test_acl.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452
  1. /*
  2. * Asterisk -- An open source telephony toolkit.
  3. *
  4. * Copyright (C) 2010, Digium, Inc.
  5. *
  6. * Mark Michelson <mmichelson@digium.com>
  7. *
  8. * See http://www.asterisk.org for more information about
  9. * the Asterisk project. Please do not directly contact
  10. * any of the maintainers of this project for assistance;
  11. * the project provides a web site, mailing lists and IRC
  12. * channels for your use.
  13. *
  14. * This program is free software, distributed under the terms of
  15. * the GNU General Public License Version 2. See the LICENSE file
  16. * at the top of the source tree.
  17. */
  18. /*!
  19. * \file
  20. * \brief ACL unit tests
  21. *
  22. * \author Mark Michelson <mmichelson@digium.com>
  23. *
  24. */
  25. /*** MODULEINFO
  26. <depend>TEST_FRAMEWORK</depend>
  27. <support_level>core</support_level>
  28. ***/
  29. #include "asterisk.h"
  30. ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
  31. #include "asterisk/test.h"
  32. #include "asterisk/acl.h"
  33. #include "asterisk/module.h"
  34. #include "asterisk/netsock2.h"
  35. #include "asterisk/config.h"
  36. AST_TEST_DEFINE(invalid_acl)
  37. {
  38. const char * invalid_acls[] = {
  39. /* Negative netmask */
  40. "1.3.3.7/-1",
  41. /* Netmask too large */
  42. "1.3.3.7/33",
  43. /* Netmask waaaay too large */
  44. "1.3.3.7/92342348927389492307420",
  45. /* Netmask non-numeric */
  46. "1.3.3.7/California",
  47. /* Too many octets in Netmask */
  48. "1.3.3.7/255.255.255.255.255",
  49. /* Octets in IP address exceed 255 */
  50. "57.60.278.900/31",
  51. /* Octets in IP address exceed 255 and are negative */
  52. "400.32.201029.-6/24",
  53. /* Invalidly formatted IP address */
  54. "EGGSOFDEATH/4000",
  55. /* Too many octets in IP address */
  56. "33.4.7.8.3/300030",
  57. /* Too many octets in Netmask */
  58. "1.2.3.4/6.7.8.9.0",
  59. /* Too many octets in IP address */
  60. "3.1.4.1.5.9/3",
  61. /* IPv6 address has multiple double colons */
  62. "ff::ff::ff/3",
  63. /* IPv6 address is too long */
  64. "1234:5678:90ab:cdef:1234:5678:90ab:cdef:1234/56",
  65. /* IPv6 netmask is too large */
  66. "::ffff/129",
  67. /* IPv4-mapped IPv6 address has too few octets */
  68. "::ffff:255.255.255/128",
  69. /* Leading and trailing colons for IPv6 address */
  70. ":1234:/15",
  71. /* IPv6 address and IPv4 netmask */
  72. "fe80::1234/255.255.255.0",
  73. };
  74. enum ast_test_result_state res = AST_TEST_PASS;
  75. struct ast_ha *ha = NULL;
  76. int i;
  77. switch (cmd) {
  78. case TEST_INIT:
  79. info->name = "invalid_acl";
  80. info->category = "/main/acl/";
  81. info->summary = "Invalid ACL unit test";
  82. info->description =
  83. "Ensures that garbage ACL values are not accepted";
  84. return AST_TEST_NOT_RUN;
  85. case TEST_EXECUTE:
  86. break;
  87. }
  88. for (i = 0; i < ARRAY_LEN(invalid_acls); ++i) {
  89. int err = 0;
  90. ha = ast_append_ha("permit", invalid_acls[i], ha, &err);
  91. if (ha || !err) {
  92. ast_test_status_update(test, "ACL %s accepted even though it is total garbage.\n",
  93. invalid_acls[i]);
  94. if (ha) {
  95. ast_free_ha(ha);
  96. }
  97. res = AST_TEST_FAIL;
  98. }
  99. }
  100. return res;
  101. }
  102. struct acl {
  103. const char *host;
  104. const char *access;
  105. };
  106. /* These constants are defined for the sole purpose of being shorter
  107. * than their real names. It makes lines in this test quite a bit shorter
  108. */
  109. #define TACL_A AST_SENSE_ALLOW
