ntlm_auth: added require-membership tests
authorGarming Sam <garming@catalyst.net.nz>
Wed, 11 Jun 2014 05:07:44 +0000 (17:07 +1200)
committerKamen Mazdrashki <kamenim@samba.org>
Tue, 15 Jul 2014 13:59:49 +0000 (15:59 +0200)
(updated by abartlet to fix knownfail changes due to AD DC winbindd
use in master)
Change-Id: Iec41fbfc0f501888fd16323bf78da61aa549b4de
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by:
Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
Autobuild-User(master): Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date(master): Tue Jul 15 15:59:49 CEST 2014 on sn-devel-104

selftest/knownfail
source3/script/tests/test_ntlm_auth_s3.sh

index 7d1702deca4b0dd24a6d3483756273cf3e33e92d..214a1704863f33c0e664bdd4fb92e0ffd657983d 100644 (file)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -U check for sane mapping\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G against s3member\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G check for sane mapping\(s3member:local\)
+^samba.ntlm_auth.\(dc:local\).ntlm_auth against winbindd with failed require-membership-of
+^samba.ntlm_auth.\(dc:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
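Review bot: Both new entries mark the deny-path tests ("failed require-membership-of") as known failures on `dc:local`, so on that environment a run in which a user outside the required group is accepted will not be reported as a regression. The commit message attributes the knownfail change to AD DC winbindd use, but the file itself records no reason. Add a comment above the two lines, for example `# negative require-membership-of tests fail on dc:local (AD DC winbindd); remove once fixed`, so the entries get revisited instead of silently masking an authorization check.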
index ca7a952b7446716140571cbbd0b0427c3bf44962..655556b692c694a741563112d9f2a2a125a48160 100755 (executable)
@@ -19,8 +19,73 @@ ADDARGS="$*"
 incdir=`dirname $0`/../../../testprogs/blackbox
 . $incdir/subunit.sh
 
+SID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1`
+BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
+
 failed=0
 
+test_interactive_prompt_stdout()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       cat > $tmpfile <<EOF
+$DOMAIN/$USERNAME $PASSWORD
+EOF
+       cmd='$NTLM_AUTH "$@" --require-membership-of=$SID --helper-protocol=squid-2.5-basic < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "OK" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # authenticated .. succeed
+               true
+       else
+               echo failed to get successful authentication
+               false
+       fi
+}
+
+test_interactive_prompt_stdout_fail()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       cat > $tmpfile <<EOF
+$DOMAIN\\$USERNAME $PASSWORD
+EOF
+       cmd='$NTLM_AUTH "$@" --require-membership-of=$BADSID --helper-protocol=squid-2.5-basic < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "ERR" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # failed to authenticate .. success
+               true
+       else
+               echo "incorrectly gave a successful authentication"
+               false
+       fi
+}
+
 testit "ntlm_auth" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS || failed=`expr $failed + 1`
 # This should work even with NTLMv2
 testit "ntlm_auth with specified domain" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo || failed=`expr $failed + 1`
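Review bot: `test_interactive_prompt_stdout_fail` does not isolate the membership check, because it feeds `$DOMAIN\\$USERNAME` where the passing variant feeds `$DOMAIN/$USERNAME`, and it accepts any `ERR` line as success. If the helper rejects the backslash form of the name (this depends on separator configuration not visible here), the test passes even when `--require-membership-of` is ignored, which is the regression it is meant to catch. Write the same credential line in both functions, `$DOMAIN/$USERNAME $PASSWORD`, so that `$BADSID` is the only difference between them. `BADSID` is made by cutting the last two characters off the real SID, which may leave either a different well-formed SID or a malformed one. A comment on that line such as `# truncated RID: must not name any group the test user belongs to` would state which case is intended.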
@@ -30,4 +95,13 @@ testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server" $PYTHON
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS || failed=`expr $failed + 1`
 
 
+testit "ntlm_auth against winbindd with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1`
+testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1`
+
+testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
+testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
+
+testit "ntlm_auth plaintext authentication with require-membership-of" test_interactive_prompt_stdout || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with failed require-membership-of" test_interactive_prompt_stdout_fail || failed=`expr $failed + 1`
+
 testok $0 $failed
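Review bot: The two positive `testit` calls that pass `--require-membership-of=$SID` cannot tell an enforced restriction from a missing one when `$SID` is empty. `$SID` comes from a `wbinfo -n` lookup earlier in the script whose result is never checked, so a failed lookup yields a bare `--require-membership-of=`. How ntlm_auth treats an empty value is not visible on this page, but if it means "no restriction" these tests pass without exercising the check. Guard before these calls with `[ -n "$SID" ] || { echo "wbinfo -n $USERNAME returned no SID"; exit 1; }`. The same applies to `$BADSID` on the two `testit_expect_failure` lines.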