The branch, master has been updated
       via  7573b2a tests: Add tests for parsing LDAPv3 and LDAPv2 filter 
strings
       via  654b767 s3:tldap: Comment code for to LDAP escaping version
       via  c96dc78 s3:tldap: Fix parsing LDAPv2 escaped strings
       via  9c9c275 python/tests/sites: ensure we can't manipulate subnets as 
non-admin
       via  7b45dc6 subnet: Avoid a segfault when renaming subnet objects
      from  d35a22c Fix incorrect `ldbsearch` invocation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7573b2a960c5bd32ac6d42b10bb46329ff7fa7b7
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Feb 19 12:08:26 2018 +0100

    tests: Add tests for parsing LDAPv3 and LDAPv2 filter strings
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Feb 19 23:47:08 CET 2018 on sn-devel-144

commit 654b76739a72b8ecdf0542c0b9a566b82dcfb1e1
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Feb 19 12:29:55 2018 +0100

    s3:tldap: Comment code for to LDAP escaping version
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c96dc78aa680d3a1c1d53ea9b18a966025a93e16
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jul 26 17:48:34 2017 +0200

    s3:tldap: Fix parsing LDAPv2 escaped strings
    
    Yes, this is outdated, but the missing 'break' produces a compiler
    warning.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Simo Sorce <i...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9c9c2754a950d6cd411d490fa7fb9fad5b194a01
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Thu Feb 15 15:08:03 2018 +1300

    python/tests/sites: ensure we can't manipulate subnets as non-admin
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031
    
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7b45dc6841ff534e7a0eb481aa4f4149a716824f
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Wed Sep 20 14:55:11 2017 +1200

    subnet: Avoid a segfault when renaming subnet objects
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/subnets.py                 |  33 ++++++++
 selftest/tests.py                       |   3 +
 source3/lib/test_tldap.c                |  62 +++++++++++++++
 source3/lib/tldap.c                     |   4 +
 source3/wscript_build                   |  10 +++
 source4/dsdb/samdb/ldb_modules/samldb.c |   8 +-
 source4/dsdb/tests/python/sites.py      | 133 +++++++++++++++++++++++++++++++-
 7 files changed, 248 insertions(+), 5 deletions(-)
 create mode 100644 source3/lib/test_tldap.c


Changeset truncated at 500 lines:

diff --git a/python/samba/subnets.py b/python/samba/subnets.py
index e859f06..72eeb0f 100644
--- a/python/samba/subnets.py
+++ b/python/samba/subnets.py
@@ -127,6 +127,39 @@ def delete_subnet(samdb, configDn, subnet_name):
 
     samdb.delete(dnsubnet)
 
+def rename_subnet(samdb, configDn, subnet_name, new_name):
+    """Rename a subnet.
+
+    :param samdb: A samdb connection
+    :param configDn: The DN of the configuration partition
+    :param subnet_name: Name of the subnet to rename
+    :param new_name: New name for the subnet
+    :return: None
+    :raise SubnetNotFound: if the subnet to be renamed does not exist.
+    :raise SubnetExists: if the subnet to be created already exists.
+    """
+    dnsubnet = ldb.Dn(samdb, "CN=Subnets,CN=Sites")
+    if dnsubnet.add_base(configDn) == False:
+        raise SubnetException("dnsubnet.add_base() failed")
+    if dnsubnet.add_child("CN=X") == False:
+        raise SubnetException("dnsubnet.add_child() failed")
+    dnsubnet.set_component(0, "CN", subnet_name)
+
+    newdnsubnet = ldb.Dn(samdb, str(dnsubnet))
+    newdnsubnet.set_component(0, "CN", new_name)
+    try:
+        samdb.rename(dnsubnet, newdnsubnet)
+    except LdbError as (enum, estr):
+        if enum == ldb.ERR_NO_SUCH_OBJECT:
+            raise SubnetNotFound('Subnet %s does not exist' % subnet)
+        elif enum == ldb.ERR_ENTRY_ALREADY_EXISTS:
+            raise SubnetAlreadyExists('A subnet with the CIDR %s already 
exists'
+                                      % new_name)
+        elif enum == ldb.ERR_INVALID_DN_SYNTAX:
+            raise SubnetInvalid("%s is not a valid subnet: %s" % (new_name,
+                                                                  estr))
+        else:
+            raise
 
 def set_subnet_site(samdb, configDn, subnet_name, site_name):
     """Assign a subnet to a site.
diff --git a/selftest/tests.py b/selftest/tests.py
index ec48b03..be1be45 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -180,3 +180,6 @@ if with_cmocka:
 
     plantestsuite("samba.unittests.smb1cli_session", "none",
                   [os.path.join(bindir(), 
"default/libcli/smb/test_smb1cli_session")])
+
+    plantestsuite("samba.unittests.tldap", "none",
+                  [os.path.join(bindir(), "default/source3/test_tldap")])
diff --git a/source3/lib/test_tldap.c b/source3/lib/test_tldap.c
new file mode 100644
index 0000000..a6c2f21
--- /dev/null
+++ b/source3/lib/test_tldap.c
@@ -0,0 +1,62 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Test suite for ldap client
+ *
+ * Copyright (C) 2018      Andreas Schneider <a...@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "source3/lib/tldap.c"
+
+static void test_tldap_unescape_ldapv3(void **state)
+{
+       const char *unescaped_dn = "(&(objectclass=group)(cn=Samba*))";
+       char dn[] = "\\28&\\28objectclass=group\\29\\28cn=Samba\\2a\\29\\29";
+       size_t dnlen = sizeof(dn);
+       bool ok;
+
+       ok = tldap_unescape_inplace(dn, &dnlen);
+       assert_true(ok);
+
+       assert_string_equal(dn, unescaped_dn);
+}
+
+static void test_tldap_unescape_ldapv2(void **state)
+{
+       const char *unescaped_dn = "(&(objectclass=group)(cn=Samba*))";
+       char dn[] = "\\(&\\(objectclass=group\\)\\(cn=Samba\\*\\)\\)";
+       size_t dnlen = sizeof(dn);
+       bool ok;
+
+       ok = tldap_unescape_inplace(dn, &dnlen);
+       assert_true(ok);
+
+       assert_string_equal(dn, unescaped_dn);
+}
+
+int main(void) {
+       const struct CMUnitTest tests[] = {
+               cmocka_unit_test(test_tldap_unescape_ldapv3),
+               cmocka_unit_test(test_tldap_unescape_ldapv2)
+       };
+
+       cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+       return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index 40064fd..205a9cf 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1280,6 +1280,7 @@ static bool tldap_unescape_inplace(char *value, size_t 
*val_len)
                        }
                        i++;
 
+                       /* LDAPv3 escaped */
                        c = tldap_hex2char(&value[i]);
                        if (c >= 0 && c < 256) {
                                value[p] = c;
@@ -1288,6 +1289,7 @@ static bool tldap_unescape_inplace(char *value, size_t 
*val_len)
                                break;
                        }
 
+                       /* LDAPv2 escaped */
                        switch (value[i]) {
                        case '(':
                        case ')':
@@ -1295,6 +1297,8 @@ static bool tldap_unescape_inplace(char *value, size_t 
*val_len)
                        case '\\':
                                value[p] = value[i];
                                p++;
+
+                               break;
                        default:
                                /* invalid */
                                return false;
diff --git a/source3/wscript_build b/source3/wscript_build
index 76c5d6e..d5ac7a2 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -106,6 +106,16 @@ bld.SAMBA3_SUBSYSTEM('TLDAP',
                          samba3util
                          ''')
 
+bld.SAMBA3_BINARY('test_tldap',
+                  source='lib/test_tldap.c',
+                  deps='''
+                       asn1util
+                       LIBTSOCKET
+                       samba3util
+                       smbconf
+                       cmocka
+                       ''')
+
 # libpdb.so should not expose internal symbols that are only usable
 # to the statically linked modules that are merged into libpdb.
 # Note that we always filter these symbols out in libpdb, even
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c 
b/source4/dsdb/samdb/ldb_modules/samldb.c
index 971048d..3e429e1 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -3351,13 +3351,13 @@ static int verify_cidr(const char *cidr)
 }
 
