| blob | bef5fc9b27c40dcd70d36e09742eb441c5e3d0a7 |
1 #!/usr/bin/env python3
2 # -*- coding: utf-8 -*-
3 #
4 # Tests various schema replication scenarios
5 #
6 # Copyright (C) Catalyst.Net Ltd. 2017
7 #
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
12 #
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
17 #
18 # You should have received a copy of the GNU General Public License
19 # along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #
22 #
23 # Usage:
24 # export DC1=dc1_dns_name
25 # export DC2=dc2_dns_name
26 # export SUBUNITRUN=$samba4srcdir/scripting/bin/subunitrun
27 # PYTHONPATH="$PYTHONPATH:$samba4srcdir/torture/drs/python" $SUBUNITRUN \
28 # getncchanges -U"$DOMAIN/$DC_USERNAME"%"$DC_PASSWORD"
29 #
31 import drs_base
33 import ldb
35 import random
47 # Note that DC2 is the DC with the testenv-specific quirks (e.g. it's
48 # the vampire_dc), so we point this test directly at that DC
67 # 100 is the minimum max_objects that Microsoft seems to honour
68 # (the max honoured is 400ish), so we use that in these tests
71 # store whether we used GET_TGT/GET_ANC flags in the requests
76 """Adds an OU object"""
82 """Modifies an object's USN by adding an attribute value to it"""
89 """Deletes an attribute from an object"""
96 """Resets enough state info to start a new replication cycle"""
97 # reset rxd_links, but leave rxd_guids and rxd_dn_list alone so we know
98 # whether a parent/target is unknown and needs GET_ANC/GET_TGT to
99 # resolve
104 # mostly preserve self.last_ctr, so that we use the last HWM
110 """
111 Creates a block of objects. Object names are numbered sequentially,
112 using the optional prefix supplied. If the children parameter is
113 supplied it will create a parent-child hierarchy and return the
114 top-level parents separately.
115 """
116 dn_list = []
118 # Use dummy/empty lists if we're not creating a parent/child hierarchy
120 children = []
123 parent_list = []
125 # Create the parents first, then the children.
126 # This makes it easier to see in debug when GET_ANC takes effect
127 # because the parent/children become interleaved (by default,
128 # this approach means the objects are organized into blocks of
129 # parents and blocks of children together)
135 # keep track of the top-level parents (if needed)
138 # create the block of children (if needed)
145 return dn_list
148 """
149 Asserts that we received all the DNs that we expected and
150 none are missing.
151 """
154 # Note that with GET_ANC Windows can end up sending the same parent
155 # object multiple times, so this might be noteworthy but doesn't
156 # warrant failing the test
161 num_expected))
163 # Check that we received every object that we were expecting
169 """
170 Modify the objects being replicated while the replication is still
171 in progress and check that no object loss occurs.
172 """
174 # The server behaviour differs between samba and Windows. Samba returns
175 # the objects in the original order (up to the pre-modify HWM). Windows
176 # incorporates the modified objects and returns them in the new order
177 # (i.e. modified objects last), up to the post-modify HWM. The
178 # Microsoft docs state the Windows behaviour is optional.
180 # Create a range of objects to replicate.
184 # We ask for the first page of 100 objects.
185 # For this test, we don't care what order we receive the objects in,
186 # so long as by the end we've received everything
189 # Modify some of the second page of objects. This should bump the
190 # highwatermark
197 # Get the remaining blocks of data
201 # Check we still receive all the objects we're expecting
205 """
206 Returns True if the parent of the dn specified is in known_dn_list
207 """
209 # we can sometimes get system objects like the RID Manager returned.
210 # Ignore anything that is not under the test OU we created
212 return True
214 # Remove the child portion from the name to get the parent's DN
220 # check either this object is a parent (it's parent is the top-level
221 # test object), or its parent has been seen previously
225 """
226 Sends a GetNCChanges request for the next block of replication data.
227 """
229 # we're just trying to mimic regular client behaviour here, so just
230 # use the highwatermark in the last response we received
235 # this is the first replication chunk
239 # Ask for the next block of replication data
251 # return the response from the DC
260 """
261 Requests the next block of replication data. This tries to simulate
262 client behaviour - if we receive a replicated object that we don't know
263 the parent of, then re-request the block with the GET_ANC flag set.
264 If we don't know the target object for a linked attribute, then
265 re-request with GET_TGT.
