Line data Source code
1 : /*
2 : * Unit tests for conditional ACE SDDL.
3 : *
4 : * Copyright (C) Catalyst.NET Ltd 2023
5 : *
6 : * This program is free software; you can redistribute it and/or modify
7 : * it under the terms of the GNU General Public License as published by
8 : * the Free Software Foundation; either version 3 of the License, or
9 : * (at your option) any later version.
10 : *
11 : * This program is distributed in the hope that it will be useful,
12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : * GNU General Public License for more details.
15 : *
16 : * You should have received a copy of the GNU General Public License
17 : * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 : *
19 : */
20 :
21 : #include <stdarg.h>
22 : #include <stddef.h>
23 : #include <setjmp.h>
24 : #include "cmocka.h"
25 :
26 : #include "lib/util/attr.h"
27 : #include "includes.h"
28 : #include "librpc/gen_ndr/ndr_security.h"
29 : #include "libcli/security/security.h"
30 : #include "libcli/security/conditional_ace.h"
31 : #include "librpc/gen_ndr/conditional_ace.h"
32 : #include "libcli/security/claims-conversions.h"
33 :
34 : #define debug_message(...) print_message(__VA_ARGS__)
35 :
36 : #define debug_fail(x, ...) print_message("\033[1;31m" x "\033[0m", __VA_ARGS__)
37 : #define debug_ok(x, ...) print_message("\033[1;32m" x "\033[0m", __VA_ARGS__)
38 :
39 : #define assert_ntstatus_equal(got, expected, comment) \
40 : do { NTSTATUS __got = got, __expected = expected; \
41 : if (!NT_STATUS_EQUAL(__got, __expected)) { \
42 : print_message(": "#got" was %s, expected %s: %s", \
43 : nt_errstr(__got), \
44 : nt_errstr(__expected), comment); \
45 : fail(); \
46 : } \
47 : } while(0)
48 :
49 :
50 :
51 :
52 : /*
53 : static void print_error_message(const char *sddl,
54 : const char *message,
55 : size_t message_offset)
56 : {
57 : print_message("%s\n\033[1;33m %*c\033[0m\n", sddl,
58 : (int)message_offset, '^');
59 : print_message("%s\n", message);
60 : }
61 : */
62 36 : static bool fill_token_claims(TALLOC_CTX *mem_ctx,
63 : struct security_token *token,
64 : const char *claim_type,
65 : const char *name,
66 : ...)
67 : {
68 36 : va_list args;
69 36 : va_start(args, name);
70 36 : while (true) {
71 72 : struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
72 72 : const char *str = va_arg(args, const char *);
73 72 : if (str == NULL) {
74 : break;
75 : }
76 36 : claim = parse_sddl_literal_as_claim(mem_ctx,
77 : name,
78 : str);
79 36 : if (claim == NULL) {
80 0 : va_end(args);
81 0 : debug_fail("bad claim: %s\n", str);
82 0 : return false;
83 : }
84 36 : add_claim_to_token(mem_ctx, token, claim, claim_type);
85 : }
86 36 : va_end(args);
87 36 : return true;
88 : }
89 :
90 :
91 45 : static bool fill_token_sids(TALLOC_CTX *mem_ctx,
92 : struct security_token *token,
93 : const char *owner,
94 : ...)
