mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
c50cde0cd5
These tests require provision data we do not ship in release tarballs. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Apr 6 15:42:12 UTC 2023 on atb-devel-224
1850 lines
94 KiB
Python
1850 lines
94 KiB
Python
# Unix SMB/CIFS implementation.
|
|
# Copyright (C) Andrew Bartlett 2012
|
|
#
|
|
# based on time.py:
|
|
# Copyright (C) Sean Dague <sdague@linux.vnet.ibm.com> 2011
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import os, pwd, grp
|
|
import ldb
|
|
import samba
|
|
from samba.tests.samba_tool.base import SambaToolCmdTest
|
|
import shutil
|
|
from samba.netcmd.gpo import get_gpo_dn, get_gpo_info
|
|
from samba.param import LoadParm
|
|
from samba.tests.gpo import stage_file, unstage_file
|
|
from samba.dcerpc import preg
|
|
from samba.ndr import ndr_pack, ndr_unpack
|
|
from samba.common import get_string
|
|
from configparser import ConfigParser
|
|
from io import StringIO
|
|
import xml.etree.ElementTree as etree
|
|
from tempfile import NamedTemporaryFile
|
|
from time import sleep
|
|
import re
|
|
from samba.gp.gpclass import check_guid
|
|
from samba.gp_parse.gp_ini import GPTIniParser
|
|
|
|
gpo_load_json = \
|
|
b"""
|
|
[
|
|
{
|
|
"keyname": "Software\\\\Policies\\\\Mozilla\\\\Firefox\\\\Homepage",
|
|
"valuename": "StartPage",
|
|
"class": "USER",
|
|
"type": "REG_SZ",
|
|
"data": "homepage"
|
|
},
|
|
{
|
|
"keyname": "Software\\\\Policies\\\\Mozilla\\\\Firefox\\\\Homepage",
|
|
"valuename": "URL",
|
|
"class": "USER",
|
|
"type": 1,
|
|
"data": "samba.org"
|
|
},
|
|
{
|
|
"keyname": "Software\\\\Microsoft\\\\Internet Explorer\\\\Toolbar",
|
|
"valuename": "IEToolbar",
|
|
"class": "USER",
|
|
"type": "REG_BINARY",
|
|
"data": [0]
|
|
},
|
|
{
|
|
"keyname": "Software\\\\Policies\\\\Microsoft\\\\InputPersonalization",
|
|
"valuename": "RestrictImplicitTextCollection",
|
|
"class": "USER",
|
|
"type": "REG_DWORD",
|
|
"data": 1
|
|
},
|
|
{
|
|
"keyname": "Software\\\\Policies\\\\Mozilla\\\\Firefox",
|
|
"valuename": "ExtensionSettings",
|
|
"class": "MACHINE",
|
|
"type": "REG_MULTI_SZ",
|
|
"data": [
|
|
"{",
|
|
" \\"key\\": \\"value\\"",
|
|
"}"
|
|
]
|
|
}
|
|
]
|
|
"""
|
|
|
|
gpo_remove_json = \
|
|
b"""
|
|
[
|
|
{
|
|
"keyname": "Software\\\\Policies\\\\Mozilla\\\\Firefox\\\\Homepage",
|
|
"valuename": "StartPage",
|
|
"class": "USER"
|
|
},
|
|
{
|
|
"keyname": "Software\\\\Policies\\\\Mozilla\\\\Firefox\\\\Homepage",
|
|
"valuename": "URL",
|
|
"class": "USER"
|
|
},
|
|
{
|
|
"keyname": "Software\\\\Microsoft\\\\Internet Explorer\\\\Toolbar",
|
|
"valuename": "IEToolbar",
|
|
"class": "USER"
|
|
},
|
|
{
|
|
"keyname": "Software\\\\Policies\\\\Microsoft\\\\InputPersonalization",
|
|
"valuename": "RestrictImplicitTextCollection",
|
|
"class": "USER"
|
|
},
|
|
{
|
|
"keyname": "Software\\\\Policies\\\\Mozilla\\\\Firefox",
|
|
"valuename": "ExtensionSettings",
|
|
"class": "MACHINE"
|
|
}
|
|
]
|
|
"""
|
|
|
|
def gpt_ini_version(gpo_guid):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
GPT_INI = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
gpo_guid, 'GPT.INI')
|
|
if os.path.exists(GPT_INI):
|
|
with open(GPT_INI, 'rb') as f:
|
|
data = f.read()
|
|
parser = GPTIniParser()
|
|
parser.parse(data)
|
|
if parser.ini_conf.has_option('General', 'Version'):
|
|
version = int(parser.ini_conf.get('General',
|
|
'Version').encode('utf-8'))
|
|
else:
|
|
version = 0
|
|
else:
|
|
version = 0
|
|
return version
|
|
|
|
# These are new GUIDs, not used elsewhere, made up for the use of testing the
|
|
# adding of extension GUIDs in `samba-tool gpo load`.
|
|
ext_guids = ['{123d2b56-7b14-4516-bbc4-763d29d57654}',
|
|
'{d000e91b-e70f-481b-9549-58de7929bcee}']
|
|
|
|
source_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../../../.."))
|
|
provision_path = os.path.join(source_path, "source4/selftest/provisions/")
|
|
|
|
def has_difference(path1, path2, binary=True, xml=True, sortlines=False):
|
|
"""Use this function to determine if the GPO backup differs from another.
|
|
|
|
xml=True checks whether any xml files are equal
|
|
binary=True checks whether any .SAMBABACKUP files are equal
|
|
"""
|
|
if os.path.isfile(path1):
|
|
if sortlines:
|
|
file1 = open(path1).readlines()
|
|
file1.sort()
|
|
file2 = open(path1).readlines()
|
|
file2.sort()
|
|
if file1 != file2:
|
|
return path1
|
|
|
|
elif open(path1).read() != open(path2).read():
|
|
return path1
|
|
|
|
return None
|
|
|
|
l_dirs = [ path1 ]
|
|
r_dirs = [ path2 ]
|
|
while l_dirs:
|
|
l_dir = l_dirs.pop()
|
|
r_dir = r_dirs.pop()
|
|
|
|
dirlist = os.listdir(l_dir)
|
|
dirlist_other = os.listdir(r_dir)
|
|
|
|
dirlist.sort()
|
|
dirlist_other.sort()
|
|
if dirlist != dirlist_other:
|
|
return dirlist
|
|
|
|
for e in dirlist:
|
|
l_name = os.path.join(l_dir, e)
|
|
r_name = os.path.join(r_dir, e)
|
|
|
|
if os.path.isdir(l_name):
|
|
l_dirs.append(l_name)
|
|
r_dirs.append(r_name)
|
|
else:
|
|
if (l_name.endswith('.xml') and xml or
|
|
l_name.endswith('.SAMBABACKUP') and binary):
|
|
if open(l_name, "rb").read() != open(r_name, "rb").read():
|
|
return l_name
|
|
|
|
return None
|
|
|
|
|
|
class GpoCmdTestCase(SambaToolCmdTest):
|
|
"""Tests for samba-tool time subcommands"""
|
|
|
|
gpo_name = "testgpo"
|
|
|
|
# This exists in the source tree to be restored
|
|
backup_gpo_guid = "{1E1DC8EA-390C-4800-B327-98B56A0AEA5D}"
|
|
|
|
def test_gpo_list(self):
|
|
"""Run gpo list against the server and make sure it looks accurate"""
|
|
(result, out, err) = self.runsubcmd("gpo", "listall", "-H", "ldap://%s" % os.environ["SERVER"])
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo listall ran successfully")
|
|
|
|
def test_fetchfail(self):
|
|
"""Run against a non-existent GPO, and make sure it fails (this hard-coded UUID is very unlikely to exist"""
|
|
(result, out, err) = self.runsubcmd("gpo", "fetch", "c25cac17-a02a-4151-835d-fae17446ee43", "-H", "ldap://%s" % os.environ["SERVER"])
|
|
self.assertCmdFail(result, "check for result code")
|
|
|
|
def test_fetch(self):
|
|
"""Run against a real GPO, and make sure it passes"""
|
|
(result, out, err) = self.runsubcmd("gpo", "fetch", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "--tmpdir", self.tempdir)
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo fetched successfully")
|
|
shutil.rmtree(os.path.join(self.tempdir, "policy"))
|
|
|
|
def test_show(self):
|
|
"""Show a real GPO, and make sure it passes"""
|
|
(result, out, err) = self.runsubcmd("gpo", "show", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"])
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo fetched successfully")
|
|
|
|
def test_show_as_admin(self):
|
|
"""Show a real GPO, and make sure it passes"""
|
|
(result, out, err) = self.runsubcmd("gpo", "show", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo fetched successfully")
|
|
|
|
def test_aclcheck(self):
|
|
"""Check all the GPOs on the remote server have correct ACLs"""
|
|
(result, out, err) = self.runsubcmd("gpo", "aclcheck", "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo checked successfully")
|
|
|
|
def test_getlink_empty(self):
|
|
self.samdb = self.getSamDB("-H", "ldap://%s" % os.environ["DC_SERVER"],
|
|
"-U%s%%%s" % (os.environ["DC_USERNAME"],
|
|
os.environ["DC_PASSWORD"]))
|
|
|
|
container_dn = 'OU=gpo_test_link,%s' % self.samdb.get_default_basedn()
|
|
|
|
self.samdb.add({
|
|
'dn': container_dn,
|
|
'objectClass': 'organizationalUnit'
|
|
})
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "getlink", container_dn,
|
|
"-H", "ldap://%s" % os.environ["SERVER"],
|
|
"-U%s%%%s" % (os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo link fetched successfully")
|
|
|
|
# Microsoft appears to allow an empty space character after deletion of
|
|
# a GPO. We should be able to handle this.
|
|
m = ldb.Message()
|
|
m.dn = ldb.Dn(self.samdb, container_dn)
|
|
m['gPLink'] = ldb.MessageElement(' ', ldb.FLAG_MOD_REPLACE, 'gPLink')
|
|
self.samdb.modify(m)
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "getlink", container_dn,
|
|
"-H", "ldap://%s" % os.environ["SERVER"],
|
|
"-U%s%%%s" % (os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo link fetched successfully")
|
|
|
|
self.samdb.delete(container_dn)
|
|
|
|
def test_backup_restore_compare_binary(self):
|
|
"""Restore from a static backup and compare the binary contents"""
|
|
|
|
if not os.path.exists(provision_path):
|
|
self.skipTest('Test requires provision data not available in '
|
|
+ 'release tarball')
|
|
|
|
static_path = os.path.join(self.backup_path, 'policy',
|
|
self.backup_gpo_guid)
|
|
|
|
temp_path = os.path.join(self.tempdir, 'temp')
|
|
os.mkdir(temp_path)
|
|
|
|
new_path = os.path.join(self.tempdir, 'new')
|
|
os.mkdir(new_path)
|
|
|
|
gpo_guid = None
|
|
try:
|
|
(result, out, err) = self.runsubcmd("gpo", "restore", "BACKUP_RESTORE1",
|
|
static_path,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"], "--tmpdir",
|
|
temp_path, "--entities",
|
|
self.entity_file, "-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]),
|
|
"--restore-metadata")
|
|
|
|
self.assertCmdSuccess(result, out, err,
|
|
"Ensure gpo restore successful")
|
|
|
|
gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "backup", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"--tmpdir", new_path)
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo fetched successfully")
|
|
|
|
# Compare the directories
|
|
self.assertIsNone(has_difference(os.path.join(new_path, 'policy',
|
|
gpo_guid),
|
|
static_path, binary=True,
|
|
xml=False))
|
|
finally:
|
|
if gpo_guid:
|
|
(result, out, err) = self.runsubcmd("gpo", "del", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
|
|
|
|
shutil.rmtree(temp_path)
|
|
shutil.rmtree(new_path)
|
|
|
|
def test_backup_restore_no_entities_compare_binary(self):
|
|
"""Restore from a static backup (and use no entity file, resulting in
|
|
copy-restore fallback), and compare the binary contents"""
|
|
|
|
if not os.path.exists(provision_path):
|
|
self.skipTest('Test requires provision data not available in '
|
|
+ 'release tarball')
|
|
|
|
static_path = os.path.join(self.backup_path, 'policy',
|
|
self.backup_gpo_guid)
|
|
|
|
temp_path = os.path.join(self.tempdir, 'temp')
|
|
os.mkdir(temp_path)
|
|
|
|
new_path = os.path.join(self.tempdir, 'new')
|
|
os.mkdir(new_path)
|
|
|
|
gpo_guid = None
|
|
gpo_guid1 = None
|
|
gpo_guid2 = None
|
|
try:
|
|
(result, out, err) = self.runsubcmd("gpo", "restore", "BACKUP_RESTORE1",
|
|
static_path,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"], "--tmpdir",
|
|
temp_path, "--entities",
|
|
self.entity_file, "-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]),
|
|
"--restore-metadata")
|
|
|
|
self.assertCmdSuccess(result, out, err,
|
|
"Ensure gpo restore successful")
|
|
|
|
gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
gpo_guid1 = gpo_guid
|
|
|
|
# Do not output entities file
|
|
(result, out, err) = self.runsubcmd("gpo", "backup", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"--tmpdir", new_path,
|
|
"--generalize")
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo fetched successfully")
|
|
|
|
# Do not use an entities file
|
|
(result, out, err) = self.runsubcmd("gpo", "restore", "BACKUP_RESTORE2",
|
|
os.path.join(new_path, 'policy', gpo_guid1),
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"], "--tmpdir",
|
|
temp_path, "-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]),
|
|
"--restore-metadata")
|
|
|
|
self.assertCmdSuccess(result, out, err,
|
|
"Ensure gpo restore successful")
|
|
|
|
gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
gpo_guid2 = gpo_guid
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo restored successfully")
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "backup", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"--tmpdir", new_path)
|
|
|
|
# Compare the directories
|
|
self.assertIsNone(has_difference(os.path.join(new_path, 'policy',
|
|
gpo_guid1),
|
|
os.path.join(new_path, 'policy',
|
|
gpo_guid2),
|
|
binary=True, xml=False))
|
|
finally:
|
|
if gpo_guid1:
|
|
(result, out, err) = self.runsubcmd("gpo", "del", gpo_guid1,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
|
|
|
|
if gpo_guid2:
|
|
(result, out, err) = self.runsubcmd("gpo", "del", gpo_guid2,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
|
|
|
|
shutil.rmtree(temp_path)
|
|
shutil.rmtree(new_path)
|
|
|
|
def test_backup_restore_backup_compare_XML(self):
|
|
"""Restore from a static backup and backup to compare XML"""
|
|
|
|
if not os.path.exists(provision_path):
|
|
self.skipTest('Test requires provision data not available in '
|
|
+ 'release tarball')
|
|
|
|
static_path = os.path.join(self.backup_path, 'policy',
|
|
self.backup_gpo_guid)
|
|
|
|
temp_path = os.path.join(self.tempdir, 'temp')
|
|
os.mkdir(temp_path)
|
|
|
|
new_path = os.path.join(self.tempdir, 'new')
|
|
os.mkdir(new_path)
|
|
|
|
gpo_guid = None
|
|
gpo_guid1 = None
|
|
gpo_guid2 = None
|
|
try:
|
|
(result, out, err) = self.runsubcmd("gpo", "restore", "BACKUP_RESTORE1",
|
|
static_path,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"], "--tmpdir",
|
|
temp_path, "--entities",
|
|
self.entity_file, "-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]),
|
|
"--restore-metadata")
|
|
|
|
self.assertCmdSuccess(result, out, err,
|
|
"Ensure gpo restore successful")
|
|
|
|
gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
gpo_guid1 = gpo_guid
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "backup", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"--tmpdir", new_path)
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo fetched successfully")
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "restore", "BACKUP_RESTORE2",
|
|
os.path.join(new_path, 'policy', gpo_guid1),
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"], "--tmpdir",
|
|
temp_path, "--entities",
|
|
self.entity_file, "-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]),
|
|
"--restore-metadata")
|
|
|
|
self.assertCmdSuccess(result, out, err,
|
|
"Ensure gpo restore successful")
|
|
|
|
gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
gpo_guid2 = gpo_guid
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo restored successfully")
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "backup", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"--tmpdir", new_path)
|
|
|
|
# Compare the directories
|
|
self.assertIsNone(has_difference(os.path.join(new_path, 'policy',
|
|
gpo_guid1),
|
|
os.path.join(new_path, 'policy',
|
|
gpo_guid2),
|
|
binary=True, xml=True))
|
|
finally:
|
|
if gpo_guid1:
|
|
(result, out, err) = self.runsubcmd("gpo", "del", gpo_guid1,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
|
|
|
|
if gpo_guid2:
|
|
(result, out, err) = self.runsubcmd("gpo", "del", gpo_guid2,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
|
|
|
|
shutil.rmtree(temp_path)
|
|
shutil.rmtree(new_path)
|
|
|
|
def test_backup_restore_generalize(self):
|
|
"""Restore from a static backup with different entities, generalize it
|
|
again, and compare the XML"""
|
|
|
|
if not os.path.exists(provision_path):
|
|
self.skipTest('Test requires provision data not available in '
|
|
+ 'release tarball')
|
|
|
|
static_path = os.path.join(self.backup_path, 'policy',
|
|
self.backup_gpo_guid)
|
|
|
|
temp_path = os.path.join(self.tempdir, 'temp')
|
|
os.mkdir(temp_path)
|
|
|
|
new_path = os.path.join(self.tempdir, 'new')
|
|
os.mkdir(new_path)
|
|
|
|
alt_entity_file = os.path.join(new_path, 'entities')
|
|
with open(alt_entity_file, 'wb') as f:
|
|
f.write(b'''<!ENTITY SAMBA__NETWORK_PATH__82419dafed126a07d6b96c66fc943735__ "\\\\samdom.example.com">
|
|
<!ENTITY SAMBA__NETWORK_PATH__0484cd41ded45a0728333a9c5e5ef619__ "\\\\samdom">
|
|
<!ENTITY SAMBA____SDDL_ACL____4ce8277be3f630300cbcf80a80e21cf4__ "D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;S-1-16-0)">
|
|
<!ENTITY SAMBA____USER_ID_____d0970f5a1e19cb803f916c203d5c39c4__ "*S-1-5-113">
|
|
<!ENTITY SAMBA____USER_ID_____7b7bc2512ee1fedcd76bdc68926d4f7b__ "Administrator">
|
|
<!ENTITY SAMBA____USER_ID_____a3069f5a7a6530293ad8df6abd32af3d__ "Foobaz">
|
|
<!ENTITY SAMBA____USER_ID_____fdf60b2473b319c8c341de5f62479a7d__ "*S-1-5-32-545">
|
|
<!ENTITY SAMBA____USER_ID_____adb831a7fdd83dd1e2a309ce7591dff8__ "Guest">
|
|
<!ENTITY SAMBA____USER_ID_____9fa835214b4fc8b6102c991f7d97c2f8__ "*S-1-5-32-547">
|
|
<!ENTITY SAMBA____USER_ID_____bf8caafa94a19a6262bad2e8b6d4bce6__ "*S-1-5-32-546">
|
|
