selftest: add tests for samba-tool ntacl changedomsid

Signed-off-by: Björn Baumbach <bb@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Tue Jun 18 16:54:22 UTC 2019 on sn-devel-184

python/samba/tests/samba_tool/ntacl.py

@@ -133,3 +133,90 @@ class NtACLCmdGetSetTestCase(SambaToolCmdTest):
         self.assertCmdSuccess(result, out, err)
         self.assertEquals(err, "", "Shouldn't be any error messages")
         self.assertEquals(self.acl + "\n", out, "Output should be the ACL")
+
+class NtACLCmdChangedomsidTestCase(SambaToolCmdTest):
+    """Tests for samba-tool ntacl changedomsid subcommand"""
+
+    acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+    new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+    domain_sid=os.environ['DOMSID']
+    new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468"
+
+    def test_ntvfs_check(self):
+        path = os.environ['SELFTEST_PREFIX']
+        tempf = os.path.join(
+            path, "pytests" + str(int(100000 * random.random())))
+        open(tempf, 'w').write("empty")
+
+        print("DOMSID: %s", self.domain_sid)
+
+        (result, out, err) = self.runsubcmd("ntacl",
+                                            "set",
+                                            self.acl,
+                                            tempf,
+                                            "--use-ntvfs")
+        self.assertCmdSuccess(result, out, err)
+        self.assertEquals(out, "", "Shouldn't be any output messages")
+        self.assertIn("Please note that POSIX permissions have NOT been "
+                      "changed, only the stored NT ACL", err)
+
+        (result, out, err) = self.runsubcmd("ntacl",
+                                            "changedomsid",
+                                            self.domain_sid,
+                                            self.new_domain_sid,
+                                            tempf,
+                                            "--use-ntvfs")
+        self.assertCmdSuccess(result, out, err)
+        self.assertEquals(out, "", "Shouldn't be any output messages")
+        self.assertIn("Please note that POSIX permissions have NOT been "
+                      "changed, only the stored NT ACL.", err)
+
+        # Now check they were set correctly
+        (result, out, err) = self.runsubcmd("ntacl",
+                                            "get",
+                                            tempf,
+                                            "--use-ntvfs",
+                                            "--as-sddl")
+        self.assertCmdSuccess(result, out, err)
+        self.assertEquals(err, "", "Shouldn't be any error messages")
+        self.assertEquals(self.new_acl + "\n", out, "Output should be the ACL")
+
+    def test_s3fs_check(self):
+        path = os.environ['SELFTEST_PREFIX']
+        tempf = os.path.join(
+            path, "pytests" + str(int(100000 * random.random())))
+        open(tempf, 'w').write("empty")
+
+        print("DOMSID: %s" % self.domain_sid)
+
+        (result, out, err) = self.runsubcmd("ntacl",
+                                            "set",
+                                            self.acl,
+                                            tempf,
+                                            "--use-s3fs",
+                                            "--service=sysvol")
+        self.assertCmdSuccess(result, out, err)
+        self.assertEquals(out, "", "Shouldn't be any output messages")
+        self.assertEquals(err, "", "Shouldn't be any error messages")
+
+        (result, out, err) = self.runsubcmd("ntacl",
+                                            "changedomsid",
+                                            self.domain_sid,
+                                            self.new_domain_sid,
+                                            tempf,
+                                            "--use-s3fs",
+                                            "--service=sysvol")
+        self.assertCmdSuccess(result, out, err)
+        self.assertEquals(out, "", "Shouldn't be any output messages")
+        self.assertEquals(err, "", "Shouldn't be any error messages")
+
+        # Now check they were set correctly
+        (result, out, err) = self.runsubcmd("ntacl",
+                                            "get",
+                                            tempf,
+                                            "--use-s3fs",
+                                            "--as-sddl",
+                                            "--service=sysvol")
+        self.assertCmdSuccess(result, out, err)
+        self.assertEquals(err, "", "Shouldn't be any error messages")
+        self.assertEquals(self.new_acl + "\n", out, "Output should be the ACL")

source4/selftest/tests.py

@@ -488,7 +488,7 @@ plantestsuite("samba4.blackbox.client_etypes_all(ad_dc:client)", "ad_dc:client",
 plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'legacy', '23'])
 plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
 plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
-plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX'])
+plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
 # json tests hook into ``chgdcpass'' to make them run in contributor CI on
 # gitlab

testprogs/blackbox/test_samba-tool_ntacl.sh

@@ -10,6 +10,7 @@ exit 1;
 fi
 
 PREFIX=$1
+domain_sid=$2
 
 failed=0
 
@@ -20,6 +21,8 @@ testfile="$PREFIX/ntacl_testfile"
 
 # acl from samba_tool/ntacl.py tests
 acl="O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468"
 
 . `dirname $0`/subunit.sh
 
@@ -62,6 +65,44 @@ test_set_acl_ntvfs()
 	$PYTHON $samba_tool ntacl set "$acl" "$testfile" --use-ntvfs --xattr-backend=tdb -s $PREFIX/ad_member/lib/server.conf
 }
 
+test_changedomsid()
+{
+	testfile="$1"
+
+	$PYTHON $samba_tool ntacl changedomsid \
+		"$domain_sid" "$new_domain_sid" "$testfile" \
+		--service=tmp \
+		-s $PREFIX/ad_member/lib/server.conf
+
+	retacl=$($PYTHON $samba_tool ntacl get \
+			"$testfile" \
+			--as-sddl \
+			--service=tmp \
+			-s $PREFIX/ad_member/lib/server.conf) || return $?
+
+	test "$retacl" = "$new_acl"
+}
+
+test_changedomsid_ntvfs()
+{
+	testfile="$1"
+
+	$PYTHON $samba_tool ntacl changedomsid \
+		"$domain_sid" "$new_domain_sid" "$testfile" \
+		--use-ntvfs \
+		--xattr-backend=tdb \
+		-s $PREFIX/ad_member/lib/server.conf
+
+	retacl=$($PYTHON $samba_tool ntacl get \
+			"$testfile" \
+			--as-sddl \
+			--xattr-backend=tdb \
+			--use-ntvfs \
+			-s $PREFIX/ad_member/lib/server.conf) || return $?
+
+	test "$retacl" = "$new_acl"
+}
+
 # work around include error - s4-loadparm does not allow missing include files
 #
 # Unable to load file /home/bbaumba/src/git/samba/st/ad_member/lib/server.conf
@@ -81,9 +122,13 @@ testit "set_ntacl" test_set_acl "$testfile" "$acl" || failed=`expr $failed + 1`
 
 testit "get_ntacl" test_get_acl "$testfile" "$acl" || failed=`expr $failed + 1`
 
+testit "changedomsid" test_changedomsid "$testfile" || failed=`expr $failed + 1`
+
 testit "set_ntacl_ntvfs" test_set_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1`
 testit "get_ntacl_ntvfs" test_get_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1`
 
+testit "changedomsid_ntvfs" test_changedomsid_ntvfs "$testfile" || failed=`expr $failed + 1`
+
 rm -f "$testfile"
 
 exit $failed