fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-05-24 05:18:12 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
NetworkManager/src/libnm-core-impl/tests/test-keyfile.c
Thomas Haller 782f2fa8ef
keyfile: don't require verified profile in nm_keyfile_write() 
Previously, only the daemon was writing keyfiles, and it ensures
that they are always valid.

As we now have this function as public API of libnm, we should drop this
restriction and write the profile the best we can. Granted, an invalid
profile may not be expressed in keyfile format, and the result is
undefined. But make the best of it.
2022-03-28 18:27:37 +02:00

1006 lines
42 KiB
C
Raw Blame History

/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (C) 2015 Red Hat, Inc.
*/
#include "libnm-core-impl/nm-default-libnm-core.h"
#include "libnm-base/nm-ethtool-utils-base.h"
#include "libnm-core-intern/nm-keyfile-internal.h"
#include "libnm-core-intern/nm-keyfile-utils.h"
#include "libnm-glib-aux/nm-json-aux.h"
#include "nm-setting-8021x.h"
#include "nm-setting-connection.h"
#include "nm-setting-ethtool.h"
#include "nm-setting-proxy.h"
#include "nm-setting-team.h"
#include "nm-setting-user.h"
#include "nm-setting-wired.h"
#include "nm-simple-connection.h"
#include "libnm-glib-aux/nm-test-utils.h"
#define TEST_CERT_DIR NM_BUILD_SRCDIR "/src/libnm-core-impl/tests/certs"
#define TEST_WIRED_TLS_CA_CERT TEST_CERT_DIR "/test-ca-cert.pem"
#define TEST_WIRED_TLS_PRIVKEY TEST_CERT_DIR "/test-key-and-cert.pem"
#define TEST_WIRED_TLS_TPM2KEY TEST_CERT_DIR "/test-tpm2wrapped-key.pem"
/*****************************************************************************/
static void
do_test_encode_key_full(GKeyFile *kf,
const char *name,
const char *key,
const char *key_decode_encode)
{
gs_free char *to_free1 = NULL;
gs_free char *to_free2 = NULL;
const char *key2;
const char *name2;
g_assert(key);
if (name) {
key2 = nm_keyfile_key_encode(name, &to_free1);
g_assert(key2);
g_assert(NM_STRCHAR_ALL(key2, ch, (guchar) ch < 127));
g_assert_cmpstr(key2, ==, key);
/* try to add the encoded key to the keyfile. We expect
* no g_critical warning about invalid key. */
g_key_file_set_value(kf, "group", key, "dummy");
}
name2 = nm_keyfile_key_decode(key, &to_free2);
if (name)
g_assert_cmpstr(name2, ==, name);
else {
key2 = nm_keyfile_key_encode(name2, &to_free1);
g_assert(key2);
g_assert(NM_STRCHAR_ALL(key2, ch, (guchar) ch < 127));
if (key_decode_encode)
g_assert_cmpstr(key2, ==, key_decode_encode);
g_key_file_set_value(kf, "group", key2, "dummy");
}
}
#define do_test_encode_key_bijection(kf, name, key) \
do_test_encode_key_full(kf, "" name, "" key, NULL)
#define do_test_encode_key_identity(kf, name) do_test_encode_key_full(kf, "" name, "" name, NULL)
#define do_test_encode_key_decode_surjection(kf, key, key_decode_encode) \
do_test_encode_key_full(kf, NULL, "" key, "" key_decode_encode)
static void
test_encode_key(void)
{
nm_auto_unref_keyfile GKeyFile *kf = g_key_file_new();
do_test_encode_key_identity(kf, "a");
do_test_encode_key_bijection(kf, "", "\\00");
do_test_encode_key_bijection(kf, " ", "\\20");
do_test_encode_key_bijection(kf, "\\ ", "\\\\20");
do_test_encode_key_identity(kf, "\\0");
do_test_encode_key_identity(kf, "\\a");
do_test_encode_key_identity(kf, "\\0g");
do_test_encode_key_bijection(kf, "\\0f", "\\5C0f");
do_test_encode_key_bijection(kf, "\\0f ", "\\5C0f\\20");
do_test_encode_key_bijection(kf, " \\0f ", "\\20\\5C0f\\20");
do_test_encode_key_bijection(kf, "\xF5", "\\F5");
do_test_encode_key_bijection(kf, "\x7F", "\\7F");
do_test_encode_key_bijection(kf, "\x1f", "\\1F");
do_test_encode_key_bijection(kf, " ", "\\20\\20");
do_test_encode_key_bijection(kf, " ", "\\20 \\20");
do_test_encode_key_decode_surjection(kf, "f\\20c", "f c");
do_test_encode_key_decode_surjection(kf, "\\20\\20\\20", "\\20 \\20");
do_test_encode_key_bijection(kf, "\t", "\\09");
do_test_encode_key_bijection(kf, "\t=x", "\\09\\3Dx");
do_test_encode_key_bijection(
kf,
"(nm-openvpn-auth-dialog:10283): GdkPixbuf-DEBUG: \tCopy pixels == false",
"(nm-openvpn-auth-dialog:10283): GdkPixbuf-DEBUG: \\09Copy pixels \\3D\\3D false");
}
/*****************************************************************************/
#define CLEAR(con, keyfile) \
G_STMT_START \
{ \
NMConnection **_con = (con); \
GKeyFile **_keyfile = (keyfile); \
\
g_clear_object(_con); \
