libcli/security: cmocka test for running conditional ACEs

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/security/tests/test_run_conditional_ace.c b/libcli/security/tests/test_run_conditional_ace.c
new file mode 100644 (file)
index 0000000..38b8ed8
--- /dev/null
+++ b/libcli/security/tests/test_run_conditional_ace.c
@@ -0,0 +1,674 @@
+/*
+ * Unit tests for conditional ACE SDDL.
+ *
+ *  Copyright (C) Catalyst.NET Ltd 2023
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include "cmocka.h"
+
+#include "lib/util/attr.h"
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+#include "libcli/security/conditional_ace.h"
+#include "librpc/gen_ndr/conditional_ace.h"
+#include "libcli/security/claims-conversions.h"
+
+#define debug_message(...) print_message(__VA_ARGS__)
+
+#define debug_fail(x, ...) print_message("\033[1;31m" x "\033[0m", __VA_ARGS__)
+#define debug_ok(x, ...) print_message("\033[1;32m" x "\033[0m", __VA_ARGS__)
+
+#define assert_ntstatus_equal(got, expected, comment)    \
+       do { NTSTATUS __got = got, __expected = expected;               \
+               if (!NT_STATUS_EQUAL(__got, __expected)) {              \
+                       print_message(": "#got" was %s, expected %s: %s", \
+                                     nt_errstr(__got),                 \
+                                     nt_errstr(__expected), comment);  \
+                       fail();                                         \
+               }                                                       \
+       } while(0)
+
+
+
+
+/*
+static void print_error_message(const char *sddl,
+                               const char *message,
+                               size_t message_offset)
+{
+       print_message("%s\n\033[1;33m %*c\033[0m\n", sddl,
+                     (int)message_offset, '^');
+       print_message("%s\n", message);
+}
+*/
+static bool fill_token_claims(TALLOC_CTX *mem_ctx,
+                             struct security_token *token,
+                          const char *claim_type,
+                          const char *name,
+                          ...)
+{
+       va_list args;
+       va_start(args, name);
+       while (true) {
+               struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
+               const char *str = va_arg(args, const char *);
+               if (str == NULL) {
+                       break;
+               }
+               claim = parse_sddl_literal_as_claim(mem_ctx,
+                                                   name,
+                                                   str);
+               if (claim == NULL) {
+                       debug_fail("bad claim: %s\n", str);
+                       return false;
+               }
+               add_claim_to_token(mem_ctx, token, claim, claim_type);
+       }
+       va_end(args);
+       return true;
+}
+
+
+static bool fill_token_sids(TALLOC_CTX *mem_ctx,
+                           struct security_token *token,
+                           const char *owner,
+                        ...)
+{
+       uint32_t *n = &token->num_sids;
+       struct dom_sid **list = NULL;
+       va_list args;
+       if (strcmp(owner, "device") == 0) {
+               n = &token->num_device_sids;
+               list = &token->device_sids;
+       } else if (strcmp(owner, "user") == 0) {
+               n = &token->num_sids;
+               list = &token->sids;
+       } else {
+               return false;
+       }
+
+       *n = 0;
+       va_start(args, owner);
+       while (true) {
+               struct dom_sid *sid = NULL;
+               const char *str = va_arg(args, const char *);
+               if (str == NULL) {
+                       break;
+               }
+
+               sid = sddl_decode_sid(mem_ctx, &str, NULL);
+               if (sid == NULL) {
+                       debug_fail("bad SID: %s\n", str);
+                       return false;
+               }
+               add_sid_to_array(mem_ctx, sid, list, n);
+       }
+       va_end(args);
+       return true;
+}
+
+
+static void test_device_claims_composite(void **state)
+{
+       TALLOC_CTX *mem_ctx = talloc_new(NULL);
+       struct security_token token = {};
+       bool ok;
+       NTSTATUS status;
+       uint32_t access_granted = 0;
+       struct security_descriptor *sd = NULL;
+       const char *sddl = \
+               "D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))";
+       ok = fill_token_sids(mem_ctx, &token,
+                            "user",
+                            "WD", "AA", NULL);
+       assert_true(ok);
+       ok = fill_token_claims(mem_ctx, &token,
+                              "device", "colour",
+                              "{\"orange\", \"blue\"}",
+                              NULL);
+       assert_true(ok);
+       sd = sddl_decode(mem_ctx, sddl, NULL);
+       assert_non_null(sd);
+       status = se_access_check(sd, &token, 0x10, &access_granted);
