Line data Source code
1 : /*
2 : * Unit tests for conditional ACE SDDL.
3 : *
4 : * Copyright (C) Catalyst.NET Ltd 2023
5 : *
6 : * This program is free software; you can redistribute it and/or modify
7 : * it under the terms of the GNU General Public License as published by
8 : * the Free Software Foundation; either version 3 of the License, or
9 : * (at your option) any later version.
10 : *
11 : * This program is distributed in the hope that it will be useful,
12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : * GNU General Public License for more details.
15 : *
16 : * You should have received a copy of the GNU General Public License
17 : * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 : *
19 : */
20 :
21 : #include <stdarg.h>
22 : #include <stddef.h>
23 : #include <setjmp.h>
24 : #include "cmocka.h"
25 :
26 : #include "lib/util/attr.h"
27 : #include "includes.h"
28 : #include "librpc/gen_ndr/ndr_security.h"
29 : #include "libcli/security/security.h"
30 : #include "libcli/security/conditional_ace.h"
31 : #include "librpc/gen_ndr/conditional_ace.h"
32 : #include "libcli/security/claims-conversions.h"
33 :
34 : #define debug_message(...) print_message(__VA_ARGS__)
35 :
36 : #define debug_fail(x, ...) print_message("\033[1;31m" x "\033[0m", __VA_ARGS__)
37 : #define debug_ok(x, ...) print_message("\033[1;32m" x "\033[0m", __VA_ARGS__)
38 :
39 : #define assert_ntstatus_equal(got, expected, comment) \
40 : do { NTSTATUS __got = got, __expected = expected; \
41 : if (!NT_STATUS_EQUAL(__got, __expected)) { \
42 : print_message(": "#got" was %s, expected %s: %s", \
43 : nt_errstr(__got), \
44 : nt_errstr(__expected), comment); \
45 : fail(); \
46 : } \
47 : } while(0)
48 :
49 :
50 :
51 :
52 : /*
53 : static void print_error_message(const char *sddl,
54 : const char *message,
55 : size_t message_offset)
56 : {
57 : print_message("%s\n\033[1;33m %*c\033[0m\n", sddl,
58 : (int)message_offset, '^');
59 : print_message("%s\n", message);
60 : }
61 : */
62 40 : static bool fill_token_claims(TALLOC_CTX *mem_ctx,
63 : struct security_token *token,
64 : const char *claim_type,
65 : const char *name,
66 : ...)
67 : {
68 40 : va_list args;
69 40 : va_start(args, name);
70 40 : while (true) {
71 80 : struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
72 80 : const char *str = va_arg(args, const char *);
73 80 : if (str == NULL) {
74 : break;
75 : }
76 40 : claim = parse_sddl_literal_as_claim(mem_ctx,
77 : name,
78 : str);
79 40 : if (claim == NULL) {
80 0 : va_end(args);
81 0 : debug_fail("bad claim: %s\n", str);
82 0 : return false;
83 : }
84 40 : add_claim_to_token(mem_ctx, token, claim, claim_type);
85 : }
86 40 : va_end(args);
87 40 : return true;
88 : }
89 :
90 :
91 49 : static bool fill_token_sids(TALLOC_CTX *mem_ctx,
92 : struct security_token *token,
93 : const char *owner,
94 : ...)
