// Copyright 2021 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/policy/win/sandbox_test_utils.h"

#include <utility>

#include "base/strings/strcat.h"
#include "base/win/security_util.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace sandbox {
namespace policy {
// Base DACL, in SDDL form, that GetAccessAllowedForCapabilities() extends:
// a single access-allowed ACE (A) granting GENERIC_ALL (GA) to Everyone (WD).
// NOTE(review): this is a wide-open DACL; it looks intended for test objects
// only (this file is sandbox_test_utils) - confirm before reusing elsewhere.
constexpr wchar_t kBaseSecurityDescriptor[] = L"D:(A;;GA;;;WD)";
// Named capabilities that CheckCapabilities() expects in both the base and
// the impersonation capability lists of an AppContainer profile.
constexpr wchar_t kRegistryRead[] = L"registryRead";
constexpr wchar_t klpacPnpNotifications[] = L"lpacPnpNotifications";
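// Converts each named capability in |capabilities| to its SID, preserving the
// input order. Crashes via CHECK if a capability name cannot be resolved.
std::vector<base::win::Sid> GetCapabilitySids(
    const std::initializer_list<std::wstring>& capabilities) {
  std::vector<base::win::Sid> sids;
  sids.reserve(capabilities.size());
  for (const auto& capability : capabilities) {
    auto sid = base::win::Sid::FromNamedCapability(capability.c_str());
    // The result is dereferenced below, so an empty value would be undefined
    // behaviour. Fail loudly instead, matching the CHECK that
    // GetAccessAllowedForCapabilities() applies to ToSddlString().
    CHECK(sid);
    sids.push_back(std::move(*sid));
  }
  return sids;
}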
// Builds an SDDL string that starts from kBaseSecurityDescriptor and appends
// one access-allowed ACE per named capability, granting generic read and
// generic execute (GRGX) to that capability's SID.
std::wstring GetAccessAllowedForCapabilities(
    const std::initializer_list<std::wstring>& capabilities) {
  const std::vector<base::win::Sid> capability_sids =
      GetCapabilitySids(capabilities);
  std::wstring descriptor(kBaseSecurityDescriptor);
  for (const base::win::Sid& sid : capability_sids) {
    const absl::optional<std::wstring> sid_sddl = sid.ToSddlString();
    // A SID that cannot be rendered would otherwise silently drop its ACE
    // from the descriptor; stop here rather than return a partial DACL.
    CHECK(sid_sddl);
    base::StrAppend(&descriptor, {L"(A;;GRGX;;;", *sid_sddl, L")"});
  }
  return descriptor;
}
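// Expects that |left| and |right| contain equal SIDs in the same order.
// Reports a gtest failure (non-fatal) on a size mismatch and on the first
// differing element.
void EqualSidList(const std::vector<base::win::Sid>& left,
                  const std::vector<base::win::Sid>& right) {
  EXPECT_EQ(left.size(), right.size());
  // EXPECT_EQ does not abort the test, so the comparison below still runs
  // when the sizes differ. Bound both ranges: the three-iterator overload
  // would read past the end of |right| whenever it is shorter than |left|.
  auto result = std::mismatch(left.cbegin(), left.cend(), right.cbegin(),
                              right.cend(),
                              [](const auto& left_sid, const auto& right_sid) {
                                return left_sid == right_sid;
                              });
  // With a shorter |right| the scan stops early, so this also fails.
  EXPECT_EQ(result.first, left.cend());
}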
// Verifies the capability SIDs configured on |profile|. The expected
// impersonation list is the expected base list plus kChromeInstallFiles at
// the front; |additional_capabilities| are expected at the end of both lists,
// in the order given.
void CheckCapabilities(
    AppContainerBase* profile,
    const std::initializer_list<std::wstring>& additional_capabilities) {
  auto extra_sids = GetCapabilitySids(additional_capabilities);

  // Expected impersonation capabilities, then the caller's extras.
  // NOTE(review): AppendSidVector presumably appends its second argument to
  // the first - confirm against base/win/security_util.h.
  auto expected_impersonation =
      GetCapabilitySids({kChromeInstallFiles, klpacPnpNotifications,
                         kLpacChromeInstallFiles, kRegistryRead});
  // Expected base capabilities: the same set without kChromeInstallFiles.
  auto expected_base = GetCapabilitySids(
      {klpacPnpNotifications, kLpacChromeInstallFiles, kRegistryRead});
  base::win::AppendSidVector(expected_impersonation, extra_sids);
  base::win::AppendSidVector(expected_base, extra_sids);

  // Order-sensitive comparison against what the profile reports.
  EqualSidList(expected_impersonation,
               profile->GetImpersonationCapabilities());
  EqualSidList(expected_base, profile->GetCapabilities());
}
} // namespace policy
} // namespace sandbox