2 # -*- coding: utf-8 -*-
11 sys
.path
.insert(0, "bin/python")
14 from samba
.tests
.subunitrun
import SubunitOptions
, TestProgram
16 import samba
.getopt
as options
18 # Some error messages that are being tested
19 from ldb
import SCOPE_SUBTREE
, SCOPE_BASE
, LdbError
, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba
.ndr
import ndr_pack
, ndr_unpack
23 from samba
.dcerpc
import security
25 from samba
import gensec
, sd_utils
26 from samba
.samdb
import SamDB
27 from samba
.credentials
import Credentials
, DONT_USE_KERBEROS
28 from samba
.auth
import system_session
29 from samba
.dsdb
import DS_DOMAIN_FUNCTION_2008
30 from samba
.dcerpc
.security
import (
31 SECINFO_OWNER
, SECINFO_GROUP
, SECINFO_DACL
, SECINFO_SACL
)
33 from samba
.tests
import delete_force
35 parser
= optparse
.OptionParser("sec_descriptor.py [options] <host>")
36 sambaopts
= options
.SambaOptions(parser
)
37 parser
.add_option_group(sambaopts
)
38 parser
.add_option_group(options
.VersionOptions(parser
))
40 # use command line creds if available
41 credopts
= options
.CredentialsOptions(parser
)
42 parser
.add_option_group(credopts
)
43 subunitopts
= SubunitOptions(parser
)
44 parser
.add_option_group(subunitopts
)
46 opts
, args
= parser
.parse_args()
54 lp
= sambaopts
.get_loadparm()
55 creds
= credopts
.get_credentials(lp
)
56 creds
.set_gensec_features(creds
.get_gensec_features() | gensec
.FEATURE_SEAL
)
63 class DescriptorTests(samba
.tests
.TestCase
):
65 def get_users_domain_dn(self
, name
):
66 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
68 def create_schema_class(self
, _ldb
, desc
=None):
70 class_id
= random
.randint(0, 65535)
71 class_name
= "descriptor-test-class%s" % class_id
72 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
74 self
.ldb_admin
.search(base
=class_dn
, attrs
=["name"])
77 self
.assertEqual(num
, ERR_NO_SUCH_OBJECT
)
81 dn: """ + class_dn
+ """
82 objectClass: classSchema
83 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
84 defaultObjectCategory: """ + class_dn
+ """
85 governsId: 1.3.6.1.4.1.7165.4.6.2.3.""" + str(class_id
) + """
87 objectClassCategory: 1
88 subClassOf: organizationalPerson
95 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
96 if isinstance(desc
, str):
97 ldif
+= "nTSecurityDescriptor: %s" % desc
98 elif isinstance(desc
, security
.descriptor
):
99 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
)).decode('utf8')
103 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
105 dn: """ + object_dn
+ """
106 objectClass: container
107 objectCategory: CN=Container,""" + self
.schema_dn
+ """
108 showInAdvancedViewOnly: TRUE
112 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
113 if isinstance(desc
, str):
114 ldif
+= "nTSecurityDescriptor: %s" % desc
115 elif isinstance(desc
, security
.descriptor
):
116 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
)).decode('utf8')
119 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
121 dn: """ + object_dn
+ """
122 objectClass: displaySpecifier
123 showInAdvancedViewOnly: TRUE
126 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
127 if isinstance(desc
, str):
128 ldif
+= "nTSecurityDescriptor: %s" % desc
129 elif isinstance(desc
, security
.descriptor
):
130 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
)).decode('utf8')
133 def get_ldb_connection(self
, target_username
, target_password
):
134 creds_tmp
= Credentials()
135 creds_tmp
.set_username(target_username
)
136 creds_tmp
.set_password(target_password
)
137 creds_tmp
.set_domain(creds
.get_domain())
138 creds_tmp
.set_realm(creds
.get_realm())
139 creds_tmp
.set_workstation(creds
.get_workstation())
140 creds_tmp
.set_gensec_features(creds_tmp
.get_gensec_features()
141 | gensec
.FEATURE_SEAL
)
142 creds_tmp
.set_kerberos_state(DONT_USE_KERBEROS
) # kinit is too expensive to use in a tight loop
143 ldb_target
= SamDB(url
=host
, credentials
=creds_tmp
, lp
=lp
)
147 super(DescriptorTests
, self
).setUp()
148 self
.ldb_admin
= SamDB(host
, credentials
=creds
, session_info
=system_session(lp
), lp
=lp
,
150 self
.base_dn
= self
.ldb_admin
.domain_dn()
151 self
.configuration_dn
= self
.ldb_admin
.get_config_basedn().get_linearized()
152 self
.schema_dn
= self
.ldb_admin
.get_schema_basedn().get_linearized()
153 self
.domain_sid
= security
.dom_sid(self
.ldb_admin
.get_domain_sid())
154 self
.sd_utils
= sd_utils
.SDUtils(self
.ldb_admin
)
155 self
.addCleanup(self
.delete_admin_connection
)
156 print("baseDN: %s" % self
.base_dn
)
158 def delete_admin_connection(self
):
162 ################################################################################################
166 # Default descriptor tests #####################################################################
169 class OwnerGroupDescriptorTests(DescriptorTests
):
172 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
173 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
174 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
175 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
176 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
177 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
178 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
179 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
181 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
182 delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
183 delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
184 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
186 mod
= "(A;CI;WDCC;;;AU)(A;;CC;;;AU)"
187 self
.sd_utils
.dacl_delete_aces(self
.schema_dn
, mod
)
189 delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers,"
190 + self
.configuration_dn
)
191 delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
194 super(OwnerGroupDescriptorTests
, self
).setUp()
197 # User 1 - Enterprise Admins
198 self
.ldb_admin
.newuser("testuser1", "samba123@")
199 # User 2 - Domain Admins
200 self
.ldb_admin
.newuser("testuser2", "samba123@")
201 # User 3 - Schema Admins
202 self
.ldb_admin
.newuser("testuser3", "samba123@")
203 # User 4 - regular user
204 self
.ldb_admin
.newuser("testuser4", "samba123@")
205 # User 5 - Enterprise Admins and Domain Admins
206 self
.ldb_admin
.newuser("testuser5", "samba123@")
207 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
208 self
.ldb_admin
.newuser("testuser6", "samba123@")
209 # User 7 - Domain Admins and Schema Admins
210 self
.ldb_admin
.newuser("testuser7", "samba123@")
211 # User 5 - Enterprise Admins and Schema Admins
212 self
.ldb_admin
.newuser("testuser8", "samba123@")
214 self
.ldb_admin
.add_remove_group_members("Enterprise Admins",
215 ["testuser1", "testuser5", "testuser6", "testuser8"],
216 add_members_operation
=True)
217 self
.ldb_admin
.add_remove_group_members("Domain Admins",
218 ["testuser2", "testuser5", "testuser6", "testuser7"],
219 add_members_operation
=True)
220 self
.ldb_admin
.add_remove_group_members("Schema Admins",
221 ["testuser3", "testuser6", "testuser7", "testuser8"],
222 add_members_operation
=True)
225 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
226 "ds_behavior_win2003": {
276 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
277 "ds_behavior_win2008": {
328 # Discover 'domainControllerFunctionality'
329 res
= self
.ldb_admin
.search(base
="", scope
=SCOPE_BASE
,
330 attrs
=['domainControllerFunctionality'])
331 res
= int(res
[0]['domainControllerFunctionality'][0])
332 if res
< DS_DOMAIN_FUNCTION_2008
:
333 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
335 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
338 super(OwnerGroupDescriptorTests
, self
).tearDown()
341 def check_user_belongs(self
, user_dn
, groups
=None):
342 """ Test whether user is member of the expected group(s) """
347 # User is member of at least one additional group
348 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
349 res
= [str(x
).upper() for x
in sorted(list(res
[0]["memberOf"]))]
352 expected
.append(self
.get_users_domain_dn(x
))
353 expected
= [x
.upper() for x
in sorted(expected
)]
354 self
.assertEqual(expected
, res
)
356 # User is not a member of any additional groups but default
357 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
358 res
= [x
.upper() for x
in res
[0].keys()]
359 self
.assertNotIn("MEMBEROF", res
)
361 def check_modify_inheritance(self
, _ldb
, object_dn
, owner_group
=""):
363 sd_user_utils
= sd_utils
.SDUtils(_ldb
)
364 ace
= "(D;;CC;;;LG)" # Deny Create Children to Guest account
365 if owner_group
!= "":
366 sd_user_utils
.modify_sd_on_dn(object_dn
, owner_group
+ "D:" + ace
)
368 sd_user_utils
.modify_sd_on_dn(object_dn
, "D:" + ace
)
369 # Make sure the modify operation has been applied
370 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
371 self
.assertIn(ace
, desc_sddl
)
372 # Make sure we have identical result for both "add" and "modify"
373 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
374 print(self
._testMethodName
)
375 test_number
= self
._testMethodName
[5:]
376 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][test_number
], res
)
379 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
381 user_name
= "testuser1"
382 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
383 # Open Ldb connection with the tested user
384 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
385 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
386 delete_force(self
.ldb_admin
, object_dn
)
387 _ldb
.newgroup("test_domain_group1", grouptype
=4)
388 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
389 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
390 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
391 self
.check_modify_inheritance(_ldb
, object_dn
)
394 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
396 user_name
= "testuser2"
397 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
398 # Open Ldb connection with the tested user
399 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
400 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
401 delete_force(self
.ldb_admin
, object_dn
)
402 _ldb
.newgroup("test_domain_group1", grouptype
=4)
403 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
404 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
405 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
406 self
.check_modify_inheritance(_ldb
, object_dn
)
409 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
411 user_name
= "testuser3"
412 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
413 # Open Ldb connection with the tested user
414 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
415 object_dn
= "OU=test_domain_ou1," + self
.base_dn
416 delete_force(self
.ldb_admin
, object_dn
)
417 self
.ldb_admin
.create_ou(object_dn
)
418 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
419 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
420 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
421 # Create additional object into the first one
422 object_dn
= "CN=test_domain_user1," + object_dn
423 delete_force(self
.ldb_admin
, object_dn
)
424 _ldb
.newuser("test_domain_user1", "samba123@",
425 userou
="OU=test_domain_ou1", setpassword
=False)
426 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
427 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
428 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
429 # This fails, research why
430 #self.check_modify_inheritance(_ldb, object_dn)
433 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
435 user_name
= "testuser4"
436 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
437 # Open Ldb connection with the tested user
438 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
439 object_dn
= "OU=test_domain_ou1," + self
.base_dn
440 delete_force(self
.ldb_admin
, object_dn
)
441 self
.ldb_admin
.create_ou(object_dn
)
442 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
443 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
444 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
445 # Create additional object into the first one
446 object_dn
= "CN=test_domain_user1," + object_dn
447 delete_force(self
.ldb_admin
, object_dn
)
448 _ldb
.newuser("test_domain_user1", "samba123@",
449 userou
="OU=test_domain_ou1", setpassword
=False)
450 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
451 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
452 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
453 # this fails, research why
454 #self.check_modify_inheritance(_ldb, object_dn)
457 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
459 user_name
= "testuser5"
460 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
461 # Open Ldb connection with the tested user
462 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
463 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
464 delete_force(self
.ldb_admin
, object_dn
)
465 _ldb
.newgroup("test_domain_group1", grouptype
=4)
466 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
467 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
468 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
469 self
.check_modify_inheritance(_ldb
, object_dn
)
472 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
474 user_name
= "testuser6"
475 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
476 # Open Ldb connection with the tested user
477 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
478 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
479 delete_force(self
.ldb_admin
, object_dn
)
480 _ldb
.newgroup("test_domain_group1", grouptype
=4)
481 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
482 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
483 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
484 self
.check_modify_inheritance(_ldb
, object_dn
)
487 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
489 user_name
= "testuser7"
490 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
491 # Open Ldb connection with the tested user
492 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
493 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
494 delete_force(self
.ldb_admin
, object_dn
)
495 _ldb
.newgroup("test_domain_group1", grouptype
=4)
496 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
497 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
498 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
499 self
.check_modify_inheritance(_ldb
, object_dn
)
502 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
504 user_name
= "testuser8"
505 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
506 # Open Ldb connection with the tested user
507 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
508 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
509 delete_force(self
.ldb_admin
, object_dn
)
510 _ldb
