From: Rob van der Linde Date: Thu, 28 Sep 2023 02:33:18 +0000 (+1300) Subject: netcmd: tests: add some tests for valid and invalid SDDL in cli commands X-Git-Tag: tevent-0.16.0~312 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=12a98ab4fc7765f8b58f115f90ef399c26a2fb77;p=thirdparty%2Fsamba.git netcmd: tests: add some tests for valid and invalid SDDL in cli commands Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py index e1ce394fc94..674c30fc2f7 100644 --- a/python/samba/tests/samba_tool/domain_auth_policy.py +++ b/python/samba/tests/samba_tool/domain_auth_policy.py @@ -24,6 +24,8 @@ import json from optparse import OptionValueError from unittest.mock import patch +from samba.dcerpc import security +from samba.ndr import ndr_unpack from samba.netcmd import CommandError from samba.netcmd.domain.models.exceptions import ModelError from samba.samdb import SamDB 
@@ -228,6 +230,36 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
 self.assertIn("--computer-tgt-lifetime must be between 45 and 2147483647",
 str(e.exception))
 
+ def test_authentication_policy_create_valid_sddl(self):
+ """Test creating a new authentication policy with valid SDDL in a field."""
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))"
+
+ self.addCleanup(self.delete_authentication_policy,
+ name="validSDDLPolicy", force=True)
+
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", "validSDDLPolicy",
+ "--user-allowed-to-authenticate-from",
+ expected)
+ self.assertIsNone(result, msg=err)
+
+ # Check policy fields.
+ policy = self.get_authentication_policy("validSDDLPolicy")
+ self.assertEqual(str(policy["cn"]), "validSDDLPolicy")
+ desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
+ def test_authentication_policy_create_invalid_sddl(self):
+ """Test creating a new authentication policy with invalid SDDL in a field."""
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", "invalidSDDLPolicy",
+ "--user-allowed-to-authenticate-from",
+ "*INVALID SDDL*")
+ self.assertEqual(result, -1)
+ self.assertIn(
+ "msDS-UserAllowedToAuthenticateFrom: Unable to parse SDDL", err)
+
 def test_authentication_policy_create_already_exists(self):
 """Test creating a new authentication policy that already exists."""
 result, out, err = self.runcmd("domain", "auth", "policy", "create",
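Review bot: `test_authentication_policy_create_invalid_sddl` checks only the exit code and the error text, so it would not catch a policy object that was written without the rejected condition, and it registers no cleanup for that case. A policy stored without its `msDS-UserAllowedToAuthenticateFrom` restriction would restrict nothing, so the negative test should also pin that nothing was created. Add `self.addCleanup(self.delete_authentication_policy, name="invalidSDDLPolicy", force=True)` before the `runcmd` call, as the valid-SDDL test does, and after the existing assertions check that `self.get_authentication_policy("invalidSDDLPolicy")` finds no entry. How those two helpers behave for a policy that does not exist is not visible in this hunk, so confirm that in the base test class before relying on them.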