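// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// This file contains unit tests for the RestrictedToken.

#define _ATL_NO_EXCEPTIONS
// NOTE(review): the three angle-bracket header names were lost when this
// listing was extracted. They are restored from what the file uses (the ATL
// security wrappers and std::vector) -- confirm against the original file.
#include <atlbase.h>
#include <atlsecurity.h>
#include <vector>
#include "sandbox/win/src/restricted_token.h"
#include "sandbox/win/src/sid.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace sandbox {

// Tests the initialization with an invalid token handle.
TEST(RestrictedTokenTest, InvalidHandle) {
  RestrictedToken token;
  // 0x5555 is an arbitrary value standing in for a handle that is not open.
  ASSERT_EQ(ERROR_INVALID_HANDLE,
            token.Init(reinterpret_cast<HANDLE>(0x5555)));
}

// Tests the initialization with NULL as parameter.
TEST(RestrictedTokenTest, DefaultInit) {
  // Get the current process token.
  // NOTE(review): this handle is only used for GetUser/GetOwner queries
  // below, so TOKEN_ALL_ACCESS is broader than this test needs.
  HANDLE token_handle = INVALID_HANDLE_VALUE;
  ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
                                 &token_handle));

  ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);

  ATL::CAccessToken access_token;
  access_token.Attach(token_handle);

  // Create the token using the current token.
  RestrictedToken token_default;
  ASSERT_EQ(ERROR_SUCCESS, token_default.Init(NULL));

  // Get the handle to the restricted token.

  HANDLE restricted_token_handle = NULL;
  ASSERT_EQ(ERROR_SUCCESS,
      token_default.GetRestrictedTokenHandle(&restricted_token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(restricted_token_handle);

  ATL::CSid sid_user_restricted;
  ATL::CSid sid_user_default;
  ATL::CSid sid_owner_restricted;
  ATL::CSid sid_owner_default;
  ASSERT_TRUE(restricted_token.GetUser(&sid_user_restricted));
  ASSERT_TRUE(access_token.GetUser(&sid_user_default));
  ASSERT_TRUE(restricted_token.GetOwner(&sid_owner_restricted));
  ASSERT_TRUE(access_token.GetOwner(&sid_owner_default));

  // Check that both tokens have the same owner and user.
  ASSERT_EQ(sid_user_restricted, sid_user_default);
  ASSERT_EQ(sid_owner_restricted, sid_owner_default);
}

// Tests the initialization with a custom token as parameter.
TEST(RestrictedTokenTest, CustomInit) {
  // Get the current process token.
  HANDLE token_handle = INVALID_HANDLE_VALUE;
  ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
                                 &token_handle));

  ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);

  ATL::CAccessToken access_token;
  access_token.Attach(token_handle);

  // Change the primary group. access_token wraps the handle returned by
  // OpenProcessToken for the current process, so the call targets that token.
  // NOTE(review): the result of SetPrimaryGroup is not checked. If the call
  // fails, both tokens keep the original primary group and the comparison
  // below still passes without proving the custom token was used.
  access_token.SetPrimaryGroup(ATL::Sids::World());

  // Create the token using the current token.
  RestrictedToken token;
  ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));

  // Get the handle to the restricted token.

  HANDLE restricted_token_handle = NULL;
  ASSERT_EQ(ERROR_SUCCESS,
      token.GetRestrictedTokenHandle(&restricted_token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(restricted_token_handle);

  ATL::CSid sid_restricted;
  ATL::CSid sid_default;
  ASSERT_TRUE(restricted_token.GetPrimaryGroup(&sid_restricted));
  ASSERT_TRUE(access_token.GetPrimaryGroup(&sid_default));

  // Check that both tokens have the same primary group.
  ASSERT_EQ(sid_restricted, sid_default);
}

// Verifies that the tokens created by the object are valid.
TEST(RestrictedTokenTest, ResultToken) {
  RestrictedToken token;
  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

  ASSERT_EQ(ERROR_SUCCESS,
            token.AddRestrictingSid(ATL::Sids::World().GetPSID()));

  // Both handles are attached to ATL::CAccessToken wrappers, as in the other
  // tests of this file, so a failing ASSERT_* (which returns from the test
  // body) no longer skips the cleanup the way the explicit CloseHandle calls
  // at the end of the test did.
  HANDLE restricted_token_handle = NULL;
  ASSERT_EQ(ERROR_SUCCESS,
            token.GetRestrictedTokenHandle(&restricted_token_handle));
  ATL::CAccessToken restricted_token;
  restricted_token.Attach(restricted_token_handle);

  ASSERT_TRUE(::IsTokenRestricted(restricted_token.GetHandle()));

  DWORD length = 0;
  TOKEN_TYPE type;
  ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),
                                    ::TokenType,
                                    &type,
                                    sizeof(type),
                                    &length));

  // GetRestrictedTokenHandle is expected to hand out a primary token.
  ASSERT_EQ(type, TokenPrimary);

  HANDLE impersonation_token_handle = NULL;
  ASSERT_EQ(ERROR_SUCCESS,
      token.GetRestrictedTokenHandleForImpersonation(
          &impersonation_token_handle));
  ATL::CAccessToken impersonation_token;
  impersonation_token.Attach(impersonation_token_handle);

  ASSERT_TRUE(::IsTokenRestricted(impersonation_token.GetHandle()));

  ASSERT_TRUE(::GetTokenInformation(impersonation_token.GetHandle(),
                                    ::TokenType,
                                    &type,
                                    sizeof(type),
                                    &length));

  // The impersonation variant must report the impersonation token type.
  ASSERT_EQ(type, TokenImpersonation);
}

// Verifies that the token created has "Restricted" in its default dacl.
TEST(RestrictedTokenTest, DefaultDacl) {
  RestrictedToken token;
  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

  ASSERT_EQ(ERROR_SUCCESS,
            token.AddRestrictingSid(ATL::Sids::World().GetPSID()));

  HANDLE handle = NULL;
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(handle);

  ATL::CDacl dacl;
  ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));

  bool restricted_found = false;

  // Look for an entry that names the RestrictedCode SID with GENERIC_ALL.
  unsigned int ace_count = dacl.GetAceCount();
  for (unsigned int i = 0; i < ace_count ; ++i) {
    ATL::CSid sid;
    ACCESS_MASK mask = 0;
    dacl.GetAclEntry(i, &sid, &mask);
    if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) {
      restricted_found = true;
      break;
    }
  }

  ASSERT_TRUE(restricted_found);
}

// Tests the method "AddSidForDenyOnly".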
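TEST(RestrictedTokenTest, DenySid) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.AddSidForDenyOnly(Sid(WinWorldSid)));
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  ATL::CTokenGroups groups;
  ASSERT_TRUE(restricted_token.GetGroups(&groups));

  ATL::CSid::CSidArray sids;
  ATL::CAtlArray<DWORD> attributes;
  groups.GetSidsAndAttributes(&sids, &attributes);

  // The World SID must carry the deny-only attribute.
  // NOTE(review): the assertion only runs when World appears in the group
  // list; a token without that entry passes this loop without any check.
  for (unsigned int i = 0; i < sids.GetCount(); i++) {
    if (ATL::Sids::World() == sids[i]) {
      ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
                attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
    }
  }
}

// Tests the method "AddAllSidsForDenyOnly".
TEST(RestrictedTokenTest, DenySids) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  ATL::CTokenGroups groups;
  ASSERT_TRUE(restricted_token.GetGroups(&groups));

  ATL::CSid::CSidArray sids;
  ATL::CAtlArray<DWORD> attributes;
  groups.GetSidsAndAttributes(&sids, &attributes);

  // Verify that every group is deny-only. Entries flagged as the logon SID
  // or as an integrity SID are skipped by this check.
  for (unsigned int i = 0; i < sids.GetCount(); i++) {
    if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 &&
        (attributes[i] & SE_GROUP_INTEGRITY) == 0) {
      ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
                attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
    }
  }
}

// Tests the method "AddAllSidsForDenyOnly" using an exception list.
TEST(RestrictedTokenTest, DenySidsException) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  // World is the only SID that should stay enabled.
  std::vector<Sid> sids_exception;
  sids_exception.push_back(Sid(WinWorldSid));

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(&sids_exception));
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  ATL::CTokenGroups groups;
  ASSERT_TRUE(restricted_token.GetGroups(&groups));

  ATL::CSid::CSidArray sids;
  ATL::CAtlArray<DWORD> attributes;
  groups.GetSidsAndAttributes(&sids, &attributes);

  // Verify that every group except World is deny-only. Entries flagged as
  // the logon SID or as an integrity SID are skipped by this check.
  for (unsigned int i = 0; i < sids.GetCount(); i++) {
    if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 &&
        (attributes[i] & SE_GROUP_INTEGRITY) == 0) {
      if (ATL::Sids::World() == sids[i]) {
        // The masked value is a DWORD, so it is compared with an unsigned
        // zero instead of the pointer constant NULL.
        ASSERT_EQ(0u, attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
      } else {
        ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
                  attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
      }
    }
  }
}

// Tests the method AddUserSidForDenyOnly.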
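TEST(RestrictedTokenTest, DenyOwnerSid) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly());
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  ATL::CTokenGroups groups;
  ASSERT_TRUE(restricted_token.GetGroups(&groups));

  ATL::CSid::CSidArray sids;
  ATL::CAtlArray<DWORD> attributes;
  groups.GetSidsAndAttributes(&sids, &attributes);

  ATL::CSid user_sid;
  ASSERT_TRUE(restricted_token.GetUser(&user_sid));

  // NOTE(review): the assertion only runs for group entries equal to the
  // user SID. If the group list holds no such entry the loop checks nothing
  // and the test passes -- confirm that the user SID is expected among the
  // groups, or verify the deny-only state where the token reports it.
  for (unsigned int i = 0; i < sids.GetCount(); ++i) {
    if (user_sid == sids[i]) {
      ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
                attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
    }
  }
}

// Tests the method AddUserSidForDenyOnly with a custom effective token.
TEST(RestrictedTokenTest, DenyOwnerSidCustom) {
  // Get the current process token.
  HANDLE token_handle = INVALID_HANDLE_VALUE;
  ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
                                 &token_handle));

  ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);

  ATL::CAccessToken access_token;
  access_token.Attach(token_handle);

  RestrictedToken token;
  ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));
  ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly());

  // A separate variable receives the restricted token so the process token
  // handle attached above is not overwritten in place.
  HANDLE restricted_token_handle = NULL;
  ASSERT_EQ(ERROR_SUCCESS,
            token.GetRestrictedTokenHandle(&restricted_token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(restricted_token_handle);

  ATL::CTokenGroups groups;
  ASSERT_TRUE(restricted_token.GetGroups(&groups));

  ATL::CSid::CSidArray sids;
  ATL::CAtlArray<DWORD> attributes;
  groups.GetSidsAndAttributes(&sids, &attributes);

  ATL::CSid user_sid;
  ASSERT_TRUE(restricted_token.GetUser(&user_sid));

  // NOTE(review): as in DenyOwnerSid, nothing is asserted when the user SID
  // does not appear in the group list.
  for (unsigned int i = 0; i < sids.GetCount(); ++i) {
    if (user_sid == sids[i]) {
      ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,
                attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
    }
  }
}

// Tests the method DeleteAllPrivileges.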
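TEST(RestrictedTokenTest, DeleteAllPrivileges) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  ATL::CTokenPrivileges privileges;
  ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));

  // With no exception list, no privilege may remain on the token.
  ASSERT_EQ(0u, privileges.GetCount());
}

// Tests the method DeleteAllPrivileges with an exception list.
TEST(RestrictedTokenTest, DeleteAllPrivilegesException) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  // NOTE(review): the vector's element type was lost when this listing was
  // extracted. std::wstring is assumed because SE_CHANGE_NOTIFY_NAME is a
  // wide string literal in UNICODE builds -- confirm against the declaration
  // of RestrictedToken::DeleteAllPrivileges.
  std::vector<std::wstring> exceptions;
  exceptions.push_back(SE_CHANGE_NOTIFY_NAME);

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(&exceptions));
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  ATL::CTokenPrivileges privileges;
  ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));

  ATL::CTokenPrivileges::CNames privilege_names;
  ATL::CTokenPrivileges::CAttributes privilege_name_attributes;
  privileges.GetNamesAndAttributes(&privilege_names,
                                   &privilege_name_attributes);

  // Exactly the excepted privilege must survive.
  ASSERT_EQ(1u, privileges.GetCount());

  for (unsigned int i = 0; i < privileges.GetCount(); ++i) {
    ASSERT_EQ(privilege_names[i], SE_CHANGE_NOTIFY_NAME);
  }
}

// Tests the method DeletePrivilege.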
TEST(RestrictedTokenTest, DeletePrivilege) {
  RestrictedToken builder;
  HANDLE raw_handle = NULL;

  // Build a restricted token with the change-notify privilege removed.
  ASSERT_EQ(ERROR_SUCCESS, builder.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, builder.DeletePrivilege(SE_CHANGE_NOTIFY_NAME));
  ASSERT_EQ(ERROR_SUCCESS, builder.GetRestrictedTokenHandle(&raw_handle));

  ATL::CAccessToken result_token;
  result_token.Attach(raw_handle);

  ATL::CTokenPrivileges remaining;
  ASSERT_TRUE(result_token.GetPrivileges(&remaining));

  ATL::CTokenPrivileges::CNames names;
  ATL::CTokenPrivileges::CAttributes name_attributes;
  remaining.GetNamesAndAttributes(&names, &name_attributes);

  // None of the privileges left on the token may be the deleted one.
  unsigned int index = 0;
  while (index < remaining.GetCount()) {
    ASSERT_NE(names[index], SE_CHANGE_NOTIFY_NAME);
    ++index;
  }
}

// Checks if a sid is in the restricting list of the restricted token.
// Asserts if it's not the case. If count is a positive number, the number of
// elements in the restricting sids list has to be equal.
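void CheckRestrictingSid(const ATL::CAccessToken &restricted_token,
                         ATL::CSid sid, int count) {
  // Ask for the required size first instead of assuming that 1000 bytes are
  // enough: the restricting list grows with every SID added to the token.
  // This sizing call is expected to fail and only fills in |length|.
  DWORD length = 0;
  ::GetTokenInformation(restricted_token.GetHandle(),
                        TokenRestrictedSids,
                        NULL,
                        0,
                        &length);
  ASSERT_NE(0u, length);

  // The vector owns the buffer, so an ASSERT_* that returns early from this
  // helper cannot leak it.
  std::vector<BYTE> memory(length);
  TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(&memory[0]);
  ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),
                                    TokenRestrictedSids,
                                    groups,
                                    length,
                                    &length));

  ATL::CTokenGroups atl_groups(*groups);

  // A negative |count| disables the size check.
  if (count >= 0)
    ASSERT_EQ(count, atl_groups.GetCount());

  ATL::CSid::CSidArray sids;
  ATL::CAtlArray<DWORD> attributes;
  atl_groups.GetSidsAndAttributes(&sids, &attributes);

  bool present = false;
  for (unsigned int i = 0; i < sids.GetCount(); ++i) {
    if (sids[i] == sid) {
      present = true;
      break;
    }
  }

  // A fatal failure here only returns from this helper; the calling test
  // keeps running unless it checks for the failure itself.
  ASSERT_TRUE(present);
}

// Tests the method AddRestrictingSid.
TEST(RestrictedTokenTest, AddRestrictingSid) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS,
            token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  // World must be the one and only restricting SID.
  CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1);
}

// Tests the method AddRestrictingSidCurrentUser.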
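TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);
  // Fail here if the user SID cannot be read, rather than comparing the
  // restricting list against an unset SID.
  ATL::CSid user;
  ASSERT_TRUE(restricted_token.GetUser(&user));

  // The user SID must be the one and only restricting SID.
  CheckRestrictingSid(restricted_token, user, 1);
}

// Tests the method AddRestrictingSidCurrentUser with a custom effective token.
TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) {
  // Get the current process token.
  HANDLE token_handle = INVALID_HANDLE_VALUE;
  ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
                                 &token_handle));

  ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);

  ATL::CAccessToken access_token;
  access_token.Attach(token_handle);

  RestrictedToken token;
  ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));
  ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());

  // A separate variable receives the restricted token so the process token
  // handle attached above is not overwritten in place.
  HANDLE restricted_token_handle = NULL;
  ASSERT_EQ(ERROR_SUCCESS,
            token.GetRestrictedTokenHandle(&restricted_token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(restricted_token_handle);
  ATL::CSid user;
  ASSERT_TRUE(restricted_token.GetUser(&user));

  CheckRestrictingSid(restricted_token, user, 1);
}

// Tests the method AddRestrictingSidLogonSession.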
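TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession());
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);
  // Fail here if the logon SID cannot be read, rather than comparing the
  // restricting list against an unset SID.
  ATL::CSid session;
  ASSERT_TRUE(restricted_token.GetLogonSid(&session));

  // The logon SID must be the one and only restricting SID.
  CheckRestrictingSid(restricted_token, session, 1);
}

// Tests adding a lot of restricting sids.
TEST(RestrictedTokenTest, AddMultipleRestrictingSids) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());
  ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession());
  ASSERT_EQ(ERROR_SUCCESS,
            token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  // Ask for the required size first instead of assuming that 1000 bytes are
  // enough. This sizing call is expected to fail and only fills in |length|.
  DWORD length = 0;
  ::GetTokenInformation(restricted_token.GetHandle(),
                        TokenRestrictedSids,
                        NULL,
                        0,
                        &length);
  ASSERT_NE(0u, length);

  // The vector owns the buffer, so a failing ASSERT_* cannot leak it.
  std::vector<BYTE> memory(length);
  TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(&memory[0]);
  ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),
                                    TokenRestrictedSids,
                                    groups,
                                    length,
                                    &length));

  ATL::CTokenGroups atl_groups(*groups);

  // Current user, logon session and World: three restricting SIDs.
  ASSERT_EQ(3u, atl_groups.GetCount());
}

// Tests the method "AddRestrictingSidAllSids".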
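TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) {
  RestrictedToken token;
  HANDLE token_handle = NULL;

  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
  ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidAllSids());
  ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

  ATL::CAccessToken restricted_token;
  restricted_token.Attach(token_handle);

  ATL::CTokenGroups groups;
  ASSERT_TRUE(restricted_token.GetGroups(&groups));

  ATL::CSid::CSidArray sids;
  ATL::CAtlArray<DWORD> attributes;
  groups.GetSidsAndAttributes(&sids, &attributes);

  // Verify that all group sids are in the restricting sid list. Entries
  // flagged as integrity SIDs are skipped; -1 disables the count check.
  for (unsigned int i = 0; i < sids.GetCount(); i++) {
    if ((attributes[i] & SE_GROUP_INTEGRITY) == 0) {
      CheckRestrictingSid(restricted_token, sids[i], -1);
    }
  }

  // Verify that the user is in the restricting sid list. Fail here if the
  // user SID cannot be read, rather than checking against an unset SID.
  ATL::CSid user;
  ASSERT_TRUE(restricted_token.GetUser(&user));
  CheckRestrictingSid(restricted_token, user, -1);
}

// Tests to be executed only in release because they trigger DCHECKs.
#ifndef _DEBUG

// Checks the error code when the object is initialized twice.
TEST(RestrictedTokenTest, DoubleInit) {
  RestrictedToken token;
  ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

  // A second Init on the same object must be rejected.
  ASSERT_EQ(ERROR_ALREADY_INITIALIZED, token.Init(NULL));
}

#endif

}  // namespace sandbox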