nm_clear_pointer(_keyfile, g_key_file_unref); \
} \
G_STMT_END
static void
_assert_gbytes(GBytes *bytes, gconstpointer data, gssize len)
{
g_assert((data && len > 0) || !len || (data && len == -1));
if (len == -1)
len = strlen(data);
if (!len)
g_assert(!bytes);
g_assert(nm_g_bytes_equal_mem(bytes, data, len));
}
static GKeyFile *
_keyfile_load_from_data(const char *str)
{
GError *error = NULL;
gboolean success;
GKeyFile *keyfile;
g_assert(str);
keyfile = g_key_file_new();
success = g_key_file_load_from_data(keyfile, str, strlen(str), G_KEY_FILE_NONE, &error);
g_assert_no_error(error);
g_assert(success);
return keyfile;
}
static GKeyFile *
_nm_keyfile_write(NMConnection *connection, NMKeyfileWriteHandler handler, void *user_data)
{
GError *error = NULL;
GKeyFile *kf;
g_assert(NM_IS_CONNECTION(connection));
kf = nm_keyfile_write(connection, NM_KEYFILE_HANDLER_FLAGS_NONE, handler, user_data, &error);
g_assert_no_error(error);
g_assert(kf);
return kf;
}
static NMConnection *
_nm_keyfile_read(GKeyFile *keyfile,
const char *keyfile_name,
NMKeyfileReadHandler read_handler,
void *read_data,
gboolean needs_normalization)
{
GError *error = NULL;
NMConnection *con;
gs_free char *filename = NULL;
gs_free char *base_dir = NULL;
g_assert(keyfile);
g_assert(!keyfile_name || (keyfile_name[0] == '/'));
base_dir = g_path_get_dirname(keyfile_name);
filename = g_path_get_basename(keyfile_name);
con = nm_keyfile_read(keyfile,
base_dir,
NM_KEYFILE_HANDLER_FLAGS_NONE,
read_handler,
read_data,
&error);
g_assert_no_error(error);
g_assert(NM_IS_CONNECTION(con));
nm_keyfile_read_ensure_id(con, filename);
nm_keyfile_read_ensure_uuid(con, keyfile_name);
if (needs_normalization) {
nmtst_assert_connection_verifies_after_normalization(con, 0, 0);
nmtst_connection_normalize(con);
} else {
{
NMSettingConnection *s_con;
/* a non-slave connection must have a proxy setting, but
* keyfile reader does not add that (unless a [proxy] section
* is present. */
s_con = nm_connection_get_setting_connection(con);
if (s_con && !nm_setting_connection_get_master(s_con)
&& !nm_connection_get_setting_proxy(con))
nm_connection_add_setting(con, nm_setting_proxy_new());
}
nmtst_assert_connection_verifies_without_normalization(con);
}
return con;
}
static void
_keyfile_convert(NMConnection **con,
GKeyFile **keyfile,
const char *keyfile_name,
NMKeyfileReadHandler read_handler,
void *read_data,
NMKeyfileWriteHandler write_handler,
void *write_data,
gboolean needs_normalization)
{
NMConnection *c0;
GKeyFile *k0;
gs_unref_object NMConnection *c0_k1_c2 = NULL, *k0_c1 = NULL, *k0_c1_k2_c3 = NULL;
nm_auto_unref_keyfile GKeyFile *k0_c1_k2 = NULL, *c0_k1 = NULL, *c0_k1_c2_k3 = NULL;
/* convert from @con to @keyfile and check that we can make
* full round trips and obtaining the same result. */
g_assert(con);
g_assert(keyfile);
g_assert(*con || *keyfile);
c0 = *con;
k0 = *keyfile;
if (c0) {
c0_k1 = _nm_keyfile_write(c0, write_handler, write_data);
c0_k1_c2 = _nm_keyfile_read(c0_k1, keyfile_name, read_handler, read_data, FALSE);
c0_k1_c2_k3 = _nm_keyfile_write(c0_k1_c2, write_handler, write_data);
g_assert(_nm_keyfile_equal(c0_k1, c0_k1_c2_k3, TRUE));
}
if (k0) {
NMSetting8021x *s1, *s2;
k0_c1 = _nm_keyfile_read(k0, keyfile_name, read_handler, read_data, needs_normalization);
k0_c1_k2 = _nm_keyfile_write(k0_c1, write_handler, write_data);
k0_c1_k2_c3 = _nm_keyfile_read(k0_c1_k2, keyfile_name, read_handler, read_data, FALSE);
/* It is a expected behavior, that if @k0 contains a relative path ca-cert, @k0_c1 will
* contain that path as relative. But @k0_c1_k2 and @k0_c1_k2_c3 will have absolute paths.
* In this case, hack up @k0_c1_k2_c3 to contain the same relative path. */
s1 = nm_connection_get_setting_802_1x(k0_c1);
s2 = nm_connection_get_setting_802_1x(k0_c1_k2_c3);
if (s1 || s2) {
g_assert_cmpint(nm_setting_802_1x_get_ca_cert_scheme(s1),
==,
nm_setting_802_1x_get_ca_cert_scheme(s2));
switch (nm_setting_802_1x_get_ca_cert_scheme(s1)) {
case NM_SETTING_802_1X_CK_SCHEME_PATH:
{
const char *p1 = nm_setting_802_1x_get_ca_cert_path(s1);
const char *p2 = nm_setting_802_1x_get_ca_cert_path(s2);
nmtst_assert_resolve_relative_path_equals(p1, p2);
if (strcmp(p1, p2) != 0) {
gs_free char *puri = NULL;
gs_unref_bytes GBytes *pfile = NULL;
g_assert(p1[0] != '/' && p2[0] == '/');
/* one of the paths is a relative path and the other is absolute. This is an
* expected difference.