95 : {
96 45 : uint32_t *n = &token->num_sids;
97 45 : struct dom_sid **list = NULL;
98 45 : va_list args;
99 45 : if (strcmp(owner, "device") == 0) {
100 4 : n = &token->num_device_sids;
101 4 : list = &token->device_sids;
102 41 : } else if (strcmp(owner, "user") == 0) {
103 41 : n = &token->num_sids;
104 41 : list = &token->sids;
105 : } else {
106 : return false;
107 : }
108 :
109 45 : *n = 0;
110 45 : va_start(args, owner);
111 91 : while (true) {
112 136 : struct dom_sid *sid = NULL;
113 136 : const char *str = va_arg(args, const char *);
114 136 : if (str == NULL) {
115 : break;
116 : }
117 :
118 91 : sid = sddl_decode_sid(mem_ctx, &str, NULL);
119 91 : if (sid == NULL) {
120 0 : debug_fail("bad SID: %s\n", str);
121 0 : va_end(args);
122 0 : return false;
123 : }
124 91 : add_sid_to_array(mem_ctx, sid, list, n);
125 : }
126 45 : va_end(args);
127 45 : return true;
128 : }
129 :
130 :
131 1 : static void test_device_claims_composite(void **state)
132 : {
133 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
134 1 : struct security_token token = {
135 : .evaluate_claims = CLAIMS_EVALUATION_ALWAYS
136 : };
137 1 : bool ok;
138 1 : NTSTATUS status;
139 1 : uint32_t access_granted = 0;
140 1 : struct security_descriptor *sd = NULL;
141 1 : const char *sddl = \
142 : "D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))";
143 1 : ok = fill_token_sids(mem_ctx, &token,
144 : "user",
145 : "WD", "AA", NULL);
146 1 : assert_true(ok);
147 1 : ok = fill_token_claims(mem_ctx, &token,
148 : "device", "colour",
149 : "{\"orange\", \"blue\"}",
150 : NULL);
151 1 : assert_true(ok);
152 1 : sd = sddl_decode(mem_ctx, sddl, NULL);
153 1 : assert_non_null(sd);
154 1 : status = se_access_check(sd, &token, 0x10, &access_granted);
155 1 : assert_ntstatus_equal(status, NT_STATUS_OK, "access check failed\n");
156 1 : }
157 :
158 :
159 40 : static bool fill_sd(TALLOC_CTX *mem_ctx,
160 : struct security_descriptor **sd,
161 : const char *sddl)
162 : {
163 80 : *sd = sddl_decode(mem_ctx, sddl, NULL);
164 40 : return *sd != NULL;
165 : }
166 :
167 : #define USER_SIDS(...) \
168 : assert_true(fill_token_sids(mem_ctx, &token, "user", __VA_ARGS__, NULL))
169 :
170 : #define DEVICE_SIDS(...) \
171 : assert_true( \
172 : fill_token_sids(mem_ctx, &token, "device", __VA_ARGS__, NULL))
173 :
174 : #define USER_CLAIMS(...) \
175 : assert_true( \
176 : fill_token_claims(mem_ctx, &token, "user", __VA_ARGS__, NULL))
177 :
178 : #define LOCAL_CLAIMS(...) \
179 : assert_true(fill_token_claims(mem_ctx, \
180 : &token, \
181 : "local", \
182 : __VA_ARGS__, \
183 : NULL))
184 :
185 : #define DEVICE_CLAIMS(...) \
186 : assert_true(fill_token_claims(mem_ctx, \
187 : &token, \
188 : "device", \
189 : __VA_ARGS__, \
190 : NULL))
191 :
192 :
193 : #define SD(sddl) assert_true(fill_sd(mem_ctx, &sd, sddl))
194 : #define SD_FAIL(sddl) assert_false(fill_sd(mem_ctx, &sd, sddl))
195 :
196 : #define ALLOW_CHECK(requested) \
197 : do { \
198 : NTSTATUS status; \
199 : uint32_t access_granted = 0; \
200 : status = se_access_check(sd, \
201 : &token, \
202 : requested, \
203 : &access_granted); \
204 : assert_ntstatus_equal(status, \
205 : NT_STATUS_OK, \
206 : "access not granted\n"); \
207 : } while (0)
208 :
209 :
210 : #define DENY_CHECK(requested) \
211 : do { \
212 : NTSTATUS status; \
213 : uint32_t access_granted = 0; \
214 : status = se_access_check(sd, \
215 : &token, \
216 : requested, \
217 : &access_granted); \
218 : assert_ntstatus_equal(status, \
219 : NT_STATUS_ACCESS_DENIED, \
220 : "not denied\n"); \
221 : } while (0)
222 :
223 :
224 : #define INIT() \
225 : TALLOC_CTX *mem_ctx = talloc_new(NULL); \
226 : struct security_token token = { \
227 : .evaluate_claims = CLAIMS_EVALUATION_ALWAYS \
228 : }; \
229 : struct security_descriptor *sd = NULL;
230 :
231 :
232 :
233 1 : static void test_composite_different_order(void **state)
234 : {
235 1 : INIT()
236 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))");
237 1 : USER_SIDS("WD", "AA");
238 1 : DEVICE_CLAIMS("colour", "{\"blue\", \"orange\"}");
239 : /*
240 : * Claim arrays are sets, so we assume conditional ACE ones are too.
