search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-selftest: Remove some unnecessary comma
[Samba/gebeck_regimport.git] / source4 / torture / rpc / samr_priv.c
blob20d9640a1c4aeb4185f077154b3007c529474630
1 /*
2 * Unix SMB/CIFS implementation.
3 * test suite for samr rpc operations
4 *
5 * Copyright (c) 2011 Andreas Schneider
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "param/param.h"
23 #include "torture/torture.h"
24 #include "librpc/gen_ndr/ndr_samr_c.h"
25 #include "librpc/rpc/dcerpc_proto.h"
26 #include "libcli/security/security.h"
27 #include "torture/rpc/torture_rpc.h"
28
29 #define TEST_ACCOUNT_NAME "guru"
30
31 struct torture_user {
32 const char *username;
33 const char *password;
34 const char *domain;
35 uint32_t *builtin_memberships;
36 uint32_t num_builtin_memberships;
37 bool admin_rights;
38 };
39
40 struct torture_access_context {
41 struct dcerpc_pipe *pipe;
42 struct torture_user user;
43 struct test_join *join;
44 };
45
46 static void init_lsa_String(struct lsa_String *name, const char *s)
47 {
48 name->string = s;
49 }
50
51 static bool test_samr_queryUserInfo(struct torture_context *tctx,
52 struct dcerpc_binding_handle *b,
53 struct policy_handle *user_handle)
54 {
55 struct samr_QueryUserInfo r;
56 union samr_UserInfo *info;
57 NTSTATUS status;
58
59 r.in.level = UserGeneralInformation;
60 r.in.user_handle = user_handle;
61 r.out.info = &info;
62
63 status = dcerpc_samr_QueryUserInfo_r(b,
64 tctx,
65 &r);
66 torture_assert_ntstatus_ok(tctx, status, "queryUserInfo failed");
67 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_OK)) {
68 torture_comment(tctx, "queryUserInfo failed");
69 return false;
70 }
71
72 return true;
73 }
74
75 static bool test_LookupName(struct dcerpc_binding_handle *b,
76 struct torture_context *tctx,
77 struct policy_handle *domain_handle,
78 const char *name,
79 uint32_t *rid)
80 {
81 NTSTATUS status;
82 struct samr_LookupNames n;
83 struct lsa_String sname[1];
84 struct samr_Ids rids, types;
85
86 init_lsa_String(&sname[0], name);
87
88 n.in.domain_handle = domain_handle;
89 n.in.num_names = 1;
90 n.in.names = sname;
91 n.out.rids = &rids;
92 n.out.types = &types;
93
94 status = dcerpc_samr_LookupNames_r(b, tctx, &n);
95 if (!NT_STATUS_IS_OK(status)) {
96 return false;
97 }
98 if (!NT_STATUS_IS_OK(n.out.result)) {
99 return false;
100 }
101
102 *rid = n.out.rids->ids[0];
103 return true;
104 }
105
106 static bool test_samr_CreateUser(struct torture_context *tctx,
107 struct dcerpc_binding_handle *b,
108 struct policy_handle *domain_handle,
109 const char *name,
110 struct policy_handle *user_handle)
111 {
112 struct lsa_String username;
113 struct samr_CreateUser r;
114 uint32_t rid = 0;
115 NTSTATUS status;
116
117 init_lsa_String(&username, name);
118
119 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
120 r.in.domain_handle = domain_handle;
121 r.in.account_name = &username;
122 r.out.user_handle = user_handle;
123 r.out.rid = &rid;
124
125 status = dcerpc_samr_CreateUser_r(b, tctx, &r);
126 torture_assert_ntstatus_ok(tctx, status, "CreateUser failed");
127 if (!NT_STATUS_IS_OK(r.out.result)) {
128 torture_comment(tctx, "CreateUser failed");
129 return false;
130 }
131
132 return true;
133 }
134
135 static bool test_samr_OpenUser(struct torture_context *tctx,
