1/* 2 Unix SMB/CIFS implementation. 3 test suite for eventlog rpc operations 4 5 Copyright (C) Tim Potter 2003,2005 6 Copyright (C) Jelmer Vernooij 2004 7 Copyright (C) Guenther Deschner 2009 8 9 This program is free software; you can redistribute it and/or modify 10 it under the terms of the GNU General Public License as published by 11 the Free Software Foundation; either version 3 of the License, or 12 (at your option) any later version. 13 14 This program is distributed in the hope that it will be useful, 15 but WITHOUT ANY WARRANTY; without even the implied warranty of 16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 GNU General Public License for more details. 18 19 You should have received a copy of the GNU General Public License 20 along with this program. If not, see <http://www.gnu.org/licenses/>. 21*/ 22 23#include "includes.h" 24#include "torture/torture.h" 25#include "librpc/gen_ndr/ndr_eventlog.h" 26#include "librpc/gen_ndr/ndr_eventlog_c.h" 27#include "librpc/gen_ndr/ndr_lsa.h" 28#include "torture/rpc/rpc.h" 29#include "param/param.h" 30 31#define TEST_BACKUP_NAME "samrtorturetest" 32 33static void init_lsa_String(struct lsa_String *name, const char *s) 34{ 35 name->string = s; 36 name->length = 2*strlen_m(s); 37 name->size = name->length; 38} 39 40static bool get_policy_handle(struct torture_context *tctx, 41 struct dcerpc_pipe *p, 42 struct policy_handle *handle) 43{ 44 struct eventlog_OpenEventLogW r; 45 struct eventlog_OpenUnknown0 unknown0; 46 struct lsa_String logname, servername; 47 48 unknown0.unknown0 = 0x005c; 49 unknown0.unknown1 = 0x0001; 50 51 r.in.unknown0 = &unknown0; 52 init_lsa_String(&logname, "dns server"); 53 init_lsa_String(&servername, NULL); 54 r.in.logname = &logname; 55 r.in.servername = &servername; 56 r.in.major_version = 0x00000001; 57 r.in.minor_version = 0x00000001; 58 r.out.handle = handle; 59 60 torture_assert_ntstatus_ok(tctx, 61 dcerpc_eventlog_OpenEventLogW(p, tctx, &r), 62 "OpenEventLog failed"); 63 64 torture_assert_ntstatus_ok(tctx, r.out.result, "OpenEventLog failed"); 65 66 return true; 67} 68 69 70 71static bool test_GetNumRecords(struct torture_context *tctx, struct dcerpc_pipe *p) 72{ 73 struct eventlog_GetNumRecords r; 74 struct eventlog_CloseEventLog cr; 75 struct policy_handle handle; 76 uint32_t number = 0; 77 78 if (!get_policy_handle(tctx, p, &handle)) 79 return false; 80 81 ZERO_STRUCT(r); 82 r.in.handle = &handle; 83 r.out.number = &number; 84 85 torture_assert_ntstatus_ok(tctx, 86 dcerpc_eventlog_GetNumRecords(p, tctx, &r), 87 "GetNumRecords failed"); 88 89 torture_comment(tctx, "%d records\n", *r.out.number); 90 91 cr.in.handle = cr.out.handle = &handle; 92 93 torture_assert_ntstatus_ok(tctx, 94 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 95 "CloseEventLog failed"); 96 return true; 97} 98 99static bool test_ReadEventLog(struct torture_context *tctx, 100 struct dcerpc_pipe *p) 101{ 102 NTSTATUS status; 103 struct eventlog_ReadEventLogW r; 104 struct eventlog_CloseEventLog cr; 105 struct policy_handle handle; 106 107 uint32_t sent_size = 0; 108 uint32_t real_size = 0; 109 110 if (!get_policy_handle(tctx, p, &handle)) 111 return false; 112 113 ZERO_STRUCT(r); 114 r.in.offset = 0; 115 r.in.handle = &handle; 116 r.in.flags = 0; 117 r.out.data = NULL; 118 r.out.sent_size = &sent_size; 119 r.out.real_size = &real_size; 120 121 status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r); 122 123 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, 124 "ReadEventLog failed"); 125 126 while (1) { 127 DATA_BLOB blob; 128 struct EVENTLOGRECORD rec; 129 enum ndr_err_code ndr_err; 130 uint32_t size = 0; 131 uint32_t pos = 0; 132 133 /* Read first for number of bytes in record */ 134 135 r.in.number_of_bytes = 0; 136 r.in.flags = EVENTLOG_BACKWARDS_READ|EVENTLOG_SEQUENTIAL_READ; 137 r.out.data = NULL; 138 r.out.sent_size = &sent_size; 139 r.out.real_size = &real_size; 140 141 status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r); 142 143 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_END_OF_FILE)) { 144 /* FIXME: still need to decode then */ 145 break; 146 } 147 148 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_BUFFER_TOO_SMALL, 149 "ReadEventLog failed"); 150 151 /* Now read the actual record */ 152 153 r.in.number_of_bytes = *r.out.real_size; 154 r.out.data = talloc_array(tctx, uint8_t, r.in.number_of_bytes); 155 156 status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r); 157 158 torture_assert_ntstatus_ok(tctx, status, "ReadEventLog failed"); 159 160 /* Decode a user-marshalled record */ 161 size = IVAL(r.out.data, pos); 162 163 while (size > 0) { 164 165 blob = data_blob_const(r.out.data + pos, size); 166 dump_data(0, blob.data, blob.length); 167 168 ndr_err = ndr_pull_struct_blob_all(&blob, tctx, 169 lp_iconv_convenience(tctx->lp_ctx), &rec, 170 (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD); 171 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 172 status = ndr_map_error2ntstatus(ndr_err); 173 torture_assert_ntstatus_ok(tctx, status, 174 "ReadEventLog failed parsing event log record"); 175 } 176 177 NDR_PRINT_DEBUG(EVENTLOGRECORD, &rec); 178 179 pos += size; 180 181 if (pos + 4 > *r.out.sent_size) { 182 break; 183 } 184 185 size = IVAL(r.out.data, pos); 186 } 187 188 torture_assert_ntstatus_ok(tctx, status, 189 "ReadEventLog failed parsing event log record"); 190 191 r.in.offset++; 192 } 193 194 cr.in.handle = cr.out.handle = &handle; 195 196 torture_assert_ntstatus_ok(tctx, 197 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 198 "CloseEventLog failed"); 199 200 return true; 201} 202 203static bool test_ReportEventLog(struct torture_context *tctx, 204 struct dcerpc_pipe *p) 205{ 206 struct eventlog_ReportEventW r; 207 struct eventlog_CloseEventLog cr; 208 struct policy_handle handle; 209 210 uint32_t record_number = 0; 211 time_t time_written = 0; 212 struct lsa_String servername, *strings; 213 214 if (!get_policy_handle(tctx, p, &handle)) 215 return false; 216 217 init_lsa_String(&servername, NULL); 218 219 strings = talloc_array(tctx, struct lsa_String, 1); 220 init_lsa_String(&strings[0], "Currently tortured by samba 4"); 221 222 ZERO_STRUCT(r); 223 224 r.in.handle = &handle; 225 r.in.timestamp = time(NULL); 226 r.in.event_type = EVENTLOG_INFORMATION_TYPE; 227 r.in.event_category = 0; 228 r.in.event_id = 0; 229 r.in.num_of_strings = 1; 230 r.in.data_size = 0; 231 r.in.servername = &servername; 232 r.in.user_sid = NULL; 233 r.in.strings = &strings; 234 r.in.data = NULL; 235 r.in.flags = 0; 236 r.in.record_number = r.out.record_number = &record_number; 237 r.in.time_written = r.out.time_written = &time_written; 238 239 torture_assert_ntstatus_ok(tctx, 240 dcerpc_eventlog_ReportEventW(p, tctx, &r), 241 "ReportEventW failed"); 242 243 torture_assert_ntstatus_ok(tctx, r.out.result, "ReportEventW failed"); 244 245 cr.in.handle = cr.out.handle = &handle; 246 247 torture_assert_ntstatus_ok(tctx, 248 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 249 "CloseEventLog failed"); 250 return true; 251} 252 253static bool test_FlushEventLog(struct torture_context *tctx, 254 struct dcerpc_pipe *p) 255{ 256 struct eventlog_FlushEventLog r; 257 struct eventlog_CloseEventLog cr; 258 struct policy_handle handle; 259 260 if (!get_policy_handle(tctx, p, &handle)) 261 return false; 262 263 r.in.handle = &handle; 264 265 /* Huh? Does this RPC always return access denied? */ 266 torture_assert_ntstatus_equal(tctx, 267 dcerpc_eventlog_FlushEventLog(p, tctx, &r), 268 NT_STATUS_ACCESS_DENIED, 269 "FlushEventLog failed"); 270 271 cr.in.handle = cr.out.handle = &handle; 272 273 torture_assert_ntstatus_ok(tctx, 274 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 275 "CloseEventLog failed"); 276 277 return true; 278} 279 280static bool test_ClearEventLog(struct torture_context *tctx, 281 struct dcerpc_pipe *p) 282{ 283 struct eventlog_ClearEventLogW r; 284 struct eventlog_CloseEventLog cr; 285 struct policy_handle handle; 286 287 if (!get_policy_handle(tctx, p, &handle)) 288 return false; 289 290 r.in.handle = &handle; 291 r.in.backupfile = NULL; 292 293 torture_assert_ntstatus_ok(tctx, 294 dcerpc_eventlog_ClearEventLogW(p, tctx, &r), 295 "ClearEventLog failed"); 296 297 cr.in.handle = cr.out.handle = &handle; 298 299 torture_assert_ntstatus_ok(tctx, 300 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 301 "CloseEventLog failed"); 302 303 return true; 304} 305 306static bool test_GetLogInformation(struct torture_context *tctx, 307 struct dcerpc_pipe *p) 308{ 309 NTSTATUS status; 310 struct eventlog_GetLogInformation r; 311 struct eventlog_CloseEventLog cr; 312 struct policy_handle handle; 313 uint32_t bytes_needed = 0; 314 315 if (!get_policy_handle(tctx, p, &handle)) 316 return false; 317 318 r.in.handle = &handle; 319 r.in.level = 1; 320 r.in.buf_size = 0; 321 r.out.buffer = NULL; 322 r.out.bytes_needed = &bytes_needed; 323 324 status = dcerpc_eventlog_GetLogInformation(p, tctx, &r); 325 326 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_LEVEL, 327 "GetLogInformation failed"); 328 329 r.in.level = 0; 330 331 status = dcerpc_eventlog_GetLogInformation(p, tctx, &r); 332 333 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_BUFFER_TOO_SMALL, 334 "GetLogInformation failed"); 335 336 r.in.buf_size = bytes_needed; 337 r.out.buffer = talloc_array(tctx, uint8_t, bytes_needed); 338 339 status = dcerpc_eventlog_GetLogInformation(p, tctx, &r); 340 341 torture_assert_ntstatus_ok(tctx, status, "GetLogInformation failed"); 342 343 cr.in.handle = cr.out.handle = &handle; 344 345 torture_assert_ntstatus_ok(tctx, 346 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 347 "CloseEventLog failed"); 348 349 return true; 350} 351 352 353static bool test_OpenEventLog(struct torture_context *tctx, 354 struct dcerpc_pipe *p) 355{ 356 struct policy_handle handle; 357 struct eventlog_CloseEventLog cr; 358 359 if (!get_policy_handle(tctx, p, &handle)) 