Path: blob/main/plugins/python/regress/check_python_examples.c
3866 views
/*1* SPDX-License-Identifier: ISC2*3* Copyright (c) 2020 Robert Manner <[email protected]>4*5* Permission to use, copy, modify, and distribute this software for any6* purpose with or without fee is hereby granted, provided that the above7* copyright notice and this permission notice appear in all copies.8*9* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES10* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF11* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR12* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES13* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN14* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF15* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.16*/1718#include "testhelpers.h"19#include <unistd.h>2021#include <sudo_dso.h>2223#define DECL_PLUGIN(type, variable_name) \24static struct type *variable_name = NULL; \25static struct type variable_name ## _original2627#define RESTORE_PYTHON_PLUGIN(variable_name) \28memcpy(variable_name, &(variable_name ## _original), sizeof(variable_name ## _original))2930#define SAVE_PYTHON_PLUGIN(variable_name) \31memcpy(&(variable_name ## _original), variable_name, sizeof(variable_name ## _original))3233static const char *python_plugin_so_path = NULL;34static void *python_plugin_handle = NULL;35DECL_PLUGIN(io_plugin, python_io);36DECL_PLUGIN(policy_plugin, python_policy);37DECL_PLUGIN(approval_plugin, python_approval);38DECL_PLUGIN(audit_plugin, python_audit);39DECL_PLUGIN(sudoers_group_plugin, group_plugin);4041static struct passwd example_pwd;42static bool verbose;4344static int _init_symbols(void);45static int _unlink_symbols(void);4647static void48create_plugin_options(const char *module_name, const char *class_name, const char *extra_option)49{50char opt_module_path[PATH_MAX + 256];51char opt_classname[PATH_MAX + 256];52snprintf(opt_module_path, sizeof(opt_module_path),53"ModulePath=" SRC_DIR "/%s.py", module_name);5455snprintf(opt_classname, sizeof(opt_classname), "ClassName=%s", class_name);5657str_array_free(&data.plugin_options);58size_t count = 3 + (extra_option != NULL);59data.plugin_options = create_str_array(count, opt_module_path,60opt_classname, extra_option, NULL);61}6263static void64create_io_plugin_options(const char *log_path)65{66char opt_logpath[PATH_MAX + 16];67snprintf(opt_logpath, sizeof(opt_logpath), "LogPath=%s", log_path);68create_plugin_options("example_io_plugin", "SudoIOPlugin", opt_logpath);69}7071static void72create_debugging_plugin_options(void)73{74create_plugin_options("example_debugging", "DebugDemoPlugin", NULL);75}7677static void78create_audit_plugin_options(const char *extra_argument)79{80create_plugin_options("example_audit_plugin", "SudoAuditPlugin", extra_argument);81}8283static void84create_conversation_plugin_options(void)85{86char opt_logpath[PATH_MAX + 16];87snprintf(opt_logpath, sizeof(opt_logpath), "LogPath=%s", data.tmp_dir);88create_plugin_options("example_conversation", "ReasonLoggerIOPlugin", opt_logpath);89}9091static void92create_policy_plugin_options(void)93{94create_plugin_options("example_policy_plugin", "SudoPolicyPlugin", NULL);95}9697static int98init(void)99{100// always start each test from clean state101memset(&data, 0, sizeof(data));102103memset(&example_pwd, 0, sizeof(example_pwd));104example_pwd.pw_name = (char *)"pw_name";105example_pwd.pw_passwd = (char *)"pw_passwd";106example_pwd.pw_gecos = (char *)"pw_gecos";107example_pwd.pw_shell = (char *)"pw_shell";108example_pwd.pw_dir = (char *)"pw_dir";109example_pwd.pw_uid = (uid_t)1001;110example_pwd.pw_gid = (gid_t)101;111112VERIFY_TRUE(asprintf(&data.tmp_dir, TEMP_PATH_TEMPLATE) >= 0);113VERIFY_NOT_NULL(mkdtemp(data.tmp_dir));114115sudo_conf_clear_paths();116117// some default values for the plugin open:118data.settings = create_str_array(1, NULL);119data.user_info = create_str_array(1, NULL);120data.command_info = create_str_array(1, NULL);121data.plugin_argc = 0;122data.plugin_argv = create_str_array(1, NULL);123data.user_env = create_str_array(1, NULL);124125VERIFY_TRUE(_init_symbols());126return true;127}128129static int130cleanup(int success)131{132if (!success) {133printf("\nThe output of the plugin:\n%s", data.stdout_str);134printf("\nThe error output of the plugin:\n%s", data.stderr_str);135}136137VERIFY_TRUE(rmdir_recursive(data.tmp_dir));138if (data.tmp_dir2) {139VERIFY_TRUE(rmdir_recursive(data.tmp_dir2));140}141142free(data.tmp_dir);143free(data.tmp_dir2);144145str_array_free(&data.settings);146str_array_free(&data.user_info);147str_array_free(&data.command_info);148str_array_free(&data.plugin_argv);149str_array_free(&data.user_env);150str_array_free(&data.plugin_options);151152return true;153}154155static int156check_example_io_plugin_version_display(int is_verbose)157{158const char *errstr = NULL;159create_io_plugin_options(data.tmp_dir);160161VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,162data.user_info, data.command_info, data.plugin_argc, data.plugin_argv, data.user_env,163data.plugin_options, &errstr), SUDO_RC_OK);164VERIFY_INT(python_io->show_version(is_verbose), SUDO_RC_OK);165166python_io->close(0, 0); // this should not call the python plugin close as there was no command run invocation167168if (is_verbose) {169// Note: the exact python version is environment dependent170VERIFY_STR_CONTAINS(data.stdout_str, "Python interpreter version:");171*strstr(data.stdout_str, "Python interpreter version:") = '\0';172VERIFY_STDOUT(expected_path("check_example_io_plugin_version_display_full.stdout"));173} else {174VERIFY_STDOUT(expected_path("check_example_io_plugin_version_display.stdout"));175}176177VERIFY_STDERR(expected_path("check_example_io_plugin_version_display.stderr"));178VERIFY_FILE("sudo.log", expected_path("check_example_io_plugin_version_display.stored"));179180return true;181}182183static int184check_example_io_plugin_command_log(void)185{186const char *errstr = NULL;187create_io_plugin_options(data.tmp_dir);188189str_array_free(&data.plugin_argv);190data.plugin_argc = 2;191data.plugin_argv = create_str_array(3, "id", "--help", NULL);192193str_array_free(&data.command_info);194data.command_info = create_str_array(3, "command=/bin/id", "runas_uid=0", NULL);195196VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,197data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,198data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);199VERIFY_PTR(errstr, NULL);200VERIFY_INT(python_io->log_stdin("some standard input", strlen("some standard input"), &errstr), SUDO_RC_OK);201VERIFY_PTR(errstr, NULL);202VERIFY_INT(python_io->log_stdout("some standard output", strlen("some standard output"), &errstr), SUDO_RC_OK);203VERIFY_PTR(errstr, NULL);204VERIFY_INT(python_io->log_stderr("some standard error", strlen("some standard error"), &errstr), SUDO_RC_OK);205VERIFY_PTR(errstr, NULL);206VERIFY_INT(python_io->log_suspend(SIGTSTP, &errstr), SUDO_RC_OK);207VERIFY_PTR(errstr, NULL);208VERIFY_INT(python_io->log_suspend(SIGCONT, &errstr), SUDO_RC_OK);209VERIFY_PTR(errstr, NULL);210VERIFY_INT(python_io->change_winsize(200, 