python/samba/tests/samba_tool/gpo_exts.py

   1 # Unix SMB/CIFS implementation.
   2 # Copyright (C) David Mulder 2021
   3 #
   4 # based on gpo.py:
   5 # Copyright (C) Andrew Bartlett 2012
   6 #
   7 # This program is free software; you can redistribute it and/or modify
   8 # it under the terms of the GNU General Public License as published by
   9 # the Free Software Foundation; either version 3 of the License, or
  10 # (at your option) any later version.
  11 #
  12 # This program is distributed in the hope that it will be useful,
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 # GNU General Public License for more details.
  16 #
  17 # You should have received a copy of the GNU General Public License
  18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 #
  20
  21 import os
  22 from samba.tests.samba_tool.base import SambaToolCmdTest
  23 import shutil
  24 from samba.param import LoadParm
  25 from samba.tests.gpo import stage_file, unstage_file
  26 import xml.etree.ElementTree as etree
  27
  28 class GpoCmdTestCase(SambaToolCmdTest):
  29     """Tests for samba-tool time subcommands"""
  30
  31     gpo_name = "testgpo"
  32
  33     def test_vgp_access_list(self):
  34         lp = LoadParm()
  35         lp.load(os.environ['SERVERCONFFILE'])
  36         local_path = lp.get('path', 'sysvol')
  37         vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
  38                                self.gpo_guid, 'Machine/VGP/VTLA/VAS',
  39                                'HostAccessControl/Allow/manifest.xml')
  40
  41         stage = etree.Element('vgppolicy')
  42         policysetting = etree.SubElement(stage, 'policysetting')
  43         pv = etree.SubElement(policysetting, 'version')
  44         pv.text = '1'
  45         name = etree.SubElement(policysetting, 'name')
  46         name.text = 'Host Access Control'
  47         description = etree.SubElement(policysetting, 'description')
  48         description.text = 'Represents host access control data (pam_access)'
  49         apply_mode = etree.SubElement(policysetting, 'apply_mode')
  50         apply_mode.text = 'merge'
  51         data = etree.SubElement(policysetting, 'data')
  52         listelement = etree.SubElement(data, 'listelement')
  53         etype = etree.SubElement(listelement, 'type')
  54         etype.text = 'USER'
  55         entry = etree.SubElement(listelement, 'entry')
  56         entry.text = 'goodguy@%s' % lp.get('realm').lower()
  57         adobject = etree.SubElement(listelement, 'adobject')
  58         name = etree.SubElement(adobject, 'name')
  59         name.text = 'goodguy'
  60         domain = etree.SubElement(adobject, 'domain')
  61         domain.text = lp.get('realm').lower()
  62         etype = etree.SubElement(adobject, 'type')
  63         etype.text = 'user'
  64         groupattr = etree.SubElement(data, 'groupattr')
  65         groupattr.text = 'samAccountName'
  66         listelement = etree.SubElement(data, 'listelement')
  67         etype = etree.SubElement(listelement, 'type')
  68         etype.text = 'GROUP'
  69         entry = etree.SubElement(listelement, 'entry')
  70         entry.text = '%s\\goodguys' % lp.get('realm').lower()
  71         adobject = etree.SubElement(listelement, 'adobject')
  72         name = etree.SubElement(adobject, 'name')
  73         name.text = 'goodguys'
  74         domain = etree.SubElement(adobject, 'domain')
  75         domain.text = lp.get('realm').lower()
  76         etype = etree.SubElement(adobject, 'type')
  77         etype.text = 'group'
  78         ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
  79         self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
  80
  81         uentry = '+:%s\\goodguy:ALL' % domain.text
  82         gentry = '+:%s\\goodguys:ALL' % domain.text
  83         (result, out, err) = self.runsublevelcmd("gpo", ("manage",
  84                                                  "access", "list"),
  85                                                  self.gpo_guid, "-H",
  86                                                  "ldap://%s" %
  87                                                  os.environ["SERVER"],
  88                                                  "-U%s%%%s" %
  89                                                  (os.environ["USERNAME"],
  90                                                  os.environ["PASSWORD"]))
  91         self.assertIn(uentry, out, 'The test entry was not found!')
  92         self.assertIn(gentry, out, 'The test entry was not found!')