136 struct dcerpc_binding_handle *b,
137 struct policy_handle *domain_handle,
138 const char *name,
139 struct policy_handle *user_handle,
140 bool expected)
141 {
142 struct samr_OpenUser r;
143 uint32_t rid = 0;
144 NTSTATUS status;
145 bool ok;
146
147 ok = test_LookupName(b, tctx, domain_handle, name, &rid);
148 if (!ok && expected) {
149 torture_comment(tctx, " - lookup name for %s failed\n", name);
150 return true;
151 } else if (!ok) {
152 return false;
153 }
154
155 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
156 r.in.domain_handle = domain_handle;
157 r.in.rid = rid;
158 r.out.user_handle = user_handle;
159
160 status = dcerpc_samr_OpenUser_r(b, tctx, &r);
161 torture_assert_ntstatus_ok(tctx, status, "CreateUser failed");
162 if (!NT_STATUS_IS_OK(r.out.result)) {
163 torture_comment(tctx, "CreateUser failed");
164 return false;
165 }
166
167 return true;
168 }
169
170 static bool test_samr_openDomain(struct torture_context *tctx,
171 struct dcerpc_binding_handle *b,
172 struct policy_handle *connect_handle,
173 const char *domain,
174 struct policy_handle *domain_handle)
175 {
176 struct samr_LookupDomain r;
177 struct samr_OpenDomain r2;
178 struct lsa_String n;
179 struct dom_sid *sid;
180 NTSTATUS status;
181
182 r.in.connect_handle = connect_handle;
183 init_lsa_String(&n, domain);
184 r.in.domain_name = &n;
185 r.out.sid = &sid;
186
187 status = dcerpc_samr_LookupDomain_r(b, tctx, &r);
188 torture_assert_ntstatus_ok(tctx, status, "LookupDomain failed");
189 if (!NT_STATUS_IS_OK(r.out.result)) {
190 torture_comment(tctx, "LookupDomain failed - %s\n", nt_errstr(r.out.result));
191 return false;
192 }
193
194 r2.in.connect_handle = connect_handle;
195 r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
196 r2.in.sid = sid;
197 r2.out.domain_handle = domain_handle;
198
199 status = dcerpc_samr_OpenDomain_r(b, tctx, &r2);
200 torture_assert_ntstatus_ok(tctx, status, "OpenDomain failed");
201 if (!NT_STATUS_IS_OK(r2.out.result)) {
202 torture_comment(tctx, "OpenDomain failed - %s\n", nt_errstr(r.out.result));
203 return false;
204 }
205
206 return true;
207 }
208
209 static bool test_samr_Connect(struct torture_context *tctx,
210 struct dcerpc_binding_handle *b,
211 struct policy_handle *connect_handle)
212 {
213 struct samr_Connect r;
214 NTSTATUS status;
215
216 r.in.system_name = 0;
217 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
218 r.out.connect_handle = connect_handle;
219
220 status = dcerpc_samr_Connect_r(b, tctx, &r);
221 torture_assert_ntstatus_ok(tctx, status, "SAMR connect failed");
222 if (!NT_STATUS_IS_OK(r.out.result)) {
223 torture_comment(tctx, "Connect failed - %s\n", nt_errstr(r.out.result));
224 return false;
225 }
226
227 return true;
228 }
229
230 static bool test_samr_create_user(struct torture_context *tctx,
231 struct torture_access_context *t,
232 const char *name)
233 {
234 struct dcerpc_binding_handle *b = t->pipe->binding_handle;
235 struct policy_handle connect_handle;
236 struct policy_handle domain_handle;
237 struct policy_handle user_handle;
238 bool ok = false;
239
240 torture_comment(tctx, "Connecting to SAMR\n");
241 ZERO_STRUCT(connect_handle);
242 ok = test_samr_Connect(tctx, b, &connect_handle);
243 torture_assert(tctx, ok, "Unable to connect to domain");
244
245 torture_comment(tctx, "Opening domain %s\n", t->user.domain);
