security/sandbox/win/src/restricted_token_unittest.cc@b8a032363ba2 (annotated)
security/sandbox/win/src/restricted_token_unittest.cc
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| michael@0 | 2 | // Use of this source code is governed by a BSD-style license that can be |
| michael@0 | 3 | // found in the LICENSE file. |
| michael@0 | 4 | |
| michael@0 | 5 | // This file contains unit tests for the RestrictedToken. |
| michael@0 | 6 | |
| michael@0 | 7 | #define _ATL_NO_EXCEPTIONS |
| michael@0 | 8 | #include <atlbase.h> |
| michael@0 | 9 | #include <atlsecurity.h> |
| michael@0 | 10 | #include <vector> |
| michael@0 | 11 | #include "sandbox/win/src/restricted_token.h" |
| michael@0 | 12 | #include "sandbox/win/src/sid.h" |
| michael@0 | 13 | #include "testing/gtest/include/gtest/gtest.h" |
| michael@0 | 14 | |
| michael@0 | 15 | namespace sandbox { |
| michael@0 | 16 | |
| michael@0 | 17 | // Tests the initializatioin with an invalid token handle. |
| michael@0 | 18 | TEST(RestrictedTokenTest, InvalidHandle) { |
| michael@0 | 19 | RestrictedToken token; |
| michael@0 | 20 | ASSERT_EQ(ERROR_INVALID_HANDLE, token.Init(reinterpret_cast<HANDLE>(0x5555))); |
| michael@0 | 21 | } |
| michael@0 | 22 | |
| michael@0 | 23 | // Tests the initialization with NULL as parameter. |
| michael@0 | 24 | TEST(RestrictedTokenTest, DefaultInit) { |
| michael@0 | 25 | // Get the current process token. |
| michael@0 | 26 | HANDLE token_handle = INVALID_HANDLE_VALUE; |
| michael@0 | 27 | ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, |
| michael@0 | 28 | &token_handle)); |
| michael@0 | 29 | |
| michael@0 | 30 | ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); |
| michael@0 | 31 | |
| michael@0 | 32 | ATL::CAccessToken access_token; |
| michael@0 | 33 | access_token.Attach(token_handle); |
| michael@0 | 34 | |
| michael@0 | 35 | // Create the token using the current token. |
| michael@0 | 36 | RestrictedToken token_default; |
| michael@0 | 37 | ASSERT_EQ(ERROR_SUCCESS, token_default.Init(NULL)); |
| michael@0 | 38 | |
| michael@0 | 39 | // Get the handle to the restricted token. |
| michael@0 | 40 | |
| michael@0 | 41 | HANDLE restricted_token_handle = NULL; |
| michael@0 | 42 | ASSERT_EQ(ERROR_SUCCESS, |
| michael@0 | 43 | token_default.GetRestrictedTokenHandle(&restricted_token_handle)); |
| michael@0 | 44 | |
| michael@0 | 45 | ATL::CAccessToken restricted_token; |
| michael@0 | 46 | restricted_token.Attach(restricted_token_handle); |
| michael@0 | 47 | |
| michael@0 | 48 | ATL::CSid sid_user_restricted; |
| michael@0 | 49 | ATL::CSid sid_user_default; |
| michael@0 | 50 | ATL::CSid sid_owner_restricted; |
| michael@0 | 51 | ATL::CSid sid_owner_default; |
| michael@0 | 52 | ASSERT_TRUE(restricted_token.GetUser(&sid_user_restricted)); |
| michael@0 | 53 | ASSERT_TRUE(access_token.GetUser(&sid_user_default)); |
| michael@0 | 54 | ASSERT_TRUE(restricted_token.GetOwner(&sid_owner_restricted)); |
| michael@0 | 55 | ASSERT_TRUE(access_token.GetOwner(&sid_owner_default)); |
| michael@0 | 56 | |
| michael@0 | 57 | // Check if both token have the same owner and user. |
| michael@0 | 58 | ASSERT_EQ(sid_user_restricted, sid_user_default); |
| michael@0 | 59 | ASSERT_EQ(sid_owner_restricted, sid_owner_default); |
| michael@0 | 60 | } |
| michael@0 | 61 | |
| michael@0 | 62 | // Tests the initialization with a custom token as parameter. |
| michael@0 | 63 | TEST(RestrictedTokenTest, CustomInit) { |
| michael@0 | 64 | // Get the current process token. |
| michael@0 | 65 | HANDLE token_handle = INVALID_HANDLE_VALUE; |
| michael@0 | 66 | ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, |
| michael@0 | 67 | &token_handle)); |
| michael@0 | 68 | |