<!ENTITY SAMBA____USER_ID_____a45da96d0bf6575970f2d27af22be28a__ "System">
|
|
<!ENTITY SAMBA____USER_ID_____171d33a63ebd67f856552940ed491ad3__ "s-1-5-32-545">
|
|
<!ENTITY SAMBA____USER_ID_____7140932fff16ce85cc64d3caab588d0d__ "s-1-1-0">
|
|
''')
|
|
|
|
gen_entity_file = os.path.join(temp_path, 'entities')
|
|
|
|
gpo_guid = None
|
|
try:
|
|
(result, out, err) = self.runsubcmd("gpo", "restore", "BACKUP_RESTORE1",
|
|
static_path,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"], "--tmpdir",
|
|
temp_path, "--entities",
|
|
alt_entity_file, "-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]),
|
|
"--restore-metadata")
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo restored successfully")
|
|
|
|
gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "backup", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"--tmpdir", new_path,
|
|
"--generalize", "--entities",
|
|
gen_entity_file)
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo fetched successfully")
|
|
|
|
# Assert entity files are identical (except for line order)
|
|
self.assertIsNone(has_difference(alt_entity_file,
|
|
gen_entity_file,
|
|
sortlines=True))
|
|
|
|
# Compare the directories (XML)
|
|
self.assertIsNone(has_difference(os.path.join(new_path, 'policy',
|
|
gpo_guid),
|
|
static_path, binary=False,
|
|
xml=True))
|
|
finally:
|
|
if gpo_guid:
|
|
(result, out, err) = self.runsubcmd("gpo", "del", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
|
|
|
|
shutil.rmtree(temp_path)
|
|
shutil.rmtree(new_path)
|
|
|
|
def test_backup_with_extension_attributes(self):
|
|
self.samdb = self.getSamDB("-H", "ldap://%s" % os.environ["DC_SERVER"],
|
|
"-U%s%%%s" % (os.environ["DC_USERNAME"],
|
|
os.environ["DC_PASSWORD"]))
|
|
|
|
temp_path = os.path.join(self.tempdir, 'temp')
|
|
os.mkdir(temp_path)
|
|
|
|
extensions = {
|
|
# Taken from "source4/setup/provision_group_policy.ldif" on domain
|
|
'gPCMachineExtensionNames': '[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]',
|
|
'gPCUserExtensionNames': '[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]'
|
|
}
|
|
|
|
gpo_dn = get_gpo_dn(self.samdb, self.gpo_guid)
|
|
for ext in extensions:
|
|
data = extensions[ext]
|
|
|
|
m = ldb.Message()
|
|
m.dn = gpo_dn
|
|
m[ext] = ldb.MessageElement(data, ldb.FLAG_MOD_REPLACE, ext)
|
|
|
|
self.samdb.modify(m)
|
|
|
|
try:
|
|
(result, out, err) = self.runsubcmd("gpo", "backup", self.gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"--tmpdir", temp_path)
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo fetched successfully")
|
|
|
|
guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
|
|
temp_path = os.path.join(temp_path, 'policy', guid)
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "restore", "RESTORE_EXT",
|
|
temp_path,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"], "--tmpdir",
|
|
self.tempdir, "-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]),
|
|
"--restore-metadata")
|
|
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo restored successfully")
|
|
|
|
gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
|
|
msg = get_gpo_info(self.samdb, gpo_guid)
|
|
self.assertEqual(len(msg), 1)
|
|
|
|
for ext in extensions:
|
|
self.assertTrue(ext in msg[0])
|
|
self.assertEqual(extensions[ext], str(msg[0][ext][0]))
|
|
|
|
finally:
|
|
if gpo_guid:
|
|
(result, out, err) = self.runsubcmd("gpo", "del", gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
|
|
|
|
shutil.rmtree(os.path.join(self.tempdir, "policy"))
|
|
shutil.rmtree(os.path.join(self.tempdir, 'temp'))
|
|
|
|
def test_admx_load(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
admx_path = os.path.join(local_path, os.environ['REALM'].lower(),
|
|
'Policies', 'PolicyDefinitions')
|
|
(result, out, err) = self.runsubcmd("gpo", "admxload",
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"--admx-dir=%s" %
|
|
os.path.join(source_path,
|
|
'libgpo/admx'),
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Filling PolicyDefinitions failed')
|
|
self.assertTrue(os.path.exists(admx_path),
|
|
'PolicyDefinitions was not created')
|
|
self.assertTrue(os.path.exists(os.path.join(admx_path, 'samba.admx')),
|
|
'Filling PolicyDefinitions failed')
|
|
shutil.rmtree(admx_path)
|
|
|
|
def test_smb_conf_set(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
reg_pol = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/Registry.pol')
|
|
|
|
policy = 'apply group policies'
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "smb_conf",
|
|
"set"), self.gpo_guid,
|
|
policy, "yes",
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Failed to set apply group policies')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
self.assertTrue(os.path.exists(reg_pol),
|
|
'The Registry.pol does not exist')
|
|
reg_data = ndr_unpack(preg.file, open(reg_pol, 'rb').read())
|
|
ret = any([get_string(e.valuename) == policy and e.data == 1 \
|
|
for e in reg_data.entries])
|
|
self.assertTrue(ret, 'The sudoers entry was not added')
|
|
|
|
before_vers = after_vers
|
|
# Ensure an empty set command deletes the entry
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "smb_conf",
|
|
"set"), self.gpo_guid,
|
|
policy, "-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Failed to unset apply group policies')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
reg_data = ndr_unpack(preg.file, open(reg_pol, 'rb').read())
|
|
ret = not any([get_string(e.valuename) == policy and e.data == 1 \
|
|
for e in reg_data.entries])
|
|
self.assertTrue(ret, 'The sudoers entry was not removed')
|
|
|
|
def test_smb_conf_list(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
reg_pol = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/Registry.pol')
|
|
|
|
# Stage the Registry.pol file with test data
|
|
stage = preg.file()
|
|
e = preg.entry()
|
|
e.keyname = b'Software\\Policies\\Samba\\smb_conf'
|
|
e.valuename = b'apply group policies'
|
|
e.type = 4
|
|
e.data = 1
|
|
stage.num_entries = 1
|
|
stage.entries = [e]
|
|
ret = stage_file(reg_pol, ndr_pack(stage))
|
|
self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "smb_conf",
|
|
"list"), self.gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn('%s = True' % e.valuename, out, 'The test entry was not found!')
