From: David Mulder Date: Tue, 23 Feb 2021 20:12:09 +0000 (-0700) Subject: samba-tool: Test gpo manage access list command X-Git-Tag: tevent-0.11.0~1457 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=76868b50f3689107e101511322dbf749c26d8342;p=thirdparty%2Fsamba.git samba-tool: Test gpo manage access list command Signed-off-by: David Mulder Reviewed-by: Jeremy Allison
---
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index 1b4159c4c0c..6fcc01d6080 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -3659,6 +3659,38 @@ class cmd_issue(SuperCommand):
 subcommands["list"] = cmd_list_issue()
 subcommands["set"] = cmd_set_issue()
+class cmd_list_access(Command):
+ """List VGP Host Access Group Policy from the sysvol
+
+This command lists host access rules from the sysvol that will be applied to winbind clients.
+
+Example:
+samba-tool gpo manage access list {31B2F340-016D-11D2-945F-00C04FB984F9}
+ """
+
+ synopsis = "%prog [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server", type=str,
+ metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["gpo"]
+
+ def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
+ pass
+
+class cmd_access(SuperCommand):
+ """Manage Host Access Group Policy Objects"""
+ subcommands = {}
+ subcommands["list"] = cmd_list_access()
+
 class cmd_manage(SuperCommand):
 """Manage Group Policy Objects"""
 subcommands = {}
@@ -3671,6 +3703,7 @@ class cmd_manage(SuperCommand):
 subcommands["scripts"] = cmd_scripts()
 subcommands["motd"] = cmd_motd()
 subcommands["issue"] = cmd_issue()
+ subcommands["access"] = cmd_access()
 class cmd_gpo(SuperCommand):
 """Group Policy Object (GPO) management."""
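Review bot: `synopsis = "%prog [options]"` in `cmd_list_access` leaves out the positional argument that `takes_args = ["gpo"]` makes mandatory; `synopsis = "%prog <gpo> [options]"` would make the usage text match. `run()` is a bare `pass`, and the second hunk registers the command under `gpo manage access`, so as committed it prints nothing and returns normally, which an administrator could read as "this GPO carries no host access rules". If the stub is meant to be reachable in this state, failing loudly is safer for a command that reports access policy, for example `raise CommandError("gpo manage access list is not implemented yet")`, assuming `CommandError` is already imported in this module (the import block is outside the hunk). A short docstring on `run()` naming its `gpo` and `H` parameters would also help.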
diff --git a/python/samba/tests/samba_tool/gpo_exts.py b/python/samba/tests/samba_tool/gpo_exts.py
new file mode 100644
index 00000000000..222973fbb72
--- /dev/null
+++ b/python/samba/tests/samba_tool/gpo_exts.py
@@ -0,0 +1,115 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) David Mulder 2021
+#
+# based on gpo.py:
+# Copyright (C) Andrew Bartlett 2012
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+import os
+from samba.tests.samba_tool.base import SambaToolCmdTest
+import shutil
+from samba.param import LoadParm
+from samba.tests.gpo import stage_file, unstage_file
+import xml.etree.ElementTree as etree
+
+class GpoCmdTestCase(SambaToolCmdTest):
+ """Tests for samba-tool time subcommands"""
+
+ gpo_name = "testgpo"
+
+ def test_vgp_access_list(self):
+ lp = LoadParm()
+ lp.load(os.environ['SERVERCONFFILE'])
+ local_path = lp.get('path', 'sysvol')
+ vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
+ self.gpo_guid, 'Machine/VGP/VTLA/VAS'
+ 'HostAccessControl/Allow/manifest.xml')
+
+ stage = etree.Element('vgppolicy')
+ policysetting = etree.SubElement(stage, 'policysetting')
+ pv = etree.SubElement(policysetting, 'version')
+ pv.text = '1'
+ name = etree.SubElement(policysetting, 'name')
+ name.text = 'Host Access Control'
+ description = etree.SubElement(policysetting, 'description')
+ description.text = 'Represents host access control data (pam_access)'
+ apply_mode = etree.SubElement(policysetting, 'apply_mode')
+ apply_mode.text = 'merge'
+ data = etree.SubElement(policysetting, 'data')
+ listelement = etree.SubElement(data, 'listelement')
+ etype = etree.SubElement(listelement, 'type')
+ etype.text = 'USER'
+ entry = etree.SubElement(listelement, 'entry')
+ entry.text = 'goodguy@%s' % lp.get('realm').lower()
+ adobject = etree.SubElement(listelement, 'adobject')
+ name = etree.SubElement(adobject, 'name')
+ name.text = 'goodguy'
+ domain = etree.SubElement(adobject, 'domain')
+ domain.text = lp.get('realm').lower()
+ etype = etree.SubElement(adobject, 'type')
+ etype.text = 'user'
+ groupattr = etree.SubElement(data, 'groupattr')
+ groupattr.text = 'samAccountName'
+ listelement = etree.SubElement(data, 'listelement')
+ etype = etree.SubElement(listelement, 'type')
+ etype.text = 'GROUP'
+ entry = etree.SubElement(listelement, 'entry')
+ entry.text = '%s\\goodguys' % lp.get('realm').lower()
+ adobject = etree.SubElement(listelement, 'adobject')
+ name = etree.SubElement(adobject, 'name')
+ name.text = 'goodguys'
+ domain = etree.SubElement(adobject, 'domain')
+ domain.text = lp.get('realm').lower()
+ etype = etree.SubElement(adobject, 'type')
+ etype.text = 'group'
+ ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
+ self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
+
+ uentry = '+:%s\\goodguy:ALL' % domain.text
+ gentry = '+:%s\\goodguys:ALL' % domain.text
+ (result, out, err) = self.runsublevelcmd("gpo", ("manage",
+ "access", "list"),
+ self.gpo_guid, "-H",
+ "ldap://%s" %
+ os.environ["SERVER"],
+ "-U%s%%%s" %
+ (os.environ["USERNAME"],
+ os.environ["PASSWORD"]))
+ self.assertIn(uentry, out, 'The test entry was not found!')
+ self.assertIn(gentry, out, 'The test entry was not found!')
+
+ # Unstage the manifest.xml file
+ unstage_file(vgp_xml)
+
+ def setUp(self):
+ """set up a temporary GPO to work with"""
+ super(GpoCmdTestCase, self).setUp()
+ (result, out, err) = self.runsubcmd("gpo", "create", self.gpo_name,
+ "-H", "ldap://%s" % os.environ["SERVER"],
+ "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]),
+ "--tmpdir", self.tempdir)
+ self.assertCmdSuccess(result, out, err, "Ensuring gpo created successfully")
+ shutil.rmtree(os.path.join(self.tempdir, "policy"))
+ try:
+ self.gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
+ except IndexError:
+ self.fail("Failed to find GUID in output: %s" % out)
+
+ def tearDown(self):
+ """remove the temporary GPO to work with"""
+ (result, out, err) = self.runsubcmd("gpo", "del", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
+ self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
+ super(GpoCmdTestCase, self).tearDown()
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
new file mode 100644
index 00000000000..837f9c756f0
--- /dev/null
+++ b/selftest/knownfail.d/gpo
@@ -0,0 +1 @@
+^samba.tests.samba_tool.gpo_exts.samba.tests.samba_tool.gpo_exts.GpoCmdTestCase.test_vgp_access_list
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index a0afe76e8d9..781f1a59fdc 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -772,6 +772,8 @@ for env in all_fl_envs:
 for env in ["ad_dc_ntvfs", "ad_dc", "offlinebackupdc", "renamedc", smbv1_disabled_testenv]:
 planpythontestsuite(env + ":local", "samba.tests.samba_tool.gpo")
+for env in ["ad_dc_ntvfs", "ad_dc"]:
+ planpythontestsuite(env + ":local", "samba.tests.samba_tool.gpo_exts")
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.processes")
 planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.user")
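Review bot: In `test_vgp_access_list` (new file `gpo_exts.py`) the adjacent literals `'Machine/VGP/VTLA/VAS'` and `'HostAccessControl/Allow/manifest.xml'` have no comma between them, so Python joins them and the manifest is staged under `.../VASHostAccessControl/Allow/manifest.xml`. If the intended directory is `VAS/HostAccessControl` (the command that reads it is not part of this commit, so this is inferred), the line should read `self.gpo_guid, 'Machine/VGP/VTLA/VAS',`. Because the test is listed in `selftest/knownfail.d/gpo`, a wrong path stays hidden until the command is implemented. Separately, `unstage_file(vgp_xml)` is reached only when both `assertIn` checks pass, so a failing run leaves the staged policy file in the sysvol; `self.addCleanup(unstage_file, vgp_xml)` directly after the `stage_file` assertion avoids that. An `assertCmdSuccess(result, out, err, ...)` call before the `assertIn` checks would also surface the command's own error instead of a bare missing-entry message.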