On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote:
> On 05/26/2015 01:33 PM, Sumit Bose wrote:
> >Hi,
> >
> >these patches add some unit tests and some additional improvements
> >related to the issues described in
> >https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue
> >is fixed by a patch from Alexander attached to the ticket.
> >
> >The first patch converts the existing check-based test to cmocka. If I
> >see it correctly all check-based test are converted now.
> 
> Cool! Before pushing, we should also reference ticket
> https://fedorahosted.org/freeipa/ticket/4922
> in the patch (no need to rebase right now).
> 
> >
> >The second adds tests for filter_logon_info() where the original issue
> >occurred. The wrong behavior in filter_logon_info() caused a crash in
> >dom_sid_string() which is made a bit more robust together with
> >string_to_sid() in the 3rd patch. The last patch add unit tests for
> >those two calls as well.

New version rebased on one-way trust patches attached.

Please note that the unit-test will fail with the initial version of the
one-way trust patches which does not allow an empty group list in the
PAC.

bye,
Sumit
From 4a31cfdd848e0ef51ee32817e634340d1e90c97f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 20 May 2015 18:31:19 +0200
Subject: [PATCH 145/148] ipa-kdb: convert test to cmocka

---
 daemons/ipa-kdb/Makefile.am           |   6 +-
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 129 ++++++++++++----------------------
 2 files changed, 48 insertions(+), 87 deletions(-)

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 
80747491f8315a9cb0b38965423ba5d160946278..a4ea366b01b248d3f0fbc0b694e02d00c2e4c3d1
 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -55,7 +55,7 @@ ipadb_la_LIBADD =             \
        $(NSS_LIBS)             \
        $(NULL)
 
-if HAVE_CHECK
+if HAVE_CMOCKA
 TESTS = ipa_kdb_tests
 check_PROGRAMS = ipa_kdb_tests
 endif
@@ -73,9 +73,9 @@ ipa_kdb_tests_SOURCES =        \
        ipa_kdb_audit_as.c      \
        $(KRB5_UTIL_SRCS)       \
        $(NULL)
-ipa_kdb_tests_CFLAGS = $(CHECK_CFLAGS)
+ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
 ipa_kdb_tests_LDADD =          \
-       $(CHECK_LIBS)           \
+       $(CMOCKA_LIBS)          \
        $(KRB5_LIBS)            \
        $(LDAP_LIBS)            \
        $(NDRPAC_LIBS)          \
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 
e1ae06a6e359e65873241116581f028f1a4e1bf3..1ff1cd49a4e409545ee908f0f7842520ae82e0a0
 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -1,49 +1,30 @@
-/** BEGIN COPYRIGHT BLOCK
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- * Additional permission under GPLv3 section 7:
- *
- * In the following paragraph, "GPL" means the GNU General Public
- * License, version 3 or any later version, and "Non-GPL Code" means
- * code that is governed neither by the GPL nor a license
- * compatible with the GPL.
- *
- * You may link the code of this Program with Non-GPL Code and convey
- * linked combinations including the two, provided that such Non-GPL
- * Code only links to the code of this Program through those well
- * defined interfaces identified in the file named EXCEPTION found in
- * the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline
- * functions from the Approved Interfaces without causing the resulting
- * work to be covered by the GPL. Only the copyright holders of this
- * Program may make changes or additions to the list of Approved
- * Interfaces.
- *
- * Authors:
- * Sumit Bose <sb...@redhat.com>
- *
- * Copyright (C) 2013 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
+/*
+    Authors:
+        Sumit Bose <sb...@redhat.com>
 
-#include <check.h>
-#include <stdlib.h>
+    Copyright (C) 2015 Red Hat
+
+    ipa-kdb tests
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
 #include <stdarg.h>
-#include <stdio.h>
-#include <stdbool.h>
-#include <krb5/krb5.h>
-#include <kdb.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
 
 #include "ipa-kdb/ipa_kdb.h"
 
@@ -74,7 +55,7 @@ int krb5_klog_syslog(int l, const char *format, ...)
 extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
                                  bool *with_pac, bool *with_pad);
 
