search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
netcmd:domain:policy: Fix missing conversion from tgt_lifetime minutes to 10^(-7...
[Samba.git] / source4 / dsdb / tests / python / sec_descriptor.py
blob1f22b2bfa4fe8322c4a651b98c56712286870bec
1 #!/usr/bin/env python3
2 # -*- coding: utf-8 -*-
3
4 import optparse
5 import sys
6 import os
7 import base64
8 import re
9 import random
10
11 sys.path.insert(0, "bin/python")
12 import samba
13
14 from samba.tests.subunitrun import SubunitOptions, TestProgram
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
20
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
24
25 from samba import gensec, sd_utils
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials, DONT_USE_KERBEROS
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 import samba.tests
33 from samba.tests import delete_force
34
35 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
36 sambaopts = options.SambaOptions(parser)
37 parser.add_option_group(sambaopts)
38 parser.add_option_group(options.VersionOptions(parser))
39
40 # use command line creds if available
41 credopts = options.CredentialsOptions(parser)
42 parser.add_option_group(credopts)
43 subunitopts = SubunitOptions(parser)
44 parser.add_option_group(subunitopts)
45
46 opts, args = parser.parse_args()
47
48 if len(args) < 1:
49 parser.print_usage()
50 sys.exit(1)
51
52 host = args[0]
53
54 lp = sambaopts.get_loadparm()
55 creds = credopts.get_credentials(lp)
56 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
57
58 #
59 # Tests start here
60 #
61
62
63 class DescriptorTests(samba.tests.TestCase):
64
65 def get_users_domain_dn(self, name):
66 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
67
68 def create_schema_class(self, _ldb, desc=None):
69 while True:
70 class_id = random.randint(0, 65535)
71 class_name = "descriptor-test-class%s" % class_id
72 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
73 try:
74 self.ldb_admin.search(base=class_dn, attrs=["name"])
75 except LdbError as e:
76 (num, _) = e.args
77 self.assertEqual(num, ERR_NO_SUCH_OBJECT)
78 break
79
80 ldif = """
81 dn: """ + class_dn + """
82 objectClass: classSchema
83 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
84 defaultObjectCategory: """ + class_dn + """
85 governsId: 1.3.6.1.4.1.7165.4.6.2.3.""" + str(class_id) + """
86 instanceType: 4
87 objectClassCategory: 1
88 subClassOf: organizationalPerson
89 systemFlags: 16
90 rDNAttID: cn
91 systemMustContain: cn
92 systemOnly: FALSE
93 """
94 if desc:
95 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
96 if isinstance(desc, str):
97 ldif += "nTSecurityDescriptor: %s" % desc
98 elif isinstance(desc, security.descriptor):
99 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
100 _ldb.add_ldif(ldif)
101 return class_dn
102
103 def create_configuration_container(self, _ldb, object_dn, desc=None):
104 ldif = """
105 dn: """ + object_dn + """
106 objectClass: container
107 objectCategory: CN=Container,""" + self.schema_dn + """
108 showInAdvancedViewOnly: TRUE
109 instanceType: 4
110 """
111 if desc:
112 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
113 if isinstance(desc, str):
114 ldif += "nTSecurityDescriptor: %s" % desc
115 elif isinstance(desc, security.descriptor):
116 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
117 _ldb.add_ldif(ldif)
118
119 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
120 ldif = """
121 dn: """ + object_dn + """
122 objectClass: displaySpecifier
123 showInAdvancedViewOnly: TRUE
124 """
125 if desc:
126 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
127 if isinstance(desc, str):
128 ldif += "nTSecurityDescriptor: %s" % desc
129 elif isinstance(desc, security.descriptor):
130 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
131 _ldb.add_ldif(ldif)
132
133 def get_ldb_connection(self, target_username, target_password):
134 creds_tmp = Credentials()
135 creds_tmp.set_username(target_username)
136 creds_tmp.set_password(target_password)
137 creds_tmp.set_domain(creds.get_domain())
138 creds_tmp.set_realm(creds.get_realm())
139 creds_tmp.set_workstation(creds.get_workstation())
140 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
141 | gensec.FEATURE_SEAL)
142 creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
143 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
144 return ldb_target
145
146 def setUp(self):
147 super(DescriptorTests, self).setUp()
148 self.ldb_admin = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp,
149 options=ldb_options)
150 self.base_dn = self.ldb_admin.domain_dn()
151 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
152 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
153 self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
154 self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
155 self.addCleanup(self.delete_admin_connection)
156 print("baseDN: %s" % self.base_dn)
157
158 def delete_admin_connection(self):
159 del self.sd_utils
160 del self.ldb_admin
161
162 ################################################################################################
163
164 # Tests for DOMAIN
165
166 # Default descriptor tests #####################################################################
167
168
169 class OwnerGroupDescriptorTests(DescriptorTests):
170
171 def deleteAll(self):
172 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
173 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
174 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
175 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
176 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
177 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
178 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
179 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
180 # DOMAIN
181 delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
182 delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
183 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
184 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
185 # SCHEMA
186 mod = "(A;CI;WDCC;;;AU)(A;;CC;;;AU)"
187 self.sd_utils.dacl_delete_aces(self.schema_dn, mod)
188 # CONFIGURATION
189 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers,"
190 + self.configuration_dn)
191 delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
192
193 def setUp(self):
194 super(OwnerGroupDescriptorTests, self).setUp()
195 self.deleteAll()
196 # Create users
197 # User 1 - Enterprise Admins
198 self.ldb_admin.newuser("testuser1", "samba123@")
199 # User 2 - Domain Admins
200 self.ldb_admin.newuser("testuser2", "samba123@")
201 # User 3 - Schema Admins
202 self.ldb_admin.newuser("testuser3", "samba123@")
203 # User 4 - regular user
204 self.ldb_admin.newuser("testuser4", "samba123@")
205 # User 5 - Enterprise Admins and Domain Admins
206 self.ldb_admin.newuser("testuser5", "samba123@")
207 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
208 self.ldb_admin.newuser("testuser6", "samba123@")
209 # User 7 - Domain Admins and Schema Admins
210 self.ldb_admin.newuser("testuser7", "samba123@")
211 # User 5 - Enterprise Admins and Schema Admins
212 self.ldb_admin.newuser("testuser8", "samba123@")
213
214 self.ldb_admin.add_remove_group_members("Enterprise Admins",
215 ["testuser1", "testuser5", "testuser6", "testuser8"],
216 add_members_operation=True)
217 self.ldb_admin.add_remove_group_members("Domain Admins",
218 ["testuser2", "testuser5", "testuser6", "testuser7"],
219 add_members_operation=True)
220 self.ldb_admin.add_remove_group_members("Schema Admins",
221 ["testuser3", "testuser6", "testuser7", "testuser8"],
222 add_members_operation=True)
223
224 self.results = {
225 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
226 "ds_behavior_win2003": {
227 "100": "O:EAG:DU",
228 "101": "O:DAG:DU",
229 "102": "O:%sG:DU",
230 "103": "O:%sG:DU",
231 "104": "O:DAG:DU",
232 "105": "O:DAG:DU",
233 "106": "O:DAG:DU",
234 "107": "O:EAG:DU",
235 "108": "O:DAG:DA",
236 "109": "O:DAG:DA",
237 "110": "O:%sG:DA",
238 "111": "O:%sG:DA",
239 "112": "O:DAG:DA",
240 "113": "O:DAG:DA",
241 "114": "O:DAG:DA",
242 "115": "O:DAG:DA",
243 "130": "O:EAG:DU",
244 "131": "O:DAG:DU",
245 "132": "O:SAG:DU",
246 "133": "O:%sG:DU",
247 "134": "O:EAG:DU",
248 "135": "O:SAG:DU",
249 "136": "O:SAG:DU",
250 "137": "O:SAG:DU",
251 "138": "O:DAG:DA",
252 "139": "O:DAG:DA",
253 "140": "O:%sG:DA",
254 "141": "O:%sG:DA",
255 "142": "O:DAG:DA",
256 "143": "O:DAG:DA",
257 "144": "O:DAG:DA",
258 "145": "O:DAG:DA",
259 "160": "O:EAG:DU",
260 "161": "O:DAG:DU",
261 "162": "O:%sG:DU",
262 "163": "O:%sG:DU",
263 "164": "O:EAG:DU",
264 "165": "O:EAG:DU",
265 "166": "O:DAG:DU",
266 "167": "O:EAG:DU",
267 "168": "O:DAG:DA",
268 "169": "O:DAG:DA",
269 "170": "O:%sG:DA",
270 "171": "O:%sG:DA",
271 "172": "O:DAG:DA",
272 "173": "O:DAG:DA",
273 "174": "O:DAG:DA",
274 "175": "O:DAG:DA",
275 },
276 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
277 "ds_behavior_win2008": {
278 "100": "O:EAG:EA",
279 "101": "O:DAG:DA",
280 "102": "O:%sG:DU",
281 "103": "O:%sG:DU",
282 "104": "O:DAG:DA",
283 "105": "O:DAG:DA",
284 "106": "O:DAG:DA",
285 "107": "O:EAG:EA",
286 "108": "O:DAG:DA",
287 "109": "O:DAG:DA",
288 "110": "O:%sG:DA",
289 "111": "O:%sG:DA",
290 "112": "O:DAG:DA",
291 "113": "O:DAG:DA",
292 "114": "O:DAG:DA",
293 "115": "O:DAG:DA",
294 "130": "O:EAG:EA",
295 "131": "O:DAG:DA",
296 "132": "O:SAG:SA",
297 "133": "O:%sG:DU",
298 "134": "O:EAG:EA",
299 "135": "O:SAG:SA",
300 "136": "O:SAG:SA",
301 "137": "O:SAG:SA",
302 "138": "",
303 "139": "",
304 "140": "O:%sG:DA",
305 "141": "O:%sG:DA",
306 "142": "",
307 "143": "",
308 "144": "",
309 "145": "",
310 "160": "O:EAG:EA",
311 "161": "O:DAG:DA",
312 "162": "O:%sG:DU",
313 "163": "O:%sG:DU",
314 "164": "O:EAG:EA",
315 "165": "O:EAG:EA",
316 "166": "O:DAG:DA",
317 "167": "O:EAG:EA",
318 "168": "O:DAG:DA",
319 "169": "O:DAG:DA",
320 "170": "O:%sG:DA",
321 "171": "O:%sG:DA",
322 "172": "O:DAG:DA",
323 "173": "O:DAG:DA",
324 "174": "O:DAG:DA",
325 "175": "O:DAG:DA",
326 },
327 }
328 # Discover 'domainControllerFunctionality'
329 res = self.ldb_admin.search(base="", scope=SCOPE_BASE,
330 attrs=['domainControllerFunctionality'])
331 res = int(res[0]['domainControllerFunctionality'][0])
332 if res < DS_DOMAIN_FUNCTION_2008:
333 self.DS_BEHAVIOR = "ds_behavior_win2003"
334 else:
335 self.DS_BEHAVIOR = "ds_behavior_win2008"
336
337 def tearDown(self):
338 super(OwnerGroupDescriptorTests, self).tearDown()
339 self.deleteAll()
340
341 def check_user_belongs(self, user_dn, groups=None):
342 """ Test whether user is member of the expected group(s) """
343 if groups is None:
344 groups = []
345
346 if groups != []:
347 # User is member of at least one additional group
348 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
349 res = [str(x).upper() for x in sorted(list(res[0]["memberOf"]))]
350 expected = []
351 for x in groups:
352 expected.append(self.get_users_domain_dn(x))
353 expected = [x.upper() for x in sorted(expected)]
354 self.assertEqual(expected, res)
355 else:
356 # User is not a member of any additional groups but default
357 res = self.ldb_admin.search(user_dn, attrs=["*"])
358 res = [x.upper() for x in res[0].keys()]
359 self.assertNotIn("MEMBEROF", res)
360
361 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
362 # Modify
363 sd_user_utils = sd_utils.SDUtils(_ldb)
364 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
365 if owner_group != "":
366 sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
367 else:
368 sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
369 # Make sure the modify operation has been applied
370 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
371 self.assertIn(ace, desc_sddl)
372 # Make sure we have identical result for both "add" and "modify"
373 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
374 print(self._testMethodName)
375 test_number = self._testMethodName[5:]
376 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
377
378 def test_100(self):
379 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
380 """
381 user_name = "testuser1"
382 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
383 # Open Ldb connection with the tested user
384 _ldb = self.get_ldb_connection(user_name, "samba123@")
385 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
386 delete_force(self.ldb_admin, object_dn)
387 _ldb.newgroup("test_domain_group1", grouptype=4)
388 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
389 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
390 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
391 self.check_modify_inheritance(_ldb, object_dn)
392
393 def test_101(self):
394 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
395 """
396 user_name = "testuser2"
397 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
398 # Open Ldb connection with the tested user
399 _ldb = self.get_ldb_connection(user_name, "samba123@")
400 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
401 delete_force(self.ldb_admin, object_dn)
402 _ldb.newgroup("test_domain_group1", grouptype=4)
403 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
404 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
405 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
406 self.check_modify_inheritance(_ldb, object_dn)
407
408 def test_102(self):
409 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
410 """
411 user_name = "testuser3"
412 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
413 # Open Ldb connection with the tested user
414 _ldb = self.get_ldb_connection(user_name, "samba123@")
415 object_dn = "OU=test_domain_ou1," + self.base_dn
416 delete_force(self.ldb_admin, object_dn)
417 self.ldb_admin.create_ou(object_dn)
418 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
419 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
420 self.sd_utils.dacl_add_ace(object_dn, mod)
421 # Create additional object into the first one
422 object_dn = "CN=test_domain_user1," + object_dn
423 delete_force(self.ldb_admin, object_dn)
424 _ldb.newuser("test_domain_user1", "samba123@",
425 userou="OU=test_domain_ou1", setpassword=False)
426 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
427 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
428 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
429 # This fails, research why
430 #self.check_modify_inheritance(_ldb, object_dn)
431
432 def test_103(self):
433 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
434 """
435 user_name = "testuser4"
436 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
437 # Open Ldb connection with the tested user
438 _ldb = self.get_ldb_connection(user_name, "samba123@")
439 object_dn = "OU=test_domain_ou1," + self.base_dn
440 delete_force(self.ldb_admin, object_dn)
441 self.ldb_admin.create_ou(object_dn)
442 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
443 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
444 self.sd_utils.dacl_add_ace(object_dn, mod)
445 # Create additional object into the first one
446 object_dn = "CN=test_domain_user1," + object_dn
447 delete_force(self.ldb_admin, object_dn)
448 _ldb.newuser("test_domain_user1", "samba123@",
449 userou="OU=test_domain_ou1", setpassword=False)
450 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
451 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
452 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
453 # this fails, research why
454 #self.check_modify_inheritance(_ldb, object_dn)
455
456 def test_104(self):
457 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
458 """
459 user_name = "testuser5"
460 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
461 # Open Ldb connection with the tested user
462 _ldb = self.get_ldb_connection(user_name, "samba123@")
463 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
464 delete_force(self.ldb_admin, object_dn)
465 _ldb.newgroup("test_domain_group1", grouptype=4)
466 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
467 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
468 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
469 self.check_modify_inheritance(_ldb, object_dn)
470
471 def test_105(self):
472 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
473 """
474 user_name = "testuser6"
475 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
476 # Open Ldb connection with the tested user
477 _ldb = self.get_ldb_connection(user_name, "samba123@")
478 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
479 delete_force(self.ldb_admin, object_dn)
480 _ldb.newgroup("test_domain_group1", grouptype=4)
481 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
482 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
483 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
484 self.check_modify_inheritance(_ldb, object_dn)
485
486 def test_106(self):
487 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
488 """
489 user_name = "testuser7"
490 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
491 # Open Ldb connection with the tested user
492 _ldb = self.get_ldb_connection(user_name, "samba123@")
493 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
494 delete_force(self.ldb_admin, object_dn)
495 _ldb.newgroup("test_domain_group1", grouptype=4)
496 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
497 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
498 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
499 self.check_modify_inheritance(_ldb, object_dn)
500
501 def test_107(self):
502 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
503 """
504 user_name = "testuser8"
505 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
506 # Open Ldb connection with the tested user
507 _ldb = self.get_ldb_connection(user_name, "samba123@")
508 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
509 delete_force(self.ldb_admin, object_dn)
510 _ldb.newgroup("test_domain_group1", grouptype=4)
511 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
512 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
513 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
514 self.check_modify_inheritance(_ldb, object_dn)
515
516 # Control descriptor tests #####################################################################
517
518 def test_108(self):
519 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
520 """
521 user_name = "testuser1"
522 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
523 # Open Ldb connection with the tested user
524 _ldb = self.get_ldb_connection(user_name, "samba123@")
525 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
526 delete_force(self.ldb_admin, object_dn)
527 # Create a custom security descriptor
528 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
529 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
530 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
531 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
532 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
533 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
534
535 def test_109(self):
536 """ Domain admin group member creates object (custom descriptor) in DOMAIN
537 """
538 user_name = "testuser2"
539 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
540 # Open Ldb connection with the tested user
541 _ldb = self.get_ldb_connection(user_name, "samba123@")
542 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
543 delete_force(self.ldb_admin, object_dn)
544 # Create a custom security descriptor
545 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
546 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
547 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
548 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
549 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
550 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
551
552 def test_110(self):
553 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
554 """
555 user_name = "testuser3"
556 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
557 # Open Ldb connection with the tested user
558 _ldb = self.get_ldb_connection(user_name, "samba123@")
559 object_dn = "OU=test_domain_ou1," + self.base_dn
560 delete_force(self.ldb_admin, object_dn)
561 self.ldb_admin.create_ou(object_dn)
562 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
563 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
564 self.sd_utils.dacl_add_ace(object_dn, mod)
565 # Create a custom security descriptor
566 # NB! Problematic owner part won't accept DA only <User Sid> !!!
567 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
568 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
569 # Create additional object into the first one
570 object_dn = "CN=test_domain_user1," + object_dn
571 delete_force(self.ldb_admin, object_dn)
572 _ldb.newuser("test_domain_user1", "samba123@",
573 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
574 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
575 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
576 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
577
578 def test_111(self):
579 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
580 """
581 user_name = "testuser4"
582 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
583 # Open Ldb connection with the tested user
584 _ldb = self.get_ldb_connection(user_name, "samba123@")
585 object_dn = "OU=test_domain_ou1," + self.base_dn
586 delete_force(self.ldb_admin, object_dn)
587 self.ldb_admin.create_ou(object_dn)
588 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
589 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
590 self.sd_utils.dacl_add_ace(object_dn, mod)
591 # Create a custom security descriptor
592 # NB! Problematic owner part won't accept DA only <User Sid> !!!
593 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
594 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
595 # Create additional object into the first one
596 object_dn = "CN=test_domain_user1," + object_dn
597 delete_force(self.ldb_admin, object_dn)
598 _ldb.newuser("test_domain_user1", "samba123@",
599 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
600 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
601 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
602 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
603
604 def test_112(self):
605 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
606 """
607 user_name = "testuser5"
608 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
609 # Open Ldb connection with the tested user
610 _ldb = self.get_ldb_connection(user_name, "samba123@")
611 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
612 delete_force(self.ldb_admin, object_dn)
613 # Create a custom security descriptor
614 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
615 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
616 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
617 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
618 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
619 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
620
621 def test_113(self):
622 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
623 """
624 user_name = "testuser6"
625 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
626 # Open Ldb connection with the tested user
627 _ldb = self.get_ldb_connection(user_name, "samba123@")
628 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
629 delete_force(self.ldb_admin, object_dn)
630 # Create a custom security descriptor
631 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
632 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
633 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
634 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
635 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
636 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
637
638 def test_114(self):
639 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
640 """
641 user_name = "testuser7"
642 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
643 # Open Ldb connection with the tested user
644 _ldb = self.get_ldb_connection(user_name, "samba123@")
645 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
646 delete_force(self.ldb_admin, object_dn)
647 # Create a custom security descriptor
648 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
649 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
650 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
651 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
652 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
653 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
654
655 def test_115(self):
656 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
657 """
658 user_name = "testuser8"
659 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
660 # Open Ldb connection with the tested user
661 _ldb = self.get_ldb_connection(user_name, "samba123@")
662 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
663 delete_force(self.ldb_admin, object_dn)
664 # Create a custom security descriptor
665 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
666 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
667 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
668 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
669 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
670 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
671
672 def test_999(self):
673 user_name = "Administrator"
674 object_dn = "OU=test_domain_ou1," + self.base_dn
675 delete_force(self.ldb_admin, object_dn)
676 self.ldb_admin.create_ou(object_dn)
677 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
678 mod = "(D;CI;WP;;;S-1-3-0)"
679 #mod = ""
680 self.sd_utils.dacl_add_ace(object_dn, mod)
681 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
682 # Create additional object into the first one
683 object_dn = "OU=test_domain_ou2," + object_dn
684 delete_force(self.ldb_admin, object_dn)
685 self.ldb_admin.create_ou(object_dn)
686 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
687
688 # Tests for SCHEMA
689
690 # Default descriptor tests ##################################################################
691
692 def test_130(self):
693 user_name = "testuser1"
694 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
695 # Open Ldb connection with the tested user
696 _ldb = self.get_ldb_connection(user_name, "samba123@")
697 # Change Schema partition descriptor
698 mod = "(A;CI;WDCC;;;AU)"
699 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
700 # Create example Schema class
701 try:
702 class_dn = self.create_schema_class(_ldb)
703 except LdbError:
704 self.fail()
705 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
706 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
707 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
708 self.check_modify_inheritance(_ldb, class_dn)
709
710 def test_131(self):
711 user_name = "testuser2"
712 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
713 # Open Ldb connection with the tested user
714 _ldb = self.get_ldb_connection(user_name, "samba123@")
715 # Change Schema partition descriptor
716 mod = "(A;CI;WDCC;;;AU)"
717 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
718 # Create example Schema class
719 class_dn = self.create_schema_class(_ldb)
720 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
721 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
722 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
723 self.check_modify_inheritance(_ldb, class_dn)
724
725 def test_132(self):
726 user_name = "testuser3"
727 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
728 # Open Ldb connection with the tested user
729 _ldb = self.get_ldb_connection(user_name, "samba123@")
730 # Change Schema partition descriptor
731 mod = "(A;CI;WDCC;;;AU)"
732 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
733 # Create example Schema class
734 class_dn = self.create_schema_class(_ldb)
735 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
736 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
737 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
738 #self.check_modify_inheritance(_ldb, class_dn)
739
740 def test_133(self):
741 user_name = "testuser4"
742 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
743 # Open Ldb connection with the tested user
744 _ldb = self.get_ldb_connection(user_name, "samba123@")
745 # Change Schema partition descriptor
746 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
747 mod = "(A;CI;WDCC;;;AU)"
748 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
749 # Create example Schema class
750 class_dn = self.create_schema_class(_ldb)
751 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
752 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
753 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
754 #self.check_modify_inheritance(_ldb, class_dn)
755
756 def test_134(self):
757 user_name = "testuser5"
758 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
759 # Open Ldb connection with the tested user
760 _ldb = self.get_ldb_connection(user_name, "samba123@")
761 # Change Schema partition descriptor
762 mod = "(A;CI;WDCC;;;AU)"
763 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
764 # Create example Schema class
765 class_dn = self.create_schema_class(_ldb)
766 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
767 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
768 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
769 self.check_modify_inheritance(_ldb, class_dn)
770
771 def test_135(self):
772 user_name = "testuser6"
773 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
774 # Open Ldb connection with the tested user
775 _ldb = self.get_ldb_connection(user_name, "samba123@")
776 # Change Schema partition descriptor
777 mod = "(A;CI;WDCC;;;AU)"
778 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
779 # Create example Schema class
780 class_dn = self.create_schema_class(_ldb)
781 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
782 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
783 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
784 self.check_modify_inheritance(_ldb, class_dn)
785
786 def test_136(self):
787 user_name = "testuser7"
788 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
789 # Open Ldb connection with the tested user
790 _ldb = self.get_ldb_connection(user_name, "samba123@")
791 # Change Schema partition descriptor
792 mod = "(A;CI;WDCC;;;AU)"
793 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
794 # Create example Schema class
795 class_dn = self.create_schema_class(_ldb)
796 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
797 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
798 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
799 self.check_modify_inheritance(_ldb, class_dn)
800
801 def test_137(self):
802 user_name = "testuser8"
803 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
804 # Open Ldb connection with the tested user
805 _ldb = self.get_ldb_connection(user_name, "samba123@")
806 # Change Schema partition descriptor
807 mod = "(A;CI;WDCC;;;AU)"
808 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
809 # Create example Schema class
810 class_dn = self.create_schema_class(_ldb)
811 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
812 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
813 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
814 self.check_modify_inheritance(_ldb, class_dn)
815
816 # Custom descriptor tests ##################################################################
817
818 def test_138(self):
819 user_name = "testuser1"
820 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
821 # Open Ldb connection with the tested user
822 _ldb = self.get_ldb_connection(user_name, "samba123@")
823 # Change Schema partition descriptor
824 mod = "(A;;CC;;;AU)"
825 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
826 # Create a custom security descriptor
827 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
828 # Create example Schema class
829 class_dn = self.create_schema_class(_ldb, desc_sddl)
830 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
831 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
832 self.assertEqual("O:DAG:DA", res)
833
834 def test_139(self):
835 user_name = "testuser2"
836 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
837 # Open Ldb connection with the tested user
838 _ldb = self.get_ldb_connection(user_name, "samba123@")
839 # Change Schema partition descriptor
840 mod = "(A;;CC;;;AU)"
841 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
842 # Create a custom security descriptor
843 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
844 # Create example Schema class
845 class_dn = self.create_schema_class(_ldb, desc_sddl)
846 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
847 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
848 self.assertEqual("O:DAG:DA", res)
849
850 def test_140(self):
851 user_name = "testuser3"
852 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
853 # Open Ldb connection with the tested user
854 _ldb = self.get_ldb_connection(user_name, "samba123@")
855 # Create a custom security descriptor
856 # NB! Problematic owner part won't accept DA only <User Sid> !!!
