From dfbe7494683974b839b2c8083b7eb45cba0a6829 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy
Date: Fri, 18 Aug 2023 17:16:23 +0300
Subject: [PATCH] gp: Test adding new cert templates enforces changes

Ensure that cepces-submit reporting additional templates and re-applying will enforce the updated policy.

Signed-off-by: Gabriel Nagy
Reviewed-by: Joseph Sutton
Reviewed-by: David Mulder
(cherry picked from commit 2d6943a864405f324c467e8c3464c31ac08457b0)
---
 python/samba/tests/bin/cepces-submit | 3 ++-
 python/samba/tests/gpo.py | 48 ++++++++++++++++++++++++++++++++++++
 selftest/knownfail.d/gpo | 2 ++
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/gpo

diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit
index 668682a9f58..de63164692b 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
@@ -14,4 +14,5 @@ if __name__ == "__main__":
 assert opts.auth == 'Kerberos'
 if 'CERTMONGER_OPERATION' in os.environ and \
 os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
- print('Machine') # Report a Machine template
+ templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',')
+ print('\n'.join(templates)) # Report the requested templates
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 963f873f755..e75c411bde7 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
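Review bot: `.split(',')` on the new `templates` line turns an empty CEPCES_SUBMIT_SUPPORTED_TEMPLATES into `['']`, so the stub then reports one blank template name instead of none, and a value with spaces around the commas is passed through unstripped. Dropping empties keeps the 'Machine' fallback for the unset case the tests rely on: `templates = [t.strip() for t in os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',') if t.strip()]`. The enclosing `if __name__ == "__main__":` block begins before the hunk.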
@@ -6812,6 +6812,23 @@ class GPOTests(tests.TestCase): self.assertTrue(os.path.exists(machine_crt), 'Machine key was not generated') + # Subsequent apply should react to new certificate templates + os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' + self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') + ext.process_group_policy([], gpos, dname, dname) + self.assertTrue(os.path.exists(ca_crt), + 'Root CA certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine key was not generated') + workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca_cn) + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation certificate was not requested') + workstation_key = os.path.join(dname, '%s.Workstation.key' % ca_cn) + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation key was not generated') + # Verify RSOP does not fail ext.rsop([g for g in gpos if g.name == guid][0]) @@ -6829,11 +6846,17 @@ class GPOTests(tests.TestCase): 'Machine certificate was not removed') self.assertFalse(os.path.exists(machine_crt), 'Machine key was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation certificate was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation key was not removed') out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed') out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() self.assertNotIn(b'Machine', out, 'Machine certificate not removed') + self.assertNotIn(b'Workstation', out, + 'Workstation certificate not removed') # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate ldb.delete(certa_dn) 
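Review bot: The 'Workstation key was not generated' check in the @@ -6812 hunk tests `workstation_crt` again instead of the `workstation_key` path computed on the preceding line, so the key file is never verified and `workstation_key` is otherwise unused; the same copy-paste slip is in the @@ -6829 hunk ('Workstation key was not removed') and in both hunks of the second test at @@ -7233 and @@ -7250. The four checks should read `self.assertTrue(os.path.exists(workstation_key), 'Workstation key was not generated')` and `self.assertFalse(os.path.exists(workstation_key), 'Workstation key was not removed')`. The newly added Machine block repeats the pre-existing context pattern of checking `machine_crt` under the 'Machine key was not generated' message; if this test defines a `machine_key` path (its definition would be outside the hunk), that assertion should use it. Both test methods begin and end outside these hunks.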
@@ -7233,6 +7256,25 @@ class GPOTests(tests.TestCase): self.assertTrue(os.path.exists(machine_crt), 'Machine key was not generated') + # Subsequent apply should react to new certificate templates + os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' + self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') + ext.process_group_policy([], gpos, dname, dname) + for ca in ca_list: + self.assertTrue(os.path.exists(ca_crt), + 'Root CA certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine key was not generated') + + workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca) + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation certificate was not requested') + workstation_key = os.path.join(dname, '%s.Workstation.key' % ca) + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation key was not generated') + # Verify RSOP does not fail ext.rsop([g for g in gpos if g.name == guid][0]) @@ -7250,12 +7292,18 @@ class GPOTests(tests.TestCase): 'Machine certificate was not removed') self.assertFalse(os.path.exists(machine_crt), 'Machine key was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation certificate was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation key was not removed') out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() for ca in ca_list: self.assertNotIn(get_bytes(ca), out, 'CA was not removed') out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() self.assertNotIn(b'Machine', out, 'Machine certificate not removed') + self.assertNotIn(b'Workstation', out, + 'Workstation certificate not removed') # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate ldb.delete(certa_dn) diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo new file mode 100644 index 00000000000..4edc1dce730 
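Review bot: Inside the new `for ca in ca_list:` loop in the @@ -7233 hunk, `ca_crt` and `machine_crt` are not recomputed from `ca`, so the three assertions on them repeat the same paths on every iteration and only the Workstation paths are actually checked per CA; both variables are assigned before the hunk, presumably in an earlier loop, so it is worth confirming they refer to the CA intended. After the loop `workstation_crt` keeps only the last CA's path, so the two `assertFalse` checks added in the @@ -7250 hunk cover a single CA while the `getcert list-cas` check just below already iterates `ca_list`. Iterating there as well (with the key check on `workstation_key`), and deriving the Machine paths from `ca` in the first loop, would make the cleanup assertions match the enrolment assertions. The enclosing test method starts and ends outside both hunks.
```python
        # … unchanged: machine_crt removal assertions …
        for ca in ca_list:
            workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca)
            self.assertFalse(os.path.exists(workstation_crt),
                             'Workstation certificate was not removed')
            workstation_key = os.path.join(dname, '%s.Workstation.key' % ca)
            self.assertFalse(os.path.exists(workstation_key),
                             'Workstation key was not removed')
        # … unchanged: getcert list-cas / getcert list checks …
```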
--- /dev/null
+++ b/selftest/knownfail.d/gpo
@@ -0,0 +1,2 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
-- 
2.11.4.GIT
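Review bot: The two new knownfail patterns mark test_gp_cert_auto_enroll_ext and test_advanced_gp_cert_auto_enroll_ext as expected failures as a whole, so until they are removed any other regression in those tests, including the pre-existing Machine certificate checks, is masked too. This is presumably deliberate until the change that makes a re-apply pick up newly reported templates lands, and that change should delete `selftest/knownfail.d/gpo` again; if the knownfail parser accepts `#` comment lines, a line such as `# remove once re-apply enforces newly reported templates` would record that intent.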