.newgroup("test_domain_group1", grouptype
=4)
511 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
512 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
513 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
514 self
.check_modify_inheritance(_ldb
, object_dn
)
516 # Control descriptor tests #####################################################################
519 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
521 user_name
= "testuser1"
522 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
523 # Open Ldb connection with the tested user
524 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
525 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
526 delete_force(self
.ldb_admin
, object_dn
)
527 # Create a custom security descriptor
528 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
529 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
530 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
531 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
532 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
533 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
536 """ Domain admin group member creates object (custom descriptor) in DOMAIN
538 user_name
= "testuser2"
539 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
540 # Open Ldb connection with the tested user
541 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
542 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
543 delete_force(self
.ldb_admin
, object_dn
)
544 # Create a custom security descriptor
545 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
546 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
547 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
548 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
549 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
550 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
553 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
555 user_name
= "testuser3"
556 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
557 # Open Ldb connection with the tested user
558 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
559 object_dn
= "OU=test_domain_ou1," + self
.base_dn
560 delete_force(self
.ldb_admin
, object_dn
)
561 self
.ldb_admin
.create_ou(object_dn
)
562 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
563 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
564 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
565 # Create a custom security descriptor
566 # NB! Problematic owner part won't accept DA only <User Sid> !!!
567 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
568 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
569 # Create additional object into the first one
570 object_dn
= "CN=test_domain_user1," + object_dn
571 delete_force(self
.ldb_admin
, object_dn
)
572 _ldb
.newuser("test_domain_user1", "samba123@",
573 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
574 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
575 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
576 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
579 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
581 user_name
= "testuser4"
582 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
583 # Open Ldb connection with the tested user
584 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
585 object_dn
= "OU=test_domain_ou1," + self
.base_dn
586 delete_force(self
.ldb_admin
, object_dn
)
587 self
.ldb_admin
.create_ou(object_dn
)
588 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
589 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
590 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
591 # Create a custom security descriptor
592 # NB! Problematic owner part won't accept DA only <User Sid> !!!
593 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
594 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
595 # Create additional object into the first one
596 object_dn
= "CN=test_domain_user1," + object_dn
597 delete_force(self
.ldb_admin
, object_dn
)
598 _ldb
.newuser("test_domain_user1", "samba123@",
599 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
600 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
601 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
602 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
605 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
607 user_name
= "testuser5"
608 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
609 # Open Ldb connection with the tested user
610 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
611 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
612 delete_force(self
.ldb_admin
, object_dn
)
613 # Create a custom security descriptor
614 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
615 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
616 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
617 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
618 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
619 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
622 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
624 user_name
= "testuser6"
625 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
626 # Open Ldb connection with the tested user
627 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
628 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
629 delete_force(self
.ldb_admin
, object_dn
)
630 # Create a custom security descriptor
631 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
632 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
633 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
634 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
635 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
636 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
639 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
641 user_name
= "testuser7"
642 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
643 # Open Ldb connection with the tested user
644 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
645 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
646 delete_force(self
.ldb_admin
, object_dn
)
647 # Create a custom security descriptor
648 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
649 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
650 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
651 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
652 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
653 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
656 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
658 user_name
= "testuser8"
659 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
660 # Open Ldb connection with the tested user
661 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
662 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
663 delete_force(self
.ldb_admin
, object_dn
)
664 # Create a custom security descriptor
665 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
666 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
667 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
668 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
669 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
670 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
673 user_name
= "Administrator"
674 object_dn
= "OU=test_domain_ou1," + self
.base_dn
675 delete_force(self
.ldb_admin
, object_dn
)
676 self
.ldb_admin
.create_ou(object_dn
)
677 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
678 mod
= "(D;CI;WP;;;S-1-3-0)"
680 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
681 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
682 # Create additional object into the first one
683 object_dn
= "OU=test_domain_ou2," + object_dn
684 delete_force(self
.ldb_admin
, object_dn
)
685 self
.ldb_admin
.create_ou(object_dn
)
686 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
690 # Default descriptor tests ##################################################################
693 user_name
= "testuser1"
694 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
695 # Open Ldb connection with the tested user
696 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
697 # Change Schema partition descriptor
698 mod
= "(A;CI;WDCC;;;AU)"
699 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
700 # Create example Schema class
702 class_dn
= self
.create_schema_class(_ldb
)
705 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
706 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
707 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
708 self
.check_modify_inheritance(_ldb
, class_dn
)
711 user_name
= "testuser2"
712 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
713 # Open Ldb connection with the tested user
714 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
715 # Change Schema partition descriptor
716 mod
= "(A;CI;WDCC;;;AU)"
717 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
718 # Create example Schema class
719 class_dn
= self
.create_schema_class(_ldb
)
720 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
721 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
722 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
723 self
.check_modify_inheritance(_ldb
, class_dn
)
726 user_name
= "testuser3"
727 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
728 # Open Ldb connection with the tested user
729 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
730 # Change Schema partition descriptor
731 mod
= "(A;CI;WDCC;;;AU)"
732 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
733 # Create example Schema class
734 class_dn
= self
.create_schema_class(_ldb
)
735 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
736 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
737 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
738 #self.check_modify_inheritance(_ldb, class_dn)
741 user_name
= "testuser4"
742 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
743 # Open Ldb connection with the tested user
744 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
745 # Change Schema partition descriptor
746 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
747 mod
= "(A;CI;WDCC;;;AU)"
748 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
749 # Create example Schema class
750 class_dn
= self
.create_schema_class(_ldb
)
751 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
752 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
753 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
754 #self.check_modify_inheritance(_ldb, class_dn)
757 user_name
= "testuser5"
758 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
759 # Open Ldb connection with the tested user
760 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
761 # Change Schema partition descriptor
762 mod
= "(A;CI;WDCC;;;AU)"
763 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
764 # Create example Schema class
765 class_dn
= self
.create_schema_class(_ldb
)
766 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
767 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
768 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
769 self
.check_modify_inheritance(_ldb
, class_dn
)
772 user_name
= "testuser6"
773 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
774 # Open Ldb connection with the tested user
775 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
776 # Change Schema partition descriptor
777 mod
= "(A;CI;WDCC;;;AU)"
778 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
779 # Create example Schema class
780 class_dn
= self
.create_schema_class(_ldb
)
781 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
782 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
783 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
784 self
.check_modify_inheritance(_ldb
, class_dn
)
787 user_name
= "testuser7"
788 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
789 # Open Ldb connection with the tested user
790 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
791 # Change Schema partition descriptor
792 mod
= "(A;CI;WDCC;;;AU)"
793 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
794 # Create example Schema class
795 class_dn
= self
.create_schema_class(_ldb
)
796 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
797 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
798 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
799 self
.check_modify_inheritance(_ldb
, class_dn
)
802 user_name
= "testuser8"
803 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
804 # Open Ldb connection with the tested user
805 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
806 # Change Schema partition descriptor
807 mod
= "(A;CI;WDCC;;;AU)"
808 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
809 # Create example Schema class
810 class_dn
= self
.create_schema_class(_ldb
)
811 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
812 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
813 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
814 self
.check_modify_inheritance(_ldb
, class_dn
)
816 # Custom descriptor tests ##################################################################
819 user_name
= "testuser1"
820 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
821 # Open Ldb connection with the tested user
822 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
823 # Change Schema partition descriptor
825 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
826 # Create a custom security descriptor
827 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
828 # Create example Schema class
829 class_dn
= self
.create_schema_class(_ldb
, desc_sddl
)
830 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
831 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
832 self
.assertEqual("O:DAG:DA", res
)
835 user_name
= "testuser2"
836 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
837 # Open Ldb connection with the tested user
838 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
839 # Change Schema partition descriptor
841 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
842 # Create a custom security descriptor
843 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
844 # Create example Schema class
845 class_dn
= self
.create_schema_class(_ldb
, desc_sddl
)
846 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
847 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
848 self
.assertEqual("O:DAG:DA", res
)
851 user_name
= "testuser3"
852 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
853 # Open Ldb connection with the tested user
854 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
855 # Create a custom security descriptor
856 # NB! Problematic owner part won't accept DA only <User Sid> !!!