* Make the paths of s2 identical to s1... */
puri = g_strconcat(NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH, p1, NULL);
pfile = g_bytes_new(puri, strlen(puri) + 1);
g_object_set(s2, NM_SETTING_802_1X_CA_CERT, pfile, NULL);
}
} break;
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
{
GBytes *b1, *b2;
b1 = nm_setting_802_1x_get_ca_cert_blob(s1);
b2 = nm_setting_802_1x_get_ca_cert_blob(s2);
g_assert(b1);
g_assert(b2);
g_assert(g_bytes_equal(b1, b2));
break;
}
default:
break;
}
}
nmtst_assert_connection_equals(k0_c1, FALSE, k0_c1_k2_c3, FALSE);
}
if (!k0)
*keyfile = g_key_file_ref(c0_k1);
else if (!c0)
*con = g_object_ref(k0_c1);
else {
/* finally, if both a keyfile and a connection are given, assert that they are equal
* after a round of conversion. */
g_assert(_nm_keyfile_equal(c0_k1, k0_c1_k2, TRUE));
nmtst_assert_connection_equals(k0_c1, FALSE, c0_k1_c2, FALSE);
}
}
/*****************************************************************************/
static void
_test_8021x_cert_check(NMConnection *con,
NMSetting8021xCKScheme expected_scheme,
const void *value,
gssize val_len)
{
GKeyFile *keyfile = NULL;
NMSetting8021x *s_8021x;
gs_free char *kval = NULL;
_keyfile_convert(&con, &keyfile, "/_test_8021x_cert_check/foo", NULL, NULL, NULL, NULL, FALSE);
s_8021x = nm_connection_get_setting_802_1x(con);
g_assert(nm_setting_802_1x_get_ca_cert_scheme(s_8021x) == expected_scheme);
if (expected_scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
const char *path = nm_setting_802_1x_get_ca_cert_path(s_8021x);
g_assert_cmpstr(path, ==, value);
g_assert(val_len == -1 || strlen(path) == val_len);
kval = g_key_file_get_string(keyfile, "802-1x", "ca-cert", NULL);
g_assert(kval);
g_assert_cmpstr(kval, ==, value);
} else if (expected_scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
GBytes *blob = nm_setting_802_1x_get_ca_cert_blob(s_8021x);
gs_free char *file_blob = NULL;
if (val_len == -1) {
gsize l;
gboolean success;
success = g_file_get_contents(value, &file_blob, &l, NULL);
g_assert(success);
value = file_blob;
val_len = l;
}
g_assert(blob);
g_assert(nm_g_bytes_equal_mem(blob, value, val_len));
kval = g_key_file_get_string(keyfile, "802-1x", "ca-cert", NULL);
g_assert(kval);
g_assert(g_str_has_prefix(kval, NM_KEYFILE_CERT_SCHEME_PREFIX_BLOB));
}
g_key_file_unref(keyfile);
}
static void
_test_8021x_cert_check_blob_full(NMConnection *con, const void *data, gsize len)
{
GBytes *bytes;
NMSetting8021x *s_8021x = nm_connection_get_setting_802_1x(con);
bytes = g_bytes_new(data, len);
g_object_set(s_8021x, NM_SETTING_802_1X_CA_CERT, bytes, NULL);
_test_8021x_cert_check(con,
NM_SETTING_802_1X_CK_SCHEME_BLOB,
g_bytes_get_data(bytes, NULL),
g_bytes_get_size(bytes));
g_bytes_unref(bytes);
}
#define _test_8021x_cert_check_blob(con, data) \
_test_8021x_cert_check_blob_full(con, data, NM_STRLEN(data))
static void
_test_8021x_cert_from_files(const char *cert, const char *key)
{
NMSetting8021x *s_8021x;
gs_unref_object NMConnection *con =
nmtst_create_minimal_connection("test-cert", NULL, NM_SETTING_WIRED_SETTING_NAME, NULL);
GError *error = NULL;
gboolean success;
NMSetting8021xCKScheme scheme = NM_SETTING_802_1X_CK_SCHEME_PATH;
gs_free char *full_TEST_WIRED_TLS_CA_CERT = nmtst_file_resolve_relative_path(cert, NULL);
gs_free char *full_TEST_WIRED_TLS_PRIVKEY = nmtst_file_resolve_relative_path(key, NULL);
/* test writing/reading of certificates of NMSetting8021x */
/* create a valid connection with NMSetting8021x */
s_8021x = (NMSetting8021x *) nm_setting_802_1x_new();
nm_setting_802_1x_add_eap_method(s_8021x, "tls");
g_object_set(s_8021x, NM_SETTING_802_1X_IDENTITY, "Bill Smith", NULL);
success =
nm_setting_802_1x_set_ca_cert(s_8021x, full_TEST_WIRED_TLS_CA_CERT, scheme, NULL, &error);
g_assert_no_error(error);
g_assert(success);
success = nm_setting_802_1x_set_client_cert(s_8021x,
full_TEST_WIRED_TLS_CA_CERT,
scheme,
NULL,
&error);
g_assert_no_error(error);
g_assert(success);
success = nm_setting_802_1x_set_private_key(s_8021x,
full_TEST_WIRED_TLS_PRIVKEY,
"test1",
scheme,
NULL,
&error);
g_assert_no_error(error);
g_assert(success);
/* test resetting ca-cert to different values and see whether we can write/read. */
nm_connection_add_setting(con, NM_SETTING(s_8021x));
nmtst_assert_connection_verifies_and_normalizable(con);
nmtst_connection_normalize(con);
_test_8021x_cert_check(con, scheme, full_TEST_WIRED_TLS_CA_CERT, -1);
scheme = NM_SETTING_802_1X_CK_SCHEME_BLOB;
success =
nm_setting_802_1x_set_ca_cert(s_8021x, full_TEST_WIRED_TLS_CA_CERT, scheme, NULL, &error);
g_assert_no_error(error);
g_assert(success);
_test_8021x_cert_check(con, scheme, full_TEST_WIRED_TLS_CA_CERT, -1);
_test_8021x_cert_check_blob(con, "a");
_test_8021x_cert_check_blob(con, "\0");
_test_8021x_cert_check_blob(con, "10");
_test_8021x_cert_check_blob(con, "data:;base64,a");
_test_8021x_cert_check_blob_full(con, "data:;base64,a", NM_STRLEN("data:;base64,a") + 1);
_test_8021x_cert_check_blob(con, "data:;base64,file://a");
_test_8021x_cert_check_blob(con, "123");
}
static void
test_8021x_cert(void)
{
_test_8021x_cert_from_files(TEST_WIRED_TLS_CA_CERT, TEST_WIRED_TLS_PRIVKEY);
}
static void
test_8021x_cert_tpm2key(void)
{
_test_8021x_cert_from_files(TEST_WIRED_TLS_CA_CERT, TEST_WIRED_TLS_TPM2KEY);
}
/*****************************************************************************/
static void
test_8021x_cert_read(void)
{
GKeyFile *keyfile = NULL;
gs_unref_object NMConnection *con = NULL;
NMSetting8021x *s_8021x;
con = nmtst_create_connection_from_keyfile("[connection]\n"
"type=ethernet",
"/test_8021x_cert_read/test0");
CLEAR(&con, &keyfile);
keyfile = _keyfile_load_from_data("[connection]\n"
"type=ethernet");
_keyfile_convert(&con, &keyfile, "/test_8021x_cert_read/test1", NULL, NULL, NULL, NULL, TRUE);
CLEAR(&con, &keyfile);
keyfile = _keyfile_load_from_data(
"[connection]\n"
"type=802-3-ethernet\n"
"[802-1x]\n"
"eap=tls;\n"
"identity=Bill Smith\n"
"ca-cert=48;130;2;52;48;130;1;161;2;16;2;173;102;126;78;69;254;94;87;111;60;152;25;94;221;"
"192;48;13;6;9;42;134;72;134;247;13;1;1;2;5;0;48;95;49;11;48;9;6;3;85;4;6;19;2;85;83;49;32;"
"48;30;6;3;85;4;10;19;23;82;83;65;32;68;97;116;97;32;83;101;99;117;114;105;116;121;44;32;"
"73;110;99;46;49;46;48;44;6;3;85;4;11;19;37;83;101;99;117;114;101;32;83;101;114;118;101;"
"114;32;67;101;114;116;105;102;105;99;97;116;105;111;110;32;65;117;116;104;111;114;105;116;"
"121;48;30;23;13;57;52;49;49;48;57;48;48;48;48;48;48;90;23;13;49;48;48;49;48;55;50;51;53;"
"57;53;57;90;48;95;49;11;48;9;6;3;85;4;6;19;2;85;83;49;32;48;30;6;3;85;4;10;19;23;82;83;65;"
"32;68;97;116;97;32;83;101;99;117;114;105;116;121;44;32;73;110;99;46;49;46;48;44;6;3;85;4;"
"11;19;37;83;101;99;117;114;101;32;83;101;114;118;101;114;32;67;101;114;116;105;102;105;99;"
"97;116;105;111;110;32;65;117;116;104;111;114;105;116;121;48;129;155;48;13;6;9;42;134;72;"
"134;247;13;1;1;1;5;0;3;129;137;0;48;129;133;2;126;0;146;206;122;193;174;131;62;90;170;137;"
"131;87;172;37;1;118;12;173;174;142;44;55;206;235;53;120;100;84;3;229;132;64;81;201;191;"
"143;8;226;138;130;8;210;22;134;55;85;233;177;33;2;173;118;104;129;154;5;162;75;201;75;37;"
"102;34;86;108;136;7;143;247;129;89;109;132;7;101;112;19;113;118;62;155;119;76;227;80;137;"
"86;152;72;185;29;167;41;26;19;46;74;17;89;156;30;21;213;73;84;44;115;58;105;130;177;151;"
"57;156;109;112;103;72;229;221;45;214;200;30;123;2;3;1;0;1;48;13;6;9;42;134;72;134;247;13;"
"1;1;2;5;0;3;126;0;101;221;126;225;178;236;176;226;58;224;236;113;70;154;25;17;184;211;199;"
"160;180;3;64;38;2;62;9;156;225;18;179;209;90;246;55;165;183;97;3;182;91;22;105;59;198;68;"
"8;12;136;83;12;107;151;73;199;62;53;220;108;185;187;170;223;92;187;58;47;147;96;182;169;"
"75;77;242;32;247;205;95;127;100;123;142;220;0;92;215;250;119;202;57;22;89;111;14;234;211;"
"181;131;127;77;77;66;86;118;180;201;95;4;248;56;248;235;210;95;117;95;205;123;252;229;142;"
"128;124;252;80;\n"
"client-cert=102;105;108;101;58;47;47;47;104;111;109;101;47;100;99;98;119;47;68;101;115;"
"107;116;111;112;47;99;101;114;116;105;110;102;114;97;47;99;108;105;101;110;116;46;112;101;"