95 : {
96 49 : uint32_t *n = &token->num_sids;
97 49 : struct dom_sid **list = NULL;
98 49 : va_list args;
99 49 : if (strcmp(owner, "device") == 0) {
100 4 : n = &token->num_device_sids;
101 4 : list = &token->device_sids;
102 45 : } else if (strcmp(owner, "user") == 0) {
103 45 : n = &token->num_sids;
104 45 : list = &token->sids;
105 : } else {
106 : return false;
107 : }
108 :
109 49 : *n = 0;
110 49 : va_start(args, owner);
111 99 : while (true) {
112 148 : struct dom_sid *sid = NULL;
113 148 : const char *str = va_arg(args, const char *);
114 148 : if (str == NULL) {
115 : break;
116 : }
117 :
118 99 : sid = sddl_decode_sid(mem_ctx, &str, NULL);
119 99 : if (sid == NULL) {
120 0 : debug_fail("bad SID: %s\n", str);
121 0 : va_end(args);
122 0 : return false;
123 : }
124 99 : add_sid_to_array(mem_ctx, sid, list, n);
125 : }
126 49 : va_end(args);
127 49 : return true;
128 : }
129 :
130 :
131 1 : static void test_device_claims_composite(void **state)
132 : {
133 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
134 1 : struct security_token token = {
135 : .evaluate_claims = CLAIMS_EVALUATION_ALWAYS
136 : };
137 1 : bool ok;
138 1 : NTSTATUS status;
139 1 : uint32_t access_granted = 0;
140 1 : struct security_descriptor *sd = NULL;
141 1 : const char *sddl = \
142 : "D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))";
143 1 : ok = fill_token_sids(mem_ctx, &token,
144 : "user",
145 : "WD", "AA", NULL);
146 1 : assert_true(ok);
147 1 : ok = fill_token_claims(mem_ctx, &token,
148 : "device", "colour",
149 : "{\"orange\", \"blue\"}",
150 : NULL);
151 1 : assert_true(ok);
152 1 : sd = sddl_decode(mem_ctx, sddl, NULL);
153 1 : assert_non_null(sd);
154 1 : status = se_access_check(sd, &token, 0x10, &access_granted);
155 1 : assert_ntstatus_equal(status, NT_STATUS_OK, "access check failed\n");
156 1 : }
157 :
158 :
159 44 : static bool fill_sd(TALLOC_CTX *mem_ctx,
160 : struct security_descriptor **sd,
161 : const char *sddl)
162 : {
163 88 : *sd = sddl_decode(mem_ctx, sddl, NULL);
164 44 : return *sd != NULL;
165 : }
166 :
167 : #define USER_SIDS(...) \
168 : assert_true(fill_token_sids(mem_ctx, &token, "user", __VA_ARGS__, NULL))
169 :
170 : #define DEVICE_SIDS(...) \
171 : assert_true( \
172 : fill_token_sids(mem_ctx, &token, "device", __VA_ARGS__, NULL))
173 :
174 : #define USER_CLAIMS(...) \
175 : assert_true( \
176 : fill_token_claims(mem_ctx, &token, "user", __VA_ARGS__, NULL))
177 :
178 : #define LOCAL_CLAIMS(...) \
179 : assert_true(fill_token_claims(mem_ctx, \
180 : &token, \
181 : "local", \
182 : __VA_ARGS__, \
183 : NULL))
184 :
185 : #define DEVICE_CLAIMS(...) \
186 : assert_true(fill_token_claims(mem_ctx, \
187 : &token, \
188 : "device", \
189 : __VA_ARGS__, \
190 : NULL))
191 :
192 :
193 : #define SD(sddl) assert_true(fill_sd(mem_ctx, &sd, sddl))
194 : #define SD_FAIL(sddl) assert_false(fill_sd(mem_ctx, &sd, sddl))
195 :
196 : #define ALLOW_CHECK(requested) \
197 : do { \
198 : NTSTATUS status; \
199 : uint32_t access_granted = 0; \
200 : status = se_access_check(sd, \
201 : &token, \
202 : requested, \
203 : &access_granted); \
204 : assert_ntstatus_equal(status, \
205 : NT_STATUS_OK, \
206 : "access not granted\n"); \
207 : } while (0)
208 :
209 :
210 : #define DENY_CHECK(requested) \
211 : do { \
212 : NTSTATUS status; \
213 : uint32_t access_granted = 0; \
214 : status = se_access_check(sd, \
215 : &token, \
216 : requested, \
217 : &access_granted); \
218 : assert_ntstatus_equal(status, \
219 : NT_STATUS_ACCESS_DENIED, \
220 : "not denied\n"); \
221 : } while (0)
222 :
223 :
224 : #define INIT() \
225 : TALLOC_CTX *mem_ctx = talloc_new(NULL); \
226 : struct security_token token = { \
227 : .evaluate_claims = CLAIMS_EVALUATION_ALWAYS \
228 : }; \
229 : struct security_descriptor *sd = NULL;
230 :
231 :
232 :
233 1 : static void test_composite_different_order(void **state)
234 : {
235 1 : INIT()
236 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))");
237 1 : USER_SIDS("WD", "AA");
238 1 : DEVICE_CLAIMS("colour", "{\"blue\", \"orange\"}");
239 : /*
240 : * Claim arrays are sets, so we assume conditional ACE ones are too.