| michael@0 | 69 | ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); |
| michael@0 | 70 | |
| michael@0 | 71 | ATL::CAccessToken access_token; |
| michael@0 | 72 | access_token.Attach(token_handle); |
| michael@0 | 73 | |
| michael@0 | 74 | // Change the primary group. |
| michael@0 | 75 | access_token.SetPrimaryGroup(ATL::Sids::World()); |
| michael@0 | 76 | |
| michael@0 | 77 | // Create the token using the current token. |
| michael@0 | 78 | RestrictedToken token; |
| michael@0 | 79 | ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); |
| michael@0 | 80 | |
| michael@0 | 81 | // Get the handle to the restricted token. |
| michael@0 | 82 | |
| michael@0 | 83 | HANDLE restricted_token_handle = NULL; |
| michael@0 | 84 | ASSERT_EQ(ERROR_SUCCESS, |
| michael@0 | 85 | token.GetRestrictedTokenHandle(&restricted_token_handle)); |
| michael@0 | 86 | |
| michael@0 | 87 | ATL::CAccessToken restricted_token; |
| michael@0 | 88 | restricted_token.Attach(restricted_token_handle); |
| michael@0 | 89 | |
| michael@0 | 90 | ATL::CSid sid_restricted; |
| michael@0 | 91 | ATL::CSid sid_default; |
| michael@0 | 92 | ASSERT_TRUE(restricted_token.GetPrimaryGroup(&sid_restricted)); |
| michael@0 | 93 | ASSERT_TRUE(access_token.GetPrimaryGroup(&sid_default)); |
| michael@0 | 94 | |
| michael@0 | 95 | // Check if both token have the same owner. |
| michael@0 | 96 | ASSERT_EQ(sid_restricted, sid_default); |
| michael@0 | 97 | } |
| michael@0 | 98 | |
| michael@0 | 99 | // Verifies that the token created by the object are valid. |
| michael@0 | 100 | TEST(RestrictedTokenTest, ResultToken) { |
| michael@0 | 101 | RestrictedToken token; |
| michael@0 | 102 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 103 | |
| michael@0 | 104 | ASSERT_EQ(ERROR_SUCCESS, |
| michael@0 | 105 | token.AddRestrictingSid(ATL::Sids::World().GetPSID())); |
| michael@0 | 106 | |
| michael@0 | 107 | HANDLE restricted_token; |
| michael@0 | 108 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&restricted_token)); |
| michael@0 | 109 | |
| michael@0 | 110 | ASSERT_TRUE(::IsTokenRestricted(restricted_token)); |
| michael@0 | 111 | |
| michael@0 | 112 | DWORD length = 0; |
| michael@0 | 113 | TOKEN_TYPE type; |
| michael@0 | 114 | ASSERT_TRUE(::GetTokenInformation(restricted_token, |
| michael@0 | 115 | ::TokenType, |
| michael@0 | 116 | &type, |
| michael@0 | 117 | sizeof(type), |
| michael@0 | 118 | &length)); |
| michael@0 | 119 | |
| michael@0 | 120 | ASSERT_EQ(type, TokenPrimary); |
| michael@0 | 121 | |
| michael@0 | 122 | HANDLE impersonation_token; |
| michael@0 | 123 | ASSERT_EQ(ERROR_SUCCESS, |
| michael@0 | 124 | token.GetRestrictedTokenHandleForImpersonation(&impersonation_token)); |
| michael@0 | 125 | |
| michael@0 | 126 | ASSERT_TRUE(::IsTokenRestricted(impersonation_token)); |
| michael@0 | 127 | |
| michael@0 | 128 | ASSERT_TRUE(::GetTokenInformation(impersonation_token, |
| michael@0 | 129 | ::TokenType, |
| michael@0 | 130 | &type, |
| michael@0 | 131 | sizeof(type), |
| michael@0 | 132 | &length)); |
| michael@0 | 133 | |
| michael@0 | 134 | ASSERT_EQ(type, TokenImpersonation); |
| michael@0 | 135 | |
| michael@0 | 136 | ::CloseHandle(impersonation_token); |
| michael@0 | 137 | ::CloseHandle(restricted_token); |
| michael@0 | 138 | } |
| michael@0 | 139 | |
| michael@0 | 140 | // Verifies that the token created has "Restricted" in its default dacl. |
| michael@0 | 141 | TEST(RestrictedTokenTest, DefaultDacl) { |
| michael@0 | 142 | RestrictedToken token; |
| michael@0 | 143 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 144 | |
| michael@0 | 145 | ASSERT_EQ(ERROR_SUCCESS, |
| michael@0 | 146 | token.AddRestrictingSid(ATL::Sids::World().GetPSID())); |
| michael@0 | 147 | |
