| Index: sandbox/win/src/restricted_token_unittest.cc
|
| diff --git a/sandbox/win/src/restricted_token_unittest.cc b/sandbox/win/src/restricted_token_unittest.cc
|
| index 8186f9c77c436e3008e2f54c0ed1f149c73573f1..fca1a079750df0e5048e1d47ee3050f01578c745 100644
|
| --- a/sandbox/win/src/restricted_token_unittest.cc
|
| +++ b/sandbox/win/src/restricted_token_unittest.cc
|
| @@ -8,6 +8,8 @@
|
| #include <atlbase.h>
|
| #include <atlsecurity.h>
|
| #include <vector>
|
| +
|
| +#include "base/win/scoped_handle.h"
|
| #include "sandbox/win/src/restricted_token.h"
|
| #include "sandbox/win/src/sid.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
| @@ -38,12 +40,12 @@ TEST(RestrictedTokenTest, DefaultInit) {
|
|
|
| // Get the handle to the restricted token.
|
|
|
| - HANDLE restricted_token_handle = NULL;
|
| + base::win::ScopedHandle restricted_token_handle;
|
| ASSERT_EQ(ERROR_SUCCESS,
|
| - token_default.GetRestrictedTokenHandle(&restricted_token_handle));
|
| + token_default.GetRestrictedToken(&restricted_token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(restricted_token_handle);
|
| + restricted_token.Attach(restricted_token_handle.Take());
|
|
|
| ATL::CSid sid_user_restricted;
|
| ATL::CSid sid_user_default;
|
| @@ -80,12 +82,12 @@ TEST(RestrictedTokenTest, CustomInit) {
|
|
|
| // Get the handle to the restricted token.
|
|
|
| - HANDLE restricted_token_handle = NULL;
|
| + base::win::ScopedHandle restricted_token_handle;
|
| ASSERT_EQ(ERROR_SUCCESS,
|
| - token.GetRestrictedTokenHandle(&restricted_token_handle));
|
| + token.GetRestrictedToken(&restricted_token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(restricted_token_handle);
|
| + restricted_token.Attach(restricted_token_handle.Take());
|
|
|
| ATL::CSid sid_restricted;
|
| ATL::CSid sid_default;
|
| @@ -104,14 +106,14 @@ TEST(RestrictedTokenTest, ResultToken) {
|
| ASSERT_EQ(ERROR_SUCCESS,
|
| token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
|
|
|
| - HANDLE restricted_token;
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&restricted_token));
|
| + base::win::ScopedHandle restricted_token;
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&restricted_token));
|
|
|
| - ASSERT_TRUE(::IsTokenRestricted(restricted_token));
|
| + ASSERT_TRUE(::IsTokenRestricted(restricted_token.Get()));
|
|
|
| DWORD length = 0;
|
| TOKEN_TYPE type;
|
| - ASSERT_TRUE(::GetTokenInformation(restricted_token,
|
| + ASSERT_TRUE(::GetTokenInformation(restricted_token.Get(),
|
| ::TokenType,
|
| &type,
|
| sizeof(type),
|
| @@ -119,22 +121,19 @@ TEST(RestrictedTokenTest, ResultToken) {
|
|
|
| ASSERT_EQ(type, TokenPrimary);
|
|
|
| - HANDLE impersonation_token;
|
| + base::win::ScopedHandle impersonation_token;
|
| ASSERT_EQ(ERROR_SUCCESS,
|
| - token.GetRestrictedTokenHandleForImpersonation(&impersonation_token));
|
| + token.GetRestrictedTokenForImpersonation(&impersonation_token));
|
|
|
| - ASSERT_TRUE(::IsTokenRestricted(impersonation_token));
|
| + ASSERT_TRUE(::IsTokenRestricted(impersonation_token.Get()));
|
|
|
| - ASSERT_TRUE(::GetTokenInformation(impersonation_token,
|
| + ASSERT_TRUE(::GetTokenInformation(impersonation_token.Get(),
|
| ::TokenType,
|
| &type,
|
| sizeof(type),
|
| &length));
|
|
|
| ASSERT_EQ(type, TokenImpersonation);
|
| -
|
| - ::CloseHandle(impersonation_token);
|
| - ::CloseHandle(restricted_token);
|
| }
|
|
|
| // Verifies that the token created has "Restricted" in its default dacl.
|
| @@ -145,11 +144,11 @@ TEST(RestrictedTokenTest, DefaultDacl) {
|
| ASSERT_EQ(ERROR_SUCCESS,
|
| token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
|
|
|
| - HANDLE handle;
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&handle));
|
| + base::win::ScopedHandle handle;
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(handle);
|
| + restricted_token.Attach(handle.Take());
|
|
|
| ATL::CDacl dacl;
|
| ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));
|
| @@ -173,14 +172,14 @@ TEST(RestrictedTokenTest, DefaultDacl) {
|
| // Tests the method "AddSidForDenyOnly".
|
| TEST(RestrictedTokenTest, DenySid) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddSidForDenyOnly(Sid(WinWorldSid)));
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenGroups groups;
|
| ASSERT_TRUE(restricted_token.GetGroups(&groups));
|
| @@ -200,14 +199,14 @@ TEST(RestrictedTokenTest, DenySid) {
|
| // Tests the method "AddAllSidsForDenyOnly".
|
| TEST(RestrictedTokenTest, DenySids) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(NULL));
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenGroups groups;
|
| ASSERT_TRUE(restricted_token.GetGroups(&groups));
|
| @@ -229,17 +228,17 @@ TEST(RestrictedTokenTest, DenySids) {
|
| // Tests the method "AddAllSidsForDenyOnly" using an exception list.