-START_TEST(test_get_authz_data_types)
+void test_get_authz_data_types(void **state)
 {
     bool with_pac;
     bool with_pad;
@@ -100,40 +81,40 @@ START_TEST(test_get_authz_data_types)
 
     with_pad = true;
     get_authz_data_types(NULL, NULL, NULL, &with_pad);
-    fail_unless(!with_pad, "with_pad not false with NULL inuput.");
+    assert_false(with_pad);
 
     with_pac = true;
     get_authz_data_types(NULL, NULL, &with_pac, NULL);
-    fail_unless(!with_pac, "with_pac not false with NULL inuput.");
+    assert_false(with_pad);
 
     with_pad = true;
     with_pac = true;
     get_authz_data_types(NULL, NULL, &with_pac, &with_pad);
-    fail_unless(!with_pad, "with_pad not false with NULL inuput.");
-    fail_unless(!with_pac, "with_pac not false with NULL inuput.");
+    assert_false(with_pac);
+    assert_false(with_pad);
 
     entry = calloc(1, sizeof(krb5_db_entry));
-    fail_unless(entry != NULL, "calloc krb5_db_entry failed.");
+    assert_non_null(entry);
 
     ied = calloc(1, sizeof(struct ipadb_e_data));
-    fail_unless(ied != NULL, "calloc struct ipadb_e_data failed.");
+    assert_non_null(ied);
     entry->e_data = (void *) ied;
 
     kerr = krb5_init_context(&krb5_ctx);
-    fail_unless(kerr == 0, "krb5_init_context failed.");
+    assert_int_equal(kerr, 0);
     kerr = krb5_db_setup_lib_handle(krb5_ctx);
-    fail_unless(kerr == 0, "krb5_db_setup_lib_handle failed.\n");
+    assert_int_equal(kerr, 0);
     ipa_ctx = calloc(1, sizeof(struct ipadb_context));
-    fail_unless(ipa_ctx != NULL, "calloc failed.\n");
+    assert_non_null(ipa_ctx);
     ipa_ctx->kcontext = krb5_ctx;
     kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
-    fail_unless(kerr == 0, "krb5_db_set_context failed.\n");
+    assert_int_equal(kerr, 0);
 
     kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
-    fail_unless(kerr == 0, "krb5_parse_name failed.");
+    assert_int_equal(kerr, 0);
 
     kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ);
-    fail_unless(kerr == 0, "krb5_parse_name failed.");
+    assert_int_equal(kerr, 0);
 
     struct test_set {
         char **authz_data;
@@ -179,12 +160,8 @@ START_TEST(test_get_authz_data_types)
         ipa_ctx->config.last_update = time(NULL);
         entry->princ = test_set[c].princ;
         get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad);
-        fail_unless(with_pad == test_set[c].exp_with_pad, "with_pad not %s 
%s.",
-                    test_set[c].exp_with_pad ? "true" : "false",
-                    test_set[c].err_msg);
-        fail_unless(with_pac == test_set[c].exp_with_pac, "with_pac not %s 
%s.",
-                    test_set[c].exp_with_pac ? "true" : "false",
-                    test_set[c].err_msg);
+        assert_true(with_pad == test_set[c].exp_with_pad);
+        assert_true(with_pac == test_set[c].exp_with_pac);
     }
 
     krb5_free_principal(krb5_ctx, nfs_princ);
@@ -192,28 +169,12 @@ START_TEST(test_get_authz_data_types)
     krb5_db_fini(krb5_ctx);
     krb5_free_context(krb5_ctx);
 }
-END_TEST
 
-Suite * ipa_kdb_suite(void)
+int main(int argc, const char *argv[])
 {
-    Suite *s = suite_create("IPA kdb");
+    const UnitTest tests[] = {
+        unit_test(test_get_authz_data_types),
+    };
 
-    TCase *tc_helper = tcase_create("Helper functions");
-    tcase_add_test(tc_helper, test_get_authz_data_types);
-    suite_add_tcase(s, tc_helper);
-
-    return s;
-}
-
-int main(void)
-{
-    int number_failed;
-
-    Suite *s = ipa_kdb_suite ();
-    SRunner *sr = srunner_create (s);
-    srunner_run_all (sr, CK_VERBOSE);
-    number_failed = srunner_ntests_failed (sr);
-    srunner_free (sr);
-
-    return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+    return run_tests(tests);
 }
-- 
2.1.0

