From: David Mulder Date: Tue, 25 Jul 2023 19:41:06 +0000 (-0600) Subject: gp: Test modifying script user policy enforces changes X-Git-Tag: tevent-0.16.0~1319 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70d3601fc648813b05ed2ec08da4c78229023763;p=thirdparty%2Fsamba.git gp: Test modifying script user policy enforces changes Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py index cce8a0fb582..3ca9855b5c4 100644 --- a/python/samba/tests/gpo.py +++ b/python/samba/tests/gpo.py @@ -6958,9 +6958,12 @@ class GPOTests(tests.TestCase): def test_gp_user_scripts_ext(self): local_path = self.lp.cache_path('gpo_cache') - guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' - reg_pol = os.path.join(local_path, policies, guid, + guids = ['{31B2F340-016D-11D2-945F-00C04FB984F9}', + '{6AC1786C-016F-11D2-945F-00C04FB984F9}'] + reg_pol = os.path.join(local_path, policies, guids[0], 'USER/REGISTRY.POL') + reg_pol2 = os.path.join(local_path, policies, guids[1], + 'USER/REGISTRY.POL') cache_dir = self.lp.get('cache directory') store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) @@ -6993,6 +6996,18 @@ class GPOTests(tests.TestCase): ret = stage_file(reg_pol, ndr_pack(stage)) self.assertTrue(ret, 'Could not create the target %s' % reg_pol) + # Stage the other Registry.pol + stage = preg.file() + e2 = preg.entry() + e2.keyname = keyname + e2.valuename = b'Software\\Policies\\Samba\\Unix Settings' + e2.type = 1 + e2.data = b'echo this is a second policy' + stage.num_entries = 1 + stage.entries = [e2] + ret = stage_file(reg_pol2, ndr_pack(stage)) + self.assertTrue(ret, 'Could not create the target %s' % reg_pol2) + # Process all gpos, intentionally skipping the privilege drop ext.process_group_policy([], gpos) # Dump the fake crontab setup for testing @@ -7001,13 +7016,31 @@ class GPOTests(tests.TestCase): entry = b'%s %s' % (sections[keyname], e.data.encode()) self.assertIn(entry, crontab, 'The crontab entry was not installed') + entry2 = b'%s %s' % (sections[keyname], e2.data.encode()) + self.assertIn(entry2, crontab, + 'The crontab entry was not installed') + + # Force apply with removal of second GPO + gp_db = store.get_gplog(os.environ.get('DC_USERNAME')) + del_gpos = gp_db.get_applied_settings([guids[1]]) + rgpos = [gpo for gpo in gpos if gpo.name != guids[1]] + ext.process_group_policy(del_gpos, rgpos) + + # Dump the fake crontab setup for testing + p = Popen(['crontab', '-l'], stdout=PIPE) + crontab, _ = p.communicate() + + # Ensure the first entry remains, and the second entry is removed + self.assertIn(entry, crontab, + 'The first crontab entry was not found') + self.assertNotIn(entry2, crontab, + 'The second crontab entry was still present') # Check that a call to gpupdate --rsop also succeeds ret = rsop(self.lp) self.assertEquals(ret, 0, 'gpupdate --rsop failed!') # Remove policy - gp_db = store.get_gplog(os.environ.get('DC_USERNAME')) del_gpos = get_deleted_gpos_list(gp_db, []) ext.process_group_policy(del_gpos, []) # Dump the fake crontab setup for testing @@ -7016,8 +7049,9 @@ class GPOTests(tests.TestCase): self.assertNotIn(entry, crontab, 'Unapply failed to cleanup crontab entry') - # Unstage the Registry.pol file + # Unstage the Registry.pol files unstage_file(reg_pol) + unstage_file(reg_pol2) def test_gp_firefox_ext(self): local_path = self.lp.cache_path('gpo_cache') diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo index 6f9d9f4f8c2..dcf179de83b 100644 --- a/selftest/knownfail.d/gpo +++ b/selftest/knownfail.d/gpo @@ -4,3 +4,4 @@ ^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd ^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue ^samba.tests.gpo.samba.tests.gpo.GPOTests.test_smb_conf_ext +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext