gp: Test modifying firewalld policy enforces changes
authorDavid Mulder <dmulder@samba.org>
Fri, 13 Jan 2023 18:15:50 +0000 (11:15 -0700)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 31 Jul 2023 09:58:30 +0000 (09:58 +0000)
Ensure that modifying the firewalld policy and
re-applying will enforce the correct policy.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/bin/firewall-cmd
python/samba/tests/gpo.py
selftest/knownfail.d/gpo [new file with mode: 0644]

index 503ae9a772cd60799a349714de3bff0a6d3d217a..3bc69da6cb87b6924088b62c628f62d94a75edd2 100755 (executable)
@@ -48,7 +48,8 @@ if __name__ == "__main__":
     elif opts.new_zone:
         if 'zones' not in data:
             data['zones'] = []
-        data['zones'].append(opts.new_zone)
+        if opts.new_zone not in data['zones']:
+            data['zones'].append(opts.new_zone)
     elif opts.get_zones:
         if 'zones' in data:
             for zone in data['zones']:
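Review bot: The new membership guard makes the `--new-zone` stub silently accept a zone that already exists, whereas the real firewall-cmd, if I remember it correctly, reports a NAME_CONFLICT error for that case, so the extension's handling of an already-present zone is not exercised by this double; the `--add-interface` guard in the next hunk has the same shape. If the idempotent behaviour is deliberate for the test stub, a comment above the guard such as `# Idempotent on purpose: the gp extension re-applies the policy on every run` would make that intent explicit for the next reader. The enclosing `if __name__ == "__main__":` block starts before this hunk and continues past it.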
@@ -70,7 +71,8 @@ if __name__ == "__main__":
             data['zone_interfaces'] = {}
         if opts.zone not in data['zone_interfaces'].keys():
             data['zone_interfaces'][opts.zone] = []
-        data['zone_interfaces'][opts.zone].append(opts.add_interface)
+        if opts.add_interface not in data['zone_interfaces'][opts.zone]:
+            data['zone_interfaces'][opts.zone].append(opts.add_interface)
     elif opts.add_rich_rule:
         assert opts.zone
         if 'rules' not in data:
@@ -80,9 +82,11 @@ if __name__ == "__main__":
         # Test rule parsing if firewalld is installed
         if Rich_Rule:
             # Parsing failure will throw an exception
-            data['rules'][opts.zone].append(str(Rich_Rule(rule_str=opts.add_rich_rule)))
+            rule = str(Rich_Rule(rule_str=opts.add_rich_rule))
         else:
-            data['rules'][opts.zone].append(opts.add_rich_rule)
+            rule = opts.add_rich_rule
+        if rule not in data['rules'][opts.zone]:
+            data['rules'][opts.zone].append(rule)
     elif opts.remove_rich_rule:
         assert opts.zone
         assert 'rules' in data
index eb1b53a78332014d69d13cb854bed891ffb0fed4..13cc435b20fd99143ec80e0e05490f4c7ba2d51f 100644 (file)
@@ -7132,6 +7132,26 @@ class GPOTests(tests.TestCase):
                  b'service name="ftp" reject']
         self.assertIn(out.strip(), rules, 'Failed to set rich rule')
 
+        # Check that modifying the policy will enforce the correct settings
+        entries = [e for e in parser.pol_file.entries if e.data != 'home']
+        self.assertEquals(len(entries), len(parser.pol_file.entries)-1,
+                          'Failed to remove the home zone entry')
+        parser.pol_file.entries = entries
+        parser.pol_file.num_entries = len(entries)
+        # Stage the Registry.pol file with altered test data
+        unstage_file(reg_pol)
+        ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+        self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+
+        # Enforce the altered policy
+        ext.process_group_policy([], gpos)
+
+        # Check that the home zone was removed
+        cmd = [firewall_cmd, '--get-zones']
+        p = Popen(cmd, stdout=PIPE, stderr=PIPE)
+        out, err = p.communicate()
+        self.assertIn(b'work', out, 'Failed to apply zones')
+        self.assertNotIn(b'home', out, 'Failed to apply zones')
 
         # Verify RSOP does not fail
         ext.rsop([g for g in gpos if g.name == guid][0])
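Review bot: `self.assertEquals` in the new length check is the deprecated alias of `assertEqual` (removed in Python 3.12) while the surrounding assertions use the current names, so the line should read `self.assertEqual(len(entries), len(parser.pol_file.entries)-1,`. The `--get-zones` call at the end of the hunk also discards `err` and never inspects `p.returncode`, so a firewall-cmd failure would surface only as the misleading 'Failed to apply zones' message; adding `self.assertEqual(p.returncode, 0, err)` before the two `assertIn` checks would attribute the failure to its real cause. The test method begins and ends outside this hunk.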
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
new file mode 100644 (file)
index 0000000..74e2de0
--- /dev/null
@@ -0,0 +1 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_firewalld_ext