857 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
858 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
859 # Create example Schema class
860 class_dn
= self
.create_schema_class(_ldb
, desc_sddl
)
861 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
862 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
863 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
866 user_name
= "testuser4"
867 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
868 # Open Ldb connection with the tested user
869 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
870 # Change Schema partition descriptor
872 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
873 # Create a custom security descriptor
874 # NB! Problematic owner part won't accept DA only <User Sid> !!!
875 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
876 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
877 # Create example Schema class
878 class_dn
= self
.create_schema_class(_ldb
, desc_sddl
)
879 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
880 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
881 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
884 user_name
= "testuser5"
885 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
886 # Open Ldb connection with the tested user
887 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
888 # Change Schema partition descriptor
890 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
891 # Create a custom security descriptor
892 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
893 # Create example Schema class
894 class_dn
= self
.create_schema_class(_ldb
, desc_sddl
)
895 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
896 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
897 self
.assertEqual("O:DAG:DA", res
)
900 user_name
= "testuser6"
901 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
902 # Open Ldb connection with the tested user
903 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
904 # Change Schema partition descriptor
906 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
907 # Create a custom security descriptor
908 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
909 # Create example Schema class
910 class_dn
= self
.create_schema_class(_ldb
, desc_sddl
)
911 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
912 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
913 self
.assertEqual("O:DAG:DA", res
)
916 user_name
= "testuser7"
917 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
918 # Open Ldb connection with the tested user
919 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
920 # Change Schema partition descriptor
922 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
923 # Create a custom security descriptor
924 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
925 # Create example Schema class
926 class_dn
= self
.create_schema_class(_ldb
, desc_sddl
)
927 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
928 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
929 self
.assertEqual("O:DAG:DA", res
)
932 user_name
= "testuser8"
933 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
934 # Open Ldb connection with the tested user
935 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
936 # Change Schema partition descriptor
938 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
939 # Create a custom security descriptor
940 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
941 # Create example Schema class
942 class_dn
= self
.create_schema_class(_ldb
, desc_sddl
)
943 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
944 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
945 self
.assertEqual("O:DAG:DA", res
)
947 # Tests for CONFIGURATION
949 # Default descriptor tests ##################################################################
952 user_name
= "testuser1"
953 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
954 # Open Ldb connection with the tested user
955 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
956 # Create example Configuration container
957 container_name
= "test-container1"
958 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
959 delete_force(self
.ldb_admin
, object_dn
)
960 self
.create_configuration_container(_ldb
, object_dn
, )
961 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
962 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
963 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
964 self
.check_modify_inheritance(_ldb
, object_dn
)
967 user_name
= "testuser2"
968 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
969 # Open Ldb connection with the tested user
970 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
971 # Create example Configuration container
972 container_name
= "test-container1"
973 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
974 delete_force(self
.ldb_admin
, object_dn
)
975 self
.create_configuration_container(_ldb
, object_dn
, )
976 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
977 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
978 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
979 self
.check_modify_inheritance(_ldb
, object_dn
)
982 user_name
= "testuser3"
983 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
984 # Open Ldb connection with the tested user
985 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
986 # Create example Configuration container
987 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
988 delete_force(self
.ldb_admin
, object_dn
)
989 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
990 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
991 mod
= "(A;CI;WDCC;;;AU)"
992 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
993 # Create child object with user's credentials
994 object_dn
= "CN=test-specifier1," + object_dn
995 delete_force(self
.ldb_admin
, object_dn
)
997 self
.create_configuration_specifier(_ldb
, object_dn
)
1000 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1001 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1002 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1003 #self.check_modify_inheritance(_ldb, object_dn)
1006 user_name
= "testuser4"
1007 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1008 # Open Ldb connection with the tested user
1009 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1010 # Create example Configuration container
1011 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1012 delete_force(self
.ldb_admin
, object_dn
)
1013 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1014 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
1015 mod
= "(A;CI;WDCC;;;AU)"
1016 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1017 # Create child object with user's credentials
1018 object_dn
= "CN=test-specifier1," + object_dn
1019 delete_force(self
.ldb_admin
, object_dn
)
1020 self
.create_configuration_specifier(_ldb
, object_dn
)
1021 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1022 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1023 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1024 #self.check_modify_inheritance(_ldb, object_dn)
1027 user_name
= "testuser5"
1028 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1029 # Open Ldb connection with the tested user
1030 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1031 # Create example Configuration container
1032 container_name
= "test-container1"
1033 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1034 delete_force(self
.ldb_admin
, object_dn
)
1035 self
.create_configuration_container(_ldb
, object_dn
, )
1036 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1037 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1038 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1039 self
.check_modify_inheritance(_ldb
, object_dn
)
1042 user_name
= "testuser6"
1043 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1044 # Open Ldb connection with the tested user
1045 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1046 # Create example Configuration container
1047 container_name
= "test-container1"
1048 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1049 delete_force(self
.ldb_admin
, object_dn
)
1050 self
.create_configuration_container(_ldb
, object_dn
, )
1051 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1052 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1053 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1054 self
.check_modify_inheritance(_ldb
, object_dn
)
1057 user_name
= "testuser7"
1058 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1059 # Open Ldb connection with the tested user
1060 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1061 # Create example Configuration container
1062 container_name
= "test-container1"
1063 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1064 delete_force(self
.ldb_admin
, object_dn
)
1065 self
.create_configuration_container(_ldb
, object_dn
, )
1066 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1067 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1068 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1069 self
.check_modify_inheritance(_ldb
, object_dn
)
1072 user_name
= "testuser8"
1073 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1074 # Open Ldb connection with the tested user
1075 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1076 # Create example Configuration container
1077 container_name
= "test-container1"
1078 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1079 delete_force(self
.ldb_admin
, object_dn
)
1080 self
.create_configuration_container(_ldb
, object_dn
, )
1081 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1082 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1083 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1084 self
.check_modify_inheritance(_ldb
, object_dn
)
1086 # Custom descriptor tests ##################################################################
1089 user_name
= "testuser1"
1090 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1091 # Open Ldb connection with the tested user
1092 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1093 # Create example Configuration container
1094 container_name
= "test-container1"
1095 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1096 delete_force(self
.ldb_admin
, object_dn
)
1097 # Create a custom security descriptor
1098 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1099 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1100 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1101 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1102 self
.assertEqual("O:DAG:DA", res
)
1105 user_name
= "testuser2"
1106 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1107 # Open Ldb connection with the tested user
1108 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1109 # Create example Configuration container
1110 container_name
= "test-container1"
1111 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1112 delete_force(self
.ldb_admin
, object_dn
)
1113 # Create a custom security descriptor
1114 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1115 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1116 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1117 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1118 self
.assertEqual("O:DAG:DA", res
)
1121 user_name
= "testuser3"
1122 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1123 # Open Ldb connection with the tested user
1124 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1125 # Create example Configuration container
1126 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1127 delete_force(self
.ldb_admin
, object_dn
)
1128 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1129 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
1130 mod
= "(A;CI;CCWD;;;AU)"
1131 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1132 # Create child object with user's credentials
1133 object_dn
= "CN=test-specifier1," + object_dn
1134 delete_force(self
.ldb_admin
, object_dn
)
1135 # Create a custom security descriptor
1136 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1137 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1139 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1142 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1143 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1144 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1147 user_name
= "testuser4"
1148 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1149 # Open Ldb connection with the tested user
1150 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1151 # Create example Configuration container
1152 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1153 delete_force(self
.ldb_admin
, object_dn
)
1154 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1155 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn(user_name
))
1156 mod
= "(A;CI;CCWD;;;AU)"
1157 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1158 # Create child object with user's credentials
1159 object_dn
= "CN=test-specifier1," + object_dn
1160 delete_force(self
.ldb_admin
, object_dn
)
1161 # Create a custom security descriptor
1162 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1163 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1165 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1168 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1169 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1170 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1173 user_name
= "testuser5"
1174 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1175 # Open Ldb connection with the tested user
1176 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1177 # Create example Configuration container
1178 container_name
= "test-container1"
1179 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1180 delete_force(self
.ldb_admin
, object_dn
)
1181 # Create a custom security descriptor
1182 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1183 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1184 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1185 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1186 self
.assertEqual("O:DAG:DA", res
)
1189 user_name
= "testuser6"
1190 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1191 # Open Ldb connection with the tested user
1192 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1193 # Create example Configuration container
1194 container_name
= "test-container1"
1195 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1196 delete_force(self
.ldb_admin
, object_dn
)
1197 # Create a custom security descriptor
1198 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1199 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1200 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1201 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1202 self
.assertEqual("O:DAG:DA", res
)
1205 user_name
= "testuser7"
1206 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1207 # Open Ldb connection with the tested user
1208 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1209 # Create example Configuration container
1210 container_name
= "test-container1"
1211 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1212 delete_force(self
.ldb_admin
, object_dn
)
1213 # Create a custom security descriptor
1214 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1215 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1216 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1217 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1218 self
.assertEqual("O:DAG:DA", res
)
1221 user_name
= "testuser8"
1222 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1223 # Open Ldb connection with the tested user
1224 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1225 # Create example Configuration container
1226 container_name
= "test-container1"
1227 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1228 delete_force(self
.ldb_admin
, object_dn
)
1229 # Create a custom security descriptor
1230 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1231 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1232 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1233 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1234 self
.assertEqual("O:DAG:DA", res
)
1236 ########################################################################################
1237 # Inheritance tests for DACL
1240 class DaclDescriptorTests(DescriptorTests
):
1242 def deleteAll(self
):
1243 delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1244 delete_force(self
.ldb_admin
, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self
.base_dn
)
1245 delete_force(self
.ldb_admin
, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self
.base_dn
)
1246 delete_force(self
.ldb_admin
, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self
.base_dn
)
1247 delete_force(self
.ldb_admin
, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self
.base_dn
)
1248 delete_force(self
.ldb_admin
, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self
.base_dn
)
1249 delete_force(self
.ldb_admin
, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self
.base_dn
)
1250 delete_force(self
.ldb_admin
, "OU=test_inherit_ou_p," + self
.base_dn
)
1251 delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1254 super(DaclDescriptorTests
, self
).setUp()
1257 def create_clean_ou(self
, object_dn
):
1258 """ Base repeating setup for unittests to follow """
1259 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
,
1260 expression
="distinguishedName=%s" % object_dn
)
1261 # Make sure top testing OU has been deleted before starting the test
1262 self
.assertEqual(len(res
), 0)
1263 self
.ldb_admin
.create_ou(object_dn
)
1264 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1265 # Make sure there are inheritable ACEs initially
1266 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1267 # Find and remove all inherit ACEs
1268 res
= re
.findall(r
"\(.*?\)", desc_sddl
)
1269 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1271 desc_sddl
= desc_sddl
.replace(x
, "")
1272 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1273 # can propagate from above
1274 # remove SACL, we are not interested
1275 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1276 self
.sd_utils
.modify_sd_on_dn(object_dn
, desc_sddl
)
1277 # Verify all inheritable ACEs are gone
1278 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1279 self
.assertNotIn("CI", desc_sddl
)
1280 self
.assertNotIn("OI", desc_sddl
)
1283 """ OU with protected flag and child group. See if the group has inherit ACEs.
