2 # -*- coding: utf-8 -*-
11 sys
.path
.append("bin/python")
13 samba
.ensure_external_module("testtools", "testtools")
14 samba
.ensure_external_module("subunit", "subunit/python")
16 import samba
.getopt
as options
18 # Some error messages that are being tested
19 from ldb
import SCOPE_SUBTREE
, SCOPE_BASE
, LdbError
, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba
.ndr
import ndr_pack
, ndr_unpack
23 from samba
.dcerpc
import security
25 from samba
import gensec
, sd_utils
26 from samba
.samdb
import SamDB
27 from samba
.credentials
import Credentials
28 from samba
.auth
import system_session
29 from samba
.dsdb
import DS_DOMAIN_FUNCTION_2008
30 from samba
.dcerpc
.security
import (
31 SECINFO_OWNER
, SECINFO_GROUP
, SECINFO_DACL
, SECINFO_SACL
)
32 from subunit
.run
import SubunitTestRunner
34 from samba
.tests
import delete_force
37 parser
= optparse
.OptionParser("sec_descriptor.py [options] <host>")
38 sambaopts
= options
.SambaOptions(parser
)
39 parser
.add_option_group(sambaopts
)
40 parser
.add_option_group(options
.VersionOptions(parser
))
42 # use command line creds if available
43 credopts
= options
.CredentialsOptions(parser
)
44 parser
.add_option_group(credopts
)
45 opts
, args
= parser
.parse_args()
53 lp
= sambaopts
.get_loadparm()
54 creds
= credopts
.get_credentials(lp
)
55 creds
.set_gensec_features(creds
.get_gensec_features() | gensec
.FEATURE_SEAL
)
61 class DescriptorTests(samba
.tests
.TestCase
):
63 def get_users_domain_dn(self
, name
):
64 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
66 def get_unique_schema_class_name(self
):
68 class_name
= "test-class%s" % random
.randint(1,100000)
69 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
71 self
.ldb_admin
.search(base
=class_dn
, attrs
=["*"])
72 except LdbError
, (num
, _
):
73 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
76 def create_schema_class(self
, _ldb
, object_dn
, desc
=None):
78 dn: """ + object_dn
+ """
79 objectClass: classSchema
80 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
81 defaultObjectCategory: """ + object_dn
+ """
82 distinguishedName: """ + object_dn
+ """
83 governsID: 1.2.840.""" + str(random
.randint(1,100000)) + """.1.5.9939
85 objectClassCategory: 1
86 subClassOf: organizationalPerson
93 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
94 if isinstance(desc
, str):
95 ldif
+= "nTSecurityDescriptor: %s" % desc
96 elif isinstance(desc
, security
.descriptor
):
97 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
100 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
102 dn: """ + object_dn
+ """
103 objectClass: container
104 objectCategory: CN=Container,""" + self
.schema_dn
+ """
105 showInAdvancedViewOnly: TRUE
109 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
110 if isinstance(desc
, str):
111 ldif
+= "nTSecurityDescriptor: %s" % desc
112 elif isinstance(desc
, security
.descriptor
):
113 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
116 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
118 dn: """ + object_dn
+ """
119 objectClass: displaySpecifier
120 showInAdvancedViewOnly: TRUE
123 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
124 if isinstance(desc
, str):
125 ldif
+= "nTSecurityDescriptor: %s" % desc
126 elif isinstance(desc
, security
.descriptor
):
127 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
130 def get_ldb_connection(self
, target_username
, target_password
):
131 creds_tmp
= Credentials()
132 creds_tmp
.set_username(target_username
)
133 creds_tmp
.set_password(target_password
)
134 creds_tmp
.set_domain(creds
.get_domain())
135 creds_tmp
.set_realm(creds
.get_realm())
136 creds_tmp
.set_workstation(creds
.get_workstation())
137 creds_tmp
.set_gensec_features(creds_tmp
.get_gensec_features()
138 | gensec
.FEATURE_SEAL
)
139 ldb_target
= SamDB(url
=host
, credentials
=creds_tmp
, lp
=lp
)
143 super(DescriptorTests
, self
).setUp()
145 self
.base_dn
= ldb
.domain_dn()
146 self
.configuration_dn
= self
.ldb_admin
.get_config_basedn().get_linearized()
147 self
.schema_dn
= self
.ldb_admin
.get_schema_basedn().get_linearized()
148 self
.domain_sid
= security
.dom_sid(self
.ldb_admin
.get_domain_sid())
149 self
.sd_utils
= sd_utils
.SDUtils(ldb
)
150 print "baseDN: %s" % self
.base_dn
152 ################################################################################################
156 # Default descriptor tests #####################################################################
158 class OwnerGroupDescriptorTests(DescriptorTests
):
161 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
162 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
163 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
164 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
165 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
166 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
167 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
168 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
170 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
171 delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
172 delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
173 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
176 delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
177 + self
.configuration_dn
)
178 delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
181 super(OwnerGroupDescriptorTests
, self
).setUp()
184 # User 1 - Enterprise Admins
185 self
.ldb_admin
.newuser("testuser1", "samba123@")
186 # User 2 - Domain Admins
187 self
.ldb_admin
.newuser("testuser2", "samba123@")
188 # User 3 - Schema Admins
189 self
.ldb_admin
.newuser("testuser3", "samba123@")
190 # User 4 - regular user
191 self
.ldb_admin
.newuser("testuser4", "samba123@")
192 # User 5 - Enterprise Admins and Domain Admins
193 self
.ldb_admin
.newuser("testuser5", "samba123@")
194 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
195 self
.ldb_admin
.newuser("testuser6", "samba123@")
196 # User 7 - Domain Admins and Schema Admins
197 self
.ldb_admin
.newuser("testuser7", "samba123@")
198 # User 5 - Enterprise Admins and Schema Admins
199 self
.ldb_admin
.newuser("testuser8", "samba123@")
201 self
.ldb_admin
.add_remove_group_members("Enterprise Admins",
202 "testuser1,testuser5,testuser6,testuser8",
203 add_members_operation
=True)
204 self
.ldb_admin
.add_remove_group_members("Domain Admins",
205 "testuser2,testuser5,testuser6,testuser7",
206 add_members_operation
=True)
207 self
.ldb_admin
.add_remove_group_members("Schema Admins",
208 "testuser3,testuser6,testuser7,testuser8",
209 add_members_operation
=True)
212 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
213 "ds_behavior_win2003" : {
263 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
264 "ds_behavior_win2008" : {
315 # Discover 'msDS-Behavior-Version'
316 res
= self
.ldb_admin
.search(base
=self
.base_dn
, expression
="distinguishedName=%s" % self
.base_dn
, \
317 attrs
=['msDS-Behavior-Version'])
318 res
= int(res
[0]['msDS-Behavior-Version'][0])
319 if res
< DS_DOMAIN_FUNCTION_2008
:
320 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
322 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
325 super(DescriptorTests
, self
).tearDown()
328 def check_user_belongs(self
, user_dn
, groups
=[]):
329 """ Test wether user is member of the expected group(s) """
331 # User is member of at least one additional group
332 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
333 res
= [x
.upper() for x
in sorted(list(res
[0]["memberOf"]))]
336 expected
.append(self
.get_users_domain_dn(x
))
337 expected
= [x
.upper() for x
in sorted(expected
)]
338 self
.assertEqual(expected
, res
)
340 # User is not a member of any additional groups but default
341 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
342 res
= [x
.upper() for x
in res
[0].keys()]
343 self
.assertFalse( "MEMBEROF" in res
)
345 def check_modify_inheritance(self
, _ldb
, object_dn
, owner_group
=""):
347 sd_user_utils
= sd_utils
.SDUtils(_ldb
)
348 ace
= "(D;;CC;;;LG)" # Deny Create Children to Guest account
349 if owner_group
!= "":
350 sd_user_utils
.modify_sd_on_dn(object_dn
, owner_group
+ "D:" + ace
)
352 sd_user_utils
.modify_sd_on_dn(object_dn
, "D:" + ace
)
353 # Make sure the modify operation has been applied
354 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
355 self
.assertTrue(ace
in desc_sddl
)
356 # Make sure we have identical result for both "add" and "modify"
357 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
358 print self
._testMethodName
359 test_number
= self
._testMethodName
[5:]
360 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][test_number
], res
)
363 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
365 user_name
= "testuser1"
366 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
367 # Open Ldb connection with the tested user
368 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
369 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
370 delete_force(self
.ldb_admin
, object_dn
)
371 _ldb
.newgroup("test_domain_group1", grouptype
=4)
372 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
373 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
374 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
375 self
.check_modify_inheritance(_ldb
, object_dn
)
378 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
380 user_name
= "testuser2"
381 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
382 # Open Ldb connection with the tested user
383 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
384 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
385 delete_force(self
.ldb_admin
, object_dn
)
386 _ldb
.newgroup("test_domain_group1", grouptype
=4)
387 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
388 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
389 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
390 self
.check_modify_inheritance(_ldb
, object_dn
)
393 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
395 user_name
= "testuser3"
396 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
397 # Open Ldb connection with the tested user
398 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
399 object_dn
= "OU=test_domain_ou1," + self
.base_dn
400 delete_force(self
.ldb_admin
, object_dn
)
401 self
.ldb_admin
.create_ou(object_dn
)
402 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
403 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
404 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
405 # Create additional object into the first one
406 object_dn
= "CN=test_domain_user1," + object_dn
407 delete_force(self
.ldb_admin
, object_dn
)
408 _ldb
.newuser("test_domain_user1", "samba123@",
409 userou
="OU=test_domain_ou1", setpassword
=False)
410 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
411 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
412 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
413 # This fails, research why
414 #self.check_modify_inheritance(_ldb, object_dn)
417 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
419 user_name
= "testuser4"
420 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
421 # Open Ldb connection with the tested user
422 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
423 object_dn
= "OU=test_domain_ou1," + self
.base_dn
424 delete_force(self
.ldb_admin
, object_dn
)
425 self
.ldb_admin
.create_ou(object_dn
)
426 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
427 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
428 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
429 # Create additional object into the first one
430 object_dn
= "CN=test_domain_user1," + object_dn
431 delete_force(self
.ldb_admin
, object_dn
)
432 _ldb
.newuser("test_domain_user1", "samba123@",
433 userou
="OU=test_domain_ou1", setpassword
=False)
434 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
435 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
436 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
437 #this fails, research why
438 #self.check_modify_inheritance(_ldb, object_dn)
441 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
443 user_name
= "testuser5"
444 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
445 # Open Ldb connection with the tested user
446 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
447 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
448 delete_force(self
.ldb_admin
, object_dn
)
449 _ldb
.newgroup("test_domain_group1", grouptype
=4)
450 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
451 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
452 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
453 self
.check_modify_inheritance(_ldb
, object_dn
)
456 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
458 user_name
= "testuser6"
459 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
460 # Open Ldb connection with the tested user
461 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
462 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
463 delete_force(self
.ldb_admin
, object_dn
)
464 _ldb
.newgroup("test_domain_group1", grouptype
=4)
465 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
466 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
467 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
468 self
.check_modify_inheritance(_ldb
, object_dn
)
471 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
473 user_name
= "testuser7"
474 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
475 # Open Ldb connection with the tested user
476 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
477 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
478 delete_force(self
.ldb_admin
, object_dn
)
479 _ldb
.newgroup("test_domain_group1", grouptype
=4)
480 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
481 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
482 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
483 self
.check_modify_inheritance(_ldb
, object_dn
)
486 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
488 user_name
= "testuser8"
489 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
490 # Open Ldb connection with the tested user
491 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
492 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
493 delete_force(self
.ldb_admin
, object_dn
)
494 _ldb
.newgroup("test_domain_group1", grouptype
=4)
495 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
496 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
497 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
498 self
.check_modify_inheritance(_ldb
, object_dn
)
500 # Control descriptor tests #####################################################################
503 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
505 user_name
= "testuser1"
506 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
507 # Open Ldb connection with the tested user
508 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
509 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
510 delete_force(self
.ldb_admin
, object_dn
)
511 # Create a custom security descriptor
512 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
513 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
514 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
515 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
516 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
517 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
520 """ Domain admin group member creates object (custom descriptor) in DOMAIN
522 user_name
= "testuser2"
523 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
524 # Open Ldb connection with the tested user
525 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
526 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
527 delete_force(self
.ldb_admin
, object_dn
)
528 # Create a custom security descriptor
529 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
530 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
531 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
532 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
533 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
534 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
537 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
539 user_name
= "testuser3"
540 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
541 # Open Ldb connection with the tested user
542 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
543 object_dn
= "OU=test_domain_ou1," + self
.base_dn
544 delete_force(self
.ldb_admin
, object_dn
)
545 self
.ldb_admin
.create_ou(object_dn
)
546 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
547 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
548 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
549 # Create a custom security descriptor
550 # NB! Problematic owner part won't accept DA only <User Sid> !!!
551 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
552 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
553 # Create additional object into the first one
554 object_dn
= "CN=test_domain_user1," + object_dn
555 delete_force(self
.ldb_admin
, object_dn
)
556 _ldb
.newuser("test_domain_user1", "samba123@",
557 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
558 desc
= self
.sd_utils
.read_sd_on_dn(object_dn
)
559 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
560 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
561 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
564 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
566 user_name
= "testuser4"
567 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
568 # Open Ldb connection with the tested user
569 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
570 object_dn
= "OU=test_domain_ou1," + self
.base_dn
571 delete_force(self
.ldb_admin
, object_dn
)
572 self
.ldb_admin
.create_ou(object_dn
)
573 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
574 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
575 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
576 # Create a custom security descriptor
577 # NB! Problematic owner part won't accept DA only <User Sid> !!!
578 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
579 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
580 # Create additional object into the first one
581 object_dn
= "CN=test_domain_user1," + object_dn
582 delete_force(self
.ldb_admin
, object_dn
)
583 _ldb
.newuser("test_domain_user1", "samba123@",
584 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
585 desc
= self
.sd_utils
.read_sd_on_dn(object_dn
)
586 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
587 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
588 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
591 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
593 user_name
= "testuser5"
594 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
595 # Open Ldb connection with the tested user
596 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
597 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
598 delete_force(self
.ldb_admin
, object_dn
)
599 # Create a custom security descriptor
600 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
601 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
602 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
603 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
604 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
605 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
608 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
610 user_name
= "testuser6"
611 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
612 # Open Ldb connection with the tested user
613 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
614 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
615 delete_force(self
.ldb_admin
, object_dn
)
616 # Create a custom security descriptor
617 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
618 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
619 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
620 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
621 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
622 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
625 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
627 user_name
= "testuser7"
628 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
629 # Open Ldb connection with the tested user
630 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
631 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
632 delete_force(self
.ldb_admin
, object_dn
)
633 # Create a custom security descriptor
634 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
635 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
636 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
637 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
638 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
639 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
642 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
644 user_name
= "testuser8"
645 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
646 # Open Ldb connection with the tested user
647 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
648 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
649 delete_force(self
.ldb_admin
, object_dn
)
650 # Create a custom security descriptor
651 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
652 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
653 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
654 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
655 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
656 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
659 user_name
= "Administrator"
660 object_dn
= "OU=test_domain_ou1," + self
.base_dn
661 delete_force(self
.ldb_admin
, object_dn
)
662 self
.ldb_admin
.create_ou(object_dn
)
663 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
664 mod
= "(D;CI;WP;;;S-1-3-0)"
666 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
667 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
668 # Create additional object into the first one
669 object_dn
= "OU=test_domain_ou2," + object_dn
670 delete_force(self
.ldb_admin
, object_dn
)
671 self
.ldb_admin
.create_ou(object_dn
)
672 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
676 # Defalt descriptor tests ##################################################################
679 user_name
= "testuser1"
680 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
681 # Open Ldb connection with the tested user
682 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
683 # Change Schema partition descriptor
684 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
685 mod
= "(A;;WDCC;;;AU)"
686 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
687 # Create example Schema class
688 class_name
= self
.get_unique_schema_class_name()
689 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
690 self
.create_schema_class(_ldb
, class_dn
)
691 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
692 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
693 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
694 self
.check_modify_inheritance(_ldb
, class_dn
)
697 user_name
= "testuser2"
698 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
699 # Open Ldb connection with the tested user
700 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
701 # Change Schema partition descriptor
702 mod
= "(A;CI;WDCC;;;AU)"
703 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
704 # Create example Schema class
705 class_name
= self
.get_unique_schema_class_name()
706 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
707 self
.create_schema_class(_ldb
, class_dn
)
708 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
709 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
710 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
711 self
.check_modify_inheritance(_ldb
, class_dn
)
714 user_name
= "testuser3"
715 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
716 # Open Ldb connection with the tested user
717 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
718 # Change Schema partition descriptor
719 mod
= "(A;CI;WDCC;;;AU)"
720 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
721 # Create example Schema class
722 class_name
= self
.get_unique_schema_class_name()
723 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
724 self
.create_schema_class(_ldb
, class_dn
)
725 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
726 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
727 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
728 #self.check_modify_inheritance(_ldb, class_dn)
731 user_name
= "testuser4"
732 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
733 # Open Ldb connection with the tested user
734 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
735 #Change Schema partition descriptor
736 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
737 mod
= "(A;CI;WDCC;;;AU)"
738 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
739 # Create example Schema class
740 class_name
= self
.get_unique_schema_class_name()
741 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
742 self
.create_schema_class(_ldb
, class_dn
)
743 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
744 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
745 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
746 #self.check_modify_inheritance(_ldb, class_dn)
749 user_name
= "testuser5"
750 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
751 # Open Ldb connection with the tested user
752 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
753 #Change Schema partition descriptor
754 mod
= "(A;CI;WDCC;;;AU)"
755 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
756 # Create example Schema class
757 class_name
= self
.get_unique_schema_class_name()
758 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
759 self
.create_schema_class(_ldb
, class_dn
)
760 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
761 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
762 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
763 self
.check_modify_inheritance(_ldb
, class_dn
)
766 user_name
= "testuser6"
767 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
768 # Open Ldb connection with the tested user
769 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
770 # Change Schema partition descriptor
771 mod
= "(A;CI;WDCC;;;AU)"
772 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
773 # Create example Schema class
774 class_name
= self
.get_unique_schema_class_name()
775 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
776 self
.create_schema_class(_ldb
, class_dn
)
777 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
778 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
779 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
780 self
.check_modify_inheritance(_ldb
, class_dn
)
783 user_name
= "testuser7"
784 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
785 # Open Ldb connection with the tested user
786 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
787 # Change Schema partition descriptor
788 mod
= "(A;CI;WDCC;;;AU)"
789 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
790 # Create example Schema class
791 class_name
= self
.get_unique_schema_class_name()
792 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
793 self
.create_schema_class(_ldb
, class_dn
)
794 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
795 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
796 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
797 self
.check_modify_inheritance(_ldb
, class_dn
)
800 user_name
= "testuser8"
801 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
802 # Open Ldb connection with the tested user
803 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
804 # Change Schema partition descriptor
805 mod
= "(A;CI;WDCC;;;AU)"
806 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
807 # Create example Schema class
808 class_name
= self
.get_unique_schema_class_name()
809 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
810 self
.create_schema_class(_ldb
, class_dn
)
811 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
812 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
813 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
814 self
.check_modify_inheritance(_ldb
, class_dn
)
816 # Custom descriptor tests ##################################################################
819 user_name
= "testuser1"
820 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
821 # Open Ldb connection with the tested user
822 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
823 # Change Schema partition descriptor
825 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
826 # Create a custom security descriptor
827 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
828 # Create example Schema class
829 class_name
= self
.get_unique_schema_class_name()
830 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
831 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
832 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
833 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
834 self
.assertEqual("O:DAG:DA", res
)
837 user_name
= "testuser2"
838 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
839 # Open Ldb connection with the tested user
840 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
841 # Change Schema partition descriptor
843 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
844 # Create a custom security descriptor
845 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
846 # Create example Schema class
847 class_name
= self
.get_unique_schema_class_name()
848 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
849 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
850 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
851 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
852 self
.assertEqual("O:DAG:DA", res
)
855 user_name
= "testuser3"
856 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
857 # Open Ldb connection with the tested user
858 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
859 # Create a custom security descriptor
860 # NB! Problematic owner part won't accept DA only <User Sid> !!!
861 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
862 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
863 # Create example Schema class
864 class_name
= self
.get_unique_schema_class_name()
865 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
866 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
867 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
868 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
869 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
872 user_name
= "testuser4"
873 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
874 # Open Ldb connection with the tested user
875 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
876 # Create a custom security descriptor
877 # NB! Problematic owner part won't accept DA only <User Sid> !!!
878 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
879 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
880 # Create example Schema class
881 class_name
= self
.get_unique_schema_class_name()
882 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
883 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
884 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
885 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
886 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
889 user_name
= "testuser5"
890 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
891 # Open Ldb connection with the tested user
892 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
893 # Change Schema partition descriptor
895 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
896 # Create a custom security descriptor
897 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
898 # Create example Schema class
899 class_name
= self
.get_unique_schema_class_name()
900 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
901 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
902 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
903 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
904 self
.assertEqual("O:DAG:DA", res
)
907 user_name
= "testuser6"
908 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
909 # Open Ldb connection with the tested user
910 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
911 # Change Schema partition descriptor
913 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
914 # Create a custom security descriptor
915 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
916 # Create example Schema class
917 class_name
= self
.get_unique_schema_class_name()
918 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
919 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
920 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
921 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
922 self
.assertEqual("O:DAG:DA", res
)
925 user_name
= "testuser7"
926 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
927 # Open Ldb connection with the tested user
928 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
929 # Change Schema partition descriptor
931 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
932 # Create a custom security descriptor
933 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
934 # Create example Schema class
935 class_name
= self
.get_unique_schema_class_name()
936 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
937 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
938 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
939 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
940 self
.assertEqual("O:DAG:DA", res
)
943 user_name
= "testuser8"
944 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
945 # Open Ldb connection with the tested user
946 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
947 # Change Schema partition descriptor
949 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
950 # Create a custom security descriptor
951 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
952 # Create example Schema class
953 class_name
= self
.get_unique_schema_class_name()
954 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
955 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
956 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
957 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
958 self
.assertEqual("O:DAG:DA", res
)
960 ## Tests for CONFIGURATION
962 # Defalt descriptor tests ##################################################################
965 user_name
= "testuser1"
966 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
967 # Open Ldb connection with the tested user
968 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
969 # Create example Configuration container
970 container_name
= "test-container1"
971 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
972 delete_force(self
.ldb_admin
, object_dn
)
973 self
.create_configuration_container(_ldb
, object_dn
, )
974 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
975 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
976 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
977 self
.check_modify_inheritance(_ldb
, object_dn
)
980 user_name
= "testuser2"
981 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
982 # Open Ldb connection with the tested user
983 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
984 # Create example Configuration container
985 container_name
= "test-container1"
986 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
987 delete_force(self
.ldb_admin
, object_dn
)
988 self
.create_configuration_container(_ldb
, object_dn
, )
989 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
990 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
991 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
992 self
.check_modify_inheritance(_ldb
, object_dn
)
995 user_name
= "testuser3"
996 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
997 # Open Ldb connection with the tested user
998 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
999 # Create example Configuration container
1000 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1001 delete_force(self
.ldb_admin
, object_dn
)
1002 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1003 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1004 mod
= "(A;;WDCC;;;AU)"
1005 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1006 # Create child object with user's credentials
1007 object_dn
= "CN=test-specifier1," + object_dn
1008 delete_force(self
.ldb_admin
, object_dn
)
1009 self
.create_configuration_specifier(_ldb
, object_dn
)
1010 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1011 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1012 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1013 #self.check_modify_inheritance(_ldb, object_dn)
1016 user_name
= "testuser4"
1017 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1018 # Open Ldb connection with the tested user
1019 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1020 # Create example Configuration container
1021 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1022 delete_force(self
.ldb_admin
, object_dn
)
1023 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1024 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1025 mod
= "(A;CI;WDCC;;;AU)"
1026 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1027 # Create child object with user's credentials
1028 object_dn
= "CN=test-specifier1," + object_dn
1029 delete_force(self
.ldb_admin
, object_dn
)
1030 self
.create_configuration_specifier(_ldb
, object_dn
)
1031 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1032 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1033 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1034 #self.check_modify_inheritance(_ldb, object_dn)
1037 user_name
= "testuser5"
1038 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1039 # Open Ldb connection with the tested user
1040 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1041 # Create example Configuration container
1042 container_name
= "test-container1"
1043 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1044 delete_force(self
.ldb_admin
, object_dn
)
1045 self
.create_configuration_container(_ldb
, object_dn
, )
1046 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1047 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1048 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1049 self
.check_modify_inheritance(_ldb
, object_dn
)
1052 user_name
= "testuser6"
1053 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1054 # Open Ldb connection with the tested user
1055 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1056 # Create example Configuration container
1057 container_name
= "test-container1"
1058 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1059 delete_force(self
.ldb_admin
, object_dn
)
1060 self
.create_configuration_container(_ldb
, object_dn
, )
1061 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1062 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1063 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1064 self
.check_modify_inheritance(_ldb
, object_dn
)
1067 user_name
= "testuser7"
1068 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1069 # Open Ldb connection with the tested user
1070 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1071 # Create example Configuration container
1072 container_name
= "test-container1"
1073 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1074 delete_force(self
.ldb_admin
, object_dn
)
1075 self
.create_configuration_container(_ldb
, object_dn
, )
1076 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1077 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1078 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1079 self
.check_modify_inheritance(_ldb
, object_dn
)
1082 user_name
= "testuser8"
1083 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1084 # Open Ldb connection with the tested user
1085 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1086 # Create example Configuration container
1087 container_name
= "test-container1"
1088 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1089 delete_force(self
.ldb_admin
, object_dn
)
1090 self
.create_configuration_container(_ldb
, object_dn
, )
1091 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1092 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1093 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1094 self
.check_modify_inheritance(_ldb
, object_dn
)
1096 # Custom descriptor tests ##################################################################
1099 user_name
= "testuser1"
1100 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1101 # Open Ldb connection with the tested user
1102 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1103 # Create example Configuration container
1104 container_name
= "test-container1"
1105 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1106 delete_force(self
.ldb_admin
, object_dn
)
1107 # Create a custom security descriptor
1108 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1109 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1110 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1111 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1112 self
.assertEqual("O:DAG:DA", res
)
1115 user_name
= "testuser2"
1116 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1117 # Open Ldb connection with the tested user
1118 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1119 # Create example Configuration container
1120 container_name
= "test-container1"
1121 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1122 delete_force(self
.ldb_admin
, object_dn
)
1123 # Create a custom security descriptor
1124 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1125 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1126 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1127 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1128 self
.assertEqual("O:DAG:DA", res
)
1131 user_name
= "testuser3"
1132 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1133 # Open Ldb connection with the tested user
1134 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1135 # Create example Configuration container
1136 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1137 delete_force(self
.ldb_admin
, object_dn
)
1138 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1139 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1140 mod
= "(A;;CC;;;AU)"
1141 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1142 # Create child object with user's credentials
1143 object_dn
= "CN=test-specifier1," + object_dn
1144 delete_force(self
.ldb_admin
, object_dn
)
1145 # Create a custom security descriptor
1146 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1147 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1148 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1149 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1150 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1151 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1154 user_name
= "testuser4"
1155 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1156 # Open Ldb connection with the tested user
1157 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1158 # Create example Configuration container
1159 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1160 delete_force(self
.ldb_admin
, object_dn
)
1161 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1162 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1163 mod
= "(A;;CC;;;AU)"
1164 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1165 # Create child object with user's credentials
1166 object_dn
= "CN=test-specifier1," + object_dn
1167 delete_force(self
.ldb_admin
, object_dn
)
1168 # Create a custom security descriptor
1169 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1170 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1171 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1172 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1173 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1174 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1177 user_name
= "testuser5"
1178 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1179 # Open Ldb connection with the tested user
1180 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1181 # Create example Configuration container
1182 container_name
= "test-container1"
1183 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1184 delete_force(self
.ldb_admin
, object_dn
)
1185 # Create a custom security descriptor
1186 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1187 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1188 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1189 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1190 self
.assertEqual("O:DAG:DA", res
)
1193 user_name
= "testuser6"
1194 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1195 # Open Ldb connection with the tested user
1196 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1197 # Create example Configuration container
1198 container_name
= "test-container1"
1199 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1200 delete_force(self
.ldb_admin
, object_dn
)
1201 # Create a custom security descriptor
1202 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1203 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1204 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1205 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1206 self
.assertEqual("O:DAG:DA", res
)
1209 user_name
= "testuser7"
1210 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1211 # Open Ldb connection with the tested user
1212 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1213 # Create example Configuration container
1214 container_name
= "test-container1"
1215 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1216 delete_force(self
.ldb_admin
, object_dn
)
1217 # Create a custom security descriptor
1218 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1219 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1220 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1221 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1222 self
.assertEqual("O:DAG:DA", res
)
1225 user_name
= "testuser8"
1226 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1227 # Open Ldb connection with the tested user
1228 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1229 # Create example Configuration container
1230 container_name
= "test-container1"
1231 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1232 delete_force(self
.ldb_admin
, object_dn
)
1233 # Create a custom security descriptor
1234 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1235 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1236 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1237 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1238 self
.assertEqual("O:DAG:DA", res
)
1240 ########################################################################################
1241 # Inharitance tests for DACL
1243 class DaclDescriptorTests(DescriptorTests
):
1245 def deleteAll(self
):
1246 delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1247 delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1250 super(DaclDescriptorTests
, self
).setUp()
1253 def create_clean_ou(self
, object_dn
):
1254 """ Base repeating setup for unittests to follow """
1255 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
, \
1256 expression
="distinguishedName=%s" % object_dn
)
1257 # Make sure top testing OU has been deleted before starting the test
1258 self
.assertEqual(res
, [])
1259 self
.ldb_admin
.create_ou(object_dn
)
1260 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1261 # Make sure there are inheritable ACEs initially
1262 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1263 # Find and remove all inherit ACEs
1264 res
= re
.findall("\(.*?\)", desc_sddl
)
1265 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1267 desc_sddl
= desc_sddl
.replace(x
, "")
1268 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1269 # can propagate from above
1270 # remove SACL, we are not interested
1271 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1272 self
.sd_utils
.modify_sd_on_dn(object_dn
, desc_sddl
)
1273 # Verify all inheritable ACEs are gone
1274 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1275 self
.assertFalse("CI" in desc_sddl
)
1276 self
.assertFalse("OI" in desc_sddl
)
1279 """ OU with protected flag and child group. See if the group has inherit ACEs.
1281 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1282 group_dn
= "CN=test_inherit_group," + ou_dn
1283 # Create inheritable-free OU
1284 self
.create_clean_ou(ou_dn
)
1285 # Create group child object
1286 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1287 # Make sure created group object contains NO inherit ACEs
1288 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1289 self
.assertFalse("ID" in desc_sddl
)
1292 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1293 Verify group has custom and default ACEs only.
1295 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1296 group_dn
= "CN=test_inherit_group," + ou_dn
1297 # Create inheritable-free OU
1298 self
.create_clean_ou(ou_dn
)
1299 # Create group child object using custom security descriptor
1300 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1301 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
1302 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1303 # Make sure created group descriptor has NO additional ACEs
1304 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1305 self
.assertEqual(desc_sddl
, sddl
)
1306 sddl
= "O:AUG:AUD:AI(D;;CC;;;LG)"
1307 self
.sd_utils
.modify_sd_on_dn(group_dn
, sddl
)
1308 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1309 self
.assertEqual(desc_sddl
, sddl
)
1312 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1313 See if the group has any of the added ACEs.
1315 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1316 group_dn
= "CN=test_inherit_group," + ou_dn
1317 # Create inheritable-free OU
1318 self
.create_clean_ou(ou_dn
)
1319 # Add some custom non-inheritable ACEs
1320 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1321 moded
= "(D;;CC;;;LG)"
1322 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1323 # Verify all inheritable ACEs are gone
1324 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1325 # Create group child object
1326 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1327 # Make sure created group object contains NO inherit ACEs
1328 # also make sure the added above non-inheritable ACEs are absent too
1329 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1330 self
.assertFalse("ID" in desc_sddl
)
1331 for x
in re
.findall("\(.*?\)", mod
):
1332 self
.assertFalse(x
in desc_sddl
)
1333 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1334 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1335 self
.assertFalse("ID" in desc_sddl
)
1336 for x
in re
.findall("\(.*?\)", mod
):
1337 self
.assertFalse(x
in desc_sddl
)
1340 """ OU with protected flag and add 'CI' ACE, child group.
1341 See if the group has the added inherited ACE.
1343 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1344 group_dn
= "CN=test_inherit_group," + ou_dn
1345 # Create inheritable-free OU
1346 self
.create_clean_ou(ou_dn
)
1347 # Add some custom 'CI' ACE
1348 mod
= "(D;CI;WP;;;DU)"
1349 moded
= "(D;;CC;;;LG)"
1350 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1351 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1352 # Create group child object
1353 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1354 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1355 # Make sure created group object contains only the above inherited ACE
1356 # that we've added manually
1357 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1358 mod
= mod
.replace(";CI;", ";CIID;")
1359 self
.assertTrue(mod
in desc_sddl
)
1360 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1361 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1362 self
.assertTrue(moded
in desc_sddl
)
1363 self
.assertTrue(mod
in desc_sddl
)
1366 """ OU with protected flag and add 'OI' ACE, child group.
1367 See if the group has the added inherited ACE.
1369 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1370 group_dn
= "CN=test_inherit_group," + ou_dn
1371 # Create inheritable-free OU
1372 self
.create_clean_ou(ou_dn
)
1373 # Add some custom 'CI' ACE
1374 mod
= "(D;OI;WP;;;DU)"
1375 moded
= "(D;;CC;;;LG)"
1376 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1377 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1378 # Create group child object
1379 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1380 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1381 # Make sure created group object contains only the above inherited ACE
1382 # that we've added manually
1383 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1384 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1385 self
.assertTrue(mod
in desc_sddl
)
1386 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" +moded
)
1387 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1388 self
.assertTrue(moded
in desc_sddl
)
1389 self
.assertTrue(mod
in desc_sddl
)
1392 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1393 See if the group has the added inherited ACE.
1395 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1396 group_dn
= "CN=test_inherit_group," + ou_dn
1397 # Create inheritable-free OU
1398 self
.create_clean_ou(ou_dn
)
1399 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1400 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1401 moded
= "(D;;CC;;;LG)"
1402 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1403 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1404 # Create group child object
1405 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1406 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1407 # Make sure created group object contains only the above inherited ACE
1408 # that we've added manually
1409 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1410 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1411 self
.assertTrue(mod
in desc_sddl
)
1412 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1413 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1414 self
.assertTrue(moded
in desc_sddl
)
1415 self
.assertTrue(mod
in desc_sddl
)
1418 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1419 See if the group has the added inherited ACE.
1421 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1422 group_dn
= "CN=test_inherit_group," + ou_dn
1423 # Create inheritable-free OU
1424 self
.create_clean_ou(ou_dn
)
1425 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1426 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1427 moded
= "(D;;CC;;;LG)"
1428 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1429 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1430 # Create group child object
1431 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1432 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1433 # Make sure created group object contains only the above inherited ACE
1434 # that we've added manually
1435 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1436 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1437 self
.assertTrue(mod
in desc_sddl
)
1438 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1439 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1440 self
.assertTrue(moded
in desc_sddl
)
1441 self
.assertTrue(mod
in desc_sddl
)
1444 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1445 See if the group has the added inherited ACE.
1447 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1448 group_dn
= "CN=test_inherit_group," + ou_dn
1449 # Create inheritable-free OU
1450 self
.create_clean_ou(ou_dn
)
1451 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1452 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1453 moded
= "(D;;CC;;;LG)"
1454 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1455 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1456 # Create group child object
1457 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1458 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1459 # Make sure created group object contains only the above inherited ACE
1460 # that we've added manually
1461 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1462 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1463 self
.assertTrue(mod
in desc_sddl
)
1464 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1465 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1466 self
.assertTrue(moded
in desc_sddl
)
1467 self
.assertTrue(mod
in desc_sddl
)
1470 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1471 See if the group has the added inherited ACE.
1473 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1474 group_dn
= "CN=test_inherit_group," + ou_dn
1475 # Create inheritable-free OU
1476 self
.create_clean_ou(ou_dn
)
1477 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1478 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1479 moded
= "(D;;CC;;;LG)"
1480 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1481 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1482 # Create group child object
1483 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1484 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1485 # Make sure created group object contains only the above inherited ACE
1486 # that we've added manually
1487 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1488 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1489 self
.assertTrue(mod
in desc_sddl
)
1490 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded
)
1491 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1492 self
.assertTrue(moded
in desc_sddl
)
1493 self
.assertTrue(mod
in desc_sddl
)
1496 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1497 See if the group has the added inherited ACE.
1499 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1500 group_dn
= "CN=test_inherit_group," + ou_dn
1501 # Create inheritable-free OU
1502 self
.create_clean_ou(ou_dn
)
1503 # Add some custom 'CI' ACE
1504 mod
= "(D;CI;WP;;;CO)"
1505 moded
= "(D;;CC;;;LG)"
1506 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1507 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1508 # Create group child object
1509 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1510 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1511 # Make sure created group object contains only the above inherited ACE(s)
1512 # that we've added manually
1513 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1514 self
.assertTrue("(D;ID;WP;;;AU)" in desc_sddl
)
1515 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1516 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1517 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1518 self
.assertTrue(moded
in desc_sddl
)
1519 self
.assertTrue("(D;ID;WP;;;DA)" in desc_sddl
)
1520 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1523 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1525 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1526 group_dn
= "CN=test_inherit_group," + ou_dn
1527 self
.create_clean_ou(ou_dn
)
1528 # Add some custom ACE
1529 mod
= "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1530 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1531 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1532 # Make sure created group object does not contain the ID ace
1533 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1534 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1537 """ Provide ACE with CO SID, should be expanded and replaced
1539 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1540 group_dn
= "CN=test_inherit_group," + ou_dn
1541 # Create inheritable-free OU
1542 self
.create_clean_ou(ou_dn
)
1543 # Add some custom 'CI' ACE
1544 mod
= "D:(D;CI;WP;;;CO)"
1545 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1546 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1547 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1548 self
.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl
)
1551 """ Provide ACE with IO flag, should be ignored
1553 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1554 group_dn
= "CN=test_inherit_group," + ou_dn
1555 # Create inheritable-free OU
1556 self
.create_clean_ou(ou_dn
)
1557 # Add some custom 'CI' ACE
1558 mod
= "D:(D;CIIO;WP;;;CO)"
1559 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1560 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1561 # Make sure created group object contains only the above inherited ACE(s)
1562 # that we've added manually
1563 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1564 self
.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl
)
1565 self
.assertFalse("(D;;WP;;;DA)" in desc_sddl
)
1566 self
.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl
)
1569 """ Provide ACE with IO flag, should be ignored
1571 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1572 group_dn
= "CN=test_inherit_group," + ou_dn
1573 # Create inheritable-free OU
1574 self
.create_clean_ou(ou_dn
)
1575 mod
= "D:(D;IO;WP;;;DA)"
1576 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1577 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1578 # Make sure created group object contains only the above inherited ACE(s)
1579 # that we've added manually
1580 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1581 self
.assertFalse("(D;IO;WP;;;DA)" in desc_sddl
)
1583 ########################################################################################
1586 class SdFlagsDescriptorTests(DescriptorTests
):
1587 def deleteAll(self
):
1588 delete_force(self
.ldb_admin
, "OU=test_sdflags_ou," + self
.base_dn
)
1591 super(SdFlagsDescriptorTests
, self
).setUp()
1592 self
.test_descr
= "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1596 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1597 See that only the owner has been changed.
1599 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1600 self
.ldb_admin
.create_ou(ou_dn
)
1601 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1602 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1603 # make sure we have modified the owner
1604 self
.assertTrue("O:AU" in desc_sddl
)
1605 # make sure nothing else has been modified
1606 self
.assertFalse("G:AU" in desc_sddl
)
1607 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1608 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1611 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1612 See that only the owner has been changed.
1614 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1615 self
.ldb_admin
.create_ou(ou_dn
)
1616 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1617 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1618 # make sure we have modified the group
1619 self
.assertTrue("G:AU" in desc_sddl
)
1620 # make sure nothing else has been modified
1621 self
.assertFalse("O:AU" in desc_sddl
)
1622 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1623 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1626 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1627 See that only the owner has been changed.
1629 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1630 self
.ldb_admin
.create_ou(ou_dn
)
1631 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1632 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1633 # make sure we have modified the DACL
1634 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1635 # make sure nothing else has been modified
1636 self
.assertFalse("O:AU" in desc_sddl
)
1637 self
.assertFalse("G:AU" in desc_sddl
)
1638 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1641 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1642 See that only the owner has been changed.
1644 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1645 self
.ldb_admin
.create_ou(ou_dn
)
1646 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1647 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1648 # make sure we have modified the DACL
1649 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1650 # make sure nothing else has been modified
1651 self
.assertFalse("O:AU" in desc_sddl
)
1652 self
.assertFalse("G:AU" in desc_sddl
)
1653 self
.assertFalse("(D;;CC;;;LG)" in desc_sddl
)
1656 """ Modify a descriptor with 0x0 set.
1657 Contrary to logic this is interpreted as no control,
1658 which is the same as 0xF
1660 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1661 self
.ldb_admin
.create_ou(ou_dn
)
1662 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:0"])
1663 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1664 # make sure we have modified the DACL
1665 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1666 # make sure nothing else has been modified
1667 self
.assertTrue("O:AU" in desc_sddl
)
1668 self
.assertTrue("G:AU" in desc_sddl
)
1669 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1672 """ Modify a descriptor with 0xF set.
1674 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1675 self
.ldb_admin
.create_ou(ou_dn
)
1676 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:15"])
1677 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1678 # make sure we have modified the DACL
1679 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1680 # make sure nothing else has been modified
1681 self
.assertTrue("O:AU" in desc_sddl
)
1682 self
.assertTrue("G:AU" in desc_sddl
)
1683 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1686 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1687 Only the owner part should be returned.
1689 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1690 self
.ldb_admin
.create_ou(ou_dn
)
1691 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1692 # make sure we have read the owner
1693 self
.assertTrue("O:" in desc_sddl
)
1694 # make sure we have read nothing else
1695 self
.assertFalse("G:" in desc_sddl
)
1696 self
.assertFalse("D:" in desc_sddl
)
1697 self
.assertFalse("S:" in desc_sddl
)
1700 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1701 Only the group part should be returned.
