s4:torture/smb2: run smb2.session.reauth5 in a subdirectory

[ddiss/samba.git] / source4 / torture / smb2 / session.c

diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 516f1649bcd7dc9836e1c4e728197c0feb710a8e..9592b5ef8dcf4d30fcb390c8217a8a644dceec7c 100644 (file)
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -28,7 +28,8 @@
 #include "lib/cmdline/popt_common.h"
 #include "auth/credentials/credentials.h"
 #include "libcli/security/security.h"
-
+#include "libcli/resolve/resolve.h"
+#include "lib/param/param.h"
 
 #define CHECK_VAL(v, correct) do { \
        if ((v) != (correct)) { \
@@ -572,12 +573,16 @@ bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
 {
        NTSTATUS status;
        TALLOC_CTX *mem_ctx = talloc_new(tctx);
+       char dname[256];
        char fname[256];
        char fname2[256];
+       struct smb2_handle _dh1;
+       struct smb2_handle *dh1 = NULL;
        struct smb2_handle _h1;
        struct smb2_handle *h1 = NULL;
        struct smb2_create io1;
        bool ret = true;
+       bool ok;
        union smb_fileinfo qfinfo;
        union smb_setfileinfo sfinfo;
        struct cli_credentials *anon_creds = NULL;
@@ -586,15 +591,22 @@ bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
                                | SECINFO_DACL
                                | SECINFO_PROTECTED_DACL
                                | SECINFO_UNPROTECTED_DACL;
-       struct security_descriptor *sd1, *sd2;
+       struct security_descriptor *f_sd1, *f_sd2;
+       struct security_descriptor *d_sd1 = NULL;
        struct security_ace ace;
        struct dom_sid *extra_sid;
 
        /* Add some random component to the file name. */
-       snprintf(fname, 256, "session_reauth5_%s.dat",
+       snprintf(dname, 256, "session_reauth5_%s.d",
                 generate_random_str(tctx, 8));
+       snprintf(fname, 256, "%s\\file.dat", dname);
 
-       smb2_util_unlink(tree, fname);
+       ok = smb2_util_setup_dir(tctx, tree, dname);
+       CHECK_VAL(ok, true);
+
+       status = torture_smb2_testdir(tree, dname, &_dh1);
+       CHECK_STATUS(status, NT_STATUS_OK);
+       dh1 = &_dh1;
 
        smb2_oplock_create_share(&io1, fname,
                                 smb2_util_share_access(""),
@@ -618,7 +630,7 @@ bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
        status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
        CHECK_STATUS(status, NT_STATUS_OK);
 
-       sd1 = qfinfo.query_secdesc.out.sd;
+       f_sd1 = qfinfo.query_secdesc.out.sd;
 
        /* re-authenticate as anonymous */
 
@@ -632,8 +644,7 @@ bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
 
        /* try to rename the file: fails */
 
-       snprintf(fname2, 256, "session_reauth5.2_%s.dat",
-                generate_random_str(tctx, 8));
+       snprintf(fname2, 256, "%s\\file2.dat", dname);
 
        smb2_util_unlink(tree, fname2);
 
@@ -660,17 +671,17 @@ bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
        ZERO_STRUCT(ace);
        ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
        ace.flags = 0;
-       ace.access_mask = SEC_STD_ALL | SEC_FILE_ALL;
+       ace.access_mask = SEC_RIGHTS_FILE_ALL;
        ace.trustee = *extra_sid;
 
-       status = security_descriptor_dacl_add(sd1, &ace);
+       status = security_descriptor_dacl_add(f_sd1, &ace);
        CHECK_STATUS(status, NT_STATUS_OK);
 
        ZERO_STRUCT(sfinfo);
        sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
        sfinfo.set_secdesc.in.file.handle = _h1;
        sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
-       sfinfo.set_secdesc.in.sd = sd1;
+       sfinfo.set_secdesc.in.sd = f_sd1;
 
        status = smb2_setinfo_file(tree, &sfinfo);
        CHECK_STATUS(status, NT_STATUS_OK);
@@ -698,10 +709,60 @@ bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
 
        /* try to rename the file: fails */
 
-       snprintf(fname2, 256, "session_reauth3.2_%s.dat",
-                generate_random_str(tctx, 8));
+       ZERO_STRUCT(sfinfo);
+       sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
+       sfinfo.rename_information.in.file.handle = _h1;
+       sfinfo.rename_information.in.overwrite = true;
+       sfinfo.rename_information.in.new_name = fname2;
 
-       smb2_util_unlink(tree, fname2);
+       status = smb2_setinfo_file(tree, &sfinfo);
+       CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+
+       /* give full access on the parent dir to anonymous */
+
+       ZERO_STRUCT(qfinfo);
+
+       qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+       qfinfo.query_secdesc.in.file.handle = _dh1;
+       qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
+
+       status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+       CHECK_STATUS(status, NT_STATUS_OK);
+
+       d_sd1 = qfinfo.query_secdesc.out.sd;
+
+       ZERO_STRUCT(ace);
+       ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+       ace.flags = 0;
+       ace.access_mask = SEC_RIGHTS_FILE_ALL;
+       ace.trustee = *extra_sid;
+
+       status = security_descriptor_dacl_add(d_sd1, &ace);
+       CHECK_STATUS(status, NT_STATUS_OK);
+
+       ZERO_STRUCT(sfinfo);
+       sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+       sfinfo.set_secdesc.in.file.handle = _dh1;
+       sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
+       sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+       sfinfo.set_secdesc.in.sd = d_sd1;
+
+       status = smb2_setinfo_file(tree, &sfinfo);
+       CHECK_STATUS(status, NT_STATUS_OK);
+
+       ZERO_STRUCT(qfinfo);
+
+       qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+       qfinfo.query_secdesc.in.file.handle = _dh1;
+       qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
+
+       status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+       CHECK_STATUS(status, NT_STATUS_OK);
+
+       smb2_util_close(tree, _dh1);
+       dh1 = NULL;
+
+       /* try to rename the file: still fails */
 
