libvirt/tests/virpolkittest.c

305 lines
8.2 KiB
C
Raw Permalink Normal View History

/*
polkit: Adjust message when authentication agent isn't found When there isn't a ssh -X type session running and a user has not been added to the libvirt group, attempts to run 'virsh -c qemu:///system' commands from an otherwise unprivileged user will fail with rather generic or opaque error message: "error: authentication failed: no agent is available to authenticate" This patch will adjust the error code and message to help reflect the situation that the problem is the requested mechanism is UNAVAILABLE and a slightly more descriptive error. The result on a failure then becomes: "error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'" A bit more history on this - at one time a failure generated the following type message when running the 'pkcheck' as a subprocess: "error: authentication failed: polkit\56retains_authorization_after_challenge=1 Authorization requires authentication but no agent is available." but, a patch was generated to adjust the error message to help provide more details about what failed. This was pushed as commit id '96a108c99'. That patch prepended a "polkit: " to the output. It really didn't solve the problem, but gave a hint. After some time it was deemed using DBus API calls directly was a better way to go (since pkcheck calls them anyway). So, commit id '1b854c76' (more or less) copied the code from remoteDispatchAuthPolkit and adjusted it. Then commit id 'c7542573' adjusted the remote.c code to call the new API (virPolkitCheckAuth). Finally, commit id '308c0c5a' altered the code to call DBus APIs directly. In doing so, it reverted the failing error message to the generic message that would have been received from DBus anyway.
2016-01-14 19:34:28 +00:00
* Copyright (C) 2013, 2014, 2016 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "testutils.h"
#if defined(__ELF__)
# include "virpolkit.h"
# include "virgdbus.h"
# include "virlog.h"
# include "virmock.h"
# define VIR_FROM_THIS VIR_FROM_NONE
VIR_LOG_INIT("tests.systemdtest");
/* Some interesting numbers */
# define THE_PID 1458
# define THE_TIME 11011000001
# define THE_UID 1729
VIR_MOCK_WRAP_RET_ARGS(g_dbus_connection_call_sync,
GVariant *,
GDBusConnection *, connection,
const gchar *, bus_name,
const gchar *, object_path,
const gchar *, interface_name,
const gchar *, method_name,
GVariant *, parameters,
const GVariantType *, reply_type,
GDBusCallFlags, flags,
gint, timeout_msec,
GCancellable *, cancellable,
GError **, error)
{
GVariant *reply = NULL;
g_autoptr(GVariant) params = parameters;
if (params)
g_variant_ref_sink(params);
VIR_MOCK_REAL_INIT(g_dbus_connection_call_sync);
if (STREQ(bus_name, "org.freedesktop.PolicyKit1") &&
STREQ(method_name, "CheckAuthorization")) {
g_autoptr(GVariantIter) iter = NULL;
GVariantBuilder builder;
char *type;
char *actionid;
int is_authorized = 1;
int is_challenge = 0;
g_variant_get(params, "((&s@a{sv})&sa{ss}@u@s)",
&type,
NULL,
&actionid,
&iter,
NULL,
NULL);
g_variant_builder_init(&builder, G_VARIANT_TYPE("a{ss}"));
if (STREQ(actionid, "org.libvirt.test.success")) {
is_authorized = 1;
is_challenge = 0;
} else if (STREQ(actionid, "org.libvirt.test.challenge")) {
is_authorized = 0;
is_challenge = 1;
} else if (STREQ(actionid, "org.libvirt.test.cancelled")) {
is_authorized = 0;
is_challenge = 0;
g_variant_builder_add(&builder, "{ss}", "polkit.dismissed", "true");
} else if (STREQ(actionid, "org.libvirt.test.details")) {
char *key;
char *val;
is_authorized = 0;
is_challenge = 0;
while (g_variant_iter_loop(iter, "{ss}", &key, &val)) {
if (STREQ(key, "org.libvirt.test.person") && STREQ(val, "Fred")) {
is_authorized = 1;
is_challenge = 0;
}
}
} else {
is_authorized = 0;
is_challenge = 0;
}
reply = g_variant_new("((bb@a{ss}))", is_authorized, is_challenge,
g_variant_builder_end(&builder));
} else {
reply = g_variant_new("()");
}
return reply;
}
static int testPolkitAuthSuccess(const void *opaque G_GNUC_UNUSED)
{
if (virPolkitCheckAuth("org.libvirt.test.success",
THE_PID,
THE_TIME,
THE_UID,
NULL,
true) < 0)
return -1;
return 0;
}
static int testPolkitAuthDenied(const void *opaque G_GNUC_UNUSED)
{
int rv;
virErrorPtr err;
rv = virPolkitCheckAuth("org.libvirt.test.deny",
THE_PID,
THE_TIME,
THE_UID,
NULL,
true);
if (rv == 0) {
fprintf(stderr, "Unexpected auth success\n");
return -1;
} else if (rv != -2) {
return -1;
}
err = virGetLastError();