1703 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1704 self
.ldb_admin
.create_ou(ou_dn
)
1705 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1706 # make sure we have read the owner
1707 self
.assertTrue("G:" in desc_sddl
)
1708 # make sure we have read nothing else
1709 self
.assertFalse("O:" in desc_sddl
)
1710 self
.assertFalse("D:" in desc_sddl
)
1711 self
.assertFalse("S:" in desc_sddl
)
1714 """ Read a descriptor with SACL_SECURITY_INFORMATION
1715 Only the sacl part should be returned.
1717 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1718 self
.ldb_admin
.create_ou(ou_dn
)
1719 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1720 # make sure we have read the owner
1721 self
.assertTrue("S:" in desc_sddl
)
1722 # make sure we have read nothing else
1723 self
.assertFalse("O:" in desc_sddl
)
1724 self
.assertFalse("D:" in desc_sddl
)
1725 self
.assertFalse("G:" in desc_sddl
)
1728 """ Read a descriptor with DACL_SECURITY_INFORMATION
1729 Only the dacl part should be returned.
1731 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1732 self
.ldb_admin
.create_ou(ou_dn
)
1733 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1734 # make sure we have read the owner
1735 self
.assertTrue("D:" in desc_sddl
)
1736 # make sure we have read nothing else
1737 self
.assertFalse("O:" in desc_sddl
)
1738 self
.assertFalse("S:" in desc_sddl
)
1739 self
.assertFalse("G:" in desc_sddl
)
1742 class RightsAttributesTests(DescriptorTests
):
1744 def deleteAll(self
):
1745 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr"))
1746 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr2"))
1747 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
1750 super(RightsAttributesTests
, self
).setUp()
1754 self
.ldb_admin
.newuser("testuser_attr", "samba123@")
1755 # User 2, Domain Admins
1756 self
.ldb_admin
.newuser("testuser_attr2", "samba123@")
1757 self
.ldb_admin
.add_remove_group_members("Domain Admins",
1759 add_members_operation
=True)
1761 def test_sDRightsEffective(self
):
1762 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1763 delete_force(self
.ldb_admin
, object_dn
)
1764 self
.ldb_admin
.create_ou(object_dn
)
1765 print self
.get_users_domain_dn("testuser_attr")
1766 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1767 #give testuser1 read access so attributes can be retrieved
1768 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1769 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1770 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1771 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1772 attrs
=["sDRightsEffective"])
1773 #user whould have no rights at all
1774 self
.assertEquals(len(res
), 1)
1775 self
.assertEquals(res
[0]["sDRightsEffective"][0], "0")
1776 #give the user Write DACL and see what happens
1777 mod
= "(A;CI;WD;;;%s)" % str(user_sid
)
1778 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1779 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1780 attrs
=["sDRightsEffective"])
1781 #user whould have DACL_SECURITY_INFORMATION
1782 self
.assertEquals(len(res
), 1)
1783 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL
)
1784 #give the user Write Owners and see what happens
1785 mod
= "(A;CI;WO;;;%s)" % str(user_sid
)
1786 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1787 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1788 attrs
=["sDRightsEffective"])
1789 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1790 self
.assertEquals(len(res
), 1)
1791 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER
))
1792 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1793 _ldb
= self
.get_ldb_connection("testuser_attr2", "samba123@")
1794 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1795 attrs
=["sDRightsEffective"])
1796 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1797 self
.assertEquals(len(res
), 1)
1798 self
.assertEquals(res
[0]["sDRightsEffective"][0], \
1799 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL
))
1801 def test_allowedChildClassesEffective(self
):
1802 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1803 delete_force(self
.ldb_admin
, object_dn
)
1804 self
.ldb_admin
.create_ou(object_dn
)
1805 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1806 #give testuser1 read access so attributes can be retrieved
1807 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1808 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1809 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1810 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1811 attrs
=["allowedChildClassesEffective"])
1812 #there should be no allowed child classes
1813 self
.assertEquals(len(res
), 1)
1814 self
.assertFalse("allowedChildClassesEffective" in res
[0].keys())
1815 #give the user the right to create children of type user
1816 mod
= "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1817 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1818 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1819 attrs
=["allowedChildClassesEffective"])
1820 # allowedChildClassesEffective should only have one value, user
1821 self
.assertEquals(len(res
), 1)
1822 self
.assertEquals(len(res
[0]["allowedChildClassesEffective"]), 1)
1823 self
.assertEquals(res
[0]["allowedChildClassesEffective"][0], "user")
1825 def test_allowedAttributesEffective(self
):
1826 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1827 delete_force(self
.ldb_admin
, object_dn
)
1828 self
.ldb_admin
.create_ou(object_dn
)
1829 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1830 #give testuser1 read access so attributes can be retrieved
1831 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1832 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1833 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1834 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1835 attrs
=["allowedAttributesEffective"])
1836 #there should be no allowed attributes
1837 self
.assertEquals(len(res
), 1)
1838 self
.assertFalse("allowedAttributesEffective" in res
[0].keys())
1839 #give the user the right to write displayName and managedBy
1840 mod2
= "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1841 mod
= "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid
)
1842 # also rights to modify an read only attribute, fromEntry
1843 mod3
= "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid
)
1844 self
.sd_utils
.dacl_add_ace(object_dn
, mod
+ mod2
+ mod3
)
1845 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1846 attrs
=["allowedAttributesEffective"])
1847 # value should only contain user and managedBy
1848 self
.assertEquals(len(res
), 1)
1849 self
.assertEquals(len(res
[0]["allowedAttributesEffective"]), 2)
1850 self
.assertTrue("displayName" in res
[0]["allowedAttributesEffective"])
1851 self
.assertTrue("managedBy" in res
[0]["allowedAttributesEffective"])
1853 if not "://" in host
:
1854 if os
.path
.isfile(host
):
1855 host
= "tdb://%s" % host
1857 host
= "ldap://%s" % host
1859 # use 'paged_search' module when connecting remotely
1860 if host
.lower().startswith("ldap://"):
1861 ldb_options
= ["modules:paged_searches"]
1865 session_info
=system_session(lp
),
1867 options
=ldb_options
)
1869 runner
= SubunitTestRunner()
1871 if not runner
.run(unittest
.makeSuite(OwnerGroupDescriptorTests
)).wasSuccessful():
1873 if not runner
.run(unittest
.makeSuite(DaclDescriptorTests
)).wasSuccessful():
1875 if not runner
.run(unittest
.makeSuite(SdFlagsDescriptorTests
)).wasSuccessful():
1877 if not runner
.run(unittest
.makeSuite(RightsAttributesTests
)).wasSuccessful():