search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Implementation of sDRightsEffective, allowedAttributesEffective and allowedChildClass...
[Samba.git] / source4 / lib / ldb / tests / python / sec_descriptor.py
blobe420cec3bd1ea11667fc6cc34eabd34bac397a6b
1 #!/usr/bin/python
2 # -*- coding: utf-8 -*-
3
4 import getopt
5 import optparse
6 import sys
7 import os
8 import base64
9 import re
10 import random
11 import time
12
13 sys.path.append("bin/python")
14 sys.path.append("../lib/subunit/python")
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
20 from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
21 from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
22
23 # For running the test unit
24 from samba.ndr import ndr_pack, ndr_unpack
25 from samba.dcerpc import security
26
27 from samba.auth import system_session
28 from samba import Ldb, DS_DOMAIN_FUNCTION_2008, SECINFO_OWNER, \
29 SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL
30 from subunit import SubunitTestRunner
31 import unittest
32
33 parser = optparse.OptionParser("sec_descriptor [options] <host>")
34 sambaopts = options.SambaOptions(parser)
35 parser.add_option_group(sambaopts)
36 parser.add_option_group(options.VersionOptions(parser))
37
38 # use command line creds if available
39 credopts = options.CredentialsOptions(parser)
40 parser.add_option_group(credopts)
41 opts, args = parser.parse_args()
42
43 if len(args) < 1:
44 parser.print_usage()
45 sys.exit(1)
46
47 host = args[0]
48
49 lp = sambaopts.get_loadparm()
50 creds = credopts.get_credentials(lp)
51
52 #
53 # Tests start here
54 #
55
56 class DescriptorTests(unittest.TestCase):
57
58 def delete_force(self, ldb, dn):
59 try:
60 ldb.delete(dn)
61 except LdbError, (num, _):
62 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
63
64 def find_basedn(self, ldb):
65 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
66 attrs=["defaultNamingContext"])
67 self.assertEquals(len(res), 1)
68 return res[0]["defaultNamingContext"][0]
69
70 def find_configurationdn(self, ldb):
71 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
72 self.assertEquals(len(res), 1)
73 return res[0]["configurationNamingContext"][0]
74
75 def find_schemadn(self, ldb):
76 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
77 self.assertEquals(len(res), 1)
78 return res[0]["schemaNamingContext"][0]
79
80 def find_domain_sid(self, ldb):
81 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
82 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
83
84 def get_users_domain_dn(self, name):
85 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
86
87 def modify_desc(self, _ldb, object_dn, desc, controls=None):
88 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
89 mod = """
90 dn: """ + object_dn + """
91 changetype: modify
92 replace: nTSecurityDescriptor
93 """
94 if isinstance(desc, str):
95 mod += "nTSecurityDescriptor: %s" % desc
96 elif isinstance(desc, security.descriptor):
97 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
98 _ldb.modify_ldif(mod, controls)
99
100 def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
101 ldif = """
102 dn: """ + ou_dn + """
103 ou: """ + ou_dn.split(",")[0][3:] + """
104 objectClass: organizationalUnit
105 url: www.example.com
106 """
107 if desc:
108 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
109 if isinstance(desc, str):
110 ldif += "nTSecurityDescriptor: %s" % desc
111 elif isinstance(desc, security.descriptor):
112 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
113 _ldb.add_ldif(ldif, controls)
114
115 def create_domain_user(self, _ldb, user_dn, desc=None):
116 ldif = """
117 dn: """ + user_dn + """
118 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
119 objectClass: user
120 userPassword: samba123@
121 url: www.example.com
122 """
123 if desc:
124 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
125 if isinstance(desc, str):
126 ldif += "nTSecurityDescriptor: %s" % desc
127 elif isinstance(desc, security.descriptor):
128 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
129 _ldb.add_ldif(ldif)
130
131 def create_domain_group(self, _ldb, group_dn, desc=None):
132 ldif = """
133 dn: """ + group_dn + """
134 objectClass: group
135 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
136 groupType: 4
137 url: www.example.com
138 """
139 if desc:
140 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
141 if isinstance(desc, str):
142 ldif += "nTSecurityDescriptor: %s" % desc
143 elif isinstance(desc, security.descriptor):
144 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
145 _ldb.add_ldif(ldif)
146
147 def get_unique_schema_class_name(self):
148 while True:
149 class_name = "test-class%s" % random.randint(1,100000)
150 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
151 try:
152 self.ldb_admin.search(base=class_dn, attrs=["*"])
153 except LdbError, (num, _):
154 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
155 return class_name
156
157 def create_schema_class(self, _ldb, object_dn, desc=None):
158 ldif = """
159 dn: """ + object_dn + """
160 objectClass: classSchema
161 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
162 defaultObjectCategory: """ + object_dn + """
163 distinguishedName: """ + object_dn + """
164 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
165 instanceType: 4
166 objectClassCategory: 1
167 subClassOf: organizationalPerson
168 systemFlags: 16
169 rDNAttID: cn
170 systemMustContain: cn
171 systemOnly: FALSE
172 """
173 if desc:
174 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
175 if isinstance(desc, str):
176 ldif += "nTSecurityDescriptor: %s" % desc
177 elif isinstance(desc, security.descriptor):
178 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
179 _ldb.add_ldif(ldif)
180
181 def create_configuration_container(self, _ldb, object_dn, desc=None):
182 ldif = """
183 dn: """ + object_dn + """
184 objectClass: container
185 objectCategory: CN=Container,""" + self.schema_dn + """
186 showInAdvancedViewOnly: TRUE
187 instanceType: 4
188 """
189 if desc:
190 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
191 if isinstance(desc, str):
192 ldif += "nTSecurityDescriptor: %s" % desc
193 elif isinstance(desc, security.descriptor):
194 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
195 _ldb.add_ldif(ldif)
196
197 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
198 ldif = """
199 dn: """ + object_dn + """
200 objectClass: displaySpecifier
201 showInAdvancedViewOnly: TRUE
202 """
203 if desc:
204 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
205 if isinstance(desc, str):
206 ldif += "nTSecurityDescriptor: %s" % desc
207 elif isinstance(desc, security.descriptor):
208 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
209 _ldb.add_ldif(ldif)
210
211 def read_desc(self, object_dn, controls=None):
212 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
213 desc = res[0]["nTSecurityDescriptor"][0]
214 return ndr_unpack(security.descriptor, desc)
215
216 def enable_account(self, user_dn):
217 """Enable an account.
218 :param user_dn: Dn of the account to enable.
