OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file contains unit tests for the RestrictedToken. | 5 // This file contains unit tests for the RestrictedToken. |
6 | 6 |
7 #define _ATL_NO_EXCEPTIONS | 7 #define _ATL_NO_EXCEPTIONS |
8 #include <atlbase.h> | 8 #include <atlbase.h> |
9 #include <atlsecurity.h> | 9 #include <atlsecurity.h> |
10 #include <vector> | 10 #include <vector> |
11 | 11 |
12 #include "base/win/scoped_handle.h" | 12 #include "base/win/scoped_handle.h" |
13 #include "sandbox/win/src/restricted_token.h" | 13 #include "sandbox/win/src/restricted_token.h" |
14 #include "sandbox/win/src/sid.h" | 14 #include "sandbox/win/src/sid.h" |
15 #include "testing/gtest/include/gtest/gtest.h" | 15 #include "testing/gtest/include/gtest/gtest.h" |
16 | 16 |
17 namespace sandbox { | 17 namespace sandbox { |
18 | 18 |
19 // Tests the initializatioin with an invalid token handle. | 19 // Tests the initializatioin with an invalid token handle. |
20 TEST(RestrictedTokenTest, InvalidHandle) { | 20 TEST(RestrictedTokenTest, InvalidHandle) { |
21 RestrictedToken token; | 21 RestrictedToken token; |
22 ASSERT_EQ(ERROR_INVALID_HANDLE, token.Init(reinterpret_cast<HANDLE>(0x5555))); | 22 ASSERT_EQ(static_cast<DWORD>(ERROR_INVALID_HANDLE), |
| 23 token.Init(reinterpret_cast<HANDLE>(0x5555))); |
23 } | 24 } |
24 | 25 |
25 // Tests the initialization with NULL as parameter. | 26 // Tests the initialization with NULL as parameter. |
26 TEST(RestrictedTokenTest, DefaultInit) { | 27 TEST(RestrictedTokenTest, DefaultInit) { |
27 // Get the current process token. | 28 // Get the current process token. |
28 HANDLE token_handle = INVALID_HANDLE_VALUE; | 29 HANDLE token_handle = INVALID_HANDLE_VALUE; |
29 ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, | 30 ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, |
30 &token_handle)); | 31 &token_handle)); |
31 | 32 |
32 ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); | 33 ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); |
33 | 34 |
34 ATL::CAccessToken access_token; | 35 ATL::CAccessToken access_token; |
35 access_token.Attach(token_handle); | 36 access_token.Attach(token_handle); |
36 | 37 |
37 // Create the token using the current token. | 38 // Create the token using the current token. |
38 RestrictedToken token_default; | 39 RestrictedToken token_default; |
39 ASSERT_EQ(ERROR_SUCCESS, token_default.Init(NULL)); | 40 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token_default.Init(NULL)); |
40 | 41 |
41 // Get the handle to the restricted token. | 42 // Get the handle to the restricted token. |
42 | 43 |
43 base::win::ScopedHandle restricted_token_handle; | 44 base::win::ScopedHandle restricted_token_handle; |
44 ASSERT_EQ(ERROR_SUCCESS, | 45 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
45 token_default.GetRestrictedToken(&restricted_token_handle)); | 46 token_default.GetRestrictedToken(&restricted_token_handle)); |
46 | 47 |
47 ATL::CAccessToken restricted_token; | 48 ATL::CAccessToken restricted_token; |
48 restricted_token.Attach(restricted_token_handle.Take()); | 49 restricted_token.Attach(restricted_token_handle.Take()); |
49 | 50 |
50 ATL::CSid sid_user_restricted; | 51 ATL::CSid sid_user_restricted; |
51 ATL::CSid sid_user_default; | 52 ATL::CSid sid_user_default; |
52 ATL::CSid sid_owner_restricted; | 53 ATL::CSid sid_owner_restricted; |
53 ATL::CSid sid_owner_default; | 54 ATL::CSid sid_owner_default; |
54 ASSERT_TRUE(restricted_token.GetUser(&sid_user_restricted)); | 55 ASSERT_TRUE(restricted_token.GetUser(&sid_user_restricted)); |
55 ASSERT_TRUE(access_token.GetUser(&sid_user_default)); | 56 ASSERT_TRUE(access_token.GetUser(&sid_user_default)); |
(...skipping 15 matching lines...) Expand all Loading... |
71 ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); | 72 ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); |
72 | 73 |
73 ATL::CAccessToken access_token; | 74 ATL::CAccessToken access_token; |
74 access_token.Attach(token_handle); | 75 access_token.Attach(token_handle); |
75 | 76 |
76 // Change the primary group. | 77 // Change the primary group. |
77 access_token.SetPrimaryGroup(ATL::Sids::World()); | 78 access_token.SetPrimaryGroup(ATL::Sids::World()); |
78 | 79 |
79 // Create the token using the current token. | 80 // Create the token using the current token. |
80 RestrictedToken token; | 81 RestrictedToken token; |
81 ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); | 82 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 83 token.Init(access_token.GetHandle())); |
82 | 84 |
83 // Get the handle to the restricted token. | 85 // Get the handle to the restricted token. |
84 | 86 |
85 base::win::ScopedHandle restricted_token_handle; | 87 base::win::ScopedHandle restricted_token_handle; |
86 ASSERT_EQ(ERROR_SUCCESS, | 88 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
87 token.GetRestrictedToken(&restricted_token_handle)); | 89 token.GetRestrictedToken(&restricted_token_handle)); |
88 | 90 |
89 ATL::CAccessToken restricted_token; | 91 ATL::CAccessToken restricted_token; |