246 ZERO_STRUCT(domain_handle);
247 ok = test_samr_openDomain(tctx,
248 b,
249 &connect_handle,
250 t->user.domain,
251 &domain_handle);
252 torture_assert(tctx, ok, "Unable to open to domain");
253
254 torture_comment(tctx, "Creating account %s\n", name);
255 ZERO_STRUCT(user_handle);
256 ok = test_samr_CreateUser(tctx,
257 b,
258 &domain_handle,
259 name,
260 &user_handle);
261
262 test_samr_handle_Close(b, tctx, &domain_handle);
263 test_samr_handle_Close(b, tctx, &connect_handle);
264
265 return ok;
266 }
267
268 static bool test_samr_userinfo_getinfo(struct torture_context *tctx,
269 struct dcerpc_pipe *p,
270 bool expected)
271 {
272 const char *name;
273 struct dcerpc_pipe *p2 = NULL;
274 struct dcerpc_binding_handle *b;
275 struct policy_handle connect_handle;
276 struct policy_handle domain_handle;
277 struct policy_handle user_handle;
278 NTSTATUS status;
279 uint32_t i = 0;
280 bool ok;
281
282 status = torture_rpc_connection(tctx, &p2, &ndr_table_samr);
283 torture_assert_ntstatus_ok(tctx, status,
284 "Creating secondary connection failed");
285 b = p2->binding_handle;
286
287 torture_comment(tctx, " - 2nd connect\n");
288 /* connect */
289 ZERO_STRUCT(connect_handle);
290 ok = test_samr_Connect(tctx, b, &connect_handle);
291 torture_assert(tctx, ok, "Unable to connect to domain");
292
293 torture_comment(tctx, " - 2nd open domain\n");
294 /* open domain */
295 ZERO_STRUCT(domain_handle);
296 ok = test_samr_openDomain(tctx,
297 b,
298 &connect_handle,
299 torture_setting_string(tctx, "workgroup",
300 lpcfg_workgroup(tctx->lp_ctx)),
301 &domain_handle);
302 torture_assert(tctx, ok, "Unable to open to domain");
303
304 /* create user */
305 name = talloc_asprintf(tctx,
306 "%s%04d",
307 TEST_ACCOUNT_NAME,
308 i);
309
310 torture_comment(tctx, " - 2nd open user\n");
311 ZERO_STRUCT(user_handle);
312 ok = test_samr_OpenUser(tctx,
313 b,
314 &domain_handle,
315 name,
316 &user_handle,
317 expected);
318 torture_assert(tctx, ok, "Unable to open user");
319
320 if (!expected) {
321 torture_comment(tctx, " - 2nd query user\n");
322 ok = test_samr_queryUserInfo(tctx, b, &user_handle);
323 torture_assert(tctx, ok, "Unable to query user");
324
325 test_samr_handle_Close(b, tctx, &user_handle);
326 }
327
328 test_samr_handle_Close(b, tctx, &domain_handle);
329 test_samr_handle_Close(b, tctx, &connect_handle);
330
331 talloc_free(p2);
332
333 return true;
334 }
335
336 #define NUM_RUNS 20
337 static bool torture_rpc_samr_caching(struct torture_context *tctx,
338 struct dcerpc_pipe *p)
339 {
340 struct test_join *join;
341 const char *password = NULL;
342 const char *name;
343 NTSTATUS status;
344 uint32_t i = 0;
345 bool ok;
346
347 torture_comment(tctx, ">>> Testing User Info Caching\n");
348
349 /* create user */
350 name = talloc_asprintf(tctx,
351 "%s%04d",
352 TEST_ACCOUNT_NAME,
353 i);
354
355 torture_comment(tctx, "- Creating user %s\n", name);
356
357 join = torture_create_testuser(tctx,
358 name,
359 torture_setting_string(tctx, "workgroup",
360 lpcfg_workgroup(tctx->lp_ctx)),
361 ACB_NORMAL,
362 &password);
363 if (join == NULL) {
364 return false;
365 }
366
367 torture_comment(tctx, "- Query user information\n");
368 for (i = 0; i < NUM_RUNS; i++) {
369 ok = test_samr_userinfo_getinfo(tctx, p, false);