241 : */
242 1 : ALLOW_CHECK(0x10);
243 1 : }
244 :
245 1 : static void test_composite_different_order_with_dupes(void **state)
246 : {
247 1 : INIT()
248 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\", \"orange\"}))");
249 1 : USER_SIDS("WD", "AA");
250 1 : DEVICE_CLAIMS("colour", "{\"blue\", \"orange\", \"blue\"}");
251 1 : ALLOW_CHECK(0x10);
252 1 : }
253 :
254 1 : static void test_composite_different_order_with_SID_dupes(void **state)
255 : {
256 1 : INIT()
257 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), SID(WD)}))");
258 1 : USER_SIDS("WD", "AA");
259 1 : DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
260 1 : ALLOW_CHECK(0x10);
261 1 : }
262 :
263 1 : static void test_composite_mixed_types(void **state)
264 : {
265 : /*
266 : * If the conditional ACE composite has mixed types, it can
267 : * never equal a claim, which only has one type.
268 : */
269 1 : INIT()
270 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {2, SID(WD), SID(AA), SID(WD)}))");
271 1 : USER_SIDS("WD", "AA");
272 1 : DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
273 1 : DENY_CHECK(0x10);
274 1 : }
275 :
276 1 : static void test_different_case(void **state)
277 : {
278 1 : INIT()
279 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"OraNgE\", \"BLuE\"}))");
280 1 : USER_SIDS("WD", "AA");
281 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
282 1 : ALLOW_CHECK(0x10);
283 1 : }
284 :
285 1 : static void test_different_case_with_case_sensitive_flag(void **state)
286 : {
287 1 : INIT()
288 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"OraNgE\", \"BLuE\"}))");
289 1 : USER_SIDS("WD", "AA");
290 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
291 : /* set the flag bit */
292 1 : token.device_claims[0].flags = CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
293 1 : DENY_CHECK(0x10);
294 1 : }
295 :
296 :
297 1 : static void test_claim_name_different_case(void **state)
298 : {
299 1 : INIT()
300 1 : SD("D:(XA;;0x1f;;;AA;(@Device.Colour == {\"orange\", \"blue\"}))");
301 1 : USER_SIDS("WD", "AA");
302 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
303 1 : ALLOW_CHECK(0x10);
304 1 : }
305 :
306 1 : static void test_claim_name_different_case_case_flag(void **state)
307 : {
308 1 : INIT()
309 1 : SD("D:(XA;;0x1f;;;AA;(@Device.Colour == {\"orange\", \"blue\"}))");
310 1 : USER_SIDS("WD", "AA");
311 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
312 : /*
313 : * The CASE_SENSITIVE flag is for the values, not the names.
314 : */
315 1 : token.device_claims[0].flags = CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
316 1 : ALLOW_CHECK(0x10);
317 1 : }
318 :
319 1 : static void test_more_values_not_equal(void **state)
320 : {
321 1 : INIT()
322 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour != {\"orange\", \"blue\", \"green\"}))");
323 1 : USER_SIDS("WD", "AA");
324 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
325 1 : ALLOW_CHECK(0x10);
326 1 : }
327 :
328 1 : static void test_contains(void **state)
329 : {
330 1 : INIT()
331 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains {\"orange\", \"blue\"}))");
332 1 : USER_SIDS("WD", "AA");
333 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
334 1 : ALLOW_CHECK(0x10);
335 1 : }
336 :
337 1 : static void test_contains_incomplete(void **state)
338 : {
339 1 : INIT()
340 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains {\"orange\", \"blue\", \"red\"}))");
341 1 : USER_SIDS("WD", "AA");
342 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
343 1 : DENY_CHECK(0x10);
344 1 : }
345 :
346 1 : static void test_any_of(void **state)
347 : {
348 1 : INIT()
349 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of {\"orange\", \"blue\", \"red\"}))");
350 1 : USER_SIDS("WD", "AA");
351 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
352 1 : ALLOW_CHECK(0x10);
353 1 : }
354 :
355 1 : static void test_any_of_match_last(void **state)
356 : {
357 1 : INIT()
358 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of {\"a\", \"b\", \"blue\"}))");
359 1 : USER_SIDS("WD", "AA");
360 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
361 1 : ALLOW_CHECK(0x10);
362 1 : }
363 :
364 1 : static void test_any_of_1(void **state)
365 : {
366 1 : INIT()
367 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of\"blue\"))");
368 1 : USER_SIDS("WD", "AA");
369 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
370 1 : ALLOW_CHECK(0x10);
371 1 : }
372 :
373 1 : static void test_contains_1(void **state)
374 : {
375 1 : INIT()
376 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains \"blue\"))");
377 1 : USER_SIDS("WD", "AA");
378 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
379 1 : ALLOW_CHECK(0x10);
380 1 : }
381 :
382 1 : static void test_contains_1_fail(void **state)
383 : {
384 1 : INIT()
385 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains \"pink\"))");
386 1 : USER_SIDS("WD", "AA");
387 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
388 1 : DENY_CHECK(0x10);
389 1 : }
390 :
391 1 : static void test_any_of_1_fail(void **state)
392 : {
393 1 : INIT()
394 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of \"pink\"))");
395 1 : USER_SIDS("WD", "AA");
396 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
397 1 : DENY_CHECK(0x10);
398 1 : }
399 :
400 :
401 1 : static void test_not_any_of_1_fail(void **state)
402 : {
403 1 : INIT()
404 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of\"blue\"))");
405 1 : USER_SIDS("WD", "AA");
406 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
407 1 : DENY_CHECK(0x10);
408 1 : }
409 :
410 1 : static void test_not_any_of_composite_1(void **state)
411 : {
412 1 : INIT()
413 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of{\"blue\"}))");
414 1 : USER_SIDS("WD", "AA");
415 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
416 1 : DENY_CHECK(0x10);
417 1 : }
418 :
419 1 : static void test_not_contains_1_fail(void **state)
420 : {
421 1 : INIT()
422 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Contains \"blue\"))");
423 1 : USER_SIDS("WD", "AA");
424 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
425 1 : DENY_CHECK(0x10);
426 1 : }
427 :
428 1 : static void test_not_contains_1(void **state)
429 : {
430 1 : INIT()
431 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Contains \"pink\"))");
432 1 : USER_SIDS("WD", "AA");
433 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
434 1 : ALLOW_CHECK(0x10);
435 1 : }
436 :
437 1 : static void test_not_any_of_1(void **state)
438 : {
439 1 : INIT()
440 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of \"pink\"))");
441 1 : USER_SIDS("WD", "AA");
442 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
443 1 : ALLOW_CHECK(0x10);
444 1 : }
445 :
446 1 : static void test_not_Not_Any_of_1(void **state)
447 : {
448 1 : INIT()
449 1 : SD("D:(XA;;0x1f;;;AA;(!(@Device.colour Not_Any_of \"pink\")))");
450 1 : USER_SIDS("WD", "AA");
451 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
452 1 : DENY_CHECK(0x10);
453 1 : }
454 :
455 1 : static void test_not_Not_Contains_1(void **state)
456 : {
457 1 : INIT()
458 1 : SD("D:(XA;;0x1f;;;AA;(! (@Device.colour Not_Contains \"blue\")))");
459 1 : USER_SIDS("WD", "AA");
460 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
461 1 : ALLOW_CHECK(0x10);
462 1 : }
463 :
464 :
465 1 : static void test_not_not_Not_Member_of(void **state)
