python/samba/tests/samba_tool/dsacl.py

   1 # Unix SMB/CIFS implementation.
   2 # Copyright (C) Martin Kraemer 2019 <mk.maddin@gmail.com>
   3 #
   4 # This program is free software; you can redistribute it and/or modify
   5 # it under the terms of the GNU General Public License as published by
   6 # the Free Software Foundation; either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU General Public License
  15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16 #
  17
  18 import os
  19 import ldb
  20 from samba.tests.samba_tool.base import SambaToolCmdTest
  21 import re
  22
  23 class DSaclSetSddlTestCase(SambaToolCmdTest):
  24     """Tests for samba-tool dsacl set --sddl subcommand"""
  25     sddl       = "(OA;CIIO;RPWP;aaaaaaaa-1111-bbbb-2222-dddddddddddd;33333333-eeee-4444-ffff-555555555555;PS)"
  26     sddl_lc    = "(OA;CIIO;RPWP;aaaaaaaa-1111-bbbb-2222-dddddddddddd;33333333-eeee-4444-ffff-555555555555;PS)"
  27     sddl_uc    = "(OA;CIIO;RPWP;AAAAAAAA-1111-BBBB-2222-DDDDDDDDDDDD;33333333-EEEE-4444-FFFF-555555555555;PS)"
  28     sddl_sid   = "(OA;CIIO;RPWP;aaaaaaaa-1111-bbbb-2222-dddddddddddd;33333333-eeee-4444-ffff-555555555555;S-1-5-10)"
  29     sddl_multi = "(OA;CIIO;RPWP;aaaaaaaa-1111-bbbb-2222-dddddddddddd;33333333-eeee-4444-ffff-555555555555;PS)(OA;CIIO;RPWP;cccccccc-9999-ffff-8888-eeeeeeeeeeee;77777777-dddd-6666-bbbb-555555555555;PS)"
  30
  31     def setUp(self):
  32         super(DSaclSetSddlTestCase, self).setUp()
  33         self.samdb = self.getSamDB("-H", "ldap://%s" % os.environ["DC_SERVER"],"-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
  34         self.dn="OU=DSaclSetSddlTestCase,%s" % self.samdb.domain_dn()
  35         self.samdb.create_ou(self.dn)
  36
  37     def tearDown(self):
  38         super(DSaclSetSddlTestCase, self).tearDown()
  39         # clean-up the created test ou
  40         self.samdb.delete(self.dn)
  41
  42     def test_sddl(self):
  43         """Tests if a sddl string can be added 'the normal way'"""
  44         (result, out, err) = self.runsubcmd("dsacl", "set","--objectdn=%s" % self.dn, "--sddl=%s" % self.sddl)
  45         self.assertCmdSuccess(result, out, err)
  46         self.assertEquals(err, "", "Shouldn't be any error messages")
  47         #extract only the two sddl strings from samba-tool output
  48         acl_list=re.findall('.*descriptor for.*:\n(.*?)\n',out)
  49         self.assertNotEqual(acl_list[0], acl_list[1], "new and old SDDL string differ")
  50         self.assertMatch(acl_list[1], self.sddl, "new SDDL string should be contained within second sddl output")
  51
  52     def test_sddl_set_get(self):
  53         """Tests if a sddl string can be added 'the normal way' and the output of 'get' is the same"""
  54         (result, out, err) = self.runsubcmd("dsacl", "get",
  55                                             "--objectdn=%s" % self.dn)
  56         self.assertCmdSuccess(result, out, err)
  57         self.assertEquals(err, "", "Shouldn't be any error messages")
  58         #extract only the two sddl strings from samba-tool output
  59         acl_list_get=re.findall('^descriptor for.*:\n(.*?)\n', out)
  60
  61         (result, out, err) = self.runsubcmd("dsacl", "set",
  62                                             "--objectdn=%s" % self.dn,
  63                                             "--sddl=%s" % self.sddl)
  64         self.assertCmdSuccess(result, out, err)
  65         self.assertEquals(err, "", "Shouldn't be any error messages")
  66         #extract only the two sddl strings from samba-tool output
  67         acl_list_old=re.findall('old descriptor for.*:\n(.*?)\n', out)