From b34502fc964f197b0792b8d387bdb99c0b7f8521 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 26 May 2015 10:26:28 +0200
Subject: [PATCH 146/148] ipa-kdb: add unit-test for filter_logon_info()

---
 daemons/ipa-kdb/ipa_kdb_mspac.c         |  41 ++---
 daemons/ipa-kdb/ipa_kdb_mspac_private.h |  57 +++++++
 daemons/ipa-kdb/tests/ipa_kdb_tests.c   | 275 +++++++++++++++++++++++++++++---
 3 files changed, 323 insertions(+), 50 deletions(-)
 create mode 100644 daemons/ipa-kdb/ipa_kdb_mspac_private.h

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 
df19880d37f9c006c6ec3a5e392d9eeecb1e45cb..ca110fd662990835aa7ef27f99148f3c47a43942
 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -28,31 +28,7 @@
 #include "util/time.h"
 #include "gen_ndr/ndr_krb5pac.h"
 
-struct ipadb_adtrusts {
-    char *domain_name;
-    char *flat_name;
-    char *domain_sid;
-    struct dom_sid domsid;
-    struct dom_sid *sid_blacklist_incoming;
-    int len_sid_blacklist_incoming;
-    struct dom_sid *sid_blacklist_outgoing;
-    int len_sid_blacklist_outgoing;
-    struct ipadb_adtrusts *parent;
-    char *parent_name;
-};
-
-struct ipadb_mspac {
-    char *flat_domain_name;
-    char *flat_server_name;
-    struct dom_sid domsid;
-
-    char *fallback_group;
-    uint32_t fallback_rid;
-
-    int num_trusts;
-    struct ipadb_adtrusts *trusts;
-    time_t last_update;
-};
+#include "ipa_kdb_mspac_private.h"
 
 static char *user_pac_attrs[] = {
     "objectClass",
@@ -113,10 +89,11 @@ static struct {
 #define AUTHZ_DATA_TYPE_PAD "PAD"
 #define AUTHZ_DATA_TYPE_NONE "NONE"
 
-static int string_to_sid(char *str, struct dom_sid *sid)
+int string_to_sid(const char *str, struct dom_sid *sid)
 {
     unsigned long val;
-    char *s, *t;
+    const char *s;
+    char *t;
     int i;
 
     memset(sid, '\0', sizeof(struct dom_sid));
@@ -174,7 +151,7 @@ static int string_to_sid(char *str, struct dom_sid *sid)
     return 0;
 }
 
-static char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
+char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
 {
     size_t c;
     size_t len;
@@ -1333,10 +1310,10 @@ static void filter_logon_info_log_message_rid(struct 
dom_sid *sid, uint32_t rid)
     }
 }
 
-static krb5_error_code filter_logon_info(krb5_context context,
-                                         TALLOC_CTX *memctx,
-                                         krb5_data realm,
-                                         struct PAC_LOGON_INFO_CTR *info)
+krb5_error_code filter_logon_info(krb5_context context,
+                                  TALLOC_CTX *memctx,
+                                  krb5_data realm,
+                                  struct PAC_LOGON_INFO_CTR *info)
 {
 
     /* We must refuse a PAC that comes signed with a cross realm TGT
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h 
b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
new file mode 100644
index 
0000000000000000000000000000000000000000..be04071762316643d687e80986db0d7510e53ded
--- /dev/null
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
@@ -0,0 +1,57 @@
+/*
+ * MIT Kerberos KDC database backend for FreeIPA
+ * This head file contains private declarations for ipa_kdb_mspac.c and should
+ * be used only there or in unit-test.
+ *
+ * Authors: Sumit Bose <sb...@redhat.com>
+ *
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#ifndef _IPA_KDB_MSPAC_PRIVATE_H_
+#define _IPA_KDB_MSPAC_PRIVATE_H_
+
+struct ipadb_mspac {
+    char *flat_domain_name;
+    char *flat_server_name;
+    struct dom_sid domsid;
+
+    char *fallback_group;
+    uint32_t fallback_rid;
+
+    int num_trusts;
+    struct ipadb_adtrusts *trusts;
+    time_t last_update;
+};
+
+struct ipadb_adtrusts {
+    char *domain_name;
+    char *flat_name;
+    char *domain_sid;
+    struct dom_sid domsid;
+    struct dom_sid *sid_blacklist_incoming;
+    int len_sid_blacklist_incoming;
+    struct dom_sid *sid_blacklist_outgoing;
+    int len_sid_blacklist_outgoing;
+    struct ipadb_adtrusts *parent;
+    char *parent_name;
+};
+
+int string_to_sid(const char *str, struct dom_sid *sid);
+char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
+
+#endif /* _IPA_KDB_MSPAC_PRIVATE_H_ */
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 
1ff1cd49a4e409545ee908f0f7842520ae82e0a0..7b9b85d2cf7fcc2478a522eccf686b3e2582447e
 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -22,11 +22,19 @@
 