        ZERO_STRUCT(sfinfo);
        sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
@@ -775,14 +836,17 @@ bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
        status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
        CHECK_STATUS(status, NT_STATUS_OK);
 
-       sd2 = qfinfo.query_secdesc.out.sd;
+       f_sd2 = qfinfo.query_secdesc.out.sd;
 
 done:
+       if (dh1 != NULL) {
+               smb2_util_close(tree, *dh1);
+       }
        if (h1 != NULL) {
                smb2_util_close(tree, *h1);
        }
 
-       smb2_util_unlink(tree, fname);
+       smb2_deltree(tree, dname);
 
        talloc_free(tree);
 
@@ -791,6 +855,119 @@ done:
        return ret;
 }
 
+static bool test_session_expire1(struct torture_context *tctx)
+{
+       NTSTATUS status;
+       bool ret = false;
+       struct smbcli_options options;
+       const char *host = torture_setting_string(tctx, "host", NULL);
+       const char *share = torture_setting_string(tctx, "share", NULL);
+       struct cli_credentials *credentials = cmdline_credentials;
+       struct smb2_tree *tree;
+       enum credentials_use_kerberos use_kerberos;
+       char fname[256];
+       struct smb2_handle _h1;
+       struct smb2_handle *h1 = NULL;
+       struct smb2_create io1;
+       union smb_fileinfo qfinfo;
+       size_t i;
+
+       use_kerberos = cli_credentials_get_kerberos_state(credentials);
+       if (use_kerberos != CRED_MUST_USE_KERBEROS) {
+               torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
+               torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
+       }
+
+       torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
+                                "please use -k yes");
+
+       lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
+
+       lpcfg_smbcli_options(tctx->lp_ctx, &options);
+
+       status = smb2_connect(tctx,
+                             host,
+                             lpcfg_smb_ports(tctx->lp_ctx),
+                             share,
+                             lpcfg_resolve_context(tctx->lp_ctx),
+                             credentials,
+                             &tree,
+                             tctx->ev,
+                             &options,
+                             lpcfg_socket_options(tctx->lp_ctx),
+                             lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+                             );
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_connect failed");
+
+       /* Add some random component to the file name. */
+       snprintf(fname, 256, "session_expire1_%s.dat",
+                generate_random_str(tctx, 8));
+
+       smb2_util_unlink(tree, fname);
+
+       smb2_oplock_create_share(&io1, fname,
+                                smb2_util_share_access(""),
+                                smb2_util_oplock_level("b"));
+       io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
+
+       status = smb2_create(tree, tctx, &io1);
+       CHECK_STATUS(status, NT_STATUS_OK);
+       _h1 = io1.out.file.handle;
+       h1 = &_h1;
+       CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+       CHECK_VAL(io1.out.oplock_level, smb2_util_oplock_level("b"));
+
+       /* get the security descriptor */
+
+       ZERO_STRUCT(qfinfo);
+
+       qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
+       qfinfo.access_information.in.file.handle = _h1;
+
+       for (i=0; i < 2; i++) {
+               torture_comment(tctx, "query info => OK\n");
+
+               ZERO_STRUCT(qfinfo.access_information.out);
+               status = smb2_getinfo_file(tree, tctx, &qfinfo);
+               CHECK_STATUS(status, NT_STATUS_OK);
+
+               torture_comment(tctx, "sleep 5 seconds\n");
+               smb_msleep(5*1000);
+
+               torture_comment(tctx, "query info => EXPIRED\n");
+               ZERO_STRUCT(qfinfo.access_information.out);
+               status = smb2_getinfo_file(tree, tctx, &qfinfo);
+               CHECK_STATUS(status, NT_STATUS_NETWORK_SESSION_EXPIRED);
+
+               /*
+                * the krb5 library may not handle expired creds
+                * well, lets start with an empty ccache.
+                */
+               cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
+               torture_comment(tctx, "reauth => OK\n");
+               status = smb2_session_setup_spnego(tree->session,
+                                                  credentials,
+                                                  0 /* previous_session_id */);
+               CHECK_STATUS(status, NT_STATUS_OK);
+       }
+
+       ZERO_STRUCT(qfinfo.access_information.out);
+       status = smb2_getinfo_file(tree, tctx, &qfinfo);
+       CHECK_STATUS(status, NT_STATUS_OK);
+
+       ret = true;
+done:
+       if (h1 != NULL) {
+               smb2_util_close(tree, *h1);
+       }
+
+       talloc_free(tree);
+       lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
+       return ret;
+}
+
 struct torture_suite *torture_smb2_session_init(void)
 {
        struct torture_suite *suite =
@@ -803,6 +980,7 @@ struct torture_suite *torture_smb2_session_init(void)
        torture_suite_add_1smb2_test(suite, "reauth3", test_session_reauth3);
        torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
        torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
+       torture_suite_add_simple_test(suite, "expire1", test_session_expire1);
 
        suite->description = talloc_strdup(suite, "SMB2-SESSION tests");