pytest:sddl: tests around spaces in access flags and SIDs

It turns out that in accesss flags Windows will allow leading spaces
and spaces separating flags but not trailing spaces.

We choose to follow this in part because we found it happening in the
wild in our tests for upgradeprovision until a few commits ago.

Windows will also allow spaces in some parts of SIDs.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/python/samba/tests/sddl.py b/python/samba/tests/sddl.py
index 338599ba2c8670a13b0b18998238face86323035..b8750880d6de9da405c6c73375d9625b38391bce 100644 (file)
--- a/python/samba/tests/sddl.py
+++ b/python/samba/tests/sddl.py
@@ -572,6 +572,12 @@ class SddlNonCanonical(SddlDecodeEncodeBase):
           ''.join(f"(A;;0xabc{i:03};;;S-1-5-21-11111111-22222222-33333333-{i})"
                   for i in range(101, 601)))
          ),
+
+        # Windows allows a space in the middle of access flags
+        ("D:AI(A;CI;RP LCLORC;;;AU)", "D:AI(A;CI;LCRPLORC;;;AU)"),
+        ("D:AI(A;CI;RP LCLO  RC;;;AU)", "D:AI(A;CI;LCRPLORC;;;AU)"),
+        # space before string flags is ignored.
+        ("D:(A;; GA;;;LG)", "D:(A;;GA;;;LG)"),
     ]
 
 
@@ -650,6 +656,25 @@ class SddlShouldFail(SddlDecodeEncodeBase):
         "D:(A;;GA;f30e3bbf-9ff0-11d1-b603-0000f80367c1 ;;WD)",
         "D:(A;;GA;; f30e3bbf-9ff0-11d1-b603-0000f80367c1;WD)",
         "D:(A;;GA;;f30e3bbf-9ff0-11d1-b603-0000f80367c1 ;WD)",
+
+        # space splits a flag in half.
+        "D:AI(A;CI;RP LCLOR C;;;AU)",
+        # tabs in flags
+        "D:AI(A;CI;RP LC\tLORC;;;AU)",
+        "D:AI(A;CI;RP LC\t LORC;;;AU)",
+
+        # incomplete SIDs
+        "O:S",
+        "O:S-",
+        "O:S-1",
+        "O:S-10",
+        "O:S-0",
+        "O:S-1-",
+        "O:S-0x1",
+        "O:S-0x1-",
+
+        "O:",
+        "O:XX",
     ]
 
 
@@ -679,8 +704,8 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
         # whitespace is ignored, repaired on return
         ("D:(A;;GA;;; LG)", "D:(A;;GA;;;LG)"),
         ("D: (A;;GA;;;LG)", "D:(A;;GA;;;LG)"),
-        # whitespace before string flags is ignored.
-        ("D:(A;; GA;;;LG)", "D:(A;;GA;;;LG)"),
+        # whitespace before ACL string flags is ignored.
+        ("D: AI(A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
         # wrong case on type is ignored, fixed
         ("D:(a;;GA;;;LG)", "D:(A;;GA;;;LG)"),
         ("D:(A;;GA;;;lg)", "D:(A;;GA;;;LG)"),
@@ -698,6 +723,9 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
         # whitespace in absent ace flags
         ("D:(A; ;GA;;;LG)","D:(A;;GA;;;LG)"),
 
+        # space after ACL flags
+        ("D:AI (A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
+
         # and more whitespace.
         ("D:(A;;GA;;; WD)", "D:(A;;GA;;;WD)"),
         ("D:(A;;GA;;;WD )", "D:(A;;GA;;;WD)"),

diff --git a/selftest/knownfail.d/sddl b/selftest/knownfail.d/sddl
index cf38e28bb4a5e3dcd180d542626d0463de4b32dd..5b09c474a7e01479e6ca139a44c18b49fff63364 100644 (file)
--- a/selftest/knownfail.d/sddl
+++ b/selftest/knownfail.d/sddl
@@ -1,3 +1,6 @@
+^samba.tests.sddl.+.SddlNonCanonical.test_sddl_D:.A;;.GA;;;LG..none
+^samba.tests.sddl.+.SddlNonCanonical.test_sddl_D:AI.A;CI;RP.LCLO..RC;;;AU..none
+^samba.tests.sddl.+.SddlNonCanonical.test_sddl_D:AI.A;CI;RP.LCLORC;;;AU..none
 ^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_D:.A;;0x001f01ff;;;WD..A;;0x001f01ff;;;S-1.+S
 ^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_D:.A;;FA;;;WD..none
 ^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_O:S-1-5-21-2212615479-2695158682-210137546.+: