selftest: Add tests for ntlm-server-1 and --password mode in ntlm_auth
authorAndrew Bartlett <abartlet@samba.org>
Thu, 7 Jan 2016 03:06:20 +0000 (16:06 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 7 Jan 2016 06:41:22 +0000 (07:41 +0100)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jan  7 07:41:22 CET 2016 on sn-devel-144

source3/script/tests/test_ntlm_auth_s3.sh

index 655556b692c694a741563112d9f2a2a125a48160..a6f20ed04da18378cb2405b77feca6853cf982bc 100755 (executable)
@@ -24,7 +24,7 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_interactive_prompt_stdout()
+test_plaintext_check_output_stdout()
 {
        tmpfile=$PREFIX/ntlm_commands
 
@@ -55,7 +55,7 @@ EOF
        fi
 }
 
-test_interactive_prompt_stdout_fail()
+test_plaintext_check_output_fail()
 {
        tmpfile=$PREFIX/ntlm_commands
 
@@ -86,6 +86,188 @@ EOF
        fi
 }
 
+test_ntlm_server_1_check_output()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       cat > $tmpfile <<EOF
+LANMAN-Challenge: 0123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: TEST
+Username: testuser
+Request-User-Session-Key: Yes
+.
+EOF
+       cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1  --password=SecREt01< $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # authenticated .. succeed
+               true
+       else
+               echo failed to get successful authentication
+               false
+       fi
+}
+
+test_ntlm_server_1_check_output_fail()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       # Break the password with a leading A on the challenge
+       cat > $tmpfile <<EOF
+LANMAN-Challenge: A123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: TEST
+Username: testuser
+Request-User-Session-Key: Yes
+.
+EOF
+       cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01 < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # failed to authenticate .. success
+               true
+       else
+               echo "incorrectly gave a successful authentication"
+               false
+       fi
+}
+
+test_ntlm_server_1_check_winbind_output()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       # This isn't the correct password
+       cat > $tmpfile <<EOF
+Password: $PASSWORD
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+       cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$SID < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "Authenticated: Yes" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # authenticated .. success
+               true
+       else
+               echo "Failed to authenticate the user or match with SID $SID"
+               false
+       fi
+}
+
+test_ntlm_server_1_check_winbind_output_wrong_sid()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       # This isn't the correct password
+       cat > $tmpfile <<EOF
+Password: $PASSWORD
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+       cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$BADSID < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # failed to authenticate .. success
+               true
+       else
+               echo "incorrectly gave a successful authentication"
+               false
+       fi
+}
+
+test_ntlm_server_1_check_winbind_output_fail()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       # This isn't the correct password
+       cat > $tmpfile <<EOF
+LANMAN-Challenge: 0123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+       cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # failed to authenticate .. success
+               true
+       else
+               echo "incorrectly gave a successful authentication"
+               false
+       fi
+}
+
 testit "ntlm_auth" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS || failed=`expr $failed + 1`
 # This should work even with NTLMv2
 testit "ntlm_auth with specified domain" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo || failed=`expr $failed + 1`
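Review bot: test_ntlm_server_1_check_winbind_output and test_ntlm_server_1_check_winbind_output_wrong_sid write `Password: $PASSWORD` into the fixed path `$PREFIX/ntlm_commands`, which every function in this hunk reuses and which is created with whatever umask the test run inherits. Creating the file with `tmpfile=$(mktemp "$PREFIX/ntlm_commands.XXXXXX")` would give each test a unique, owner-only file, so overlapping runs cannot clobber each other's input and the password is not readable by other local users; this assumes mktemp is available in the selftest environment. In the same two functions the comment `# This isn't the correct password` contradicts the heredoc beneath it, which sends the correct password. Something like `# Correct password; only the --require-membership-of SID is under test` would match what the test does.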
@@ -101,7 +283,13 @@ testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against w
 testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 
-testit "ntlm_auth plaintext authentication with require-membership-of" test_interactive_prompt_stdout || failed=`expr $failed + 1`
-testit "ntlm_auth plaintext authentication with failed require-membership-of" test_interactive_prompt_stdout_fail || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with require-membership-of" test_plaintext_check_output_stdout || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with failed require-membership-of" test_plaintext_check_output_fail || failed=`expr $failed + 1`
+
+testit "ntlm_auth ntlm-server-1 with fixed password" test_ntlm_server_1_check_output || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with incorrect fixed password" test_ntlm_server_1_check_output_fail || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=`expr $failed + 1`
 
 testok $0 $failed