857 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
858 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
859 # Create example Schema class
860 class_dn = self.create_schema_class(_ldb, desc_sddl)
861 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
862 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
863 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
864
865 def test_141(self):
866 user_name = "testuser4"
867 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
868 # Open Ldb connection with the tested user
869 _ldb = self.get_ldb_connection(user_name, "samba123@")
870 # Change Schema partition descriptor
871 mod = "(A;;CC;;;AU)"
872 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
873 # Create a custom security descriptor
874 # NB! Problematic owner part won't accept DA only <User Sid> !!!
875 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
876 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
877 # Create example Schema class
878 class_dn = self.create_schema_class(_ldb, desc_sddl)
879 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
880 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
881 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
882
883 def test_142(self):
884 user_name = "testuser5"
885 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
886 # Open Ldb connection with the tested user
887 _ldb = self.get_ldb_connection(user_name, "samba123@")
888 # Change Schema partition descriptor
889 mod = "(A;;CC;;;AU)"
890 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
891 # Create a custom security descriptor
892 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
893 # Create example Schema class
894 class_dn = self.create_schema_class(_ldb, desc_sddl)
895 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
896 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
897 self.assertEqual("O:DAG:DA", res)
898
899 def test_143(self):
900 user_name = "testuser6"
901 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
902 # Open Ldb connection with the tested user
903 _ldb = self.get_ldb_connection(user_name, "samba123@")
904 # Change Schema partition descriptor
905 mod = "(A;;CC;;;AU)"
906 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
907 # Create a custom security descriptor
908 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
909 # Create example Schema class
910 class_dn = self.create_schema_class(_ldb, desc_sddl)
911 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
912 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
913 self.assertEqual("O:DAG:DA", res)
914
915 def test_144(self):
916 user_name = "testuser7"
917 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
918 # Open Ldb connection with the tested user
919 _ldb = self.get_ldb_connection(user_name, "samba123@")
920 # Change Schema partition descriptor
921 mod = "(A;;CC;;;AU)"
922 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
923 # Create a custom security descriptor
924 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
925 # Create example Schema class
926 class_dn = self.create_schema_class(_ldb, desc_sddl)
927 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
928 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
929 self.assertEqual("O:DAG:DA", res)
930
931 def test_145(self):
932 user_name = "testuser8"
933 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
934 # Open Ldb connection with the tested user
935 _ldb = self.get_ldb_connection(user_name, "samba123@")
936 # Change Schema partition descriptor
937 mod = "(A;;CC;;;AU)"
938 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
939 # Create a custom security descriptor
940 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
941 # Create example Schema class
942 class_dn = self.create_schema_class(_ldb, desc_sddl)
943 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
944 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
945 self.assertEqual("O:DAG:DA", res)
946
947 # Tests for CONFIGURATION
948
949 # Default descriptor tests ##################################################################
950
951 def test_160(self):
952 user_name = "testuser1"
953 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
954 # Open Ldb connection with the tested user
955 _ldb = self.get_ldb_connection(user_name, "samba123@")
956 # Create example Configuration container
957 container_name = "test-container1"
958 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
959 delete_force(self.ldb_admin, object_dn)
960 self.create_configuration_container(_ldb, object_dn, )
961 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
962 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
963 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
964 self.check_modify_inheritance(_ldb, object_dn)
965
966 def test_161(self):
967 user_name = "testuser2"
968 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
969 # Open Ldb connection with the tested user
970 _ldb = self.get_ldb_connection(user_name, "samba123@")
971 # Create example Configuration container
972 container_name = "test-container1"
973 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
974 delete_force(self.ldb_admin, object_dn)
975 self.create_configuration_container(_ldb, object_dn, )
976 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
977 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
978 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
979 self.check_modify_inheritance(_ldb, object_dn)
980
981 def test_162(self):
982 user_name = "testuser3"
983 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
984 # Open Ldb connection with the tested user
985 _ldb = self.get_ldb_connection(user_name, "samba123@")
986 # Create example Configuration container
987 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
988 delete_force(self.ldb_admin, object_dn)
989 self.create_configuration_container(self.ldb_admin, object_dn, )
990 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
991 mod = "(A;CI;WDCC;;;AU)"
992 self.sd_utils.dacl_add_ace(object_dn, mod)
993 # Create child object with user's credentials
994 object_dn = "CN=test-specifier1," + object_dn
995 delete_force(self.ldb_admin, object_dn)
996 try:
997 self.create_configuration_specifier(_ldb, object_dn)
998 except LdbError:
999 self.fail()
1000 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1001 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1002 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1003 #self.check_modify_inheritance(_ldb, object_dn)
1004
1005 def test_163(self):
1006 user_name = "testuser4"
1007 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1008 # Open Ldb connection with the tested user
1009 _ldb = self.get_ldb_connection(user_name, "samba123@")
1010 # Create example Configuration container
1011 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1012 delete_force(self.ldb_admin, object_dn)
1013 self.create_configuration_container(self.ldb_admin, object_dn, )
1014 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
1015 mod = "(A;CI;WDCC;;;AU)"
1016 self.sd_utils.dacl_add_ace(object_dn, mod)
1017 # Create child object with user's credentials
1018 object_dn = "CN=test-specifier1," + object_dn
1019 delete_force(self.ldb_admin, object_dn)
1020 self.create_configuration_specifier(_ldb, object_dn)
1021 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1022 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1023 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1024 #self.check_modify_inheritance(_ldb, object_dn)
1025
1026 def test_164(self):
1027 user_name = "testuser5"
1028 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1029 # Open Ldb connection with the tested user
1030 _ldb = self.get_ldb_connection(user_name, "samba123@")
1031 # Create example Configuration container
1032 container_name = "test-container1"
1033 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1034 delete_force(self.ldb_admin, object_dn)
1035 self.create_configuration_container(_ldb, object_dn, )
1036 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1037 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1038 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1039 self.check_modify_inheritance(_ldb, object_dn)
1040
1041 def test_165(self):
1042 user_name = "testuser6"
1043 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1044 # Open Ldb connection with the tested user
1045 _ldb = self.get_ldb_connection(user_name, "samba123@")
1046 # Create example Configuration container
1047 container_name = "test-container1"
1048 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1049 delete_force(self.ldb_admin, object_dn)
1050 self.create_configuration_container(_ldb, object_dn, )
1051 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1052 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1053 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1054 self.check_modify_inheritance(_ldb, object_dn)
1055
1056 def test_166(self):
1057 user_name = "testuser7"
1058 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1059 # Open Ldb connection with the tested user
1060 _ldb = self.get_ldb_connection(user_name, "samba123@")
1061 # Create example Configuration container
1062 container_name = "test-container1"
1063 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1064 delete_force(self.ldb_admin, object_dn)
1065 self.create_configuration_container(_ldb, object_dn, )
1066 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1067 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1068 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1069 self.check_modify_inheritance(_ldb, object_dn)
1070
1071 def test_167(self):
1072 user_name = "testuser8"
1073 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1074 # Open Ldb connection with the tested user
1075 _ldb = self.get_ldb_connection(user_name, "samba123@")
1076 # Create example Configuration container
1077 container_name = "test-container1"
1078 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1079 delete_force(self.ldb_admin, object_dn)
1080 self.create_configuration_container(_ldb, object_dn, )
1081 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1082 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1083 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1084 self.check_modify_inheritance(_ldb, object_dn)
1085
1086 # Custom descriptor tests ##################################################################
1087
1088 def test_168(self):
1089 user_name = "testuser1"
1090 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1091 # Open Ldb connection with the tested user
1092 _ldb = self.get_ldb_connection(user_name, "samba123@")
1093 # Create example Configuration container
1094 container_name = "test-container1"
1095 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1096 delete_force(self.ldb_admin, object_dn)
1097 # Create a custom security descriptor
1098 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1099 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1100 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1101 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1102 self.assertEqual("O:DAG:DA", res)
1103
1104 def test_169(self):
1105 user_name = "testuser2"
1106 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1107 # Open Ldb connection with the tested user
1108 _ldb = self.get_ldb_connection(user_name, "samba123@")
1109 # Create example Configuration container
1110 container_name = "test-container1"
1111 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1112 delete_force(self.ldb_admin, object_dn)
1113 # Create a custom security descriptor
1114 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1115 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1116 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1117 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1118 self.assertEqual("O:DAG:DA", res)
1119
1120 def test_170(self):
1121 user_name = "testuser3"
1122 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1123 # Open Ldb connection with the tested user
1124 _ldb = self.get_ldb_connection(user_name, "samba123@")
1125 # Create example Configuration container
1126 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1127 delete_force(self.ldb_admin, object_dn)
1128 self.create_configuration_container(self.ldb_admin, object_dn, )
1129 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
1130 mod = "(A;CI;CCWD;;;AU)"
1131 self.sd_utils.dacl_add_ace(object_dn, mod)
1132 # Create child object with user's credentials
1133 object_dn = "CN=test-specifier1," + object_dn
1134 delete_force(self.ldb_admin, object_dn)
1135 # Create a custom security descriptor
1136 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1137 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1138 try:
1139 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1140 except LdbError:
1141 self.fail()
1142 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1143 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1144 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1145
1146 def test_171(self):
1147 user_name = "testuser4"
1148 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1149 # Open Ldb connection with the tested user
1150 _ldb = self.get_ldb_connection(user_name, "samba123@")
1151 # Create example Configuration container
1152 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1153 delete_force(self.ldb_admin, object_dn)
1154 self.create_configuration_container(self.ldb_admin, object_dn, )
1155 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
1156 mod = "(A;CI;CCWD;;;AU)"
1157 self.sd_utils.dacl_add_ace(object_dn, mod)
1158 # Create child object with user's credentials
1159 object_dn = "CN=test-specifier1," + object_dn
1160 delete_force(self.ldb_admin, object_dn)
1161 # Create a custom security descriptor
1162 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1163 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1164 try:
1165 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1166 except LdbError:
1167 self.fail()
1168 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1169 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1170 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1171
1172 def test_172(self):
1173 user_name = "testuser5"
1174 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1175 # Open Ldb connection with the tested user
1176 _ldb = self.get_ldb_connection(user_name, "samba123@")
1177 # Create example Configuration container
1178 container_name = "test-container1"
1179 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1180 delete_force(self.ldb_admin, object_dn)
1181 # Create a custom security descriptor
1182 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1183 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1184 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1185 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1186 self.assertEqual("O:DAG:DA", res)
1187
1188 def test_173(self):
1189 user_name = "testuser6"
1190 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1191 # Open Ldb connection with the tested user
1192 _ldb = self.get_ldb_connection(user_name, "samba123@")
1193 # Create example Configuration container
1194 container_name = "test-container1"
1195 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1196 delete_force(self.ldb_admin, object_dn)
1197 # Create a custom security descriptor
1198 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1199 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1200 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1201 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1202 self.assertEqual("O:DAG:DA", res)
1203
1204 def test_174(self):
1205 user_name = "testuser7"
1206 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1207 # Open Ldb connection with the tested user
1208 _ldb = self.get_ldb_connection(user_name, "samba123@")
1209 # Create example Configuration container
1210 container_name = "test-container1"
1211 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1212 delete_force(self.ldb_admin, object_dn)
1213 # Create a custom security descriptor
1214 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1215 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1216 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1217 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1218 self.assertEqual("O:DAG:DA", res)
1219
1220 def test_175(self):
1221 user_name = "testuser8"
1222 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1223 # Open Ldb connection with the tested user
1224 _ldb = self.get_ldb_connection(user_name, "samba123@")
1225 # Create example Configuration container
1226 container_name = "test-container1"
1227 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1228 delete_force(self.ldb_admin, object_dn)
1229 # Create a custom security descriptor
1230 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1231 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1232 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1233 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1234 self.assertEqual("O:DAG:DA", res)
1235
1236 ########################################################################################
1237 # Inheritance tests for DACL
1238
1239
1240 class DaclDescriptorTests(DescriptorTests):
1241
1242 def deleteAll(self):
1243 delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1244 delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1245 delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1246 delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1247 delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1248 delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
1249 delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
1250 delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
1251 delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1252
1253 def setUp(self):
1254 super(DaclDescriptorTests, self).setUp()
1255 self.deleteAll()
1256
1257 def create_clean_ou(self, object_dn):
1258 """ Base repeating setup for unittests to follow """
1259 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE,
1260 expression="distinguishedName=%s" % object_dn)
1261 # Make sure top testing OU has been deleted before starting the test
1262 self.assertEqual(len(res), 0)
1263 self.ldb_admin.create_ou(object_dn)
1264 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1265 # Make sure there are inheritable ACEs initially
1266 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1267 # Find and remove all inherit ACEs
1268 res = re.findall(r"\(.*?\)", desc_sddl)
1269 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1270 for x in res:
1271 desc_sddl = desc_sddl.replace(x, "")
1272 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1273 # can propagate from above
1274 # remove SACL, we are not interested
1275 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1276 self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
1277 # Verify all inheritable ACEs are gone
1278 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1279 self.assertNotIn("CI", desc_sddl)
1280 self.assertNotIn("OI", desc_sddl)
1281
1282 def test_200(self):
1283 """ OU with protected flag and child group. See if the group has inherit ACEs.
1284 """
1285 ou_dn = "OU=test_inherit_ou," + self.base_dn
1286 group_dn = "CN=test_inherit_group," + ou_dn
1287 # Create inheritable-free OU
1288 self.create_clean_ou(ou_dn)
1289 # Create group child object
1290 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1291 # Make sure created group object contains NO inherit ACEs
1292 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1293 self.assertNotIn("ID", desc_sddl)
1294
1295 def test_201(self):
1296 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1297 Verify group has custom and default ACEs only.
1298 """
1299 ou_dn = "OU=test_inherit_ou," + self.base_dn
1300 group_dn = "CN=test_inherit_group," + ou_dn
1301 # Create inheritable-free OU
1302 self.create_clean_ou(ou_dn)
1303 # Create group child object using custom security descriptor
1304 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1305 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1306 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1307 # Make sure created group descriptor has NO additional ACEs
1308 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1309 self.assertEqual(desc_sddl, sddl)
1310 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1311 try:
1312 self.sd_utils.modify_sd_on_dn(group_dn, sddl)
1313 except LdbError as e:
1314 self.fail(str(e))
1315 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1316 self.assertEqual(desc_sddl, sddl)
1317
1318 def test_202(self):
1319 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1320 See if the group has any of the added ACEs.
1321 """
1322 ou_dn = "OU=test_inherit_ou," + self.base_dn
1323 group_dn = "CN=test_inherit_group," + ou_dn
1324 # Create inheritable-free OU
1325 self.create_clean_ou(ou_dn)
1326 # Add some custom non-inheritable ACEs
1327 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1328 moded = "(D;;CC;;;LG)"
1329 self.sd_utils.dacl_add_ace(ou_dn, mod)
1330 # Verify all inheritable ACEs are gone
1331 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1332 # Create group child object
1333 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1334 # Make sure created group object contains NO inherit ACEs
1335 # also make sure the added above non-inheritable ACEs are absent too
1336 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1337 self.assertNotIn("ID", desc_sddl)
1338 for x in re.findall(r"\(.*?\)", mod):
1339 self.assertNotIn(x, desc_sddl)
1340 try:
1341 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1342 except LdbError as e:
1343 self.fail(str(e))
1344 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1345 self.assertNotIn("ID", desc_sddl)
1346 for x in re.findall(r"\(.*?\)", mod):
1347 self.assertNotIn(x, desc_sddl)
1348
1349 def test_203(self):
1350 """ OU with protected flag and add 'CI' ACE, child group.
1351 See if the group has the added inherited ACE.
1352 """
1353 ou_dn = "OU=test_inherit_ou," + self.base_dn
1354 group_dn = "CN=test_inherit_group," + ou_dn
1355 # Create inheritable-free OU
1356 self.create_clean_ou(ou_dn)
1357 # Add some custom 'CI' ACE
1358 mod = "(D;CI;WP;;;DU)"
1359 moded = "(D;;CC;;;LG)"
1360 self.sd_utils.dacl_add_ace(ou_dn, mod)
1361 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1362 # Create group child object
1363 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1364 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1365 # Make sure created group object contains only the above inherited ACE
1366 # that we've added manually
1367 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1368 mod = mod.replace(";CI;", ";CIID;")
1369 self.assertIn(mod, desc_sddl)
1370 try:
1371 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1372 except LdbError as e:
1373 self.fail(str(e))
1374 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1375 self.assertIn(moded, desc_sddl)
1376 self.assertIn(mod, desc_sddl)
1377
1378 def test_204(self):
1379 """ OU with protected flag and add 'OI' ACE, child group.
1380 See if the group has the added inherited ACE.
1381 """
1382 ou_dn = "OU=test_inherit_ou," + self.base_dn
1383 group_dn = "CN=test_inherit_group," + ou_dn
1384 # Create inheritable-free OU
1385 self.create_clean_ou(ou_dn)
1386 # Add some custom 'CI' ACE
1387 mod = "(D;OI;WP;;;DU)"
1388 moded = "(D;;CC;;;LG)"
1389 self.sd_utils.dacl_add_ace(ou_dn, mod)
1390 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1391 # Create group child object
1392 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1393 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1394 # Make sure created group object contains only the above inherited ACE
1395 # that we've added manually
1396 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1397 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1398 self.assertIn(mod, desc_sddl)
1399 try:
1400 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1401 except LdbError as e:
1402 self.fail(str(e))
1403 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1404 self.assertIn(moded, desc_sddl)
1405 self.assertIn(mod, desc_sddl)
1406
1407 def test_205(self):
1408 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1409 See if the group has the added inherited ACE.
1410 """
1411 ou_dn = "OU=test_inherit_ou," + self.base_dn
1412 group_dn = "CN=test_inherit_group," + ou_dn
1413 # Create inheritable-free OU
1414 self.create_clean_ou(ou_dn)
1415 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1416 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1417 moded = "(D;;CC;;;LG)"
1418 self.sd_utils.dacl_add_ace(ou_dn, mod)
1419 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1420 # Create group child object
1421 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1422 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1423 # Make sure created group object contains only the above inherited ACE
1424 # that we've added manually
1425 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1426 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1427 self.assertIn(mod, desc_sddl)
1428 try:
1429 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1430 except LdbError as e:
1431 self.fail(str(e))
1432 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1433 self.assertIn(moded, desc_sddl)
1434 self.assertIn(mod, desc_sddl)
1435
1436 def test_206(self):
1437 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1438 See if the group has the added inherited ACE.
1439 """
1440 ou_dn = "OU=test_inherit_ou," + self.base_dn
1441 group_dn = "CN=test_inherit_group," + ou_dn
1442 # Create inheritable-free OU
1443 self.create_clean_ou(ou_dn)
1444 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1445 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1446 moded = "(D;;CC;;;LG)"
1447 self.sd_utils.dacl_add_ace(ou_dn, mod)
1448 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1449 # Create group child object
1450 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1451 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1452 # Make sure created group object contains only the above inherited ACE
1453 # that we've added manually
1454 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1455 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1456 self.assertIn(mod, desc_sddl)
1457 try:
1458 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1459 except LdbError as e:
1460 self.fail(str(e))
1461 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1462 self.assertIn(moded, desc_sddl)
1463 self.assertIn(mod, desc_sddl)
1464
1465 def test_207(self):
1466 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1467 See if the group has the added inherited ACE.