219 """
220 res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
221 assert len(res) == 1
222 userAccountControl = res[0]["userAccountControl"][0]
223 userAccountControl = int(userAccountControl)
224 if (userAccountControl & 0x2):
225 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
226 if (userAccountControl & 0x20):
227 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
228 mod = """
229 dn: """ + user_dn + """
230 changetype: modify
231 replace: userAccountControl
232 userAccountControl: %s""" % userAccountControl
233 if self.WIN2003:
234 mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
235 self.ldb_admin.modify_ldif(mod)
236
237 def get_ldb_connection(self, target_username, target_password):
238 username_save = creds.get_username(); password_save = creds.get_password()
239 creds.set_username(target_username)
240 creds.set_password(target_password)
241 ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
242 creds.set_username(username_save); creds.set_password(password_save)
243 return ldb_target
244
245 def get_object_sid(self, object_dn):
246 res = self.ldb_admin.search(object_dn)
247 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
248
249 def dacl_add_ace(self, object_dn, ace):
250 desc = self.read_desc( object_dn )
251 desc_sddl = desc.as_sddl( self.domain_sid )
252 if ace in desc_sddl:
253 return
254 if desc_sddl.find("(") >= 0:
255 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
256 else:
257 desc_sddl = desc_sddl + ace
258 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
259
260 def get_desc_sddl(self, object_dn, controls=None):
261 """ Return object nTSecutiryDescriptor in SDDL format
262 """
263 desc = self.read_desc(object_dn, controls)
264 return desc.as_sddl(self.domain_sid)
265
266 def setUp(self):
267 self.ldb_admin = ldb
268 self.base_dn = self.find_basedn(self.ldb_admin)
269 self.configuration_dn = self.find_configurationdn(self.ldb_admin)
270 self.schema_dn = self.find_schemadn(self.ldb_admin)
271 self.domain_sid = self.find_domain_sid(self.ldb_admin)
272 print "baseDN: %s" % self.base_dn
273 self.SAMBA = False; self.WIN2003 = False
274 res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"])
275 if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]:
276 self.SAMBA = True
277 else:
278 self.WIN2003 = True
279
280 ################################################################################################
281
282 ## Tests for DOMAIN
283
284 # Default descriptor tests #####################################################################
285
286 class OwnerGroupDescriptorTests(DescriptorTests):
287
288 def setUp(self):
289 DescriptorTests.setUp(self)
290 if self.SAMBA:
291 ### Create users
292 # User 1
293 user_dn = self.get_users_domain_dn("testuser1")
294 self.create_domain_user(self.ldb_admin, user_dn)
295 self.enable_account(user_dn)
296 ldif = """
297 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
298 changetype: add
299 member: """ + user_dn
300 self.ldb_admin.modify_ldif(ldif)
301 # User 2
302 user_dn = self.get_users_domain_dn("testuser2")
303 self.create_domain_user(self.ldb_admin, user_dn)
304 self.enable_account(user_dn)
305 ldif = """
306 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
307 changetype: add
308 member: """ + user_dn
309 self.ldb_admin.modify_ldif(ldif)
310 # User 3
311 user_dn = self.get_users_domain_dn("testuser3")
312 self.create_domain_user(self.ldb_admin, user_dn)
313 self.enable_account(user_dn)
314 ldif = """
315 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
316 changetype: add
317 member: """ + user_dn
318 self.ldb_admin.modify_ldif(ldif)
319 # User 4
320 user_dn = self.get_users_domain_dn("testuser4")
321 self.create_domain_user(self.ldb_admin, user_dn)
322 self.enable_account(user_dn)
323 # User 5
324 user_dn = self.get_users_domain_dn("testuser5")
325 self.create_domain_user(self.ldb_admin, user_dn)
326 self.enable_account(user_dn)
327 ldif = """
328 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
329 changetype: add
330 member: """ + user_dn + """
331
332 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
333 changetype: add
334 member: """ + user_dn
335 self.ldb_admin.modify_ldif(ldif)
336 # User 6
337 user_dn = self.get_users_domain_dn("testuser6")
338 self.create_domain_user(self.ldb_admin, user_dn)
339 self.enable_account(user_dn)
340 ldif = """
341 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
342 changetype: add
343 member: """ + user_dn + """
344
345 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
346 changetype: add
347 member: """ + user_dn + """
348
349 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
350 changetype: add
351 member: """ + user_dn
352 self.ldb_admin.modify_ldif(ldif)
353 # User 7
354 user_dn = self.get_users_domain_dn("testuser7")
355 self.create_domain_user(self.ldb_admin, user_dn)
356 self.enable_account(user_dn)
357 ldif = """
358 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
359 changetype: add
360 member: """ + user_dn + """
361
362 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
363 changetype: add
364 member: """ + user_dn
365 self.ldb_admin.modify_ldif(ldif)
366 # User 8
367 user_dn = self.get_users_domain_dn("testuser8")
368 self.create_domain_user(self.ldb_admin, user_dn)
369 self.enable_account(user_dn)
370 ldif = """
371 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
372 changetype: add
373 member: """ + user_dn + """
374
375 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
376 changetype: add
377 member: """ + user_dn
378 self.ldb_admin.modify_ldif(ldif)
379 self.results = {
380 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
381 "ds_behavior_win2003" : {
382 "100" : "O:EAG:DU",
383 "101" : "O:DAG:DU",
384 "102" : "O:%sG:DU",
385 "103" : "O:%sG:DU",
386 "104" : "O:DAG:DU",
387 "105" : "O:DAG:DU",
388 "106" : "O:DAG:DU",
389 "107" : "O:EAG:DU",
390 "108" : "O:DAG:DA",
391 "109" : "O:DAG:DA",
392 "110" : "O:%sG:DA",
393 "111" : "O:%sG:DA",
394 "112" : "O:DAG:DA",
395 "113" : "O:DAG:DA",
396 "114" : "O:DAG:DA",
397 "115" : "O:DAG:DA",
398 "130" : "O:EAG:DU",
399 "131" : "O:DAG:DU",
400 "132" : "O:SAG:DU",
401 "133" : "O:%sG:DU",
402 "134" : "O:EAG:DU",
403 "135" : "O:SAG:DU",
404 "136" : "O:SAG:DU",
405 "137" : "O:SAG:DU",
406 "138" : "O:DAG:DA",
407 "139" : "O:DAG:DA",
408 "140" : "O:%sG:DA",
409 "141" : "O:%sG:DA",
410 "142" : "O:DAG:DA",
411 "143" : "O:DAG:DA",
412 "144" : "O:DAG:DA",
413 "145" : "O:DAG:DA",
414 "160" : "O:EAG:DU",
415 "161" : "O:DAG:DU",
416 "162" : "O:%sG:DU",
417 "163" : "O:%sG:DU",
418 "164" : "O:EAG:DU",
419 "165" : "O:EAG:DU",
420 "166" : "O:DAG:DU",
421 "167" : "O:EAG:DU",
422 "168" : "O:DAG:DA",
423 "169" : "O:DAG:DA",
424 "170" : "O:%sG:DA",
425 "171" : "O:%sG:DA",
426 "172" : "O:DAG:DA",
427 "173" : "O:DAG:DA",
428 "174" : "O:DAG:DA",
429 "175" : "O:DAG:DA",
430 },
431 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
432 "ds_behavior_win2008" : {
433 "100" : "O:EAG:EA",
434 "101" : "O:DAG:DA",
435 "102" : "O:%sG:DU",
436 "103" : "O:%sG:DU",
437 "104" : "O:DAG:DA",
438 "105" : "O:DAG:DA",
439 "106" : "O:DAG:DA",
440 "107" : "O:EAG:EA",
441 "108" : "O:DAG:DA",
442 "109" : "O:DAG:DA",
443 "110" : "O:%sG:DA",
444 "111" : "O:%sG:DA",
445 "112" : "O:DAG:DA",
446 "113" : "O:DAG:DA",
447 "114" : "O:DAG:DA",
448 "115" : "O:DAG:DA",
449 "130" : "O:EAG:EA",
450 "131" : "O:DAG:DA",
451 "132" : "O:SAG:SA",
452 "133" : "O:%sG:DU",
453 "134" : "O:EAG:EA",
454 "135" : "O:SAG:SA",
455 "136" : "O:SAG:SA",
456 "137" : "O:SAG:SA",
457 "138" : "",
458 "139" : "",
459 "140" : "O:%sG:DA",
460 "141" : "O:%sG:DA",
461 "142" : "",
462 "143" : "",
463 "144" : "",
464 "145" : "",
465 "160" : "O:EAG:EA",
466 "161" : "O:DAG:DA",
467 "162" : "O:%sG:DU",
468 "163" : "O:%sG:DU",
469 "164" : "O:EAG:EA",
470 "165" : "O:EAG:EA",
471 "166" : "O:DAG:DA",
472 "167" : "O:EAG:EA",
473 "168" : "O:DAG:DA",
474 "169" : "O:DAG:DA",
475 "170" : "O:%sG:DA",
476 "171" : "O:%sG:DA",
477 "172" : "O:DAG:DA",
478 "173" : "O:DAG:DA",
479 "174" : "O:DAG:DA",
480 "175" : "O:DAG:DA",
481 },
482 }
483 # Discover 'msDS-Behavior-Version'
484 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
485 attrs=['msDS-Behavior-Version'])
486 res = int(res[0]['msDS-Behavior-Version'][0])
487 if res < DS_DOMAIN_FUNCTION_2008:
488 self.DS_BEHAVIOR = "ds_behavior_win2003"
489 else:
490 self.DS_BEHAVIOR = "ds_behavior_win2008"
491
492 def tearDown(self):
493 if self.SAMBA:
494 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
495 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
496 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
497 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
498 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
499 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
500 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
501 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
502 # DOMAIN
503 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
504 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
505 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
506 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
507 # SCHEMA
508 # CONFIGURATION
509 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
510 + self.configuration_dn)
511 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
512
513 def check_user_belongs(self, user_dn, groups=[]):
514 """ Test wether user is member of the expected group(s) """
515 if groups != []:
516 # User is member of at least one additional group
517 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
518 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
519 expected = []
520 for x in groups:
521 expected.append(self.get_users_domain_dn(x))
522 expected = [x.upper() for x in sorted(expected)]
523 self.assertEqual(expected, res)
524 else:
525 # User is not a member of any additional groups but default
526 res = self.ldb_admin.search(user_dn, attrs=["*"])
527 res = [x.upper() for x in res[0].keys()]
528 self.assertFalse( "MEMBEROF" in res)
529
530 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
