win32-sspi 0.0.1.rc1-x86-mingw32

data/lib/win32/sspi/negotiate/server.rb

@@ -0,0 +1,199 @@
+require_relative '../windows/constants'
+require_relative '../windows/misc'
+require_relative '../api/server'
+
+module Win32
+  module SSPI
+    module Negotiate
+      class Server
+        include Windows::Constants
+        include API::Server
+      
+        attr_accessor :auth_type
+        attr_reader :token
+        attr_reader :username
+        attr_reader :domain
+      
+        def initialize(options={})
+          @auth_type = options[:auth_type] || AUTH_TYPE_NEGOTIATE
+          @token = ""
+          @username = ''
+          @domain = ''
+          @credentials_handle = nil
+          @context_handle = nil
+        end
+        
+        def http_authenticate(header,&block)
+          perform_authenticate(header,block,true)
+        end
+        
+        def authenticate(client_msg,&block)
+          perform_authenticate(client_msg,block,false)
+        end
+        
+        def perform_authenticate(client_msg,block,is_http_header)
+          authenticated = false
+
+          status = acquire_handle
+          if SEC_E_OK == status
+            token_from_client_message(client_msg,is_http_header)
+            status = accept_context(self.token)
+            if SEC_I_CONTINUE_NEEDED == status
+              block.call(block_arg_from_token(is_http_header),authenticated)
+              return authenticated
+            end
+            
+            if [SEC_I_COMPLETE_NEEDED, SEC_I_COMPLETE_AND_CONTINUE].include?(status)
+              status = complete_authentication
+            end
+            
+            if SEC_E_OK == status
+              authenticated = true
+              status = query_attributes
+              if SEC_E_OK == status
+                free_handles
+              end
+              
+              block.call(block_arg_from_token(is_http_header),authenticated)
+            end
+          end
+          
+          return authenticated
+        end
+        
+        def block_arg_from_token(is_http_header)
+          block_arg = nil
+          if self.token && self.token.length > 0
+            block_arg = is_http_header ? construct_http_header(self.auth_type,self.token) : self.token
+          end
+          block_arg
+        end
+        
+        def token_from_client_message(client_msg,is_http_header)
+          if client_msg
+            if is_http_header
+              @auth_type, @token = de_construct_http_header(client_msg)
+            else
+              @token = client_msg
+            end
+          end
+        end
+        
+        def acquire_handle
+          return SEC_E_OK if @credentials_handle
+        
+          @credentials_handle = create_credhandle
+          expiry = create_timestamp
+        
+          status = acquire_credentials_handle(
+            nil,
+            @auth_type,
+            SECPKG_CRED_INBOUND,
+            nil,
+            nil,
+            nil,
+            nil,
+            @credentials_handle,
+            expiry
+          )
+
+          if SEC_E_OK != status
+            @credentials_handle = nil
+            raise SecurityStatusError.new('AcquireCredentialsHandle', status, FFI.errno)
+          end
+          
+          status
+        end
+      
+        def accept_context(token=nil)
+          ctx = @context_handle
+          @context_handle ||= create_ctxhandle
+
+          if token
+            input_buffer   = create_secbuffer(token)
+            input_buffer_desc  = create_secbufferdesc(input_buffer)
+          end
+          
+          rflags = ASC_REQ_CONFIDENTIALITY | ASC_REQ_REPLAY_DETECT | ASC_REQ_CONNECTION
+
+          output_buffer  = create_secbuffer
+          output_buffer_desc = create_secbufferdesc(output_buffer)
+
+          context_attributes = FFI::MemoryPointer.new(:ulong)
+          expiry = create_timestamp
+
+          status = accept_security_context(
+            @credentials_handle,
+            ctx,
+            (token ? input_buffer_desc : nil),
+            rflags,
+            SECURITY_NATIVE_DREP,
+            @context_handle,
+            output_buffer_desc,
+            context_attributes,
+            expiry
+          )
+
+          a_success = [SEC_E_OK, SEC_I_CONTINUE_NEEDED, SEC_I_COMPLETE_NEEDED, SEC_I_COMPLETE_AND_CONTINUE]
+          if a_success.include?(status)
+            @token = output_buffer.to_ruby_s
+          else
+            raise SecurityStatusError.new('AcceptSecurityContext', status, FFI.errno)
+          end
+          
+          status
+        end
+        
+        def complete_authentication
+          status = SEC_E_OK
+          
+          if @token
+            input_buffer = create_secbuffer(@token)
+            input_buffer_desc  = create_secbufferdesc(input_buffer)
+            
+            status = complete_auth_token(@context_handle, input_buffer_desc)
+            if SEC_E_OK != status
+              raise SecurityStatusError.new('CompleteAuthToken', status, FFI.errno)
+            end
+          end
+          
+          status
+        end
+
+        def query_attributes
+          # Finally, let's get the user and domain
+          ptr = create_secpkg_context_names
+
+          status = query_context_attributes(@context_handle, SECPKG_ATTR_NAMES, ptr)
+          if SEC_E_OK != status
+            raise SecurityStatusError.new('QueryContextAttributes', status, FFI.errno)
+          end
+
+          @username = ptr.to_ruby_s
+          if @username.include?("\\")
+            @domain, @username = @username.split("\\")
+          end
+          
+          status = free_context_buffer(ptr.to_username_ptr)
+          if SEC_E_OK != status
+            raise SecurityStatusError.new('FreeContextBuffer', status, FFI.errno)
+          end
+          
+          status
+        end
+        
+        def free_handles
+          result = free_context_and_credentials(@context_handle, @credentials_handle)
+          @context_handle, @credentials_handle = [nil,nil]
+          
+          if SEC_E_OK != result[:status]
+            raise SecurityStatusError.new(result[:name], result[:status], FFI.errno)
+          end
+          
+          result[:status]
+        end
+      
+      end
+    end
+  end
+end

data/lib/win32/sspi/windows/constants.rb

@@ -0,0 +1,36 @@
+module Windows
+  module Constants
+    SECURITY_NATIVE_DREP              = 0x00000010
+    SECURITY_NETWORK_DREP             = 0x00000000
+    SEC_WINNT_AUTH_IDENTITY_ANSI      = 1
+    SEC_WINNT_AUTH_IDENTITY_UNICODE   = 2
+    SECBUFFER_TOKEN                   = 2
+    SECBUFFER_VERSION                 = 0
+    TOKENBUFSIZE                      = 4096
+
+    SECPKG_ATTR_NAMES                 = 1
+    SECPKG_CRED_INBOUND               = 0x00000001
+    SECPKG_CRED_OUTBOUND              = 0x00000002
+
+    ISC_REQ_CONFIDENTIALITY           = 0x00000010
+    ISC_REQ_REPLAY_DETECT             = 0x00000004
+    ISC_REQ_CONNECTION                = 0x00000800
+
+    ASC_REQ_DELEGATE                  = 0x00000001
+    ASC_REQ_MUTUAL_AUTH               = 0x00000002
+    ASC_REQ_REPLAY_DETECT             = 0x00000004
+    ASC_REQ_SEQUENCE_DETECT           = 0x00000008
+    ASC_REQ_CONFIDENTIALITY           = 0x00000010
+    ASC_REQ_CONNECTION                = 0x00000800
+    
+    SEC_E_OK                          = 0x00000000
+    SEC_I_CONTINUE_NEEDED             = 0x00090312
+    SEC_I_COMPLETE_NEEDED             = 0x00090313
+    SEC_I_COMPLETE_AND_CONTINUE       = 0x00090314
+    SEC_E_INVALID_HANDLE              = 0x80090301
+    SEC_E_INVALID_TOKEN               = 0x80090308
+    SEC_E_LOGON_DENIED                = 0x8009030C
+    SEC_E_SECPKG_NOT_FOUND            = 0x80090305
+    SEC_E_WRONG_PRINCIPAL             = 0x80090322
