From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Sat, 22 Apr 2023 20:52:42 +0000 (+1200)
Subject: pytest:sddl: tests around spaces in access flags and SIDs
X-Git-Tag: talloc-2.4.1~800
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec2d2f8ea83f433b32071ebf40a8358c084b060b;p=thirdparty%2Fsamba.git

pytest:sddl: tests around spaces in access flags and SIDs

It turns out that in accesss flags Windows will allow leading spaces
and spaces separating flags but not trailing spaces.

We choose to follow this in part because we found it happening in the
wild in our tests for upgradeprovision until a few commits ago.

Windows will also allow spaces in some parts of SIDs.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/python/samba/tests/sddl.py b/python/samba/tests/sddl.py
index 338599ba2c8..b8750880d6d 100644
--- a/python/samba/tests/sddl.py
+++ b/python/samba/tests/sddl.py
@@ -572,6 +572,12 @@ class SddlNonCanonical(SddlDecodeEncodeBase):
           ''.join(f"(A;;0xabc{i:03};;;S-1-5-21-11111111-22222222-33333333-{i})"
                   for i in range(101, 601)))
          ),
+
+        # Windows allows a space in the middle of access flags
+        ("D:AI(A;CI;RP LCLORC;;;AU)", "D:AI(A;CI;LCRPLORC;;;AU)"),
+        ("D:AI(A;CI;RP LCLO  RC;;;AU)", "D:AI(A;CI;LCRPLORC;;;AU)"),
+        # space before string flags is ignored.
+        ("D:(A;; GA;;;LG)", "D:(A;;GA;;;LG)"),
     ]
 
 
@@ -650,6 +656,25 @@ class SddlShouldFail(SddlDecodeEncodeBase):
         "D:(A;;GA;f30e3bbf-9ff0-11d1-b603-0000f80367c1 ;;WD)",
         "D:(A;;GA;; f30e3bbf-9ff0-11d1-b603-0000f80367c1;WD)",
         "D:(A;;GA;;f30e3bbf-9ff0-11d1-b603-0000f80367c1 ;WD)",
+
+        # space splits a flag in half.
+        "D:AI(A;CI;RP LCLOR C;;;AU)",
+        # tabs in flags
+        "D:AI(A;CI;RP LC\tLORC;;;AU)",
+        "D:AI(A;CI;RP LC\t LORC;;;AU)",
+
+        # incomplete SIDs
+        "O:S",
+        "O:S-",
+        "O:S-1",
+        "O:S-10",
+        "O:S-0",
+        "O:S-1-",
+        "O:S-0x1",
+        "O:S-0x1-",
+
+        "O:",
+        "O:XX",
     ]
 
 
@@ -679,8 +704,8 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
         # whitespace is ignored, repaired on return
         ("D:(A;;GA;;; LG)", "D:(A;;GA;;;LG)"),
         ("D: (A;;GA;;;LG)", "D:(A;;GA;;;LG)"),
-        # whitespace before string flags is ignored.
-        ("D:(A;; GA;;;LG)", "D:(A;;GA;;;LG)"),
+        # whitespace before ACL string flags is ignored.
+        ("D: AI(A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
         # wrong case on type is ignored, fixed
         ("D:(a;;GA;;;LG)", "D:(A;;GA;;;LG)"),
         ("D:(A;;GA;;;lg)", "D:(A;;GA;;;LG)"),
@@ -698,6 +723,9 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
         # whitespace in absent ace flags
         ("D:(A; ;GA;;;LG)","D:(A;;GA;;;LG)"),
 
+        # space after ACL flags
+        ("D:AI (A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
+
         # and more whitespace.
         ("D:(A;;GA;;; WD)", "D:(A;;GA;;;WD)"),
         ("D:(A;;GA;;;WD )", "D:(A;;GA;;;WD)"),
diff --git a/selftest/knownfail.d/sddl b/selftest/knownfail.d/sddl
index cf38e28bb4a..5b09c474a7e 100644
--- a/selftest/knownfail.d/sddl
+++ b/selftest/knownfail.d/sddl
@@ -1,3 +1,6 @@
+^samba.tests.sddl.+.SddlNonCanonical.test_sddl_D:.A;;.GA;;;LG..none
+^samba.tests.sddl.+.SddlNonCanonical.test_sddl_D:AI.A;CI;RP.LCLO..RC;;;AU..none
+^samba.tests.sddl.+.SddlNonCanonical.test_sddl_D:AI.A;CI;RP.LCLORC;;;AU..none
 ^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_D:.A;;0x001f01ff;;;WD..A;;0x001f01ff;;;S-1.+S
 ^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_D:.A;;FA;;;WD..none
 ^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_O:S-1-5-21-2212615479-2695158682-210137546.+: