diff options
Diffstat (limited to 'auth/credentials/tests')
| -rwxr-xr-x | auth/credentials/tests/bind.py | 261 | ||||
| -rw-r--r-- | auth/credentials/tests/test_creds.c | 349 |
2 files changed, 610 insertions, 0 deletions
diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py new file mode 100755 index 0000000..ce81b73 --- /dev/null +++ b/auth/credentials/tests/bind.py @@ -0,0 +1,261 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# This is unit with tests for LDAP access checks + +import optparse +import sys +import base64 +import copy + +sys.path.insert(0, "bin/python") +import samba +from samba.tests.subunitrun import SubunitOptions, TestProgram + +import samba.getopt as options + +from ldb import SCOPE_BASE, SCOPE_SUBTREE, LdbError, ERR_INVALID_CREDENTIALS + +from samba import gensec +import samba.tests +from samba.tests import delete_force +from samba.credentials import Credentials + +def create_credential(lp, other): + c = Credentials() + c.guess(lp) + c.set_gensec_features(other.get_gensec_features()) + return c + +parser = optparse.OptionParser("bind [options] <host>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +subunitopts = SubunitOptions(parser) +parser.add_option_group(subunitopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) + +creds_machine = create_credential(lp, creds) +creds_virtual = create_credential(lp, creds) +creds_user1 = create_credential(lp, creds) +creds_user2 = create_credential(lp, creds) +creds_user3 = create_credential(lp, creds) +creds_user4 = create_credential(lp, creds) +creds_user5 = create_credential(lp, creds) +creds_user6 = create_credential(lp, creds) +creds_user7 = create_credential(lp, creds) + +class BindTests(samba.tests.TestCase): + + info_dc = None + + def setUp(self): + super(BindTests, self).setUp() + # fetch rootDSEs + + self.ldb = samba.tests.connect_samdb(host, credentials=creds, lp=lp, ldap_only=True) + + if self.info_dc is None: + res = self.ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + self.assertEqual(len(res), 1) + BindTests.info_dc = res[0] + # cache some of RootDSE props + self.schema_dn = self.info_dc["schemaNamingContext"][0] + self.domain_dn = self.info_dc["defaultNamingContext"][0] + self.config_dn = self.info_dc["configurationNamingContext"][0] + self.realm = self.info_dc["ldapServiceName"][0].split(b'@')[1].decode('utf-8') + self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn + self.virtual_user_dn = "CN=frednurk@%s,CN=Computers,%s" % (self.realm, self.domain_dn) + self.password = "P@ssw0rd" + self.username = "BindTestUser" + + def tearDown(self): + delete_force(self.ldb, self.virtual_user_dn) + super(BindTests, self).tearDown() + + def test_virtual_email_account_style_bind(self): + # create a user in the style often deployed for authentication + # of virtual email account at a hosting provider + # + # The userPrincipalName must not match the samAccountName for + # this test to detect when the LDAP DN is being double-parsed + # but must be in the user@realm style to allow the account to + # be created + try: + self.ldb.add_ldif(""" +dn: """ + self.virtual_user_dn + """ +cn: frednurk@""" + self.realm + """ +displayName: Fred Nurk +sAMAccountName: frednurk@""" + self.realm + """ +userPrincipalName: frednurk@NOT.""" + self.realm + """ +countryCode: 0 +objectClass: computer +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: user +""") + except LdbError as e: + (num, msg) = e.args + self.fail(f"Failed to create e-mail user: {msg}") + + self.addCleanup(delete_force, self.ldb, self.virtual_user_dn) + try: + self.ldb.modify_ldif(""" +dn: """ + self.virtual_user_dn + """ +changetype: modify +replace: unicodePwd +unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """ +""") + except LdbError as e: + (num, msg) = e.args + self.fail(f"Failed to set password on e-mail user: {msg}") + + self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn) + + # do a simple bind and search with the machine account + creds_virtual.set_bind_dn(self.virtual_user_dn) + creds_virtual.set_password(self.password) + print("BindTest with: " + creds_virtual.get_bind_dn()) + try: + ldb_virtual = samba.tests.connect_samdb(host, credentials=creds_virtual, + lp=lp, ldap_only=True) + except LdbError as e: + (num, msg) = e.args + if num != ERR_INVALID_CREDENTIALS: + raise + self.fail(msg) + + res = ldb_virtual.