git.samba.org / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fuzzing: fix fuzz_stable_sort_r_unstable comparison
[samba.git] / source4 / selftest / tests.py
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 7b6df50002927678270d4138b64eaef82da376f7..044b07d2a6a8dd025b1d839a1d7762985883a463 100755 (executable)
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -163,19 +163,47 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
         '--use-kerberos=required --option=clientldapsaslwrapping=plain',
         '--use-kerberos=required --client-protection=sign',
         '--use-kerberos=required --client-protection=encrypt',
+        '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+        '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no"',
+        '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
         '--use-kerberos=disabled --option=clientldapsaslwrapping=plain',
         '--use-kerberos=disabled --client-protection=sign --option=ntlmssp_client:ldap_style_send_seal=no',
         '--use-kerberos=disabled --client-protection=sign',
         '--use-kerberos=disabled --client-protection=encrypt',
+        '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+        '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no"',
+        '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
     ]
 
     for auth_option in auth_options:
         options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
         plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
                       env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
-    options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
-    plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
-                  env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
+    auth_options = [
+        '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=no"  --option="ldap_testing:tls_channel_bindings=no"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=no"  --option="ldap_testing:tls_channel_bindings=yes"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=no"  --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=no"  --option="ldap_testing:tls_channel_bindings=no"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=no"  --option="ldap_testing:tls_channel_bindings=yes"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=no"  --option="ldap_testing:forced_channel_binding=wRoNg"',
+    ]
+    for auth_option in auth_options:
+        options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check" ' + auth_option
+        plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
+                      env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+        options += ' --option="clientldapsaslwrapping=starttls"'
+        plantestsuite("samba4.ldb.simple.ldap starttls with SASL-BIND %s(%s)" % (options, env),
+                      env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
+
 
 envraw = "fl2008r2dc"
 env = "%s:local" % envraw
@@ -202,13 +230,6 @@ for t in smbtorture4_testsuites("ldap."):
 for t in smbtorture4_testsuites("dsdb."):
     plansmbtorture4testsuite(t, "ad_dc:local", "localhost")
 
-ldbdir = os.path.join(srcdir(), "lib/ldb")
-# Don't run LDB tests when using system ldb, as we won't have ldbtest installed
-if os.path.exists(os.path.join(samba4bindir, "ldbtest")):
-    plantestsuite("ldb.base", "none", "%s/tests/test-tdb-subunit.sh %s" % (ldbdir, samba4bindir))
-else:
-    skiptestsuite("ldb.base", "Using system LDB, ldbtest not available")
-
 plantestsuite_loadlist("samba4.tests.attr_from_server.python(ad_dc_ntvfs)",
                        "ad_dc_ntvfs:local",
                        [python, os.path.join(DSDB_PYTEST_DIR, "attr_from_server.py"),
@@ -346,13 +367,11 @@ for env in all_fl_envs:
     transport = "ncacn_np"
     plansmbtorture4testsuite('rpc.pac', env, ["%s:$SERVER[]" % (transport, ), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.pac on %s" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,))
-    plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=dcom/$NETBIOSNAME]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal dcom" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets', env, [r"%s:$SERVER[target_principal=$NETBIOSNAME\$]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal dollar" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=$NETBIOSNAME]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport)
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME', '--option=gensec_krb5:send_authenticator_checksum=false'], "samba4.rpc.lsa.secrets on %s with Kerberos - use raw-krb5-no-authenticator-checksum style login" % transport)
-    plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport)
 
     # Winreg tests test bulk Kerberos encryption of DCE/RPC
     # We test rpc.winreg here too, because the winreg interface if
@@ -567,8 +586,13 @@ for t in smbtorture4_testsuites("dns_internal."):
     plansmbtorture4testsuite(t, "ad_dc_default:local", '//$SERVER/whavever')
 
 # These tests want to run on a barely changed fresh provision, before
-# too much happens to this environment.
-planpythontestsuite("chgdcpass:local", "samba.tests.dsdb_quiet_provision_tests")
+# too much happens to this environment, it is read only and local
+# (direct to the DB) so we use proclimitdc as it is otherwise empty
+# bar a test for process limits.
+planpythontestsuite("proclimitdc:local", "samba.tests.dsdb_quiet_provision_tests")
+
+# We want this local test to run in an environment where not much is happening that could use root keys
+planpythontestsuite("chgdcpass:local", "samba.tests.dsdb_quiet_env_tests")
 
 # Local tests
 for t in smbtorture4_testsuites("dlz_bind9."):
@@ -611,6 +635,8 @@ plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.jo
 
 planpythontestsuite("ad_dc_default", "samba.tests.blackbox.claims")
 
+planpythontestsuite("ad_dc_default", "samba.tests.blackbox.gmsa")
+
 if have_heimdal_support:
     plantestsuite("samba4.blackbox.kpasswd",
                   "ad_dc:local",
@@ -1081,11 +1107,11 @@ for env in ["ad_dc:local", "s4member:local", "nt4_dc:local", "ad_member:local",
 
 if have_gnutls_fips_mode_support:
     planoldpythontestsuite("ad_dc",
-                           "samba.tests.dcerpc.createtrustrelax",
+                           "samba.tests.dcerpc.lsa_utils",
                            environ={'GNUTLS_FORCE_FIPS_MODE': '1',
                                     'OPENSSL_FORCE_FIPS_MODE': '1'})
     planoldpythontestsuite("ad_dc_fips",
-                           "samba.tests.dcerpc.createtrustrelax",
+                           "samba.tests.dcerpc.lsa_utils",
                            environ={'GNUTLS_FORCE_FIPS_MODE': '1',
                                     'OPENSSL_FORCE_FIPS_MODE': '1'})
 
@@ -1175,8 +1201,14 @@ planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.schema")
 planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_claim")
 planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_auth_policy")
 planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_auth_silo")
-planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_kds_root_key")
+
+# This test needs to be run in an environment well apart from most
+# other tests as it deletes root keys and we don't want this to happen
+# where a gMSA account might be live.
+planpythontestsuite("chgdcpass", "samba.tests.samba_tool.domain_kds_root_key")
+
 planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_models")
+planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.service_account")
 planpythontestsuite("schema_dc:local", "samba.tests.samba_tool.schema")
 planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.ntacl")
 planpythontestsuite("none", "samba.tests.samba_tool.provision_password_check")
@@ -1381,7 +1413,8 @@ planoldpythontestsuite("ad_dc",
                        extra_args=['-U"$USERNAME%$PASSWORD"'])
 planoldpythontestsuite("ad_dc",
                        "samba.tests.segfault",
-                       extra_args=['-U"$USERNAME%$PASSWORD"'])
+                       extra_args=['-U"$USERNAME%$PASSWORD"'],
+                       environ={"TALLOC_FREE_FILL": "0xab"})
 # Need to test the password hashing in multiple environments to ensure that
 # all the possible options are covered
 #
@@ -2053,6 +2086,10 @@ planoldpythontestsuite(
     'ad_dc',
     'samba.tests.krb5.gkdi_tests',
     environ=krb5_environ)
+planoldpythontestsuite(
+    'ad_dc:local',
+    'samba.tests.krb5.gmsa_tests',
+    environ=krb5_environ)
 
 for env in [
         'vampire_dc',
Samba Shared Repository