"109;0;\n"
"private-key=102;105;108;101;58;47;47;47;104;111;109;101;47;100;99;98;119;47;68;101;115;"
"107;116;111;112;47;99;101;114;116;105;110;102;114;97;47;99;108;105;101;110;116;46;112;101;"
"109;0;\n"
"private-key-password=12345testing\n");
_keyfile_convert(&con, &keyfile, "/test_8021x_cert_read/test2", NULL, NULL, NULL, NULL, TRUE);
CLEAR(&con, &keyfile);
keyfile =
_keyfile_load_from_data("[connection]\n"
"type=802-3-ethernet\n"
"[802-1x]\n"
"eap=tls;\n"
"identity=Bill Smith\n"
/* unqualified strings are only recognized as path up to 500 chars*/
"ca-cert="
"/11111111111111111111111111111111111111111111111111111111111111111"
"1111111111111111111111111111111111"
"/11111111111111111111111111111111111111111111111111111111111111111"
"1111111111111111111111111111111111"
"/11111111111111111111111111111111111111111111111111111111111111111"
"1111111111111111111111111111111111"
"/11111111111111111111111111111111111111111111111111111111111111111"
"1111111111111111111111111111111111"
"/11111111111111111111111111111111111111111111111111111111111111111"
"111111111111111111111111111111111\n"
"client-cert=/"
"222222222222222222222222222222222222222222222222222222222222222222"
"222222222222222222222222222222221"
"/22222222222222222222222222222222222222222222222222222222222222222"
"2222222222222222222222222222222221"
"/22222222222222222222222222222222222222222222222222222222222222222"
"2222222222222222222222222222222221"
"/22222222222222222222222222222222222222222222222222222222222222222"
"2222222222222222222222222222222221"
"/22222222222222222222222222222222222222222222222222222222222222222"
"2222222222222222222222222222222222\n"
"private-key=file://"
"/33333333333333333333333333333333333333333333333333333333333333333"
"3333333333333333333333333333333331"
"/33333333333333333333333333333333333333333333333333333333333333333"
"3333333333333333333333333333333331"
"/33333333333333333333333333333333333333333333333333333333333333333"
"3333333333333333333333333333333331"
"/33333333333333333333333333333333333333333333333333333333333333333"
"3333333333333333333333333333333331"
"/33333333333333333333333333333333333333333333333333333333333333333"
"333333333333333333333333333333333111111\n"
"private-key-password=12345testing\n");
_keyfile_convert(&con, &keyfile, "/test_8021x_cert_read/test2", NULL, NULL, NULL, NULL, TRUE);
s_8021x = nm_connection_get_setting_802_1x(con);
g_assert(nm_setting_802_1x_get_ca_cert_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH);
g_assert(g_str_has_prefix(nm_setting_802_1x_get_ca_cert_path(s_8021x), "/111111111111"));
g_assert_cmpint(strlen(nm_setting_802_1x_get_ca_cert_path(s_8021x)), ==, 499);
g_assert(nm_setting_802_1x_get_client_cert_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB);
g_assert(
g_str_has_prefix(g_bytes_get_data(nm_setting_802_1x_get_client_cert_blob(s_8021x), NULL),
"/2222222222"));
g_assert_cmpint(g_bytes_get_size(nm_setting_802_1x_get_client_cert_blob(s_8021x)),
==,
500 + 1 /* keyfile reader adds a trailing NUL */);
g_assert(nm_setting_802_1x_get_private_key_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH);
g_assert(g_str_has_prefix(nm_setting_802_1x_get_private_key_path(s_8021x), "/333333333"));
g_assert_cmpint(strlen(nm_setting_802_1x_get_private_key_path(s_8021x)), ==, 505);
CLEAR(&con, &keyfile);
keyfile = _keyfile_load_from_data("[connection]\n"
"type=802-3-ethernet\n"
"[802-1x]\n"
"eap=tls;\n"
"identity=Bill Smith\n"
"ca-cert=/\n"
"client-cert=a.pem\n"
"private-key=data:;base64,aGFsbG8=\n" // hallo
"private-key-password=12345testing\n");
_keyfile_convert(&con, &keyfile, "/test_8021x_cert_read/test2", NULL, NULL, NULL, NULL, TRUE);
s_8021x = nm_connection_get_setting_802_1x(con);
g_assert(nm_setting_802_1x_get_ca_cert_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH);
g_assert_cmpstr(nm_setting_802_1x_get_ca_cert_path(s_8021x), ==, "/");
g_assert(nm_setting_802_1x_get_client_cert_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH);