90 restricted_token.Attach(restricted_token_handle.Take()); | 92 restricted_token.Attach(restricted_token_handle.Take()); |
91 | 93 |
92 ATL::CSid sid_restricted; | 94 ATL::CSid sid_restricted; |
93 ATL::CSid sid_default; | 95 ATL::CSid sid_default; |
94 ASSERT_TRUE(restricted_token.GetPrimaryGroup(&sid_restricted)); | 96 ASSERT_TRUE(restricted_token.GetPrimaryGroup(&sid_restricted)); |
95 ASSERT_TRUE(access_token.GetPrimaryGroup(&sid_default)); | 97 ASSERT_TRUE(access_token.GetPrimaryGroup(&sid_default)); |
96 | 98 |
97 // Check if both token have the same owner. | 99 // Check if both token have the same owner. |
98 ASSERT_EQ(sid_restricted, sid_default); | 100 ASSERT_EQ(sid_restricted, sid_default); |
99 } | 101 } |
100 | 102 |
101 // Verifies that the token created by the object are valid. | 103 // Verifies that the token created by the object are valid. |
102 TEST(RestrictedTokenTest, ResultToken) { | 104 TEST(RestrictedTokenTest, ResultToken) { |
103 RestrictedToken token; | 105 RestrictedToken token; |
104 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 106 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
105 | 107 |
106 ASSERT_EQ(ERROR_SUCCESS, | 108 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
107 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); | 109 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); |
108 | 110 |
109 base::win::ScopedHandle restricted_token; | 111 base::win::ScopedHandle restricted_token; |
110 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&restricted_token)); | 112 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 113 token.GetRestrictedToken(&restricted_token)); |
111 | 114 |
112 ASSERT_TRUE(::IsTokenRestricted(restricted_token.Get())); | 115 ASSERT_TRUE(::IsTokenRestricted(restricted_token.Get())); |
113 | 116 |
114 DWORD length = 0; | 117 DWORD length = 0; |
115 TOKEN_TYPE type; | 118 TOKEN_TYPE type; |
116 ASSERT_TRUE(::GetTokenInformation(restricted_token.Get(), | 119 ASSERT_TRUE(::GetTokenInformation(restricted_token.Get(), |
117 ::TokenType, | 120 ::TokenType, |
118 &type, | 121 &type, |
119 sizeof(type), | 122 sizeof(type), |
120 &length)); | 123 &length)); |
121 | 124 |
122 ASSERT_EQ(type, TokenPrimary); | 125 ASSERT_EQ(type, TokenPrimary); |
123 | 126 |
124 base::win::ScopedHandle impersonation_token; | 127 base::win::ScopedHandle impersonation_token; |
125 ASSERT_EQ(ERROR_SUCCESS, | 128 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
126 token.GetRestrictedTokenForImpersonation(&impersonation_token)); | 129 token.GetRestrictedTokenForImpersonation(&impersonation_token)); |
127 | 130 |
128 ASSERT_TRUE(::IsTokenRestricted(impersonation_token.Get())); | 131 ASSERT_TRUE(::IsTokenRestricted(impersonation_token.Get())); |
129 | 132 |
130 ASSERT_TRUE(::GetTokenInformation(impersonation_token.Get(), | 133 ASSERT_TRUE(::GetTokenInformation(impersonation_token.Get(), |
131 ::TokenType, | 134 ::TokenType, |
132 &type, | 135 &type, |
133 sizeof(type), | 136 sizeof(type), |
134 &length)); | 137 &length)); |
135 | 138 |
136 ASSERT_EQ(type, TokenImpersonation); | 139 ASSERT_EQ(type, TokenImpersonation); |
137 } | 140 } |
138 | 141 |
139 // Verifies that the token created has "Restricted" in its default dacl. | 142 // Verifies that the token created has "Restricted" in its default dacl. |
140 TEST(RestrictedTokenTest, DefaultDacl) { | 143 TEST(RestrictedTokenTest, DefaultDacl) { |
141 RestrictedToken token; | 144 RestrictedToken token; |
142 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 145 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
143 | 146 |
144 ASSERT_EQ(ERROR_SUCCESS, | 147 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
145 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); | 148 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); |
146 | 149 |
147 base::win::ScopedHandle handle; | 150 base::win::ScopedHandle handle; |
148 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&handle)); | 151 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 152 token.GetRestrictedToken(&handle)); |
149 | 153 |
150 ATL::CAccessToken restricted_token; | 154 ATL::CAccessToken restricted_token; |
151 restricted_token.Attach(handle.Take()); | 155 restricted_token.Attach(handle.Take()); |
152 | 156 |
153 ATL::CDacl dacl; | 157 ATL::CDacl dacl; |
154 ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl)); | 158 ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl)); |
155 | 159 |
156 bool restricted_found = false; | 160 bool restricted_found = false; |
157 | 161 |
158 unsigned int ace_count = dacl.GetAceCount(); | 162 unsigned int ace_count = dacl.GetAceCount(); |
159 for (unsigned int i = 0; i < ace_count ; ++i) { | 163 for (unsigned int i = 0; i < ace_count ; ++i) { |
160 ATL::CSid sid; | 164 ATL::CSid sid; |
161 ACCESS_MASK mask = 0; | 165 ACCESS_MASK mask = 0; |
162 dacl.GetAclEntry(i, &sid, &mask); | 166 dacl.GetAclEntry(i, &sid, &mask); |
163 if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) { | 167 if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) { |
