[SCM] Samba Shared Repository - branch v4-19-test updated

Jule Anger janger at samba.org
Mon Jan 15 11:12:01 UTC 2024


The branch, v4-19-test has been updated
       via  df025598884 python:gp: Print a nice message if cepces-submit can't be found
       via  de32d94ca87 gp: Send list of keys instead of dict to remove
       via  93735e8a9b0 gp: Test disabled enrollment unapplies policy
       via  28b1fe5eac4 gp: Template changes should invalidate cache
       via  dfbe7494683 gp: Test adding new cert templates enforces changes
       via  6dba94a3ab0 gp: Convert CA certificates to base64
       via  9db01a2c729 gp: Test with binary content for certificate data
       via  0dd51b02e8f gp: Change root cert extension suffix
       via  f9975df8414 gp: Support update-ca-trust helper
       via  9ab2eb21141 gp: Support more global trust directories
      from  cfbaab5654c smbd: move access override for previous versions to the SMB layer

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -----------------------------------------------------------------
commit df025598884d28bdf2fc436cd46cbd04395ea4c7
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 9 08:50:01 2024 +0100

    python:gp: Print a nice message if cepces-submit can't be found
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit 8eb42425a8eb1b30ca0e94dfc01d8175ae5cde4b)
    
    Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-19-test): Mon Jan 15 11:11:31 UTC 2024 on atb-devel-224

commit de32d94ca87f39c3227c7e997f55bb707fb4fffd
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Wed Aug 16 12:33:59 2023 +0300

    gp: Send list of keys instead of dict to remove
    
    `cache_get_all_attribute_values` returns a dict whereas we need to pass
    a list of keys to `remove`. These will be interpolated in the gpdb search.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224
    
    (cherry picked from commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a)

commit 93735e8a9b018209abbe16721ad9d37b3bf74bde
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Fri Aug 18 17:26:59 2023 +0300

    gp: Test disabled enrollment unapplies policy
    
    For this we need to stage a Registry.pol file with certificate
    autoenrollment enabled, but with checkboxes unticked.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit ee814f7707a8ddef2657212cd6d31799501b7bb3)

commit 28b1fe5eac4a42e478ea7eb81a755de206ecbda4
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Wed Aug 16 12:37:17 2023 +0300

    gp: Template changes should invalidate cache
    
    If certificate templates are added or removed, the autoenroll extension
    should react to this and reapply the policy. Previously this wasn't
    taken into account.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1)

commit dfbe7494683974b839b2c8083b7eb45cba0a6829
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Fri Aug 18 17:16:23 2023 +0300

    gp: Test adding new cert templates enforces changes
    
    Ensure that cepces-submit reporting additional templates and re-applying
    will enforce the updated policy.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit 2d6943a864405f324c467e8c3464c31ac08457b0)

commit 6dba94a3ab0e1e5bebeaaac0a9f9498146414a75
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Wed Aug 16 12:20:11 2023 +0300

    gp: Convert CA certificates to base64
    
    I don't know whether this applies universally, but in our case the
    contents of `es['cACertificate'][0]` are binary, so cleanly converting
    to a string fails with the following:
    
    'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte
    
    We found a fix to be encoding the certificate to base64 when
    constructing the CA list.
    
    Section 4.4.5.2 of MS-CAESO also suggests that the content of
    `cACertificate` is binary (OCTET string).
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit 157335ee93eb866f9b6a47486a5668d6e76aced5)

commit 9db01a2c7291493a3f20987e53b1e688123a246a
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Fri Aug 18 17:06:43 2023 +0300

    gp: Test with binary content for certificate data
    
    This fails all GPO-related tests that call `gpupdate --rsop`.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70)

commit 0dd51b02e8f2e44ce8bb41feda9bc83c7214f972
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Fri Aug 11 18:46:42 2023 +0300

    gp: Change root cert extension suffix
    
    On Ubuntu, certificates must end in '.crt' in order to be considered by
    the `update-ca-certificates` helper.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit bce3a89204545dcab5fb39a712590f6e166f997b)

commit f9975df8414cab23c486e5e1c299f49879b8b65e
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Thu Aug 17 01:09:28 2023 +0300

    gp: Support update-ca-trust helper
    
    This is used on RHEL/Fedora instead of update-ca-certificates. They
    behave similarly so it's enough to change the command name.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit fa80d1d86439749c44e60cf9075e84dc9ed3c268)

commit 9ab2eb21141aa23ef5a28b497bf8241db7565788
Author: Gabriel Nagy <gabriel.nagy at canonical.com>
Date:   Thu Aug 17 01:05:54 2023 +0300

    gp: Support more global trust directories
    
    In addition to the SUSE global trust directory, add support for RHEL and
    Debian-based distributions (including Ubuntu).
    