100, &errstr), SUDO_RC_OK);211VERIFY_PTR(errstr, NULL);212VERIFY_INT(python_io->log_ttyin("some tty input", strlen("some tty input"), &errstr), SUDO_RC_OK);213VERIFY_PTR(errstr, NULL);214VERIFY_INT(python_io->log_ttyout("some tty output", strlen("some tty output"), &errstr), SUDO_RC_OK);215VERIFY_PTR(errstr, NULL);216217python_io->close(1, 0); // successful execution, command returned 1218219VERIFY_STDOUT(expected_path("check_example_io_plugin_command_log.stdout"));220VERIFY_STDERR(expected_path("check_example_io_plugin_command_log.stderr"));221VERIFY_FILE("sudo.log", expected_path("check_example_io_plugin_command_log.stored"));222223return true;224}225226typedef struct io_plugin * (io_clone_func)(void);227228static int229check_example_io_plugin_command_log_multiple(void)230{231const char *errstr = NULL;232233// verify multiple python io plugin symbols are available234io_clone_func *python_io_clone = (io_clone_func *)sudo_dso_findsym(python_plugin_handle, "python_io_clone");235VERIFY_PTR_NE(python_io_clone, NULL);236237struct io_plugin *python_io2 = NULL;238239for (int i = 0; i < 7; ++i) {240python_io2 = (*python_io_clone)();241VERIFY_PTR_NE(python_io2, NULL);242VERIFY_PTR_NE(python_io2, python_io);243}244245// open the first plugin and let it log to tmp_dir246create_io_plugin_options(data.tmp_dir);247248str_array_free(&data.plugin_argv);249data.plugin_argc = 2;250data.plugin_argv = create_str_array(3, "id", "--help", NULL);251252str_array_free(&data.command_info);253data.command_info = create_str_array(3, "command=/bin/id", "runas_uid=0", NULL);254255VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,256data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,257data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);258VERIFY_PTR(errstr, NULL);259260// For verifying the error message of no more plugin. It should be displayed only once.261VERIFY_PTR((*python_io_clone)(), NULL);262VERIFY_PTR((*python_io_clone)(), NULL);263264// open the second plugin with another log directory265VERIFY_TRUE(asprintf(&data.tmp_dir2, TEMP_PATH_TEMPLATE) >= 0);266VERIFY_NOT_NULL(mkdtemp(data.tmp_dir2));267create_io_plugin_options(data.tmp_dir2);268269str_array_free(&data.plugin_argv);270data.plugin_argc = 1;271data.plugin_argv = create_str_array(2, "whoami", NULL);272273str_array_free(&data.command_info);274data.command_info = create_str_array(3, "command=/bin/whoami", "runas_uid=1", NULL);275276VERIFY_INT(python_io2->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,277data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,278data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);279VERIFY_PTR(errstr, NULL);280281VERIFY_INT(python_io->log_stdin("stdin for plugin 1", strlen("stdin for plugin 1"), &errstr), SUDO_RC_OK);282VERIFY_PTR(errstr, NULL);283VERIFY_INT(python_io2->log_stdin("stdin for plugin 2", strlen("stdin for plugin 2"), &errstr), SUDO_RC_OK);284VERIFY_PTR(errstr, NULL);285VERIFY_INT(python_io->log_stdout("stdout for plugin 1", strlen("stdout for plugin 1"), &errstr), SUDO_RC_OK);286VERIFY_PTR(errstr, NULL);287VERIFY_INT(python_io2->log_stdout("stdout for plugin 2", strlen("stdout for plugin 2"), &errstr), SUDO_RC_OK);288VERIFY_PTR(errstr, NULL);289VERIFY_INT(python_io->log_stderr("stderr for plugin 1", strlen("stderr for plugin 1"), &errstr), SUDO_RC_OK);290VERIFY_PTR(errstr, NULL);291VERIFY_INT(python_io2->log_stderr("stderr for plugin 2", strlen("stderr for plugin 2"), &errstr), SUDO_RC_OK);292VERIFY_PTR(errstr, NULL);293VERIFY_INT(python_io->log_suspend(SIGTSTP, &errstr), SUDO_RC_OK);294VERIFY_PTR(errstr, NULL);295VERIFY_INT(python_io2->log_suspend(SIGSTOP, &errstr), SUDO_RC_OK);296VERIFY_PTR(errstr, NULL);297VERIFY_INT(python_io->log_suspend(SIGCONT, &errstr), SUDO_RC_OK);298VERIFY_PTR(errstr, NULL);299VERIFY_INT(python_io2->log_suspend(SIGCONT, &errstr), SUDO_RC_OK);300VERIFY_PTR(errstr, NULL);301VERIFY_INT(python_io->change_winsize(20, 10, &errstr), SUDO_RC_OK);302VERIFY_PTR(errstr, NULL);303VERIFY_INT(python_io2->change_winsize(30, 40, &errstr), SUDO_RC_OK);304VERIFY_PTR(errstr, NULL);305VERIFY_INT(python_io->log_ttyin("tty input for plugin 1", strlen("tty input for plugin 1"), &errstr), SUDO_RC_OK);306VERIFY_PTR(errstr, NULL);307VERIFY_INT(python_io2->log_ttyin("tty input for plugin 2", strlen("tty input for plugin 2"), &errstr), SUDO_RC_OK);308VERIFY_PTR(errstr, NULL);309VERIFY_INT(python_io->log_ttyout("tty output for plugin 1", strlen("tty output for plugin 1"), &errstr), SUDO_RC_OK);310VERIFY_PTR(errstr, NULL);311VERIFY_INT(python_io2->log_ttyout("tty output for plugin 2", strlen("tty output for plugin 2"), &errstr), SUDO_RC_OK);312VERIFY_PTR(errstr, NULL);313314python_io->close(1, 0); // successful execution, command returned 1315python_io2->close(2, 0); // command returned 2316317VERIFY_STDOUT(expected_path("check_example_io_plugin_command_log_multiple.stdout"));318VERIFY_STDERR(expected_path("check_example_io_plugin_command_log_multiple.stderr"));319VERIFY_FILE("sudo.log", expected_path("check_example_io_plugin_command_log_multiple1.stored"));320VERIFY_TRUE(verify_file(data.tmp_dir2, "sudo.log", expected_path("check_example_io_plugin_command_log_multiple2.stored")));321322return true;323}324325static int326check_example_io_plugin_failed_to_start_command(void)327{328const char *errstr = NULL;329330create_io_plugin_options(data.tmp_dir);331332str_array_free(&data.plugin_argv);333data.plugin_argc = 1;334data.plugin_argv = create_str_array(2, "cmd", NULL);335336str_array_free(&data.command_info);337data.command_info = create_str_array(3, "command=/usr/share/cmd", "runas_uid=0", NULL);338339VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,340data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,341data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);342VERIFY_PTR(errstr, NULL);343344python_io->close(0, EPERM); // execve returned with error345346VERIFY_STDOUT(expected_path("check_example_io_plugin_failed_to_start_command.stdout"));347VERIFY_STDERR(expected_path("check_example_io_plugin_failed_to_start_command.stderr"));348VERIFY_FILE("sudo.log", expected_path("check_example_io_plugin_failed_to_start_command.stored"));349350return true;351}352353static int354check_example_io_plugin_fails_with_python_backtrace(void)355{356const char *errstr = NULL;357358create_io_plugin_options("/some/not/writable/directory");359360VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,361data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,362data.user_env, data.plugin_options, &errstr), SUDO_RC_ERROR);363VERIFY_PTR(errstr, NULL);364365VERIFY_STDOUT(expected_path("check_example_io_plugin_fails_with_python_backtrace.stdout"));366VERIFY_STDERR(expected_path("check_example_io_plugin_fails_with_python_backtrace.stderr"));367368python_io->close(0, 0);369return true;370}371372static int373check_io_plugin_reports_error(void)374{375const char *errstr = NULL;376str_array_free(&data.plugin_options);377data.plugin_options = create_str_array(3783,379"ModulePath=" SRC_DIR "/regress/plugin_errorstr.py",380"ClassName=ConstructErrorPlugin",381NULL382);383384VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,385data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,386data.user_env, data.plugin_options, &errstr), SUDO_RC_ERROR);387388VERIFY_STR(errstr, "Something