Patch: testprogs/blackbox: Improve the net ads dns register tests ...

Jeremy Allison jra at samba.org
Fri Jul 1 21:48:19 UTC 2016


On Thu, Jun 30, 2016 at 09:12:16PM -0700, Richard Sharpe wrote:
> Hi folks,
> 
> The attached patch improves the test somewhat by adding tests for
> unprivileged users to ensure that they can add new names to the domain
> but cannot update names they do not own.
> 
> Please review and push if appropriate.

Nice update! Pushed.

> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)

> From 4cd75624b18da44051aec6ae9a89b22c096f7f2b Mon Sep 17 00:00:00 2001
> From: Richard Sharpe <rsharpe at samba.org>
> Date: Thu, 30 Jun 2016 21:07:19 -0700
> Subject: [PATCH] testprogs/blackbox: Improve the net ads dns register tests.
> 
> More tests are added that add an unprivileged user, enable their
> account, and then test that they can add IP addresses but that they
> cannot modify other users' IP addresses.
> 
> Signed-off-by: Richard Sharpe <rsharpe at samba.org>
> ---
>  testprogs/blackbox/test_net_ads_dns.sh | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/testprogs/blackbox/test_net_ads_dns.sh b/testprogs/blackbox/test_net_ads_dns.sh
> index 41bc63d..8f9a91b 100755
> --- a/testprogs/blackbox/test_net_ads_dns.sh
> +++ b/testprogs/blackbox/test_net_ads_dns.sh
> @@ -44,7 +44,11 @@ export UID_WRAPPER_ROOT
>  
>  IPADDRESS=10.1.4.111
>  IPADDRMAC=10.1.4.124
> +UNPRIVIP=10.1.4.130
>  NAME=testname
> +UNPRIVNAME=unprivname
> +UNPRIVUSER=unprivuser
> +UNPRIVPASS=UnPrivPass1
>  
>  # These tests check that privileged users can add DNS names and that
>  # unprivileged users cannot do so.
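Review bot: The context comment that closes this hunk still reads "unprivileged users cannot do so", which now contradicts the tests this patch adds (unprivileged users can add new names but cannot update names they do not own). Update that comment in the same change so the header of the test block states the policy actually being checked.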
> @@ -63,7 +67,17 @@ testit "We should be able to unregister the name $NAME.$REALM $IPADDRESS" $VALGR
>  testit "The name $NAME.$REALM should not be there any longer" test X"`$net_tool ads dns gethostbyname $SERVER $NAME.$REALM -U$DC_USERNAME%$DC_PASSWORD | tr " " B | tr \! N`" != X"$IPADDRESS" || failed=`expr $failed + 1`
>  
>  # This should be an expect_failure test ...
> -# testit "unprivileged users should not be able to add a DNS entry" $VALGRIND $net_tool ads dns register funnyname2.$REALM 10.1.4.112 -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
> +testit "Adding an unprivileged user" $VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
> +
> +LDIF="dn: CN=$UNPRIVUSER,CN=users,DC=samba,DC=example,DC=com+changetype: modify+replace: userAccountControl+userAccountControl: 512"
> +
> +echo $LDIF | tr '+' '\n' | ./bin/ldbmodify -Uadministrator%locDCpass1 -H ldap://localdc.samba.example.com -i
> +STATUS=$?
> +
> +testit "We should have enabled the account" test $STATUS -eq 0 || failed=`expr $failed + 1`
> +
> +#Unprivileged users should be able to add new names
> +testit "Unprivileged users should be able to add new names" $net_tool ads dns register $UNPRIVNAME.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=`expr $failed + 1`
>  
>  # This should work as well
>  testit "machine account should be able to add a DNS entry net ads dns register membername.$REALM $IPADDRMAC -P " $net_tool ads dns register membername.$REALM $IPADDRMAC -P || failed=`expr $failed + 1`
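Review bot: The ldbmodify step hardcodes the test environment: -Uadministrator%locDCpass1, ldap://localdc.samba.example.com and DC=samba,DC=example,DC=com in the DN, while every other command in the script takes these from $DC_USERNAME%$DC_PASSWORD, $SERVER and $REALM. That ties the test to one environment and leaves a password literal in the script; build the credentials, URL and DN from the existing variables, and invoke ldbmodify through a variable rather than the relative ./bin/ldbmodify path. Two smaller points in the same hunk: echo $LDIF should be quoted (echo "$LDIF") so the LDIF is not word-split before tr runs, and the retained comment "# This should be an expect_failure test ..." now sits above the user add line and no longer describes anything.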
> @@ -72,6 +86,9 @@ testit "machine account should be able to add a DNS entry net ads dns register m
>  # and spaces from the output. Thew will screw up the comparison syntax.
>  testit "We should be able to see the new name membername.$REALM using -P" [ X"`$VALGRIND $net_tool ads dns gethostbyname $SERVER membername.$REALM -P | tr \! N | tr " " B`" = X"$IPADDRMAC" ] || failed=`expr $failed + 1`
>  
> +#Unprivileged users should not be able to overwrite other's names
> +testit_expect_failure "Unprivileged users should not be able modify existing names" $net_tool ads dns register membername.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=`expr $failed + 1`
> +
>  testit "We should be able to unregister the name $NAME.$REALM $IPADDRESS" $VALGRIND $net_tool ads dns unregister $NAME.$REALM -P || failed=`expr $failed + 1`
>  
>  # The complicated pipeline is to ensure that we remove exclamation points
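Review bot: The testit_expect_failure on membername.$REALM only checks for a non-zero exit, so it does not show that the existing record was left intact; a register call that fails for an unrelated reason, or fails after changing the record, would still pass. Follow it with the gethostbyname comparison already used a few lines above to assert that membername.$REALM still resolves to $IPADDRMAC. Nothing in the visible hunks unregisters $UNPRIVNAME.$REALM or removes $UNPRIVUSER, so a rerun against the same DC may start from leftover state; add cleanup for both. The test description is also missing a word ("should not be able modify").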
> -- 
> 2.4.3
> 



