tests/getnc_exop: Ensure the remote prefixmap is always used (secret attrs)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12187

(cherry picked from commit 1f4ea1686ff1575406b5e8e488feb7b900db12ef)

1 files changed, 86 insertions, 5 deletions

diff --git a/source4/torture/drs/python/getnc_exop.py b/source4/torture/drs/python/getnc_exop.py
index 858d02ed4c3..d4f8f1d7d8a 100644
--- a/source4/torture/drs/python/getnc_exop.py
+++ b/source4/torture/drs/python/getnc_exop.py
@@ -332,19 +332,27 @@ class DrsReplicaPrefixMapTestCase(drs_base.DrsBaseTestCase, ExopBaseTest):
         try:
             (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
             self.assertEqual(ctr.extended_ret, drsuapi.DRSUAPI_EXOP_ERR_SUCCESS)
-        except Exception:
+        except RuntimeError:
             self.fail("Missing prefixmap shouldn't have triggered an error")
 
     def test_invalid_prefix_map_attid(self):
         # Request for invalid attid
         partial_attribute_set = self.get_partial_attribute_set([99999])
 
-        pfm = self._samdb_fetch_pfm_and_schi()
-
         dc_guid_1 = self.ldb_dc1.get_invocation_id()
-
         drs, drs_handle = self._ds_bind(self.dnsname_dc1)
 
+        try:
+            pfm = self._samdb_fetch_pfm_and_schi()
+        except KeyError:
+            # On Windows, prefixMap isn't available over LDAP
+            req8 = self._exop_req8(dest_dsa=None,
+                                   invocation_id=dc_guid_1,
+                                   nc_dn_str=self.user,
+                                   exop=drsuapi.DRSUAPI_EXOP_REPL_OBJ)
+            (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
+            pfm = ctr.mapping_ctr
+
         req8 = self._exop_req8(dest_dsa=None,
                                invocation_id=dc_guid_1,
                                nc_dn_str=self.user,
@@ -355,10 +363,83 @@ class DrsReplicaPrefixMapTestCase(drs_base.DrsBaseTestCase, ExopBaseTest):
         try:
             (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
             self.fail("Invalid attid (99999) should have triggered an error")
-        except Exception as (ecode, emsg):
+        except RuntimeError as (ecode, emsg):
             self.assertEqual(ecode, 0x000020E2, "Error code should have been "
                              "WERR_DS_DRA_SCHEMA_MISMATCH")
 
+    def test_secret_prefix_map_attid(self):
+        # Request for a secret attid
+        partial_attribute_set = self.get_partial_attribute_set([drsuapi.DRSUAPI_ATTID_unicodePwd])
+
+        dc_guid_1 = self.ldb_dc1.get_invocation_id()
+        drs, drs_handle = self._ds_bind(self.dnsname_dc1)
+
+        try:
+            pfm = self._samdb_fetch_pfm_and_schi()
+        except KeyError:
+            # On Windows, prefixMap isn't available over LDAP
+            req8 = self._exop_req8(dest_dsa=None,
+                                   invocation_id=dc_guid_1,
+                                   nc_dn_str=self.user,
+                                   exop=drsuapi.DRSUAPI_EXOP_REPL_OBJ)
+            (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
+            pfm = ctr.mapping_ctr
+
+
+        req8 = self._exop_req8(dest_dsa=None,
+                               invocation_id=dc_guid_1,
+                               nc_dn_str=self.user,
+                               exop=drsuapi.DRSUAPI_EXOP_REPL_OBJ,
+                               partial_attribute_set=partial_attribute_set,
+                               mapping_ctr=pfm)
+
+        (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
+
+        found = False
+        for attr in ctr.first_object.object.attribute_ctr.attributes:
+            if attr.attid == drsuapi.DRSUAPI_ATTID_unicodePwd:
+                found = True
+                break
+
+        self.assertTrue(found, "Ensure we get the unicodePwd attribute back")
+
+        for i, mapping in enumerate(pfm.mappings):
+            # OID: 2.5.4.*
+            # objectClass: 2.5.4.0
+            if mapping.oid.binary_oid == [85, 4]:
+                idx1 = i
+            # OID: 1.2.840.113556.1.4.*
+            # unicodePwd: 1.2.840.113556.1.4.90
+            elif mapping.oid.binary_oid == [42, 134, 72, 134, 247, 20, 1, 4]:
+                idx2 = i
+
+        (pfm.mappings[idx1].id_prefix,
+         pfm.mappings[idx2].id_prefix) = (pfm.mappings[idx2].id_prefix,
+                                          pfm.mappings[idx1].id_prefix)
+
+        tmp = pfm.mappings
+        tmp[idx1], tmp[idx2] = tmp[idx2], tmp[idx1]
+        pfm.mappings = tmp
+
+        # 90 for unicodePwd (with new prefix = 0)
+        partial_attribute_set = self.get_partial_attribute_set([90])
+        req8 = self._exop_req8(dest_dsa=None,
+                               invocation_id=dc_guid_1,
+                               nc_dn_str=self.user,
+                               exop=drsuapi.DRSUAPI_EXOP_REPL_OBJ,
+                               partial_attribute_set=partial_attribute_set,
+                               mapping_ctr=pfm)
+
+        (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
+
+        found = False
+        for attr in ctr.first_object.object.attribute_ctr.attributes:
+            if attr.attid == drsuapi.DRSUAPI_ATTID_unicodePwd:
+                found = True
+                break
+
+        self.assertTrue(found, "Ensure we get the unicodePwd attribute back")
+
     def _samdb_fetch_pfm_and_schi(self):
         """Fetch prefixMap and schemaInfo stored in SamDB using LDB connection"""
         samdb = self.ldb_dc1