authpolicy/stub_common.cc - chromiumos/platform2 - Git at Google

 // Copyright 2017 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "authpolicy/stub_common.h"

 // For getresuid
 #include <unistd.h>

 #include <base/files/file_path.h>
 #include <base/files/file_util.h>
 #include <base/files/scoped_file.h>
 #include <base/strings/string_util.h>
 #include <base/strings/utf_string_conversions.h>

 #include "authpolicy/constants.h"
 #include "authpolicy/samba_helper.h"

 namespace authpolicy {

 const int kExitCodeOk = 0;
 const int kExitCodeError = 1;
 const int kExitCodeUnspecifiedError = 255;

 const char kUserRealm[] = "REALM.EXAMPLE.COM";
 const char kMachineRealm[] = "DEVICES.EXAMPLE.COM";

 const char kUserName[] = "user";
 const char kUserPrincipal[] = "user@REALM.EXAMPLE.COM";
 const char kInvalidUserPrincipal[] = "user.REALM.EXAMPLE.COM";
 const char kNonExistingUserPrincipal[] = "non_existing_user@REALM.EXAMPLE.COM";
 const char kNetworkErrorUserPrincipal[] =
     "network_error_user@REALM.EXAMPLE.COM";
 const char kAccessDeniedUserPrincipal[] =
     "access_denied_user@REALM.EXAMPLE.COM";
 const char kKdcRetryUserPrincipal[] = "kdc_retry_user@REALM.EXAMPLE.COM";
 const char kKdcRetryFailsUserPrincipal[] =
     "kdc_retry_fails_user@REALM.EXAMPLE.COM";
 const char kInsufficientQuotaUserPrincipal[] =
     "insufficient_quota_user@REALM.EXAMPLE.COM";
 const char kEncTypeNotSupportedUserPrincipal[] =
     "enc_type_not_supported_user@REALM.EXAMPLE.COM";
 const char kExpiredTgtUserPrincipal[] = "tgt_expired@REALM.EXAMPLE.COM";
 const char kPasswordChangedUserPrincipal[] =
     "password_changed@REALM.EXAMPLE.COM";
 const char kPasswordChangedUserName[] = "password_changed";
 const char kNoPwdFieldsUserPrincipal[] = "no_pwd_fields@REALM.EXAMPLE.COM";
 const char kNoPwdFieldsUserName[] = "no_pwd_fields";
 const char kSeccompUserPrincipal[] = "seccomp@REALM.EXAMPLE.COM";
 const char kExpectOuUserPrincipal[] = "expect_ou@REALM.EXAMPLE.COM";

 const char kExpectedOuCreatecomputer[] =
     "ou=leaf,ou=\\ a\\\"b\\ ,ou=\\#123,ou=root,dc=REALM,dc=EXAMPLE,dc=COM";
 const char* kExpectedOuParts[] = {"leaf", " a\"b ", "#123", "root"};
 constexpr size_t kExpectedOuPartsSize = arraysize(kExpectedOuParts);

 const char kDisplayName[] = "John Doe";
 const char kGivenName[] = "John";
 const char kCommonName[] = "John Doe [user]";
 const uint64_t kPwdLastSet = 131292078840924254ul;
 const uint32_t kUserAccountControl = 512;

 // Should still be valid GUIDs, so GuidToOctetString() works.
 const char kAccountId[] = "f892eb9d-9e11-4a74-b894-0647e218c4df";
 const char kAltAccountId[] = "21094d26-9e11-4a74-b894-c8cd12a6f83b";
 const char kBadAccountId[] = "88adef4f-74ec-420d-b0a5-3726dbe711eb";
 const char kExpiredPasswordAccountId[] = "21094d26-2720-4ba4-942c-c8cd12a6f83b";
 const char kNeverExpirePasswordAccountId[] =
     "a95a88c0-862d-48f1-b9f6-ee726d0190f6";
 const char kPasswordChangedAccountId[] = "c7297a6d-2b7f-4063-bfa2-c7223e635549";
 const char kNoPwdFieldsAccountId[] = "f5ebf5a8-2fc2-46b5-a326-afd958c71f4a";

 const char kValidKrb5CCData[] = "valid";
 const char kExpiredKrb5CCData[] = "expired";

 const char kPassword[] = "p4zzw!5d";
 const char kWrongPassword[] = "pAzzwI5d";
 const char kExpiredPassword[] = "rootpw";
 const char kRejectedPassword[] = "some_previous_pw";
 const char kWillExpirePassword[] = "s00Nb4D";

 const char kMachineName[] = "testcomp";
 const char kTooLongMachineName[] = "too_long_machine_name";
 const char kInvalidMachineName[] = "invalid?na:me";
 const char kNonExistingMachineName[] = "nonexisting";
 const char kEmptyGpoMachineName[] = "emptygpo";
 const char kGpoDownloadErrorMachineName[] = "gpodownloaderr";
 const char kOneGpoMachineName[] = "onegpo";
 const char kTwoGposMachineName[] = "twogpos";
 const char kOneGpoKeepVersionMachineName[] = "keepversion1";
 const char kTwoGposKeepVersionMachineName[] = "keepversion2";
 const char kZeroUserVersionMachineName[] = "zerouserversion";
 const char kDisableUserFlagMachineName[] = "disableuserflag";
 const char kLoopbackGpoMachineName[] = "loopback";
 const char kExpectKeytabMachineName[] = "expectkeytab";
 const char kChangePasswordMachineName[] = "changepassword";
 const char kPingServerFailMachineName[] = "pingfail";
 const char kUnaffiliatedMachineName[] = "unaffiliated";
 const char kPropagationRetryMachineName[] = "propagat.nretry";
 const char kSeccompMachineName[] = "seccomp";

 const char kGpo1Guid[] = "{11111111-1111-1111-1111-111111111111}";
 const char kGpo2Guid[] = "{22222222-2222-2222-2222-222222222222}";
 const char kErrorGpoGuid[] = "{eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee}";
 const char kSeccompGpoGuid[] = "{seccomps-ecco-mpse-ccom-pseccompsecc}";

 const char kGpo1Filename[] = "stub_registry_1.pol";
 const char kGpo2Filename[] = "stub_registry_2.pol";

 const char kExpectedMachinePassFilename[] = "expected_machine_pass";

 // Helper file to implement a global counter that works across processes.
 const char kTestCounterFile[] = "test_counter";

 namespace {

 // Looks up the environment variable with key |env_key|. If |remove_prefix| is
 // false, returns its value. If |remove_prefix| is true, the value is expected
 // to be 'FILE:<path>' and only <path> is returned. CHECKs that the environment
 // variable exists, has the expected prefix if |remove_prefix| is true and that
 // the returned path is non-empty.
 std::string GetPathFromEnv(const char* env_key, bool remove_prefix) {
   const char* env_value = getenv(env_key);
   CHECK(env_value);
   if (!remove_prefix) {
     CHECK_NE(0, env_value[0]);  // Make sure it's not empty.
     return env_value;
   }

   // Remove FILE: prefix.
   std::string prefixed_path = env_value;
   CHECK(StartsWithCaseSensitive(prefixed_path, kFilePrefix));
   std::string value_without_prefix = prefixed_path.substr(strlen(kFilePrefix));
   CHECK_LT(0u, value_without_prefix.size());  // Make sure it's not empty.
   return value_without_prefix;
 }

 }  // namespace

 std::string GetCommandLine(int argc, const char* const* argv) {
   CHECK_GE(argc, 2);
   std::string command_line = argv[1];
   for (int n = 2; n < argc; ++n) {
     command_line += " ";
     command_line += argv[n];
   }
   return command_line;
 }

 std::string GetArgValue(int argc, const char* const* argv, const char* name) {
   for (int n = 1; n + 1 < argc; ++n) {
     if (strcmp(argv[n], name) == 0)
       return argv[n + 1];
   }
   return std::string();
 }

 bool StartsWithCaseSensitive(const std::string& str, const char* search_for) {
   return base::StartsWith(str, search_for, base::CompareCase::SENSITIVE);
 }

