From babfb2279544a0052a02898ab25eee19fee3566c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 15:35:48 +0100
Subject: [PATCH] s3:selftest: Add test for virus scanner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
---
 selftest/knownfail.d/virus_scanner         |   2 +
 selftest/target/Samba3.pm                  |  12 ++
 source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++
 source3/selftest/tests.py                  |   9 ++
 4 files changed, 147 insertions(+)
 create mode 100644 selftest/knownfail.d/virus_scanner
 create mode 100755 source3/script/tests/test_virus_scanner.sh

diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
new file mode 100644
index 00000000000..6df3fd20627
--- /dev/null
+++ b/selftest/knownfail.d/virus_scanner
@@ -0,0 +1,2 @@
+^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 306783931e0..baec3347c7d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1463,6 +1463,9 @@ sub setup_fileserver
 	my $veto_sharedir="$share_dir/veto";
 	push(@dirs,$veto_sharedir);
 
+	my $virusfilter_sharedir="$share_dir/virusfilter";
+	push(@dirs,$virusfilter_sharedir);
+
 	my $ip4 = Samba::get_ipv4_addr("FILESERVER");
 	my $fileserver_options = "
 	kernel change notify = yes
@@ -1588,6 +1591,15 @@ sub setup_fileserver
 	path = $veto_sharedir
 	delete veto files = yes
 
+[virusfilter]
+	path = $virusfilter_sharedir
+	vfs objects = acl_xattr virusfilter
+	virusfilter:scanner = dummy
+	virusfilter:min file size = 0
+	virusfilter:infected files = *infected*
+	virusfilter:infected file action = rename
+	virusfilter:scan on close = yes
+
 [homes]
 	comment = Home directories
 	browseable = No
diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
new file mode 100755
index 00000000000..2234ea6ca89
--- /dev/null
+++ b/source3/script/tests/test_virus_scanner.sh
@@ -0,0 +1,124 @@
+#!/bin/sh
+# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
+# shellcheck disable=1091
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
+EOF
+exit 1;
+fi
+
+SERVER_IP=${1}
+SHARE=${2}
+LOCAL_PATH=${3}
+SMBCLIENT=${4}
+
+SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
+
+failed=0
+sharedir="${LOCAL_PATH}/${SHARE}"
+
+incdir="$(dirname "$0")/../../../testprogs/blackbox"
+. "${incdir}/subunit.sh"
+
+check_infected_read()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! touch "${sharedir}/infected.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/infected.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
+
+    # check that virusfilter:rename prefix/suffix was added
+    if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
+        echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
+        return 1
+    fi
+
+    # check that file was not downloaded
+    if [ -f "${sharedir}/infected.download.txt" ]; then
+        echo "ERROR: {sharedir}/infected.download.txt should not exist."
+        return 1
+    fi
+
+    return 0
+}
+
+check_infected_write()
+{
+    rm -rf "${sharedir:?}"/*
+    smbfile=infected.upload.txt
+    smbfilerenamed="virusfilter.${smbfile}.infected"
+
+    # non empty file is needed
+    # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
+    if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/infected.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
+
+    # check that virusfilter:rename prefix/suffix was added
+    if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
+        echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
+        return 1
+    fi
+
+    # check that file was not uploaded
+    if [ -f "${sharedir}/infected.upload.txt" ]; then
+        echo "ERROR: {sharedir}/${smbfile} should not exist."
+        return 1
+    fi
+
+    return 0
+}
+
+check_healthy_read()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
+
+    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
+        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
+        return 1
+    fi
+
+    return 0
+}
+
+check_healthy_write()
+{
+    rm -rf "${sharedir:?}"/*
+
+    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+        return 1
+    fi
+
+    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
+
+    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
+        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
+        return 1
+    fi
+
+    return 0
+}
+
+testit "check_infected_read"  check_infected_read  || failed=$((failed + 1))
+testit "check_infected_write" check_infected_write || failed=$((failed + 1))
+testit "check_healthy_read"   check_healthy_read   || failed=$((failed + 1))
+testit "check_healthy_write"  check_healthy_write  || failed=$((failed + 1))
+
+testok "$0" "$failed"
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index c78c9ea4ab8..3c8976874e6 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1113,6 +1113,15 @@ plantestsuite("samba3.blackbox.smbclient.encryption_off", "simpleserver",
                "$USERNAME", "$PASSWORD", "$SERVER",
                smbclient3])
 
+env = 'fileserver'
+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
+              [os.path.join(samba3srcdir,
+                            "script/tests/test_virus_scanner.sh"),
+               '$SERVER_IP',
+               "virusfilter",
+               '$LOCAL_PATH',
+               smbclient3])
+
 for env in ['fileserver', 'simpleserver']:
     plantestsuite("samba3.blackbox.smbclient.encryption", env,
                   [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),