1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/sandbox/win/src/restricted_token_unittest.cc Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,593 @@
1.4 +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1.5 +// Use of this source code is governed by a BSD-style license that can be
1.6 +// found in the LICENSE file.
1.7 +
1.8 +// This file contains unit tests for the RestrictedToken.
1.9 +
1.10 +#define _ATL_NO_EXCEPTIONS
1.11 +#include <atlbase.h>
1.12 +#include <atlsecurity.h>
1.13 +#include <vector>
1.14 +#include "sandbox/win/src/restricted_token.h"
1.15 +#include "sandbox/win/src/sid.h"
1.16 +#include "testing/gtest/include/gtest/gtest.h"
1.17 +
1.18 +namespace sandbox {
1.19 +
1.20 +// Tests the initializatioin with an invalid token handle.
1.21 +TEST(RestrictedTokenTest, InvalidHandle) {
1.22 + RestrictedToken token;
1.23 + ASSERT_EQ(ERROR_INVALID_HANDLE, token.Init(reinterpret_cast<HANDLE>(0x5555)));
1.24 +}
1.25 +
1.26 +// Tests the initialization with NULL as parameter.
1.27 +TEST(RestrictedTokenTest, DefaultInit) {
1.28 + // Get the current process token.
1.29 + HANDLE token_handle = INVALID_HANDLE_VALUE;
1.30 + ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
1.31 + &token_handle));
1.32 +
1.33 + ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);
1.34 +
1.35 + ATL::CAccessToken access_token;
1.36 + access_token.Attach(token_handle);
1.37 +
1.38 + // Create the token using the current token.
1.39 + RestrictedToken token_default;
1.40 + ASSERT_EQ(ERROR_SUCCESS, token_default.Init(NULL));
1.41 +
1.42 + // Get the handle to the restricted token.
1.43 +
1.44 + HANDLE restricted_token_handle = NULL;
1.45 + ASSERT_EQ(ERROR_SUCCESS,
1.46 + token_default.GetRestrictedTokenHandle(&restricted_token_handle));
1.47 +
1.48 + ATL::CAccessToken restricted_token;
1.49 + restricted_token.Attach(restricted_token_handle);
1.50 +
1.51 + ATL::CSid sid_user_restricted;
1.52 + ATL::CSid sid_user_default;
1.53 + ATL::CSid sid_owner_restricted;
1.54 + ATL::CSid sid_owner_default;
1.55 + ASSERT_TRUE(restricted_token.GetUser(&sid_user_restricted));
1.56 + ASSERT_TRUE(access_token.GetUser(&sid_user_default));
1.57 + ASSERT_TRUE(restricted_token.GetOwner(&sid_owner_restricted));
1.58 + ASSERT_TRUE(access_token.GetOwner(&sid_owner_default));
1.59 +
1.60 + // Check if both token have the same owner and user.
1.61 + ASSERT_EQ(sid_user_restricted, sid_user_default);
1.62 + ASSERT_EQ(sid_owner_restricted, sid_owner_default);
1.63 +}
1.64 +
1.65 +// Tests the initialization with a custom token as parameter.
1.66 +TEST(RestrictedTokenTest, CustomInit) {
1.67 + // Get the current process token.
1.68 + HANDLE token_handle = INVALID_HANDLE_VALUE;
1.69 + ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
1.70 + &token_handle));
1.71 +
1.72 + ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);
1.73 +
1.74 + ATL::CAccessToken access_token;
1.75 + access_token.Attach(token_handle);
1.76 +
1.77 + // Change the primary group.
1.78 + access_token.SetPrimaryGroup(ATL::Sids::World());
1.79 +
1.80 + // Create the token using the current token.
1.81 + RestrictedToken token;
1.82 + ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));
1.83 +
1.84 + // Get the handle to the restricted token.
