ruby_smb 2.0.10 → 2.0.11

data/spec/lib/ruby_smb/client_spec.rb

@@ -209,6 +209,8 @@ RSpec.describe RubySMB::Client do
 
     context 'when signing' do
       it 'calls #smb1_sign if it is an SMB1 packet' do
+        allow(client).to receive(:signing_required).and_return(true)
+        allow(client).to receive(:session_key).and_return(Random.new.bytes(16))
         expect(client).to receive(:smb1_sign).with(smb1_request).and_call_original
         client.send_recv(smb1_request)
       end
@@ -223,15 +225,11 @@ RSpec.describe RubySMB::Client do
 
         it 'calls #smb2_sign if it is an SMB2 client' do
           allow(smb2_client).to receive(:is_status_pending?).and_return(false)
+          allow(smb2_client).to receive(:signing_required).and_return(true)
+          allow(smb2_client).to receive(:session_key).and_return(Random.new.bytes(16))
           expect(smb2_client).to receive(:smb2_sign).with(smb2_request).and_call_original
           smb2_client.send_recv(smb2_request)
         end
-
-        it 'calls #smb3_sign if it is an SMB3 client' do
-          allow(smb3_client).to receive(:is_status_pending?).and_return(false)
-          expect(smb3_client).to receive(:smb3_sign).with(smb2_request).and_call_original
-          smb3_client.send_recv(smb2_request)
-        end
       end
     end
 
@@ -2087,7 +2085,7 @@ RSpec.describe RubySMB::Client do
         it 'generates the HMAC based on the packet and the NTLM session key and signs the packet with it' do
           smb2_client.session_key = 'foo'
           smb2_client.signing_required = true
-          expect(OpenSSL::HMAC).to receive(:digest).with(instance_of(OpenSSL::Digest::SHA256), smb2_client.session_key, request1.to_binary_s).and_return(fake_hmac)
+          expect(OpenSSL::HMAC).to receive(:digest).with(instance_of(OpenSSL::Digest), smb2_client.session_key, request1.to_binary_s).and_return(fake_hmac)
           expect(smb2_client.smb2_sign(request1).smb2_header.signature).to eq fake_hmac
         end
       end
@@ -2187,7 +2185,7 @@ RSpec.describe RubySMB::Client do
             smb3_client.dialect = '0x0202'
             expect { smb3_client.smb3_sign(request) }.to raise_error(
               RubySMB::Error::SigningError,
-              'Dialect is incompatible with SMBv3 signing'
+              'Dialect "0x0202" is incompatible with SMBv3 signing'
             )
           end
         end
@@ -2237,7 +2235,7 @@ RSpec.describe RubySMB::Client do
             smb3_client.dialect = '0x0202'
             expect { smb3_client.smb3_sign(request) }.to raise_error(
               RubySMB::Error::SigningError,
-              'Dialect is incompatible with SMBv3 signing'
+              'Dialect "0x0202" is incompatible with SMBv3 signing'
             )
           end
         end

data/spec/lib/ruby_smb/gss/provider/ntlm/account_spec.rb

@@ -0,0 +1,32 @@
+RSpec.describe RubySMB::Gss::Provider::NTLM::Account do
+  let(:username) { 'RubySMB' }
+  let(:password) { 'password' }
+  let(:domain) { 'WORKGROUP' }
+  subject(:account) { RubySMB::Gss::Provider::NTLM::Account.new(username, password, domain) }
+
+  it { is_expected.to respond_to :username }
+  it { is_expected.to respond_to :password }
+  it { is_expected.to respond_to :domain }
+
+  it 'sets the username correct' do
+    expect(account.username).to eq username
+  end
+
+  it 'sets the password correctly' do
+    expect(account.password).to eq password
+  end
+
+  it 'sets the domain correctly' do
+    expect(account.domain).to eq domain
+  end
+
+  describe '#to_s' do
+    it 'converts to a string' do
+      expect(account.to_s).to be_a String
+    end
+
+    it 'formats the username and domain correctly' do
+      expect(account.to_s).to eq "#{domain}\\#{username}"
+    end
+  end
+end

