From 9b2d28157107602fcbe659664cf9ca25f08bb30b Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 19 Aug 2022 17:29:55 +0200
Subject: [PATCH] smbtorture: check required access for SMB2-GETINFO

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15153

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 selftest/knownfail                       |   1 +
 selftest/knownfail.d/samba3.smb2.getinfo |   2 +
 source4/torture/smb2/getinfo.c           | 147 +++++++++++++++++++++++
 3 files changed, 150 insertions(+)
 create mode 100644 selftest/knownfail.d/samba3.smb2.getinfo

diff --git a/selftest/knownfail b/selftest/knownfail
index 0b4c5a44a7f..e16b5b4694b 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -176,6 +176,7 @@
 ^samba4.smb2.oplock.stream1 # samba 4 oplocks are a mess
 ^samba4.smb2.oplock.statopen1\(ad_dc_ntvfs\)$ # fails with ACCESS_DENIED on a SYNCHRONIZE_ACCESS open
 ^samba4.smb2.getinfo.complex # streams on directories does not work
+^samba4.smb2.getinfo.getinfo_access\(ad_dc_ntvfs\) # Access checks not implemented
 ^samba4.smb2.getinfo.qfs_buffercheck # S4 does not do the INFO_LENGTH_MISMATCH/BUFFER_OVERFLOW thingy
 ^samba4.smb2.getinfo.qfile_buffercheck # S4 does not do the INFO_LENGTH_MISMATCH/BUFFER_OVERFLOW thingy
 ^samba4.smb2.getinfo.qsec_buffercheck # S4 does not do the BUFFER_TOO_SMALL thingy
diff --git a/selftest/knownfail.d/samba3.smb2.getinfo b/selftest/knownfail.d/samba3.smb2.getinfo
new file mode 100644
index 00000000000..dbef40c83f9
--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.getinfo
@@ -0,0 +1,2 @@
+^samba3.smb2.getinfo.getinfo_access\(nt4_dc\)
+^samba3.smb2.getinfo.getinfo_access\(ad_dc\)
diff --git a/source4/torture/smb2/getinfo.c b/source4/torture/smb2/getinfo.c
index 5c9097f4200..539090ac71a 100644
--- a/source4/torture/smb2/getinfo.c
+++ b/source4/torture/smb2/getinfo.c
@@ -783,6 +783,151 @@ static bool torture_smb2_getinfo(struct torture_context *tctx)
 	return ret;
 }
 
