advapi32: Add some more tests for AccessCheck that determine what

token impersonation levels it accepts and to show that it doesn't accept primary tokens.

advapi32: Add some more tests for AccessCheck that determine what
4ea75354 · Rob Shearman · Alexandre Julliard · 3f8215d2 · 4ea75354
Commit 4ea75354 authored Feb 15, 2007 by Rob Shearman Committed by Alexandre Julliard Feb 15, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 5 deletions

security.c dlls/advapi32/tests/security.c +29 -5

No files found.
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -659,6 +659,7 @@ static void test_AccessCheck(void)
    ACCESS_MASK Access;
    BOOL AccessStatus;
    HANDLE Token;
+    HANDLE ProcessToken;
    BOOL ret;
    DWORD PrivSetLen;
    PRIVILEGE_SET *PrivSet;
@@ -716,13 +717,13 @@ static void test_AccessCheck(void)
    PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
    PrivSet->PrivilegeCount = 16;

-    ImpersonateSelf(SecurityImpersonation);
+    res = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &ProcessToken);
+    ok(res, "OpenProcessToken failed with error %d\n", GetLastError());

    pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, FALSE, TRUE, &Enabled);

-    ret = OpenThreadToken(GetCurrentThread(),
-                          TOKEN_QUERY, TRUE, &Token);
-    ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
+    res = DuplicateToken(ProcessToken, SecurityIdentification, &Token);
+    ok(res, "DuplicateToken failed with error %d\n", GetLastError());

    /* SD without owner/group */
    SetLastError(0xdeadbeef);
@@ -802,7 +803,30 @@ static void test_AccessCheck(void)
        trace("Couldn't get SE_SECURITY_PRIVILEGE (0x%08x), skipping ACCESS_SYSTEM_SECURITY test\n",
            ret);

-    RevertToSelf();
+    CloseHandle(Token);
+
+    res = DuplicateToken(ProcessToken, SecurityAnonymous, &Token);
+    ok(res, "DuplicateToken failed with error %d\n", GetLastError());
+
+    SetLastError(0xdeadbeef);
+    ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
+                      PrivSet, &PrivSetLen, &Access, &AccessStatus);
+    err = GetLastError();
+    todo_wine {
+    ok(!ret && err == ERROR_BAD_IMPERSONATION_LEVEL, "AccessCheck should have failed "
+       "with ERROR_BAD_IMPERSONATION_LEVEL, instead of %d\n", err);
+    }
+
+    CloseHandle(Token);
+
+    SetLastError(0xdeadbeef);
+    ret = AccessCheck(SecurityDescriptor, ProcessToken, KEY_READ, &Mapping,
+                      PrivSet, &PrivSetLen, &Access, &AccessStatus);
+    err = GetLastError();
+    ok(!ret && err == ERROR_NO_IMPERSONATION_TOKEN, "AccessCheck should have failed "
+       "with ERROR_NO_IMPERSONATION_TOKEN, instead of %d\n", err);
+
+    CloseHandle(ProcessToken);

    if (EveryoneSid)
        FreeSid(EveryoneSid);