 // Writes |str| to |file_descriptor|.
 void WriteFileDescriptor(int file_descriptor, const std::string& str) {
   if (!str.empty()) {
     CHECK(base::WriteFileDescriptor(file_descriptor, str.data(), str.size()));
   }
 }

 // Writes |stdout_str| and |stderr_str| to stdout and stderr, resp.
 void WriteOutput(const std::string& stdout_str, const std::string& stderr_str) {
   WriteFileDescriptor(STDOUT_FILENO, stdout_str);
   WriteFileDescriptor(STDERR_FILENO, stderr_str);
 }

 std::string GetKeytabFilePath() {
   return GetPathFromEnv(kKrb5KTEnvKey, true /* remove_prefix */);
 }

 std::string GetKrb5ConfFilePath() {
   return GetPathFromEnv(kKrb5ConfEnvKey, true /* remove_prefix */);
 }

 std::string GetKrb5CCFilePath() {
   return GetPathFromEnv(kKrb5CCEnvKey, false /* remove_prefix */);
 }

 void CheckMachinePassword(const std::string& password) {
   std::wstring wide_password;
   CHECK(base::UTF8ToWide(password.data(), password.size(), &wide_password));
   CHECK_EQ(kMachinePasswordCodePoints, wide_password.size());
 }

 void TriggerSeccompFailure() {
   // If the tests start failing because this call got added to some seccomp
   // file, switch to any other syscall that is not whitelisted.
   uid_t unused_uid;
   getresuid(&unused_uid, &unused_uid, &unused_uid);
 }

 int64_t PostIncTestCounter(const base::FilePath& test_dir) {
   const base::FilePath test_path = test_dir.Append(kTestCounterFile);
   int64_t size;
   if (!base::GetFileSize(test_path, &size))
     size = 0;

   // Note: base::WriteFile triggers a seccomp failure, so do it old-school.
   base::ScopedFILE test_file(fopen(test_path.value().c_str(), "a"));
   CHECK(test_file);
   const char zero = 0;
   CHECK_EQ(1U, fwrite(&zero, 1, 1, test_file.get()));
   return size;
 }

 }  // namespace authpolicy
	// Copyright 2017 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "authpolicy/stub_common.h"

	// For getresuid
	#include <unistd.h>

	#include <base/files/file_path.h>
	#include <base/files/file_util.h>
	#include <base/files/scoped_file.h>
	#include <base/strings/string_util.h>
	#include <base/strings/utf_string_conversions.h>

	#include "authpolicy/constants.h"
	#include "authpolicy/samba_helper.h"

	namespace authpolicy {

	const int kExitCodeOk = 0;
	const int kExitCodeError = 1;
	const int kExitCodeUnspecifiedError = 255;

	const char kUserRealm[] = "REALM.EXAMPLE.COM";
	const char kMachineRealm[] = "DEVICES.EXAMPLE.COM";

	const char kUserName[] = "user";
	const char kUserPrincipal[] = "user@REALM.EXAMPLE.COM";
	const char kInvalidUserPrincipal[] = "user.REALM.EXAMPLE.COM";
	const char kNonExistingUserPrincipal[] = "non_existing_user@REALM.EXAMPLE.COM";
	const char kNetworkErrorUserPrincipal[] =
	"network_error_user@REALM.EXAMPLE.COM";
	const char kAccessDeniedUserPrincipal[] =
	"access_denied_user@REALM.EXAMPLE.COM";
	const char kKdcRetryUserPrincipal[] = "kdc_retry_user@REALM.EXAMPLE.COM";
	const char kKdcRetryFailsUserPrincipal[] =
	"kdc_retry_fails_user@REALM.EXAMPLE.COM";
	const char kInsufficientQuotaUserPrincipal[] =
	"insufficient_quota_user@REALM.EXAMPLE.COM";
	const char kEncTypeNotSupportedUserPrincipal[] =
	"enc_type_not_supported_user@REALM.EXAMPLE.COM";
	const char kExpiredTgtUserPrincipal[] = "tgt_expired@REALM.EXAMPLE.COM";
	const char kPasswordChangedUserPrincipal[] =
	"password_changed@REALM.EXAMPLE.COM";
	const char kPasswordChangedUserName[] = "password_changed";
	const char kNoPwdFieldsUserPrincipal[] = "no_pwd_fields@REALM.EXAMPLE.COM";
	const char kNoPwdFieldsUserName[] = "no_pwd_fields";
	const char kSeccompUserPrincipal[] = "seccomp@REALM.EXAMPLE.COM";
	const char kExpectOuUserPrincipal[] = "expect_ou@REALM.EXAMPLE.COM";