466 : {
467 1 : INIT();
468 1 : SD("D:(XA;;0x1f;;;AA;(!(!(Not_Member_of{SID(BA)}))))");
469 1 : USER_SIDS("WD", "AA");
470 1 : DEVICE_SIDS("BA", "BG");
471 1 : ALLOW_CHECK(0x10);
472 1 : }
473 :
474 1 : static void test_not_not_Not_Member_of_fail(void **state)
475 : {
476 1 : INIT();
477 1 : SD("D:(XA;;0x1f;;;AA;(!(!(Not_Member_of{SID(AA)}))))");
478 1 : USER_SIDS("WD", "AA");
479 1 : DEVICE_SIDS("BA", "BG");
480 1 : DENY_CHECK(0x10);
481 1 : }
482 :
483 1 : static void test_not_not_not_not_not_not_not_not_not_not_Not_Member_of(void **state)
484 : {
485 1 : INIT();
486 1 : SD("D:(XA;;0x1f;;;AA;(!(!(!( !(!(!( !(!(!( "
487 : "Not_Member_of{SID(AA)})))))))))))");
488 1 : USER_SIDS("WD", "AA");
489 1 : DEVICE_SIDS("BA", "BG");
490 1 : ALLOW_CHECK(0x10);
491 1 : }
492 :
493 :
494 1 : static void test_Device_Member_of_and_Member_of(void **state)
495 : {
496 1 : INIT();
497 1 : USER_SIDS("WD", "AA");
498 1 : DEVICE_SIDS("BA", "BG");
499 1 : SD("D:(XA;;0x1f;;;AA;"
500 : "(Device_Member_of{SID(BA)} && Member_of{SID(WD)}))");
501 1 : ALLOW_CHECK(0x10);
502 1 : }
503 :
504 :
505 1 : static void test_Device_claim_contains_Resource_claim(void **state)
506 : {
507 1 : INIT();
508 1 : USER_SIDS("WD", "AA");
509 1 : DEVICE_CLAIMS("colour", "\"blue\"");
510 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
511 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
512 1 : ALLOW_CHECK(0x10);
513 1 : }
514 :
515 :
516 1 : static void test_device_claim_contains_resource_claim(void **state)
517 : {
518 1 : INIT();
519 1 : USER_SIDS("WD", "AA");
520 1 : DEVICE_CLAIMS("colour", "\"blue\"");
521 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
522 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
523 1 : ALLOW_CHECK(0x10);
524 1 : }
525 :
526 1 : static void test_device_claim_eq_resource_claim(void **state)
527 : {
528 1 : INIT();
529 1 : USER_SIDS("WD", "AA");
530 1 : DEVICE_CLAIMS("colour", "\"blue\"");
531 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == @Resource.colour))"
532 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
533 1 : ALLOW_CHECK(0x10);
534 1 : }
535 :
536 1 : static void test_user_claim_eq_device_claim(void **state)
537 : {
538 1 : INIT();
539 1 : USER_SIDS("WD", "AA");
540 1 : USER_CLAIMS("colour", "\"blue\"");
541 1 : DEVICE_CLAIMS("colour", "\"blue\"");
542 1 : SD("D:(XA;;0x1f;;;AA;(@User.colour == @Device.colour))");
543 1 : ALLOW_CHECK(0x10);
544 1 : }
545 :
546 1 : static void test_device_claim_eq_resource_claim_2(void **state)
547 : {
548 1 : INIT();
549 1 : USER_SIDS("WD", "AA");
550 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
551 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))");
552 1 : ALLOW_CHECK(0x10);
553 1 : }
554 :
555 1 : static void test_resource_ace_multi(void **state)
556 : {
557 1 : INIT();
558 1 : USER_SIDS("WD", "AA");
559 1 : DEVICE_CLAIMS("colour", "{\"blue\", \"red\"}");
560 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
561 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\", \"red\"))");
562 1 : ALLOW_CHECK(0x10);
563 1 : }
564 :
565 1 : static void test_resource_ace_multi_any_of(void **state)
566 : {
567 1 : INIT();
568 1 : USER_SIDS("WD", "AA");
569 1 : DEVICE_CLAIMS("colour", "\"blue\"");
570 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of @Resource.colour))"
571 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"grue\", \"blue\", \"red\"))");
572 1 : ALLOW_CHECK(0x10);
573 1 : }
574 :
575 1 : static void test_horrible_fuzz_derived_test_3(void **state)
576 : {
577 1 : INIT();
578 1 : USER_SIDS("WD", "AA", "IS");
579 1 : SD_FAIL("S:PPD:(XA;OI;0x1;;;IS;(q>))");
580 1 : }
581 :
582 1 : static void test_resource_ace_single(void **state)
