diff options
author | Joe Guo <joeg@catalyst.net.nz> | 2018-07-06 10:36:54 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2018-07-12 04:32:04 +0200 |
commit | a8a9bb553c8195425f385eee1cc8efab8cd889e9 (patch) | |
tree | 2a257e9c947527a33427119715340475b781e111 | |
parent | 1c09fc2de3cb4cb18cba35ea410fb74742cd9065 (diff) | |
download | samba-a8a9bb553c8195425f385eee1cc8efab8cd889e9.tar.gz |
tests/posixacl: derive a new testcase to run same tests with session
1. existing tests still run with session_info=None
2. new class override `get_session_info` to return a session, so same
set of tests will run again, but with session.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
-rw-r--r-- | python/samba/tests/posixacl.py | 92 |
1 files changed, 72 insertions, 20 deletions
diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py index 175fcb2c177..4261ef36544 100644 --- a/python/samba/tests/posixacl.py +++ b/python/samba/tests/posixacl.py @@ -25,6 +25,8 @@ from samba import provision import os from samba.samba3 import smbd, passdb from samba.samba3 import param as s3param +from samba import auth +from samba.samdb import SamDB DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467" ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)" @@ -40,12 +42,22 @@ class PosixAclMappingTests(TestCaseInTempDir): self.lp = s3conf self.tempf = os.path.join(self.tempdir, "test") open(self.tempf, 'w').write("empty") + self.samdb = SamDB(lp=self.lp, session_info=auth.system_session()) def tearDown(self): smbd.unlink(self.tempf) os.unlink(os.path.join(self.tempdir, "xattr.tdb")) super(PosixAclMappingTests, self).tearDown() + def get_session_info(self, domsid=DOM_SID): + """ + Get session_info for setntacl. + + This test case always return None, to run tests without session_info + like before. To be overrided in derived class. + """ + return None + def print_posix_acl(self, posix_acl): aclstr = "" for entry in posix_acl.acl: @@ -59,18 +71,21 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl(self): acl = ACL - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False, + session_info=self.get_session_info()) def test_setntacl_smbd_getntacl(self): acl = ACL - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True, + session_info=self.get_session_info()) facl = getntacl(self.lp, self.tempf, direct_db_access=True) anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(facl.as_sddl(anysid),acl) def test_setntacl_smbd_setposixacl_getntacl(self): acl = ACL - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True, + session_info=self.get_session_info()) # This will invalidate the ACL, as we have a hook! smbd.set_simple_acl(self.tempf, 0o640) @@ -81,7 +96,8 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_invalidate_getntacl(self): acl = ACL - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True, + session_info=self.get_session_info()) # This should invalidate the ACL, as we include the posix ACL in the hash (backend_obj, dbname) = checkset_backend(self.lp, None, None) @@ -95,7 +111,8 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_invalidate_getntacl_smbd(self): acl = ACL - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False, + session_info=self.get_session_info()) # This should invalidate the ACL, as we include the posix ACL in the hash (backend_obj, dbname) = checkset_backend(self.lp, None, None) @@ -111,7 +128,8 @@ class PosixAclMappingTests(TestCaseInTempDir): acl = ACL simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)" os.chmod(self.tempf, 0o750) - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False, + session_info=self.get_session_info()) # This should invalidate the ACL, as we include the posix ACL in the hash (backend_obj, dbname) = checkset_backend(self.lp, None, None) @@ -125,14 +143,16 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_getntacl_smbd(self): acl = ACL - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True, + session_info=self.get_session_info()) facl = getntacl(self.lp, self.tempf, direct_db_access=False) anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(facl.as_sddl(anysid),acl) def test_setntacl_smbd_getntacl_smbd(self): acl = ACL - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False, + session_info=self.get_session_info()) facl = getntacl(self.lp, self.tempf, direct_db_access=False) anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(facl.as_sddl(anysid),acl) @@ -140,7 +160,8 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_smbd_setposixacl_getntacl_smbd(self): acl = ACL simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)" - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False, + session_info=self.get_session_info()) # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code smbd.set_simple_acl(self.tempf, 0o640) facl = getntacl(self.lp, self.tempf, direct_db_access=False) @@ -151,7 +172,8 @@ class PosixAclMappingTests(TestCaseInTempDir): acl = ACL BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS) simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)" - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False, + session_info=self.get_session_info()) # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code s4_passdb = passdb.PDB(self.lp.get("passdb backend")) (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid) @@ -164,14 +186,16 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_smbd_getntacl_smbd_gpo(self): acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False, + session_info=self.get_session_info()) facl = getntacl(self.lp, self.tempf, direct_db_access=False) domsid = security.dom_sid(DOM_SID) self.assertEquals(facl.as_sddl(domsid),acl) def test_setntacl_getposixacl(self): acl = ACL - setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False) + setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False, + session_info=self.get_session_info()) facl = getntacl(self.lp, self.tempf) anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(facl.as_sddl(anysid),acl) @@ -287,7 +311,9 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_sysvol_check_getposixacl(self): acl = provision.SYSVOL_ACL domsid = passdb.get_global_sam_sid() - setntacl(self.lp, self.tempf,acl,str(domsid), use_ntvfs=False) + session_info = self.get_session_info(domsid) + setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False, + session_info=session_info) facl = getntacl(self.lp, self.tempf) self.assertEquals(facl.as_sddl(domsid),acl) posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS) @@ -327,7 +353,7 @@ class PosixAclMappingTests(TestCaseInTempDir): self.assertEquals(posix_acl.acl[0].info.gid, BA_gid) self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER) - if nwrap_winbind_active: + if nwrap_winbind_active or session_info: self.assertEquals(posix_acl.acl[1].a_perm, 7) else: self.assertEquals(posix_acl.acl[1].a_perm, 6) @@ -337,7 +363,7 @@ class PosixAclMappingTests(TestCaseInTempDir): self.assertEquals(posix_acl.acl[2].a_perm, 0) self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ) - if nwrap_winbind_active: + if nwrap_winbind_active or session_info: self.assertEquals(posix_acl.acl[3].a_perm, 7) else: self.assertEquals(posix_acl.acl[3].a_perm, 6) @@ -433,7 +459,9 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_sysvol_dir_check_getposixacl(self): acl = provision.SYSVOL_ACL domsid = passdb.get_global_sam_sid() - setntacl(self.lp, self.tempdir,acl,str(domsid), use_ntvfs=False) + session_info = self.get_session_info(domsid) + setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False, + session_info=session_info) facl = getntacl(self.lp, self.tempdir) self.assertEquals(facl.as_sddl(domsid),acl) posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS) @@ -526,7 +554,9 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_policies_dir_check_getposixacl(self): acl = provision.POLICIES_ACL domsid = passdb.get_global_sam_sid() - setntacl(self.lp, self.tempdir,acl,str(domsid), use_ntvfs=False) + session_info = self.get_session_info(domsid) + setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False, + session_info=session_info) facl = getntacl(self.lp, self.tempdir) self.assertEquals(facl.as_sddl(domsid),acl) posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS) @@ -633,7 +663,9 @@ class PosixAclMappingTests(TestCaseInTempDir): acl = provision.POLICIES_ACL domsid = passdb.get_global_sam_sid() - setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False) + session_info = self.get_session_info(domsid) + setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False, + session_info=session_info) facl = getntacl(self.lp, self.tempf) self.assertEquals(facl.as_sddl(domsid),acl) posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS) @@ -676,7 +708,7 @@ class PosixAclMappingTests(TestCaseInTempDir): self.assertEquals(posix_acl.acl[0].info.gid, BA_gid) self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER) - if nwrap_winbind_active: + if nwrap_winbind_active or session_info: self.assertEquals(posix_acl.acl[1].a_perm, 7) else: self.assertEquals(posix_acl.acl[1].a_perm, 6) @@ -686,7 +718,7 @@ class PosixAclMappingTests(TestCaseInTempDir): self.assertEquals(posix_acl.acl[2].a_perm, 0) self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ) - if nwrap_winbind_active: + if nwrap_winbind_active or session_info: self.assertEquals(posix_acl.acl[3].a_perm, 7) else: self.assertEquals(posix_acl.acl[3].a_perm, 6) @@ -788,3 +820,23 @@ class PosixAclMappingTests(TestCaseInTempDir): # a_perm: 7 # uid: -1 # gid: -1 + +class SessionedPosixAclMappingTests(PosixAclMappingTests): + """ + Run same test suite with session enabled. + """ + + def get_session_info(self, domsid=DOM_SID): + """ + Get session_info for setntacl. + """ + if str(domsid) != str(self.samdb.get_domain_sid()): + # fake it with admin session as domsid is not in local db + return auth.admin_session(self.lp, str(domsid)) + + dn = '<SID={}-{}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR) + flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS | + auth.AUTH_SESSION_INFO_AUTHENTICATED | + auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) + return auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn, + session_info_flags=flags) |