wrong in plugin constructor");389errstr = NULL;390391python_io->close(0, 0);392393str_array_free(&data.plugin_options);394data.plugin_options = create_str_array(3953,396"ModulePath=" SRC_DIR "/regress/plugin_errorstr.py",397"ClassName=ErrorMsgPlugin",398NULL399);400401VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,402data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,403data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);404VERIFY_PTR(errstr, NULL);405406VERIFY_INT(python_io->log_stdin("", 0, &errstr), SUDO_RC_ERROR);407VERIFY_STR(errstr, "Something wrong in log_stdin");408409errstr = (void *)13;410VERIFY_INT(python_io->log_stdout("", 0, &errstr), SUDO_RC_ERROR);411VERIFY_STR(errstr, "Something wrong in log_stdout");412413errstr = NULL;414VERIFY_INT(python_io->log_stderr("", 0, &errstr), SUDO_RC_ERROR);415VERIFY_STR(errstr, "Something wrong in log_stderr");416417errstr = NULL;418VERIFY_INT(python_io->log_ttyin("", 0, &errstr), SUDO_RC_ERROR);419VERIFY_STR(errstr, "Something wrong in log_ttyin");420421errstr = NULL;422VERIFY_INT(python_io->log_ttyout("", 0, &errstr), SUDO_RC_ERROR);423VERIFY_STR(errstr, "Something wrong in log_ttyout");424425errstr = NULL;426VERIFY_INT(python_io->log_suspend(SIGTSTP, &errstr), SUDO_RC_ERROR);427VERIFY_STR(errstr, "Something wrong in log_suspend");428429errstr = NULL;430VERIFY_INT(python_io->change_winsize(200, 100, &errstr), SUDO_RC_ERROR);431VERIFY_STR(errstr, "Something wrong in change_winsize");432433python_io->close(0, 0);434435VERIFY_STR(data.stderr_str, "");436VERIFY_STR(data.stdout_str, "");437return true;438}439440static int441check_example_group_plugin(void)442{443create_plugin_options("example_group_plugin", "SudoGroupPlugin", NULL);444445VERIFY_INT(group_plugin->init(GROUP_API_VERSION, fake_printf, data.plugin_options), SUDO_RC_OK);446447VERIFY_INT(group_plugin->query("test", "mygroup", NULL), SUDO_RC_OK);448VERIFY_INT(group_plugin->query("testuser2", "testgroup", NULL), SUDO_RC_OK);449VERIFY_INT(group_plugin->query("testuser2", "mygroup", NULL), SUDO_RC_REJECT);450VERIFY_INT(group_plugin->query("test", "testgroup", NULL), SUDO_RC_REJECT);451452group_plugin->cleanup();453VERIFY_STR(data.stderr_str, "");454VERIFY_STR(data.stdout_str, "");455return true;456}457458#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION459static const char *460create_debug_config(const char *debug_spec)461{462char *result = NULL;463464static char config_path[PATH_MAX] = "/";465snprintf(config_path, sizeof(config_path), "%s/sudo.conf", data.tmp_dir);466467char *content = NULL;468if (asprintf(&content, "Debug %s %s/debug.log %s\n",469"python_plugin.so", data.tmp_dir, debug_spec) < 0)470{471puts("Failed to allocate string");472goto cleanup;473}474475if (fwriteall(config_path, content) != true) {476printf("Failed to write '%s'\n", config_path);477goto cleanup;478}479480result = config_path;481482cleanup:483free(content);484485return result;486}487488static int489check_example_group_plugin_is_able_to_debug(void)490{491const char *config_path = create_debug_config("py_calls@diag");492VERIFY_NOT_NULL(config_path);493VERIFY_INT(sudo_conf_read(config_path, SUDO_CONF_ALL), true);494495create_plugin_options("example_group_plugin", "SudoGroupPlugin", NULL);496497group_plugin->init(GROUP_API_VERSION, fake_printf, data.plugin_options);498499group_plugin->query("user", "group", &example_pwd);500501group_plugin->cleanup();502503VERIFY_STR(data.stderr_str, "");504VERIFY_STR(data.stdout_str, "");505506VERIFY_LOG_LINES(expected_path("check_example_group_plugin_is_able_to_debug.log"));507508return true;509}510#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */511512static int513check_plugin_unload(void)514{515// You can call this test to avoid having a lot of subinterpreters516// (each plugin->open starts one, and only plugin unlink closes)517// It only verifies that python was shut down correctly.518VERIFY_TRUE(Py_IsInitialized());519VERIFY_TRUE(_unlink_symbols());520VERIFY_FALSE(Py_IsInitialized()); // python interpreter could be stopped521return true;522}523524#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION525static int526check_example_debugging(const char *debug_spec)527{528const char *errstr = NULL;529const char *config_path = create_debug_config(debug_spec);530VERIFY_NOT_NULL(config_path);531VERIFY_INT(sudo_conf_read(config_path, SUDO_CONF_ALL), true);532533create_debugging_plugin_options();534535str_array_free(&data.settings);536char *debug_flags_setting = NULL;537VERIFY_TRUE(asprintf(&debug_flags_setting, "debug_flags=%s/debug.log %s", data.tmp_dir, debug_spec) >= 0);538539data.settings = create_str_array(3, debug_flags_setting, "plugin_path=python_plugin.so", NULL);540541VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,542data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,543data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);544VERIFY_PTR(errstr, NULL);545python_io->close(0, 0);546547VERIFY_STR(data.stderr_str, "");548VERIFY_STR(data.stdout_str, "");549550VERIFY_LOG_LINES(expected_path("check_example_debugging_%s.log", debug_spec));551552free(debug_flags_setting);553return true;554}555#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */556557static int558check_loading_fails(const char *name)559{560const char *errstr = NULL;561562VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,563data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,564data.user_env, data.plugin_options, &errstr), SUDO_RC_ERROR);565VERIFY_PTR(errstr, NULL);566python_io->close(0, 0);567568VERIFY_STDOUT(expected_path("check_loading_fails_%s.stdout", name));569VERIFY_STDERR(expected_path("check_loading_fails_%s.stderr", name));570571return true;572}573574static int575check_loading_fails_with_missing_path(void)576{577str_array_free(&data.plugin_options);578data.plugin_options = create_str_array(2, "ClassName=DebugDemoPlugin", NULL);579return check_loading_fails("missing_path");580}581582static int583check_loading_succeeds_with_missing_classname(void)584{585str_array_free(&data.plugin_options);586data.plugin_options = create_str_array(2, "ModulePath=" SRC_DIR "/example_debugging.py", NULL);587588const char *errstr = NULL;589590VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,591data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,592data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);593VERIFY_PTR(errstr, NULL);594VERIFY_INT(python_io->show_version(1), SUDO_RC_OK);595python_io->close(0, 0);596597VERIFY_STDOUT(expected_path("check_loading_succeeds_with_missing_classname.stdout"));598VERIFY_STR(data.stderr_str, "");599600return true;601}602603static int604check_loading_fails_with_missing_classname(void)605{606str_array_free(&data.plugin_options);607data.plugin_options = create_str_array(2, "ModulePath=" SRC_DIR "/regress/plugin_errorstr.py", NULL);608return check_loading_fails("missing_classname");609}610611static int612check_loading_fails_with_wrong_classname(void)613{614create_plugin_options("example_debugging", "MispelledPluginName", NULL);615return