s3:tests: Add tests for 'valid users'.
authorDenis Karpelevich <dkarpele@redhat.com>
Mon, 19 Oct 2020 13:20:04 +0000 (16:20 +0300)
committerJeremy Allison <jra@samba.org>
Wed, 21 Oct 2020 01:17:05 +0000 (01:17 +0000)
Extending testsuite for option 'valid/invalid users' from smb.conf.

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct 21 01:17:05 UTC 2020 on sn-devel-184

selftest/knownfail.d/smb1-tests
selftest/target/Samba3.pm
source3/script/tests/test_smbclient_s3.sh
source3/script/tests/test_substitutions.sh

index 7d349fdc261169e0f533fea6089520133340ef7a..28e78fa04272a319c113a635c938ea8d62ee9135 100644 (file)
@@ -30,6 +30,8 @@
 ^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.rename_dotdot\((ad_member|nt4_member)\)
 ^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.volume\((ad_member|nt4_member)\)
 ^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.delete a non empty directory\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.*valid.users.nt4.*
+^samba3.blackbox.smbclient_s3.NT1.*valid.users.*
 ^samba3.unix.whoami machine account.whoami\(ad_member:local\)
 ^samba3.unix.whoami.whoami\(nt4_member\)
 ^samba3.unix.whoami anonymous connection.whoami\(nt4_member\)
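Review bot: The two added entries, `^samba3.blackbox.smbclient_s3.*valid.users.nt4.*` and `^samba3.blackbox.smbclient_s3.NT1.*valid.users.*`, are far broader than the neighbouring lines, which spell out the `(plain|sign)` variant and the `\((ad_member|nt4_member)\)` environment. With `.*` on both sides they also match any later test whose name merely contains "valid users" (an "invalid users" test included), so a real access-control failure in those runs would be recorded as expected. Following the form of the surrounding lines, something like `^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.valid users\((ad_member|nt4_member)\)` would limit the exemption to the test added here. A `#` comment saying why the test cannot pass in these runs would also help; presumably the nt4 case is because the shares are only added in provision_ad_member, but nothing in this hunk says so.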
index 646ff9b48951c9006a1276f71c1f881ac4fcbce4..cfa2677a673ed8b6c86a671af822d29ae0f07116 100755 (executable)
@@ -716,6 +716,46 @@ sub provision_ad_member
        path = $share_dir
        valid users = ADDOMAIN/%U
 
+[sub_valid_users_domain]
+    path = $share_dir
+    valid users = %D/%U
+
+[sub_valid_users_group]
+    path = $share_dir
+    valid users = \@$dcvars->{DOMAIN}/%G
+
+[valid_users]
+    path = $share_dir
+    valid users = $dcvars->{DOMAIN}/$dcvars->{DC_USERNAME}
+
+[valid_users_group]
+    path = $share_dir
+    valid users = \"\@$dcvars->{DOMAIN}/domain users\"
+
+[valid_users_unix_group]
+    path = $share_dir
+    valid users = \"+$dcvars->{DOMAIN}/domain users\"
+
+[valid_users_nis_group]
+    path = $share_dir
+    valid users = \"&$dcvars->{DOMAIN}/domain users\"
+
+[valid_users_unix_nis_group]
+    path = $share_dir
+    valid users = \"+&$dcvars->{DOMAIN}/domain users\"
+
+[valid_users_nis_unix_group]
+    path = $share_dir
+    valid users = \"&+$dcvars->{DOMAIN}/domain users\"
+
+[invalid_users]
+    path = $share_dir
+    invalid users = $dcvars->{DOMAIN}/$dcvars->{DC_USERNAME}
+
+[valid_and_invalid_users]
+    path = $share_dir
+    valid users = $dcvars->{DOMAIN}/$dcvars->{DC_USERNAME} $dcvars->{DOMAIN}/alice
+    invalid users = $dcvars->{DOMAIN}/$dcvars->{DC_USERNAME}
 ";
 
        my $ret = $self->provision(
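Review bot: The new share stanzas use the `@`, `+`, `&`, `+&` and `&+` group prefixes without saying what each one selects, and the expected results in test_smbclient_s3.sh cannot be checked without that. A short comment block in the heredoc ahead of `[valid_users_group]` should state the lookup each prefix performs as documented in smb.conf(5): NIS netgroup then UNIX group, UNIX group only, NIS netgroup only, and the two combined orders. It should also say that `[valid_users_nis_group]` is expected to deny access, presumably because the selftest environment defines no NIS netgroups; that assumption is worth writing down because the expected result of the denial case depends on it. provision_ad_member begins and ends outside this hunk.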
index 62662690415a493c22dc66bce0d230cb8d601e87..7d31af9e1ab9afe54b6ff9e3d2f1d213dbc35c66 100755 (executable)
@@ -1796,6 +1796,140 @@ EOF
     fi
 }
 
+test_valid_users()
+{
+    tmpfile=$PREFIX/smbclient_interactive_prompt_commands
+    cat > $tmpfile <<EOF
+ls
+quit
+EOF
+    # User in "valid users" can login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_users 'User in 'valid users' can login to service' failed - $ret"
+       return 1
+    fi
+
+    # User from ad group in "valid users" can login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_group $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_users_group 'User from ad group in 'valid users' can login to service' failed - $ret"
+       return 1
+    fi
+
+    # User from UNIX group in "valid users" can login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_group $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_users_unix_group 'User from UNIX group in 'valid users' can login to service' failed - $ret"
+       return 1
+    fi
+
+    # User not in NIS group in "valid users" can't login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_group $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_users_nis_group 'User not in NIS group in 'valid users' can't login to service' failed - $ret"
+       return 1
+    fi
+
+    # Check user in UNIX, then in NIS group in "valid users" can login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_nis_group $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_users_unix_nis_group 'Check user in UNIX, then in NIS group in 'valid users' can login to service' failed - $ret"
+       return 1
+    fi
+
+    # Check user in NIS, then in UNIX group in "valid users" can login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_unix_group $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_users_nis_unix_group 'Check user in NIS, then in UNIX group in 'valid users' can login to service' failed - $ret"
+       return 1
+    fi
+
+    # User not in "invalid users" can login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -Ualice%Secret007 //$SERVER/invalid_users $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:invalid_users 'User not in 'invalid users' can login to service' failed - $ret"
+       return 1
+    fi
+
+    # User in "invalid users" can't login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/invalid_users $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:invalid_users 'User in 'invalid users' can't login to service' failed - $ret"
+       return 1
+    fi
+
+    # User is in "valid and invalid users" can't login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_and_invalid_users $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_and_invalid_users 'User is in 'valid and invalid users' can't login to service' failed - $ret"
+       return 1
+    fi
+
+    # 2 Users are in "valid users"
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -Ualice%Secret007 //$SERVER/valid_and_invalid_users $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+    rm -f $tmpfile
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_and_invalid_users '2 Users are in 'valid users'' failed - $ret"
+       return 1
+    fi
+
+    return 0
+}
+
 #
 #
 LOGDIR_PREFIX=test_smbclient_s3
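Review bot: test_valid_users never checks that a user who is absent from a plain `valid users` list is refused. Every case against `//$SERVER/valid_users` and the `@`/`+` group shares is a successful login by `$DC_USERNAME`, so those cases would still pass if the option were not enforced for user-name entries; the only denials asserted are the NIS-group share and the `invalid users` shares. Adding a case where `alice` (who, judging by the later cases in this function, can authenticate) connects to `valid_users` and must get `NT_STATUS_ACCESS_DENIED` closes that gap. Separately, `rm -f $tmpfile` runs only before the last check, so every earlier `return 1` leaves the file behind.

```shell
    # … unchanged: first case, $DC_USERNAME on //$SERVER/valid_users …

    # User not in "valid users" can't login to service
    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -Ualice%Secret007 //$SERVER/valid_users $ADDARGS < $tmpfile 2>&1'
    eval echo "$cmd"
    out=`eval $cmd`
    echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
    ret=$?

    if [ $ret -ne 0 ] ; then
       echo "$out"
       echo "test_valid_users:valid_users 'User not in 'valid users' can't login to service' failed - $ret"
       return 1
    fi

    # … unchanged: valid_users_group and the remaining cases …
```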
@@ -1949,4 +2083,8 @@ testit "delete a non empty directory" \
     test_del_nedir || \
     failed=`expr $failed + 1`
 
+testit "valid users" \
+    test_valid_users || \
+    failed=`expr $failed + 1`
+
 testok $0 $failed
index c813a8f9def927299639fb627ee1c521ca2b2253..d1525fddc4e7a78efa7f04e89645b26153e91623 100755 (executable)
@@ -39,4 +39,14 @@ SMB_UNC="//$SERVER/sub_valid_users"
 test_smbclient "Test login to share with substitution for valid users" \
        "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
 
+SMB_UNC="//$SERVER/sub_valid_users_domain"
+
+test_smbclient "Test login to share with substitution for valid user's domain" \
+       "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
+
+SMB_UNC="//$SERVER/sub_valid_users_group"
+
+test_smbclient "Test login to share with substitution for valid user's UNIX group" \
+       "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
+
 exit $failed
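Review bot: The description of the last case, "valid user's UNIX group", does not match how the same commit names things elsewhere. `sub_valid_users_group` is provisioned with the `@` prefix, which test_smbclient_s3.sh describes as an "ad group", while "UNIX group" is used there for the `+` prefix. Renaming it to something like `"Test login to share with substitution for valid user's group"` keeps the test log from suggesting that the UNIX-only lookup was exercised.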