Google Git
Sign in
cos / mirrors / cros / chromiumos / platform2 / refs/heads/factory-excelsior-12812.B / . / permission_broker / firewall_test.cc
blob: 75edc08e486a67aaea0884717ea2323fd6d193e8 [file] [log] [blame]
// Copyright 2017 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "permission_broker/firewall.h"
#include <string>
#include <vector>
#include <gtest/gtest.h>
#include "permission_broker/mock_firewall.h"
namespace permission_broker {
using testing::_;
using testing::Return;
class FirewallTest : public testing::Test {
public:
FirewallTest() = default;
~FirewallTest() override = default;
protected:
void SetMockExpectations(MockFirewall* firewall, bool success) {
// Empty criterion matches all commands.
firewall->SetRunInMinijailFailCriterion(std::vector<std::string>(), true,
success);
}
void SetMockExpectationsPerExecutable(MockFirewall* firewall,
bool ip4_success,
bool ip6_success) {
if (!ip4_success)
firewall->SetRunInMinijailFailCriterion(
std::vector<std::string>({kIpTablesPath}), true /* repeat */,
false /* omit_failure */);
if (!ip6_success)
firewall->SetRunInMinijailFailCriterion(
std::vector<std::string>({kIp6TablesPath}), true, false);
}
private:
DISALLOW_COPY_AND_ASSIGN(FirewallTest);
};
TEST_F(FirewallTest, Port0Fails) {
MockFirewall mock_firewall;
// Don't fail on anything.
int id = mock_firewall.SetRunInMinijailFailCriterion(
std::vector<std::string>(), true, true);
// Try to punch hole for TCP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 0, "iface"));
// Try to punch hole for UDP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 0, "iface"));
// Try to plug hole for TCP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 0, "iface"));
// Try to plug hole for UDP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 0, "iface"));
// We should not be adding/removing any rules for port 0.
EXPECT_EQ(mock_firewall.GetRunInMinijailCriterionMatchCount(id), 0);
}
TEST_F(FirewallTest, ValidInterfaceName) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, true /* success */);
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "shortname"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "shortname"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "middle-dash"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "middle-dash"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "middle.dot"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "middle.dot"));
}
TEST_F(FirewallTest, InvalidInterfaceName) {
MockFirewall mock_firewall;
int id = mock_firewall.SetRunInMinijailFailCriterion(
std::vector<std::string>(), true, true);
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80,
"reallylonginterfacename"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "with spaces"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "with$ymbols"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "-startdash"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "enddash-"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, ".startdot"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "enddot."));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53,
"reallylonginterfacename"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "with spaces"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "with$ymbols"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "-startdash"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "enddash-"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, ".startdot"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "enddot."));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80,
"reallylonginterfacename"));
EXPECT_FALSE(
mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "with spaces"));
EXPECT_FALSE(
mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "with$ymbols"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "-startdash"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "enddash-"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, ".startdot"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "enddot."));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53,
"reallylonginterfacename"));
EXPECT_FALSE(
mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "with spaces"));
EXPECT_FALSE(
mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "with$ymbols"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "-startdash"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "enddash-"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, ".startdot"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "enddot."));
// We should not be adding/removing any rules for invalid interface names.
EXPECT_EQ(mock_firewall.GetRunInMinijailCriterionMatchCount(id), 0);
}
TEST_F(FirewallTest, AddAcceptRules_Fails) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, false /* success */);
// Punch hole for TCP port 80, should fail.
ASSERT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "iface"));
// Punch hole for UDP port 53, should fail.
ASSERT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "iface"));
}
TEST_F(FirewallTest, AddAcceptRules_Ipv6Fails) {
MockFirewall mock_firewall;
SetMockExpectationsPerExecutable(&mock_firewall, true /* ip4_success */,
false /* ip6_success */);
// Punch hole for TCP port 80, should fail because 'ip6tables' fails.
ASSERT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "iface"));
// Punch hole for UDP port 53, should fail because 'ip6tables' fails.
ASSERT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "iface"));
}
TEST_F(FirewallTest, Port0LockdownFails) {
MockFirewall mock_firewall;
// Don't fail on anything.
int id = mock_firewall.SetRunInMinijailFailCriterion(
std::vector<std::string>(), true, true);
// Try to lock down TCP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 0));
// Try to lock down UDP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolUdp, 0));
// We should not be adding/removing any rules for port 0.
EXPECT_EQ(mock_firewall.GetRunInMinijailCriterionMatchCount(id), 0);
}
TEST_F(FirewallTest, AddLoopbackLockdownRules_Success) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, true /* success */);
ASSERT_TRUE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 80));
ASSERT_TRUE(mock_firewall.AddLoopbackLockdownRules(kProtocolUdp, 53));
ASSERT_TRUE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 1234));
ASSERT_TRUE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 8080));
}
TEST_F(FirewallTest, AddLoopbackLockdownRules_Fails) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, false /* success */);
// Lock down TCP port 80, should fail.