1468 """
1469 ou_dn = "OU=test_inherit_ou," + self.base_dn
1470 group_dn = "CN=test_inherit_group," + ou_dn
1471 # Create inheritable-free OU
1472 self.create_clean_ou(ou_dn)
1473 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1474 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1475 moded = "(D;;CC;;;LG)"
1476 self.sd_utils.dacl_add_ace(ou_dn, mod)
1477 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1478 # Create group child object
1479 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1480 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1481 # Make sure created group object contains only the above inherited ACE
1482 # that we've added manually
1483 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1484 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1485 self.assertIn(mod, desc_sddl)
1486 try:
1487 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1488 except LdbError as e:
1489 self.fail(str(e))
1490 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1491 self.assertIn(moded, desc_sddl)
1492 self.assertIn(mod, desc_sddl)
1493
1494 def test_208(self):
1495 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1496 See if the group has the added inherited ACE.
1497 """
1498 ou_dn = "OU=test_inherit_ou," + self.base_dn
1499 group_dn = "CN=test_inherit_group," + ou_dn
1500 # Create inheritable-free OU
1501 self.create_clean_ou(ou_dn)
1502 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1503 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1504 moded = "(D;;CC;;;LG)"
1505 self.sd_utils.dacl_add_ace(ou_dn, mod)
1506 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1507 # Create group child object
1508 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1509 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1510 # Make sure created group object contains only the above inherited ACE
1511 # that we've added manually
1512 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1513 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1514 self.assertIn(mod, desc_sddl)
1515 try:
1516 self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1517 except LdbError as e:
1518 self.fail(str(e))
1519 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1520 self.assertIn(moded, desc_sddl)
1521 self.assertIn(mod, desc_sddl)
1522
1523 def test_209(self):
1524 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1525 See if the group has the added inherited ACE.
1526 """
1527 ou_dn = "OU=test_inherit_ou," + self.base_dn
1528 group_dn = "CN=test_inherit_group," + ou_dn
1529 # Create inheritable-free OU
1530 self.create_clean_ou(ou_dn)
1531 # Add some custom 'CI' ACE
1532 mod = "(D;CI;WP;;;CO)"
1533 moded = "(D;;CC;;;LG)"
1534 self.sd_utils.dacl_add_ace(ou_dn, mod)
1535 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1536 # Create group child object
1537 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1538 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1539 # Make sure created group object contains only the above inherited ACE(s)
1540 # that we've added manually
1541 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1542 self.assertIn("(D;ID;WP;;;AU)", desc_sddl)
1543 self.assertIn("(D;CIIOID;WP;;;CO)", desc_sddl)
1544 try:
1545 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1546 except LdbError as e:
1547 self.fail(str(e))
1548 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1549 self.assertIn(moded, desc_sddl)
1550 self.assertIn("(D;ID;WP;;;DA)", desc_sddl)
1551 self.assertIn("(D;CIIOID;WP;;;CO)", desc_sddl)
1552
1553 def test_210(self):
1554 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1555 """
1556 ou_dn = "OU=test_inherit_ou," + self.base_dn
1557 group_dn = "CN=test_inherit_group," + ou_dn
1558 self.create_clean_ou(ou_dn)
1559 # Add some custom ACE
1560 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1561 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1562 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1563 # Make sure created group object does not contain the ID ace
1564 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1565 self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl)
1566
1567 def test_211(self):
1568 """ Provide ACE with CO SID, should be expanded and replaced
1569 """
1570 ou_dn = "OU=test_inherit_ou," + self.base_dn
1571 group_dn = "CN=test_inherit_group," + ou_dn
1572 # Create inheritable-free OU
1573 self.create_clean_ou(ou_dn)
1574 # Add some custom 'CI' ACE
1575 mod = "D:(D;CI;WP;;;CO)"
1576 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1577 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1578 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1579 self.assertIn("(D;;WP;;;DA)", desc_sddl)
1580 self.assertIn("(D;CIIO;WP;;;CO)", desc_sddl)
1581
1582 def test_212(self):
1583 """ Provide ACE with IO flag, should be ignored
1584 """
1585 ou_dn = "OU=test_inherit_ou," + self.base_dn
1586 group_dn = "CN=test_inherit_group," + ou_dn
1587 # Create inheritable-free OU
1588 self.create_clean_ou(ou_dn)
1589 # Add some custom 'CI' ACE
1590 mod = "D:(D;CIIO;WP;;;CO)"
1591 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1592 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1593 # Make sure created group object contains only the above inherited ACE(s)
1594 # that we've added manually
1595 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1596 self.assertIn("(D;CIIO;WP;;;CO)", desc_sddl)
1597 self.assertNotIn("(D;;WP;;;DA)", desc_sddl)
1598 self.assertNotIn("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)", desc_sddl)
1599
1600 def test_213(self):
1601 """ Provide ACE with IO flag, should be ignored
1602 """
1603 ou_dn = "OU=test_inherit_ou," + self.base_dn
1604 group_dn = "CN=test_inherit_group," + ou_dn
1605 # Create inheritable-free OU
1606 self.create_clean_ou(ou_dn)
1607 mod = "D:(D;IO;WP;;;DA)"
1608 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1609 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1610 # Make sure created group object contains only the above inherited ACE(s)
1611 # that we've added manually
1612 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1613 self.assertNotIn("(D;IO;WP;;;DA)", desc_sddl)
1614
1615 def test_214(self):
1616 """ Test behavior of ACEs containing generic rights
1617 """
1618 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1619 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1620 ou_dn2 = "OU=test_inherit_ou2," + ou_dn
1621 ou_dn3 = "OU=test_inherit_ou3," + ou_dn
1622 ou_dn4 = "OU=test_inherit_ou4," + ou_dn
1623 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1624 ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
1625 # Create inheritable-free OU
1626 mod = "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"
1627 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1628 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1629 mod = "D:(A;CI;GA;;;DU)"
1630 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1631 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1632 mod = "D:(A;CIIO;GA;;;DU)"
1633 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1634 self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
1635 mod = "D:(A;;GA;;;DU)"
1636 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1637 self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
1638 mod = "D:(A;IO;GA;;;DU)"
1639 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1640 self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
1641
1642 self.ldb_admin.create_ou(ou_dn5)
1643 self.ldb_admin.create_ou(ou_dn6)
1644
1645 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
1646 self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
1647 self.assertIn("(A;CIIO;GA;;;DU)", desc_sddl)
1648 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
1649 self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
1650 self.assertIn("(A;CIIO;GA;;;DU)", desc_sddl)
1651 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
1652 self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
1653 self.assertNotIn("(A;CIIO;GA;;;DU)", desc_sddl)
1654 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
1655 self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
1656 self.assertNotIn("(A;CIIO;GA;;;DU)", desc_sddl)
1657 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1658 self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
1659 self.assertIn("(A;CIIOID;GA;;;DU)", desc_sddl)
1660 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
1661 self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
1662 self.assertIn("(A;CIIOID;GA;;;DU)", desc_sddl)
1663
1664 def test_215(self):
1665 """ Make sure IO flag is removed in child objects
1666 """
1667 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1668 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1669 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1670 # Create inheritable-free OU
1671 mod = "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"
1672 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1673 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1674 mod = "D:(A;CIIO;WP;;;DU)"
1675 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1676 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1677 self.ldb_admin.create_ou(ou_dn5)
1678 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1679 self.assertIn("(A;CIID;WP;;;DU)", desc_sddl)
1680 self.assertNotIn("(A;CIIOID;WP;;;DU)", desc_sddl)
1681
1682 def test_216(self):
1683 """ Make sure ID ACES provided by user are ignored
1684 """
1685 ou_dn = "OU=test_inherit_ou," + self.base_dn
1686 group_dn = "CN=test_inherit_group," + ou_dn
1687 mod = "D:P(A;;WPRPLCCCDCWDRCSD;;;DA)"
1688 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1689 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1690 # Add some custom ACE
1691 mod = "D:(D;ID;WP;;;AU)"
1692 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1693 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1694 # Make sure created group object does not contain the ID ace
1695 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1696 self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl)
1697 self.assertNotIn("(A;;WP;;;AU)", desc_sddl)
1698
1699 def test_217(self):
1700 """ Make sure ID ACES provided by user are not ignored if P flag is set
1701 """
1702 ou_dn = "OU=test_inherit_ou," + self.base_dn
1703 group_dn = "CN=test_inherit_group," + ou_dn
1704 mod = "D:P(A;;WPRPLCCCDCWDRCSD;;;DA)"
1705 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1706 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1707 # Add some custom ACE
1708 mod = "D:P(A;ID;WP;;;AU)"
1709 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1710 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1711 # Make sure created group object does not contain the ID ace
1712 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1713 self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl)
1714 self.assertIn("(A;;WP;;;AU)", desc_sddl)
1715
1716 def test_ci_and_io_on_attribute(self):
1717 ou_dn = "OU=test_inherit_ou," + self.base_dn
1718 group_dn = "CN=test_inherit_group," + ou_dn
1719 # Create inheritable-free OU
1720 self.create_clean_ou(ou_dn)
1721 mod = "(OA;CIOI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1722 moded = "(D;;CC;;;LG)"
1723 self.sd_utils.dacl_add_ace(ou_dn, mod)
1724 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1725 # Create group child object
1726 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1727 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1728 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1729 mod = mod.replace(";CIOI;", ";OICIID;") # change it how it's gonna look like
1730 self.assertIn(mod, desc_sddl)
1731 try:
1732 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1733 except LdbError as e:
1734 self.fail(str(e))
1735 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1736 self.assertIn(moded, desc_sddl)
1737 self.assertIn(mod, desc_sddl)
1738
1739 def test_ci_and_np_on_attribute(self):
1740 ou_dn = "OU=test_inherit_ou," + self.base_dn
1741 group_dn = "CN=test_inherit_group," + ou_dn
1742 # Create inheritable-free OU
1743 self.create_clean_ou(ou_dn)
1744 mod = "(OA;CINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1745 moded = "(D;;CC;;;LG)"
1746 self.sd_utils.dacl_add_ace(ou_dn, mod)
1747 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1748 # Create group child object
1749 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1750 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1751 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1752 mod = mod.replace(";CINP;", ";ID;") # change it how it's gonna look like
1753 self.assertIn(mod, desc_sddl)
1754 try:
1755 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1756 except LdbError as e:
1757 self.fail(str(e))
1758 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1759 self.assertIn(moded, desc_sddl)
1760 self.assertIn(mod, desc_sddl)
1761
1762 def test_oi_and_np_on_attribute(self):
1763 ou_dn = "OU=test_inherit_ou," + self.base_dn
1764 group_dn = "CN=test_inherit_group," + ou_dn
1765 # Create inheritable-free OU
1766 self.create_clean_ou(ou_dn)
1767 mod = "(OA;OINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1768 moded = "(D;;CC;;;LG)"
1769 self.sd_utils.dacl_add_ace(ou_dn, mod)
1770 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1771 # Create group child object
1772 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1773 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1774 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1775 mod = mod.replace(";OINP;", ";ID;") # change it how it's gonna look like
1776 self.assertNotIn(mod, desc_sddl)
1777 self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
1778 try:
1779 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1780 except LdbError as e:
1781 self.fail(str(e))
1782 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1783 self.assertIn(moded, desc_sddl)
1784 self.assertNotIn(mod, desc_sddl)
1785 self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
1786
1787 def test_ci_ga_no_attr_objectclass_same(self):
1788 ou_dn = "OU=test_inherit_ou," + self.base_dn
1789 group_dn = "CN=test_inherit_group," + ou_dn
1790 # Create inheritable-free OU
1791 self.create_clean_ou(ou_dn)
1792 mod = "(OA;CI;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1793 modob = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
1794 modid = "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1795 moded = "(D;;CC;;;LG)"
1796 self.sd_utils.dacl_add_ace(ou_dn, mod)
1797 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1798 # Create group child object
1799 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1800 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1801 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1802 self.assertIn(modob, desc_sddl)
1803 self.assertIn(modid, desc_sddl)
1804 try:
1805 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1806 except LdbError as e:
1807 self.fail(str(e))
1808 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1809 self.assertIn(moded, desc_sddl)
1810 self.assertIn(modob, desc_sddl)
1811 self.assertIn(modid, desc_sddl)
1812
1813 def test_ci_ga_no_attr_objectclass_different(self):
1814 ou_dn = "OU=test_inherit_ou," + self.base_dn
1815 group_dn = "CN=test_inherit_group," + ou_dn
1816 # Create inheritable-free OU
1817 self.create_clean_ou(ou_dn)
1818 mod = "(OA;CI;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1819 modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
1820 modid = "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1821 moded = "(D;;CC;;;LG)"
1822 self.sd_utils.dacl_add_ace(ou_dn, mod)
1823 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1824 # Create group child object
1825 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1826 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1827 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1828 self.assertNotIn(modno, desc_sddl)
1829 self.assertIn(modid, desc_sddl)
1830 try:
1831 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1832 except LdbError as e:
1833 self.fail(str(e))
1834 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1835 self.assertIn(moded, desc_sddl)
1836 self.assertNotIn(modno, desc_sddl)
1837 self.assertIn(modid, desc_sddl)
1838
1839 def test_ci_ga_name_attr_objectclass_same(self):
1840 ou_dn = "OU=test_inherit_ou," + self.base_dn
1841 group_dn = "CN=test_inherit_group," + ou_dn
1842 # Create inheritable-free OU
1843 self.create_clean_ou(ou_dn)
1844 mod = "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1845 modob = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
1846 modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1847 moded = "(D;;CC;;;LG)"
