Review Board 1.7.16


ACL unit tests

Review Request #532 - Created Feb. 25, 2010 and submitted

Mark Michelson
/trunk
Reviewers
asterisk-dev
Asterisk
There are two unit tests contained here.

1. "Invalid ACL" This attempts to read a bunch of badly formatted ACL entries and add them to a host access rule. The goal of this test is to be sure that all invalid entries are rejected as they should be.

2. "ACL" This sets up four ACLs. One is a permit all, one is a deny all, and the other two have specific rules about which subnets are allowed and which are not. Then a set of test addresses is used to determine whether we would allow those addresses to access us when each ACL is applied. This test, by the way, was what resulted in AST-2010-003's creation.
Both tests run and pass.

Diff revision 1 (Latest)

  1. /trunk/tests/test_acl.c: Loading...
/trunk/tests/test_acl.c
New File

    
   
1
/*

    
   
2
 * Asterisk -- An open source telephony toolkit.

    
   
3
 *

    
   
4
 * Copyright (C) 2010, Digium, Inc.

    
   
5
 *

    
   
6
 * Mark Michelson <mmichelson@digium.com>

    
   
7
 *

    
   
8
 * See http://www.asterisk.org for more information about

    
   
9
 * the Asterisk project. Please do not directly contact

    
   
10
 * any of the maintainers of this project for assistance;

    
   
11
 * the project provides a web site, mailing lists and IRC

    
   
12
 * channels for your use.

    
   
13
 *

    
   
14
 * This program is free software, distributed under the terms of

    
   
15
 * the GNU General Public License Version 2. See the LICENSE file

    
   
16
 * at the top of the source tree.

    
   
17
 */

    
   
18

   

    
   
19
/*!

    
   
20
 * \file

    
   
21
 * \brief ACL unit tests

    
   
22
 *

    
   
23
 * \author Mark Michelson <mmichelson@digium.com>

    
   
24
 *

    
   
25
 */

    
   
26

   

    
   
27
/*** MODULEINFO

    
   
28
	<depend>TEST_FRAMEWORK</depend>

    
   
29
 ***/

    
   
30

   

    
   
31
#include "asterisk.h"

    
   
32
#include "asterisk/test.h"

    
   
33
#include "asterisk/acl.h"

    
   
34
#include "asterisk/module.h"

    
   
35

   

    
   
36
AST_TEST_DEFINE(invalid_acl)

    
   
37
{

    
   
38
	const char * invalid_acls[] = {

    
   
39
		"1.3.3.7/-1",

    
   
40
		"1.3.3.7/33",

    
   
41
		"1.3.3.7/92342348927389492307420",

    
   
42
		"1.3.3.7/California",

    
   
43
		"1.3.3.7/255.255.255.255.255",

    
   
44
		"57.60.278.900/31",

    
   
45
		"400.32.201029.-6/24",

    
   
46
		"EGGSOFDEATH/4000",

    
   
47
		"33.4.7.8.3/300030",

    
   
48
		"1.2.3.4/6.7.8.9.0",

    
   
49
		"3.1.4.1.5.9/3",

    
   
50
	};

    
   
51

   

    
   
52
	struct ast_ha *ha = NULL;

    
   
53
	int i;

    
   
54

   

    
   
55
	switch (cmd) {

    
   
56
	case TEST_INIT:

    
   
57
		info->name = "invalid_acl";

    
   
58
		info->category = "main/acl/";

    
   
59
		info->summary = "Invalid ACL unit test";

    
   
60
		info->description =

    
   
61
			"Ensures that garbage ACL values are not accepted";

    
   
62
		return AST_TEST_NOT_RUN;

    
   
63
	case TEST_EXECUTE:

    
   
64
		break;

    
   
65
	}

    
   
66

   

    
   
67
	for (i = 0; i < ARRAY_LEN(invalid_acls); ++i) {

    
   
68
		int err = 0;

    
   
69
		ha = ast_append_ha("permit", invalid_acls[i], ha, &err);

    
   
70
		if (ha || !err) {

    
   
71
			ast_test_status_update(test, "ACL %s accepted even though it is total garbage.\n",

    
   
72
					invalid_acls[i]);

    
   
73
			if (ha) {

    
   
74
				ast_free_ha(ha);

    
   
75
			}

    
   
76
			return AST_TEST_FAIL;