 
-static int samldb_verify_subnet(struct samldb_ctx *ac)
+static int samldb_verify_subnet(struct samldb_ctx *ac, struct ldb_dn *dn)
 {
        struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
        const char *cidr = NULL;
        const struct ldb_val *rdn_value = NULL;
 
-       rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
+       rdn_value = ldb_dn_get_rdn_val(dn);
        if (rdn_value == NULL) {
                ldb_set_errstring(ldb, "samldb: ldb_dn_get_rdn_val "
                                  "failed");
@@ -3588,7 +3588,7 @@ static int samldb_add(struct ldb_module *module, struct 
ldb_request *req)
 
        if (samdb_find_attribute(ldb, ac->msg,
                                 "objectclass", "subnet") != NULL) {
-               ret = samldb_verify_subnet(ac);
+               ret = samldb_verify_subnet(ac, ac->msg->dn);
                if (ret != LDB_SUCCESS) {
                        talloc_free(ac);
                        return ret;
@@ -3991,7 +3991,7 @@ static int check_rename_constraints(struct ldb_message 
*msg,
 
        /* subnet objects */
        if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) {
-               ret = samldb_verify_subnet(ac);
+               ret = samldb_verify_subnet(ac, newdn);
                if (ret != LDB_SUCCESS) {
                        talloc_free(ac);
                        return ret;
diff --git a/source4/dsdb/tests/python/sites.py 
b/source4/dsdb/tests/python/sites.py
index a24f9b5..3bb53d9 100755
--- a/source4/dsdb/tests/python/sites.py
+++ b/source4/dsdb/tests/python/sites.py
@@ -30,9 +30,12 @@ from samba import sites
 from samba import subnets
 from samba.auth import system_session
 from samba.samdb import SamDB
+from samba import gensec
+from samba.credentials import Credentials, DONT_USE_KERBEROS
 import samba.tests
+from samba.tests import delete_force
 from samba.dcerpc import security
-from ldb import SCOPE_SUBTREE
+from ldb import SCOPE_SUBTREE, LdbError, ERR_INSUFFICIENT_ACCESS_RIGHTS
 
 parser = optparse.OptionParser("sites.py [options] <host>")
 sambaopts = options.SambaOptions(parser)
@@ -183,6 +186,134 @@ class SimpleSubnetTests(SitesBaseTests):
         self.assertRaises(subnets.SubnetNotFound,
                           subnets.delete_subnet, self.ldb, basedn, cidr)
 
