From 10f61cd39b9e03e7bb781edf04022ea6ae1f1cac Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 29 Jun 2020 16:55:33 +0300
Subject: selftest: add tests for net-ads over TLS

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 selftest/knownfail.d/net_ads_ntlm_fallback | 10 ++++
 selftest/knownfail.d/net_ads_tls           |  1 +
 source4/selftest/tests.py                  |  8 ++++
 testprogs/blackbox/test_net_ads_base.sh    | 76 ++++++++++++++++++++++++++++++
 4 files changed, 95 insertions(+)
 create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
 create mode 100644 selftest/knownfail.d/net_ads_tls
 create mode 100755 testprogs/blackbox/test_net_ads_base.sh

diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
new file mode 100644
index 00000000000..b16a39d134d
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_ntlm_fallback
@@ -0,0 +1,10 @@
+# net-ads commands that fail with: --option=gensec:gse_krb5=no
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
new file mode 100644
index 00000000000..251c948b6a9
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_tls
@@ -0,0 +1 @@
+^samba4.blackbox.net_ads_tls
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 0e219f94d04..588586e39b3 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -544,6 +544,12 @@ plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:clien
 plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
 plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
 
+for nomech in ["none", "gse_krb5", "ntlmssp"]:
+    # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
+    plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
+    plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
+    plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
+
 if have_gnutls_crypto_policies:
     plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
 
@@ -554,6 +560,8 @@ if have_gnutls_crypto_policies:
     t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD"
     plantestsuite("samba3.wbinfo_simple.fips.%s" % t, "ad_member_fips:local", [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t])
     plantestsuite("samba4.wbinfo_name_lookup.fips", "ad_member_fips", [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_name_lookup.sh"), '$DOMAIN', '$REALM', '$DC_USERNAME'])
+    for nomech in ["none", "ntlmssp"]:
+        plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc_fips:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
 
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
 # json tests hook into ``chgdcpass'' to make them run in contributor CI on
diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
new file mode 100755
index 00000000000..59e3da67a7f
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_base.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+TLS_MODE=$4
+NO_MECH=$5
+BASEDIR=$6
+shift 6
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
+LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
+sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+
+xoptions=""
+if [ $TLS_MODE != "no" ]; then
+	xoptions="--option=ldapsslads=yes"
+fi
+
+if [ $NO_MECH != "none" ]; then
+	xoptions="$xoptions --option=gensec:$NO_MECH=no"
+fi
+
+if [ $TLS_MODE = "noverify" ]; then
+	export LDAPTLS_REQCERT=allow
+fi
+
+net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
+
+testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
+
+testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
+
+tls_log="StartTLS issued: using a TLS connection"
+opt="-d3 --option=ldapssl=off"
+if [ $TLS_MODE != "no" ]; then
+	testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
+fi
+
+testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
+
+testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
-- 
cgit v1.2.1