266 """
268 # send a request to the DC and get the response
271 # extract the object DNs and their GUIDs from the response
275 # we'll add new objects as we discover them, so take a copy of the
276 # ones we already know about, so we can modify these lists safely
280 # check that we know the parent for every object received
288 # the new DN is now known so add it to the list.
289 # It may be the parent of another child in this block
293 # If we've already set the GET_ANC flag then it should mean
294 # we receive the parents before the child
299 # try the same thing again with the GET_ANC flag set this time
303 # check we know about references to any objects in the linked attrs
306 # This is so that older versions of Samba fail - we want the links to
307 # be sent roughly with the objects, rather than getting all links at
308 # the end
315 # skip any links that aren't part of the test
317 continue
319 # check the source object is known (Windows can actually send links
320 # where we don't know the source object yet). Samba shouldn't ever
321 # hit this case because it gets the links based on the source
324 # If we've already set the GET_ANC flag then it should mean
325 # this case doesn't happen
331 # try the same thing again with the GET_ANC flag set this time
335 # check we know the target object
338 # If we've already set the GET_TGT flag then we should have
339 # already received any objects we need to know about
345 # try the same thing again with the GET_TGT flag set this time
349 # store the last successful result so we know what HWM to request next
352 # store the objects, GUIDs, and links we received
357 return ctr6
360 """Returns True if the current/last replication cycle is complete"""
363 return False
365 return True
368 """
369 Modify the parent objects being replicated while the replication is
370 still in progress (using GET_ANC) and check that no object loss occurs.
371 """
373 # Note that GET_ANC behaviour varies between Windows and Samba.
374 # On Samba GET_ANC results in the replication restarting from the very
375 # beginning. After that, Samba remembers GET_ANC and also sends the
376 # parents in subsequent requests (regardless of whether GET_ANC is
377 # specified in the later request).
378 # Windows only sends the parents if GET_ANC was specified in the last
379 # request. It will also resend a parent, even if it's already sent the
380 # parent in a previous response (whereas Samba doesn't).
382 # Create a small block of 50 parents, each with 2 children (A and B)
383 # This is so that we receive some children in the first block, so we
384 # can resend with GET_ANC before we learn too many parents
385 parent_dn_list = []
390 # create the remaining parents and children
395 # We've now got objects in the following order:
396 # [50 parents][100 children][100 parents][200 children]
398 # Modify the first parent so that it's now ordered last by USN
399 # This means we set the GET_ANC flag pretty much straight away
400 # because we receive the first child before the first parent
403 # modify a later block of parents so they also get reordered
407 # Get the first block of objects - this should resend the request with
408 # GET_ANC set because we won't know about the first child's parent.
409 # On samba GET_ANC essentially starts the sync from scratch again, so
410 # we get this over with early before we learn too many parents
413 # modify the last chunk of parents. They should now have a USN higher
414 # than the highwater-mark for the replication cycle
418 # Get the remaining blocks of data - this will resend the request with
419 # GET_ANC if it encounters an object it doesn't have the parent for.
423 # The way the test objects have been created should force
424 # self.repl_get_next() to use the GET_ANC flag. If this doesn't
425 # actually happen, then the test isn't doing its job properly
429 # Check we get all the objects we're expecting
434 """
435 Asserts that a GetNCChanges response contains any expected links
436 for the objects it contains.
437 """
451 """
452 Queries the object in the DB and asserts there is a link in the
453 GetNCChanges response that matches.
454 """
456 # Look up the link attribute in the DB
457 # The extended_dn option will dump the GUID info for the link
458 # attribute (as a hex blob)
464 # We didn't find the expected link attribute in the DB for the object.
465 # Something has gone wrong somewhere...
469 # find the received link in the list and assert that the target and
470 # source GUIDs match what's in the DB
472 # Work out the expected source and target GUIDs for the DB link
487 break
493 """
494 Creates a scenario where we should receive the linked attribute before
495 we know about the target object, and therefore need to use GET_TGT.
