", 0); acls[0] = "deny:localgroup:badguys"; acls[1] = NULL; - ok(!server_config_acl_permit(&rule, "boba-fett@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("boba-fett@EXAMPLE.ORG")), "Denied user"); fake_queue_group(&badguys, 0); set_passwd("remi", 0); - ok(!server_config_acl_permit(&rule, "remi@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("remi@EXAMPLE.ORG")), "User not in denied group but also not allowed"); /* Check that both deny and "allow" pragma work together */ 
@@ -204,17 +205,17 @@ main(void) acls[0] = "localgroup:goodguys"; acls[1] = "deny:localgroup:badguys"; acls[2] = NULL; - ok(server_config_acl_permit(&rule, "eagle@EXAMPLE.ORG"), + ok(server_config_acl_permit(&rule, USER_ONLY_REQUEST("eagle@EXAMPLE.ORG")), "User in allowed group plus a denied group"); fake_queue_group(&goodguys, 0); fake_queue_group(&badguys, 0); set_passwd("darth-maul", 0); - ok(!server_config_acl_permit(&rule, "darth-maul@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("darth-maul@EXAMPLE.ORG")), "User in a denied group plus an allowed group"); fake_queue_group(&goodguys, 0); fake_queue_group(&badguys, 0); set_passwd("anyoneelse", 0); - ok(!server_config_acl_permit(&rule, "anyoneelse@EXAMPLE.ORG"), + ok(!server_config_acl_permit(&rule, USER_ONLY_REQUEST("anyoneelse@EXAMPLE.ORG")), "User in neither denied nor allowed group"); /* Clean up. */