
gp: Test modifying firewalld policy enforces changes

Ensure that modifying the firewalld policy and
re-applying will enforce the correct policy.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
David Mulder 2023-01-13 11:15:50 -07:00 committed by Andrew Bartlett
parent 217beca6e9
commit b49d150db9
3 changed files with 29 additions and 4 deletions


@ -48,7 +48,8 @@ if __name__ == "__main__":
elif opts.new_zone: elif opts.new_zone:
if 'zones' not in data: if 'zones' not in data:
data['zones'] = [] data['zones'] = []
data['zones'].append(opts.new_zone) if opts.new_zone not in data['zones']:
data['zones'].append(opts.new_zone)
elif opts.get_zones: elif opts.get_zones:
if 'zones' in data: if 'zones' in data:
for zone in data['zones']: for zone in data['zones']:
@ -70,7 +71,8 @@ if __name__ == "__main__":
data['zone_interfaces'] = {} data['zone_interfaces'] = {}
if opts.zone not in data['zone_interfaces'].keys(): if opts.zone not in data['zone_interfaces'].keys():
data['zone_interfaces'][opts.zone] = [] data['zone_interfaces'][opts.zone] = []
data['zone_interfaces'][opts.zone].append(opts.add_interface) if opts.add_interface not in data['zone_interfaces'][opts.zone]:
data['zone_interfaces'][opts.zone].append(opts.add_interface)
elif opts.add_rich_rule: elif opts.add_rich_rule:
assert opts.zone assert opts.zone
if 'rules' not in data: if 'rules' not in data:
@ -80,9 +82,11 @@ if __name__ == "__main__":
# Test rule parsing if firewalld is installed # Test rule parsing if firewalld is installed
if Rich_Rule: if Rich_Rule:
# Parsing failure will throw an exception # Parsing failure will throw an exception
data['rules'][opts.zone].append(str(Rich_Rule(rule_str=opts.add_rich_rule))) rule = str(Rich_Rule(rule_str=opts.add_rich_rule))
else: else:
data['rules'][opts.zone].append(opts.add_rich_rule) rule = opts.add_rich_rule
if rule not in data['rules'][opts.zone]:
data['rules'][opts.zone].append(rule)
elif opts.remove_rich_rule: elif opts.remove_rich_rule:
assert opts.zone assert opts.zone
assert 'rules' in data assert 'rules' in data
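Review bot: The "append only if absent" check is now spelled out three times in this file — on `data['zones']`, on `data['zone_interfaces'][opts.zone]`, and on `data['rules'][opts.zone]` in this hunk — and a two-line helper, `def _append_unique(items, value):` / `    if value not in items: items.append(value)`, called from all three branches would keep them from drifting apart. In the rules branch the de-duplication compares the normalized `str(Rich_Rule(...))` form only when firewalld is importable, so a state file written without firewalld and re-read with it may keep both spellings of one rule; that is presumably fine for a test helper, but a one-line comment saying so would save the next reader the question. The enclosing `if __name__ == "__main__":` block starts outside this hunk.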


@ -7132,6 +7132,26 @@ class GPOTests(tests.TestCase):
b'service name="ftp" reject'] b'service name="ftp" reject']
self.assertIn(out.strip(), rules, 'Failed to set rich rule') self.assertIn(out.strip(), rules, 'Failed to set rich rule')
# Check that modifying the policy will enforce the correct settings
entries = [e for e in parser.pol_file.entries if e.data != 'home']
self.assertEquals(len(entries), len(parser.pol_file.entries)-1,
'Failed to remove the home zone entry')
parser.pol_file.entries = entries
parser.pol_file.num_entries = len(entries)
# Stage the Registry.pol file with altered test data
unstage_file(reg_pol)
ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
# Enforce the altered policy
ext.process_group_policy([], gpos)
# Check that the home zone was removed
cmd = [firewall_cmd, '--get-zones']
p = Popen(cmd, stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertIn(b'work', out, 'Failed to apply zones')
self.assertNotIn(b'home', out, 'Failed to apply zones')
# Verify RSOP does not fail # Verify RSOP does not fail
ext.rsop([g for g in gpos if g.name == guid][0]) ext.rsop([g for g in gpos if g.name == guid][0])
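Review bot: The new assertion `self.assertEquals(len(entries), len(parser.pol_file.entries)-1,` uses the deprecated `assertEquals` alias, which Python 3.12 removes, while the surrounding lines use the current names; `self.assertEqual(...)` keeps the test consistent and future-proof. The `--get-zones` run only inspects `out`, so a firewall-cmd that exits non-zero with empty output would be reported as the less specific 'Failed to apply zones'; adding `self.assertEqual(p.returncode, 0, err)` right after `out, err = p.communicate()` pins the failure to the right cause. The test method test_gp_firewalld_ext starts outside this hunk.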

selftest/knownfail.d/gpo Normal file

@ -0,0 +1 @@
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_firewalld_ext