1285 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1286 group_dn
= "CN=test_inherit_group," + ou_dn
1287 # Create inheritable-free OU
1288 self
.create_clean_ou(ou_dn
)
1289 # Create group child object
1290 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1291 # Make sure created group object contains NO inherit ACEs
1292 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1293 self
.assertNotIn("ID", desc_sddl
)
1296 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1297 Verify group has custom and default ACEs only.
1299 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1300 group_dn
= "CN=test_inherit_group," + ou_dn
1301 # Create inheritable-free OU
1302 self
.create_clean_ou(ou_dn
)
1303 # Create group child object using custom security descriptor
1304 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1305 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
1306 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1307 # Make sure created group descriptor has NO additional ACEs
1308 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1309 self
.assertEqual(desc_sddl
, sddl
)
1310 sddl
= "O:AUG:AUD:AI(D;;CC;;;LG)"
1312 self
.sd_utils
.modify_sd_on_dn(group_dn
, sddl
)
1313 except LdbError
as e
:
1315 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1316 self
.assertEqual(desc_sddl
, sddl
)
1319 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1320 See if the group has any of the added ACEs.
1322 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1323 group_dn
= "CN=test_inherit_group," + ou_dn
1324 # Create inheritable-free OU
1325 self
.create_clean_ou(ou_dn
)
1326 # Add some custom non-inheritable ACEs
1327 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1328 moded
= "(D;;CC;;;LG)"
1329 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1330 # Verify all inheritable ACEs are gone
1331 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1332 # Create group child object
1333 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1334 # Make sure created group object contains NO inherit ACEs
1335 # also make sure the added above non-inheritable ACEs are absent too
1336 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1337 self
.assertNotIn("ID", desc_sddl
)
1338 for x
in re
.findall(r
"\(.*?\)", mod
):
1339 self
.assertNotIn(x
, desc_sddl
)
1341 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1342 except LdbError
as e
:
1344 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1345 self
.assertNotIn("ID", desc_sddl
)
1346 for x
in re
.findall(r
"\(.*?\)", mod
):
1347 self
.assertNotIn(x
, desc_sddl
)
1350 """ OU with protected flag and add 'CI' ACE, child group.
1351 See if the group has the added inherited ACE.
1353 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1354 group_dn
= "CN=test_inherit_group," + ou_dn
1355 # Create inheritable-free OU
1356 self
.create_clean_ou(ou_dn
)
1357 # Add some custom 'CI' ACE
1358 mod
= "(D;CI;WP;;;DU)"
1359 moded
= "(D;;CC;;;LG)"
1360 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1361 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1362 # Create group child object
1363 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1364 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1365 # Make sure created group object contains only the above inherited ACE
1366 # that we've added manually
1367 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1368 mod
= mod
.replace(";CI;", ";CIID;")
1369 self
.assertIn(mod
, desc_sddl
)
1371 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1372 except LdbError
as e
:
1374 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1375 self
.assertIn(moded
, desc_sddl
)
1376 self
.assertIn(mod
, desc_sddl
)
1379 """ OU with protected flag and add 'OI' ACE, child group.
1380 See if the group has the added inherited ACE.
1382 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1383 group_dn
= "CN=test_inherit_group," + ou_dn
1384 # Create inheritable-free OU
1385 self
.create_clean_ou(ou_dn
)
1386 # Add some custom 'CI' ACE
1387 mod
= "(D;OI;WP;;;DU)"
1388 moded
= "(D;;CC;;;LG)"
1389 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1390 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1391 # Create group child object
1392 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1393 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1394 # Make sure created group object contains only the above inherited ACE
1395 # that we've added manually
1396 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1397 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1398 self
.assertIn(mod
, desc_sddl
)
1400 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1401 except LdbError
as e
:
1403 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1404 self
.assertIn(moded
, desc_sddl
)
1405 self
.assertIn(mod
, desc_sddl
)
1408 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1409 See if the group has the added inherited ACE.
1411 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1412 group_dn
= "CN=test_inherit_group," + ou_dn
1413 # Create inheritable-free OU
1414 self
.create_clean_ou(ou_dn
)
1415 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1416 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1417 moded
= "(D;;CC;;;LG)"
1418 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1419 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1420 # Create group child object
1421 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1422 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1423 # Make sure created group object contains only the above inherited ACE
1424 # that we've added manually
1425 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1426 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1427 self
.assertIn(mod
, desc_sddl
)
1429 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1430 except LdbError
as e
:
1432 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1433 self
.assertIn(moded
, desc_sddl
)
1434 self
.assertIn(mod
, desc_sddl
)
1437 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1438 See if the group has the added inherited ACE.
1440 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1441 group_dn
= "CN=test_inherit_group," + ou_dn
1442 # Create inheritable-free OU
1443 self
.create_clean_ou(ou_dn
)
1444 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1445 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1446 moded
= "(D;;CC;;;LG)"
1447 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1448 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1449 # Create group child object
1450 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1451 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1452 # Make sure created group object contains only the above inherited ACE
1453 # that we've added manually
1454 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1455 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1456 self
.assertIn(mod
, desc_sddl
)
1458 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1459 except LdbError
as e
:
1461 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1462 self
.assertIn(moded
, desc_sddl
)
1463 self
.assertIn(mod
, desc_sddl
)
1466 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1467 See if the group has the added inherited ACE.
1469 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1470 group_dn
= "CN=test_inherit_group," + ou_dn
1471 # Create inheritable-free OU
1472 self
.create_clean_ou(ou_dn
)
1473 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1474 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1475 moded
= "(D;;CC;;;LG)"
1476 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1477 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1478 # Create group child object
1479 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1480 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1481 # Make sure created group object contains only the above inherited ACE
1482 # that we've added manually
1483 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1484 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1485 self
.assertIn(mod
, desc_sddl
)
1487 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1488 except LdbError
as e
:
1490 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1491 self
.assertIn(moded
, desc_sddl
)
1492 self
.assertIn(mod
, desc_sddl
)
1495 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1496 See if the group has the added inherited ACE.
1498 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1499 group_dn
= "CN=test_inherit_group," + ou_dn
1500 # Create inheritable-free OU
1501 self
.create_clean_ou(ou_dn
)
1502 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1503 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1504 moded
= "(D;;CC;;;LG)"
1505 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1506 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1507 # Create group child object
1508 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1509 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1510 # Make sure created group object contains only the above inherited ACE
1511 # that we've added manually
1512 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1513 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1514 self
.assertIn(mod
, desc_sddl
)
1516 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded
)
1517 except LdbError
as e
:
1519 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1520 self
.assertIn(moded
, desc_sddl
)
1521 self
.assertIn(mod
, desc_sddl
)
1524 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1525 See if the group has the added inherited ACE.