| michael@0 | 148 | HANDLE handle; |
| michael@0 | 149 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&handle)); |
| michael@0 | 150 | |
| michael@0 | 151 | ATL::CAccessToken restricted_token; |
| michael@0 | 152 | restricted_token.Attach(handle); |
| michael@0 | 153 | |
| michael@0 | 154 | ATL::CDacl dacl; |
| michael@0 | 155 | ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl)); |
| michael@0 | 156 | |
| michael@0 | 157 | bool restricted_found = false; |
| michael@0 | 158 | |
| michael@0 | 159 | unsigned int ace_count = dacl.GetAceCount(); |
| michael@0 | 160 | for (unsigned int i = 0; i < ace_count ; ++i) { |
| michael@0 | 161 | ATL::CSid sid; |
| michael@0 | 162 | ACCESS_MASK mask = 0; |
| michael@0 | 163 | dacl.GetAclEntry(i, &sid, &mask); |
| michael@0 | 164 | if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) { |
| michael@0 | 165 | restricted_found = true; |
| michael@0 | 166 | break; |
| michael@0 | 167 | } |
| michael@0 | 168 | } |
| michael@0 | 169 | |
| michael@0 | 170 | ASSERT_TRUE(restricted_found); |
| michael@0 | 171 | } |
| michael@0 | 172 | |
| michael@0 | 173 | // Tests the method "AddSidForDenyOnly". |
| michael@0 | 174 | TEST(RestrictedTokenTest, DenySid) { |
| michael@0 | 175 | RestrictedToken token; |
| michael@0 | 176 | HANDLE token_handle = NULL; |
| michael@0 | 177 | |
| michael@0 | 178 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 179 | ASSERT_EQ(ERROR_SUCCESS, token.AddSidForDenyOnly(Sid(WinWorldSid))); |
| michael@0 | 180 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 181 | |
| michael@0 | 182 | ATL::CAccessToken restricted_token; |
| michael@0 | 183 | restricted_token.Attach(token_handle); |
| michael@0 | 184 | |
| michael@0 | 185 | ATL::CTokenGroups groups; |
| michael@0 | 186 | ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
| michael@0 | 187 | |
| michael@0 | 188 | ATL::CSid::CSidArray sids; |
| michael@0 | 189 | ATL::CAtlArray<DWORD> attributes; |
| michael@0 | 190 | groups.GetSidsAndAttributes(&sids, &attributes); |
| michael@0 | 191 | |
| michael@0 | 192 | for (unsigned int i = 0; i < sids.GetCount(); i++) { |
| michael@0 | 193 | if (ATL::Sids::World() == sids[i]) { |
| michael@0 | 194 | ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, |
| michael@0 | 195 | attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
| michael@0 | 196 | } |
| michael@0 | 197 | } |
| michael@0 | 198 | } |
| michael@0 | 199 | |
| michael@0 | 200 | // Tests the method "AddAllSidsForDenyOnly". |
| michael@0 | 201 | TEST(RestrictedTokenTest, DenySids) { |
| michael@0 | 202 | RestrictedToken token; |
| michael@0 | 203 | HANDLE token_handle = NULL; |
| michael@0 | 204 | |
| michael@0 | 205 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 206 | ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(NULL)); |
| michael@0 | 207 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 208 | |
| michael@0 | 209 | ATL::CAccessToken restricted_token; |
| michael@0 | 210 | restricted_token.Attach(token_handle); |
| michael@0 | 211 | |
| michael@0 | 212 | ATL::CTokenGroups groups; |
| michael@0 | 213 | ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
| michael@0 | 214 | |
| michael@0 | 215 | ATL::CSid::CSidArray sids; |
| michael@0 | 216 | ATL::CAtlArray<DWORD> attributes; |
| michael@0 | 217 | groups.GetSidsAndAttributes(&sids, &attributes); |
| michael@0 | 218 | |
| michael@0 | 219 | // Verify that all sids are really gone. |
| michael@0 | 220 | for (unsigned int i = 0; i < sids.GetCount(); i++) { |
| michael@0 | 221 | if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 && |
| michael@0 | 222 | (attributes[i] & SE_GROUP_INTEGRITY) == 0) { |
| michael@0 | 223 | ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, |