496 Note: Samba currently avoids this problem by sending all its links last
497 """
499 # create the test objects
503 expected_links = reportees
505 # add a link attribute to each reportee object that points to the
506 # corresponding manager object as the target
510 # touch the managers (the link-target objects) again to make sure the
511 # reportees (link source objects) get returned first by the replication
517 # Get all the replication data - this code should resend the requests
518 # with GET_TGT
521 # get the next block of replication data (this sets GET_TGT
522 # if needed)
526 # The way the test objects have been created should force
527 # self.repl_get_next() to use the GET_TGT flag. If this doesn't
528 # actually happen, then the test isn't doing its job properly
532 # Check we get all the objects we're expecting
535 # Check we received links for all the reportees
539 """
540 Tests the behaviour of GET_TGT with a more complicated scenario.
541 Here we create a chain of objects linked together, so if we follow
542 the link target, then we'd traverse ~200 objects each time.
543 """
545 # create the test objects
550 # create a complex set of object links:
551 # A0-->B0-->C1-->B2-->C3-->B4-->and so on...
552 # Basically each object-A should link to a circular chain of 200 B/C
553 # objects. We create the links in separate chunks here, as it makes it
554 # clearer what happens with the USN (links on Windows have their own
555 # USN, so this approach means the A->B/B->C links aren't interleaved)
568 expected_links = all_objects
570 # the default order the objects now get returned in should be:
571 # [A0-A99][B0-B99][C0-C99]
575 # Get all the replication data - this code should resend the requests
576 # with GET_TGT
579 # get the next block of replication data (this sets GET_TGT
580 # if needed)
584 # The way the test objects have been created should force
585 # self.repl_get_next() to use the GET_TGT flag. If this doesn't
586 # actually happen, then the test isn't doing its job properly
590 # Check we get all the objects we're expecting
593 # Check we received links for all the reportees
597 """
598 Tests adding links to new objects while a replication is in progress.
599 """
601 # create some source objects for the linked attributes, sandwiched
602 # between 2 blocks of filler objects
607 # Start the replication and get the first block of filler objects
608 # (We're being mean here and setting the GET_TGT flag right from the
609 # start. On earlier Samba versions, if the client encountered an
610 # unknown target object and retried with GET_TGT, it would restart the
611 # replication cycle from scratch, which avoids the problem).
614 # create the target objects and add the links. These objects should be
615 # outside the scope of the Samba replication cycle, but the links
616 # should still get sent with the source object
623 expected_links = reportees
625 # complete the replication
629 # If we didn't receive the most recently created objects in the last
630 # replication cycle, then kick off another replication to get them
637 # Check we get all the objects we're expecting
640 # Check we received links for all the parents
644 """
645 A basic GET_ANC test where the parents have linked attributes
646 """
648 # Create a block of 100 parents and 100 children
649 parent_dn_list = []
654 # Add links from the parents to the children
659 # add some filler objects at the end. This allows us to easily see
660 # which chunk the links get sent in
663 # We've now got objects in the following order:
664 # [100 x children][100 x parents][100 x filler]
666 # Get the replication data - because the block of children come first,
667 # this should retry the request with GET_ANC
674 # Check we get all the objects we're expecting
677 # Check we received links for all the parents
681 """
682 Check we can resolve an unknown ancestor when fetching the link target,
683 i.e. tests using GET_TGT and GET_ANC in combination
684 """
686 # Create some parent/child objects (the child will be the link target)
687 parents = []
694 # create the link source objects and link them to the child/target
696 all_objects += la_sources
701 expected_links = la_sources
703 # modify the children/targets so they come after the link source
707 # modify the parents, so they now come last in the replication
711 # We've now got objects in the following order:
712 # [100 la_source][100 la_target][100 parents (of la_target)]
716 # Get all the replication data - this code should resend the requests
717 # with GET_TGT and GET_ANC
720 # get the next block of replication data (this sets
721 # GET_TGT/GET_ANC)
725 # The way the test objects have been created should force
726 # self.repl_get_next() to use the GET_TGT/GET_ANC flags. If this
727 # doesn't actually happen, then the test isn't doing its job properly
733 # Check we get all the objects we're expecting
736 # Check we received links for all the link sources
739 # Second part of test. Add some extra objects and kick off another
740 # replication. The test code will use the HWM from the last replication
741 # so we'll only receive the objects we modify below
744 # add an extra level of grandchildren that hang off a child
745 # that got created last time
748 new_children = []
755 # replace half of the links to point to the new children
760 # add some filler objects to fill up the 1st chunk
763 # modify the new children/targets so they come after the link source
767 # modify the parent, so it now comes last in the replication
770 # We should now get the modified objects in the following order:
771 # [50 links (x 2)][100 filler][50 new children][new parent]
772 # Note that the link sources aren't actually sent (their new linked
773 # attributes are sent, but apart from that, nothing has changed)
788 # Check we get all the objects we're expecting
791 # Check we received links (50 deleted links and 50 new)
795 """