data/spec/lib/ruby_smb/gss/provider/ntlm/authenticator_spec.rb

@@ -0,0 +1,101 @@
+RSpec.describe RubySMB::Gss::Provider::NTLM::Authenticator do
+  let(:username) { 'RubySMB' }
+  let(:domain) { 'WORKGROUP' }
+  let(:password) { 'password' }
+  let(:provider) { RubySMB::Gss::Provider::NTLM.new.tap { |provider| provider.put_account(username, password, domain: domain) } }
+  let(:authenticator) { described_class.new(provider, nil) }
+  let(:type1_msg) do
+    Net::NTLM::Message::Type1.new.tap do |msg|
+      msg.domain = domain
+    end
+  end
+  let(:type3_msg) do
+    Net::NTLM::Message::Type2.new.response(user: username, password: '', domain: domain)
+  end
+
+  describe '#initialize' do
+    it 'defaults to a null session key' do
+      expect(authenticator.session_key).to be_nil
+    end
+
+    it 'defaults to a null server challenge' do
+      expect(authenticator.server_challenge).to be_nil
+    end
+  end
+
+  describe '#process' do
+    it 'should handle an empty GSS buffer' do
+      result = authenticator.process
+      expect(result).to be_a RubySMB::Gss::Provider::Result
+      expect(result.nt_status).to eq WindowsError::NTStatus::STATUS_SUCCESS
+      expect(result.buffer).to_not be_empty
+      expect(result.identity).to be_nil
+    end
+
+    it 'should handle an embedded NTLM type 1 message' do
+      expect(authenticator).to receive(:process_ntlm_type1).and_call_original
+      result = authenticator.process(RubySMB::Gss.gss_type1(type1_msg.serialize))
+      expect(result).to be_a RubySMB::Gss::Provider::Result
+      expect(result.nt_status).to eq WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
+      expect(result.buffer).to_not be_empty
+      expect(result.identity).to be_nil
+      expect(authenticator.session_key).to be_nil
+    end
+
+    it 'should handle an embedded NTLM type 3 message' do
+      authenticator.server_challenge = Random.new.bytes(8)
+      expect(authenticator).to receive(:process_ntlm_type3).and_call_original
+      result = authenticator.process(RubySMB::Gss.gss_type3(type3_msg.serialize))
+      expect(result).to be_a RubySMB::Gss::Provider::Result
+      expect(result.nt_status).to eq WindowsError::NTStatus::STATUS_LOGON_FAILURE
+      expect(result.buffer).to be_nil
+      expect(result.identity).to be_nil
+      expect(authenticator.session_key).to be_nil
+    end
+  end
+
+  describe '#process_ntlm_type1' do
+    it 'should process a NTLM type 1 message and return a type2 message' do
+      expect(authenticator.process_ntlm_type1(type1_msg)).to be_a Net::NTLM::Message::Type2
+    end
+  end
+
+  describe '#process_ntlm_type3' do
+    it 'should process a NTLM type 3 message and return an error code' do
+      expect(authenticator.process_ntlm_type3(type3_msg)).to be_a WindowsError::ErrorCode
+      expect(authenticator.process_ntlm_type3(type3_msg)).to eq WindowsError::NTStatus::STATUS_LOGON_FAILURE
+    end
+  end
+
+  describe '#reset!' do
+    it 'should clear the server challenge' do
+      authenticator.instance_variable_set(:@server_challenge, Random.new.bytes(8))
+      authenticator.reset!
+      expect(authenticator.instance_variable_get(:@server_challenge)).to be_nil
+    end
+
+    it 'should clear the session key' do
+      authenticator.instance_variable_set(:@session_key, Random.new.bytes(16))
+      authenticator.reset!
+      expect(authenticator.instance_variable_get(:@session_key)).to be_nil
+    end
+  end
+
+  describe 'a full Net-NTLMv2 authentication exchange' do
+    let(:type2_msg) { authenticator.process_ntlm_type1(type1_msg)}
+
+    it 'should respond to a correct password with STATUS_SUCCESS' do
+      type3_msg = type2_msg.response({user: username, domain: domain, password: password}, ntlmv2: true)
+      type3_msg.user.force_encoding('UTF-16LE')
+      type3_msg.domain.force_encoding('UTF-16LE')
+      expect(authenticator.process_ntlm_type3(type3_msg)).to eq WindowsError::NTStatus::STATUS_SUCCESS
+    end
+
+    it 'should respond to an incorrect password with STATUS_LOGON_FAILURE' do
+      type3_msg = type2_msg.response({user: username, domain: domain, password: password + rand(0x41..0x5b).chr}, ntlmv2: true)
+      type3_msg.user.force_encoding('UTF-16LE')
+      type3_msg.domain.force_encoding('UTF-16LE')
+      expect(authenticator.process_ntlm_type3(type3_msg)).to eq WindowsError::NTStatus::STATUS_LOGON_FAILURE
+    end
+  end
+end