164 restricted_found = true; | 168 restricted_found = true; |
165 break; | 169 break; |
166 } | 170 } |
167 } | 171 } |
168 | 172 |
169 ASSERT_TRUE(restricted_found); | 173 ASSERT_TRUE(restricted_found); |
170 } | 174 } |
171 | 175 |
172 // Tests the method "AddSidForDenyOnly". | 176 // Tests the method "AddSidForDenyOnly". |
173 TEST(RestrictedTokenTest, DenySid) { | 177 TEST(RestrictedTokenTest, DenySid) { |
174 RestrictedToken token; | 178 RestrictedToken token; |
175 base::win::ScopedHandle token_handle; | 179 base::win::ScopedHandle token_handle; |
176 | 180 |
177 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 181 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
178 ASSERT_EQ(ERROR_SUCCESS, token.AddSidForDenyOnly(Sid(WinWorldSid))); | 182 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
179 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 183 token.AddSidForDenyOnly(Sid(WinWorldSid))); |
| 184 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 185 token.GetRestrictedToken(&token_handle)); |
180 | 186 |
181 ATL::CAccessToken restricted_token; | 187 ATL::CAccessToken restricted_token; |
182 restricted_token.Attach(token_handle.Take()); | 188 restricted_token.Attach(token_handle.Take()); |
183 | 189 |
184 ATL::CTokenGroups groups; | 190 ATL::CTokenGroups groups; |
185 ASSERT_TRUE(restricted_token.GetGroups(&groups)); | 191 ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
186 | 192 |
187 ATL::CSid::CSidArray sids; | 193 ATL::CSid::CSidArray sids; |
188 ATL::CAtlArray<DWORD> attributes; | 194 ATL::CAtlArray<DWORD> attributes; |
189 groups.GetSidsAndAttributes(&sids, &attributes); | 195 groups.GetSidsAndAttributes(&sids, &attributes); |
190 | 196 |
191 for (unsigned int i = 0; i < sids.GetCount(); i++) { | 197 for (unsigned int i = 0; i < sids.GetCount(); i++) { |
192 if (ATL::Sids::World() == sids[i]) { | 198 if (ATL::Sids::World() == sids[i]) { |
193 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, | 199 ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY), |
194 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); | 200 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
195 } | 201 } |
196 } | 202 } |
197 } | 203 } |
198 | 204 |
199 // Tests the method "AddAllSidsForDenyOnly". | 205 // Tests the method "AddAllSidsForDenyOnly". |
200 TEST(RestrictedTokenTest, DenySids) { | 206 TEST(RestrictedTokenTest, DenySids) { |
201 RestrictedToken token; | 207 RestrictedToken token; |
202 base::win::ScopedHandle token_handle; | 208 base::win::ScopedHandle token_handle; |
203 | 209 |
204 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 210 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
205 ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(NULL)); | 211 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
206 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 212 token.AddAllSidsForDenyOnly(NULL)); |
| 213 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 214 token.GetRestrictedToken(&token_handle)); |
207 | 215 |
208 ATL::CAccessToken restricted_token; | 216 ATL::CAccessToken restricted_token; |
209 restricted_token.Attach(token_handle.Take()); | 217 restricted_token.Attach(token_handle.Take()); |
210 | 218 |
211 ATL::CTokenGroups groups; | 219 ATL::CTokenGroups groups; |
212 ASSERT_TRUE(restricted_token.GetGroups(&groups)); | 220 ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
213 | 221 |
214 ATL::CSid::CSidArray sids; | 222 ATL::CSid::CSidArray sids; |
215 ATL::CAtlArray<DWORD> attributes; | 223 ATL::CAtlArray<DWORD> attributes; |
216 groups.GetSidsAndAttributes(&sids, &attributes); | 224 groups.GetSidsAndAttributes(&sids, &attributes); |
217 | 225 |
218 // Verify that all sids are really gone. | 226 // Verify that all sids are really gone. |
219 for (unsigned int i = 0; i < sids.GetCount(); i++) { | 227 for (unsigned int i = 0; i < sids.GetCount(); i++) { |
220 if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 && | 228 if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 && |
221 (attributes[i] & SE_GROUP_INTEGRITY) == 0) { | 229 (attributes[i] & SE_GROUP_INTEGRITY) == 0) { |
222 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, | 230 ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY), |
223 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); | 231 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
224 } | 232 } |
225 } | 233 } |
226 } | 234 } |
227 | 235 |
228 // Tests the method "AddAllSidsForDenyOnly" using an exception list. | 236 // Tests the method "AddAllSidsForDenyOnly" using an exception list. |
229 TEST(RestrictedTokenTest, DenySidsException) { | 237 TEST(RestrictedTokenTest, DenySidsException) { |
230 RestrictedToken token; | 238 RestrictedToken token; |
231 base::win::ScopedHandle token_handle; | 239 base::win::ScopedHandle token_handle; |
232 | 240 |
233 std::vector<Sid> sids_exception; | 241 std::vector<Sid> sids_exception; |
234 sids_exception.push_back(Sid(WinWorldSid)); | 242 sids_exception.push_back(Sid(WinWorldSid)); |
235 | 243 |
