winreg.c

来自「samba最新软件」· C语言 代码 · 共 1,909 行 · 第 1/4 页

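	struct security_descriptor *sd = NULL;
	int i;

	if (!test_GetKeySecurity(p, tctx, handle, &sd)) {
		return false;
	}

	if (!sd || !sd->dacl) {
		return false;
	}

	for (i = 0; i < sd->dacl->num_aces; i++) {
		if (dom_sid_equal(&sd->dacl->aces[i].trustee, sid)) {
			return true;
		}
	}

	return false;
}

/*
 * Open `key` below `handle`, report whether any DACL ACE on it names `sid`
 * as trustee, and close the key again.
 *
 * Returns false when the key cannot be opened; otherwise the result of
 * test_dacl_trustee_present(). The result of closing the key is ignored.
 */
static bool _test_dacl_trustee_present(struct dcerpc_pipe *p,
				       struct torture_context *tctx,
				       struct policy_handle *handle,
				       const char *key,
				       const struct dom_sid *sid)
{
	struct policy_handle new_handle;
	bool ret = true;

	if (!test_OpenKey(p, tctx, handle, key, &new_handle)) {
		return false;
	}

	ret = test_dacl_trustee_present(p, tctx, &new_handle, sid);

	test_CloseKey(p, tctx, &new_handle);

	return ret;
}

/*
 * Fetch the SACL of the key behind `handle` (SECINFO_SACL, expecting
 * WERR_OK) and report whether any of its ACEs names `sid` as trustee.
 *
 * Returns false when the query fails, when no descriptor or no SACL comes
 * back, or when no ACE matches.
 */
static bool test_sacl_trustee_present(struct dcerpc_pipe *p,
				      struct torture_context *tctx,
				      struct policy_handle *handle,
				      const struct dom_sid *sid)
{
	struct security_descriptor *sd = NULL;
	int i;
	uint32_t sec_info = SECINFO_SACL;

	if (!_test_GetKeySecurity(p, tctx, handle, &sec_info, WERR_OK, &sd)) {
		return false;
	}

	if (!sd || !sd->sacl) {
		return false;
	}

	for (i = 0; i < sd->sacl->num_aces; i++) {
		if (dom_sid_equal(&sd->sacl->aces[i].trustee, sid)) {
			return true;
		}
	}

	return false;
}

/*
 * Open `key` below `handle` with SEC_FLAG_SYSTEM_SECURITY, report whether
 * any SACL ACE on it names `sid` as trustee, and close the key again.
 *
 * The explicit access mask is what distinguishes this wrapper from the DACL
 * one: the SACL is audit data and is presumably only readable through a
 * handle opened with the system-security right.
 */
static bool _test_sacl_trustee_present(struct dcerpc_pipe *p,
				       struct torture_context *tctx,
				       struct policy_handle *handle,
				       const char *key,
				       const struct dom_sid *sid)
{
	struct policy_handle new_handle;
	bool ret = true;

	if (!_test_OpenKey(p, tctx, handle, key, SEC_FLAG_SYSTEM_SECURITY,
			   &new_handle, WERR_OK, NULL)) {
		return false;
	}

	ret = test_sacl_trustee_present(p, tctx, &new_handle, sid);

	test_CloseKey(p, tctx, &new_handle);

	return ret;
}

/*
 * Fetch the owner of the key behind `handle` (SECINFO_OWNER, expecting
 * WERR_OK) and report whether it equals `sid`.
 *
 * Returns false when the query fails or no owner SID comes back.
 */
static bool test_owner_present(struct dcerpc_pipe *p,
			       struct torture_context *tctx,
			       struct policy_handle *handle,
			       const struct dom_sid *sid)
{
	struct security_descriptor *sd = NULL;
	uint32_t sec_info = SECINFO_OWNER;

	if (!_test_GetKeySecurity(p, tctx, handle, &sec_info, WERR_OK, &sd)) {
		return false;
	}

	if (!sd || !sd->owner_sid) {
		return false;
	}

	return dom_sid_equal(sd->owner_sid, sid);
}

/*
 * Open `key` below `handle`, report whether its owner equals `sid`, and
 * close the key again. Returns false when the key cannot be opened.
 */
static bool _test_owner_present(struct dcerpc_pipe *p,
				struct torture_context *tctx,
				struct policy_handle *handle,
				const char *key,
				const struct dom_sid *sid)
{
	struct policy_handle new_handle;
	bool ret = true;

	if (!test_OpenKey(p, tctx, handle, key, &new_handle)) {
		return false;
	}

	ret = test_owner_present(p, tctx, &new_handle, sid);

	test_CloseKey(p, tctx, &new_handle);

	return ret;
}

/*
 * Fetch the primary group of the key behind `handle` (SECINFO_GROUP,
 * expecting WERR_OK) and report whether it equals `sid`.
 *
 * Returns false when the query fails or no group SID comes back.
 */
static bool test_group_present(struct dcerpc_pipe *p,
			       struct torture_context *tctx,
			       struct policy_handle *handle,
			       const struct dom_sid *sid)
{
	struct security_descriptor *sd = NULL;
	uint32_t sec_info = SECINFO_GROUP;

	if (!_test_GetKeySecurity(p, tctx, handle, &sec_info, WERR_OK, &sd)) {
		return false;
	}

	if (!sd || !sd->group_sid) {
		return false;
	}

	return dom_sid_equal(sd->group_sid, sid);
}

/*
 * Open `key` below `handle`, report whether its primary group equals `sid`,
 * and close the key again. Returns false when the key cannot be opened.
 */
static bool _test_group_present(struct dcerpc_pipe *p,
				struct torture_context *tctx,
				struct policy_handle *handle,
				const char *key,
				const struct dom_sid *sid)
{
	struct policy_handle new_handle;
	bool ret = true;

	if (!test_OpenKey(p, tctx, handle, key, &new_handle)) {
		return false;
	}

	ret = test_group_present(p, tctx, &new_handle, sid);

	test_CloseKey(p, tctx, &new_handle);

	return ret;
}

/*
 * Report whether the DACL of the key behind `handle` holds an ACE whose
 * trustee equals `sid` and whose flags field equals `flags`.
 *
 * The flags comparison is an exact match, not a bitmask test: an ACE that
 * carries `flags` plus any additional flag bit does not count.
 */
static bool test_dacl_trustee_flags_present(struct dcerpc_pipe *p,
					    struct torture_context *tctx,
					    struct policy_handle *handle,
					    const struct dom_sid *sid,
					    uint8_t flags)
{
	struct security_descriptor *sd = NULL;
	int i;

	if (!test_GetKeySecurity(p, tctx, handle, &sd)) {
		return false;
	}

	if (!sd || !sd->dacl) {
		return false;
	}

	for (i = 0; i < sd->dacl->num_aces; i++) {
		if ((dom_sid_equal(&sd->dacl->aces[i].trustee, sid)) &&
		    (sd->dacl->aces[i].flags == flags)) {
			return true;
		}
	}

	return false;
}

/*
 * Report whether the DACL of the key behind `handle` holds an ACE that
 * security_ace_equal() considers equal to `ace`.
 *
 * Returns false when the descriptor cannot be fetched or has no DACL.
 */
static bool test_dacl_ace_present(struct dcerpc_pipe *p,
				  struct torture_context *tctx,
				  struct policy_handle *handle,
				  const struct security_ace *ace)
{
	struct security_descriptor *sd = NULL;
	int i;

	if (!test_GetKeySecurity(p, tctx, handle, &sd)) {
		return false;
	}

	if (!sd || !sd->dacl) {
		return false;
	}

	for (i = 0; i < sd->dacl->num_aces; i++) {
		if (security_ace_equal(&sd->dacl->aces[i], ace)) {
			return true;
		}
	}

	return false;
}

/*
 * Open `key` below `handle`, write `sd` back onto it and close the key.
 *
 * Returns false when the key cannot be opened, or when either setting the
 * descriptor or closing the key fails. The close is attempted even if the
 * set failed.
 */
static bool test_RestoreSecurity(struct dcerpc_pipe *p,
				 struct torture_context *tctx,
				 struct policy_handle *handle,
				 const char *key,
				 struct security_descriptor *sd)
{
	struct policy_handle new_handle;
	bool ret = true;

	if (!test_OpenKey(p, tctx, handle, key, &new_handle)) {
		return false;
	}

	if (!test_SetKeySecurity(p, tctx, &new_handle, sd)) {
		ret = false;
	}

	if (!test_CloseKey(p, tctx, &new_handle)) {
		ret = false;
	}

	return ret;
}

/*
 * Open `key` below `handle`, read its security descriptor into `*sd` and
 * close the key.
 *
 * Returns false when the key cannot be opened, or when either reading the
 * descriptor or closing the key fails. The close is attempted even if the
 * read failed.
 */
static bool test_BackupSecurity(struct dcerpc_pipe *p,
				struct torture_context *tctx,
				struct policy_handle *handle,
				const char *key,
				struct security_descriptor **sd)
{
	struct policy_handle new_handle;
	bool ret = true;

	if (!test_OpenKey(p, tctx, handle, key, &new_handle)) {
		return false;
	}

	if (!test_GetKeySecurity(p, tctx, &new_handle, sd)) {
		ret = false;
	}

	if (!test_CloseKey(p, tctx, &new_handle)) {
		ret = false;
	}

	return ret;
}

/*
 * Check that an ACE flagged SEC_ACE_FLAG_CONTAINER_INHERIT on `key` shows up
 * in the DACL of a newly created subkey and sub-subkey.
 *
 * Returns false when any setup step fails or when the ACE is missing from
 * the key, the subkey or the sub-subkey; true otherwise.
 */
static bool test_SecurityDescriptorInheritance(struct dcerpc_pipe *p,
					       struct torture_context *tctx,
					       struct policy_handle *handle,
					       const char *key)
{
	/* get sd
	   add ace SEC_ACE_FLAG_CONTAINER_INHERIT
	   set sd
	   get sd
	   check ace
	   add subkey
	   get sd
	   check ace
	   add subsubkey
	   get sd
	   check ace
	   del subsubkey
	   del subkey
	   reset sd
	*/

	struct security_descriptor *sd = NULL;
	struct security_descriptor *sd_orig = NULL;
	struct security_ace *ace = NULL;
	struct policy_handle new_handle;
	NTSTATUS status;
	bool ret = true;

	torture_comment(tctx, "SecurityDescriptor inheritance\n");

	if (!test_OpenKey(p, tctx, handle, key, &new_handle)) {
		return false;
	}

	/*
	 * NOTE(review): the early "return false" paths from here down to the
	 * first test_CloseKey() leave new_handle open, and those after
	 * test_SetKeySecurity() also leave the modified descriptor on the
	 * key, because they bypass the cleanup at "out".
	 */
	if (!_test_GetKeySecurity(p, tctx, &new_handle, NULL, WERR_OK, &sd)) {
		return false;
	}

	/* keep a copy so the original descriptor can be restored at "out" */
	sd_orig = security_descriptor_copy(tctx, sd);
	if (sd_orig == NULL) {
		return false;
	}

	ace = security_ace_create(tctx,
				  TEST_SID,
				  SEC_ACE_TYPE_ACCESS_ALLOWED,
				  SEC_STD_REQUIRED,
				  SEC_ACE_FLAG_CONTAINER_INHERIT);

	status = security_descriptor_dacl_add(sd, ace);
	if (!NT_STATUS_IS_OK(status)) {
		printf("failed to add ace: %s\n", nt_errstr(status));
		return false;
	}

	/* FIXME: add further tests for these flags */
	sd->type |= SEC_DESC_DACL_AUTO_INHERIT_REQ |
		    SEC_DESC_SACL_AUTO_INHERITED;

	if (!test_SetKeySecurity(p, tctx, &new_handle, sd)) {
		return false;
	}

	if (!test_dacl_ace_present(p, tctx, &new_handle, ace)) {
		printf("new ACE not present!\n");
		return false;
	}

	if (!test_CloseKey(p, tctx, &new_handle)) {
		return false;
	}

	if (!test_CreateKey(p, tctx, handle, TEST_SUBKEY_SD, NULL)) {
		ret = false;
		goto out;
	}

	if (!test_OpenKey(p, tctx, handle, TEST_SUBKEY_SD, &new_handle)) {
		ret = false;
		goto out;
	}

	if (!test_dacl_ace_present(p, tctx, &new_handle, ace)) {
		printf("inherited ACE not present!\n");
		ret = false;
		goto out;
	}

	test_CloseKey(p, tctx, &new_handle);

	if (!test_CreateKey(p, tctx, handle, TEST_SUBSUBKEY_SD, NULL)) {
		ret = false;
		goto out;
	}

	if (!test_OpenKey(p, tctx, handle, TEST_SUBSUBKEY_SD, &new_handle)) {
		ret = false;
		goto out;
	}

	if (!test_dacl_ace_present(p, tctx, &new_handle, ace)) {
		printf("inherited ACE not present!\n");
		ret = false;
		goto out;
	}

 out:
	/*
	 * NOTE(review): on the paths where key creation or re-open failed,
	 * new_handle has already been closed; the result of this close is
	 * ignored either way.
	 */
	test_CloseKey(p, tctx, &new_handle);
	test_Cleanup(p, tctx, handle, TEST_SUBKEY_SD);
	test_RestoreSecurity(p, tctx, handle, key, sd_orig);

	/*
	 * Report the recorded outcome. Returning a constant true here would
	 * make every failure that reaches "out" (including a missing
	 * inherited ACE) look like a pass and hide inheritance regressions.
	 */
	return ret;
}

static bool test_SecurityDescriptorBlockInheritance(struct dcerpc_pipe *p,
						    struct torture_context *tctx,
						    struct policy_handle *handle,
						    const char *key)
{
	/* get sd
	   add ace SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
	   set sd
	   add subkey/subkey
	   get sd
	   check ace
	   get sd from subkey
	   check ace
	   del subkey/subkey
	   del subkey
	   reset sd
	*/

	struct security_descriptor *sd = NULL;
	struct security_descriptor *sd_orig = NULL;
	struct security_ace *ace = NULL;
	struct policy_handle new_handle;
	struct dom_sid *sid = NULL;
	NTSTATUS status;
	bool ret = true;
	uint8_t ace_flags = 0x0;

	torture_comment(tctx, "SecurityDescriptor inheritance block\n");

	if (!test_OpenKey(p, tctx, handle, key, &new_handle)) {
		return false;
	}

	if (!_test_GetKeySecurity(p, tctx, &new_handle, NULL, WERR_OK, &sd)) {
		return false;
	}

	sd_orig = security_descriptor_copy(tctx, sd);
	if (sd_orig == NULL) {
		return false;
	}

	ace = security_ace_create(tctx,
				  TEST_SID,
				  SEC_ACE_TYPE_ACCESS_ALLOWED,
				  SEC_STD_REQUIRED,
				  SEC_ACE_FLAG_CONTAINER_INHERIT |
				  SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);

	status = security_descriptor_dacl_add(sd, ace);
	if (!NT_STATUS_IS_OK(status)) {
		printf("failed to add ace: %s\n", nt_errstr(status));
		return false;
	}

	if (!_test_SetKeySecurity(p, tctx, &new_handle, NULL, sd, WERR_OK)) {
		return false;
	}

	if (!test_dacl_ace_present(p, tctx, &new_handle, ace)) {
		printf("new ACE not present!\n");
		return false;
	}

	if (!test_CloseKey(p, tctx, &new_handle)) {
		return false;
	}

	if (!test_CreateKey(p, tctx, handle, TEST_SUBSUBKEY_SD, NULL)) {
		return false;
	}

	if (!test_OpenKey(p, tctx, handle, TEST_SUBSUBKEY_SD, &new_handle)) {
		ret = false;
		goto out;
	}

	if (test_dacl_ace_present(p, tctx, &new_handle, ace)) {
		printf("inherited ACE present but should not!\n");
		ret = false;
		goto out;
	}

	sid = dom_sid_parse_talloc(tctx, TEST_SID);
	if (sid == NULL) {
		return false;
	}

	if (test_dacl_trustee_present(p, tctx, &new_handle, sid)) {
		printf("inherited trustee SID present but should not!\n");
		ret = false;
		goto out;
	}

	test_CloseKey(p, tctx, &new_handle);

	if (!test_OpenKey(p, tctx, handle, TEST_SUBKEY_SD, &new_handle)) {
		ret = false;
		goto out;
	}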
