s3:selftest: Add test for virus scanner
authorPavel Filipenský <pfilipen@redhat.com>
Tue, 8 Feb 2022 14:35:48 +0000 (15:35 +0100)
committerJeremy Allison <jra@samba.org>
Thu, 10 Feb 2022 21:14:33 +0000 (21:14 +0000)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
selftest/knownfail.d/virus_scanner [new file with mode: 0644]
selftest/target/Samba3.pm
source3/script/tests/test_virus_scanner.sh [new file with mode: 0755]
source3/selftest/tests.py

diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
new file mode 100644 (file)
index 0000000..6df3fd2
--- /dev/null
@@ -0,0 +1,2 @@
+^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
index 9ad42efa71d9812d5c9352ad5dfe7079cf41db0b..2cc2d13d9e06edd70d0350726ee4b2370ba84191 100755 (executable)
@@ -1694,6 +1694,9 @@ sub setup_fileserver
        my $veto_sharedir="$share_dir/veto";
        push(@dirs,$veto_sharedir);
 
+       my $virusfilter_sharedir="$share_dir/virusfilter";
+       push(@dirs,$virusfilter_sharedir);
+
        my $ip4 = Samba::get_ipv4_addr("FILESERVER");
        my $fileserver_options = "
        kernel change notify = yes
@@ -1818,6 +1821,15 @@ sub setup_fileserver
        path = $veto_sharedir
        delete veto files = yes
 
+[virusfilter]
+       path = $virusfilter_sharedir
+       vfs objects = acl_xattr virusfilter
+       virusfilter:scanner = dummy
+       virusfilter:min file size = 0
+       virusfilter:infected files = *infected*
+       virusfilter:infected file action = rename
+       virusfilter:scan on close = yes
+
 [homes]
        comment = Home directories
        browseable = No
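Review bot: The new `[virusfilter]` section leaves the rename prefix and suffix at the module defaults, yet test_virus_scanner.sh in this same commit asserts the exact name `virusfilter.infected.txt.infected`. Setting them explicitly here, with `virusfilter:rename prefix = virusfilter.` and `virusfilter:rename suffix = .infected`, would keep the test independent of those defaults (assuming these are the current defaults, as the test implies). A one-line smb.conf comment above `virusfilter:scanner = dummy`, such as `# test only: the dummy scanner flags any name matching 'infected files'`, would also explain why no real scanner is configured; that behaviour is inferred from the test and should be confirmed. setup_fileserver begins and ends outside this hunk.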
diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
new file mode 100755 (executable)
index 0000000..2234ea6
--- /dev/null
@@ -0,0 +1,124 @@
+#!/bin/sh
+# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
+# shellcheck disable=1091
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
+EOF
+exit 1;
+fi
+
+SERVER_IP=${1}
+SHARE=${2}
+LOCAL_PATH=${3}
+SMBCLIENT=${4}
+
+SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
+
+failed=0
+sharedir="${LOCAL_PATH}/${SHARE}"
+
+incdir="$(dirname "$0")/../../../testprogs/blackbox"
+. "${incdir}/subunit.sh"
+
+check_infected_read()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! touch "${sharedir}/infected.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/infected.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
+
+    # check that virusfilter:rename prefix/suffix was added
+    if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
+        echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
+        return 1
+    fi
+
+    # check that file was not downloaded
+    if [ -f "${sharedir}/infected.download.txt" ]; then
+        echo "ERROR: {sharedir}/infected.download.txt should not exist."
+        return 1
+    fi
+
+    return 0
+}
+
+check_infected_write()
+{
+    rm -rf "${sharedir:?}"/*
+    smbfile=infected.upload.txt
+    smbfilerenamed="virusfilter.${smbfile}.infected"
+
+    # non empty file is needed
+    # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
+    if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/infected.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
+
+    # check that virusfilter:rename prefix/suffix was added
+    if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
+        echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
+        return 1
+    fi
+
+    # check that file was not uploaded
+    if [ -f "${sharedir}/infected.upload.txt" ]; then
+        echo "ERROR: {sharedir}/${smbfile} should not exist."
+        return 1
+    fi
+
+    return 0
+}
+
+check_healthy_read()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
+
+    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
+        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
+        return 1
+    fi
+
+    return 0
+}
+
+check_healthy_write()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
+
+    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
+        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
+        return 1
+    fi
+
+    return 0
+}
+
+testit "check_infected_read"  check_infected_read  || failed=$((failed + 1))
+testit "check_infected_write" check_infected_write || failed=$((failed + 1))
+testit "check_healthy_read"   check_healthy_read   || failed=$((failed + 1))
+testit "check_healthy_write"  check_healthy_write  || failed=$((failed + 1))
+
+testok "$0" "$failed"
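Review bot: The `:?` guard in the four `rm -rf "${sharedir:?}"/*` lines can never fire, because `sharedir="${LOCAL_PATH}/${SHARE}"` always contains at least the `/`. The `$# -lt 4` check only counts arguments, so an empty LOCAL_PATH would point the cleanup at `/<share>/*` instead of aborting. Moving the guard to the assignment makes it effective: `sharedir="${LOCAL_PATH:?}/${SHARE:?}"`. Separately, the "should not exist" messages in check_infected_read and check_infected_write print a literal `{sharedir}` because the `$` is missing; they should use `${sharedir}`.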
index cab649694913a630040e088c1a49a8f79fbbb934..95192ae19aec7ef40607237598b9d835262424f1 100755 (executable)
@@ -1256,6 +1256,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
                '$SERVER_IP',
                "tmp"])
 
+env = 'fileserver'
+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
+              [os.path.join(samba3srcdir,
+                            "script/tests/test_virus_scanner.sh"),
+               '$SERVER_IP',
+               "virusfilter",
+               '$LOCAL_PATH',
+               smbclient3])
+
 for env in ['fileserver', 'simpleserver']:
     plantestsuite("samba3.blackbox.smbclient.encryption", env,
                   [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
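Review bot: `env = 'fileserver'` is a module-level assignment used for one call and then rebound by the `for env in ['fileserver', 'simpleserver']:` loop that follows, so it reads like shared state when it is not. Unless the file follows this convention elsewhere, passing the literal as the preceding suite does would be clearer: `plantestsuite("samba3.blackbox.virus_scanner", "fileserver:local",`. The planned command also passes no credentials, while test_virus_scanner.sh reads `USER` and `PASSWORD` from the environment. A short comment such as `# credentials come from USER/PASSWORD in the selftest environment` would document that dependency.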