mirror of
https://github.com/samba-team/samba.git
synced 2025-01-10 01:18:15 +03:00
pytest:samba-tool domain kds root-key: test with normal user
It would be bad if samba-tool let ordinary users read root-key secrets. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Mar 4 03:20:46 UTC 2024 on atb-devel-224
This commit is contained in:
parent
ccfa16e2ec
commit
9b0330ea3f
@ -39,6 +39,9 @@ HOST = "ldap://{DC_SERVER}".format(**os.environ)
|
||||
CREDS = "-U{DC_USERNAME}%{DC_PASSWORD}".format(**os.environ)
|
||||
SMBCONF = os.environ['SERVERCONFFILE']
|
||||
|
||||
# alice%Secret007
|
||||
NON_ADMIN_CREDS = "-U{DOMAIN_USER}%{DOMAIN_USER_PASSWORD}".format(**os.environ)
|
||||
|
||||
TIMESTAMP_RE = r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+00:00'
|
||||
|
||||
NOWISH = 'about now'
|
||||
@ -500,6 +503,22 @@ class KdsRootKeyTests(KdsRootKeyTestsBase):
|
||||
f"created root key {new_guids[0]}, usable from {TIMESTAMP_RE}")
|
||||
self._delete_root_key(new_guids[0])
|
||||
|
||||
def test_create_json_non_admin(self):
|
||||
"""can you create a root-key without being admin?"""
|
||||
pre_create = self._get_root_key_guids()
|
||||
|
||||
result, out, err = self.runcmd("domain", "kds", "root-key", "create",
|
||||
"-H", HOST, NON_ADMIN_CREDS, "--json")
|
||||
self.assertCmdFail(result)
|
||||
|
||||
post_create = self._get_root_key_guids()
|
||||
|
||||
self.assertEqual(set(pre_create), set(post_create))
|
||||
data = json.loads(out)
|
||||
self.assertEqual(data['status'], 'error')
|
||||
self.assertEqual(data['message'], 'User has insufficient access rights')
|
||||
self.assertEqual(err, "", "not expecting stderr messages")
|
||||
|
||||
def test_create_json_1997(self):
|
||||
"""does create work?"""
|
||||
pre_create = self._get_root_key_guids()
|
||||
@ -640,6 +659,81 @@ class KdsRootKeyTests(KdsRootKeyTestsBase):
|
||||
self.assertIn(guid, pre_names)
|
||||
self.assertNotIn(guid, post_names)
|
||||
|
||||
def test_delete_non_admin(self):
|
||||
"""does delete as non-admin fail?"""
|
||||
# make one to delete, and get the list as JSON
|
||||
_guid, dn, _created, _used = self._create_root_key_timediff()
|
||||
guid = str(_guid)
|
||||
|
||||
result, out, err = self.runcmd("domain", "kds", "root-key", "list", "--json",
|
||||
"-H", HOST, CREDS)
|
||||
pre_delete = json.loads(out)
|
||||
|
||||
result, out, err = self.runcmd("domain", "kds", "root-key", "delete",
|
||||
"-H", HOST, NON_ADMIN_CREDS,
|
||||
"--name", guid)
|
||||
self.assertCmdFail(result)
|
||||
self.assertIn(f"ERROR: no such root key: {guid}", err)
|
||||
|
||||
# a bad guid should be just like a good guid
|
||||
guid2 = 'eeeeeeee-1111-eeee-1111-000000000000'
|
||||
result, out2, err2 = self.runcmd("domain", "kds", "root-key", "delete",
|
||||
"-H", HOST, NON_ADMIN_CREDS,
|
||||
"--name", guid2)
|
||||
self.assertCmdFail(result)
|
||||
self.assertIn(f"ERROR: no such root key: {guid2}", err2)
|
||||
|
||||
result, out, err = self.runcmd("domain", "kds", "root-key", "list", "--json",
|
||||
"-H", HOST, CREDS)
|
||||
post_delete = json.loads(out)
|
||||
|
||||
self.assertEqual(len(pre_delete), len(post_delete))
|
||||
|
||||
post_names = [x['name'] for x in post_delete]
|
||||
pre_names = [x['name'] for x in pre_delete]
|
||||
|
||||
self.assertIn(guid, pre_names)
|
||||
self.assertIn(guid, post_names)
|
||||
|
||||
def test_list_non_admin(self):
|
||||
"""There are root keys, but non-admins can't see them"""
|
||||
result, out, err = self.runcmd("domain", "kds", "root-key", "list",
|
||||
"-H", HOST, NON_ADMIN_CREDS)
|
||||
self.assertCmdSuccess(result, out, err)
|
||||
self.assertEqual(err, "", "not expecting error messages")
|
||||
self.assertEqual(out, "no root keys found.\n")
|
||||
|
||||
def test_list_json_non_admin(self):
|
||||
"""Insufficient rights should look like an empty list."""
|
||||
# this is a copy of the KdsNoRootKeyTests test below --
|
||||
# non-admin should look exactly like an empty list.
|
||||
for extra in ([], ["-v"]):
|
||||
result, out, err = self.runcmd("domain", "kds", "root-key", "list",
|
||||
"-H", HOST, NON_ADMIN_CREDS, "--json", *extra)
|
||||
self.assertCmdSuccess(result, out, err)
|
||||
self.assertEqual(err, "", "not expecting error messages")
|
||||
data = json.loads(out)
|
||||
self.assertEqual(data, [])
|
||||
|
||||
def test_view_key_non_admin(self):
|
||||
"""should not appear to non-admin"""
|
||||
guid, dn, _created, _used = self._create_root_key_timediff_cleanup()
|
||||
|
||||
result, out, err = self.runcmd("domain", "kds", "root-key", "view",
|
||||
"--json",
|
||||
"--name", str(guid),
|
||||
"-H", HOST, NON_ADMIN_CREDS)
|
||||
self.assertCmdFail(result)
|
||||
self.assertEqual(err, "", "not expecting error messages")
|
||||
data = json.loads(out)
|
||||
data = json.loads(out)
|
||||
self.assertEqual(
|
||||
data,
|
||||
{
|
||||
"message": f"no such root key: {guid}",
|
||||
"status": "error"
|
||||
})
|
||||
|
||||
|
||||
class KdsNoRootKeyTests(KdsRootKeyTestsBase):
|
||||
"""Here we test the case were there are no root keys, which we need to
|
||||
@ -679,6 +773,17 @@ class KdsNoRootKeyTests(KdsRootKeyTestsBase):
|
||||
data = json.loads(out)
|
||||
self.assertEqual(data, [])
|
||||
|
||||
def test_list_empty_json_non_admin(self):
|
||||
"""Insufficient rights should look like an empty list."""
|
||||
# verbose flag makes no difference here.
|
||||
for extra in ([], ["-v"]):
|
||||
result, out, err = self.runcmd("domain", "kds", "root-key", "list",
|
||||
"-H", HOST, NON_ADMIN_CREDS, "--json", *extra)
|
||||
self.assertCmdSuccess(result, out, err)
|
||||
self.assertEqual(err, "", "not expecting error messages")
|
||||
data = json.loads(out)
|
||||
self.assertEqual(data, [])
|
||||
|
||||
def test_view_latest_non_existent(self):
|
||||
"""With no root keys, --latest should return an error"""
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user