360 return false; 361 362 cr.in.handle = cr.out.handle = &handle; 363 364 torture_assert_ntstatus_ok(tctx, 365 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 366 "CloseEventLog failed"); 367 368 return true; 369} 370 371static bool test_BackupLog(struct torture_context *tctx, 372 struct dcerpc_pipe *p) 373{ 374 NTSTATUS status; 375 struct policy_handle handle, backup_handle; 376 struct eventlog_BackupEventLogW r; 377 struct eventlog_OpenBackupEventLogW b; 378 struct eventlog_CloseEventLog cr; 379 const char *tmp; 380 struct lsa_String backup_filename; 381 struct eventlog_OpenUnknown0 unknown0; 382 383 if (!get_policy_handle(tctx, p, &handle)) 384 return false; 385 386 tmp = talloc_asprintf(tctx, "C:\\%s", TEST_BACKUP_NAME); 387 init_lsa_String(&backup_filename, tmp); 388 389 r.in.handle = &handle; 390 r.in.backup_filename = &backup_filename; 391 392 status = dcerpc_eventlog_BackupEventLogW(p, tctx, &r); 393 torture_assert_ntstatus_equal(tctx, status, 394 NT_STATUS_OBJECT_PATH_SYNTAX_BAD, "BackupEventLogW failed"); 395 396 tmp = talloc_asprintf(tctx, "\\??\\C:\\%s", TEST_BACKUP_NAME); 397 init_lsa_String(&backup_filename, tmp); 398 399 r.in.handle = &handle; 400 r.in.backup_filename = &backup_filename; 401 402 status = dcerpc_eventlog_BackupEventLogW(p, tctx, &r); 403 torture_assert_ntstatus_ok(tctx, status, "BackupEventLogW failed"); 404 405 status = dcerpc_eventlog_BackupEventLogW(p, tctx, &r); 406 torture_assert_ntstatus_equal(tctx, status, 407 NT_STATUS_OBJECT_NAME_COLLISION, "BackupEventLogW failed"); 408 409 cr.in.handle = cr.out.handle = &handle; 410 411 torture_assert_ntstatus_ok(tctx, 412 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 413 "BackupLog failed"); 414 415 unknown0.unknown0 = 0x005c; 416 unknown0.unknown1 = 0x0001; 417 418 b.in.unknown0 = &unknown0; 419 b.in.backup_logname = &backup_filename; 420 b.in.major_version = 1; 421 b.in.minor_version = 1; 422 b.out.handle = &backup_handle; 423 424 status = dcerpc_eventlog_OpenBackupEventLogW(p, tctx, &b); 425 426 torture_assert_ntstatus_ok(tctx, status, "OpenBackupEventLogW failed"); 427 428 cr.in.handle = cr.out.handle = &backup_handle; 429 430 torture_assert_ntstatus_ok(tctx, 431 dcerpc_eventlog_CloseEventLog(p, tctx, &cr), 432 "CloseEventLog failed"); 433 434 return true; 435} 436 437struct torture_suite *torture_rpc_eventlog(TALLOC_CTX *mem_ctx) 438{ 439 struct torture_suite *suite; 440 struct torture_rpc_tcase *tcase; 441 struct torture_test *test; 442 443 suite = torture_suite_create(mem_ctx, "EVENTLOG"); 444 tcase = torture_suite_add_rpc_iface_tcase(suite, "eventlog", 445 &ndr_table_eventlog); 446 447 torture_rpc_tcase_add_test(tcase, "OpenEventLog", test_OpenEventLog); 448 test = torture_rpc_tcase_add_test(tcase, "ClearEventLog", 449 test_ClearEventLog); 450 test->dangerous = true; 451 torture_rpc_tcase_add_test(tcase, "GetNumRecords", test_GetNumRecords); 452 torture_rpc_tcase_add_test(tcase, "ReadEventLog", test_ReadEventLog); 453 torture_rpc_tcase_add_test(tcase, "ReportEventLog", test_ReportEventLog); 454 torture_rpc_tcase_add_test(tcase, "FlushEventLog", test_FlushEventLog); 455 torture_rpc_tcase_add_test(tcase, "GetLogIntormation", test_GetLogInformation); 456 torture_rpc_tcase_add_test(tcase, "BackupLog", test_BackupLog); 457 458 return suite; 459} 460