 #include <errno.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <stddef.h>
+#include <stdint.h>
 #include <setjmp.h>
 #include <cmocka.h>
 
+#include <talloc.h>
+
+#include "gen_ndr/ndr_krb5pac.h"
+#include "gen_ndr/netlogon.h"
+
 #include "ipa-kdb/ipa_kdb.h"
+#include "ipa-kdb/ipa_kdb_mspac_private.h"
 
 #define NFS_PRINC_STRING "nfs/fully.qualified.host.n...@realm.name"
 #define NON_NFS_PRINC_STRING "abcdef/fully.qualified.host.n...@realm.name"
@@ -52,6 +60,240 @@ int krb5_klog_syslog(int l, const char *format, ...)
     return 0;
 }
 
+struct test_ctx {
+    krb5_context krb5_ctx;
+};
+
+#define DOMAIN_NAME "my.domain"
+#define REALM "MY.DOMAIN"
+#define REALM_LEN (sizeof(REALM) - 1)
+#define FLAT_NAME "MYDOM"
+#define DOM_SID "S-1-5-21-1-2-3"
+#define DOM_SID_TRUST "S-1-5-21-4-5-6"
+#define BLACKLIST_SID "S-1-5-1"
+
+void setup(void **state)
+{
+    int ret;
+    krb5_context krb5_ctx;
+    krb5_error_code kerr;
+    struct ipadb_context *ipa_ctx;
+    struct test_ctx *test_ctx;
+
+    kerr = krb5_init_context(&krb5_ctx);
+    assert_int_equal(kerr, 0);
+    kerr = krb5_db_setup_lib_handle(krb5_ctx);
+    assert_int_equal(kerr, 0);
+
+    ipa_ctx = calloc(1, sizeof(struct ipadb_context));
+    assert_non_null(ipa_ctx);
+
+    ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
+    assert_non_null(ipa_ctx->mspac);
+
+    /* make sure data is not read from LDAP */
+    ipa_ctx->mspac->last_update = time(NULL) - 1;
+
+    ret = string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid);
+    assert_int_equal(ret, 0);
+
+    ipa_ctx->mspac->num_trusts = 1;
+    ipa_ctx->mspac->trusts = calloc(1, sizeof(struct ipadb_adtrusts));
+    assert_non_null(ipa_ctx->mspac->trusts);
+
+    ipa_ctx->mspac->trusts[0].domain_name = strdup(DOMAIN_NAME);
+    assert_non_null(ipa_ctx->mspac->trusts[0].domain_name);
+
+    ipa_ctx->mspac->trusts[0].flat_name = strdup(FLAT_NAME);
+    assert_non_null(ipa_ctx->mspac->trusts[0].flat_name);
+
+    ipa_ctx->mspac->trusts[0].domain_sid = strdup(DOM_SID_TRUST);
+    assert_non_null(ipa_ctx->mspac->trusts[0].domain_sid);
+
+    ret = string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid);
+    assert_int_equal(ret, 0);
+
+    ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming = 1;
+    ipa_ctx->mspac->trusts[0].sid_blacklist_incoming = calloc(
+                           
ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming,
+                           sizeof(struct dom_sid));
+    assert_non_null(ipa_ctx->mspac->trusts[0].sid_blacklist_incoming);
+    ret = string_to_sid(BLACKLIST_SID,
+                        &ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
+    assert_int_equal(ret, 0);
+
+    struct dom_sid *sid_blacklist_incoming;
+    int len_sid_blacklist_incoming;
+
+    ipa_ctx->kcontext = krb5_ctx;
+    kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
+    assert_int_equal(kerr, 0);
+
+    test_ctx = talloc(NULL, struct test_ctx);
+    assert_non_null(test_ctx);
+
+    test_ctx->krb5_ctx = krb5_ctx;
+
+    *state = test_ctx;
+}
+
+void teardown(void **state)
+{
+    struct test_ctx *test_ctx;
+    struct ipadb_context *ipa_ctx;
+
+    test_ctx = (struct test_ctx *) *state;
+
+    ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx);
+    assert_non_null(ipa_ctx);
+    ipadb_mspac_struct_free(&ipa_ctx->mspac);
+
+    krb5_db_fini(test_ctx->krb5_ctx);
+    krb5_free_context(test_ctx->krb5_ctx);
+
+    talloc_free(test_ctx);
+}
+
+extern krb5_error_code filter_logon_info(krb5_context context,
+                                  TALLOC_CTX *memctx,
+                                  krb5_data realm,
+                                  struct PAC_LOGON_INFO_CTR *info);
+
+void test_filter_logon_info(void **state)
+{
+    krb5_error_code kerr;
+    krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
+    struct test_ctx *test_ctx;
+    struct PAC_LOGON_INFO_CTR *info;
+    int ret;
+    struct dom_sid dom_sid;
+    size_t c;
+    size_t d;
+
+    test_ctx = (struct test_ctx *) *state;
+
+    info = talloc_zero(test_ctx, struct PAC_LOGON_INFO_CTR);
+    assert_non_null(info);
+    info->info = talloc_zero(info, struct PAC_LOGON_INFO);
+    assert_non_null(info->info);
+
+    /* wrong flat name */
+    info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
+                                                               "WRONG");
+    assert_non_null(info->info->info3.base.logon_domain.string);
+
+    kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
+    assert_int_equal(kerr, EINVAL);
+
+    info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
