From b49d150db9aca415f8473f785291c4c87300416e Mon Sep 17 00:00:00 2001
From: David Mulder
Date: Fri, 13 Jan 2023 11:15:50 -0700
Subject: [PATCH] gp: Test modifying firewalld policy enforces changes

Ensure that modifying the firewalld policy and re-applying will enforce the correct policy.

Signed-off-by: David Mulder
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/bin/firewall-cmd | 12 ++++++++----
 python/samba/tests/gpo.py | 20 ++++++++++++++++++++
 selftest/knownfail.d/gpo | 1 +
 3 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 selftest/knownfail.d/gpo

diff --git a/python/samba/tests/bin/firewall-cmd b/python/samba/tests/bin/firewall-cmd
index 503ae9a772c..3bc69da6cb8 100755
--- a/python/samba/tests/bin/firewall-cmd
+++ b/python/samba/tests/bin/firewall-cmd
@@ -48,7 +48,8 @@ if __name__ == "__main__":
 elif opts.new_zone:
 if 'zones' not in data:
 data['zones'] = []
- data['zones'].append(opts.new_zone)
+ if opts.new_zone not in data['zones']:
+ data['zones'].append(opts.new_zone)
 elif opts.get_zones:
 if 'zones' in data:
 for zone in data['zones']:
@@ -70,7 +71,8 @@ if __name__ == "__main__":
 data['zone_interfaces'] = {}
 if opts.zone not in data['zone_interfaces'].keys():
 data['zone_interfaces'][opts.zone] = []
- data['zone_interfaces'][opts.zone].append(opts.add_interface)
+ if opts.add_interface not in data['zone_interfaces'][opts.zone]:
+ data['zone_interfaces'][opts.zone].append(opts.add_interface)
 elif opts.add_rich_rule:
 assert opts.zone
 if 'rules' not in data:
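Review bot: The new guard `+ if opts.new_zone not in data['zones']:` makes the stub accept a repeated `--new-zone` silently, which is what the re-apply test needs, but nothing records that this is deliberately more lenient than the real firewall-cmd, which returns a conflict error for a zone that already exists; the `--add-interface` guard in the -70 hunk has the same gap. A comment above the first guard such as `# Re-applying policy repeats these calls; the stub tolerates duplicates the real tool would reject` would stop a later reader from taking a green run as proof that the extension handles that error path. As a point of style, the create-then-test pair `if 'zones' not in data: data['zones'] = []` followed by the membership check reads more simply as `zones = data.setdefault('zones', [])` and `if opts.new_zone not in zones: zones.append(opts.new_zone)`. The `if __name__ == "__main__":` block these lines belong to starts before the hunk and continues after it.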
@@ -80,9 +82,11 @@ if __name__ == "__main__":
 # Test rule parsing if firewalld is installed
 if Rich_Rule:
 # Parsing failure will throw an exception
- data['rules'][opts.zone].append(str(Rich_Rule(rule_str=opts.add_rich_rule)))
+ rule = str(Rich_Rule(rule_str=opts.add_rich_rule))
 else:
- data['rules'][opts.zone].append(opts.add_rich_rule)
+ rule = opts.add_rich_rule
+ if rule not in data['rules'][opts.zone]:
+ data['rules'][opts.zone].append(rule)
 elif opts.remove_rich_rule:
 assert opts.zone
 assert 'rules' in data
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index eb1b53a7833..13cc435b20f 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -7132,6 +7132,26 @@ class GPOTests(tests.TestCase):
 b'service name="ftp" reject']
 self.assertIn(out.strip(), rules, 'Failed to set rich rule')
+ # Check that modifying the policy will enforce the correct settings
+ entries = [e for e in parser.pol_file.entries if e.data != 'home']
+ self.assertEquals(len(entries), len(parser.pol_file.entries)-1,
+ 'Failed to remove the home zone entry')
+ parser.pol_file.entries = entries
+ parser.pol_file.num_entries = len(entries)
+ # Stage the Registry.pol file with altered test data
+ unstage_file(reg_pol)
+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+
+ # Enforce the altered policy
+ ext.process_group_policy([], gpos)
+
+ # Check that the home zone was removed
+ cmd = [firewall_cmd, '--get-zones']
+ p = Popen(cmd, stdout=PIPE, stderr=PIPE)
+ out, err = p.communicate()
+ self.assertIn(b'work', out, 'Failed to apply zones')
+ self.assertNotIn(b'home', out, 'Failed to apply zones')
 # Verify RSOP does not fail
 ext.rsop([g for g in gpos if g.name == guid][0])
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
new file mode 100644
index 00000000000..74e2de0dd39
--- /dev/null
+++ b/selftest/knownfail.d/gpo
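Review bot: The duplicate check `+ if rule not in data['rules'][opts.zone]:` compares the normalised form only when `Rich_Rule` could be imported; in the `else:` branch it compares the raw argument, so the same rich rule written with different spacing or attribute order is dropped as a duplicate on a host with python-firewall and stored twice on one without it. That makes the outcome of a re-apply test depend on what is installed on the build host rather than on the extension under test. If the difference is intended, say so at the guard, e.g. `# Without firewalld the comparison is textual only; equivalent rules may be stored twice`; otherwise at least collapse whitespace in the `else:` branch before comparing. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.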
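Review bot: `self.assertEquals(len(entries), len(parser.pol_file.entries)-1, ...)` uses the deprecated alias, which was removed in Python 3.12; change it to `self.assertEqual(len(entries), len(parser.pol_file.entries) - 1,`. The re-apply check then inspects only `--get-zones`, so if re-applying the altered policy also dropped the rich rules the preceding context line asserts (or whatever else the earlier, unchanged part of the test configured), nothing here would notice; querying those once more after `ext.process_group_policy([], gpos)` would make the enforcement assertion cover the whole policy rather than the one removed zone. `err` from `p.communicate()` is unused and would be useful in the `assertIn`/`assertNotIn` messages when the stub fails. The test method this hunk belongs to begins and ends outside the hunk.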
@@ -0,0 +1 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_firewalld_ext
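Review bot: The knownfail pattern `^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_firewalld_ext` is a regex with unescaped dots and no trailing anchor, so it also matches any future test whose name merely starts with `test_gp_firewalld_ext`; `^samba\.tests\.gpo\.samba\.tests\.gpo\.GPOTests\.test_gp_firewalld_ext$` pins it to this one test. Adding the test and marking it as a known failure in the same commit presumably means the extension does not yet remove a zone that was dropped from policy, and a follow-up change is expected to delete this entry; if the knownfail format accepts `#` comment lines, a one-line comment naming that expectation would keep the entry from outliving the fix.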