1 # Unix SMB/CIFS implementation.
2 # Copyright (C) David Mulder 2021
5 # Copyright (C) Andrew Bartlett 2012
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 from samba.tests.samba_tool.base import SambaToolCmdTest
24 from samba.param import LoadParm
25 from samba.tests.gpo import stage_file, unstage_file
26 import xml.etree.ElementTree as etree
28 class GpoCmdTestCase(SambaToolCmdTest):
29 """Tests for samba-tool time subcommands"""
33 def test_vgp_access_list(self):
35 lp.load(os.environ['SERVERCONFFILE'])
36 local_path = lp.get('path', 'sysvol')
37 vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
38 self.gpo_guid, 'Machine/VGP/VTLA/VAS',
39 'HostAccessControl/Allow/manifest.xml')
41 stage = etree.Element('vgppolicy')
42 policysetting = etree.SubElement(stage, 'policysetting')
43 pv = etree.SubElement(policysetting, 'version')
45 name = etree.SubElement(policysetting, 'name')
46 name.text = 'Host Access Control'
47 description = etree.SubElement(policysetting, 'description')
48 description.text = 'Represents host access control data (pam_access)'
49 apply_mode = etree.SubElement(policysetting, 'apply_mode')
50 apply_mode.text = 'merge'
51 data = etree.SubElement(policysetting, 'data')
52 listelement = etree.SubElement(data, 'listelement')
53 etype = etree.SubElement(listelement, 'type')
55 entry = etree.SubElement(listelement, 'entry')
56 entry.text = 'goodguy@%s' % lp.get('realm').lower()
57 adobject = etree.SubElement(listelement, 'adobject')
58 name = etree.SubElement(adobject, 'name')
60 domain = etree.SubElement(adobject, 'domain')
61 domain.text = lp.get('realm').lower()
62 etype = etree.SubElement(adobject, 'type')
64 groupattr = etree.SubElement(data, 'groupattr')
65 groupattr.text = 'samAccountName'
66 listelement = etree.SubElement(data, 'listelement')
67 etype = etree.SubElement(listelement, 'type')
69 entry = etree.SubElement(listelement, 'entry')
70 entry.text = '%s\\goodguys' % lp.get('realm').lower()
71 adobject = etree.SubElement(listelement, 'adobject')
72 name = etree.SubElement(adobject, 'name')
73 name.text = 'goodguys'
74 domain = etree.SubElement(adobject, 'domain')
75 domain.text = lp.get('realm').lower()
76 etype = etree.SubElement(adobject, 'type')
78 ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
79 self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
81 uentry = '+:%s\\goodguy:ALL' % domain.text
82 gentry = '+:%s\\goodguys:ALL' % domain.text
83 (result, out, err) = self.runsublevelcmd("gpo", ("manage",
89 (os.environ["USERNAME"],
90 os.environ["PASSWORD"]))
91 self.assertIn(uentry, out, 'The test entry was not found!')
92 self.assertIn(gentry, out, 'The test entry was not found!')
94 # Unstage the manifest.xml file
97 def test_vgp_access_add(self):
99 lp.load(os.environ['SERVERCONFFILE'])
101 (result, out, err) = self.runsublevelcmd("gpo", ("manage",
104 "allow", self.test_user,
105 lp.get('realm').lower(),
107 os.environ["SERVER"],
109 (os.environ["USERNAME"],
110 os.environ["PASSWORD"]))
111 self.assertCmdSuccess(result, out, err, 'Access add failed')
113 (result, out, err) = self.runsublevelcmd("gpo", ("manage",
116 "deny", self.test_group,
117 lp.get('realm').lower(),
119 os.environ["SERVER"],
121 (os.environ["USERNAME"],
122 os.environ["PASSWORD"]))
123 self.assertCmdSuccess(result, out, err, 'Access add failed')
125 allow_entry = '+:%s\\%s:ALL' % (lp.get('realm').lower(), self.test_user)
126 deny_entry = '-:%s\\%s:ALL' % (lp.get('realm').lower(), self.test_group)
127 (result, out, err) = self.runsublevelcmd("gpo", ("manage",
131 os.environ["SERVER"],
133 (os.environ["USERNAME"],
134 os.environ["PASSWORD"]))
135 self.assertIn(allow_entry, out, 'The test entry was not found!')
136 self.assertIn(deny_entry, out, 'The test entry was not found!')
138 (result, out, err) = self.runsublevelcmd("gpo", ("manage",
141 "allow", self.test_user,
142 lp.get('realm').lower(),
144 os.environ["SERVER"],
146 (os.environ["USERNAME"],
147 os.environ["PASSWORD"]))
148 self.assertCmdSuccess(result, out, err, 'Access remove failed')
149 (result, out, err) = self.runsublevelcmd("gpo", ("manage",
152 "deny", self.test_group,
153 lp.get('realm').lower(),
155 os.environ["SERVER"],
157 (os.environ["USERNAME"],
158 os.environ["PASSWORD"]))
159 self.assertCmdSuccess(result, out, err, 'Access remove failed')
161 (result, out, err) = self.runsublevelcmd("gpo", ("manage",
165 os.environ["SERVER"],
167 (os.environ["USERNAME"],
168 os.environ["PASSWORD"]))
169 self.assertNotIn(allow_entry, out, 'The test entry was still found!')
170 self.assertNotIn(deny_entry, out, 'The test entry was still found!')
173 """set up a temporary GPO to work with"""
175 (result, out, err) = self.runsubcmd("gpo", "create", self.gpo_name,
176 "-H", "ldap://%s" % os.environ["SERVER"],
177 "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]),
178 "--tmpdir", self.tempdir)
179 self.assertCmdSuccess(result, out, err, "Ensuring gpo created successfully")
180 shutil.rmtree(os.path.join(self.tempdir, "policy"))
182 self.gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
184 self.fail("Failed to find GUID in output: %s" % out)
186 self.test_user = 'testuser'
187 (result, out, err) = self.runsubcmd("user", "add", self.test_user,
189 self.assertCmdSuccess(result, out, err, 'User creation failed')
190 self.test_group = 'testgroup'
191 (result, out, err) = self.runsubcmd("group", "add", self.test_group)
192 self.assertCmdSuccess(result, out, err, 'Group creation failed')
195 """remove the temporary GPO to work with"""
196 (result, out, err) = self.runsubcmd("gpo", "del", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
197 self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
198 (result, out, err) = self.runsubcmd("user", "delete", self.test_user)
199 self.assertCmdSuccess(result, out, err, 'User delete failed')
200 (result, out, err) = self.runsubcmd("group", "delete", self.test_group)
201 self.assertCmdSuccess(result, out, err, 'Group delete failed')