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + def test_computer_account_bind(self): + # create a computer acocount for the test + delete_force(self.ldb, self.computer_dn) + self.ldb.add_ldif(""" +dn: """ + self.computer_dn + """ +cn: CENTOS53 +displayName: CENTOS53$ +name: CENTOS53 +sAMAccountName: CENTOS53$ +countryCode: 0 +objectClass: computer +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: user +codePage: 0 +userAccountControl: 4096 +dNSHostName: centos53.alabala.test +operatingSystemVersion: 5.2 (3790) +operatingSystem: Windows Server 2003 +""") + self.ldb.modify_ldif(""" +dn: """ + self.computer_dn + """ +changetype: modify +replace: unicodePwd +unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """ +""") + + # do a simple bind and search with the machine account + creds_machine.set_bind_dn(self.computer_dn) + creds_machine.set_password(self.password) + print("BindTest with: " + creds_machine.get_bind_dn()) + ldb_machine = samba.tests.connect_samdb(host, credentials=creds_machine, + lp=lp, ldap_only=True) + res = ldb_machine.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + def test_user_account_bind(self): + # create user + self.ldb.newuser(username=self.username, password=self.password) + ldb_res = self.ldb.search(base=self.domain_dn, + scope=SCOPE_SUBTREE, + expression="(samAccountName=%s)" % self.username, + attrs=["objectSid"]) + self.assertEqual(len(ldb_res), 1) + user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) + + # do a simple bind and search with the user account in format user@realm + creds_user1.set_bind_dn(self.username + "@" + creds.get_realm()) + creds_user1.set_password(self.password) + print("BindTest with: " + creds_user1.get_bind_dn()) + ldb_user1 = samba.tests.connect_samdb(host, credentials=creds_user1, + lp=lp, ldap_only=True) + res = ldb_user1.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the user account in format domain\user + creds_user2.set_bind_dn(creds.get_domain() + "\\" + self.username) + creds_user2.set_password(self.password) + print("BindTest with: " + creds_user2.get_bind_dn()) + ldb_user2 = samba.tests.connect_samdb(host, credentials=creds_user2, + lp=lp, ldap_only=True) + res = ldb_user2.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the user account DN + creds_user3.set_bind_dn(str(user_dn)) + creds_user3.set_password(self.password) + print("BindTest with: " + creds_user3.get_bind_dn()) + ldb_user3 = samba.tests.connect_samdb(host, credentials=creds_user3, + lp=lp, ldap_only=True) + res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the user account SID + creds_user5.set_bind_dn(self.ldb.schema_format_value("objectSid", ldb_res[0]["objectSid"][0]).decode('utf8')) + creds_user5.set_password(self.password) + print("BindTest with: " + creds_user5.get_bind_dn()) + ldb_user5 = samba.tests.connect_samdb(host, credentials=creds_user5, + lp=lp, ldap_only=True) + res = ldb_user5.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the canonical name + creds_user6.set_bind_dn(user_dn.canonical_str()) + creds_user6.set_password(self.password) + print("BindTest with: " + creds_user6.get_bind_dn()) + ldb_user6 = samba.tests.connect_samdb(host, credentials=creds_user6, + lp=lp, ldap_only=True) + res = ldb_user6.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + # do a simple bind and search with the extended canonical name + creds_user7.set_bind_dn(user_dn.canonical_ex_str()) + creds_user7.set_password(self.password) + print("BindTest with: " + creds_user7.get_bind_dn()) + ldb_user7 = samba.tests.connect_samdb(host, credentials=creds_user7, + lp=lp, ldap_only=True) + res = ldb_user7.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + def test_user_account_bind_no_domain(self): + # create user + self.ldb.newuser(username=self.username, password=self.password) + ldb_res = self.ldb.search(base=self.domain_dn, + scope=SCOPE_SUBTREE, + expression="(samAccountName=%s)" % self.username) + self.assertEqual(len(ldb_res), 1) + user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) + + creds_user4.set_username(self.username) + creds_user4.set_password(self.password) + creds_user4.set_domain('') + creds_user4.set_workstation('') + print("BindTest (no domain) with: " + self.username) + try: + ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4, + lp=lp, ldap_only=True) + except: + self.fail("Failed to connect without the domain set") + + res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + + +TestProgram(module=__name__, opts=subunitopts) diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c new file mode 100644 index 0000000..2cb2e6d --- /dev/null +++ b/auth/credentials/tests/test_creds.c @@ -0,0 +1,349 @@ +/* + * Unix SMB/CIFS implementation. + * + * Copyright (C) 2018-2019 Andreas Schneider <asn@samba.