From: Douglas Bagnall Date: Fri, 27 Oct 2023 23:09:04 +0000 (+1300) Subject: pytest:samba-tool domain test policy: test SDDL diagnostics X-Git-Tag: talloc-2.4.2~889 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e7f38c3a190c0faacdbab230439d98d7e3fe7c0e;p=thirdparty%2Fsamba.git pytest:samba-tool domain test policy: test SDDL diagnostics The existing 'bad SDDL' test has SDDL so bad that the diagnostics are not exercised. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Nov 1 21:12:33 UTC 2023 on atb-devel-224
---
diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py
index 445be2ccec6..a9401ab41ba 100644
--- a/python/samba/tests/samba_tool/domain_auth_policy.py
+++ b/python/samba/tests/samba_tool/domain_auth_policy.py
@@ -297,6 +297,48 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
 self.assertIn("Unable to parse SDDL", err)
 self.assertIn(" *INVALID SDDL*\n ^\n unknown error", err)
+ def test_create__invalid_sddl_conditional_ace(self):
+ """Test creating a new authentication policy with invalid SDDL in a field."""
+ sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {secret club}))"
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", "invalidSDDLPolicy2",
+ "--user-allowed-to-authenticate-from",
+ sddl)
+ self.assertEqual(result, -1)
+ self.assertIn("Unable to parse SDDL", err)
+ self.assertIn(sddl, err)
+ self.assertIn(f"\n{'^':>41}", err)
+ self.assertIn("unexpected byte 0x73 's' parsing literal", err)
+ self.assertNotIn(" File ", err)
+
+ def test_create__invalid_sddl_conditional_ace_non_ascii(self):
+ """Test creating a new authentication policy with invalid SDDL in a field."""
+ sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@User.āāēē == "łē¶ŧ¹⅓þōīŋ“đ¢ð»" && Member_of {secret club}))'
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", "invalidSDDLPolicy2",
+ "--user-allowed-to-authenticate-from",
+ sddl)
+ self.assertEqual(result, -1)
+ self.assertIn("Unable to parse SDDL", err)
+ self.assertIn(sddl, err)
+ self.assertIn(f"\n{'^':>76}\n", err)
+ self.assertIn(" unexpected byte 0x73 's' parsing literal", err)
+ self.assertNotIn(" File ", err)
+
+ def test_create__invalid_sddl_normal_ace(self):
+ """Test creating a new authentication policy with invalid SDDL in a field."""
+ sddl = "O:SYG:SYD:(A;;;;ZZ)(XA;OICI;CR;;;WD;(Member_of {WD}))"
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", "invalidSDDLPolicy3",
+ "--user-allowed-to-authenticate-from",
+ sddl)
+ self.assertEqual(result, -1)
+ self.assertIn("Unable to parse SDDL", err)
+ self.assertIn(sddl, err)
+ self.assertIn(f"\n{'^':>12}", err)
+ self.assertIn("unknown error", err)
+ self.assertNotIn(" File ", err) # traceback marker
+
 def test_create__already_exists(self):
 """Test creating a new authentication policy that already exists."""
 result, out, err = self.runcmd("domain", "auth", "policy", "create",
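Review bot: The three new tests share one docstring, "Test creating a new authentication policy with invalid SDDL in a field.", so a failure report does not say which diagnostic path broke; each should name its case, for example `"""A bad literal inside a conditional ACE is reported with a caret under the offending character."""`, with the non-ASCII and plain-ACE variants worded to match. The caret widths `41`, `76` and `12` are hand-counted from the SDDL strings, so each deserves a short comment naming the character the caret should sit under; for the non-ASCII case the comment should also say that the column is counted in characters rather than encoded bytes, which is what `76` appears to check. The `# traceback marker` comment sits only on the last `assertNotIn(" File ", err)` and would help on the first two as well. Separately, the first two tests both pass `"invalidSDDLPolicy2"`: creation is expected to fail, but if the parser ever accepted one of these strings the leftover policy could make the sibling test fail for an unrelated reason, so a distinct name per test (and a cleanup, if the base class does not already provide one) is safer.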