g_assert_cmpstr(nm_setting_802_1x_get_client_cert_path(s_8021x),
==,
"/test_8021x_cert_read/a.pem");
g_assert(nm_setting_802_1x_get_private_key_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB);
_assert_gbytes(nm_setting_802_1x_get_private_key_blob(s_8021x), "hallo", -1);
CLEAR(&con, &keyfile);
keyfile = _keyfile_load_from_data("[connection]\n"
"type=802-3-ethernet\n"
"[802-1x]\n"
"eap=tls;\n"
"identity=Bill Smith\n"
"ca-cert=file://data:;base64,x\n"
"client-cert=abc.der\n"
"private-key=abc.deR\n"
"private-key-password=12345testing\n");
_keyfile_convert(&con, &keyfile, "/test_8021x_cert_read/test2", NULL, NULL, NULL, NULL, TRUE);
s_8021x = nm_connection_get_setting_802_1x(con);
g_assert(nm_setting_802_1x_get_ca_cert_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH);
g_assert_cmpstr(nm_setting_802_1x_get_ca_cert_path(s_8021x), ==, "data:;base64,x");
g_assert(nm_setting_802_1x_get_client_cert_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH);
g_assert_cmpstr(nm_setting_802_1x_get_client_cert_path(s_8021x),
==,
"/test_8021x_cert_read/abc.der");
g_assert(nm_setting_802_1x_get_private_key_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB);
_assert_gbytes(nm_setting_802_1x_get_private_key_blob(s_8021x), "abc.deR\0", 8);
CLEAR(&con, &keyfile);
keyfile =
_keyfile_load_from_data("[connection]\n"
"type=802-3-ethernet\n"
"[802-1x]\n"
"eap=tls;\n"
"identity=Bill Smith\n"
"ca-cert=104;97;108;108;111;\n" /* "hallo" without trailing NUL */
"client-cert=104;097;108;108;111;0;\n"
"private-key=hallo\n"
"private-key-password=12345testing\n");
_keyfile_convert(&con, &keyfile, "/test_8021x_cert_read/test2", NULL, NULL, NULL, NULL, TRUE);
s_8021x = nm_connection_get_setting_802_1x(con);
g_assert(nm_setting_802_1x_get_ca_cert_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB);
_assert_gbytes(nm_setting_802_1x_get_ca_cert_blob(s_8021x), "hallo", 5);
g_assert(nm_setting_802_1x_get_client_cert_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB);
_assert_gbytes(nm_setting_802_1x_get_client_cert_blob(s_8021x), "hallo\0", 6);
g_assert(nm_setting_802_1x_get_private_key_scheme(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB);
_assert_gbytes(nm_setting_802_1x_get_private_key_blob(s_8021x), "hallo\0", 6);
CLEAR(&con, &keyfile);
}
static void
test_team_conf_read_valid(void)
{
GKeyFile *keyfile = NULL;
gs_unref_object NMConnection *con = NULL;
NMSettingTeam *s_team;
con = nmtst_create_connection_from_keyfile("[connection]\n"
"type=team\n"
"interface-name=nm-team1\n"
"[team]\n"
"config={\"foo\":\"bar\"}",
"/test_team_conf_read/valid");
g_assert(con);
s_team = nm_connection_get_setting_team(con);
g_assert(s_team);
g_assert_cmpstr(nm_setting_team_get_config(s_team), ==, "{\"foo\":\"bar\"}");
CLEAR(&con, &keyfile);
}
static void
test_team_conf_read_invalid(void)
{
GKeyFile *keyfile = NULL;
gs_unref_object NMConnection *con = NULL;
NMSettingTeam *s_team;
if (!nm_json_vt()) {
g_test_skip("team test requires JSON validation");
return;
}
con = nmtst_create_connection_from_keyfile("[connection]\n"
"type=team\n"
"interface-name=nm-team1\n"
"[team]\n"
"config={foobar}",
"/test_team_conf_read/invalid");
g_assert(con);
s_team = nm_connection_get_setting_team(con);
g_assert(s_team);
g_assert(nm_setting_team_get_config(s_team) == NULL);
CLEAR(&con, &keyfile);
}
/*****************************************************************************/
static void
test_user_1(void)
{
nm_auto_unref_keyfile GKeyFile *keyfile = NULL;
gs_unref_object NMConnection *con = NULL;
NMSettingUser *s_user;
con = nmtst_create_connection_from_keyfile("[connection]\n"
"id=t\n"
"type=ethernet\n"
"\n"
"[user]\n"
"my-value.x=value1\n"
"",
"/test_user_1/invalid");
g_assert(con);
s_user = NM_SETTING_USER(nm_connection_get_setting(con, NM_TYPE_SETTING_USER));
g_assert(s_user);
g_assert_cmpstr(nm_setting_user_get_data(s_user, "my-value.x"), ==, "value1");
CLEAR(&con, &keyfile);
con = nmtst_create_minimal_connection("user-2",
"8b85fb8d-3070-48ba-93d9-53eee231d9a2",
