pytest:samba-tool domain test policy: test SDDL diagnostics
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fri, 27 Oct 2023 23:09:04 +0000 (12:09 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 1 Nov 2023 21:12:33 +0000 (21:12 +0000)
The existing 'bad SDDL' test has SDDL so bad that the diagnostics
are not exercised.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov  1 21:12:33 UTC 2023 on atb-devel-224

python/samba/tests/samba_tool/domain_auth_policy.py

index 445be2ccec6d0532eebc2f937cd97cf22a543265..a9401ab41ba154bce0e50b7434d199c1a0b188cf 100644 (file)
@@ -297,6 +297,48 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
         self.assertIn("Unable to parse SDDL", err)
         self.assertIn(" *INVALID SDDL*\n ^\n unknown error", err)
 
+    def test_create__invalid_sddl_conditional_ace(self):
+        """Test creating a new authentication policy with invalid SDDL in a field."""
+        sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {secret club}))"
+        result, out, err = self.runcmd("domain", "auth", "policy", "create",
+                                       "--name", "invalidSDDLPolicy2",
+                                       "--user-allowed-to-authenticate-from",
+                                       sddl)
+        self.assertEqual(result, -1)
+        self.assertIn("Unable to parse SDDL", err)
+        self.assertIn(sddl, err)
+        self.assertIn(f"\n{'^':>41}", err)
+        self.assertIn("unexpected byte 0x73 's' parsing literal", err)
+        self.assertNotIn("  File ", err)
+
+    def test_create__invalid_sddl_conditional_ace_non_ascii(self):
+        """Test creating a new authentication policy with invalid SDDL in a field."""
+        sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@User.āāēē == "łē¶ŧ¹⅓þōīŋ“đ¢ð»" && Member_of {secret club}))'
+        result, out, err = self.runcmd("domain", "auth", "policy", "create",
+                                       "--name", "invalidSDDLPolicy2",
+                                       "--user-allowed-to-authenticate-from",
+                                       sddl)
+        self.assertEqual(result, -1)
+        self.assertIn("Unable to parse SDDL", err)
+        self.assertIn(sddl, err)
+        self.assertIn(f"\n{'^':>76}\n", err)
+        self.assertIn(" unexpected byte 0x73 's' parsing literal", err)
+        self.assertNotIn("  File ", err)
+
+    def test_create__invalid_sddl_normal_ace(self):
+        """Test creating a new authentication policy with invalid SDDL in a field."""
+        sddl = "O:SYG:SYD:(A;;;;ZZ)(XA;OICI;CR;;;WD;(Member_of {WD}))"
+        result, out, err = self.runcmd("domain", "auth", "policy", "create",
+                                       "--name", "invalidSDDLPolicy3",
+                                       "--user-allowed-to-authenticate-from",
+                                       sddl)
+        self.assertEqual(result, -1)
+        self.assertIn("Unable to parse SDDL", err)
+        self.assertIn(sddl, err)
+        self.assertIn(f"\n{'^':>12}", err)
+        self.assertIn("unknown error", err)
+        self.assertNotIn("  File ", err)  # traceback marker
+
     def test_create__already_exists(self):
         """Test creating a new authentication policy that already exists."""
         result, out, err = self.runcmd("domain", "auth", "policy", "create",
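Review bot: `test_create__invalid_sddl_conditional_ace_non_ascii` reuses the policy name `invalidSDDLPolicy2` from `test_create__invalid_sddl_conditional_ace`, so if the parser ever accepted the first string, the second test would presumably fail on a name collision rather than on the SDDL diagnostic; a distinct name such as `"--name", "invalidSDDLPolicy2NonAscii",` removes that coupling. None of the three added tests checks that the rejected descriptor left no policy object behind; because this SDDL is the access condition on who may authenticate, an assertion that the named policy does not exist after the failed create would pin the fail-closed behaviour (any lookup helper the class offers is outside this hunk). The three docstrings are identical, and each could name the diagnostic it covers, e.g. `"""Invalid conditional ACE: caret points at the bad literal, no traceback shown."""`. The `# traceback marker` comment on the last `assertNotIn` would help on the other two as well. The enclosing class and `test_create__already_exists` continue beyond the hunk.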