236 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 244 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
237 ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(&sids_exception)); | 245 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
238 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 246 token.AddAllSidsForDenyOnly(&sids_exception)); |
| 247 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 248 token.GetRestrictedToken(&token_handle)); |
239 | 249 |
240 ATL::CAccessToken restricted_token; | 250 ATL::CAccessToken restricted_token; |
241 restricted_token.Attach(token_handle.Take()); | 251 restricted_token.Attach(token_handle.Take()); |
242 | 252 |
243 ATL::CTokenGroups groups; | 253 ATL::CTokenGroups groups; |
244 ASSERT_TRUE(restricted_token.GetGroups(&groups)); | 254 ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
245 | 255 |
246 ATL::CSid::CSidArray sids; | 256 ATL::CSid::CSidArray sids; |
247 ATL::CAtlArray<DWORD> attributes; | 257 ATL::CAtlArray<DWORD> attributes; |
248 groups.GetSidsAndAttributes(&sids, &attributes); | 258 groups.GetSidsAndAttributes(&sids, &attributes); |
249 | 259 |
250 // Verify that all sids are really gone. | 260 // Verify that all sids are really gone. |
251 for (unsigned int i = 0; i < sids.GetCount(); i++) { | 261 for (unsigned int i = 0; i < sids.GetCount(); i++) { |
252 if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 && | 262 if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 && |
253 (attributes[i] & SE_GROUP_INTEGRITY) == 0) { | 263 (attributes[i] & SE_GROUP_INTEGRITY) == 0) { |
254 if (ATL::Sids::World() == sids[i]) { | 264 if (ATL::Sids::World() == sids[i]) { |
255 ASSERT_EQ(NULL, attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); | 265 ASSERT_EQ(0u, attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
256 } else { | 266 } else { |
257 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, | 267 ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY), |
258 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); | 268 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
259 } | 269 } |
260 } | 270 } |
261 } | 271 } |
262 } | 272 } |
263 | 273 |
264 // Tests test method AddOwnerSidForDenyOnly. | 274 // Tests test method AddOwnerSidForDenyOnly. |
265 TEST(RestrictedTokenTest, DenyOwnerSid) { | 275 TEST(RestrictedTokenTest, DenyOwnerSid) { |
266 RestrictedToken token; | 276 RestrictedToken token; |
267 base::win::ScopedHandle token_handle; | 277 base::win::ScopedHandle token_handle; |
268 | 278 |
269 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 279 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
270 ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly()); | 280 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.AddUserSidForDenyOnly()); |
271 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 281 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 282 token.GetRestrictedToken(&token_handle)); |
272 | 283 |
273 ATL::CAccessToken restricted_token; | 284 ATL::CAccessToken restricted_token; |
274 restricted_token.Attach(token_handle.Take()); | 285 restricted_token.Attach(token_handle.Take()); |
275 | 286 |
276 ATL::CTokenGroups groups; | 287 ATL::CTokenGroups groups; |
277 ASSERT_TRUE(restricted_token.GetGroups(&groups)); | 288 ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
278 | 289 |
279 ATL::CSid::CSidArray sids; | 290 ATL::CSid::CSidArray sids; |
280 ATL::CAtlArray<DWORD> attributes; | 291 ATL::CAtlArray<DWORD> attributes; |
281 groups.GetSidsAndAttributes(&sids, &attributes); | 292 groups.GetSidsAndAttributes(&sids, &attributes); |
282 | 293 |
283 ATL::CSid user_sid; | 294 ATL::CSid user_sid; |
284 ASSERT_TRUE(restricted_token.GetUser(&user_sid)); | 295 ASSERT_TRUE(restricted_token.GetUser(&user_sid)); |
285 | 296 |
286 for (unsigned int i = 0; i < sids.GetCount(); ++i) { | 297 for (unsigned int i = 0; i < sids.GetCount(); ++i) { |
287 if (user_sid == sids[i]) { | 298 if (user_sid == sids[i]) { |
288 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, | 299 ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY), |
289 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); | 300 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
290 } | 301 } |
291 } | 302 } |
292 } | 303 } |
293 | 304 |
294 // Tests test method AddOwnerSidForDenyOnly with a custom effective token. | 305 // Tests test method AddOwnerSidForDenyOnly with a custom effective token. |
295 TEST(RestrictedTokenTest, DenyOwnerSidCustom) { | 306 TEST(RestrictedTokenTest, DenyOwnerSidCustom) { |
296 // Get the current process token. | 307 // Get the current process token. |
297 HANDLE access_handle = INVALID_HANDLE_VALUE; | 308 HANDLE access_handle = INVALID_HANDLE_VALUE; |
298 ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, | 309 ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, |
299 &access_handle)); | 310 &access_handle)); |
300 | 311 |
301 ASSERT_NE(INVALID_HANDLE_VALUE, access_handle); | 312 ASSERT_NE(INVALID_HANDLE_VALUE, access_handle); |
302 | 313 |
