Commit 8687a348 authored by David Zeuthen's avatar David Zeuthen

fix unit tests for polkit-authorization-db.c

parent 2de93f9b
......@@ -151,76 +151,6 @@ out:
return ret;
}
#ifdef POLKIT_BUILD_TESTS
static struct passwd *
kit_getpwnam (const char *username)
{
struct passwd *pw;
FILE *f;
const char *passwd_file;
f = NULL;
pw = NULL;
if ((passwd_file = getenv ("POLKIT_TEST_PASSWD_FILE")) == NULL)
return getpwnam (username);
f = fopen (passwd_file, "r");
if (f == NULL)
goto out;
while ((pw = fgetpwent (f)) != NULL) {
if (strcmp (pw->pw_name, username) == 0)
goto out;
}
out:
if (f != NULL)
fclose (f);
return pw;
}
static struct passwd *
kit_getpwuid (uid_t uid)
{
struct passwd *pw;
FILE *f;
const char *passwd_file;
f = NULL;
pw = NULL;
if ((passwd_file = getenv ("POLKIT_TEST_PASSWD_FILE")) == NULL)
return getpwuid (uid);
f = fopen (passwd_file, "r");
if (f == NULL)
goto out;
while ((pw = fgetpwent (f)) != NULL) {
if (pw->pw_uid == uid)
goto out;
}
out:
if (f != NULL)
fclose (f);
return pw;
}
#else
static struct passwd *
kit_getpwnam (const char *username)
{
return getpwnam (username);
}
static struct passwd *
kit_getpwuid (uid_t uid)
{
return getpwuid (uid);
}
#endif
static polkit_bool_t
dump_auths_all (const char *root)
{
......
......@@ -107,11 +107,13 @@ main (int argc, char *argv[])
ret = 1;
#ifndef POLKIT_BUILD_TESTS
/* clear the entire environment to avoid attacks using with libraries honoring environment variables */
if (clearenv () != 0)
goto out;
/* set a minimal environment */
setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
#endif
openlog ("polkit-revoke-helper", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
......@@ -132,6 +134,14 @@ main (int argc, char *argv[])
invoking_uid = getuid ();
/* check that we are setgid polkituser */
#ifdef POLKIT_BUILD_TESTS
char *pretend;
if ((pretend = getenv ("POLKIT_TEST_PRETEND_TO_BE_UID")) != NULL) {
invoking_uid = atoi (pretend);
goto skip_check;
}
kit_warning ("foo %s", pretend);
#endif
egid = getegid ();
group = getgrgid (egid);
if (group == NULL) {
......@@ -142,6 +152,9 @@ main (int argc, char *argv[])
fprintf (stderr, "polkit-revoke-helper: needs to be setgid " POLKIT_GROUP "\n");
goto out;
}
#ifdef POLKIT_BUILD_TESTS
skip_check:
#endif
entry_to_remove = argv[1];
target_type = argv[2];
......@@ -181,21 +194,38 @@ main (int argc, char *argv[])
not_granted_by_self = FALSE;
#ifdef POLKIT_BUILD_TESTS
char *test_dir;
char dir_run[256];
char dir_lib[256];
if ((test_dir = getenv ("POLKIT_TEST_LOCALSTATE_DIR")) == NULL) {
test_dir = PACKAGE_LOCALSTATE_DIR;
}
kit_assert ((size_t) snprintf (dir_run, sizeof (dir_run), "%s/run/PolicyKit", test_dir) < sizeof (dir_run));
kit_assert ((size_t) snprintf (dir_lib, sizeof (dir_lib), "%s/lib/PolicyKit", test_dir) < sizeof (dir_lib));
#else
char *dir_run = PACKAGE_LOCALSTATE_DIR "/run/PolicyKit";
char *dir_lib = PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit";
#endif
is_one_shot = FALSE;
if (strcmp (scope, "scope=process") == 0) {
root = PACKAGE_LOCALSTATE_DIR "/run/PolicyKit";
root = dir_run;
} else if (strcmp (scope, "scope=process-one-shot") == 0) {
root = PACKAGE_LOCALSTATE_DIR "/run/PolicyKit";
root = dir_run;
is_one_shot = TRUE;
} else if (strcmp (scope, "scope=session") == 0) {
root = PACKAGE_LOCALSTATE_DIR "/run/PolicyKit";
root = dir_run;
} else if (strcmp (scope, "scope=always") == 0) {
root = PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit";
root = dir_lib;
} else if (strcmp (scope, "scope=grant") == 0 ||
strcmp (scope, "scope=grant-negative") == 0) {
unsigned int n;
root = PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit";
root = dir_lib;
for (n = 1; n < num_tokens; n++) {
if (strncmp (tokens[n], "granted-by=", sizeof ("granted-by=") - 1) == 0) {
......@@ -223,6 +253,7 @@ main (int argc, char *argv[])
goto out;
}
if (invoking_uid != 0) {
/* Check that the caller is privileged to do this... basically, callers can only
* revoke auths granted by themselves...
......@@ -240,7 +271,7 @@ main (int argc, char *argv[])
}
}
pw = getpwuid (uid_to_revoke);
pw = kit_getpwuid (uid_to_revoke);
if (pw == NULL) {
fprintf (stderr, "polkit-revoke-helper: cannot lookup user name for uid %d\n", uid_to_revoke);
goto out;
......@@ -309,11 +340,18 @@ main (int argc, char *argv[])
*/
ret = 0;
#ifdef POLKIT_BUILD_TESTS
if (test_dir != NULL)
goto no_reload;
#endif
/* trigger a reload */
if (utimes (PACKAGE_LOCALSTATE_DIR "/lib/misc/PolicyKit.reload", NULL) != 0) {
fprintf (stderr, "Error updating access+modification time on file '%s': %m\n",
PACKAGE_LOCALSTATE_DIR "/lib/misc/PolicyKit.reload");
}
#ifdef POLKIT_BUILD_TESTS
no_reload:
#endif
out:
......
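Review bot: `kit_warning ("foo %s", pretend);` in the `POLKIT_TEST_PRETEND_TO_BE_UID` block is reached only when `getenv` returned NULL, so it hands a null pointer to `%s` and reads like leftover debug output; I would drop the line. In the same block `invoking_uid = atoi (pretend);` turns any non-numeric value into 0, which the later `if (invoking_uid != 0)` check treats as the privileged caller. Because `clearenv ()` now sits behind `#ifndef POLKIT_BUILD_TESTS`, that variable stays reachable in test builds, so a comment such as `/* test builds only: the environment picks the caller uid and bypasses the setgid check; never install this binary */` belongs above it. Near the end, `test_dir` is never NULL after its fallback to `PACKAGE_LOCALSTATE_DIR`, so `goto no_reload` fires on every test-build run, including ones without `POLKIT_TEST_LOCALSTATE_DIR` set. `main` starts and ends outside these hunks.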
......@@ -317,9 +317,15 @@ _authdb_get_auths_for_uid (PolKitAuthorizationDB *authdb,
&standard_output, /* char **stdout */
NULL, /* char **stderr */
&exit_status)) { /* int *exit_status */
polkit_error_set_error (error,
POLKIT_ERROR_GENERAL_ERROR,
"Error spawning read auth helper: %m");
if (errno == ENOMEM) {
polkit_error_set_error (error,
POLKIT_ERROR_OUT_OF_MEMORY,
"Error spawning read auth helper: OOM");
} else {
polkit_error_set_error (error,
POLKIT_ERROR_GENERAL_ERROR,
"Error spawning read auth helper: %m");
}
goto out;
}
......@@ -754,6 +760,8 @@ typedef struct {
polkit_bool_t *out_is_authorized;
polkit_bool_t *out_is_negative_authorized;
PolKitError *error;
} CheckData;
static polkit_bool_t
......@@ -766,7 +774,6 @@ _check_auth_for_caller (PolKitAuthorizationDB *authdb, PolKitAuthorization *auth
polkit_uint64_t caller_pid_start_time;
CheckData *cd = (CheckData *) user_data;
PolKitAuthorizationConstraint *constraint;
PolKitError *error;
ret = FALSE;
......@@ -790,12 +797,14 @@ _check_auth_for_caller (PolKitAuthorizationDB *authdb, PolKitAuthorization *auth
/* it's a match already; revoke if asked to do so */
if (cd->revoke_if_one_shot) {
error = NULL;
if (!polkit_authorization_db_revoke_entry (authdb, auth, &error)) {
kit_warning ("Cannot revoke one-shot auth: %s: %s",
polkit_error_get_error_name (error),
polkit_error_get_error_message (error));
polkit_error_free (error);
cd->error = NULL;
if (!polkit_authorization_db_revoke_entry (authdb, auth, &(cd->error))) {
//kit_warning ("Cannot revoke one-shot auth: %s: %s",
// polkit_error_get_error_name (cd->error),
// polkit_error_get_error_message (cd->error));
/* stop iterating */
ret = TRUE;
goto no_match;
}
}
}
......@@ -886,6 +895,7 @@ polkit_authorization_db_is_caller_authorized (PolKitAuthorizationDB *authdb,
cd.caller = caller;
cd.revoke_if_one_shot = revoke_if_one_shot;
cd.error = NULL;
cd.caller_pid_start_time = polkit_sysdeps_get_start_time_for_pid (cd.caller_pid);
if (cd.caller_pid_start_time == 0) {
......@@ -931,6 +941,15 @@ polkit_authorization_db_is_caller_authorized (PolKitAuthorizationDB *authdb,
goto out;
}
if (polkit_error_is_set (cd.error)) {
if (error != NULL) {
*error = cd.error;
} else {
polkit_error_free (cd.error);
}
goto out;
}
ret = TRUE;
out:
......@@ -955,7 +974,7 @@ polkit_authorization_db_revoke_entry (PolKitAuthorizationDB *authdb,
PolKitAuthorization *auth,
PolKitError **error)
{
char *helper_argv[] = {PACKAGE_LIBEXEC_DIR "/polkit-revoke-helper", "", NULL, NULL, NULL};
char *helper_argv[] = {NULL, "", NULL, NULL, NULL};
const char *auth_file_entry;
polkit_bool_t ret;
int exit_status;
......@@ -968,9 +987,28 @@ polkit_authorization_db_revoke_entry (PolKitAuthorizationDB *authdb,
auth_file_entry = _polkit_authorization_get_authfile_entry (auth);
//g_debug ("should delete line '%s'", auth_file_entry);
#ifdef POLKIT_BUILD_TESTS
char helper_buf[256];
char *helper_bin_dir;
if ((helper_bin_dir = getenv ("POLKIT_TEST_BUILD_DIR")) != NULL) {
kit_assert ((size_t) snprintf (helper_buf, sizeof (helper_buf), "%s/src/polkit-grant/polkit-revoke-helper", helper_bin_dir) < sizeof (helper_buf));
helper_argv[0] = helper_buf;
} else {
helper_argv[0] = PACKAGE_LIBEXEC_DIR "/polkit-revoke-helper";
}
#else
helper_argv[0] = PACKAGE_LIBEXEC_DIR "/polkit-revoke-helper";
#endif
helper_argv[1] = (char *) auth_file_entry;
helper_argv[2] = "uid";
helper_argv[3] = kit_strdup_printf ("%d", polkit_authorization_get_uid (auth));
if (helper_argv[3] == NULL) {
polkit_error_set_error (error,
POLKIT_ERROR_OUT_OF_MEMORY,
"Out of memory");
goto out;
}
if (!kit_spawn_sync (NULL, /* const char *working_directory */
0, /* flags */
......@@ -980,9 +1018,15 @@ polkit_authorization_db_revoke_entry (PolKitAuthorizationDB *authdb,
NULL, /* char **stdout */
NULL, /* char **stderr */
&exit_status)) { /* int *exit_status */
polkit_error_set_error (error,
POLKIT_ERROR_GENERAL_ERROR,
"Error spawning revoke helper: %m");
if (errno == ENOMEM) {
polkit_error_set_error (error,
POLKIT_ERROR_OUT_OF_MEMORY,
"Error spawning revoke helper: OOM");
} else {
polkit_error_set_error (error,
POLKIT_ERROR_GENERAL_ERROR,
"Error spawning revoke helper: %m");
}
goto out;
}
......@@ -1097,8 +1141,7 @@ _run_test (void)
"";
const char test_pu2_lib[] =
"";
const char test_pu3_run[] =
"";
char test_pu3_run[512];
const char test_pu3_lib[] =
"";
PolKitCaller *caller;
......@@ -1106,10 +1149,23 @@ _run_test (void)
polkit_bool_t is_auth;
polkit_bool_t is_neg;
PolKitError *error;
polkit_uint64_t start_time;
adb = NULL;
caller = NULL;
action = NULL;
start_time = polkit_sysdeps_get_start_time_for_pid (getpid ());
if (start_time == 0)
goto out;
if (snprintf (test_pu3_run, sizeof (test_pu3_run),
"scope=process:pid=%d:pid-start-time=%lld:action-id=org.example.per-process:when=1196307507:auth-as=500:constraint=none\n"
"scope=process-one-shot:pid=%d:pid-start-time=%lld:action-id=org.example.per-process-one-shot:when=1196307507:auth-as=500:constraint=none\n",
getpid (), start_time,
getpid (), start_time) >= (int) sizeof (test_pu3_run))
goto fail;
if (setenv ("POLKIT_TEST_LOCALSTATE_DIR", TEST_DATA_DIR "authdb-test", 1) != 0)
goto fail;
......@@ -1117,7 +1173,7 @@ _run_test (void)
if (setenv ("POLKIT_TEST_BUILD_DIR", TEST_BUILD_DIR, 1) != 0)
goto fail;
if (setenv ("POLKIT_TEST_PASSWD_FILE", TEST_DATA_DIR "authdb-test/passwd", 1) != 0)
if (setenv ("KIT_TEST_PASSWD_FILE", TEST_DATA_DIR "authdb-test/passwd", 1) != 0)
goto fail;
/* create test users */
......@@ -1170,6 +1226,11 @@ _run_test (void)
if (polkit_authorization_db_is_caller_authorized (adb, action, caller, FALSE, &is_auth, &is_neg, &error)) {
kit_assert (! polkit_error_is_set (error) && is_auth && !is_neg);
} else {
//kit_warning ("%p: %d: %s: %s",
// error,
// polkit_error_get_error_code (error),
// polkit_error_get_error_name (error),
// polkit_error_get_error_message (error));
kit_assert (polkit_error_is_set (error) &&
polkit_error_get_error_code (error) == POLKIT_ERROR_OUT_OF_MEMORY);
polkit_error_free (error);
......@@ -1225,6 +1286,55 @@ _run_test (void)
_polkit_authorization_db_invalidate_cache (adb);
/* test: pu3 is authorized for org.example.per-process */
if (!polkit_action_set_action_id (action, "org.example.per-process"))
goto out;
kit_assert (polkit_caller_set_uid (caller, 50403));
if (setenv ("POLKIT_TEST_PRETEND_TO_BE_UID", "50403", 1) != 0)
goto fail;
error = NULL;
if (polkit_authorization_db_is_caller_authorized (adb, action, caller, FALSE, &is_auth, &is_neg, &error)) {
kit_assert (! polkit_error_is_set (error) && is_auth && !is_neg);
} else {
kit_assert (polkit_error_is_set (error) &&
polkit_error_get_error_code (error) == POLKIT_ERROR_OUT_OF_MEMORY);
polkit_error_free (error);
}
/* test: pu3 is authorized for org.example.per-process-one-shot just once */
if (!polkit_action_set_action_id (action, "org.example.per-process-one-shot"))
goto out;
kit_assert (polkit_caller_set_uid (caller, 50403));
if (setenv ("POLKIT_TEST_PRETEND_TO_BE_UID", "50403", 1) != 0)
goto fail;
error = NULL;
if (polkit_authorization_db_is_caller_authorized (adb, action, caller, TRUE, &is_auth, &is_neg, &error)) {
kit_assert (! polkit_error_is_set (error) && is_auth && !is_neg);
_polkit_authorization_db_invalidate_cache (adb);
if (polkit_authorization_db_is_caller_authorized (adb, action, caller, TRUE, &is_auth, &is_neg, &error)) {
if (is_auth || is_neg) {
kit_warning ("pu3 shouldn't be authorized for something twice: %d %d", is_auth, is_neg);
goto fail;
}
} else {
if (polkit_error_is_set (error)) {
kit_assert (polkit_error_get_error_code (error) == POLKIT_ERROR_OUT_OF_MEMORY);
polkit_error_free (error);
}
}
} else {
kit_assert (polkit_error_is_set (error) &&
polkit_error_get_error_code (error) == POLKIT_ERROR_OUT_OF_MEMORY);
polkit_error_free (error);
}
_polkit_authorization_db_invalidate_cache (adb);
out:
if (action != NULL)
......@@ -1250,7 +1360,7 @@ out:
if (unsetenv ("POLKIT_TEST_BUILD_DIR") != 0)
goto fail;
if (unsetenv ("POLKIT_TEST_PASSWD_FILE") != 0)
if (unsetenv ("KIT_TEST_PASSWD_FILE") != 0)
goto fail;
return TRUE;
......
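Review bot: A failed one-shot revocation in `_check_auth_for_caller` now leaves no trace, since the `kit_warning` is commented out and the only signal is `cd->error`, which `polkit_authorization_db_is_caller_authorized` frees silently when its caller passed `error == NULL`. A one-shot authorization that could not be revoked is worth a log line; rather than keeping dead code, log everything except the out-of-memory case the unit tests appear to expect: `if (polkit_error_get_error_code (cd->error) != POLKIT_ERROR_OUT_OF_MEMORY) kit_warning ("Cannot revoke one-shot auth: %s", polkit_error_get_error_message (cd->error));`. Whether `*cd->out_is_authorized` is still untouched when the code jumps to `no_match` is decided outside the hunk and should be confirmed. The `errno == ENOMEM` tests after both `kit_spawn_sync` calls also assume errno still describes the spawn failure, which depends on code not shown here.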
......@@ -148,7 +148,10 @@ _polkit_policy_cache_new (const char *dirname, polkit_bool_t load_descriptions,
if (pf == NULL) {
if (polkit_error_get_error_code (pk_error) == POLKIT_ERROR_OUT_OF_MEMORY) {
polkit_error_set_error (error, POLKIT_ERROR_OUT_OF_MEMORY, "Out of memory");
if (error != NULL)
*error = pk_error;
else
polkit_error_free (pk_error);
goto out;
}
......
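Review bot: Ownership of `pk_error` moves to the caller in `*error = pk_error;`, but the local pointer keeps its value, so any cleanup at `out:` (outside this hunk) that frees `pk_error` would free an object the caller now holds. Clearing it right after the hand-over makes the transfer explicit: `if (error != NULL) *error = pk_error; else polkit_error_free (pk_error); pk_error = NULL;`. The unbraced `if`/`else` also differs from the braced form used for the same hand-over in `polkit_authorization_db_is_caller_authorized`; matching it would be more consistent. The rest of `_polkit_policy_cache_new` is not visible here.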