ASSERT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 80));
// Lock down UDP port 53, should fail.
ASSERT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolUdp, 53));
}
TEST_F(FirewallTest, AddLoopbackLockdownRules_Ipv6Fails) {
MockFirewall mock_firewall;
SetMockExpectationsPerExecutable(&mock_firewall, true /* ip4_success */,
false /* ip6_success */);
// Lock down TCP port 80, should fail because 'ip6tables' fails.
ASSERT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 80));
// Lock down UDP port 53, should fail because 'ip6tables' fails.
ASSERT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolUdp, 53));
}
TEST_F(FirewallTest, AddAcceptRules_InvalidArguments) {
MockFirewall mock_firewall;
// Don't fail on anything.
int id = mock_firewall.SetRunInMinijailFailCriterion({}, true, true);
// Invalid input interface
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolTcp, 80, "-startdash",
"100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolUdp, 80, "enddash-",
"100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(
kProtocolTcp, 80, ".startdot", "100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolUdp, 80, "enddot.",
"100.115.92.5", 8080));
// Empty interface
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolTcp, 80, "",
"100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolUdp, 80, "",
"100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolTcp, 80, "",
"100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolUdp, 80, "",
"100.115.92.5", 8080));
// Invalid input dst port
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolTcp, 0, "iface",
"100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolTcp, 0, "iface",
"100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolUdp, 0, "iface",
"100.115.92.5", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolUdp, 0, "iface",
"100.115.92.5", 8080));
// Invalid output dst address
ASSERT_FALSE(
mock_firewall.AddIpv4ForwardRule(kProtocolTcp, 80, "iface", "", 8080));
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolUdp, 80, "iface",
"qodpjqwpod", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolTcp, 80, "iface",
"1.1", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolUdp, 80, "iface",
"2001:db8::1", 8080));
// Invalid output dst port
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolTcp, 80, "iface",
"100.115.92.5", 0));
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolUdp, 80, "iface",
"100.115.92.5", 0));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolTcp, 80, "iface",
"100.115.92.5", 0));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolUdp, 80, "iface",
"100.115.92.5", 0));
EXPECT_EQ(mock_firewall.GetRunInMinijailCriterionMatchCount(id), 0);
}
TEST_F(FirewallTest, AddAcceptRules_IptablesFails) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, false /* success */);
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolTcp, 80, "iface",
"100.115.92.6", 8080));
ASSERT_FALSE(mock_firewall.AddIpv4ForwardRule(kProtocolUdp, 80, "iface",
"100.115.92.6", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolTcp, 80, "iface",
"100.115.92.6", 8080));
ASSERT_FALSE(mock_firewall.DeleteIpv4ForwardRule(kProtocolUdp, 80, "iface",
"100.115.92.6", 8080));
}
TEST_F(FirewallTest, AddAcceptRules_ValidRules) {
MockFirewall mock_firewall;
int id = mock_firewall.SetRunInMinijailFailCriterion({}, true, true);
// Invalid input interface
ASSERT_TRUE(mock_firewall.AddIpv4ForwardRule(kProtocolTcp, 80, "wlan0",
"100.115.92.2", 8080));
ASSERT_TRUE(mock_firewall.AddIpv4ForwardRule(kProtocolUdp, 5353, "eth0",
"192.168.1.1", 5353));
ASSERT_TRUE(mock_firewall.DeleteIpv4ForwardRule(kProtocolTcp, 5000, "mlan0",
"10.0.0.24", 5001));
ASSERT_TRUE(mock_firewall.DeleteIpv4ForwardRule(kProtocolUdp, 443, "eth1",
"1.2.3.4", 443));
EXPECT_EQ(mock_firewall.GetRunInMinijailCriterionMatchCount(id), 4);
std::vector<std::string> expected_commands = {
"/sbin/iptables -t nat -I PREROUTING -i wlan0 -p tcp --dport 80 -j DNAT "
"--to-destination 100.115.92.2:8080 -w",
"/sbin/iptables -t nat -I PREROUTING -i eth0 -p udp --dport 5353 -j DNAT "
"--to-destination 192.168.1.1:5353 -w",
"/sbin/iptables -t nat -D PREROUTING -i mlan0 -p tcp --dport 5000 -j "
"DNAT --to-destination 10.0.0.24:5001 -w",
"/sbin/iptables -t nat -D PREROUTING -i eth1 -p udp --dport 443 -j DNAT "
"--to-destination 1.2.3.4:443 -w"};
std::vector<std::string> issued_commands = mock_firewall.GetAllCommands();
ASSERT_EQ(expected_commands.size(), issued_commands.size());
for (int i = 0; i < expected_commands.size(); i++) {
ASSERT_EQ(expected_commands[i], issued_commands[i]);
}
}
} // namespace permission_broker