search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-smbtorture: test workstation auth as well in RPC-SPOOLSS-ACCESS.
[Samba/ekacnet.git] / source4 / torture / rpc / spoolss_access.c
blob412366435f9a1b408ff8cf511fdb3684b3d39ec1
1 /*
2 Unix SMB/CIFS implementation.
3 test suite for spoolss rpc operations
4
5 Copyright (C) Guenther Deschner 2010
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "torture/torture.h"
23 #include "librpc/gen_ndr/ndr_misc.h"
24 #include "librpc/gen_ndr/ndr_spoolss.h"
25 #include "librpc/gen_ndr/ndr_spoolss_c.h"
26 #include "librpc/gen_ndr/ndr_samr_c.h"
27 #include "librpc/gen_ndr/ndr_lsa_c.h"
28 #include "librpc/gen_ndr/ndr_security.h"
29 #include "libcli/security/security.h"
30 #include "torture/rpc/torture_rpc.h"
31 #include "param/param.h"
32 #include "lib/cmdline/popt_common.h"
33
34 #define TORTURE_USER "torture_user"
35 #define TORTURE_USER_ADMINGROUP "torture_user_544"
36 #define TORTURE_USER_PRINTOPGROUP "torture_user_550"
37 #define TORTURE_USER_PRINTOPPRIV "torture_user_priv"
38 #define TORTURE_USER_SD "torture_user_sd"
39 #define TORTURE_WORKSTATION "torture_workstation"
40
41 struct torture_user {
42 const char *username;
43 void *testuser;
44 uint32_t *builtin_memberships;
45 uint32_t num_builtin_memberships;
46 const char **privs;
47 uint32_t num_privs;
48 bool privs_present;
49 bool sd;
50 };
51
52 struct torture_access_context {
53 struct dcerpc_pipe *spoolss_pipe;
54 const char *printername;
55 struct security_descriptor *sd_orig;
56 struct torture_user user;
57 };
58
59 static bool test_openprinter_handle(struct torture_context *tctx,
60 struct dcerpc_pipe *p,
61 const char *printername,
62 const char *username,
63 uint32_t access_mask,
64 struct policy_handle *handle)
65 {
66 struct spoolss_OpenPrinterEx r;
67 struct spoolss_UserLevel1 level1;
68 struct dcerpc_binding_handle *b = p->binding_handle;
69
70 level1.size = 28;
71 level1.client = talloc_asprintf(tctx, "\\\\%s", "smbtorture");
72 level1.user = username;
73 level1.build = 1381;
74 level1.major = 3;
75 level1.minor = 0;
76 level1.processor= 0;
77
78 r.in.printername = printername;
79 r.in.datatype = NULL;
80 r.in.devmode_ctr.devmode= NULL;
81 r.in.access_mask = access_mask;
82 r.in.level = 1;
83 r.in.userlevel.level1 = &level1;
84 r.out.handle = handle;
85
86 torture_comment(tctx, "Testing OpenPrinterEx(%s) with access_mask 0x%08x\n",
87 r.in.printername, r.in.access_mask);
88
89 torture_assert_ntstatus_ok(tctx,
90 dcerpc_spoolss_OpenPrinterEx_r(b, tctx, &r),
91 "OpenPrinterEx failed");
92 torture_assert_werr_ok(tctx, r.out.result,
93 talloc_asprintf(tctx, "OpenPrinterEx(%s) as '%s' with access_mask: 0x%08x failed",
94 r.in.printername, username, r.in.access_mask));
95
96 return true;
97 }
98
99 static bool test_openprinter_access(struct torture_context *tctx,
100 struct dcerpc_pipe *p,
101 const char *printername,
102 const char *username,
103 uint32_t access_mask)
104 {
105 struct policy_handle handle;
106 struct dcerpc_binding_handle *b = p->binding_handle;
107
108 if (test_openprinter_handle(tctx, p, printername, username, access_mask, &handle)) {
109 test_ClosePrinter(tctx, b, &handle);
110 return true;
111 }
112
113 return false;
114 }
115
116 static bool spoolss_access_setup_membership(struct torture_context *tctx,
117 struct dcerpc_pipe *p,
118 uint32_t num_members,
119 uint32_t *members,
120 struct dom_sid *user_sid)
121 {
122 struct dcerpc_binding_handle *b = p->binding_handle;
123 struct policy_handle connect_handle, domain_handle;