  110. #define TACL_D AST_SENSE_DENY
  111. static int build_ha(const struct acl *acl, size_t len, struct ast_ha **ha, const char *acl_name, int *err, struct ast_test *test, enum ast_test_result_state *res)
  112. {
  113. size_t i;
  114. for (i = 0; i < len; ++i) {
  115. if (!(*ha = ast_append_ha(acl[i].access, acl[i].host, *ha, err))) {
  116. ast_test_status_update(test, "Failed to add rule %s with access %s to %s\n",
  117. acl[i].host, acl[i].access, acl_name);
  118. *res = AST_TEST_FAIL;
  119. return -1;
  120. }
  121. }
  122. return 0;
  123. }
  124. AST_TEST_DEFINE(acl)
  125. {
  126. struct acl permitallv4 = { "0.0.0.0/0", "permit" };
  127. struct acl denyallv4 = { "0.0.0.0/0", "deny" };
  128. struct acl permitallv6 = { "::/0", "permit" };
  129. struct acl denyallv6 = { "::/0", "deny" };
  130. struct acl acl1[] = {
  131. { "0.0.0.0/0.0.0.0", "deny" },
  132. { "10.0.0.0/255.0.0.0", "permit" },
  133. { "192.168.0.0/255.255.255.0", "permit" },
  134. };
  135. struct acl acl2[] = {
  136. { "10.0.0.0/8", "deny" },
  137. { "10.0.0.0/8", "permit" },
  138. { "10.0.0.0/16", "deny" },
  139. { "10.0.0.0/24", "permit" },
  140. };
  141. struct acl acl3[] = {
  142. { "::/0", "deny" },
  143. { "fe80::/64", "permit" },
  144. };
  145. struct acl acl4[] = {
  146. { "::/0", "deny" },
  147. { "fe80::/64", "permit" },
  148. { "fe80::ffff:0:0:0/80", "deny" },
  149. { "fe80::ffff:0:ffff:0/112", "permit" },
  150. };
  151. struct acl acl5[] = {
  152. { "0.0.0.0/0.0.0.0", "deny" },
  153. { "10.0.0.0/255.0.0.0,192.168.0.0/255.255.255.0", "permit" },
  154. };
  155. struct acl acl6[] = {
  156. { "10.0.0.0/8", "deny" },
  157. { "10.0.0.0/8", "permit" },
  158. { "10.0.0.0/16,!10.0.0.0/24", "deny" },
  159. };
  160. struct acl acl7[] = {
  161. { "::/0,!fe80::/64", "deny" },
  162. { "fe80::ffff:0:0:0/80", "deny" },
  163. { "fe80::ffff:0:ffff:0/112", "permit" },
  164. };
  165. struct {
  166. const char *test_address;
  167. int v4_permitall_result;
  168. int v4_denyall_result;
  169. int v6_permitall_result;
  170. int v6_denyall_result;
  171. int acl1_result;
  172. int acl2_result;
  173. int acl3_result;
  174. int acl4_result;
  175. int acl5_result;
  176. int acl6_result;
  177. int acl7_result;
  178. } acl_tests[] = {
  179. { "10.1.1.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
  180. { "192.168.0.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
  181. { "192.168.1.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A },
  182. { "10.0.0.1", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
  183. { "10.0.10.10", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A },
  184. { "172.16.0.1", TACL_A, TACL_D, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A },
  185. { "fe80::1234", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
  186. { "fe80::ffff:1213:dead:beef", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_D },
  187. { "fe80::ffff:0:ffff:ABCD", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
  188. };
  189. struct ast_ha *permit_hav4 = NULL;
  190. struct ast_ha *deny_hav4 = NULL;
  191. struct ast_ha *permit_hav6 = NULL;
  192. struct ast_ha *deny_hav6 = NULL;
  193. struct ast_ha *ha1 = NULL;
  194. struct ast_ha *ha2 = NULL;
  195. struct ast_ha *ha3 = NULL;
  196. struct ast_ha *ha4 = NULL;
  197. struct ast_ha *ha5 = NULL;
  198. struct ast_ha *ha6 = NULL;
  199. struct ast_ha *ha7 = NULL;
  200. enum ast_test_result_state res = AST_TEST_PASS;
  201. int err = 0;
  202. int i;
  203. switch (cmd) {
  204. case TEST_INIT:
  205. info->name = "acl";
  206. info->category = "/main/acl/";