    To determine the correct directory to use, we iterate over the variants
    and stop at the first which is a directory.
    
    In case none is found, fallback to the first option which will produce a
    warning as it did previously.
    
    Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: David Mulder <dmulder at samba.org>
    (cherry picked from commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/gp/gp_cert_auto_enroll_ext.py |  67 ++++++++++++------
 python/samba/tests/bin/cepces-submit       |   3 +-
 python/samba/tests/gpo.py                  | 110 +++++++++++++++++++++++++++--
 3 files changed, 152 insertions(+), 28 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 312c8ddf467..08d1a7348cd 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -45,10 +45,12 @@ cert_wrap = b"""
 -----BEGIN CERTIFICATE-----
 %s
 -----END CERTIFICATE-----"""
-global_trust_dir = '/etc/pki/trust/anchors'
 endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \
               '_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP'
 
+global_trust_dirs = ['/etc/pki/trust/anchors',           # SUSE
+                     '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora
+                     '/usr/local/share/ca-certificates'] # Debian/Ubuntu
 
 def octet_string_to_objectGUID(data):
     """Convert an octet string to an objectGUID."""
@@ -156,7 +158,7 @@ def fetch_certification_authorities(ldb):
     for es in res:
         data = { 'name': get_string(es['cn'][0]),
                  'hostname': get_string(es['dNSHostName'][0]),
-                 'cACertificate': get_string(es['cACertificate'][0])
+                 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0]))
                }
         result.append(data)
     return result
@@ -174,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None):
         return {'msPKI-Minimal-Key-Size': ['2048']}
 
 def format_root_cert(cert):
-    cert = base64.b64encode(cert.encode())
-    return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL)
+    return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL)
 
 def find_cepces_submit():
     certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger',
@@ -184,17 +185,19 @@ def find_cepces_submit():
 
 def get_supported_templates(server):
     cepces_submit = find_cepces_submit()
-    if os.path.exists(cepces_submit):
-        env = os.environ
-        env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
-        p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
-                       env=env, stdout=PIPE, stderr=PIPE)
-        out, err = p.communicate()
-        if p.returncode != 0:
-            data = { 'Error': err.decode() }
-            log.error('Failed to fetch the list of supported templates.', data)
-        return out.strip().split()
-    return []
+    if not cepces_submit or not os.path.exists(cepces_submit):
+        log.error('Failed to find cepces-submit')
+        return []
+
+    env = os.environ
+    env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
+    p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
+              env=env, stdout=PIPE, stderr=PIPE)
+    out, err = p.communicate()
+    if p.returncode != 0:
+        data = {'Error': err.decode()}
+        log.error('Failed to fetch the list of supported templates.', data)
+    return out.strip().split()
 
 
 def getca(ca, url, trust_dir):
@@ -239,7 +242,8 @@ def getca(ca, url, trust_dir):
         certs = load_der_pkcs7_certificates(r.content)
         for i in range(0, len(certs)):
             cert = certs[i].public_bytes(Encoding.PEM)
-            dest = '%s.%d' % (root_cert, i)
+            filename, extension = root_cert.rsplit('.', 1)
+            dest = '%s.%d.%s' % (filename, i, extension)
             with open(dest, 'wb') as w:
                 w.write(cert)
             root_certs.append(dest)
@@ -249,12 +253,29 @@ def getca(ca, url, trust_dir):
     return root_certs
 