data/spec/lib/ruby_smb/gss/provider/ntlm/os_version_spec.rb

@@ -0,0 +1,32 @@
+RSpec.describe RubySMB::Gss::Provider::NTLM::OSVersion do
+  subject(:os_version) { RubySMB::Gss::Provider::NTLM::OSVersion.new }
+
+  it { is_expected.to respond_to :major }
+  it { is_expected.to respond_to :minor }
+  it { is_expected.to respond_to :build }
+  it { is_expected.to respond_to :ntlm_revision }
+
+  describe '#initialize' do
+    it 'defaults to an NTLM revision of 15' do
+      expect(os_version.ntlm_revision).to eq 15
+    end
+  end
+
+  describe '#read' do
+    it 'reads a packed version correctly' do
+      # Version 6.1 (Build 7601); NTLM Current Revision 15
+      os_version = RubySMB::Gss::Provider::NTLM::OSVersion.read("\x06\x01\x1d\xb1\x00\x00\x00\x0f")
+      expect(os_version.major).to eq 6
+      expect(os_version.minor).to eq 1
+      expect(os_version.build).to eq 7601
+      expect(os_version.ntlm_revision).to eq 15
+    end
+  end
+
+  describe '#to_s' do
+    it 'creates a string representation of the OS version' do
+      expect(os_version.to_s).to be_a String
+      expect(os_version.to_s).to match /Version \d+\.\d+ \(Build \d+\); NTLM Current Revision \d+/
+    end
+  end
+end