303 ATL::CAccessToken access_token; | 314 ATL::CAccessToken access_token; |
304 access_token.Attach(access_handle); | 315 access_token.Attach(access_handle); |
305 | 316 |
306 RestrictedToken token; | 317 RestrictedToken token; |
307 base::win::ScopedHandle token_handle; | 318 base::win::ScopedHandle token_handle; |
308 ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); | 319 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
309 ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly()); | 320 token.Init(access_token.GetHandle())); |
310 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 321 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.AddUserSidForDenyOnly()); |
| 322 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 323 token.GetRestrictedToken(&token_handle)); |
311 | 324 |
312 ATL::CAccessToken restricted_token; | 325 ATL::CAccessToken restricted_token; |
313 restricted_token.Attach(token_handle.Take()); | 326 restricted_token.Attach(token_handle.Take()); |
314 | 327 |
315 ATL::CTokenGroups groups; | 328 ATL::CTokenGroups groups; |
316 ASSERT_TRUE(restricted_token.GetGroups(&groups)); | 329 ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
317 | 330 |
318 ATL::CSid::CSidArray sids; | 331 ATL::CSid::CSidArray sids; |
319 ATL::CAtlArray<DWORD> attributes; | 332 ATL::CAtlArray<DWORD> attributes; |
320 groups.GetSidsAndAttributes(&sids, &attributes); | 333 groups.GetSidsAndAttributes(&sids, &attributes); |
321 | 334 |
322 ATL::CSid user_sid; | 335 ATL::CSid user_sid; |
323 ASSERT_TRUE(restricted_token.GetUser(&user_sid)); | 336 ASSERT_TRUE(restricted_token.GetUser(&user_sid)); |
324 | 337 |
325 for (unsigned int i = 0; i < sids.GetCount(); ++i) { | 338 for (unsigned int i = 0; i < sids.GetCount(); ++i) { |
326 if (user_sid == sids[i]) { | 339 if (user_sid == sids[i]) { |
327 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY, | 340 ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY), |
328 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); | 341 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY); |
329 } | 342 } |
330 } | 343 } |
331 } | 344 } |
332 | 345 |
333 // Tests the method DeleteAllPrivileges. | 346 // Tests the method DeleteAllPrivileges. |
334 TEST(RestrictedTokenTest, DeleteAllPrivileges) { | 347 TEST(RestrictedTokenTest, DeleteAllPrivileges) { |
335 RestrictedToken token; | 348 RestrictedToken token; |
336 base::win::ScopedHandle token_handle; | 349 base::win::ScopedHandle token_handle; |
337 | 350 |
338 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 351 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
339 ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(NULL)); | 352 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.DeleteAllPrivileges(NULL)); |
340 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 353 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 354 token.GetRestrictedToken(&token_handle)); |
341 | 355 |
342 ATL::CAccessToken restricted_token; | 356 ATL::CAccessToken restricted_token; |
343 restricted_token.Attach(token_handle.Take()); | 357 restricted_token.Attach(token_handle.Take()); |
344 | 358 |
345 ATL::CTokenPrivileges privileges; | 359 ATL::CTokenPrivileges privileges; |
346 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); | 360 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); |
347 | 361 |
348 ASSERT_EQ(0, privileges.GetCount()); | 362 ASSERT_EQ(0u, privileges.GetCount()); |
349 } | 363 } |
350 | 364 |
351 // Tests the method DeleteAllPrivileges with an exception list. | 365 // Tests the method DeleteAllPrivileges with an exception list. |
352 TEST(RestrictedTokenTest, DeleteAllPrivilegesException) { | 366 TEST(RestrictedTokenTest, DeleteAllPrivilegesException) { |
353 RestrictedToken token; | 367 RestrictedToken token; |
354 base::win::ScopedHandle token_handle; | 368 base::win::ScopedHandle token_handle; |
355 | 369 |
356 std::vector<base::string16> exceptions; | 370 std::vector<base::string16> exceptions; |
357 exceptions.push_back(SE_CHANGE_NOTIFY_NAME); | 371 exceptions.push_back(SE_CHANGE_NOTIFY_NAME); |
358 | 372 |
359 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 373 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
360 ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(&exceptions)); | 374 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
361 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 375 token.DeleteAllPrivileges(&exceptions)); |
| 376 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 377 token.GetRestrictedToken(&token_handle)); |
362 | 378 |
363 ATL::CAccessToken restricted_token; | 379 ATL::CAccessToken restricted_token; |
364 restricted_token.Attach(token_handle.Take()); | 380 restricted_token.Attach(token_handle.Take()); |
365 | 381 |
366 ATL::CTokenPrivileges privileges; | 382 ATL::CTokenPrivileges privileges; |
367 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); | 383 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); |
368 | 384 |
369 ATL::CTokenPrivileges::CNames privilege_names; | 385 ATL::CTokenPrivileges::CNames privilege_names; |
