From: Douglas Bagnall
Date: Wed, 9 Aug 2023 02:15:27 +0000 (+1200)
Subject: pytest: security_descriptors: tests without revision number hack
X-Git-Tag: tevent-0.16.0~459
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b9462faf05e1235d0a09dbf061ea65cf22e5c12;p=thirdparty%2Fsamba.git
pytest: security_descriptors: tests without revision number hack
ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2 ACL can be called revision 4 without any problem. But not vice versa: a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The extra ACE types relate to objects. Samba currently simplifies things by calling all its ACLs revision 4, even if (as is commonly the case) the ACLs contain only revision 2 ACEs. On the other hand, Windows will use revision 2 whenever it can. In other tests we skip past this by forcing Windows ACLs to v4 before comparison. This test is to remind us of the incompatibility. It would not be hard to fix.
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/tests/data/short-ordinary-acls-v2.json.gz b/libcli/security/tests/data/short-ordinary-acls-v2.json.gz
new file mode 100644
index 00000000000..1f4ef20df09
Binary files /dev/null and b/libcli/security/tests/data/short-ordinary-acls-v2.json.gz differ
diff --git a/python/samba/tests/security_descriptors.py b/python/samba/tests/security_descriptors.py
index 3edf8a8155d..7276d44e913 100644
--- a/python/samba/tests/security_descriptors.py
+++ b/python/samba/tests/security_descriptors.py
@@ -148,3 +148,12 @@ class SDDLvsDescriptorOverSizeAcls(SDDLvsDescriptorBase):
 ACEs), these cannot currently be parsed by Samba.
 """
 json_file = TEST_DIR / 'oversize-acls.json.gz'
+
+
+@DynamicTestCase
+class SDDLvsDescriptorShortOrdinaryAclsNoMungeV4(SDDLvsDescriptorBase):
+ """These ones have revision 2 ACLs (NT4), but Samba's SDDL only writes
+ revision 4 ACLs (which are otherwise identical).
+ """
+ munge_to_v4 = False
+ json_file = TEST_DIR / 'short-ordinary-acls-v2.json.gz'
diff --git a/selftest/knownfail.d/security-descriptors b/selftest/knownfail.d/security-descriptors
index c985057f94f..84e8e003c1f 100644
--- a/selftest/knownfail.d/security-descriptors
+++ b/selftest/knownfail.d/security-descriptors
@@ -1,3 +1,4 @@
 ^samba.tests.security_descriptors.+SDDLvsDescriptorRegistryObjectRights.+
+^samba.tests.security_descriptors.+SDDLvsDescriptorShortOrdinaryAclsNoMungeV4.+
 ^samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.+
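Review bot: The docstring on `SDDLvsDescriptorShortOrdinaryAclsNoMungeV4` explains the revision 2 versus revision 4 difference but never says the class is expected to fail, which a reader only learns from the `selftest/knownfail.d/security-descriptors` entry added in the same commit. I would add a docstring line such as `Expected to fail (see selftest/knownfail.d/security-descriptors) until Samba can write revision 2 ACLs.` and a comment on `munge_to_v4 = False` saying it turns off the forcing of Windows ACLs to revision 4 that the commit message describes. Because the knownfail pattern matches every test generated for the class, a mismatch in an ACE's SID, access mask or flags in this data set would presumably be reported the same way as the known revision difference, so it is worth confirming that the same descriptors are also compared in a class that keeps the munging. How `munge_to_v4` is consumed lives in `SDDLvsDescriptorBase`, outside this hunk.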