+  end
+end

data/lib/win32/sspi/windows/functions.rb

@@ -0,0 +1,31 @@
+require 'ffi'
+
+module Windows
+  module Functions
+    extend FFI::Library
+    ffi_lib :secur32
+
+    attach_function :AcquireCredentialsHandle, :AcquireCredentialsHandleA,
+      [:string, :string, :ulong, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer],
+      :ulong
+
+    attach_function :InitializeSecurityContext, :InitializeSecurityContextA,
+      [:pointer, :pointer, :string, :ulong, :ulong, :ulong, :pointer, :ulong, :pointer, :pointer, :pointer, :pointer],
+      :ulong
+
+    attach_function :AcceptSecurityContext,
+      [:pointer, :pointer, :pointer, :ulong, :ulong, :pointer, :pointer, :pointer, :pointer],
+      :ulong
+
+    attach_function :CompleteAuthToken, [:pointer, :pointer], :ulong
+    attach_function :DeleteSecurityContext, [:pointer], :ulong
+    attach_function :EnumerateSecurityPackages, :EnumerateSecurityPackagesA, [:pointer, :pointer], :ulong
+    attach_function :FreeContextBuffer, [:pointer], :ulong
+    attach_function :FreeCredentialsHandle, [:pointer], :ulong
+    attach_function :ImpersonateSecurityContext, [:pointer], :ulong
+    attach_function :QueryContextAttributes, :QueryContextAttributesA, [:pointer, :ulong, :pointer], :ulong
+    attach_function :QuerySecurityContextToken, [:pointer, :pointer], :ulong
+    attach_function :QuerySecurityPackageInfo, :QuerySecurityPackageInfoA, [:string, :pointer], :ulong
+    attach_function :RevertSecurityContext, [:pointer], :ulong
+  end
+end

data/lib/win32/sspi/windows/misc.rb

@@ -0,0 +1,24 @@
+require 'ffi'
+require_relative 'constants'
+
+class SecurityStatusError < StandardError
+  extend FFI::Library
+
+  FORMAT_MESSAGE_FROM_SYSTEM_TABLE = 0x00001000
+
+  ffi_lib :kernel32
+  attach_function :FormatMessageA, [:ulong, :ulong, :ulong, :ulong, :pointer, :ulong, :pointer], :ulong
+
+  def initialize(context,status,errno)
+    hex_status = '0x%X' % status
+    msg = get_return_status_message(status)
+    super("#{context}:\nffi_errno:#{errno} win32_status:#{hex_status}\nwin32 message:#{msg}")
+  end
+
+  def get_return_status_message(win32_return_status)
+    buf = FFI::MemoryPointer.new(:char, 512)
+    flags = FORMAT_MESSAGE_FROM_SYSTEM_TABLE
+    FormatMessageA(flags, 0, win32_return_status, 0, buf, buf.size, nil)
+    buf.read_string
+  end
+end

data/lib/win32/sspi/windows/structs.rb

@@ -0,0 +1,147 @@
+require 'ffi'
+
+module Windows
+  module Structs
+    extend FFI::Library
+
+    class SEC_WINNT_AUTH_IDENTITY < FFI::Struct
+      layout(
+        :User, :pointer,
+        :UserLength, :ulong,
+        :Domain, :pointer,
+        :DomainLength, :ulong,
+        :Password, :pointer,
+        :PasswordLength, :ulong,
+        :Flags, :ulong
+      )
+      
+      def user_to_ruby_s
+        bsize = self[:UserLength]
+        bsize > 0 ? self[:User].read_string_length(bsize) : nil
+      end
+      
+      def domain_to_ruby_s
+        bsize = self[:DomainLength]
+        bsize > 0 ? self[:Domain].read_string_length(bsize) : nil
+      end
+      
+      def password_to_ruby_s
+        bsize = self[:PasswordLength]
+        bsize > 0 ? self[:Password].read_string_length(bsize) : nil
+      end
+    end
+
+    class SecHandle < FFI::Struct
+      layout(:dwLower, :pointer, :dwUpper, :pointer)
+
+      # NOTE: Experimental for now, may remove this marshalling stuff later
+
+      def marshal_dump
+        [self[:dwLower].read_ulong, self[:dwUpper].read_ulong]
+      end
+
+      def marshal_load(values)
+        self[:dwLower] = FFI::MemoryPointer.new(:ulong)
+        self[:dwUpper] = FFI::MemoryPointer.new(:ulong)
+        self[:dwLower].write_ulong(values[0])
+        self[:dwUpper].write_ulong(values[1])
+      end
+    end
+
+    CredHandle = SecHandle
+    CtxtHandle = SecHandle
+
+    class TimeStamp < FFI::Struct
+      layout(:dwLowDateTime, :ulong, :dwHighDateTime, :ulong)
+      
+      def marshal_dump
+        [self[:dwLowDateTime], self[:dwHighDateTime]]
+      end
+
+      def marshal_load(values)
+        self[:dwLowDateTime] = values[0]
+        self[:dwHighDateTime] = values[1]
+      end
+    end
+
+    class SecBuffer < FFI::Struct
+      layout(
+        :cbBuffer, :ulong,
+        :BufferType, :ulong,
+        :pvBuffer, :pointer
+      )
+
+      def init(token = nil)
+        self[:BufferType] = 2 # SECBUFFER_TOKEN
+
+        if token
+          self[:cbBuffer] = token.size
+          self[:pvBuffer] = FFI::MemoryPointer.from_string(token)
+        else
+          self[:cbBuffer] = Windows::Constants::TOKENBUFSIZE # Our TOKENBUFSIZE = 4096
+          self[:pvBuffer] = FFI::MemoryPointer.new(:char, Windows::Constants::TOKENBUFSIZE)
+        end
+
+        self
+      end
+      
+      def to_ruby_s
+        bsize = self[:cbBuffer]
+        bsize > 0 ? self[:pvBuffer].read_string_length(bsize) : nil
+      end
+    end
+
+    class SecBufferDesc < FFI::Struct
+      layout(
+        :ulVersion, :ulong,
+        :cBuffers, :ulong,
+        :pBuffers, :pointer
+      )
+
+      def init(sec_buffer)
+        self[:ulVersion] = Windows::Constants::SECBUFFER_VERSION
+        self[:cBuffers]  = 1
+        self[:pBuffers]  = sec_buffer
+        self
+      end
+      
+      def marshal_dump
+        buffer = SecBuffer.new(self[:pBuffers])
+        buffer.to_ruby_s
+      end
+      
+      def marshal_load(content)
+        buffer = SecBuffer.new(self[:pBuffers])
+        buffer[:cbBuffer] = content.length
+        buffer[:pvBuffer].write_string(content)
+      end
+    end
+
+    class SecPkgInfo < FFI::Struct
+      layout(
+        :fCapabilities, :ulong,
+        :wVersion, :ushort,
+        :wRPCID, :ushort,
+        :cbMaxToken, :ulong,
+        :Name, :string,
+        :Comment, :string
+      )
+    end
+
+    class SecPkgContext_Names < FFI::Struct
+      layout(:sUserName, :pointer)
+      
+      def marshal_load(username)
+        self[:sUserName] = FFI::MemoryPointer.from_string(username)
+      end
+      
+      def to_ruby_s
+        self[:sUserName].null? ? nil : self[:sUserName].read_string
+      end
+      
+      def to_username_ptr
+        self[:sUserName]
+      end
+    end
+  end
+end

data/test/all_tests.rb

@@ -0,0 +1,2 @@
+require_relative "test_win32_sspi_negotiate_client"
+require_relative "test_win32_sspi_negotiate_server"

data/test/test_win32_sspi_negotiate_client.rb

@@ -0,0 +1,417 @@
+########################################################################
+# Tests for the Win32::SSPI::Negotiate::Client class.
+########################################################################
+require 'test-unit'
+require 'win32/sspi/negotiate/client'
+
+class TC_Win32_SSPI_Negotiate_Client < Test::Unit::TestCase
+  SPN = "HTTP/virtual-server.gas.local"
+  MockCredentialHandle = [777,888]
+  MockTimeStamp = [0x000000FF,0xFF000000]
+  MockContextHandle = [123,987]
+  MockSecBufferContent = Random.new.bytes(128)
+  ContextAttr = Windows::Constants::ISC_REQ_CONFIDENTIALITY | 
+                Windows::Constants::ISC_REQ_REPLAY_DETECT | 
+                Windows::Constants::ISC_REQ_CONNECTION
+
+  def setup
+    @client = Win32::SSPI::Negotiate::Client.new(spn:SPN)
+  end
+  
+  # assert helper that helps reduce test duplication
+  def assert_client_call_state(client)
+    acquire_args = client.retrieve_state(:acquire)
+    refute_nil acquire_args
+    assert_equal 9, acquire_args.length
+    
+    isc_args = client.retrieve_state(:isc)
+    refute_nil isc_args
+    assert_equal 12, isc_args.length
+    
+    dsc_args = client.retrieve_state(:dsc)
+    refute_nil dsc_args
+    assert_equal 1, dsc_args.length
+    
+    fch_args = client.retrieve_state(:fch)
+    refute_nil fch_args
+    assert_equal 1, fch_args.length
+    