1.85 +
1.86 + HANDLE restricted_token_handle = NULL;
1.87 + ASSERT_EQ(ERROR_SUCCESS,
1.88 + token.GetRestrictedTokenHandle(&restricted_token_handle));
1.89 +
1.90 + ATL::CAccessToken restricted_token;
1.91 + restricted_token.Attach(restricted_token_handle);
1.92 +
1.93 + ATL::CSid sid_restricted;
1.94 + ATL::CSid sid_default;
1.95 + ASSERT_TRUE(restricted_token.GetPrimaryGroup(&sid_restricted));
1.96 + ASSERT_TRUE(access_token.GetPrimaryGroup(&sid_default));
1.97 +
1.98 + // Check if both token have the same owner.
1.99 + ASSERT_EQ(sid_restricted, sid_default);
1.100 +}
1.101 +
1.102 +// Verifies that the token created by the object are valid.
1.103 +TEST(RestrictedTokenTest, ResultToken) {
1.104 + RestrictedToken token;
1.105 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.106 +
1.107 + ASSERT_EQ(ERROR_SUCCESS,
1.108 + token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
1.109 +
1.110 + HANDLE restricted_token;
1.111 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&restricted_token));
1.112 +
1.113 + ASSERT_TRUE(::IsTokenRestricted(restricted_token));
1.114 +
1.115 + DWORD length = 0;
1.116 + TOKEN_TYPE type;
1.117 + ASSERT_TRUE(::GetTokenInformation(restricted_token,
1.118 + ::TokenType,
1.119 + &type,
1.120 + sizeof(type),
1.121 + &length));
1.122 +
1.123 + ASSERT_EQ(type, TokenPrimary);
1.124 +
1.125 + HANDLE impersonation_token;
1.126 + ASSERT_EQ(ERROR_SUCCESS,
1.127 + token.GetRestrictedTokenHandleForImpersonation(&impersonation_token));
1.128 +
1.129 + ASSERT_TRUE(::IsTokenRestricted(impersonation_token));
1.130 +
1.131 + ASSERT_TRUE(::GetTokenInformation(impersonation_token,
1.132 + ::TokenType,
1.133 + &type,
1.134 + sizeof(type),
1.135 + &length));
1.136 +
1.137 + ASSERT_EQ(type, TokenImpersonation);
1.138 +
1.139 + ::CloseHandle(impersonation_token);
1.140 + ::CloseHandle(restricted_token);
1.141 +}
1.142 +
1.143 +// Verifies that the token created has "Restricted" in its default dacl.
1.144 +TEST(RestrictedTokenTest, DefaultDacl) {
1.145 + RestrictedToken token;
1.146 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.147 +
1.148 + ASSERT_EQ(ERROR_SUCCESS,
1.149 + token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
1.150 +
1.151 + HANDLE handle;
1.152 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&handle));
1.153 +
1.154 + ATL::CAccessToken restricted_token;
1.155 + restricted_token.Attach(handle);
1.156 +
1.157 + ATL::CDacl dacl;
1.158 + ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));
1.159 +
1.160 + bool restricted_found = false;
1.161 +
1.162 + unsigned int ace_count = dacl.GetAceCount();
1.163 + for (unsigned int i = 0; i < ace_count ; ++i) {
1.164 + ATL::CSid sid;
1.165 + ACCESS_MASK mask = 0;
1.166 + dacl.GetAclEntry(i, &sid, &mask);
1.167 + if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) {
1.168 + restricted_found = true;
1.169 + break;
1.170 + }
1.171 + }
1.172 +
1.173 + ASSERT_TRUE(restricted_found);
1.174 +}
1.175 +
1.176 +// Tests the method "AddSidForDenyOnly".