124 int i;
125
126 {
127 struct samr_Connect2 r;
128 r.in.system_name = "";
129 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
130 r.out.connect_handle = &connect_handle;
131
132 torture_assert_ntstatus_ok(tctx,
133 dcerpc_samr_Connect2_r(b, tctx, &r),
134 "samr_Connect2 failed");
135 torture_assert_ntstatus_ok(tctx, r.out.result,
136 "samr_Connect2 failed");
137 }
138
139 {
140 struct samr_OpenDomain r;
141 r.in.connect_handle = &connect_handle;
142 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
143 r.in.sid = dom_sid_parse_talloc(tctx, "S-1-5-32");
144 r.out.domain_handle = &domain_handle;
145
146 torture_assert_ntstatus_ok(tctx,
147 dcerpc_samr_OpenDomain_r(b, tctx, &r),
148 "samr_OpenDomain failed");
149 torture_assert_ntstatus_ok(tctx, r.out.result,
150 "samr_OpenDomain failed");
151 }
152
153 for (i=0; i < num_members; i++) {
154
155 struct policy_handle alias_handle;
156
157 {
158 struct samr_OpenAlias r;
159 r.in.domain_handle = &domain_handle;
160 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
161 r.in.rid = members[i];
162 r.out.alias_handle = &alias_handle;
163
164 torture_assert_ntstatus_ok(tctx,
165 dcerpc_samr_OpenAlias_r(b, tctx, &r),
166 "samr_OpenAlias failed");
167 torture_assert_ntstatus_ok(tctx, r.out.result,
168 "samr_OpenAlias failed");
169 }
170
171 {
172 struct samr_AddAliasMember r;
173 r.in.alias_handle = &alias_handle;
174 r.in.sid = user_sid;
175
176 torture_assert_ntstatus_ok(tctx,
177 dcerpc_samr_AddAliasMember_r(b, tctx, &r),
178 "samr_AddAliasMember failed");
179 torture_assert_ntstatus_ok(tctx, r.out.result,
180 "samr_AddAliasMember failed");
181 }
182
183 test_samr_handle_Close(b, tctx, &alias_handle);
184 }
185
186 test_samr_handle_Close(b, tctx, &domain_handle);
187 test_samr_handle_Close(b, tctx, &connect_handle);
188
189 return true;
190 }
191
192 static void init_lsa_StringLarge(struct lsa_StringLarge *name, const char *s)
193 {
194 name->string = s;
195 }
196 static void init_lsa_String(struct lsa_String *name, const char *s)
197 {
198 name->string = s;
199 }
200
201 static bool spoolss_access_setup_privs(struct torture_context *tctx,
202 struct dcerpc_pipe *p,
203 uint32_t num_privs,
204 const char **privs,
205 struct dom_sid *user_sid,
206 bool *privs_present)
207 {
208 struct dcerpc_binding_handle *b = p->binding_handle;
209 struct policy_handle *handle;
210 int i;
211
212 torture_assert(tctx,
213 test_lsa_OpenPolicy2(b, tctx, &handle),
214 "failed to open policy");
215
216 for (i=0; i < num_privs; i++) {
217 struct lsa_LookupPrivValue r;
218 struct lsa_LUID luid;
219 struct lsa_String name;
220
221 init_lsa_String(&name, privs[i]);
222
223 r.in.handle = handle;
224 r.in.name = &name;
225 r.out.luid = &luid;
226
227 torture_assert_ntstatus_ok(tctx,
228 dcerpc_lsa_LookupPrivValue_r(b, tctx, &r),
229 "lsa_LookupPrivValue failed");
230 if (!NT_STATUS_IS_OK(r.out.result)) {
231 torture_comment(tctx, "lsa_LookupPrivValue failed for '%s' with %s\n",
232 privs[i], nt_errstr(r.out.result));
233 *privs_present = false;
234 return true;
235 }
236 }
237
238 *privs_present = true;
239
240 {
241 struct lsa_AddAccountRights r;
242 struct lsa_RightSet rights;
243
244 rights.count = num_privs;
245 rights.names = talloc_zero_array(tctx, struct lsa_StringLarge, rights.count);
246
247 for (i=0; i < rights.count; i++) {
248 init_lsa_StringLarge(&rights.names[i], privs[i]);
249 }
250
251 r.in.handle = handle;
252 r.in.sid = user_sid;
253 r.in.rights = &rights;
254
255 torture_assert_ntstatus_ok(tctx,