|
|
|
|
# Unstage the Registry.pol file
|
|
unstage_file(reg_pol)
|
|
|
|
def test_security_set(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
inf_pol = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf')
|
|
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
|
|
"set"), self.gpo_guid,
|
|
'MaxTicketAge', '10',
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Failed to set MaxTicketAge')
|
|
self.assertTrue(os.path.exists(inf_pol),
|
|
'%s was not created' % inf_pol)
|
|
inf_pol_contents = open(inf_pol, 'r').read()
|
|
self.assertIn('MaxTicketAge = 10', inf_pol_contents,
|
|
'The test entry was not found!')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
before_vers = after_vers
|
|
# Ensure an empty set command deletes the entry
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
|
|
"set"), self.gpo_guid,
|
|
'MaxTicketAge',
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Failed to unset MaxTicketAge')
|
|
inf_pol_contents = open(inf_pol, 'r').read()
|
|
self.assertNotIn('MaxTicketAge = 10', inf_pol_contents,
|
|
'The test entry was still found!')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
def test_security_list(self):
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
|
|
"set"), self.gpo_guid,
|
|
'MaxTicketAge', '10',
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Failed to set MaxTicketAge')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
|
|
"list"), self.gpo_guid,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn('MaxTicketAge = 10', out, 'The test entry was not found!')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
|
|
"set"), self.gpo_guid,
|
|
'MaxTicketAge',
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Failed to unset MaxTicketAge')
|
|
|
|
def test_security_nonempty_sections(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
gpt_inf = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/Microsoft/Windows NT',
|
|
'SecEdit/GptTmpl.inf')
|
|
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
|
|
"set"), self.gpo_guid,
|
|
'MaxTicketAge', '10',
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Failed to set MaxTicketAge')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
|
|
"set"), self.gpo_guid,
|
|
'MaxTicketAge',
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err,
|
|
'Failed to unset MaxTicketAge')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
inf_data = ConfigParser(interpolation=None)
|
|
inf_data.read(gpt_inf)
|
|
|
|
self.assertFalse(inf_data.has_section('Kerberos Policy'))
|
|
|
|
def test_sudoers_add(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
reg_pol = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/Registry.pol')
|
|
|
|
# Stage the Registry.pol file with test data
|
|
stage = preg.file()
|
|
e = preg.entry()
|
|
e.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
|
|
e.valuename = b'Software\\Policies\\Samba\\Unix Settings'
|
|
e.type = 1
|
|
e.data = b'fakeu ALL=(ALL) NOPASSWD: ALL'
|
|
stage.num_entries = 1
|
|
stage.entries = [e]
|
|
ret = stage_file(reg_pol, ndr_pack(stage))
|
|
self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
|
|
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "add"),
|
|
self.gpo_guid, 'ALL', 'ALL',
|
|
'fakeu', 'fakeg', "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Sudoers add failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
sudoer = 'fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL'
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(sudoer, out, 'The test entry was not found!')
|
|
self.assertIn(get_string(e.data), out, 'The test entry was not found!')
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "remove"),
|
|
self.gpo_guid, sudoer,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Sudoers remove failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "remove"),
|
|
self.gpo_guid,
|
|
get_string(e.data),
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Sudoers remove failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertNotIn(sudoer, out, 'The test entry was still found!')
|
|
self.assertNotIn(get_string(e.data), out,
|
|
'The test entry was still found!')
|
|
|
|
# Unstage the Registry.pol file
|
|
unstage_file(reg_pol)
|
|
|
|
def test_sudoers_list(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/VGP/VTLA/Sudo',
|
|
'SudoersConfiguration/manifest.xml')
|
|
|
|
stage = etree.Element('vgppolicy')
|
|
policysetting = etree.SubElement(stage, 'policysetting')
|
|
pv = etree.SubElement(policysetting, 'version')
|
|
pv.text = '1'
|
|
name = etree.SubElement(policysetting, 'name')
|
|
name.text = 'Sudo Policy'
|
|
description = etree.SubElement(policysetting, 'description')
|
|
description.text = 'Sudoers File Configuration Policy'
|
|
apply_mode = etree.SubElement(policysetting, 'apply_mode')
|
|
apply_mode.text = 'merge'
|
|
data = etree.SubElement(policysetting, 'data')
|
|
load_plugin = etree.SubElement(data, 'load_plugin')
|
|
load_plugin.text = 'true'
|
|
sudoers_entry = etree.SubElement(data, 'sudoers_entry')
|
|
command = etree.SubElement(sudoers_entry, 'command')
|
|
command.text = 'ALL'
|
|
user = etree.SubElement(sudoers_entry, 'user')
|
|
user.text = 'ALL'
|
|
listelement = etree.SubElement(sudoers_entry, 'listelement')
|
|
principal = etree.SubElement(listelement, 'principal')
|
|
principal.text = 'fakeu'
|
|
principal.attrib['type'] = 'user'
|
|
# Ensure an empty principal doesn't cause a crash
|
|
sudoers_entry = etree.SubElement(data, 'sudoers_entry')
|
|
command = etree.SubElement(sudoers_entry, 'command')
|
|
command.text = 'ALL'
|
|
user = etree.SubElement(sudoers_entry, 'user')
|
|
user.text = 'ALL'
|
|
# Ensure having dispersed principals still works
|
|
sudoers_entry = etree.SubElement(data, 'sudoers_entry')
|
|
command = etree.SubElement(sudoers_entry, 'command')
|
|
command.text = 'ALL'
|
|
user = etree.SubElement(sudoers_entry, 'user')
|
|
user.text = 'ALL'
|
|
listelement = etree.SubElement(sudoers_entry, 'listelement')
|
|
principal = etree.SubElement(listelement, 'principal')
|
|
principal.text = 'fakeu2'
|
|
principal.attrib['type'] = 'user'
|
|
listelement = etree.SubElement(sudoers_entry, 'listelement')
|
|
group = etree.SubElement(listelement, 'principal')
|
|
group.text = 'fakeg2'
|
|
group.attrib['type'] = 'group'
|
|
ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
|
|
self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
|
|
|
|
reg_pol = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/Registry.pol')
|
|
|
|
# Stage the Registry.pol file with test data
|
|
stage = preg.file()
|
|
e = preg.entry()
|
|
e.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
|
|
e.valuename = b'Software\\Policies\\Samba\\Unix Settings'
|
|
e.type = 1
|
|
e.data = b'fakeu3 ALL=(ALL) NOPASSWD: ALL'
|
|
stage.num_entries = 1
|
|
stage.entries = [e]
|
|
ret = stage_file(reg_pol, ndr_pack(stage))
|
|
self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
|
|
|
|
sudoer = 'fakeu ALL=(ALL) NOPASSWD: ALL'
|
|
sudoer2 = 'fakeu2,fakeg2% ALL=(ALL) NOPASSWD: ALL'
|
|
sudoer_no_principal = 'ALL ALL=(ALL) NOPASSWD: ALL'
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Sudoers list failed')
|
|
self.assertIn(sudoer, out, 'The test entry was not found!')
|
|
self.assertIn(sudoer2, out, 'The test entry was not found!')
|
|
self.assertIn(get_string(e.data), out, 'The test entry was not found!')
|
|
self.assertIn(sudoer_no_principal, out,
|
|
'The test entry was not found!')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "remove"),
|
|
self.gpo_guid, sudoer2,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Sudoers remove failed')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "remove"),
|
|
self.gpo_guid,
|
|
sudoer_no_principal,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Sudoers remove failed')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"sudoers", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertNotIn(sudoer2, out, 'The test entry was still found!')
|
|
self.assertNotIn(sudoer_no_principal, out,
|
|
'The test entry was still found!')