1.177 +TEST(RestrictedTokenTest, DenySid) {
1.178 + RestrictedToken token;
1.179 + HANDLE token_handle = NULL;
1.180 +
1.181 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.182 + ASSERT_EQ(ERROR_SUCCESS, token.AddSidForDenyOnly(Sid(WinWorldSid)));
1.183 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.184 +
1.185 + ATL::CAccessToken restricted_token;
1.186 + restricted_token.Attach(token_handle);
1.187 +
1.188 + ATL::CTokenGroups groups;
1.189 + ASSERT_TRUE(restricted_token.GetGroups(&groups));
1.190 +
1.191 + ATL::CSid::CSidArray sids;
1.192 + ATL::CAtlArray<DWORD> attributes;
1.193 + groups.GetSidsAndAttributes(&sids, &attributes);
1.194 +
1.195 + for (unsigned int i = 0; i < sids.GetCount(); i++) {
1.196 + if (ATL::Sids::World() == sids[i]) {
1.197 + ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
1.198 + attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
1.199 + }
1.200 + }
1.201 +}
1.202 +
1.203 +// Tests the method "AddAllSidsForDenyOnly".
1.204 +TEST(RestrictedTokenTest, DenySids) {
1.205 + RestrictedToken token;
1.206 + HANDLE token_handle = NULL;
1.207 +
1.208 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.209 + ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(NULL));
1.210 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.211 +
1.212 + ATL::CAccessToken restricted_token;
1.213 + restricted_token.Attach(token_handle);
1.214 +
1.215 + ATL::CTokenGroups groups;
1.216 + ASSERT_TRUE(restricted_token.GetGroups(&groups));
1.217 +
1.218 + ATL::CSid::CSidArray sids;
1.219 + ATL::CAtlArray<DWORD> attributes;
1.220 + groups.GetSidsAndAttributes(&sids, &attributes);
1.221 +
1.222 + // Verify that all sids are really gone.
1.223 + for (unsigned int i = 0; i < sids.GetCount(); i++) {
1.224 + if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 &&
1.225 + (attributes[i] & SE_GROUP_INTEGRITY) == 0) {
1.226 + ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
1.227 + attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
1.228 + }
1.229 + }
1.230 +}
1.231 +
1.232 +// Tests the method "AddAllSidsForDenyOnly" using an exception list.
1.233 +TEST(RestrictedTokenTest, DenySidsException) {
1.234 + RestrictedToken token;
1.235 + HANDLE token_handle = NULL;
1.236 +
1.237 + std::vector<Sid> sids_exception;
1.238 + sids_exception.push_back(Sid(WinWorldSid));
1.239 +
1.240 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.241 + ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(&sids_exception));
1.242 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.243 +
1.244 + ATL::CAccessToken restricted_token;
1.245 + restricted_token.Attach(token_handle);
1.246 +
1.247 + ATL::CTokenGroups groups;
1.248 + ASSERT_TRUE(restricted_token.GetGroups(&groups));
1.249 +
1.250 + ATL::CSid::CSidArray sids;
1.251 + ATL::CAtlArray<DWORD> attributes;
1.252 + groups.GetSidsAndAttributes(&sids, &attributes);
1.253 +
1.254 + // Verify that all sids are really gone.
1.255 + for (unsigned int i = 0; i < sids.GetCount(); i++) {
1.256 + if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 &&
1.257 + (attributes[i] & SE_GROUP_INTEGRITY) == 0) {
1.258 + if (ATL::Sids::World() == sids[i]) {
1.259 + ASSERT_EQ(NULL, attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
1.260 + } else {
1.261 + ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
1.262 + attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
1.263 + }
1.264 + }
1.265 + }
1.266 +}
1.267 +
1.268 +// Tests test method AddOwnerSidForDenyOnly.
1.269 +TEST(RestrictedTokenTest, DenyOwnerSid) {
1.270 + RestrictedToken token;
1.271 + HANDLE token_handle = NULL;
1.272 +
1.273 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.274 + ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly());
1.275 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.276 +
1.277 + ATL::CAccessToken restricted_token;
1.278 + restricted_token.Attach(token_handle);
1.279 +
1.280 + ATL::CTokenGroups groups;
1.281 + ASSERT_TRUE(restricted_token.GetGroups(&groups));
1.282 +
1.283 + ATL::CSid::CSidArray sids;
1.284 + ATL::CAtlArray<DWORD> attributes;
1.285 + groups.GetSidsAndAttributes(&sids, &attributes);
1.286 +
1.287 + ATL::CSid user_sid;
1.288 + ASSERT_TRUE(restricted_token.GetUser(&user_sid));
1.289 +
1.290 + for (unsigned int i = 0; i < sids.GetCount(); ++i) {
1.291 + if (user_sid == sids[i]) {
1.292 + ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
1.293 + attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
1.294 + }
1.295 + }
1.296 +}
1.297 +
1.298 +// Tests test method AddOwnerSidForDenyOnly with a custom effective token.
