authorDavid Mulder <dmulder@suse.com>2022-04-29 09:14:10 -0600
committerJeremy Allison <jra@samba.org>2022-05-10 19:13:29 +0000
commitc28e4396de27be05c5ba8f96eb9b1e86d01f58ec (patch)
tree5aab3da20567eaa4dd3bc30ca7f2fbfec810a15a /python
parent4580fd10468e22ea39cc38921fb0d8ad6be46339 (diff)
gpo: Test Centrify Compatible Sudoers Extension
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'python')
-rw-r--r--python/samba/gp_centrify_sudoers_ext.py26
-rw-r--r--python/samba/tests/gpo.py57
2 files changed, 83 insertions, 0 deletions
diff --git a/python/samba/gp_centrify_sudoers_ext.py b/python/samba/gp_centrify_sudoers_ext.py
new file mode 100644
index 00000000000..181d74138d6
--- /dev/null
+++ b/python/samba/gp_centrify_sudoers_ext.py
@@ -0,0 +1,26 @@
+# gp_centrify_sudoers_ext samba gpo policy
+# Copyright (C) David Mulder <dmulder@suse.com> 2022
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from samba.gpclass import gp_pol_ext
+
+class gp_centrify_sudoers_ext(gp_pol_ext):
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
+ sdir='/etc/sudoers.d'):
+ pass
+
+ def rsop(self, gpo):
+ output = {}
+ return output
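Review bot: The new `gp_centrify_sudoers_ext` class has no docstring or comment marking it as a placeholder, so `process_group_policy` (body `pass`) and `rsop` (returns `{}`) read as a finished extension that silently applies nothing. I would add a class docstring such as `"""Apply Centrify-compatible sudoers entries from Group Policy (not yet implemented)."""`. Because the default `sdir` is `/etc/sudoers.d` and the accompanying test feeds a policy string straight into a sudoers file, the eventual implementation should syntax-check each entry (for example with `visudo -c -f`) and create the files with restrictive permissions before anything lands in that directory; a comment `# TODO: validate entries with visudo before installing` on the stub would record that.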
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 8d2b3545209..670debedc3d 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -48,6 +48,7 @@ from samba.gp_chromium_ext import gp_chromium_ext
from samba.gp_firewalld_ext import gp_firewalld_ext
from samba.credentials import Credentials
from samba.gp_msgs_ext import gp_msgs_ext
+from samba.gp_centrify_sudoers_ext import gp_centrify_sudoers_ext
from samba.common import get_bytes
from samba.dcerpc import preg
from samba.ndr import ndr_pack
@@ -9163,3 +9164,59 @@ class GPOTests(tests.TestCase):
# Unstage the Registry.pol file
unstage_file(reg_pol)
+
+ def test_gp_centrify_sudoers_ext(self):
+ local_path = self.lp.cache_path('gpo_cache')
+ guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
+ reg_pol = os.path.join(local_path, policies, guid,
+ 'MACHINE/REGISTRY.POL')
+ cache_dir = self.lp.get('cache directory')
+ store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
+
+ machine_creds = Credentials()
+ machine_creds.guess(self.lp)
+ machine_creds.set_machine_account()
+
+ # Initialize the group policy extension
+ ext = gp_centrify_sudoers_ext(self.lp, machine_creds,
+ machine_creds.get_username(), store)
+
+ ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
+ if ads.connect():
+ gpos = ads.get_gpo_list(machine_creds.get_username())
+
+ # Stage the Registry.pol file with test data
+ stage = preg.file()
+ e1 = preg.entry()
+ e1.keyname = b'Software\\Policies\\Centrify\\UnixSettings'
+ e1.valuename = b'sudo.enabled'
+ e1.type = 4
+ e1.data = 1
+ e2 = preg.entry()
+ e2.keyname = b'Software\\Policies\\Centrify\\UnixSettings\\SuDo'
+ e2.valuename = b'1'
+ e2.type = 1
+ e2.data = b'fakeu ALL=(ALL) NOPASSWD: ALL'
+ stage.num_entries = 2
+ stage.entries = [e1, e2]
+ ret = stage_file(reg_pol, ndr_pack(stage))
+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+
+ # Process all gpos, with temp output directory
+ with TemporaryDirectory() as dname:
+ ext.process_group_policy([], gpos, dname)
+ sudoers = os.listdir(dname)
+ self.assertEquals(len(sudoers), 1, 'The sudoer file was not created')
+ self.assertIn(e2.data,
+ open(os.path.join(dname, sudoers[0]), 'r').read(),
+ 'The sudoers entry was not applied')
+
+ # Remove policy
+ gp_db = store.get_gplog(machine_creds.get_username())
+ del_gpos = get_deleted_gpos_list(gp_db, [])
+ ext.process_group_policy(del_gpos, [])
+ self.assertEquals(len(os.listdir(dname)), 0,
+ 'Unapply failed to cleanup scripts')
+
+ # Unstage the Registry.pol file
+ unstage_file(reg_pol)
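Review bot: The removal step calls `ext.process_group_policy(del_gpos, [])` without the third argument, so `sdir` falls back to its default `/etc/sudoers.d`; if the unapply path consults `sdir` rather than stored file names (the implementation is not visible here), the test would act on the host's live sudoers directory instead of `dname`. Passing the temporary directory explicitly, `ext.process_group_policy(del_gpos, [], dname)`, keeps the test confined to its sandbox. Separately, `unstage_file(reg_pol)` only runs when every assertion passes, so a failure leaves a staged `REGISTRY.POL` carrying a `NOPASSWD: ALL` entry in the GPO cache; registering `self.addCleanup(unstage_file, reg_pol)` right after the `stage_file` check avoids that. `gpos` is also bound only inside `if ads.connect():`, so a failed connect surfaces as a `NameError` at the first `process_group_policy` call rather than as a clear assertion message.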