From ca60a0cb1751788d8cc688ad70f690ad099b2193 Mon Sep 17 00:00:00 2001
From: David Mulder
Date: Mon, 21 Dec 2020 13:14:41 -0700
Subject: [PATCH] samba-tool: Test gpo manage vgp sudoers list command

Signed-off-by: David Mulder
Reviewed-by: Jeremy Allison
---
 python/samba/netcmd/gpo.py | 35 +-----------------
 python/samba/tests/samba_tool/gpo.py | 54 ++++++++++++++++++----------
 selftest/knownfail.d/gpo | 1 +
 3 files changed, 37 insertions(+), 53 deletions(-)
 create mode 100644 selftest/knownfail.d/gpo

diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index 33069200a44..f34f814e3dc 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -1770,40 +1770,7 @@ samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9}
     takes_args = ["gpo"]
 
     def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
-        self.lp = sambaopts.get_loadparm()
-        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
-
-        # We need to know writable DC to setup SMB connection
-        if H and H.startswith('ldap://'):
-            dc_hostname = H[7:]
-            self.url = H
-        else:
-            dc_hostname = netcmd_finddc(self.lp, self.creds)
-            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
-
-        # SMB connect to DC
-        conn = smb_connection(dc_hostname,
-                              'sysvol',
-                              lp=self.lp,
-                              creds=self.creds)
-
-        realm = self.lp.get('realm')
-        pol_file = '\\'.join([realm.lower(), 'Policies', gpo,
-                              'MACHINE\\Registry.pol'])
-        try:
-            pol_data = ndr_unpack(preg.file, conn.loadfile(pol_file))
-        except NTSTATUSError as e:
-            if e.args[0] == 0xC0000033: # STATUS_OBJECT_NAME_INVALID
-                return # The file doesn't exist, so there is nothing to list
-            if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
-                raise CommandError("The authenticated user does "
-                                   "not have sufficient privileges")
-            raise
-
-        keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
-        for entry in pol_data.entries:
-            if get_bytes(entry.keyname) == keyname:
-                self.outf.write('%s\n' % entry.data)
+        pass
 
 class cmd_remove_sudoers(Command):
     """Removes a Samba Sudoers Group Policy from the sysvol
diff --git a/python/samba/tests/samba_tool/gpo.py b/python/samba/tests/samba_tool/gpo.py
index 588c63a703c..0b420bb0f33 100644
--- a/python/samba/tests/samba_tool/gpo.py
+++ b/python/samba/tests/samba_tool/gpo.py
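Review bot: The new `pass` body makes `samba-tool gpo manage sudoers list` exit successfully with empty output, so until the VGP implementation lands a caller cannot tell "no sudoers entries" from "not implemented", and the `H`, `sambaopts` and `credopts` parameters are now unused. A marker would keep the stub from being read as a deliberate no-op, e.g. `# TODO: reimplement against Machine/VGP/VTLA/Sudo/SudoersConfiguration/manifest.xml (test is in selftest/knownfail.d/gpo until then)`. When the body is rewritten, the removed handling that turned STATUS_ACCESS_DENIED (0xC0000022) into a `CommandError` should be carried over, so that a policy file the caller cannot read is reported as a permission failure rather than as an empty listing; only the STATUS_OBJECT_NAME_INVALID (0xC0000033) case should stay silent. The enclosing command class continues outside the hunk.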
@@ -783,32 +783,48 @@ class GpoCmdTestCase(SambaToolCmdTest):
         lp = LoadParm()
         lp.load(os.environ['SERVERCONFFILE'])
         local_path = lp.get('path', 'sysvol')
-        reg_pol = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
-                               self.gpo_guid, 'Machine/Registry.pol')
+        vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
+                               self.gpo_guid, 'Machine/VGP/VTLA/Sudo',
+                               'SudoersConfiguration/manifest.xml')
 
-        # Stage the Registry.pol file with test data
-        stage = preg.file()
-        e = preg.entry()
-        e.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
-        e.valuename = b'Software\\Policies\\Samba\\Unix Settings'
-        e.type = 1
-        e.data = b'fakeu ALL=(ALL) NOPASSWD: ALL'
-        stage.num_entries = 1
-        stage.entries = [e]
-        ret = stage_file(reg_pol, ndr_pack(stage))
-        self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+        stage = etree.Element('vgppolicy')
+        policysetting = etree.SubElement(stage, 'policysetting')
+        pv = etree.SubElement(policysetting, 'version')
+        pv.text = '1'
+        name = etree.SubElement(policysetting, 'name')
+        name.text = 'Sudo Policy'
+        description = etree.SubElement(policysetting, 'description')
+        description.text = 'Sudoers File Configuration Policy'
+        apply_mode = etree.SubElement(policysetting, 'apply_mode')
+        apply_mode.text = 'merge'
+        data = etree.SubElement(policysetting, 'data')
+        load_plugin = etree.SubElement(data, 'load_plugin')
+        load_plugin.text = 'true'
+        sudoers_entry = etree.SubElement(data, 'sudoers_entry')
+        command = etree.SubElement(sudoers_entry, 'command')
+        command.text = 'ALL'
+        user = etree.SubElement(sudoers_entry, 'user')
+        user.text = 'ALL'
+        listelement = etree.SubElement(sudoers_entry, 'listelement')
+        principal = etree.SubElement(listelement, 'principal')
+        principal.text = 'fakeu'
+        principal.attrib['type'] = 'user'
+        ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
+        self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
 
-        (result, out, err) = self.runsublevelcmd("gpo", ("manage", "sudoers",
-                                                 "list"), self.gpo_guid,
-                                                 "-H", "ldap://%s" %
+        sudoer = 'fakeu ALL=(ALL) NOPASSWD: ALL'
+        (result, out, err) = self.runsublevelcmd("gpo", ("manage",
+                                                 "sudoers", "list"),
+                                                 self.gpo_guid, "-H",
+                                                 "ldap://%s" %
                                                  os.environ["SERVER"],
                                                  "-U%s%%%s" %
                                                  (os.environ["USERNAME"],
                                                  os.environ["PASSWORD"]))
-        self.assertIn(e.data, out, 'The test entry was not found!')
+        self.assertIn(sudoer, out, 'The test entry was not found!')
 
-        # Unstage the Registry.pol file
-        unstage_file(reg_pol)
+        # Unstage the manifest.xml file
+        unstage_file(vgp_xml)
 
     def test_symlink_list(self):
         lp = LoadParm()
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
new file mode 100644
index 00000000000..895780383fb
--- /dev/null
+++ b/selftest/knownfail.d/gpo
@@ -0,0 +1 @@
+^samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_vgp_sudoers_list
-- 
2.47.3
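Review bot: The staged manifest.xml is only removed by the trailing `unstage_file(vgp_xml)`, so if `stage_file` succeeds but `assertIn` fails the sudoers manifest is left in sysvol for every later test in the class; registering the cleanup right after staging, `self.addCleanup(unstage_file, vgp_xml)`, closes that gap. The expected line `fakeu ALL=(ALL) NOPASSWD: ALL` asserts a passwordless rule, yet the staged `sudoers_entry` only carries `command`, `user` and `listelement`/`principal`; if the VGP schema has an explicit element for that flag, the fixture should set it so the test pins this security-relevant default instead of inheriting it from the implementation. `result` is unpacked but never checked, so a non-zero exit status still passes as long as the text appears in `out`. The enclosing test method starts above this hunk.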