|
|
|
|
# Unstage the manifest.xml file
|
|
unstage_file(vgp_xml)
|
|
# Unstage the Registry.pol file
|
|
unstage_file(reg_pol)
|
|
|
|
def test_symlink_list(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/VGP/VTLA/Unix',
|
|
'Symlink/manifest.xml')
|
|
stage = etree.Element('vgppolicy')
|
|
policysetting = etree.SubElement(stage, 'policysetting')
|
|
pv = etree.SubElement(policysetting, 'version')
|
|
pv.text = '1'
|
|
name = etree.SubElement(policysetting, 'name')
|
|
name.text = 'Symlink Policy'
|
|
description = etree.SubElement(policysetting, 'description')
|
|
description.text = 'Specifies symbolic link data'
|
|
apply_mode = etree.SubElement(policysetting, 'apply_mode')
|
|
apply_mode.text = 'merge'
|
|
data = etree.SubElement(policysetting, 'data')
|
|
file_properties = etree.SubElement(data, 'file_properties')
|
|
source = etree.SubElement(file_properties, 'source')
|
|
source.text = os.path.join(self.tempdir, 'test.source')
|
|
target = etree.SubElement(file_properties, 'target')
|
|
target.text = os.path.join(self.tempdir, 'test.target')
|
|
ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
|
|
self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
|
|
|
|
symlink = 'ln -s %s %s' % (source.text, target.text)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"symlink", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(symlink, out, 'The test entry was not found!')
|
|
|
|
# Unstage the manifest.xml file
|
|
unstage_file(vgp_xml)
|
|
|
|
def test_symlink_add(self):
|
|
source_text = os.path.join(self.tempdir, 'test.source')
|
|
target_text = os.path.join(self.tempdir, 'test.target')
|
|
symlink = 'ln -s %s %s' % (source_text, target_text)
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"symlink", "add"),
|
|
self.gpo_guid,
|
|
source_text, target_text,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Symlink add failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"symlink", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(symlink, out, 'The test entry was not found!')
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"symlink", "remove"),
|
|
self.gpo_guid,
|
|
source_text, target_text,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Symlink remove failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"symlink", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertNotIn(symlink, out, 'The test entry was not removed!')
|
|
|
|
def test_files_list(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/VGP/VTLA/Unix',
|
|
'Files/manifest.xml')
|
|
source_file = os.path.join(local_path, lp.get('realm').lower(),
|
|
'Policies', self.gpo_guid, 'Machine/VGP',
|
|
'VTLA/Unix/Files/test.source')
|
|
stage = etree.Element('vgppolicy')
|
|
policysetting = etree.SubElement(stage, 'policysetting')
|
|
pv = etree.SubElement(policysetting, 'version')
|
|
pv.text = '1'
|
|
name = etree.SubElement(policysetting, 'name')
|
|
name.text = 'Files'
|
|
description = etree.SubElement(policysetting, 'description')
|
|
description.text = 'Represents file data to set/copy on clients'
|
|
data = etree.SubElement(policysetting, 'data')
|
|
file_properties = etree.SubElement(data, 'file_properties')
|
|
source = etree.SubElement(file_properties, 'source')
|
|
source.text = source_file
|
|
target = etree.SubElement(file_properties, 'target')
|
|
target.text = os.path.join(self.tempdir, 'test.target')
|
|
user = etree.SubElement(file_properties, 'user')
|
|
user.text = pwd.getpwuid(os.getuid()).pw_name
|
|
group = etree.SubElement(file_properties, 'group')
|
|
group.text = grp.getgrgid(os.getgid()).gr_name
|
|
|
|
# Request permissions of 755
|
|
permissions = etree.SubElement(file_properties, 'permissions')
|
|
permissions.set('type', 'user')
|
|
etree.SubElement(permissions, 'read')
|
|
etree.SubElement(permissions, 'write')
|
|
etree.SubElement(permissions, 'execute')
|
|
permissions = etree.SubElement(file_properties, 'permissions')
|
|
permissions.set('type', 'group')
|
|
etree.SubElement(permissions, 'read')
|
|
etree.SubElement(permissions, 'execute')
|
|
permissions = etree.SubElement(file_properties, 'permissions')
|
|
permissions.set('type', 'other')
|
|
etree.SubElement(permissions, 'read')
|
|
etree.SubElement(permissions, 'execute')
|
|
|
|
ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
|
|
self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"files", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(target.text, out, 'The test entry was not found!')
|
|
self.assertIn('-rwxr-xr-x', out,
|
|
'The test entry permissions were not found')
|
|
|
|
# Unstage the manifest.xml file
|
|
unstage_file(vgp_xml)
|
|
|
|
def test_files_add(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
sysvol_source = os.path.join(local_path, lp.get('realm').lower(),
|
|
'Policies', self.gpo_guid, 'Machine/VGP',
|
|
'VTLA/Unix/Files/test.source')
|
|
source_file = os.path.join(self.tempdir, 'test.source')
|
|
source_data = '#!/bin/sh\necho hello world'
|
|
with open(source_file, 'w') as w:
|
|
w.write(source_data)
|
|
target_file = os.path.join(self.tempdir, 'test.target')
|
|
user = pwd.getpwuid(os.getuid()).pw_name
|
|
group = grp.getgrgid(os.getgid()).gr_name
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"files", "add"),
|
|
self.gpo_guid,
|
|
source_file,
|
|
target_file,
|
|
user, group,
|
|
'755', "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'File add failed')
|
|
self.assertIn(source_data, open(sysvol_source, 'r').read(),
|
|
'Failed to find the source file on the sysvol')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"files", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(target_file, out, 'The test entry was not found!')
|
|
self.assertIn('-rwxr-xr-x', out,
|
|
'The test entry permissions were not found')
|
|
|
|
os.unlink(source_file)
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"files", "remove"),
|
|
self.gpo_guid,
|
|
target_file, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'File remove failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"files", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertNotIn(target_file, out, 'The test entry was still found!')
|
|
|
|
def test_vgp_openssh_list(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/VGP/VTLA/SshCfg',
|
|
'SshD/manifest.xml')
|
|
|
|
stage = etree.Element('vgppolicy')
|
|
policysetting = etree.SubElement(stage, 'policysetting')
|
|
pv = etree.SubElement(policysetting, 'version')
|
|
pv.text = '1'
|
|
name = etree.SubElement(policysetting, 'name')
|
|
name.text = 'Configuration File'
|
|
description = etree.SubElement(policysetting, 'description')
|
|
description.text = 'Represents Unix configuration file settings'
|
|
apply_mode = etree.SubElement(policysetting, 'apply_mode')
|
|
apply_mode.text = 'merge'
|
|
data = etree.SubElement(policysetting, 'data')
|
|
configfile = etree.SubElement(data, 'configfile')
|
|
etree.SubElement(configfile, 'filename')
|
|
configsection = etree.SubElement(configfile, 'configsection')
|
|
etree.SubElement(configsection, 'sectionname')
|
|
opt = etree.SubElement(configsection, 'keyvaluepair')
|
|
key = etree.SubElement(opt, 'key')
|
|
key.text = 'KerberosAuthentication'
|
|
value = etree.SubElement(opt, 'value')
|
|
value.text = 'Yes'
|
|
ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
|
|
self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
|
|
|
|
openssh = 'KerberosAuthentication Yes'
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"openssh", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(openssh, out, 'The test entry was not found!')
|
|
|
|
# Unstage the manifest.xml file
|
|
unstage_file(vgp_xml)
|
|
|
|
def test_vgp_openssh_set(self):
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"openssh", "set"),
|
|
self.gpo_guid,
|
|
"KerberosAuthentication",
|
|
"Yes", "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'OpenSSH set failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
openssh = 'KerberosAuthentication Yes'
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"openssh", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(openssh, out, 'The test entry was not found!')
