From d4b72821dc3484d29f459c954061e737cb1f5b5e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bj=C3=B6rn=20Baumbach?=
Date: Wed, 12 Jun 2019 21:02:43 +0200
Subject: [PATCH] selftest: add tests for samba-tool ntacl changedomsid
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Björn Baumbach
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Björn Baumbach
Autobuild-Date(master): Tue Jun 18 16:54:22 UTC 2019 on sn-devel-184
---
 python/samba/tests/samba_tool/ntacl.py | 87 +++++++++++++++++++++
 source4/selftest/tests.py | 2 +-
 testprogs/blackbox/test_samba-tool_ntacl.sh | 45 +++++++++++
 3 files changed, 133 insertions(+), 1 deletion(-)
diff --git a/python/samba/tests/samba_tool/ntacl.py b/python/samba/tests/samba_tool/ntacl.py
index e8fee852651..ee166764b6a 100644
--- a/python/samba/tests/samba_tool/ntacl.py
+++ b/python/samba/tests/samba_tool/ntacl.py
@@ -133,3 +133,90 @@ class NtACLCmdGetSetTestCase(SambaToolCmdTest):
 self.assertCmdSuccess(result, out, err)
 self.assertEquals(err, "", "Shouldn't be any error messages")
 self.assertEquals(self.acl + "\n", out, "Output should be the ACL")
+
+class NtACLCmdChangedomsidTestCase(SambaToolCmdTest):
+ """Tests for samba-tool ntacl changedomsid subcommand"""
+
+ acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+ new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+ domain_sid=os.environ['DOMSID']
+ new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468"
+
+ def test_ntvfs_check(self):
+ path = os.environ['SELFTEST_PREFIX']
+ tempf = os.path.join(
+ path, "pytests" + str(int(100000 * random.random())))
+ open(tempf, 'w').write("empty")
+
+ print("DOMSID: %s", self.domain_sid)
+
+ (result, out, err) = self.runsubcmd("ntacl",
+ "set",
+ self.acl,
+ tempf,
+ "--use-ntvfs")
+ self.assertCmdSuccess(result, out, err)
+ self.assertEquals(out, "", "Shouldn't be any output messages")
+ self.assertIn("Please note that POSIX permissions have NOT been "
+ "changed, only the stored NT ACL", err)
+
+ (result, out, err) = self.runsubcmd("ntacl",
+ "changedomsid",
+ self.domain_sid,
+ self.new_domain_sid,
+ tempf,
+ "--use-ntvfs")
+ self.assertCmdSuccess(result, out, err)
+ self.assertEquals(out, "", "Shouldn't be any output messages")
+ self.assertIn("Please note that POSIX permissions have NOT been "
+ "changed, only the stored NT ACL.", err)
+
+ # Now check they were set correctly
+ (result, out, err) = self.runsubcmd("ntacl",
+ "get",
+ tempf,
+ "--use-ntvfs",
+ "--as-sddl")
+ self.assertCmdSuccess(result, out, err)
+ self.assertEquals(err, "", "Shouldn't be any error messages")
+ self.assertEquals(self.new_acl + "\n", out, "Output should be the ACL")
+
+ def test_s3fs_check(self):
+ path = os.environ['SELFTEST_PREFIX']
+ tempf = os.path.join(
+ path, "pytests" + str(int(100000 * random.random())))
+ open(tempf, 'w').write("empty")
+
+ print("DOMSID: %s" % self.domain_sid)
+
+ (result, out, err) = self.runsubcmd("ntacl",
+ "set",
+ self.acl,
+ tempf,
+ "--use-s3fs",
+ "--service=sysvol")
+ self.assertCmdSuccess(result, out, err)
+ self.assertEquals(out, "", "Shouldn't be any output messages")
+ self.assertEquals(err, "", "Shouldn't be any error messages")
+
+ (result, out, err) = self.runsubcmd("ntacl",
+ "changedomsid",
+ self.domain_sid,
+ self.new_domain_sid,
+ tempf,
+ "--use-s3fs",
+ "--service=sysvol")
+ self.assertCmdSuccess(result, out, err)
+ self.assertEquals(out, "", "Shouldn't be any output messages")
+ self.assertEquals(err, "", "Shouldn't be any error messages")
+
+ # Now check they were set correctly
+ (result, out, err) = self.runsubcmd("ntacl",
+ "get",
+ tempf,
+ "--use-s3fs",
+ "--as-sddl",
+ "--service=sysvol")
+ self.assertCmdSuccess(result, out, err)
+ self.assertEquals(err, "", "Shouldn't be any error messages")
+ self.assertEquals(self.new_acl + "\n", out, "Output should be the ACL")
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 156bd200372..0e2138a007c 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
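Review bot: In test_ntvfs_check the line `print("DOMSID: %s", self.domain_sid)` passes the SID as a second print argument, so it is never interpolated into the message; it should read `print("DOMSID: %s" % self.domain_sid)` as test_s3fs_check does. Separately, `domain_sid=os.environ['DOMSID']` sits in the class body, so a missing DOMSID raises KeyError while the module is being imported and would presumably also keep NtACLCmdGetSetTestCase and any other class in this file from loading; reading it in `setUp` keeps the failure local to these two tests. The fixture `acl` holds only domain-relative aliases (DA, EA, DU) and well-known SIDs, so nothing asserts that a trustee from an unrelated domain survives changedomsid untouched; one extra ACE with a constructed foreign-domain SID that must appear verbatim in `new_acl` would cover that case.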
@@ -488,7 +488,7 @@ plantestsuite("samba4.blackbox.client_etypes_all(ad_dc:client)", "ad_dc:client",
 plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'legacy', '23'])
 plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
 plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
-plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX'])
+plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
 # json tests hook into ``chgdcpass'' to make them run in contributor CI on
 # gitlab
diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh b/testprogs/blackbox/test_samba-tool_ntacl.sh
index 64a7e6b55d3..6991165cc63 100755
--- a/testprogs/blackbox/test_samba-tool_ntacl.sh
+++ b/testprogs/blackbox/test_samba-tool_ntacl.sh
@@ -10,6 +10,7 @@ exit 1; fi PREFIX=$1 +domain_sid=$2 failed=0
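Review bot: `domain_sid=$2` in test_samba-tool_ntacl.sh is taken without any check, so when the caller's DOMSID is empty or unset the changedomsid tests run with an empty old-SID argument and fail in a way that is hard to attribute. The usage guard that closes just above it (`exit 1; fi`) starts outside this hunk, so its argument count and usage text cannot be confirmed from here. If it still accepts a single argument, it should require two and name DOMSID in the usage message.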
@@ -20,6 +21,8 @@ testfile="$PREFIX/ntacl_testfile" # acl from samba_tool/ntacl.py tests acl="O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" +new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" +new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468" . `dirname $0`/subunit.sh 
@@ -62,6 +65,44 @@ test_set_acl_ntvfs() $PYTHON $samba_tool ntacl set "$acl" "$testfile" --use-ntvfs --xattr-backend=tdb -s $PREFIX/ad_member/lib/server.conf } +test_changedomsid() +{ + testfile="$1" + + $PYTHON $samba_tool ntacl changedomsid \ + "$domain_sid" "$new_domain_sid" "$testfile" \ + --service=tmp \ + -s $PREFIX/ad_member/lib/server.conf + + retacl=$($PYTHON $samba_tool ntacl get \ + "$testfile" \ + --as-sddl \ + --service=tmp \ + -s $PREFIX/ad_member/lib/server.conf) || return $? + + test "$retacl" = "$new_acl" +} + +test_changedomsid_ntvfs() +{ + testfile="$1" + + $PYTHON $samba_tool ntacl changedomsid \ + "$domain_sid" "$new_domain_sid" "$testfile" \ + --use-ntvfs \ + --xattr-backend=tdb \ + -s $PREFIX/ad_member/lib/server.conf + + retacl=$($PYTHON $samba_tool ntacl get \ + "$testfile" \ + --as-sddl \ + --xattr-backend=tdb \ + --use-ntvfs \ + -s $PREFIX/ad_member/lib/server.conf) || return $? + + test "$retacl" = "$new_acl" +} + # work around include error - s4-loadparm does not allow missing include files # # Unable to load file /home/bbaumba/src/git/samba/st/ad_member/lib/server.conf @@ -81,9 +122,13 @@ testit "set_ntacl" test_set_acl "$testfile" "$acl" || failed=`expr $failed + 1` testit "get_ntacl" test_get_acl "$testfile" "$acl" || failed=`expr $failed + 1` +testit "changedomsid" test_changedomsid "$testfile" || failed=`expr $failed + 1` + testit "set_ntacl_ntvfs" test_set_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1` testit "get_ntacl_ntvfs" test_get_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1` +testit "changedomsid_ntvfs" test_changedomsid_ntvfs "$testfile" || failed=`expr $failed + 1` + rm -f "$testfile" exit $failed -- 2.34.1
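Review bot: In test_changedomsid and test_changedomsid_ntvfs the exit status of the `ntacl changedomsid` call is discarded, so a run that rewrites the ACL but exits non-zero still passes, and a genuine failure is only reported indirectly as an SDDL mismatch. Appending `|| return $?` after the final `-s $PREFIX/ad_member/lib/server.conf` of each changedomsid invocation, as the following `ntacl get` already does, makes the command's own result part of the test. For a tool that rewrites ACL trustees, checking both the exit status and the resulting SDDL is the safer assertion.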