256 dcerpc_lsa_AddAccountRights_r(b, tctx, &r),
257 "lsa_AddAccountRights failed");
258 torture_assert_ntstatus_ok(tctx, r.out.result,
259 "lsa_AddAccountRights failed");
260 }
261
262 test_lsa_Close(b, tctx, handle);
263
264 return true;
265 }
266
267 static bool test_SetPrinter(struct torture_context *tctx,
268 struct dcerpc_binding_handle *b,
269 struct policy_handle *handle,
270 struct spoolss_SetPrinterInfoCtr *info_ctr,
271 struct spoolss_DevmodeContainer *devmode_ctr,
272 struct sec_desc_buf *secdesc_ctr,
273 enum spoolss_PrinterControl command)
274 {
275 struct spoolss_SetPrinter r;
276
277 r.in.handle = handle;
278 r.in.info_ctr = info_ctr;
279 r.in.devmode_ctr = devmode_ctr;
280 r.in.secdesc_ctr = secdesc_ctr;
281 r.in.command = command;
282
283 torture_comment(tctx, "Testing SetPrinter level %d\n", r.in.info_ctr->level);
284
285 torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_SetPrinter_r(b, tctx, &r),
286 "failed to call SetPrinter");
287 torture_assert_werr_ok(tctx, r.out.result,
288 "failed to call SetPrinter");
289
290 return true;
291 }
292
293 static bool spoolss_access_setup_sd(struct torture_context *tctx,
294 struct dcerpc_pipe *p,
295 const char *printername,
296 struct dom_sid *user_sid,
297 struct security_descriptor **sd_orig)
298 {
299 struct dcerpc_binding_handle *b = p->binding_handle;
300 struct policy_handle handle;
301 union spoolss_PrinterInfo info;
302 struct spoolss_SetPrinterInfoCtr info_ctr;
303 struct spoolss_SetPrinterInfo3 info3;
304 struct spoolss_DevmodeContainer devmode_ctr;
305 struct sec_desc_buf secdesc_ctr;
306 struct security_ace *ace;
307 struct security_descriptor *sd;
308
309 torture_assert(tctx,
310 test_openprinter_handle(tctx, p, printername, "", SEC_FLAG_MAXIMUM_ALLOWED, &handle),
311 "failed to open printer");
312
313 torture_assert(tctx,
314 test_GetPrinter_level(tctx, b, &handle, 3, &info),
315 "failed to get sd");
316
317 sd = security_descriptor_copy(tctx, info.info3.secdesc);
318 *sd_orig = security_descriptor_copy(tctx, info.info3.secdesc);
319
320 ace = talloc_zero(tctx, struct security_ace);
321
322 ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED;
323 ace->flags = 0;
324 ace->access_mask = PRINTER_ALL_ACCESS;
325 ace->trustee = *user_sid;
326
327 torture_assert_ntstatus_ok(tctx,
328 security_descriptor_dacl_add(sd, ace),
329 "failed to add new ace");
330
331 ace = talloc_zero(tctx, struct security_ace);
332
333 ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED;
334 ace->flags = SEC_ACE_FLAG_OBJECT_INHERIT |
335 SEC_ACE_FLAG_CONTAINER_INHERIT |
336 SEC_ACE_FLAG_INHERIT_ONLY;
337 ace->access_mask = SEC_GENERIC_ALL;
338 ace->trustee = *user_sid;
339
340 torture_assert_ntstatus_ok(tctx,
341 security_descriptor_dacl_add(sd, ace),
342 "failed to add new ace");
343
344 ZERO_STRUCT(info3);
345 ZERO_STRUCT(info_ctr);
346 ZERO_STRUCT(devmode_ctr);
347 ZERO_STRUCT(secdesc_ctr);
348
349 info_ctr.level = 3;
350 info_ctr.info.info3 = &info3;
351 secdesc_ctr.sd = sd;
352
353 torture_assert(tctx,
354 test_SetPrinter(tctx, b, &handle, &info_ctr, &devmode_ctr, &secdesc_ctr, 0),
355 "failed to set sd");
356
357 return true;
358 }
359
360 static bool test_EnumPrinters_findone(struct torture_context *tctx,
361 struct dcerpc_pipe *p,
362 const char **printername)
363 {
364 struct spoolss_EnumPrinters r;
365 uint32_t count;
366 union spoolss_PrinterInfo *info;
367 uint32_t needed;
368 int i;
369 struct dcerpc_binding_handle *b = p->binding_handle;
370
371 *printername = NULL;
372
373 r.in.flags = PRINTER_ENUM_LOCAL;
374 r.in.server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
375 r.in.level = 1;
376 r.in.buffer = NULL;
377 r.in.offered = 0;
378 r.out.count = &count;
379 r.out.info = &info;
380 r.out.needed = &needed;
381
382 torture_assert_ntstatus_ok(tctx,
383 dcerpc_spoolss_EnumPrinters_r(b, tctx, &r),
384 "failed to enum printers");
385
386 if (W_ERROR_EQUAL(r.out.result, WERR_INSUFFICIENT_BUFFER)) {
387 DATA_BLOB blob = data_blob_talloc_zero(tctx, needed);
388 r.in.buffer = &blob;
389 r.in.offered = needed;
390
391 torture_assert_ntstatus_ok(tctx,
392 dcerpc_spoolss_EnumPrinters_r(b, tctx, &r),
393 "failed to enum printers");
394 }
395
396 torture_assert_werr_ok(tctx, r.out.result,
397 "failed to enum printers");
398
399 for (i=0; i < count; i++) {
400
401 *printername = talloc_strdup(tctx, info[i].info1.name);
402
403 break;
404 }
405
406 return true;
407 }
408
409 static bool torture_rpc_spoolss_access_setup_common(struct torture_context *tctx, struct torture_access_context *t)
410 {
411 void *testuser;
412 const char *testuser_passwd;
413 struct cli_credentials *test_credentials;
414 struct dom_sid *test_sid;
415 struct dcerpc_pipe *p;
416 const char *printername;
417 const char *binding = torture_setting_string(tctx, "binding", NULL);
418 struct dcerpc_pipe *spoolss_pipe;
419
420 testuser = torture_create_testuser_max_pwlen(tctx, t->user.username,
421 torture_setting_string(tctx, "workgroup", NULL),
422 ACB_NORMAL,
423 &testuser_passwd,
424 32);
425 if (!testuser) {
426 torture_fail(tctx, "Failed to create test user");
427 }
428
429 test_credentials = cli_credentials_init(tctx);
430 cli_credentials_set_workstation(test_credentials, "localhost", CRED_SPECIFIED);
431 cli_credentials_set_domain(test_credentials, lp_workgroup(tctx->lp_ctx),
432 CRED_SPECIFIED);
433 cli_credentials_set_username(test_credentials, t->user.username, CRED_SPECIFIED);
434 cli_credentials_set_password(test_credentials, testuser_passwd, CRED_SPECIFIED);
435 test_sid = torture_join_user_sid(testuser);
436
437 if (t->user.num_builtin_memberships) {
438 struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(testuser);
439
440 torture_assert(tctx,
441 spoolss_access_setup_membership(tctx, samr_pipe,
442 t->user.num_builtin_memberships,
443 t->user.builtin_memberships,
444 test_sid),
445 "failed to setup membership");
446 }
447
448 if (t->user.num_privs) {
449 struct dcerpc_pipe *lsa_pipe;
450
451 torture_assert_ntstatus_ok(tctx,
452 torture_rpc_connection(tctx, &lsa_pipe, &ndr_table_lsarpc),
453 "Error connecting to server");
454
455 torture_assert(tctx,
456 spoolss_access_setup_privs(tctx, lsa_pipe,
457 t->user.num_privs,
458 t->user.privs,
459 test_sid,
460 &t->user.privs_present),
461 "failed to setup privs");
462 talloc_free(lsa_pipe);
463 }
464
465 torture_assert_ntstatus_ok(tctx,
466 torture_rpc_connection(tctx, &spoolss_pipe, &ndr_table_spoolss),
467 "Error connecting to server");
468
469 torture_assert(tctx,
470 test_EnumPrinters_findone(tctx, spoolss_pipe, &printername),
471 "failed to enumerate printers");
472
473 if (t->user.sd && printername) {
474 torture_assert(tctx,
475 spoolss_access_setup_sd(tctx, spoolss_pipe,
476 printername,
477 test_sid,
478 &t->sd_orig),
479 "failed to setup sd");
480 }
481
482 talloc_free(spoolss_pipe);
483
484 torture_assert_ntstatus_ok(tctx,
485 dcerpc_pipe_connect(tctx, &p, binding, &ndr_table_spoolss,
486 test_credentials, tctx->ev, tctx->lp_ctx),
487 "Error connecting to server");