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"openssh", "set"),
|
|
self.gpo_guid,
|
|
"KerberosAuthentication", "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'OpenSSH unset failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"openssh", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertNotIn(openssh, out, 'The test entry was still found!')
|
|
|
|
def test_startup_script_add(self):
|
|
lp = LoadParm()
|
|
fname = None
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
with NamedTemporaryFile() as f:
|
|
fname = os.path.basename(f.name)
|
|
f.write(b'#!/bin/sh\necho $@ hello world')
|
|
f.flush()
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"scripts", "startup",
|
|
"add"), self.gpo_guid,
|
|
f.name, "'-n'", "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Script add failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
script_path = '\\'.join(['\\', lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'MACHINE\\VGP\\VTLA\\Unix',
|
|
'Scripts\\Startup', fname])
|
|
entry = '@reboot root %s -n' % script_path
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "scripts",
|
|
"startup", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(entry, out, 'The test entry was not found!')
|
|
local_path = lp.get('path', 'sysvol')
|
|
local_script_path = os.path.join(local_path, lp.get('realm').lower(),
|
|
'Policies', self.gpo_guid,
|
|
'Machine/VGP/VTLA/Unix',
|
|
'Scripts/Startup', fname)
|
|
self.assertTrue(os.path.exists(local_script_path),
|
|
'The test script was not uploaded to the sysvol')
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"scripts", "startup",
|
|
"remove"), self.gpo_guid,
|
|
f.name, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Script remove failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "scripts",
|
|
"startup", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertNotIn(entry, out, 'The test entry was still found!')
|
|
|
|
def test_startup_script_list(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/VGP/VTLA/Unix',
|
|
'Scripts/Startup/manifest.xml')
|
|
stage = etree.Element('vgppolicy')
|
|
policysetting = etree.SubElement(stage, 'policysetting')
|
|
pv = etree.SubElement(policysetting, 'version')
|
|
pv.text = '1'
|
|
name = etree.SubElement(policysetting, 'name')
|
|
name.text = 'Unix Scripts'
|
|
description = etree.SubElement(policysetting, 'description')
|
|
description.text = 'Represents Unix scripts to run on Group Policy clients'
|
|
data = etree.SubElement(policysetting, 'data')
|
|
listelement = etree.SubElement(data, 'listelement')
|
|
script = etree.SubElement(listelement, 'script')
|
|
script.text = 'test.sh'
|
|
parameters = etree.SubElement(listelement, 'parameters')
|
|
parameters.text = '-e'
|
|
ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
|
|
self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
|
|
|
|
script_path = '\\'.join(['\\', lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'MACHINE\\VGP\\VTLA\\Unix',
|
|
'Scripts\\Startup', script.text])
|
|
entry = '@reboot root %s %s' % (script_path, parameters.text)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage", "scripts",
|
|
"startup", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(entry, out, 'The test entry was not found!')
|
|
|
|
# Unstage the manifest.xml file
|
|
unstage_file(vgp_xml)
|
|
|
|
def test_vgp_motd_set(self):
|
|
text = 'This is the message of the day'
|
|
msg = '"%s\n"' % text
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"motd", "set"),
|
|
self.gpo_guid,
|
|
msg, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'MOTD set failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"motd", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(text, out, 'The test entry was not found!')
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"motd", "set"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'MOTD unset failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"motd", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertNotIn(text, out, 'The test entry was still found!')
|
|
|
|
def test_vgp_motd(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/VGP/VTLA/Unix',
|
|
'MOTD/manifest.xml')
|
|
|
|
stage = etree.Element('vgppolicy')
|
|
policysetting = etree.SubElement(stage, 'policysetting')
|
|
pv = etree.SubElement(policysetting, 'version')
|
|
pv.text = '1'
|
|
name = etree.SubElement(policysetting, 'name')
|
|
name.text = 'Text File'
|
|
description = etree.SubElement(policysetting, 'description')
|
|
description.text = 'Represents a Generic Text File'
|
|
apply_mode = etree.SubElement(policysetting, 'apply_mode')
|
|
apply_mode.text = 'replace'
|
|
data = etree.SubElement(policysetting, 'data')
|
|
filename = etree.SubElement(data, 'filename')
|
|
filename.text = 'motd'
|
|
text = etree.SubElement(data, 'text')
|
|
text.text = 'This is a message of the day'
|
|
ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
|
|
self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"motd", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(text.text, out, 'The test entry was not found!')
|
|
|
|
# Unstage the manifest.xml file
|
|
unstage_file(vgp_xml)
|
|
|
|
def test_vgp_issue_list(self):
|
|
lp = LoadParm()
|
|
lp.load(os.environ['SERVERCONFFILE'])
|
|
local_path = lp.get('path', 'sysvol')
|
|
vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
|
|
self.gpo_guid, 'Machine/VGP/VTLA/Unix',
|
|
'Issue/manifest.xml')
|
|
|
|
stage = etree.Element('vgppolicy')
|
|
policysetting = etree.SubElement(stage, 'policysetting')
|
|
pv = etree.SubElement(policysetting, 'version')
|
|
pv.text = '1'
|
|
name = etree.SubElement(policysetting, 'name')
|
|
name.text = 'Text File'
|
|
description = etree.SubElement(policysetting, 'description')
|
|
description.text = 'Represents a Generic Text File'
|
|
apply_mode = etree.SubElement(policysetting, 'apply_mode')
|
|
apply_mode.text = 'replace'
|
|
data = etree.SubElement(policysetting, 'data')
|
|
filename = etree.SubElement(data, 'filename')
|
|
filename.text = 'issue'
|
|
text = etree.SubElement(data, 'text')
|
|
text.text = 'Welcome to Samba!'
|
|
ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
|
|
self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"issue", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(text.text, out, 'The test entry was not found!')
|
|
|
|
# Unstage the manifest.xml file
|
|
unstage_file(vgp_xml)
|
|
|
|
def test_vgp_issue_set(self):
|
|
text = 'Welcome to Samba!'
|
|
msg = '"%s\n"' % text
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"issue", "set"),
|
|
self.gpo_guid,
|
|
msg, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Issue set failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"issue", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertIn(text, out, 'The test entry was not found!')
|
|
|
|
before_vers = after_vers
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"issue", "set"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Issue unset failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("manage",
|
|
"issue", "list"),
|
|
self.gpo_guid, "-H",
|
|
"ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertNotIn(text, out, 'The test entry was still found!')
|
|
|
|
def test_load_show_remove(self):
|
|
before_vers = gpt_ini_version(self.gpo_guid)
|
|
with NamedTemporaryFile() as f:
|
|
f.write(gpo_load_json)
|
|
f.flush()
|
|
(result, out, err) = self.runsubcmd("gpo", "load",
|
|
self.gpo_guid,
|
|
"--content=%s" % f.name,
|
|
"--machine-ext-name=%s" %
|
|
ext_guids[0],
|
|
"--user-ext-name=%s" %
|
|
ext_guids[1],
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Loading policy failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
before_vers = after_vers
|
|
# Write the default registry extension
|
|
with NamedTemporaryFile() as f:
|
|
f.write(b'[]') # Intentionally empty policy
|
|
f.flush()
|
|
# Load an empty policy, taking the default client extension
|
|
(result, out, err) = self.runsubcmd("gpo", "load",
|
|
self.gpo_guid,
|
|
"--content=%s" % f.name,
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Loading policy failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertEqual(after_vers, before_vers,
|
|
'GPT.INI changed on empty merge')
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "show", self.gpo_guid, "-H",
|
|
"ldap://%s" % os.environ["SERVER"])
|
|
self.assertCmdSuccess(result, out, err, 'Failed to fetch gpos')
|
|
self.assertIn('homepage', out, 'Homepage policy not loaded')
|
|
self.assertIn('samba.org', out, 'Homepage policy not loaded')
|
|
self.assertIn(ext_guids[0], out, 'Machine extension not loaded')
|
|
self.assertIn(ext_guids[1], out, 'User extension not loaded')
|
|
self.assertIn('{35378eac-683f-11d2-a89a-00c04fbbcfa2}', out,
|
|
'Default extension not loaded')
|
|
toolbar_data = '"valuename": "IEToolbar",\n "class": "USER",' + \
|
|
'\n "type": "REG_BINARY",' + \
|
|
'\n "data": [\n 0\n ]'
|
|
self.assertIn(toolbar_data, out, 'Toolbar policy not loaded')
|
|
restrict_data = '"valuename": "RestrictImplicitTextCollection",' + \
|
|
'\n "class": "USER",' + \
|
|
'\n "type": "REG_DWORD",\n "data": 1\n'
|
|
self.assertIn(restrict_data, out, 'Restrict policy not loaded')
|
|
ext_data = '" \\"key\\": \\"value\\"",'
|
|
self.assertIn(ext_data, out, 'Extension policy not loaded')
|
|
|
|
before_vers = after_vers
|
|
with NamedTemporaryFile() as f:
|
|
f.write(gpo_remove_json)
|
|
f.flush()
|
|
(result, out, err) = self.runsubcmd("gpo", "remove",
|
|
self.gpo_guid,
|
|
"--content=%s" % f.name,
|
|
"--machine-ext-name=%s" %
|
|
ext_guids[0],
|
|
"--user-ext-name=%s" %
|
|
ext_guids[1],
|
|
"-H", "ldap://%s" %
|
|
os.environ["SERVER"],
|
|
"-U%s%%%s" %
|
|
(os.environ["USERNAME"],
|
|
os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, 'Removing policy failed')
|
|
after_vers = gpt_ini_version(self.gpo_guid)
|
|
self.assertGreater(after_vers, before_vers, 'GPT.INI was not updated')
|
|
|
|
(result, out, err) = self.runsubcmd("gpo", "show", self.gpo_guid, "-H",
|
|
"ldap://%s" % os.environ["SERVER"])
|
|
self.assertCmdSuccess(result, out, err, 'Failed to fetch gpos')
|
|
self.assertNotIn('samba.org', out, 'Homepage policy not removed')
|
|
self.assertNotIn(ext_guids[0], out, 'Machine extension not unloaded')
|
|
self.assertNotIn(ext_guids[1], out, 'User extension not unloaded')
|
|
|
|
def test_cse_register_unregister_list(self):
|
|
with NamedTemporaryFile() as f:
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("cse",
|
|
"register"),
|
|
f.name, 'gp_test_ext',
|
|
'--machine')
|
|
self.assertCmdSuccess(result, out, err, 'CSE register failed')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("cse",
|
|
"list"))
|
|
self.assertIn(f.name, out, 'The test cse was not found')
|
|
self.assertIn('ProcessGroupPolicy : gp_test_ext', out,
|
|
'The test cse was not found')
|
|
self.assertIn('MachinePolicy : True', out,
|
|
'The test cse was not enabled')
|
|
self.assertIn('UserPolicy : False', out,
|
|
'The test cse should not have User policy enabled')
|
|
cse_ext = re.findall('^UniqueGUID\s+:\s+(.*)', out)
|
|
self.assertEquals(len(cse_ext), 1,
|
|
'The test cse GUID was not found')
|
|
cse_ext = cse_ext[0]
|
|
self.assertTrue(check_guid(cse_ext),
|
|
'The test cse GUID was not formatted correctly')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("cse",
|
|
"unregister"),
|
|
cse_ext)
|
|
self.assertCmdSuccess(result, out, err, 'CSE unregister failed')
|
|
|
|
(result, out, err) = self.runsublevelcmd("gpo", ("cse",
|
|
"list"))
|
|
self.assertNotIn(f.name, out, 'The test cse was still found')
|
|
|
|
def setUp(self):
|
|
"""set up a temporary GPO to work with"""
|
|
super(GpoCmdTestCase, self).setUp()
|
|
(result, out, err) = self.runsubcmd("gpo", "create", self.gpo_name,
|
|
"-H", "ldap://%s" % os.environ["SERVER"],
|
|
"-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]),
|
|
"--tmpdir", self.tempdir)
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo created successfully")
|
|
shutil.rmtree(os.path.join(self.tempdir, "policy"))
|
|
try:
|
|
self.gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
|
|
except IndexError:
|
|
self.fail("Failed to find GUID in output: %s" % out)
|
|
|
|
self.backup_path = os.path.join(samba.source_tree_topdir(), 'source4',
|
|
'selftest', 'provisions',
|
|
'generalized-gpo-backup')
|
|
|
|
self.entity_file = os.path.join(self.backup_path, 'entities')
|
|
|
|
def tearDown(self):
|
|
"""remove the temporary GPO to work with"""
|
|
(result, out, err) = self.runsubcmd("gpo", "del", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
|
|
self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
|
|
super(GpoCmdTestCase, self).tearDown()
|