531 # Modify
532 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
533 if owner_group != "":
534 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
535 else:
536 self.modify_desc(_ldb, object_dn, "D:" + ace)
537 # Make sure the modify operation has been applied
538 desc_sddl = self.get_desc_sddl(object_dn)
539 self.assertTrue(ace in desc_sddl)
540 # Make sure we have identical result for both "add" and "modify"
541 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
542 print self._testMethodName
543 test_number = self._testMethodName[5:]
544 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
545
546 def test_100(self):
547 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
548 """
549 user_name = "testuser1"
550 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
551 # Open Ldb connection with the tested user
552 _ldb = self.get_ldb_connection(user_name, "samba123@")
553 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
554 self.delete_force(self.ldb_admin, object_dn)
555 self.create_domain_group(_ldb, object_dn)
556 desc_sddl = self.get_desc_sddl(object_dn)
557 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
558 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
559 self.check_modify_inheritance(_ldb, object_dn)
560
561 def test_101(self):
562 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
563 """
564 user_name = "testuser2"
565 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
566 # Open Ldb connection with the tested user
567 _ldb = self.get_ldb_connection(user_name, "samba123@")
568 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
569 self.delete_force(self.ldb_admin, object_dn)
570 self.create_domain_group(_ldb, object_dn)
571 desc_sddl = self.get_desc_sddl(object_dn)
572 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
573 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
574 self.check_modify_inheritance(_ldb, object_dn)
575
576 def test_102(self):
577 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
578 """
579 user_name = "testuser3"
580 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
581 # Open Ldb connection with the tested user
582 _ldb = self.get_ldb_connection(user_name, "samba123@")
583 object_dn = "OU=test_domain_ou1," + self.base_dn
584 self.delete_force(self.ldb_admin, object_dn)
585 self.create_domain_ou(self.ldb_admin, object_dn)
586 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
587 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
588 self.dacl_add_ace(object_dn, mod)
589 # Create additional object into the first one
590 object_dn = "CN=test_domain_user1," + object_dn
591 self.delete_force(self.ldb_admin, object_dn)
592 self.create_domain_user(_ldb, object_dn)
593 desc_sddl = self.get_desc_sddl(object_dn)
594 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
595 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
596 # This fails, research why
597 #self.check_modify_inheritance(_ldb, object_dn)
598
599 def test_103(self):
600 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
601 """
602 user_name = "testuser4"
603 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
604 # Open Ldb connection with the tested user
605 _ldb = self.get_ldb_connection(user_name, "samba123@")
606 object_dn = "OU=test_domain_ou1," + self.base_dn
607 self.delete_force(self.ldb_admin, object_dn)
608 self.create_domain_ou(self.ldb_admin, object_dn)
609 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
610 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
611 self.dacl_add_ace(object_dn, mod)
612 # Create additional object into the first one
613 object_dn = "CN=test_domain_user1," + object_dn
614 self.delete_force(self.ldb_admin, object_dn)
615 self.create_domain_user(_ldb, object_dn)
616 desc_sddl = self.get_desc_sddl(object_dn)
617 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
618 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
619 #this fails, research why
620 #self.check_modify_inheritance(_ldb, object_dn)
621
622 def test_104(self):
623 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
624 """
625 user_name = "testuser5"
626 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
627 # Open Ldb connection with the tested user
628 _ldb = self.get_ldb_connection(user_name, "samba123@")
629 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
630 self.delete_force(self.ldb_admin, object_dn)
631 self.create_domain_group(_ldb, object_dn)
632 desc_sddl = self.get_desc_sddl(object_dn)
633 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
634 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
635 self.check_modify_inheritance(_ldb, object_dn)
636
637 def test_105(self):
638 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
639 """
640 user_name = "testuser6"
641 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
642 # Open Ldb connection with the tested user
643 _ldb = self.get_ldb_connection(user_name, "samba123@")
644 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
645 self.delete_force(self.ldb_admin, object_dn)
646 self.create_domain_group(_ldb, object_dn)
647 desc_sddl = self.get_desc_sddl(object_dn)
648 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
649 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
650 self.check_modify_inheritance(_ldb, object_dn)
651
652 def test_106(self):
653 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
654 """
655 user_name = "testuser7"
656 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
657 # Open Ldb connection with the tested user
658 _ldb = self.get_ldb_connection(user_name, "samba123@")
659 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
660 self.delete_force(self.ldb_admin, object_dn)
661 self.create_domain_group(_ldb, object_dn)
662 desc_sddl = self.get_desc_sddl(object_dn)
663 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
664 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
665 self.check_modify_inheritance(_ldb, object_dn)
666
667 def test_107(self):
668 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
669 """
670 user_name = "testuser8"
671 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
672 # Open Ldb connection with the tested user
673 _ldb = self.get_ldb_connection(user_name, "samba123@")
674 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
675 self.delete_force(self.ldb_admin, object_dn)
676 self.create_domain_group(_ldb, object_dn)
677 desc_sddl = self.get_desc_sddl(object_dn)
678 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
679 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
680 self.check_modify_inheritance(_ldb, object_dn)
681
682 # Control descriptor tests #####################################################################
683
684 def test_108(self):
685 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
686 """
687 user_name = "testuser1"
688 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
689 # Open Ldb connection with the tested user
690 _ldb = self.get_ldb_connection(user_name, "samba123@")
691 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
692 self.delete_force(self.ldb_admin, object_dn)
693 # Create a custom security descriptor
694 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
695 self.create_domain_group(_ldb, object_dn, desc_sddl)
696 desc_sddl = self.get_desc_sddl(object_dn)
697 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
698 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
699
700 def test_109(self):
701 """ Domain admin group member creates object (custom descriptor) in DOMAIN
702 """
703 user_name = "testuser2"
704 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
705 # Open Ldb connection with the tested user
706 _ldb = self.get_ldb_connection(user_name, "samba123@")
707 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
708 self.delete_force(self.ldb_admin, object_dn)
709 # Create a custom security descriptor
710 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
711 self.create_domain_group(_ldb, object_dn, desc_sddl)
712 desc_sddl = self.get_desc_sddl(object_dn)
713 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
714 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
715
716 def test_110(self):
717 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
718 """
719 user_name = "testuser3"
720 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
721 # Open Ldb connection with the tested user
722 _ldb = self.get_ldb_connection(user_name, "samba123@")
723 object_dn = "OU=test_domain_ou1," + self.base_dn
724 self.delete_force(self.ldb_admin, object_dn)
725 self.create_domain_ou(self.ldb_admin, object_dn)
726 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
727 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
728 self.dacl_add_ace(object_dn, mod)
729 # Create a custom security descriptor
730 # NB! Problematic owner part won't accept DA only <User Sid> !!!
731 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
732 # Create additional object into the first one
733 object_dn = "CN=test_domain_user1," + object_dn
734 self.delete_force(self.ldb_admin, object_dn)
735 self.create_domain_user(_ldb, object_dn, desc_sddl)
736 desc = self.read_desc(object_dn)
737 desc_sddl = self.get_desc_sddl(object_dn)
738 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
739 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
740
741 def test_111(self):
742 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
743 """
744 user_name = "testuser4"
745 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
746 # Open Ldb connection with the tested user
747 _ldb = self.get_ldb_connection(user_name, "samba123@")
748 object_dn = "OU=test_domain_ou1," + self.base_dn
749 self.delete_force(self.ldb_admin, object_dn)
750 self.create_domain_ou(self.ldb_admin, object_dn)
751 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
752 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
753 self.dacl_add_ace(object_dn, mod)
754 # Create a custom security descriptor
755 # NB! Problematic owner part won't accept DA only <User Sid> !!!
756 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
757 # Create additional object into the first one
758 object_dn = "CN=test_domain_user1," + object_dn
759 self.delete_force(self.ldb_admin, object_dn)
760 self.create_domain_user(_ldb, object_dn, desc_sddl)
761 desc = self.read_desc(object_dn)
762 desc_sddl = self.get_desc_sddl(object_dn)
763 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
764 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
765
766 def test_112(self):
767 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
768 """
769 user_name = "testuser5"
770 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
771 # Open Ldb connection with the tested user
772 _ldb = self.get_ldb_connection(user_name, "samba123@")
773 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
774 self.delete_force(self.ldb_admin, object_dn)
775 # Create a custom security descriptor
776 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
777 self.create_domain_group(_ldb, object_dn, desc_sddl)
778 desc_sddl = self.get_desc_sddl(object_dn)
779 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
780 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
781
782 def test_113(self):
783 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
784 """
785 user_name = "testuser6"
786 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
787 # Open Ldb connection with the tested user
788 _ldb = self.get_ldb_connection(user_name, "samba123@")
789 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
790 self.delete_force(self.ldb_admin, object_dn)
791 # Create a custom security descriptor
792 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
793 self.create_domain_group(_ldb, object_dn, desc_sddl)
794 desc_sddl = self.get_desc_sddl(object_dn)
795 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
796 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
797
798 def test_114(self):
799 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
800 """
801 user_name = "testuser7"
802 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
803 # Open Ldb connection with the tested user
804 _ldb = self.get_ldb_connection(user_name, "samba123@")
805 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
806 self.delete_force(self.ldb_admin, object_dn)
807 # Create a custom security descriptor
808 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
809 self.create_domain_group(_ldb, object_dn, desc_sddl)
810 desc_sddl = self.get_desc_sddl(object_dn)
811 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
812 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
813
814 def test_115(self):
815 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
816 """
817 user_name = "testuser8"
818 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
819 # Open Ldb connection with the tested user
820 _ldb = self.get_ldb_connection(user_name, "samba123@")
821 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
822 self.delete_force(self.ldb_admin, object_dn)
823 # Create a custom security descriptor
824 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
825 self.create_domain_group(_ldb, object_dn, desc_sddl)
826 desc_sddl = self.get_desc_sddl(object_dn)
827 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
828 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
829
830 def test_999(self):
831 user_name = "Administrator"
832 object_dn = "OU=test_domain_ou1," + self.base_dn
833 self.delete_force(self.ldb_admin, object_dn)
834 self.create_domain_ou(self.ldb_admin, object_dn)
835 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
836 mod = "(D;CI;WP;;;S-1-3-0)"
837 #mod = ""
838 self.dacl_add_ace(object_dn, mod)
839 desc_sddl = self.get_desc_sddl(object_dn)
840 # Create additional object into the first one
841 object_dn = "OU=test_domain_ou2," + object_dn
842 self.delete_force(self.ldb_admin, object_dn)
843 self.create_domain_ou(self.ldb_admin, object_dn)
844 desc_sddl = self.get_desc_sddl(object_dn)
845
846 ## Tests for SCHEMA
847
848 # Defalt descriptor tests ##################################################################
849
850 def test_130(self):
851 user_name = "testuser1"
852 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
853 # Open Ldb connection with the tested user
854 _ldb = self.get_ldb_connection(user_name, "samba123@")
855 # Change Schema partition descriptor
856 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
857 mod = "(A;;WDCC;;;AU)"
858 self.dacl_add_ace(self.schema_dn, mod)
859 # Create example Schema class
860 class_name = self.get_unique_schema_class_name()
861 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
862 self.create_schema_class(_ldb, class_dn)
863 desc_sddl = self.get_desc_sddl(class_dn)
864 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
865 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
866 self.check_modify_inheritance(_ldb, class_dn)
867
868 def test_131(self):
869 user_name = "testuser2"
870 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
871 # Open Ldb connection with the tested user
872 _ldb = self.get_ldb_connection(user_name, "samba123@")
873 # Change Schema partition descriptor
874 mod = "(A;CI;WDCC;;;AU)"
875 self.dacl_add_ace(self.schema_dn, mod)
876 # Create example Schema class
877 class_name = self.get_unique_schema_class_name()
878 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
879 self.create_schema_class(_ldb, class_dn)
880 desc_sddl = self.get_desc_sddl(class_dn)
881 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
882 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
883 self.check_modify_inheritance(_ldb, class_dn)
884
885 def test_132(self):
886 user_name = "testuser3"
887 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
888 # Open Ldb connection with the tested user
889 _ldb = self.get_ldb_connection(user_name, "samba123@")
890 # Change Schema partition descriptor
891 mod = "(A;CI;WDCC;;;AU)"
892 self.dacl_add_ace(self.schema_dn, mod)
893 # Create example Schema class
894 class_name = self.get_unique_schema_class_name()
895 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
896 self.create_schema_class(_ldb, class_dn)
897 desc_sddl = self.get_desc_sddl(class_dn)
898 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
899 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
900 #self.check_modify_inheritance(_ldb, class_dn)
901
902 def test_133(self):
903 user_name = "testuser4"
904 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
905 # Open Ldb connection with the tested user
906 _ldb = self.get_ldb_connection(user_name, "samba123@")
907 #Change Schema partition descriptor
908 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
909 mod = "(A;CI;WDCC;;;AU)"
910 self.dacl_add_ace(self.schema_dn, mod)
911 # Create example Schema class
912 class_name = self.get_unique_schema_class_name()
913 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
914 self.create_schema_class(_ldb, class_dn)
915 desc_sddl = self.get_desc_sddl(class_dn)
916 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
917 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
918 #self.check_modify_inheritance(_ldb, class_dn)
919
920 def test_134(self):
921 user_name = "testuser5"
922 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
923 # Open Ldb connection with the tested user
924 _ldb = self.get_ldb_connection(user_name, "samba123@")
925 #Change Schema partition descriptor
926 mod = "(A;CI;WDCC;;;AU)"
927 self.dacl_add_ace(self.schema_dn, mod)
928 # Create example Schema class
929 class_name = self.get_unique_schema_class_name()
930 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
931 self.create_schema_class(_ldb, class_dn)
932 desc_sddl = self.get_desc_sddl(class_dn)
933 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
934 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
935 self.check_modify_inheritance(_ldb, class_dn)
936
937 def test_135(self):
938 user_name = "testuser6"
939 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
940 # Open Ldb connection with the tested user
941 _ldb = self.get_ldb_connection(user_name, "samba123@")
942 # Change Schema partition descriptor
943 mod = "(A;CI;WDCC;;;AU)"
944 self.dacl_add_ace(self.schema_dn, mod)
945 # Create example Schema class
946 class_name = self.get_unique_schema_class_name()
947 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
948 self.create_schema_class(_ldb, class_dn)
949 desc_sddl = self.get_desc_sddl(class_dn)
950 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
951 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
952 self.check_modify_inheritance(_ldb, class_dn)
953
954 def test_136(self):
955 user_name = "testuser7"
956 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
957 # Open Ldb connection with the tested user
958 _ldb = self.get_ldb_connection(user_name, "samba123@")
959 # Change Schema partition descriptor
960 mod = "(A;CI;WDCC;;;AU)"
961 self.dacl_add_ace(self.schema_dn, mod)
962 # Create example Schema class
963 class_name = self.get_unique_schema_class_name()
964 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
965 self.create_schema_class(_ldb, class_dn)
966 desc_sddl = self.get_desc_sddl(class_dn)
967 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
968 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
969 self.check_modify_inheritance(_ldb, class_dn)
970
971 def test_137(self):
972 user_name = "testuser8"
973 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
974 # Open Ldb connection with the tested user
975 _ldb = self.get_ldb_connection(user_name, "samba123@")
976 # Change Schema partition descriptor
977 mod = "(A;CI;WDCC;;;AU)"
978 self.dacl_add_ace(self.schema_dn, mod)
979 # Create example Schema class
980 class_name = self.get_unique_schema_class_name()
981 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
982 self.create_schema_class(_ldb, class_dn)
983 desc_sddl = self.get_desc_sddl(class_dn)
984 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
985 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
986 self.check_modify_inheritance(_ldb, class_dn)
987
988 # Custom descriptor tests ##################################################################
989
990 def test_138(self):
991 user_name = "testuser1"
992 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
993 # Open Ldb connection with the tested user
994 _ldb = self.get_ldb_connection(user_name, "samba123@")
995 # Change Schema partition descriptor
996 mod = "(A;;CC;;;AU)"
997 self.dacl_add_ace(self.schema_dn, mod)
998 # Create a custom security descriptor
999 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1000 # Create example Schema class
1001 class_name = self.get_unique_schema_class_name()
1002 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1003 self.create_schema_class(_ldb, class_dn, desc_sddl)
1004 desc_sddl = self.get_desc_sddl(class_dn)
1005 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1006 self.assertEqual("O:DAG:DA", res)
1007
1008 def test_139(self):
1009 user_name = "testuser2"
1010 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1011 # Open Ldb connection with the tested user
1012 _ldb = self.get_ldb_connection(user_name, "samba123@")
1013 # Change Schema partition descriptor