if (!err || !strstr(err->message,
_("access denied by policy"))) {
fprintf(stderr, "Incorrect error response\n");
return -1;
}
return 0;
}
static int testPolkitAuthChallenge(const void *opaque G_GNUC_UNUSED)
{
int rv;
virErrorPtr err;
rv = virPolkitCheckAuth("org.libvirt.test.challenge",
THE_PID,
THE_TIME,
THE_UID,
NULL,
true);
if (rv == 0) {
fprintf(stderr, "Unexpected auth success\n");
return -1;
} else if (rv != -2) {
return -1;
}
err = virGetLastError();
polkit: Adjust message when authentication agent isn't found When there isn't a ssh -X type session running and a user has not been added to the libvirt group, attempts to run 'virsh -c qemu:///system' commands from an otherwise unprivileged user will fail with rather generic or opaque error message: "error: authentication failed: no agent is available to authenticate" This patch will adjust the error code and message to help reflect the situation that the problem is the requested mechanism is UNAVAILABLE and a slightly more descriptive error. The result on a failure then becomes: "error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'" A bit more history on this - at one time a failure generated the following type message when running the 'pkcheck' as a subprocess: "error: authentication failed: polkit\56retains_authorization_after_challenge=1 Authorization requires authentication but no agent is available." but, a patch was generated to adjust the error message to help provide more details about what failed. This was pushed as commit id '96a108c99'. That patch prepended a "polkit: " to the output. It really didn't solve the problem, but gave a hint. After some time it was deemed using DBus API calls directly was a better way to go (since pkcheck calls them anyway). So, commit id '1b854c76' (more or less) copied the code from remoteDispatchAuthPolkit and adjusted it. Then commit id 'c7542573' adjusted the remote.c code to call the new API (virPolkitCheckAuth). Finally, commit id '308c0c5a' altered the code to call DBus APIs directly. In doing so, it reverted the failing error message to the generic message that would have been received from DBus anyway.
2016-01-14 19:34:28 +00:00
if (!err || err->domain != VIR_FROM_POLKIT ||
err->code != VIR_ERR_AUTH_UNAVAILABLE ||
!strstr(err->message, _("no polkit agent available to authenticate"))) {
fprintf(stderr, "Incorrect error response\n");
return -1;
}
return 0;
}
static int testPolkitAuthCancelled(const void *opaque G_GNUC_UNUSED)
{
int rv;
virErrorPtr err;
rv = virPolkitCheckAuth("org.libvirt.test.cancelled",
THE_PID,
THE_TIME,
THE_UID,
NULL,
true);
if (rv == 0) {
fprintf(stderr, "Unexpected auth success\n");
return -1;
} else if (rv != -2) {
return -1;
}
err = virGetLastError();
if (!err || !strstr(err->message,
_("user cancelled authentication process"))) {
fprintf(stderr, "Incorrect error response\n");
return -1;
}
return 0;
}
static int testPolkitAuthDetailsSuccess(const void *opaque G_GNUC_UNUSED)
{
const char *details[] = {
"org.libvirt.test.person", "Fred",
NULL,
};
if (virPolkitCheckAuth("org.libvirt.test.details",
THE_PID,
THE_TIME,
THE_UID,
details,
true) < 0)
return -1;
return 0;
}
static int testPolkitAuthDetailsDenied(const void *opaque G_GNUC_UNUSED)
{
int rv;
virErrorPtr err;
const char *details[] = {
"org.libvirt.test.person", "Joe",
NULL,
};
rv = virPolkitCheckAuth("org.libvirt.test.details",
THE_PID,
THE_TIME,
THE_UID,
details,
true);
if (rv == 0) {
fprintf(stderr, "Unexpected auth success\n");
return -1;
} else if (rv != -2) {
return -1;
}
err = virGetLastError();
if (!err || !strstr(err->message,
_("access denied by policy"))) {
fprintf(stderr, "Incorrect error response\n");
return -1;
}
return 0;
}
static int
mymain(void)
{
int ret = 0;
if (virTestRun("Polkit auth success ", testPolkitAuthSuccess, NULL) < 0)
ret = -1;
if (virTestRun("Polkit auth deny ", testPolkitAuthDenied, NULL) < 0)
ret = -1;
if (virTestRun("Polkit auth challenge ", testPolkitAuthChallenge, NULL) < 0)
ret = -1;
if (virTestRun("Polkit auth cancel ", testPolkitAuthCancelled, NULL) < 0)
ret = -1;
if (virTestRun("Polkit auth details success ", testPolkitAuthDetailsSuccess, NULL) < 0)
ret = -1;
if (virTestRun("Polkit auth details deny ", testPolkitAuthDetailsDenied, NULL) < 0)
ret = -1;
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virgdbus"))
#else /* ! __ELF__ */
int
main(void)
{
return EXIT_AM_SKIP;
}
#endif /* ! __ELF__ */