| michael@0 | 224 | attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
| michael@0 | 225 | } |
| michael@0 | 226 | } |
| michael@0 | 227 | } |
| michael@0 | 228 | |
| michael@0 | 229 | // Tests the method "AddAllSidsForDenyOnly" using an exception list. |
| michael@0 | 230 | TEST(RestrictedTokenTest, DenySidsException) { |
| michael@0 | 231 | RestrictedToken token; |
| michael@0 | 232 | HANDLE token_handle = NULL; |
| michael@0 | 233 | |
| michael@0 | 234 | std::vector<Sid> sids_exception; |
| michael@0 | 235 | sids_exception.push_back(Sid(WinWorldSid)); |
| michael@0 | 236 | |
| michael@0 | 237 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 238 | ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(&sids_exception)); |
| michael@0 | 239 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 240 | |
| michael@0 | 241 | ATL::CAccessToken restricted_token; |
| michael@0 | 242 | restricted_token.Attach(token_handle); |
| michael@0 | 243 | |
| michael@0 | 244 | ATL::CTokenGroups groups; |
| michael@0 | 245 | ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
| michael@0 | 246 | |
| michael@0 | 247 | ATL::CSid::CSidArray sids; |
| michael@0 | 248 | ATL::CAtlArray<DWORD> attributes; |
| michael@0 | 249 | groups.GetSidsAndAttributes(&sids, &attributes); |
| michael@0 | 250 | |
| michael@0 | 251 | // Verify that all sids are really gone. |
| michael@0 | 252 | for (unsigned int i = 0; i < sids.GetCount(); i++) { |
| michael@0 | 253 | if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 && |
| michael@0 | 254 | (attributes[i] & SE_GROUP_INTEGRITY) == 0) { |
| michael@0 | 255 | if (ATL::Sids::World() == sids[i]) { |
| michael@0 | 256 | ASSERT_EQ(NULL, attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
| michael@0 | 257 | } else { |
| michael@0 | 258 | ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, |
| michael@0 | 259 | attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
| michael@0 | 260 | } |
| michael@0 | 261 | } |
| michael@0 | 262 | } |
| michael@0 | 263 | } |
| michael@0 | 264 | |
| michael@0 | 265 | // Tests test method AddOwnerSidForDenyOnly. |
| michael@0 | 266 | TEST(RestrictedTokenTest, DenyOwnerSid) { |
| michael@0 | 267 | RestrictedToken token; |
| michael@0 | 268 | HANDLE token_handle = NULL; |
| michael@0 | 269 | |
| michael@0 | 270 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 271 | ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly()); |
| michael@0 | 272 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 273 | |
| michael@0 | 274 | ATL::CAccessToken restricted_token; |
| michael@0 | 275 | restricted_token.Attach(token_handle); |
| michael@0 | 276 | |
| michael@0 | 277 | ATL::CTokenGroups groups; |
| michael@0 | 278 | ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
| michael@0 | 279 | |
| michael@0 | 280 | ATL::CSid::CSidArray sids; |
| michael@0 | 281 | ATL::CAtlArray<DWORD> attributes; |
| michael@0 | 282 | groups.GetSidsAndAttributes(&sids, &attributes); |
| michael@0 | 283 | |
| michael@0 | 284 | ATL::CSid user_sid; |
| michael@0 | 285 | ASSERT_TRUE(restricted_token.GetUser(&user_sid)); |
| michael@0 | 286 | |
| michael@0 | 287 | for (unsigned int i = 0; i < sids.GetCount(); ++i) { |
| michael@0 | 288 | if (user_sid == sids[i]) { |
| michael@0 | 289 | ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, |
| michael@0 | 290 | attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
| michael@0 | 291 | } |
| michael@0 | 292 | } |
| michael@0 | 293 | } |
| michael@0 | 294 | |
| michael@0 | 295 | // Tests test method AddOwnerSidForDenyOnly with a custom effective token. |
| michael@0 | 296 | TEST(RestrictedTokenTest, DenyOwnerSidCustom) { |
