From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 26 Apr 2023 04:27:38 +0000 (+1200)
Subject: pytest:sddl Samba had the wrong value for FA, now fix the tests
X-Git-Tag: talloc-2.4.1~795
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=334afc7157ecf783db9186e93f5489136e273b8a;p=thirdparty%2Fsamba.git

pytest:sddl Samba had the wrong value for FA, now fix the tests

The tests that were in SddlWindowsFlagsAreDifferent have the behaviour
we want, and as we aim for Samba flags no longer being different, we
shift them to SddlNonCanonical. The tests in SddlSambaDoesItsOwnThing
are removed because they showed Samba's old behaviour around FA.

This will create knownfails, which will be fixed by the commit fixing the
value of "FA".

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---

diff --git a/python/samba/tests/sddl.py b/python/samba/tests/sddl.py
index c1996de75ce..2e945b8799e 100644
--- a/python/samba/tests/sddl.py
+++ b/python/samba/tests/sddl.py
@@ -578,6 +578,44 @@ class SddlNonCanonical(SddlDecodeEncodeBase):
         ("D:AI(A;CI;RP LCLO  RC;;;AU)", "D:AI(A;CI;LCRPLORC;;;AU)"),
         # space before string flags is ignored.
         ("D:(A;; GA;;;LG)", "D:(A;;GA;;;LG)"),
+
+        # from 'samba3.blackbox.large_acl.NT1.able to retrieve a large ACL if VFS supports it'
+        (("D:(A;;0x001f01ff;;;WD)" +
+          ''.join(f"(A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
+                  for i in range(1001, 1201))),
+         ("D:(A;;FA;;;WD)" +
+          ''.join(f"(A;;FA;;;S-1-5-21-11111111-22222222-33333333-{i})"
+                  for i in range(1001, 1201)))
+         ),
+
+        # from samba4.blackbox.samba-tool_ntacl, but using 0x1f01ff in place of FA (which it will become)
+        (("O:S-1-5-21-2212615479-2695158682-2101375468-512"
+          "G:S-1-5-21-2212615479-2695158682-2101375468-513"
+          "D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+          "(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
+          "(A;OICIIO;0x001f01ff;;;CO)"
+          "(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+          "(A;OICI;0x001f01ff;;;SY)"
+          "(A;OICI;0x001200a9;;;AU)"
+          "(A;OICI;0x001200a9;;;ED)"
+          "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
+          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+          "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
+          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"),
+         ("O:S-1-5-21-2212615479-2695158682-2101375468-512"
+          "G:S-1-5-21-2212615479-2695158682-2101375468-513"
+          "D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+          "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
+          "(A;OICIIO;FA;;;CO)"
+          "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+          "(A;OICI;FA;;;SY)"
+          "(A;OICI;0x1200a9;;;AU)"
+          "(A;OICI;0x1200a9;;;ED)"
+          "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
+          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+          "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
+          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")),
+
     ]
 
 
@@ -611,6 +649,7 @@ class SddlCanonical(SddlDecodeEncodeBase):
         "O:S-1-2-512D:",
         "D:PARAI(A;;GA;;;SY)",
         "D:P(A;;GA;;;LG)(A;;GX;;;AA)",
+        "D:(A;;FA;;;WD)"
     ]
 
 
@@ -752,115 +791,6 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
     ]
 
