From b29ab3a0c16b2f1abed89b41c92c446e8fe59f9b Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 15 Dec 2017 07:17:54 +1300 Subject: [PATCH] tests dsdb encrypted secrets module Add tests to check that the encrypted_secrets module encrypts secrets/sensitive attributes on disk. This test also proves that the provision and join operations correctly configure the encrypted_secrets module. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett --- python/samba/tests/encrypted_secrets.py | 83 +++++++++++++++++++++++++ selftest/knownfail.d/encrypted_secrets | 12 ++++ source4/selftest/tests.py | 15 +++++ 3 files changed, 110 insertions(+) create mode 100644 python/samba/tests/encrypted_secrets.py create mode 100644 selftest/knownfail.d/encrypted_secrets diff --git a/python/samba/tests/encrypted_secrets.py b/python/samba/tests/encrypted_secrets.py new file mode 100644 index 00000000000..3b6934f0ccb --- /dev/null +++ b/python/samba/tests/encrypted_secrets.py @@ -0,0 +1,83 @@ +# Unix SMB/CIFS implementation. +# +# Copyright (C) Andrew Bartlett 2017 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +"""Smoke test for encrypted secrets + +A quick test to confirm that the secret attributes are being stored +encrypted on disk. +""" + + +import os +import ldb +import samba +from samba.tests import TestCase +from samba.credentials import Credentials +from samba.samdb import SamDB +from samba.auth import system_session +from samba.ndr import ndr_unpack +from samba.dcerpc import drsblobs + + +class EncryptedSecretsTests(TestCase): + + def setUp(self): + super(EncryptedSecretsTests, self).setUp() + self.lp = samba.tests.env_loadparm() + self.creds = Credentials() + self.session = system_session() + self.creds.guess(self.lp) + self.session = system_session() + self.ldb = SamDB(session_info=self.session, + credentials=self.creds, + lp=self.lp) + + def test_encrypted_secrets(self): + """Test that secret attributes are stored encrypted on disk""" + basedn = self.ldb.domain_dn() + backend_filename = "%s.ldb" % basedn.upper() + backend_subpath = os.path.join("sam.ldb.d", + backend_filename) + backend_path = self.lp.private_path(backend_subpath) + backenddb = ldb.Ldb(backend_path) + + dn = "CN=Administrator,CN=Users,%s" % basedn + + res = backenddb.search(scope=ldb.SCOPE_BASE, + base=dn, + attrs=["unicodePwd"]) + self.assertIs(True, len(res) > 0) + obj = res[0] + blob = obj["unicodePwd"][0] + self.assertTrue(len(blob) > 30) + # Now verify that the header contains the correct magic value. + encrypted = ndr_unpack(drsblobs.EncryptedSecret, blob) + magic = 0xca5caded + self.assertEquals(magic, encrypted.header.magic) + + def test_required_features(self): + """Test that databases are provisioned with encryptedSecrets as a + required feature + """ + res = self.ldb.search(scope=ldb.SCOPE_BASE, + base="@SAMBA_DSDB", + attrs=["requiredFeatures"]) + self.assertTrue(len(res) > 0) + self.assertTrue("requiredFeatures" in res[0]) + required_features = res[0]["requiredFeatures"] + self.assertTrue("encryptedSecrets" in required_features) diff --git a/selftest/knownfail.d/encrypted_secrets b/selftest/knownfail.d/encrypted_secrets new file mode 100644 index 00000000000..4fbc434f58a --- /dev/null +++ b/selftest/knownfail.d/encrypted_secrets @@ -0,0 +1,12 @@ +# The fl2000dc environment is provisioned with the --plaintext-secrets option +# running the ecnrypted secrets tests on it and expecting them to fail. +# verifies that: +# * --plaintext-secrets option correctly provisions a domain +# * the dsdb operational module correctly handles unencrypted secrets +# * secrets are not stored as encrypted text when this option is specified +^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_encrypted_secrets\(fl2000dc:local\) +^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_required_features\(fl2000dc:local\) + +# Tests that will pass as the remaining patches in the set are added +^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_encrypted_secrets +^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_required_features diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index a582e0d29ae..1c5714d8a7f 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -682,6 +682,21 @@ planoldpythontestsuite("fl2003dc:local", planoldpythontestsuite("ad_dc", "samba.tests.password_hash_ldap", extra_args=['-U"$USERNAME%$PASSWORD"']) +# Encrypted secrets +# ensure default provision (ad_dc) and join (vampire_dc) +# encrypt secret values on disk. +planoldpythontestsuite("ad_dc:local", + "samba.tests.encrypted_secrets", + extra_args=['-U"$USERNAME%$PASSWORD"']) +planoldpythontestsuite("vampire_dc:local", + "samba.tests.encrypted_secrets", + extra_args=['-U"$USERNAME%$PASSWORD"']) +# The fl2000dc environment is provisioned with the --plaintext_secrets option +# so this test will fail, which proves the secrets are not being encrypted. +# There is an entry in known_fail.d. +planoldpythontestsuite("fl2000dc:local", + "samba.tests.encrypted_secrets", + extra_args=['-U"$USERNAME%$PASSWORD"']) planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.lsa_string") planoldpythontestsuite("ad_dc_ntvfs", -- 2.34.1