796 Tests deleting link objects while a replication is in progress.
797 """
799 # create some objects and link them together, with some filler
800 # object in between the link sources
812 # touch the targets so that the sources get replicated first
816 # objects should now be in the following USN order:
817 # [50 la_source][100 filler][50 la_source][100 la_target]
819 # Get the first block containing 50 link sources
822 # delete either the link targets or link source objects
824 objects_to_delete = la_sources
825 # in GET_TGT testenvs we only receive the first 50 source objects
828 objects_to_delete = la_targets
834 # complete the replication
838 # Check we get all the objects we're expecting
841 # we can't use assert_expected_links() here because it tries to check
842 # against the deleted objects on the DC. (Although we receive some
843 # links from the first block processed, the Samba client should end up
844 # deleting these, as the source/target object involved is deleted)
855 """Re-animates a deleted object"""
863 return
875 # make sure DC1 has all the changes we've made to DC2
885 """
886 Switches over the connection state info that the underlying drs_base
887 class uses so that we replicate with a different DC.
888 """
896 expected_links):
897 """
898 Replicates against both the primary and secondary DCs in the testenv
899 and checks that both return the expected results.
900 """
903 # get the replication data from the test DC first
907 # Check we get all the objects and links we're expecting
911 # switch over the DC state info so we now talk to the peer DC
917 # check that we get the same information from the 2nd DC
924 # switch back to using the default connection
928 """
929 Checks receiving links for a re-animated object doesn't lose links.
930 We test this against the peer DC to make sure it doesn't drop links.
931 """
933 # This test is a little different in that we're particularly interested
934 # in exercising the replmd client code on the second DC.
935 # First, make sure the peer DC has the base OU, then connect to it (so
936 # we store its initial HWM)
940 # create the link source/target objects
944 # store the target object's GUIDs (we need to know these to
945 # reanimate them)
946 target_guids = []
951 # delete the link target
955 # sync the DCs, then disable replication. We want the peer DC to get
956 # all the following changes in a single replication cycle
960 # restore the target objects for the linked attributes again
964 # add the links
968 # create some additional filler objects
971 # modify the targets so they now come last
975 # the objects should now be sent in the following order:
976 # [la sources + links][filler][la targets]
978 expected_links = la_sources
980 # Enable replication again make sure the 2 DCs are back in sync
984 # Get the replication data from each DC in turn.
985 # Check that both give us all the objects and links we're expecting,
986 # i.e. no links were lost
988 expected_links)
991 """
992 Checks that a cross-partition link to an unknown target object does
993 not result in missing links.
994 """
996 # check the peer DC is up-to-date, then connect (storing its HWM)
1000 # stop replication so the peer gets the following objects in one go
1003 # optionally force the client-side to use GET_TGT locally, by adding a
1004 # one-way link to a missing/deleted target object
1012 missing_target)
1015 # create a link source object in the main NC
1019 # create the link target (a server object) in the config NC
1026 # add a cross-partition link between the two
1029 # First, sync to the peer the NC containing the link source object
1032 # Now, before the peer has received the partition containing the target
1033 # object, try replicating from the peer. It will only know about half
1034 # of the link at this point, but it should be a valid scenario
1038 # pretend we've received other link targets out of order and that's
1039 # forced us to use GET_TGT. This checks the peer doesn't fail
1040 # trying to fetch a cross-partition target object that doesn't
1041 # exist
1046 # delete the GET_TGT test object. We're not interested in asserting its
1047 # links - it was just there to make the client use GET_TGT (and it
1048 # creates an inconsistency because one DC correctly ignores the link,
1049 # because it points to a deleted object)
1055 # Now sync across the partition containing the link target object
1059 # Get the replication data from each DC in turn.
1060 # Check that both return the cross-partition link (note we're not
1061 # checking the config domain NC here for simplicity)
1066 # the cross-partition linked attribute has a missing backlink. Check
1067 # that we can still delete it successfully
1084 # Check receiving a cross-partition link to a deleted target.