370 torture_assert(tctx, ok, "test_samr_userinfo_getinfo failed");
371 }
372
373 torture_comment(tctx, "- Delete user\n");
374 status = torture_delete_testuser(tctx,
375 join,
376 name);
377 if (!NT_STATUS_IS_OK(status)) {
378 torture_comment(tctx, "DeleteUser failed - %s\n",
379 nt_errstr(status));
380 return false;
381 }
382
383 torture_comment(tctx, "- Try to query user information again (should fail)\n");
384 for (i = 0; i < NUM_RUNS; i++) {
385 ok = test_samr_userinfo_getinfo(tctx,
386 p,
387 true);
388 torture_assert(tctx, ok, "test_samr_userinfo_getinfo failed");
389 }
390
391 return true;
392 }
393 #undef NUM_RUNS
394
395 static bool torture_rpc_samr_access_setup_membership(struct torture_context *tctx,
396 struct dcerpc_pipe *p,
397 uint32_t num_members,
398 uint32_t *members,
399 struct dom_sid *user_sid)
400 {
401 struct dcerpc_binding_handle *b = p->binding_handle;
402 struct policy_handle connect_handle, domain_handle;
403 int i;
404
405 torture_comment(tctx,
406 "Setting up BUILTIN membership for %s\n",
407 dom_sid_string(tctx, user_sid));
408
409 for (i=0; i < num_members; i++) {
410 torture_comment(tctx, "adding user to S-1-5-32-%d\n", members[i]);
411 }
412
413 /* connect */
414 {
415 struct samr_Connect2 r;
416 r.in.system_name = "";
417 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
418 ZERO_STRUCT(connect_handle);
419 r.out.connect_handle = &connect_handle;
420
421 torture_assert_ntstatus_ok(tctx,
422 dcerpc_samr_Connect2_r(b, tctx, &r),
423 "samr_Connect2 failed");
424 torture_assert_ntstatus_ok(tctx, r.out.result,
425 "samr_Connect2 failed");
426 }
427
428 /* open domain */
429 {
430 struct samr_OpenDomain r;
431 r.in.connect_handle = &connect_handle;
432 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
433 r.in.sid = dom_sid_parse_talloc(tctx, "S-1-5-32");
434 ZERO_STRUCT(domain_handle);
435 r.out.domain_handle = &domain_handle;
436
437 torture_assert_ntstatus_ok(tctx,
438 dcerpc_samr_OpenDomain_r(b, tctx, &r),
439 "samr_OpenDomain failed");
440 torture_assert_ntstatus_ok(tctx, r.out.result,
441 "samr_OpenDomain failed");
442 }
443
444 for (i = 0; i < num_members; i++) {
445
446 struct policy_handle alias_handle;
447
448 /* open alias */
449 {
450 struct samr_OpenAlias r;
451 r.in.domain_handle = &domain_handle;
452 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
453 r.in.rid = members[i];
454 ZERO_STRUCT(alias_handle);
455 r.out.alias_handle = &alias_handle;
456
457 torture_assert_ntstatus_ok(tctx,
458 dcerpc_samr_OpenAlias_r(b, tctx, &r),
459 "samr_OpenAlias failed");
460 torture_assert_ntstatus_ok(tctx, r.out.result,
461 "samr_OpenAlias failed");
462 }
463
464 /* add alias member */
465 {
466 struct samr_AddAliasMember r;
467 ZERO_STRUCT(alias_handle);
468 r.in.alias_handle = &alias_handle;
469 r.in.sid = user_sid;
470
471 torture_assert_ntstatus_ok(tctx,
472 dcerpc_samr_AddAliasMember_r(b, tctx, &r),
473 "samr_AddAliasMember failed");
474 torture_assert_ntstatus_ok(tctx, r.out.result,
475 "samr_AddAliasMember failed");
476 }
477
478 test_samr_handle_Close(b, tctx, &alias_handle);
479 }
480
481 test_samr_handle_Close(b, tctx, &domain_handle);
482 test_samr_handle_Close(b, tctx, &connect_handle);
483
484 return true;
485 }
486
487 static bool torture_rpc_samr_access_setup(struct torture_context *tctx,
488 struct dcerpc_pipe *p,
