selftest: add tests for "samba-tool user list --locked-only"

Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Mar 12 10:54:49 UTC 2024 on atb-devel-224

diff --git a/python/samba/tests/samba_tool/user.py b/python/samba/tests/samba_tool/user.py
index ef74858eaec8a6b2e0f29684c7598e393807ad7f..290d5daebe182b629d01f3e3f1bd7eb07881d2dc 100644 (file)
--- a/python/samba/tests/samba_tool/user.py
+++ b/python/samba/tests/samba_tool/user.py
@@ -437,6 +437,31 @@ class UserCmdTestCase(SambaToolCmdTest):
             self.assertMatch(out, name,
                              "user '%s' not found" % name)
 
+    # Test: samba-tool user list --locked-only
+    # This test does not verify that the command lists the locked user, it just
+    # tests that it does not list unlocked users. The funcional test, which
+    # lists locked users, is located in the 'samba4.ldap.password_lockout' test
+    # in source8/dsdb/tests/python/password_lockout.py
+    def test_list_locked(self):
+        (result, out, err) = self.runsubcmd("user", "list",
+                                            "-H", "ldap://%s" % os.environ["DC_SERVER"],
+                                            "-U%s%%%s" % (os.environ["DC_USERNAME"],
+                                                          os.environ["DC_PASSWORD"]),
+                                            "--locked-only")
+        self.assertCmdSuccess(result, out, err, "Error running list")
+
+        search_filter = ("(&(objectClass=user)(userAccountControl:%s:=%u))" %
+                         (ldb.OID_COMPARATOR_AND, dsdb.UF_NORMAL_ACCOUNT))
+
+        userlist = self.samdb.search(base=self.samdb.domain_dn(),
+                                     scope=ldb.SCOPE_SUBTREE,
+                                     expression=search_filter,
+                                     attrs=["samaccountname"])
+
+        for userobj in userlist:
+            name = str(userobj.get("samaccountname", idx=0))
+            self.assertNotIn(name, out,
+                             "user '%s' is incorrectly listed as locked" % name)
 
     def test_list_base_dn(self):
         base_dn = "CN=Users"

diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py
index 78edcce7792464a318781ee0b628649fdf83eedb..01cf8e02f7b7ead5efbb9e80d5d3799a23aa0034 100755 (executable)
--- a/source4/dsdb/tests/python/password_lockout.py
+++ b/source4/dsdb/tests/python/password_lockout.py
@@ -11,6 +11,7 @@ import optparse
 import sys
 import base64
 import time
+import subprocess
 
 sys.path.insert(0, "bin/python")
 import samba
@@ -489,8 +490,23 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le'))
                                   userAccountControl=dsdb.UF_NORMAL_ACCOUNT,
                                   msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
 
+        username = res[0]["sAMAccountName"][0]
+        cmd = ["bin/samba-tool", "user", "list", "--locked-only",
+               "-H%s" % self.host_url,
+               "-U%s%%%s" % (global_creds.get_username(),
+                             global_creds.get_password())]
+        out = subprocess.check_output(cmd)
+        self.assertIn(username, out)
+
         self._reset_by_method(res, method)
 
+        cmd = ["bin/samba-tool", "user", "list", "--locked-only",
+               "-H%s" % self.host_url,
+               "-U%s%%%s" % (global_creds.get_username(),
+                             global_creds.get_password())]
+        out = subprocess.check_output(cmd)
+        self.assertNotIn(username, out)
+
         # Here bad password counts are reset without logon success.
         res = self._check_account(userdn,
                                   badPwdCount=0,