[SCM] Samba Shared Repository - branch v4-19-test updated
Jule Anger
janger at samba.org
Mon Feb 5 12:35:02 UTC 2024
The branch, v4-19-test has been updated
via 60514eb6836 python:gp: Fix logging with gp
via d3061f5e940 gpo: Do not get templates list on first run
via 90cf23e1cca gpo: Decode base64 root cert before importing
via a50016bc7ae gpo: Test certificate policy without NDES
via 41cd6b95d49 python: Fix invalid escape sequences
from 84020efb1fe smbd: use dirfsp and atname in open_directory()
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test
- Log -----------------------------------------------------------------
commit 60514eb68362ff883b7406fe03515d1439fb12a2
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jan 29 17:46:30 2024 +0100
python:gp: Fix logging with gp
This allows enabling INFO level logging with: `samba-gpupdate -d3`
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15558
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 145194071b10c4c1857f28fe79c57fd63ffab889)
Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Feb 5 12:34:12 UTC 2024 on atb-devel-224
commit d3061f5e9409b8a43363bb46fc81077b3b0cae9b
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date: Fri Jan 19 11:36:19 2024 +0200
gpo: Do not get templates list on first run
This is a visual fix and has no impact on functionality apart from
cleaner log messages.
The point of this is to get the list of supported templates in order to
compute a diff between the current applied templates and the updated
list, so we are able to unapply and reapply the policy in case there are
differences.
However this code path is executed on first applies as well, at which
point the root CA is not yet set up. This causes the
`get_supported_templates` call to fail, which is not a hard failure but
still pollutes the logs. In this case it's safe to avoid executing the
command as the policy will be applied regardless.
Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Jan 22 16:48:57 UTC 2024 on atb-devel-224
(cherry picked from commit 8579340fc540633c13c017d896034904a8dbd55c)
commit 90cf23e1ccab6cef426f4027ffd93496ab7666be
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date: Thu Jan 18 20:23:24 2024 +0200
gpo: Decode base64 root cert before importing
The reasoning behind this is described in the previous commit message,
but essentially this should either be wrapped in certificate blocks and
imported as PEM, or converted back to binary and imported as DER.
I've opted for the latter since it's how it used to work before it
regressed in 157335ee93e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557
Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 3f3ddfa699a33c2c8a59f7fb9ee044bb2a6e0e06)
commit a50016bc7aec83b21cb9ac15af29a35575c8c365
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date: Mon Jan 8 18:05:08 2024 +0200
gpo: Test certificate policy without NDES
As of 8231eaf856b, the NDES feature is no longer required on Windows, as
cert auto-enroll can use the certificate from the LDAP request.
However, 157335ee93e changed the implementation to convert the LDAP
certificate to base64 due to it failing to cleanly convert to a string.
Because of insufficient test coverage I missed handling the part where
NDES is disabled or not reachable and the LDAP certificate was imported.
The call to load_der_x509_certificate now fails with an error because it
expects binary data, yet it receives a base64 encoded string.
This adds a test to confirm the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557
Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0d1ff69936f18ea729fc11fbbb1569a833302572)
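The two commit messages above (the decode fix and the NDES-less test) describe the same defect: a `cACertificate` value that was stored as base64 text being handed to a DER loader. The following is an added example, not Samba's code, showing a defensive normaliser that accepts either form and checks the outer DER SEQUENCE header before anything is parsed; the sample bytes are constructed, and `normalize_ca_certificate` / `is_valid_ca_certificate` are names chosen here.

```python
import base64
import binascii


def der_sequence_length(data):
    """Parse the outer DER SEQUENCE header of ``data`` and return the total
    encoded length (header + content), or None if it is not a well-formed
    SEQUENCE header. Handles short form and long form (up to 4 length bytes).
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der(data):
    """True if ``data`` is exactly one complete DER SEQUENCE. An X.509
    Certificate is a SEQUENCE, and base64 text never starts with 0x30
    followed by a matching length, so this separates the two forms."""
    return der_sequence_length(data) == len(data)


def normalize_ca_certificate(value):
    """Return raw DER bytes for a cACertificate value that may arrive either
    as binary DER or as base64 text. Raises ValueError on anything else,
    instead of letting a DER parser fail on data of the wrong type."""
    if isinstance(value, str):
        try:
            value = value.encode("ascii")
        except UnicodeEncodeError as exc:
            raise ValueError("cACertificate text is not ASCII") from exc
    if is_der(value):
        return value                      # already binary, pass through
    try:
        # validate=True rejects characters outside the base64 alphabet
        # rather than silently discarding them.
        der = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("cACertificate is neither DER nor valid base64") from exc
    if not is_der(der):
        raise ValueError("base64 payload does not decode to a DER SEQUENCE")
    return der


def is_valid_ca_certificate(value):
    """Boolean wrapper around normalize_ca_certificate for callers that only
    want to know whether the value is usable."""
    try:
        normalize_ca_certificate(value)
    except ValueError:
        return False
    return True


# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 } stands in for a
# real certificate; SAMPLE_B64 is how the base64-converted attribute looked.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)  # b"MAMCAQU="

if __name__ == "__main__":
    print(normalize_ca_certificate(SAMPLE_B64) == SAMPLE_DER)
    print(normalize_ca_certificate(SAMPLE_DER) == SAMPLE_DER)
```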
commit 41cd6b95d49845a9c865ec0adfa30f775b6117ba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 25 13:56:21 2023 +1200
python: Fix invalid escape sequences
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b068592dd0dccce634cb17b66f0659ba60523908)
-----------------------------------------------------------------------
Summary of changes:
python/samba/gp/gp_cert_auto_enroll_ext.py | 14 ++-
python/samba/gp/util/logging.py | 5 +-
python/samba/graph.py | 2 +-
python/samba/tests/gpo.py | 192 +++++++++++++++++++++++------
python/samba/tests/samba_tool/gpo.py | 2 +-
5 files changed, 166 insertions(+), 49 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 08d1a7348cd..df3b472f5a9 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -217,10 +217,11 @@ def getca(ca, url, trust_dir):
' installed or not configured.')
if 'cACertificate' in ca:
log.warn('Installing the server certificate only.')
+ der_certificate = base64.b64decode(ca['cACertificate'])
try:
- cert = load_der_x509_certificate(ca['cACertificate'])
+ cert = load_der_x509_certificate(der_certificate)
except TypeError:
- cert = load_der_x509_certificate(ca['cACertificate'],
+ cert = load_der_x509_certificate(der_certificate,
default_backend())
cert_data = cert.public_bytes(Encoding.PEM)
with open(root_cert, 'wb') as w:
@@ -337,7 +338,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
def __str__(self):
- return 'Cryptography\AutoEnrollment'
+ return r'Cryptography\AutoEnrollment'
def unapply(self, guid, attribute, value):
ca_cn = base64.b64decode(attribute)
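Review bot: `r'Cryptography\AutoEnrollment'` is the right fix; `\A` is not a recognised escape, so the value was already correct, but the unescaped backslash triggers Python's invalid-escape warning (DeprecationWarning since 3.6, promoted to SyntaxWarning in 3.12), and raw strings are the cleanest way to keep these registry paths readable.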
@@ -358,7 +359,8 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
# If the policy has changed, unapply, then apply new policy
old_val = self.cache_get_attribute_value(guid, attribute)
old_data = json.loads(old_val) if old_val is not None else {}
- templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])]
+ templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] \
+ if old_val is not None else []
new_data = { 'templates': templates, **ca }
if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE:
self.unapply(guid, attribute, old_val)
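Review bot: with `templates` forced to `[]` when `old_val is None`, `new_data` on the first apply records an empty template list; if that `new_data` is what gets cached (the cache write is outside this hunk), the second run will compute the real list, `changed(new_data, old_data)` will be true, and the policy will be unapplied and reapplied once even though nothing changed. Either recompute `templates` after the root CA is set up on the first run, or ignore the `templates` key in the comparison when the cached value is empty. Stylistically, the backslash-continued conditional is hard to read; wrapping the whole expression in parentheses avoids the continuation line.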
@@ -389,7 +391,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
for gpo in changed_gpo_list:
if gpo.file_sys_path:
- section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
+ section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
pol_file = 'MACHINE/Registry.pol'
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
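Review bot: the literal `r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'` is duplicated here and in `rsop()` below; a module-level constant would let this one-line change land in one place and keep the two copies from drifting. The raw prefix does not change the value (`\P`, `\M`, `\C` and `\A` were never escape sequences), it only silences the warning.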
@@ -509,7 +511,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
def rsop(self, gpo):
output = {}
pol_file = 'MACHINE/Registry.pol'
- section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
+ section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
if gpo.file_sys_path:
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
diff --git a/python/samba/gp/util/logging.py b/python/samba/gp/util/logging.py
index a74a8707d50..c3de32825db 100644
--- a/python/samba/gp/util/logging.py
+++ b/python/samba/gp/util/logging.py
@@ -24,9 +24,10 @@ import gettext
import random
import sys
-logger = logging.getLogger()
+logger = logging.getLogger("gp")
+
+
def logger_init(name, log_level):
- logger = logging.getLogger(name)
logger.addHandler(logging.StreamHandler(sys.stdout))
logger.setLevel(logging.CRITICAL)
if log_level == 1:
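Review bot: this fixes a real shadowing bug: `logger = logging.getLogger(name)` inside `logger_init` bound a local variable, so the handler and level were applied to the `name` logger while the module's log calls went through the root logger created at import time, which is why `-d3` had no visible effect. Two follow-ups: the `name` parameter of `logger_init` is now unused in the visible code and should be dropped or documented, and `logger.addHandler(logging.StreamHandler(sys.stdout))` runs on every call, so calling `logger_init` twice produces duplicated lines; guarding it with `if not logger.handlers:` avoids that.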
diff --git a/python/samba/graph.py b/python/samba/graph.py
index 537dc661fb3..4c4a07f47ae 100644
--- a/python/samba/graph.py
+++ b/python/samba/graph.py
@@ -192,7 +192,7 @@ def compile_graph_key(key_items, nodes_above=None, elisions=None,
short = short[1:]
long = long[1:]
elision_str += ('\nelision%d[shape=plaintext; style=solid; '
- 'label="\“%s” means “%s”\\r"]\n'
+ 'label="\\“%s” means “%s”\\r"]\n'
% ((i, short, long)))
above_lines = []
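Review bot: the change from `\“` to `\\“` is correct: a backslash before a non-ASCII character is not an escape sequence, so the string already contained a literal backslash followed by the curly quote, and doubling it states the intent explicitly while removing the invalid-escape warning; it also matches the existing `\\r` at the end of the same DOT label. Since the literal contains a real `\n`, a raw string is not an option here, so the explicit `\\` is the right choice.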
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 580f3568de8..a6a33ea4ba1 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -102,17 +102,21 @@ def dummy_certificate():
# Dummy requests structure for Certificate Auto Enrollment
class dummy_requests(object):
- @staticmethod
- def get(url=None, params=None):
+ class exceptions(object):
+ ConnectionError = Exception
+
+ def __init__(self, want_exception=False):
+ self.want_exception = want_exception
+
+ def get(self, url=None, params=None):
+ if self.want_exception:
+ raise self.exceptions.ConnectionError
+
dummy = requests.Response()
dummy._content = dummy_certificate()
dummy.headers = {'Content-Type': 'application/x-x509-ca-cert'}
return dummy
- class exceptions(object):
- ConnectionError = Exception
-cae.requests = dummy_requests
-
realm = os.environ.get('REALM')
policies = realm + '/POLICIES'
realm = realm.lower()
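Review bot: removing the module-level `cae.requests = dummy_requests` means the patching now happens per test (`cae.requests = dummy_requests(...)` in the test bodies below) and is never undone, so whichever test ran last decides what `cae.requests` is for any test that does not set it, including tests in other modules that import `cae`. Consider installing the dummy in `setUp` and restoring the original in `tearDown` (or via `addCleanup`) so behaviour does not depend on test order. Making `get` an instance method with a `want_exception` flag is a clean way to simulate an unreachable endpoint; note that `ConnectionError = Exception` makes the dummy's exception class the base `Exception`, so a handler written for the real `requests` ConnectionError will also match any other exception raised by the dummy, which is fine for a test but deserves a comment.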
@@ -123,7 +127,7 @@ dspath = 'CN=Policies,CN=System,' + base_dn
gpt_data = '[General]\nVersion=%d'
gnome_test_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="26" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
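Review bot: switching `b"""` to `br"""` for these Registry.pol fixtures removes the invalid-escape warnings for `\P`, `\M`, `\C` and friends inside the embedded keys, but it also changes the meaning of every `\\` already in the literal (now two literal backslashes instead of one), which is why later hunks in this file rewrite `\\` to `\`; when reviewing, confirm that no `\n`, `\t` or `\"` inside these fixtures was being relied upon as an escape. The `%d`/`%s` placeholders are unaffected by the raw prefix.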
@@ -260,7 +264,7 @@ b"""
"""
auto_enroll_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="3" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
@@ -282,7 +286,7 @@ b"""
"""
auto_enroll_unchecked_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="3" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
@@ -304,7 +308,7 @@ b"""
"""
advanced_enroll_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="30" signature="PReg" version="1">
<Entry type="1" type_name="REG_SZ">
@@ -338,122 +342,122 @@ b"""
<Value>0</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>URL</ValueName>
<Value>LDAP:</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>PolicyID</ValueName>
<Value>%s</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>FriendlyName</ValueName>
<Value>Example</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>Flags</ValueName>
<Value>16</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>AuthFlags</ValueName>
<Value>2</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>Cost</ValueName>
<Value>2147483645</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>URL</ValueName>
<Value>https://example2.com/ADPolicyProvider_CEP_Certificate/service.svc/CEP</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>PolicyID</ValueName>
<Value>%s</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>FriendlyName</ValueName>
<Value>Example2</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>Flags</ValueName>
<Value>16</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>AuthFlags</ValueName>
<Value>8</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>Cost</ValueName>
<Value>10</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>URL</ValueName>
<Value>https://example0.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>PolicyID</ValueName>
<Value>%s</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>FriendlyName</ValueName>
<Value>Example0</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>Flags</ValueName>
<Value>16</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>AuthFlags</ValueName>
<Value>2</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>Cost</ValueName>
<Value>1</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>URL</ValueName>
<Value>https://example1.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>PolicyID</ValueName>
<Value>%s</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>FriendlyName</ValueName>
<Value>Example1</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>Flags</ValueName>
<Value>16</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>AuthFlags</ValueName>
<Value>2</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>Cost</ValueName>
<Value>1</Value>
</Entry>
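Review bot: these `\\<id>` to `\<id>` edits in the `PolicyServers` keys are the required counterpart of the `br"""` prefix: in a raw bytes literal `\\37c9...` would put two backslashes into the XML and the expected registry key would no longer match what the parser produces, whereas the single backslash encodes the same key as before. It is worth confirming that a test still compares these keys against parser output, since a fixture change that nothing asserts on would not catch a regression in either direction.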
@@ -2116,7 +2120,7 @@ firefox_json_expected = \
"""
chromium_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="418" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
@@ -3012,12 +3016,12 @@ b"""
<Entry type="1" type_name="REG_SZ">
<Key>Software\Policies\Google\Chrome</Key>
<ValueName>RestrictSigninToPattern</ValueName>
- <Value>.*@example\\.com</Value>
+ <Value>.*@example\.com</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
<Key>Software\Policies\Google\Chrome</Key>
<ValueName>RoamingProfileLocation</ValueName>
- <Value>${roaming_app_data}\\chrome-profile</Value>
+ <Value>${roaming_app_data}\chrome-profile</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
<Key>Software\Policies\Google\Chrome</Key>
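Review bot: `.*@example\.com` and `${roaming_app_data}\chrome-profile` keep the same bytes as before (a normal bytes literal turned `\\.` into one backslash, and a raw literal leaves `\.` alone), so this hunk is a pure no-op on the fixture value; the regex-escaped dot is what `RestrictSigninToPattern` expects, and it is right that the value was not altered further.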
@@ -3267,7 +3271,7 @@ b"""
<Entry type="1" type_name="REG_SZ">
<Key>Software\Policies\Google\Chrome\AlternativeBrowserParameters</Key>
<ValueName>5</ValueName>
- <Value>%HOME%\\browser_profile</Value>
+ <Value>%HOME%\browser_profile</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
<Key>Software\Policies\Google\Chrome\AudioCaptureAllowedUrls</Key>
@@ -4973,7 +4977,7 @@ b"""
"""
firewalld_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="6" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
@@ -6764,6 +6768,114 @@ class GPOTests(tests.TestCase):
# Unstage the Registry.pol file
unstage_file(reg_pol)
+ def test_gp_cert_auto_enroll_ext_without_ndes(self):
+ local_path = self.lp.cache_path('gpo_cache')
+ guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
+ reg_pol = os.path.join(local_path, policies, guid,
+ 'MACHINE/REGISTRY.POL')
+ cache_dir = self.lp.get('cache directory')
+ store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
+
+ machine_creds = Credentials()
+ machine_creds.guess(self.lp)
+ machine_creds.set_machine_account()
+
+ # Initialize the group policy extension
+ cae.requests = dummy_requests(want_exception=True)
+ ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds,
+ machine_creds.get_username(), store)
+
+ gpos = get_gpo_list(self.server, machine_creds, self.lp,
+ machine_creds.get_username())
+
+ # Stage the Registry.pol file with test data
+ parser = GPPolParser()
+ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip()))
+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+
+ # Write the dummy CA entry, Enrollment Services, and Templates Entries
+ admin_creds = Credentials()
+ admin_creds.set_username(os.environ.get('DC_USERNAME'))
+ admin_creds.set_password(os.environ.get('DC_PASSWORD'))
+ admin_creds.set_realm(os.environ.get('REALM'))
+ hostname = get_dc_hostname(machine_creds, self.lp)
+ url = 'ldap://%s' % hostname
+ ldb = Ldb(url=url, session_info=system_session(),
+ lp=self.lp, credentials=admin_creds)
+ # Write the dummy CA
+ confdn = 'CN=Public Key Services,CN=Services,CN=Configuration,%s' % base_dn
+ ca_cn = '%s-CA' % hostname.replace('.', '-')
+ certa_dn = 'CN=%s,CN=Certification Authorities,%s' % (ca_cn, confdn)
+ ldb.add({'dn': certa_dn,
+ 'objectClass': 'certificationAuthority',
+ 'authorityRevocationList': ['XXX'],
+ 'cACertificate': dummy_certificate(),
+ 'certificateRevocationList': ['XXX'],
+ })
+ # Write the dummy pKIEnrollmentService
+ enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn)
+ ldb.add({'dn': enroll_dn,
+ 'objectClass': 'pKIEnrollmentService',
+ 'cACertificate': dummy_certificate(),
+ 'certificateTemplates': ['Machine'],
+ 'dNSHostName': hostname,
+ })
+ # Write the dummy pKICertificateTemplate
+ template_dn = 'CN=Machine,CN=Certificate Templates,%s' % confdn
+ ldb.add({'dn': template_dn,
+ 'objectClass': 'pKICertificateTemplate',
+ })
+
+ with TemporaryDirectory() as dname:
+ try:
+ ext.process_group_policy([], gpos, dname, dname)
+ except Exception as e:
+ self.fail(str(e))
+
+ ca_crt = os.path.join(dname, '%s.crt' % ca_cn)
+ self.assertTrue(os.path.exists(ca_crt),
+ 'Root CA certificate was not requested')
+ machine_crt = os.path.join(dname, '%s.Machine.crt' % ca_cn)
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine certificate was not requested')
+ machine_key = os.path.join(dname, '%s.Machine.key' % ca_cn)
+ self.assertTrue(os.path.exists(machine_key),
+ 'Machine key was not generated')
+
+ # Verify RSOP does not fail
+ ext.rsop([g for g in gpos if g.name == guid][0])
+
+ # Check that a call to gpupdate --rsop also succeeds
+ ret = rsop(self.lp)
+ self.assertEqual(ret, 0, 'gpupdate --rsop failed!')
+
+ # Remove policy
+ gp_db = store.get_gplog(machine_creds.get_username())
+ del_gpos = get_deleted_gpos_list(gp_db, [])
+ ext.process_group_policy(del_gpos, [], dname)
+ self.assertFalse(os.path.exists(ca_crt),
+ 'Root CA certificate was not removed')
+ self.assertFalse(os.path.exists(machine_crt),
+ 'Machine certificate was not removed')
+ self.assertFalse(os.path.exists(machine_key),
+ 'Machine key was not removed')
+ out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate()
+ self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed')
+ out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate()
+ self.assertNotIn(b'Machine', out,
+ 'Machine certificate not removed')
+ self.assertNotIn(b'Workstation', out,
+ 'Workstation certificate not removed')
+
+ # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate
+ ldb.delete(certa_dn)
+ ldb.delete(enroll_dn)
+ ldb.delete(template_dn)
+
+ # Unstage the Registry.pol file
+ unstage_file(reg_pol)
+
def test_gp_cert_auto_enroll_ext(self):
local_path = self.lp.cache_path('gpo_cache')
guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
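Review bot: cleanup in `test_gp_cert_auto_enroll_ext_without_ndes` is not failure-safe: the three `ldb.add` calls, the staged `Registry.pol` and the `cae.requests = dummy_requests(want_exception=True)` patch are only undone by code at the end of the test, so any failed assertion in between leaves the CA, enrollment service and template objects in the directory and a dummy that raises `ConnectionError` in place for later tests. Registering `self.addCleanup(ldb.delete, certa_dn)` (and the same for the other two DNs and for `unstage_file`) right after each setup step would run the teardown regardless. Two smaller points: the removal call `ext.process_group_policy(del_gpos, [], dname)` passes one directory while the apply call passes `dname, dname`, so confirm the omitted argument defaults to the same location; and `Popen(['getcert', ...])` makes the test depend on certmonger's `getcert` being on PATH, which should be an explicit skip rather than a `FileNotFoundError` when it is absent.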
@@ -6777,6 +6889,7 @@ class GPOTests(tests.TestCase):
machine_creds.set_machine_account()
# Initialize the group policy extension
+ cae.requests = dummy_requests()
ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds,
machine_creds.get_username(), store)
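Review bot: `cae.requests = dummy_requests()` restores what the removed module-level assignment used to provide, but as a bare assignment it is never reverted; capturing the original first and registering `self.addCleanup(setattr, cae, 'requests', original)` keeps the other tests isolated. The same applies to the identical line in the next hunk.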
@@ -7241,6 +7354,7 @@ class GPOTests(tests.TestCase):
machine_creds.set_machine_account()
# Initialize the group policy extension
+ cae.requests = dummy_requests()
ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds,
machine_creds.get_username(), store)
diff --git a/python/samba/tests/samba_tool/gpo.py b/python/samba/tests/samba_tool/gpo.py
index e49944c204d..654f254de7d 100644
--- a/python/samba/tests/samba_tool/gpo.py
+++ b/python/samba/tests/samba_tool/gpo.py
@@ -1806,7 +1806,7 @@ class GpoCmdTestCase(SambaToolCmdTest):
'The test cse was not enabled')
self.assertIn('UserPolicy : False', out,
'The test cse should not have User policy enabled')
- cse_ext = re.findall('^UniqueGUID\s+:\s+(.*)', out)
+ cse_ext = re.findall(r'^UniqueGUID\s+:\s+(.*)', out)
self.assertEquals(len(cse_ext), 1,
'The test cse GUID was not found')
cse_ext = cse_ext[0]
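Review bot: the raw-string fix is correct (`\s` is an invalid escape outside a raw string, even though it survived as a literal backslash). While touching this block, `self.assertEquals` on the next line is the deprecated alias of `assertEqual` and was removed in Python 3.12; replacing it here avoids the next round of warnings.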
--
Samba Shared Repository