s3:selftest: Add test for virus scanner

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)

selftest/knownfail.d/virus_scanner

@@ -0,0 +1,2 @@
+^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')

selftest/target/Samba3.pm

@@ -1694,6 +1694,9 @@ sub setup_fileserver
 	my $veto_sharedir="$share_dir/veto";
 	push(@dirs,$veto_sharedir);
 
+	my $virusfilter_sharedir="$share_dir/virusfilter";
+	push(@dirs,$virusfilter_sharedir);
+
 	my $ip4 = Samba::get_ipv4_addr("FILESERVER");
 	my $fileserver_options = "
 	kernel change notify = yes
@@ -1818,6 +1821,15 @@ sub setup_fileserver
 	path = $veto_sharedir
 	delete veto files = yes
 
+[virusfilter]
+	path = $virusfilter_sharedir
+	vfs objects = acl_xattr virusfilter
+	virusfilter:scanner = dummy
+	virusfilter:min file size = 0
+	virusfilter:infected files = *infected*
+	virusfilter:infected file action = rename
+	virusfilter:scan on close = yes
+
 [homes]
 	comment = Home directories
 	browseable = No

source3/script/tests/test_virus_scanner.sh

@@ -0,0 +1,124 @@
+#!/bin/sh
+# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
+# shellcheck disable=1091
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
+EOF
+exit 1;
+fi
+
+SERVER_IP=${1}
+SHARE=${2}
+LOCAL_PATH=${3}
+SMBCLIENT=${4}
+
+SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
+
+failed=0
+sharedir="${LOCAL_PATH}/${SHARE}"
+
+incdir="$(dirname "$0")/../../../testprogs/blackbox"
+. "${incdir}/subunit.sh"
+
+check_infected_read()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! touch "${sharedir}/infected.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/infected.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
+
+    # check that virusfilter:rename prefix/suffix was added
+    if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
+        echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
+        return 1
+    fi
+
+    # check that file was not downloaded
+    if [ -f "${sharedir}/infected.download.txt" ]; then
+        echo "ERROR: {sharedir}/infected.download.txt should not exist."
+        return 1
+    fi
+
+    return 0
+}
+
+check_infected_write()
+{
+    rm -rf "${sharedir:?}"/*
+    smbfile=infected.upload.txt
+    smbfilerenamed="virusfilter.${smbfile}.infected"
+
+    # non empty file is needed
+    # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
+    if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/infected.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
+
+    # check that virusfilter:rename prefix/suffix was added
+    if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
+        echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
+        return 1
+    fi
+
+    # check that file was not uploaded
+    if [ -f "${sharedir}/infected.upload.txt" ]; then
+        echo "ERROR: {sharedir}/${smbfile} should not exist."
+        return 1
+    fi
+
+    return 0
+}
+
+check_healthy_read()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
+
+    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
+        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
+        return 1
+    fi
+
+    return 0
+}
+
+check_healthy_write()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
+
+    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
+        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
+        return 1
+    fi
+
+    return 0
+}
+
+testit "check_infected_read"  check_infected_read  || failed=$((failed + 1))
+testit "check_infected_write" check_infected_write || failed=$((failed + 1))
+testit "check_healthy_read"   check_healthy_read   || failed=$((failed + 1))
+testit "check_healthy_write"  check_healthy_write  || failed=$((failed + 1))
+
+testok "$0" "$failed"

source3/selftest/tests.py

@@ -1248,6 +1248,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
                '$SERVER_IP',
                "tmp"])
 
+env = 'fileserver'
+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
+              [os.path.join(samba3srcdir,
+                            "script/tests/test_virus_scanner.sh"),
+               '$SERVER_IP',
+               "virusfilter",
+               '$LOCAL_PATH',
+               smbclient3])
+
 for env in ['fileserver', 'simpleserver']:
     plantestsuite("samba3.blackbox.smbclient.encryption", env,
                   [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),