selftest: add a test for the CreateTrustedDomainRelax wrapper
authorIsaac Boukris <iboukris@gmail.com>
Tue, 1 Sep 2020 17:14:29 +0000 (20:14 +0300)
committerIsaac Boukris <iboukris@sn-devel-184>
Fri, 6 Nov 2020 10:02:35 +0000 (10:02 +0000)
Originally copied from 'source4/scripting/devel/createtrust'
(had to drop the TRUST_AUTH_TYPE_VERSION part though, as it
fails against a Samba DC).

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
python/samba/tests/dcerpc/createtrustrelax.py [new file with mode: 0644]
selftest/knownfail.d/createtrustrelax_server [new file with mode: 0644]
source4/selftest/tests.py

diff --git a/python/samba/tests/dcerpc/createtrustrelax.py b/python/samba/tests/dcerpc/createtrustrelax.py
new file mode 100644 (file)
index 0000000..48beb0f
--- /dev/null
@@ -0,0 +1,131 @@
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) Andrew Bartlett 2011
+# Copyright (C) Isaac Boukris 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""Tests for the CreateTrustedDomainRelax wrapper"""
+
+import os
+import samba
+from samba.tests import TestCase
+from samba.dcerpc import lsa, security, drsblobs
+from samba.credentials import Credentials, SMB_ENCRYPTION_REQUIRED, SMB_ENCRYPTION_OFF
+from samba.trust_utils import CreateTrustedDomainRelax
+
+class CreateTrustedDomainRelaxTest(TestCase):
+    def setUp(self):
+        super(CreateTrustedDomainRelaxTest, self).setUp()
+
+    def get_user_creds(self):
+        c = Credentials()
+        c.guess()
+        domain = samba.tests.env_get_var_value('DOMAIN')
+        username = samba.tests.env_get_var_value('USERNAME')
+        password = samba.tests.env_get_var_value('PASSWORD')
+        c.set_domain(domain)
+        c.set_username(username)
+        c.set_password(password)
+        return c
+
+    def _create_trust_relax(self, smbencrypt=True):
+        creds = self.get_user_creds()
+
+        if smbencrypt:
+            creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
+        else:
+            creds.set_smb_encryption(SMB_ENCRYPTION_OFF)
+
+        lp = self.get_loadparm()
+
+        binding_string = ("ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER')))
+        lsa_conn = lsa.lsarpc(binding_string, lp, creds)
+
+        if smbencrypt:
+            self.assertTrue(lsa_conn.transport_encrypted())
+        else:
+            self.assertFalse(lsa_conn.transport_encrypted())
+
+        objectAttr = lsa.ObjectAttribute()
+        objectAttr.sec_qos = lsa.QosInfo()
+
+        pol_handle = lsa_conn.OpenPolicy2('',
+                                          objectAttr,
+                                          security.SEC_FLAG_MAXIMUM_ALLOWED)
+        self.assertIsNotNone(pol_handle)
+
+        name = lsa.String()
+        name.string = "tests.samba.example.com"
+        try:
+            info = lsa_conn.QueryTrustedDomainInfoByName(pol_handle, name,
+                                                         lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+
+            lsa_conn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
+        except RuntimeError:
+            pass
+
+        info = lsa.TrustDomainInfoInfoEx()
+        info.domain_name.string = name.string
+        info.netbios_name.string = "createtrustrelax"
+        info.sid = security.dom_sid("S-1-5-21-538490383-3740119673-95748416")
+        info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
+        info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
+        info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
+
+        password_blob = samba.string_to_byte_array("password".encode('utf-16-le'))
+
+        clear_value = drsblobs.AuthInfoClear()
+        clear_value.size = len(password_blob)
+        clear_value.password = password_blob
+
+        clear_authentication_information = drsblobs.AuthenticationInformation()
+        clear_authentication_information.LastUpdateTime = 0
+        clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
+        clear_authentication_information.AuthInfo = clear_value
+
+        authentication_information_array = drsblobs.AuthenticationInformationArray()
+        authentication_information_array.count = 1
+        authentication_information_array.array = [clear_authentication_information]
+
+        outgoing = drsblobs.trustAuthInOutBlob()
+        outgoing.count = 1
+        outgoing.current = authentication_information_array
+
+        trustdom_handle = None
+        try:
+            trustdom_handle = CreateTrustedDomainRelax(lsa_conn,
+                                                       pol_handle,
+                                                       info,
+                                                       security.SEC_STD_DELETE,
+                                                       outgoing,
+                                                       outgoing)
+        except samba.NTSTATUSError as nt:
+            raise AssertionError(nt)
+        except OSError as e:
+            if smbencrypt:
+                raise AssertionError(e)
+
+        if smbencrypt:
+            self.assertIsNotNone(trustdom_handle)
+            lsa_conn.DeleteTrustedDomain(pol_handle, info.sid)
+        else:
+            self.assertIsNone(trustdom_handle)
+
+    def test_create_trust_relax_encrypt(self):
+        self._create_trust_relax(True)
+
+    def test_create_trust_relax_no_enc(self):
+        self._create_trust_relax(False)
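Review bot: The no-encryption branch at lines 139-141 swallows every OSError, so a transport or permission failure passes `test_create_trust_relax_no_enc` just as well as the wrapper's intended refusal to send the clear-text trust password over an unencrypted pipe; bind the exception and pin it, e.g. `self.assertEqual(e.errno, <expected errno, taken from the wrapper>)`, or wrap that call in `with self.assertRaises(OSError) as cm:` for the `smbencrypt=False` case. The pre-test cleanup at lines 99-100 likewise catches a bare RuntimeError and discards it; since line 137 already catches `samba.NTSTATUSError`, the cleanup could use the same type with a comment such as `# best-effort removal of a trust left behind by an earlier run`. If the wrapper unexpectedly succeeds without encryption, `assertIsNone` at line 147 fails and the newly created trust stays on the DC; registering the delete via `self.addCleanup` whenever a handle came back keeps the environment clean for later tests. The `setUp` at lines 52-53 only forwards to the parent and can be dropped.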
diff --git a/selftest/knownfail.d/createtrustrelax_server b/selftest/knownfail.d/createtrustrelax_server
new file mode 100644 (file)
index 0000000..80effda
--- /dev/null
@@ -0,0 +1 @@
+^samba.tests.dcerpc.createtrustrelax.samba.tests.dcerpc.createtrustrelax.CreateTrustedDomainRelaxTest.test_create_trust_relax_encrypt\(ad_dc_fips\)
index 361676dfbf554ba0d3c74ca5da07229a65e24522..7afc8399255c82bb32500fc5a611d7bbabc64635 100755 (executable)
@@ -713,6 +713,10 @@ def planoldpythontestsuite(env, module, name=None, extra_path=[], environ={}, ex
         name = module
     plantestsuite_loadlist(name, env, args)
 
+if have_gnutls_crypto_policies:
+    planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
+    planoldpythontestsuite("ad_dc_fips", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
+
 # Run complex search expressions test once for each database backend.
 # Right now ad_dc has mdb and ad_dc_ntvfs has tdb
 mdb_testenv = "ad_dc"
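Review bot: Line 166 forces `GNUTLS_FORCE_FIPS_MODE` on for the non-FIPS `ad_dc` environment as well, and neither the hunk nor the commit message says why; presumably this puts only the client side of the wrapper into its FIPS code path while the DC stays non-FIPS (the knownfail entry expects the encrypted variant to fail only against `ad_dc_fips`), but that intent should be recorded, e.g. `# Run the client in FIPS mode against both a non-FIPS and a FIPS DC` — confirm the wording matches the actual reason. The two calls differ only in the environment name, so `for env in ("ad_dc", "ad_dc_fips"):` with a single `planoldpythontestsuite(env, "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE': '1'})` avoids duplicating the module name and environ dict, and the spaced dict literal follows PEP 8.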