583 : {
584 1 : INIT();
585 1 : USER_SIDS("WD", "AA");
586 1 : DEVICE_CLAIMS("colour", "\"blue\"");
587 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
588 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
589 1 : ALLOW_CHECK(0x10);
590 1 : }
591 :
592 :
593 1 : static void test_user_attr_any_of_missing_resource_and_user_attr(void **state)
594 : {
595 1 : INIT();
596 1 : USER_SIDS("WD", "AA");
597 1 : DEVICE_CLAIMS("colour", "\"blue\"");
598 1 : SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))");
599 1 : DENY_CHECK(0x10);
600 1 : }
601 :
602 1 : static void test_user_attr_any_of_missing_resource_attr(void **state)
603 : {
604 1 : INIT();
605 1 : USER_SIDS("WD", "AA");
606 1 : USER_CLAIMS("Project", "3");
607 1 : SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))");
608 1 : DENY_CHECK(0x10);
609 1 : }
610 :
611 1 : static void test_user_attr_any_of_missing_user_attr(void **state)
612 : {
613 1 : INIT();
614 1 : USER_SIDS("WD", "AA");
615 1 : SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))"
616 : "S:(RA;;;;;WD;(\"Project\",TX,0,#1234))");
617 1 : DENY_CHECK(0x10);
618 1 : }
619 :
620 :
621 1 : int main(_UNUSED_ int argc, _UNUSED_ const char **argv)
622 : {
623 1 : const struct CMUnitTest tests[] = {
624 : cmocka_unit_test(test_user_attr_any_of_missing_resource_and_user_attr),
625 : cmocka_unit_test(test_user_attr_any_of_missing_resource_attr),
626 : cmocka_unit_test(test_user_attr_any_of_missing_user_attr),
627 : cmocka_unit_test(test_composite_mixed_types),
628 : cmocka_unit_test(test_composite_different_order_with_SID_dupes),
629 : cmocka_unit_test(test_device_claim_eq_resource_claim_2),
630 : cmocka_unit_test(test_not_Not_Any_of_1),
631 : cmocka_unit_test(test_not_any_of_composite_1),
632 : cmocka_unit_test(test_resource_ace_single),
633 : cmocka_unit_test(test_horrible_fuzz_derived_test_3),
634 : cmocka_unit_test(test_Device_Member_of_and_Member_of),
635 : cmocka_unit_test(test_resource_ace_multi),
636 : cmocka_unit_test(test_resource_ace_multi_any_of),
637 : cmocka_unit_test(test_user_claim_eq_device_claim),
638 : cmocka_unit_test(test_device_claim_contains_resource_claim),
639 : cmocka_unit_test(test_device_claim_eq_resource_claim),
640 : cmocka_unit_test(test_Device_claim_contains_Resource_claim),
641 : cmocka_unit_test(test_not_Not_Contains_1),
642 : cmocka_unit_test(test_not_not_Not_Member_of_fail),
643 : cmocka_unit_test(test_not_not_Not_Member_of),
644 : cmocka_unit_test(test_not_not_not_not_not_not_not_not_not_not_Not_Member_of),
645 : cmocka_unit_test(test_not_any_of_1_fail),
646 : cmocka_unit_test(test_not_any_of_1),
647 : cmocka_unit_test(test_not_contains_1),
648 : cmocka_unit_test(test_not_contains_1_fail),
649 : cmocka_unit_test(test_any_of_1_fail),
650 : cmocka_unit_test(test_any_of_1),
651 : cmocka_unit_test(test_any_of),
652 : cmocka_unit_test(test_any_of_match_last),
653 : cmocka_unit_test(test_contains_incomplete),
654 : cmocka_unit_test(test_contains),
655 : cmocka_unit_test(test_contains_1),
656 : cmocka_unit_test(test_contains_1_fail),
657 : cmocka_unit_test(test_device_claims_composite),
658 : cmocka_unit_test(test_claim_name_different_case),
659 : cmocka_unit_test(test_claim_name_different_case_case_flag),
660 : cmocka_unit_test(test_different_case_with_case_sensitive_flag),
661 : cmocka_unit_test(test_composite_different_order),
662 : cmocka_unit_test(test_different_case),
663 : cmocka_unit_test(test_composite_different_order_with_dupes),
664 : cmocka_unit_test(test_more_values_not_equal),
665 : };
666 1 : if (!isatty(1)) {
667 1 : cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
668 : }
669 1 : return cmocka_run_group_tests(tests, NULL, NULL);
670 : }
|