1014 mod = "(A;;CC;;;AU)"
1015 self.dacl_add_ace(self.schema_dn, mod)
1016 # Create a custom security descriptor
1017 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1018 # Create example Schema class
1019 class_name = self.get_unique_schema_class_name()
1020 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1021 self.create_schema_class(_ldb, class_dn, desc_sddl)
1022 desc_sddl = self.get_desc_sddl(class_dn)
1023 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1024 self.assertEqual("O:DAG:DA", res)
1025
1026 def test_140(self):
1027 user_name = "testuser3"
1028 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1029 # Open Ldb connection with the tested user
1030 _ldb = self.get_ldb_connection(user_name, "samba123@")
1031 # Create a custom security descriptor
1032 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1033 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1034 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1035 # Create example Schema class
1036 class_name = self.get_unique_schema_class_name()
1037 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1038 self.create_schema_class(_ldb, class_dn, desc_sddl)
1039 desc_sddl = self.get_desc_sddl(class_dn)
1040 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1041 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1042
1043 def test_141(self):
1044 user_name = "testuser4"
1045 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1046 # Open Ldb connection with the tested user
1047 _ldb = self.get_ldb_connection(user_name, "samba123@")
1048 # Create a custom security descriptor
1049 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1050 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1051 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1052 # Create example Schema class
1053 class_name = self.get_unique_schema_class_name()
1054 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1055 self.create_schema_class(_ldb, class_dn, desc_sddl)
1056 desc_sddl = self.get_desc_sddl(class_dn)
1057 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1058 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1059
1060 def test_142(self):
1061 user_name = "testuser5"
1062 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1063 # Open Ldb connection with the tested user
1064 _ldb = self.get_ldb_connection(user_name, "samba123@")
1065 # Change Schema partition descriptor
1066 mod = "(A;;CC;;;AU)"
1067 self.dacl_add_ace(self.schema_dn, mod)
1068 # Create a custom security descriptor
1069 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1070 # Create example Schema class
1071 class_name = self.get_unique_schema_class_name()
1072 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1073 self.create_schema_class(_ldb, class_dn, desc_sddl)
1074 desc_sddl = self.get_desc_sddl(class_dn)
1075 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1076 self.assertEqual("O:DAG:DA", res)
1077
1078 def test_143(self):
1079 user_name = "testuser6"
1080 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1081 # Open Ldb connection with the tested user
1082 _ldb = self.get_ldb_connection(user_name, "samba123@")
1083 # Change Schema partition descriptor
1084 mod = "(A;;CC;;;AU)"
1085 self.dacl_add_ace(self.schema_dn, mod)
1086 # Create a custom security descriptor
1087 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1088 # Create example Schema class
1089 class_name = self.get_unique_schema_class_name()
1090 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1091 self.create_schema_class(_ldb, class_dn, desc_sddl)
1092 desc_sddl = self.get_desc_sddl(class_dn)
1093 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1094 self.assertEqual("O:DAG:DA", res)
1095
1096 def test_144(self):
1097 user_name = "testuser7"
1098 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1099 # Open Ldb connection with the tested user
1100 _ldb = self.get_ldb_connection(user_name, "samba123@")
1101 # Change Schema partition descriptor
1102 mod = "(A;;CC;;;AU)"
1103 self.dacl_add_ace(self.schema_dn, mod)
1104 # Create a custom security descriptor
1105 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1106 # Create example Schema class
1107 class_name = self.get_unique_schema_class_name()
1108 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1109 self.create_schema_class(_ldb, class_dn, desc_sddl)
1110 desc_sddl = self.get_desc_sddl(class_dn)
1111 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1112 self.assertEqual("O:DAG:DA", res)
1113
1114 def test_145(self):
1115 user_name = "testuser8"
1116 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1117 # Open Ldb connection with the tested user
1118 _ldb = self.get_ldb_connection(user_name, "samba123@")
1119 # Change Schema partition descriptor
1120 mod = "(A;;CC;;;AU)"
1121 self.dacl_add_ace(self.schema_dn, mod)
1122 # Create a custom security descriptor
1123 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1124 # Create example Schema class
1125 class_name = self.get_unique_schema_class_name()
1126 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1127 self.create_schema_class(_ldb, class_dn, desc_sddl)
1128 desc_sddl = self.get_desc_sddl(class_dn)
1129 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1130 self.assertEqual("O:DAG:DA", res)
1131
1132 ## Tests for CONFIGURATION
1133
1134 # Defalt descriptor tests ##################################################################
1135
1136 def test_160(self):
1137 user_name = "testuser1"
1138 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1139 # Open Ldb connection with the tested user
1140 _ldb = self.get_ldb_connection(user_name, "samba123@")
1141 # Create example Configuration container
1142 container_name = "test-container1"
1143 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1144 self.delete_force(self.ldb_admin, object_dn)
1145 self.create_configuration_container(_ldb, object_dn, )
1146 desc_sddl = self.get_desc_sddl(object_dn)
1147 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1148 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1149 self.check_modify_inheritance(_ldb, object_dn)
1150
1151 def test_161(self):
1152 user_name = "testuser2"
1153 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1154 # Open Ldb connection with the tested user
1155 _ldb = self.get_ldb_connection(user_name, "samba123@")
1156 # Create example Configuration container
1157 container_name = "test-container1"
1158 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1159 self.delete_force(self.ldb_admin, object_dn)
1160 self.create_configuration_container(_ldb, object_dn, )
1161 desc_sddl = self.get_desc_sddl(object_dn)
1162 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1163 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1164 self.check_modify_inheritance(_ldb, object_dn)
1165
1166 def test_162(self):
1167 user_name = "testuser3"
1168 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1169 # Open Ldb connection with the tested user
1170 _ldb = self.get_ldb_connection(user_name, "samba123@")
1171 # Create example Configuration container
1172 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1173 self.delete_force(self.ldb_admin, object_dn)
1174 self.create_configuration_container(self.ldb_admin, object_dn, )
1175 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1176 mod = "(A;;WDCC;;;AU)"
1177 self.dacl_add_ace(object_dn, mod)
1178 # Create child object with user's credentials
1179 object_dn = "CN=test-specifier1," + object_dn
1180 self.delete_force(self.ldb_admin, object_dn)
1181 self.create_configuration_specifier(_ldb, object_dn)
1182 desc_sddl = self.get_desc_sddl(object_dn)
1183 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1184 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1185 #self.check_modify_inheritance(_ldb, object_dn)
1186
1187 def test_163(self):
1188 user_name = "testuser4"
1189 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1190 # Open Ldb connection with the tested user
1191 _ldb = self.get_ldb_connection(user_name, "samba123@")
1192 # Create example Configuration container
1193 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1194 self.delete_force(self.ldb_admin, object_dn)
1195 self.create_configuration_container(self.ldb_admin, object_dn, )
1196 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1197 mod = "(A;CI;WDCC;;;AU)"
1198 self.dacl_add_ace(object_dn, mod)
1199 # Create child object with user's credentials
1200 object_dn = "CN=test-specifier1," + object_dn
1201 self.delete_force(self.ldb_admin, object_dn)
1202 self.create_configuration_specifier(_ldb, object_dn)
1203 desc_sddl = self.get_desc_sddl(object_dn)
1204 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1205 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1206 #self.check_modify_inheritance(_ldb, object_dn)
1207
1208 def test_164(self):
1209 user_name = "testuser5"
1210 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1211 # Open Ldb connection with the tested user
1212 _ldb = self.get_ldb_connection(user_name, "samba123@")
1213 # Create example Configuration container
1214 container_name = "test-container1"
1215 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1216 self.delete_force(self.ldb_admin, object_dn)
1217 self.create_configuration_container(_ldb, object_dn, )
1218 desc_sddl = self.get_desc_sddl(object_dn)
1219 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1220 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1221 self.check_modify_inheritance(_ldb, object_dn)
1222
1223 def test_165(self):
1224 user_name = "testuser6"
1225 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1226 # Open Ldb connection with the tested user
1227 _ldb = self.get_ldb_connection(user_name, "samba123@")
1228 # Create example Configuration container
1229 container_name = "test-container1"
1230 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1231 self.delete_force(self.ldb_admin, object_dn)
1232 self.create_configuration_container(_ldb, object_dn, )
1233 desc_sddl = self.get_desc_sddl(object_dn)
1234 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1235 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1236 self.check_modify_inheritance(_ldb, object_dn)
1237
1238 def test_166(self):
1239 user_name = "testuser7"
1240 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1241 # Open Ldb connection with the tested user
1242 _ldb = self.get_ldb_connection(user_name, "samba123@")
1243 # Create example Configuration container
1244 container_name = "test-container1"
1245 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1246 self.delete_force(self.ldb_admin, object_dn)
1247 self.create_configuration_container(_ldb, object_dn, )
1248 desc_sddl = self.get_desc_sddl(object_dn)
1249 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1250 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1251 self.check_modify_inheritance(_ldb, object_dn)
1252
1253 def test_167(self):
1254 user_name = "testuser8"
1255 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1256 # Open Ldb connection with the tested user
1257 _ldb = self.get_ldb_connection(user_name, "samba123@")
1258 # Create example Configuration container
1259 container_name = "test-container1"