1.299 +TEST(RestrictedTokenTest, DenyOwnerSidCustom) {
1.300 + // Get the current process token.
1.301 + HANDLE token_handle = INVALID_HANDLE_VALUE;
1.302 + ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
1.303 + &token_handle));
1.304 +
1.305 + ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);
1.306 +
1.307 + ATL::CAccessToken access_token;
1.308 + access_token.Attach(token_handle);
1.309 +
1.310 + RestrictedToken token;
1.311 + ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));
1.312 + ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly());
1.313 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.314 +
1.315 + ATL::CAccessToken restricted_token;
1.316 + restricted_token.Attach(token_handle);
1.317 +
1.318 + ATL::CTokenGroups groups;
1.319 + ASSERT_TRUE(restricted_token.GetGroups(&groups));
1.320 +
1.321 + ATL::CSid::CSidArray sids;
1.322 + ATL::CAtlArray<DWORD> attributes;
1.323 + groups.GetSidsAndAttributes(&sids, &attributes);
1.324 +
1.325 + ATL::CSid user_sid;
1.326 + ASSERT_TRUE(restricted_token.GetUser(&user_sid));
1.327 +
1.328 + for (unsigned int i = 0; i < sids.GetCount(); ++i) {
1.329 + if (user_sid == sids[i]) {
1.330 + ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
1.331 + attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
1.332 + }
1.333 + }
1.334 +}
1.335 +
1.336 +// Tests the method DeleteAllPrivileges.
1.337 +TEST(RestrictedTokenTest, DeleteAllPrivileges) {
1.338 + RestrictedToken token;
1.339 + HANDLE token_handle = NULL;
1.340 +
1.341 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.342 + ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(NULL));
1.343 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.344 +
1.345 + ATL::CAccessToken restricted_token;
1.346 + restricted_token.Attach(token_handle);
1.347 +
1.348 + ATL::CTokenPrivileges privileges;
1.349 + ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
1.350 +
1.351 + ASSERT_EQ(0, privileges.GetCount());
1.352 +}
1.353 +
1.354 +// Tests the method DeleteAllPrivileges with an exception list.
1.355 +TEST(RestrictedTokenTest, DeleteAllPrivilegesException) {
1.356 + RestrictedToken token;
1.357 + HANDLE token_handle = NULL;
1.358 +
1.359 + std::vector<std::wstring> exceptions;
1.360 + exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
1.361 +
1.362 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.363 + ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(&exceptions));
1.364 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.365 +
1.366 + ATL::CAccessToken restricted_token;
1.367 + restricted_token.Attach(token_handle);
1.368 +
1.369 + ATL::CTokenPrivileges privileges;
1.370 + ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
1.371 +
1.372 + ATL::CTokenPrivileges::CNames privilege_names;
1.373 + ATL::CTokenPrivileges::CAttributes privilege_name_attributes;
1.374 + privileges.GetNamesAndAttributes(&privilege_names,
1.375 + &privilege_name_attributes);
1.376 +
1.377 + ASSERT_EQ(1, privileges.GetCount());
1.378 +
1.379 + for (unsigned int i = 0; i < privileges.GetCount(); ++i) {
1.380 + ASSERT_EQ(privilege_names[i], SE_CHANGE_NOTIFY_NAME);
1.381 + }
1.382 +}
1.383 +
1.384 +// Tests the method DeletePrivilege.