data/spec/lib/ruby_smb/gss/provider/ntlm_spec.rb

@@ -0,0 +1,113 @@
+require 'spec_helper'
+
+RSpec.describe RubySMB::Gss::Provider::NTLM do
+  let(:provider) { described_class.new }
+
+  it { is_expected.to respond_to :allow_anonymous }
+  it { is_expected.to respond_to :default_domain }
+
+  describe '#initialize' do
+    it 'defaults to false for allowing anonymous access' do
+      expect(provider.allow_anonymous).to be false
+    end
+
+    it 'defaults to a default domain of WORKGROUP' do
+      expect(provider.default_domain).to eq 'WORKGROUP'
+    end
+
+    it 'defaults to a random challenge generator' do
+      expect(provider.generate_server_challenge).to_not eq provider.generate_server_challenge
+    end
+  end
+
+  describe '#generate_server_challenge' do
+    it 'generates a valid 8-byte challenge' do
+      challenge = provider.generate_server_challenge
+      expect(challenge).to be_a String
+      expect(challenge.length).to eq 8
+    end
+
+    it 'should take a generator block' do
+      random_challenge = Random.new.bytes(8)
+      provider.generate_server_challenge do
+        random_challenge
+      end
+      expect(provider.generate_server_challenge).to eq random_challenge
+    end
+  end
+
+  describe '#get_account' do
+    let(:username) { 'RubySMB' }
+    let(:password) { 'password' }
+    let(:domain) { 'WORKGROUP' }
+
+    context 'when getting accounts' do
+     before(:each) do
+       provider.put_account(username, password)
+     end
+
+     it 'should return nil for an unknown account' do
+       account = provider.get_account('Spencer')
+       expect(account).to be_nil
+     end
+
+     it 'should work with a case sensitive name' do
+       account = provider.get_account(username)
+       expect(account).to be_a RubySMB::Gss::Provider::NTLM::Account
+       expect(account.username).to eq username
+     end
+
+     it 'should work with a case insensitive name' do
+       account = provider.get_account(username.downcase)
+       expect(account).to be_a RubySMB::Gss::Provider::NTLM::Account
+       expect(account.username).to eq username
+     end
+
+     it 'should work with a case sensitive domain' do
+       account = provider.get_account(username, domain: domain)
+       expect(account).to be_a RubySMB::Gss::Provider::NTLM::Account
+       expect(account.domain).to eq domain
+     end
+
+     it 'should work with a case insensitive domain' do
+       account = provider.get_account(username, domain: domain.downcase)
+       expect(account).to be_a RubySMB::Gss::Provider::NTLM::Account
+       expect(account.domain).to eq domain
+     end
+
+     it 'should work with the special . domain' do
+       account = provider.get_account(username, domain: '.')
+       expect(account).to be_a RubySMB::Gss::Provider::NTLM::Account
+       expect(account.domain).to eq domain
+     end
+
+     # UTF-16LE is optionally used for encoding some Net-NTLM message fields, the #get_account method should handle it
+     # transparently
+     it 'should work with a UTF16-LE name' do
+       account = provider.get_account(username.encode('UTF-16LE'))
+       expect(account).to be_a RubySMB::Gss::Provider::NTLM::Account
+       expect(account.username).to eq username
+     end
+
+     it 'should work with a UTF16-LE domain' do
+       account = provider.get_account(username, domain: domain.encode('UTF-16LE'))
+       expect(account).to be_a RubySMB::Gss::Provider::NTLM::Account
+       expect(account.domain).to eq domain
+     end
+    end
+
+    context 'when putting accounts' do
+     it 'should accept new accounts with the default domain' do
+       provider.put_account(username, password)
+     end
+
+     after(:each) do
+       account = provider.get_account(username, domain: domain)
+       expect(account).to be_a RubySMB::Gss::Provider::NTLM::Account
+       expect(account.username).to eq username
+       expect(account.password).to eq password
+       expect(account.domain).to eq domain
+     end
+    end
+  end
+end