488
489 t->spoolss_pipe = p;
490 t->printername = printername;
491 t->user.testuser = testuser;
492
493 return true;
494 }
495
496 static bool torture_rpc_spoolss_access_setup(struct torture_context *tctx, void **data)
497 {
498 struct torture_access_context *t;
499
500 *data = t = talloc_zero(tctx, struct torture_access_context);
501
502 t->user.username = talloc_strdup(t, TORTURE_USER);
503
504 return torture_rpc_spoolss_access_setup_common(tctx, t);
505 }
506
507 static bool torture_rpc_spoolss_access_admin_setup(struct torture_context *tctx, void **data)
508 {
509 struct torture_access_context *t;
510
511 *data = t = talloc_zero(tctx, struct torture_access_context);
512
513 t->user.num_builtin_memberships = 1;
514 t->user.builtin_memberships = talloc_zero_array(t, uint32_t, t->user.num_builtin_memberships);
515 t->user.builtin_memberships[0] = BUILTIN_RID_ADMINISTRATORS;
516 t->user.username = talloc_strdup(t, TORTURE_USER_ADMINGROUP);
517
518 return torture_rpc_spoolss_access_setup_common(tctx, t);
519 }
520
521 static bool torture_rpc_spoolss_access_printop_setup(struct torture_context *tctx, void **data)
522 {
523 struct torture_access_context *t;
524
525 *data = t = talloc_zero(tctx, struct torture_access_context);
526
527 t->user.num_builtin_memberships = 1;
528 t->user.builtin_memberships = talloc_zero_array(t, uint32_t, t->user.num_builtin_memberships);
529 t->user.builtin_memberships[0] = BUILTIN_RID_PRINT_OPERATORS;
530 t->user.username = talloc_strdup(t, TORTURE_USER_PRINTOPGROUP);
531
532 return torture_rpc_spoolss_access_setup_common(tctx, t);
533 }
534
535 static bool torture_rpc_spoolss_access_priv_setup(struct torture_context *tctx, void **data)
536 {
537 struct torture_access_context *t;
538
539 *data = t = talloc_zero(tctx, struct torture_access_context);
540
541 t->user.username = talloc_strdup(t, TORTURE_USER_PRINTOPPRIV);
542 t->user.num_privs = 1;
543 t->user.privs = talloc_zero_array(t, const char *, t->user.num_privs);
544 t->user.privs[0] = talloc_strdup(t, "SePrintOperatorPrivilege");
545
546 return torture_rpc_spoolss_access_setup_common(tctx, t);
547 }
548
549 static bool torture_rpc_spoolss_access_sd_setup(struct torture_context *tctx, void **data)
550 {
551 struct torture_access_context *t;
552
553 *data = t = talloc_zero(tctx, struct torture_access_context);
554
555 t->user.username = talloc_strdup(t, TORTURE_USER_SD);
556 t->user.sd = true;
557
558 return torture_rpc_spoolss_access_setup_common(tctx, t);
559 }
560
561 static bool torture_rpc_spoolss_access_teardown_common(struct torture_context *tctx, struct torture_access_context *t)
562 {
563 if (t->user.testuser) {
564 torture_leave_domain(tctx, t->user.testuser);
565 }
566
567 /* remove membership ? */
568 if (t->user.num_builtin_memberships) {
569 }
570
571 /* remove privs ? */
572 if (t->user.num_privs) {
573 }
574
575 /* restore sd */
576 if (t->user.sd && t->printername) {
577 struct policy_handle handle;
578 struct spoolss_SetPrinterInfoCtr info_ctr;
579 struct spoolss_SetPrinterInfo3 info3;
580 struct spoolss_DevmodeContainer devmode_ctr;
581 struct sec_desc_buf secdesc_ctr;
582 struct dcerpc_pipe *spoolss_pipe;
583 struct dcerpc_binding_handle *b;
584
585 torture_assert_ntstatus_ok(tctx,
586 torture_rpc_connection(tctx, &spoolss_pipe, &ndr_table_spoolss),
587 "Error connecting to server");
588
589 b = spoolss_pipe->binding_handle;
590
591 ZERO_STRUCT(info_ctr);
592 ZERO_STRUCT(info3);
593 ZERO_STRUCT(devmode_ctr);
594 ZERO_STRUCT(secdesc_ctr);
595