1848 self.sd_utils.dacl_add_ace(ou_dn, mod)
1849 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1850 # Create group child object
1851 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1852 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1853 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1854 self.assertIn(modob, desc_sddl)
1855 self.assertIn(modid, desc_sddl)
1856 try:
1857 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1858 except LdbError as e:
1859 self.fail(str(e))
1860 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1861 self.assertIn(moded, desc_sddl)
1862 self.assertIn(modob, desc_sddl)
1863 self.assertIn(modid, desc_sddl)
1864
1865 def test_ci_ga_name_attr_objectclass_different(self):
1866 ou_dn = "OU=test_inherit_ou," + self.base_dn
1867 group_dn = "CN=test_inherit_group," + ou_dn
1868 # Create inheritable-free OU
1869 self.create_clean_ou(ou_dn)
1870 mod = "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1871 modno = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
1872 modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1873 moded = "(D;;CC;;;LG)"
1874 self.sd_utils.dacl_add_ace(ou_dn, mod)
1875 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1876 # Create group child object
1877 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1878 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1879 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1880 self.assertNotIn(modno, desc_sddl)
1881 self.assertIn(modid, desc_sddl)
1882 try:
1883 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1884 except LdbError as e:
1885 self.fail(str(e))
1886 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1887 self.assertIn(moded, desc_sddl)
1888 self.assertNotIn(modno, desc_sddl)
1889 self.assertIn(modid, desc_sddl)
1890
1891 def test_ci_lc_no_attr_objectclass_same(self):
1892 ou_dn = "OU=test_inherit_ou," + self.base_dn
1893 group_dn = "CN=test_inherit_group," + ou_dn
1894 # Create inheritable-free OU
1895 self.create_clean_ou(ou_dn)
1896 mod = "(OA;CI;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1897 modno = "(A;ID;LC;;;DA)"
1898 modid = "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1899 moded = "(D;;CC;;;LG)"
1900 self.sd_utils.dacl_add_ace(ou_dn, mod)
1901 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1902 # Create group child object
1903 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1904 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1905 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1906 self.assertNotIn(modno, desc_sddl)
1907 self.assertIn(modid, desc_sddl)
1908 try:
1909 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1910 except LdbError as e:
1911 self.fail(str(e))
1912 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1913 self.assertIn(moded, desc_sddl)
1914 self.assertNotIn(modno, desc_sddl)
1915 self.assertIn(modid, desc_sddl)
1916
1917 def test_ci_lc_no_attr_objectclass_different(self):
1918 ou_dn = "OU=test_inherit_ou," + self.base_dn
1919 group_dn = "CN=test_inherit_group," + ou_dn
1920 # Create inheritable-free OU
1921 self.create_clean_ou(ou_dn)
1922 mod = "(OA;CI;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1923 modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
1924 modid = "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1925 moded = "(D;;CC;;;LG)"
1926 self.sd_utils.dacl_add_ace(ou_dn, mod)
1927 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1928 # Create group child object
1929 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1930 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1931 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1932 self.assertNotIn(modno, desc_sddl)
1933 self.assertIn(modid, desc_sddl)
1934 try:
1935 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1936 except LdbError as e:
1937 self.fail(str(e))
1938 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1939 self.assertIn(moded, desc_sddl)
1940 self.assertNotIn(modno, desc_sddl)
1941 self.assertIn(modid, desc_sddl)
1942
1943 def test_ci_lc_name_attr_objectclass_same(self):
1944 ou_dn = "OU=test_inherit_ou," + self.base_dn
1945 group_dn = "CN=test_inherit_group," + ou_dn
1946 # Create inheritable-free OU
1947 self.create_clean_ou(ou_dn)
1948 mod = "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1949 modob = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
1950 modid = "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1951 moded = "(D;;CC;;;LG)"
1952 self.sd_utils.dacl_add_ace(ou_dn, mod)
1953 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1954 # Create group child object
1955 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1956 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1957 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1958 self.assertNotIn(modob, desc_sddl)
1959 self.assertIn(modid, desc_sddl)
1960 try:
1961 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1962 except LdbError as e:
1963 self.fail(str(e))
1964 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1965 self.assertIn(moded, desc_sddl)
1966 self.assertNotIn(modob, desc_sddl)
1967 self.assertIn(modid, desc_sddl)
1968
1969 def test_ci_lc_name_attr_objectclass_different(self):
1970 ou_dn = "OU=test_inherit_ou," + self.base_dn
1971 group_dn = "CN=test_inherit_group," + ou_dn
1972 # Create inheritable-free OU
1973 self.create_clean_ou(ou_dn)
1974 mod = "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1975 modno = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
1976 modid = "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1977 moded = "(D;;CC;;;LG)"
1978 self.sd_utils.dacl_add_ace(ou_dn, mod)
1979 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1980 # Create group child object
1981 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1982 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1983 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1984 self.assertNotIn(modno, desc_sddl)
1985 self.assertIn(modid, desc_sddl)
1986 try:
1987 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1988 except LdbError as e:
1989 self.fail(str(e))
1990 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1991 self.assertIn(moded, desc_sddl)
1992 self.assertNotIn(modno, desc_sddl)
1993 self.assertIn(modid, desc_sddl)
1994
1995 def test_ci_np_ga_no_attr_objectclass_same(self):
1996 ou_dn = "OU=test_inherit_ou," + self.base_dn
1997 group_dn = "CN=test_inherit_group," + ou_dn
1998 # Create inheritable-free OU
1999 self.create_clean_ou(ou_dn)
2000 # Add some custom 'OA' for 'name' attribute & 'CI'+'OI' ACE
2001 mod = "(OA;CINP;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2002 modob = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
2003 modid = "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2004 moded = "(D;;CC;;;LG)"
2005 self.sd_utils.dacl_add_ace(ou_dn, mod)
2006 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2007 # Create group child object
2008 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
2009 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
2010 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2011 self.assertIn(modob, desc_sddl)
2012 self.assertNotIn(modid, desc_sddl)
2013 self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
2014 try:
2015 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
2016 except LdbError as e:
2017 self.fail(str(e))
2018 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2019 self.assertIn(moded, desc_sddl)
2020 self.assertNotIn(modid, desc_sddl)
2021 self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
2022
2023 def test_ci_np_ga_no_attr_objectclass_different(self):
2024 ou_dn = "OU=test_inherit_ou," + self.base_dn
2025 group_dn = "CN=test_inherit_group," + ou_dn
2026 # Create inheritable-free OU
2027 self.create_clean_ou(ou_dn)
2028 mod = "(OA;CINP;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2029 modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
2030 modid = "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2031 moded = "(D;;CC;;;LG)"
2032 self.sd_utils.dacl_add_ace(ou_dn, mod)
2033 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2034 # Create group child object
2035 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
2036 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
2037 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2038 self.assertNotIn(modno, desc_sddl)
2039 self.assertNotIn(modid, desc_sddl)
2040 self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
2041 try:
2042 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
2043 except LdbError as e:
2044 self.fail(str(e))
2045 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2046 self.assertIn(moded, desc_sddl)
2047 self.assertNotIn(modno, desc_sddl)
2048 self.assertNotIn(modid, desc_sddl)
2049 self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
2050
2051 def test_ci_np_ga_name_attr_objectclass_same(self):
2052 ou_dn = "OU=test_inherit_ou," + self.base_dn
2053 group_dn = "CN=test_inherit_group," + ou_dn
2054 # Create inheritable-free OU
2055 self.create_clean_ou(ou_dn)
2056 mod = "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2057 modob = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
2058 modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2059 moded = "(D;;CC;;;LG)"
2060 self.sd_utils.dacl_add_ace(ou_dn, mod)
2061 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2062 # Create group child object
2063 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
2064 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
2065 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2066 self.assertIn(modob, desc_sddl)
2067 self.assertNotIn(modid, desc_sddl)
2068 self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
2069 try:
2070 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
2071 except LdbError as e:
2072 self.fail(str(e))
2073 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2074 self.assertIn(moded, desc_sddl)
2075 self.assertIn(modob, desc_sddl)
2076 self.assertNotIn(modid, desc_sddl)
2077 self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
2078
2079 def test_ci_np_ga_name_attr_objectclass_different(self):
2080 ou_dn = "OU=test_inherit_ou," + self.base_dn
2081 group_dn = "CN=test_inherit_group," + ou_dn
2082 # Create inheritable-free OU
2083 self.create_clean_ou(ou_dn)
2084 mod = "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2085 moded = "(D;;CC;;;LG)"
2086 self.sd_utils.dacl_add_ace(ou_dn, mod)
2087 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2088 # Create group child object
2089 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
2090 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
2091 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2092 self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
2093 self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
2094 try:
2095 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
2096 except LdbError as e:
2097 self.fail(str(e))
2098 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2099 self.assertIn(moded, desc_sddl)
2100 self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
2101 self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
2102
2103 def test_ci_np_lc_no_attr_objectclass_same(self):
2104 ou_dn = "OU=test_inherit_ou," + self.base_dn
2105 group_dn = "CN=test_inherit_group," + ou_dn
2106 # Create inheritable-free OU
2107 self.create_clean_ou(ou_dn)
2108 mod = "(OA;CINP;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2109 modno = "(A;ID;LC;;;DA)"
2110 modid = "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2111 moded = "(D;;CC;;;LG)"
2112 self.sd_utils.dacl_add_ace(ou_dn, mod)
2113 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2114 # Create group child object
2115 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
2116 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
2117 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2118 self.assertIn(modno, desc_sddl)
2119 self.assertNotIn(modid, desc_sddl)
2120 self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
2121 try:
2122 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
2123 except LdbError as e:
2124 self.fail(str(e))
2125 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2126 self.assertIn(moded, desc_sddl)
2127 self.assertIn(modno, desc_sddl)
2128 self.assertNotIn(modid, desc_sddl)
2129 self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
2130
2131 def test_ci_np_lc_no_attr_objectclass_different(self):
2132 ou_dn = "OU=test_inherit_ou," + self.base_dn
2133 group_dn = "CN=test_inherit_group," + ou_dn
2134 # Create inheritable-free OU
2135 self.create_clean_ou(ou_dn)
2136 mod = "(OA;CINP;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2137 modno = "(A;ID;LC;;;DA)"
2138 modid = "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2139 moded = "(D;;CC;;;LG)"
2140 self.sd_utils.dacl_add_ace(ou_dn, mod)
2141 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2142 # Create group child object
2143 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
2144 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
2145 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2146 self.assertNotIn(modno, desc_sddl)
2147 self.assertNotIn(modid, desc_sddl)
2148 self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
2149 try:
2150 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
2151 except LdbError as e:
2152 self.fail(str(e))
2153 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2154 self.assertIn(moded, desc_sddl)
2155 self.assertNotIn(modno, desc_sddl)
2156 self.assertNotIn(modid, desc_sddl)
2157 self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
2158
2159 def test_ci_np_lc_name_attr_objectclass_same(self):
2160 ou_dn = "OU=test_inherit_ou," + self.base_dn
2161 group_dn = "CN=test_inherit_group," + ou_dn
2162 # Create inheritable-free OU
2163 self.create_clean_ou(ou_dn)
2164 mod = "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2165 modob = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
2166 modid = "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2167 moded = "(D;;CC;;;LG)"
2168 self.sd_utils.dacl_add_ace(ou_dn, mod)
2169 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2170 # Create group child object
2171 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
2172 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
2173 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2174 self.assertIn(modob, desc_sddl)
2175 self.assertNotIn(modid, desc_sddl)
2176 self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
2177 try:
2178 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
2179 except LdbError as e:
2180 self.fail(str(e))
2181 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2182 self.assertIn(moded, desc_sddl)
2183 self.assertIn(modob, desc_sddl)
2184 self.assertNotIn(modid, desc_sddl)
2185 self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
2186
2187 def test_ci_np_lc_name_attr_objectclass_different(self):
2188 ou_dn = "OU=test_inherit_ou," + self.base_dn
2189 group_dn = "CN=test_inherit_group," + ou_dn
2190 # Create inheritable-free OU
2191 self.create_clean_ou(ou_dn)
2192 mod = "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2193 modno = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
2194 modid = "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2195 moded = "(D;;CC;;;LG)"
2196 self.sd_utils.dacl_add_ace(ou_dn, mod)
2197 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2198 # Create group child object
2199 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
2200 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
2201 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2202 self.assertNotIn(modno, desc_sddl)
2203 self.assertNotIn(modid, desc_sddl)
2204 self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
2205 self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
2206 try:
2207 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
2208 except LdbError as e:
2209 self.fail(str(e))
2210 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
2211 self.assertIn(moded, desc_sddl)
2212 self.assertNotIn(modno, desc_sddl)
2213 self.assertNotIn(modid, desc_sddl)
2214 self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
2215 self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
2216
2217 ########################################################################################
2218
2219
2220 class SdFlagsDescriptorTests(DescriptorTests):
2221 def deleteAll(self):
2222 delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
2223
2224 def setUp(self):
2225 super(SdFlagsDescriptorTests, self).setUp()
2226 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
2227 self.deleteAll()
2228
2229 def test_301(self):
