[SCM] Samba Shared Repository - branch v4-19-test updated

Jule Anger janger at samba.org
Mon Feb 5 12:35:02 UTC 2024


The branch, v4-19-test has been updated
       via  60514eb6836 python:gp: Fix logging with gp
       via  d3061f5e940 gpo: Do not get templates list on first run
       via  90cf23e1cca gpo: Decode base64 root cert before importing
       via  a50016bc7ae gpo: Test certificate policy without NDES
       via  41cd6b95d49 python: Fix invalid escape sequences
      from  84020efb1fe smbd: use dirfsp and atname in open_directory()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -----------------------------------------------------------------
commit 60514eb68362ff883b7406fe03515d1439fb12a2
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 29 17:46:30 2024 +0100

    python:gp: Fix logging with gp
    
    This allows enabling INFO level logging with: `samba-gpupdate -d3`
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15558
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 145194071b10c4c1857f28fe79c57fd63ffab889)
    
    Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-19-test): Mon Feb  5 12:34:12 UTC 2024 on atb-devel-224

commit d3061f5e9409b8a43363bb46fc81077b3b0cae9b
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Fri Jan 19 11:36:19 2024 +0200

    gpo: Do not get templates list on first run
    
    This is a visual fix and has no impact on functionality apart from
    cleaner log messages.
    
    The point of this is to get the list of supported templates in order to
    compute a diff between the current applied templates and the updated
    list, so we are able to unapply and reapply the policy in case there are
    differences.
    
    However this code path is executed on first applies as well, at which
    point the root CA is not yet set up. This causes the
    `get_supported_templates` call to fail, which is not a hard failure but
    still pollutes the logs. In this case it's safe to avoid executing the
    command as the policy will be applied regardless.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Jan 22 16:48:57 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 8579340fc540633c13c017d896034904a8dbd55c)

commit 90cf23e1ccab6cef426f4027ffd93496ab7666be
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Thu Jan 18 20:23:24 2024 +0200

    gpo: Decode base64 root cert before importing
    
    The reasoning behind this is described in the previous commit message,
    but essentially this should either be wrapped in certificate blocks and
    imported as PEM, or converted back to binary and imported as DER.
    
    I've opted for the latter since it's how it used to work before it
    regressed in 157335ee93e.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 3f3ddfa699a33c2c8a59f7fb9ee044bb2a6e0e06)

commit a50016bc7aec83b21cb9ac15af29a35575c8c365
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Mon Jan 8 18:05:08 2024 +0200

    gpo: Test certificate policy without NDES
    
    As of 8231eaf856b, the NDES feature is no longer required on Windows, as
    cert auto-enroll can use the certificate from the LDAP request.
    
    However, 157335ee93e changed the implementation to convert the LDAP
    certificate to base64 due to it failing to cleanly convert to a string.
    
    Because of insufficient test coverage I missed handling the part where
    NDES is disabled or not reachable and the LDAP certificate was imported.
    The call to load_der_x509_certificate now fails with an error because it
    expects binary data, yet it receives a base64 encoded string.
    
    This adds a test to confirm the issue.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 0d1ff69936f18ea729fc11fbbb1569a833302572)
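    As an added illustration of the DER-versus-base64 mismatch the two commit
    messages above describe (editor-supplied example code, not part of Samba's
    gp_cert_auto_enroll_ext or of this patch), the helper below accepts DER
    bytes, PEM text or a bare base64 string and returns DER bytes, refusing
    anything that does not frame as an ASN.1 SEQUENCE. It uses only the Python
    standard library; SAMPLE_DER is a constructed minimal SEQUENCE standing in
    for a certificate, not a real certificate, and the actual X.509 parse is
    still the load_der_x509_certificate() call from the cryptography package,
    which such a helper would feed.

```python
import base64
import binascii
import re

# Constructed stand-in for the bytes a DER certificate begins with: one
# top-level SEQUENCE holding a single INTEGER (5). A real X.509 certificate
# is far longer, but it has the same 0x30 SEQUENCE framing checked below.
# SAMPLE_B64 models the base64 text that ended up in the LDAP attribute;
# SAMPLE_PEM is the same material with PEM armour.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 +
              "\n-----END CERTIFICATE-----\n")

_PEM_BODY = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def der_sequence_length(data):
    """Return the encoded length of data if it is exactly one DER SEQUENCE.

    Returns None when the leading tag is not SEQUENCE (0x30), when the
    length octets are malformed, or when the declared length does not
    match len(data). This is a framing check only; it does not parse the
    certificate fields themselves.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length in one octet
        header, length = 2, first
    else:                                 # long form: 0x8N, then N octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        header = 2 + n
        length = int.from_bytes(data[2:header], "big")
    total = header + length
    return total if total == len(data) else None


def is_der(data):
    """True if data is one well-framed DER SEQUENCE (what a DER loader wants)."""
    return der_sequence_length(data) is not None


def to_der(cert):
    """Normalise DER bytes, PEM text or bare base64 into DER bytes.

    Raises ValueError if none of the three forms yields a well-framed DER
    SEQUENCE. Base64 of any DER SEQUENCE starts with 'M' (0x30's top six
    bits are 001100 = 12), which is the quick tell in a log that a value
    meant to be DER is still base64 text.
    """
    if isinstance(cert, str):
        cert = cert.encode("ascii")
    if is_der(cert):
        return cert
    match = _PEM_BODY.search(cert)
    body = match.group(1) if match else cert
    body = b"".join(body.split())         # drop line breaks and whitespace
    try:
        # validate=True makes stray bytes an error instead of silently
        # dropping them, unlike the default b64decode() behaviour.
        decoded = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("neither DER, PEM nor base64: %r" % cert[:16]) from exc
    if not is_der(decoded):
        raise ValueError("base64 decoded, but payload is not a DER SEQUENCE")
    return decoded


def rejects(value):
    """True if to_der() refuses value; used to exercise the failure path."""
    try:
        to_der(value)
    except ValueError:
        return True
    return False
```

    Fed the base64 string the commit message describes, to_der() returns the
    DER bytes the loader expects; fed raw DER it passes the bytes through
    unchanged, so a caller does not need to know which form the directory
    handed back.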

commit 41cd6b95d49845a9c865ec0adfa30f775b6117ba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 25 13:56:21 2023 +1200

    python: Fix invalid escape sequences
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b068592dd0dccce634cb17b66f0659ba60523908)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/gp/gp_cert_auto_enroll_ext.py |  14 ++-
 python/samba/gp/util/logging.py            |   5 +-
 python/samba/graph.py                      |   2 +-
 python/samba/tests/gpo.py                  | 192 +++++++++++++++++++++++------
 python/samba/tests/samba_tool/gpo.py       |   2 +-
 5 files changed, 166 insertions(+), 49 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 08d1a7348cd..df3b472f5a9 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -217,10 +217,11 @@ def getca(ca, url, trust_dir):
                  ' installed or not configured.')
         if 'cACertificate' in ca:
             log.warn('Installing the server certificate only.')
+            der_certificate = base64.b64decode(ca['cACertificate'])
             try:
-                cert = load_der_x509_certificate(ca['cACertificate'])
+                cert = load_der_x509_certificate(der_certificate)
             except TypeError:
-                cert = load_der_x509_certificate(ca['cACertificate'],
+                cert = load_der_x509_certificate(der_certificate,
                                                  default_backend())
             cert_data = cert.public_bytes(Encoding.PEM)
             with open(root_cert, 'wb') as w:
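Review bot: base64.b64decode() at `der_certificate = base64.b64decode(ca['cACertificate'])` runs with the default validate=False, so non-alphabet bytes are silently discarded and only a padding problem raises binascii.Error, which the following try/except (catching TypeError only) does not handle; if cACertificate ever arrives as raw DER again the decode would either produce garbage or raise an uncaught exception. Suggest `base64.b64decode(ca['cACertificate'], validate=True)` inside the try with a log.error on binascii.Error, or checking for the leading 0x30 SEQUENCE tag and skipping the decode when the value is already DER.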
@@ -337,7 +338,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
 
 class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
     def __str__(self):
-        return 'Cryptography\AutoEnrollment'
+        return r'Cryptography\AutoEnrollment'
 
     def unapply(self, guid, attribute, value):
         ca_cn = base64.b64decode(attribute)
@@ -358,7 +359,8 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
         # If the policy has changed, unapply, then apply new policy
         old_val = self.cache_get_attribute_value(guid, attribute)
         old_data = json.loads(old_val) if old_val is not None else {}
-        templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])]
+        templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] \
+            if old_val is not None else []
         new_data = { 'templates': templates, **ca }
         if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE:
             self.unapply(guid, attribute, old_val)
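Review bot: the conditional tail `if old_val is not None else []` hangs off a list comprehension across a backslash continuation and reads as if it guards the loop variable `t`; parenthesise it, `templates = ([...] if old_val is not None else [])`, and add a comment that the CA is not installed yet on first apply. Also, if new_data is what gets cached after a successful apply (not shown in this hunk), the empty list stored on first run will differ from the populated list fetched on the next run, so changed(new_data, old_data) would force one extra unapply/reapply cycle; worth confirming that is acceptable.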
@@ -389,7 +391,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
 
         for gpo in changed_gpo_list:
             if gpo.file_sys_path:
-                section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
+                section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
                 pol_file = 'MACHINE/Registry.pol'
                 path = os.path.join(gpo.file_sys_path, pol_file)
                 pol_conf = self.parse(path)
@@ -509,7 +511,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
     def rsop(self, gpo):
         output = {}
         pol_file = 'MACHINE/Registry.pol'
-        section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
+        section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
         if gpo.file_sys_path:
             path = os.path.join(gpo.file_sys_path, pol_file)
             pol_conf = self.parse(path)
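Review bot: the literal r'Software\Policies\Microsoft\Cryptography\AutoEnrollment' now appears twice in this file (process_group_policy and rsop) and __str__ repeats its tail; a module-level constant would keep the three in step for the raw-string conversion and any future path change.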
diff --git a/python/samba/gp/util/logging.py b/python/samba/gp/util/logging.py
index a74a8707d50..c3de32825db 100644
--- a/python/samba/gp/util/logging.py
+++ b/python/samba/gp/util/logging.py
@@ -24,9 +24,10 @@ import gettext
 import random
 import sys
 
-logger = logging.getLogger()
+logger = logging.getLogger("gp")
+
+
 def logger_init(name, log_level):
-    logger = logging.getLogger(name)
     logger.addHandler(logging.StreamHandler(sys.stdout))
     logger.setLevel(logging.CRITICAL)
     if log_level == 1:
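Review bot: with the logger moved to module scope as logging.getLogger("gp"), the `name` parameter of logger_init() is no longer used, so callers passing it get no effect; either drop the parameter or document that it is ignored. Also, logger.addHandler(logging.StreamHandler(sys.stdout)) runs on every call, so a second logger_init() call doubles each log line; a guard such as `if not logger.handlers:` avoids that.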
diff --git a/python/samba/graph.py b/python/samba/graph.py
index 537dc661fb3..4c4a07f47ae 100644
--- a/python/samba/graph.py
+++ b/python/samba/graph.py
@@ -192,7 +192,7 @@ def compile_graph_key(key_items, nodes_above=None, elisions=None,
                 short = short[1:]
                 long = long[1:]
             elision_str += ('\nelision%d[shape=plaintext; style=solid; '
-                            'label="\“%s”  means  “%s”\\r"]\n'
+                            'label="\\“%s”  means  “%s”\\r"]\n'
                             % ((i, short, long)))
 
     above_lines = []
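Review bot: no behavioural change here: '\“' was never a recognised escape, so Python already kept the backslash and the emitted graphviz label was the same text; the edit only silences the invalid-escape warning and is safe to merge.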
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 580f3568de8..a6a33ea4ba1 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -102,17 +102,21 @@ def dummy_certificate():
 
 # Dummy requests structure for Certificate Auto Enrollment
 class dummy_requests(object):
-    @staticmethod
-    def get(url=None, params=None):
+    class exceptions(object):
+        ConnectionError = Exception
+
+    def __init__(self, want_exception=False):
+        self.want_exception = want_exception
+
+    def get(self, url=None, params=None):
+        if self.want_exception:
+            raise self.exceptions.ConnectionError
+
         dummy = requests.Response()
         dummy._content = dummy_certificate()
         dummy.headers = {'Content-Type': 'application/x-x509-ca-cert'}
         return dummy
 
-    class exceptions(object):
-        ConnectionError = Exception
-cae.requests = dummy_requests
-
 realm = os.environ.get('REALM')
 policies = realm + '/POLICIES'
 realm = realm.lower()
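Review bot: with the module-level `cae.requests = dummy_requests` removed, any test that constructs gp_cert_auto_enroll_ext without first assigning cae.requests now calls the real requests module and may reach the network. Two tests below are updated and the new test sets want_exception=True; consider doing the assignment in setUp() with addCleanup() to restore the original, so the patch cannot be forgotten and does not leak between tests.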
@@ -123,7 +127,7 @@ dspath = 'CN=Policies,CN=System,' + base_dn
 gpt_data = '[General]\nVersion=%d'
 
 gnome_test_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="26" signature="PReg" version="1">
     <Entry type="4" type_name="REG_DWORD">
@@ -260,7 +264,7 @@ b"""
 """
 
 auto_enroll_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="3" signature="PReg" version="1">
         <Entry type="4" type_name="REG_DWORD">
@@ -282,7 +286,7 @@ b"""
 """
 
 auto_enroll_unchecked_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="3" signature="PReg" version="1">
         <Entry type="4" type_name="REG_DWORD">
@@ -304,7 +308,7 @@ b"""
 """
 
 advanced_enroll_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="30" signature="PReg" version="1">
     <Entry type="1" type_name="REG_SZ">
@@ -338,122 +342,122 @@ b"""
         <Value>0</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>URL</ValueName>
         <Value>LDAP:</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>PolicyID</ValueName>
         <Value>%s</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>FriendlyName</ValueName>
         <Value>Example</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>Flags</ValueName>
         <Value>16</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>AuthFlags</ValueName>
         <Value>2</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>Cost</ValueName>
         <Value>2147483645</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
         <ValueName>URL</ValueName>
         <Value>https://example2.com/ADPolicyProvider_CEP_Certificate/service.svc/CEP</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
         <ValueName>PolicyID</ValueName>
         <Value>%s</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
         <ValueName>FriendlyName</ValueName>
         <Value>Example2</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
         <ValueName>Flags</ValueName>
         <Value>16</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
         <ValueName>AuthFlags</ValueName>
         <Value>8</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
         <ValueName>Cost</ValueName>
         <Value>10</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
         <ValueName>URL</ValueName>
         <Value>https://example0.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
         <ValueName>PolicyID</ValueName>
         <Value>%s</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
         <ValueName>FriendlyName</ValueName>
         <Value>Example0</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
         <ValueName>Flags</ValueName>
         <Value>16</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
         <ValueName>AuthFlags</ValueName>
         <Value>2</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
         <ValueName>Cost</ValueName>
         <Value>1</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
         <ValueName>URL</ValueName>
         <Value>https://example1.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
         <ValueName>PolicyID</ValueName>
         <Value>%s</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
         <ValueName>FriendlyName</ValueName>
         <Value>Example1</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
         <ValueName>Flags</ValueName>
         <Value>16</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
         <ValueName>AuthFlags</ValueName>
         <Value>2</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
         <ValueName>Cost</ValueName>
         <Value>1</Value>
     </Entry>
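Review bot: the `\\37c9...`, `\\14bd...` and `\\20d4...` doubling was needed in the old non-raw bytes literal because `\37`, `\14` and `\20` are octal escapes (0x1F, 0x0C, 0x10), while `\\855...` was only doubled for consistency since `\8` is not an escape; with br""" all four keys are now the literal `PolicyServers\<sha1>` path. Fine as is; a comment above advanced_enroll_reg_pol noting the raw literal is deliberate would stop someone reverting it.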
@@ -2116,7 +2120,7 @@ firefox_json_expected = \
 """
 
 chromium_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="418" signature="PReg" version="1">
     <Entry type="4" type_name="REG_DWORD">
@@ -3012,12 +3016,12 @@ b"""
     <Entry type="1" type_name="REG_SZ">
         <Key>Software\Policies\Google\Chrome</Key>
         <ValueName>RestrictSigninToPattern</ValueName>
-        <Value>.*@example\\.com</Value>
+        <Value>.*@example\.com</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
         <Key>Software\Policies\Google\Chrome</Key>
         <ValueName>RoamingProfileLocation</ValueName>
-        <Value>${roaming_app_data}\\chrome-profile</Value>
+        <Value>${roaming_app_data}\chrome-profile</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
         <Key>Software\Policies\Google\Chrome</Key>
@@ -3267,7 +3271,7 @@ b"""
     <Entry type="1" type_name="REG_SZ">
         <Key>Software\Policies\Google\Chrome\AlternativeBrowserParameters</Key>
         <ValueName>5</ValueName>
-        <Value>%HOME%\\browser_profile</Value>
+        <Value>%HOME%\browser_profile</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
         <Key>Software\Policies\Google\Chrome\AudioCaptureAllowedUrls</Key>
@@ -4973,7 +4977,7 @@ b"""
 """
 
 firewalld_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="6" signature="PReg" version="1">
     <Entry type="4" type_name="REG_DWORD">
@@ -6764,6 +6768,114 @@ class GPOTests(tests.TestCase):
         # Unstage the Registry.pol file
         unstage_file(reg_pol)
 
+    def test_gp_cert_auto_enroll_ext_without_ndes(self):
+        local_path = self.lp.cache_path('gpo_cache')
+        guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
+        reg_pol = os.path.join(local_path, policies, guid,
+                               'MACHINE/REGISTRY.POL')
+        cache_dir = self.lp.get('cache directory')
+        store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
+
+        machine_creds = Credentials()
+        machine_creds.guess(self.lp)
+        machine_creds.set_machine_account()
+
+        # Initialize the group policy extension
+        cae.requests = dummy_requests(want_exception=True)
+        ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds,
+                                          machine_creds.get_username(), store)
+
+        gpos = get_gpo_list(self.server, machine_creds, self.lp,
+                            machine_creds.get_username())
+
+        # Stage the Registry.pol file with test data
+        parser = GPPolParser()
+        parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip()))
+        ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+        self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+
+        # Write the dummy CA entry, Enrollment Services, and Templates Entries
+        admin_creds = Credentials()
+        admin_creds.set_username(os.environ.get('DC_USERNAME'))
+        admin_creds.set_password(os.environ.get('DC_PASSWORD'))
+        admin_creds.set_realm(os.environ.get('REALM'))
+        hostname = get_dc_hostname(machine_creds, self.lp)
+        url = 'ldap://%s' % hostname
+        ldb = Ldb(url=url, session_info=system_session(),
+                  lp=self.lp, credentials=admin_creds)
+        # Write the dummy CA
+        confdn = 'CN=Public Key Services,CN=Services,CN=Configuration,%s' % base_dn
+        ca_cn = '%s-CA' % hostname.replace('.', '-')
+        certa_dn = 'CN=%s,CN=Certification Authorities,%s' % (ca_cn, confdn)
+        ldb.add({'dn': certa_dn,
+                 'objectClass': 'certificationAuthority',
+                 'authorityRevocationList': ['XXX'],
+                 'cACertificate': dummy_certificate(),
+                 'certificateRevocationList': ['XXX'],
+                })
+        # Write the dummy pKIEnrollmentService
+        enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn)
+        ldb.add({'dn': enroll_dn,
+                 'objectClass': 'pKIEnrollmentService',
+                 'cACertificate': dummy_certificate(),
+                 'certificateTemplates': ['Machine'],
+                 'dNSHostName': hostname,
+                })
+        # Write the dummy pKICertificateTemplate
+        template_dn = 'CN=Machine,CN=Certificate Templates,%s' % confdn
+        ldb.add({'dn': template_dn,
+                 'objectClass': 'pKICertificateTemplate',
+                })
+
+        with TemporaryDirectory() as dname:
+            try:
+                ext.process_group_policy([], gpos, dname, dname)
+            except Exception as e:
+                self.fail(str(e))
+
+            ca_crt = os.path.join(dname, '%s.crt' % ca_cn)
+            self.assertTrue(os.path.exists(ca_crt),
+                            'Root CA certificate was not requested')
+            machine_crt = os.path.join(dname, '%s.Machine.crt' % ca_cn)
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine certificate was not requested')
+            machine_key = os.path.join(dname, '%s.Machine.key' % ca_cn)
+            self.assertTrue(os.path.exists(machine_key),
+                            'Machine key was not generated')
+
+            # Verify RSOP does not fail
+            ext.rsop([g for g in gpos if g.name == guid][0])
+
+            # Check that a call to gpupdate --rsop also succeeds
+            ret = rsop(self.lp)
+            self.assertEqual(ret, 0, 'gpupdate --rsop failed!')
+
+            # Remove policy
+            gp_db = store.get_gplog(machine_creds.get_username())
+            del_gpos = get_deleted_gpos_list(gp_db, [])
+            ext.process_group_policy(del_gpos, [], dname)
+            self.assertFalse(os.path.exists(ca_crt),
+                            'Root CA certificate was not removed')
+            self.assertFalse(os.path.exists(machine_crt),
+                            'Machine certificate was not removed')
+            self.assertFalse(os.path.exists(machine_key),
+                            'Machine key was not removed')
+            out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate()
+            self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed')
+            out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate()
+            self.assertNotIn(b'Machine', out,
+                             'Machine certificate not removed')
+            self.assertNotIn(b'Workstation', out,
+                             'Workstation certificate not removed')
+
+        # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate
+        ldb.delete(certa_dn)
+        ldb.delete(enroll_dn)
+        ldb.delete(template_dn)
+
+        # Unstage the Registry.pol file
+        unstage_file(reg_pol)
+
     def test_gp_cert_auto_enroll_ext(self):
         local_path = self.lp.cache_path('gpo_cache')
         guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
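Review bot: test_gp_cert_auto_enroll_ext_without_ndes duplicates essentially all of test_gp_cert_auto_enroll_ext below, the only difference being `cae.requests = dummy_requests(want_exception=True)`; factoring the body into a helper that takes the dummy_requests instance would keep the two in step. Also, the apply call passes four arguments, `ext.process_group_policy([], gpos, dname, dname)`, while the removal passes three, `ext.process_group_policy(del_gpos, [], dname)`; worth confirming the asymmetry is intentional. The `getcert list-cas` and `getcert list` calls also assume certmonger is installed in the test environment.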
@@ -6777,6 +6889,7 @@ class GPOTests(tests.TestCase):
         machine_creds.set_machine_account()
 
         # Initialize the group policy extension
+        cae.requests = dummy_requests()
         ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds,
                                           machine_creds.get_username(), store)
 
@@ -7241,6 +7354,7 @@ class GPOTests(tests.TestCase):
         machine_creds.set_machine_account()
 
         # Initialize the group policy extension
+        cae.requests = dummy_requests()
         ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds,
                                           machine_creds.get_username(), store)
 
diff --git a/python/samba/tests/samba_tool/gpo.py b/python/samba/tests/samba_tool/gpo.py
index e49944c204d..654f254de7d 100644
--- a/python/samba/tests/samba_tool/gpo.py
+++ b/python/samba/tests/samba_tool/gpo.py
@@ -1806,7 +1806,7 @@ class GpoCmdTestCase(SambaToolCmdTest):
                           'The test cse was not enabled')
             self.assertIn('UserPolicy         : False', out,
                           'The test cse should not have User policy enabled')
-            cse_ext = re.findall('^UniqueGUID\s+:\s+(.*)', out)
+            cse_ext = re.findall(r'^UniqueGUID\s+:\s+(.*)', out)
             self.assertEquals(len(cse_ext), 1,
                               'The test cse GUID was not found')
             cse_ext = cse_ext[0]
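Review bot: assertEquals on the line after the regex is the deprecated alias of assertEqual and was removed in Python 3.12, so this test raises AttributeError there; change it to self.assertEqual. Separately, `re.findall(r'^UniqueGUID\s+:\s+(.*)', out)` is called without re.MULTILINE, so `^` only matches at the very start of `out`; if the UniqueGUID line is not the first line of the output the findall returns nothing, so pass flags=re.M if a match on any line is intended.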


-- 
Samba Shared Repository


