Re: [PATCH 3/3] advapi32/tests: Test GetTokenInformation with TokenIntegrityLevel
On 7/29/2012 02:24, Detlef Riekenberg wrote:
-- By by ... Detlef --- dlls/advapi32/tests/security.c | 99 ++++++++++++++++++++++++++++++++++++++-- 1 files changed, 94 insertions(+), 5 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 28e43ec..93bbc62 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -167,6 +167,8 @@ static void init(void)
 pSetSecurityDescriptorControl = (void *)GetProcAddress(hmod, "SetSecurityDescriptorControl");
 pGetSecurityInfo = (void *)GetProcAddress(hmod, "GetSecurityInfo");
 pCreateRestrictedToken = (void *)GetProcAddress(hmod, "CreateRestrictedToken");
+ pConvertSidToStringSidA = (void *)GetProcAddress( hmod, "ConvertSidToStringSidA" );
+ pConvertStringSidToSidA = (void *)GetProcAddress( hmod, "ConvertStringSidToSidA" );
myARGC = winetest_get_mainargs( &myARGV );
 }
@@ -211,12 +213,11 @@ static void test_sid(void)
 BOOL r;
 LPSTR str = NULL;
- pConvertSidToStringSidA = (void *)GetProcAddress( hmod, "ConvertSidToStringSidA" );
- if( !pConvertSidToStringSidA )
- return;
- pConvertStringSidToSidA = (void *)GetProcAddress( hmod, "ConvertStringSidToSidA" );
- if( !pConvertStringSidToSidA )
+ if( !pConvertSidToStringSidA || !pConvertStringSidToSidA )
+ {
+ skip("ConvertSidToStringSidA or ConvertStringSidToSidA not available\n");
 return;
+ }
r = pConvertStringSidToSidA( NULL, NULL );
 ok( !r, "expected failure with NULL parameters\n" );
@@ -4274,6 +4275,93 @@ static void test_kernel_objects_security(void)
 CloseHandle(token);
 }
+static void test_TokenIntegrityLevel(void)
+{
+ TOKEN_MANDATORY_LABEL *tml;
+ UCHAR expected_authority[] = SECURITY_MANDATORY_LABEL_AUTHORITY;
+ HANDLE token;
+ DWORD size;
+ DWORD res;
+ LPVOID buffer = NULL;
+ char *sidname = NULL;
+ ULONG level;
+ SID *psid;
+
+ if(!pConvertSidToStringSidA)
+ {
+ skip("ConvertSidToStringSidA not available\n");
+ return;
+ }
+
+ SetLastError(0xdeadbeef);
+ res = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
+ ok(res, "got %d with %d (expected TRUE)\n", res, GetLastError());
+ if (!res)
+ return;
+
+ SetLastError(0xdeadbeef);
+ res = GetTokenInformation(token, TokenIntegrityLevel, NULL, 0, &size);
+
+ /* not supported before Vista */
+ if (!res && (GetLastError() == ERROR_INVALID_PARAMETER))
+ {
+ skip("TokenIntegrityLevel not supported\n");
+ CloseHandle(token);
+ return;
+ }
+
+ if (!res && (GetLastError() == ERROR_INSUFFICIENT_BUFFER))
+ {
+ buffer = HeapAlloc(GetProcessHeap(), 0, size * 2);
+ SetLastError(0xdeadbeef);
+ res = GetTokenInformation(token, TokenIntegrityLevel, buffer, size, &size);
+ }
You don't need that, buffer size is fixed for this case.
+
+ ok(res, "got %d with %d (expected TRUE)\n", res, GetLastError());
+
+ if (!res || !buffer)
+ goto cleanup;
+
+ tml = buffer;
+
+ psid = tml->Label.Sid;
+ ok(psid != NULL, "Label.Sid: NULL\n");
+ if (!psid)
+ goto cleanup;
+
+ ok(tml->Label.Attributes == (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED),
+ "got 0x%x (expected 0x%x)\n", tml->Label.Attributes, (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED));
Attributes value probably depends on system setup, I believe you can disable all that intergity level stuff. If it doesn't currently fail on testbot let's keep it that way for now.
+
+ res = pConvertSidToStringSidA(psid, &sidname);
+ trace("sid: %s\n", sidname);
+ LocalFree(sidname);
+
+ ok(psid->Revision == 1, "got Revision %d (expected 1)\n", psid->Revision);
+ ok(psid->SubAuthorityCount == 1, "got SubAuthorityCount %d (expected 1)\n", psid->SubAuthorityCount);
+ ok(!memcmp(psid->IdentifierAuthority.Value, expected_authority, sizeof(expected_authority)),
+ "got IdentifierAuthority %d, %d, %d, %d, %d, %d (expected 0,0,0,0,0,16)\n",
+ psid->IdentifierAuthority.Value[0], psid->IdentifierAuthority.Value[1],
+ psid->IdentifierAuthority.Value[2], psid->IdentifierAuthority.Value[3],
+ psid->IdentifierAuthority.Value[4], psid->IdentifierAuthority.Value[5]);
+
+ level = psid->SubAuthority[0];
+ ok((level == SECURITY_MANDATORY_MEDIUM_RID) || (level == SECURITY_MANDATORY_HIGH_RID),
+ "got level 0x%x (expected 0x%x or 0x%x)\n", level, SECURITY_MANDATORY_MEDIUM_RID, SECURITY_MANDATORY_HIGH_RID);
All this mess should be replaced with EqualSid()
+
+ SetLastError(0xdeadbeef);
+ res = GetTokenInformation(token, TokenIntegrityLevel, buffer, size - 1, &size);
+ ok(!res && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
+ "got %d and %u (expected FALSE and ERROR_INSUFFICIENT_BUFFER)\n", res, GetLastError());
Doesn't make much sense, behaviour is not specific to TokenIntegrityLevel.
+
+ SetLastError(0xdeadbeef);
+ res = GetTokenInformation(token, TokenIntegrityLevel, buffer, size + 1, &size);
+ ok(res, "got %d and %u (expected TRUE)\n", res, GetLastError());
Same here.
+
+cleanup:
+ HeapFree(GetProcessHeap(), 0, buffer);
+ CloseHandle(token);
+}
+
 START_TEST(security)
 {
 init();
@@ -4311,4 +4399,5 @@ START_TEST(security)
 test_GetUserNameA();
 test_GetUserNameW();
 test_CreateRestrictedToken();
+ test_TokenIntegrityLevel();
 }
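Review bot: The result of `pConvertSidToStringSidA(psid, &sidname)` in the new test_TokenIntegrityLevel is stored in `res` but never checked, so on failure `sidname` stays NULL and is handed to `trace("sid: %s\n", sidname)`. Assert the call and print only on success, e.g. `ok(res, "ConvertSidToStringSidA failed with %u\n", GetLastError());` followed by `if (res) trace("sid: %s\n", sidname);`. Since the string form is only traced, the early `skip` on a missing ConvertSidToStringSidA also drops every TokenIntegrityLevel check; guarding just the trace would keep that coverage. Separately, the accepted levels are only medium and high, so the test would presumably report a failure when run from a low-integrity or system-integrity process.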
Nikolay Sivov