370 ATL::CTokenPrivileges::CAttributes privilege_name_attributes; | 386 ATL::CTokenPrivileges::CAttributes privilege_name_attributes; |
371 privileges.GetNamesAndAttributes(&privilege_names, | 387 privileges.GetNamesAndAttributes(&privilege_names, |
372 &privilege_name_attributes); | 388 &privilege_name_attributes); |
373 | 389 |
374 ASSERT_EQ(1, privileges.GetCount()); | 390 ASSERT_EQ(1u, privileges.GetCount()); |
375 | 391 |
376 for (unsigned int i = 0; i < privileges.GetCount(); ++i) { | 392 for (unsigned int i = 0; i < privileges.GetCount(); ++i) { |
377 ASSERT_EQ(privilege_names[i], SE_CHANGE_NOTIFY_NAME); | 393 ASSERT_EQ(privilege_names[i], SE_CHANGE_NOTIFY_NAME); |
378 } | 394 } |
379 } | 395 } |
380 | 396 |
381 // Tests the method DeletePrivilege. | 397 // Tests the method DeletePrivilege. |
382 TEST(RestrictedTokenTest, DeletePrivilege) { | 398 TEST(RestrictedTokenTest, DeletePrivilege) { |
383 RestrictedToken token; | 399 RestrictedToken token; |
384 base::win::ScopedHandle token_handle; | 400 base::win::ScopedHandle token_handle; |
385 | 401 |
386 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 402 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
387 ASSERT_EQ(ERROR_SUCCESS, token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME)); | 403 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
388 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 404 token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME)); |
| 405 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 406 token.GetRestrictedToken(&token_handle)); |
389 | 407 |
390 ATL::CAccessToken restricted_token; | 408 ATL::CAccessToken restricted_token; |
391 restricted_token.Attach(token_handle.Take()); | 409 restricted_token.Attach(token_handle.Take()); |
392 | 410 |
393 ATL::CTokenPrivileges privileges; | 411 ATL::CTokenPrivileges privileges; |
394 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); | 412 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); |
395 | 413 |
396 ATL::CTokenPrivileges::CNames privilege_names; | 414 ATL::CTokenPrivileges::CNames privilege_names; |
397 ATL::CTokenPrivileges::CAttributes privilege_name_attributes; | 415 ATL::CTokenPrivileges::CAttributes privilege_name_attributes; |
398 privileges.GetNamesAndAttributes(&privilege_names, | 416 privileges.GetNamesAndAttributes(&privilege_names, |
(...skipping 15 matching lines...) Expand all Loading... |
414 ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(), | 432 ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(), |
415 TokenRestrictedSids, | 433 TokenRestrictedSids, |
416 groups, | 434 groups, |
417 length, | 435 length, |
418 &length)); | 436 &length)); |
419 | 437 |
420 ATL::CTokenGroups atl_groups(*groups); | 438 ATL::CTokenGroups atl_groups(*groups); |
421 delete[] memory; | 439 delete[] memory; |
422 | 440 |
423 if (count >= 0) | 441 if (count >= 0) |
424 ASSERT_EQ(count, atl_groups.GetCount()); | 442 ASSERT_EQ(static_cast<unsigned>(count), atl_groups.GetCount()); |
425 | 443 |
426 ATL::CSid::CSidArray sids; | 444 ATL::CSid::CSidArray sids; |
427 ATL::CAtlArray<DWORD> attributes; | 445 ATL::CAtlArray<DWORD> attributes; |
428 atl_groups.GetSidsAndAttributes(&sids, &attributes); | 446 atl_groups.GetSidsAndAttributes(&sids, &attributes); |
429 | 447 |
430 bool present = false; | 448 bool present = false; |
431 for (unsigned int i = 0; i < sids.GetCount(); ++i) { | 449 for (unsigned int i = 0; i < sids.GetCount(); ++i) { |
432 if (sids[i] == sid) { | 450 if (sids[i] == sid) { |
433 present = true; | 451 present = true; |
434 break; | 452 break; |
435 } | 453 } |
436 } | 454 } |
437 | 455 |
438 ASSERT_TRUE(present); | 456 ASSERT_TRUE(present); |
439 } | 457 } |
440 | 458 |
441 // Tests the method AddRestrictingSid. | 459 // Tests the method AddRestrictingSid. |
442 TEST(RestrictedTokenTest, AddRestrictingSid) { | 460 TEST(RestrictedTokenTest, AddRestrictingSid) { |
443 RestrictedToken token; | 461 RestrictedToken token; |
444 base::win::ScopedHandle token_handle; | 462 base::win::ScopedHandle token_handle; |
445 | 463 |
446 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 464 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
447 ASSERT_EQ(ERROR_SUCCESS, | 465 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
448 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); | 466 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); |
449 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 467 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 468 token.GetRestrictedToken(&token_handle)); |
450 | 469 |
451 ATL::CAccessToken restricted_token; | 470 ATL::CAccessToken restricted_token; |
452 restricted_token.Attach(token_handle.Take()); | 471 restricted_token.Attach(token_handle.Take()); |
453 | 472 |
454 CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1); | 473 CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1); |
455 } | 474 } |
456 | 475 |
457 // Tests the method AddRestrictingSidCurrentUser. | 476 // Tests the method AddRestrictingSidCurrentUser. |
