From: Gabriel Nagy Date: Fri, 18 Aug 2023 14:26:59 +0000 (+0300) Subject: gp: Test disabled enrollment unapplies policy X-Git-Tag: tevent-0.16.0~795 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee814f7707a8ddef2657212cd6d31799501b7bb3;p=thirdparty%2Fsamba.git gp: Test disabled enrollment unapplies policy For this we need to stage a Registry.pol file with certificate autoenrollment enabled, but with checkboxes unticked. Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder
---
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 7d5986a27ff..fc72ca8b7cc 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -281,6 +281,28 @@ b"""
 """
+auto_enroll_unchecked_reg_pol = \
+b"""
+
+
+
+ Software\Policies\Microsoft\Cryptography\AutoEnrollment
+ AEPolicy
+ 0
+
+
+ Software\Policies\Microsoft\Cryptography\AutoEnrollment
+ OfflineExpirationPercent
+ 10
+
+
+ Software\Policies\Microsoft\Cryptography\AutoEnrollment
+ OfflineExpirationStoreNames
+ MY
+
+
+"""
+
 advanced_enroll_reg_pol = \
 b"""
@@ -6949,6 +6971,38 @@ class GPOTests(tests.TestCase):
 ret = rsop(self.lp)
 self.assertEquals(ret, 0, 'gpupdate --rsop failed!')
+ # Remove policy by staging pol file with auto-enroll unchecked
+ parser.load_xml(etree.fromstring(auto_enroll_unchecked_reg_pol.strip()))
+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+ ext.process_group_policy([], gpos, dname, dname)
+ self.assertFalse(os.path.exists(ca_crt),
+ 'Root CA certificate was not removed')
+ self.assertFalse(os.path.exists(machine_crt),
+ 'Machine certificate was not removed')
+ self.assertFalse(os.path.exists(machine_crt),
+ 'Machine key was not removed')
+ self.assertFalse(os.path.exists(workstation_crt),
+ 'Workstation certificate was not removed')
+ self.assertFalse(os.path.exists(workstation_crt),
+ 'Workstation key was not removed')
+
+ # Reapply policy by staging the enabled pol file
+ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip()))
+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+ ext.process_group_policy([], gpos, dname, dname)
+ self.assertTrue(os.path.exists(ca_crt),
+ 'Root CA certificate was not requested')
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine certificate was not requested')
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine key was not generated')
+ self.assertTrue(os.path.exists(workstation_crt),
+ 'Workstation certificate was not requested')
+ self.assertTrue(os.path.exists(workstation_crt),
+ 'Workstation key was not generated')
+
 # Remove policy
 gp_db = store.get_gplog(machine_creds.get_username())
 del_gpos = get_deleted_gpos_list(gp_db, [])
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
new file mode 100644
index 00000000000..83bc9f0ac1f
--- /dev/null
+++ b/selftest/knownfail.d/gpo
@@ -0,0 +1 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
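Review bot: In the GPOTests hunk of python/samba/tests/gpo.py, the four assertions whose messages mention a key ('Machine key was not removed', 'Workstation key was not removed', and the two 'was not generated' counterparts) pass `machine_crt` and `workstation_crt` again, so no key file is ever checked. A private key left on disk after autoenrollment is unticked would therefore still pass, which is the case a removal test most needs to catch. Each of those checks should take the key path instead, along the lines of `self.assertFalse(os.path.exists(<machine key path>), 'Machine key was not removed')`, using whichever variable the test method defines for that file. The method starts and ends outside the hunk, so that variable name is not visible here.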