From 4874068070485419d695a5ac6a81cf2a41c7367e Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 2 Mar 2018 11:30:19 -0700
Subject: [PATCH] Add tests for round-tripping sudoers -> ldif -> sudoers
---
 MANIFEST | 11 ++++++
 plugins/sudoers/Makefile.in | 13 +++++++
 .../regress/sudoers/test1.ldif2sudo.ok | 13 +++++++
 .../regress/sudoers/test14.ldif2sudo.ok | 5 +++
 .../regress/sudoers/test15.ldif2sudo.ok | 2 +
 .../regress/sudoers/test16.ldif2sudo.ok | 2 +
 .../regress/sudoers/test17.ldif2sudo.ok | 29 ++++++++++++++
 .../regress/sudoers/test19.ldif2sudo.ok | 29 ++++++++++++++
 .../regress/sudoers/test2.ldif2sudo.ok | 38 +++++++++++++++++++
 .../regress/sudoers/test20.ldif2sudo.ok | 22 +++++++++++
 .../regress/sudoers/test21.ldif2sudo.ok | 33 ++++++++++++++++
 .../regress/sudoers/test3.ldif2sudo.ok | 0
 .../regress/sudoers/test6.ldif2sudo.ok | 5 +++
 13 files changed, 202 insertions(+)
 create mode 100644 plugins/sudoers/regress/sudoers/test1.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test15.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test16.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test19.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test20.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test21.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test3.ldif2sudo.ok
 create mode 100644 plugins/sudoers/regress/sudoers/test6.ldif2sudo.ok
diff --git a/MANIFEST b/MANIFEST
index c909b72cf..b8ddce75a 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -407,6 +407,7 @@ plugins/sudoers/regress/starttime/check_starttime.c
 plugins/sudoers/regress/sudoers/test1.in
 plugins/sudoers/regress/sudoers/test1.json.ok
 plugins/sudoers/regress/sudoers/test1.ldif.ok
+plugins/sudoers/regress/sudoers/test1.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test1.out.ok
 plugins/sudoers/regress/sudoers/test1.toke.ok
 plugins/sudoers/regress/sudoers/test10.in
@@ -432,21 +433,25 @@ plugins/sudoers/regress/sudoers/test13.toke.ok
 plugins/sudoers/regress/sudoers/test14.in
 plugins/sudoers/regress/sudoers/test14.json.ok
 plugins/sudoers/regress/sudoers/test14.ldif.ok
+plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test14.out.ok
 plugins/sudoers/regress/sudoers/test14.toke.ok
 plugins/sudoers/regress/sudoers/test15.in
 plugins/sudoers/regress/sudoers/test15.json.ok
 plugins/sudoers/regress/sudoers/test15.ldif.ok
+plugins/sudoers/regress/sudoers/test15.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test15.out.ok
 plugins/sudoers/regress/sudoers/test15.toke.ok
 plugins/sudoers/regress/sudoers/test16.in
 plugins/sudoers/regress/sudoers/test16.json.ok
 plugins/sudoers/regress/sudoers/test16.ldif.ok
+plugins/sudoers/regress/sudoers/test16.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test16.out.ok
 plugins/sudoers/regress/sudoers/test16.toke.ok
 plugins/sudoers/regress/sudoers/test17.in
 plugins/sudoers/regress/sudoers/test17.json.ok
 plugins/sudoers/regress/sudoers/test17.ldif.ok
+plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test17.out.ok
 plugins/sudoers/regress/sudoers/test17.toke.ok
 plugins/sudoers/regress/sudoers/test18.in
@@ -457,26 +462,31 @@ plugins/sudoers/regress/sudoers/test18.toke.ok
 plugins/sudoers/regress/sudoers/test19.in
 plugins/sudoers/regress/sudoers/test19.json.ok
 plugins/sudoers/regress/sudoers/test19.ldif.ok
+plugins/sudoers/regress/sudoers/test19.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test19.out.ok
 plugins/sudoers/regress/sudoers/test19.toke.ok
 plugins/sudoers/regress/sudoers/test2.in
 plugins/sudoers/regress/sudoers/test2.json.ok
 plugins/sudoers/regress/sudoers/test2.ldif.ok
+plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test2.out.ok
 plugins/sudoers/regress/sudoers/test2.toke.ok
 plugins/sudoers/regress/sudoers/test20.in
 plugins/sudoers/regress/sudoers/test20.json.ok
 plugins/sudoers/regress/sudoers/test20.ldif.ok
+plugins/sudoers/regress/sudoers/test20.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test20.out.ok
 plugins/sudoers/regress/sudoers/test20.toke.ok
 plugins/sudoers/regress/sudoers/test21.in
 plugins/sudoers/regress/sudoers/test21.json.ok
 plugins/sudoers/regress/sudoers/test21.ldif.ok
+plugins/sudoers/regress/sudoers/test21.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test21.out.ok
 plugins/sudoers/regress/sudoers/test21.toke.ok
 plugins/sudoers/regress/sudoers/test3.in
 plugins/sudoers/regress/sudoers/test3.json.ok
 plugins/sudoers/regress/sudoers/test3.ldif.ok
+plugins/sudoers/regress/sudoers/test3.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test3.out.ok
 plugins/sudoers/regress/sudoers/test3.toke.ok
 plugins/sudoers/regress/sudoers/test4.in
@@ -492,6 +502,7 @@ plugins/sudoers/regress/sudoers/test5.toke.ok
 plugins/sudoers/regress/sudoers/test6.in
 plugins/sudoers/regress/sudoers/test6.json.ok
 plugins/sudoers/regress/sudoers/test6.ldif.ok
+plugins/sudoers/regress/sudoers/test6.ldif2sudo.ok
 plugins/sudoers/regress/sudoers/test6.out.ok
 plugins/sudoers/regress/sudoers/test6.toke.ok
 plugins/sudoers/regress/sudoers/test7.in
diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
index 14b4dfbba..f09cee65a 100644
--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
@@ -425,6 +425,7 @@ check: $(TEST_PROGS) visudo testsudoers
 json="regress/sudoers/$${base}.json"; \
 ldif="regress/sudoers/$${base}.ldif"; \
 sudo="regress/sudoers/$${base}.sudo"; \
+ ldif2sudo="regress/sudoers/$${base}.ldif2sudo"; \
 if test -s $$json.ok; then \
 ASAN_OPTIONS=; \
 else \
@@ -481,6 +482,18 @@ check: $(TEST_PROGS) visudo testsudoers
 echo "$$dir/$$base: (reparse) FAIL"; \
 ./visudo -cf $$sudo || true; \
 fi; \
+ if test -s $(srcdir)/$$ldif.ok; then \
+ ./cvtsudoers -c "" -i ldif -f sudoers $(srcdir)/$$ldif.ok >$$ldif2sudo || true; \
+ total=`expr $$total + 1`; \
+ if cmp $$ldif2sudo $(srcdir)/$$ldif2sudo.ok >/dev/null; then \
+ passed=`expr $$passed + 1`; \
+ echo "$$dir/$$base (ldif2sudo): OK"; \
+ else \
+ failed=`expr $$failed + 1`; \
+ echo "$$dir/$$base: (ldif2sudo) FAIL"; \
+ diff $$ldif $(srcdir)/$$ldif.ok || true; \
+ fi; \
+ fi; \
 done; \
 echo "$$dir: $$passed/$$total tests passed; $$failed/$$total tests failed"; \
 if test $$failed -ne 0; then \
diff --git a/plugins/sudoers/regress/sudoers/test1.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test1.ldif2sudo.ok
new file mode 100644
index 000000000..126fe9149
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test1.ldif2sudo.ok
@@ -0,0 +1,13 @@
+# sudoRole user1, user1_1
+user1 ALL = LOG_INPUT: LOG_OUTPUT: /usr/bin/su -, NOLOG_INPUT: NOLOG_OUTPUT:\
+ /usr/bin/id
+
+# sudoRole user2, user2_1
+user2 ALL = SETENV: NOEXEC: NOPASSWD: /usr/bin/vi, NOSETENV: EXEC: PASSWD:\
+ /usr/bin/echo
+
+# sudoRole user3, user3_1
+user3 ALL = MAIL: /bin/sh, NOMAIL: /usr/bin/id
+
+# sudoRole user4, user4_1
+user4 ALL = FOLLOW: sudoedit /etc/motd, NOFOLLOW: sudoedit /home/*/*
diff --git a/plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok
new file mode 100644
index 000000000..6bc0156f5
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok
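Review bot: In the second Makefile.in hunk, the FAIL branch of the new ldif2sudo block runs `diff $$ldif $(srcdir)/$$ldif.ok || true`, which compares the LDIF output rather than the round-tripped sudoers file that `cmp` just rejected, so a failing run prints an unrelated or empty diff. The line should read `diff $$ldif2sudo $(srcdir)/$$ldif2sudo.ok || true; \`. These fixtures cover policy-bearing syntax (NOPASSWD/NOEXEC tags, command digests, escaped user names), so the failure output needs to show exactly which element the LDIF-to-sudoers conversion dropped or altered. Separately, `|| true` after `./cvtsudoers` discards the exit status; `cmp` should still catch truncated output, but a short comment stating that this is intentional would help. The `check` recipe begins and ends outside this hunk.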
@@ -0,0 +1,5 @@
+# sudoRole millert
+millert ALL = sha224:d06a2617c98d377c250edd470fd5e576327748d82915d6e33b5f8db1\
+ /bin/ls, sha256:hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM= /bin/sh,\
+ sha512:srzYEQ2aqzm+it3f74opTMkIImZRLxBARVpb0g9RSouJYdLt7DTRMEY4Ry9NyaOiDoUIplpNjqYH0JMYPVdFnw\
+ /bin/kill
diff --git a/plugins/sudoers/regress/sudoers/test15.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test15.ldif2sudo.ok
new file mode 100644
index 000000000..775d59e22
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test15.ldif2sudo.ok
@@ -0,0 +1,2 @@
+# sudoRole user
+user ALL = sudoedit /etc/motd
diff --git a/plugins/sudoers/regress/sudoers/test16.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test16.ldif2sudo.ok
new file mode 100644
index 000000000..775d59e22
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test16.ldif2sudo.ok
@@ -0,0 +1,2 @@
+# sudoRole user
+user ALL = sudoedit /etc/motd
diff --git a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
new file mode 100644
index 000000000..6bc2a36ed
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
@@ -0,0 +1,29 @@
+Defaults command_timeout=2d8h10m59s
+
+# sudoRole user0
+user0 ALL = /usr/bin/id, /usr/bin/who, /bin/ls
+
+# sudoRole user1
+user1 ALL = /usr/bin/id
+
+# sudoRole user2
+user2 ALL = /usr/bin/id
+
+# sudoRole user3
+user3 ALL = /usr/bin/id
+
+# sudoRole user4
+user4 ALL = /usr/bin/id
+
+# sudoRole user5
+user5 ALL = /usr/bin/id
+
+# sudoRole user6
+user6 ALL = /usr/bin/id
+
+# sudoRole user7
+user7 ALL = /usr/bin/id
+
+# sudoRole user8
+user8 ALL = /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\
+ /usr/bin/id
diff --git a/plugins/sudoers/regress/sudoers/test19.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test19.ldif2sudo.ok
new file mode 100644
index 000000000..fc202e41e
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test19.ldif2sudo.ok
@@ -0,0 +1,29 @@
+# sudoRole user0
+user0 ALL = NOTBEFORE=20170301083000Z /usr/bin/id, /bin/ls
+
+# sudoRole user1
+user1 ALL = NOTBEFORE=20170214083000Z /usr/bin/id, /bin/ls
+
+# sudoRole user2
+user2 ALL = NOTBEFORE=20170214083018Z /usr/bin/id
+
+# sudoRole user3
+user3 ALL = NOTBEFORE=20170214080000Z /usr/bin/id
+
+# sudoRole user4
+user4 ALL = NOTBEFORE=20170214082400Z /usr/bin/id
+
+# sudoRole user5
+user5 ALL = NOTBEFORE=20170214083000Z /usr/bin/id
+
+# sudoRole user6
+user6 ALL = NOTBEFORE=20170214083000Z /usr/bin/id
+
+# sudoRole user7
+user7 ALL = NOTBEFORE=20170214083000Z /usr/bin/id
+
+# sudoRole user8
+user8 ALL = NOTBEFORE=20170214083000Z /usr/bin/id
+
+# sudoRole user9
+user9 ALL = NOTBEFORE=20170214083000Z /usr/bin/id
diff --git a/plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok
new file mode 100644
index 000000000..7039523c6
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok
@@ -0,0 +1,38 @@
+# sudoRole foo
+foo hosta = (root) ALL
+
+# sudoRole foo.bar
+foo.bar hostb = (root) ALL
+
+# sudoRole foo"
+foo\" hostc = (root) ALL
+
+# sudoRole foo:bar
+foo\:bar hostd = (root) ALL
+
+# sudoRole foo:bar"
+foo\:bar\" hoste = (root) ALL
+
+# sudoRole %baz
+%baz hosta = (root) ALL
+
+# sudoRole %baz.biz
+%baz.biz hostb = (root) ALL
+
+# sudoRole %:C/non UNIX 0 c
+"%:C/non UNIX 0 c" hostc = (root) ALL
+
+# sudoRole %:C/non\'UNIX\'1 c
+"%:C/non\'UNIX\'1 c" hostd = (root) ALL
+
+# sudoRole %:C/non"UNIX"0 c
+"%:C/non\"UNIX\"0 c" hoste = (root) ALL
+
+# sudoRole %:C/non_UNIX_0 c
+"%:C/non_UNIX_0 c" hostf = (root) ALL
+
+# sudoRole %:C/non\'UNIX_3 c
+"%:C/non\'UNIX_3 c" hostg = (root) ALL
+
+# sudoRole +netgr
++netgr hosth = (root) ALL
diff --git a/plugins/sudoers/regress/sudoers/test20.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test20.ldif2sudo.ok
new file mode 100644
index 000000000..e1c743cd1
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test20.ldif2sudo.ok
@@ -0,0 +1,22 @@
+Defaults lecture
+Defaults !lecture
+Defaults lecture=never
+Defaults lecture=once
+Defaults lecture=always
+Defaults listpw
+Defaults !listpw
+Defaults listpw=never
+Defaults listpw=any
+Defaults listpw=all
+Defaults listpw=always
+Defaults verifypw
+Defaults !verifypw
+Defaults verifypw=never
+Defaults verifypw=any
+Defaults verifypw=all
+Defaults verifypw=always
+Defaults fdexec
+Defaults !fdexec
+Defaults fdexec=never
+Defaults fdexec=digest_only
+Defaults fdexec=always
diff --git a/plugins/sudoers/regress/sudoers/test21.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test21.ldif2sudo.ok
new file mode 100644
index 000000000..56e09ff0b
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test21.ldif2sudo.ok
@@ -0,0 +1,33 @@
+Defaults syslog
+Defaults !syslog
+Defaults syslog=auth
+Defaults syslog=daemon
+Defaults syslog=user
+Defaults syslog=local0
+Defaults syslog=local1
+Defaults syslog=local2
+Defaults syslog=local3
+Defaults syslog=local4
+Defaults syslog=local5
+Defaults syslog=local6
+Defaults syslog=local7
+Defaults !syslog_goodpri
+Defaults syslog_goodpri=alert
+Defaults syslog_goodpri=crit
+Defaults syslog_goodpri=debug
+Defaults syslog_goodpri=emerg
+Defaults syslog_goodpri=err
+Defaults syslog_goodpri=info
+Defaults syslog_goodpri=notice
+Defaults syslog_goodpri=warning
+Defaults syslog_goodpri=none
+Defaults !syslog_badpri
+Defaults syslog_badpri=alert
+Defaults syslog_badpri=crit
+Defaults syslog_badpri=debug
+Defaults syslog_badpri=emerg
+Defaults syslog_badpri=err
+Defaults syslog_badpri=info
+Defaults syslog_badpri=notice
+Defaults syslog_badpri=warning
+Defaults syslog_badpri=none
diff --git a/plugins/sudoers/regress/sudoers/test3.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test3.ldif2sudo.ok
new file mode 100644
index 000000000..e69de29bb
diff --git a/plugins/sudoers/regress/sudoers/test6.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test6.ldif2sudo.ok
new file mode 100644
index 000000000..bfe40bb8f
--- /dev/null
+++ b/plugins/sudoers/regress/sudoers/test6.ldif2sudo.ok
@@ -0,0 +1,5 @@
+# sudoRole #0, #0_1, #0_2, #0_3
+#0 ALL = ALL, (#0 : #0) ALL, ALL, (#0 : #0) ALL
+
+# sudoRole %#0, %#0_1
+%#0 ALL = ALL, ALL
--
2.40.0