mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

pytest: security_descriptors: tests without revision number hack

ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset
of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2
ACL can be called revision 4 without any problem. But not vice versa:
a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The
extra ACE types relate to objects.

Samba currently simplifies things by calling all its ACLs revision 4,
even if (as is commonly the case) the ACLs contain only revision 2 ACEs.
On the other hand, Windows will use revision 2 whenever it can. In other
tests we skip past this by forcing Windows ACLs to v4 before comparison.
This test is to remind us of the incompatibility.

It would not be hard to fix.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall 2023-08-09 14:15:27 +12:00 committed by Andrew Bartlett
parent afec8524bc
commit 7b9462faf0
3 changed files with 10 additions and 0 deletions
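
The revision mismatch the commit message describes, shown at the byte level. This is an added example, not part of the commit or of Samba's code. The function names (`ace_types`, `minimal_revision`, `munge_to_v4`, `build_acl`) are hypothetical, the header layouts and object ACE type values are taken from MS-DTYP, and the sample ACLs are constructed.

```python
import struct

SECURITY_ACL_REVISION_NT4 = 2
SECURITY_ACL_REVISION_ADS = 4
OBJECT_ACE_TYPES = {0x05, 0x06, 0x07, 0x08}  # allowed/denied/audit/alarm object ACEs


def ace_types(acl: bytes) -> list:
    """Walk the ACEs of a binary ACL and return their AceType bytes."""
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    if size < 8 or size > len(acl):
        raise ValueError("AclSize does not fit the buffer")
    types, offset = [], 8
    for _ in range(count):
        if offset + 4 > size:
            raise ValueError("ACE header runs past AclSize")
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", acl, offset)
        if ace_size < 4 or offset + ace_size > size:
            raise ValueError("bad AceSize")
        types.append(ace_type)
        offset += ace_size
    return types


def minimal_revision(acl: bytes) -> int:
    """Lowest revision able to hold these ACEs, ignoring the stored revision byte."""
    if any(t in OBJECT_ACE_TYPES for t in ace_types(acl)):
        return SECURITY_ACL_REVISION_ADS
    return SECURITY_ACL_REVISION_NT4


def munge_to_v4(acl: bytes) -> bytes:
    """Rewrite only the revision byte to 4, leaving the ACEs untouched."""
    return bytes([SECURITY_ACL_REVISION_ADS]) + acl[1:]


def build_acl(revision: int, aces: list) -> bytes:
    """Assemble an ACL header (revision, sbz1, size, count, sbz2) plus ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(aces), 0) + body


# Constructed sample: one ACCESS_ALLOWED ACE for S-1-1-0, stored under each revision.
WORLD_SID = bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0)
ALLOW_ACE = struct.pack("<BBHI", 0x00, 0, 8 + len(WORLD_SID), 0x001F01FF) + WORLD_SID
WINDOWS_ACL = build_acl(SECURITY_ACL_REVISION_NT4, [ALLOW_ACE])
SAMBA_ACL = build_acl(SECURITY_ACL_REVISION_ADS, [ALLOW_ACE])
```

The two sample ACLs differ only in their first byte, so a byte-for-byte comparison fails until the revision is forced to 4.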


@ -148,3 +148,12 @@ class SDDLvsDescriptorOverSizeAcls(SDDLvsDescriptorBase):
ACEs), these cannot currently be parsed by Samba.
"""
json_file = TEST_DIR / 'oversize-acls.json.gz'
@DynamicTestCase
class SDDLvsDescriptorShortOrdinaryAclsNoMungeV4(SDDLvsDescriptorBase):
"""These ones have revision 2 ACLs (NT4), but Samba's SDDL only writes
revision 4 ACLs (which are otherwise identical).
"""
munge_to_v4 = False
json_file = TEST_DIR / 'short-ordinary-acls-v2.json.gz'
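
Review bot: The docstring on SDDLvsDescriptorShortOrdinaryAclsNoMungeV4 says that the ACLs are revision 2 while Samba's SDDL writes revision 4, but it does not say that the comparison is therefore expected to fail, nor what munge_to_v4 = False switches off. The commit message explains both (other tests force the Windows ACLs to v4 before comparing, and this one exists as a reminder of the incompatibility); a sentence to that effect in the docstring, or a short comment on the munge_to_v4 line, would save the next reader from having to find this commit to understand why the class exists.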


@ -1,3 +1,4 @@
^samba.tests.security_descriptors.+SDDLvsDescriptorRegistryObjectRights.+
^samba.tests.security_descriptors.+SDDLvsDescriptorShortOrdinaryAclsNoMungeV4.+
^samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.+
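
Review bot: The pattern added on the second line of this list, for SDDLvsDescriptorShortOrdinaryAclsNoMungeV4, has nothing beside it saying why the test is listed, although the commit message notes that the mismatch "would not be hard to fix". If the list format permits comments, a one-line note naming the revision 2 versus revision 4 difference would tell whoever fixes it that this entry should be dropped in the same change. As a smaller style point, the dots in samba.tests.security_descriptors are unescaped and match any character; this is consistent with the two neighbouring entries, so it is only worth changing for all three together.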