	const char kExpectedOuCreatecomputer[] =
	"ou=leaf,ou=\\ a\\\"b\\ ,ou=\\#123,ou=root,dc=REALM,dc=EXAMPLE,dc=COM";
	const char* kExpectedOuParts[] = {"leaf", " a\"b ", "#123", "root"};
	constexpr size_t kExpectedOuPartsSize = arraysize(kExpectedOuParts);

	const char kDisplayName[] = "John Doe";
	const char kGivenName[] = "John";
	const char kCommonName[] = "John Doe [user]";
	const uint64_t kPwdLastSet = 131292078840924254ul;
	const uint32_t kUserAccountControl = 512;

	// Should still be valid GUIDs, so GuidToOctetString() works.
	const char kAccountId[] = "f892eb9d-9e11-4a74-b894-0647e218c4df";
	const char kAltAccountId[] = "21094d26-9e11-4a74-b894-c8cd12a6f83b";
	const char kBadAccountId[] = "88adef4f-74ec-420d-b0a5-3726dbe711eb";
	const char kExpiredPasswordAccountId[] = "21094d26-2720-4ba4-942c-c8cd12a6f83b";
	const char kNeverExpirePasswordAccountId[] =
	"a95a88c0-862d-48f1-b9f6-ee726d0190f6";
	const char kPasswordChangedAccountId[] = "c7297a6d-2b7f-4063-bfa2-c7223e635549";
	const char kNoPwdFieldsAccountId[] = "f5ebf5a8-2fc2-46b5-a326-afd958c71f4a";

	const char kValidKrb5CCData[] = "valid";
	const char kExpiredKrb5CCData[] = "expired";

	const char kPassword[] = "p4zzw!5d";
	const char kWrongPassword[] = "pAzzwI5d";
	const char kExpiredPassword[] = "rootpw";
	const char kRejectedPassword[] = "some_previous_pw";
	const char kWillExpirePassword[] = "s00Nb4D";

	const char kMachineName[] = "testcomp";
	const char kTooLongMachineName[] = "too_long_machine_name";
	const char kInvalidMachineName[] = "invalid?na:me";
	const char kNonExistingMachineName[] = "nonexisting";
	const char kEmptyGpoMachineName[] = "emptygpo";
	const char kGpoDownloadErrorMachineName[] = "gpodownloaderr";
	const char kOneGpoMachineName[] = "onegpo";
	const char kTwoGposMachineName[] = "twogpos";
	const char kOneGpoKeepVersionMachineName[] = "keepversion1";
	const char kTwoGposKeepVersionMachineName[] = "keepversion2";
	const char kZeroUserVersionMachineName[] = "zerouserversion";
	const char kDisableUserFlagMachineName[] = "disableuserflag";
	const char kLoopbackGpoMachineName[] = "loopback";
	const char kExpectKeytabMachineName[] = "expectkeytab";
	const char kChangePasswordMachineName[] = "changepassword";
	const char kPingServerFailMachineName[] = "pingfail";
	const char kUnaffiliatedMachineName[] = "unaffiliated";
	const char kPropagationRetryMachineName[] = "propagat.nretry";
	const char kSeccompMachineName[] = "seccomp";

	const char kGpo1Guid[] = "{11111111-1111-1111-1111-111111111111}";
	const char kGpo2Guid[] = "{22222222-2222-2222-2222-222222222222}";
	const char kErrorGpoGuid[] = "{eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee}";
	const char kSeccompGpoGuid[] = "{seccomps-ecco-mpse-ccom-pseccompsecc}";

	const char kGpo1Filename[] = "stub_registry_1.pol";
	const char kGpo2Filename[] = "stub_registry_2.pol";

	const char kExpectedMachinePassFilename[] = "expected_machine_pass";

