a W×a<ã@sXddlZddlZddlmZmZddlmZmZmZm Z ddl m Z ddlm Z m Z mZmZmZmZddlmZmZddlmZmZddlmZdd lmZddlZdd lmZdd lm Z dd l!m"Z"dd l#m$Z$ej% &d¡Z'e'dZ(e' )¡Z'd *e'¡a+d *e' ,d¡d¡Z-de-a.da/dd„Z0dd„Z1dd„Z2dd„Z3dd„Z4Gdd „d ej5ƒZ6dS)!éN)ÚgpoÚtests)Úregister_gp_extensionÚlist_gp_extensionsÚunregister_gp_extensionÚ GPOStorage)ÚLoadParm)Úcheck_refresh_gpo_listÚcheck_safe_pathÚ check_guidÚparse_gpext_confÚatomic_write_confÚget_deleted_gpos_list)ÚPopenÚPIPE)ÚNamedTemporaryFileÚTemporaryDirectory)Ú gp_sec_ext)Úgp_scripts_ext)Ú Credentials)Ú get_bytes)Úpreg)Úndr_packZREALMz /POLICIESz\\{0}\sysvol\{0}\Policiesz!DC={0},DC=samba,DC=example,DC=comÚ.zCN=Policies,CN=System,z[General] Version=%dcCs&d}d}d}d}||||| S)Né<éi€–˜©)ÚvalZsecondsZminutesZhoursZsam_addrrú1/usr/lib/python3/dist-packages/samba/tests/gpo.pyÚdays2rel_nttime,s rcCs&| d¡}| d¡t|ttd ¡S)Núgpo update commandz--force©ÚstdoutÚstderr©ÚgetÚappendrrÚwait©ÚlpZgpupdaterrrÚgpupdate_force3s  r*cCs&| d¡}| d¡t|ttd ¡S)Nr z --unapplyr!r$r(rrrÚgpupdate_unapply9s  r+c Csîtj |¡}tj |¡srzt |¡WnJtyp}z2|jtjkrNtj |¡s\WYd}~dSWYd}~n d}~00tj |¡rŽt  |d|¡t dtj |¡d8}|  t |ƒ¡t  |j |¡t |d¡Wdƒn1sà0YdS)NFú%s.bak)ÚdeleteÚdiri¤T)ÚosÚpathÚdirnameÚexistsÚmakedirsÚOSErrorÚerrnoZEEXISTÚisdirÚrenamerÚwriterÚnameÚchmod)r0Údatar1ÚeÚfrrrÚ stage_file?s  $ *r>cCs<d|}tj |¡r"t ||¡ntj |¡r8t |¡dS)Nr,)r/r0r2r7Úremove)r0ZbackuprrrÚ unstage_fileOs   r@cspeZdZ‡fdd„Z‡fdd„Zdd„Zdd„Zd d „Zd d „Zd d„Z dd„Z dd„Z dd„Z dd„Z ‡ZS)ÚGPOTestscsRtt|ƒ ¡tjd|_|j ¡d|_tƒ|_ |j   ¡|j |  ¡d|_ dS)NZSERVERú$)Útemplate)ÚsuperrAÚsetUpr/ÚenvironÚserverÚupperÚ dc_accountrr)Z load_defaultZ insta_credsZget_credentialsÚcreds©Úself©Ú __class__rrrEWs   zGPOTests.setUpcstt|ƒ ¡dS)N)rDrAÚtearDownrKrMrrrO_szGPOTests.tearDowncCsÖt |j|j|j¡}| ¡r,| |j ¡¡}d}d|g}ddt|fg}dd|t fg}t dt |ƒƒD]j}|  ||j ||d||j ¡|  ||j||d||j¡|  ||j||d||j¡qfdS) Nú&{31B2F340-016D-11D2-945F-00C04FB984F9}z Local Policyz%s\%szCN=%s,%srz+The gpo name did not match expected name %sz'file_sys_path did not match expected %sz!ds_path did not match expected %s)rÚ ADS_STRUCTrGr)rJÚconnectÚ get_gpo_listÚ get_usernameÚpoldirÚdspathÚrangeÚlenÚ assertEqualr9Z file_sys_pathZds_path)rLÚadsÚgposÚguidÚnamesZfile_sys_pathsZds_pathsÚirrrÚ test_gpo_listbs" ÿ ÿ ÿzGPOTests.test_gpo_listcCs(zt |jd|j¡}Wn Yn0dS)Né*)rrQrGrJ)rLrZrrrÚtest_gpo_ads_does_not_segfaultssz'GPOTests.test_gpo_ads_does_not_segfaultcCsæ|j d¡}d}tj |t|¡}t |¡d}ttj |d¡dƒ}|  t d¡Wdƒn1sf0Y|  t |¡ddd¡ttj |d¡dƒ}|  t |¡Wdƒn1sÀ0Y|  t |¡d|d¡dS)NÚ gpo_cacherPéúGPT.INIÚwr`z@gpo_get_sysvol_gpt_version() did not return the expected version) r)Ú cache_pathr/r0ÚjoinÚpoliciesrZgpo_get_sysvol_gpt_versionÚopenr8Úgpt_datarY)rLÚ local_pathr\Zgpo_pathZold_versZgptrrrÚtest_gpt_versionys ,ÿ,ÿzGPOTests.test_gpt_versioncCs–|j d¡}t |j|j|j¡}| ¡r8| |j ¡¡}t |j|j|j|ƒ|  t j   |¡d|¡d}t j  |t|d¡}|  t j   |¡d|¡dS)NrbzGPO cache %s was not createdrPrdzGPT.INI was not cached for %s)r)rfrrQrGrJrRrSrTr Ú assertTruer/r0r2rgrh)rLÚcacherZr[r\Zgpt_inirrrÚtest_check_refresh_gpo_listŠs ÿ ÿÿz$GPOTests.test_check_refresh_gpo_listcCs`d}| tt|¡| tdƒd¡| tdƒd¡dtd}td}t|ƒ}| ||d¡dS) Nz9/usr/local/samba/var/locks/sysvol/../../../../../../root/z /etc/passwdz etc/passwdz \\etc/\passwdzsysvol/z8\Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INIz8/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INIz1check_safe_path() didn't correctly convert \ to /)Z assertRaisesr4r rYÚrealm)rLr0ZbeforeZafterÚresultrrrÚ+test_check_refresh_gpo_list_malicious_pathsšs z4GPOTests.test_check_refresh_gpo_list_malicious_pathsc Csrtj tj t¡¡}tj tj |d¡¡}tj |d¡}d}t|d||jjddd}|  |d¡t |jjƒ}|  ||  ¡vd ¡|  ||d |d ¡t |ƒt |jjƒ}|  ||  ¡vd ¡|  t|ƒd ¡| td ƒd¡t|jjƒ\}}|  |oø|d¡| d¡| dd|¡t||ƒt|jjƒ\}}|  d| ¡vd¡|  | dd¡|d¡| d¡t||ƒdS)Nz ../../../zpython/samba/gp_sec_ext.pyz&{827D319E-6EAC-11D2-A4EA-00C04F79F83A}rTF)Zsmb_confÚmachineÚuserzFailed to register a gp extzFailed to list gp extsZDllNamezFailed to unregister gp extszFailed to parse valid guidZAAAAAABBBBBBBCCCzParsed invalid guidz!parse_gpext_conf() invalid returnZ test_sectionZtest_varz$test_section not found in gpext.confz*Failed to find test variable in gpext.conf)r/r0r1ÚrealpathÚ__file__rgrr)Z configfilermrÚkeysrYrr Z assertFalser Z add_sectionÚsetr Zsectionsr%Zremove_section) rLZ this_pathZ samba_pathZext_pathZext_guidÚretZgp_extsr)ÚparserrrrÚtest_gpt_ext_register«sJþ  ÿÿ ÿ  ÿÿ zGPOTests.test_gpt_ext_registercCs^|j dd¡}ddg}dtd}d}|j d¡}ttj |d ¡ƒ}|D]*}|||f}t||ƒ} | | d |¡qHt |jƒ} |  | d d ¡|  |j ¡} |   ¡} |  t| ƒd d¡| |d | d|d ¡| |d| d|d¡|  | ¡} | D]”} | d| dd¡| d| ddd¡| d |d krV|  t| dddƒtdƒd¡qô| d |dkrô|  t| dddƒtdƒd¡qôt |j|j|j¡}| ¡r´| |j ¡}t| |dd…ƒ}|  t|ƒdd¡|  |d|d d d¡| d|d dd¡| d|d ddd¡|D]}|||f}t|ƒq&t|jƒ} |  | d d¡dS)Nr0ZsysvolrPú&{6AC1786C-016F-11D2-945F-00C04FB984F9}ú%s/z=/Policies/%s/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.infz)[System Access] MinimumPasswordAge = 998 úcache directoryúgpo.tdbúCould not create the target %srzgpupdate force