+                                                               FLAT_NAME);
+    assert_non_null(info->info->info3.base.logon_domain.string);
+
+    /* missing domain SID */
+    kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
+    assert_int_equal(kerr, EINVAL);
+
+    /* wrong domain SID */
+    ret = string_to_sid("S-1-5-21-1-1-1", &dom_sid);
+    assert_int_equal(ret, 0);
+    info->info->info3.base.domain_sid = &dom_sid;
+
+    kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
+    assert_int_equal(kerr, EINVAL);
+
+    /* matching domain SID */
+    ret = string_to_sid(DOM_SID_TRUST, &dom_sid);
+    assert_int_equal(ret, 0);
+    info->info->info3.base.domain_sid = &dom_sid;
+
+    kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
+    assert_int_equal(kerr, 0);
+
+    /* empty SIDs */
+    info->info->info3.sidcount = 3;
+    info->info->info3.sids = talloc_zero_array(info->info,
+                                               struct netr_SidAttr,
+                                               info->info->info3.sidcount);
+    assert_non_null(info->info->info3.sids);
+    for(c = 0; c < info->info->info3.sidcount; c++) {
+        info->info->info3.sids[c].sid = talloc_zero(info->info->info3.sids,
+                                                    struct dom_sid2);
+        assert_non_null(info->info->info3.sids[c].sid);
+    }
+
+    kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
+    assert_int_equal(kerr, 0);
+    assert_int_equal(info->info->info3.sidcount, 3);
+
+    struct test_data {
+        size_t sidcount;
+        const char *sids[3];
+        size_t exp_sidcount;
+        const char *exp_sids[3];
+    } test_data[] = {
+        /* only allowed SIDs */
+        {3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
+         3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", 
DOM_SID_TRUST"-1002"}},
+        /* last SID filtered */
+        {3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
+         2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001"}},
+        /* center SID filtered */
+        {3, {DOM_SID_TRUST"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
+         2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1002"}},
+        /* first SID filtered */
+        {3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
+         2, {DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
+        /* first and last SID filtered */
+        {3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
+         1, {DOM_SID_TRUST"-1001"}},
+        /* two SIDs in a rwo filtered */
+        {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
+         1, {DOM_SID_TRUST"-1002"}},
+        /* all SIDs filtered*/
+        {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
+         0, NULL},
+        {0, NULL, 0 , NULL}
+    };
+
+    for (c = 0; test_data[c].sidcount != 0; c++) {
+        talloc_free(info->info->info3.sids);
+
+        info->info->info3.sidcount = test_data[c].sidcount;
+        info->info->info3.sids = talloc_zero_array(info->info,
+                                                   struct netr_SidAttr,
+                                                   info->info->info3.sidcount);
+        assert_non_null(info->info->info3.sids);
+        for(d = 0; d < info->info->info3.sidcount; d++) {
+            info->info->info3.sids[d].sid = talloc_zero(info->info->info3.sids,
+                                                        struct dom_sid2);
+            assert_non_null(info->info->info3.sids[d].sid);
+        }
+
+        for (d = 0; d < info->info->info3.sidcount; d++) {
+            ret = string_to_sid(test_data[c].sids[d],
+                                info->info->info3.sids[d].sid);
+            assert_int_equal(ret, 0);
+        }
+
+        kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
+        assert_int_equal(kerr, 0);
+        assert_int_equal(info->info->info3.sidcount, 
test_data[c].exp_sidcount);
+        if (test_data[c].exp_sidcount == 0) {
+            assert_null(info->info->info3.sids);
+        } else {
+            for (d = 0; d < test_data[c].exp_sidcount; d++) {
+                assert_string_equal(test_data[c].exp_sids[d],
+                                 dom_sid_string(info->info->info3.sids,
+                                                
info->info->info3.sids[d].sid));
+            }
+        }
+    }
+
+
+    talloc_free(info);
+
+}
+
 extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
                                  bool *with_pac, bool *with_pad);
 
