python/samba/tests/encrypted_secrets.py

   1 # Unix SMB/CIFS implementation.
   2 #
   3 #   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18
  19 """Smoke test for encrypted secrets
  20
  21 A quick test to confirm that the secret attributes are being stored
  22 encrypted on disk.
  23 """
  24
  25
  26 import os
  27 import ldb
  28 import samba
  29 from samba.tests import TestCase
  30 from samba.credentials import Credentials
  31 from samba.samdb import SamDB
  32 from samba.auth import system_session
  33 from samba.ndr import ndr_unpack
  34 from samba.dcerpc import drsblobs
  35
  36
  37 class EncryptedSecretsTests(TestCase):
  38
  39     def setUp(self):
  40         super(EncryptedSecretsTests, self).setUp()
  41         self.lp = samba.tests.env_loadparm()
  42         self.creds = Credentials()
  43         self.session = system_session()
  44         self.creds.guess(self.lp)
  45         self.session = system_session()
  46         self.ldb = SamDB(session_info=self.session,
  47                          credentials=self.creds,
  48                          lp=self.lp)
  49
  50     def test_encrypted_secrets(self):
  51         """Test that secret attributes are stored encrypted on disk"""
  52         basedn = self.ldb.domain_dn()
  53         backend_filename = "%s.ldb" % basedn.upper()
  54         backend_subpath = os.path.join("sam.ldb.d",
  55                                        backend_filename)
  56         backend_path = self.lp.private_path(backend_subpath)
  57         backenddb = ldb.Ldb("ldb://" + backend_path, flags=ldb.FLG_DONT_CREATE_DB)
  58
  59         dn = "CN=Administrator,CN=Users,%s" % basedn
  60
  61         res = backenddb.search(scope=ldb.SCOPE_BASE,
  62                                base=dn,
  63                                attrs=["unicodePwd"])
  64         self.assertIs(True, len(res) > 0)
  65         obj = res[0]
  66         blob = obj["unicodePwd"][0]
  67         self.assertTrue(len(blob) > 30)
  68         # Now verify that the header contains the correct magic value.
  69         encrypted = ndr_unpack(drsblobs.EncryptedSecret, blob)
  70         magic = 0xca5caded
  71         self.assertEqual(magic, encrypted.header.magic)
  72
  73     def test_required_features(self):
  74         """Test that databases are provisioned with encryptedSecrets as a
  75            required feature
  76         """
  77         res = self.ldb.search(scope=ldb.SCOPE_BASE,
  78                               base="@SAMBA_DSDB",
  79                               attrs=["requiredFeatures"])
  80         self.assertTrue(len(res) > 0)
  81         self.assertTrue("requiredFeatures" in res[0])
  82         required_features = res[0]["requiredFeatures"]
  83         self.assertTrue(b"encryptedSecrets" in required_features)