1527 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1528 group_dn
= "CN=test_inherit_group," + ou_dn
1529 # Create inheritable-free OU
1530 self
.create_clean_ou(ou_dn
)
1531 # Add some custom 'CI' ACE
1532 mod
= "(D;CI;WP;;;CO)"
1533 moded
= "(D;;CC;;;LG)"
1534 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1535 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1536 # Create group child object
1537 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1538 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1539 # Make sure created group object contains only the above inherited ACE(s)
1540 # that we've added manually
1541 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1542 self
.assertIn("(D;ID;WP;;;AU)", desc_sddl
)
1543 self
.assertIn("(D;CIIOID;WP;;;CO)", desc_sddl
)
1545 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1546 except LdbError
as e
:
1548 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1549 self
.assertIn(moded
, desc_sddl
)
1550 self
.assertIn("(D;ID;WP;;;DA)", desc_sddl
)
1551 self
.assertIn("(D;CIIOID;WP;;;CO)", desc_sddl
)
1554 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1556 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1557 group_dn
= "CN=test_inherit_group," + ou_dn
1558 self
.create_clean_ou(ou_dn
)
1559 # Add some custom ACE
1560 mod
= "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1561 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1562 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1563 # Make sure created group object does not contain the ID ace
1564 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1565 self
.assertNotIn("(A;ID;WP;;;AU)", desc_sddl
)
1568 """ Provide ACE with CO SID, should be expanded and replaced
1570 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1571 group_dn
= "CN=test_inherit_group," + ou_dn
1572 # Create inheritable-free OU
1573 self
.create_clean_ou(ou_dn
)
1574 # Add some custom 'CI' ACE
1575 mod
= "D:(D;CI;WP;;;CO)"
1576 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1577 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1578 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1579 self
.assertIn("(D;;WP;;;DA)", desc_sddl
)
1580 self
.assertIn("(D;CIIO;WP;;;CO)", desc_sddl
)
1583 """ Provide ACE with IO flag, should be ignored
1585 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1586 group_dn
= "CN=test_inherit_group," + ou_dn
1587 # Create inheritable-free OU
1588 self
.create_clean_ou(ou_dn
)
1589 # Add some custom 'CI' ACE
1590 mod
= "D:(D;CIIO;WP;;;CO)"
1591 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1592 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1593 # Make sure created group object contains only the above inherited ACE(s)
1594 # that we've added manually
1595 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1596 self
.assertIn("(D;CIIO;WP;;;CO)", desc_sddl
)
1597 self
.assertNotIn("(D;;WP;;;DA)", desc_sddl
)
1598 self
.assertNotIn("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)", desc_sddl
)
1601 """ Provide ACE with IO flag, should be ignored
1603 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1604 group_dn
= "CN=test_inherit_group," + ou_dn
1605 # Create inheritable-free OU
1606 self
.create_clean_ou(ou_dn
)
1607 mod
= "D:(D;IO;WP;;;DA)"
1608 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1609 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1610 # Make sure created group object contains only the above inherited ACE(s)
1611 # that we've added manually
1612 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1613 self
.assertNotIn("(D;IO;WP;;;DA)", desc_sddl
)
1616 """ Test behavior of ACEs containing generic rights
1618 ou_dn
= "OU=test_inherit_ou_p," + self
.base_dn
1619 ou_dn1
= "OU=test_inherit_ou1," + ou_dn
1620 ou_dn2
= "OU=test_inherit_ou2," + ou_dn
1621 ou_dn3
= "OU=test_inherit_ou3," + ou_dn
1622 ou_dn4
= "OU=test_inherit_ou4," + ou_dn
1623 ou_dn5
= "OU=test_inherit_ou5," + ou_dn1
1624 ou_dn6
= "OU=test_inherit_ou6," + ou_dn2
1625 # Create inheritable-free OU
1626 mod
= "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"
1627 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1628 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1629 mod
= "D:(A;CI;GA;;;DU)"
1630 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1631 self
.ldb_admin
.create_ou(ou_dn1
, sd
=tmp_desc
)
1632 mod
= "D:(A;CIIO;GA;;;DU)"
1633 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1634 self
.ldb_admin
.create_ou(ou_dn2
, sd
=tmp_desc
)
1635 mod
= "D:(A;;GA;;;DU)"
1636 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1637 self
.ldb_admin
.create_ou(ou_dn3
, sd
=tmp_desc
)
1638 mod
= "D:(A;IO;GA;;;DU)"
1639 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1640 self
.ldb_admin
.create_ou(ou_dn4
, sd
=tmp_desc
)
1642 self
.ldb_admin
.create_ou(ou_dn5
)
1643 self
.ldb_admin
.create_ou(ou_dn6
)
1645 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn1
)
1646 self
.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl
)
1647 self
.assertIn("(A;CIIO;GA;;;DU)", desc_sddl
)
1648 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn2
)
1649 self
.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl
)
1650 self
.assertIn("(A;CIIO;GA;;;DU)", desc_sddl
)
1651 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn3
)
1652 self
.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl
)
1653 self
.assertNotIn("(A;CIIO;GA;;;DU)", desc_sddl
)
1654 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn4
)
1655 self
.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl
)
1656 self
.assertNotIn("(A;CIIO;GA;;;DU)", desc_sddl
)
1657 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn5
)
1658 self
.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl
)
1659 self
.assertIn("(A;CIIOID;GA;;;DU)", desc_sddl
)
1660 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn6
)
1661 self
.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl
)
1662 self
.assertIn("(A;CIIOID;GA;;;DU)", desc_sddl
)
1665 """ Make sure IO flag is removed in child objects
1667 ou_dn
= "OU=test_inherit_ou_p," + self
.base_dn
1668 ou_dn1
= "OU=test_inherit_ou1," + ou_dn
1669 ou_dn5
= "OU=test_inherit_ou5," + ou_dn1
1670 # Create inheritable-free OU
1671 mod
= "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"
1672 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1673 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1674 mod
= "D:(A;CIIO;WP;;;DU)"
1675 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1676 self
.ldb_admin
.create_ou(ou_dn1
, sd
=tmp_desc
)
1677 self
.ldb_admin
.create_ou(ou_dn5
)
1678 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn5
)
1679 self
.assertIn("(A;CIID;WP;;;DU)", desc_sddl
)
1680 self
.assertNotIn("(A;CIIOID;WP;;;DU)", desc_sddl
)
1683 """ Make sure ID ACES provided by user are ignored
1685 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1686 group_dn
= "CN=test_inherit_group," + ou_dn
1687 mod
= "D:P(A;;WPRPLCCCDCWDRCSD;;;DA)"
1688 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1689 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1690 # Add some custom ACE
1691 mod
= "D:(D;ID;WP;;;AU)"
1692 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1693 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1694 # Make sure created group object does not contain the ID ace
1695 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1696 self
.assertNotIn("(A;ID;WP;;;AU)", desc_sddl
)
1697 self
.assertNotIn("(A;;WP;;;AU)", desc_sddl
)
1700 """ Make sure ID ACES provided by user are not ignored if P flag is set
1702 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1703 group_dn
= "CN=test_inherit_group," + ou_dn
1704 mod
= "D:P(A;;WPRPLCCCDCWDRCSD;;;DA)"
1705 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1706 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1707 # Add some custom ACE
1708 mod
= "D:P(A;ID;WP;;;AU)"
1709 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1710 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1711 # Make sure created group object does not contain the ID ace
1712 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1713 self
.assertNotIn("(A;ID;WP;;;AU)", desc_sddl
)
1714 self
.assertIn("(A;;WP;;;AU)", desc_sddl
)
1716 def test_ci_and_io_on_attribute(self
):
1717 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1718 group_dn
= "CN=test_inherit_group," + ou_dn
1719 # Create inheritable-free OU
1720 self
.create_clean_ou(ou_dn
)
1721 mod
= "(OA;CIOI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1722 moded
= "(D;;CC;;;LG)"
1723 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1724 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1725 # Create group child object
1726 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1727 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1728 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1729 mod
= mod
.replace(";CIOI;", ";OICIID;") # change it how it's gonna look like
1730 self
.assertIn(mod
, desc_sddl
)
1732 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1733 except LdbError
as e
:
1735 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1736 self
.assertIn(moded
, desc_sddl
)
1737 self
.assertIn(mod
, desc_sddl
)
1739 def test_ci_and_np_on_attribute(self
):
1740 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1741 group_dn
= "CN=test_inherit_group," + ou_dn
1742 # Create inheritable-free OU
1743 self
.create_clean_ou(ou_dn
)
1744 mod
= "(OA;CINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1745 moded
= "(D;;CC;;;LG)"
1746 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1747 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1748 # Create group child object
1749 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1750 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1751 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1752 mod
= mod
.replace(";CINP;", ";ID;") # change it how it's gonna look like
1753 self
.assertIn(mod
, desc_sddl
)
1755 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1756 except LdbError
as e
:
1758 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1759 self
.assertIn(moded
, desc_sddl
)
1760 self
.assertIn(mod
, desc_sddl
)
1762 def test_oi_and_np_on_attribute(self
):
1763 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1764 group_dn
= "CN=test_inherit_group," + ou_dn
1765 # Create inheritable-free OU
1766 self
.create_clean_ou(ou_dn
)
1767 mod
= "(OA;OINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1768 moded
= "(D;;CC;;;LG)"
1769 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1770 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1771 # Create group child object
1772 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1773 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1774 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1775 mod
= mod
.replace(";OINP;", ";ID;") # change it how it's gonna look like
1776 self
.assertNotIn(mod
, desc_sddl
)
1777 self
.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl
)
1779 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1780 except LdbError
as e
:
1782 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1783 self
.assertIn(moded
, desc_sddl
)
1784 self
.assertNotIn(mod
, desc_sddl
)
1785 self
.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl
)
1787 def test_ci_ga_no_attr_objectclass_same(self
):
1788 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1789 group_dn
= "CN=test_inherit_group," + ou_dn
1790 # Create inheritable-free OU
1791 self
.create_clean_ou(ou_dn
)
1792 mod
= "(OA;CI;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1793 modob
= "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
1794 modid
= "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1795 moded
= "(D;;CC;;;LG)"
1796 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1797 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1798 # Create group child object
1799 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1800 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1801 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1802 self
.assertIn(modob
, desc_sddl
)
1803 self
.assertIn(modid
, desc_sddl
)
1805 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1806 except LdbError
as e
:
1808 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1809 self
.assertIn(moded
, desc_sddl
)
1810 self
.assertIn(modob
, desc_sddl
)
1811 self
.assertIn(modid
, desc_sddl
)
1813 def test_ci_ga_no_attr_objectclass_different(self
):
1814 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1815 group_dn
= "CN=test_inherit_group," + ou_dn
1816 # Create inheritable-free OU
1817 self
.create_clean_ou(ou_dn
)
1818 mod
= "(OA;CI;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1819 modno
= "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
1820 modid
= "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1821 moded
= "(D;;CC;;;LG)"
1822 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1823 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1824 # Create group child object
1825 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1826 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1827 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1828 self
.assertNotIn(modno
, desc_sddl
)
1829 self
.assertIn(modid
, desc_sddl
)
1831 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1832 except LdbError
as e
:
1834 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1835 self
.assertIn(moded
, desc_sddl
)
1836 self
.assertNotIn(modno
, desc_sddl
)
1837 self
.assertIn(modid
, desc_sddl
)
1839 def test_ci_ga_name_attr_objectclass_same(self
):
1840 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1841 group_dn
= "CN=test_inherit_group," + ou_dn
1842 # Create inheritable-free OU
1843 self
.create_clean_ou(ou_dn
)
1844 mod
= "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1845 modob
= "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
1846 modid
= "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1847 moded
= "(D;;CC;;;LG)"
1848 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1849 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1850 # Create group child object
1851 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1852 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1853 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1854 self
.assertIn(modob
, desc_sddl
)
1855 self
.assertIn(modid
, desc_sddl
)
1857 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1858 except LdbError
as e
:
1860 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1861 self
.assertIn(moded
, desc_sddl
)
1862 self
.assertIn(modob
, desc_sddl
)
1863 self
.assertIn(modid
, desc_sddl
)
1865 def test_ci_ga_name_attr_objectclass_different(self
):
1866 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1867 group_dn
= "CN=test_inherit_group," + ou_dn
1868 # Create inheritable-free OU
1869 self
.create_clean_ou(ou_dn
)
1870 mod
= "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1871 modno
= "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
1872 modid
= "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1873 moded
= "(D;;CC;;;LG)"
1874 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1875 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1876 # Create group child object