  93
  94         # Unstage the manifest.xml file
  95         unstage_file(vgp_xml)
  96
  97     def test_vgp_access_add(self):
  98         lp = LoadParm()
  99         lp.load(os.environ['SERVERCONFFILE'])
 100
 101         (result, out, err) = self.runsublevelcmd("gpo", ("manage",
 102                                                  "access", "add"),
 103                                                  self.gpo_guid,
 104                                                  "allow", self.test_user,
 105                                                  lp.get('realm').lower(),
 106                                                  "-H", "ldap://%s" %
 107                                                  os.environ["SERVER"],
 108                                                  "-U%s%%%s" %
 109                                                  (os.environ["USERNAME"],
 110                                                  os.environ["PASSWORD"]))
 111         self.assertCmdSuccess(result, out, err, 'Access add failed')
 112
 113         (result, out, err) = self.runsublevelcmd("gpo", ("manage",
 114                                                  "access", "add"),
 115                                                  self.gpo_guid,
 116                                                  "deny", self.test_group,
 117                                                  lp.get('realm').lower(),
 118                                                  "-H", "ldap://%s" %
 119                                                  os.environ["SERVER"],
 120                                                  "-U%s%%%s" %
 121                                                  (os.environ["USERNAME"],
 122                                                  os.environ["PASSWORD"]))
 123         self.assertCmdSuccess(result, out, err, 'Access add failed')
 124
 125         allow_entry = '+:%s\\%s:ALL' % (lp.get('realm').lower(), self.test_user)
 126         deny_entry = '-:%s\\%s:ALL' % (lp.get('realm').lower(), self.test_group)
 127         (result, out, err) = self.runsublevelcmd("gpo", ("manage",
 128                                                  "access", "list"),
 129                                                  self.gpo_guid, "-H",
 130                                                  "ldap://%s" %
 131                                                  os.environ["SERVER"],
 132                                                  "-U%s%%%s" %
 133                                                  (os.environ["USERNAME"],
 134                                                  os.environ["PASSWORD"]))
 135         self.assertIn(allow_entry, out, 'The test entry was not found!')
 136         self.assertIn(deny_entry, out, 'The test entry was not found!')
 137
 138         (result, out, err) = self.runsublevelcmd("gpo", ("manage",
 139                                                  "access", "remove"),
 140                                                  self.gpo_guid,
 141                                                  "allow", self.test_user,
 142                                                  lp.get('realm').lower(),
 143                                                  "-H", "ldap://%s" %
 144                                                  os.environ["SERVER"],
 145                                                  "-U%s%%%s" %
 146                                                  (os.environ["USERNAME"],
 147                                                  os.environ["PASSWORD"]))
 148         self.assertCmdSuccess(result, out, err, 'Access remove failed')
 149         (result, out, err) = self.runsublevelcmd("gpo", ("manage",
 150                                                  "access", "remove"),
 151                                                  self.gpo_guid,
 152                                                  "deny", self.test_group,
 153                                                  lp.get('realm').lower(),
 154                                                  "-H", "ldap://%s" %
 155                                                  os.environ["SERVER"],
 156                                                  "-U%s%%%s" %
 157                                                  (os.environ["USERNAME"],
 158                                                  os.environ["PASSWORD"]))
 159         self.assertCmdSuccess(result, out, err, 'Access remove failed')
 160
 161         (result, out, err) = self.runsublevelcmd("gpo", ("manage",
 162                                                  "access", "list"),
 163                                                  self.gpo_guid, "-H",
 164                                                  "ldap://%s" %
 165                                                  os.environ["SERVER"],
 166                                                  "-U%s%%%s" %
 167                                                  (os.environ["USERNAME"],
 168                                                  os.environ["PASSWORD"]))
 169         self.assertNotIn(allow_entry, out, 'The test entry was still found!')
 170         self.assertNotIn(deny_entry, out, 'The test entry was still found!')
 171
 172     def setUp(self):
 173         """set up a temporary GPO to work with"""
 174         super().setUp()
 175         (result, out, err) = self.runsubcmd("gpo", "create", self.gpo_name,
 176                                             "-H", "ldap://%s" % os.environ["SERVER"],
 177                                             "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]),
 178                                             "--tmpdir", self.tempdir)
 179         self.assertCmdSuccess(result, out, err, "Ensuring gpo created successfully")
 180         shutil.rmtree(os.path.join(self.tempdir, "policy"))
 181         try:
 182             self.gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
 183         except IndexError:
 184             self.fail("Failed to find GUID in output: %s" % out)
 185
 186         self.test_user = 'testuser'
 187         (result, out, err) = self.runsubcmd("user", "add", self.test_user,
 188                                             "--random-password")
 189         self.assertCmdSuccess(result, out, err, 'User creation failed')
 190         self.test_group = 'testgroup'
 191         (result, out, err) = self.runsubcmd("group", "add", self.test_group)
 192         self.assertCmdSuccess(result, out, err, 'Group creation failed')
 193
 194     def tearDown(self):
 195         """remove the temporary GPO to work with"""
 196         (result, out, err) = self.runsubcmd("gpo", "del", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
 197         self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
 198         (result, out, err) = self.runsubcmd("user", "delete", self.test_user)
 199         self.assertCmdSuccess(result, out, err, 'User delete failed')
 200         (result, out, err) = self.runsubcmd("group", "delete", self.test_group)
 201         self.assertCmdSuccess(result, out, err, 'Group delete failed')
 202         super().tearDown()