From 19129660dfe7312585b057a90b51ad9405661478 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Fri, 24 Nov 2023 16:59:05 +1300
Subject: [PATCH] libcli/security/tests: remove duplicate TX-integer tests from oversized-ACLs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

We had two sets of test vectors (Windows ground-truth for SDDL compilation) that got mixed up.

The "oversized ACLs" set is ACLs that contain repeated ACEs, like "D:P(D;;;;;MP)(D;;;;;MP)" -- Windows will assign a size to the ACL that is greater than the sum of the ACEs, while Samba will not (in part because we don't actually store a size for the ACL, instead calculating it on the fly from the size of the ACEs).

The "TX integers" set is for resource attribute ACEs with octet-string data that contains pure integers (lacking '#' characters) in their SDDL, like «(RA;;;;;WD;("bar",TX,0x0,0077,00,0077,00))». We used to think that was weird, and that RA-TX ACEs should contain octet-strings in the conditional ACE style. But now we have realised it's not weird, it's normal, and we have fixed our handling of these ACEs.

As a result of this mix-up, some of the tests labelled as "oversized ACLs" started passing when we fixed the TX integer problem, and that was confusing.

All of the removed tests are already on the TX integer set -- the removed ones were duplicates.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 .../security/tests/data/oversize-acls.json.gz | Bin 2676 -> 563 bytes
 selftest/knownfail.d/security-descriptors     |  11 +----------
 2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/libcli/security/tests/data/oversize-acls.json.gz b/libcli/security/tests/data/oversize-acls.json.gz index a45348b405d124ef05e9bb6551920ecfb9be898c..46394bcea1e2d0fc507f94fc522eafaaa18d8937 100644 GIT binary patch literal 563 zc-jFo0?hp%iwFQc9$;kv1MOB#Z`&{oz2{d1JvBfCh+mRbpR#5Hau`xz*r6DD*uNN1 z^uLd^GS9A4d-a?(=^QAEMDab*q+aC5#Zo_4+nei6x!>LH%1@iJEWbE#;t(7pjKma0 zTnaIX7fL!3!lH=m1aLJHm<*UfA2z>8cKd9(-9Mwfujl>;p!eUCS~p*7YkSu4`M6zO z-Bi!`4c1G)Uh;YgSX9HohRq2dOd0!(fwYC}Afh|yG;gQ9ba>T*(3k@ywUBZmT71B^ zk#cGlwTn?9(L8K1fdLLC+wcs+i0v?Je|{khJQfDE9s=850Cgq0bkL!rW0qIo&7)i0 z0|A7Te~W$sc!{9dUXT96?bFfo{IKrVI#I;nML0Mhlp;V%PBTV6A@+)W7&)uGQFb2= z3bPe&ryFc!R^y4LwIWN1jb3nSp^u4R*7!TnICCJ@tJynbRVoCJW+#w@0ez3ghmo_! z8~Z?gM+#?UL7`5;>MVApvN=S%SIMUK#i=j!(NWA=e+ODuU8*o+3{HD}@zxd{Xnm8) z1*u2t!^m0djk0^wmQsq=slu~W*t+T#1+)<)TQCnbg~?yt$Hg$~{GxPzcfB>Ol%MZb zzeinxFpn09gwDZ)u5V8oAQKQx1V7#eQgWi?6m?n8BsnL^?WjDTDC5=NT0J|5oSl2c z{<3=ivbHflU7Txs`S9u6pa-nDV{|SHl_ON(b`~_PjyZXtD`DRRz0oT5gVfFs29Fhra!=i{#Tod*|*Ui}t6U zR)1(w>OZl*`{9TFE>pns@&4xB`>TKJ+beZ@WpA&vRL##P4?)6qx7ug37)*WmmchAN zLQS^f>a*L6x4t79Xl-JB$JB9(r1WW<1l4iYC0L(As2>T5BLzmC9_Vf*foG76z{yDR z?L;zUEE$F}AAmR8*qsBOPaONT+eM&#Y_HXP1bQk0JPv>Qnd0MUd;aD2 zYEs9I3F4J=)^D^CS9u-drY!Da}#MTC}vxTGB5aQ$XUVZ~2p(=*Oj@==XZ``^Q?1?(XjI{(1N1 z>*vR>kF{!i|G2&W$LEh<9)9?I_wnz)-rRh7fBiXW+jjf)etZ4%yI+6%@586xzfns2 zb2|P0^Sj%B{dlYXP`9e?V(Qb#b^LB~4S_G&Z2T>mzvRRzelZ9 zM-Q6V{?MVlN1aC38hy2=-lHuvyCc?Opr1%u2S>Dr$0Q`VJrN8N5s1nH5iuRn0il&5 zio&!e$|EI0R6xpLsHmHj8W)*&Gf#4&`_pYCMJn3<=nEqAfm-A zC`A-yPZK9)uxU6@5GYMk9%CHZWFw;L+kB@7J5f!2y_w4{OIiEb6>a49buyNDa=B!f zvBzcu4vJ-rIqQOx{-l3f^$$uZ)mLI34=DAqco9cPyWKCHHn?+SJVr5Y1GPG4dd3*K zo~^YinlZs;h1K==Z_tu2rv*Ks%zaSve=qPCG}@qT!;P}10G+!)=J=eZFzE;ym~s}- z0~Uw&0yzO_7Lz@Ta>>#qLznDai>bd<+pJvHeObb`ez8fRL(Y>u^vt7--Q{$Kr)Qy< zBcR`Du|C42y3RoMHDHJJ(NI69D@=M!&*bQ>Nd*anqEynrjN*A<#-tM1Mpzp`Z64VI zMi3Aot1ty+%rBQUUS0`L8)G@#C0`I)D275goz-dIP)K8b(3SC3^j@NihFtkYW(6yn zB5F0Enz9pUP@U5hChdq8?H_nwtPn+Z22XJzfp!AT(UrlxT-JDb#$dkZP4{DIqbQ9b 
zot6RVG%_`l#kN`RlReiSVR6vC494YjhNnXi_oaPz8fCkF!0zk8&Ua5LbHtz=Jjt9$ znZ`wif|3Lc2O4Y*8uAwXeTyLuL)cwMKRjS&X54j*AktbIRV;yWS^MQIq5RXB1dBw9 zaTRN$oX+ZW>>R;D3xgev>+QYHsu(jkG*M_O2!S`v%T&PLp@|Ml zVYJqPwy?l&-j{;?URrC>6SPCqAe%)thinez&`z;{LIcKDVQdlmvxp)2RvX;=)7Vr% z(dHTvqNpScNwCCeiPI6MCwY`nO*z#SaaP31TZtmoghF{uI|7Qrc;^&VVe>u?plGKb zW0BC74$&hynrB^Q9xKCJP;0Ja~NCNvo#PH5>QUSfjBj!VX#D@5rsCu zA7n@oMVvyMg2I~aV4$oJMVyW}DQB9prUS`KsOCUb6jo7Kq$-Liy=h1TMY$Eqtx#@- zs!%AmO&0`IW)1Z{;H7#zW$)V3R(aXGwnV9(;oi0C!1{R0)$@9dK1=2)i@G%P((N29 zvQK+KSqjQ>J}ApYVJ>OUXNI{1nZjJsOv*8s3r#^yV=kCxq2-=Al0qoUERup5nM6`B zfRPk*?G1Jx1UXpr&k1lKyn*0`X;`H~Vh%|mOkx&Ep|A`|nR$hYVZ4cO4ti0GCd5d4 z;ta$YNM6O*i6V-y427KYND84P^b(qRB!$8ngz_f@Wbu$81lXa^&kIb*<432S)>{xTK&vfiv4umzqtJk{1&pmi1cKm?h#`@{ z7DbSaqA<KzJP|H7e}1g0vZN>NFL?1d0RG6#7Rqngz_hpKVfiABOI13 znGp&z1Q;0tlPrNklv@QIDB?64;T%COLAGS&^n_If=y?XvlieeP9@vU`Kf}Bxzjr;Q z>c*Jmco_xuS*W7c)cgzVb7cC?rwZRdeM|=QX)nl6IbHB+;iXtF!kkVHGVyMk&T#L5 zhY^^Gzos+S17xIo*6VEy+FhDcqR`={36fqA22|4>=*wbj*e_tTSE)g&{|M)rrFMs>w{NjK&~EyBxa7FZbqIO? z@T`wy7~*o|QPAtDnu##*FX)4|l_HA#nW%{(k3x~3pvX_)&w%kOxx^5KDVzOltj$J+ zzFcWmo2P)0pwGtATs*o2JQt54Gw-rMp*%59J1{UgG;@8xXJdKt9XX53QZD6k%1d!s zipz3oMSOO1ERWasjR*7nMauNx@?D^$n~jl*SH-Tns28uP7u4EcRj1uo67XXwtFDwwe*E;uNgM57 i-?&=`T@%=`<_a#4U*_YlfBf?Qzx@f^Qsk!+od5s{1{?JN diff --git a/selftest/knownfail.d/security-descriptors b/selftest/knownfail.d/security-descriptors index 32b1fd11360..3a73e2031e9 100644 --- a/selftest/knownfail.d/security-descriptors +++ b/selftest/knownfail.d/security-descriptors 
@@ -1,13 +1,4 @@ ^samba.tests.security_descriptors.+SDDLvsDescriptorRegistryObjectRights.+ ^samba.tests.security_descriptors.+SDDLvsDescriptorShortOrdinaryAclsNoMungeV4.+ -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_001 -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_002 -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_003 -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_004 -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_016 -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_017 -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_018 -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_019 -samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_020 - +samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.+ -- 2.47.3
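Review bot: in selftest/knownfail.d/security-descriptors, the added entry `samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.+` has no leading `^`, unlike the two context lines above it, and its trailing `.+` now marks every test in the class as a known failure instead of the nine numbered ones it replaces. Suggest anchoring it with `^` to match the neighbouring entries, and stating in the commit message that all vectors left in oversize-acls.json.gz are expected to fail, so the switch from an explicit list to a wildcard reads as intentional.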
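Review bot: the libcli/security/tests/data/oversize-acls.json.gz change is a binary literal (2676 -> 563 bytes per the diffstat), so the statement that every removed vector already exists in the TX integer set cannot be checked from the patch itself. Suggest naming the TX-integer data file and the number of vectors removed in the commit message, so the duplicate claim can be verified against the decompressed JSON.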