data/spec/lib/ruby_smb/server/server_client_spec.rb

@@ -0,0 +1,156 @@
+RSpec.describe RubySMB::Server::ServerClient do
+  let(:server) { RubySMB::Server.new(server_sock: ::TCPServer.new(0)) }
+  let(:sock) { double('Socket', peeraddr: '192.168.1.5') }
+  let(:dispatcher) { RubySMB::Dispatcher::Socket.new(sock) }
+  subject(:server_client) { described_class.new(server, dispatcher) }
+
+  it { is_expected.to respond_to :dialect }
+  it { is_expected.to respond_to :identity }
+  it { is_expected.to respond_to :state }
+  it { is_expected.to respond_to :session_key }
+
+  describe '#disconnect!' do
+    it 'closes the socket' do
+      expect(dispatcher.tcp_socket).to receive(:close).with(no_args).and_return(nil)
+      server_client.disconnect!
+    end
+  end
+
+  describe '#initialize' do
+    it 'starts in the negotiate state' do
+      expect(server_client.state).to eq :negotiate
+    end
+
+    it 'starts without a dialect' do
+      expect(server_client.dialect).to be_nil
+      expect(server_client.metadialect).to be_nil
+    end
+
+    it 'starts without an identity' do
+      expect(server_client.identity).to be_nil
+    end
+
+    it 'starts without a session_key' do
+      expect(server_client.session_key).to be_nil
+    end
+
+    it 'creates a new authenticator instance' do
+      expect(server.gss_provider).to receive(:new_authenticator).and_call_original
+      described_class.new(server, dispatcher)
+    end
+  end
+
+  describe '#process_gss' do
+    before(:each) do
+      expect(server_client.instance_eval { @gss_authenticator }).to receive(:process).and_call_original
+    end
+
+    it 'should handle an empty GSS buffer' do
+      result = server_client.process_gss
+      expect(result).to be_a RubySMB::Gss::Provider::Result
+      expect(result.nt_status).to eq WindowsError::NTStatus::STATUS_SUCCESS
+      expect(result.buffer).to_not be_empty
+      expect(result.identity).to be_nil
+    end
+  end
+
+  describe '#recv_packet' do
+    it 'receives a new packet from the dispatcher' do
+      expect(dispatcher).to receive(:recv_packet).with(no_args)
+      server_client.recv_packet
+    end
+  end
+
+  describe '#run' do
+    let(:packet) { Random.new.bytes(16) }
+    before(:each) do
+      expect(server_client).to receive(:recv_packet).and_return(packet)
+      # this hook should ensure that the dispatcher loop returns after processing a single request
+      expect(dispatcher.tcp_socket).to receive(:closed?).and_return(true)
+    end
+
+    it 'calls #handle_negotiate when the state is negotiate' do
+      expect(server_client).to receive(:handle_negotiate).with(packet).and_return(nil)
+      server_client.instance_eval { @state = :negotiate }
+      server_client.run
+    end
+
+    it 'calls #handle_session_setup when the state is session_setup' do
+      expect(server_client).to receive(:handle_session_setup).with(packet).and_return(nil)
+      server_client.instance_eval { @state = :session_setup }
+      server_client.run
+    end
+
+    it 'calls #authenticated when the state is authenticated' do
+      expect(server_client).to receive(:handle_authenticated).with(packet).and_return(nil)
+      server_client.instance_eval { @state = :authenticated }
+      server_client.run
+    end
+  end
+
+  describe '#send_packet' do
+    let(:packet) { RubySMB::GenericPacket.new }
+
+    before(:each) do
+      expect(dispatcher).to receive(:send_packet).with(packet).and_return(nil)
+    end
+
+    it 'sends a packet to the dispatcher' do
+      server_client.send_packet(packet)
+    end
+
+    %w{ 0x0202 0x0210 0x0300 0x0302 0x0311 }.each do |dialect|
+      context "when the dialect is #{dialect}" do
+        before(:each) do
+          server_client.instance_eval { @dialect = dialect }
+        end
+
+        context 'and the state is authenticated' do
+          before(:each) do
+            server_client.instance_eval { @state = :authenticated }
+          end
+
+          context 'and the identity is anonymous' do
+            before(:each) do
+              server_client.instance_eval { @identity = RubySMB::Gss::Provider::IDENTITY_ANONYMOUS }
+            end
+
+            it 'does not sign packets' do
+              expect(server_client).to_not receive(:smb2_sign)
+              expect(server_client).to_not receive(:smb3_sign)
+              server_client.send_packet(packet)
+            end
+          end
+
+          context 'and the identity is not anonymous' do
+            before(:each) do
+              server_client.instance_eval { @identity = 'WORKGROUP\RubySMB'; @session_key = Random.new.bytes(16) }
+            end
+
+            it 'does sign packets' do
+              packet = RubySMB::GenericPacket.new
+              dialect_family = RubySMB::Dialect[dialect].family
+              if dialect_family == RubySMB::Dialect::FAMILY_SMB2
+                expect(server_client).to receive(:smb2_sign).with(packet).and_return(packet)
+                expect(server_client).to_not receive(:smb3_sign)
+              elsif dialect_family == RubySMB::Dialect::FAMILY_SMB3
+                expect(server_client).to receive(:smb3_sign).with(packet).and_return(packet)
+                expect(server_client).to_not receive(:smb2_sign)
+              end
+              server_client.send_packet(packet)
+            end
+          end
+        end
+      end
+    end
+  end
+
+  describe '#update_preauth_hash' do
+    it 'raises an EncryptionError exception if the preauth integrity hash algorithm is not known' do
+      expect { server_client.update_preauth_hash('Test') }.to raise_error(
+        RubySMB::Error::EncryptionError,
+        'Cannot compute the Preauth Integrity Hash value: Preauth Integrity Hash Algorithm is nil'
+      )
+    end
+  end
+end