NM_SETTING_WIRED_SETTING_NAME,
NULL);
s_user = NM_SETTING_USER(nm_setting_user_new());
#define _USER_SET_DATA(s_user, key, val) \
G_STMT_START \
{ \
GError *_error = NULL; \
gboolean _success; \
\
_success = nm_setting_user_set_data((s_user), (key), (val), &_error); \
nmtst_assert_success(_success, _error); \
} \
G_STMT_END
#define _USER_SET_DATA_X(s_user, key) _USER_SET_DATA(s_user, key, "val=" key "")
_USER_SET_DATA(s_user, "my.val1", "");
_USER_SET_DATA_X(s_user, "my.val2");
_USER_SET_DATA_X(s_user, "my.v__al3");
_USER_SET_DATA_X(s_user, "my._v");
_USER_SET_DATA_X(s_user, "my.v+");
_USER_SET_DATA_X(s_user, "my.Av");
_USER_SET_DATA_X(s_user, "MY.AV");
_USER_SET_DATA_X(s_user, "MY.8V");
_USER_SET_DATA_X(s_user, "MY.8-V");
_USER_SET_DATA_X(s_user, "MY.8_V");
_USER_SET_DATA_X(s_user, "MY.8+V");
_USER_SET_DATA_X(s_user, "MY.8/V");
_USER_SET_DATA_X(s_user, "MY.8=V");
_USER_SET_DATA_X(s_user, "MY.-");
_USER_SET_DATA_X(s_user, "MY._");
_USER_SET_DATA_X(s_user, "MY.+");
_USER_SET_DATA_X(s_user, "MY./");
_USER_SET_DATA_X(s_user, "MY.=");
_USER_SET_DATA_X(s_user, "my.keys.1");
_USER_SET_DATA_X(s_user, "my.other.KEY.42");
nm_connection_add_setting(con, NM_SETTING(s_user));
nmtst_connection_normalize(con);
_keyfile_convert(&con, &keyfile, "/test_user_1/foo", NULL, NULL, NULL, NULL, FALSE);
}
/*****************************************************************************/
static void
test_vpn_1(void)
{
nm_auto_unref_keyfile GKeyFile *keyfile = NULL;
gs_unref_object NMConnection *con = NULL;
NMSettingVpn *s_vpn;
con = nmtst_create_connection_from_keyfile("[connection]\n"
"id=t\n"
"type=vpn\n"
"\n"
"[vpn]\n"
"service-type=a.b.c\n"
"vpn-key-1=value1\n"
"",
"/test_vpn_1/invalid");
g_assert(con);
s_vpn = NM_SETTING_VPN(nm_connection_get_setting(con, NM_TYPE_SETTING_VPN));
g_assert(s_vpn);
g_assert_cmpstr(nm_setting_vpn_get_data_item(s_vpn, "vpn-key-1"), ==, "value1");
CLEAR(&con, &keyfile);
}
/*****************************************************************************/
static void
test_bridge_vlans(void)
{
nm_auto_unref_keyfile GKeyFile *keyfile = NULL;
gs_unref_object NMConnection *con = NULL;
NMSettingBridge *s_bridge;
NMBridgeVlan *vlan;
guint16 vid, vid_end;
con = nmtst_create_connection_from_keyfile("[connection]\n"
"id=t\n"
"type=bridge\n"
"interface-name=br4\n"
"\n"
"[bridge]\n"
"vlans=900 , 1 pvid untagged, 100-123 untagged\n"
"",
"/test_bridge_port/vlans");
s_bridge = NM_SETTING_BRIDGE(nm_connection_get_setting(con, NM_TYPE_SETTING_BRIDGE));
g_assert(s_bridge);
g_assert_cmpuint(nm_setting_bridge_get_num_vlans(s_bridge), ==, 3);
vlan = nm_setting_bridge_get_vlan(s_bridge, 0);
g_assert(vlan);
nm_bridge_vlan_get_vid_range(vlan, &vid, &vid_end);
g_assert_cmpuint(vid, ==, 1);
g_assert_cmpuint(vid_end, ==, 1);
g_assert_cmpint(nm_bridge_vlan_is_pvid(vlan), ==, TRUE);
g_assert_cmpint(nm_bridge_vlan_is_untagged(vlan), ==, TRUE);
vlan = nm_setting_bridge_get_vlan(s_bridge, 1);
g_assert(vlan);
nm_bridge_vlan_get_vid_range(vlan, &vid, &vid_end);
g_assert_cmpuint(vid, ==, 100);
g_assert_cmpuint(vid_end, ==, 123);
g_assert_cmpint(nm_bridge_vlan_is_pvid(vlan), ==, FALSE);
g_assert_cmpint(nm_bridge_vlan_is_untagged(vlan), ==, TRUE);
vlan = nm_setting_bridge_get_vlan(s_bridge, 2);
g_assert(vlan);
nm_bridge_vlan_get_vid_range(vlan, &vid, &vid_end);
g_assert_cmpuint(vid, ==, 900);
g_assert_cmpuint(vid_end, ==, 900);
g_assert_cmpint(nm_bridge_vlan_is_pvid(vlan), ==, FALSE);
g_assert_cmpint(nm_bridge_vlan_is_untagged(vlan), ==, FALSE);
CLEAR(&con, &keyfile);
}
static void
test_bridge_port_vlans(void)
{
nm_auto_unref_keyfile GKeyFile *keyfile = NULL;
gs_unref_object NMConnection *con = NULL;
NMSettingBridgePort *s_port;
NMBridgeVlan *vlan;
guint16 vid_start, vid_end;
con = nmtst_create_connection_from_keyfile("[connection]\n"
"id=t\n"
"type=dummy\n"
"interface-name=dummy1\n"
"master=br0\n"
"slave-type=bridge\n"
"\n"
"[bridge-port]\n"
"vlans=4094 pvid , 10-20 untagged\n"
"",
"/test_bridge_port/vlans");
s_port = NM_SETTING_BRIDGE_PORT(nm_connection_get_setting(con, NM_TYPE_SETTING_BRIDGE_PORT));