489 struct torture_access_context *t)
490 {
491 const char *binding = torture_setting_string(tctx, "binding", NULL);
492 struct cli_credentials *test_credentials;
493 struct test_join *join;
494 struct dom_sid *test_sid;
495 struct dcerpc_pipe *samr_pipe;
496
497 t->user.domain = torture_setting_string(tctx, "workgroup",
498 lpcfg_workgroup(tctx->lp_ctx)),
499
500 join = torture_create_testuser(tctx,
501 t->user.username,
502 t->user.domain,
503 ACB_NORMAL,
504 &t->user.password);
505 if (join == NULL) {
506 return false;
507 }
508 t->join = join;
509
510 test_credentials = cli_credentials_init(tctx);
511
512 cli_credentials_set_workstation(test_credentials,
513 "localhost",
514 CRED_SPECIFIED);
515 cli_credentials_set_domain(test_credentials,
516 torture_setting_string(tctx, "workgroup",
517 lpcfg_workgroup(tctx->lp_ctx)),
518 CRED_SPECIFIED);
519 cli_credentials_set_username(test_credentials,
520 t->user.username,
521 CRED_SPECIFIED);
522 cli_credentials_set_password(test_credentials,
523 t->user.password,
524 CRED_SPECIFIED);
525 test_sid = discard_const_p(struct dom_sid,
526 torture_join_user_sid(t->join));
527
528 if (t->user.num_builtin_memberships) {
529 torture_assert(tctx,
530 torture_rpc_samr_access_setup_membership(tctx,
531 p,
532 t->user.num_builtin_memberships,
533 t->user.builtin_memberships,
534 test_sid),
535 "failed to setup membership");
536 }
537
538 torture_assert_ntstatus_ok(tctx,
539 dcerpc_pipe_connect(tctx,
540 &samr_pipe,
541 binding,
542 &ndr_table_samr,
543 test_credentials,
544 tctx->ev,
545 tctx->lp_ctx),
546 "Error connecting to server");
547
548 t->pipe = samr_pipe;
549
550 return true;
551 }
552
553 static bool torture_rpc_samr_access(struct torture_context *tctx,
554 struct dcerpc_pipe *p)
555 {
556 struct torture_access_context *t;
557 const char *testuser;
558 bool ok;
559
560 torture_comment(tctx, "Testing non-privileged user access\n");
561
562 t = talloc_zero(tctx, struct torture_access_context);
563 if (t == NULL) {
564 return false;
565 }
566
567 t->user.username = talloc_asprintf(t, "%s%04d", TEST_ACCOUNT_NAME, 100);
568
569 torture_comment(tctx, "*** Setting up non-privleged user\n"
570 "***\n");
571
572 ok = torture_rpc_samr_access_setup(tctx, p, t);
573 if (!ok) {
574 return false;
575 }
576
577 testuser = talloc_asprintf(t, "%s%04d", TEST_ACCOUNT_NAME, 200);
578
579 torture_comment(tctx, "*** Try to create user (%s) as non-privileged "
580 "user - should fail\n"
581 "***\n", testuser);
582
583 ok = test_samr_create_user(tctx, t, testuser);
584 if (!ok) {
585 torture_comment(tctx, "*** Creating user (%s) failed, which is "
586 "correct!\n", testuser);
587 return true;
588 }
589
590 torture_comment(tctx, "*** Creating user (%s) was successful, but "
591 "should fail!\n", testuser);
592
593 return false;
594 }
595
596 struct torture_suite *torture_rpc_samr_priv(TALLOC_CTX *mem_ctx)
597 {
598 struct torture_suite *suite =
599 torture_suite_create(mem_ctx, "samr.priv");
600 struct torture_rpc_tcase *tcase;
601
602 tcase = torture_suite_add_rpc_iface_tcase(suite,
603 "samr",
604 &ndr_table_samr);
605
606 torture_rpc_tcase_add_test(tcase,
607 "caching",
608 torture_rpc_samr_caching);
609
610 torture_rpc_tcase_add_test(tcase,
611 "access",
612 torture_rpc_samr_access);
613
614 return suite;
615 }
reg import