+       assert_ntstatus_equal(status, NT_STATUS_OK, "access check failed\n");
+}
+
+
+static bool fill_sd(TALLOC_CTX *mem_ctx,
+                   struct security_descriptor **sd,
+                   const char *sddl)
+{
+       *sd = sddl_decode(mem_ctx, sddl, NULL);
+       return *sd != NULL;
+}
+
+#define USER_SIDS(...) \
+       assert_true(fill_token_sids(mem_ctx, &token, "user", __VA_ARGS__, NULL))
+
+#define DEVICE_SIDS(...) \
+       assert_true(     \
+               fill_token_sids(mem_ctx, &token, "device", __VA_ARGS__, NULL))
+
+#define USER_CLAIMS(...) \
+       assert_true(     \
+               fill_token_claims(mem_ctx, &token, "user", __VA_ARGS__, NULL))
+
+#define LOCAL_CLAIMS(...)                          \
+       assert_true(fill_token_claims(mem_ctx,     \
+                                     &token,      \
+                                     "local",     \
+                                     __VA_ARGS__, \
+                                     NULL))
+
+#define DEVICE_CLAIMS(...)                         \
+       assert_true(fill_token_claims(mem_ctx,     \
+                                     &token,      \
+                                     "device",    \
+                                     __VA_ARGS__, \
+                                     NULL))
+
+
+#define SD(sddl) assert_true(fill_sd(mem_ctx, &sd, sddl))
+#define SD_FAIL(sddl) assert_false(fill_sd(mem_ctx, &sd, sddl))
+
+#define ALLOW_CHECK(requested)                                 \
+       do {                                                   \
+               NTSTATUS status;                               \
+               uint32_t access_granted = 0;                   \
+               status = se_access_check(sd,                   \
+                                        &token,               \
+                                        requested,            \
+                                        &access_granted);     \
+               assert_ntstatus_equal(status,                  \
+                                     NT_STATUS_OK,            \
+                                     "access not granted\n"); \
+       } while (0)
+
+
+#define DENY_CHECK(requested)                                  \
+       do {                                                   \
+               NTSTATUS status;                               \
+               uint32_t access_granted = 0;                   \
+               status = se_access_check(sd,                   \
+                                        &token,               \
+                                        requested,            \
+                                        &access_granted);     \
+               assert_ntstatus_equal(status,                  \
+                                     NT_STATUS_ACCESS_DENIED, \
+                                     "not denied\n");         \
+       } while (0)
+
+
+#define INIT()                                 \
+       TALLOC_CTX *mem_ctx = talloc_new(NULL); \
+       struct security_token token = {};       \
+       struct security_descriptor *sd = NULL;
+
+
+
+static void test_composite_different_order(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"blue\", \"orange\"}");
+       /*
+        * Claim arrays are sets, so we assume conditional ACE ones are too.
+        */
+       ALLOW_CHECK(0x10);
+}
+
+static void test_composite_different_order_with_dupes(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\", \"orange\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"blue\", \"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_composite_different_order_with_SID_dupes(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), SID(WD)}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_composite_mixed_types(void **state)
+{
+       /*
+        * If the conditional ACE composite hasa mixed types, it can
+        * never equal a claim, which only has one type.
+        */
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour == {2, SID(WD), SID(AA), SID(WD)}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
+       DENY_CHECK(0x10);
+}
+
+static void test_different_case(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"OraNgE\", \"BLuE\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_different_case_with_case_sensitive_flag(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"OraNgE\", \"BLuE\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       /* set the flag bit */
+       token.device_claims[0].flags = CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
+       DENY_CHECK(0x10);
+}
+
+
+static void test_claim_name_different_case(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.Colour == {\"orange\", \"blue\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_claim_name_different_case_case_flag(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.Colour == {\"orange\", \"blue\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       /*
+        * The CASE_SENSITIVE flag is for the values, not the names.
+        */
+       token.device_claims[0].flags = CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
+       ALLOW_CHECK(0x10);
+}
+
+static void test_more_values_not_equal(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour != {\"orange\", \"blue\", \"green\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_contains(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains {\"orange\", \"blue\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_contains_incomplete(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains {\"orange\", \"blue\", \"red\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       DENY_CHECK(0x10);
+}
+
+static void test_any_of(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of {\"orange\", \"blue\", \"red\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_any_of_match_last(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of {\"a\", \"b\", \"blue\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_any_of_1(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of\"blue\"))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_contains_1(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains \"blue\"))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_contains_1_fail(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains \"pink\"))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       DENY_CHECK(0x10);
+}
+
+static void test_any_of_1_fail(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of \"pink\"))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       DENY_CHECK(0x10);
+}
+
+
+static void test_not_any_of_1_fail(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of\"blue\"))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       DENY_CHECK(0x10);
+}
+
+static void test_not_any_of_composite_1(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of{\"blue\"}))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       DENY_CHECK(0x10);
+}
+
+static void test_not_contains_1_fail(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Contains \"blue\"))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       DENY_CHECK(0x10);
+}
+
+static void test_not_contains_1(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Contains \"pink\"))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_not_any_of_1(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of \"pink\"))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_not_Not_Any_of_1(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(!(@Device.colour Not_Any_of \"pink\")))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       DENY_CHECK(0x10);
+}
+
+static void test_not_Not_Contains_1(void **state)
+{
+       INIT()
+       SD("D:(XA;;0x1f;;;AA;(! (@Device.colour Not_Contains \"blue\")))");
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       ALLOW_CHECK(0x10);
+}
+
+
+static void test_not_not_Not_Member_of(void **state)
+{
+       INIT();
+       SD("D:(XA;;0x1f;;;AA;(!(!(Not_Member_of{SID(BA)}))))");
+       USER_SIDS("WD", "AA");
+       DEVICE_SIDS("BA", "BG");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_not_not_Not_Member_of_fail(void **state)
+{
+       INIT();
+       SD("D:(XA;;0x1f;;;AA;(!(!(Not_Member_of{SID(AA)}))))");
+       USER_SIDS("WD", "AA");
+       DEVICE_SIDS("BA", "BG");
+       DENY_CHECK(0x10);
+}
+
+static void test_not_not_not_not_not_not_not_not_not_not_Not_Member_of(void **state)
+{
+       INIT();
+       SD("D:(XA;;0x1f;;;AA;(!(!(!( !(!(!(  !(!(!( "
+          "Not_Member_of{SID(AA)})))))))))))");
+       USER_SIDS("WD", "AA");
+       DEVICE_SIDS("BA", "BG");
+       ALLOW_CHECK(0x10);
+}
+
+
+static void test_Device_Member_of_and_Member_of(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA");
+       DEVICE_SIDS("BA", "BG");
+       SD("D:(XA;;0x1f;;;AA;"
+          "(Device_Member_of{SID(BA)} && Member_of{SID(WD)}))");
+       ALLOW_CHECK(0x10);
+}
+
+
+static void test_Device_claim_contains_Resource_claim(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "\"blue\"");
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
+          "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
+       ALLOW_CHECK(0x10);
+}
+
+
+static void test_device_claim_comtains_resource_claim(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "\"blue\"");
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
+          "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_device_claim_eq_resource_claim(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "\"blue\"");
