-rw-r--r-- | misc/nix-ocaml-shell.nix | 1 | ||||
-rw-r--r-- | sid.ml | 288 | ||||
-rw-r--r-- | sid.mli | 56 | ||||
-rw-r--r-- | sid_test.ml | 30 | ||||
-rwxr-xr-x | util/sidparse_test.sh | 6 |
5 files changed, 207 insertions, 174 deletions
diff --git a/misc/nix-ocaml-shell.nix b/misc/nix-ocaml-shell.nix index 316f156..8a61a5b 100644 --- a/misc/nix-ocaml-shell.nix +++ b/misc/nix-ocaml-shell.nix @@ -3,6 +3,7 @@ with import <nixpkgs> {}; let libs = [ autoconf + gmp bubblewrap binutils curl @@ -14,16 +14,17 @@ let max_ident_auth = U64.of_string "0x0000_ffff_ffff_ffff" let sizeof_sub_auth = 4 let max_subauth_count = 15 -let create_unsafe sa ia = +let create_unsafe ia sa = { sid_ident_auth = ia ; sid_sub_auths = sa } (* There isn’t much to validate to begin with except for the hard cap on the number of subauths. *) -let create ?(sa=[||]) ia = - if Array.length sa > max_subauth_count then None else +let create ia sa = + let nsa = Array.length sa in + if nsa < 1 || max_subauth_count < nsa then None else if U64.compare ia max_ident_auth > 0 then None else - Some (create_unsafe sa ia) + Some (create_unsafe ia sa) let get_ident_auth s = s.sid_ident_auth let get_sub_auths s = s.sid_sub_auths @@ -101,8 +102,23 @@ module StringFmt = struct s i s.[i])) done; Bytes.blit_string s (p+2) b 2 12; - p + ident_auth_hexlen, - U64.of_string (Bytes.unsafe_to_string b) + let ia = U64.of_string (Bytes.unsafe_to_string b) in + if ia < ident_auth_hexmin then + raise + (Invalid_argument + (Printf.sprintf + "input malformed: identifier authority less than 2³² must \ + not be hex-encoded (value=%s)" + (U64.to_string ia))) + else if ia > max_ident_auth then + raise (Invalid_argument + (Printf.sprintf + "Invalid SID: identifier authority (value=%s) cannot fit \ + 6 B (%s)" + (U64.to_string ia) (U64.to_string max_ident_auth))) + else + p + ident_auth_hexlen, + ia let ident_auth_decimal s p = let p, ia = read_decimal_u64 s p in 
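Review bot: The comment kept above `create` still says the only thing to validate is the hard cap on the number of subauths, but the new body also rejects an empty array and an identifier authority above `max_ident_auth`. I would reword it to `(* Validate the subauthority count (1..max_subauth_count) and that the identifier authority does not exceed max_ident_auth. *)`. The argument swap on `create_unsafe` is only safe against stale positional callers because the two parameter types differ and the compiler flags them; a one-line remark to that effect next to the definition would help the next reader.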
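Review bot: The new `ia > max_ident_auth` branch in `read_ident_auth_hex` looks unreachable, because the reader copies exactly 12 hex digits (`Bytes.blit_string s (p+2) b 2 12`) and 12 digits cannot exceed `0x0000_ffff_ffff_ffff`. The later hunk at `-150,14` deletes the same bound from the caller, so the upper limit for a decimal identifier authority now rests on `ident_auth_decimal`, whose body continues outside this hunk. Please confirm that it rejects values above `max_ident_auth`; otherwise an oversized authority parsed from a string would no longer be refused before it reaches the 6-byte field. Both comparisons here also use polymorphic `<`/`>` where `create` uses `U64.compare`; `U64.compare ia max_ident_auth > 0` would keep the file consistent.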
@@ -119,16 +135,7 @@ module StringFmt = struct let r = String.length s - p in if r < ident_auth_hexlen then ident_auth_decimal s p else (* hex can’t fit *) match s.[p], s.[p+1] with - | '0', 'x' -> - (let p, ia = read_ident_auth_hex s p in - if ia < ident_auth_hexmin then - raise - (Invalid_argument - (Printf.sprintf - "input malformed: identifier authority less than 2³² must \ - not be hex-encoded (value=%s)" - (U64.to_string ia))) else - p, ia) + | '0', 'x' -> read_ident_auth_hex s p | _ -> ident_auth_decimal s p (* @@ -150,14 +157,17 @@ module StringFmt = struct expect_char s '-' 3; let p = 4 in let p, ia = read_ident_auth s p in - if ia > max_ident_auth then + if p = n || s.[p] <> '-' then raise (Invalid_argument (Printf.sprintf - "Invalid SID: identifier authority cannot fit 6 B (%s)" - (U64.to_string max_ident_auth))); + "Invalid SID: error parsing SID [%s] at position %d, \ + grammar mandates at least one subauthority" + s p)) else let sa = ref [] and p' = ref p in - while !p' < n - 1 && List.length !sa < max_subauth_count do - expect_char s '-' !p'; + while !p' < n - 1 + && List.length !sa < max_subauth_count + && s.[!p'] = '-' + do let np, d = try read_decimal_u32 s (!p' + 1) with Invalid_argument e -> 
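Review bot: A trailing dash appears to slip past the new subauthority check in the `-150,14` hunk: for an input such as `S-1-1-` the guard `p = n || s.[p] <> '-'` passes, but the loop condition `!p' < n - 1` is already false on entry, so `sa` stays empty. The loop also now ends silently on any character other than `-`, where `expect_char` used to raise. The rest of the function lies outside this hunk, so whether it rejects an empty `sa` or unconsumed input cannot be seen from here. If it does not, add a check after the loop that `!sa` is non-empty and that `!p'` reached the end of the input, still allowing the single trailing `-` that `sf_parse_trailing_ok` accepts. A `S-1-1-` case next to `sf_parse_nosa_fail` would pin this down.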
@@ -319,139 +329,139 @@ module WellKnown = struct * see also * https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids *) - let null = cu [| U32.zero |] U64.zero - let everyone = cu [| U32.zero |] U64.one + let null = cu U64.zero [| U32.zero |] + let everyone = cu U64.one [| U32.zero |] let world = everyone (* 1-2-… *) - let local = cu [| U32.zero |] (U64.of_int 2) - let console_logon = cu [| U32.one |] (U64.of_int 2) + let local = cu (U64.of_int 2) [| U32.zero |] + let console_logon = cu (U64.of_int 2) [| U32.one |] (* 1-3-… *) - let creator_owner_id = cu [| U32.zero |] (U64.of_int 3) - let creator_group_id = cu [| U32.one |] (U64.of_int 3) - let creator_owner_server = cu [| U32.of_int 2 |] (U64.of_int 3) - let creator_group_server = cu [| U32.of_int 3 |] (U64.of_int 3) - let owner_rights = cu [| U32.of_int 4 |] (U64.of_int 3) - let elite = cu [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] U64.one + let creator_owner_id = cu (U64.of_int 3) [| U32.zero |] + let creator_group_id = cu (U64.of_int 3) [| U32.one |] + let creator_owner_server = cu (U64.of_int 3) [| U32.of_int 2 |] + let creator_group_server = cu (U64.of_int 3) [| U32.of_int 3 |] + let owner_rights = cu (U64.of_int 3) [| U32.of_int 4 |] + let elite = cu U64.one [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] (* 1-5-… *) - let nt_authority = cu [| |] (U64.of_int 5) - let dialup = cu [| U32.one |] (U64.of_int 5) - let network = cu [| U32.of_int 2 |] (U64.of_int 5) - let batch = cu [| U32.of_int 3 |] (U64.of_int 5) - let interactive = cu [| U32.of_int 4 |] (U64.of_int 5) - let logon_id = cu [| U32.of_int 5 |] (U64.of_int 5) - let service = cu [| U32.of_int 6 |] (U64.of_int 5) - let anonymous = cu [| U32.of_int 7 |] (U64.of_int 5) - let proxy = cu [| U32.of_int 8 |] (U64.of_int 5) - let enterprise_domain_controllers = cu [| U32.of_int 9 |] (U64.of_int 5) - let principal_self = cu [| U32.of_int 10 |] (U64.of_int 5) - let authenticated_users = cu [| U32.of_int 11 |] (U64.of_int 5) - let 
restricted_code = cu [| U32.of_int 12 |] (U64.of_int 5) - let terminal_server_user = cu [| U32.of_int 13 |] (U64.of_int 5) - let remote_interactive_logon = cu [| U32.of_int 14 |] (U64.of_int 5) - let this_organisation = cu [| U32.of_int 15 |] (U64.of_int 5) - let iusr = cu [| U32.of_int 17 |] (U64.of_int 5) - let local_system = cu [| U32.of_int 18 |] (U64.of_int 5) - let local_service = cu [| U32.of_int 19 |] (U64.of_int 5) - let network_service = cu [| U32.of_int 20 |] (U64.of_int 5) - - let compounded_authentication = cu [| sa 21; U32.zero; U32.zero; U32.zero; sa 496 |] (ia 5) - let claims_valid = cu [| sa 21; U32.zero; U32.zero; U32.zero; sa 497 |] (ia 5) - - let administrator machine = cu [| sa 21; machine; sa 500 |] (ia 5) - let guest machine = cu [| sa 21; machine; sa 501 |] (ia 5) - let krbtgt domain = cu [| sa 21; domain; sa 502 |] (ia 5) - let domain_admins domain = cu [| sa 21; domain; sa 512 |] (ia 5) - let domain_users domain = cu [| sa 21; domain; sa 513 |] (ia 5) - let domain_guests domain = cu [| sa 21; domain; sa 514 |] (ia 5) - let domain_computers domain = cu [| sa 21; domain; sa 515 |] (ia 5) - let domain_domain_controllers domain = cu [| sa 21; domain; sa 516 |] (ia 5) - let cert_publishers domain = cu [| sa 21; domain; sa 517 |] (ia 5) - let schema_administrators root_domain = cu [| sa 21; root_domain; sa 518 |] (ia 5) - let enterprise_admins root_domain = cu [| sa 21; root_domain; sa 519 |] (ia 5) - let group_policy_creator_owners domain = cu [| sa 21; domain; sa 520 |] (ia 5) - let readonly_domain_controllers domain = cu [| sa 21; domain; sa 521 |] (ia 5) - let cloneable_controllers domain = cu [| sa 21; domain; sa 522 |] (ia 5) - let protected_users domain = cu [| sa 21; domain; sa 525 |] (ia 5) - let key_admins domain = cu [| sa 21; domain; sa 526 |] (ia 5) - let enterprise_key_admins domain = cu [| sa 21; domain; sa 527 |] (ia 5) - let ras_servers domain = cu [| sa 21; domain; sa 553 |] (ia 5) - let allowed_rodc_password_replication_group 
domain = cu [| sa 21; domain; sa 571 |] (ia 5) - let denied_rodc_password_replication_group domain = cu [| sa 21; domain; sa 572 |] (ia 5) - - let builtin_administrators = cu [| sa 32; sa 544 |] (ia 5) - let builtin_users = cu [| sa 32; sa 545 |] (ia 5) - let builtin_guests = cu [| sa 32; sa 546 |] (ia 5) - let power_users = cu [| sa 32; sa 547 |] (ia 5) - let account_operators = cu [| sa 32; sa 548 |] (ia 5) - let server_operators = cu [| sa 32; sa 549 |] (ia 5) - let printer_operators = cu [| sa 32; sa 550 |] (ia 5) - let backup_operators = cu [| sa 32; sa 551 |] (ia 5) - let replicator = cu [| sa 32; sa 552 |] (ia 5) - let alias_prew2kcompacc = cu [| sa 32; sa 554 |] (ia 5) - let remote_desktop = cu [| sa 32; sa 555 |] (ia 5) - let network_configuration_ops = cu [| sa 32; sa 556 |] (ia 5) - let incoming_forest_trust_builders = cu [| sa 32; sa 557 |] (ia 5) - let perfmon_users = cu [| sa 32; sa 558 |] (ia 5) - let perflog_users = cu [| sa 32; sa 559 |] (ia 5) - let windows_authorization_access_group = cu [| sa 32; sa 560 |] (ia 5) - let terminal_server_license_servers = cu [| sa 32; sa 561 |] (ia 5) - let distributed_com_users = cu [| sa 32; sa 562 |] (ia 5) - let iis_iusrs = cu [| sa 32; sa 568 |] (ia 5) - let cryptographic_operators = cu [| sa 32; sa 569 |] (ia 5) - let event_log_readers = cu [| sa 32; sa 573 |] (ia 5) - let certificate_service_dcom_access = cu [| sa 32; sa 574 |] (ia 5) - let rds_remote_access_servers = cu [| sa 32; sa 575 |] (ia 5) - let rds_endpoint_servers = cu [| sa 32; sa 576 |] (ia 5) - let rds_management_servers = cu [| sa 32; sa 577 |] (ia 5) - let hyper_v_admins = cu [| sa 32; sa 578 |] (ia 5) - let access_control_assistance_ops = cu [| sa 32; sa 579 |] (ia 5) - let remote_management_users = cu [| sa 32; sa 580 |] (ia 5) - - let write_restricted_code = cu [| sa 33 |] (ia 5) - let ntlm_authentication = cu [| sa 64; sa 10 |] (ia 5) - let schannel_authentication = cu [| sa 64; sa 14 |] (ia 5) - let digest_authentication = cu [| sa 64; sa 
21 |] (ia 5) - let this_organization_certificate = cu [| sa 65; sa 1 |] (ia 5) - let nt_service = cu [| sa 80 |] (ia 5) - let user_mode_drivers = cu [| sa 84; U32.zero; U32.zero; U32.zero; U32.zero; U32.zero |] (ia 5) - let local_account = cu [| sa 113 |] (ia 5) - let local_account_and_member_of_administrators_group = cu [| sa 114 |] (ia 5) - let other_organization = cu [| sa 1000 |] (ia 5) + let nt_authority = cu (U64.of_int 5) [| |] + let dialup = cu (U64.of_int 5) [| U32.one |] + let network = cu (U64.of_int 5) [| U32.of_int 2 |] + let batch = cu (U64.of_int 5) [| U32.of_int 3 |] + let interactive = cu (U64.of_int 5) [| U32.of_int 4 |] + let logon_id = cu (U64.of_int 5) [| U32.of_int 5 |] + let service = cu (U64.of_int 5) [| U32.of_int 6 |] + let anonymous = cu (U64.of_int 5) [| U32.of_int 7 |] + let proxy = cu (U64.of_int 5) [| U32.of_int 8 |] + let enterprise_domain_controllers = cu (U64.of_int 5) [| U32.of_int 9 |] + let principal_self = cu (U64.of_int 5) [| U32.of_int 10 |] + let authenticated_users = cu (U64.of_int 5) [| U32.of_int 11 |] + let restricted_code = cu (U64.of_int 5) [| U32.of_int 12 |] + let terminal_server_user = cu (U64.of_int 5) [| U32.of_int 13 |] + let remote_interactive_logon = cu (U64.of_int 5) [| U32.of_int 14 |] + let this_organisation = cu (U64.of_int 5) [| U32.of_int 15 |] + let iusr = cu (U64.of_int 5) [| U32.of_int 17 |] + let local_system = cu (U64.of_int 5) [| U32.of_int 18 |] + let local_service = cu (U64.of_int 5) [| U32.of_int 19 |] + let network_service = cu (U64.of_int 5) [| U32.of_int 20 |] + + let compounded_authentication = cu (ia 5) [| sa 21; U32.zero; U32.zero; U32.zero; sa 496 |] + let claims_valid = cu (ia 5) [| sa 21; U32.zero; U32.zero; U32.zero; sa 497 |] + + let administrator machine = cu (ia 5) [| sa 21; machine; sa 500 |] + let guest machine = cu (ia 5) [| sa 21; machine; sa 501 |] + let krbtgt domain = cu (ia 5) [| sa 21; domain; sa 502 |] + let domain_admins domain = cu (ia 5) [| sa 21; domain; sa 512 |] + let 
domain_users domain = cu (ia 5) [| sa 21; domain; sa 513 |] + let domain_guests domain = cu (ia 5) [| sa 21; domain; sa 514 |] + let domain_computers domain = cu (ia 5) [| sa 21; domain; sa 515 |] + let domain_domain_controllers domain = cu (ia 5) [| sa 21; domain; sa 516 |] + let cert_publishers domain = cu (ia 5) [| sa 21; domain; sa 517 |] + let schema_administrators root_domain = cu (ia 5) [| sa 21; root_domain; sa 518 |] + let enterprise_admins root_domain = cu (ia 5) [| sa 21; root_domain; sa 519 |] + let group_policy_creator_owners domain = cu (ia 5) [| sa 21; domain; sa 520 |] + let readonly_domain_controllers domain = cu (ia 5) [| sa 21; domain; sa 521 |] + let cloneable_controllers domain = cu (ia 5) [| sa 21; domain; sa 522 |] + let protected_users domain = cu (ia 5) [| sa 21; domain; sa 525 |] + let key_admins domain = cu (ia 5) [| sa 21; domain; sa 526 |] + let enterprise_key_admins domain = cu (ia 5) [| sa 21; domain; sa 527 |] + let ras_servers domain = cu (ia 5) [| sa 21; domain; sa 553 |] + let allowed_rodc_password_replication_group domain = cu (ia 5) [| sa 21; domain; sa 571 |] + let denied_rodc_password_replication_group domain = cu (ia 5) [| sa 21; domain; sa 572 |] + + let builtin_administrators = cu (ia 5) [| sa 32; sa 544 |] + let builtin_users = cu (ia 5) [| sa 32; sa 545 |] + let builtin_guests = cu (ia 5) [| sa 32; sa 546 |] + let power_users = cu (ia 5) [| sa 32; sa 547 |] + let account_operators = cu (ia 5) [| sa 32; sa 548 |] + let server_operators = cu (ia 5) [| sa 32; sa 549 |] + let printer_operators = cu (ia 5) [| sa 32; sa 550 |] + let backup_operators = cu (ia 5) [| sa 32; sa 551 |] + let replicator = cu (ia 5) [| sa 32; sa 552 |] + let alias_prew2kcompacc = cu (ia 5) [| sa 32; sa 554 |] + let remote_desktop = cu (ia 5) [| sa 32; sa 555 |] + let network_configuration_ops = cu (ia 5) [| sa 32; sa 556 |] + let incoming_forest_trust_builders = cu (ia 5) [| sa 32; sa 557 |] + let perfmon_users = cu (ia 5) [| sa 32; sa 558 |] + let 
perflog_users = cu (ia 5) [| sa 32; sa 559 |] + let windows_authorization_access_group = cu (ia 5) [| sa 32; sa 560 |] + let terminal_server_license_servers = cu (ia 5) [| sa 32; sa 561 |] + let distributed_com_users = cu (ia 5) [| sa 32; sa 562 |] + let iis_iusrs = cu (ia 5) [| sa 32; sa 568 |] + let cryptographic_operators = cu (ia 5) [| sa 32; sa 569 |] + let event_log_readers = cu (ia 5) [| sa 32; sa 573 |] + let certificate_service_dcom_access = cu (ia 5) [| sa 32; sa 574 |] + let rds_remote_access_servers = cu (ia 5) [| sa 32; sa 575 |] + let rds_endpoint_servers = cu (ia 5) [| sa 32; sa 576 |] + let rds_management_servers = cu (ia 5) [| sa 32; sa 577 |] + let hyper_v_admins = cu (ia 5) [| sa 32; sa 578 |] + let access_control_assistance_ops = cu (ia 5) [| sa 32; sa 579 |] + let remote_management_users = cu (ia 5) [| sa 32; sa 580 |] + + let write_restricted_code = cu (ia 5) [| sa 33 |] + let ntlm_authentication = cu (ia 5) [| sa 64; sa 10 |] + let schannel_authentication = cu (ia 5) [| sa 64; sa 14 |] + let digest_authentication = cu (ia 5) [| sa 64; sa 21 |] + let this_organization_certificate = cu (ia 5) [| sa 65; sa 1 |] + let nt_service = cu (ia 5) [| sa 80 |] + let user_mode_drivers = cu (ia 5) [| sa 84; U32.zero; U32.zero; U32.zero; U32.zero; U32.zero |] + let local_account = cu (ia 5) [| sa 113 |] + let local_account_and_member_of_administrators_group = cu (ia 5) [| sa 114 |] + let other_organization = cu (ia 5) [| sa 1000 |] (* 1-15-… *) - let all_app_packages = cu [| sa 2; U32.one |] (ia 15) + let all_app_packages = cu (ia 15) [| sa 2; U32.one |] (* 1-16-… *) - let ml_untrusted = cu [| U32.zero |] (ia 16) - let ml_low = cu [| sa 4096 |] (ia 16) - let ml_medium = cu [| sa 8192 |] (ia 16) - let ml_medium_plus = cu [| sa 8448 |] (ia 16) - let ml_high = cu [| sa 12288 |] (ia 16) - let ml_system = cu [| sa 16384 |] (ia 16) - let ml_protected_process = cu [| sa 20480 |] (ia 16) - let ml_secure_process = cu [| sa 28672 |] (ia 16) + let ml_untrusted = cu 
(ia 16) [| U32.zero |] + let ml_low = cu (ia 16) [| sa 4096 |] + let ml_medium = cu (ia 16) [| sa 8192 |] + let ml_medium_plus = cu (ia 16) [| sa 8448 |] + let ml_high = cu (ia 16) [| sa 12288 |] + let ml_system = cu (ia 16) [| sa 16384 |] + let ml_protected_process = cu (ia 16) [| sa 20480 |] + let ml_secure_process = cu (ia 16) [| sa 28672 |] (* 1-18-… *) - let authentication_authority_asserted_identity = cu [| U32.one |] (ia 18) - let service_asserted_identity = cu [| sa 2 |] (ia 18) - let fresh_public_key_identity = cu [| sa 3 |] (ia 18) - let key_trust_identity = cu [| sa 4 |] (ia 18) - let key_property_mfa = cu [| sa 5 |] (ia 18) - let key_property_attestation = cu [| sa 6 |] (ia 18) + let authentication_authority_asserted_identity = cu (ia 18) [| U32.one |] + let service_asserted_identity = cu (ia 18) [| sa 2 |] + let fresh_public_key_identity = cu (ia 18) [| sa 3 |] + let key_trust_identity = cu (ia 18) [| sa 4 |] + let key_property_mfa = cu (ia 18) [| sa 5 |] + let key_property_attestation = cu (ia 18) [| sa 6 |] module Prefix = struct - let security_null_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x00) - let security_world_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x01) - let security_local_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x02) - let security_creator_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x03) - let security_nt_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x05) - let security_app_package_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x0f) - let security_mandatory_label_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x10) - let security_scoped_policy_id_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x11) - let security_authentication_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x12) + let security_null_sid_authority sa = create_unsafe (U64.of_int 0x00) sa + let security_world_sid_authority sa = create_unsafe (U64.of_int 0x01) sa + 
let security_local_sid_authority sa = create_unsafe (U64.of_int 0x02) sa + let security_creator_sid_authority sa = create_unsafe (U64.of_int 0x03) sa + let security_nt_authority sa = create_unsafe (U64.of_int 0x05) sa + let security_app_package_authority sa = create_unsafe (U64.of_int 0x0f) sa + let security_mandatory_label_authority sa = create_unsafe (U64.of_int 0x10) sa + let security_scoped_policy_id_authority sa = create_unsafe (U64.of_int 0x11) sa + let security_authentication_authority sa = create_unsafe (U64.of_int 0x12) sa end end @@ -3,16 +3,16 @@ type t type sub_auths = Stdint.Uint32.t array -val create : ?sa:Stdint.Uint32.t array -> Stdint.Uint64.t -> t option +val create : Stdint.Uint64.t -> Stdint.Uint32.t array -> t option (** [create sas ia] constructs a SID with the identifier authority [ia] - and, optionally, the subauthorities [sas]. The operation will return - [None] if [sa] contains more than fifteen subauthorities, or if [ia] + and the subauthorities [sas]. The operation will return [None] if [sa] + contains either zero or more than fifteen subauthorities, or if [ia] exceeds 48 bits. *) -val create_unsafe : Stdint.Uint32.t array -> Stdint.Uint64.t -> t +val create_unsafe : Stdint.Uint64.t -> Stdint.Uint32.t array -> t (** [create_unsafe sas ia] constructs a SID with the identifier authority [ia] - and, optionally, the sub authorities [sas] without validating the inputs. - Use with caution. *) + and the sub authorities [sas] without validating the inputs. Use with + caution. *) val equal : t -> t -> bool (** [equal sa sb] tests whether [sa] and [sb] are identical. *) 
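Review bot: The `Prefix` constructors now take `sa` as a mandatory argument but still forward it to `create_unsafe`, so a caller-supplied array that is empty or longer than `max_subauth_count` yields a SID that `create` would refuse. Either route them through `create` (returning `t option`), or state in the doc comments of the matching `sid.mli` hunk (`-389,40`) that no validation is performed. `nt_authority` is likewise still built with `[| |]`, which the new rule in `create` rejects; a short comment at that binding, e.g. `(* deliberately has no subauthorities; cannot be produced by create or of_string *)`, would make the exception explicit.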
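Review bot: The doc comments in the `sid.mli` hunk at `-3,16` still describe the old argument order: `[create sas ia]` and `[create_unsafe sas ia]` should read `[create ia sas]` and `[create_unsafe ia sas]` now that the identifier authority comes first. The `create` comment also names the array `[sas]` in its first sentence and `[sa]` in its second; using one name throughout avoids the impression that these are two different parameters.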
@@ -98,7 +98,13 @@ module WellKnown : val elite : t val nt_authority : t - (** The SID {e S-1-5}. *) + (** The SID {e S-1-5}. + + Note that according to the offical grammar as layed out in MS-DTYP + 2.4.2.1, this SID cannot be converted to “string format” due to its + lack of subauthorities. However, it is the same document which also + specifies this SID. How to reconcile the two is left as an exercise + to the reader. *) val dialup : t (** The SID {e S-1-5-1}. *) 
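Review bot: The new note on `nt_authority` says the SID cannot be converted to string format, but it does not say what `to_string` does when handed this value, nor that `of_string` is expected to reject `S-1-5` after the parser change in this commit. Neither behaviour is visible in this hunk, so please document whichever holds, for example `[of_string] rejects "S-1-5"; this value is only obtainable from this binding or [create_unsafe].` Two typos while you are there: `offical` should be `official` and `layed out` should be `laid out`.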
@@ -389,40 +395,40 @@ module WellKnown : module Prefix : sig - val security_null_sid_authority : ?sa:sub_auths -> unit -> t - (** [security_null_sid_authority sub_auths ()] constructs a SID + val security_null_sid_authority : sub_auths -> t + (** [security_null_sid_authority sub_auths] constructs a SID {e S-1-0-[sub_auths]…}. *) - val security_world_sid_authority : ?sa:sub_auths -> unit -> t - (** [security_world_sid_authority sub_auths ()] constructs a SID + val security_world_sid_authority : sub_auths -> t + (** [security_world_sid_authority sub_auths] constructs a SID {e S-1-1-[sub_auths]…}. *) - val security_local_sid_authority : ?sa:sub_auths -> unit -> t - (** [security_local_sid_authority sub_auths ()] constructs a SID + val security_local_sid_authority : sub_auths -> t + (** [security_local_sid_authority sub_auths] constructs a SID {e S-1-2-[sub_auths]…}. *) - val security_creator_sid_authority : ?sa:sub_auths -> unit -> t - (** [security_creator_sid_authority sub_auths ()] constructs a SID + val security_creator_sid_authority : sub_auths -> t + (** [security_creator_sid_authority sub_auths] constructs a SID {e S-1-3-[sub_auths]…}. *) - val security_nt_authority : ?sa:sub_auths -> unit -> t - (** [security_nt_authority sub_auths ()] constructs a SID + val security_nt_authority : sub_auths -> t + (** [security_nt_authority sub_auths] constructs a SID {e S-1-5-[sub_auths]…}. *) - val security_app_package_authority : ?sa:sub_auths -> unit -> t - (** [security_app_package_authority sub_auths ()] constructs a SID + val security_app_package_authority : sub_auths -> t + (** [security_app_package_authority sub_auths] constructs a SID {e S-1-15-[sub_auths]…}. *) - val security_mandatory_label_authority : ?sa:sub_auths -> unit -> t - (** [security_mandatory_label_authority sub_auths ()] constructs a SID + val security_mandatory_label_authority : sub_auths -> t + (** [security_mandatory_label_authority sub_auths] constructs a SID {e S-1-16-[sub_auths]…}. 
*) - val security_scoped_policy_id_authority : ?sa:sub_auths -> unit -> t - (** [security_scoped_policy_id_authority sub_auths ()] constructs a SID + val security_scoped_policy_id_authority : sub_auths -> t + (** [security_scoped_policy_id_authority sub_auths] constructs a SID {e S-1-17-[sub_auths]…}. *) - val security_authentication_authority : ?sa:sub_auths -> unit -> t - (** [security_authentication_authority sub_auths ()] constructs a SID + val security_authentication_authority : sub_auths -> t + (** [security_authentication_authority sub_auths] constructs a SID {e S-1-18-[sub_auths]…}. *) end end diff --git a/sid_test.ml b/sid_test.ml index e7b6c24..7da0d7f 100644 --- a/sid_test.ml +++ b/sid_test.ml @@ -14,18 +14,18 @@ let () = Printexc.record_backtrace true ;; (* S-1-1-0-1-2-3-4-5-6-7-8-9-10-11-12-13-14 *) let max_sid = Sid.create_unsafe + U64.one [| U32.zero ; U32.one ; U32.of_int 2 ; U32.of_int 3 ; U32.of_int 4 ; U32.of_int 5 ; U32.of_int 6 ; U32.of_int 7 ; U32.of_int 8 ; U32.of_int 9 ; U32.of_int 10 ; U32.of_int 11 ; U32.of_int 12 ; U32.of_int 13 ; U32.of_int 14 |] - U64.one let create_ok () = let w = Sid.WellKnown.everyone and s = - match Sid.create ~sa:[| U32.zero |] U64.one with + match Sid.create U64.one [| U32.zero |] with | None -> assert_failure "Sid.create failed for S-1-0" | Some s -> s in 
@@ -33,16 +33,21 @@ let create_ok () = (Printf.sprintf "[%s] ≠ [%s]" (Sid.to_string s) (Sid.to_string w)) (Sid.equal s w) +let create_nosa_fail () = + match Sid.create U64.zero [| |] with + | None -> () + | Some s -> assert_failure ("Sid.create succeeded despite lack of sas") + let create_etoomany_fail () = let sas = Array.make 16 U32.one in - match Sid.create ~sa:sas U64.zero with + match Sid.create U64.zero sas with | None -> () | Some s -> assert_failure ("Sid.create succeeded on invalid sa array") let create_iatoobig_fail () = let sas = Array.make 2 U32.one in let ia = U64.add max_ident_auth U64.one in - match Sid.create ~sa:sas ia with + match Sid.create ia sas with | None -> () | Some s -> assert_failure ("Sid.create succeeded on invalid ident auth") @@ -55,7 +60,7 @@ let unwrap_of_string s = let sf_parse_ok () = let s = unwrap_of_string "S-1-1-0" - and z = Sid.create_unsafe [| U32.zero |] U64.one in + and z = Sid.create_unsafe U64.one [| U32.zero |] in assert_bool (Printf.sprintf "[%s] ≠ [%s]" (Sid.to_string s) (Sid.to_string z)) (Sid.equal s z); @@ -99,6 +104,16 @@ let sf_parse_ver_inval2_fail () = assert_equal e "Invalid SID [S-10-0]: expected ‘-’ at position 3, found ‘0’" +let sf_parse_nosa_fail () = + match Sid.of_string "S-1-1" with + | Ok s -> + assert_failure + (Printf.sprintf "unexpectedly parsed garbage as SID [%s]" + (Sid.to_string s)) + | Error e -> + assert_equal e "Invalid SID: error parsing SID [S-1-1] at position 5, \ + grammar mandates at least one subauthority" + let sf_parse_trailing_ok () = let s = unwrap_of_string "S-1-0-0-" in assert_equal (Sid.to_string s) "S-1-0-0" 
@@ -221,8 +236,8 @@ let sf_parse_iaxxlong_fail () = (* too many digits, need exactly 12 *) match Sid.of_string "S-1-0xC01DC01DB100D-17-01" with | Error e -> - let expect = "Invalid SID [S-1-0xC01DC01DB100D-17-01]: expected ‘-’ \ - at position 18, found ‘D’" + let expect = "Invalid SID: error parsing SID [S-1-0xC01DC01DB100D-17-01] \ + at position 18, grammar mandates at least one subauthority" in assert_equal ~msg:(Printf.sprintf "[%s] ≠ [%s]" e expect) @@ -425,6 +440,7 @@ let string_format_test = "string-format-syntax" >::: ; "parse-ver-junk-fail" >:: sf_parse_ver_junk_fail ; "parse-ver-inval-fail" >:: sf_parse_ver_inval_fail ; "parse-ver-inval2-fail" >:: sf_parse_ver_inval2_fail + ; "parse-nosa-fail" >:: sf_parse_nosa_fail ; "parse-trailing-ok" >:: sf_parse_trailing_ok ; "parse-maxint-ok" >:: sf_parse_maxint_ok ; "parse-oobia-fail" >:: sf_parse_oobia_fail diff --git a/util/sidparse_test.sh b/util/sidparse_test.sh index 374810d..5d16e1e 100755 --- a/util/sidparse_test.sh +++ b/util/sidparse_test.sh @@ -148,7 +148,7 @@ register_test () { test_parse_simple () { local name="$1" local ret - local cmd=( "./${testme}" S-1-0 ) + local cmd=( "./${testme}" S-1-1-0 ) timeout ${default_timeout} ${cmd[@]} &>/dev/null ret=$? @@ -168,8 +168,8 @@ test_parse_stdin () { local cmd=( "./${testme}" ) timeout ${default_timeout} ${cmd[@]} &>/dev/null <<-STOPTHAT - S-1-0 - S-1-1 + S-1-0-0 + S-1-1-0 S-1-42-2187-1337 STOPTHAT |
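Review bot: The updated expectation in `sf_parse_iaxxlong_fail` pins a misleading diagnostic. The input `S-1-0xC01DC01DB100D-17-01` does carry subauthorities, and per the test's own comment the fault is too many hex digits in the identifier authority, yet the message now says the grammar mandates at least one subauthority. This follows from the new check in `sid.ml` treating any non-`-` character after the authority the same way as end of input. I would split the two cases there: keep the old `expected ‘-’ at position 18, found ‘D’` wording when `p < n`, and use the new text only when `p = n`, so that a log entry for a rejected SID points at the real fault.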