    
   
77
		}

    
   
78
	}

    
   
79

   

    
   
80
	return AST_TEST_PASS;

    
   
81
}

    
   
82

   

    
   
83
struct acl {

    
   
84
	const char *host;

    
   
85
	const char *access;

    
   
86
};

    
   
87

   

    
   
88
AST_TEST_DEFINE(acl) {

    
   
89
	struct acl permitall = { "0.0.0.0/0", "permit" };

    
   
90
	struct acl denyall = { "0.0.0.0/0", "deny" };

    
   
91
	struct acl acl1[] = {

    
   
92
		{ "0.0.0.0/0.0.0.0", "deny" },

    
   
93
		{ "10.0.0.0/255.0.0.0", "permit" },

    
   
94
		{ "192.168.0.0/255.255.255.0", "permit" },

    
   
95
	};

    
   
96
	struct acl acl2[] = {

    
   
97
		{ "10.0.0.0/8", "deny" },

    
   
98
		{ "10.0.0.0/8", "permit" },

    
   
99
		{ "10.0.0.0/16", "deny" },

    
   
100
		{ "10.0.0.0/24", "permit" },

    
   
101
	};

    
   
102

   

    
   
103
	struct {

    
   
104
		const char *test_address;

    
   
105
		int acl1_result;

    
   
106
		int acl2_result;

    
   
107
	} acl_tests[] = {

    
   
108
		{ "10.1.1.5", AST_SENSE_ALLOW, AST_SENSE_ALLOW },

    
   
109
		{ "192.168.0.5", AST_SENSE_ALLOW, AST_SENSE_ALLOW },

    
   
110
		{ "192.168.1.5", AST_SENSE_DENY, AST_SENSE_ALLOW },

    
   
111
		{ "10.0.0.1", AST_SENSE_ALLOW, AST_SENSE_ALLOW },

    
   
112
		{ "10.0.10.10", AST_SENSE_ALLOW, AST_SENSE_DENY },

    
   
113
		{ "172.16.0.1", AST_SENSE_DENY, AST_SENSE_ALLOW },

    
   
114
	};

    
   
115

   

    
   
116
	struct ast_ha *permit_ha = NULL;

    
   
117
	struct ast_ha *deny_ha = NULL;

    
   
118
	struct ast_ha *ha1 = NULL;

    
   
119
	struct ast_ha *ha2 = NULL;

    
   
120
	enum ast_test_result_state res = AST_TEST_PASS;

    
   
121
	int err = 0;

    
   
122
	int i;

    
   
123
	

    
   
124
	switch (cmd) {

    
   
125
	case TEST_INIT:

    
   
126
		info->name = "acl";

    
   
127
		info->category = "main/acl/";

    
   
128
		info->summary = "ACL unit test";

    
   
129
		info->description =

    
   
130
			"Tests that hosts are properly permitted or denied";

    
   
131
		return AST_TEST_NOT_RUN;

    
   
132
	case TEST_EXECUTE:

    
   
133
		break;

    
   
134
	}

    
   
135

   

    
   
136
	if (!(permit_ha = ast_append_ha(permitall.access, permitall.host, permit_ha, &err))) {

    
   
137
		ast_test_status_update(test, "Failed to create permit_all ACL\n");

    
   
138
		res = AST_TEST_FAIL;

    
   
139
		goto acl_cleanup;

    
   
140
	}

    
   
141

   

    
   
142
	if (!(deny_ha = ast_append_ha(denyall.access, denyall.host, deny_ha, &err))) {

    
   
143
		ast_test_status_update(test, "Failed to create deny_all ACL\n");

    
   
144
		res = AST_TEST_FAIL;

    
   
145
		goto acl_cleanup;

    
   
146
	}

    
   
147

   

    
   
148
	for (i = 0; i < ARRAY_LEN(acl1); ++i) {

    
   
149
		if (!(ha1 = ast_append_ha(acl1[i].access, acl1[i].host, ha1, &err))) {

    
   
150
			ast_test_status_update(test, "Failed to add rule %s with access %s to ha1\n",

    
   
151
					acl1[i].host, acl1[i].access);

    
   
152
			res = AST_TEST_FAIL;

    
   
153
			goto acl_cleanup;

    
   
154
		}

    
   
155
	}

    
   
156

   

    
   
157
	for (i = 0; i < ARRAY_LEN(acl2); ++i) {

    
   
158
		if (!(ha2 = ast_append_ha(acl2[i].access, acl2[i].host, ha2, &err))) {

    
   
159
			ast_test_status_update(test, "Failed to add rule %s with access %s to ha2\n",

    
   
160
					acl2[i].host, acl2[i].access);

    
   
161
			res = AST_TEST_FAIL;

    
   
162
			goto acl_cleanup;

    
   
163
		}

    
   
164
	}

    
   
165

   

    
   
166
	for (i = 0; i < ARRAY_LEN(acl_tests); ++i) {

    
   
167
		struct sockaddr_in sin;

    
   
168
		int permit_res;

    
   
169
		int deny_res;

    
   
170
		int acl1_res;

    
   
171
		int acl2_res;

    
   
172

   

    
   
173
		inet_aton(acl_tests[i].test_address, &sin.sin_addr);

    
   
174

   

    
   
175
		permit_res = ast_apply_ha(permit_ha, &sin);

    
   
176
		deny_res = ast_apply_ha(deny_ha, &sin);

    
   
177
		acl1_res = ast_apply_ha(ha1, &sin);

    
   
178
		acl2_res = ast_apply_ha(ha2, &sin);

    
   
179

   

    
   
180
		if (permit_res != AST_SENSE_ALLOW) {

    
   
181
			ast_test_status_update(test, "Access denied to %s on permit_all ACL\n",

    
   
182
					acl_tests[i].test_address);

    
   
183
			res = AST_TEST_FAIL;

    
   
184
			goto acl_cleanup;

    
   
185
		}

    
   
186

   

    
   
187
		if (deny_res != AST_SENSE_DENY) {

    
   
188
			ast_test_status_update(test, "Access allowed to %s on deny_all ACL\n",

    
   
189
					acl_tests[i].test_address);

    
   
190
			res = AST_TEST_FAIL;

    
   
191
			goto acl_cleanup;

    
   
192
		}

    
   
193

   

    
   
194
		if (acl1_res != acl_tests[i].acl1_result) {

    
   
195
			ast_test_status_update(test, "Access not as expected to %s on acl1. Expected %d but"

    
   
196
					"got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl1_result, acl1_res);

    
   
197
			res = AST_TEST_FAIL;

    
   
198
			goto acl_cleanup;

    
   
199
		}

    
   
200

   

    
   
201
		if (acl2_res != acl_tests[i].acl2_result) {

    
   
202
			ast_test_status_update(test, "Access not as expected to %s on acl2. Expected %d but"

    
   
203
					"got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl2_result, acl2_res);

    
   
204
			res = AST_TEST_FAIL;

    
   
205
			goto acl_cleanup;

    
   
206
		}

    
   
207
	}

    
   
208

   

    
   
209
acl_cleanup:

    
   
210
	if (permit_ha) {

    
   
211
		ast_free_ha(permit_ha);

    
   
212
	}

    
   
213
	if (deny_ha) {

    
   
214
		ast_free_ha(deny_ha);

    
   
215
	}

    
   
216
	if (ha1) {

    
   
217
		ast_free_ha(ha1);

    
   
218
	}

    
   
219
	if (ha1) {

    
   
220
		ast_free_ha(ha2);

    
   
221
	}

    
   
222
	return res;

    
   
223
}

    
   
224

   

    
   
225
static int unload_module(void)

    
   
226
{

    
   
227
	AST_TEST_UNREGISTER(invalid_acl);

    
   
228
	AST_TEST_UNREGISTER(acl);

    
   
229
	return 0;

    
   
230
}

    
   
231

   

    
   
232
static int load_module(void)

    
   
233
{

    
   
234
	AST_TEST_REGISTER(invalid_acl);

    
   
235
	AST_TEST_REGISTER(acl);

    
   
236
	return AST_MODULE_LOAD_SUCCESS;

    
   
237
}

    
   
238

   

    
   
239
AST_MODULE_INFO_STANDARD(ASTERISK_GPL_KEY, "ACL test module");
  1. /trunk/tests/test_acl.c: Loading...

https://reviewboard.asterisk.org/ runs on a server provided by Digium, Inc. and uses bandwidth donated to the open source Asterisk community by API Digital Communications in Huntsville, AL USA.
Please report problems with this site to asteriskteam@digium.com.