  68         self.assertEqual(acl_list_old, acl_list_get,
  69                          "output of dsacl get should be the same as before set")
  70
  71         acl_list=re.findall('new descriptor for.*:\n(.*?)\n', out)
  72
  73         (result, out, err) = self.runsubcmd("dsacl", "get",
  74                                             "--objectdn=%s" % self.dn)
  75         self.assertCmdSuccess(result, out, err)
  76         self.assertEquals(err, "", "Shouldn't be any error messages")
  77         #extract only the two sddl strings from samba-tool output
  78         acl_list_get2=re.findall('^descriptor for.*:\n(.*?)\n', out)
  79         self.assertEqual(acl_list, acl_list_get2,
  80                          "output of dsacl get should be the same as after set")
  81
  82     def test_multisddl(self):
  83         """Tests if we can add multiple, different sddl strings at the same time"""
  84         (result, out, err) = self.runsubcmd("dsacl", "set","--objectdn=%s" % self.dn, "--sddl=%s" % self.sddl_multi)
  85         self.assertCmdSuccess(result, out, err)
  86         self.assertEquals(err, "", "Shouldn't be any error messages")
  87         #extract only the two sddl strings from samba-tool output
  88         acl_list=re.findall('.*descriptor for.*:\n(.*?)\n',out)
  89         for ace in re.findall('\(.*?\)',self.sddl_multi):
  90             self.assertMatch(acl_list[1], ace, "new SDDL string should be contained within second sddl output")
  91
  92     def test_duplicatesddl(self):
  93         """Tests if an already existing sddl string can be added causing duplicate entry"""
  94         acl_list = self._double_sddl_check(self.sddl,self.sddl)
  95         self.assertEquals(acl_list[0],acl_list[1])
  96
  97     def test_casesensitivesddl(self):
  98         """Tests if an already existing sddl string can be added in different cases causing duplicate entry"""
  99         acl_list = self._double_sddl_check(self.sddl_lc,self.sddl_uc)
 100         self.assertEquals(acl_list[0],acl_list[1])
 101
 102     def test_sidsddl(self):
 103         """Tests if an already existing sddl string can be added with SID instead of SDDL SIDString causing duplicate entry"""
 104         acl_list = self._double_sddl_check(self.sddl,self.sddl_sid)
 105         self.assertEquals(acl_list[0],acl_list[1])
 106
 107     def test_twosddl(self):
 108         """Tests if an already existing sddl string can be added by using it twice/in combination with non existing sddl string causing duplicate entry"""
 109         acl_list = self._double_sddl_check(self.sddl,self.sddl + self.sddl)
 110         self.assertEquals(acl_list[0],acl_list[1])
 111
 112     def _double_sddl_check(self,sddl1,sddl2):
 113         """Adds two sddl strings and checks if there was an ace change after the second adding"""
 114         (result, out, err) = self.runsubcmd("dsacl", "set","--objectdn=%s" % self.dn, "--sddl=%s" % sddl1)
 115         self.assertCmdSuccess(result, out, err)
 116         self.assertEquals(err, "", "Shouldn't be any error messages")
 117         acl_list = re.findall('.*descriptor for.*:\n(.*?)\n',out)
 118         self.assertMatch(acl_list[1], sddl1, "new SDDL string should be contained within second sddl output - is not")
 119         #add sddl2
 120         (result, out, err) = self.runsubcmd("dsacl", "set","--objectdn=%s" % self.dn, "--sddl=%s" % sddl2)
 121         self.assertCmdSuccess(result, out, err)
 122         self.assertEquals(err, "", "Shouldn't be any error messages")
 123         acl_list = re.findall('.*descriptor for.*:\n(.*?)\n',out)
 124         return acl_list