241 : */
242 1 : ALLOW_CHECK(0x10);
243 1 : }
244 :
245 1 : static void test_composite_different_order_with_dupes(void **state)
246 : {
247 1 : INIT()
248 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\", \"orange\"}))");
249 1 : USER_SIDS("WD", "AA");
250 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\", \"orange\"}");
251 1 : DENY_CHECK(0x10);
252 1 : }
253 :
254 1 : static void test_composite_different_order_with_dupes_in_composite(void **state)
255 : {
256 1 : INIT()
257 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\", \"orange\"}))");
258 1 : USER_SIDS("WD", "AA");
259 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
260 1 : ALLOW_CHECK(0x10);
261 1 : }
262 :
263 1 : static void test_composite_different_order_with_SID_dupes(void **state)
264 : {
265 1 : INIT()
266 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), SID(WD)}))");
267 1 : USER_SIDS("WD", "AA");
268 1 : DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
269 1 : DENY_CHECK(0x10);
270 1 : }
271 :
272 1 : static void test_composite_different_order_with_SID_dupes_in_composite(void **state)
273 : {
274 1 : INIT()
275 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), SID(WD)}))");
276 1 : USER_SIDS("WD", "AA");
277 1 : DEVICE_CLAIMS("colour", "{SID(AA), SID(WD)}");
278 1 : ALLOW_CHECK(0x10);
279 1 : }
280 :
281 1 : static void test_composite_mixed_types(void **state)
282 : {
283 : /*
284 : * If the conditional ACE composite has mixed types, it can
285 : * never equal a claim, which only has one type.
286 : */
287 1 : INIT()
288 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {2, SID(WD), SID(AA), SID(WD)}))");
289 1 : USER_SIDS("WD", "AA");
290 1 : DEVICE_CLAIMS("colour", "{SID(AA), SID(WD)}");
291 1 : DENY_CHECK(0x10);
292 1 : }
293 :
294 1 : static void test_composite_mixed_types_different_last(void **state)
295 : {
296 : /*
297 : * If the conditional ACE composite has mixed types, it can
298 : * never equal a claim, which only has one type.
299 : */
300 1 : INIT()
301 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), 2}))");
302 1 : USER_SIDS("WD", "AA");
303 1 : DEVICE_CLAIMS("colour", "{SID(AA), SID(WD)}");
304 1 : DENY_CHECK(0x10);
305 1 : }
306 :
307 1 : static void test_composite_mixed_types_deny(void **state)
308 : {
309 : /*
310 : * If the conditional ACE composite has mixed types, it can
311 : * never equal a claim, which only has one type.
