authorGary Lockyer <gary@catalyst.net.nz>2017-12-15 07:17:54 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-12-18 00:10:16 +0100
commitb29ab3a0c16b2f1abed89b41c92c446e8fe59f9b (patch)
tree93bbaff98856212d4fa393191612c60eab1e36e4 /source4/selftest/tests.py
parente5ce0a4d73a196ee4c92b68eb744434cfcf942ec (diff)
tests dsdb encrypted secrets module
Add tests to check that the encrypted_secrets module encrypts secrets/sensitive attributes on disk. This test also proves that the provision and join operations correctly configure the encrypted_secrets module. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/selftest/tests.py')
-rwxr-xr-xsource4/selftest/tests.py15
1 files changed, 15 insertions, 0 deletions
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index a582e0d29ae..1c5714d8a7f 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -682,6 +682,21 @@ planoldpythontestsuite("fl2003dc:local",
planoldpythontestsuite("ad_dc",
"samba.tests.password_hash_ldap",
extra_args=['-U"$USERNAME%$PASSWORD"'])
+# Encrypted secrets
+# ensure default provision (ad_dc) and join (vampire_dc)
+# encrypt secret values on disk.
+planoldpythontestsuite("ad_dc:local",
+ "samba.tests.encrypted_secrets",
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
+planoldpythontestsuite("vampire_dc:local",
+ "samba.tests.encrypted_secrets",
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
+# The fl2000dc environment is provisioned with the --plaintext_secrets option
+# so this test will fail, which proves the secrets are not being encrypted.
+# There is an entry in known_fail.d.
+planoldpythontestsuite("fl2000dc:local",
+ "samba.tests.encrypted_secrets",
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.lsa_string")
planoldpythontestsuite("ad_dc_ntvfs",