+#undef LEVEL
+#define LEVEL(l, u, ua, ra) \
+	.name = #l, \
+	.level = l, \
+	.unrestricted = u, \
+	.unrestricted_access = ua, \
+	.required_access = ra
+
+static struct {
+	const char *name;
+	uint16_t level;
+	bool unrestricted;
+	uint32_t unrestricted_access;
+	uint32_t required_access;
+} file_levels_access[] = {
+	/*
+	 * The following info levels are not checked:
+	 * - FileFullEaInformation and FileIdInformation:
+	 *   not implemented by the s4/libcli/raw
+	 * - all pipe infolevels: that should be tested elsewhere by RPC tests
+	 */
+
+	/*
+	 * The following allow unrestricted access, so requesting
+	 * SEC_FILE_READ_ATTRIBUTE works, SEC_FILE_READ_ATTRIBUTE or
+	 * SEC_FILE_READ_EA as well of course.
+	 */
+	{ LEVEL(RAW_FILEINFO_STANDARD_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_INTERNAL_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_ACCESS_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_POSITION_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_MODE_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_ALIGNMENT_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_ALT_NAME_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_STREAM_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_COMPRESSION_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_NORMALIZED_NAME_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_EA_INFORMATION, true, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_EA) },
+
+	/*
+	 * The following require either SEC_FILE_READ_ATTRIBUTE or
+	 * SEC_FILE_READ_EA.
+	 */
+	{ LEVEL(RAW_FILEINFO_BASIC_INFORMATION, false, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_ALL_INFORMATION, false, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_NETWORK_OPEN_INFORMATION, false, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_ATTRIBUTE_TAG_INFORMATION, false, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_SMB2_ALL_INFORMATION, false, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_ATTRIBUTE) },
+	{ LEVEL(RAW_FILEINFO_SMB2_ALL_EAS, false, SEC_STD_SYNCHRONIZE, SEC_FILE_READ_EA) },
+	/* Also try SEC_FILE_READ_ATTRIBUTE to show that it is the wrong one */
+	{ LEVEL(RAW_FILEINFO_SMB2_ALL_EAS, false, SEC_FILE_READ_ATTRIBUTE, SEC_FILE_READ_EA) },
+	{ LEVEL(RAW_FILEINFO_SEC_DESC, false, SEC_STD_SYNCHRONIZE, SEC_STD_READ_CONTROL) },
+	/* Also try SEC_FILE_READ_ATTRIBUTE to show that it is the wrong one */
+	{ LEVEL(RAW_FILEINFO_SEC_DESC, false, SEC_FILE_READ_ATTRIBUTE, SEC_STD_READ_CONTROL) }
+};
+
+
+/*
+  test fileinfo levels
+*/
+static bool torture_smb2_getfinfo_access(struct torture_context *tctx,
+					 struct smb2_tree *tree)
+{
+	const char *fname = "torture_smb2_getfinfo_access";
+	struct smb2_handle hfile;
+	NTSTATUS status;
+	bool ret = true;
+	int i;
+
+	smb2_deltree(tree, fname);
+
+	torture_setup_complex_file(tctx, tree, fname);
+
+	for (i = 0; i < ARRAY_SIZE(file_levels_access); i++) {
+		union smb_fileinfo finfo;
+		NTSTATUS expected_status;
+
+		/*
+		 * First open with unrestricted_access, SEC_STD_SYNCHRONIZE for
+		 * most tests, info levels with unrestricted=true should allow
+		 * this.
+		 */
+		status = torture_smb2_testfile_access(
+			tree, fname, &hfile, file_levels_access[i].unrestricted_access);
+		torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					   "Unable to open test file\n");
+
+		if (file_levels_access[i].level == RAW_FILEINFO_SEC_DESC) {
+			finfo.query_secdesc.in.secinfo_flags = 0x7;
+		}
+		if (file_levels_access[i].level == RAW_FILEINFO_SMB2_ALL_EAS) {
+			finfo.all_eas.in.continue_flags =
+				SMB2_CONTINUE_FLAG_RESTART;
+		}
+
+		finfo.generic.level = file_levels_access[i].level;
+		finfo.generic.in.file.handle = hfile;
+
+		if (file_levels_access[i].unrestricted) {
+			expected_status = NT_STATUS_OK;
+		} else {
+			expected_status = NT_STATUS_ACCESS_DENIED;
+		}
+
+		status = smb2_getinfo_file(tree, tree, &finfo);
+		torture_assert_ntstatus_equal_goto(
+			tctx, status, expected_status, ret, done,
+			talloc_asprintf(tctx, "Level %s failed\n",
+					file_levels_access[i].name));
+
+		smb2_util_close(tree, hfile);
+
+		/*
+		 * Now open with expected access, getinfo should work.
+		 */
+		status = torture_smb2_testfile_access(
+			tree, fname, &hfile, file_levels_access[i].required_access);
+		torture_assert_ntstatus_ok_goto(
+			tctx, status, ret, done,
+			"Unable to open test file\n");
+
+		if (file_levels_access[i].level == RAW_FILEINFO_SEC_DESC) {
+			finfo.query_secdesc.in.secinfo_flags = 0x7;
+		}
+		if (file_levels_access[i].level == RAW_FILEINFO_SMB2_ALL_EAS) {
+			finfo.all_eas.in.continue_flags =
+				SMB2_CONTINUE_FLAG_RESTART;
+		}
+		finfo.generic.level = file_levels_access[i].level;
+		finfo.generic.in.file.handle = hfile;
+
+		status = smb2_getinfo_file(tree, tree, &finfo);
+		torture_assert_ntstatus_ok_goto(
+			tctx, status, ret, done,
+			talloc_asprintf(tctx, "%s on file",
+					file_levels_access[i].name));
+
+		smb2_util_close(tree, hfile);
+	}
+
+done:
+	smb2_deltree(tree, fname);
+	return ret;
+}
+
 struct torture_suite *torture_smb2_getinfo_init(TALLOC_CTX *ctx)
 {
 	struct torture_suite *suite = torture_suite_create(
@@ -800,5 +945,7 @@ struct torture_suite *torture_smb2_getinfo_init(TALLOC_CTX *ctx)
 				      torture_smb2_fileinfo_grant_read);
 	torture_suite_add_simple_test(suite, "normalized",
 				      torture_smb2_fileinfo_normalized);
+	torture_suite_add_1smb2_test(suite, "getinfo_access",
+				     torture_smb2_getfinfo_access);
 	return suite;
 }
-- 
2.47.3