|
| TEST(RestrictedTokenTest, DenySidsException) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| std::vector<Sid> sids_exception;
|
| sids_exception.push_back(Sid(WinWorldSid));
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(&sids_exception));
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenGroups groups;
|
| ASSERT_TRUE(restricted_token.GetGroups(&groups));
|
| @@ -265,14 +264,14 @@ TEST(RestrictedTokenTest, DenySidsException) {
|
| // Tests test method AddOwnerSidForDenyOnly.
|
| TEST(RestrictedTokenTest, DenyOwnerSid) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly());
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenGroups groups;
|
| ASSERT_TRUE(restricted_token.GetGroups(&groups));
|
| @@ -295,22 +294,23 @@ TEST(RestrictedTokenTest, DenyOwnerSid) {
|
| // Tests test method AddOwnerSidForDenyOnly with a custom effective token.
|
| TEST(RestrictedTokenTest, DenyOwnerSidCustom) {
|
| // Get the current process token.
|
| - HANDLE token_handle = INVALID_HANDLE_VALUE;
|
| + HANDLE access_handle = INVALID_HANDLE_VALUE;
|
| ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
|
| - &token_handle));
|
| + &access_handle));
|
|
|
| - ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);
|
| + ASSERT_NE(INVALID_HANDLE_VALUE, access_handle);
|
|
|
| ATL::CAccessToken access_token;
|
| - access_token.Attach(token_handle);
|
| + access_token.Attach(access_handle);
|
|
|
| RestrictedToken token;
|
| + base::win::ScopedHandle token_handle;
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly());
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenGroups groups;
|
| ASSERT_TRUE(restricted_token.GetGroups(&groups));
|
| @@ -333,14 +333,14 @@ TEST(RestrictedTokenTest, DenyOwnerSidCustom) {
|
| // Tests the method DeleteAllPrivileges.
|
| TEST(RestrictedTokenTest, DeleteAllPrivileges) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(NULL));
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenPrivileges privileges;
|
| ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
|
| @@ -351,17 +351,17 @@ TEST(RestrictedTokenTest, DeleteAllPrivileges) {
|
| // Tests the method DeleteAllPrivileges with an exception list.
|
| TEST(RestrictedTokenTest, DeleteAllPrivilegesException) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| std::vector<base::string16> exceptions;
|
| exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(&exceptions));
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenPrivileges privileges;
|
| ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
|
| @@ -381,14 +381,14 @@ TEST(RestrictedTokenTest, DeleteAllPrivilegesException) {
|
| // Tests the method DeletePrivilege.
|
| TEST(RestrictedTokenTest, DeletePrivilege) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME));
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenPrivileges privileges;
|
| ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
|
| @@ -441,15 +441,15 @@ void CheckRestrictingSid(const ATL::CAccessToken &restricted_token,
|
| // Tests the method AddRestrictingSid.
|
| TEST(RestrictedTokenTest, AddRestrictingSid) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS,
|
| token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1);
|
| }
|
| @@ -457,14 +457,14 @@ TEST(RestrictedTokenTest, AddRestrictingSid) {
|
| // Tests the method AddRestrictingSidCurrentUser.
|
| TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
| ATL::CSid user;
|
| restricted_token.GetUser(&user);
|
|
|
| @@ -474,22 +474,23 @@ TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) {
|
| // Tests the method AddRestrictingSidCurrentUser with a custom effective token.
|
| TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) {
|
| // Get the current process token.
|
| - HANDLE token_handle = INVALID_HANDLE_VALUE;
|
| + HANDLE access_handle = INVALID_HANDLE_VALUE;
|
| ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
|
| - &token_handle));
|
| + &access_handle));
|
|
|
| - ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);
|
| + ASSERT_NE(INVALID_HANDLE_VALUE, access_handle);
|
|
|
| ATL::CAccessToken access_token;
|
| - access_token.Attach(token_handle);
|
| + access_token.Attach(access_handle);
|
|
|
| RestrictedToken token;
|
| + base::win::ScopedHandle token_handle;
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
| ATL::CSid user;
|
| restricted_token.GetUser(&user);
|
|
|
| @@ -499,14 +500,14 @@ TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) {
|
| // Tests the method AddRestrictingSidLogonSession.
|
| TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession());
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
| ATL::CSid session;
|
| restricted_token.GetLogonSid(&session);
|
|
|
| @@ -516,17 +517,17 @@ TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) {
|
| // Tests adding a lot of restricting sids.
|
| TEST(RestrictedTokenTest, AddMultipleRestrictingSids) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession());
|
| ASSERT_EQ(ERROR_SUCCESS,
|
| token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
| ATL::CSid session;
|
| restricted_token.GetLogonSid(&session);
|
|
|
| @@ -548,14 +549,14 @@ TEST(RestrictedTokenTest, AddMultipleRestrictingSids) {
|
| // Tests the method "AddRestrictingSidAllSids".
|
| TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) {
|
| RestrictedToken token;
|
| - HANDLE token_handle = NULL;
|
| + base::win::ScopedHandle token_handle;
|
|
|
| ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));
|
| ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidAllSids());
|
| - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));
|
| + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle));
|
|
|
| ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(token_handle);
|
| + restricted_token.Attach(token_handle.Take());
|
|
|
| ATL::CTokenGroups groups;
|
| ASSERT_TRUE(restricted_token.GetGroups(&groups));
|
|
|
Chromium Code Reviews
Issue 1232963002:
Sandbox: Make CreateRestrictedToken return a ScopedHandle. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master