From: David Mulder Date: Mon, 22 Feb 2021 22:01:04 +0000 (-0700) Subject: gpo: Test Group Policy Host Access Configuration for VGP X-Git-Tag: tevent-0.11.0~1459 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de3dbfda9c513bc6fdf4bf38c40e72d4f278e7e0;p=thirdparty%2Fsamba.git gpo: Test Group Policy Host Access Configuration for VGP Signed-off-by: David Mulder Reviewed-by: Jeremy Allison --- diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py index b5d195b0445..e28b117f73a 100644 --- a/python/samba/tests/gpo.py +++ b/python/samba/tests/gpo.py @@ -36,6 +36,7 @@ from samba.vgp_openssh_ext import vgp_openssh_ext from samba.vgp_startup_scripts_ext import vgp_startup_scripts_ext from samba.vgp_motd_ext import vgp_motd_ext from samba.vgp_issue_ext import vgp_issue_ext +from samba.vgp_access_ext import vgp_access_ext import logging from samba.credentials import Credentials from samba.gp_msgs_ext import gp_msgs_ext @@ -1366,3 +1367,133 @@ class GPOTests(tests.TestCase): # Unstage the manifest.xml file unstage_file(manifest) + + def test_vgp_access(self): + local_path = self.lp.cache_path('gpo_cache') + guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' + allow = os.path.join(local_path, policies, guid, 'MACHINE', + 'VGP/VTLA/VAS/HOSTACCESSCONTROL/ALLOW/MANIFEST.XML') + deny = os.path.join(local_path, policies, guid, 'MACHINE', + 'VGP/VTLA/VAS/HOSTACCESSCONTROL/DENY/MANIFEST.XML') + logger = logging.getLogger('gpo_tests') + cache_dir = self.lp.get('cache directory') + store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) + + machine_creds = Credentials() + machine_creds.guess(self.lp) + machine_creds.set_machine_account() + + # Initialize the group policy extension + ext = vgp_access_ext(logger, self.lp, machine_creds, store) + + ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds) + if ads.connect(): + gpos = ads.get_gpo_list(machine_creds.get_username()) + + # Stage the manifest.xml allow file + stage = etree.Element('vgppolicy') + policysetting = etree.SubElement(stage, 'policysetting') + version = etree.SubElement(policysetting, 'version') + version.text = '2' + apply_mode = etree.SubElement(policysetting, 'apply_mode') + apply_mode.text = 'merge' + data = etree.SubElement(policysetting, 'data') + # Add an allowed user + listelement = etree.SubElement(data, 'listelement') + otype = etree.SubElement(listelement, 'type') + otype.text = 'USER' + entry = etree.SubElement(listelement, 'entry') + entry.text = 'goodguy@%s' % realm + adobject = etree.SubElement(listelement, 'adobject') + name = etree.SubElement(adobject, 'name') + name.text = 'goodguy' + domain = etree.SubElement(adobject, 'domain') + domain.text = realm + otype = etree.SubElement(adobject, 'type') + otype.text = 'user' + # Add an allowed group + groupattr = etree.SubElement(data, 'groupattr') + groupattr.text = 'samAccountName' + listelement = etree.SubElement(data, 'listelement') + otype = etree.SubElement(listelement, 'type') + otype.text = 'GROUP' + entry = etree.SubElement(listelement, 'entry') + entry.text = '%s\\goodguys' % realm + dn = etree.SubElement(listelement, 'dn') + dn.text = 'CN=goodguys,CN=Users,%s' % base_dn + adobject = etree.SubElement(listelement, 'adobject') + name = etree.SubElement(adobject, 'name') + name.text = 'goodguys' + domain = etree.SubElement(adobject, 'domain') + domain.text = realm + otype = etree.SubElement(adobject, 'type') + otype.text = 'group' + ret = stage_file(allow, etree.tostring(stage)) + self.assertTrue(ret, 'Could not create the target %s' % allow) + + # Stage the manifest.xml deny file + stage = etree.Element('vgppolicy') + policysetting = etree.SubElement(stage, 'policysetting') + version = etree.SubElement(policysetting, 'version') + version.text = '2' + apply_mode = etree.SubElement(policysetting, 'apply_mode') + apply_mode.text = 'merge' + data = etree.SubElement(policysetting, 'data') + # Add a denied user + listelement = etree.SubElement(data, 'listelement') + otype = etree.SubElement(listelement, 'type') + otype.text = 'USER' + entry = etree.SubElement(listelement, 'entry') + entry.text = 'badguy@%s' % realm + adobject = etree.SubElement(listelement, 'adobject') + name = etree.SubElement(adobject, 'name') + name.text = 'badguy' + domain = etree.SubElement(adobject, 'domain') + domain.text = realm + otype = etree.SubElement(adobject, 'type') + otype.text = 'user' + # Add a denied group + groupattr = etree.SubElement(data, 'groupattr') + groupattr.text = 'samAccountName' + listelement = etree.SubElement(data, 'listelement') + otype = etree.SubElement(listelement, 'type') + otype.text = 'GROUP' + entry = etree.SubElement(listelement, 'entry') + entry.text = '%s\\badguys' % realm + dn = etree.SubElement(listelement, 'dn') + dn.text = 'CN=badguys,CN=Users,%s' % base_dn + adobject = etree.SubElement(listelement, 'adobject') + name = etree.SubElement(adobject, 'name') + name.text = 'badguys' + domain = etree.SubElement(adobject, 'domain') + domain.text = realm + otype = etree.SubElement(adobject, 'type') + otype.text = 'group' + ret = stage_file(deny, etree.tostring(stage)) + self.assertTrue(ret, 'Could not create the target %s' % deny) + + # Process all gpos, with temp output directory + with TemporaryDirectory() as dname: + ext.process_group_policy([], gpos, dname) + conf = os.listdir(dname) + self.assertEquals(len(conf), 1, 'The conf file was not created') + gp_cfg = os.path.join(dname, conf[0]) + + # Check the access config for the correct access.conf entries + print('Config file %s found' % gp_cfg) + data = open(gp_cfg, 'r').read() + self.assertIn('+:%s\\goodguy:ALL' % realm, data) + self.assertIn('+:%s\\goodguys:ALL' % realm, data) + self.assertIn('-:%s\\badguy:ALL' % realm, data) + self.assertIn('-:%s\\badguys:ALL' % realm, data) + + # Remove policy + gp_db = store.get_gplog(machine_creds.get_username()) + del_gpos = get_deleted_gpos_list(gp_db, []) + ext.process_group_policy(del_gpos, [], dname) + self.assertFalse(os.path.exists(gp_cfg), + 'Unapply failed to cleanup config') + + # Unstage the manifest.pol files + unstage_file(allow) + unstage_file(deny) diff --git a/python/samba/vgp_access_ext.py b/python/samba/vgp_access_ext.py new file mode 100644 index 00000000000..c42b81c9be8 --- /dev/null +++ b/python/samba/vgp_access_ext.py @@ -0,0 +1,26 @@ +# vgp_access_ext samba group policy +# Copyright (C) David Mulder 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from samba.gpclass import gp_xml_ext + +class vgp_access_ext(gp_xml_ext): + def process_group_policy(self, deleted_gpo_list, changed_gpo_list, + access='/etc/security/access.d'): + pass + + def rsop(self, gpo): + output = {} + return output