 
+def find_global_trust_dir():
+    """Return the global trust dir using known paths from various Linux distros."""
+    for trust_dir in global_trust_dirs:
+        if os.path.isdir(trust_dir):
+            return trust_dir
+    return global_trust_dirs[0]
+
+def update_ca_command():
+    """Return the command to update the CA trust store."""
+    return which('update-ca-certificates') or which('update-ca-trust')
+
+def changed(new_data, old_data):
+    """Return True if any key present in both dicts has changed."""
+    return any((new_data[k] != old_data[k] if k in old_data else False) \
+            for k in new_data.keys())
+
 def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
     root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
+    global_trust_dir = find_global_trust_dir()
     for src in root_certs:
         # Symlink the certs to global trust dir
         dst = os.path.join(global_trust_dir, os.path.basename(src))
@@ -273,7 +294,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
             # already exists. Ignore the FileExistsError. Preserve the
             # existing symlink in the unapply data.
             data['files'].append(dst)
-    update = which('update-ca-certificates')
+    update = update_ca_command()
     if update is not None:
         Popen([update]).wait()
     # Setup Certificate Auto Enrollment
@@ -337,12 +358,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
         # If the policy has changed, unapply, then apply new policy
         old_val = self.cache_get_attribute_value(guid, attribute)
         old_data = json.loads(old_val) if old_val is not None else {}
-        if all([(ca[k] == old_data[k] if k in old_data else False) \
-                    for k in ca.keys()]) or \
-                self.cache_get_apply_state() == GPOSTATE.ENFORCE:
+        templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])]
+        new_data = { 'templates': templates, **ca }
+        if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE:
             self.unapply(guid, attribute, old_val)
-        # If policy is already applied, skip application
-        if old_val is not None and \
+        # If policy is already applied and unchanged, skip application
+        if old_val is not None and not changed(new_data, old_data) and \
                 self.cache_get_apply_state() != GPOSTATE.ENFORCE:
             return
 
@@ -396,7 +417,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
                             # remove any existing policy
                             ca_attrs = \
                                 self.cache_get_all_attribute_values(gpo.name)
-                            self.clean(gpo.name, remove=ca_attrs)
+                            self.clean(gpo.name, remove=list(ca_attrs.keys()))
 
     def __read_cep_data(self, guid, ldb, end_point_information,
                         trust_dir, private_dir):
diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit
index 668682a9f58..de63164692b 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
@@ -14,4 +14,5 @@ if __name__ == "__main__":
     assert opts.auth == 'Kerberos'
     if 'CERTMONGER_OPERATION' in os.environ and \
        os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
-        print('Machine') # Report a Machine template
+        templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',')
+        print('\n'.join(templates)) # Report the requested templates
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index e4b75cc62a4..580f3568de8 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -281,6 +281,28 @@ b"""
 </PolFile>
 """
 
+auto_enroll_unchecked_reg_pol = \
+b"""
+<?xml version="1.0" encoding="utf-8"?>
+<PolFile num_entries="3" signature="PReg" version="1">
+        <Entry type="4" type_name="REG_DWORD">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>AEPolicy</ValueName>
+                <Value>0</Value>
+        </Entry>
+        <Entry type="4" type_name="REG_DWORD">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>OfflineExpirationPercent</ValueName>
+                <Value>10</Value>
+        </Entry>
+        <Entry type="1" type_name="REG_SZ">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>OfflineExpirationStoreNames</ValueName>
+                <Value>MY</Value>
+        </Entry>
+</PolFile>
+"""
+
 advanced_enroll_reg_pol = \
 b"""
 <?xml version="1.0" encoding="utf-8"?>
@@ -6783,14 +6805,14 @@ class GPOTests(tests.TestCase):
         ldb.add({'dn': certa_dn,
                  'objectClass': 'certificationAuthority',
                  'authorityRevocationList': ['XXX'],
-                 'cACertificate': 'XXX',
+                 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
                  'certificateRevocationList': ['XXX'],
                 })
         # Write the dummy pKIEnrollmentService
         enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn)
         ldb.add({'dn': enroll_dn,
                  'objectClass': 'pKIEnrollmentService',
-                 'cACertificate': 'XXXX',
+                 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
                  'certificateTemplates': ['Machine'],
                  'dNSHostName': hostname,
                 })
@@ -6812,6 +6834,23 @@ class GPOTests(tests.TestCase):
             self.assertTrue(os.path.exists(machine_crt),
                             'Machine key was not generated')
 
+            # Subsequent apply should react to new certificate templates
+            os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation'
+            self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES')
+            ext.process_group_policy([], gpos, dname, dname)
+            self.assertTrue(os.path.exists(ca_crt),
+                            'Root CA certificate was not requested')
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine certificate was not requested')
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine key was not generated')
+            workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca_cn)
+            self.assertTrue(os.path.exists(workstation_crt),
+                            'Workstation certificate was not requested')
+            workstation_key = os.path.join(dname, '%s.Workstation.key' % ca_cn)
+            self.assertTrue(os.path.exists(workstation_crt),
+                            'Workstation key was not generated')
+
             # Verify RSOP does not fail
             ext.rsop([g for g in gpos if g.name == guid][0])
 
@@ -6819,6 +6858,38 @@ class GPOTests(tests.TestCase):
             ret = rsop(self.lp)
             self.assertEqual(ret, 0, 'gpupdate --rsop failed!')
 