@@ -76,6 +318,11 @@ void test_get_authz_data_types(void **state)
     struct ipadb_context *ipa_ctx;
     krb5_principal nfs_princ;
     krb5_principal non_nfs_princ;
+    struct test_ctx *test_ctx;
+
+    test_ctx = (struct test_ctx *) *state;
+    ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx);
+    assert_non_null(ipa_ctx);
 
     get_authz_data_types(NULL, NULL, NULL, NULL);
 
@@ -100,20 +347,11 @@ void test_get_authz_data_types(void **state)
     assert_non_null(ied);
     entry->e_data = (void *) ied;
 
-    kerr = krb5_init_context(&krb5_ctx);
-    assert_int_equal(kerr, 0);
-    kerr = krb5_db_setup_lib_handle(krb5_ctx);
-    assert_int_equal(kerr, 0);
-    ipa_ctx = calloc(1, sizeof(struct ipadb_context));
-    assert_non_null(ipa_ctx);
-    ipa_ctx->kcontext = krb5_ctx;
-    kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
-    assert_int_equal(kerr, 0);
-
-    kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
+    kerr = krb5_parse_name(test_ctx->krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
     assert_int_equal(kerr, 0);
 
-    kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ);
+    kerr = krb5_parse_name(test_ctx->krb5_ctx, NON_NFS_PRINC_STRING,
+                           &non_nfs_princ);
     assert_int_equal(kerr, 0);
 
     struct test_set {
@@ -159,21 +397,22 @@ void test_get_authz_data_types(void **state)
         /* Set last_update to avoid LDAP lookups during tests */
         ipa_ctx->config.last_update = time(NULL);
         entry->princ = test_set[c].princ;
-        get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad);
+        get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad);
         assert_true(with_pad == test_set[c].exp_with_pad);
         assert_true(with_pac == test_set[c].exp_with_pac);
     }
 
-    krb5_free_principal(krb5_ctx, nfs_princ);
-    krb5_free_principal(krb5_ctx, non_nfs_princ);
-    krb5_db_fini(krb5_ctx);
-    krb5_free_context(krb5_ctx);
+    free(ied);
+    free(entry);
+    krb5_free_principal(test_ctx->krb5_ctx, nfs_princ);
+    krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
 }
 
 int main(int argc, const char *argv[])
 {
     const UnitTest tests[] = {
-        unit_test(test_get_authz_data_types),
+        unit_test_setup_teardown(test_get_authz_data_types, setup, teardown),
+        unit_test_setup_teardown(test_filter_logon_info, setup, teardown),
     };
 
     return run_tests(tests);
-- 
2.1.0

From e4c6a3b480b8b3a3d655f47ba5b758a5279981e8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 26 May 2015 13:00:26 +0200
Subject: [PATCH 147/148] ipa-kdb: make string_to_sid() and dom_sid_string()
 more robust