458 TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) { | 477 TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) { |
459 RestrictedToken token; | 478 RestrictedToken token; |
460 base::win::ScopedHandle token_handle; | 479 base::win::ScopedHandle token_handle; |
461 | 480 |
462 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 481 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
463 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); | 482 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
464 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 483 token.AddRestrictingSidCurrentUser()); |
| 484 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 485 token.GetRestrictedToken(&token_handle)); |
465 | 486 |
466 ATL::CAccessToken restricted_token; | 487 ATL::CAccessToken restricted_token; |
467 restricted_token.Attach(token_handle.Take()); | 488 restricted_token.Attach(token_handle.Take()); |
468 ATL::CSid user; | 489 ATL::CSid user; |
469 restricted_token.GetUser(&user); | 490 restricted_token.GetUser(&user); |
470 | 491 |
471 CheckRestrictingSid(restricted_token, user, 1); | 492 CheckRestrictingSid(restricted_token, user, 1); |
472 } | 493 } |
473 | 494 |
474 // Tests the method AddRestrictingSidCurrentUser with a custom effective token. | 495 // Tests the method AddRestrictingSidCurrentUser with a custom effective token. |
475 TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) { | 496 TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) { |
476 // Get the current process token. | 497 // Get the current process token. |
477 HANDLE access_handle = INVALID_HANDLE_VALUE; | 498 HANDLE access_handle = INVALID_HANDLE_VALUE; |
478 ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, | 499 ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, |
479 &access_handle)); | 500 &access_handle)); |
480 | 501 |
481 ASSERT_NE(INVALID_HANDLE_VALUE, access_handle); | 502 ASSERT_NE(INVALID_HANDLE_VALUE, access_handle); |
482 | 503 |
483 ATL::CAccessToken access_token; | 504 ATL::CAccessToken access_token; |
484 access_token.Attach(access_handle); | 505 access_token.Attach(access_handle); |
485 | 506 |
486 RestrictedToken token; | 507 RestrictedToken token; |
487 base::win::ScopedHandle token_handle; | 508 base::win::ScopedHandle token_handle; |
488 ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); | 509 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
489 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); | 510 token.Init(access_token.GetHandle())); |
490 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 511 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 512 token.AddRestrictingSidCurrentUser()); |
| 513 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 514 token.GetRestrictedToken(&token_handle)); |
491 | 515 |
492 ATL::CAccessToken restricted_token; | 516 ATL::CAccessToken restricted_token; |
493 restricted_token.Attach(token_handle.Take()); | 517 restricted_token.Attach(token_handle.Take()); |
494 ATL::CSid user; | 518 ATL::CSid user; |
495 restricted_token.GetUser(&user); | 519 restricted_token.GetUser(&user); |
496 | 520 |
497 CheckRestrictingSid(restricted_token, user, 1); | 521 CheckRestrictingSid(restricted_token, user, 1); |
498 } | 522 } |
499 | 523 |
500 // Tests the method AddRestrictingSidLogonSession. | 524 // Tests the method AddRestrictingSidLogonSession. |
501 TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) { | 525 TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) { |
502 RestrictedToken token; | 526 RestrictedToken token; |
503 base::win::ScopedHandle token_handle; | 527 base::win::ScopedHandle token_handle; |
504 | 528 |
505 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 529 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
506 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession()); | 530 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
507 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 531 token.AddRestrictingSidLogonSession()); |
| 532 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 533 token.GetRestrictedToken(&token_handle)); |
508 | 534 |
509 ATL::CAccessToken restricted_token; | 535 ATL::CAccessToken restricted_token; |
510 restricted_token.Attach(token_handle.Take()); | 536 restricted_token.Attach(token_handle.Take()); |
511 ATL::CSid session; | 537 ATL::CSid session; |
512 restricted_token.GetLogonSid(&session); | 538 restricted_token.GetLogonSid(&session); |
513 | 539 |
514 CheckRestrictingSid(restricted_token, session, 1); | 540 CheckRestrictingSid(restricted_token, session, 1); |
515 } | 541 } |
516 | 542 |
517 // Tests adding a lot of restricting sids. | 543 // Tests adding a lot of restricting sids. |
518 TEST(RestrictedTokenTest, AddMultipleRestrictingSids) { | 544 TEST(RestrictedTokenTest, AddMultipleRestrictingSids) { |
519 RestrictedToken token; | 545 RestrictedToken token; |
520 base::win::ScopedHandle token_handle; | 546 base::win::ScopedHandle token_handle; |
521 | 547 |