2230 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
2231 See that only the owner has been changed.
2232 """
2233 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2234 self.ldb_admin.create_ou(ou_dn)
2235 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
2236 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2237 # make sure we have modified the owner
2238 self.assertIn("O:AU", desc_sddl)
2239 # make sure nothing else has been modified
2240 self.assertNotIn("G:AU", desc_sddl)
2241 self.assertNotIn("D:(D;;CC;;;LG)", desc_sddl)
2242 self.assertNotIn("(OU;;WP;;;AU)", desc_sddl)
2243
2244 def test_302(self):
2245 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
2246 See that only the owner has been changed.
2247 """
2248 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2249 self.ldb_admin.create_ou(ou_dn)
2250 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
2251 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2252 # make sure we have modified the group
2253 self.assertIn("G:AU", desc_sddl)
2254 # make sure nothing else has been modified
2255 self.assertNotIn("O:AU", desc_sddl)
2256 self.assertNotIn("D:(D;;CC;;;LG)", desc_sddl)
2257 self.assertNotIn("(OU;;WP;;;AU)", desc_sddl)
2258
2259 def test_303(self):
2260 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
2261 See that only the owner has been changed.
2262 """
2263 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2264 self.ldb_admin.create_ou(ou_dn)
2265 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
2266 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2267 # make sure we have modified the DACL
2268 self.assertIn("(D;;CC;;;LG)", desc_sddl)
2269 # make sure nothing else has been modified
2270 self.assertNotIn("O:AU", desc_sddl)
2271 self.assertNotIn("G:AU", desc_sddl)
2272 self.assertNotIn("(OU;;WP;;;AU)", desc_sddl)
2273
2274 def test_304(self):
2275 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
2276 See that only the owner has been changed.
2277 """
2278 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2279 self.ldb_admin.create_ou(ou_dn)
2280 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
2281 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2282 # make sure we have modified the DACL
2283 self.assertIn("(OU;;WP;;;AU)", desc_sddl)
2284 # make sure nothing else has been modified
2285 self.assertNotIn("O:AU", desc_sddl)
2286 self.assertNotIn("G:AU", desc_sddl)
2287 self.assertNotIn("(D;;CC;;;LG)", desc_sddl)
2288
2289 def test_305(self):
2290 """ Modify a descriptor with 0x0 set.
2291 Contrary to logic this is interpreted as no control,
2292 which is the same as 0xF
2293 """
2294 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2295 self.ldb_admin.create_ou(ou_dn)
2296 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
2297 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2298 # make sure we have modified the DACL
2299 self.assertIn("(OU;;WP;;;AU)", desc_sddl)
2300 # make sure nothing else has been modified
2301 self.assertIn("O:AU", desc_sddl)
2302 self.assertIn("G:AU", desc_sddl)
2303 self.assertIn("(D;;CC;;;LG)", desc_sddl)
2304
2305 def test_306(self):
2306 """ Modify a descriptor with 0xF set.
2307 """
2308 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2309 self.ldb_admin.create_ou(ou_dn)
2310 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
2311 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
2312 # make sure we have modified the DACL
2313 self.assertIn("(OU;;WP;;;AU)", desc_sddl)
2314 # make sure nothing else has been modified
2315 self.assertIn("O:AU", desc_sddl)
2316 self.assertIn("G:AU", desc_sddl)
2317 self.assertIn("(D;;CC;;;LG)", desc_sddl)
2318
2319 def test_307(self):
2320 """ Read a descriptor with OWNER_SECURITY_INFORMATION
2321 Only the owner part should be returned.
2322 """
2323 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2324 self.ldb_admin.create_ou(ou_dn)
2325 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
2326 # make sure we have read the owner
2327 self.assertIn("O:", desc_sddl)
2328 # make sure we have read nothing else
2329 self.assertNotIn("G:", desc_sddl)
2330 self.assertNotIn("D:", desc_sddl)
2331 self.assertNotIn("S:", desc_sddl)
2332
2333 def test_308(self):
2334 """ Read a descriptor with GROUP_SECURITY_INFORMATION
2335 Only the group part should be returned.
2336 """
2337 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2338 self.ldb_admin.create_ou(ou_dn)
2339 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
2340 # make sure we have read the owner
2341 self.assertIn("G:", desc_sddl)
2342 # make sure we have read nothing else
2343 self.assertNotIn("O:", desc_sddl)
2344 self.assertNotIn("D:", desc_sddl)
2345 self.assertNotIn("S:", desc_sddl)
2346
2347 def test_309(self):
2348 """ Read a descriptor with SACL_SECURITY_INFORMATION
2349 Only the sacl part should be returned.
2350 """
2351 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2352 self.ldb_admin.create_ou(ou_dn)
2353 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
2354 # make sure we have read the owner
2355 self.assertIn("S:", desc_sddl)
2356 # make sure we have read nothing else
2357 self.assertNotIn("O:", desc_sddl)
2358 self.assertNotIn("D:", desc_sddl)
2359 self.assertNotIn("G:", desc_sddl)
2360
2361 def test_310(self):
2362 """ Read a descriptor with DACL_SECURITY_INFORMATION
2363 Only the dacl part should be returned.
2364 """
2365 ou_dn = "OU=test_sdflags_ou," + self.base_dn
2366 self.ldb_admin.create_ou(ou_dn)
2367 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
2368 # make sure we have read the owner
2369 self.assertIn("D:", desc_sddl)
2370 # make sure we have read nothing else
2371 self.assertNotIn("O:", desc_sddl)
2372 self.assertNotIn("S:", desc_sddl)
2373 self.assertNotIn("G:", desc_sddl)
2374
2375 def test_311(self):
2376 sd_flags = (SECINFO_OWNER |
2377 SECINFO_GROUP |
2378 SECINFO_DACL |
2379 SECINFO_SACL)
2380
2381 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2382 [], controls=None)
2383 self.assertNotIn("nTSecurityDescriptor", res[0])
2384
2385 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2386 ["name"], controls=None)
2387 self.assertNotIn("nTSecurityDescriptor", res[0])
2388
2389 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2390 ["name"], controls=["sd_flags:1:%d" % (sd_flags)])
2391 self.assertNotIn("nTSecurityDescriptor", res[0])
2392
2393 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2394 controls=["sd_flags:1:%d" % (sd_flags)])
2395 self.assertIn("nTSecurityDescriptor", res[0])
2396 tmp = res[0]["nTSecurityDescriptor"][0]
2397 sd = ndr_unpack(security.descriptor, tmp)
2398 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2399 self.assertIn("O:", sddl)
2400 self.assertIn("G:", sddl)
2401 self.assertIn("D:", sddl)
2402 self.assertIn("S:", sddl)
2403
2404 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2405 ["*"], controls=["sd_flags:1:%d" % (sd_flags)])
2406 self.assertIn("nTSecurityDescriptor", res[0])
2407 tmp = res[0]["nTSecurityDescriptor"][0]
2408 sd = ndr_unpack(security.descriptor, tmp)
2409 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2410 self.assertIn("O:", sddl)
2411 self.assertIn("G:", sddl)
2412 self.assertIn("D:", sddl)
2413 self.assertIn("S:", sddl)
2414
2415 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2416 ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)])
2417 self.assertIn("nTSecurityDescriptor", res[0])
2418 tmp = res[0]["nTSecurityDescriptor"][0]
2419 sd = ndr_unpack(security.descriptor, tmp)
2420 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2421 self.assertIn("O:", sddl)
2422 self.assertIn("G:", sddl)
2423 self.assertIn("D:", sddl)
2424 self.assertIn("S:", sddl)
2425
2426 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2427 ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
2428 self.assertIn("nTSecurityDescriptor", res[0])
2429 tmp = res[0]["nTSecurityDescriptor"][0]
2430 sd = ndr_unpack(security.descriptor, tmp)
2431 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2432 self.assertIn("O:", sddl)
2433 self.assertIn("G:", sddl)
2434 self.assertIn("D:", sddl)
2435 self.assertIn("S:", sddl)
2436
2437 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2438 ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)])
2439 self.assertIn("nTSecurityDescriptor", res[0])
2440 tmp = res[0]["nTSecurityDescriptor"][0]
2441 sd = ndr_unpack(security.descriptor, tmp)
2442 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2443 self.assertIn("O:", sddl)
2444 self.assertIn("G:", sddl)
2445 self.assertIn("D:", sddl)
2446 self.assertIn("S:", sddl)
2447
2448 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2449 ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
2450 self.assertIn("nTSecurityDescriptor", res[0])
2451 tmp = res[0]["nTSecurityDescriptor"][0]
2452 sd = ndr_unpack(security.descriptor, tmp)
2453 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2454 self.assertIn("O:", sddl)
2455 self.assertIn("G:", sddl)
2456 self.assertIn("D:", sddl)
2457 self.assertIn("S:", sddl)
2458
2459 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2460 ["nTSecurityDescriptor"], controls=None)
2461 self.assertIn("nTSecurityDescriptor", res[0])
2462 tmp = res[0]["nTSecurityDescriptor"][0]
2463 sd = ndr_unpack(security.descriptor, tmp)
2464 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2465 self.assertIn("O:", sddl)
2466 self.assertIn("G:", sddl)
2467 self.assertIn("D:", sddl)
2468 self.assertIn("S:", sddl)
2469
2470 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2471 ["name", "nTSecurityDescriptor"], controls=None)
2472 self.assertIn("nTSecurityDescriptor", res[0])
2473 tmp = res[0]["nTSecurityDescriptor"][0]
2474 sd = ndr_unpack(security.descriptor, tmp)
2475 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2476 self.assertIn("O:", sddl)
2477 self.assertIn("G:", sddl)
2478 self.assertIn("D:", sddl)
2479 self.assertIn("S:", sddl)
2480
2481 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
2482 ["nTSecurityDescriptor", "name"], controls=None)
2483 self.assertIn("nTSecurityDescriptor", res[0])
2484 tmp = res[0]["nTSecurityDescriptor"][0]
2485 sd = ndr_unpack(security.descriptor, tmp)
2486 sddl = sd.as_sddl(self.sd_utils.domain_sid)
2487 self.assertIn("O:", sddl)
2488 self.assertIn("G:", sddl)
2489 self.assertIn("D:", sddl)
2490 self.assertIn("S:", sddl)
2491
2492 def test_312(self):
2493 """This search is done by the windows dc join..."""