1.385 +TEST(RestrictedTokenTest, DeletePrivilege) {
1.386 + RestrictedToken token;
1.387 + HANDLE token_handle = NULL;
1.388 +
1.389 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.390 + ASSERT_EQ(ERROR_SUCCESS, token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME));
1.391 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.392 +
1.393 + ATL::CAccessToken restricted_token;
1.394 + restricted_token.Attach(token_handle);
1.395 +
1.396 + ATL::CTokenPrivileges privileges;
1.397 + ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
1.398 +
1.399 + ATL::CTokenPrivileges::CNames privilege_names;
1.400 + ATL::CTokenPrivileges::CAttributes privilege_name_attributes;
1.401 + privileges.GetNamesAndAttributes(&privilege_names,
1.402 + &privilege_name_attributes);
1.403 +
1.404 + for (unsigned int i = 0; i < privileges.GetCount(); ++i) {
1.405 + ASSERT_NE(privilege_names[i], SE_CHANGE_NOTIFY_NAME);
1.406 + }
1.407 +}
1.408 +
1.409 +// Checks if a sid is in the restricting list of the restricted token.
1.410 +// Asserts if it's not the case. If count is a positive number, the number of
1.411 +// elements in the restricting sids list has to be equal.
1.412 +void CheckRestrictingSid(const ATL::CAccessToken &restricted_token,
1.413 + ATL::CSid sid, int count) {
1.414 + DWORD length = 1000;
1.415 + BYTE *memory = new BYTE[1000];
1.416 + TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(memory);
1.417 + ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),
1.418 + TokenRestrictedSids,
1.419 + groups,
1.420 + length,
1.421 + &length));
1.422 +
1.423 + ATL::CTokenGroups atl_groups(*groups);
1.424 + delete[] memory;
1.425 +
1.426 + if (count >= 0)
1.427 + ASSERT_EQ(count, atl_groups.GetCount());
1.428 +
1.429 + ATL::CSid::CSidArray sids;
1.430 + ATL::CAtlArray<DWORD> attributes;
1.431 + atl_groups.GetSidsAndAttributes(&sids, &attributes);
1.432 +
1.433 + bool present = false;
1.434 + for (unsigned int i = 0; i < sids.GetCount(); ++i) {
1.435 + if (sids[i] == sid) {
1.436 + present = true;
1.437 + break;
1.438 + }
1.439 + }
1.440 +
1.441 + ASSERT_TRUE(present);
1.442 +}
1.443 +
1.444 +// Tests the method AddRestrictingSid.
1.445 +TEST(RestrictedTokenTest, AddRestrictingSid) {
1.446 + RestrictedToken token;
1.447 + HANDLE token_handle = NULL;
1.448 +
1.449 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.450 + ASSERT_EQ(ERROR_SUCCESS,
1.451 + token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
1.452 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.453 +
1.454 + ATL::CAccessToken restricted_token;
1.455 + restricted_token.Attach(token_handle);
1.456 +
1.457 + CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1);
1.458 +}
1.459 +
1.460 +// Tests the method AddRestrictingSidCurrentUser.
1.461 +TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) {
1.462 + RestrictedToken token;
1.463 + HANDLE token_handle = NULL;
1.464 +
1.465 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.466 + ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());
1.467 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.468 +
1.469 + ATL::CAccessToken restricted_token;
1.470 + restricted_token.Attach(token_handle);
1.471 + ATL::CSid user;
1.472 + restricted_token.GetUser(&user);
1.473 +
1.474 + CheckRestrictingSid(restricted_token, user, 1);
1.475 +}
1.476 +
1.477 +// Tests the method AddRestrictingSidCurrentUser with a custom effective token.
1.478 +TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) {
1.479 + // Get the current process token.
