selftest: Add tests for ntlm-server-1 and --password mode in ntlm_auth

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jan  7 07:41:22 CET 2016 on sn-devel-144

source3/script/tests/test_ntlm_auth_s3.sh

@@ -24,7 +24,7 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_interactive_prompt_stdout()
+test_plaintext_check_output_stdout()
 {
 	tmpfile=$PREFIX/ntlm_commands
 
@@ -55,7 +55,7 @@ EOF
 	fi
 }
 
-test_interactive_prompt_stdout_fail()
+test_plaintext_check_output_fail()
 {
 	tmpfile=$PREFIX/ntlm_commands
 
@@ -86,6 +86,188 @@ EOF
 	fi
 }
 
+test_ntlm_server_1_check_output()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	cat > $tmpfile <<EOF
+LANMAN-Challenge: 0123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: TEST
+Username: testuser
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1  --password=SecREt01< $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# authenticated .. succeed
+		true
+	else
+		echo failed to get successful authentication
+		false
+	fi
+}
+
+test_ntlm_server_1_check_output_fail()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	# Break the password with a leading A on the challenge
+	cat > $tmpfile <<EOF
+LANMAN-Challenge: A123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: TEST
+Username: testuser
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01 < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# failed to authenticate .. success
+		true
+	else
+		echo "incorrectly gave a successful authentication"
+		false
+	fi
+}
+
+test_ntlm_server_1_check_winbind_output()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	# This isn't the correct password
+	cat > $tmpfile <<EOF
+Password: $PASSWORD
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$SID < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "Authenticated: Yes" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# authenticated .. success
+		true
+	else
+		echo "Failed to authenticate the user or match with SID $SID"
+		false
+	fi
+}
+
+test_ntlm_server_1_check_winbind_output_wrong_sid()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	# This isn't the correct password
+	cat > $tmpfile <<EOF
+Password: $PASSWORD
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$BADSID < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# failed to authenticate .. success
+		true
+	else
+		echo "incorrectly gave a successful authentication"
+		false
+	fi
+}
+
+test_ntlm_server_1_check_winbind_output_fail()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	# This isn't the correct password
+	cat > $tmpfile <<EOF
+LANMAN-Challenge: 0123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# failed to authenticate .. success
+		true
+	else
+		echo "incorrectly gave a successful authentication"
+		false
+	fi
+}
+
 testit "ntlm_auth" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS || failed=`expr $failed + 1`
 # This should work even with NTLMv2
 testit "ntlm_auth with specified domain" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo || failed=`expr $failed + 1`
@@ -101,7 +283,13 @@ testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against w
 testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 
-testit "ntlm_auth plaintext authentication with require-membership-of" test_interactive_prompt_stdout || failed=`expr $failed + 1`
-testit "ntlm_auth plaintext authentication with failed require-membership-of" test_interactive_prompt_stdout_fail || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with require-membership-of" test_plaintext_check_output_stdout || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with failed require-membership-of" test_plaintext_check_output_fail || failed=`expr $failed + 1`
+
+testit "ntlm_auth ntlm-server-1 with fixed password" test_ntlm_server_1_check_output || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with incorrect fixed password" test_ntlm_server_1_check_output_fail || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=`expr $failed + 1`
 
 testok $0 $failed