+    def get_user_and_ldb(self, username, password, hostname=ldaphost):
+        """Get a connection for a temporarily user that will vanish as soon as
+        the test is over."""
+        user = self.ldb.newuser(username, password)
+        creds_tmp = Credentials()
+        creds_tmp.set_username(username)
+        creds_tmp.set_password(password)
+        creds_tmp.set_domain(creds.get_domain())
+        creds_tmp.set_realm(creds.get_realm())
+        creds_tmp.set_workstation(creds.get_workstation())
+        creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
+                                      | gensec.FEATURE_SEAL)
+        creds_tmp.set_kerberos_state(DONT_USE_KERBEROS)
+        ldb_target = SamDB(url=hostname, credentials=creds_tmp, lp=lp)
+        self.addCleanup(delete_force, self.ldb, self.get_user_dn(username))
+        return (user, ldb_target)
+
+    def test_rename_delete_good_subnet_to_good_subnet_other_user(self):
+        """Make sure that we can't rename or delete subnets when we aren't
+        admin."""
+        basedn = self.ldb.get_config_basedn()
+        cidr = "10.16.0.0/24"
+        new_cidr = "10.16.1.0/24"
+        subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
+        user, non_admin_ldb = self.get_user_and_ldb("notadmin", "samba123@")
+        try:
+            subnets.rename_subnet(non_admin_ldb, basedn, cidr, new_cidr)
+        except LdbError as e:
+            self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                             ("subnet rename by non-admin failed "
+                              "in the wrong way: %s" % e))
+        else:
+            self.fail("subnet rename by non-admin succeeded: %s" % e)
+
+        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+                              expression='(&(objectclass=subnet)(cn=%s))' % 
cidr)
+
+        self.assertEqual(len(ret), 1, ('Subnet %s destroyed or renamed '
+                                       'by non-admin' % cidr))
+
+        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+                              expression=('(&(objectclass=subnet)(cn=%s))'
+                                          % new_cidr))
+
+        self.assertEqual(len(ret), 0,
+                         'New subnet %s created by non-admin' % cidr)
+
+        try:
+            subnets.delete_subnet(non_admin_ldb, basedn, cidr)
+        except LdbError as e:
+            self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                             ("subnet delete by non-admin failed "
+                              "in the wrong way: %s" % e))
+        else:
+            self.fail("subnet delete by non-admin succeeded: %s" % e)
+
+        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+                              expression='(&(objectclass=subnet)(cn=%s))' % 
cidr)
+
+        self.assertEqual(len(ret), 1, 'Subnet %s deleted non-admin' % cidr)
+
+        subnets.delete_subnet(self.ldb, basedn, cidr)
+
+    def test_create_good_subnet_other_user(self):
+        """Make sure that we can't create subnets when we aren't admin."""
+        basedn = self.ldb.get_config_basedn()
+        cidr = "10.16.0.0/24"
+        user, non_admin_ldb = self.get_user_and_ldb("notadmin", "samba123@")
+        try:
+            subnets.create_subnet(non_admin_ldb, basedn, cidr, self.sitename)
+        except LdbError as e:
+            self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                             ("subnet create by non-admin failed "
+                              "in the wrong way: %s" % e))
+        else:
+            subnets.delete_subnet(self.ldb, basedn, cidr)
+            self.fail("subnet create by non-admin succeeded: %s")
+
+        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+                              expression='(&(objectclass=subnet)(cn=%s))' % 
cidr)
+
+        self.assertEqual(len(ret), 0, 'New subnet %s created by non-admin' % 
cidr)
+
+    def test_rename_good_subnet_to_good_subnet(self):
+        """Make sure that we can rename subnets"""
+        basedn = self.ldb.get_config_basedn()
+        cidr = "10.16.0.0/24"
+        new_cidr = "10.16.1.0/24"
+
+        subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
+
+        subnets.rename_subnet(self.ldb, basedn, cidr, new_cidr)
+
+        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+                              expression='(&(objectclass=subnet)(cn=%s))' % 
new_cidr)
+
+        self.assertEqual(len(ret), 1, 'Failed to rename subnet %s' % cidr)
+
+        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+                              expression='(&(objectclass=subnet)(cn=%s))' % 
cidr)
+
+        self.assertEqual(len(ret), 0, 'Failed to remove old subnet during 
rename %s' % cidr)
+
+        subnets.delete_subnet(self.ldb, basedn, new_cidr)
+
+    def test_rename_good_subnet_to_bad_subnet(self):
+        """Make sure that the CIDR checking runs during rename"""
+        basedn = self.ldb.get_config_basedn()
+        cidr = "10.17.0.0/24"
+        bad_cidr = "10.11.12.0/14"
+
+        subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
+
+        self.assertRaises(subnets.SubnetInvalid, subnets.rename_subnet,
+                          self.ldb, basedn, cidr, bad_cidr)
+
+        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+                              expression='(&(objectclass=subnet)(cn=%s))' % 
bad_cidr)
+
+        self.assertEqual(len(ret), 0, 'Failed to rename subnet %s' % cidr)
+
+        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+                              expression='(&(objectclass=subnet)(cn=%s))' % 
cidr)
+
+        self.assertEqual(len(ret), 1, 'Failed to remove old subnet during 
rename %s' % cidr)
+
+        subnets.delete_subnet(self.ldb, basedn, cidr)
+
     def test_create_bad_ranges(self):
         """These CIDR ranges all have something wrong with them, and they
         should all fail."""


-- 
Samba Shared Repository

Reply via email to