summaryrefslogtreecommitdiff
path: root/source4/torture
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2012-06-22 11:02:39 +0200
committerStefan Metzmacher <metze@samba.org>2012-06-22 12:56:48 +0200
commit9c44f40b8d3eb9ca87bca4367e7ceb7c1198a7f1 (patch)
tree99b761a4bec307a73a5bcb3d78bdac2c472d58d2 /source4/torture
parentb40fa9436010a434ba7deb98ec9ed24b4900309a (diff)
downloadsamba-9c44f40b8d3eb9ca87bca4367e7ceb7c1198a7f1.tar.gz
samba-9c44f40b8d3eb9ca87bca4367e7ceb7c1198a7f1.tar.bz2
samba-9c44f40b8d3eb9ca87bca4367e7ceb7c1198a7f1.zip
s4:torture/raw: add raw.session.expire1
This demonstrates the interaction of CAP_DYNAMIC_REAUTH and NT_STATUS_NETWORK_SESSION_EXPIRED. metze
Diffstat (limited to 'source4/torture')
-rw-r--r--source4/torture/raw/session.c200
1 files changed, 200 insertions, 0 deletions
diff --git a/source4/torture/raw/session.c b/source4/torture/raw/session.c
index 21fb4da1ba..5b5b782a1c 100644
--- a/source4/torture/raw/session.c
+++ b/source4/torture/raw/session.c
@@ -26,6 +26,7 @@
#include "param/param.h"
#include "torture/util.h"
#include "auth/credentials/credentials.h"
+#include "libcli/resolve/resolve.h"
static bool test_session_reauth1(struct torture_context *tctx,
@@ -223,6 +224,204 @@ static bool test_session_reauth2(struct torture_context *tctx,
return true;
}
+static bool test_session_expire1(struct torture_context *tctx)
+{
+ NTSTATUS status;
+ bool ret = false;
+ struct smbcli_options options;
+ struct smbcli_session_options session_options;
+ const char *host = torture_setting_string(tctx, "host", NULL);
+ const char *share = torture_setting_string(tctx, "share", NULL);
+ struct cli_credentials *credentials = cmdline_credentials;
+ struct smbcli_state *cli = NULL;
+ enum credentials_use_kerberos use_kerberos;
+ char fname[256];
+ union smb_fileinfo qfinfo;
+ uint16_t vuid;
+ uint16_t fnum;
+ struct smb_composite_sesssetup io_sesssetup;
+ size_t i;
+
+ use_kerberos = cli_credentials_get_kerberos_state(credentials);
+ if (use_kerberos != CRED_MUST_USE_KERBEROS) {
+ torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
+ torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
+ }
+
+ torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
+ "please use -k yes");
+
+ lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
+
+ lpcfg_smbcli_options(tctx->lp_ctx, &options);
+
+ lpcfg_smbcli_session_options(tctx->lp_ctx, &session_options);
+
+ status = smbcli_full_connection(tctx, &cli,
+ host,
+ lpcfg_smb_ports(tctx->lp_ctx),
+ share, NULL,
+ lpcfg_socket_options(tctx->lp_ctx),
+ credentials,
+ lpcfg_resolve_context(tctx->lp_ctx),
+ tctx->ev, &options, &session_options,
+ lpcfg_gensec_settings(tctx, tctx->lp_ctx));
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smbcli_full_connection failed");
+
+ vuid = cli->session->vuid;
+
+ /* Add some random component to the file name. */
+ snprintf(fname, 256, "session_expire1_%s.dat",
+ generate_random_str(tctx, 8));
+
+ smbcli_unlink(cli->tree, fname);
+
+ fnum = smbcli_nt_create_full(cli->tree, fname, 0,
+ SEC_RIGHTS_FILE_ALL,
+ FILE_ATTRIBUTE_NORMAL,
+ NTCREATEX_SHARE_ACCESS_NONE,
+ NTCREATEX_DISP_OPEN_IF,
+ NTCREATEX_OPTIONS_DELETE_ON_CLOSE,
+ 0);
+ torture_assert_ntstatus_ok_goto(tctx, smbcli_nt_error(cli->tree), ret,
+ done, "create file");
+ torture_assert_goto(tctx, fnum > 0, ret, done, "create file");
+
+ /* get the access information */
+
+ ZERO_STRUCT(qfinfo);
+
+ qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
+ qfinfo.access_information.in.file.fnum = fnum;
+
+ for (i=0; i < 2; i++) {
+ torture_comment(tctx, "query info => OK\n");
+ ZERO_STRUCT(qfinfo.access_information.out);
+ status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "raw_fileinfo failed");
+
+ torture_comment(tctx, "sleep 5 seconds\n");
+ smb_msleep(5*1000);
+ }
+
+ /*
+ * the krb5 library may not handle expired creds
+ * well, lets start with an empty ccache.