  207. info->summary = "ACL unit test";
  208. info->description =
  209. "Tests that hosts are properly permitted or denied";
  210. return AST_TEST_NOT_RUN;
  211. case TEST_EXECUTE:
  212. break;
  213. }
  214. if (!(permit_hav4 = ast_append_ha(permitallv4.access, permitallv4.host, permit_hav4, &err))) {
  215. ast_test_status_update(test, "Failed to create permit_all ACL\n");
  216. res = AST_TEST_FAIL;
  217. goto acl_cleanup;
  218. }
  219. if (!(deny_hav4 = ast_append_ha(denyallv4.access, denyallv4.host, deny_hav4, &err))) {
  220. ast_test_status_update(test, "Failed to create deny_all ACL\n");
  221. res = AST_TEST_FAIL;
  222. goto acl_cleanup;
  223. }
  224. if (!(permit_hav6 = ast_append_ha(permitallv6.access, permitallv6.host, permit_hav6, &err))) {
  225. ast_test_status_update(test, "Failed to create permit_all ACL\n");
  226. res = AST_TEST_FAIL;
  227. goto acl_cleanup;
  228. }
  229. if (!(deny_hav6 = ast_append_ha(denyallv6.access, denyallv6.host, deny_hav6, &err))) {
  230. ast_test_status_update(test, "Failed to create deny_all ACL\n");
  231. res = AST_TEST_FAIL;
  232. goto acl_cleanup;
  233. }
  234. if (build_ha(acl1, ARRAY_LEN(acl1), &ha1, "ha1", &err, test, &res) != 0) {
  235. goto acl_cleanup;
  236. }
  237. if (build_ha(acl2, ARRAY_LEN(acl2), &ha2, "ha2", &err, test, &res) != 0) {
  238. goto acl_cleanup;
  239. }
  240. if (build_ha(acl3, ARRAY_LEN(acl3), &ha3, "ha3", &err, test, &res) != 0) {
  241. goto acl_cleanup;
  242. }
  243. if (build_ha(acl4, ARRAY_LEN(acl4), &ha4, "ha4", &err, test, &res) != 0) {
  244. goto acl_cleanup;
  245. }
  246. if (build_ha(acl5, ARRAY_LEN(acl5), &ha5, "ha5", &err, test, &res) != 0) {
  247. goto acl_cleanup;
  248. }
  249. if (build_ha(acl6, ARRAY_LEN(acl6), &ha6, "ha6", &err, test, &res) != 0) {
  250. goto acl_cleanup;
  251. }
  252. if (build_ha(acl7, ARRAY_LEN(acl7), &ha7, "ha7", &err, test, &res) != 0) {
  253. goto acl_cleanup;
  254. }
  255. for (i = 0; i < ARRAY_LEN(acl_tests); ++i) {
  256. struct ast_sockaddr addr;
  257. int permit_resv4;
  258. int permit_resv6;
  259. int deny_resv4;
  260. int deny_resv6;
  261. int acl1_res;
  262. int acl2_res;
  263. int acl3_res;
  264. int acl4_res;
  265. int acl5_res;
  266. int acl6_res;
  267. int acl7_res;
  268. ast_sockaddr_parse(&addr, acl_tests[i].test_address, PARSE_PORT_FORBID);
  269. permit_resv4 = ast_apply_ha(permit_hav4, &addr);
  270. deny_resv4 = ast_apply_ha(deny_hav4, &addr);
  271. permit_resv6 = ast_apply_ha(permit_hav6, &addr);
  272. deny_resv6 = ast_apply_ha(deny_hav6, &addr);
  273. acl1_res = ast_apply_ha(ha1, &addr);
  274. acl2_res = ast_apply_ha(ha2, &addr);
  275. acl3_res = ast_apply_ha(ha3, &addr);
  276. acl4_res = ast_apply_ha(ha4, &addr);
  277. acl5_res = ast_apply_ha(ha5, &addr);
  278. acl6_res = ast_apply_ha(ha6, &addr);
  279. acl7_res = ast_apply_ha(ha7, &addr);
  280. if (permit_resv4 != acl_tests[i].v4_permitall_result) {
  281. ast_test_status_update(test, "Access not as expected to %s on permitallv4. Expected %d but "
  282. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].v4_permitall_result, permit_resv4);
  283. res = AST_TEST_FAIL;
  284. goto acl_cleanup;
  285. }
  286. if (deny_resv4 != acl_tests[i].v4_denyall_result) {
  287. ast_test_status_update(test, "Access not as expected to %s on denyallv4. Expected %d but "
  288. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].v4_denyall_result, deny_resv4);
  289. res = AST_TEST_FAIL;
  290. goto acl_cleanup;
  291. }
  292. if (permit_resv6 != acl_tests[i].v6_permitall_result) {