check_loading_fails("wrong_classname");616}617618static int619check_loading_fails_with_wrong_path(void)620{621str_array_free(&data.plugin_options);622data.plugin_options = create_str_array(3, "ModulePath=/wrong_path.py", "ClassName=PluginName", NULL);623return check_loading_fails("wrong_path");624}625626static int627check_example_conversation_plugin_reason_log(int simulate_suspend, const char *description)628{629const char *errstr = NULL;630631create_conversation_plugin_options();632633str_array_free(&data.plugin_argv); // have a command run634data.plugin_argc = 1;635data.plugin_argv = create_str_array(2, "/bin/whoami", NULL);636637data.conv_replies[0] = "my fake reason";638data.conv_replies[1] = "my real secret reason";639640sudo_conv_t conversation = simulate_suspend ? fake_conversation_with_suspend : fake_conversation;641642VERIFY_INT(python_io->open(SUDO_API_VERSION, conversation, fake_printf, data.settings,643data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,644data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);645VERIFY_PTR(errstr, NULL);646python_io->close(0, 0);647648VERIFY_STDOUT(expected_path("check_example_conversation_plugin_reason_log_%s.stdout", description));649VERIFY_STDERR(expected_path("check_example_conversation_plugin_reason_log_%s.stderr", description));650VERIFY_CONV(expected_path("check_example_conversation_plugin_reason_log_%s.conversation", description));651VERIFY_FILE("sudo_reasons.txt", expected_path("check_example_conversation_plugin_reason_log_%s.stored", description));652return true;653}654655static int656check_example_conversation_plugin_user_interrupts(void)657{658const char *errstr = NULL;659660create_conversation_plugin_options();661662str_array_free(&data.plugin_argv); // have a command run663data.plugin_argc = 1;664data.plugin_argv = create_str_array(2, "/bin/whoami", NULL);665666data.conv_replies[0] = NULL; // this simulates user interrupt for the first question667668VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,669data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,670data.user_env, data.plugin_options, &errstr), SUDO_RC_REJECT);671python_io->close(0, 0);672673VERIFY_STDOUT(expected_path("check_example_conversation_plugin_user_interrupts.stdout"));674VERIFY_STDERR(expected_path("check_example_conversation_plugin_user_interrupts.stderr"));675VERIFY_CONV(expected_path("check_example_conversation_plugin_user_interrupts.conversation"));676return true;677}678679static int680check_example_policy_plugin_version_display(int is_verbose)681{682const char *errstr = NULL;683684create_policy_plugin_options();685686VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,687data.user_info, data.user_env, data.plugin_options, &errstr),688SUDO_RC_OK);689VERIFY_PTR(errstr, NULL);690VERIFY_INT(python_policy->show_version(is_verbose), SUDO_RC_OK);691692python_policy->close(0, 0); // this should not call the python plugin close as there was no command run invocation693694if (is_verbose) {695// Note: the exact python version is environment dependent696VERIFY_STR_CONTAINS(data.stdout_str, "Python interpreter version:");697*strstr(data.stdout_str, "Python interpreter version:") = '\0';698VERIFY_STDOUT(expected_path("check_example_policy_plugin_version_display_full.stdout"));699} else {700VERIFY_STDOUT(expected_path("check_example_policy_plugin_version_display.stdout"));701}702703VERIFY_STDERR(expected_path("check_example_policy_plugin_version_display.stderr"));704705return true;706}707708static int709check_example_policy_plugin_accepted_execution(void)710{711const char *errstr = NULL;712713create_policy_plugin_options();714715str_array_free(&data.plugin_argv);716data.plugin_argc = 2;717data.plugin_argv = create_str_array(3, "/bin/whoami", "--help", NULL);718719str_array_free(&data.user_env);720data.user_env = create_str_array(3, "USER_ENV1=VALUE1", "USER_ENV2=value2", NULL);721722VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,723data.user_info, data.user_env, data.plugin_options, &errstr),724SUDO_RC_OK);725VERIFY_PTR(errstr, NULL);726727char **env_add = create_str_array(3, "REQUESTED_ENV1=VALUE1", "REQUESTED_ENV2=value2", NULL);728729char **argv_out, **user_env_out, **command_info_out; // free to contain garbage730731VERIFY_INT(python_policy->check_policy(data.plugin_argc, data.plugin_argv, env_add,732&command_info_out, &argv_out, &user_env_out, &errstr),733SUDO_RC_ACCEPT);734VERIFY_PTR(errstr, NULL);735736VERIFY_STR_SET(command_info_out, 4, "command=/bin/whoami", "runas_uid=0", "runas_gid=0", NULL);737VERIFY_STR_SET(user_env_out, 5, "USER_ENV1=VALUE1", "USER_ENV2=value2",738"REQUESTED_ENV1=VALUE1", "REQUESTED_ENV2=value2", NULL);739VERIFY_STR_SET(argv_out, 3, "/bin/whoami", "--help", NULL);740741VERIFY_INT(python_policy->init_session(&example_pwd, &user_env_out, &errstr), SUDO_RC_ACCEPT);742VERIFY_PTR(errstr, NULL);743744// init session is able to modify the user env:745VERIFY_STR_SET(user_env_out, 6, "USER_ENV1=VALUE1", "USER_ENV2=value2",746"REQUESTED_ENV1=VALUE1", "REQUESTED_ENV2=value2", "PLUGIN_EXAMPLE_ENV=1", NULL);747748python_policy->close(3, 0); // successful execution returned exit code 3749750VERIFY_STDOUT(expected_path("check_example_policy_plugin_accepted_execution.stdout"));751VERIFY_STDERR(expected_path("check_example_policy_plugin_accepted_execution.stderr"));752753str_array_free(&env_add);754str_array_free(&user_env_out);755str_array_free(&command_info_out);756str_array_free(&argv_out);757return true;758}759760static int761check_example_policy_plugin_failed_execution(void)762{763const char *errstr = NULL;764765create_policy_plugin_options();766767str_array_free(&data.plugin_argv);768data.plugin_argc = 2;769data.plugin_argv = create_str_array(3, "/bin/id", "--help", NULL);770771VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,772data.user_info, data.user_env, data.plugin_options, &errstr),773SUDO_RC_OK);774VERIFY_PTR(errstr, NULL);775776char **argv_out, **user_env_out, **command_info_out; // free to contain garbage777778VERIFY_INT(python_policy->check_policy(data.plugin_argc, data.plugin_argv, NULL,779&command_info_out, &argv_out, &user_env_out, &errstr),780SUDO_RC_ACCEPT);781VERIFY_PTR(errstr, NULL);782783// pwd is unset (user is not part of /etc/passwd)784VERIFY_INT(python_policy->init_session(NULL, &user_env_out, &errstr), SUDO_RC_ACCEPT);785VERIFY_PTR(errstr, NULL);786787python_policy->close(12345, ENOENT); // failed to execute788789VERIFY_STDOUT(expected_path("check_example_policy_plugin_failed_execution.stdout"));790VERIFY_STDERR(expected_path("check_example_policy_plugin_failed_execution.stderr"));791792str_array_free(&user_env_out);793str_array_free(&command_info_out);794str_array_free(&argv_out);795return true;796}797798static int799check_example_policy_plugin_denied_execution(void)800{801const char *errstr = NULL;802803create_policy_plugin_options();804805str_array_free(&data.plugin_argv);806data.plugin_argc = 1;807data.plugin_argv = create_str_array(2, "/bin/passwd", NULL);808809VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,810data.user_info, data.user_env, data.plugin_options, &errstr),811SUDO_RC_OK);812VERIFY_PTR(errstr, NULL);813814char **argv_out, **user_env_out, **command_info_out; // free to contain garbage815816VERIFY_INT(python_policy->check_policy(data.plugin_argc, data.plugin_argv, NULL,817&command_info_out, &argv_out, &user_env_out, &errstr),818SUDO_RC_REJECT);819820VERIFY_PTR(command_info_out, NULL);821VERIFY_PTR(argv_out, NULL);822VERIFY_PTR(user_env_out, NULL);823824python_policy->close(0, 0); // there was no execution825826VERIFY_STDOUT(expected_path("check_example_policy_plugin_denied_execution.stdout"));827VERIFY_STDERR(expected_path("check_example_policy_plugin_denied_execution.stderr"));828829return true;830}831832static int833check_example_policy_plugin_list(void)834{835const char *errstr = NULL;836837create_policy_plugin_options();838839VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,840data.user_info, data.user_env, data.plugin_options, &errstr),841SUDO_RC_OK);842VERIFY_PTR(errstr, NULL);843844snprintf_append(data.stdout_str, MAX_OUTPUT, "-- minimal --\n");845VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, false, NULL, &errstr), SUDO_RC_OK);846VERIFY_PTR(errstr, NULL);847848snprintf_append(data.stdout_str, MAX_OUTPUT, "\n-- minimal (verbose) --\n");849VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, true, NULL, &errstr), SUDO_RC_OK);850VERIFY_PTR(errstr, NULL);851852snprintf_append(data.stdout_str, MAX_OUTPUT, "\n-- with user --\n");853VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, false, "testuser", &errstr), SUDO_RC_OK);854VERIFY_PTR(errstr, NULL);855856snprintf_append(data.stdout_str, MAX_OUTPUT, "\n-- with user (verbose) --\n");857VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, true, "testuser", &errstr), SUDO_RC_OK);858VERIFY_PTR(errstr, NULL);859860snprintf_append(data.stdout_str, MAX_OUTPUT, "\n-- with allowed program --\n");861str_array_free(&data.plugin_argv);862data.plugin_argc = 3;863data.plugin_argv = create_str_array(4, "/bin/id", "some", "arguments", NULL);864VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, false, NULL, &errstr), SUDO_RC_OK);865VERIFY_PTR(errstr, NULL);866867snprintf_append(data.stdout_str, MAX_OUTPUT, "\n-- with allowed program (verbose) --\n");868VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, true, NULL, &errstr), SUDO_RC_OK);869VERIFY_PTR(errstr, NULL);870871snprintf_append(data.stdout_str, MAX_OUTPUT, "\n-- with denied program --\n");872str_array_free(&data.plugin_argv);873data.plugin_argc = 1;874data.plugin_argv = create_str_array(2, "/bin/passwd", NULL);875VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, false, NULL, &errstr), SUDO_RC_OK);876VERIFY_PTR(errstr, NULL);877878snprintf_append(data.stdout_str, MAX_OUTPUT, "\n-- with denied program (verbose) --\n");879VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, true, NULL, &errstr), SUDO_RC_OK);880VERIFY_PTR(errstr, NULL);881882python_policy->close(0, 0); // there was no execution883884VERIFY_STDOUT(expected_path("check_example_policy_plugin_list.stdout"));885VERIFY_STDERR(expected_path("check_example_policy_plugin_list.stderr"));886887return true;888}889890static int891check_example_policy_plugin_validate_invalidate(void)892{893const char *errstr = NULL;894895#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION896// the plugin does not do any meaningful for these, so using log to validate instead897const char *config_path = create_debug_config("py_calls@diag");898VERIFY_NOT_NULL(config_path);899VERIFY_INT(sudo_conf_read(config_path, SUDO_CONF_ALL), true);900#endif901902create_policy_plugin_options();903904VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,905data.user_info, data.user_env, data.plugin_options, &errstr),906SUDO_RC_OK);907VERIFY_PTR(errstr, NULL);908909VERIFY_INT(python_policy->validate(&errstr), SUDO_RC_OK);910VERIFY_PTR(errstr, NULL);911912python_policy->invalidate(true);913python_policy->invalidate(false);914915python_policy->close(0, 0); // no command execution916917#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION918VERIFY_LOG_LINES(expected_path("check_example_policy_plugin_validate_invalidate.log"));919#endif920VERIFY_STR(data.stderr_str, "");921VERIFY_STR(data.stdout_str, "");922return true;923}924925static int926check_policy_plugin_callbacks_are_optional(void)927{928const char *errstr = NULL;929930create_debugging_plugin_options();931932VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,933data.user_info, data.user_env, data.plugin_options, &errstr),934SUDO_RC_OK);935VERIFY_PTR(errstr, NULL);936937VERIFY_PTR(python_policy->list, NULL);938VERIFY_PTR(python_policy->validate, NULL);939VERIFY_PTR(python_policy->invalidate, NULL);940VERIFY_PTR_NE(python_policy->check_policy, NULL); // (not optional)941VERIFY_PTR(python_policy->init_session, NULL);942943// show_version always displays the plugin, but it is optional in the python layer944VERIFY_PTR_NE(python_policy->show_version, NULL);945VERIFY_INT(python_policy->show_version(1), SUDO_RC_OK);946947python_policy->close(0, 0);948return true;949}950951static int952check_policy_plugin_reports_error(void)953{954const char *errstr = NULL;955str_array_free(&data.plugin_options);956data.plugin_options = create_str_array(9573,958"ModulePath=" SRC_DIR "/regress/plugin_errorstr.py",959"ClassName=ConstructErrorPlugin",960NULL961);962963VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,964data.user_info, data.user_env, data.plugin_options, &errstr), SUDO_RC_ERROR);965VERIFY_STR(errstr, "Something wrong in plugin constructor");966errstr = NULL;967968python_policy->close(0, 0);969970str_array_free(&data.plugin_options);971data.plugin_options = create_str_array(9723,973"ModulePath=" SRC_DIR "/regress/plugin_errorstr.py",974"ClassName=ErrorMsgPlugin",975NULL976);977978data.plugin_argc = 1;979str_array_free(&data.plugin_argv);980data.plugin_argv = create_str_array(2, "id", NULL);981982VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,983data.user_info, data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);984VERIFY_PTR(errstr, NULL);985986char **command_info_out = NULL;987char **argv_out = NULL;988char **user_env_out = NULL;989990VERIFY_INT(python_policy->list(data.plugin_argc, data.plugin_argv, true, NULL, &errstr), SUDO_RC_ERROR);991VERIFY_STR(errstr, "Something wrong in list");992993errstr = NULL;994VERIFY_INT(python_policy->validate(&errstr), SUDO_RC_ERROR);995VERIFY_STR(errstr, "Something wrong in validate");996997errstr = NULL;998VERIFY_INT(python_policy->check_policy(data.plugin_argc, data.plugin_argv, data.user_env,999&command_info_out, &argv_out, &user_env_out, &errstr),1000SUDO_RC_ERROR);1001VERIFY_STR(errstr, "Something wrong in check_policy");10021003errstr = NULL;1004VERIFY_INT(python_policy->init_session(&example_pwd, &user_env_out, &errstr), SUDO_RC_ERROR);1005VERIFY_STR(errstr, "Something wrong in init_session");10061007python_policy->close(0, 0);10081009VERIFY_STR(data.stderr_str, "");1010VERIFY_STR(data.stdout_str, "");1011return true;1012}10131014static int1015check_io_plugin_callbacks_are_optional(void)1016{1017const char *errstr = NULL;10181019create_debugging_plugin_options();10201021VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,1022data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,1023data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1024VERIFY_PTR(errstr, NULL);10251026VERIFY_PTR(python_io->log_stdin, NULL);1027VERIFY_PTR(python_io->log_stdout, NULL);1028VERIFY_PTR(python_io->log_stderr, NULL);1029VERIFY_PTR(python_io->log_ttyin, NULL);1030VERIFY_PTR(python_io->log_ttyout, NULL);1031VERIFY_PTR(python_io->change_winsize, NULL);10321033// show_version always displays the plugin, but it is optional in the python layer1034VERIFY_PTR_NE(python_io->show_version, NULL);1035VERIFY_INT(python_io->show_version(1), SUDO_RC_OK);10361037python_io->close(0, 0);1038return true;1039}10401041static int1042check_python_plugins_do_not_affect_each_other(void)1043{1044const char *errstr = NULL;10451046// We test here that one plugin is not able to effect the environment of another1047// This is important so they do not ruin or depend on each other's state.1048create_plugin_options("regress/plugin_conflict", "ConflictPlugin", "Path=path_for_first_plugin");10491050VERIFY_INT(python_io->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,1051data.user_info, data.command_info, data.plugin_argc, data.plugin_argv,1052data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1053VERIFY_PTR(errstr, NULL);10541055create_plugin_options("regress/plugin_conflict", "ConflictPlugin", "Path=path_for_second_plugin");1056VERIFY_INT(python_policy->open(SUDO_API_VERSION, fake_conversation, fake_printf, data.settings,1057data.user_info, data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1058VERIFY_PTR(errstr, NULL);10591060python_io->close(0, 0);1061python_policy->close(0, 0);10621063VERIFY_STDOUT(expected_path("check_python_plugins_do_not_affect_each_other.stdout"));1064VERIFY_STR(data.stderr_str, "");1065return true;1066}10671068static int1069check_example_audit_plugin_receives_accept(void)1070{1071create_audit_plugin_options("");1072const char *errstr = NULL;10731074str_array_free(&data.plugin_argv);1075data.plugin_argv = create_str_array(6, "sudo", "-u", "user", "id", "--help", NULL);10761077str_array_free(&data.user_env);1078data.user_env = create_str_array(3, "KEY1=VALUE1", "KEY2=VALUE2", NULL);10791080str_array_free(&data.user_info);1081data.user_info = create_str_array(3, "user=testuser1", "uid=123", NULL);10821083VERIFY_INT(python_audit->open(SUDO_API_VERSION, fake_conversation, fake_printf,1084data.settings, data.user_info, 3, data.plugin_argv,1085data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1086VERIFY_PTR(errstr, NULL);10871088str_array_free(&data.command_info);1089data.command_info = create_str_array(2, "command=/sbin/id", NULL);10901091str_array_free(&data.plugin_argv);1092data.plugin_argv = create_str_array(3, "id", "--help", NULL);10931094VERIFY_INT(python_audit->accept("accepter plugin name", SUDO_POLICY_PLUGIN,1095data.command_info, data.plugin_argv,1096data.user_env, &errstr), SUDO_RC_OK);1097VERIFY_PTR(errstr, NULL);10981099python_audit->close(SUDO_PLUGIN_WAIT_STATUS, W_EXITCODE(2, 0)); // process exited with 211001101VERIFY_STDOUT(expected_path("check_example_audit_plugin_receives_accept.stdout"));1102VERIFY_STR(data.stderr_str, "");11031104return true;1105}11061107static int1108check_example_audit_plugin_receives_reject(void)1109{1110create_audit_plugin_options(NULL);1111const char *errstr = NULL;11121113str_array_free(&data.plugin_argv);1114data.plugin_argv = create_str_array(3, "sudo", "passwd", NULL);11151116str_array_free(&data.user_info);1117data.user_info = create_str_array(3, "user=root", "uid=0", NULL);11181119VERIFY_INT(python_audit->open(SUDO_API_VERSION, fake_conversation, fake_printf,1120data.settings, data.user_info, 1, data.plugin_argv,1121data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1122VERIFY_PTR(errstr, NULL);11231124VERIFY_INT(python_audit->reject("rejecter plugin name", SUDO_IO_PLUGIN,1125"Rejected just because!", data.command_info,1126&errstr), SUDO_RC_OK);1127VERIFY_PTR(errstr, NULL);11281129python_audit->close(SUDO_PLUGIN_NO_STATUS, 0); // program was not run11301131VERIFY_STDOUT(expected_path("check_example_audit_plugin_receives_reject.stdout"));1132VERIFY_STR(data.stderr_str, "");11331134return true;1135}11361137static int1138check_example_audit_plugin_receives_error(void)1139{1140create_audit_plugin_options("");1141const char *errstr = NULL;11421143str_array_free(&data.plugin_argv);1144data.plugin_argv = create_str_array(5, "sudo", "-u", "user", "id", NULL);11451146VERIFY_INT(python_audit->open(SUDO_API_VERSION, fake_conversation, fake_printf,1147data.settings, data.user_info, 3, data.plugin_argv,1148data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1149VERIFY_PTR(errstr, NULL);11501151str_array_free(&data.command_info);1152data.command_info = create_str_array(2, "command=/sbin/id", NULL);11531154VERIFY_INT(python_audit->error("errorer plugin name", SUDO_AUDIT_PLUGIN,1155"Some error has happened", data.command_info,1156&errstr), SUDO_RC_OK);1157VERIFY_PTR(errstr, NULL);11581159python_audit->close(SUDO_PLUGIN_SUDO_ERROR, 222);11601161VERIFY_STDOUT(expected_path("check_example_audit_plugin_receives_error.stdout"));1162VERIFY_STR(data.stderr_str, "");11631164return true;1165}11661167typedef struct audit_plugin * (audit_clone_func)(void);11681169static int1170check_example_audit_plugin_workflow_multiple(void)1171{1172// verify multiple python audit plugins are available1173audit_clone_func *python_audit_clone = (audit_clone_func *)sudo_dso_findsym(1174python_plugin_handle, "python_audit_clone");1175VERIFY_PTR_NE(python_audit_clone, NULL);11761177struct audit_plugin *python_audit2 = NULL;11781179for (int i = 0; i < 7; ++i) {1180python_audit2 = (*python_audit_clone)();1181VERIFY_PTR_NE(python_audit2, NULL);1182VERIFY_PTR_NE(python_audit2, python_audit);1183}11841185const char *errstr = NULL;11861187str_array_free(&data.plugin_argv);1188data.plugin_argv = create_str_array(6, "sudo", "-u", "user", "id", "--help", NULL);11891190str_array_free(&data.user_env);1191data.user_env = create_str_array(3, "KEY1=VALUE1", "KEY2=VALUE2", NULL);11921193str_array_free(&data.user_info);1194data.user_info = create_str_array(3, "user=default", "uid=1000", NULL);11951196create_audit_plugin_options("Id=1");1197VERIFY_INT(python_audit->open(SUDO_API_VERSION, fake_conversation, fake_printf,1198data.settings, data.user_info, 3, data.plugin_argv,1199data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1200VERIFY_PTR(errstr, NULL);12011202// For verifying the error message of no more plugin. It should be displayed only once.1203VERIFY_PTR((*python_audit_clone)(), NULL);1204VERIFY_PTR((*python_audit_clone)(), NULL);12051206create_audit_plugin_options("Id=2");1207VERIFY_INT(python_audit2->open(SUDO_API_VERSION, fake_conversation, fake_printf,1208data.settings, data.user_info, 3, data.plugin_argv,1209data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1210VERIFY_PTR(errstr, NULL);12111212str_array_free(&data.command_info);1213data.command_info = create_str_array(2, "command=/sbin/id", NULL);12141215str_array_free(&data.plugin_argv);1216data.plugin_argv = create_str_array(3, "id", "--help", NULL);12171218VERIFY_INT(python_audit->accept("accepter