+            # Remove policy by staging pol file with auto-enroll unchecked
+            parser.load_xml(etree.fromstring(auto_enroll_unchecked_reg_pol.strip()))
+            ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+            self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+            ext.process_group_policy([], gpos, dname, dname)
+            self.assertFalse(os.path.exists(ca_crt),
+                            'Root CA certificate was not removed')
+            self.assertFalse(os.path.exists(machine_crt),
+                            'Machine certificate was not removed')
+            self.assertFalse(os.path.exists(machine_crt),
+                            'Machine key was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation certificate was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation key was not removed')
+
+            # Reapply policy by staging the enabled pol file
+            parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip()))
+            ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+            self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+            ext.process_group_policy([], gpos, dname, dname)
+            self.assertTrue(os.path.exists(ca_crt),
+                            'Root CA certificate was not requested')
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine certificate was not requested')
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine key was not generated')
+            self.assertTrue(os.path.exists(workstation_crt),
+                            'Workstation certificate was not requested')
+            self.assertTrue(os.path.exists(workstation_crt),
+                            'Workstation key was not generated')
+
             # Remove policy
             gp_db = store.get_gplog(machine_creds.get_username())
             del_gpos = get_deleted_gpos_list(gp_db, [])
@@ -6829,11 +6900,17 @@ class GPOTests(tests.TestCase):
                             'Machine certificate was not removed')
             self.assertFalse(os.path.exists(machine_crt),
                             'Machine key was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation certificate was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation key was not removed')
             out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate()
             self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed')
             out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate()
             self.assertNotIn(b'Machine', out,
                              'Machine certificate not removed')
+            self.assertNotIn(b'Workstation', out,
+                             'Workstation certificate not removed')
 
         # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate
         ldb.delete(certa_dn)
@@ -7201,14 +7278,14 @@ class GPOTests(tests.TestCase):
         ldb.add({'dn': certa_dn,
                  'objectClass': 'certificationAuthority',
                  'authorityRevocationList': ['XXX'],
-                 'cACertificate': 'XXX',
+                 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
                  'certificateRevocationList': ['XXX'],
                 })
         # Write the dummy pKIEnrollmentService
         enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn)
         ldb.add({'dn': enroll_dn,
                  'objectClass': 'pKIEnrollmentService',
-                 'cACertificate': 'XXXX',
+                 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
                  'certificateTemplates': ['Machine'],
                  'dNSHostName': hostname,
                 })
@@ -7233,6 +7310,25 @@ class GPOTests(tests.TestCase):
                 self.assertTrue(os.path.exists(machine_crt),
                                 'Machine key was not generated')
 
+            # Subsequent apply should react to new certificate templates
+            os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation'
+            self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES')
+            ext.process_group_policy([], gpos, dname, dname)
+            for ca in ca_list:
+                self.assertTrue(os.path.exists(ca_crt),
+                                'Root CA certificate was not requested')
+                self.assertTrue(os.path.exists(machine_crt),
+                                'Machine certificate was not requested')
+                self.assertTrue(os.path.exists(machine_crt),
+                                'Machine key was not generated')
+
+                workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca)
+                self.assertTrue(os.path.exists(workstation_crt),
+                                'Workstation certificate was not requested')
+                workstation_key = os.path.join(dname, '%s.Workstation.key' % ca)
+                self.assertTrue(os.path.exists(workstation_crt),
+                                'Workstation key was not generated')
+
             # Verify RSOP does not fail
             ext.rsop([g for g in gpos if g.name == guid][0])
 
@@ -7250,12 +7346,18 @@ class GPOTests(tests.TestCase):
                             'Machine certificate was not removed')
             self.assertFalse(os.path.exists(machine_crt),
                             'Machine key was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation certificate was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation key was not removed')
             out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate()
             for ca in ca_list:
                 self.assertNotIn(get_bytes(ca), out, 'CA was not removed')
             out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate()
             self.assertNotIn(b'Machine', out,
                              'Machine certificate not removed')
+            self.assertNotIn(b'Workstation', out,
+                             'Workstation certificate not removed')
 
         # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate
         ldb.delete(certa_dn)


-- 
Samba Shared Repository



More information about the samba-cvs mailing list