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include <stdarg.h> +#include <stddef.h> +#include <stdint.h> +#include <setjmp.h> +#include <cmocka.h> + +#include "lib/replace/replace.h" +#include "auth/credentials/credentials.c" + +static int setup_talloc_context(void **state) +{ + TALLOC_CTX *frame = talloc_stackframe(); + + *state = frame; + return 0; +} + +static int teardown_talloc_context(void **state) +{ + TALLOC_CTX *frame = *state; + TALLOC_FREE(frame); + return 0; +} + +static void torture_creds_init(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + const char *username = NULL; + const char *domain = NULL; + const char *password = NULL; + enum credentials_obtained dom_obtained = CRED_UNINITIALISED; + enum credentials_obtained usr_obtained = CRED_UNINITIALISED; + enum credentials_obtained pwd_obtained = CRED_UNINITIALISED; + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + assert_null(creds->username); + assert_int_equal(creds->username_obtained, CRED_UNINITIALISED); + + domain = cli_credentials_get_domain(creds); + assert_null(domain); + ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + domain = cli_credentials_get_domain(creds); + assert_string_equal(domain, "WURST"); + + domain = cli_credentials_get_domain_and_obtained(creds, + &dom_obtained); + assert_int_equal(dom_obtained, CRED_SPECIFIED); + assert_string_equal(domain, "WURST"); + + username = cli_credentials_get_username(creds); + assert_null(username); + ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + username = cli_credentials_get_username(creds); + assert_string_equal(username, "brot"); + + username = cli_credentials_get_username_and_obtained(creds, + &usr_obtained); + assert_int_equal(usr_obtained, CRED_SPECIFIED); + assert_string_equal(username, "brot"); + + password = cli_credentials_get_password(creds); + assert_null(password); + ok = cli_credentials_set_password(creds, "SECRET", CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + password = cli_credentials_get_password(creds); + assert_string_equal(password, "SECRET"); + + password = cli_credentials_get_password_and_obtained(creds, + &pwd_obtained); + assert_int_equal(pwd_obtained, CRED_SPECIFIED); + assert_string_equal(password, "SECRET"); + + /* Run dump to check it works */ + cli_credentials_dump(creds); +} + +static void torture_creds_init_anonymous(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + + creds = cli_credentials_init_anon(mem_ctx); + assert_non_null(creds); + + assert_string_equal(creds->domain, ""); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, ""); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_null(creds->password); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); +} + +static void torture_creds_guess(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + const char *env_user = getenv("USER"); + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + + setenv("PASSWD", "SECRET", 1); + ok = cli_credentials_guess(creds, NULL); + assert_true(ok); + + assert_string_equal(creds->username, env_user); + assert_int_equal(creds->username_obtained, CRED_GUESS_ENV); + + assert_string_equal(creds->password, "SECRET"); + assert_int_equal(creds->password_obtained, CRED_GUESS_ENV); + unsetenv("PASSWD"); +} + +static void torture_creds_anon_guess(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + bool ok; + + creds = cli_credentials_init_anon(mem_ctx); + assert_non_null(creds); + + setenv("PASSWD", "SECRET", 1); + ok = cli_credentials_guess(creds, NULL); + assert_true(ok); + + assert_string_equal(creds->username, ""); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_null(creds->password); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + unsetenv("PASSWD"); +} + +static void torture_creds_parse_string(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + + /* Anonymous */ + cli_credentials_parse_string(creds, "%", CRED_SPECIFIED); + + assert_string_equal(creds->domain, ""); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, ""); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_null(creds->password); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + + /* Username + password */ + cli_credentials_parse_string(creds, "wurst%BROT", CRED_SPECIFIED); + + assert_string_equal(creds->domain, ""); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, "wurst"); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->password, "BROT"); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + + /* Domain + username + password */ + cli_credentials_parse_string(creds, "XXL\\wurst%BROT", CRED_SPECIFIED); + + assert_string_equal(creds->domain, "XXL"); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, "wurst"); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->password, "BROT"); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); + + /* Principal */ + cli_credentials_parse_string(creds, "wurst@brot.realm", CRED_SPECIFIED); + + assert_string_equal(creds->domain, ""); + assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->username, "wurst@brot.realm"); + assert_int_equal(creds->username_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->principal, "wurst@brot.realm"); + assert_int_equal(creds->principal_obtained, CRED_SPECIFIED); + + assert_string_equal(creds->password, "BROT"); + assert_int_equal(creds->password_obtained, CRED_SPECIFIED); +} + +static void torture_creds_krb5_state(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + struct loadparm_context *lp_ctx = NULL; + bool ok; + + lp_ctx = loadparm_init_global(true); + assert_non_null(lp_ctx); + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + + ok = cli_credentials_set_conf(creds, lp_ctx); + assert_true(ok); + assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + + ok = cli_credentials_guess(creds, lp_ctx); + assert_true(ok); + assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE); + assert_non_null(creds->ccache); + + ok = cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED); + + ok = cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_DISABLED, + CRED_SMB_CONF); + assert_false(ok); + assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED); + assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED); + +} + +static void torture_creds_gensec_feature(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + assert_int_equal(creds->gensec_features_obtained, CRED_UNINITIALISED); + assert_int_equal(creds->gensec_features, 0); + + ok = cli_credentials_set_gensec_features(creds, + GENSEC_FEATURE_SIGN, + CRED_SPECIFIED); + assert_true(ok); + assert_int_equal(creds->gensec_features_obtained, CRED_SPECIFIED); + assert_int_equal(creds->gensec_features, GENSEC_FEATURE_SIGN); + + ok = cli_credentials_set_gensec_features(creds, + GENSEC_FEATURE_SEAL, + CRED_SMB_CONF); + assert_false(ok); + assert_int_equal(creds->gensec_features_obtained, CRED_SPECIFIED); + assert_int_equal(creds->gensec_features, GENSEC_FEATURE_SIGN); +} + +static const char *torture_get_password(struct cli_credentials *creds) +{ + return talloc_strdup(creds, "SECRET"); +} + +static void torture_creds_password_callback(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + const char *password = NULL; + enum credentials_obtained pwd_obtained = CRED_UNINITIALISED; + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + + ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED); + assert_true(ok); + ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED); + assert_true(ok); + + ok = cli_credentials_set_password_callback(creds, torture_get_password); + assert_true(ok); + assert_int_equal(creds->password_obtained, CRED_CALLBACK); + + password = cli_credentials_get_password_and_obtained(creds, + &pwd_obtained); + assert_int_equal(pwd_obtained, CRED_CALLBACK_RESULT); + assert_string_equal(password, "SECRET"); +} + +int main(int argc, char *argv[]) +{ + int rc; + const struct CMUnitTest tests[] = { + cmocka_unit_test(torture_creds_init), + cmocka_unit_test(torture_creds_init_anonymous), + cmocka_unit_test(torture_creds_guess), + cmocka_unit_test(torture_creds_anon_guess), + cmocka_unit_test(torture_creds_parse_string), + cmocka_unit_test(torture_creds_krb5_state), + cmocka_unit_test(torture_creds_gensec_feature), + cmocka_unit_test(torture_creds_password_callback) + }; + + if (argc == 2) { + cmocka_set_test_filter(argv[1]); + } + cmocka_set_message_output(CM_OUTPUT_SUBUNIT); + + rc = cmocka_run_group_tests(tests, + setup_talloc_context, + teardown_talloc_context); + + return rc; +} |