plugin name", SUDO_POLICY_PLUGIN,1219data.command_info, data.plugin_argv,1220data.user_env, &errstr), SUDO_RC_OK);1221VERIFY_PTR(errstr, NULL);12221223VERIFY_INT(python_audit2->accept("accepter plugin name", SUDO_POLICY_PLUGIN,1224data.command_info, data.plugin_argv,1225data.user_env, &errstr), SUDO_RC_OK);1226VERIFY_PTR(errstr, NULL);12271228python_audit->close(SUDO_PLUGIN_WAIT_STATUS, W_EXITCODE(0, 11)); // process got signal 111229python_audit2->close(SUDO_PLUGIN_WAIT_STATUS, W_EXITCODE(0, 11));12301231VERIFY_STDOUT(expected_path("check_example_audit_plugin_workflow_multiple.stdout"));1232VERIFY_STDERR(expected_path("check_example_audit_plugin_workflow_multiple.stderr"));12331234return true;1235}12361237static int1238check_example_audit_plugin_version_display(void)1239{1240create_audit_plugin_options(NULL);1241const char *errstr = NULL;12421243str_array_free(&data.user_info);1244data.user_info = create_str_array(3, "user=root", "uid=0", NULL);12451246str_array_free(&data.plugin_argv);1247data.plugin_argv = create_str_array(3, "sudo", "-V", NULL);12481249VERIFY_INT(python_audit->open(SUDO_API_VERSION, fake_conversation, fake_printf,1250data.settings, data.user_info, 2, data.plugin_argv,1251data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1252VERIFY_PTR(errstr, NULL);12531254VERIFY_INT(python_audit->show_version(false), SUDO_RC_OK);1255VERIFY_INT(python_audit->show_version(true), SUDO_RC_OK);12561257python_audit->close(SUDO_PLUGIN_SUDO_ERROR, 222);12581259VERIFY_STDOUT(expected_path("check_example_audit_plugin_version_display.stdout"));1260VERIFY_STR(data.stderr_str, "");12611262return true;1263}12641265static int1266check_audit_plugin_callbacks_are_optional(void)1267{1268const char *errstr = NULL;12691270create_debugging_plugin_options();12711272VERIFY_INT(python_audit->open(SUDO_API_VERSION, fake_conversation, fake_printf,1273data.settings, data.user_info, 2, data.plugin_argv,1274data.user_env, data.plugin_options, &errstr),1275SUDO_RC_OK);1276VERIFY_PTR(errstr, NULL);12771278VERIFY_PTR(python_audit->accept, NULL);1279VERIFY_PTR(python_audit->reject, NULL);1280VERIFY_PTR(python_audit->error, NULL);12811282// show_version always displays the plugin, but it is optional in the python layer1283VERIFY_PTR_NE(python_audit->show_version, NULL);1284VERIFY_INT(python_audit->show_version(1), SUDO_RC_OK);12851286python_audit->close(SUDO_PLUGIN_NO_STATUS, 0);1287return true;1288}12891290static int1291check_audit_plugin_reports_error(void)1292{1293const char *errstr = NULL;1294create_plugin_options("regress/plugin_errorstr", "ConstructErrorPlugin", NULL);12951296VERIFY_INT(python_audit->open(SUDO_API_VERSION, fake_conversation, fake_printf,1297data.settings, data.user_info, 0, data.plugin_argv,1298data.user_env, data.plugin_options, &errstr), SUDO_RC_ERROR);12991300VERIFY_STR(errstr, "Something wrong in plugin constructor");1301errstr = NULL;13021303python_audit->close(SUDO_PLUGIN_NO_STATUS, 0);13041305create_plugin_options("regress/plugin_errorstr", "ErrorMsgPlugin", NULL);13061307VERIFY_INT(python_audit->open(SUDO_API_VERSION, fake_conversation, fake_printf,1308data.settings, data.user_info, 0, data.plugin_argv,1309data.user_env, data.plugin_options, &errstr), SUDO_RC_ERROR);1310VERIFY_STR(errstr, "Something wrong in open");13111312errstr = NULL;1313VERIFY_INT(python_audit->accept("plugin name", SUDO_POLICY_PLUGIN,1314data.command_info, data.plugin_argv,1315data.user_env, &errstr), SUDO_RC_ERROR);1316VERIFY_STR(errstr, "Something wrong in accept");13171318errstr = NULL;1319VERIFY_INT(python_audit->reject("plugin name", SUDO_POLICY_PLUGIN,1320"audit message", data.command_info,1321&errstr), SUDO_RC_ERROR);1322VERIFY_STR(errstr, "Something wrong in reject");13231324errstr = NULL;1325VERIFY_INT(python_audit->error("plugin name", SUDO_POLICY_PLUGIN,1326"audit message", data.command_info,1327&errstr), SUDO_RC_ERROR);1328VERIFY_STR(errstr, "Something wrong in error");13291330python_audit->close(SUDO_PLUGIN_NO_STATUS, 0);13311332VERIFY_STR(data.stderr_str, "");1333VERIFY_STR(data.stdout_str, "");1334return true;1335}13361337static int1338check_example_approval_plugin(const char *date_str, const char *expected_error)1339{1340const char *errstr = NULL;13411342create_plugin_options("example_approval_plugin", "BusinessHoursApprovalPlugin", NULL);13431344VERIFY_INT(python_approval->open(SUDO_API_VERSION, fake_conversation, fake_printf,1345data.settings, data.user_info, 0, data.plugin_argv,1346data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);13471348VERIFY_TRUE(mock_python_datetime_now("example_approval_plugin", date_str));13491350int expected_rc = (expected_error == NULL) ? SUDO_RC_ACCEPT : SUDO_RC_REJECT;13511352VERIFY_INT(python_approval->check(data.command_info, data.plugin_argv, data.user_env, &errstr),1353expected_rc);13541355if (expected_error == NULL) {1356VERIFY_PTR(errstr, NULL);1357VERIFY_STR(data.stdout_str, "");1358} else {1359VERIFY_STR(errstr, expected_error);1360VERIFY_STR_CONTAINS(data.stdout_str, expected_error); // (ends with \n)1361}1362VERIFY_STR(data.stderr_str, "");13631364python_approval->close();13651366return true;1367}13681369typedef struct approval_plugin * (approval_clone_func)(void);13701371static int1372check_multiple_approval_plugin_and_arguments(void)1373{1374// verify multiple python approval plugins are available1375approval_clone_func *python_approval_clone = (approval_clone_func *)sudo_dso_findsym(1376python_plugin_handle, "python_approval_clone");1377VERIFY_PTR_NE(python_approval_clone, NULL);13781379struct approval_plugin *python_approval2 = NULL;13801381for (int i = 0; i < 7; ++i) {1382python_approval2 = (*python_approval_clone)();1383VERIFY_PTR_NE(python_approval2, NULL);1384VERIFY_PTR_NE(python_approval2, python_approval);1385}13861387const char *errstr = NULL;1388create_plugin_options("regress/plugin_approval_test", "ApprovalTestPlugin", "Id=1");13891390str_array_free(&data.plugin_argv);1391data.plugin_argv = create_str_array(6, "sudo", "-u", "user", "whoami", "--help", NULL);13921393str_array_free(&data.user_env);1394data.user_env = create_str_array(3, "USER_ENV1=VALUE1", "USER_ENV2=value2", NULL);13951396str_array_free(&data.user_info);1397data.user_info = create_str_array(3, "INFO1=VALUE1", "info2=value2", NULL);13981399str_array_free(&data.settings);1400data.settings = create_str_array(3, "SETTING1=VALUE1", "setting2=value2", NULL);14011402VERIFY_INT(python_approval->open(SUDO_API_VERSION, fake_conversation, fake_printf,1403data.settings, data.user_info, 3, data.plugin_argv,1404data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1405VERIFY_PTR(errstr, NULL);14061407// For verifying the error message of no more plugin. It should be displayed only once.1408VERIFY_PTR((*python_approval_clone)(), NULL);1409VERIFY_PTR((*python_approval_clone)(), NULL);14101411create_plugin_options("regress/plugin_approval_test", "ApprovalTestPlugin", "Id=2");1412VERIFY_INT(python_approval2->open(SUDO_API_VERSION, fake_conversation, fake_printf,1413data.settings, data.user_info, 