1877 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1878 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1879 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1880 self
.assertNotIn(modno
, desc_sddl
)
1881 self
.assertIn(modid
, desc_sddl
)
1883 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1884 except LdbError
as e
:
1886 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1887 self
.assertIn(moded
, desc_sddl
)
1888 self
.assertNotIn(modno
, desc_sddl
)
1889 self
.assertIn(modid
, desc_sddl
)
1891 def test_ci_lc_no_attr_objectclass_same(self
):
1892 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1893 group_dn
= "CN=test_inherit_group," + ou_dn
1894 # Create inheritable-free OU
1895 self
.create_clean_ou(ou_dn
)
1896 mod
= "(OA;CI;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1897 modno
= "(A;ID;LC;;;DA)"
1898 modid
= "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1899 moded
= "(D;;CC;;;LG)"
1900 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1901 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1902 # Create group child object
1903 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1904 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1905 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1906 self
.assertNotIn(modno
, desc_sddl
)
1907 self
.assertIn(modid
, desc_sddl
)
1909 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1910 except LdbError
as e
:
1912 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1913 self
.assertIn(moded
, desc_sddl
)
1914 self
.assertNotIn(modno
, desc_sddl
)
1915 self
.assertIn(modid
, desc_sddl
)
1917 def test_ci_lc_no_attr_objectclass_different(self
):
1918 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1919 group_dn
= "CN=test_inherit_group," + ou_dn
1920 # Create inheritable-free OU
1921 self
.create_clean_ou(ou_dn
)
1922 mod
= "(OA;CI;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1923 modno
= "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
1924 modid
= "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1925 moded
= "(D;;CC;;;LG)"
1926 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1927 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1928 # Create group child object
1929 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1930 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1931 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1932 self
.assertNotIn(modno
, desc_sddl
)
1933 self
.assertIn(modid
, desc_sddl
)
1935 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1936 except LdbError
as e
:
1938 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1939 self
.assertIn(moded
, desc_sddl
)
1940 self
.assertNotIn(modno
, desc_sddl
)
1941 self
.assertIn(modid
, desc_sddl
)
1943 def test_ci_lc_name_attr_objectclass_same(self
):
1944 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1945 group_dn
= "CN=test_inherit_group," + ou_dn
1946 # Create inheritable-free OU
1947 self
.create_clean_ou(ou_dn
)
1948 mod
= "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1949 modob
= "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
1950 modid
= "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
1951 moded
= "(D;;CC;;;LG)"
1952 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1953 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1954 # Create group child object
1955 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1956 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1957 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1958 self
.assertNotIn(modob
, desc_sddl
)
1959 self
.assertIn(modid
, desc_sddl
)
1961 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1962 except LdbError
as e
:
1964 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1965 self
.assertIn(moded
, desc_sddl
)
1966 self
.assertNotIn(modob
, desc_sddl
)
1967 self
.assertIn(modid
, desc_sddl
)
1969 def test_ci_lc_name_attr_objectclass_different(self
):
1970 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1971 group_dn
= "CN=test_inherit_group," + ou_dn
1972 # Create inheritable-free OU
1973 self
.create_clean_ou(ou_dn
)
1974 mod
= "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1975 modno
= "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
1976 modid
= "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
1977 moded
= "(D;;CC;;;LG)"
1978 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1979 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1980 # Create group child object
1981 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1982 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1983 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1984 self
.assertNotIn(modno
, desc_sddl
)
1985 self
.assertIn(modid
, desc_sddl
)
1987 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1988 except LdbError
as e
:
1990 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1991 self
.assertIn(moded
, desc_sddl
)
1992 self
.assertNotIn(modno
, desc_sddl
)
1993 self
.assertIn(modid
, desc_sddl
)
1995 def test_ci_np_ga_no_attr_objectclass_same(self
):
1996 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1997 group_dn
= "CN=test_inherit_group," + ou_dn
1998 # Create inheritable-free OU
1999 self
.create_clean_ou(ou_dn
)
2000 # Add some custom 'OA' for 'name' attribute & 'CI'+'OI' ACE
2001 mod
= "(OA;CINP;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2002 modob
= "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
2003 modid
= "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2004 moded
= "(D;;CC;;;LG)"
2005 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
2006 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2007 # Create group child object
2008 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
2009 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
2010 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2011 self
.assertIn(modob
, desc_sddl
)
2012 self
.assertNotIn(modid
, desc_sddl
)
2013 self
.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2015 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
2016 except LdbError
as e
:
2018 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2019 self
.assertIn(moded
, desc_sddl
)
2020 self
.assertNotIn(modid
, desc_sddl
)
2021 self
.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2023 def test_ci_np_ga_no_attr_objectclass_different(self
):
2024 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
2025 group_dn
= "CN=test_inherit_group," + ou_dn
2026 # Create inheritable-free OU
2027 self
.create_clean_ou(ou_dn
)
2028 mod
= "(OA;CINP;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2029 modno
= "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
2030 modid
= "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2031 moded
= "(D;;CC;;;LG)"
2032 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
2033 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2034 # Create group child object
2035 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
2036 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
2037 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2038 self
.assertNotIn(modno
, desc_sddl
)
2039 self
.assertNotIn(modid
, desc_sddl
)
2040 self
.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl
)
2042 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
2043 except LdbError
as e
:
2045 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2046 self
.assertIn(moded
, desc_sddl
)
2047 self
.assertNotIn(modno
, desc_sddl
)
2048 self
.assertNotIn(modid
, desc_sddl
)
2049 self
.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl
)
2051 def test_ci_np_ga_name_attr_objectclass_same(self
):
2052 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
2053 group_dn
= "CN=test_inherit_group," + ou_dn
2054 # Create inheritable-free OU
2055 self
.create_clean_ou(ou_dn
)
2056 mod
= "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2057 modob
= "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
2058 modid
= "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2059 moded
= "(D;;CC;;;LG)"
2060 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
2061 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2062 # Create group child object
2063 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
2064 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
2065 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2066 self
.assertIn(modob
, desc_sddl
)
2067 self
.assertNotIn(modid
, desc_sddl
)
2068 self
.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2070 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
2071 except LdbError
as e
:
2073 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2074 self
.assertIn(moded
, desc_sddl
)
2075 self
.assertIn(modob
, desc_sddl
)
2076 self
.assertNotIn(modid
, desc_sddl
)
2077 self
.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2079 def test_ci_np_ga_name_attr_objectclass_different(self
):
2080 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
2081 group_dn
= "CN=test_inherit_group," + ou_dn
2082 # Create inheritable-free OU
2083 self
.create_clean_ou(ou_dn
)
2084 mod
= "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2085 moded
= "(D;;CC;;;LG)"
2086 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
2087 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2088 # Create group child object
2089 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
2090 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
2091 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2092 self
.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2093 self
.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl
)
2095 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
2096 except LdbError
as e
:
2098 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2099 self
.assertIn(moded
, desc_sddl
)
2100 self
.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2101 self
.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl
)
2103 def test_ci_np_lc_no_attr_objectclass_same(self
):
2104 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
2105 group_dn
= "CN=test_inherit_group," + ou_dn
2106 # Create inheritable-free OU
2107 self
.create_clean_ou(ou_dn
)
2108 mod
= "(OA;CINP;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2109 modno
= "(A;ID;LC;;;DA)"
2110 modid
= "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2111 moded
= "(D;;CC;;;LG)"
2112 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
2113 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2114 # Create group child object
2115 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
2116 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
2117 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2118 self
.assertIn(modno
, desc_sddl
)
2119 self
.assertNotIn(modid
, desc_sddl
)
2120 self
.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2122 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
2123 except LdbError
as e
:
2125 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2126 self
.assertIn(moded
, desc_sddl
)
2127 self
.assertIn(modno
, desc_sddl
)
2128 self
.assertNotIn(modid
, desc_sddl
)
2129 self
.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2131 def test_ci_np_lc_no_attr_objectclass_different(self
):
2132 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
2133 group_dn
= "CN=test_inherit_group," + ou_dn
2134 # Create inheritable-free OU
2135 self
.create_clean_ou(ou_dn
)
2136 mod
= "(OA;CINP;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2137 modno
= "(A;ID;LC;;;DA)"
2138 modid
= "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2139 moded
= "(D;;CC;;;LG)"
2140 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
2141 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2142 # Create group child object
2143 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
2144 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
2145 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2146 self
.assertNotIn(modno
, desc_sddl
)
2147 self
.assertNotIn(modid
, desc_sddl
)
2148 self
.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl
)
2150 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
2151 except LdbError
as e
:
2153 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2154 self
.assertIn(moded
, desc_sddl
)
2155 self
.assertNotIn(modno
, desc_sddl
)
2156 self
.assertNotIn(modid
, desc_sddl
)
2157 self
.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl
)
2159 def test_ci_np_lc_name_attr_objectclass_same(self
):
2160 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
2161 group_dn
= "CN=test_inherit_group," + ou_dn
2162 # Create inheritable-free OU
2163 self
.create_clean_ou(ou_dn
)
2164 mod
= "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2165 modob
= "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
2166 modid
= "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
2167 moded
= "(D;;CC;;;LG)"
2168 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
2169 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2170 # Create group child object
2171 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
2172 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
2173 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2174 self
.assertIn(modob
, desc_sddl
)
2175 self
.assertNotIn(modid
, desc_sddl
)
2176 self
.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2178 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
2179 except LdbError
as e
:
2181 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2182 self
.assertIn(moded
, desc_sddl
)
2183 self
.assertIn(modob
, desc_sddl
)
2184 self
.assertNotIn(modid
, desc_sddl
)
2185 self
.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2187 def test_ci_np_lc_name_attr_objectclass_different(self
):
2188 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
2189 group_dn
= "CN=test_inherit_group," + ou_dn
2190 # Create inheritable-free OU
2191 self
.create_clean_ou(ou_dn
)
2192 mod
= "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2193 modno
= "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
2194 modid
= "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
2195 moded
= "(D;;CC;;;LG)"
2196 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
2197 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2198 # Create group child object
2199 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
2200 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
2201 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2202 self
.assertNotIn(modno
, desc_sddl
)
2203 self
.assertNotIn(modid
, desc_sddl
)
2204 self
.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2205 self
.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl
)
2207 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
2208 except LdbError
as e
:
2210 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
2211 self
.assertIn(moded
, desc_sddl
)
2212 self
.assertNotIn(modno
, desc_sddl
)
2213 self
.assertNotIn(modid
, desc_sddl
)
2214 self
.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl
)
2215 self
.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl
)
2217 ########################################################################################
2220 class SdFlagsDescriptorTests(DescriptorTests
):
2221 def deleteAll(self
):
2222 delete_force(self
.ldb_admin
, "OU=test_sdflags_ou," + self
.base_dn
)
2225 super(SdFlagsDescriptorTests
, self
).setUp()