 
-@DynamicTestCase
-class SddlWindowsFlagsAreDifferent(SddlDecodeEncodeBase):
-    """On Windows the 'FA' symbol means 0x1f01ff, while on Samba it means
-    0x1ff (Samba is SEC_FILE_ALL, Windows is SEC_FILE_ALL |
-    SEC_STD_ALL).
-
-    https://lists.samba.org/archive/cifs-protocol/2010-February/001387.html
-    is maybe relevant.
-    """
-    name = "windows_flags_are_different"
-    should_succeed = True
-    strings = [
-        # from 'samba3.blackbox.large_acl.NT1.able to retrieve a large ACL if VFS supports it'
-        (("D:(A;;0x001f01ff;;;WD)" +
-          ''.join(f"(A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
-                  for i in range(1001, 1201))),
-         ("D:(A;;FA;;;WD)" +
-          ''.join(f"(A;;FA;;;S-1-5-21-11111111-22222222-33333333-{i})"
-                  for i in range(1001, 1201)))
-         ),
-        # from samba4.blackbox.samba-tool_ntacl, but using FA in place of 0x1f01ff
-        (("O:S-1-5-21-2212615479-2695158682-2101375468-512"
-          "G:S-1-5-21-2212615479-2695158682-2101375468-513"
-          "D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
-          "(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
-          "(A;OICIIO;0x001f01ff;;;CO)"
-          "(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
-          "(A;OICI;0x001f01ff;;;SY)"
-          "(A;OICI;0x001200a9;;;AU)"
-          "(A;OICI;0x001200a9;;;ED)"
-          "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
-          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
-          "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
-          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"),
-         ("O:S-1-5-21-2212615479-2695158682-2101375468-512"
-          "G:S-1-5-21-2212615479-2695158682-2101375468-513"
-          "D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
-          "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
-          "(A;OICIIO;FA;;;CO)"
-          "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
-          "(A;OICI;FA;;;SY)"
-          "(A;OICI;0x1200a9;;;AU)"
-          "(A;OICI;0x1200a9;;;ED)"
-          "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
-          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
-          "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
-          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")),
-
-        ("D:(A;;FA;;;WD)", "D:(A;;FA;;;WD)"),
-    ]
-
-
-@DynamicTestCase
-class SddlSambaDoesItsOwnThing(SddlDecodeEncodeBase):
-    """Samba's corresponding strings for the "windows flags are different"
-    examples.
-    """
-    name = "samba_does_its_own_thing"
-    should_succeed = True
-    strings = [
-        # from 'samba3.blackbox.large_acl.NT1.able to retrieve a large ACL if VFS supports it'
-        (("D:(A;;0x001f01ff;;;WD)" +
-          ''.join(f"(A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
-                  for i in range(1001, 1201))),
-         ("D:(A;;0x1f01ff;;;WD)" +
-          ''.join(f"(A;;0x1f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
-                  for i in range(1001, 1201)))
-         ),
-        # On Samba this is like a canonical test (same string
-        # returned), but Windows will turn all the 0x1f01ff into FA.
-        (("D:(A;;0x1f01ff;;;WD)" +
-          ''.join(f"(A;;0x1f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
-                  for i in range(1001, 1201))),
-         ("D:(A;;0x1f01ff;;;WD)" +
-          ''.join(f"(A;;0x1f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
-                  for i in range(1001, 1201)))
-         ),
-        # from samba4.blackbox.samba-tool_ntacl, removing 00 padding in 0x flags
-        (("O:S-1-5-21-2212615479-2695158682-2101375468-512"
-          "G:S-1-5-21-2212615479-2695158682-2101375468-513"
-          "D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
-          "(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
-          "(A;OICIIO;0x001f01ff;;;CO)"
-          "(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
-          "(A;OICI;0x001f01ff;;;SY)"
-          "(A;OICI;0x001200a9;;;AU)"
-          "(A;OICI;0x001200a9;;;ED)"
-          "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
-          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
-          "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
-          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"),
-         ("O:S-1-5-21-2212615479-2695158682-2101375468-512"
-          "G:S-1-5-21-2212615479-2695158682-2101375468-513"
-          "D:P(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
-          "(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
-          "(A;OICIIO;0x1f01ff;;;CO)"
-          "(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
-          "(A;OICI;0x1f01ff;;;SY)"
-          "(A;OICI;0x1200a9;;;AU)"
-          "(A;OICI;0x1200a9;;;ED)"
-          "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
-          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
-          "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
-          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")),
-
-        ("D:(A;;FA;;;WD)", "D:(A;;CCDCLCSWRPWPDTLOCR;;;WD)"),
-    ]
-
-
 @DynamicTestCase
 class SddlWindowsIsWeird(SddlDecodeEncodeBase):
     """Windows will accept some very misleading SDDL strings.
diff --git a/selftest/knownfail.d/sddl b/selftest/knownfail.d/sddl
index 3c33617e793..a6bcc5d27f7 100644
--- a/selftest/knownfail.d/sddl
+++ b/selftest/knownfail.d/sddl
@@ -1,3 +1,3 @@
-^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_D:.A;;0x001f01ff;;;WD..A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-1001..A;;0x001f01ff;;;S-1.11522-more-characters.none
-^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_D:.A;;FA;;;WD..none
-^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P.A;.482-more-characters.none
+^samba.tests.sddl.+.SddlCanonical.test_sddl_D:.A;;FA;;;WD..none
+^samba.tests.sddl.+.SddlNonCanonical.test_sddl_D:.A;;0x001f01ff;;;WD..A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-1001..A;;0x001f01ff;;;S-1+11522-more-characters.none
+^samba.tests.sddl.+.SddlNonCanonical.test_sddl_O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P.A;+482-more-characters.none