  293. ast_test_status_update(test, "Access not as expected to %s on permitallv6. Expected %d but "
  294. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].v6_permitall_result, permit_resv6);
  295. res = AST_TEST_FAIL;
  296. goto acl_cleanup;
  297. }
  298. if (deny_resv6 != acl_tests[i].v6_denyall_result) {
  299. ast_test_status_update(test, "Access not as expected to %s on denyallv6. Expected %d but "
  300. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].v6_denyall_result, deny_resv6);
  301. res = AST_TEST_FAIL;
  302. goto acl_cleanup;
  303. }
  304. if (acl1_res != acl_tests[i].acl1_result) {
  305. ast_test_status_update(test, "Access not as expected to %s on acl1. Expected %d but "
  306. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl1_result, acl1_res);
  307. res = AST_TEST_FAIL;
  308. goto acl_cleanup;
  309. }
  310. if (acl2_res != acl_tests[i].acl2_result) {
  311. ast_test_status_update(test, "Access not as expected to %s on acl2. Expected %d but "
  312. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl2_result, acl2_res);
  313. res = AST_TEST_FAIL;
  314. goto acl_cleanup;
  315. }
  316. if (acl3_res != acl_tests[i].acl3_result) {
  317. ast_test_status_update(test, "Access not as expected to %s on acl3. Expected %d but "
  318. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl3_result, acl3_res);
  319. res = AST_TEST_FAIL;
  320. goto acl_cleanup;
  321. }
  322. if (acl4_res != acl_tests[i].acl4_result) {
  323. ast_test_status_update(test, "Access not as expected to %s on acl4. Expected %d but "
  324. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl4_result, acl4_res);
  325. res = AST_TEST_FAIL;
  326. goto acl_cleanup;
  327. }
  328. if (acl5_res != acl_tests[i].acl5_result) {
  329. ast_test_status_update(test, "Access not as expected to %s on acl5. Expected %d but "
  330. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl5_result, acl5_res);
  331. res = AST_TEST_FAIL;
  332. goto acl_cleanup;
  333. }
  334. if (acl6_res != acl_tests[i].acl6_result) {
  335. ast_test_status_update(test, "Access not as expected to %s on acl6. Expected %d but "
  336. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl6_result, acl6_res);
  337. res = AST_TEST_FAIL;
  338. goto acl_cleanup;
  339. }
  340. if (acl7_res != acl_tests[i].acl7_result) {
  341. ast_test_status_update(test, "Access not as expected to %s on acl7. Expected %d but "
  342. "got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl7_result, acl7_res);
  343. res = AST_TEST_FAIL;
  344. goto acl_cleanup;
  345. }
  346. }
  347. acl_cleanup:
  348. if (permit_hav4) {
  349. ast_free_ha(permit_hav4);
  350. }
  351. if (deny_hav4) {
  352. ast_free_ha(deny_hav4);
  353. }
  354. if (permit_hav6) {
  355. ast_free_ha(permit_hav6);
  356. }
  357. if (deny_hav6) {
  358. ast_free_ha(deny_hav6);
  359. }
  360. if (ha1) {
  361. ast_free_ha(ha1);
  362. }
  363. if (ha2) {
  364. ast_free_ha(ha2);
  365. }
  366. if (ha3) {
  367. ast_free_ha(ha3);
  368. }
  369. if (ha4) {
  370. ast_free_ha(ha4);
  371. }
  372. if (ha5) {
  373. ast_free_ha(ha5);
  374. }
  375. if (ha6) {
  376. ast_free_ha(ha6);
  377. }
  378. if (ha7) {
  379. ast_free_ha(ha7);
  380. }
  381. return res;
  382. }
  383. static int unload_module(void)
  384. {
  385. AST_TEST_UNREGISTER(invalid_acl);
  386. AST_TEST_UNREGISTER(acl);
  387. return 0;
  388. }
  389. static int load_module(void)
  390. {
  391. AST_TEST_REGISTER(invalid_acl);
  392. AST_TEST_REGISTER(acl);
  393. return AST_MODULE_LOAD_SUCCESS;
  394. }
  395. AST_MODULE_INFO_STANDARD(ASTERISK_GPL_KEY, "ACL test module");