From 549b5fe579fc15d63b71b1cc8a0ebf4e4869171b Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 17 Aug 2023 01:05:54 +0300
Subject: [PATCH 1/9] gp: Support more global trust directories
In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).
To determine the correct directory to use, we iterate over the variants
and stop at the first which is a directory.
If none is found, fall back to the first option, which will produce a
warning as it did previously.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f)
---
 python/samba/gp/gp_cert_auto_enroll_ext.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 312c8ddf467..1b90ab46e90 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -45,10 +45,12 @@ cert_wrap = b"""
 -----BEGIN CERTIFICATE-----
 %s
 -----END CERTIFICATE-----"""
-global_trust_dir = '/etc/pki/trust/anchors'
 endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \
               '_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP'
 
+global_trust_dirs = ['/etc/pki/trust/anchors',           # SUSE
+                     '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora
+                     '/usr/local/share/ca-certificates'] # Debian/Ubuntu
 
 def octet_string_to_objectGUID(data):
     """Convert an octet string to an objectGUID."""
@@ -249,12 +251,20 @@ def getca(ca, url, trust_dir):
     return root_certs
 
 
+def find_global_trust_dir():
+    """Return the global trust dir using known paths from various Linux distros."""
+    for trust_dir in global_trust_dirs:
+        if os.path.isdir(trust_dir):
+            return trust_dir
+    return global_trust_dirs[0]
+
 def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
     root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
+    global_trust_dir = find_global_trust_dir()
     for src in root_certs:
         # Symlink the certs to global trust dir
         dst = os.path.join(global_trust_dir, os.path.basename(src))
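Review bot: The fallback on the `return global_trust_dirs[0]` line hands back the SUSE path even when no candidate directory exists, and the docstring says neither that the result may be a non-existent directory nor that list order decides on hosts that carry more than one of these paths (the first match wins, so a Debian host that also has `/etc/pki/trust/anchors` gets the SUSE directory rather than the one its `update-ca-certificates` reads). cert_enroll then builds `dst` under that path; the symlink call and the warning the commit message promises lie past the end of the hunk, so they cannot be checked here. I would extend the docstring to: "Probe the candidates in list order and return the first existing directory; if none exists, return the first candidate (which may not exist) so the caller's existing failure/warning path is preserved." cert_enroll continues outside the hunk.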
-- 
2.43.0
From c624a1e9b1d09fe2bb3f9778cb616230e57168a8 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 17 Aug 2023 01:09:28 +0300
Subject: [PATCH 2/9] gp: Support update-ca-trust helper
This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit fa80d1d86439749c44e60cf9075e84dc9ed3c268)
---
 python/samba/gp/gp_cert_auto_enroll_ext.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 1b90ab46e90..cefdafa21b2 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -258,6 +258,10 @@ def find_global_trust_dir():
             return trust_dir
     return global_trust_dirs[0]
 
+def update_ca_command():
+    """Return the command to update the CA trust store."""
+    return which('update-ca-certificates') or which('update-ca-trust')
+
 def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
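Review bot: update_ca_command chooses the helper independently of the directory chosen by find_global_trust_dir, so on a host that has both `update-ca-certificates` and `update-ca-trust` on PATH the command that runs may not be the one that consumes the anchor directory the certificate was just linked into, and the root CA would silently stay untrusted; whether such hosts exist in practice is not something the hunk shows. A one-line comment would make the assumption visible to the next maintainer: `# Assumes the first helper found on PATH consumes the directory returned by find_global_trust_dir(); revisit if a host ships both.` Pairing each entry of global_trust_dirs with its helper (a list of (directory, command) tuples) would remove the ambiguity altogether.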
@@ -283,7 +287,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
             # already exists. Ignore the FileExistsError. Preserve the
             # existing symlink in the unapply data.
             data['files'].append(dst)
-    update = which('update-ca-certificates')
+    update = update_ca_command()
     if update is not None:
         Popen([update]).wait()
     # Setup Certificate Auto Enrollment
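Review bot: The exit status of the trust-store helper is discarded on the `Popen([update]).wait()` line, so if `update-ca-trust` or `update-ca-certificates` fails (for example because find_global_trust_dir fell back to a directory that does not exist, or on a permission error) the root CA never reaches the system store and nothing is logged, while enrollment proceeds against a CA the host does not trust. The hunk only swaps the lookup, but it is the first point where the RHEL helper is run, so I would keep the return code: `rc = Popen([update]).wait()` / `if rc != 0: log.warning('%s exited with status %d', update, rc)` — assuming a `log` object exists in this module, which the hunk does not show. When no helper is found at all, `update` is None and the anchors are linked but never activated; that case deserves a warning too.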
-- 
2.43.0
From 086406ca457cc17e15001fb44802276ada068679 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 11 Aug 2023 18:46:42 +0300
Subject: [PATCH 3/9] gp: Change root cert extension suffix
On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit bce3a89204545dcab5fb39a712590f6e166f997b)
---
 python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index cefdafa21b2..c562722906b 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -241,7 +241,8 @@ def getca(ca, url, trust_dir):
         certs = load_der_pkcs7_certificates(r.content)
         for i in range(0, len(certs)):
             cert = certs[i].public_bytes(Encoding.PEM)
-            dest = '%s.%d' % (root_cert, i)
+            filename, extension = root_cert.rsplit('.', 1)
+            dest = '%s.%d.%s' % (filename, i, extension)
             with open(dest, 'wb') as w:
                 w.write(cert)
             root_certs.append(dest)
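Review bot: `root_cert.rsplit('.', 1)` on the new `filename, extension` line splits on the last dot anywhere in the path, not in the basename, so a `root_cert` whose file name has no suffix but whose directory contains a dot (a trust_dir such as `/etc/samba.d/certs`) is split at the wrong place, and a path with no dot at all raises ValueError on unpacking. `os.path.splitext` handles both: `filename, extension = os.path.splitext(root_cert)` and `dest = '%s.%d%s' % (filename, i, extension)` (splitext keeps the leading dot in the extension). root_cert is computed earlier in getca, outside the hunk, so whether it always carries a suffix cannot be confirmed here.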
-- 
2.43.0
From c57c32020cc9017191b8c8657ebabe00d552a6e3 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:06:43 +0300
Subject: [PATCH 4/9] gp: Test with binary content for certificate data
This fails all GPO-related tests that call `gpupdate --rsop`.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70)
---
 python/samba/tests/gpo.py |  8 ++++----
 selftest/knownfail.d/gpo  | 13 +++++++++++++
 2 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 selftest/knownfail.d/gpo
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index e4b75cc62a4..963f873f755 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -6783,14 +6783,14 @@ class GPOTests(tests.TestCase):
         ldb.add({'dn': certa_dn,
                  'objectClass': 'certificationAuthority',
                  'authorityRevocationList': ['XXX'],
-                 'cACertificate': 'XXX',
+                 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
                  'certificateRevocationList': ['XXX'],
                 })
         # Write the dummy pKIEnrollmentService
         enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn)
         ldb.add({'dn': enroll_dn,
                  'objectClass': 'pKIEnrollmentService',
-                 'cACertificate': 'XXXX',
+                 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
                  'certificateTemplates': ['Machine'],
                  'dNSHostName': hostname,
                 })
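Review bot: The literal `b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I'` is pasted four times across this file's hunks with nothing saying what it is; it looks like the first bytes of a DER Certificate SEQUENCE rather than a parseable certificate, which is fine for a test that only exercises the base64 round-trip but will surprise a reader who expects it to load. I would hoist it once to a module-level constant with a comment, e.g. `DUMMY_DER_PREFIX = b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I'  # truncated DER; exercises binary handling only, not parsing`, and reference it from each ldb.add call. The enclosing test method starts outside the hunk.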
@@ -7201,14 +7201,14 @@ class GPOTests(tests.TestCase):
         ldb.add({'dn': certa_dn,
                  'objectClass': 'certificationAuthority',
                  'authorityRevocationList': ['XXX'],
-                 'cACertificate': 'XXX',
+                 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
                  'certificateRevocationList': ['XXX'],
                 })
         # Write the dummy pKIEnrollmentService
         enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn)
         ldb.add({'dn': enroll_dn,
                  'objectClass': 'pKIEnrollmentService',
-                 'cACertificate': 'XXXX',
+                 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
                  'certificateTemplates': ['Machine'],
                  'dNSHostName': hostname,
                 })
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
new file mode 100644
index 00000000000..0aad59607c2
--- /dev/null
+++ b/selftest/knownfail.d/gpo
@@ -0,0 +1,13 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
-- 
2.43.0
From c53b2994fd13f4c74cee891e725a4558cdb06b2d Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:20:11 +0300
Subject: [PATCH 5/9] gp: Convert CA certificates to base64
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:
'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte
We found a fix to be encoding the certificate to base64 when
constructing the CA list.
Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit 157335ee93eb866f9b6a47486a5668d6e76aced5)
---
 python/samba/gp/gp_cert_auto_enroll_ext.py |  5 ++---
 selftest/knownfail.d/gpo                   | 13 -------------
 2 files changed, 2 insertions(+), 16 deletions(-)
 delete mode 100644 selftest/knownfail.d/gpo
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index c562722906b..c8b5368c16a 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -158,7 +158,7 @@ def fetch_certification_authorities(ldb):
     for es in res:
         data = { 'name': get_string(es['cn'][0]),
                  'hostname': get_string(es['dNSHostName'][0]),
-                 'cACertificate': get_string(es['cACertificate'][0])
+                 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0]))
                }
         result.append(data)
     return result
@@ -176,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None):
         return {'msPKI-Minimal-Key-Size': ['2048']}
 
 def format_root_cert(cert):
-    cert = base64.b64encode(cert.encode())
-    return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL)
+    return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL)
 
 def find_cepces_submit():
     certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger',
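Review bot: format_root_cert now requires `cert` to already be base64 text (the encoding step moved into fetch_certification_authorities), but nothing in the function says so, and a caller that still passes raw DER decoded to str, or any other non-base64 text, gets a file that looks like PEM but whose body is garbage written straight into the trust directory. I would add the docstring `"""Wrap base64-encoded DER (as produced by fetch_certification_authorities) in PEM armour at 64 columns."""` and guard the input with `base64.b64decode(cert, validate=True)` before wrapping, so a malformed value raises here rather than producing an unloadable anchor. Note also that when the base64 length is an exact multiple of 64 the `re.sub` leaves a trailing newline before the `-----END` line supplied by cert_wrap; whether every consumer tolerates the resulting blank line is not something the hunk shows.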
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644
index 0aad59607c2..00000000000
--- a/selftest/knownfail.d/gpo
+++ /dev/null
@@ -1,13 +0,0 @@
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
-- 
2.43.0
From fd13702a9cd6475a14113de87ccad6588d2d443b Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:16:23 +0300
Subject: [PATCH 6/9] gp: Test adding new cert templates enforces changes
Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit 2d6943a864405f324c467e8c3464c31ac08457b0)
---
 python/samba/tests/bin/cepces-submit |  3 +-
 python/samba/tests/gpo.py            | 48 ++++++++++++++++++++++++++++
 selftest/knownfail.d/gpo             |  2 ++
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/gpo
diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit
index 668682a9f58..de63164692b 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
@@ -14,4 +14,5 @@ if __name__ == "__main__":
     assert opts.auth == 'Kerberos'
     if 'CERTMONGER_OPERATION' in os.environ and \
        os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
-        print('Machine') # Report a Machine template
+        templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',')
+        print('\n'.join(templates)) # Report the requested templates
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 963f873f755..e75c411bde7 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -6812,6 +6812,23 @@ class GPOTests(tests.TestCase):
             self.assertTrue(os.path.exists(machine_crt),
                             'Machine key was not generated')
 
+            # Subsequent apply should react to new certificate templates
+            os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation'
+            self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES')
+            ext.process_group_policy([], gpos, dname, dname)
+            self.assertTrue(os.path.exists(ca_crt),
+                            'Root CA certificate was not requested')
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine certificate was not requested')
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine key was not generated')
+            workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca_cn)
+            self.assertTrue(os.path.exists(workstation_crt),
+                            'Workstation certificate was not requested')
+            workstation_key = os.path.join(dname, '%s.Workstation.key' % ca_cn)
+            self.assertTrue(os.path.exists(workstation_crt),
+                            'Workstation key was not generated')
+
             # Verify RSOP does not fail
             ext.rsop([g for g in gpos if g.name == guid][0])
 
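Review bot: The new `workstation_key` variable is never checked: the assertion that follows it tests `os.path.exists(workstation_crt)` again under the message 'Workstation key was not generated', so a missing Workstation key would not fail the test. Change it to `self.assertTrue(os.path.exists(workstation_key), 'Workstation key was not generated')`. The pre-existing Machine assertions have the same copy-paste (machine_crt checked twice for cert and key), which this hunk does not touch; the enclosing test method starts outside the hunk.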
@@ -6829,11 +6846,17 @@ class GPOTests(tests.TestCase):
                             'Machine certificate was not removed')
             self.assertFalse(os.path.exists(machine_crt),
                             'Machine key was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation certificate was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation key was not removed')
             out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate()
             self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed')
             out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate()
             self.assertNotIn(b'Machine', out,
                              'Machine certificate not removed')
+            self.assertNotIn(b'Workstation', out,
+                             'Workstation certificate not removed')
 
         # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate
         ldb.delete(certa_dn)
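Review bot: The second new assertFalse checks `workstation_crt` again under the message 'Workstation key was not removed', so removal of the key is never verified; it should test `workstation_key`, which is defined earlier in the same test outside this hunk: `self.assertFalse(os.path.exists(workstation_key), 'Workstation key was not removed')`. The enclosing test method starts outside the hunk.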
@@ -7233,6 +7256,25 @@ class GPOTests(tests.TestCase):
                 self.assertTrue(os.path.exists(machine_crt),
                                 'Machine key was not generated')
 
+            # Subsequent apply should react to new certificate templates
+            os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation'
+            self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES')
+            ext.process_group_policy([], gpos, dname, dname)
+            for ca in ca_list:
+                self.assertTrue(os.path.exists(ca_crt),
+                                'Root CA certificate was not requested')
+                self.assertTrue(os.path.exists(machine_crt),
+                                'Machine certificate was not requested')
+                self.assertTrue(os.path.exists(machine_crt),
+                                'Machine key was not generated')
+
+                workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca)
+                self.assertTrue(os.path.exists(workstation_crt),
+                                'Workstation certificate was not requested')
+                workstation_key = os.path.join(dname, '%s.Workstation.key' % ca)
+                self.assertTrue(os.path.exists(workstation_crt),
+                                'Workstation key was not generated')
+
             # Verify RSOP does not fail
             ext.rsop([g for g in gpos if g.name == guid][0])
 
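Review bot: Inside the new `for ca in ca_list:` loop the `workstation_key` path is built but the assertion after it tests `workstation_crt` again with the message 'Workstation key was not generated', so a missing key never fails the test; change it to `self.assertTrue(os.path.exists(workstation_key), 'Workstation key was not generated')`. The `ca_crt` and `machine_crt` checks in the same loop do not depend on `ca`, so they re-test the same files on every iteration; whether those names are per-CA is decided outside the hunk. The enclosing test method starts outside the hunk.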
@@ -7250,12 +7292,18 @@ class GPOTests(tests.TestCase):
                             'Machine certificate was not removed')
             self.assertFalse(os.path.exists(machine_crt),
                             'Machine key was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation certificate was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation key was not removed')
             out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate()
             for ca in ca_list:
                 self.assertNotIn(get_bytes(ca), out, 'CA was not removed')
             out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate()
             self.assertNotIn(b'Machine', out,
                              'Machine certificate not removed')
+            self.assertNotIn(b'Workstation', out,
+                             'Workstation certificate not removed')
 
         # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate
         ldb.delete(certa_dn)
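Review bot: After the per-CA loop earlier in this test, `workstation_crt` refers only to the last entry of `ca_list`, so the two new assertFalse calls verify removal for one CA and, because both test `workstation_crt`, never check the key at all. I would loop here as the `getcert list-cas` check below does: `for ca in ca_list:` / `self.assertFalse(os.path.exists(os.path.join(dname, '%s.Workstation.crt' % ca)), 'Workstation certificate was not removed')` / `self.assertFalse(os.path.exists(os.path.join(dname, '%s.Workstation.key' % ca)), 'Workstation key was not removed')`. The enclosing test method starts outside the hunk.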
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
new file mode 100644
index 00000000000..4edc1dce730
--- /dev/null
+++ b/selftest/knownfail.d/gpo
@@ -0,0 +1,2 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
-- 
2.43.0
From 4578c6664ab6eac476ee10afae4a1a95b3b63272 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:37:17 +0300
Subject: [PATCH 7/9] gp: Template changes should invalidate cache
If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
taken into account.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1)
---
 python/samba/gp/gp_cert_auto_enroll_ext.py | 15 ++++++++++-----
 selftest/knownfail.d/gpo                   |  2 --
 2 files changed, 10 insertions(+), 7 deletions(-)
 delete mode 100644 selftest/knownfail.d/gpo
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index c8b5368c16a..8233713e8ad 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -262,6 +262,11 @@ def update_ca_command():
     """Return the command to update the CA trust store."""
     return which('update-ca-certificates') or which('update-ca-trust')
 
+def changed(new_data, old_data):
+    """Return True if any key present in both dicts has changed."""
+    return any((new_data[k] != old_data[k] if k in old_data else False) \
+            for k in new_data.keys())
+
 def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
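Review bot: `changed()` treats a key that exists in `new_data` but not in `old_data` as unchanged (the `else False` branch), whereas the inline `all(...)` test it replaces in the next hunk counted a missing key as a difference. That is fine as long as the cached record always carries every key of `new_data`, but a cache written by an older version without `templates`, or any key later added to `ca`, would then be ignored until some other value changes. If that case is meant to invalidate the cache, `return bool(old_data) and any(k not in old_data or new_data[k] != old_data[k] for k in new_data)` does so while still keeping the first-apply path (empty `old_data`) away from `unapply`. The backslash continuation inside the `any(...)` parentheses is unnecessary.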
@@ -351,12 +356,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
         # If the policy has changed, unapply, then apply new policy
         old_val = self.cache_get_attribute_value(guid, attribute)
         old_data = json.loads(old_val) if old_val is not None else {}
-        if all([(ca[k] == old_data[k] if k in old_data else False) \
-                    for k in ca.keys()]) or \
-                self.cache_get_apply_state() == GPOSTATE.ENFORCE:
+        templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])]
+        new_data = { 'templates': templates, **ca }
+        if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE:
             self.unapply(guid, attribute, old_val)
-        # If policy is already applied, skip application
-        if old_val is not None and \
+        # If policy is already applied and unchanged, skip application
+        if old_val is not None and not changed(new_data, old_data) and \
                 self.cache_get_apply_state() != GPOSTATE.ENFORCE:
             return
 
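Review bot: `get_supported_templates(ca['hostname'])` on the new `templates = ...` line now runs on every policy pass, before the cache comparison decides whether there is anything to do, so refreshing an unchanged policy depends on the CA responding; if that helper raises when the CA is unreachable (its body is not in this hunk), the pass aborts instead of leaving the cached state alone, which is worth a targeted except that logs and skips rather than propagating. The lists are also compared with `!=`, so a different enumeration order alone counts as a change and triggers `unapply`, which presumably removes the issued certificate and key before re-enrolling. Building the list as `templates = sorted('%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname']))` makes the comparison order-insensitive, provided the cached `templates` value is written in the same form (that code is outside the hunk). The enclosing method starts and ends outside this hunk.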
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644
index 4edc1dce730..00000000000
--- a/selftest/knownfail.d/gpo
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
-- 
2.43.0
From 2d641b736b42f7623955f251ad354439b954159d Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:26:59 +0300
Subject: [PATCH 8/9] gp: Test disabled enrollment unapplies policy
For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit ee814f7707a8ddef2657212cd6d31799501b7bb3)
---
 python/samba/tests/gpo.py | 54 +++++++++++++++++++++++++++++++++++++++
 selftest/knownfail.d/gpo  |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 selftest/knownfail.d/gpo
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index e75c411bde7..580f3568de8 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -281,6 +281,28 @@ b"""
 </PolFile>
 """
 
+auto_enroll_unchecked_reg_pol = \
+b"""
+
+<PolFile num_entries="3" signature="PReg" version="1">
+        <Entry type="4" type_name="REG_DWORD">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>AEPolicy</ValueName>
+                <Value>0</Value>
+        </Entry>
+        <Entry type="4" type_name="REG_DWORD">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>OfflineExpirationPercent</ValueName>
+                <Value>10</Value>
+        </Entry>
+        <Entry type="1" type_name="REG_SZ">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>OfflineExpirationStoreNames</ValueName>
+                <Value>MY</Value>
+        </Entry>
+</PolFile>
+"""
+
 advanced_enroll_reg_pol = \
 b"""
 
@@ -6836,6 +6858,38 @@ class GPOTests(tests.TestCase):
             ret = rsop(self.lp)
             self.assertEqual(ret, 0, 'gpupdate --rsop failed!')
 
+            # Remove policy by staging pol file with auto-enroll unchecked
+            parser.load_xml(etree.fromstring(auto_enroll_unchecked_reg_pol.strip()))
+            ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+            self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+            ext.process_group_policy([], gpos, dname, dname)
+            self.assertFalse(os.path.exists(ca_crt),
+                            'Root CA certificate was not removed')
+            self.assertFalse(os.path.exists(machine_crt),
+                            'Machine certificate was not removed')
+            self.assertFalse(os.path.exists(machine_crt),
+                            'Machine key was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation certificate was not removed')
+            self.assertFalse(os.path.exists(workstation_crt),
+                            'Workstation key was not removed')
+
+            # Reapply policy by staging the enabled pol file
+            parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip()))
+            ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+            self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+            ext.process_group_policy([], gpos, dname, dname)
+            self.assertTrue(os.path.exists(ca_crt),
+                            'Root CA certificate was not requested')
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine certificate was not requested')
+            self.assertTrue(os.path.exists(machine_crt),
+                            'Machine key was not generated')
+            self.assertTrue(os.path.exists(workstation_crt),
+                            'Workstation certificate was not requested')
+            self.assertTrue(os.path.exists(workstation_crt),
+                            'Workstation key was not generated')
+
             # Remove policy
             gp_db = store.get_gplog(machine_creds.get_username())
             del_gpos = get_deleted_gpos_list(gp_db, [])
Andreas Schneider cbf258a
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
new file mode 100644
index 00000000000..83bc9f0ac1f
--- /dev/null
+++ b/selftest/knownfail.d/gpo
@@ -0,0 +1 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
-- 
2.43.0
From e5588f8800899894388284468b9e25463d3c3e6c Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:33:59 +0300
Subject: [PATCH 9/9] gp: Send list of keys instead of dict to remove
`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224
(cherry picked from commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a)
---
 python/samba/gp/gp_cert_auto_enroll_ext.py | 2 +-
 selftest/knownfail.d/gpo                   | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/gpo
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 8233713e8ad..64c35782ae8 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -415,7 +415,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
                             # remove any existing policy
                             ca_attrs = \
                                 self.cache_get_all_attribute_values(gpo.name)
-                            self.clean(gpo.name, remove=ca_attrs)
+                            self.clean(gpo.name, remove=list(ca_attrs.keys()))
 
     def __read_cep_data(self, guid, ldb, end_point_information,
                         trust_dir, private_dir):
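Review bot: `list(ca_attrs.keys())` on the changed line can be written as `list(ca_attrs)`, the idiomatic spelling for collecting a dict's keys. The commit message says these keys are interpolated into the gpdb search; if `clean` (outside this hunk) builds that search as a filter string from the attribute names, it should be escaping or validating them, which is worth confirming while touching this call. The enclosing method starts and ends outside this hunk.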
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644
index 83bc9f0ac1f..00000000000
--- a/selftest/knownfail.d/gpo
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
-- 
2.43.0