libcli/security: test helper script extracts fuzz SDDL

This allows us to try the fuzz seeds as SDDL on Windows, then test
that Samba matches Windows' security descriptors in the cases where
the SDDL compiles. This will find SDDL edge cases that might otherwise
be missed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/security/tests/data/export-sddl-fuzz-seeds-as-json b/libcli/security/tests/data/export-sddl-fuzz-seeds-as-json
new file mode 100755 (executable)
index 0000000..f1e5ae1
--- /dev/null
+++ b/libcli/security/tests/data/export-sddl-fuzz-seeds-as-json
@@ -0,0 +1,49 @@
+#!/usr/bin/python3
+"""USAGE: $ ./export-sddl-fuzz-seeds-as-json DIR [DIR[...]] > x.json
+
+Some of our fuzzers generate SDDL strings with trailing garbage.
+
+This script converts them into the JSON format used by
+windws-sddl-tests.py, though it doesn't parse the SDDL, mapping all
+strings to an empty list. The idea is you can feed this through
+windws-sddl-tests.py or something else to get the correct bytes.
+
+Valid and invalid strings are treated alike, so long as they are
+utf-8. The JSON is un-indented, but structurally equivalent to this:
+
+{
+   "D:P" : [],
+   "yertle" : [],
+   "ł\n¼" : [],
+}
+"""
+from pathlib import Path
+import sys
+import json
+
+
+def main():
+    if {'-h', '--help'}.intersection(sys.argv) or len(sys.argv) < 2:
+        print(__doc__)
+        sys.exit(len(sys.argv) < 2)
+
+    bytes_json = {}
+    for arg in sys.argv[1:]:
+        d = Path(arg)
+        for fn in d.iterdir():
+            with fn.open("rb") as f:
+                b = f.read()
+            # the SDDL string is the nul-terminated portion.
+            if 0 in b:
+                b = b[:b.index(0)]
+            try:
+                s = b.decode()
+            except UnicodeDecodeError:
+                continue
+            bytes_json[s] = []
+
+    out = json.dumps(bytes_json)
+    print(out)
+
+
+main()