search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-dsdb/tests/python: Explicitly pass comamnd line LoadParm() instance to system_sess...
[Samba.git] / source4 / dsdb / tests / python / sec_descriptor.py
blobc24b6e989826290854aa8b5eb30d59b6454a3605
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3
4 import optparse
5 import sys
6 import os
7 import base64
8 import re
9 import random
10
11 sys.path.append("bin/python")
12 import samba
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
20
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
24
25 from samba import gensec, sd_utils
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
33 import samba.tests
34 from samba.tests import delete_force
35 import unittest
36
37 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
38 sambaopts = options.SambaOptions(parser)
39 parser.add_option_group(sambaopts)
40 parser.add_option_group(options.VersionOptions(parser))
41
42 # use command line creds if available
43 credopts = options.CredentialsOptions(parser)
44 parser.add_option_group(credopts)
45 opts, args = parser.parse_args()
46
47 if len(args) < 1:
48 parser.print_usage()
49 sys.exit(1)
50
51 host = args[0]
52
53 lp = sambaopts.get_loadparm()
54 creds = credopts.get_credentials(lp)
55 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
56
57 #
58 # Tests start here
59 #
60
61 class DescriptorTests(samba.tests.TestCase):
62
63 def get_users_domain_dn(self, name):
64 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
65
66 def get_unique_schema_class_name(self):
67 while True:
68 class_name = "test-class%s" % random.randint(1,100000)
69 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
70 try:
71 self.ldb_admin.search(base=class_dn, attrs=["*"])
72 except LdbError, (num, _):
73 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
74 return class_name
75
76 def create_schema_class(self, _ldb, object_dn, desc=None):
77 ldif = """
78 dn: """ + object_dn + """
79 objectClass: classSchema
80 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
81 defaultObjectCategory: """ + object_dn + """
82 distinguishedName: """ + object_dn + """
83 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
84 instanceType: 4
85 objectClassCategory: 1
86 subClassOf: organizationalPerson
87 systemFlags: 16
88 rDNAttID: cn
89 systemMustContain: cn
90 systemOnly: FALSE
91 """
92 if desc:
93 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
94 if isinstance(desc, str):
95 ldif += "nTSecurityDescriptor: %s" % desc
96 elif isinstance(desc, security.descriptor):
97 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
98 _ldb.add_ldif(ldif)
99
100 def create_configuration_container(self, _ldb, object_dn, desc=None):
101 ldif = """
102 dn: """ + object_dn + """
103 objectClass: container
104 objectCategory: CN=Container,""" + self.schema_dn + """
105 showInAdvancedViewOnly: TRUE
106 instanceType: 4
107 """
108 if desc:
109 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
110 if isinstance(desc, str):
111 ldif += "nTSecurityDescriptor: %s" % desc
112 elif isinstance(desc, security.descriptor):
113 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
114 _ldb.add_ldif(ldif)
115
116 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
117 ldif = """
118 dn: """ + object_dn + """
119 objectClass: displaySpecifier
120 showInAdvancedViewOnly: TRUE
121 """
122 if desc:
123 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
124 if isinstance(desc, str):
125 ldif += "nTSecurityDescriptor: %s" % desc
126 elif isinstance(desc, security.descriptor):
127 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
128 _ldb.add_ldif(ldif)
129
130 def get_ldb_connection(self, target_username, target_password):
131 creds_tmp = Credentials()
132 creds_tmp.set_username(target_username)
133 creds_tmp.set_password(target_password)
134 creds_tmp.set_domain(creds.get_domain())
135 creds_tmp.set_realm(creds.get_realm())
136 creds_tmp.set_workstation(creds.get_workstation())
137 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
138 | gensec.FEATURE_SEAL)
139 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
140 return ldb_target
141
142 def setUp(self):
143 super(DescriptorTests, self).setUp()
144 self.ldb_admin = ldb
145 self.base_dn = ldb.domain_dn()
146 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
147 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
148 self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
149 self.sd_utils = sd_utils.SDUtils(ldb)
150 print "baseDN: %s" % self.base_dn
151
152 ################################################################################################
153
154 ## Tests for DOMAIN
155
156 # Default descriptor tests #####################################################################
157
158 class OwnerGroupDescriptorTests(DescriptorTests):
159
160 def deleteAll(self):
161 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
162 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
163 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
164 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
165 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
166 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
167 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
168 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
169 # DOMAIN
170 delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
171 delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
172 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
173 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
174 # SCHEMA
175 # CONFIGURATION
176 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
177 + self.configuration_dn)
178 delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
179
180 def setUp(self):
181 super(OwnerGroupDescriptorTests, self).setUp()
182 self.deleteAll()
183 ### Create users
184 # User 1 - Enterprise Admins
185 self.ldb_admin.newuser("testuser1", "samba123@")
186 # User 2 - Domain Admins
187 self.ldb_admin.newuser("testuser2", "samba123@")
188 # User 3 - Schema Admins
189 self.ldb_admin.newuser("testuser3", "samba123@")
190 # User 4 - regular user
191 self.ldb_admin.newuser("testuser4", "samba123@")
192 # User 5 - Enterprise Admins and Domain Admins
193 self.ldb_admin.newuser("testuser5", "samba123@")
194 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
195 self.ldb_admin.newuser("testuser6", "samba123@")
196 # User 7 - Domain Admins and Schema Admins
197 self.ldb_admin.newuser("testuser7", "samba123@")
198 # User 5 - Enterprise Admins and Schema Admins
199 self.ldb_admin.newuser("testuser8", "samba123@")
200
201 self.ldb_admin.add_remove_group_members("Enterprise Admins",
202 "testuser1,testuser5,testuser6,testuser8",
203 add_members_operation=True)
204 self.ldb_admin.add_remove_group_members("Domain Admins",
205 "testuser2,testuser5,testuser6,testuser7",
206 add_members_operation=True)
207 self.ldb_admin.add_remove_group_members("Schema Admins",
208 "testuser3,testuser6,testuser7,testuser8",
209 add_members_operation=True)
210
211 self.results = {
212 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
213 "ds_behavior_win2003" : {
214 "100" : "O:EAG:DU",
215 "101" : "O:DAG:DU",
216 "102" : "O:%sG:DU",
217 "103" : "O:%sG:DU",
218 "104" : "O:DAG:DU",
219 "105" : "O:DAG:DU",
220 "106" : "O:DAG:DU",
221 "107" : "O:EAG:DU",
222 "108" : "O:DAG:DA",
223 "109" : "O:DAG:DA",
224 "110" : "O:%sG:DA",
225 "111" : "O:%sG:DA",
226 "112" : "O:DAG:DA",
227 "113" : "O:DAG:DA",
228 "114" : "O:DAG:DA",
229 "115" : "O:DAG:DA",
230 "130" : "O:EAG:DU",
231 "131" : "O:DAG:DU",
232 "132" : "O:SAG:DU",
233 "133" : "O:%sG:DU",
234 "134" : "O:EAG:DU",
235 "135" : "O:SAG:DU",
236 "136" : "O:SAG:DU",
237 "137" : "O:SAG:DU",
238 "138" : "O:DAG:DA",
239 "139" : "O:DAG:DA",
240 "140" : "O:%sG:DA",
241 "141" : "O:%sG:DA",
242 "142" : "O:DAG:DA",
243 "143" : "O:DAG:DA",
244 "144" : "O:DAG:DA",
245 "145" : "O:DAG:DA",
246 "160" : "O:EAG:DU",
247 "161" : "O:DAG:DU",
248 "162" : "O:%sG:DU",
249 "163" : "O:%sG:DU",
250 "164" : "O:EAG:DU",
251 "165" : "O:EAG:DU",
252 "166" : "O:DAG:DU",
253 "167" : "O:EAG:DU",
254 "168" : "O:DAG:DA",
255 "169" : "O:DAG:DA",
256 "170" : "O:%sG:DA",
257 "171" : "O:%sG:DA",
258 "172" : "O:DAG:DA",
259 "173" : "O:DAG:DA",
260 "174" : "O:DAG:DA",
261 "175" : "O:DAG:DA",
262 },
263 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
264 "ds_behavior_win2008" : {
265 "100" : "O:EAG:EA",
266 "101" : "O:DAG:DA",
267 "102" : "O:%sG:DU",
268 "103" : "O:%sG:DU",
269 "104" : "O:DAG:DA",
270 "105" : "O:DAG:DA",
271 "106" : "O:DAG:DA",
272 "107" : "O:EAG:EA",
273 "108" : "O:DAG:DA",
274 "109" : "O:DAG:DA",
275 "110" : "O:%sG:DA",
276 "111" : "O:%sG:DA",
277 "112" : "O:DAG:DA",
278 "113" : "O:DAG:DA",
279 "114" : "O:DAG:DA",
280 "115" : "O:DAG:DA",
281 "130" : "O:EAG:EA",
282 "131" : "O:DAG:DA",
283 "132" : "O:SAG:SA",
284 "133" : "O:%sG:DU",
285 "134" : "O:EAG:EA",
286 "135" : "O:SAG:SA",
287 "136" : "O:SAG:SA",
288 "137" : "O:SAG:SA",
289 "138" : "",
290 "139" : "",
291 "140" : "O:%sG:DA",
292 "141" : "O:%sG:DA",
293 "142" : "",
294 "143" : "",
295 "144" : "",
296 "145" : "",
297 "160" : "O:EAG:EA",
298 "161" : "O:DAG:DA",
299 "162" : "O:%sG:DU",
300 "163" : "O:%sG:DU",
301 "164" : "O:EAG:EA",
302 "165" : "O:EAG:EA",
303 "166" : "O:DAG:DA",
304 "167" : "O:EAG:EA",
305 "168" : "O:DAG:DA",
306 "169" : "O:DAG:DA",
307 "170" : "O:%sG:DA",
308 "171" : "O:%sG:DA",
309 "172" : "O:DAG:DA",
310 "173" : "O:DAG:DA",
311 "174" : "O:DAG:DA",
312 "175" : "O:DAG:DA",
313 },
314 }
315 # Discover 'msDS-Behavior-Version'
316 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
317 attrs=['msDS-Behavior-Version'])
318 res = int(res[0]['msDS-Behavior-Version'][0])
319 if res < DS_DOMAIN_FUNCTION_2008:
320 self.DS_BEHAVIOR = "ds_behavior_win2003"
321 else:
322 self.DS_BEHAVIOR = "ds_behavior_win2008"
323
324 def tearDown(self):