+    assert_nil client.instance_variable_get(:@credentials_handle)
+    assert_nil client.instance_variable_get(:@context_handle)
+  end
+  
+  def assert_base64_http_header(header,auth_type)
+    if Win32::SSPI::API::Common::AUTH_TYPE_NEGOTIATE == auth_type
+      assert_match( /\ANegotiate \p{Print}+={,2}\z/,header)
+    end
+    if Win32::SSPI::API::Common::AUTH_TYPE_NTLM == auth_type
+      assert_match( /\ANTLM \p{Print}+={,2}\z/,header)
+    end
+  end
+
+  def test_spn_basic_functionality
+    assert_respond_to(@client, :spn)
+    assert_nothing_raised{ @client.spn }
+    assert_kind_of(String, @client.spn)
+    assert_equal "HTTP/virtual-server.gas.local", @client.spn
+  end
+
+  def test_auth_type_basic_functionality
+    assert_respond_to(@client, :auth_type)
+    assert_nothing_raised{ @client.auth_type }
+    assert_kind_of(String, @client.auth_type)
+    assert_equal Win32::SSPI::API::Common::AUTH_TYPE_NEGOTIATE, @client.auth_type
+    
+    client = Win32::SSPI::Negotiate::Client.new(spn:SPN, auth_type:"Kerberos")
+    assert_equal "Kerberos", client.auth_type
+  end
+
+  def test_token_basic_functionality
+    assert_respond_to(@client, :token)
+    assert_nothing_raised{ @client.token }
+    assert_nil @client.token
+  end
+
+  def test_acquire_handle_basic_functionality
+    assert_respond_to(@client, :acquire_handle)
+    assert_equal 0, @client.method(:acquire_handle).arity
+    assert_respond_to(@client, :acquire_credentials_handle)
+    assert_equal 9, @client.method(:acquire_credentials_handle).arity
+  end
+
+  def test_initialize_context_basic_functionality
+    assert_respond_to(@client, :initialize_context)
+    assert_equal( -1, @client.method(:initialize_context).arity)
+    assert_respond_to(@client, :initialize_security_context)
+    assert_equal 12, @client.method(:initialize_security_context).arity
+  end
+
+  def test_acquire_handle_invokes_windows_api_as_expected
+    client = Class.new(MockNegotiateClient).new(spn:SPN)
+    assert_nothing_raised{ @status = client.acquire_handle }
+    assert_equal Windows::Constants::SEC_E_OK, @status
+
+    args = client.retrieve_state(:acquire)
+    assert_equal 9, args.length, "acquire_credentials_handle should have 9 arguments"
+    assert_equal SPN, args[0], "unexpected psz_principal"
+    assert_equal Win32::SSPI::API::Common::AUTH_TYPE_NEGOTIATE, args[1], "unexpected psz_package"
+    assert_equal Windows::Constants::SECPKG_CRED_OUTBOUND, args[2], "unexpected f_credentialuse"
+    assert_nil args[3], "unexpected pv_logonid"
+    assert_nil args[4], "unexpected p_authdata"
+    assert_nil args[5], "unexpected p_getkeyfn"
+    assert_nil args[6], "unexpected p_getkeyarg"
+    assert_kind_of Windows::Structs::CredHandle, args[7], "unexpected ph_newcredentials"
+    assert_equal MockCredentialHandle, args[7].marshal_dump
+    assert_kind_of Windows::Structs::TimeStamp, args[8], "unexpected pts_expiry"
+    assert_equal MockTimeStamp, args[8].marshal_dump
+  end
+  
+  def test_acquire_handle_memoizes_handle
+    client = Class.new(MockNegotiateClient).new(spn:SPN)
+    assert_nothing_raised{ client.acquire_handle }
+    assert_nothing_raised{ @status = client.acquire_handle }
+    assert_equal Windows::Constants::SEC_E_OK, @status
+    assert_equal 9, client.retrieve_state(:acquire).length
+  end
+  
+  def test_acquire_handle_raises_when_windows_api_returns_failed_status
+    client = Class.new(MockNegotiateClient) do
+      def acquire_credentials_handle(*args)
+        capture_state(:acquire, args)
+        return Windows::Constants::SEC_E_WRONG_PRINCIPAL
+      end
+    end.new(spn:SPN)
+
+    exception = assert_raises(SecurityStatusError){ client.acquire_handle }
+    assert_not_nil exception
+    expected_message = <<-EOM
+AcquireCredentialsHandle:
+ffi_errno:0 win32_status:0x80090322
+win32 message:The target principal name is incorrect.\r
+EOM
+    assert_equal expected_message, exception.message
+  end
+  
+  def test_initialize_context_invokes_windows_api_as_expected
+    client = Class.new(MockNegotiateClient).new(spn:SPN)
+    assert_nothing_raised{ client.acquire_handle }
+    assert_nothing_raised{ @status = client.initialize_context }
+    assert_equal Windows::Constants::SEC_I_CONTINUE_NEEDED, @status
+
+    args = client.retrieve_state(:isc)
+    assert_equal 12, args.length, "unexpected arguments"
+    assert_kind_of Windows::Structs::CredHandle, args[0], "unexpected ph_credentials"
+    assert_equal MockCredentialHandle, args[0].marshal_dump
+    assert_nil args[1], "unexpected ph_context"
+    assert_equal SPN, args[2], "unexpected psz_targetname"
+    
+    assert_equal ContextAttr, args[3], "unexpected f_contextreq"
+    assert_equal 0, args[4], "unexpected reserved1"
+    assert_equal Windows::Constants::SECURITY_NETWORK_DREP, args[5], "unexpected targetrep"
+    assert_nil args[6], "unexpected p_input"
+    assert_equal 0, args[7], "unexpected reserved2"
+    assert_kind_of Windows::Structs::CtxtHandle, args[8], "unexpected ph_newcontext"
+    assert_equal MockContextHandle, args[8].marshal_dump
+    assert_kind_of Windows::Structs::SecBufferDesc, args[9], "unexpected p_output"
+    assert_equal MockSecBufferContent, client.token
+    assert_kind_of FFI::MemoryPointer, args[10], "unexpected pf_contextattr"
+    assert_equal ContextAttr, args[10].read_ulong
+    assert_kind_of Windows::Structs::TimeStamp, args[11], "unexpected pts_expiry"
+    assert_equal MockTimeStamp, args[11].marshal_dump
+  end
+  
+  def test_initialize_context_raises_when_windows_api_returns_failed_status
+    client = Class.new(MockNegotiateClient) do
+      def initialize_security_context(*args)
+        capture_state(:isc, args)
+        return Windows::Constants::SEC_E_INVALID_TOKEN
+      end
+    end.new(spn:SPN)
+
+    assert_nothing_raised{ client.acquire_handle }
+    exception = assert_raises(SecurityStatusError){ client.initialize_context }
+    assert_not_nil exception
+    expected_message = <<-EOM
+InitializeSecurityContext:
+ffi_errno:0 win32_status:0x80090308
+win32 message:The token supplied to the function is invalid\r
+EOM
+    assert_equal expected_message, exception.message
+  end
+  
+  def test_free_context_and_credentials
+    client = Class.new(MockNegotiateClient).new(spn:SPN)
+    credentials = client.create_credhandle(MockCredentialHandle)
+    context = client.create_ctxhandle(MockContextHandle)
+    result = client.free_context_and_credentials(context,credentials)
+    status_ok = Windows::Constants::SEC_E_OK
+    assert_equal({name:"",status:status_ok,dsc_status:status_ok,fch_status:status_ok}, result)
+  end
+  
+  def test_free_context_and_credentials_when_failed_delete
+    client = Class.new(MockNegotiateClient) do
+      def delete_security_context(*args)
+        return Windows::Constants::SEC_E_INVALID_HANDLE
+      end
+    end.new(spn:SPN)
+    credentials = client.create_credhandle(MockCredentialHandle)
+    context = client.create_ctxhandle(MockContextHandle)
+    result = client.free_context_and_credentials(context,credentials)
+    status_ok = Windows::Constants::SEC_E_OK
+    status_failed = Windows::Constants::SEC_E_INVALID_HANDLE
+    expected_result = {name:"DeleteSecurityContext",
+                        status:status_failed, dsc_status:status_failed, fch_status:status_ok}
+    assert_equal expected_result, result
+  end
+  
+  def test_free_context_and_credentials_when_failed_free
+    client = Class.new(MockNegotiateClient) do
+      def free_credentials_handle(*args)
+        return Windows::Constants::SEC_E_INVALID_HANDLE
+      end
+    end.new(spn:SPN)
+    credentials = client.create_credhandle(MockCredentialHandle)
+    context = client.create_ctxhandle(MockContextHandle)
+    result = client.free_context_and_credentials(context,credentials)
+    status_ok = Windows::Constants::SEC_E_OK
+    status_failed = Windows::Constants::SEC_E_INVALID_HANDLE
+    expected_result = {name:"FreeCredentialsHandle",
+                        status:status_failed, dsc_status:status_ok, fch_status:status_failed}
+    assert_equal expected_result, result
+  end
+  
+  def test_free_context_and_credentials_when_both_fail
+    client = Class.new(MockNegotiateClient) do
+      def delete_security_context(*args)
+        return Windows::Constants::SEC_E_INVALID_HANDLE
+      end
+      def free_credentials_handle(*args)
+        return Windows::Constants::SEC_E_INVALID_HANDLE
+      end
+    end.new(spn:SPN)
+    credentials = client.create_credhandle(MockCredentialHandle)
+    context = client.create_ctxhandle(MockContextHandle)
+    result = client.free_context_and_credentials(context,credentials)
+    status_failed = Windows::Constants::SEC_E_INVALID_HANDLE
+    expected_result = {name:"FreeCredentialsHandle",
+                        status:status_failed, dsc_status:status_failed, fch_status:status_failed}
+    assert_equal expected_result, result
+  end
+  
+  def test_both_handles_freed_when_free_handles_raises
+    client = Class.new(MockNegotiateClient) do
+      def delete_security_context(*args)
+        capture_state(:dsc, args)
+        return Windows::Constants::SEC_E_INVALID_TOKEN
+      end
+    end.new(spn:SPN)
+
+    assert_nothing_raised{ client.acquire_handle }
+    assert_nothing_raised{ client.initialize_context }
+    
+    refute_nil client.instance_variable_get(:@context_handle)
+    refute_nil client.instance_variable_get(:@credentials_handle)
+    
+    assert_raises{ client.free_handles }
+    
+    assert_nil client.instance_variable_get(:@context_handle)
+    assert_nil client.instance_variable_get(:@credentials_handle)
+  end
+  
+  def test_acquire_handle_invokes_windows_api_as_expected_with_ntlm_auth_type
+    client = Class.new(MockNegotiateClient).new(auth_type:Win32::SSPI::API::Common::AUTH_TYPE_NTLM)
+    assert_nothing_raised{ @status = client.acquire_handle }
+    assert_equal Windows::Constants::SEC_E_OK, @status
+
+    args = client.retrieve_state(:acquire)
+    assert_equal 9, args.length, "acquire_credentials_handle should have 9 arguments"
+    assert_nil args[0], "unexpected psz_principal"
+    assert_equal Win32::SSPI::API::Common::AUTH_TYPE_NTLM, args[1], "unexpected psz_package"
+    assert_equal Windows::Constants::SECPKG_CRED_OUTBOUND, args[2], "unexpected f_credentialuse"
+    assert_nil args[3], "unexpected pv_logonid"
+    assert_kind_of Windows::Structs::SEC_WINNT_AUTH_IDENTITY, args[4], "unexpected p_authdata"
+    assert_equal ENV['USERNAME'], args[4].user_to_ruby_s
+    assert_equal ENV['USERDOMAIN'], args[4].domain_to_ruby_s
+    assert_nil args[5], "unexpected p_getkeyfn"
+    assert_nil args[6], "unexpected p_getkeyarg"
+    assert_kind_of Windows::Structs::CredHandle, args[7], "unexpected ph_newcredentials"
+    assert_equal MockCredentialHandle, args[7].marshal_dump
+    assert_kind_of Windows::Structs::TimeStamp, args[8], "unexpected pts_expiry"
+    assert_equal MockTimeStamp, args[8].marshal_dump
+  end
+  
+  def test_acquire_handle_invokes_windows_api_as_expected_with_ntlm_auth_type_and_supplied_credentials
+    client = Class.new(MockNegotiateClient).new(
+        auth_type:Win32::SSPI::API::Common::AUTH_TYPE_NTLM,
+        username:'joey',
+        domain:'local',
+        password:'kskeidksi'
+      )
+    assert_nothing_raised{ @status = client.acquire_handle }
+    assert_equal Windows::Constants::SEC_E_OK, @status
+
+    args = client.retrieve_state(:acquire)
+    assert_equal 9, args.length, "acquire_credentials_handle should have 9 arguments"
+    assert_nil args[0], "unexpected psz_principal"
+    assert_equal Win32::SSPI::API::Common::AUTH_TYPE_NTLM, args[1], "unexpected psz_package"