2226 self
.test_descr
= "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
2230 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
2231 See that only the owner has been changed.
2233 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2234 self
.ldb_admin
.create_ou(ou_dn
)
2235 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
2236 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2237 # make sure we have modified the owner
2238 self
.assertIn("O:AU", desc_sddl
)
2239 # make sure nothing else has been modified
2240 self
.assertNotIn("G:AU", desc_sddl
)
2241 self
.assertNotIn("D:(D;;CC;;;LG)", desc_sddl
)
2242 self
.assertNotIn("(OU;;WP;;;AU)", desc_sddl
)
2245 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
2246 See that only the owner has been changed.
2248 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2249 self
.ldb_admin
.create_ou(ou_dn
)
2250 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
2251 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2252 # make sure we have modified the group
2253 self
.assertIn("G:AU", desc_sddl
)
2254 # make sure nothing else has been modified
2255 self
.assertNotIn("O:AU", desc_sddl
)
2256 self
.assertNotIn("D:(D;;CC;;;LG)", desc_sddl
)
2257 self
.assertNotIn("(OU;;WP;;;AU)", desc_sddl
)
2260 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
2261 See that only the owner has been changed.
2263 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2264 self
.ldb_admin
.create_ou(ou_dn
)
2265 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
2266 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2267 # make sure we have modified the DACL
2268 self
.assertIn("(D;;CC;;;LG)", desc_sddl
)
2269 # make sure nothing else has been modified
2270 self
.assertNotIn("O:AU", desc_sddl
)
2271 self
.assertNotIn("G:AU", desc_sddl
)
2272 self
.assertNotIn("(OU;;WP;;;AU)", desc_sddl
)
2275 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
2276 See that only the owner has been changed.
2278 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2279 self
.ldb_admin
.create_ou(ou_dn
)
2280 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
2281 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2282 # make sure we have modified the DACL
2283 self
.assertIn("(OU;;WP;;;AU)", desc_sddl
)
2284 # make sure nothing else has been modified
2285 self
.assertNotIn("O:AU", desc_sddl
)
2286 self
.assertNotIn("G:AU", desc_sddl
)
2287 self
.assertNotIn("(D;;CC;;;LG)", desc_sddl
)
2290 """ Modify a descriptor with 0x0 set.
2291 Contrary to logic this is interpreted as no control,
2292 which is the same as 0xF
2294 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2295 self
.ldb_admin
.create_ou(ou_dn
)
2296 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:0"])
2297 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2298 # make sure we have modified the DACL
2299 self
.assertIn("(OU;;WP;;;AU)", desc_sddl
)
2300 # make sure nothing else has been modified
2301 self
.assertIn("O:AU", desc_sddl
)
2302 self
.assertIn("G:AU", desc_sddl
)
2303 self
.assertIn("(D;;CC;;;LG)", desc_sddl
)
2306 """ Modify a descriptor with 0xF set.
2308 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2309 self
.ldb_admin
.create_ou(ou_dn
)
2310 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:15"])
2311 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
2312 # make sure we have modified the DACL
2313 self
.assertIn("(OU;;WP;;;AU)", desc_sddl
)
2314 # make sure nothing else has been modified
2315 self
.assertIn("O:AU", desc_sddl
)
2316 self
.assertIn("G:AU", desc_sddl
)
2317 self
.assertIn("(D;;CC;;;LG)", desc_sddl
)
2320 """ Read a descriptor with OWNER_SECURITY_INFORMATION
2321 Only the owner part should be returned.
2323 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2324 self
.ldb_admin
.create_ou(ou_dn
)
2325 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
2326 # make sure we have read the owner
2327 self
.assertIn("O:", desc_sddl
)
2328 # make sure we have read nothing else
2329 self
.assertNotIn("G:", desc_sddl
)
2330 self
.assertNotIn("D:", desc_sddl
)
2331 self
.assertNotIn("S:", desc_sddl
)
2334 """ Read a descriptor with GROUP_SECURITY_INFORMATION
2335 Only the group part should be returned.
2337 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2338 self
.ldb_admin
.create_ou(ou_dn
)
2339 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
2340 # make sure we have read the owner
2341 self
.assertIn("G:", desc_sddl
)
2342 # make sure we have read nothing else
2343 self
.assertNotIn("O:", desc_sddl
)
2344 self
.assertNotIn("D:", desc_sddl
)
2345 self
.assertNotIn("S:", desc_sddl
)
2348 """ Read a descriptor with SACL_SECURITY_INFORMATION
2349 Only the sacl part should be returned.
2351 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2352 self
.ldb_admin
.create_ou(ou_dn
)
2353 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
2354 # make sure we have read the owner
2355 self
.assertIn("S:", desc_sddl
)
2356 # make sure we have read nothing else
2357 self
.assertNotIn("O:", desc_sddl
)
2358 self
.assertNotIn("D:", desc_sddl
)
2359 self
.assertNotIn("G:", desc_sddl
)
2362 """ Read a descriptor with DACL_SECURITY_INFORMATION
2363 Only the dacl part should be returned.
2365 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
2366 self
.ldb_admin
.create_ou(ou_dn
)
2367 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
2368 # make sure we have read the owner
2369 self
.assertIn("D:", desc_sddl
)
2370 # make sure we have read nothing else
2371 self
.assertNotIn("O:", desc_sddl
)
2372 self
.assertNotIn("S:", desc_sddl
)
2373 self
.assertNotIn("G:", desc_sddl
)
2376 sd_flags
= (SECINFO_OWNER |
2381 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2383 self
.assertNotIn("nTSecurityDescriptor", res
[0])
2385 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2386 ["name"], controls
=None)
2387 self
.assertNotIn("nTSecurityDescriptor", res
[0])
2389 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2390 ["name"], controls
=["sd_flags:1:%d" % (sd_flags
)])
2391 self
.assertNotIn("nTSecurityDescriptor", res
[0])
2393 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2394 controls
=["sd_flags:1:%d" % (sd_flags
)])
2395 self
.assertIn("nTSecurityDescriptor", res
[0])
2396 tmp
= res
[0]["nTSecurityDescriptor"][0]
2397 sd
= ndr_unpack(security
.descriptor
, tmp
)
2398 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2399 self
.assertIn("O:", sddl
)
2400 self
.assertIn("G:", sddl
)
2401 self
.assertIn("D:", sddl
)
2402 self
.assertIn("S:", sddl
)
2404 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2405 ["*"], controls
=["sd_flags:1:%d" % (sd_flags
)])
2406 self
.assertIn("nTSecurityDescriptor", res
[0])
2407 tmp
= res
[0]["nTSecurityDescriptor"][0]
2408 sd
= ndr_unpack(security
.descriptor
, tmp
)
2409 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2410 self
.assertIn("O:", sddl
)
2411 self
.assertIn("G:", sddl
)
2412 self
.assertIn("D:", sddl
)
2413 self
.assertIn("S:", sddl
)
2415 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2416 ["nTSecurityDescriptor", "*"], controls
=["sd_flags:1:%d" % (sd_flags
)])
2417 self
.assertIn("nTSecurityDescriptor", res
[0])
2418 tmp
= res
[0]["nTSecurityDescriptor"][0]
2419 sd
= ndr_unpack(security
.descriptor
, tmp
)
2420 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2421 self
.assertIn("O:", sddl
)
2422 self
.assertIn("G:", sddl
)
2423 self
.assertIn("D:", sddl
)
2424 self
.assertIn("S:", sddl
)
2426 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2427 ["*", "nTSecurityDescriptor"], controls
=["sd_flags:1:%d" % (sd_flags
)])
2428 self
.assertIn("nTSecurityDescriptor", res
[0])
2429 tmp
= res
[0]["nTSecurityDescriptor"][0]
2430 sd
= ndr_unpack(security
.descriptor
, tmp
)
2431 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2432 self
.assertIn("O:", sddl
)
2433 self
.assertIn("G:", sddl
)
2434 self
.assertIn("D:", sddl
)
2435 self
.assertIn("S:", sddl
)
2437 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2438 ["nTSecurityDescriptor", "name"], controls
=["sd_flags:1:%d" % (sd_flags
)])
2439 self
.assertIn("nTSecurityDescriptor", res
[0])
2440 tmp
= res
[0]["nTSecurityDescriptor"][0]
2441 sd
= ndr_unpack(security
.descriptor
, tmp
)
2442 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2443 self
.assertIn("O:", sddl
)
2444 self
.assertIn("G:", sddl
)
2445 self
.assertIn("D:", sddl
)
2446 self
.assertIn("S:", sddl
)
2448 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2449 ["name", "nTSecurityDescriptor"], controls
=["sd_flags:1:%d" % (sd_flags
)])
2450 self
.assertIn("nTSecurityDescriptor", res
[0])
2451 tmp
= res
[0]["nTSecurityDescriptor"][0]
2452 sd
= ndr_unpack(security
.descriptor
, tmp
)
2453 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2454 self
.assertIn("O:", sddl
)
2455 self
.assertIn("G:", sddl
)
2456 self
.assertIn("D:", sddl
)
2457 self
.assertIn("S:", sddl
)
2459 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2460 ["nTSecurityDescriptor"], controls
=None)
2461 self
.assertIn("nTSecurityDescriptor", res
[0])
2462 tmp
= res
[0]["nTSecurityDescriptor"][0]
2463 sd
= ndr_unpack(security
.descriptor
, tmp
)
2464 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2465 self
.assertIn("O:", sddl
)
2466 self
.assertIn("G:", sddl
)
2467 self
.assertIn("D:", sddl
)
2468 self
.assertIn("S:", sddl
)
2470 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2471 ["name", "nTSecurityDescriptor"], controls
=None)
2472 self
.assertIn("nTSecurityDescriptor", res
[0])
2473 tmp
= res
[0]["nTSecurityDescriptor"][0]
2474 sd
= ndr_unpack(security
.descriptor
, tmp
)
2475 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2476 self
.assertIn("O:", sddl
)
2477 self
.assertIn("G:", sddl
)
2478 self
.assertIn("D:", sddl
)
2479 self
.assertIn("S:", sddl
)
2481 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None,
2482 ["nTSecurityDescriptor", "name"], controls
=None)
2483 self
.assertIn("nTSecurityDescriptor", res
[0])
2484 tmp
= res
[0]["nTSecurityDescriptor"][0]
2485 sd
= ndr_unpack(security
.descriptor
, tmp
)
2486 sddl
= sd
.as_sddl(self
.sd_utils
.domain_sid
)
2487 self
.assertIn("O:", sddl
)
2488 self
.assertIn("G:", sddl
)
2489 self
.assertIn("D:", sddl
)
2490 self
.assertIn("S:", sddl
)
2493 """This search is done by the windows dc join..."""