| michael@0 | 297 | // Get the current process token. |
| michael@0 | 298 | HANDLE token_handle = INVALID_HANDLE_VALUE; |
| michael@0 | 299 | ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, |
| michael@0 | 300 | &token_handle)); |
| michael@0 | 301 | |
| michael@0 | 302 | ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); |
| michael@0 | 303 | |
| michael@0 | 304 | ATL::CAccessToken access_token; |
| michael@0 | 305 | access_token.Attach(token_handle); |
| michael@0 | 306 | |
| michael@0 | 307 | RestrictedToken token; |
| michael@0 | 308 | ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); |
| michael@0 | 309 | ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly()); |
| michael@0 | 310 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 311 | |
| michael@0 | 312 | ATL::CAccessToken restricted_token; |
| michael@0 | 313 | restricted_token.Attach(token_handle); |
| michael@0 | 314 | |
| michael@0 | 315 | ATL::CTokenGroups groups; |
| michael@0 | 316 | ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
| michael@0 | 317 | |
| michael@0 | 318 | ATL::CSid::CSidArray sids; |
| michael@0 | 319 | ATL::CAtlArray<DWORD> attributes; |
| michael@0 | 320 | groups.GetSidsAndAttributes(&sids, &attributes); |
| michael@0 | 321 | |
| michael@0 | 322 | ATL::CSid user_sid; |
| michael@0 | 323 | ASSERT_TRUE(restricted_token.GetUser(&user_sid)); |
| michael@0 | 324 | |
| michael@0 | 325 | for (unsigned int i = 0; i < sids.GetCount(); ++i) { |
| michael@0 | 326 | if (user_sid == sids[i]) { |
| michael@0 | 327 | ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, |
| michael@0 | 328 | attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
| michael@0 | 329 | } |
| michael@0 | 330 | } |
| michael@0 | 331 | } |
| michael@0 | 332 | |
| michael@0 | 333 | // Tests the method DeleteAllPrivileges. |
| michael@0 | 334 | TEST(RestrictedTokenTest, DeleteAllPrivileges) { |
| michael@0 | 335 | RestrictedToken token; |
| michael@0 | 336 | HANDLE token_handle = NULL; |
| michael@0 | 337 | |
| michael@0 | 338 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 339 | ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(NULL)); |
| michael@0 | 340 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 341 | |
| michael@0 | 342 | ATL::CAccessToken restricted_token; |
| michael@0 | 343 | restricted_token.Attach(token_handle); |
| michael@0 | 344 | |
| michael@0 | 345 | ATL::CTokenPrivileges privileges; |
| michael@0 | 346 | ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); |
| michael@0 | 347 | |
| michael@0 | 348 | ASSERT_EQ(0, privileges.GetCount()); |
| michael@0 | 349 | } |
| michael@0 | 350 | |
| michael@0 | 351 | // Tests the method DeleteAllPrivileges with an exception list. |
| michael@0 | 352 | TEST(RestrictedTokenTest, DeleteAllPrivilegesException) { |
| michael@0 | 353 | RestrictedToken token; |
| michael@0 | 354 | HANDLE token_handle = NULL; |
| michael@0 | 355 | |
| michael@0 | 356 | std::vector<std::wstring> exceptions; |
| michael@0 | 357 | exceptions.push_back(SE_CHANGE_NOTIFY_NAME); |
| michael@0 | 358 | |
| michael@0 | 359 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 360 | ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(&exceptions)); |
| michael@0 | 361 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 362 | |
| michael@0 | 363 | ATL::CAccessToken restricted_token; |
| michael@0 | 364 | restricted_token.Attach(token_handle); |
| michael@0 | 365 | |
| michael@0 | 366 | ATL::CTokenPrivileges privileges; |
| michael@0 | 367 | ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); |
| michael@0 | 368 | |
| michael@0 | 369 | ATL::CTokenPrivileges::CNames privilege_names; |
| michael@0 | 370 | ATL::CTokenPrivileges::CAttributes privilege_name_attributes; |
