author | David Mulder <dmulder@suse.com> | 2018-01-08 07:17:29 -0700 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2018-07-12 22:11:22 +0200 |
commit | 57faf35cf836e675e088b3a6e6e455c1309fd4ea (patch) | |
tree | 6a7c766246ab8193e96a1e6c85c9436dd359d1d3 /python/samba/tests/gpo.py | |
parent | 4c7348e44d10ca519dd1322fd40b12c69e17a8e6 (diff) | |
download | samba-57faf35cf836e675e088b3a6e6e455c1309fd4ea.tar.gz |
gpo: Read GPO versions locally, not from sysvol
Non-kdc clients cannot read directly from the
sysvol, so we need to store the GPT.INI file
locally to read each gpo version.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python/samba/tests/gpo.py')
-rw-r--r-- | python/samba/tests/gpo.py | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 49fb59f32b1..a25dbd1c365 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -17,6 +17,7 @@
 import os
 from samba import gpo, tests
 from samba.param import LoadParm
+from samba.gpclass import check_refresh_gpo_list, check_safe_path
 poldir = r'\\addom.samba.example.com\sysvol\addom.samba.example.com\Policies'
 dspath = 'CN=Policies,CN=System,DC=addom,DC=samba,DC=example,DC=com'
@@ -59,8 +60,8 @@ class GPOTests(tests.TestCase):
 def test_gpt_version(self):
 global gpt_data
- local_path = self.lp.get("path", "sysvol")
- policies = 'addom.samba.example.com/Policies'
+ local_path = self.lp.cache_path('gpo_cache')
+ policies = 'ADDOM.SAMBA.EXAMPLE.COM/POLICIES'
 guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
 gpo_path = os.path.join(local_path, policies, guid)
 old_vers = gpo.gpo_get_sysvol_gpt_version(gpo_path)[1]
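Review bot: In the second hunk, `test_gpt_version` now reads and rewrites `GPT.INI` under `self.lp.cache_path('gpo_cache')`, but nothing visible in this hunk populates that cache. It appears to depend on `test_check_refresh_gpo_list` (added in the last hunk) having run first, which would hold only through alphabetical test ordering; setUp is outside the hunk, so this is inferred. Either perform the refresh inside the test or setUp, or at least record the dependency with a comment such as `# requires the GPO cache populated by check_refresh_gpo_list()`. The body of `test_gpt_version` continues past the end of this hunk.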
@@ -75,3 +76,36 @@ class GPOTests(tests.TestCase):
 self.assertEquals(gpo.gpo_get_sysvol_gpt_version(gpo_path)[1], old_vers, 'gpo_get_sysvol_gpt_version() did not return the expected version')
+ def test_check_refresh_gpo_list(self):
+ cache = self.lp.cache_path('gpo_cache')
+ ads = gpo.ADS_STRUCT(self.server, self.lp, self.creds)
+ if ads.connect():
+ gpos = ads.get_gpo_list(self.creds.get_username())
+ check_refresh_gpo_list(self.server, self.lp, self.creds, gpos)
+
+ self.assertTrue(os.path.exists(cache),
+ 'GPO cache %s was not created' % cache)
+
+ guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
+ gpt_ini = os.path.join(cache, 'ADDOM.SAMBA.EXAMPLE.COM/POLICIES',
+ guid, 'GPT.INI')
+ self.assertTrue(os.path.exists(gpt_ini),
+ 'GPT.INI was not cached for %s' % guid)
+
+ def test_check_refresh_gpo_list_malicious_paths(self):
+ # the path cannot contain ..
+ path = '/usr/local/samba/var/locks/sysvol/../../../../../../root/'
+ self.assertRaises(OSError, check_safe_path, path)
+
+ self.assertEqual(check_safe_path('/etc/passwd'), 'etc/passwd')
+ self.assertEqual(check_safe_path('\\\\etc/\\passwd'), 'etc/passwd')
+
+ # there should be no backslashes used to delineate paths
+ before = 'sysvol/addom.samba.example.com\\Policies/' \
+ '{31B2F340-016D-11D2-945F-00C04FB984F9}\\GPT.INI'
+ after = 'addom.samba.example.com/Policies/' \
+ '{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI'
+ result = check_safe_path(before)
+ self.assertEquals(result, after, 'check_safe_path() didn\'t' \
+ ' correctly convert \\ to /')
+
|
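Review bot: The traversal case in `test_check_refresh_gpo_list_malicious_paths` exercises `..` only with forward slashes, although the same test shows `check_safe_path` rewriting backslashes to `/`. A backslash-separated `..` is therefore untested, so the test would not catch a `..` check that runs before separator normalisation. Assuming such input is meant to be rejected, a case like `self.assertRaises(OSError, check_safe_path, 'sysvol\\..\\..\\GPT.INI')` (constructed sample) would pin that order. Separately, in `test_check_refresh_gpo_list` the `if ads.connect():` guard lets the test carry on when the connection fails, so the later `assertTrue` calls either fail with a misleading "cache was not created" message or pass against a cache left by an earlier run. `self.assertTrue(ads.connect(), 'Failed to connect to ADS')` before the refresh would make that failure explicit.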