2494
2495 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"],
2496 controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"])
2497 self.assertNotIn("nTSecurityDescriptor", res[0])
2498
2499
2500 class RightsAttributesTests(DescriptorTests):
2501
2502 def deleteAll(self):
2503 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
2504 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
2505 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
2506
2507 def setUp(self):
2508 super(RightsAttributesTests, self).setUp()
2509 self.deleteAll()
2510 # Create users
2511 # User 1
2512 self.ldb_admin.newuser("testuser_attr", "samba123@")
2513 # User 2, Domain Admins
2514 self.ldb_admin.newuser("testuser_attr2", "samba123@")
2515 self.ldb_admin.add_remove_group_members("Domain Admins",
2516 ["testuser_attr2"],
2517 add_members_operation=True)
2518
2519 def test_sDRightsEffective(self):
2520 object_dn = "OU=test_domain_ou1," + self.base_dn
2521 delete_force(self.ldb_admin, object_dn)
2522 self.ldb_admin.create_ou(object_dn)
2523 print(self.get_users_domain_dn("testuser_attr"))
2524 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2525 # give testuser1 read access so attributes can be retrieved
2526 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2527 self.sd_utils.dacl_add_ace(object_dn, mod)
2528 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2529 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2530 attrs=["sDRightsEffective"])
2531 # user should have no rights at all
2532 self.assertEqual(len(res), 1)
2533 self.assertEqual(str(res[0]["sDRightsEffective"][0]), "0")
2534 # give the user Write DACL and see what happens
2535 mod = "(A;CI;WD;;;%s)" % str(user_sid)
2536 self.sd_utils.dacl_add_ace(object_dn, mod)
2537 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2538 attrs=["sDRightsEffective"])
2539 # user should have DACL_SECURITY_INFORMATION
2540 self.assertEqual(len(res), 1)
2541 self.assertEqual(str(res[0]["sDRightsEffective"][0]), ("%d") % SECINFO_DACL)
2542 # give the user Write Owners and see what happens
2543 mod = "(A;CI;WO;;;%s)" % str(user_sid)
2544 self.sd_utils.dacl_add_ace(object_dn, mod)
2545 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2546 attrs=["sDRightsEffective"])
2547 # user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2548 self.assertEqual(len(res), 1)
2549 self.assertEqual(str(res[0]["sDRightsEffective"][0]), ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
2550 # no way to grant security privilege bu adding ACE's so we use a member of Domain Admins
2551 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
2552 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2553 attrs=["sDRightsEffective"])
2554 # user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2555 self.assertEqual(len(res), 1)
2556 self.assertEqual(str(res[0]["sDRightsEffective"][0]),
2557 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
2558
2559 def test_allowedChildClassesEffective(self):
2560 object_dn = "OU=test_domain_ou1," + self.base_dn
2561 delete_force(self.ldb_admin, object_dn)
2562 self.ldb_admin.create_ou(object_dn)
2563 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2564 # give testuser1 read access so attributes can be retrieved
2565 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2566 self.sd_utils.dacl_add_ace(object_dn, mod)
2567 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2568 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2569 attrs=["allowedChildClassesEffective"])
2570 # there should be no allowed child classes
2571 self.assertEqual(len(res), 1)
2572 self.assertNotIn("allowedChildClassesEffective", res[0].keys())
2573 # give the user the right to create children of type user
2574 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2575 self.sd_utils.dacl_add_ace(object_dn, mod)
2576 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2577 attrs=["allowedChildClassesEffective"])
2578 # allowedChildClassesEffective should only have one value, user
2579 self.assertEqual(len(res), 1)
2580 self.assertEqual(len(res[0]["allowedChildClassesEffective"]), 1)
2581 self.assertEqual(str(res[0]["allowedChildClassesEffective"][0]), "user")
2582
2583 def test_allowedAttributesEffective(self):
2584 object_dn = "OU=test_domain_ou1," + self.base_dn
2585 delete_force(self.ldb_admin, object_dn)
2586 self.ldb_admin.create_ou(object_dn)
2587 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2588 # give testuser1 read access so attributes can be retrieved
2589 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2590 self.sd_utils.dacl_add_ace(object_dn, mod)
2591 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2592 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2593 attrs=["allowedAttributesEffective"])
2594 # there should be no allowed attributes
2595 self.assertEqual(len(res), 1)
2596 self.assertNotIn("allowedAttributesEffective", res[0].keys())
2597 # give the user the right to write displayName and managedBy
2598 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2599 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
2600 # also rights to modify an read only attribute, fromEntry
2601 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
2602 self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
2603 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2604 attrs=["allowedAttributesEffective"])
2605 # value should only contain user and managedBy
2606 self.assertEqual(len(res), 1)
2607 self.assertEqual(len(res[0]["allowedAttributesEffective"]), 2)
2608 self.assertIn(b"displayName", res[0]["allowedAttributesEffective"])
2609 self.assertIn(b"managedBy", res[0]["allowedAttributesEffective"])
2610
2611
2612 class SdAutoInheritTests(DescriptorTests):
2613 def deleteAll(self):
2614 delete_force(self.ldb_admin, self.sub_dn)
2615 delete_force(self.ldb_admin, self.ou_dn)
2616
2617 def setUp(self):
2618 super(SdAutoInheritTests, self).setUp()
2619 self.ou_dn = "OU=test_SdAutoInherit_ou," + self.base_dn
2620 self.sub_dn = "OU=test_sub," + self.ou_dn
2621 self.deleteAll()
2622
2623 def test_301(self):
2624 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
2625 See that only the owner has been changed.
2626 """
2627 attrs = ["nTSecurityDescriptor", "replPropertyMetaData", "uSNChanged"]
2628 controls = ["sd_flags:1:%d" % (SECINFO_DACL)]
2629 ace = "(A;CI;CC;;;NU)"
2630 sub_ace = "(A;CIID;CC;;;NU)"
2631 sd_sddl = "O:BAG:BAD:P(A;CI;0x000f01ff;;;AU)"
2632 sd = security.descriptor.from_sddl(sd_sddl, self.domain_sid)
2633
2634 self.ldb_admin.create_ou(self.ou_dn, sd=sd)
2635 self.ldb_admin.create_ou(self.sub_dn)
2636
2637 ou_res0 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2638 None, attrs, controls=controls)
2639 sub_res0 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2640 None, attrs, controls=controls)
2641
2642 ou_sd0 = ndr_unpack(security.descriptor, ou_res0[0]["nTSecurityDescriptor"][0])
2643 sub_sd0 = ndr_unpack(security.descriptor, sub_res0[0]["nTSecurityDescriptor"][0])
2644
2645 ou_sddl0 = ou_sd0.as_sddl(self.domain_sid)
2646 sub_sddl0 = sub_sd0.as_sddl(self.domain_sid)
2647
2648 self.assertNotIn(ace, ou_sddl0)
2649 self.assertNotIn(ace, sub_sddl0)
2650
2651 ou_sddl1 = (ou_sddl0[:ou_sddl0.index("(")] + ace +
2652 ou_sddl0[ou_sddl0.index("("):])
2653
2654 sub_sddl1 = (sub_sddl0[:sub_sddl0.index("(")] + ace +
2655 sub_sddl0[sub_sddl0.index("("):])
2656
2657 self.sd_utils.modify_sd_on_dn(self.ou_dn, ou_sddl1, controls=controls)
2658
2659 self.sd_utils.modify_sd_on_dn(self.sub_dn, sub_sddl1, controls=controls)
2660
2661 sub_res2 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2662 None, attrs, controls=controls)
2663 ou_res2 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2664 None, attrs, controls=controls)
2665
2666 ou_sd2 = ndr_unpack(security.descriptor, ou_res2[0]["nTSecurityDescriptor"][0])
2667 sub_sd2 = ndr_unpack(security.descriptor, sub_res2[0]["nTSecurityDescriptor"][0])
2668
2669 ou_sddl2 = ou_sd2.as_sddl(self.domain_sid)
2670 sub_sddl2 = sub_sd2.as_sddl(self.domain_sid)
2671
2672 self.assertNotEqual(ou_sddl2, ou_sddl0)
2673 self.assertNotEqual(sub_sddl2, sub_sddl0)
2674
2675 if ace not in ou_sddl2:
2676 print("ou0: %s" % ou_sddl0)
2677 print("ou2: %s" % ou_sddl2)
2678
2679 if sub_ace not in sub_sddl2:
2680 print("sub0: %s" % sub_sddl0)
2681 print("sub2: %s" % sub_sddl2)
2682
2683 self.assertIn(ace, ou_sddl2)
2684 self.assertIn(sub_ace, sub_sddl2)
2685
2686 ou_usn0 = int(ou_res0[0]["uSNChanged"][0])
2687 ou_usn2 = int(ou_res2[0]["uSNChanged"][0])
2688 self.assertGreater(ou_usn2, ou_usn0)
2689
2690 sub_usn0 = int(sub_res0[0]["uSNChanged"][0])
2691 sub_usn2 = int(sub_res2[0]["uSNChanged"][0])
2692 self.assertGreater(sub_usn2, sub_usn0)
2693
2694
2695 if "://" not in host:
2696 if os.path.isfile(host):
2697 host = "tdb://%s" % host
2698 else:
2699 host = "ldap://%s" % host
2700
2701 # use 'paged_search' module when connecting remotely
2702 if host.lower().startswith("ldap://"):
2703 ldb_options = ["modules:paged_searches"]
2704
2705 TestProgram(module=__name__, opts=subunitopts)
Samba GIT mirror