---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 
ca110fd662990835aa7ef27f99148f3c47a43942..abbc7ac7f0adf76da5823d0813ecf2e10622cd7d
 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -96,6 +96,10 @@ int string_to_sid(const char *str, struct dom_sid *sid)
     char *t;
     int i;
 
+    if (str == NULL) {
+        return EINVAL;
+    }
+
     memset(sid, '\0', sizeof(struct dom_sid));
 
     s = str;
@@ -159,13 +163,18 @@ char *dom_sid_string(TALLOC_CTX *memctx, const struct 
dom_sid *dom_sid)
     uint32_t ia;
     char *buf;
 
-    if (dom_sid == NULL) {
+    if (dom_sid == NULL
+            || dom_sid->num_auths < 0
+            || dom_sid->num_auths > SID_SUB_AUTHS) {
         return NULL;
     }
 
     len = 25 + dom_sid->num_auths * 11;
 
     buf = talloc_zero_size(memctx, len);
+    if (buf == NULL) {
+        return NULL;
+    }
 
     ia = (dom_sid->id_auth[5]) +
          (dom_sid->id_auth[4] << 8 ) +
-- 
2.1.0

From aff3c985a7e3ea6bef691db3d0578aae1a7013a1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 26 May 2015 13:01:13 +0200
Subject: [PATCH 148/148] ipa-kdb: add unit_tests for string_to_sid() and
 dom_sid_string()

---
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 60 +++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 
7b9b85d2cf7fcc2478a522eccf686b3e2582447e..edd4ae0975628d6b3abe9bab2852c990c9a8c590
 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -408,11 +408,71 @@ void test_get_authz_data_types(void **state)
     krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
 }
 
+void test_string_to_sid(void **state)
+{
+    int ret;
+    struct dom_sid sid;
+    struct dom_sid exp_sid = {1, 5, {0, 0, 0, 0, 0, 5},
+                              {21, 2127521184, 1604012920, 1887927527, 72713,
+                               0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
+
+    ret = string_to_sid(NULL, &sid);
+    assert_int_equal(ret, EINVAL);
+
+    ret = string_to_sid("abc", &sid);
+    assert_int_equal(ret, EINVAL);
+
+    ret = string_to_sid("S-", &sid);
+    assert_int_equal(ret, EINVAL);
+
+    ret = string_to_sid("S-ABC", &sid);
+    assert_int_equal(ret, EINVAL);
+
+    ret = string_to_sid("S-123", &sid);
+    assert_int_equal(ret, EINVAL);
+
+    ret = string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid);
+    assert_int_equal(ret, EINVAL);
+
+    ret = string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713",
+                        &sid);
+    assert_int_equal(ret, 0);
+    assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
+}
+
+void test_dom_sid_string(void **state)
+{
+    struct test_ctx *test_ctx;
+    char *str_sid;
+    struct dom_sid test_sid = {1, 5, {0, 0, 0, 0, 0, 5},
+                               {21, 2127521184, 1604012920, 1887927527, 72713,
+                                0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
+
+    test_ctx = (struct test_ctx *) *state;
+
+    str_sid = dom_sid_string(test_ctx, NULL);
+    assert_null(str_sid);
+
+    str_sid = dom_sid_string(test_ctx, &test_sid);
+    assert_non_null(str_sid);
+    assert_string_equal(str_sid,
+                        "S-1-5-21-2127521184-1604012920-1887927527-72713");
+
+    test_sid.num_auths = -3;
+    str_sid = dom_sid_string(test_ctx, &test_sid);
+
+    test_sid.num_auths = 16;
+    str_sid = dom_sid_string(test_ctx, &test_sid);
+}
+
+
 int main(int argc, const char *argv[])
 {
     const UnitTest tests[] = {
         unit_test_setup_teardown(test_get_authz_data_types, setup, teardown),
         unit_test_setup_teardown(test_filter_logon_info, setup, teardown),
+        unit_test(test_string_to_sid),
+        unit_test_setup_teardown(test_dom_sid_string, setup, teardown),
     };
 
     return run_tests(tests);
-- 
2.1.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to