Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 104 insertions, 0 deletions

diff --git a/lib/ldb-samba/tests/match_rules_remote.py b/lib/ldb-samba/tests/match_rules_remote.py
new file mode 100755
index 0000000..122231f
--- /dev/null
+++ b/lib/ldb-samba/tests/match_rules_remote.py
@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+
+import optparse
+import sys
+import os
+import samba
+import samba.getopt as options
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba import sd_utils
+from samba.ndr import ndr_unpack
+from ldb import Message, MessageElement, Dn, LdbError
+from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
+
+from match_rules import MatchRulesTestsBase
+
+
+class MatchRulesTestsUser(MatchRulesTestsBase):
+    def setUp(self):
+        self.sambaopts = sambaopts
+        self.credopts = credopts
+        self.host = host
+        super().setUp()
+        self.sd_utils = sd_utils.SDUtils(self.ldb)
+
+        self.user_pass = "samba123@"
+        self.match_test_user = "matchtestuser"
+        self.ldb.newuser(self.match_test_user,
+                         self.user_pass,
+                         userou=self.ou_rdn)
+        user_creds = self.insta_creds(template=self.creds,
+                                      username=self.match_test_user,
+                                      userpass=self.user_pass)
+        self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp)
+        token_res = self.user_ldb.search(scope=SCOPE_BASE,
+                                         base="",
+                                         attrs=["tokenGroups"])
+        self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
+                                   token_res[0]["tokenGroups"][0])
+
+        self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
+
+    def test_with_denied_link(self):
+
+        # add an ACE that denies the user Read Property (RP) access to
+        # the member attr (which is similar to making the attribute
+        # confidential)
+        ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid,
+                                         self.user_sid)
+        g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups)
+
+        # add the ACE that denies access to the attr under test
+        self.sd_utils.dacl_add_ace(g2_dn, ace)
+
+        # Search without transitive match must return 0 results
+        res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+                               scope=SCOPE_BASE,
+                               expression="member=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 0)
+
+        # Search with transitive match must return 1 results
+        res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+                               scope=SCOPE_BASE,
+                               expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 1)
+        self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower())
+
+        # Search as a user match must return 0 results as the intermediate link can't be seen
+        res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups,
+                                    scope=SCOPE_BASE,
+                                    expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 0)
+
+
+
+parser = optparse.OptionParser("match_rules_remote.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+if len(args) < 1:
+    parser.print_usage()
+    sys.exit(1)
+
+host = args[0]
+
+if "://" not in host:
+    if os.path.isfile(host):
+        host = "tdb://%s" % host
+    else:
+        host = "ldap://%s" % host
+
+TestProgram(module=__name__, opts=subunitopts)