[PATCH 6/6] advapi32/tests: Add basic tests for token security descriptors.
Matteo Bruni
mbruni at codeweavers.com
Mon Jun 12 13:34:41 CDT 2017
From: Michael Müller <michael at fds-team.de>
Signed-off-by: Matteo Bruni <mbruni at codeweavers.com>
---
dlls/advapi32/tests/security.c | 82 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 81 insertions(+), 1 deletion(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 3d14e4285f..65e196b453 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -229,6 +229,7 @@ static void init(void)
pGetAce = (void *)GetProcAddress(hmod, "GetAce");
pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
+ pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
myARGC = winetest_get_mainargs( &myARGV );
}
@@ -3012,7 +3013,6 @@ static void test_impersonation_level(void)
HKEY hkey;
DWORD error;
- pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
if( !pDuplicateTokenEx ) {
win_skip("DuplicateTokenEx is not available\n");
return;
@@ -6717,6 +6717,85 @@ static void test_maximum_allowed(void)
CloseHandle(handle);
}
+static void test_token_security_descriptor(void)
+{
+ char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
+ SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
+ char buffer_acl[256];
+ ACL *acl = (ACL *)&buffer_acl, *acl2;
+ BOOL defaulted, present, ret;
+ ACCESS_ALLOWED_ACE *ace;
+ SECURITY_ATTRIBUTES sa;
+ HANDLE token, token2;
+ DWORD size;
+ PSID psid;
+
+ if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce
+ || !pSetEntriesInAclW)
+ {
+ win_skip("Some functions not available\n");
+ return;
+ }
+
+ /* Test whether we can create tokens with security descriptors */
+ ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
+ ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
+
+ ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
+ ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
+
+ ret = InitializeAcl(acl, 256, ACL_REVISION);
+ ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
+
+ ret = pConvertStringSidToSidA("S-1-5-6", &psid);
+ ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
+
+ ret = pAddAccessAllowedAceEx(acl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, GENERIC_ALL, psid);
+ ok(ret, "AddAccessAllowedAceEx failed with error %u\n", GetLastError());
+
+ ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
+ ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
+
+ sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+ sa.lpSecurityDescriptor = sd;
+ sa.bInheritHandle = FALSE;
+
+ ret = pDuplicateTokenEx(token, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenImpersonation, &token2);
+ ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
+
+ sd2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ acl2 = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
+ ok(present, "acl2 not present\n");
+ ok(acl2 != (void *)0xdeadbeef, "acl2 not set\n");
+ ok(acl2->AceCount == 1, "Expected 1 ACE, got %d\n", acl2->AceCount);
+ ok(!defaulted, "acl2 defaulted\n");
+
+ ret = pGetAce(acl2, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(EqualSid(&ace->SidStart, psid), "Expected access allowed ACE\n");
+ ok(ace->Header.AceFlags == NO_PROPAGATE_INHERIT_ACE,
+ "Expected NO_PROPAGATE_INHERIT_ACE as flags, got %x\n", ace->Header.AceFlags);
+
+ HeapFree(GetProcessHeap(), 0, sd2);
+
+ LocalFree(psid);
+
+ CloseHandle(token2);
+ CloseHandle(token);
+}
+
START_TEST(security)
{
init();
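Review bot: In test_token_security_descriptor the assertions after GetSecurityDescriptorDacl and GetAce dereference `acl2` and `ace` unconditionally. If either call fails, or the DACL comes back absent or NULL, the test reads through the 0xdeadbeef sentinel, a NULL pointer or an uninitialized pointer and crashes instead of recording a failure. Guard the dependent checks, for example with `if (ret && present && acl2 && acl2 != (void *)0xdeadbeef)` around the AceCount and GetAce assertions, and declare `ace = NULL` and `size = 0`. Likewise, `sd2 = HeapAlloc(GetProcessHeap(), 0, size);` is used without a NULL check, and `size` is presumably only meaningful when the first GetKernelObjectSecurity call failed with ERROR_INSUFFICIENT_BUFFER. Separately, the skip condition tests `pSetEntriesInAclW`, which nothing in this function calls.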
@@ -6766,4 +6845,5 @@ START_TEST(security)
test_GetSidIdentifierAuthority();
test_pseudo_tokens();
test_maximum_allowed();
+ test_token_security_descriptor();
}
--
2.13.0