	// Helper file to implement a global counter that works across processes.
	const char kTestCounterFile[] = "test_counter";

	namespace {

	// Looks up the environment variable with key \|env_key\|. If \|remove_prefix\| is
	// false, returns its value. If \|remove_prefix\| is true, the value is expected
	// to be 'FILE:<path>' and only <path> is returned. CHECKs that the environment
	// variable exists, has the expected prefix if \|remove_prefix\| is true and that
	// the returned path is non-empty.
	std::string GetPathFromEnv(const char* env_key, bool remove_prefix) {
	const char* env_value = getenv(env_key);
	CHECK(env_value);
	if (!remove_prefix) {
	CHECK_NE(0, env_value[0]); // Make sure it's not empty.
	return env_value;
	}

	// Remove FILE: prefix.
	std::string prefixed_path = env_value;
	CHECK(StartsWithCaseSensitive(prefixed_path, kFilePrefix));
	std::string value_without_prefix = prefixed_path.substr(strlen(kFilePrefix));
	CHECK_LT(0u, value_without_prefix.size()); // Make sure it's not empty.
	return value_without_prefix;
	}

	} // namespace

	std::string GetCommandLine(int argc, const char* const* argv) {
	CHECK_GE(argc, 2);
	std::string command_line = argv[1];
	for (int n = 2; n < argc; ++n) {
	command_line += " ";
	command_line += argv[n];
	}
	return command_line;
	}

	std::string GetArgValue(int argc, const char* const* argv, const char* name) {
	for (int n = 1; n + 1 < argc; ++n) {
	if (strcmp(argv[n], name) == 0)
	return argv[n + 1];
	}
	return std::string();
	}

	bool StartsWithCaseSensitive(const std::string& str, const char* search_for) {
	return base::StartsWith(str, search_for, base::CompareCase::SENSITIVE);
	}

	// Writes \|str\| to \|file_descriptor\|.
	void WriteFileDescriptor(int file_descriptor, const std::string& str) {
	if (!str.empty()) {
	CHECK(base::WriteFileDescriptor(file_descriptor, str.data(), str.size()));
	}
	}

	// Writes \|stdout_str\| and \|stderr_str\| to stdout and stderr, resp.
	void WriteOutput(const std::string& stdout_str, const std::string& stderr_str) {
	WriteFileDescriptor(STDOUT_FILENO, stdout_str);
	WriteFileDescriptor(STDERR_FILENO, stderr_str);
	}

	std::string GetKeytabFilePath() {
	return GetPathFromEnv(kKrb5KTEnvKey, true /* remove_prefix */);
	}

	std::string GetKrb5ConfFilePath() {
	return GetPathFromEnv(kKrb5ConfEnvKey, true /* remove_prefix */);
	}

	std::string GetKrb5CCFilePath() {
	return GetPathFromEnv(kKrb5CCEnvKey, false /* remove_prefix */);
	}

	void CheckMachinePassword(const std::string& password) {
	std::wstring wide_password;
	CHECK(base::UTF8ToWide(password.data(), password.size(), &wide_password));
	CHECK_EQ(kMachinePasswordCodePoints, wide_password.size());
	}

	void TriggerSeccompFailure() {
	// If the tests start failing because this call got added to some seccomp
	// file, switch to any other syscall that is not whitelisted.
	uid_t unused_uid;
	getresuid(&unused_uid, &unused_uid, &unused_uid);
	}

	int64_t PostIncTestCounter(const base::FilePath& test_dir) {
	const base::FilePath test_path = test_dir.Append(kTestCounterFile);
	int64_t size;
	if (!base::GetFileSize(test_path, &size))
	size = 0;

	// Note: base::WriteFile triggers a seccomp failure, so do it old-school.
	base::ScopedFILE test_file(fopen(test_path.value().c_str(), "a"));
	CHECK(test_file);
	const char zero = 0;
	CHECK_EQ(1U, fwrite(&zero, 1, 1, test_file.get()));
	return size;
	}

	} // namespace authpolicy