| michael@0 | 371 | privileges.GetNamesAndAttributes(&privilege_names, |
| michael@0 | 372 | &privilege_name_attributes); |
| michael@0 | 373 | |
| michael@0 | 374 | ASSERT_EQ(1, privileges.GetCount()); |
| michael@0 | 375 | |
| michael@0 | 376 | for (unsigned int i = 0; i < privileges.GetCount(); ++i) { |
| michael@0 | 377 | ASSERT_EQ(privilege_names[i], SE_CHANGE_NOTIFY_NAME); |
| michael@0 | 378 | } |
| michael@0 | 379 | } |
| michael@0 | 380 | |
| michael@0 | 381 | // Tests the method DeletePrivilege. |
| michael@0 | 382 | TEST(RestrictedTokenTest, DeletePrivilege) { |
| michael@0 | 383 | RestrictedToken token; |
| michael@0 | 384 | HANDLE token_handle = NULL; |
| michael@0 | 385 | |
| michael@0 | 386 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 387 | ASSERT_EQ(ERROR_SUCCESS, token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME)); |
| michael@0 | 388 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 389 | |
| michael@0 | 390 | ATL::CAccessToken restricted_token; |
| michael@0 | 391 | restricted_token.Attach(token_handle); |
| michael@0 | 392 | |
| michael@0 | 393 | ATL::CTokenPrivileges privileges; |
| michael@0 | 394 | ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); |
| michael@0 | 395 | |
| michael@0 | 396 | ATL::CTokenPrivileges::CNames privilege_names; |
| michael@0 | 397 | ATL::CTokenPrivileges::CAttributes privilege_name_attributes; |
| michael@0 | 398 | privileges.GetNamesAndAttributes(&privilege_names, |
| michael@0 | 399 | &privilege_name_attributes); |
| michael@0 | 400 | |
| michael@0 | 401 | for (unsigned int i = 0; i < privileges.GetCount(); ++i) { |
| michael@0 | 402 | ASSERT_NE(privilege_names[i], SE_CHANGE_NOTIFY_NAME); |
| michael@0 | 403 | } |
| michael@0 | 404 | } |
| michael@0 | 405 | |
| michael@0 | 406 | // Checks if a sid is in the restricting list of the restricted token. |
| michael@0 | 407 | // Asserts if it's not the case. If count is a positive number, the number of |
| michael@0 | 408 | // elements in the restricting sids list has to be equal. |
| michael@0 | 409 | void CheckRestrictingSid(const ATL::CAccessToken &restricted_token, |
| michael@0 | 410 | ATL::CSid sid, int count) { |
| michael@0 | 411 | DWORD length = 1000; |
| michael@0 | 412 | BYTE *memory = new BYTE[1000]; |
| michael@0 | 413 | TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(memory); |
| michael@0 | 414 | ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(), |
| michael@0 | 415 | TokenRestrictedSids, |
| michael@0 | 416 | groups, |
| michael@0 | 417 | length, |
| michael@0 | 418 | &length)); |
| michael@0 | 419 | |
| michael@0 | 420 | ATL::CTokenGroups atl_groups(*groups); |
| michael@0 | 421 | delete[] memory; |
| michael@0 | 422 | |
| michael@0 | 423 | if (count >= 0) |
| michael@0 | 424 | ASSERT_EQ(count, atl_groups.GetCount()); |
| michael@0 | 425 | |
| michael@0 | 426 | ATL::CSid::CSidArray sids; |
| michael@0 | 427 | ATL::CAtlArray<DWORD> attributes; |
| michael@0 | 428 | atl_groups.GetSidsAndAttributes(&sids, &attributes); |
| michael@0 | 429 | |
| michael@0 | 430 | bool present = false; |
| michael@0 | 431 | for (unsigned int i = 0; i < sids.GetCount(); ++i) { |
| michael@0 | 432 | if (sids[i] == sid) { |
| michael@0 | 433 | present = true; |
| michael@0 | 434 | break; |
| michael@0 | 435 | } |
| michael@0 | 436 | } |
| michael@0 | 437 | |
| michael@0 | 438 | ASSERT_TRUE(present); |
| michael@0 | 439 | } |
| michael@0 | 440 | |
| michael@0 | 441 | // Tests the method AddRestrictingSid. |
| michael@0 | 442 | TEST(RestrictedTokenTest, AddRestrictingSid) { |
| michael@0 | 443 | RestrictedToken token; |
| michael@0 | 444 | HANDLE token_handle = NULL; |
| michael@0 | 445 | |
