📄 lsa.c
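/*
   Unix SMB/CIFS implementation.
   test suite for lsa rpc operations

   Copyright (C) Andrew Tridgell 2003
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "torture/torture.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
#include "librpc/gen_ndr/netlogon.h"
#include "lib/events/events.h"
#include "libcli/security/security.h"
#include "libcli/auth/libcli_auth.h"
#include "torture/rpc/rpc.h"
#include "param/param.h"

#define TEST_MACHINENAME "lsatestmach"

/*
  Point an lsa_String at an existing C string.

  The pointer is stored as-is (no copy), so s must outlive name.
*/
static void init_lsa_String(struct lsa_String *name, const char *s)
{
	name->string = s;
}

/*
  Issue lsa_OpenPolicy asking for SEC_FLAG_MAXIMUM_ALLOWED.

  Returns true when the call succeeds, and also when the server answers
  NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED, which
  this test deliberately does not count as a failure.  Any other status
  returns false.  The opened handle is local and is not returned.
*/
static bool test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
{
	struct lsa_ObjectAttribute attr;
	struct policy_handle handle;
	struct lsa_QosInfo qos;
	struct lsa_OpenPolicy r;
	NTSTATUS status;
	uint16_t system_name = '\\';

	printf("\ntesting OpenPolicy\n");

	qos.len = 0;
	qos.impersonation_level = 2;
	qos.context_mode = 1;
	qos.effective_only = 0;

	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = &system_name;
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = &handle;

	status = dcerpc_lsa_OpenPolicy(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
			printf("not considering %s to be an error\n", nt_errstr(status));
			return true;
		}
		printf("OpenPolicy failed - %s\n", nt_errstr(status));
		return false;
	}

	return true;
}

/*
  Issue lsa_OpenPolicy2 and hand the resulting policy handle to the caller.

  On success *handle points at a policy_handle allocated on mem_ctx and
  true is returned.  On every non-success status *handle is freed and set
  to NULL, so a caller that only tests *handle can never pass on a handle
  the server did not fill in.  NT_STATUS_ACCESS_DENIED and
  NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED still return true (not treated as a
  test failure); any other failure, including allocation failure, returns
  false.
*/
bool test_lsa_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
			  struct policy_handle **handle)
{
	struct lsa_ObjectAttribute attr;
	struct lsa_QosInfo qos;
	struct lsa_OpenPolicy2 r;
	NTSTATUS status;

	printf("\ntesting OpenPolicy2\n");

	*handle = talloc(mem_ctx, struct policy_handle);
	if (!*handle) {
		return false;
	}

	qos.len = 0;
	qos.impersonation_level = 2;
	qos.context_mode = 1;
	qos.effective_only = 0;

	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = "\\";
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = *handle;

	status = dcerpc_lsa_OpenPolicy2(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		/*
		 * Nothing in this function writes the handle's contents
		 * except the RPC out parameter, so after a failed call the
		 * allocation must not be left reachable through *handle.
		 */
		talloc_free(*handle);
		*handle = NULL;

		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
			printf("not considering %s to be an error\n", nt_errstr(status));
			return true;
		}
		printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
		return false;
	}

	return true;
}

/*
  Map an lsa_SidType value to its enumerator name for log output.

  Values not listed fall through to a fixed "invalid" string.  That
  fallback string carries its own trailing newline, and the caller in
  test_LookupNames appends another one.
*/
static const char *sid_type_lookup(enum lsa_SidType r)
{
	switch (r) {
	case SID_NAME_USE_NONE: return "SID_NAME_USE_NONE";
	case SID_NAME_USER: return "SID_NAME_USER";
	case SID_NAME_DOM_GRP: return "SID_NAME_DOM_GRP";
	case SID_NAME_DOMAIN: return "SID_NAME_DOMAIN";
	case SID_NAME_ALIAS: return "SID_NAME_ALIAS";
	case SID_NAME_WKN_GRP: return "SID_NAME_WKN_GRP";
	case SID_NAME_DELETED: return "SID_NAME_DELETED";
	case SID_NAME_INVALID: return "SID_NAME_INVALID";
	case SID_NAME_UNKNOWN: return "SID_NAME_UNKNOWN";
	case SID_NAME_COMPUTER: return "SID_NAME_COMPUTER";
	}
	return "Invalid sid type\n";
}

/*
  Look up every name in tnames with lsa_LookupNames and compare the
  returned SID types with the types recorded in tnames.

  Returns false if the request array cannot be allocated, if the server
  reports STATUS_SOME_UNMAPPED / NT_STATUS_NONE_MAPPED (after listing the
  affected names), or on any other non-OK status.  A type mismatch on an
  OK reply is printed but does not change the return value.
*/
static bool test_LookupNames(struct dcerpc_pipe *p,
			     TALLOC_CTX *mem_ctx,
			     struct policy_handle *handle,
			     struct lsa_TransNameArray *tnames)
{
	struct lsa_LookupNames r;
	struct lsa_TransSidArray sids;
	struct lsa_String *names;
	uint32_t count = 0;
	uint32_t returned = 0;
	NTSTATUS status;
	uint32_t i;

	printf("\nTesting LookupNames with %d names\n", tnames->count);

	sids.count = 0;
	sids.sids = NULL;

	names = talloc_array(mem_ctx, struct lsa_String, tnames->count);
	if (names == NULL) {
		/* the loop below would otherwise write through a NULL pointer */
		printf("talloc_array failed\n");
		return false;
	}
	for (i = 0; i < tnames->count; i++) {
		init_lsa_String(&names[i], tnames->names[i].name.string);
	}

	r.in.handle = handle;
	r.in.num_names = tnames->count;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = 1;
	r.in.count = &count;
	r.out.count = &count;
	r.out.sids = &sids;

	status = dcerpc_lsa_LookupNames(p, mem_ctx, &r);

	/*
	 * count and sids are separate out parameters filled from the
	 * server's reply, and nothing here guarantees that count stays
	 * within the returned array.  Only index sids.sids[] below both
	 * limits.  (Assumes sids.count is the length of sids.sids, as the
	 * paired initialisation above suggests.)
	 */
	if (sids.sids != NULL) {
		returned = (count < sids.count) ? count : sids.count;
	}

	if (NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
	    NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
		for (i = 0; i < tnames->count; i++) {
			if (i < returned && sids.sids[i].sid_type == SID_NAME_UNKNOWN) {
				printf("LookupName of %s was unmapped\n",
				       tnames->names[i].name.string);
			} else if (i >= returned) {
				printf("LookupName of %s failed to return a result\n",
				       tnames->names[i].name.string);
			}
		}
		printf("LookupNames failed - %s\n", nt_errstr(status));
		return false;
	} else if (!NT_STATUS_IS_OK(status)) {
		printf("LookupNames failed - %s\n", nt_errstr(status));
		return false;
	}

	for (i = 0; i < tnames->count; i++) {
		if (i < returned && sids.sids[i].sid_type != tnames->names[i].sid_type) {
			printf("LookupName of %s got unexpected name type: %s\n",
			       tnames->names[i].name.string,
			       sid_type_lookup(sids.sids[i].sid_type));
		} else if (i >= returned) {
			printf("LookupName of %s failed to return a result\n",
			       tnames->names[i].name.string);
		}
	}
	printf("\n");

	return true;
}

/*
  Look up a single name that should not exist ("NT AUTHORITY\\BOGUS").

  The test passes only when the server answers NT_STATUS_NONE_MAPPED;
  every other status, including success, returns false.
*/
static bool test_LookupNames_bogus(struct dcerpc_pipe *p,
				   TALLOC_CTX *mem_ctx,
				   struct policy_handle *handle)
{
	struct lsa_LookupNames r;
	struct lsa_TransSidArray sids;
	struct lsa_String *names;
	uint32_t count = 0;
	NTSTATUS status;
	uint32_t i;

	struct lsa_TranslatedName name;
	struct lsa_TransNameArray tnames;

	tnames.names = &name;
	tnames.count = 1;
	name.name.string = "NT AUTHORITY\\BOGUS";

	printf("\nTesting LookupNames with bogus names\n");

	sids.count = 0;
	sids.sids = NULL;

	names = talloc_array(mem_ctx, struct lsa_String, tnames.count);
	if (names == NULL) {
		/* the loop below would otherwise write through a NULL pointer */
		printf("talloc_array failed\n");
		return false;
	}
	for (i = 0; i < tnames.count; i++) {
		init_lsa_String(&names[i], tnames.names[i].name.string);
	}

	r.in.handle = handle;
	r.in.num_names = tnames.count;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = 1;
	r.in.count = &count;
	r.out.count = &count;
	r.out.sids = &sids;

	status = dcerpc_lsa_LookupNames(p, mem_ctx, &r);
	if (!NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
		printf("LookupNames failed - %s\n", nt_errstr(status));
		return false;
	}

	printf("\n");

	return true;
}

/*
  Run test_LookupNames once per well-known name, each time with the SID
  type this test expects for it.

  Returns true only if every individual lookup returned true.
*/
static bool test_LookupNames_wellknown(struct dcerpc_pipe *p,
				       TALLOC_CTX *mem_ctx,
				       struct policy_handle *handle)
{
	struct lsa_TranslatedName name;
	struct lsa_TransNameArray tnames;
	bool ret = true;

	printf("Testing LookupNames with well known names\n");

	/* one-element array; name is rewritten before each lookup */
	tnames.names = &name;
	tnames.count = 1;

	name.name.string = "NT AUTHORITY\\SYSTEM";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);

	name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);

	name.name.string = "NT AUTHORITY\\Authenticated Users";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);

#if 0
	name.name.string = "NT AUTHORITY";
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);

	name.name.string = "NT AUTHORITY\\";
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);
#endif

	name.name.string = "BUILTIN\\";
	name.sid_type = SID_NAME_DOMAIN;
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);

	name.name.string = "BUILTIN\\Administrators";
	name.sid_type = SID_NAME_ALIAS;
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);

	name.name.string = "SYSTEM";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);

	name.name.string = "Everyone";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(p, mem_ctx, handle, &tnames);

	return ret;
}

/*
  Look up every name in tnames with lsa_LookupNames2.

  Only the call status is checked; the returned SIDs are not inspected.
  Returns false on allocation failure or any non-OK status.
*/
static bool test_LookupNames2(struct dcerpc_pipe *p,
			      TALLOC_CTX *mem_ctx,
			      struct policy_handle *handle,
			      struct lsa_TransNameArray2 *tnames)
{
	struct lsa_LookupNames2 r;
	struct lsa_TransSidArray2 sids;
	struct lsa_String *names;
	uint32_t count = 0;
	NTSTATUS status;
	uint32_t i;

	printf("\nTesting LookupNames2 with %d names\n", tnames->count);

	sids.count = 0;
	sids.sids = NULL;

	names = talloc_array(mem_ctx, struct lsa_String, tnames->count);
	if (names == NULL) {
		/* the loop below would otherwise write through a NULL pointer */
		printf("talloc_array failed\n");
		return false;
	}
	for (i = 0; i < tnames->count; i++) {
		init_lsa_String(&names[i], tnames->names[i].name.string);
	}

	r.in.handle = handle;
	r.in.num_names = tnames->count;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = 1;
	r.in.count = &count;
	r.in.unknown1 = 0;
	r.in.unknown2 = 0;
	r.out.count = &count;
	r.out.sids = &sids;

	status = dcerpc_lsa_LookupNames2(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("LookupNames2 failed - %s\n", nt_errstr(status));
		return false;
	}

	printf("\n");

	return true;
}

/*
  Look up every name in tnames with lsa_LookupNames3.

  Only the call status is checked; the returned SIDs are not inspected.
  Returns false on allocation failure or any non-OK status.
*/
static bool test_LookupNames3(struct dcerpc_pipe *p,
			      TALLOC_CTX *mem_ctx,
			      struct policy_handle *handle,
			      struct lsa_TransNameArray2 *tnames)
{
	struct lsa_LookupNames3 r;
	struct lsa_TransSidArray3 sids;
	struct lsa_String *names;
	uint32_t count = 0;
	NTSTATUS status;
	uint32_t i;

	printf("\nTesting LookupNames3 with %d names\n", tnames->count);

	sids.count = 0;
	sids.sids = NULL;

	names = talloc_array(mem_ctx, struct lsa_String, tnames->count);
	if (names == NULL) {
		/* the loop below would otherwise write through a NULL pointer */
		printf("talloc_array failed\n");
		return false;
	}
	for (i = 0; i < tnames->count; i++) {
		init_lsa_String(&names[i], tnames->names[i].name.string);
	}

	r.in.handle = handle;
	r.in.num_names = tnames->count;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = 1;
	r.in.count = &count;
	r.in.unknown1 = 0;
	r.in.unknown2 = 0;
	r.out.count = &count;
	r.out.sids = &sids;

	status = dcerpc_lsa_LookupNames3(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("LookupNames3 failed - %s\n", nt_errstr(status));
		return false;
	}

	printf("\n");

	return true;
}

/*
  Look up every name in tnames with lsa_LookupNames4.

  Unlike the other LookupNames tests, no policy handle is placed in the
  request.  Only the call status is checked.  Returns false on
  allocation failure or any non-OK status.
*/
static bool test_LookupNames4(struct dcerpc_pipe *p,
			      TALLOC_CTX *mem_ctx,
			      struct lsa_TransNameArray2 *tnames)
{
	struct lsa_LookupNames4 r;
	struct lsa_TransSidArray3 sids;
	struct lsa_String *names;
	uint32_t count = 0;
	NTSTATUS status;
	uint32_t i;

	printf("\nTesting LookupNames4 with %d names\n", tnames->count);

	sids.count = 0;
	sids.sids = NULL;

	names = talloc_array(mem_ctx, struct lsa_String, tnames->count);
	if (names == NULL) {
		/* the loop below would otherwise write through a NULL pointer */
		printf("talloc_array failed\n");
		return false;
	}
	for (i = 0; i < tnames->count; i++) {
		init_lsa_String(&names[i], tnames->names[i].name.string);
	}

	r.in.num_names = tnames->count;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = 1;
	r.in.count = &count;
	r.in.unknown1 = 0;
	r.in.unknown2 = 0;
	r.out.count = &count;
	r.out.sids = &sids;

	status = dcerpc_lsa_LookupNames4(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("LookupNames4 failed - %s\n", nt_errstr(status));
		return false;
	}

	printf("\n");

	return true;
}

/*
  Translate sids to names with lsa_LookupSids, then feed the returned
  names back through test_LookupNames as a round-trip check.

  Returns false if either step fails.
*/
static bool test_LookupSids(struct dcerpc_pipe *p,
			    TALLOC_CTX *mem_ctx,
			    struct policy_handle *handle,
			    struct lsa_SidArray *sids)
{
	struct lsa_LookupSids r;
	struct lsa_TransNameArray names;
	uint32_t count = sids->num_sids;
	NTSTATUS status;

	printf("\nTesting LookupSids\n");

	names.count = 0;
	names.names = NULL;

	r.in.handle = handle;
	r.in.sids = sids;
	r.in.names = &names;
	r.in.level = 1;
	r.in.count = &count;
	r.out.count = &count;
	r.out.names = &names;

	status = dcerpc_lsa_LookupSids(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("LookupSids failed - %s\n", nt_errstr(status));
		return false;
	}

	printf("\n");

	/* names now holds server-supplied data; it is the input of the next test */
	if (!test_LookupNames(p, mem_ctx, handle, &names)) {
		return false;
	}

	return true;
}

/*
  Translate sids to names with lsa_LookupSids2, then feed the returned
  names through test_LookupNames2 and test_LookupNames3.

  Returns false if any of the three steps fails.
*/
static bool test_LookupSids2(struct dcerpc_pipe *p,
			     TALLOC_CTX *mem_ctx,
			     struct policy_handle *handle,
			     struct lsa_SidArray *sids)
{
	struct lsa_LookupSids2 r;
	struct lsa_TransNameArray2 names;
	uint32_t count = sids->num_sids;
	NTSTATUS status;

	printf("\nTesting LookupSids2\n");

	names.count = 0;
	names.names = NULL;

	r.in.handle = handle;
	r.in.sids = sids;
	r.in.names = &names;
	r.in.level = 1;
	r.in.count = &count;
	r.in.unknown1 = 0;
	r.in.unknown2 = 0;
	r.out.count = &count;
	r.out.names = &names;

	status = dcerpc_lsa_LookupSids2(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("LookupSids2 failed - %s\n", nt_errstr(status));
		return false;
	}

	printf("\n");

	if (!test_LookupNames2(p, mem_ctx, handle, &names)) {
		return false;
	}

	if (!test_LookupNames3(p, mem_ctx, handle, &names)) {
		return false;
	}

	return true;
}

/*
  Translate sids to names with lsa_LookupSids3 (no policy handle in the
  request), then feed the returned names through test_LookupNames4.

  NT_STATUS_ACCESS_DENIED and NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED return
  true without running the follow-up lookup; any other non-OK status
  returns false.
*/
static bool test_LookupSids3(struct dcerpc_pipe *p,
			     TALLOC_CTX *mem_ctx,
			     struct lsa_SidArray *sids)
{
	struct lsa_LookupSids3 r;
	struct lsa_TransNameArray2 names;
	uint32_t count = sids->num_sids;
	NTSTATUS status;

	printf("\nTesting LookupSids3\n");

	names.count = 0;
	names.names = NULL;

	r.in.sids = sids;
	r.in.names = &names;
	r.in.level = 1;
	r.in.count = &count;
	r.in.unknown1 = 0;
	r.in.unknown2 = 0;
	r.out.count = &count;
	r.out.names = &names;

	status = dcerpc_lsa_LookupSids3(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
			printf("not considering %s to be an error\n", nt_errstr(status));
			return true;
		}
		/*
		 * NOTE(review): the message says "not considered an error"
		 * but this path returns false, i.e. the test is reported as
		 * failed.  Confirm which of the two is intended.
		 */
		printf("LookupSids3 failed - %s - not considered an error\n",
		       nt_errstr(status));
		return false;
	}

	printf("\n");

	if (!test_LookupNames4(p, mem_ctx, &names)) {
		return false;
	}

	return true;
}

bool test_many_LookupSids(struct dcerpc_pipe *p,
			  TALLOC_CTX *mem_ctx,
			  struct policy_handle *handle)
{
	uint32_t count;
	NTSTATUS status;
	struct lsa_SidArray sids;
	int i;

	printf("\nTesting LookupSids with lots of SIDs\n");

	sids.num_sids = 100;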