Beispiel #1
0
        public void BVT_FilePermission_AccessAllow_UserSid()
        {
            _SID   sid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
            object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);

            SetSecurityDescriptorOnFile(ace);

            BaseTestSite.Assert.IsTrue(
                TryReadFile(),
                "ACCESS_ALLOWED_ACE with user SID ({0}) exists in file Security Descriptor. User should be able to read the file.",
                DtypUtility.ToSddlString(sid));
        }
Beispiel #2
0
        public void FolderPermission_AccessAllow_GroupSid()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azGroup01Name, testConfig.UserName, testConfig.UserPassword);
            object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);

            SetSecurityDescriptorOnShare(ace);

            BaseTestSite.Assert.IsTrue(
                AccessShare(),
                "ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.",
                DtypUtility.ToSddlString(sid));
        }
Beispiel #3
0
        public void FilePermission_AccessDeny_UserSidWithoutReadPermission()
        {
            _SID   sid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
            object ace = DtypUtility.CreateAccessAllowedAce(sid, 0, ACE_FLAGS.None); // 0 stands for non access mask flag set

            SetSecurityDescriptorOnFile(ace);

            BaseTestSite.Assert.IsFalse(
                TryReadFile(),
                "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to read the file.",
                DtypUtility.ToSddlString(sid));
        }
Beispiel #4
0
        public void FolderPermission_AccessDeny_UserSidWithoutReadPermission()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);
            object ace = DtypUtility.CreateAccessAllowedAce(sid, 0, ACE_FLAGS.None);

            SetSecurityDescriptorOnShare(ace);

            BaseTestSite.Assert.IsFalse(
                AccessShare(),
                "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to access the share.",
                DtypUtility.ToSddlString(sid));
        }
Beispiel #5
0
        public void BVT_FilePermission_AccessAllow_UserSid()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);
            object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);

            SetSecurityDescriptorOnFile(ace);

            BaseTestSite.Assert.IsTrue(
                TryReadFile(),
                "ACCESS_ALLOWED_ACE with user SID ({0}) exists in file Security Descriptor. User should be able to read the file.",
                DtypUtility.ToSddlString(sid));
        }
Beispiel #6
0
        public void BVT_SharePermission_AccessAllow_UserSid()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare01";
            }

            bool result = AccessShare(shareName);

            BaseTestSite.Assert.IsTrue(result, "ACCESS_ALLOWED_ACE with user SID ({0}) exists in folder Security Descriptor. User should be able to access the share.", DtypUtility.ToSddlString(sid));
        }
Beispiel #7
0
        public void SharePermission_AccessAllow_GroupSid()
        {
            _SID   sid = sutCommonControlAdapterAccessor.GetGroupSid(azGroup01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare02";
            }

            BaseTestSite.Assert.IsTrue(
                AccessShare(shareName),
                "ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.",
                DtypUtility.ToSddlString(sid));
        }
Beispiel #8
0
        public void SharePermission_CreateClose_DeleteFile_MaximalAccessNotIncludeDeleteOrGenericAll()
        {
            _SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

            if (!dynamicallyConfigurableShareExist)
            {
                BaseTestSite.Assert.Inconclusive("Required share: {0} does not exist!", dynamicallyConfigurableShareName);
            }
            object ace = DtypUtility.CreateAccessAllowedAce(sid, (DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL) & ~DtypUtility.ACCESS_MASK_DELETE, ACE_FLAGS.None);

            SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
            string shareName    = dynamicallyConfigurableShareName;
            string shareUncPath = Smb2Utility.GetUncPath(TestConfig.SutComputerName, shareName);

            Smb2FunctionalClient client = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);

            client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
            AccountCredential user = new AccountCredential(TestConfig.DomainName, azUser01Name, TestConfig.UserPassword);

            try
            {
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends NEGOTIATE message.");
                client.Negotiate(TestConfig.RequestDialects, TestConfig.IsSMB1NegotiateEnabled);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends SESSION_SETUP message using account: {0}@{1}.", user.AccountName, user.DomainName);
                client.SessionSetup(TestConfig.DefaultSecurityPackage, TestConfig.SutComputerName, user, false);

                uint treeId;
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends TREE_CONNECT message to access share: {0}.", shareUncPath);
                client.TreeConnect(shareUncPath, out treeId, checker: (header, response) =>
                {
                    BaseTestSite.Assert.IsTrue((response.MaximalAccess.ACCESS_MASK & (DtypUtility.ACCESS_MASK_DELETE | DtypUtility.ACCESS_MASK_GENERIC_ALL)) == 0,
                                               "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL.");
                });

                string fileName = GetTestFileName(shareUncPath);
                FILEID fileId;
                Smb2CreateContextResponse[] createContexResponse;
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create the file: {0}", fileName);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends CREATE request.");
                uint status = client.Create(
                    treeId,
                    fileName,
                    CreateOptions_Values.FILE_NON_DIRECTORY_FILE,
                    out fileId,
                    out createContexResponse,
                    accessMask: AccessMask.FILE_READ_DATA | AccessMask.FILE_WRITE_DATA | AccessMask.FILE_APPEND_DATA |
                    AccessMask.FILE_READ_ATTRIBUTES | AccessMask.FILE_READ_EA | AccessMask.FILE_WRITE_ATTRIBUTES |
                    AccessMask.FILE_WRITE_EA | AccessMask.READ_CONTROL | AccessMask.WRITE_DAC | AccessMask.SYNCHRONIZE, // Windows client behavior
                    shareAccess: ShareAccess_Values.NONE,
                    createDisposition: CreateDisposition_Values.FILE_CREATE);
                client.Close(treeId, fileId);

                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Delete the file: {0}", fileName);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends CREATE request with FILE_DELETE_ON_CLOSE flag set in CreateOptions .");
                status = client.Create(
                    treeId,
                    fileName,
                    CreateOptions_Values.FILE_NON_DIRECTORY_FILE | CreateOptions_Values.FILE_DELETE_ON_CLOSE,
                    out fileId,
                    out createContexResponse,
                    accessMask: AccessMask.DELETE | AccessMask.FILE_READ_ATTRIBUTES | AccessMask.SYNCHRONIZE, // Windows client behavior
                    shareAccess: ShareAccess_Values.FILE_SHARE_DELETE,
                    createDisposition: CreateDisposition_Values.FILE_OPEN,
                    checker: (header, response) =>
                {
                    if (TestConfig.Platform == Platform.NonWindows)
                    {
                        BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, header.Status,
                                                        "If the FILE_DELETE_ON_CLOSE flag is set in CreateOptions and " +
                                                        "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL, " +
                                                        "the server SHOULD fail the request with STATUS_ACCESS_DENIED");
                    }
                    else
                    {
                        BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_ACCESS_DENIED, header.Status,
                                                     "If the FILE_DELETE_ON_CLOSE flag is set in CreateOptions and " +
                                                     "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL, " +
                                                     "the server SHOULD fail the request with STATUS_ACCESS_DENIED");
                    }
                });

                client.TreeDisconnect(treeId);
                client.LogOff();
            }
            catch (Exception e)
            {
                BaseTestSite.Assert.Fail("Case failed due to: {0}", e.Message);
            }
            finally
            {
                client.Disconnect();
            }
        }