| michael@0 | 446 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 447 | ASSERT_EQ(ERROR_SUCCESS, |
| michael@0 | 448 | token.AddRestrictingSid(ATL::Sids::World().GetPSID())); |
| michael@0 | 449 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 450 | |
| michael@0 | 451 | ATL::CAccessToken restricted_token; |
| michael@0 | 452 | restricted_token.Attach(token_handle); |
| michael@0 | 453 | |
| michael@0 | 454 | CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1); |
| michael@0 | 455 | } |
| michael@0 | 456 | |
| michael@0 | 457 | // Tests the method AddRestrictingSidCurrentUser. |
| michael@0 | 458 | TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) { |
| michael@0 | 459 | RestrictedToken token; |
| michael@0 | 460 | HANDLE token_handle = NULL; |
| michael@0 | 461 | |
| michael@0 | 462 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 463 | ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); |
| michael@0 | 464 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 465 | |
| michael@0 | 466 | ATL::CAccessToken restricted_token; |
| michael@0 | 467 | restricted_token.Attach(token_handle); |
| michael@0 | 468 | ATL::CSid user; |
| michael@0 | 469 | restricted_token.GetUser(&user); |
| michael@0 | 470 | |
| michael@0 | 471 | CheckRestrictingSid(restricted_token, user, 1); |
| michael@0 | 472 | } |
| michael@0 | 473 | |
| michael@0 | 474 | // Tests the method AddRestrictingSidCurrentUser with a custom effective token. |
| michael@0 | 475 | TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) { |
| michael@0 | 476 | // Get the current process token. |
| michael@0 | 477 | HANDLE token_handle = INVALID_HANDLE_VALUE; |
| michael@0 | 478 | ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, |
| michael@0 | 479 | &token_handle)); |
| michael@0 | 480 | |
| michael@0 | 481 | ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); |
| michael@0 | 482 | |
| michael@0 | 483 | ATL::CAccessToken access_token; |
| michael@0 | 484 | access_token.Attach(token_handle); |
| michael@0 | 485 | |
| michael@0 | 486 | RestrictedToken token; |
| michael@0 | 487 | ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); |
| michael@0 | 488 | ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); |
| michael@0 | 489 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 490 | |
| michael@0 | 491 | ATL::CAccessToken restricted_token; |
| michael@0 | 492 | restricted_token.Attach(token_handle); |
| michael@0 | 493 | ATL::CSid user; |
| michael@0 | 494 | restricted_token.GetUser(&user); |
| michael@0 | 495 | |
| michael@0 | 496 | CheckRestrictingSid(restricted_token, user, 1); |
| michael@0 | 497 | } |
| michael@0 | 498 | |
| michael@0 | 499 | // Tests the method AddRestrictingSidLogonSession. |
| michael@0 | 500 | TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) { |
| michael@0 | 501 | RestrictedToken token; |
| michael@0 | 502 | HANDLE token_handle = NULL; |
| michael@0 | 503 | |
| michael@0 | 504 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 505 | ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession()); |
| michael@0 | 506 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 507 | |
| michael@0 | 508 | ATL::CAccessToken restricted_token; |
| michael@0 | 509 | restricted_token.Attach(token_handle); |
| michael@0 | 510 | ATL::CSid session; |
| michael@0 | 511 | restricted_token.GetLogonSid(&session); |
| michael@0 | 512 | |
| michael@0 | 513 | CheckRestrictingSid(restricted_token, session, 1); |
| michael@0 | 514 | } |
| michael@0 | 515 | |
| michael@0 | 516 | // Tests adding a lot of restricting sids. |
| michael@0 | 517 | TEST(RestrictedTokenTest, AddMultipleRestrictingSids) { |
| michael@0 | 518 | RestrictedToken token; |
