From 2c1a473ddc95652ae2589f8a3c18c3e2c54dc076 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 29 Jun 2023 11:13:01 -0600
Subject: [PATCH] testsudoers: add support for NOTBEFORE and NOTAFTER

Also adds -T option to set the value of "now".
---
 MANIFEST | 2 +
 .../sudoers/regress/testsudoers/test24.out.ok | 40 ++++++++++++++++++
 plugins/sudoers/regress/testsudoers/test24.sh | 42 +++++++++++++++++++
 plugins/sudoers/testsudoers.c | 25 ++++++++++-
 4 files changed, 107 insertions(+), 2 deletions(-)
 create mode 100644 plugins/sudoers/regress/testsudoers/test24.out.ok
 create mode 100644 plugins/sudoers/regress/testsudoers/test24.sh

diff --git a/MANIFEST b/MANIFEST
index e8c9e023a..4e115cb10 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1088,6 +1088,8 @@ plugins/sudoers/regress/testsudoers/test22.out.ok
 plugins/sudoers/regress/testsudoers/test22.sh
 plugins/sudoers/regress/testsudoers/test23.out.ok
 plugins/sudoers/regress/testsudoers/test23.sh
+plugins/sudoers/regress/testsudoers/test24.out.ok
+plugins/sudoers/regress/testsudoers/test24.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
diff --git a/plugins/sudoers/regress/testsudoers/test24.out.ok b/plugins/sudoers/regress/testsudoers/test24.out.ok
new file mode 100644
index 000000000..74106704c
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test24.out.ok
@@ -0,0 +1,40 @@
+Parses OK
+
+Entries for user root:
+
+ALL = NOTBEFORE=20170214083000Z /bin/ls
+ host matched
+ time matched
+ runas matched
+ cmnd allowed
+
+Command allowed
+Parses OK
+
+Entries for user root:
+
+ALL = NOTBEFORE=20170214083001Z /bin/ls
+ host matched
+ time unmatched
+
+Command unmatched
+Parses OK
+
+Entries for user root:
+
+ALL = NOTAFTER=20170214083000Z /bin/ls
+ host matched
+ time matched
+ runas matched
+ cmnd allowed
+
+Command allowed
+Parses OK
+
+Entries for user root:
+
+ALL = NOTAFTER=20170214083000Z /bin/ls
+ host matched
+ time unmatched
+
+Command unmatched
diff --git a/plugins/sudoers/regress/testsudoers/test24.sh b/plugins/sudoers/regress/testsudoers/test24.sh
new file mode 100644
index 000000000..8be4ebc8f
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test24.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# Verify that NOTBEFORE and NOTAFTER work as expected.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+retval=0
+
+$TESTSUDOERS -T 20170214083000Z root /bin/ls <<'EOF'
+root ALL = NOTBEFORE=20170214083000Z /bin/ls
+EOF
+if [ $? -ne 0 ]; then
+ retval=$?
+fi
+
+# expect failure
+$TESTSUDOERS -T 20170214083000Z root /bin/ls <<'EOF'
+root ALL = NOTBEFORE=20170214083001Z /bin/ls
+EOF
+if [ $? -eq 0 ]; then
+ retval=1
+fi
+
+$TESTSUDOERS -T 20170214083000Z root /bin/ls <<'EOF'
+root ALL = NOTAFTER=20170214083000Z /bin/ls
+EOF
+if [ $? -ne 0 ]; then
+ retval=$?
+fi
+
+# expect failure
+$TESTSUDOERS -T 20170214083001Z root /bin/ls <<'EOF'
+root ALL = NOTAFTER=20170214083000Z /bin/ls
+EOF
+if [ $? -eq 0 ]; then
+ retval=1
+fi
+
+exit $retval
diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c
index 23af90c5c..e9fcc3c24 100644
--- a/plugins/sudoers/testsudoers.c
+++ b/plugins/sudoers/testsudoers.c
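Review bot: In both "expect success" checks of test24.sh, `retval=$?` inside `if [ $? -ne 0 ]; then` records the exit status of the `[` test that just succeeded, i.e. 0, so a failing testsudoers run leaves retval at 0 and the script still reports success. Either capture the status before testing it (`rc=$?` right after the heredoc, then test `$rc`) or set a non-zero constant, `retval=1`, as the two "expect failure" branches already do. The same pattern occurs in the NOTBEFORE and the NOTAFTER success case; the expected-output comparison may still catch a mismatch, but the exit status should not lie on its own.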
@@ -1,7 +1,7 @@
 /*
 * SPDX-License-Identifier: ISC
 *
- * Copyright (c) 1996, 1998-2005, 2007-2022
+ * Copyright (c) 1996, 1998-2005, 2007-2023
 * Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
@@ -107,6 +107,7 @@ main(int argc, char *argv[])
 int match, host_match, runas_match, cmnd_match;
 int ch, dflag, exitcode = EXIT_FAILURE;
 struct sudo_lbuf lbuf;
+ time_t now;
 id_t id;
 debug_decl(main, SUDOERS_DEBUG_MAIN);
@@ -124,6 +125,7 @@ main(int argc, char *argv[])
 sudo_warn_set_locale_func(sudoers_warn_setlocale);
 bindtextdomain("sudoers", LOCALEDIR); /* XXX - should have own domain */
 textdomain("sudoers");
+ time(&now);
 /* No word wrap on output. */
 sudo_lbuf_init(&lbuf, testsudoers_output, 0, NULL, 0);
@@ -136,7 +138,7 @@ main(int argc, char *argv[])
 dflag = 0;
 grfile = pwfile = NULL;
- while ((ch = getopt(argc, argv, "+dg:G:h:i:P:p:tu:U:")) != -1) {
+ while ((ch = getopt(argc, argv, "+dg:G:h:i:P:p:T:tu:U:")) != -1) {
 switch (ch) {
 case 'd':
 dflag = 1;
@@ -170,6 +172,11 @@ main(int argc, char *argv[])
 case 'P':
 grfile = optarg;
 break;
+ case 'T':
+ now = parse_gentime(optarg);
+ if (now == -1)
+ sudo_fatalx("invalid time: %s", optarg);
+ break;
 case 't':
 trace_print = testsudoers_error;
 break;
@@ -339,6 +346,20 @@ main(int argc, char *argv[])
 if (host_match == ALLOW) {
 puts("\thost matched");
 TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
+ if (cs->notbefore != UNSPEC) {
+ if (now < cs->notbefore) {
+ puts(U_("\ttime unmatched"));
+ continue;
+ }
+ puts(U_("\ttime matched"));
+ }
+ if (cs->notafter != UNSPEC) {
+ if (now > cs->notafter) {
+ puts(U_("\ttime unmatched"));
+ continue;
+ }
+ puts(U_("\ttime matched"));
+ }
 runas_match = runaslist_matches(&parsed_policy,
 cs->runasuserlist, cs->runasgrouplist, NULL, NULL);
 if (runas_match == ALLOW) {
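Review bot: The new `case 'T':` in the option loop is undocumented: the patch touches only the getopt string and this case, so if testsudoers has a usage() string listing its option letters it is not updated here (the diffstat names no other change in testsudoers.c), and nothing at the case says what format -T expects. A short comment would help the next reader, e.g. `/* -T: override "now" for NOTBEFORE/NOTAFTER checks; same timestamp format as those tags */` — the test script passes the same `YYYYMMDDHHMMSSZ` value to both, which is the only format evidence in the patch. Checking parse_gentime's -1 result before use is right; main()'s body continues outside the hunk.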
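Review bot: When a command spec carries both NOTBEFORE and NOTAFTER, the new block in the TAILQ_FOREACH_REVERSE loop prints `time matched` twice, because each tag has its own success puts() and only the failing branch short-circuits with continue. Folding the two bounds into one test yields one line per spec and keeps the either-bound-fails semantics; the shipped test24 cases use one tag at a time, so the expected output is unaffected. A smaller style point: the new lines wrap their strings in `U_()` while the adjacent context line `puts("\thost matched");` does not, so the output is translatable only in part. The enclosing loop and main() continue past the hunk.
```c
if (cs->notbefore != UNSPEC || cs->notafter != UNSPEC) {
    if ((cs->notbefore != UNSPEC && now < cs->notbefore) ||
        (cs->notafter != UNSPEC && now > cs->notafter)) {
        puts(U_("\ttime unmatched"));
        continue;
    }
    puts(U_("\ttime matched"));
}
/* … unchanged: runaslist_matches() and the rest of the loop body … */
```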