mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
gp: Test modifying firewalld policy enforces changes
Ensure that modifying the firewalld policy and re-applying will enforce the correct policy. Signed-off-by: David Mulder <dmulder@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
217beca6e9
commit
b49d150db9
@ -48,7 +48,8 @@ if __name__ == "__main__":
|
|||||||
elif opts.new_zone:
|
elif opts.new_zone:
|
||||||
if 'zones' not in data:
|
if 'zones' not in data:
|
||||||
data['zones'] = []
|
data['zones'] = []
|
||||||
data['zones'].append(opts.new_zone)
|
if opts.new_zone not in data['zones']:
|
||||||
|
data['zones'].append(opts.new_zone)
|
||||||
elif opts.get_zones:
|
elif opts.get_zones:
|
||||||
if 'zones' in data:
|
if 'zones' in data:
|
||||||
for zone in data['zones']:
|
for zone in data['zones']:
|
||||||
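Review bot: The new `if opts.new_zone not in data['zones']:` guard makes this stub accept a repeated `--new-zone` silently, and nothing in the hunk records why. As far as I know the real firewall-cmd reports a name conflict when the zone already exists, so the stub is now more lenient than the tool it stands in for, and a test run against it cannot notice the extension re-creating zones on every apply. A comment above the guard would make that trade-off explicit, for example `# Idempotent on purpose: re-applying a policy must not duplicate zones`. The same applies to the `opts.add_interface` guard in the next hunk. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.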
@ -70,7 +71,8 @@ if __name__ == "__main__":
|
|||||||
data['zone_interfaces'] = {}
|
data['zone_interfaces'] = {}
|
||||||
if opts.zone not in data['zone_interfaces'].keys():
|
if opts.zone not in data['zone_interfaces'].keys():
|
||||||
data['zone_interfaces'][opts.zone] = []
|
data['zone_interfaces'][opts.zone] = []
|
||||||
data['zone_interfaces'][opts.zone].append(opts.add_interface)
|
if opts.add_interface not in data['zone_interfaces'][opts.zone]:
|
||||||
|
data['zone_interfaces'][opts.zone].append(opts.add_interface)
|
||||||
elif opts.add_rich_rule:
|
elif opts.add_rich_rule:
|
||||||
assert opts.zone
|
assert opts.zone
|
||||||
if 'rules' not in data:
|
if 'rules' not in data:
|
||||||
@ -80,9 +82,11 @@ if __name__ == "__main__":
|
|||||||
# Test rule parsing if firewalld is installed
|
# Test rule parsing if firewalld is installed
|
||||||
if Rich_Rule:
|
if Rich_Rule:
|
||||||
# Parsing failure will throw an exception
|
# Parsing failure will throw an exception
|
||||||
data['rules'][opts.zone].append(str(Rich_Rule(rule_str=opts.add_rich_rule)))
|
rule = str(Rich_Rule(rule_str=opts.add_rich_rule))
|
||||||
else:
|
else:
|
||||||
data['rules'][opts.zone].append(opts.add_rich_rule)
|
rule = opts.add_rich_rule
|
||||||
|
if rule not in data['rules'][opts.zone]:
|
||||||
|
data['rules'][opts.zone].append(rule)
|
||||||
elif opts.remove_rich_rule:
|
elif opts.remove_rich_rule:
|
||||||
assert opts.zone
|
assert opts.zone
|
||||||
assert 'rules' in data
|
assert 'rules' in data
|
||||||
|
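Review bot: The duplicate check on `rule` compares the normalised `str(Rich_Rule(rule_str=...))` form when firewalld is installed but the raw option string otherwise, so one stored state file can end up holding both spellings of the same rule. The `opts.remove_rich_rule` branch continues past the end of this hunk, so it is not visible whether it normalises its argument the same way. If it does not, a rule stored in normalised form would not match on removal and would stay in the stub's rule list, which is worth confirming because the test relies on removals actually taking effect.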
@ -7132,6 +7132,26 @@ class GPOTests(tests.TestCase):
|
|||||||
b'service name="ftp" reject']
|
b'service name="ftp" reject']
|
||||||
self.assertIn(out.strip(), rules, 'Failed to set rich rule')
|
self.assertIn(out.strip(), rules, 'Failed to set rich rule')
|
||||||
|
|
||||||
|
# Check that modifying the policy will enforce the correct settings
|
||||||
|
entries = [e for e in parser.pol_file.entries if e.data != 'home']
|
||||||
|
self.assertEquals(len(entries), len(parser.pol_file.entries)-1,
|
||||||
|
'Failed to remove the home zone entry')
|
||||||
|
parser.pol_file.entries = entries
|
||||||
|
parser.pol_file.num_entries = len(entries)
|
||||||
|
# Stage the Registry.pol file with altered test data
|
||||||
|
unstage_file(reg_pol)
|
||||||
|
ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
|
||||||
|
self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
|
||||||
|
|
||||||
|
# Enforce the altered policy
|
||||||
|
ext.process_group_policy([], gpos)
|
||||||
|
|
||||||
|
# Check that the home zone was removed
|
||||||
|
cmd = [firewall_cmd, '--get-zones']
|
||||||
|
p = Popen(cmd, stdout=PIPE, stderr=PIPE)
|
||||||
|
out, err = p.communicate()
|
||||||
|
self.assertIn(b'work', out, 'Failed to apply zones')
|
||||||
|
self.assertNotIn(b'home', out, 'Failed to apply zones')
|
||||||
|
|
||||||
# Verify RSOP does not fail
|
# Verify RSOP does not fail
|
||||||
ext.rsop([g for g in gpos if g.name == guid][0])
|
ext.rsop([g for g in gpos if g.name == guid][0])
|
||||||
|
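Review bot: `self.assertNotIn(b'home', out, ...)` is a substring test on the raw `--get-zones` output, so it would also fail for an unrelated zone whose name merely contains `home`, and `assertIn(b'work', out)` would pass for one containing `work`. Comparing against the split list is exact: `zones = out.split()`, then `self.assertIn(b'work', zones)` and `self.assertNotIn(b'home', zones)`. `self.assertEquals` is the deprecated unittest alias, which newer Python releases no longer provide unless the project's own TestCase defines it; `assertEqual` is the safe spelling. The block only asserts that the zone name is gone, not that the interfaces and rich rules belonging to the removed zone were dropped as well. The test method starts outside this hunk.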
1
selftest/knownfail.d/gpo
Normal file
1
selftest/knownfail.d/gpo
Normal file
@ -0,0 +1 @@
|
|||||||
|
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_firewalld_ext
|
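Review bot: This entry marks the whole of `test_gp_firewalld_ext` as an expected failure, not only the block added in this commit. While it is listed, a regression in the test's earlier zone, interface and rich-rule assertions would presumably be reported as the expected failure too. The commit that makes policy modification enforce correctly should delete this file in the same change, so the firewall policy checks are not left unguarded longer than needed.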