1260 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1261 self.delete_force(self.ldb_admin, object_dn)
1262 self.create_configuration_container(_ldb, object_dn, )
1263 desc_sddl = self.get_desc_sddl(object_dn)
1264 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1265 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1266 self.check_modify_inheritance(_ldb, object_dn)
1267
1268 # Custom descriptor tests ##################################################################
1269
1270 def test_168(self):
1271 user_name = "testuser1"
1272 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1273 # Open Ldb connection with the tested user
1274 _ldb = self.get_ldb_connection(user_name, "samba123@")
1275 # Create example Configuration container
1276 container_name = "test-container1"
1277 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1278 self.delete_force(self.ldb_admin, object_dn)
1279 # Create a custom security descriptor
1280 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1281 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1282 desc_sddl = self.get_desc_sddl(object_dn)
1283 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1284 self.assertEqual("O:DAG:DA", res)
1285
1286 def test_169(self):
1287 user_name = "testuser2"
1288 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1289 # Open Ldb connection with the tested user
1290 _ldb = self.get_ldb_connection(user_name, "samba123@")
1291 # Create example Configuration container
1292 container_name = "test-container1"
1293 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1294 self.delete_force(self.ldb_admin, object_dn)
1295 # Create a custom security descriptor
1296 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1297 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1298 desc_sddl = self.get_desc_sddl(object_dn)
1299 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1300 self.assertEqual("O:DAG:DA", res)
1301
1302 def test_170(self):
1303 user_name = "testuser3"
1304 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1305 # Open Ldb connection with the tested user
1306 _ldb = self.get_ldb_connection(user_name, "samba123@")
1307 # Create example Configuration container
1308 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1309 self.delete_force(self.ldb_admin, object_dn)
1310 self.create_configuration_container(self.ldb_admin, object_dn, )
1311 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1312 mod = "(A;;CC;;;AU)"
1313 self.dacl_add_ace(object_dn, mod)
1314 # Create child object with user's credentials
1315 object_dn = "CN=test-specifier1," + object_dn
1316 self.delete_force(self.ldb_admin, object_dn)
1317 # Create a custom security descriptor
1318 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1319 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1320 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1321 desc_sddl = self.get_desc_sddl(object_dn)
1322 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1323 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1324
1325 def test_171(self):
1326 user_name = "testuser4"
1327 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1328 # Open Ldb connection with the tested user
1329 _ldb = self.get_ldb_connection(user_name, "samba123@")
1330 # Create example Configuration container
1331 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1332 self.delete_force(self.ldb_admin, object_dn)
1333 self.create_configuration_container(self.ldb_admin, object_dn, )
1334 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1335 mod = "(A;;CC;;;AU)"
1336 self.dacl_add_ace(object_dn, mod)
1337 # Create child object with user's credentials
1338 object_dn = "CN=test-specifier1," + object_dn
1339 self.delete_force(self.ldb_admin, object_dn)
1340 # Create a custom security descriptor
1341 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1342 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1343 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1344 desc_sddl = self.get_desc_sddl(object_dn)
1345 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1346 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1347
1348 def test_172(self):
1349 user_name = "testuser5"
1350 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1351 # Open Ldb connection with the tested user
1352 _ldb = self.get_ldb_connection(user_name, "samba123@")
1353 # Create example Configuration container
1354 container_name = "test-container1"
1355 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1356 self.delete_force(self.ldb_admin, object_dn)
1357 # Create a custom security descriptor
1358 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1359 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1360 desc_sddl = self.get_desc_sddl(object_dn)
1361 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1362 self.assertEqual("O:DAG:DA", res)
1363
1364 def test_173(self):
1365 user_name = "testuser6"
1366 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1367 # Open Ldb connection with the tested user
1368 _ldb = self.get_ldb_connection(user_name, "samba123@")
1369 # Create example Configuration container
1370 container_name = "test-container1"
1371 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1372 self.delete_force(self.ldb_admin, object_dn)
1373 # Create a custom security descriptor
1374 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1375 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1376 desc_sddl = self.get_desc_sddl(object_dn)
1377 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1378 self.assertEqual("O:DAG:DA", res)
1379
1380 def test_174(self):
1381 user_name = "testuser7"
1382 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1383 # Open Ldb connection with the tested user
1384 _ldb = self.get_ldb_connection(user_name, "samba123@")
1385 # Create example Configuration container
1386 container_name = "test-container1"
1387 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1388 self.delete_force(self.ldb_admin, object_dn)
1389 # Create a custom security descriptor
1390 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1391 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1392 desc_sddl = self.get_desc_sddl(object_dn)
1393 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1394 self.assertEqual("O:DAG:DA", res)
1395
1396 def test_175(self):
1397 user_name = "testuser8"
1398 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1399 # Open Ldb connection with the tested user
1400 _ldb = self.get_ldb_connection(user_name, "samba123@")
1401 # Create example Configuration container
1402 container_name = "test-container1"
1403 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1404 self.delete_force(self.ldb_admin, object_dn)
1405 # Create a custom security descriptor
1406 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1407 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1408 desc_sddl = self.get_desc_sddl(object_dn)
1409 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1410 self.assertEqual("O:DAG:DA", res)
1411
1412 ########################################################################################
1413 # Inharitance tests for DACL
1414
1415 class DaclDescriptorTests(DescriptorTests):
1416
1417 def setUp(self):
1418 DescriptorTests.setUp(self)
1419
1420 def tearDown(self):
1421 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1422 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1423
1424 def create_clean_ou(self, object_dn):
1425 """ Base repeating setup for unittests to follow """
1426 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1427 expression="distinguishedName=%s" % object_dn)
1428 # Make sure top testing OU has been deleted before starting the test
1429 self.assertEqual(res, [])
1430 self.create_domain_ou(self.ldb_admin, object_dn)
1431 desc_sddl = self.get_desc_sddl(object_dn)
1432 # Make sure there are inheritable ACEs initially
1433 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1434 # Find and remove all inherit ACEs
1435 res = re.findall("\(.*?\)", desc_sddl)
1436 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1437 for x in res:
1438 desc_sddl = desc_sddl.replace(x, "")
1439 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1440 # can propagate from above
1441 # remove SACL, we are not interested
1442 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1443 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1444 # Verify all inheritable ACEs are gone
1445 desc_sddl = self.get_desc_sddl(object_dn)
1446 self.assertFalse("CI" in desc_sddl)
1447 self.assertFalse("OI" in desc_sddl)
1448
1449 def test_200(self):
1450 """ OU with protected flag and child group. See if the group has inherit ACEs.
1451 """
1452 ou_dn = "OU=test_inherit_ou," + self.base_dn
1453 group_dn = "CN=test_inherit_group," + ou_dn
1454 # Create inheritable-free OU
1455 self.create_clean_ou(ou_dn)
1456 # Create group child object
1457 self.create_domain_group(self.ldb_admin, group_dn)
1458 # Make sure created group object contains NO inherit ACEs
1459 desc_sddl = self.get_desc_sddl(group_dn)
1460 self.assertFalse("ID" in desc_sddl)
1461
1462 def test_201(self):
1463 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1464 Verify group has custom and default ACEs only.
1465 """
1466 ou_dn = "OU=test_inherit_ou," + self.base_dn
1467 group_dn = "CN=test_inherit_group," + ou_dn
1468 # Create inheritable-free OU
1469 self.create_clean_ou(ou_dn)
1470 # Create group child object using custom security descriptor
1471 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1472 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1473 # Make sure created group descriptor has NO additional ACEs
1474 desc_sddl = self.get_desc_sddl(group_dn)
1475 self.assertEqual(desc_sddl, sddl)
1476 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1477 self.modify_desc(self.ldb_admin, group_dn, sddl)
1478 desc_sddl = self.get_desc_sddl(group_dn)
1479 self.assertEqual(desc_sddl, sddl)
1480
1481 def test_202(self):
1482 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1483 See if the group has any of the added ACEs.
1484 """
1485 ou_dn = "OU=test_inherit_ou," + self.base_dn
1486 group_dn = "CN=test_inherit_group," + ou_dn
1487 # Create inheritable-free OU
1488 self.create_clean_ou(ou_dn)
1489 # Add some custom non-inheritable ACEs
1490 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1491 moded = "(D;;CC;;;LG)"
1492 self.dacl_add_ace(ou_dn, mod)
1493 # Verify all inheritable ACEs are gone
1494 desc_sddl = self.get_desc_sddl(ou_dn)
1495 # Create group child object
1496 self.create_domain_group(self.ldb_admin, group_dn)
1497 # Make sure created group object contains NO inherit ACEs
1498 # also make sure the added above non-inheritable ACEs are absent too
1499 desc_sddl = self.get_desc_sddl(group_dn)
1500 self.assertFalse("ID" in desc_sddl)
1501 for x in re.findall("\(.*?\)", mod):
1502 self.assertFalse(x in desc_sddl)
1503 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1504 desc_sddl = self.get_desc_sddl(group_dn)
1505 self.assertFalse("ID" in desc_sddl)
1506 for x in re.findall("\(.*?\)", mod):
1507 self.assertFalse(x in desc_sddl)
1508
1509 def test_203(self):
1510 """ OU with protected flag and add 'CI' ACE, child group.