failedézThe guids were not foundz%s not in applied guidsrcz System AccesszSystem Access policies not setZ minPwdAgezminPwdAge policy not setiæéÿÿÿÿz!Returned delete gpos is incorrectz GUID for delete gpo is incorrectz*System Access policies not set for removalz$minPwdAge policy not set for removalzgpupdate unapply failed)r)r%rprr/r0rgr>rmr*rYÚ get_gplogrIZget_applied_guidsrXÚassertInZget_applied_settingsÚintrrrQrGrJrRrSrr@r+)rLrkÚguidsÚgpofileÚstageÚ cache_dirÚstorer\ÚgpttmplryÚgp_dbZ applied_guidsZapplied_settingsZpolicyrZr[Údel_gposrrrÚtest_gp_log_get_appliedÐsxÿ        ÿ  ÿ  ÿÿþþ  ÿÿÿ   z GPOTests.test_gp_log_get_appliedcCs¬|j d¡}ddg}dtd}t d¡}|j d¡}ttj  |d¡ƒ}t ƒ}|  |j¡|  ¡t ||j||ƒ}t |j|j|¡} |  ¡rš|  | ¡¡} d } d d g} td d ƒD]6} |||| f}t|| | | ƒ}| |d|¡q°| g| ¡| d¡}| || dd¡| | ¡¡}t|gƒ}| |g¡| d¡}| |dd¡| g| dd…¡| d¡}| || d d¡| |g¡|D]}|||f}t|ƒqŒdS)NrbrPr|r}z4/%s/MACHINE/MICROSOFT/WINDOWS NT/SECEDIT/GPTTMPL.INFÚ gpo_testsr~rz$[Kerberos Policy] MaxTicketAge = %d édéÈrrr€zkdc:user_ticket_lifetimercz"Higher priority policy was not setz$MaxTicketAge should not have appliedr‚z!Lower priority policy was not set)r)rfrhÚloggingÚ getLoggerr%rr/r0rgrÚguessÚset_machine_accountrrrQrGrRrSrTrWr>rmÚprocess_group_policyZget_intrYrƒrr@)rLrkr†r‡Úloggerr‰rŠÚ machine_credsÚextrZr[rˆZoptsr^r‹ryrŒrr\rrrÚtest_process_group_policy sH ÿ            z"GPOTests.test_process_group_policycCs€|j d¡}d}tj |t|d¡}t d¡}|j d¡}t tj |d¡ƒ}t ƒ}|  |j¡|  ¡t ||j||ƒ}t |j|j|¡} |  ¡rœ|  | ¡¡} t ¡} t ¡} d| _d| _d | _d | _d | _| g| _t|t| ƒƒ} | | d |¡t ƒl}| !g| |¡t "|¡}| #t$|ƒd d ¡t%tj ||d ¡gt&d '¡\}}| (d|d¡Wdƒn1sj0Yt)|ƒdS)NrbrPzMACHINE/REGISTRY.POLrr~rs3Software\Policies\Samba\Unix Settings\Daily Scriptss%Software\Policies\Samba\Unix Settingsrcsecho hello worldr€z The daily script was not createdr)r"s hello worldzDaily script execution failed)*r)rfr/r0rgrhr’r“r%rrr”r•rrrQrGrRrSrTrÚfileÚentryZkeynameZ valuenameÚtyper;Z num_entriesÚentriesr>rrmrr–ÚlistdirZ assertEqualsrXrrZ communicater„r@)rLrkr\Zreg_polr—r‰rŠr˜r™rZr[rˆr<ryZdnameZscriptsÚoutÚ_rrrÚtest_gp_daily_scriptsCs@  ÿ    $.zGPOTests.test_gp_daily_scripts)Ú__name__Ú __module__Ú __qualname__rErOr_rarlrorrr{rŽršr¢Ú __classcell__rrrMrrAVs  %<7rA)7r/r5ZsambarrZ samba.gpclassrrrrZ samba.paramrr r r r r rÚ subprocessrrZtempfilerrZsamba.gp_sec_extrZsamba.gp_scripts_extrr’Zsamba.credentialsrZ samba.compatrZ samba.dcerpcrZ samba.ndrrrFr%rprhÚlowerÚformatrUÚsplitZbase_dnrVrjrr*r+r>r@ZTestCaserArrrrÚs6