python:tests/dns_tkey: add test_update_tsig_record_access_denied()
authorStefan Metzmacher <metze@samba.org>
Wed, 29 May 2024 09:40:51 +0000 (11:40 +0200)
committerJule Anger <janger@samba.org>
Wed, 3 Jul 2024 08:48:11 +0000 (08:48 +0000)
This demonstrates that access_denied is only generated if the client
really generates a change in the database.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 708a6fae6978e1462e1a53f4ee08f11b51a5637a)

python/samba/tests/dns_tkey.py
selftest/knownfail.d/dns_tkey

index a88c30a6754f4897fb0f6865026477d36b099db0..694ad22b4e4fac4262a67052dbf58ca39026c172 100644 (file)
@@ -408,5 +408,60 @@ class TestDNSUpdates(DNSTKeyTest):
         rcode = self.search_record(self.newrecname)
         self.assert_rcode_equals(rcode, dns.DNS_RCODE_NXDOMAIN)
 
+    def test_update_tsig_record_access_denied(self):
+        """test DNS update with a TSIG record where the user does not have
+        permissions to change the record"""
+
+        self.tkey_trans()
+        adm_tkey = self.tkey
+
+        # First create the record as admin
+        p = self.make_update_request()
+        mac = self.sign_packet(p, self.tkey['name'])
+        (response, response_p) = self.dns_transaction_udp(p, self.server_ip)
+        self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
+        self.verify_packet(response, response_p, mac)
+
+        # Check the record is around
+        rcode = self.search_record(self.newrecname)
+        self.assert_rcode_equals(rcode, dns.DNS_RCODE_OK)
+
+        # Now update the same values as normal user
+        # should work without error
+        self.tkey_trans(creds=self.get_unpriv_creds())
+        unpriv_tkey = self.tkey
+
+        p = self.make_update_request()
+        mac = self.sign_packet(p, self.tkey['name'])
+        (response, response_p) = self.dns_transaction_udp(p, self.server_ip)
+        self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
+        self.verify_packet(response, response_p, mac)
+
+        # Check the record is still around
+        rcode = self.search_record(self.newrecname)
+        self.assert_rcode_equals(rcode, dns.DNS_RCODE_OK)
+
+        # Now try to delete the record a normal user (should fail)
+        p = self.make_update_request(delete=True)
+        mac = self.sign_packet(p, self.tkey['name'])
+        (response, response_p) = self.dns_transaction_udp(p, self.server_ip)
+        self.assert_echoed_dns_error(p, response, response_p, dns.DNS_RCODE_REFUSED)
+
+        # Check the record is still around
+        rcode = self.search_record(self.newrecname)
+        self.assert_rcode_equals(rcode, dns.DNS_RCODE_OK)
+
+        # Now delete the record as admin
+        self.tkey = adm_tkey
+        p = self.make_update_request(delete=True)
+        mac = self.sign_packet(p, self.tkey['name'])
+        (response, response_p) = self.dns_transaction_udp(p, self.server_ip)
+        self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
+        self.verify_packet(response, response_p, mac)
+
+        # check it's gone
+        rcode = self.search_record(self.newrecname)
+        self.assert_rcode_equals(rcode, dns.DNS_RCODE_NXDOMAIN)
+
 
 TestProgram(module=__name__, opts=subunitopts)
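Review bot: `unpriv_tkey = self.tkey`, assigned right after the unprivileged `tkey_trans()` call, is never read; the two signing calls that follow use `self.tkey['name']` directly, so either drop the assignment or sign with `unpriv_tkey['name']` so it mirrors the way `adm_tkey` is restored before the final delete. The docstring says the user "does not have permissions to change the record", yet the middle section deliberately expects the unprivileged update that repeats the existing values to return OK — that is the point the commit message makes, so state it in the docstring, e.g. add `An update that only repeats the existing values is expected to succeed (nothing is written); only the delete, which would change the database, must be REFUSED.` so the OK assertion is not mistaken for an error in the test. The comment `# Now try to delete the record a normal user (should fail)` is missing "as" (`as a normal user`).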
index 30dbcb2bff6107f536ab3770a920c05916f54507..0925ca288a1f157415c31ebf981cb28cbe11dd18 100644 (file)
@@ -12,3 +12,4 @@
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_additional.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_windows.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_wo_tsig.fl2008r2dc
+^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_record_access_denied.fl2008r2dc