+    assert_equal Windows::Constants::SECPKG_CRED_OUTBOUND, args[2], "unexpected f_credentialuse"
+    assert_nil args[3], "unexpected pv_logonid"
+    assert_kind_of Windows::Structs::SEC_WINNT_AUTH_IDENTITY, args[4], "unexpected p_authdata"
+    assert_equal 'joey', args[4].user_to_ruby_s
+    assert_equal 'local', args[4].domain_to_ruby_s
+    assert_equal 'kskeidksi', args[4].password_to_ruby_s
+    assert_nil args[5], "unexpected p_getkeyfn"
+    assert_nil args[6], "unexpected p_getkeyarg"
+    assert_kind_of Windows::Structs::CredHandle, args[7], "unexpected ph_newcredentials"
+    assert_equal MockCredentialHandle, args[7].marshal_dump
+    assert_kind_of Windows::Structs::TimeStamp, args[8], "unexpected pts_expiry"
+    assert_equal MockTimeStamp, args[8].marshal_dump
+  end
+  
+  def test_http_authenticate
+    client = Class.new(MockNegotiateClient).new(spn:SPN)
+    counter = 0
+    client.http_authenticate do |header|
+      counter += 1
+      fail "loop failed to complete in a reasonable iteration count" if counter > 3
+      assert_base64_http_header(header,Win32::SSPI::API::Common::AUTH_TYPE_NEGOTIATE)
+      header
+    end
+    
+    assert_equal 1, counter
+
+    assert_client_call_state(client)
+  end
+  
+  def test_http_authenticate_with_ntlm_protocol
+    client = Class.new(MockNegotiateClient).new(auth_type:Win32::SSPI::API::Common::AUTH_TYPE_NTLM)
+    counter = 0
+    client.http_authenticate do |header|
+      counter += 1
+      fail "loop failed to complete in a reasonable iteration count" if counter > 3
+      assert_base64_http_header(header,Win32::SSPI::API::Common::AUTH_TYPE_NTLM)
+      header
+    end
+
+    assert_equal 2, counter
+
+    assert_client_call_state(client)
+  end
+  
+  def test_authenticate
+    client = Class.new(MockNegotiateClient).new(spn:SPN)
+    counter = 0
+    client.authenticate do |token|
+      counter += 1
+      fail "loop failed to complete in a reasonable iteration count" if counter > 3
+      assert_equal MockSecBufferContent, token
+      token
+    end
+    
+    assert_equal 1, counter
+
+    assert_client_call_state(client)
+  end
+  
+  def teardown
+    @client = nil
+  end
+end
+
+class MockNegotiateClient < Win32::SSPI::Negotiate::Client
+  def acquire_credentials_handle(*args)
+    s_args = retrieve_state(:acquire) || Array.new
+    s_args << args
+    capture_state(:acquire,s_args.flatten)
+    # this api should return a credential handle in arg[7] and a timestamp in arg[8]
+    args[7].marshal_load(TC_Win32_SSPI_Negotiate_Client::MockCredentialHandle)
+    args[8].marshal_load(TC_Win32_SSPI_Negotiate_Client::MockTimeStamp)
+    return Windows::Constants::SEC_E_OK
+  end
+  
+  def initialize_security_context(*args)
+    capture_state(:isc, args)
+    status = Windows::Constants::SEC_E_OK
+    status = Windows::Constants::SEC_I_CONTINUE_NEEDED if args[6].nil?
+    # this api should return a new context, p_output, context attr and timestamp
+    args[8].marshal_load(TC_Win32_SSPI_Negotiate_Client::MockContextHandle)
+    args[9].marshal_load(TC_Win32_SSPI_Negotiate_Client::MockSecBufferContent)
+    args[10].write_ulong(TC_Win32_SSPI_Negotiate_Client::ContextAttr)
+    args[11].marshal_load(TC_Win32_SSPI_Negotiate_Client::MockTimeStamp)
+    return status
+  end
+  
+  def delete_security_context(*args)
+    capture_state(:dsc,args)
+    return Windows::Constants::SEC_E_OK
+  end
+  
+  def free_credentials_handle(*args)
+    capture_state(:fch,args)
+    return Windows::Constants::SEC_E_OK
+  end
+  
+  def capture_state(key,value)
+    self.class.capture_state(key,value)
+  end
+  
+  def retrieve_state(key)
+    self.class.retrieve_state(key)
+  end
+  
+  def self.state
+    @state ||= Hash.new
+  end
+  
+  def self.capture_state(key,value)
+    state[key] = value
+  end
+  
+  def self.retrieve_state(key)
+    state[key]
+  end
+  
+  def self.clear_state
+    state.clear
+  end
+end