| michael@0 | 519 | HANDLE token_handle = NULL; |
| michael@0 | 520 | |
| michael@0 | 521 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 522 | ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); |
| michael@0 | 523 | ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession()); |
| michael@0 | 524 | ASSERT_EQ(ERROR_SUCCESS, |
| michael@0 | 525 | token.AddRestrictingSid(ATL::Sids::World().GetPSID())); |
| michael@0 | 526 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 527 | |
| michael@0 | 528 | ATL::CAccessToken restricted_token; |
| michael@0 | 529 | restricted_token.Attach(token_handle); |
| michael@0 | 530 | ATL::CSid session; |
| michael@0 | 531 | restricted_token.GetLogonSid(&session); |
| michael@0 | 532 | |
| michael@0 | 533 | DWORD length = 1000; |
| michael@0 | 534 | BYTE *memory = new BYTE[1000]; |
| michael@0 | 535 | TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(memory); |
| michael@0 | 536 | ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(), |
| michael@0 | 537 | TokenRestrictedSids, |
| michael@0 | 538 | groups, |
| michael@0 | 539 | length, |
| michael@0 | 540 | &length)); |
| michael@0 | 541 | |
| michael@0 | 542 | ATL::CTokenGroups atl_groups(*groups); |
| michael@0 | 543 | delete[] memory; |
| michael@0 | 544 | |
| michael@0 | 545 | ASSERT_EQ(3, atl_groups.GetCount()); |
| michael@0 | 546 | } |
| michael@0 | 547 | |
| michael@0 | 548 | // Tests the method "AddRestrictingSidAllSids". |
| michael@0 | 549 | TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) { |
| michael@0 | 550 | RestrictedToken token; |
| michael@0 | 551 | HANDLE token_handle = NULL; |
| michael@0 | 552 | |
| michael@0 | 553 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 554 | ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidAllSids()); |
| michael@0 | 555 | ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); |
| michael@0 | 556 | |
| michael@0 | 557 | ATL::CAccessToken restricted_token; |
| michael@0 | 558 | restricted_token.Attach(token_handle); |
| michael@0 | 559 | |
| michael@0 | 560 | ATL::CTokenGroups groups; |
| michael@0 | 561 | ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
| michael@0 | 562 | |
| michael@0 | 563 | ATL::CSid::CSidArray sids; |
| michael@0 | 564 | ATL::CAtlArray<DWORD> attributes; |
| michael@0 | 565 | groups.GetSidsAndAttributes(&sids, &attributes); |
| michael@0 | 566 | |
| michael@0 | 567 | // Verify that all group sids are in the restricting sid list. |
| michael@0 | 568 | for (unsigned int i = 0; i < sids.GetCount(); i++) { |
| michael@0 | 569 | if ((attributes[i] & SE_GROUP_INTEGRITY) == 0) { |
| michael@0 | 570 | CheckRestrictingSid(restricted_token, sids[i], -1); |
| michael@0 | 571 | } |
| michael@0 | 572 | } |
| michael@0 | 573 | |
| michael@0 | 574 | // Verify that the user is in the restricting sid list. |
| michael@0 | 575 | ATL::CSid user; |
| michael@0 | 576 | restricted_token.GetUser(&user); |
| michael@0 | 577 | CheckRestrictingSid(restricted_token, user, -1); |
| michael@0 | 578 | } |
| michael@0 | 579 | |
| michael@0 | 580 | // Test to be executed only in release because they are triggering DCHECKs. |
| michael@0 | 581 | #ifndef _DEBUG |
| michael@0 | 582 | |
| michael@0 | 583 | // Checks the error code when the object is initialized twice. |
| michael@0 | 584 | TEST(RestrictedTokenTest, DoubleInit) { |
| michael@0 | 585 | RestrictedToken token; |
| michael@0 | 586 | ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); |
| michael@0 | 587 | |
| michael@0 | 588 | ASSERT_EQ(ERROR_ALREADY_INITIALIZED, token.Init(NULL)); |
| michael@0 | 589 | } |
| michael@0 | 590 | |
| michael@0 | 591 | #endif |
| michael@0 | 592 | |
| michael@0 | 593 | } // namespace sandbox |