g_assert(s_port);
g_assert_cmpuint(nm_setting_bridge_port_get_num_vlans(s_port), ==, 2);
vlan = nm_setting_bridge_port_get_vlan(s_port, 0);
g_assert(vlan);
nm_bridge_vlan_get_vid_range(vlan, &vid_start, &vid_end);
g_assert_cmpuint(vid_start, ==, 10);
g_assert_cmpuint(vid_end, ==, 20);
g_assert_cmpint(nm_bridge_vlan_is_pvid(vlan), ==, FALSE);
g_assert_cmpint(nm_bridge_vlan_is_untagged(vlan), ==, TRUE);
vlan = nm_setting_bridge_port_get_vlan(s_port, 1);
g_assert(vlan);
nm_bridge_vlan_get_vid_range(vlan, &vid_start, &vid_end);
g_assert_cmpuint(vid_start, ==, 4094);
g_assert_cmpuint(vid_end, ==, 4094);
g_assert_cmpint(nm_bridge_vlan_is_pvid(vlan), ==, TRUE);
g_assert_cmpint(nm_bridge_vlan_is_untagged(vlan), ==, FALSE);
CLEAR(&con, &keyfile);
}
/*****************************************************************************/
typedef struct {
bool expect;
guint n_calls;
} InvalidOptionWriteData;
static gboolean
_invalid_option_write_handler(NMConnection *connection,
GKeyFile *keyfile,
NMKeyfileHandlerType handler_type,
NMKeyfileHandlerData *handler_data,
void *user_data)
{
InvalidOptionWriteData *data = user_data;
const char *message;
NMKeyfileWarnSeverity severity;
g_assert(data);
g_assert(data->expect);
g_assert(data->n_calls == 0);
data->n_calls++;
switch (handler_type) {
case NM_KEYFILE_HANDLER_TYPE_WARN:
nm_keyfile_handler_data_warn_get(handler_data, &message, &severity);
g_assert(message && strstr(message, "ethtool.bogus"));
break;
default:
g_assert_not_reached();
}
return TRUE;
}
static void
test_invalid_option(void)
{
gs_unref_object NMConnection *con = NULL;
NMSetting *s_ethtool;
nm_auto_unref_keyfile GKeyFile *kf = NULL;
gs_free_error GError *error = NULL;
InvalidOptionWriteData data;
con = nmtst_create_minimal_connection("test invalid option",
NULL,
NM_SETTING_WIRED_SETTING_NAME,
NULL);
s_ethtool = nm_setting_ethtool_new();
nm_connection_add_setting(con, s_ethtool);
nm_setting_option_set_boolean(s_ethtool, NM_ETHTOOL_OPTNAME_PAUSE_RX, TRUE);
data = (InvalidOptionWriteData){};
kf = nm_keyfile_write(con,
NM_KEYFILE_HANDLER_FLAGS_NONE,
_invalid_option_write_handler,
&data,
nmtst_get_rand_bool() ? &error : NULL);
nmtst_assert_success(kf, error);
nm_clear_pointer(&kf, g_key_file_unref);
nmtst_connection_normalize(con);
nmtst_assert_connection_verifies_without_normalization(con);
data = (InvalidOptionWriteData){};
kf = nm_keyfile_write(con,
NM_KEYFILE_HANDLER_FLAGS_NONE,
_invalid_option_write_handler,
&data,
nmtst_get_rand_bool() ? &error : NULL);
nmtst_assert_success(kf, error);
nm_clear_pointer(&kf, g_key_file_unref);
nm_setting_option_set(s_ethtool, "bogus", g_variant_new_int64(0));
data = (InvalidOptionWriteData){
.expect = TRUE,
};
kf = nm_keyfile_write(con,
NM_KEYFILE_HANDLER_FLAGS_NONE,
_invalid_option_write_handler,
&data,
nmtst_get_rand_bool() ? &error : NULL);
nmtst_assert_success(kf, error);
nm_clear_pointer(&kf, g_key_file_unref);
g_assert_cmpint(data.n_calls, ==, 1);
}
/*****************************************************************************/
NMTST_DEFINE();
int
main(int argc, char **argv)
{
nmtst_init(&argc, &argv, TRUE);
g_test_add_func("/core/keyfile/encode_key", test_encode_key);
g_test_add_func("/core/keyfile/test_8021x_cert", test_8021x_cert);
g_test_add_func("/core/keyfile/test_8021x_cert_tpm2key", test_8021x_cert_tpm2key);
g_test_add_func("/core/keyfile/test_8021x_cert_read", test_8021x_cert_read);
g_test_add_func("/core/keyfile/test_team_conf_read/valid", test_team_conf_read_valid);
g_test_add_func("/core/keyfile/test_team_conf_read/invalid", test_team_conf_read_invalid);
g_test_add_func("/core/keyfile/test_user/1", test_user_1);
g_test_add_func("/core/keyfile/test_vpn/1", test_vpn_1);
g_test_add_func("/core/keyfile/bridge/vlans", test_bridge_vlans);
g_test_add_func("/core/keyfile/bridge-port/vlans", test_bridge_port_vlans);
g_test_add_func("/core/keyfile/invalid-option", test_invalid_option);
return g_test_run();
}
Reference in a new issue View git blame Copy permalink