1085 # Delete the target and make sure the deletion is sync'd between DCs
1091 # re-animate the target
1095 # now sync the link - because the target is in another partition, the
1096 # peer DC receives a link for a deleted target, which it should accept
1105 # cleanup the server object we created in the Configuration partition
1116 """Tests replication with multi-valued link attributes."""
1118 # create the target/source objects and link them together
1128 # We should receive the objects/links in the following order:
1129 # [500 targets + 1 source][500 links][100 filler]
1133 # First do the replication without needing GET_TGT
1140 # we should receive one chunk that contains only links
1144 # check we received all the expected objects/links
1149 # Do the replication again, forcing the use of GET_TGT this time
1155 # The objects/links should get sent in the following order:
1156 # [1 source][500 targets][500 links][100 filler]
1164 # check we received all the expected objects/links
1171 """Test full replication on a totally invalid GUID fails with the right error code"""
1213 # The NC should be the first object returned due to GET_ANC
1219 # We set get_anc=True so we can assert the BASE DN will be the
1220 # first object
1240 # This should be the first object in the main replication due
1241 # to get_anc=True above in one case, and a rule that the NC must be first regardless otherwise
1251 """
1252 Make sure that a full replication on an nc succeeds to the goal despite needing multiple passes
1253 """
1257 """
1258 Make sure that a full replication on an nc succeeds to the goal despite needing multiple passes
1259 """
1263 """
1264 Make sure that a full replication on an nc succeeds to the goal despite needing multiple passes
1266 Assert this is true even if we do a REPL_OBJ in between the replications
1268 """
1278 rec_cleanup,
1284 "oEMInformation": f"Tortured by Samba's getncchanges.py {self.id()} against {self.default_conn.dnsname_dc}"}
1288 def _test_repl_nc_is_first(self, start_at_zero=True, nc_change=True, ou_change=True, mid_change=False):
1289 """Tests that the NC is always replicated first, but does not move the
1290 tmp_highest_usn at that point, just like 'early' GET_ANC objects.
1291 """
1293 # create objects, twice more than the page size of 133
1300 # create even more objects
1312 # Make one more modification. We want to assert we have
1313 # caught up to the base DN, but Windows both promotes the NC
1314 # to the front and skips including it in the tmp_highest_usn,
1315 # so we make a later modification that will be to show we get
1316 # this change.
1330 # Check some predicates about USN ordering that the below tests will rely on
1363 f"pass={i} more_data={ctr6.more_data} base_usn={base_usn} tmp_highest_usn={ctr6.new_highwatermark.tmp_highest_usn} last_tmp_highest_usn={last_tmp_highest_usn}")
1365 f"pass {i}·more_data={ctr6.more_data} base_usn={base_usn} tmp_highest_usn={ctr6.new_highwatermark.tmp_highest_usn} last_tmp_highest_usn={last_tmp_highest_usn}")
1368 f"pass {i}·more_data={ctr6.more_data} base_usn={base_usn} tmp_highest_usn={ctr6.new_highwatermark.tmp_highest_usn} last_tmp_highest_usn={last_tmp_highest_usn}")
1371 # The modification to the base OU should be in the final chunk
1374 ou_usn)
1376 # Show that the NC root change does not show up in the
1377 # highest_usn. We either get the change before or after
1378 # it.
1380 base_usn)
1391 # Get the NC change in the middle of the replication stream, certainly not at the start or end
1397 # This is a modification of the next test, that Samba
1398 # will pass as it will always include the NC in the
1399 # tmp_highest_usn at the point where it belongs
1406 # This is a modification of the next test, that Samba
1407 # will pass as it will always include the NC in the
1408 # tmp_highest_usn at the point where it belongs
1412 # This shows that the NC change is not reflected in the tmp_highest_usn
1416 # The NC should not be present in this replication
1421 """This repeats all of DrsReplicaSyncIntegrityTestCase, but the client
1422 always sets highwatermark.reserved_usn = 0. This is what Azure AD
1423 / Entra ID Connect does.
1424 """
1425 @staticmethod
1430 SKIPPED_TESTS = {
1452 }
1455 # Only some tests behave any differently with the zeroed
1456 # reserved_usn. The getncchanges tests are quite slow, so it
1457 # is worth skipping unnecessary tests.
1458 #
1459 # If you think a test is worth running here, add it to the
1460 # list.
1469 """Helper class to track a connection to another DC"""