596 info_ctr.level = 3;
597 info_ctr.info.info3 = &info3;
598 secdesc_ctr.sd = t->sd_orig;
599
600 torture_assert(tctx,
601 test_openprinter_handle(tctx, spoolss_pipe, t->printername, "", SEC_FLAG_MAXIMUM_ALLOWED, &handle),
602 "failed to open printer");
603
604 torture_assert(tctx,
605 test_SetPrinter(tctx, b, &handle, &info_ctr, &devmode_ctr, &secdesc_ctr, 0),
606 "failed to set sd");
607
608 talloc_free(spoolss_pipe);
609 }
610
611 return true;
612 }
613
614 static bool torture_rpc_spoolss_access_teardown(struct torture_context *tctx, void *data)
615 {
616 struct torture_access_context *t = talloc_get_type(data, struct torture_access_context);
617 bool ret;
618
619 ret = torture_rpc_spoolss_access_teardown_common(tctx, t);
620 talloc_free(t);
621
622 return ret;
623 }
624
625 static bool test_openprinter(struct torture_context *tctx,
626 void *private_data)
627 {
628 struct torture_access_context *t =
629 (struct torture_access_context *)talloc_get_type_abort(private_data, struct torture_access_context);
630 struct dcerpc_pipe *p = t->spoolss_pipe;
631 bool ret = true;
632 const char *printername;
633 const char *username = t->user.username;
634
635 printername = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
636
637 ret &= test_openprinter_access(tctx, p, printername, username, 0);
638 ret &= test_openprinter_access(tctx, p, printername, username, SEC_FLAG_MAXIMUM_ALLOWED);
639 ret &= test_openprinter_access(tctx, p, printername, username, SERVER_ACCESS_ENUMERATE);
640 ret &= test_openprinter_access(tctx, p, printername, username, SERVER_READ);
641
642 if (t->printername == NULL) {
643 return ret;
644 }
645
646 printername = t->printername;
647
648 ret &= test_openprinter_access(tctx, p, printername, username, 0);
649 ret &= test_openprinter_access(tctx, p, printername, username, SEC_FLAG_MAXIMUM_ALLOWED);
650 ret &= test_openprinter_access(tctx, p, printername, username, PRINTER_ACCESS_USE);
651 ret &= test_openprinter_access(tctx, p, printername, username, PRINTER_READ);
652
653 return ret;
654 }
655
656 static bool test_openprinter_admin(struct torture_context *tctx,
657 void *private_data)
658 {
659 struct torture_access_context *t =
660 (struct torture_access_context *)talloc_get_type_abort(private_data, struct torture_access_context);
661 struct dcerpc_pipe *p = t->spoolss_pipe;
662 bool ret = true;
663 const char *printername;
664 const char *username = t->user.username;
665
666 if (t->user.num_privs && !t->user.privs_present) {
667 torture_skip(tctx, "skipping test as not all required privileges are present on the server\n");
668 }
669
670 if (t->user.sd) {
671 goto try_printer;
672 }
673
674 printername = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
675
676 ret &= test_openprinter_access(tctx, p, printername, username, 0);
677 ret &= test_openprinter_access(tctx, p, printername, username, SEC_FLAG_MAXIMUM_ALLOWED);
678 ret &= test_openprinter_access(tctx, p, printername, username, SERVER_ACCESS_ENUMERATE);
679 ret &= test_openprinter_access(tctx, p, printername, username, SERVER_ACCESS_ADMINISTER);
680 ret &= test_openprinter_access(tctx, p, printername, username, SERVER_READ);
681 ret &= test_openprinter_access(tctx, p, printername, username, SERVER_WRITE);
682 ret &= test_openprinter_access(tctx, p, printername, username, SERVER_EXECUTE);
683 ret &= test_openprinter_access(tctx, p, printername, username, SERVER_ALL_ACCESS);
684
685 try_printer:
686 if (t->printername == NULL) {
687 return ret;
688 }
689