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour == @Resource.colour))"
+          "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_user_claim_eq_device_claim(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA");
+       USER_CLAIMS("colour", "\"blue\"");
+       DEVICE_CLAIMS("colour", "\"blue\"");
+       SD("D:(XA;;0x1f;;;AA;(@User.colour == @Device.colour))");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_device_claim_eq_resource_claim_2(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_resource_ace_multi(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "{\"blue\", \"red\"}");
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
+          "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\", \"red\"))");
+       ALLOW_CHECK(0x10);
+}
+
+static void test_resource_ace_multi_any_of(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA");
+       DEVICE_CLAIMS("colour", "\"blue\"");
+       SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of @Resource.colour))"
+          "S:(RA;;;;;WD;(\"colour\",TS,0,\"grue\", \"blue\", \"red\"))");
+       ALLOW_CHECK(0x10);
+}
+
+
+static void test_horrible_fuzz_derived_test_3(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA", "IS");
+       SD("S:PPPPPPD:(XD;OI;0x1;;;IS;())(OL;;GR;;;S-1-5-75-552)");
+       DENY_CHECK(0x1);
+}
+
+static void test_horrible_fuzz_derived_test_4(void **state)
+{
+       INIT();
+       USER_SIDS("WD", "AA", "IS");
+       SD_FAIL("S:PPD:(XA;OI;0x1;;;IS;(q>))");
+}
+
+static void test_resource_ace_single(void **state)
+{
+        INIT();
+        USER_SIDS("WD", "AA");
+        DEVICE_CLAIMS("colour", "\"blue\"");
+        SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
+          "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
+        ALLOW_CHECK(0x10);
+}
+
+
+static void test_user_attr_any_of_missing_resource_and_user_attr(void **state)
+{
+        INIT();
+        USER_SIDS("WD", "AA");
+        DEVICE_CLAIMS("colour", "\"blue\"");
+        SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))");
+        DENY_CHECK(0x10);
+}
+
+static void test_user_attr_any_of_missing_resource_attr(void **state)
+{
+        INIT();
+        USER_SIDS("WD", "AA");
+        USER_CLAIMS("Project", "3");
+        SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))");
+        DENY_CHECK(0x10);
+}
+
+static void test_user_attr_any_of_missing_user_attr(void **state)
+{
+        INIT();
+        USER_SIDS("WD", "AA");
+        SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))"
+          "S:(RA;;;;;WD;(\"Project\",TX,0,#1234))");
+        DENY_CHECK(0x10);
+}
+
+
+int main(_UNUSED_ int argc, _UNUSED_ const char **argv)
+{
+       const struct CMUnitTest tests[] = {
+               cmocka_unit_test(test_user_attr_any_of_missing_resource_and_user_attr),
+               cmocka_unit_test(test_user_attr_any_of_missing_resource_attr),
+               cmocka_unit_test(test_user_attr_any_of_missing_user_attr),
+               cmocka_unit_test(test_composite_mixed_types),
+               cmocka_unit_test(test_composite_different_order_with_SID_dupes),
+               cmocka_unit_test(test_device_claim_eq_resource_claim_2),
+               cmocka_unit_test(test_not_Not_Any_of_1),                
+               cmocka_unit_test(test_not_any_of_composite_1),          
+               cmocka_unit_test(test_resource_ace_single),
+               cmocka_unit_test(test_horrible_fuzz_derived_test_4),
+               cmocka_unit_test(test_horrible_fuzz_derived_test_3),
+               cmocka_unit_test(test_Device_Member_of_and_Member_of),
+               cmocka_unit_test(test_resource_ace_multi),
+               cmocka_unit_test(test_resource_ace_multi_any_of),
+               cmocka_unit_test(test_user_claim_eq_device_claim),
+               cmocka_unit_test(test_device_claim_comtains_resource_claim),
+               cmocka_unit_test(test_device_claim_eq_resource_claim),
+               cmocka_unit_test(test_Device_claim_contains_Resource_claim),
+               cmocka_unit_test(test_not_Not_Contains_1),
+               cmocka_unit_test(test_not_not_Not_Member_of_fail),
+               cmocka_unit_test(test_not_not_Not_Member_of),
+               cmocka_unit_test(test_not_not_not_not_not_not_not_not_not_not_Not_Member_of),
+               cmocka_unit_test(test_not_any_of_1_fail),