1.480 + HANDLE token_handle = INVALID_HANDLE_VALUE;
1.481 + ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
1.482 + &token_handle));
1.483 +
1.484 + ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);
1.485 +
1.486 + ATL::CAccessToken access_token;
1.487 + access_token.Attach(token_handle);
1.488 +
1.489 + RestrictedToken token;
1.490 + ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));
1.491 + ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());
1.492 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.493 +
1.494 + ATL::CAccessToken restricted_token;
1.495 + restricted_token.Attach(token_handle);
1.496 + ATL::CSid user;
1.497 + restricted_token.GetUser(&user);
1.498 +
1.499 + CheckRestrictingSid(restricted_token, user, 1);
1.500 +}
1.501 +
1.502 +// Tests the method AddRestrictingSidLogonSession.
1.503 +TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) {
1.504 + RestrictedToken token;
1.505 + HANDLE token_handle = NULL;
1.506 +
1.507 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.508 + ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession());
1.509 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.510 +
1.511 + ATL::CAccessToken restricted_token;
1.512 + restricted_token.Attach(token_handle);
1.513 + ATL::CSid session;
1.514 + restricted_token.GetLogonSid(&session);
1.515 +
1.516 + CheckRestrictingSid(restricted_token, session, 1);
1.517 +}
1.518 +
1.519 +// Tests adding a lot of restricting sids.
1.520 +TEST(RestrictedTokenTest, AddMultipleRestrictingSids) {
1.521 + RestrictedToken token;
1.522 + HANDLE token_handle = NULL;
1.523 +
1.524 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.525 + ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());
1.526 + ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession());
1.527 + ASSERT_EQ(ERROR_SUCCESS,
1.528 + token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
1.529 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.530 +
1.531 + ATL::CAccessToken restricted_token;
1.532 + restricted_token.Attach(token_handle);
1.533 + ATL::CSid session;
1.534 + restricted_token.GetLogonSid(&session);
1.535 +
1.536 + DWORD length = 1000;
1.537 + BYTE *memory = new BYTE[1000];
1.538 + TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(memory);
1.539 + ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),
1.540 + TokenRestrictedSids,
1.541 + groups,
1.542 + length,
1.543 + &length));
1.544 +
1.545 + ATL::CTokenGroups atl_groups(*groups);
1.546 + delete[] memory;
1.547 +
1.548 + ASSERT_EQ(3, atl_groups.GetCount());
1.549 +}
1.550 +
1.551 +// Tests the method "AddRestrictingSidAllSids".
1.552 +TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) {
1.553 + RestrictedToken token;
1.554 + HANDLE token_handle = NULL;
1.555 +
1.556 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.557 + ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidAllSids());
1.558 + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
1.559 +
1.560 + ATL::CAccessToken restricted_token;
1.561 + restricted_token.Attach(token_handle);
1.562 +
1.563 + ATL::CTokenGroups groups;
1.564 + ASSERT_TRUE(restricted_token.GetGroups(&groups));
1.565 +
1.566 + ATL::CSid::CSidArray sids;
1.567 + ATL::CAtlArray<DWORD> attributes;
1.568 + groups.GetSidsAndAttributes(&sids, &attributes);
1.569 +
1.570 + // Verify that all group sids are in the restricting sid list.
1.571 + for (unsigned int i = 0; i < sids.GetCount(); i++) {
1.572 + if ((attributes[i] & SE_GROUP_INTEGRITY) == 0) {
1.573 + CheckRestrictingSid(restricted_token, sids[i], -1);
1.574 + }
1.575 + }
1.576 +
1.577 + // Verify that the user is in the restricting sid list.
1.578 + ATL::CSid user;
1.579 + restricted_token.GetUser(&user);
1.580 + CheckRestrictingSid(restricted_token, user, -1);
1.581 +}
1.582 +
1.583 +// Test to be executed only in release because they are triggering DCHECKs.
1.584 +#ifndef _DEBUG
1.585 +
1.586 +// Checks the error code when the object is initialized twice.
1.587 +TEST(RestrictedTokenTest, DoubleInit) {
1.588 + RestrictedToken token;
1.589 + ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
1.590 +
1.591 + ASSERT_EQ(ERROR_ALREADY_INITIALIZED, token.Init(NULL));
1.592 +}
1.593 +
1.594 +#endif
1.595 +
1.596 +} // namespace sandbox