325 super(DescriptorTests, self).tearDown()
326 self.deleteAll()
327
328 def check_user_belongs(self, user_dn, groups=[]):
329 """ Test wether user is member of the expected group(s) """
330 if groups != []:
331 # User is member of at least one additional group
332 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
333 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
334 expected = []
335 for x in groups:
336 expected.append(self.get_users_domain_dn(x))
337 expected = [x.upper() for x in sorted(expected)]
338 self.assertEqual(expected, res)
339 else:
340 # User is not a member of any additional groups but default
341 res = self.ldb_admin.search(user_dn, attrs=["*"])
342 res = [x.upper() for x in res[0].keys()]
343 self.assertFalse( "MEMBEROF" in res)
344
345 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
346 # Modify
347 sd_user_utils = sd_utils.SDUtils(_ldb)
348 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
349 if owner_group != "":
350 sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
351 else:
352 sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
353 # Make sure the modify operation has been applied
354 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
355 self.assertTrue(ace in desc_sddl)
356 # Make sure we have identical result for both "add" and "modify"
357 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
358 print self._testMethodName
359 test_number = self._testMethodName[5:]
360 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
361
362 def test_100(self):
363 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
364 """
365 user_name = "testuser1"
366 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
367 # Open Ldb connection with the tested user
368 _ldb = self.get_ldb_connection(user_name, "samba123@")
369 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
370 delete_force(self.ldb_admin, object_dn)
371 _ldb.newgroup("test_domain_group1", grouptype=4)
372 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
373 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
374 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
375 self.check_modify_inheritance(_ldb, object_dn)
376
377 def test_101(self):
378 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
379 """
380 user_name = "testuser2"
381 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
382 # Open Ldb connection with the tested user
383 _ldb = self.get_ldb_connection(user_name, "samba123@")
384 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
385 delete_force(self.ldb_admin, object_dn)
386 _ldb.newgroup("test_domain_group1", grouptype=4)
387 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
388 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
389 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
390 self.check_modify_inheritance(_ldb, object_dn)
391
392 def test_102(self):
393 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
394 """
395 user_name = "testuser3"
396 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
397 # Open Ldb connection with the tested user
398 _ldb = self.get_ldb_connection(user_name, "samba123@")
399 object_dn = "OU=test_domain_ou1," + self.base_dn
400 delete_force(self.ldb_admin, object_dn)
401 self.ldb_admin.create_ou(object_dn)
402 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
403 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
404 self.sd_utils.dacl_add_ace(object_dn, mod)
405 # Create additional object into the first one
406 object_dn = "CN=test_domain_user1," + object_dn
407 delete_force(self.ldb_admin, object_dn)
408 _ldb.newuser("test_domain_user1", "samba123@",
409 userou="OU=test_domain_ou1", setpassword=False)
410 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
411 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
412 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
413 # This fails, research why
414 #self.check_modify_inheritance(_ldb, object_dn)
415
416 def test_103(self):
417 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
418 """
419 user_name = "testuser4"
420 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
421 # Open Ldb connection with the tested user
422 _ldb = self.get_ldb_connection(user_name, "samba123@")
423 object_dn = "OU=test_domain_ou1," + self.base_dn
424 delete_force(self.ldb_admin, object_dn)
425 self.ldb_admin.create_ou(object_dn)
426 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
427 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
428 self.sd_utils.dacl_add_ace(object_dn, mod)
429 # Create additional object into the first one
430 object_dn = "CN=test_domain_user1," + object_dn
431 delete_force(self.ldb_admin, object_dn)
432 _ldb.newuser("test_domain_user1", "samba123@",
433 userou="OU=test_domain_ou1", setpassword=False)
434 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
435 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
436 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
437 #this fails, research why
438 #self.check_modify_inheritance(_ldb, object_dn)
439
440 def test_104(self):
441 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
442 """
443 user_name = "testuser5"
444 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
445 # Open Ldb connection with the tested user
446 _ldb = self.get_ldb_connection(user_name, "samba123@")
447 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
448 delete_force(self.ldb_admin, object_dn)
449 _ldb.newgroup("test_domain_group1", grouptype=4)
450 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
451 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
452 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
453 self.check_modify_inheritance(_ldb, object_dn)
454
455 def test_105(self):
456 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
457 """
458 user_name = "testuser6"
459 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
460 # Open Ldb connection with the tested user
461 _ldb = self.get_ldb_connection(user_name, "samba123@")
462 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
463 delete_force(self.ldb_admin, object_dn)
464 _ldb.newgroup("test_domain_group1", grouptype=4)
465 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
466 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
467 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
468 self.check_modify_inheritance(_ldb, object_dn)
469
470 def test_106(self):
471 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
472 """
473 user_name = "testuser7"
474 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
475 # Open Ldb connection with the tested user
476 _ldb = self.get_ldb_connection(user_name, "samba123@")
477 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
478 delete_force(self.ldb_admin, object_dn)
479 _ldb.newgroup("test_domain_group1", grouptype=4)
480 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
481 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
482 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
483 self.check_modify_inheritance(_ldb, object_dn)
484
485 def test_107(self):
486 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
487 """
488 user_name = "testuser8"
489 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
490 # Open Ldb connection with the tested user
491 _ldb = self.get_ldb_connection(user_name, "samba123@")
492 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
493 delete_force(self.ldb_admin, object_dn)
494 _ldb.newgroup("test_domain_group1", grouptype=4)
495 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
496 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
497 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
498 self.check_modify_inheritance(_ldb, object_dn)
499
500 # Control descriptor tests #####################################################################
501
502 def test_108(self):
503 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
504 """
505 user_name = "testuser1"
506 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
507 # Open Ldb connection with the tested user
508 _ldb = self.get_ldb_connection(user_name, "samba123@")
509 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
510 delete_force(self.ldb_admin, object_dn)
511 # Create a custom security descriptor
512 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
513 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
514 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
515 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
516 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
517 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
518
519 def test_109(self):
520 """ Domain admin group member creates object (custom descriptor) in DOMAIN
521 """
522 user_name = "testuser2"
523 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
524 # Open Ldb connection with the tested user
525 _ldb = self.get_ldb_connection(user_name, "samba123@")
526 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
527 delete_force(self.ldb_admin, object_dn)
528 # Create a custom security descriptor
529 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
530 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
531 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
532 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
533 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
534 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
535
536 def test_110(self):
537 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
538 """
539 user_name = "testuser3"
540 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
541 # Open Ldb connection with the tested user
542 _ldb = self.get_ldb_connection(user_name, "samba123@")
543 object_dn = "OU=test_domain_ou1," + self.base_dn
544 delete_force(self.ldb_admin, object_dn)
545 self.ldb_admin.create_ou(object_dn)
546 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
547 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
548 self.sd_utils.dacl_add_ace(object_dn, mod)
549 # Create a custom security descriptor
550 # NB! Problematic owner part won't accept DA only <User Sid> !!!
551 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
552 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
553 # Create additional object into the first one
554 object_dn = "CN=test_domain_user1," + object_dn
555 delete_force(self.ldb_admin, object_dn)
556 _ldb.newuser("test_domain_user1", "samba123@",
557 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
558 desc = self.sd_utils.read_sd_on_dn(object_dn)
559 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
560 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
561 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
562
563 def test_111(self):
564 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
565 """
566 user_name = "testuser4"
567 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
568 # Open Ldb connection with the tested user
569 _ldb = self.get_ldb_connection(user_name, "samba123@")
570 object_dn = "OU=test_domain_ou1," + self.base_dn
571 delete_force(self.ldb_admin, object_dn)
572 self.ldb_admin.create_ou(object_dn)
573 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
574 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
575 self.sd_utils.dacl_add_ace(object_dn, mod)
576 # Create a custom security descriptor
577 # NB! Problematic owner part won't accept DA only <User Sid> !!!
578 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
579 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
580 # Create additional object into the first one
581 object_dn = "CN=test_domain_user1," + object_dn
582 delete_force(self.ldb_admin, object_dn)
583 _ldb.newuser("test_domain_user1", "samba123@",
584 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
585 desc = self.sd_utils.read_sd_on_dn(object_dn)
586 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
587 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
588 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
589
590 def test_112(self):
591 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
592 """
593 user_name = "testuser5"
594 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
595 # Open Ldb connection with the tested user
596 _ldb = self.get_ldb_connection(user_name, "samba123@")
597 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
598 delete_force(self.ldb_admin, object_dn)
599 # Create a custom security descriptor
600 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
601 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
602 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
603 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
604 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
605 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
606
607 def test_113(self):
608 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
609 """
610 user_name = "testuser6"
611 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
612 # Open Ldb connection with the tested user
613 _ldb = self.get_ldb_connection(user_name, "samba123@")
614 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
615 delete_force(self.ldb_admin, object_dn)
616 # Create a custom security descriptor
617 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
618 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
619 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
620 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
621 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
622 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
623
624 def test_114(self):
625 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
626 """
627 user_name = "testuser7"
628 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
629 # Open Ldb connection with the tested user
630 _ldb = self.get_ldb_connection(user_name, "samba123@")
631 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
632 delete_force(self.ldb_admin, object_dn)
633 # Create a custom security descriptor
634 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
635 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
636 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
637 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
638 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
639 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
640
641 def test_115(self):
642 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
643 """
644 user_name = "testuser8"
645 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
646 # Open Ldb connection with the tested user
647 _ldb = self.get_ldb_connection(user_name, "samba123@")
648 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
649 delete_force(self.ldb_admin, object_dn)
650 # Create a custom security descriptor
651 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
652 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
653 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
654 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
655 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
656 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
657
658 def test_999(self):
659 user_name = "Administrator"
660 object_dn = "OU=test_domain_ou1," + self.base_dn
661 delete_force(self.ldb_admin, object_dn)
662 self.ldb_admin.create_ou(object_dn)
663 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
664 mod = "(D;CI;WP;;;S-1-3-0)"
665 #mod = ""
666 self.sd_utils.dacl_add_ace(object_dn, mod)
667 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
668 # Create additional object into the first one
669 object_dn = "OU=test_domain_ou2," + object_dn
670 delete_force(self.ldb_admin, object_dn)
671 self.ldb_admin.create_ou(object_dn)
672 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
673
674 ## Tests for SCHEMA
675
676 # Defalt descriptor tests ##################################################################
677
678 def test_130(self):
679 user_name = "testuser1"
680 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
681 # Open Ldb connection with the tested user
682 _ldb = self.get_ldb_connection(user_name, "samba123@")
683 # Change Schema partition descriptor
684 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
685 mod = "(A;;WDCC;;;AU)"
686 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
687 # Create example Schema class
688 class_name = self.get_unique_schema_class_name()
689 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
690 self.create_schema_class(_ldb, class_dn)
691 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
692 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
693 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
694 self.check_modify_inheritance(_ldb, class_dn)
695
696 def test_131(self):
697 user_name = "testuser2"
698 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
699 # Open Ldb connection with the tested user
700 _ldb = self.get_ldb_connection(user_name, "samba123@")
701 # Change Schema partition descriptor
702 mod = "(A;CI;WDCC;;;AU)"
703 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
704 # Create example Schema class
705 class_name = self.get_unique_schema_class_name()
706 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
707 self.create_schema_class(_ldb, class_dn)
708 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
709 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
710 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
711 self.check_modify_inheritance(_ldb, class_dn)
712
713 def test_132(self):
714 user_name = "testuser3"
715 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
716 # Open Ldb connection with the tested user
717 _ldb = self.get_ldb_connection(user_name, "samba123@")
718 # Change Schema partition descriptor
719 mod = "(A;CI;WDCC;;;AU)"
720 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
721 # Create example Schema class
722 class_name = self.get_unique_schema_class_name()
723 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
724 self.create_schema_class(_ldb, class_dn)
725 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
726 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
727 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
728 #self.check_modify_inheritance(_ldb, class_dn)
729
730 def test_133(self):
731 user_name = "testuser4"
732 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
733 # Open Ldb connection with the tested user
734 _ldb = self.get_ldb_connection(user_name, "samba123@")
735 #Change Schema partition descriptor
736 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
737 mod = "(A;CI;WDCC;;;AU)"
738 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
739 # Create example Schema class
740 class_name = self.get_unique_schema_class_name()
741 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
742 self.create_schema_class(_ldb, class_dn)
743 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
744 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
745 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
746 #self.check_modify_inheritance(_ldb, class_dn)
747
748 def test_134(self):
749 user_name = "testuser5"
750 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
751 # Open Ldb connection with the tested user
752 _ldb = self.get_ldb_connection(user_name, "samba123@")
753 #Change Schema partition descriptor
754 mod = "(A;CI;WDCC;;;AU)"
755 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
756 # Create example Schema class
757 class_name = self.get_unique_schema_class_name()
758 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
759 self.create_schema_class(_ldb, class_dn)
760 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
761 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
762 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
763 self.check_modify_inheritance(_ldb, class_dn)
764
765 def test_135(self):
766 user_name = "testuser6"
767 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
768 # Open Ldb connection with the tested user
769 _ldb = self.get_ldb_connection(user_name, "samba123@")
770 # Change Schema partition descriptor
771 mod = "(A;CI;WDCC;;;AU)"
772 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
773 # Create example Schema class
774 class_name = self.get_unique_schema_class_name()
775 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
776 self.create_schema_class(_ldb, class_dn)
777 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
778 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
779 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
780 self.check_modify_inheritance(_ldb, class_dn)
781
782 def test_136(self):
783 user_name = "testuser7"
784 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
785 # Open Ldb connection with the tested user
786 _ldb = self.get_ldb_connection(user_name, "samba123@")
787 # Change Schema partition descriptor
788 mod = "(A;CI;WDCC;;;AU)"
789 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
790 # Create example Schema class
791 class_name = self.get_unique_schema_class_name()
792 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
793 self.create_schema_class(_ldb, class_dn)
794 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
795 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
796 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
797 self.check_modify_inheritance(_ldb, class_dn)
798
799 def test_137(self):
800 user_name = "testuser8"
801 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
802 # Open Ldb connection with the tested user
803 _ldb = self.get_ldb_connection(user_name, "samba123@")
804 # Change Schema partition descriptor
805 mod = "(A;CI;WDCC;;;AU)"
806 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
807 # Create example Schema class
808 class_name = self.get_unique_schema_class_name()
809 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
810 self.create_schema_class(_ldb, class_dn)
811 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
812 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
813 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
814 self.check_modify_inheritance(_ldb, class_dn)
815
816 # Custom descriptor tests ##################################################################
817
818 def test_138(self):
819 user_name = "testuser1"
820 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
821 # Open Ldb connection with the tested user
822 _ldb = self.get_ldb_connection(user_name, "samba123@")
823 # Change Schema partition descriptor
824 mod = "(A;;CC;;;AU)"
825 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
826 # Create a custom security descriptor
827 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
828 # Create example Schema class
829 class_name = self.get_unique_schema_class_name()
830 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
831 self.create_schema_class(_ldb, class_dn, desc_sddl)
832 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
833 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
834 self.assertEqual("O:DAG:DA", res)
835
836 def test_139(self):
837 user_name = "testuser2"
838 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
839 # Open Ldb connection with the tested user
840 _ldb = self.get_ldb_connection(user_name, "samba123@")
841 # Change Schema partition descriptor
842 mod = "(A;;CC;;;AU)"
843 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
844 # Create a custom security descriptor
845 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
846 # Create example Schema class
847 class_name = self.get_unique_schema_class_name()
848 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
849 self.create_schema_class(_ldb, class_dn, desc_sddl)
850 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
851 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
852 self.assertEqual("O:DAG:DA", res)
853
854 def test_140(self):
855 user_name = "testuser3"
856 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
857 # Open Ldb connection with the tested user
858 _ldb = self.get_ldb_connection(user_name, "samba123@")
859 # Create a custom security descriptor
860 # NB! Problematic owner part won't accept DA only <User Sid> !!!
861 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
862 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
863 # Create example Schema class
864 class_name = self.get_unique_schema_class_name()
865 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
866 self.create_schema_class(_ldb, class_dn, desc_sddl)
867 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
868 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
869 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
870
871 def test_141(self):
872 user_name = "testuser4"
873 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
874 # Open Ldb connection with the tested user
875 _ldb = self.get_ldb_connection(user_name, "samba123@")
876 # Create a custom security descriptor
877 # NB! Problematic owner part won't accept DA only <User Sid> !!!
878 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
879 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
880 # Create example Schema class
881 class_name = self.get_unique_schema_class_name()
882 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
883 self.create_schema_class(_ldb, class_dn, desc_sddl)
884 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
885 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
886 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
887
888 def test_142(self):
889 user_name = "testuser5"
890 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
891 # Open Ldb connection with the tested user
892 _ldb = self.get_ldb_connection(user_name, "samba123@")
893 # Change Schema partition descriptor
894 mod = "(A;;CC;;;AU)"
895 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
896 # Create a custom security descriptor
897 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
898 # Create example Schema class
899 class_name = self.get_unique_schema_class_name()
900 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
901 self.create_schema_class(_ldb, class_dn, desc_sddl)
902 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
903 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
904 self.assertEqual("O:DAG:DA", res)
905
906 def test_143(self):
907 user_name = "testuser6"
908 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
909 # Open Ldb connection with the tested user
910 _ldb = self.get_ldb_connection(user_name, "samba123@")
911 # Change Schema partition descriptor
912 mod = "(A;;CC;;;AU)"
913 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
914 # Create a custom security descriptor
915 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
916 # Create example Schema class
917 class_name = self.get_unique_schema_class_name()
918 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
919 self.create_schema_class(_ldb, class_dn, desc_sddl)
920 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
921 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
922 self.assertEqual("O:DAG:DA", res)
923
924 def test_144(self):
925 user_name = "testuser7"
926 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
927 # Open Ldb connection with the tested user
928 _ldb = self.get_ldb_connection(user_name, "samba123@")
929 # Change Schema partition descriptor
930 mod = "(A;;CC;;;AU)"
931 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
932 # Create a custom security descriptor
933 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
934 # Create example Schema class
935 class_name = self.get_unique_schema_class_name()
936 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
937 self.create_schema_class(_ldb, class_dn, desc_sddl)
938 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
939 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
940 self.assertEqual("O:DAG:DA", res)
941
942 def test_145(self):
943 user_name = "testuser8"
944 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
945 # Open Ldb connection with the tested user
946 _ldb = self.get_ldb_connection(user_name, "samba123@")
947 # Change Schema partition descriptor
948 mod = "(A;;CC;;;AU)"
949 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
950 # Create a custom security descriptor
951 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
952 # Create example Schema class
953 class_name = self.get_unique_schema_class_name()
954 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
955 self.create_schema_class(_ldb, class_dn, desc_sddl)
956 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
957 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
958 self.assertEqual("O:DAG:DA", res)
959
960 ## Tests for CONFIGURATION
961
962 # Defalt descriptor tests ##################################################################
963
964 def test_160(self):
965 user_name = "testuser1"
966 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
967 # Open Ldb connection with the tested user
968 _ldb = self.get_ldb_connection(user_name, "samba123@")
969 # Create example Configuration container
970 container_name = "test-container1"
971 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
972 delete_force(self.ldb_admin, object_dn)
973 self.create_configuration_container(_ldb, object_dn, )
974 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
975 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
976 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
977 self.check_modify_inheritance(_ldb, object_dn)
978
979 def test_161(self):
980 user_name = "testuser2"
981 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
982 # Open Ldb connection with the tested user
983 _ldb = self.get_ldb_connection(user_name, "samba123@")
984 # Create example Configuration container
985 container_name = "test-container1"
986 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
987 delete_force(self.ldb_admin, object_dn)
988 self.create_configuration_container(_ldb, object_dn, )
989 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
990 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
991 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
992 self.check_modify_inheritance(_ldb, object_dn)
993
994 def test_162(self):
995 user_name = "testuser3"
996 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
997 # Open Ldb connection with the tested user
998 _ldb = self.get_ldb_connection(user_name, "samba123@")
999 # Create example Configuration container
1000 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1001 delete_force(self.ldb_admin, object_dn)
1002 self.create_configuration_container(self.ldb_admin, object_dn, )
1003 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1004 mod = "(A;;WDCC;;;AU)"
1005 self.sd_utils.dacl_add_ace(object_dn, mod)
1006 # Create child object with user's credentials
1007 object_dn = "CN=test-specifier1," + object_dn
1008 delete_force(self.ldb_admin, object_dn)
1009 self.create_configuration_specifier(_ldb, object_dn)
1010 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1011 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1012 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1013 #self.check_modify_inheritance(_ldb, object_dn)
1014
1015 def test_163(self):
1016 user_name = "testuser4"
1017 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1018 # Open Ldb connection with the tested user
1019 _ldb = self.get_ldb_connection(user_name, "samba123@")
1020 # Create example Configuration container
1021 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1022 delete_force(self.ldb_admin, object_dn)
1023 self.create_configuration_container(self.ldb_admin, object_dn, )
1024 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1025 mod = "(A;CI;WDCC;;;AU)"
1026 self.sd_utils.dacl_add_ace(object_dn, mod)
1027 # Create child object with user's credentials
1028 object_dn = "CN=test-specifier1," + object_dn
1029 delete_force(self.ldb_admin, object_dn)
1030 self.create_configuration_specifier(_ldb, object_dn)
1031 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1032 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1033 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1034 #self.check_modify_inheritance(_ldb, object_dn)
1035
1036 def test_164(self):
1037 user_name = "testuser5"
1038 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1039 # Open Ldb connection with the tested user
1040 _ldb = self.get_ldb_connection(user_name, "samba123@")
1041 # Create example Configuration container
1042 container_name = "test-container1"
1043 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1044 delete_force(self.ldb_admin, object_dn)
1045 self.create_configuration_container(_ldb, object_dn, )
1046 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1047 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1048 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1049 self.check_modify_inheritance(_ldb, object_dn)
1050
1051 def test_165(self):
1052 user_name = "testuser6"
1053 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1054 # Open Ldb connection with the tested user
1055 _ldb = self.get_ldb_connection(user_name, "samba123@")
1056 # Create example Configuration container
1057 container_name = "test-container1"
1058 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1059 delete_force(self.ldb_admin, object_dn)
1060 self.create_configuration_container(_ldb, object_dn, )
1061 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1062 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1063 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1064 self.check_modify_inheritance(_ldb, object_dn)
1065
1066 def test_166(self):
1067 user_name = "testuser7"
1068 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1069 # Open Ldb connection with the tested user
1070 _ldb = self.get_ldb_connection(user_name, "samba123@")
1071 # Create example Configuration container
1072 container_name = "test-container1"
1073 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1074 delete_force(self.ldb_admin, object_dn)
1075 self.create_configuration_container(_ldb, object_dn, )
1076 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1077 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1078 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1079 self.check_modify_inheritance(_ldb, object_dn)
1080
1081 def test_167(self):
1082 user_name = "testuser8"
1083 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1084 # Open Ldb connection with the tested user
1085 _ldb = self.get_ldb_connection(user_name, "samba123@")
1086 # Create example Configuration container
1087 container_name = "test-container1"
1088 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1089 delete_force(self.ldb_admin, object_dn)
1090 self.create_configuration_container(_ldb, object_dn, )
1091 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1092 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1093 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1094 self.check_modify_inheritance(_ldb, object_dn)
1095
1096 # Custom descriptor tests ##################################################################
1097
1098 def test_168(self):
1099 user_name = "testuser1"
1100 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1101 # Open Ldb connection with the tested user
1102 _ldb = self.get_ldb_connection(user_name, "samba123@")
1103 # Create example Configuration container
1104 container_name = "test-container1"
1105 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1106 delete_force(self.ldb_admin, object_dn)
1107 # Create a custom security descriptor
1108 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1109 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1110 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1111 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1112 self.assertEqual("O:DAG:DA", res)
1113
1114 def test_169(self):
1115 user_name = "testuser2"
1116 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1117 # Open Ldb connection with the tested user
1118 _ldb = self.get_ldb_connection(user_name, "samba123@")
1119 # Create example Configuration container
1120 container_name = "test-container1"
1121 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1122 delete_force(self.ldb_admin, object_dn)
1123 # Create a custom security descriptor
1124 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1125 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1126 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1127 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1128 self.assertEqual("O:DAG:DA", res)
1129
1130 def test_170(self):
1131 user_name = "testuser3"
1132 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1133 # Open Ldb connection with the tested user
1134 _ldb = self.get_ldb_connection(user_name, "samba123@")
1135 # Create example Configuration container
1136 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1137 delete_force(self.ldb_admin, object_dn)
1138 self.create_configuration_container(self.ldb_admin, object_dn, )
1139 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1140 mod = "(A;;CC;;;AU)"
1141 self.sd_utils.dacl_add_ace(object_dn, mod)
1142 # Create child object with user's credentials
1143 object_dn = "CN=test-specifier1," + object_dn
1144 delete_force(self.ldb_admin, object_dn)
1145 # Create a custom security descriptor
1146 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1147 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1148 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1149 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1150 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1151 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1152
1153 def test_171(self):
1154 user_name = "testuser4"
1155 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1156 # Open Ldb connection with the tested user
1157 _ldb = self.get_ldb_connection(user_name, "samba123@")
1158 # Create example Configuration container
1159 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1160 delete_force(self.ldb_admin, object_dn)
1161 self.create_configuration_container(self.ldb_admin, object_dn, )
1162 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1163 mod = "(A;;CC;;;AU)"
1164 self.sd_utils.dacl_add_ace(object_dn, mod)
1165 # Create child object with user's credentials
1166 object_dn = "CN=test-specifier1," + object_dn
1167 delete_force(self.ldb_admin, object_dn)
1168 # Create a custom security descriptor
1169 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1170 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1171 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1172 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1173 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1174 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1175
1176 def test_172(self):
1177 user_name = "testuser5"
1178 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1179 # Open Ldb connection with the tested user
1180 _ldb = self.get_ldb_connection(user_name, "samba123@")
1181 # Create example Configuration container
1182 container_name = "test-container1"
1183 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1184 delete_force(self.ldb_admin, object_dn)
1185 # Create a custom security descriptor
1186 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1187 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1188 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1189 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1190 self.assertEqual("O:DAG:DA", res)
1191
1192 def test_173(self):
1193 user_name = "testuser6"
1194 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1195 # Open Ldb connection with the tested user
1196 _ldb = self.get_ldb_connection(user_name, "samba123@")
1197 # Create example Configuration container
1198 container_name = "test-container1"
1199 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1200 delete_force(self.ldb_admin, object_dn)
1201 # Create a custom security descriptor
1202 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1203 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1204 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1205 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1206 self.assertEqual("O:DAG:DA", res)
1207
1208 def test_174(self):
1209 user_name = "testuser7"
1210 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1211 # Open Ldb connection with the tested user
1212 _ldb = self.get_ldb_connection(user_name, "samba123@")
1213 # Create example Configuration container
1214 container_name = "test-container1"
1215 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1216 delete_force(self.ldb_admin, object_dn)
1217 # Create a custom security descriptor
1218 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1219 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1220 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1221 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1222 self.assertEqual("O:DAG:DA", res)
1223
1224 def test_175(self):
1225 user_name = "testuser8"
1226 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1227 # Open Ldb connection with the tested user
1228 _ldb = self.get_ldb_connection(user_name, "samba123@")
1229 # Create example Configuration container
1230 container_name = "test-container1"
1231 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1232 delete_force(self.ldb_admin, object_dn)
1233 # Create a custom security descriptor
1234 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1235 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1236 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1237 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1238 self.assertEqual("O:DAG:DA", res)
1239
1240 ########################################################################################
1241 # Inharitance tests for DACL
1242
1243 class DaclDescriptorTests(DescriptorTests):
1244
1245 def deleteAll(self):
1246 delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1247 delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1248
1249 def setUp(self):
1250 super(DaclDescriptorTests, self).setUp()
1251 self.deleteAll()
1252
1253 def create_clean_ou(self, object_dn):
1254 """ Base repeating setup for unittests to follow """
1255 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1256 expression="distinguishedName=%s" % object_dn)
1257 # Make sure top testing OU has been deleted before starting the test
1258 self.assertEqual(res, [])
1259 self.ldb_admin.create_ou(object_dn)
1260 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1261 # Make sure there are inheritable ACEs initially
1262 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1263 # Find and remove all inherit ACEs
1264 res = re.findall("\(.*?\)", desc_sddl)
1265 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1266 for x in res:
1267 desc_sddl = desc_sddl.replace(x, "")
1268 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1269 # can propagate from above
1270 # remove SACL, we are not interested
1271 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1272 self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
1273 # Verify all inheritable ACEs are gone
1274 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1275 self.assertFalse("CI" in desc_sddl)
1276 self.assertFalse("OI" in desc_sddl)
1277
1278 def test_200(self):
1279 """ OU with protected flag and child group. See if the group has inherit ACEs.
1280 """
1281 ou_dn = "OU=test_inherit_ou," + self.base_dn
1282 group_dn = "CN=test_inherit_group," + ou_dn
1283 # Create inheritable-free OU
1284 self.create_clean_ou(ou_dn)
1285 # Create group child object
1286 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1287 # Make sure created group object contains NO inherit ACEs
1288 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1289 self.assertFalse("ID" in desc_sddl)
1290
1291 def test_201(self):
1292 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1293 Verify group has custom and default ACEs only.
1294 """
1295 ou_dn = "OU=test_inherit_ou," + self.base_dn
1296 group_dn = "CN=test_inherit_group," + ou_dn
1297 # Create inheritable-free OU
1298 self.create_clean_ou(ou_dn)
1299 # Create group child object using custom security descriptor
1300 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1301 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1302 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1303 # Make sure created group descriptor has NO additional ACEs
1304 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1305 self.assertEqual(desc_sddl, sddl)
1306 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1307 self.sd_utils.modify_sd_on_dn(group_dn, sddl)
1308 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1309 self.assertEqual(desc_sddl, sddl)
1310
1311 def test_202(self):
1312 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1313 See if the group has any of the added ACEs.
1314 """
1315 ou_dn = "OU=test_inherit_ou," + self.base_dn
1316 group_dn = "CN=test_inherit_group," + ou_dn
1317 # Create inheritable-free OU
1318 self.create_clean_ou(ou_dn)
1319 # Add some custom non-inheritable ACEs
1320 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1321 moded = "(D;;CC;;;LG)"
1322 self.sd_utils.dacl_add_ace(ou_dn, mod)
1323 # Verify all inheritable ACEs are gone
1324 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1325 # Create group child object
1326 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1327 # Make sure created group object contains NO inherit ACEs
1328 # also make sure the added above non-inheritable ACEs are absent too
1329 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1330 self.assertFalse("ID" in desc_sddl)
1331 for x in re.findall("\(.*?\)", mod):
1332 self.assertFalse(x in desc_sddl)
1333 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1334 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1335 self.assertFalse("ID" in desc_sddl)
1336 for x in re.findall("\(.*?\)", mod):
1337 self.assertFalse(x in desc_sddl)
1338
1339 def test_203(self):
1340 """ OU with protected flag and add 'CI' ACE, child group.
1341 See if the group has the added inherited ACE.
1342 """
1343 ou_dn = "OU=test_inherit_ou," + self.base_dn
1344 group_dn = "CN=test_inherit_group," + ou_dn
1345 # Create inheritable-free OU
1346 self.create_clean_ou(ou_dn)
1347 # Add some custom 'CI' ACE
1348 mod = "(D;CI;WP;;;DU)"
1349 moded = "(D;;CC;;;LG)"
1350 self.sd_utils.dacl_add_ace(ou_dn, mod)
1351 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1352 # Create group child object
1353 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1354 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1355 # Make sure created group object contains only the above inherited ACE
1356 # that we've added manually
1357 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1358 mod = mod.replace(";CI;", ";CIID;")
1359 self.assertTrue(mod in desc_sddl)
1360 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1361 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1362 self.assertTrue(moded in desc_sddl)
1363 self.assertTrue(mod in desc_sddl)
1364
1365 def test_204(self):
1366 """ OU with protected flag and add 'OI' ACE, child group.
1367 See if the group has the added inherited ACE.
1368 """
1369 ou_dn = "OU=test_inherit_ou," + self.base_dn
1370 group_dn = "CN=test_inherit_group," + ou_dn
1371 # Create inheritable-free OU
1372 self.create_clean_ou(ou_dn)
1373 # Add some custom 'CI' ACE
1374 mod = "(D;OI;WP;;;DU)"
1375 moded = "(D;;CC;;;LG)"
1376 self.sd_utils.dacl_add_ace(ou_dn, mod)
1377 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1378 # Create group child object
1379 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1380 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1381 # Make sure created group object contains only the above inherited ACE
1382 # that we've added manually
1383 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1384 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1385 self.assertTrue(mod in desc_sddl)
1386 self.sd_utils.modify_sd_on_dn(group_dn, "D:" +moded)
1387 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1388 self.assertTrue(moded in desc_sddl)
1389 self.assertTrue(mod in desc_sddl)
1390
1391 def test_205(self):
1392 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1393 See if the group has the added inherited ACE.
1394 """
1395 ou_dn = "OU=test_inherit_ou," + self.base_dn
1396 group_dn = "CN=test_inherit_group," + ou_dn
1397 # Create inheritable-free OU
1398 self.create_clean_ou(ou_dn)
1399 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1400 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1401 moded = "(D;;CC;;;LG)"
1402 self.sd_utils.dacl_add_ace(ou_dn, mod)
1403 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1404 # Create group child object
1405 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1406 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1407 # Make sure created group object contains only the above inherited ACE
1408 # that we've added manually
1409 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1410 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1411 self.assertTrue(mod in desc_sddl)
1412 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1413 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1414 self.assertTrue(moded in desc_sddl)
1415 self.assertTrue(mod in desc_sddl)
1416
1417 def test_206(self):
1418 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1419 See if the group has the added inherited ACE.
1420 """
1421 ou_dn = "OU=test_inherit_ou," + self.base_dn
1422 group_dn = "CN=test_inherit_group," + ou_dn
1423 # Create inheritable-free OU
1424 self.create_clean_ou(ou_dn)
1425 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1426 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1427 moded = "(D;;CC;;;LG)"
1428 self.sd_utils.dacl_add_ace(ou_dn, mod)
1429 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1430 # Create group child object
1431 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1432 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1433 # Make sure created group object contains only the above inherited ACE
1434 # that we've added manually
1435 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1436 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1437 self.assertTrue(mod in desc_sddl)
1438 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1439 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1440 self.assertTrue(moded in desc_sddl)
1441 self.assertTrue(mod in desc_sddl)
1442
1443 def test_207(self):
1444 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1445 See if the group has the added inherited ACE.
1446 """
1447 ou_dn = "OU=test_inherit_ou," + self.base_dn
1448 group_dn = "CN=test_inherit_group," + ou_dn
1449 # Create inheritable-free OU
1450 self.create_clean_ou(ou_dn)
1451 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1452 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1453 moded = "(D;;CC;;;LG)"
1454 self.sd_utils.dacl_add_ace(ou_dn, mod)
1455 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1456 # Create group child object
1457 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1458 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1459 # Make sure created group object contains only the above inherited ACE
1460 # that we've added manually
1461 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1462 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1463 self.assertTrue(mod in desc_sddl)
1464 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1465 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1466 self.assertTrue(moded in desc_sddl)
1467 self.assertTrue(mod in desc_sddl)
1468
1469 def test_208(self):
1470 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1471 See if the group has the added inherited ACE.
1472 """
1473 ou_dn = "OU=test_inherit_ou," + self.base_dn
1474 group_dn = "CN=test_inherit_group," + ou_dn
1475 # Create inheritable-free OU
1476 self.create_clean_ou(ou_dn)
1477 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1478 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1479 moded = "(D;;CC;;;LG)"
1480 self.sd_utils.dacl_add_ace(ou_dn, mod)
1481 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1482 # Create group child object
1483 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1484 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1485 # Make sure created group object contains only the above inherited ACE
1486 # that we've added manually
1487 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1488 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1489 self.assertTrue(mod in desc_sddl)
1490 self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1491 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1492 self.assertTrue(moded in desc_sddl)
1493 self.assertTrue(mod in desc_sddl)
1494
1495 def test_209(self):
1496 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1497 See if the group has the added inherited ACE.
1498 """
1499 ou_dn = "OU=test_inherit_ou," + self.base_dn
1500 group_dn = "CN=test_inherit_group," + ou_dn
1501 # Create inheritable-free OU
1502 self.create_clean_ou(ou_dn)
1503 # Add some custom 'CI' ACE
1504 mod = "(D;CI;WP;;;CO)"
1505 moded = "(D;;CC;;;LG)"
1506 self.sd_utils.dacl_add_ace(ou_dn, mod)
1507 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1508 # Create group child object
1509 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1510 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1511 # Make sure created group object contains only the above inherited ACE(s)
1512 # that we've added manually
1513 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1514 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1515 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1516 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1517 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1518 self.assertTrue(moded in desc_sddl)
1519 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1520 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1521
1522 def test_210(self):
1523 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1524 """
1525 ou_dn = "OU=test_inherit_ou," + self.base_dn
1526 group_dn = "CN=test_inherit_group," + ou_dn
1527 self.create_clean_ou(ou_dn)
1528 # Add some custom ACE
1529 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1530 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1531 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1532 # Make sure created group object does not contain the ID ace
1533 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1534 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1535
1536 def test_211(self):
1537 """ Provide ACE with CO SID, should be expanded and replaced
1538 """
1539 ou_dn = "OU=test_inherit_ou," + self.base_dn
1540 group_dn = "CN=test_inherit_group," + ou_dn
1541 # Create inheritable-free OU
1542 self.create_clean_ou(ou_dn)
1543 # Add some custom 'CI' ACE
1544 mod = "D:(D;CI;WP;;;CO)"
1545 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1546 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1547 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1548 self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
1549
1550 def test_212(self):
1551 """ Provide ACE with IO flag, should be ignored
1552 """
1553 ou_dn = "OU=test_inherit_ou," + self.base_dn
1554 group_dn = "CN=test_inherit_group," + ou_dn
1555 # Create inheritable-free OU
1556 self.create_clean_ou(ou_dn)
1557 # Add some custom 'CI' ACE
1558 mod = "D:(D;CIIO;WP;;;CO)"
1559 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1560 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1561 # Make sure created group object contains only the above inherited ACE(s)
1562 # that we've added manually
1563 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1564 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1565 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1566 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1567
1568 def test_213(self):
1569 """ Provide ACE with IO flag, should be ignored
1570 """
1571 ou_dn = "OU=test_inherit_ou," + self.base_dn
1572 group_dn = "CN=test_inherit_group," + ou_dn
1573 # Create inheritable-free OU
1574 self.create_clean_ou(ou_dn)
1575 mod = "D:(D;IO;WP;;;DA)"
1576 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1577 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1578 # Make sure created group object contains only the above inherited ACE(s)
1579 # that we've added manually
1580 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1581 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1582
1583 ########################################################################################
1584
1585
1586 class SdFlagsDescriptorTests(DescriptorTests):
1587 def deleteAll(self):
1588 delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1589
1590 def setUp(self):
1591 super(SdFlagsDescriptorTests, self).setUp()
1592 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1593 self.deleteAll()
1594
1595 def test_301(self):
1596 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1597 See that only the owner has been changed.
1598 """
1599 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1600 self.ldb_admin.create_ou(ou_dn)
1601 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1602 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1603 # make sure we have modified the owner
1604 self.assertTrue("O:AU" in desc_sddl)
1605 # make sure nothing else has been modified
1606 self.assertFalse("G:AU" in desc_sddl)
1607 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1608 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1609
1610 def test_302(self):
1611 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1612 See that only the owner has been changed.
1613 """
1614 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1615 self.ldb_admin.create_ou(ou_dn)
1616 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1617 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1618 # make sure we have modified the group
1619 self.assertTrue("G:AU" in desc_sddl)
1620 # make sure nothing else has been modified
1621 self.assertFalse("O:AU" in desc_sddl)
1622 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1623 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1624
1625 def test_303(self):
1626 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1627 See that only the owner has been changed.
1628 """
1629 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1630 self.ldb_admin.create_ou(ou_dn)
1631 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1632 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1633 # make sure we have modified the DACL
1634 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1635 # make sure nothing else has been modified
1636 self.assertFalse("O:AU" in desc_sddl)
1637 self.assertFalse("G:AU" in desc_sddl)
1638 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1639
1640 def test_304(self):
1641 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1642 See that only the owner has been changed.
1643 """
1644 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1645 self.ldb_admin.create_ou(ou_dn)
1646 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1647 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1648 # make sure we have modified the DACL
1649 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1650 # make sure nothing else has been modified
1651 self.assertFalse("O:AU" in desc_sddl)
1652 self.assertFalse("G:AU" in desc_sddl)
1653 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1654
1655 def test_305(self):
1656 """ Modify a descriptor with 0x0 set.