2495 res
= self
.ldb_admin
.search(self
.base_dn
, SCOPE_BASE
, None, ["1.1"],
2496 controls
=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"])
2497 self
.assertNotIn("nTSecurityDescriptor", res
[0])
2500 class RightsAttributesTests(DescriptorTests
):
2502 def deleteAll(self
):
2503 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr"))
2504 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr2"))
2505 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
2508 super(RightsAttributesTests
, self
).setUp()
2512 self
.ldb_admin
.newuser("testuser_attr", "samba123@")
2513 # User 2, Domain Admins
2514 self
.ldb_admin
.newuser("testuser_attr2", "samba123@")
2515 self
.ldb_admin
.add_remove_group_members("Domain Admins",
2517 add_members_operation
=True)
2519 def test_sDRightsEffective(self
):
2520 object_dn
= "OU=test_domain_ou1," + self
.base_dn
2521 delete_force(self
.ldb_admin
, object_dn
)
2522 self
.ldb_admin
.create_ou(object_dn
)
2523 print(self
.get_users_domain_dn("testuser_attr"))
2524 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
2525 # give testuser1 read access so attributes can be retrieved
2526 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
2527 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
2528 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
2529 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2530 attrs
=["sDRightsEffective"])
2531 # user should have no rights at all
2532 self
.assertEqual(len(res
), 1)
2533 self
.assertEqual(str(res
[0]["sDRightsEffective"][0]), "0")
2534 # give the user Write DACL and see what happens
2535 mod
= "(A;CI;WD;;;%s)" % str(user_sid
)
2536 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
2537 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2538 attrs
=["sDRightsEffective"])
2539 # user should have DACL_SECURITY_INFORMATION
2540 self
.assertEqual(len(res
), 1)
2541 self
.assertEqual(str(res
[0]["sDRightsEffective"][0]), ("%d") % SECINFO_DACL
)
2542 # give the user Write Owners and see what happens
2543 mod
= "(A;CI;WO;;;%s)" % str(user_sid
)
2544 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
2545 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2546 attrs
=["sDRightsEffective"])
2547 # user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2548 self
.assertEqual(len(res
), 1)
2549 self
.assertEqual(str(res
[0]["sDRightsEffective"][0]), ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER
))
2550 # no way to grant security privilege bu adding ACE's so we use a member of Domain Admins
2551 _ldb
= self
.get_ldb_connection("testuser_attr2", "samba123@")
2552 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2553 attrs
=["sDRightsEffective"])
2554 # user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2555 self
.assertEqual(len(res
), 1)
2556 self
.assertEqual(str(res
[0]["sDRightsEffective"][0]),
2557 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL
))
2559 def test_allowedChildClassesEffective(self
):
2560 object_dn
= "OU=test_domain_ou1," + self
.base_dn
2561 delete_force(self
.ldb_admin
, object_dn
)
2562 self
.ldb_admin
.create_ou(object_dn
)
2563 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
2564 # give testuser1 read access so attributes can be retrieved
2565 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
2566 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
2567 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
2568 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2569 attrs
=["allowedChildClassesEffective"])
2570 # there should be no allowed child classes
2571 self
.assertEqual(len(res
), 1)
2572 self
.assertNotIn("allowedChildClassesEffective", res
[0].keys())
2573 # give the user the right to create children of type user
2574 mod
= "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
2575 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
2576 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2577 attrs
=["allowedChildClassesEffective"])
2578 # allowedChildClassesEffective should only have one value, user
2579 self
.assertEqual(len(res
), 1)
2580 self
.assertEqual(len(res
[0]["allowedChildClassesEffective"]), 1)
2581 self
.assertEqual(str(res
[0]["allowedChildClassesEffective"][0]), "user")
2583 def test_allowedAttributesEffective(self
):
2584 object_dn
= "OU=test_domain_ou1," + self
.base_dn
2585 delete_force(self
.ldb_admin
, object_dn
)
2586 self
.ldb_admin
.create_ou(object_dn
)
2587 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
2588 # give testuser1 read access so attributes can be retrieved
2589 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
2590 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
2591 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
2592 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2593 attrs
=["allowedAttributesEffective"])
2594 # there should be no allowed attributes
2595 self
.assertEqual(len(res
), 1)
2596 self
.assertNotIn("allowedAttributesEffective", res
[0].keys())
2597 # give the user the right to write displayName and managedBy
2598 mod2
= "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
2599 mod
= "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid
)
2600 # also rights to modify an read only attribute, fromEntry
2601 mod3
= "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid
)
2602 self
.sd_utils
.dacl_add_ace(object_dn
, mod
+ mod2
+ mod3
)
2603 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2604 attrs
=["allowedAttributesEffective"])
2605 # value should only contain user and managedBy
2606 self
.assertEqual(len(res
), 1)
2607 self
.assertEqual(len(res
[0]["allowedAttributesEffective"]), 2)
2608 self
.assertIn(b
"displayName", res
[0]["allowedAttributesEffective"])
2609 self
.assertIn(b
"managedBy", res
[0]["allowedAttributesEffective"])
2612 class SdAutoInheritTests(DescriptorTests
):
2613 def deleteAll(self
):
2614 delete_force(self
.ldb_admin
, self
.sub_dn
)
2615 delete_force(self
.ldb_admin
, self
.ou_dn
)
2618 super(SdAutoInheritTests
, self
).setUp()
2619 self
.ou_dn
= "OU=test_SdAutoInherit_ou," + self
.base_dn
2620 self
.sub_dn
= "OU=test_sub," + self
.ou_dn
2624 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
2625 See that only the owner has been changed.
2627 attrs
= ["nTSecurityDescriptor", "replPropertyMetaData", "uSNChanged"]
2628 controls
= ["sd_flags:1:%d" % (SECINFO_DACL
)]
2629 ace
= "(A;CI;CC;;;NU)"
2630 sub_ace
= "(A;CIID;CC;;;NU)"
2631 sd_sddl
= "O:BAG:BAD:P(A;CI;0x000f01ff;;;AU)"
2632 sd
= security
.descriptor
.from_sddl(sd_sddl
, self
.domain_sid
)
2634 self
.ldb_admin
.create_ou(self
.ou_dn
, sd
=sd
)
2635 self
.ldb_admin
.create_ou(self
.sub_dn
)
2637 ou_res0
= self
.sd_utils
.ldb
.search(self
.ou_dn
, SCOPE_BASE
,
2638 None, attrs
, controls
=controls
)
2639 sub_res0
= self
.sd_utils
.ldb
.search(self
.sub_dn
, SCOPE_BASE
,
2640 None, attrs
, controls
=controls
)
2642 ou_sd0
= ndr_unpack(security
.descriptor
, ou_res0
[0]["nTSecurityDescriptor"][0])
2643 sub_sd0
= ndr_unpack(security
.descriptor
, sub_res0
[0]["nTSecurityDescriptor"][0])
2645 ou_sddl0
= ou_sd0
.as_sddl(self
.domain_sid
)
2646 sub_sddl0
= sub_sd0
.as_sddl(self
.domain_sid
)
2648 self
.assertNotIn(ace
, ou_sddl0
)
2649 self
.assertNotIn(ace
, sub_sddl0
)
2651 ou_sddl1
= (ou_sddl0
[:ou_sddl0
.index("(")] + ace
+
2652 ou_sddl0
[ou_sddl0
.index("("):])
2654 sub_sddl1
= (sub_sddl0
[:sub_sddl0
.index("(")] + ace
+
2655 sub_sddl0
[sub_sddl0
.index("("):])
2657 self
.sd_utils
.modify_sd_on_dn(self
.ou_dn
, ou_sddl1
, controls
=controls
)
2659 self
.sd_utils
.modify_sd_on_dn(self
.sub_dn
, sub_sddl1
, controls
=controls
)
2661 sub_res2
= self
.sd_utils
.ldb
.search(self
.sub_dn
, SCOPE_BASE
,
2662 None, attrs
, controls
=controls
)
2663 ou_res2
= self
.sd_utils
.ldb
.search(self
.ou_dn
, SCOPE_BASE
,
2664 None, attrs
, controls
=controls
)
2666 ou_sd2
= ndr_unpack(security
.descriptor
, ou_res2
[0]["nTSecurityDescriptor"][0])
2667 sub_sd2
= ndr_unpack(security
.descriptor
, sub_res2
[0]["nTSecurityDescriptor"][0])
2669 ou_sddl2
= ou_sd2
.as_sddl(self
.domain_sid
)
2670 sub_sddl2
= sub_sd2
.as_sddl(self
.domain_sid
)
2672 self
.assertNotEqual(ou_sddl2
, ou_sddl0
)
2673 self
.assertNotEqual(sub_sddl2
, sub_sddl0
)
2675 if ace
not in ou_sddl2
:
2676 print("ou0: %s" % ou_sddl0
)
2677 print("ou2: %s" % ou_sddl2
)
2679 if sub_ace
not in sub_sddl2
:
2680 print("sub0: %s" % sub_sddl0
)
2681 print("sub2: %s" % sub_sddl2
)
2683 self
.assertIn(ace
, ou_sddl2
)
2684 self
.assertIn(sub_ace
, sub_sddl2
)
2686 ou_usn0
= int(ou_res0
[0]["uSNChanged"][0])
2687 ou_usn2
= int(ou_res2
[0]["uSNChanged"][0])
2688 self
.assertGreater(ou_usn2
, ou_usn0
)
2690 sub_usn0
= int(sub_res0
[0]["uSNChanged"][0])
2691 sub_usn2
= int(sub_res2
[0]["uSNChanged"][0])
2692 self
.assertGreater(sub_usn2
, sub_usn0
)
2695 if "://" not in host
:
2696 if os
.path
.isfile(host
):
2697 host
= "tdb://%s" % host
2699 host
= "ldap://%s" % host
2701 # use 'paged_search' module when connecting remotely
2702 if host
.lower().startswith("ldap://"):
2703 ldb_options
= ["modules:paged_searches"]
2705 TestProgram(module
=__name__
, opts
=subunitopts
)