gp: Test modifying firewalld policy enforces changes
Ensure that modifying the firewalld policy and re-applying will enforce the correct policy. Signed-off-by: David Mulder <dmulder@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
217beca6e9
commit
b49d150db9
@ -48,7 +48,8 @@ if __name__ == "__main__":
|
||||
elif opts.new_zone:
|
||||
if 'zones' not in data:
|
||||
data['zones'] = []
|
||||
data['zones'].append(opts.new_zone)
|
||||
if opts.new_zone not in data['zones']:
|
||||
data['zones'].append(opts.new_zone)
|
||||
elif opts.get_zones:
|
||||
if 'zones' in data:
|
||||
for zone in data['zones']:
|
||||
@ -70,7 +71,8 @@ if __name__ == "__main__":
|
||||
data['zone_interfaces'] = {}
|
||||
if opts.zone not in data['zone_interfaces'].keys():
|
||||
data['zone_interfaces'][opts.zone] = []
|
||||
data['zone_interfaces'][opts.zone].append(opts.add_interface)
|
||||
if opts.add_interface not in data['zone_interfaces'][opts.zone]:
|
||||
data['zone_interfaces'][opts.zone].append(opts.add_interface)
|
||||
elif opts.add_rich_rule:
|
||||
assert opts.zone
|
||||
if 'rules' not in data:
|
||||
@ -80,9 +82,11 @@ if __name__ == "__main__":
|
||||
# Test rule parsing if firewalld is installed
|
||||
if Rich_Rule:
|
||||
# Parsing failure will throw an exception
|
||||
data['rules'][opts.zone].append(str(Rich_Rule(rule_str=opts.add_rich_rule)))
|
||||
rule = str(Rich_Rule(rule_str=opts.add_rich_rule))
|
||||
else:
|
||||
data['rules'][opts.zone].append(opts.add_rich_rule)
|
||||
rule = opts.add_rich_rule
|
||||
if rule not in data['rules'][opts.zone]:
|
||||
data['rules'][opts.zone].append(rule)
|
||||
elif opts.remove_rich_rule:
|
||||
assert opts.zone
|
||||
assert 'rules' in data
|
||||
|
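Review bot: The membership test added in the `--add-rich-rule` branch compares `rule` in two different forms, the `str(Rich_Rule(...))` rendering when firewalld's parser is importable and the raw `opts.add_rich_rule` text otherwise, so whether a re-applied rule counts as a duplicate depends on the host the selftest runs on. The `--remove-rich-rule` branch continues outside the hunk; if it does not normalise the same way, a rule stored in canonical form may never match the removal request and the stub would keep a rule the policy no longer contains. A comment above the assignment would record the intent, e.g. `# canonical form when firewalld is available; add and remove must compare the same form`. The same skip-if-present pattern is added for zones and interfaces in the two earlier hunks, and it is worth confirming that silently accepting a duplicate matches what the real firewall-cmd reports, since the stub would otherwise hide an error path the extension meets outside the test.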
@ -7132,6 +7132,26 @@ class GPOTests(tests.TestCase):
|
||||
b'service name="ftp" reject']
|
||||
self.assertIn(out.strip(), rules, 'Failed to set rich rule')
|
||||
|
||||
# Check that modifying the policy will enforce the correct settings
|
||||
entries = [e for e in parser.pol_file.entries if e.data != 'home']
|
||||
self.assertEquals(len(entries), len(parser.pol_file.entries)-1,
|
||||
'Failed to remove the home zone entry')
|
||||
parser.pol_file.entries = entries
|
||||
parser.pol_file.num_entries = len(entries)
|
||||
# Stage the Registry.pol file with altered test data
|
||||
unstage_file(reg_pol)
|
||||
ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
|
||||
self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
|
||||
|
||||
# Enforce the altered policy
|
||||
ext.process_group_policy([], gpos)
|
||||
|
||||
# Check that the home zone was removed
|
||||
cmd = [firewall_cmd, '--get-zones']
|
||||
p = Popen(cmd, stdout=PIPE, stderr=PIPE)
|
||||
out, err = p.communicate()
|
||||
self.assertIn(b'work', out, 'Failed to apply zones')
|
||||
self.assertNotIn(b'home', out, 'Failed to apply zones')
|
||||
|
||||
# Verify RSOP does not fail
|
||||
ext.rsop([g for g in gpos if g.name == guid][0])
|
||||
|
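Review bot: The zone checks at the end of the hunk match substrings of the raw `--get-zones` output, so `assertNotIn(b'home', out, ...)` also fails on any other zone whose name contains `home`, and `assertIn(b'work', out, ...)` passes on one that merely contains `work`; comparing whole names is stricter, e.g. `zones = out.split()` followed by `self.assertNotIn(b'home', zones, 'Failed to remove the home zone')`. Both assertions carry the message 'Failed to apply zones', which does not tell a reader of the failure log that the removal was the part that failed, and `p.returncode` and `err` are never examined. `self.assertEquals` is a deprecated alias that Python 3.12 removed, so `self.assertEqual(len(entries), len(parser.pol_file.entries)-1, ...)` keeps the test runnable there. The enclosing test method starts outside the hunk.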
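--- a/selftest/knownfail.d/gpo
+++ b/selftest/knownfail.d/gpo
@@ -0,0 +1 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_firewalld_ext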