python/samba/tests/auth_log_ncalrpc.py

   1 # Unix SMB/CIFS implementation.
   2 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
   3 #
   4 # This program is free software; you can redistribute it and/or modify
   5 # it under the terms of the GNU General Public License as published by
   6 # the Free Software Foundation; either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU General Public License
  15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16 #
  17
  18 """Tests for the Auth and AuthZ logging.
  19 """
  20
  21 import samba.tests
  22 from samba.credentials import DONT_USE_KERBEROS
  23 from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
  24 from samba.dcerpc import samr
  25 import samba.tests.auth_log_base
  26 from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON
  27
  28
  29 class AuthLogTestsNcalrpc(samba.tests.auth_log_base.AuthLogTestBase):
  30
  31     def setUp(self):
  32         super(AuthLogTestsNcalrpc, self).setUp()
  33         self.remoteAddress = AS_SYSTEM_MAGIC_PATH_TOKEN
  34
  35     def tearDown(self):
  36         super(AuthLogTestsNcalrpc, self).tearDown()
  37
  38     def _test_rpc_ncaclrpc(self, authTypes, binding, creds,
  39                            protection, checkFunction):
  40
  41         def isLastExpectedMessage(msg):
  42             return (
  43                 msg["type"] == "Authorization" and
  44                 msg["Authorization"]["serviceDescription"]  == "DCE/RPC" and
  45                 msg["Authorization"]["authType"]            == authTypes[0] and
  46                 msg["Authorization"]["transportProtection"] == protection)
  47
  48         if binding:
  49             binding = "[%s]" % binding
  50
  51         samr.samr("ncalrpc:%s" % binding, self.get_loadparm(), creds)
  52         messages = self.waitForMessages(isLastExpectedMessage)
  53         checkFunction(messages, authTypes, protection)
  54
  55     def rpc_ncacn_np_ntlm_check(self, messages, authTypes, protection):
  56
  57         expected_messages = len(authTypes)
  58         self.assertEquals(expected_messages,
  59                           len(messages),
  60                           "Did not receive the expected number of messages")
  61
  62         # Check the first message it should be an Authorization
  63         msg = messages[0]
  64         self.assertEquals("Authorization", msg["type"])
  65         self.assertEquals("DCE/RPC",
  66                           msg["Authorization"]["serviceDescription"])
  67         self.assertEquals(authTypes[1], msg["Authorization"]["authType"])
  68         self.assertEquals("NONE", msg["Authorization"]["transportProtection"])
  69         self.assertTrue(self.is_guid(msg["Authorization"]["sessionId"]))
  70
  71         # Check the second message it should be an Authentication
  72         msg = messages[1]
  73         self.assertEquals("Authentication", msg["type"])
  74         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
  75         self.assertEquals("DCE/RPC",
  76                           msg["Authentication"]["serviceDescription"])
  77         self.assertEquals(authTypes[2],
  78                           msg["Authentication"]["authDescription"])
  79         self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
  80                           msg["Authentication"]["eventId"])
  81
  82     def test_ncalrpc_ntlm_dns_sign(self):
  83
  84         creds = self.insta_creds(template=self.get_credentials(),
  85                                  kerberos_state=DONT_USE_KERBEROS)
  86         self._test_rpc_ncaclrpc(["NTLMSSP",
  87                                  "ncalrpc",
  88                                  "NTLMSSP"],
  89                                 "", creds, "SIGN",
  90                                 self.rpc_ncacn_np_ntlm_check)
  91
  92     def test_ncalrpc_ntlm_dns_seal(self):
  93
  94         creds = self.insta_creds(template=self.get_credentials(),
  95                                  kerberos_state=DONT_USE_KERBEROS)
  96         self._test_rpc_ncaclrpc(["NTLMSSP",
  97                                  "ncalrpc",
  98                                  "NTLMSSP"],
  99                                 "seal", creds, "SEAL",
 100                                 self.rpc_ncacn_np_ntlm_check)