3, data.plugin_argv,1414data.user_env, data.plugin_options, &errstr), SUDO_RC_OK);1415VERIFY_PTR(errstr, NULL);14161417VERIFY_INT(python_approval->show_version(false), SUDO_RC_OK);1418VERIFY_INT(python_approval2->show_version(true), SUDO_RC_OK);14191420str_array_free(&data.command_info);1421data.command_info = create_str_array(3, "CMDINFO1=value1", "CMDINFO2=VALUE2", NULL);14221423str_array_free(&data.plugin_argv);1424data.plugin_argv = create_str_array(3, "whoami", "--help", NULL);14251426VERIFY_INT(python_approval->check(data.command_info, data.plugin_argv, data.user_env, &errstr),1427SUDO_RC_OK);1428VERIFY_PTR(errstr, NULL);14291430VERIFY_INT(python_approval2->check(data.command_info, data.plugin_argv, data.user_env, &errstr),1431SUDO_RC_OK);1432VERIFY_PTR(errstr, NULL);14331434python_approval->close();1435python_approval2->close();14361437VERIFY_STDOUT(expected_path("check_multiple_approval_plugin_and_arguments.stdout"));1438VERIFY_STDERR(expected_path("check_multiple_approval_plugin_and_arguments.stderr"));14391440return true;1441}144214431444static int1445_init_symbols(void)1446{1447if (python_plugin_handle != NULL) {1448// symbols are already loaded, we just restore1449RESTORE_PYTHON_PLUGIN(python_io);1450RESTORE_PYTHON_PLUGIN(python_policy);1451RESTORE_PYTHON_PLUGIN(python_approval);1452RESTORE_PYTHON_PLUGIN(python_audit);1453RESTORE_PYTHON_PLUGIN(group_plugin);1454return true;1455}14561457// we load the symbols1458python_plugin_handle = sudo_dso_load(python_plugin_so_path, SUDO_DSO_LAZY|SUDO_DSO_GLOBAL);1459VERIFY_PTR_NE(python_plugin_handle, NULL);14601461python_io = sudo_dso_findsym(python_plugin_handle, "python_io");1462VERIFY_PTR_NE(python_io, NULL);14631464group_plugin = sudo_dso_findsym(python_plugin_handle, "group_plugin");1465VERIFY_PTR_NE(group_plugin, NULL);14661467python_policy = sudo_dso_findsym(python_plugin_handle, "python_policy");1468VERIFY_PTR_NE(python_policy, NULL);14691470python_audit = sudo_dso_findsym(python_plugin_handle, "python_audit");1471VERIFY_PTR_NE(python_audit, NULL);14721473python_approval = sudo_dso_findsym(python_plugin_handle, "python_approval");1474VERIFY_PTR_NE(python_approval, NULL);14751476SAVE_PYTHON_PLUGIN(python_io);1477SAVE_PYTHON_PLUGIN(python_policy);1478SAVE_PYTHON_PLUGIN(python_approval);1479SAVE_PYTHON_PLUGIN(python_audit);1480SAVE_PYTHON_PLUGIN(group_plugin);14811482return true;1483}14841485static int1486_unlink_symbols(void)1487{1488python_io = NULL;1489group_plugin = NULL;1490python_policy = NULL;1491python_approval = NULL;1492python_audit = NULL;1493VERIFY_INT(sudo_dso_unload(python_plugin_handle), 0);1494python_plugin_handle = NULL;1495VERIFY_FALSE(Py_IsInitialized());1496return true;1497}14981499int1500main(int argc, char *argv[])1501{1502int ch, errors = 0, ntests = 0;15031504while ((ch = getopt(argc, argv, "v")) != -1) {1505switch (ch) {1506case 'v':1507verbose = true;1508break;1509default:1510fprintf(stderr, "usage: %s [-v]\n", getprogname());1511return EXIT_FAILURE;1512}1513}1514argc -= optind;1515argv += optind;15161517if (argc != 1) {1518printf("Please specify the python_plugin.so as argument!\n");1519return EXIT_FAILURE;1520}1521python_plugin_so_path = argv[0];15221523// Unbuffer stdout so we don't miss output during a crash.1524setvbuf(stdout, NULL, _IONBF, 0);15251526RUN_TEST(check_example_io_plugin_version_display(true));1527RUN_TEST(check_example_io_plugin_version_display(false));1528RUN_TEST(check_example_io_plugin_command_log());1529RUN_TEST(check_example_io_plugin_command_log_multiple());1530RUN_TEST(check_example_io_plugin_failed_to_start_command());1531RUN_TEST(check_example_io_plugin_fails_with_python_backtrace());1532RUN_TEST(check_io_plugin_callbacks_are_optional());1533RUN_TEST(check_io_plugin_reports_error());1534RUN_TEST(check_plugin_unload());15351536RUN_TEST(check_example_group_plugin());1537#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION1538RUN_TEST(check_example_group_plugin_is_able_to_debug());1539#endif1540RUN_TEST(check_plugin_unload());15411542RUN_TEST(check_loading_fails_with_missing_path());1543RUN_TEST(check_loading_succeeds_with_missing_classname());1544RUN_TEST(check_loading_fails_with_missing_classname());1545RUN_TEST(check_loading_fails_with_wrong_classname());1546RUN_TEST(check_loading_fails_with_wrong_path());1547RUN_TEST(check_plugin_unload());15481549RUN_TEST(check_example_conversation_plugin_reason_log(false, "without_suspend"));1550RUN_TEST(check_example_conversation_plugin_reason_log(true, "with_suspend"));1551RUN_TEST(check_example_conversation_plugin_user_interrupts());1552RUN_TEST(check_plugin_unload());15531554RUN_TEST(check_example_policy_plugin_version_display(true));1555RUN_TEST(check_example_policy_plugin_version_display(false));1556RUN_TEST(check_example_policy_plugin_accepted_execution());1557RUN_TEST(check_example_policy_plugin_failed_execution());1558RUN_TEST(check_example_policy_plugin_denied_execution());1559RUN_TEST(check_example_policy_plugin_list());1560RUN_TEST(check_example_policy_plugin_validate_invalidate());1561RUN_TEST(check_policy_plugin_callbacks_are_optional());1562RUN_TEST(check_policy_plugin_reports_error());1563RUN_TEST(check_plugin_unload());15641565RUN_TEST(check_example_audit_plugin_receives_accept());1566RUN_TEST(check_example_audit_plugin_receives_reject());1567RUN_TEST(check_example_audit_plugin_receives_error());1568RUN_TEST(check_example_audit_plugin_workflow_multiple());1569RUN_TEST(check_example_audit_plugin_version_display());1570RUN_TEST(check_audit_plugin_callbacks_are_optional());1571RUN_TEST(check_audit_plugin_reports_error());1572RUN_TEST(check_plugin_unload());15731574// Monday, too early1575RUN_TEST(check_example_approval_plugin(1576"2020-02-10T07:55:23", "That is not allowed outside the business hours!"));1577// Monday, good time1578RUN_TEST(check_example_approval_plugin("2020-02-10T08:05:23", NULL));1579// Friday, good time1580RUN_TEST(check_example_approval_plugin("2020-02-14T17:59:23", NULL));1581// Friday, too late1582RUN_TEST(check_example_approval_plugin(1583"2020-02-10T18:05:23", "That is not allowed outside the business hours!"));1584// Saturday1585RUN_TEST(check_example_approval_plugin(1586"2020-02-15T08:05:23", "That is not allowed on the weekend!"));1587RUN_TEST(check_multiple_approval_plugin_and_arguments());15881589RUN_TEST(check_python_plugins_do_not_affect_each_other());1590RUN_TEST(check_plugin_unload());15911592#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION1593RUN_TEST(check_example_debugging("plugin@err"));1594RUN_TEST(check_example_debugging("plugin@info"));1595RUN_TEST(check_example_debugging("load@diag"));1596RUN_TEST(check_example_debugging("sudo_cb@info"));1597RUN_TEST(check_example_debugging("c_calls@diag"));1598RUN_TEST(check_example_debugging("c_calls@info"));1599RUN_TEST(check_example_debugging("py_calls@diag"));1600RUN_TEST(check_example_debugging("py_calls@info"));1601RUN_TEST(check_example_debugging("plugin@err"));1602RUN_TEST(check_plugin_unload());1603#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */16041605if (ntests != 0) {1606printf("%s: %d tests run, %d errors, %d%% success rate\n",1607getprogname(), ntests, errors, (ntests - errors) * 100 / ntests);1608}16091610return errors;1611}161216131614