1511 See if the group has the added inherited ACE.
1512 """
1513 ou_dn = "OU=test_inherit_ou," + self.base_dn
1514 group_dn = "CN=test_inherit_group," + ou_dn
1515 # Create inheritable-free OU
1516 self.create_clean_ou(ou_dn)
1517 # Add some custom 'CI' ACE
1518 mod = "(D;CI;WP;;;DU)"
1519 moded = "(D;;CC;;;LG)"
1520 self.dacl_add_ace(ou_dn, mod)
1521 desc_sddl = self.get_desc_sddl(ou_dn)
1522 # Create group child object
1523 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1524 # Make sure created group object contains only the above inherited ACE
1525 # that we've added manually
1526 desc_sddl = self.get_desc_sddl(group_dn)
1527 mod = mod.replace(";CI;", ";CIID;")
1528 self.assertTrue(mod in desc_sddl)
1529 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1530 desc_sddl = self.get_desc_sddl(group_dn)
1531 self.assertTrue(moded in desc_sddl)
1532 self.assertTrue(mod in desc_sddl)
1533
1534 def test_204(self):
1535 """ OU with protected flag and add 'OI' ACE, child group.
1536 See if the group has the added inherited ACE.
1537 """
1538 ou_dn = "OU=test_inherit_ou," + self.base_dn
1539 group_dn = "CN=test_inherit_group," + ou_dn
1540 # Create inheritable-free OU
1541 self.create_clean_ou(ou_dn)
1542 # Add some custom 'CI' ACE
1543 mod = "(D;OI;WP;;;DU)"
1544 moded = "(D;;CC;;;LG)"
1545 self.dacl_add_ace(ou_dn, mod)
1546 desc_sddl = self.get_desc_sddl(ou_dn)
1547 # Create group child object
1548 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1549 # Make sure created group object contains only the above inherited ACE
1550 # that we've added manually
1551 desc_sddl = self.get_desc_sddl(group_dn)
1552 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1553 self.assertTrue(mod in desc_sddl)
1554 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1555 desc_sddl = self.get_desc_sddl(group_dn)
1556 self.assertTrue(moded in desc_sddl)
1557 self.assertTrue(mod in desc_sddl)
1558
1559 def test_205(self):
1560 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1561 See if the group has the added inherited ACE.
1562 """
1563 ou_dn = "OU=test_inherit_ou," + self.base_dn
1564 group_dn = "CN=test_inherit_group," + ou_dn
1565 # Create inheritable-free OU
1566 self.create_clean_ou(ou_dn)
1567 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1568 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1569 moded = "(D;;CC;;;LG)"
1570 self.dacl_add_ace(ou_dn, mod)
1571 desc_sddl = self.get_desc_sddl(ou_dn)
1572 # Create group child object
1573 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1574 # Make sure created group object contains only the above inherited ACE
1575 # that we've added manually
1576 desc_sddl = self.get_desc_sddl(group_dn)
1577 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1578 self.assertTrue(mod in desc_sddl)
1579 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1580 desc_sddl = self.get_desc_sddl(group_dn)
1581 self.assertTrue(moded in desc_sddl)
1582 self.assertTrue(mod in desc_sddl)
1583
1584 def test_206(self):
1585 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1586 See if the group has the added inherited ACE.
1587 """
1588 ou_dn = "OU=test_inherit_ou," + self.base_dn
1589 group_dn = "CN=test_inherit_group," + ou_dn
1590 # Create inheritable-free OU
1591 self.create_clean_ou(ou_dn)
1592 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1593 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1594 moded = "(D;;CC;;;LG)"
1595 self.dacl_add_ace(ou_dn, mod)
1596 desc_sddl = self.get_desc_sddl(ou_dn)
1597 # Create group child object
1598 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1599 # Make sure created group object contains only the above inherited ACE
1600 # that we've added manually
1601 desc_sddl = self.get_desc_sddl(group_dn)
1602 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1603 self.assertTrue(mod in desc_sddl)
1604 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1605 desc_sddl = self.get_desc_sddl(group_dn)
1606 self.assertTrue(moded in desc_sddl)
1607 self.assertTrue(mod in desc_sddl)
1608
1609 def test_207(self):
1610 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1611 See if the group has the added inherited ACE.
1612 """
1613 ou_dn = "OU=test_inherit_ou," + self.base_dn
1614 group_dn = "CN=test_inherit_group," + ou_dn
1615 # Create inheritable-free OU
1616 self.create_clean_ou(ou_dn)
1617 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1618 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1619 moded = "(D;;CC;;;LG)"
1620 self.dacl_add_ace(ou_dn, mod)
1621 desc_sddl = self.get_desc_sddl(ou_dn)
1622 # Create group child object
1623 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1624 # Make sure created group object contains only the above inherited ACE
1625 # that we've added manually
1626 desc_sddl = self.get_desc_sddl(group_dn)
1627 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1628 self.assertTrue(mod in desc_sddl)
1629 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1630 desc_sddl = self.get_desc_sddl(group_dn)
1631 self.assertTrue(moded in desc_sddl)
1632 self.assertTrue(mod in desc_sddl)
1633
1634 def test_208(self):
1635 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1636 See if the group has the added inherited ACE.
1637 """
1638 ou_dn = "OU=test_inherit_ou," + self.base_dn
1639 group_dn = "CN=test_inherit_group," + ou_dn
1640 # Create inheritable-free OU
1641 self.create_clean_ou(ou_dn)
1642 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1643 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1644 moded = "(D;;CC;;;LG)"
1645 self.dacl_add_ace(ou_dn, mod)
1646 desc_sddl = self.get_desc_sddl(ou_dn)
1647 # Create group child object
1648 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1649 # Make sure created group object contains only the above inherited ACE
1650 # that we've added manually
1651 desc_sddl = self.get_desc_sddl(group_dn)
1652 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1653 self.assertTrue(mod in desc_sddl)
1654 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1655 desc_sddl = self.get_desc_sddl(group_dn)
1656 self.assertTrue(moded in desc_sddl)
1657 self.assertTrue(mod in desc_sddl)
1658
1659 def test_209(self):
1660 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1661 See if the group has the added inherited ACE.
1662 """
1663 ou_dn = "OU=test_inherit_ou," + self.base_dn
1664 group_dn = "CN=test_inherit_group," + ou_dn
1665 # Create inheritable-free OU
1666 self.create_clean_ou(ou_dn)
1667 # Add some custom 'CI' ACE
1668 mod = "(D;CI;WP;;;CO)"
1669 moded = "(D;;CC;;;LG)"
1670 self.dacl_add_ace(ou_dn, mod)
1671 desc_sddl = self.get_desc_sddl(ou_dn)
1672 # Create group child object
1673 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1674 # Make sure created group object contains only the above inherited ACE(s)
1675 # that we've added manually
1676 desc_sddl = self.get_desc_sddl(group_dn)
1677 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1678 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1679 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1680 desc_sddl = self.get_desc_sddl(group_dn)
1681 self.assertTrue(moded in desc_sddl)
1682 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1683 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1684
1685 ########################################################################################
1686
1687
1688 class SdFlagsDescriptorTests(DescriptorTests):
1689 def setUp(self):
1690 DescriptorTests.setUp(self)
1691 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1692
1693 def tearDown(self):
1694 self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1695
1696 def test_301(self):
1697 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1698 See that only the owner has been changed.
1699 """
1700 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1701 self.create_domain_ou(self.ldb_admin, ou_dn)
1702 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1703 desc_sddl = self.get_desc_sddl(ou_dn)
1704 # make sure we have modified the owner
1705 self.assertTrue("O:AU" in desc_sddl)
1706 # make sure nothing else has been modified
1707 self.assertFalse("G:AU" in desc_sddl)
1708 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1709 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1710
1711 def test_302(self):
1712 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1713 See that only the owner has been changed.
1714 """
1715 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1716 self.create_domain_ou(self.ldb_admin, ou_dn)
1717 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1718 desc_sddl = self.get_desc_sddl(ou_dn)
1719 # make sure we have modified the group
1720 self.assertTrue("G:AU" in desc_sddl)
1721 # make sure nothing else has been modified
1722 self.assertFalse("O:AU" in desc_sddl)
1723 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1724 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1725
1726 def test_303(self):
1727 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1728 See that only the owner has been changed.