312 : */
313 1 : INIT()
314 1 : SD("D:(XD;;0x1f;;;AA;(@Device.colour == {2, SID(WD), SID(AA), SID(WD)}))"
315 : "(D;;;;;WD)");
316 1 : USER_SIDS("WD", "AA");
317 1 : DEVICE_CLAIMS("colour", "{SID(AA), SID(WD)}");
318 1 : DENY_CHECK(0x10);
319 1 : }
320 :
321 1 : static void test_different_case(void **state)
322 : {
323 1 : INIT()
324 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"OraNgE\", \"BLuE\"}))");
325 1 : USER_SIDS("WD", "AA");
326 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
327 1 : ALLOW_CHECK(0x10);
328 1 : }
329 :
330 1 : static void test_different_case_with_case_sensitive_flag(void **state)
331 : {
332 1 : INIT()
333 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"OraNgE\", \"BLuE\"}))");
334 1 : USER_SIDS("WD", "AA");
335 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
336 : /* set the flag bit */
337 1 : token.device_claims[0].flags = CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
338 1 : DENY_CHECK(0x10);
339 1 : }
340 :
341 :
342 1 : static void test_claim_name_different_case(void **state)
343 : {
344 1 : INIT()
345 1 : SD("D:(XA;;0x1f;;;AA;(@Device.Colour == {\"orange\", \"blue\"}))");
346 1 : USER_SIDS("WD", "AA");
347 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
348 1 : ALLOW_CHECK(0x10);
349 1 : }
350 :
351 1 : static void test_claim_name_different_case_case_flag(void **state)
352 : {
353 1 : INIT()
354 1 : SD("D:(XA;;0x1f;;;AA;(@Device.Colour == {\"orange\", \"blue\"}))");
355 1 : USER_SIDS("WD", "AA");
356 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
357 : /*
358 : * The CASE_SENSITIVE flag is for the values, not the names.
359 : */
360 1 : token.device_claims[0].flags = CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
361 1 : ALLOW_CHECK(0x10);
362 1 : }
363 :
364 1 : static void test_more_values_not_equal(void **state)
365 : {
366 1 : INIT()
367 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour != {\"orange\", \"blue\", \"green\"}))");
368 1 : USER_SIDS("WD", "AA");
369 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
370 1 : ALLOW_CHECK(0x10);
371 1 : }
372 :
373 1 : static void test_contains(void **state)
374 : {
375 1 : INIT()
376 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains {\"orange\", \"blue\"}))");
377 1 : USER_SIDS("WD", "AA");
378 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
379 1 : ALLOW_CHECK(0x10);
380 1 : }
381 :
382 1 : static void test_contains_incomplete(void **state)
383 : {
384 1 : INIT()
385 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains {\"orange\", \"blue\", \"red\"}))");
386 1 : USER_SIDS("WD", "AA");
387 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
388 1 : DENY_CHECK(0x10);
389 1 : }
390 :
391 1 : static void test_any_of(void **state)
392 : {
393 1 : INIT()
394 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of {\"orange\", \"blue\", \"red\"}))");
395 1 : USER_SIDS("WD", "AA");
396 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
397 1 : ALLOW_CHECK(0x10);
398 1 : }
399 :
400 1 : static void test_any_of_match_last(void **state)
401 : {
402 1 : INIT()
403 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of {\"a\", \"b\", \"blue\"}))");
404 1 : USER_SIDS("WD", "AA");
405 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
406 1 : ALLOW_CHECK(0x10);
407 1 : }
408 :
409 1 : static void test_any_of_1(void **state)
410 : {
411 1 : INIT()
412 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of\"blue\"))");
413 1 : USER_SIDS("WD", "AA");
414 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
415 1 : ALLOW_CHECK(0x10);
416 1 : }
417 :
418 1 : static void test_contains_1(void **state)
419 : {
420 1 : INIT()
421 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains \"blue\"))");
422 1 : USER_SIDS("WD", "AA");
423 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
424 1 : ALLOW_CHECK(0x10);
425 1 : }
426 :
427 1 : static void test_contains_1_fail(void **state)
428 : {
429 1 : INIT()
430 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains \"pink\"))");
431 1 : USER_SIDS("WD", "AA");
432 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
433 1 : DENY_CHECK(0x10);
434 1 : }
435 :
436 1 : static void test_any_of_1_fail(void **state)
437 : {
438 1 : INIT()
439 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of \"pink\"))");
440 1 : USER_SIDS("WD", "AA");
441 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
442 1 : DENY_CHECK(0x10);
443 1 : }
444 :
445 :
446 1 : static void test_not_any_of_1_fail(void **state)
447 : {
448 1 : INIT()
449 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of\"blue\"))");
450 1 : USER_SIDS("WD", "AA");
451 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
452 1 : DENY_CHECK(0x10);
453 1 : }
454 :
455 1 : static void test_not_any_of_composite_1(void **state)
456 : {
457 1 : INIT()
458 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of{\"blue\"}))");
459 1 : USER_SIDS("WD", "AA");
460 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
461 1 : DENY_CHECK(0x10);
462 1 : }
463 :
464 1 : static void test_not_contains_1_fail(void **state)
465 : {
466 1 : INIT()
467 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Contains \"blue\"))");
468 1 : USER_SIDS("WD", "AA");
469 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
470 1 : DENY_CHECK(0x10);
471 1 : }
472 :
473 1 : static void test_not_contains_1(void **state)
474 : {
475 1 : INIT()
476 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Contains \"pink\"))");
477 1 : USER_SIDS("WD", "AA");
478 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
479 1 : ALLOW_CHECK(0x10);
480 1 : }
481 :
482 1 : static void test_not_any_of_1(void **state)
483 : {
484 1 : INIT()
485 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of \"pink\"))");
486 1 : USER_SIDS("WD", "AA");
487 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
488 1 : ALLOW_CHECK(0x10);
489 1 : }
490 :
491 1 : static void test_not_Not_Any_of_1(void **state)
492 : {
493 1 : INIT()
494 1 : SD("D:(XA;;0x1f;;;AA;(!(@Device.colour Not_Any_of \"pink\")))");
495 1 : USER_SIDS("WD", "AA");
496 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
497 1 : DENY_CHECK(0x10);
498 1 : }
499 :
500 1 : static void test_not_Not_Contains_1(void **state)
501 : {
502 1 : INIT()
503 1 : SD("D:(XA;;0x1f;;;AA;(! (@Device.colour Not_Contains \"blue\")))");
504 1 : USER_SIDS("WD", "AA");
505 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
506 1 : ALLOW_CHECK(0x10);
507 1 : }
508 :
509 :
510 1 : static void test_not_not_Not_Member_of(void **state)
511 : {
512 1 : INIT();
513 1 : SD("D:(XA;;0x1f;;;AA;(!(!(Not_Member_of{SID(BA)}))))");
514 1 : USER_SIDS("WD", "AA");
515 1 : DEVICE_SIDS("BA", "BG");
516 1 : ALLOW_CHECK(0x10);
517 1 : }
518 :
519 1 : static void test_not_not_Not_Member_of_fail(void **state)
520 : {
521 1 : INIT();
522 1 : SD("D:(XA;;0x1f;;;AA;(!(!(Not_Member_of{SID(AA)}))))");
523 1 : USER_SIDS("WD", "AA");
524 1 : DEVICE_SIDS("BA", "BG");
525 1 : DENY_CHECK(0x10);
526 1 : }
527 :
528 1 : static void test_not_not_not_not_not_not_not_not_not_not_Not_Member_of(void **state)
529 : {
530 1 : INIT();
531 1 : SD("D:(XA;;0x1f;;;AA;(!(!(!( !(!(!( !(!(!( "
532 : "Not_Member_of{SID(AA)})))))))))))");
533 1 : USER_SIDS("WD", "AA");
534 1 : DEVICE_SIDS("BA", "BG");
535 1 : ALLOW_CHECK(0x10);
536 1 : }
537 :
538 :
539 1 : static void test_Device_Member_of_and_Member_of(void **state)
540 : {
541 1 : INIT();
542 1 : USER_SIDS("WD", "AA");
543 1 : DEVICE_SIDS("BA", "BG");
544 1 : SD("D:(XA;;0x1f;;;AA;"
545 : "(Device_Member_of{SID(BA)} && Member_of{SID(WD)}))");
546 1 : ALLOW_CHECK(0x10);
547 1 : }
548 :
549 :
550 1 : static void test_Device_claim_contains_Resource_claim(void **state)
551 : {
552 1 : INIT();
553 1 : USER_SIDS("WD", "AA");
554 1 : DEVICE_CLAIMS("colour", "\"blue\"");
555 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
556 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
557 1 : ALLOW_CHECK(0x10);
558 1 : }
559 :
560 :
561 1 : static void test_device_claim_contains_resource_claim(void **state)
562 : {
563 1 : INIT();
564 1 : USER_SIDS("WD", "AA");
565 1 : DEVICE_CLAIMS("colour", "\"blue\"");
566 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
567 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
568 1 : ALLOW_CHECK(0x10);
569 1 : }
570 :
571 1 : static void test_device_claim_eq_resource_claim(void **state)
572 : {
573 1 : INIT();
574 1 : USER_SIDS("WD", "AA");
575 1 : DEVICE_CLAIMS("colour", "\"blue\"");
576 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == @Resource.colour))"
577 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
578 1 : ALLOW_CHECK(0x10);
579 1 : }
580 :
581 1 : static void test_user_claim_eq_device_claim(void **state)
582 : {
583 1 : INIT();
584 1 : USER_SIDS("WD", "AA");
585 1 : USER_CLAIMS("colour", "\"blue\"");
586 1 : DEVICE_CLAIMS("colour", "\"blue\"");
587 1 : SD("D:(XA;;0x1f;;;AA;(@User.colour == @Device.colour))");
588 1 : ALLOW_CHECK(0x10);
589 1 : }
590 :
591 1 : static void test_device_claim_eq_resource_claim_2(void **state)
592 : {
593 1 : INIT();
594 1 : USER_SIDS("WD", "AA");
595 1 : DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
596 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))");
597 1 : ALLOW_CHECK(0x10);
598 1 : }
599 :
600 1 : static void test_resource_ace_multi(void **state)
601 : {
602 1 : INIT();
603 1 : USER_SIDS("WD", "AA");
604 1 : DEVICE_CLAIMS("colour", "{\"blue\", \"red\"}");
605 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
606 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\", \"red\"))");
607 1 : ALLOW_CHECK(0x10);
608 1 : }
609 :
610 1 : static void test_resource_ace_multi_any_of(void **state)
611 : {
612 1 : INIT();
613 1 : USER_SIDS("WD", "AA");
614 1 : DEVICE_CLAIMS("colour", "\"blue\"");
615 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of @Resource.colour))"
616 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"grue\", \"blue\", \"red\"))");
617 1 : ALLOW_CHECK(0x10);
618 1 : }
619 :
620 1 : static void test_horrible_fuzz_derived_test_3(void **state)
621 : {
622 1 : INIT();
623 1 : USER_SIDS("WD", "AA", "IS");
624 1 : SD_FAIL("S:PPD:(XA;OI;0x1;;;IS;(q>))");
625 1 : }
626 :
627 1 : static void test_resource_ace_single(void **state)
628 : {
629 1 : INIT();
630 1 : USER_SIDS("WD", "AA");
631 1 : DEVICE_CLAIMS("colour", "\"blue\"");
632 1 : SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
633 : "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
634 1 : ALLOW_CHECK(0x10);
635 1 : }
636 :
637 :
638 1 : static void test_user_attr_any_of_missing_resource_and_user_attr(void **state)
639 : {
640 1 : INIT();
641 1 : USER_SIDS("WD", "AA");
642 1 : DEVICE_CLAIMS("colour", "\"blue\"");
643 1 : SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))");
644 1 : DENY_CHECK(0x10);
645 1 : }
646 :
647 1 : static void test_user_attr_any_of_missing_resource_attr(void **state)
648 : {
649 1 : INIT();
650 1 : USER_SIDS("WD", "AA");
651 1 : USER_CLAIMS("Project", "3");
652 1 : SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))");
653 1 : DENY_CHECK(0x10);
654 1 : }
655 :
656 1 : static void test_user_attr_any_of_missing_user_attr(void **state)
657 : {
658 1 : INIT();
659 1 : USER_SIDS("WD", "AA");
660 1 : SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))"
661 : "S:(RA;;;;;WD;(\"Project\",TX,0,1234))");
662 1 : DENY_CHECK(0x10);
663 1 : }
664 :
665 :
666 1 : int main(_UNUSED_ int argc, _UNUSED_ const char **argv)
667 : {
668 1 : const struct CMUnitTest tests[] = {
669 : cmocka_unit_test(test_user_attr_any_of_missing_resource_and_user_attr),
670 : cmocka_unit_test(test_user_attr_any_of_missing_resource_attr),
671 : cmocka_unit_test(test_user_attr_any_of_missing_user_attr),
672 : cmocka_unit_test(test_composite_mixed_types),
673 : cmocka_unit_test(test_composite_mixed_types_different_last),
674 : cmocka_unit_test(test_composite_mixed_types_deny),
675 : cmocka_unit_test(test_composite_different_order_with_SID_dupes),
676 : cmocka_unit_test(test_composite_different_order_with_SID_dupes_in_composite),
677 : cmocka_unit_test(test_device_claim_eq_resource_claim_2),
678 : cmocka_unit_test(test_not_Not_Any_of_1),
679 : cmocka_unit_test(test_not_any_of_composite_1),
680 : cmocka_unit_test(test_resource_ace_single),
681 : cmocka_unit_test(test_horrible_fuzz_derived_test_3),
682 : cmocka_unit_test(test_Device_Member_of_and_Member_of),
683 : cmocka_unit_test(test_resource_ace_multi),
684 : cmocka_unit_test(test_resource_ace_multi_any_of),
685 : cmocka_unit_test(test_user_claim_eq_device_claim),
686 : cmocka_unit_test(test_device_claim_contains_resource_claim),
687 : cmocka_unit_test(test_device_claim_eq_resource_claim),
688 : cmocka_unit_test(test_Device_claim_contains_Resource_claim),
689 : cmocka_unit_test(test_not_Not_Contains_1),
690 : cmocka_unit_test(test_not_not_Not_Member_of_fail),
691 : cmocka_unit_test(test_not_not_Not_Member_of),
692 : cmocka_unit_test(test_not_not_not_not_not_not_not_not_not_not_Not_Member_of),
693 : cmocka_unit_test(test_not_any_of_1_fail),
694 : cmocka_unit_test(test_not_any_of_1),
695 : cmocka_unit_test(test_not_contains_1),
696 : cmocka_unit_test(test_not_contains_1_fail),
697 : cmocka_unit_test(test_any_of_1_fail),
698 : cmocka_unit_test(test_any_of_1),
699 : cmocka_unit_test(test_any_of),
700 : cmocka_unit_test(test_any_of_match_last),
701 : cmocka_unit_test(test_contains_incomplete),
702 : cmocka_unit_test(test_contains),
703 : cmocka_unit_test(test_contains_1),
704 : cmocka_unit_test(test_contains_1_fail),
705 : cmocka_unit_test(test_device_claims_composite),
706 : cmocka_unit_test(test_claim_name_different_case),
707 : cmocka_unit_test(test_claim_name_different_case_case_flag),
708 : cmocka_unit_test(test_different_case_with_case_sensitive_flag),
709 : cmocka_unit_test(test_composite_different_order),
710 : cmocka_unit_test(test_different_case),
711 : cmocka_unit_test(test_composite_different_order_with_dupes),
712 : cmocka_unit_test(test_composite_different_order_with_dupes_in_composite),
713 : cmocka_unit_test(test_more_values_not_equal),
714 : };
715 1 : if (isatty(1)) {
716 : /*
717 : * interactive testers can set debug level
718 : * -- just give it a number.
719 : */
720 0 : int debug_level = DBGLVL_WARNING;
721 0 : if (argc > 1) {
722 0 : debug_level = atoi(argv[1]);
723 : }
724 0 : debuglevel_set(debug_level);
725 :
726 : } else {
727 1 : cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
728 : }
729 1 : return cmocka_run_group_tests(tests, NULL, NULL);
730 : }
|
