gpo: Test Group Policy Host Access Configuration for VGP

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index b5d195b044587ccc326bbd17fcb3024ce2634946..e28b117f73ad9efb14debc025498dbca48eeb7ca 100644 (file)
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -36,6 +36,7 @@ from samba.vgp_openssh_ext import vgp_openssh_ext
 from samba.vgp_startup_scripts_ext import vgp_startup_scripts_ext
 from samba.vgp_motd_ext import vgp_motd_ext
 from samba.vgp_issue_ext import vgp_issue_ext
+from samba.vgp_access_ext import vgp_access_ext
 import logging
 from samba.credentials import Credentials
 from samba.gp_msgs_ext import gp_msgs_ext
@@ -1366,3 +1367,133 @@ class GPOTests(tests.TestCase):
 
         # Unstage the manifest.xml file
         unstage_file(manifest)
+
+    def test_vgp_access(self):
+        local_path = self.lp.cache_path('gpo_cache')
+        guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
+        allow = os.path.join(local_path, policies, guid, 'MACHINE',
+            'VGP/VTLA/VAS/HOSTACCESSCONTROL/ALLOW/MANIFEST.XML')
+        deny = os.path.join(local_path, policies, guid, 'MACHINE',
+            'VGP/VTLA/VAS/HOSTACCESSCONTROL/DENY/MANIFEST.XML')
+        logger = logging.getLogger('gpo_tests')
+        cache_dir = self.lp.get('cache directory')
+        store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
+
+        machine_creds = Credentials()
+        machine_creds.guess(self.lp)
+        machine_creds.set_machine_account()
+
+        # Initialize the group policy extension
+        ext = vgp_access_ext(logger, self.lp, machine_creds, store)
+
+        ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
+        if ads.connect():
+            gpos = ads.get_gpo_list(machine_creds.get_username())
+
+        # Stage the manifest.xml allow file
+        stage = etree.Element('vgppolicy')
+        policysetting = etree.SubElement(stage, 'policysetting')
+        version = etree.SubElement(policysetting, 'version')
+        version.text = '2'
+        apply_mode = etree.SubElement(policysetting, 'apply_mode')
+        apply_mode.text = 'merge'
+        data = etree.SubElement(policysetting, 'data')
+        # Add an allowed user
+        listelement = etree.SubElement(data, 'listelement')
+        otype = etree.SubElement(listelement, 'type')
+        otype.text = 'USER'
+        entry = etree.SubElement(listelement, 'entry')
+        entry.text = 'goodguy@%s' % realm
+        adobject = etree.SubElement(listelement, 'adobject')
+        name = etree.SubElement(adobject, 'name')
+        name.text = 'goodguy'
+        domain = etree.SubElement(adobject, 'domain')
+        domain.text = realm
+        otype = etree.SubElement(adobject, 'type')
+        otype.text = 'user'
+        # Add an allowed group
+        groupattr = etree.SubElement(data, 'groupattr')
+        groupattr.text = 'samAccountName'
+        listelement = etree.SubElement(data, 'listelement')
+        otype = etree.SubElement(listelement, 'type')
+        otype.text = 'GROUP'
+        entry = etree.SubElement(listelement, 'entry')
+        entry.text = '%s\\goodguys' % realm
+        dn = etree.SubElement(listelement, 'dn')
+        dn.text = 'CN=goodguys,CN=Users,%s' % base_dn
+        adobject = etree.SubElement(listelement, 'adobject')
+        name = etree.SubElement(adobject, 'name')
+        name.text = 'goodguys'
+        domain = etree.SubElement(adobject, 'domain')
+        domain.text = realm
+        otype = etree.SubElement(adobject, 'type')
+        otype.text = 'group'
+        ret = stage_file(allow, etree.tostring(stage))
+        self.assertTrue(ret, 'Could not create the target %s' % allow)
+
+        # Stage the manifest.xml deny file
+        stage = etree.Element('vgppolicy')
+        policysetting = etree.SubElement(stage, 'policysetting')
+        version = etree.SubElement(policysetting, 'version')
+        version.text = '2'
+        apply_mode = etree.SubElement(policysetting, 'apply_mode')
+        apply_mode.text = 'merge'
+        data = etree.SubElement(policysetting, 'data')
+        # Add a denied user
+        listelement = etree.SubElement(data, 'listelement')
+        otype = etree.SubElement(listelement, 'type')
+        otype.text = 'USER'
+        entry = etree.SubElement(listelement, 'entry')
+        entry.text = 'badguy@%s' % realm
+        adobject = etree.SubElement(listelement, 'adobject')
+        name = etree.SubElement(adobject, 'name')
+        name.text = 'badguy'
+        domain = etree.SubElement(adobject, 'domain')
+        domain.text = realm
+        otype = etree.SubElement(adobject, 'type')
+        otype.text = 'user'
+        # Add a denied group
+        groupattr = etree.SubElement(data, 'groupattr')
+        groupattr.text = 'samAccountName'
+        listelement = etree.SubElement(data, 'listelement')
+        otype = etree.SubElement(listelement, 'type')
+        otype.text = 'GROUP'
+        entry = etree.SubElement(listelement, 'entry')
+        entry.text = '%s\\badguys' % realm
+        dn = etree.SubElement(listelement, 'dn')
+        dn.text = 'CN=badguys,CN=Users,%s' % base_dn
+        adobject = etree.SubElement(listelement, 'adobject')
+        name = etree.SubElement(adobject, 'name')
+        name.text = 'badguys'
+        domain = etree.SubElement(adobject, 'domain')
+        domain.text = realm
+        otype = etree.SubElement(adobject, 'type')
+        otype.text = 'group'
+        ret = stage_file(deny, etree.tostring(stage))
+        self.assertTrue(ret, 'Could not create the target %s' % deny)
+
+        # Process all gpos, with temp output directory
+        with TemporaryDirectory() as dname:
+            ext.process_group_policy([], gpos, dname)
+            conf = os.listdir(dname)
+            self.assertEquals(len(conf), 1, 'The conf file was not created')
+            gp_cfg = os.path.join(dname, conf[0])
+
+            # Check the access config for the correct access.conf entries
+            print('Config file %s found' % gp_cfg)
+            data = open(gp_cfg, 'r').read()
+            self.assertIn('+:%s\\goodguy:ALL' % realm, data)
+            self.assertIn('+:%s\\goodguys:ALL' % realm, data)
+            self.assertIn('-:%s\\badguy:ALL' % realm, data)
+            self.assertIn('-:%s\\badguys:ALL' % realm, data)
+
+            # Remove policy
+            gp_db = store.get_gplog(machine_creds.get_username())
+            del_gpos = get_deleted_gpos_list(gp_db, [])
+            ext.process_group_policy(del_gpos, [], dname)
+            self.assertFalse(os.path.exists(gp_cfg),
+                             'Unapply failed to cleanup config')
+
+        # Unstage the manifest.pol files
+        unstage_file(allow)
+        unstage_file(deny)

diff --git a/python/samba/vgp_access_ext.py b/python/samba/vgp_access_ext.py
new file mode 100644 (file)
index 0000000..c42b81c
--- /dev/null
+++ b/python/samba/vgp_access_ext.py
@@ -0,0 +1,26 @@
+# vgp_access_ext samba group policy
+# Copyright (C) David Mulder <dmulder@suse.com> 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from samba.gpclass import gp_xml_ext
+
+class vgp_access_ext(gp_xml_ext):
+    def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
+                             access='/etc/security/access.d'):
+        pass
+
+    def rsop(self, gpo):
+        output = {}
+        return output