From: Isaac Boukris Date: Tue, 1 Sep 2020 17:14:29 +0000 (+0300) Subject: selftest: add a test for the CreateTrustedDomainRelax wrapper X-Git-Tag: talloc-2.3.2~38 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cfaad16ff632df83a881fe5d8ec498bab102c9c9;p=thirdparty%2Fsamba.git selftest: add a test for the CreateTrustedDomainRelax wrapper Originally copied from 'source4/scripting/devel/createtrust' (had to drop the TRUST_AUTH_TYPE_VERSION part though, as it fails against samba DC). Signed-off-by: Isaac Boukris Reviewed-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy --- diff --git a/python/samba/tests/dcerpc/createtrustrelax.py b/python/samba/tests/dcerpc/createtrustrelax.py new file mode 100644 index 00000000000..48beb0f9680 --- /dev/null +++ b/python/samba/tests/dcerpc/createtrustrelax.py 
@@ -0,0 +1,131 @@
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) Andrew Bartlett 2011
+# Copyright (C) Isaac Boukris 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+"""Tests for the CreateTrustedDomainRelax wrapper"""
+
+import os
+import samba
+from samba.tests import TestCase
+from samba.dcerpc import lsa, security, drsblobs
+from samba.credentials import Credentials, SMB_ENCRYPTION_REQUIRED, SMB_ENCRYPTION_OFF
+from samba.trust_utils import CreateTrustedDomainRelax
+
+class CreateTrustedDomainRelaxTest(TestCase):
+ def setUp(self):
+ super(CreateTrustedDomainRelaxTest, self).setUp()
+
+ def get_user_creds(self):
+ c = Credentials()
+ c.guess()
+ domain = samba.tests.env_get_var_value('DOMAIN')
+ username = samba.tests.env_get_var_value('USERNAME')
+ password = samba.tests.env_get_var_value('PASSWORD')
+ c.set_domain(domain)
+ c.set_username(username)
+ c.set_password(password)
+ return c
+
+ def _create_trust_relax(self, smbencrypt=True):
+ creds = self.get_user_creds()
+
+ if smbencrypt:
+ creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
+ else:
+ creds.set_smb_encryption(SMB_ENCRYPTION_OFF)
+
+ lp = self.get_loadparm()
+
+ binding_string = ("ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER')))
+ lsa_conn = lsa.lsarpc(binding_string, lp, creds)
+
+ if smbencrypt:
+ self.assertTrue(lsa_conn.transport_encrypted())
+ else:
+ self.assertFalse(lsa_conn.transport_encrypted())
+
+ 
objectAttr = lsa.ObjectAttribute()
+ objectAttr.sec_qos = lsa.QosInfo()
+
+ pol_handle = lsa_conn.OpenPolicy2('',
+ objectAttr,
+ security.SEC_FLAG_MAXIMUM_ALLOWED)
+ self.assertIsNotNone(pol_handle)
+
+ name = lsa.String()
+ name.string = "tests.samba.example.com"
+ try:
+ info = lsa_conn.QueryTrustedDomainInfoByName(pol_handle, name,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+
+ lsa_conn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
+ except RuntimeError:
+ pass
+
+ info = lsa.TrustDomainInfoInfoEx()
+ info.domain_name.string = name.string
+ info.netbios_name.string = "createtrustrelax"
+ info.sid = security.dom_sid("S-1-5-21-538490383-3740119673-95748416")
+ info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
+ info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
+ info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
+
+ password_blob = samba.string_to_byte_array("password".encode('utf-16-le'))
+
+ clear_value = drsblobs.AuthInfoClear()
+ clear_value.size = len(password_blob)
+ clear_value.password = password_blob
+
+ clear_authentication_information = drsblobs.AuthenticationInformation()
+ clear_authentication_information.LastUpdateTime = 0
+ clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
+ clear_authentication_information.AuthInfo = clear_value
+
+ authentication_information_array = drsblobs.AuthenticationInformationArray()
+ authentication_information_array.count = 1
+ authentication_information_array.array = [clear_authentication_information]
+
+ outgoing = drsblobs.trustAuthInOutBlob()
+ outgoing.count = 1
+ outgoing.current = authentication_information_array
+
+ trustdom_handle = None
+ try:
+ trustdom_handle = CreateTrustedDomainRelax(lsa_conn,
+ pol_handle,
+ info,
+ security.SEC_STD_DELETE,
+ outgoing,
+ outgoing)
+ except samba.NTSTATUSError as nt:
+ raise AssertionError(nt)
+ except OSError as e:
+ if smbencrypt:
+ raise AssertionError(e)
+
+ if smbencrypt:
+ 
self.assertIsNotNone(trustdom_handle)
+ lsa_conn.DeleteTrustedDomain(pol_handle, info.sid)
+ else:
+ self.assertIsNone(trustdom_handle)
+
+ def test_create_trust_relax_encrypt(self):
+ self._create_trust_relax(True)
+
+ def test_create_trust_relax_no_enc(self):
+ self._create_trust_relax(False)
diff --git a/selftest/knownfail.d/createtrustrelax_server b/selftest/knownfail.d/createtrustrelax_server
new file mode 100644
index 00000000000..80effda8343
--- /dev/null
+++ b/selftest/knownfail.d/createtrustrelax_server
@@ -0,0 +1 @@
+^samba.tests.dcerpc.createtrustrelax.samba.tests.dcerpc.createtrustrelax.CreateTrustedDomainRelaxTest.test_create_trust_relax_encrypt\(ad_dc_fips\)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 361676dfbf5..7afc8399255 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -713,6 +713,10 @@ def planoldpythontestsuite(env, module, name=None, extra_path=[], environ={}, ex
 name = module
 plantestsuite_loadlist(name, env, args)
 
+if have_gnutls_crypto_policies:
+ planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
+ planoldpythontestsuite("ad_dc_fips", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
+
 # Run complex search expressions test once for each database backend.
 # Right now ad_dc has mdb and ad_dc_ntvfs has tdb
 mdb_testenv = "ad_dc"
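Review bot: The negative case in `_create_trust_relax` is too permissive: `except OSError as e: if smbencrypt: raise AssertionError(e)` swallows every OSError when smbencrypt is False, so test_create_trust_relax_no_enc also passes on an unrelated failure (connection reset, name resolution, a broken pipe) rather than only on the wrapper refusing to ship the clear-text trust password over an unencrypted transport. Since this test is the one guarding that refusal, it should pin the failure it expects, e.g. wrap the call in `with self.assertRaises(OSError) as cm:` for the no-enc path and assert on the errno or message that CreateTrustedDomainRelax actually raises (the exact error is not visible in this hunk — confirm against trust_utils). The stale-trust cleanup earlier in the method, `except RuntimeError: pass`, likewise hides access-denied and transport errors; if samba.NTSTATUSError derives from RuntimeError as it appears to, catching that and re-raising anything other than the object-not-found status would keep the cleanup best-effort without masking a misconfigured test user. A short docstring on `_create_trust_relax` stating that the encrypted path must succeed over ncacn_np with SMB encryption required while the unencrypted path must fail rather than succeed would make the intent of the two branches explicit.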
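Review bot: The new `planoldpythontestsuite` calls force `GNUTLS_FORCE_FIPS_MODE=1` on the plain ad_dc environment as well as ad_dc_fips, and nothing in the hunk says why a non-FIPS environment needs it; a reader will reasonably assume it is a copy-paste of the ad_dc_fips line. Presumably FIPS mode is what makes the legacy session-key encryption of the trust password unavailable so that the unencrypted-transport case must be refused rather than fall back — if that is the reason, add a comment above the `if have_gnutls_crypto_policies:` line such as `# Force FIPS mode in both envs so the trust password cannot be protected with legacy (RC4/MD5) session-key crypto and the unencrypted-transport case must fail` (confirm the rationale against trust_utils). Minor style: `{'GNUTLS_FORCE_FIPS_MODE':'1'}` should have a space after the colon to match the surrounding file.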