Diffstat (limited to 'security/sandbox/chromium/sandbox/win/src/sid_unittest.cc')
-rw-r--r-- | security/sandbox/chromium/sandbox/win/src/sid_unittest.cc | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/security/sandbox/chromium/sandbox/win/src/sid_unittest.cc b/security/sandbox/chromium/sandbox/win/src/sid_unittest.cc
new file mode 100644
index 0000000000..81186cd0be
--- /dev/null
+++ b/security/sandbox/chromium/sandbox/win/src/sid_unittest.cc
@@ -0,0 +1,182 @@
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// This file contains unit tests for the sid class.
+
+#include "sandbox/win/src/sid.h"
+
+#include <sddl.h>
+
+#include "base/win/atl.h"
+#include "base/win/windows_version.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace sandbox {
+
+namespace {
+
+bool EqualSid(const Sid& sid, const ATL::CSid& compare_sid) {
+ if (!sid.IsValid())
+ return false;
+ return !!::EqualSid(sid.GetPSID(), const_cast<SID*>(compare_sid.GetPSID()));
+}
+
+bool EqualSid(const Sid& sid, const wchar_t* sddl_sid) {
+ PSID compare_sid;
+ if (!sid.IsValid())
+ return false;
+ if (!::ConvertStringSidToSid(sddl_sid, &compare_sid))
+ return false;
+ bool equal = !!::EqualSid(sid.GetPSID(), compare_sid);
+ ::LocalFree(compare_sid);
+ return equal;
+}
+
+struct KnownCapabilityTestEntry {
+ WellKnownCapabilities capability;
+ const wchar_t* sddl_sid;
+};
+
+struct NamedCapabilityTestEntry {
+ const wchar_t* capability_name;
+ const wchar_t* sddl_sid;
+};
+
+} // namespace
+
+// Tests the creation of a Sid.
+TEST(SidTest, Constructors) {
+ ATL::CSid sid_world = ATL::Sids::World();
+ PSID sid_world_pointer = const_cast<SID*>(sid_world.GetPSID());
+
+ // Check the SID* constructor.
+ Sid sid_sid_star(sid_world_pointer);
+ ASSERT_TRUE(EqualSid(sid_sid_star, sid_world));
+
+ // Check the copy constructor.
+ Sid sid_copy(sid_sid_star);
+ ASSERT_TRUE(EqualSid(sid_copy, sid_world));
+
+ Sid sid_sddl = Sid::FromSddlString(L"S-1-1-0");
+ ASSERT_TRUE(sid_sddl.IsValid());
+ ASSERT_TRUE(EqualSid(sid_sddl, sid_world));
+
+ Sid sid_sddl_invalid = Sid::FromSddlString(L"X-1-1-0");
+ ASSERT_FALSE(sid_sddl_invalid.IsValid());
+
+ Sid sid_sddl_empty = Sid::FromSddlString(L"");
+ ASSERT_FALSE(sid_sddl_empty.IsValid());
+
+ // Note that the WELL_KNOWN_SID_TYPE constructor is tested in the GetPSID
+ // test. AppContainer related constructors are tested in AppContainer.
+}
+
+// Tests the method GetPSID
+TEST(SidTest, GetPSID) {
+ // Check for non-null result;
+ ASSERT_NE(nullptr, Sid(::WinLocalSid).GetPSID());
+ ASSERT_NE(nullptr, Sid(::WinCreatorOwnerSid).GetPSID());
+ ASSERT_NE(nullptr, Sid(::WinBatchSid).GetPSID());
+
+ ASSERT_TRUE(EqualSid(Sid(::WinNullSid), ATL::Sids::Null()));
+
+ ASSERT_TRUE(EqualSid(Sid(::WinWorldSid), ATL::Sids::World()));
+
+ ASSERT_TRUE(EqualSid(Sid(::WinDialupSid), ATL::Sids::Dialup()));
+
+ ASSERT_TRUE(EqualSid(Sid(::WinNetworkSid), ATL::Sids::Network()));
+
+ ASSERT_TRUE(
+ EqualSid(Sid(::WinBuiltinAdministratorsSid), ATL::Sids::Admins()));
+
+ ASSERT_TRUE(EqualSid(Sid(::WinBuiltinUsersSid), ATL::Sids::Users()));
+
+ ASSERT_TRUE(EqualSid(Sid(::WinBuiltinGuestsSid), ATL::Sids::Guests()));
+
+ ASSERT_TRUE(EqualSid(Sid(::WinProxySid), ATL::Sids::Proxy()));
+}
+
+TEST(SidTest, KnownCapability) {
+ if (base::win::GetVersion() < base::win::Version::WIN8)
+ return;
+
+ Sid sid_invalid_well_known =
+ Sid::FromKnownCapability(kMaxWellKnownCapability);
+ EXPECT_FALSE(sid_invalid_well_known.IsValid());
+
+ const KnownCapabilityTestEntry capabilities[] = {
+ {kInternetClient, L"S-1-15-3-1"},
+ {kInternetClientServer, L"S-1-15-3-2"},
+ {kPrivateNetworkClientServer, L"S-1-15-3-3"},
+ {kPicturesLibrary, L"S-1-15-3-4"},
+ {kVideosLibrary, L"S-1-15-3-5"},
+ {kMusicLibrary, L"S-1-15-3-6"},
+ {kDocumentsLibrary, L"S-1-15-3-7"},
+ {kEnterpriseAuthentication, L"S-1-15-3-8"},
+ {kSharedUserCertificates, L"S-1-15-3-9"},
+ {kRemovableStorage, L"S-1-15-3-10"},
+ {kAppointments, L"S-1-15-3-11"},
+ {kContacts, L"S-1-15-3-12"},
+ };
+
+ for (auto capability : capabilities) {
+ EXPECT_TRUE(EqualSid(Sid::FromKnownCapability(capability.capability),
+ capability.sddl_sid))
+ << "Known Capability: " << capability.sddl_sid;
+ }
+}
+
+TEST(SidTest, NamedCapability) {
+ if (base::win::GetVersion() < base::win::Version::WIN10)
+ return;
+
+ Sid sid_nullptr = Sid::FromNamedCapability(nullptr);
+ EXPECT_FALSE(sid_nullptr.IsValid());
+
+ Sid sid_empty = Sid::FromNamedCapability(L"");
+ EXPECT_FALSE(sid_empty.IsValid());
+
+ const NamedCapabilityTestEntry capabilities[] = {
+ {L"internetClient", L"S-1-15-3-1"},
+ {L"internetClientServer", L"S-1-15-3-2"},
+ {L"registryRead",
+ L"S-1-15-3-1024-1065365936-1281604716-3511738428-"
+ "1654721687-432734479-3232135806-4053264122-3456934681"},
+ {L"lpacCryptoServices",
+ L"S-1-15-3-1024-3203351429-2120443784-2872670797-"
+ "1918958302-2829055647-4275794519-765664414-2751773334"},
+ {L"enterpriseAuthentication", L"S-1-15-3-8"},
+ {L"privateNetworkClientServer", L"S-1-15-3-3"}};
+
+ for (auto capability : capabilities) {
+ EXPECT_TRUE(EqualSid(Sid::FromNamedCapability(capability.capability_name),
+ capability.sddl_sid))
+ << "Named Capability: " << capability.sddl_sid;
+ }
+}
+
+TEST(SidTest, Sddl) {
+ Sid sid_sddl = Sid::FromSddlString(L"S-1-1-0");
+ ASSERT_TRUE(sid_sddl.IsValid());
+ std::wstring sddl_str;
+ ASSERT_TRUE(sid_sddl.ToSddlString(&sddl_str));
+ ASSERT_EQ(L"S-1-1-0", sddl_str);
+}
+
+TEST(SidTest, SubAuthorities) {
+ DWORD world_subauthorities[] = {0};
+ SID_IDENTIFIER_AUTHORITY world_authority = {SECURITY_WORLD_SID_AUTHORITY};
+ Sid sid_world =
+ Sid::FromSubAuthorities(&world_authority, 1, world_subauthorities);
+ ASSERT_TRUE(EqualSid(sid_world, ATL::Sids::World()));
+ ASSERT_TRUE(Sid::FromSubAuthorities(&world_authority, 0, nullptr).IsValid());
+
+ DWORD admin_subauthorities[] = {32, 544};
+ SID_IDENTIFIER_AUTHORITY nt_authority = {SECURITY_NT_AUTHORITY};
+ Sid sid_admin =
+ Sid::FromSubAuthorities(&nt_authority, 2, admin_subauthorities);
+ ASSERT_TRUE(EqualSid(sid_admin, ATL::Sids::Admins()));
+}
+
+} // namespace sandbox |
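Review bot: `TEST(SidTest, KnownCapability)` and `TEST(SidTest, NamedCapability)` leave through a bare `return;` when the OS is older than WIN8 / WIN10, so on such builders the capability-SID checks are reported as passed without having run. If the vendored googletest provides it, `GTEST_SKIP() << "capability SIDs are not available on this Windows version";` in place of each `return;` would make the missing coverage of this sandbox primitive visible in the results. Separately, `TEST(SidTest, SubAuthorities)` exercises only counts 0, 1 and 2; a case just past the Windows limit, e.g. `EXPECT_FALSE(Sid::FromSubAuthorities(&world_authority, SID_MAX_SUB_AUTHORITIES + 1, oversized).IsValid());` with `oversized` a DWORD array of that length, would pin down how an over-long count is handled. sid.cc is not visible here, so the expected result of that boundary case should be confirmed against the implementation before it is asserted.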