1657 Contrary to logic this is interpreted as no control,
1658 which is the same as 0xF
1659 """
1660 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1661 self.ldb_admin.create_ou(ou_dn)
1662 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1663 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1664 # make sure we have modified the DACL
1665 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1666 # make sure nothing else has been modified
1667 self.assertTrue("O:AU" in desc_sddl)
1668 self.assertTrue("G:AU" in desc_sddl)
1669 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1670
1671 def test_306(self):
1672 """ Modify a descriptor with 0xF set.
1673 """
1674 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1675 self.ldb_admin.create_ou(ou_dn)
1676 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1677 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1678 # make sure we have modified the DACL
1679 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1680 # make sure nothing else has been modified
1681 self.assertTrue("O:AU" in desc_sddl)
1682 self.assertTrue("G:AU" in desc_sddl)
1683 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1684
1685 def test_307(self):
1686 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1687 Only the owner part should be returned.
1688 """
1689 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1690 self.ldb_admin.create_ou(ou_dn)
1691 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1692 # make sure we have read the owner
1693 self.assertTrue("O:" in desc_sddl)
1694 # make sure we have read nothing else
1695 self.assertFalse("G:" in desc_sddl)
1696 self.assertFalse("D:" in desc_sddl)
1697 self.assertFalse("S:" in desc_sddl)
1698
1699 def test_308(self):
1700 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1701 Only the group part should be returned.
1702 """
1703 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1704 self.ldb_admin.create_ou(ou_dn)
1705 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1706 # make sure we have read the owner
1707 self.assertTrue("G:" in desc_sddl)
1708 # make sure we have read nothing else
1709 self.assertFalse("O:" in desc_sddl)
1710 self.assertFalse("D:" in desc_sddl)
1711 self.assertFalse("S:" in desc_sddl)
1712
1713 def test_309(self):
1714 """ Read a descriptor with SACL_SECURITY_INFORMATION
1715 Only the sacl part should be returned.
1716 """
1717 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1718 self.ldb_admin.create_ou(ou_dn)
1719 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1720 # make sure we have read the owner
1721 self.assertTrue("S:" in desc_sddl)
1722 # make sure we have read nothing else
1723 self.assertFalse("O:" in desc_sddl)
1724 self.assertFalse("D:" in desc_sddl)
1725 self.assertFalse("G:" in desc_sddl)
1726
1727 def test_310(self):
1728 """ Read a descriptor with DACL_SECURITY_INFORMATION
1729 Only the dacl part should be returned.
1730 """
1731 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1732 self.ldb_admin.create_ou(ou_dn)
1733 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1734 # make sure we have read the owner
1735 self.assertTrue("D:" in desc_sddl)
1736 # make sure we have read nothing else
1737 self.assertFalse("O:" in desc_sddl)
1738 self.assertFalse("S:" in desc_sddl)
1739 self.assertFalse("G:" in desc_sddl)
1740
1741
1742 class RightsAttributesTests(DescriptorTests):
1743
1744 def deleteAll(self):
1745 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1746 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1747 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1748
1749 def setUp(self):
1750 super(RightsAttributesTests, self).setUp()
1751 self.deleteAll()
1752 ### Create users
1753 # User 1
1754 self.ldb_admin.newuser("testuser_attr", "samba123@")
1755 # User 2, Domain Admins
1756 self.ldb_admin.newuser("testuser_attr2", "samba123@")
1757 self.ldb_admin.add_remove_group_members("Domain Admins",
1758 "testuser_attr2",
1759 add_members_operation=True)
1760
1761 def test_sDRightsEffective(self):
1762 object_dn = "OU=test_domain_ou1," + self.base_dn
1763 delete_force(self.ldb_admin, object_dn)
1764 self.ldb_admin.create_ou(object_dn)
1765 print self.get_users_domain_dn("testuser_attr")
1766 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1767 #give testuser1 read access so attributes can be retrieved
1768 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1769 self.sd_utils.dacl_add_ace(object_dn, mod)
1770 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1771 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1772 attrs=["sDRightsEffective"])
1773 #user whould have no rights at all
1774 self.assertEquals(len(res), 1)
1775 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1776 #give the user Write DACL and see what happens
1777 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1778 self.sd_utils.dacl_add_ace(object_dn, mod)
1779 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1780 attrs=["sDRightsEffective"])
1781 #user whould have DACL_SECURITY_INFORMATION
1782 self.assertEquals(len(res), 1)
1783 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1784 #give the user Write Owners and see what happens
1785 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1786 self.sd_utils.dacl_add_ace(object_dn, mod)
1787 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1788 attrs=["sDRightsEffective"])
1789 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1790 self.assertEquals(len(res), 1)
1791 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1792 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1793 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1794 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1795 attrs=["sDRightsEffective"])
1796 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1797 self.assertEquals(len(res), 1)
1798 self.assertEquals(res[0]["sDRightsEffective"][0], \
1799 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1800
1801 def test_allowedChildClassesEffective(self):
1802 object_dn = "OU=test_domain_ou1," + self.base_dn
1803 delete_force(self.ldb_admin, object_dn)
1804 self.ldb_admin.create_ou(object_dn)
1805 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1806 #give testuser1 read access so attributes can be retrieved
1807 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1808 self.sd_utils.dacl_add_ace(object_dn, mod)
1809 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1810 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1811 attrs=["allowedChildClassesEffective"])
1812 #there should be no allowed child classes
1813 self.assertEquals(len(res), 1)
1814 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1815 #give the user the right to create children of type user
1816 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1817 self.sd_utils.dacl_add_ace(object_dn, mod)
1818 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1819 attrs=["allowedChildClassesEffective"])
1820 # allowedChildClassesEffective should only have one value, user
1821 self.assertEquals(len(res), 1)
1822 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1823 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1824
1825 def test_allowedAttributesEffective(self):
1826 object_dn = "OU=test_domain_ou1," + self.base_dn
1827 delete_force(self.ldb_admin, object_dn)
1828 self.ldb_admin.create_ou(object_dn)
1829 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1830 #give testuser1 read access so attributes can be retrieved
1831 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1832 self.sd_utils.dacl_add_ace(object_dn, mod)
1833 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1834 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1835 attrs=["allowedAttributesEffective"])
1836 #there should be no allowed attributes
1837 self.assertEquals(len(res), 1)
1838 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1839 #give the user the right to write displayName and managedBy
1840 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1841 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1842 # also rights to modify an read only attribute, fromEntry
1843 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1844 self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
1845 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1846 attrs=["allowedAttributesEffective"])
1847 # value should only contain user and managedBy
1848 self.assertEquals(len(res), 1)
1849 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1850 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1851 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1852
1853 if not "://" in host:
1854 if os.path.isfile(host):
1855 host = "tdb://%s" % host
1856 else:
1857 host = "ldap://%s" % host
1858
1859 # use 'paged_search' module when connecting remotely
1860 if host.lower().startswith("ldap://"):
1861 ldb_options = ["modules:paged_searches"]
1862
1863 ldb = SamDB(host,
1864 credentials=creds,
1865 session_info=system_session(lp),
1866 lp=lp,
1867 options=ldb_options)
1868
1869 runner = SubunitTestRunner()
1870 rc = 0
1871 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1872 rc = 1
1873 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1874 rc = 1
1875 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1876 rc = 1
1877 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
1878 rc = 1
1879 sys.exit(rc)
Samba GIT mirror