690 printername = t->printername;
691
692 ret &= test_openprinter_access(tctx, p, printername, username, 0);
693 ret &= test_openprinter_access(tctx, p, printername, username, SEC_FLAG_MAXIMUM_ALLOWED);
694 ret &= test_openprinter_access(tctx, p, printername, username, PRINTER_ACCESS_USE);
695 ret &= test_openprinter_access(tctx, p, printername, username, PRINTER_ACCESS_ADMINISTER);
696 ret &= test_openprinter_access(tctx, p, printername, username, PRINTER_READ);
697 ret &= test_openprinter_access(tctx, p, printername, username, PRINTER_WRITE);
698 ret &= test_openprinter_access(tctx, p, printername, username, PRINTER_EXECUTE);
699 ret &= test_openprinter_access(tctx, p, printername, username, PRINTER_ALL_ACCESS);
700
701 return ret;
702 }
703
704 static bool test_openprinter_wrap(struct torture_context *tctx,
705 struct dcerpc_pipe *p)
706 {
707 struct torture_access_context *t;
708 const char *printername;
709 bool ret = true;
710
711 t = talloc_zero(tctx, struct torture_access_context);
712
713 t->user.username = talloc_strdup(tctx, "dummy");
714 t->spoolss_pipe = p;
715
716 torture_assert(tctx,
717 test_EnumPrinters_findone(tctx, p, &printername),
718 "failed to enumerate printers");
719
720 t->printername = printername;
721
722 ret = test_openprinter(tctx, (void *)t);
723
724 talloc_free(t);
725
726 return true;
727 }
728
729 struct torture_suite *torture_rpc_spoolss_access(TALLOC_CTX *mem_ctx)
730 {
731 struct torture_suite *suite = torture_suite_create(mem_ctx, "SPOOLSS-ACCESS");
732 struct torture_tcase *tcase;
733 struct torture_rpc_tcase *rpc_tcase;
734
735 tcase = torture_suite_add_tcase(suite, "normaluser");
736
737 torture_tcase_set_fixture(tcase,
738 torture_rpc_spoolss_access_setup,
739 torture_rpc_spoolss_access_teardown);
740
741 torture_tcase_add_simple_test(tcase, "openprinter", test_openprinter);
742
743 tcase = torture_suite_add_tcase(suite, "adminuser");
744
745 torture_tcase_set_fixture(tcase,
746 torture_rpc_spoolss_access_admin_setup,
747 torture_rpc_spoolss_access_teardown);
748
749 torture_tcase_add_simple_test(tcase, "openprinter", test_openprinter);
750 torture_tcase_add_simple_test(tcase, "openprinter_admin", test_openprinter_admin);
751
752 tcase = torture_suite_add_tcase(suite, "printopuser");
753
754 torture_tcase_set_fixture(tcase,
755 torture_rpc_spoolss_access_printop_setup,
756 torture_rpc_spoolss_access_teardown);
757
758 torture_tcase_add_simple_test(tcase, "openprinter", test_openprinter);
759 torture_tcase_add_simple_test(tcase, "openprinter_admin", test_openprinter_admin);
760
761 tcase = torture_suite_add_tcase(suite, "printopuserpriv");
762
763 torture_tcase_set_fixture(tcase,
764 torture_rpc_spoolss_access_priv_setup,
765 torture_rpc_spoolss_access_teardown);
766
767 torture_tcase_add_simple_test(tcase, "openprinter", test_openprinter);
768 torture_tcase_add_simple_test(tcase, "openprinter_admin", test_openprinter_admin);
769
770 tcase = torture_suite_add_tcase(suite, "normaluser_sd");
771
772 torture_tcase_set_fixture(tcase,
773 torture_rpc_spoolss_access_sd_setup,
774 torture_rpc_spoolss_access_teardown);
775
776 torture_tcase_add_simple_test(tcase, "openprinter", test_openprinter);
777 torture_tcase_add_simple_test(tcase, "openprinter_admin", test_openprinter_admin);
778
779 rpc_tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "workstation",
780 &ndr_table_spoolss,
781 TORTURE_WORKSTATION);
782
783 torture_rpc_tcase_add_test(rpc_tcase, "openprinter", test_openprinter_wrap);
784
785 return suite;
786 }