diff options
-rwxr-xr-x | source3/script/tests/test_ntlm_auth_s3.sh | 21 | ||||
-rwxr-xr-x | source3/script/tests/tests_all.sh | 1 | ||||
-rwxr-xr-x | source3/torture/test_ntlm_auth.py | 212 |
3 files changed, 234 insertions, 0 deletions
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh new file mode 100755 index 0000000000..8568da97e4 --- /dev/null +++ b/source3/script/tests/test_ntlm_auth_s3.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +incdir=`dirname $0` +. $incdir/test_functions.sh + +failed=0 + +(/usr/bin/env python --version > /dev/null 2&>1) + +if $? -ne 0: +then + echo "Python binary not found in path. Skipping ntlm_auth tests." + exit 0 +fi + +testit "ntlm_auth" $VALGRIND $SRCDIR/torture/test_ntlm_auth.py $BINDIR/ntlm_auth || failed=`expr $failed + 1` +# This should work even with NTLMv2 +testit "ntlm_auth" $VALGRIND $SRCDIR/torture/test_ntlm_auth.py $BINDIR/ntlm_auth --client-domain=fOo --server-domain=fOo || failed=`expr $failed + 1` + + +testok $0 $failed diff --git a/source3/script/tests/tests_all.sh b/source3/script/tests/tests_all.sh index 259e28e6e7..369cf3ebe3 100755 --- a/source3/script/tests/tests_all.sh +++ b/source3/script/tests/tests_all.sh @@ -6,6 +6,7 @@ $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP || failed=`expr $failed + $?` echo "Testing encrypted" $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP "-e" || failed=`expr $failed + $?` $SCRIPTDIR/test_wbinfo_s3.sh $WORKGROUP $SERVER $USERNAME $PASSWORD || failed=`expr $failed + $?` +$SCRIPTDIR/test_ntlm_auth_s3.sh || failed=`expr $failed + $?` eval "$LIB_PATH_VAR="\$SAMBA4SHAREDDIR:\$$LIB_PATH_VAR"; export $LIB_PATH_VAR" eval echo "$LIB_PATH_VAR=\$$LIB_PATH_VAR" diff --git a/source3/torture/test_ntlm_auth.py b/source3/torture/test_ntlm_auth.py new file mode 100755 index 0000000000..3e7cc0551f --- /dev/null +++ b/source3/torture/test_ntlm_auth.py @@ -0,0 +1,212 @@ +#!/usr/bin/env python + +# Unix SMB/CIFS implementation. +# A test for the ntlm_auth tool +# Copyright (C) Kai Blin <kai@samba.org> 2008 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +"""Test ntlm_auth +This test program will start ntlm_auth with the given command line switches and +see if it will get the expected results. +""" + +import os +import sys +from optparse import OptionParser + +class ReadChildError(Exception): + pass + +class WriteChildError(Exception): + pass + +def readLine(pipe): + """readLine(pipe) -> str + Read a line from the child's pipe, returns the string read. + Throws ReadChildError if the read fails. + """ + buf = os.read(pipe, 2047) + newline = buf.find('\n') + if newline == -1: + raise ReadChildError() + return buf[:newline] + +def writeLine(pipe, buf): + """writeLine(pipe, buf) -> nul + Write a line to the child's pipe. + Raises WriteChildError if the write fails. + """ + written = os.write(pipe, buf) + if written != len(buf): + raise WriteChildError() + os.write(pipe, "\n") + +def parseCommandLine(): + """parseCommandLine() -> (opts, ntlm_auth_path) + Parse the command line. + Return a tuple consisting of the options and the path to ntlm_auth. + """ + usage = "usage: %prog [options] path/to/ntlm_auth" + parser = OptionParser(usage) + + parser.set_defaults(client_username="foo") + parser.set_defaults(client_password="secret") + parser.set_defaults(client_domain="FOO") + parser.set_defaults(client_helper="ntlmssp-client-1") + + parser.set_defaults(server_username="foo") + parser.set_defaults(server_password="secret") + parser.set_defaults(server_domain="FOO") + parser.set_defaults(server_helper="squid-2.5-ntlmssp") + + parser.add_option("--client-username", dest="client_username",\ + help="User name for the client. [default: foo]") + parser.add_option("--client-password", dest="client_password",\ + help="Password the client will send. [default: secret]") + parser.add_option("--client-domain", dest="client_domain",\ + help="Domain the client authenticates for. [default: FOO]") + parser.add_option("--client-helper", dest="client_helper",\ + help="Helper mode for the ntlm_auth client. [default: ntlmssp-client-1]") + + parser.add_option("--server-username", dest="server_username",\ + help="User name server uses for local auth. [default: foo]") + parser.add_option("--server-password", dest="server_password",\ + help="Password server uses for local auth. [default: secret]") + parser.add_option("--server-domain", dest="server_domain",\ + help="Domain server uses for local auth. [default: FOO]") + parser.add_option("--server-helper", dest="server_helper",\ + help="Helper mode for the ntlm_auth server. [default: squid-2.5-server]") + + (opts, args) = parser.parse_args() + if len(args) != 1: + parser.error("Invalid number of arguments.") + + if not os.access(args[0], os.X_OK): + parser.error("%s is not executable." % args[0]) + + return (opts, args[0]) + + +def main(): + """main() -> int + Run the test. + Returns 0 if test succeeded, <>0 otherwise. + """ + (opts, ntlm_auth_path) = parseCommandLine() + + (client_in_r, client_in_w) = os.pipe() + (client_out_r, client_out_w) = os.pipe() + + client_pid = os.fork() + + if not client_pid: + # We're in the client child + os.close(0) + os.close(1) + + os.dup2(client_out_r, 0) + os.close(client_out_r) + os.close(client_out_w) + + os.dup2(client_in_w, 1) + os.close(client_in_r) + os.close(client_in_w) + + client_args = [] + client_args.append("--helper-protocol=%s" % opts.client_helper) + client_args.append("--username=%s" % opts.client_username) + client_args.append("--password=%s" % opts.client_password) + client_args.append("--domain=%s" % opts.client_domain) + + os.execv(ntlm_auth_path, client_args) + + client_in = client_in_r + os.close(client_in_w) + + client_out = client_out_w + os.close(client_out_r) + + (server_in_r, server_in_w) = os.pipe() + (server_out_r, server_out_w) = os.pipe() + + server_pid = os.fork() + + if not server_pid: + # We're in the server child + os.close(0) + os.close(1) + + os.dup2(server_out_r, 0) + os.close(server_out_r) + os.close(server_out_w) + + os.dup2(server_in_w, 1) + os.close(server_in_r) + os.close(server_in_w) + + server_args = [] + server_args.append("--helper-protocol=%s" % opts.server_helper) + server_args.append("--username=%s" % opts.server_username) + server_args.append("--password=%s" % opts.server_password) + server_args.append("--domain=%s" % opts.server_domain) + + os.execv(ntlm_auth_path, server_args) + + server_in = server_in_r + os.close(server_in_w) + + server_out = server_out_w + os.close(server_out_r) + + # We're in the parent + writeLine(client_out, "YR") + buf = readLine(client_in) + + if buf.count("YR ", 0, 3) != 1: + sys.exit(1) + + writeLine(server_out, buf) + buf = readLine(server_in) + + if buf.count("TT ", 0, 3) != 1: + sys.exit(2) + + writeLine(client_out, buf) + buf = readLine(client_in) + + if buf.count("AF ", 0, 3) != 1: + sys.exit(3) + + # Client sends 'AF <base64 blob>' but server expects 'KK <abse64 blob>' + buf = buf.replace("AF", "KK", 1) + + writeLine(server_out, buf) + buf = readLine(server_in) + + if buf.count("AF ", 0, 3) != 1: + sys.exit(4) + + os.close(server_in) + os.close(server_out) + os.close(client_in) + os.close(client_out) + os.waitpid(server_pid, 0) + os.waitpid(client_pid, 0) + sys.exit(0) + +if __name__ == "__main__": + main() + + |