522 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 548 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
523 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); | 549 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
524 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession()); | 550 token.AddRestrictingSidCurrentUser()); |
525 ASSERT_EQ(ERROR_SUCCESS, | 551 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 552 token.AddRestrictingSidLogonSession()); |
| 553 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
526 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); | 554 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); |
527 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 555 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 556 token.GetRestrictedToken(&token_handle)); |
528 | 557 |
529 ATL::CAccessToken restricted_token; | 558 ATL::CAccessToken restricted_token; |
530 restricted_token.Attach(token_handle.Take()); | 559 restricted_token.Attach(token_handle.Take()); |
531 ATL::CSid session; | 560 ATL::CSid session; |
532 restricted_token.GetLogonSid(&session); | 561 restricted_token.GetLogonSid(&session); |
533 | 562 |
534 DWORD length = 8192; | 563 DWORD length = 8192; |
535 BYTE *memory = new BYTE[length]; | 564 BYTE *memory = new BYTE[length]; |
536 TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(memory); | 565 TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(memory); |
537 ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(), | 566 ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(), |
538 TokenRestrictedSids, | 567 TokenRestrictedSids, |
539 groups, | 568 groups, |
540 length, | 569 length, |
541 &length)); | 570 &length)); |
542 | 571 |
543 ATL::CTokenGroups atl_groups(*groups); | 572 ATL::CTokenGroups atl_groups(*groups); |
544 delete[] memory; | 573 delete[] memory; |
545 | 574 |
546 ASSERT_EQ(3, atl_groups.GetCount()); | 575 ASSERT_EQ(3u, atl_groups.GetCount()); |
547 } | 576 } |
548 | 577 |
549 // Tests the method "AddRestrictingSidAllSids". | 578 // Tests the method "AddRestrictingSidAllSids". |
550 TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) { | 579 TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) { |
551 RestrictedToken token; | 580 RestrictedToken token; |
552 base::win::ScopedHandle token_handle; | 581 base::win::ScopedHandle token_handle; |
553 | 582 |
554 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 583 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
555 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidAllSids()); | 584 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
556 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); | 585 token.AddRestrictingSidAllSids()); |
| 586 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), |
| 587 token.GetRestrictedToken(&token_handle)); |
557 | 588 |
558 ATL::CAccessToken restricted_token; | 589 ATL::CAccessToken restricted_token; |
559 restricted_token.Attach(token_handle.Take()); | 590 restricted_token.Attach(token_handle.Take()); |
560 | 591 |
561 ATL::CTokenGroups groups; | 592 ATL::CTokenGroups groups; |
562 ASSERT_TRUE(restricted_token.GetGroups(&groups)); | 593 ASSERT_TRUE(restricted_token.GetGroups(&groups)); |
563 | 594 |
564 ATL::CSid::CSidArray sids; | 595 ATL::CSid::CSidArray sids; |
565 ATL::CAtlArray<DWORD> attributes; | 596 ATL::CAtlArray<DWORD> attributes; |
566 groups.GetSidsAndAttributes(&sids, &attributes); | 597 groups.GetSidsAndAttributes(&sids, &attributes); |
567 | 598 |
568 // Verify that all group sids are in the restricting sid list. | 599 // Verify that all group sids are in the restricting sid list. |
569 for (unsigned int i = 0; i < sids.GetCount(); i++) { | 600 for (unsigned int i = 0; i < sids.GetCount(); i++) { |
570 if ((attributes[i] & SE_GROUP_INTEGRITY) == 0) { | 601 if ((attributes[i] & SE_GROUP_INTEGRITY) == 0) { |
571 CheckRestrictingSid(restricted_token, sids[i], -1); | 602 CheckRestrictingSid(restricted_token, sids[i], -1); |
572 } | 603 } |
573 } | 604 } |
574 | 605 |
575 // Verify that the user is in the restricting sid list. | 606 // Verify that the user is in the restricting sid list. |
576 ATL::CSid user; | 607 ATL::CSid user; |
577 restricted_token.GetUser(&user); | 608 restricted_token.GetUser(&user); |
578 CheckRestrictingSid(restricted_token, user, -1); | 609 CheckRestrictingSid(restricted_token, user, -1); |
579 } | 610 } |
580 | 611 |
581 // Checks the error code when the object is initialized twice. | 612 // Checks the error code when the object is initialized twice. |
582 TEST(RestrictedTokenTest, DoubleInit) { | 613 TEST(RestrictedTokenTest, DoubleInit) { |
583 RestrictedToken token; | 614 RestrictedToken token; |
584 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); | 615 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); |
585 | 616 |
586 ASSERT_EQ(ERROR_ALREADY_INITIALIZED, token.Init(NULL)); | 617 ASSERT_EQ(static_cast<DWORD>(ERROR_ALREADY_INITIALIZED), token.Init(NULL)); |
587 } | 618 } |
588 | 619 |
589 } // namespace sandbox | 620 } // namespace sandbox |
OLD | NEW |