1729 """
1730 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1731 self.create_domain_ou(self.ldb_admin, ou_dn)
1732 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1733 desc_sddl = self.get_desc_sddl(ou_dn)
1734 # make sure we have modified the DACL
1735 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1736 # make sure nothing else has been modified
1737 self.assertFalse("O:AU" in desc_sddl)
1738 self.assertFalse("G:AU" in desc_sddl)
1739 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1740
1741 def test_304(self):
1742 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1743 See that only the owner has been changed.
1744 """
1745 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1746 self.create_domain_ou(self.ldb_admin, ou_dn)
1747 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1748 desc_sddl = self.get_desc_sddl(ou_dn)
1749 # make sure we have modified the DACL
1750 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1751 # make sure nothing else has been modified
1752 self.assertFalse("O:AU" in desc_sddl)
1753 self.assertFalse("G:AU" in desc_sddl)
1754 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1755
1756 def test_305(self):
1757 """ Modify a descriptor with 0x0 set.
1758 Contrary to logic this is interpreted as no control,
1759 which is the same as 0xF
1760 """
1761 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1762 self.create_domain_ou(self.ldb_admin, ou_dn)
1763 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1764 desc_sddl = self.get_desc_sddl(ou_dn)
1765 # make sure we have modified the DACL
1766 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1767 # make sure nothing else has been modified
1768 self.assertTrue("O:AU" in desc_sddl)
1769 self.assertTrue("G:AU" in desc_sddl)
1770 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1771
1772 def test_306(self):
1773 """ Modify a descriptor with 0xF set.
1774 """
1775 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1776 self.create_domain_ou(self.ldb_admin, ou_dn)
1777 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1778 desc_sddl = self.get_desc_sddl(ou_dn)
1779 # make sure we have modified the DACL
1780 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1781 # make sure nothing else has been modified
1782 self.assertTrue("O:AU" in desc_sddl)
1783 self.assertTrue("G:AU" in desc_sddl)
1784 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1785
1786 def test_307(self):
1787 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1788 Only the owner part should be returned.
1789 """
1790 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1791 self.create_domain_ou(self.ldb_admin, ou_dn)
1792 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1793 # make sure we have read the owner
1794 self.assertTrue("O:" in desc_sddl)
1795 # make sure we have read nothing else
1796 self.assertFalse("G:" in desc_sddl)
1797 self.assertFalse("D:" in desc_sddl)
1798 self.assertFalse("S:" in desc_sddl)
1799
1800 def test_308(self):
1801 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1802 Only the group part should be returned.
1803 """
1804 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1805 self.create_domain_ou(self.ldb_admin, ou_dn)
1806 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1807 # make sure we have read the owner
1808 self.assertTrue("G:" in desc_sddl)
1809 # make sure we have read nothing else
1810 self.assertFalse("O:" in desc_sddl)
1811 self.assertFalse("D:" in desc_sddl)
1812 self.assertFalse("S:" in desc_sddl)
1813
1814 def test_309(self):
1815 """ Read a descriptor with SACL_SECURITY_INFORMATION
1816 Only the sacl part should be returned.
1817 """
1818 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1819 self.create_domain_ou(self.ldb_admin, ou_dn)
1820 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1821 # make sure we have read the owner
1822 self.assertTrue("S:" in desc_sddl)
1823 # make sure we have read nothing else
1824 self.assertFalse("O:" in desc_sddl)
1825 self.assertFalse("D:" in desc_sddl)
1826 self.assertFalse("G:" in desc_sddl)
1827
1828 def test_310(self):
1829 """ Read a descriptor with DACL_SECURITY_INFORMATION
1830 Only the dacl part should be returned.
1831 """
1832 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1833 self.create_domain_ou(self.ldb_admin, ou_dn)
1834 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1835 # make sure we have read the owner
1836 self.assertTrue("D:" in desc_sddl)
1837 # make sure we have read nothing else
1838 self.assertFalse("O:" in desc_sddl)
1839 self.assertFalse("S:" in desc_sddl)
1840 self.assertFalse("G:" in desc_sddl)
1841
1842 class RightsAttributesTests(DescriptorTests):
1843
1844 def setUp(self):
1845 DescriptorTests.setUp(self)
1846 if self.SAMBA:
1847 ### Create users
1848 # User 1
1849 user_dn = self.get_users_domain_dn("testuser_attr")
1850 self.create_domain_user(self.ldb_admin, user_dn)
1851 self.enable_account(user_dn)
1852 # User 2, Domain Admins
1853 user_dn = self.get_users_domain_dn("testuser_attr2")
1854 self.create_domain_user(self.ldb_admin, user_dn)
1855 self.enable_account(user_dn)
1856 ldif = """
1857 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
1858 changetype: add
1859 member: """ + user_dn
1860 self.ldb_admin.modify_ldif(ldif)
1861
1862 def tearDown(self):
1863
1864 if self.SAMBA:
1865 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1866 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1867
1868 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1869
1870 def test_sDRightsEffective(self):
1871 object_dn = "OU=test_domain_ou1," + self.base_dn
1872 self.delete_force(self.ldb_admin, object_dn)
1873 self.create_domain_ou(self.ldb_admin, object_dn)
1874 print self.get_users_domain_dn("testuser_attr")
1875 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1876 #give testuser1 read access so attributes can be retrieved
1877 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1878 self.dacl_add_ace(object_dn, mod)
1879 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1880 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1881 attrs=["sDRightsEffective"])
1882 #user whould have no rights at all
1883 self.assertEquals(len(res), 1)
1884 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1885 #give the user Write DACL and see what happens
1886 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1887 self.dacl_add_ace(object_dn, mod)
1888 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1889 attrs=["sDRightsEffective"])
1890 #user whould have DACL_SECURITY_INFORMATION
1891 self.assertEquals(len(res), 1)
1892 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1893 #give the user Write Owners and see what happens
1894 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1895 self.dacl_add_ace(object_dn, mod)
1896 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1897 attrs=["sDRightsEffective"])
1898 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1899 self.assertEquals(len(res), 1)
1900 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1901 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1902 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1903 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1904 attrs=["sDRightsEffective"])
1905 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1906 self.assertEquals(len(res), 1)
1907 self.assertEquals(res[0]["sDRightsEffective"][0], \
1908 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1909
1910 def test_allowedChildClassesEffective(self):
1911 object_dn = "OU=test_domain_ou1," + self.base_dn
1912 self.delete_force(self.ldb_admin, object_dn)
1913 self.create_domain_ou(self.ldb_admin, object_dn)
1914 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1915 #give testuser1 read access so attributes can be retrieved
1916 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1917 self.dacl_add_ace(object_dn, mod)
1918 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1919 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1920 attrs=["allowedChildClassesEffective"])
1921 #there should be no allowed child classes
1922 self.assertEquals(len(res), 1)
1923 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1924 #give the user the right to create children of type user
1925 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1926 self.dacl_add_ace(object_dn, mod)
1927 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1928 attrs=["allowedChildClassesEffective"])
1929 # allowedChildClassesEffective should only have one value, user
1930 self.assertEquals(len(res), 1)
1931 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1932 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1933
1934 def test_allowedAttributesEffective(self):
1935 object_dn = "OU=test_domain_ou1," + self.base_dn
1936 self.delete_force(self.ldb_admin, object_dn)
1937 self.create_domain_ou(self.ldb_admin, object_dn)
1938 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1939 #give testuser1 read access so attributes can be retrieved
1940 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1941 self.dacl_add_ace(object_dn, mod)
1942 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1943 #res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1944 # attrs=["allowedAttributes"])
1945 #print res
1946 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1947 attrs=["allowedAttributesEffective"])
1948 #there should be no allowed attributes
1949 self.assertEquals(len(res), 1)
1950 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1951 #give the user the right to write displayName and managedBy
1952 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1953 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1954 # also rights to modify an read only attribute, fromEntry
1955 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1956 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1957 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1958 attrs=["allowedAttributesEffective"])
1959 # value should only contain user and managedBy
1960 print res
1961 self.assertEquals(len(res), 1)
1962 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1963 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1964 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1965
1966 if not "://" in host:
1967 host = "ldap://%s" % host
1968 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
1969
1970 runner = SubunitTestRunner()
1971 rc = 0
1972 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1973 rc = 1
1974 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1975 rc = 1
1976 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1977 rc = 1
1978 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
1979 rc = 1
1980 sys.exit(rc)
Samba GIT mirror