+               cmocka_unit_test(test_not_any_of_1),
+               cmocka_unit_test(test_not_contains_1),
+               cmocka_unit_test(test_not_contains_1_fail),
+               cmocka_unit_test(test_any_of_1_fail),
+               cmocka_unit_test(test_any_of_1),
+               cmocka_unit_test(test_any_of),
+               cmocka_unit_test(test_any_of_match_last),
+               cmocka_unit_test(test_contains_incomplete),
+               cmocka_unit_test(test_contains),
+               cmocka_unit_test(test_contains_1),
+               cmocka_unit_test(test_contains_1_fail),
+               cmocka_unit_test(test_device_claims_composite),
+               cmocka_unit_test(test_claim_name_different_case),
+               cmocka_unit_test(test_claim_name_different_case_case_flag),
+               cmocka_unit_test(test_different_case_with_case_sensitive_flag),
+               cmocka_unit_test(test_composite_different_order),
+               cmocka_unit_test(test_different_case),
+               cmocka_unit_test(test_composite_different_order_with_dupes),
+               cmocka_unit_test(test_more_values_not_equal),
+};
+       if (!isatty(1)) {
+               cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+       }
+       return cmocka_run_group_tests(tests, NULL, NULL);
+}

diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build
index f8f10e787c54ff261eb7960c92d4c438953c2eb6..d02c1e44ab504690fed4d98e238c93bd4a8f1f7f 100644 (file)
--- a/libcli/security/wscript_build
+++ b/libcli/security/wscript_build
@@ -32,3 +32,17 @@ bld.SAMBA_BINARY(
     ''',
     for_selftest=True
 )
+
+bld.SAMBA_BINARY(
+    'test_run_conditional_ace',
+    source='tests/test_run_conditional_ace.c',
+    deps='''
+        cmocka
+        talloc
+        samba-util
+        asn1util
+        NDR_SECURITY
+        samba-security
+    ''',
+    for_selftest=True
+)

diff --git a/selftest/knownfail.d/run_conditional_ace b/selftest/knownfail.d/run_conditional_ace
new file mode 100644 (file)
index 0000000..0bddf92
--- /dev/null
+++ b/selftest/knownfail.d/run_conditional_ace
@@ -0,0 +1,28 @@
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_SID_dupes\b
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim_2\b
+^samba.unittests.run_conditional_ace.test_resource_ace_single\b
+^samba.unittests.run_conditional_ace.test_Device_Member_of_and_Member_of\b
+^samba.unittests.run_conditional_ace.test_resource_ace_multi\b
+^samba.unittests.run_conditional_ace.test_resource_ace_multi_any_of\b
+^samba.unittests.run_conditional_ace.test_user_claim_eq_device_claim\b
+^samba.unittests.run_conditional_ace.test_device_claim_comtains_resource_claim\b
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim\b
+^samba.unittests.run_conditional_ace.test_Device_claim_contains_Resource_claim\b
+^samba.unittests.run_conditional_ace.test_not_Not_Contains_1\b
+^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of\b
+^samba.unittests.run_conditional_ace.test_not_not_not_not_not_not_not_not_not_not_Not_Member_of\b
+^samba.unittests.run_conditional_ace.test_not_any_of_1\b
+^samba.unittests.run_conditional_ace.test_not_contains_1\b
+^samba.unittests.run_conditional_ace.test_any_of_1\b
+^samba.unittests.run_conditional_ace.test_any_of\b
+^samba.unittests.run_conditional_ace.test_any_of_match_last\b
+^samba.unittests.run_conditional_ace.test_contains\b
+^samba.unittests.run_conditional_ace.test_contains_1\b
+^samba.unittests.run_conditional_ace.test_device_claims_composite\b
+^samba.unittests.run_conditional_ace.test_claim_name_different_case\b
+^samba.unittests.run_conditional_ace.test_claim_name_different_case_case_flag\b
+^samba.unittests.run_conditional_ace.test_composite_different_order\b
+^samba.unittests.run_conditional_ace.test_different_case\b
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_dupes\b
+^samba.unittests.run_conditional_ace.test_more_values_not_equal\b
+

diff --git a/selftest/tests.py b/selftest/tests.py
index 68271e70bc13da8ae43b833de3b126fd3293563d..6faa22a717b3110919951f92a8b42222f9ae7d15 100644 (file)
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -488,3 +488,5 @@ plantestsuite("samba.unittests.compression.lzxpress_plain", "none",
 
 plantestsuite("samba.unittests.sddl_conditional_ace", "none",
               [os.path.join(bindir(), "test_sddl_conditional_ace")])
+plantestsuite("samba.unittests.run_conditional_ace", "none",
+              [os.path.join(bindir(), "test_run_conditional_ace")])