+ */
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
+ /*
+ * now with CAP_DYNAMIC_REAUTH
+ *
+ * This should trigger NT_STATUS_NETWORK_SESSION_EXPIRED
+ */
+ ZERO_STRUCT(io_sesssetup);
+ io_sesssetup.in.sesskey = cli->transport->negotiate.sesskey;
+ io_sesssetup.in.capabilities = cli->transport->negotiate.capabilities;
+ io_sesssetup.in.capabilities |= CAP_DYNAMIC_REAUTH;
+ io_sesssetup.in.credentials = credentials;
+ io_sesssetup.in.workgroup = lpcfg_workgroup(tctx->lp_ctx);
+ io_sesssetup.in.gensec_settings = lpcfg_gensec_settings(tctx,
+ tctx->lp_ctx);
+
+ torture_comment(tctx, "reauth with CAP_DYNAMIC_REAUTH => OK\n");
+ ZERO_STRUCT(io_sesssetup.out);
+ status = smb_composite_sesssetup(cli->session, &io_sesssetup);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "reauth failed");
+ torture_assert_int_equal_goto(tctx, io_sesssetup.out.vuid, vuid,
+ ret, done, "reauth");
+
+ for (i=0; i < 2; i++) {
+ torture_comment(tctx, "query info => OK\n");
+ ZERO_STRUCT(qfinfo.access_information.out);
+ status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "raw_fileinfo failed");
+
+ torture_comment(tctx, "sleep 5 seconds\n");
+ smb_msleep(5*1000);
+
+ torture_comment(tctx, "query info => EXPIRED\n");
+ ZERO_STRUCT(qfinfo.access_information.out);
+ status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
+ torture_assert_ntstatus_equal_goto(tctx, status,
+ NT_STATUS_NETWORK_SESSION_EXPIRED,
+ ret, done, "raw_fileinfo expired");
+
+ /*
+ * the krb5 library may not handle expired creds
+ * well, lets start with an empty ccache.
+ */
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
+ torture_comment(tctx, "reauth with CAP_DYNAMIC_REAUTH => OK\n");
+ ZERO_STRUCT(io_sesssetup.out);
+ status = smb_composite_sesssetup(cli->session, &io_sesssetup);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "reauth failed");
+ torture_assert_int_equal_goto(tctx, io_sesssetup.out.vuid, vuid,
+ ret, done, "reauth");
+ }
+
+ torture_comment(tctx, "query info => OK\n");
+ ZERO_STRUCT(qfinfo.access_information.out);
+ status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "raw_fileinfo failed");
+
+ /*
+ * the krb5 library may not handle expired creds
+ * well, lets start with an empty ccache.
+ */
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
+ /*
+ * now without CAP_DYNAMIC_REAUTH
+ *
+ * This should not trigger NT_STATUS_NETWORK_SESSION_EXPIRED
+ */
+ torture_comment(tctx, "reauth without CAP_DYNAMIC_REAUTH => OK\n");
+ io_sesssetup.in.capabilities &= ~CAP_DYNAMIC_REAUTH;
+
+ ZERO_STRUCT(io_sesssetup.out);
+ status = smb_composite_sesssetup(cli->session, &io_sesssetup);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "reauth failed");
+ torture_assert_int_equal_goto(tctx, io_sesssetup.out.vuid, vuid,
+ ret, done, "reauth");
+
+ for (i=0; i < 2; i++) {
+ torture_comment(tctx, "query info => OK\n");
+
+ ZERO_STRUCT(qfinfo.access_information.out);
+ status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "raw_fileinfo failed");
+
+ torture_comment(tctx, "sleep 5 seconds\n");
+ smb_msleep(5*1000);
+ }
+
+ torture_comment(tctx, "query info => OK\n");
+ ZERO_STRUCT(qfinfo.access_information.out);
+ status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "raw_fileinfo failed");
+
+ ret = true;
+done:
+ if (fnum > 0) {
+ smbcli_close(cli->tree, fnum);
+ }
+
+ talloc_free(cli);
+ lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
+ return ret;
+}
+
struct torture_suite *torture_raw_session(TALLOC_CTX *mem_ctx)
{
struct torture_suite *suite = torture_suite_create(mem_ctx, "session");
@@ -230,6 +429,7 @@ struct torture_suite *torture_raw_session(TALLOC_CTX *mem_ctx)
torture_suite_add_1smb_test(suite, "reauth1", test_session_reauth1);
torture_suite_add_1smb_test(suite, "reauth2", test_session_reauth2);
+ torture_suite_add_simple_test(suite, "expire1", test_session_expire1);
return suite;
}