1 # Unix SMB/CIFS implementation.
2 # Copyright (C) Martin Kraemer 2019 <mk.maddin@gmail.com>
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import re

from samba.tests.samba_tool.base import SambaToolCmdTest
23 class DSaclSetSddlTestCase(SambaToolCmdTest
):
24 """Tests for samba-tool dsacl set --sddl subcommand"""
# Test ACEs in SDDL form:
#   (type;flags;rights;object GUID;inherited object GUID;trustee)
# OA = object-specific allow ACE, CIIO = container-inherit + inherit-only,
# RPWP = read-property + write-property.  The GUIDs look like placeholder
# values chosen for the tests.
sddl = (
    "(OA;CIIO;RPWP;"
    "aaaaaaaa-1111-bbbb-2222-dddddddddddd;"
    "33333333-eeee-4444-ffff-555555555555;"
    "PS)"
)
# Lower-case spelling of the GUIDs; byte-for-byte the same ACE as ``sddl``.
sddl_lc = sddl
# Same ACE with both GUIDs in upper case.
sddl_uc = (
    "(OA;CIIO;RPWP;"
    "AAAAAAAA-1111-BBBB-2222-DDDDDDDDDDDD;"
    "33333333-EEEE-4444-FFFF-555555555555;"
    "PS)"
)
# Same ACE with the trustee written as a literal SID: S-1-5-10 is the SID
# behind the SDDL alias "PS" (Principal Self).
sddl_sid = (
    "(OA;CIIO;RPWP;"
    "aaaaaaaa-1111-bbbb-2222-dddddddddddd;"
    "33333333-eeee-4444-ffff-555555555555;"
    "S-1-5-10)"
)
# Two different ACEs in one string: ``sddl`` followed by a second ACE that
# uses other GUIDs.
sddl_multi = sddl + (
    "(OA;CIIO;RPWP;"
    "cccccccc-9999-ffff-8888-eeeeeeeeeeee;"
    "77777777-dddd-6666-bbbb-555555555555;"
    "PS)"
)
# NOTE(review): the "def" line that opens this fixture is not visible in this
# listing; the super().setUp() call suggests these statements are the body of
# setUp(self) -- confirm against the upstream file.
super(DSaclSetSddlTestCase, self).setUp()
# Connect to the DC under test.  Host and credentials are read from the
# DC_SERVER, DC_USERNAME and DC_PASSWORD environment variables; a missing
# variable raises KeyError here.  The password is formatted into a
# "-Uuser%password" argument string, so these arguments should not be echoed
# into logs or failure messages.
self.samdb = self.getSamDB("-H", "ldap://%s" % os.environ["DC_SERVER"],"-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
# All ACL changes in these tests are made on a dedicated OU below the domain
# DN, which is created here.
self.dn="OU=DSaclSetSddlTestCase,%s" % self.samdb.domain_dn()
self.samdb.create_ou(self.dn)
# NOTE(review): the "def" line that opens this fixture is not visible in this
# listing; the super().tearDown() call suggests these statements are the body
# of tearDown(self) -- confirm against the upstream file.
super(DSaclSetSddlTestCase, self).tearDown()
# Clean up the test OU stored in self.dn, so the ACEs added by a test do not
# outlive it.
self.samdb.delete(self.dn)
# NOTE(review): the "def" line naming this test method is not visible in this
# listing -- confirm the name against the upstream file.
"""Tests if a sddl string can be added 'the normal way'"""
# Apply the single test ACE to the test OU with "samba-tool dsacl set".
(result, out, err) = self.runsubcmd("dsacl", "set","--objectdn=%s" % self.dn, "--sddl=%s" % self.sddl)
self.assertCmdSuccess(result, out, err)
self.assertEquals(err, "", "Shouldn't be any error messages")
# Extract the SDDL line that follows each "... descriptor for ...:" header.
# Presumably index 0 is the old and index 1 the new descriptor (other tests in
# this file match "old descriptor for" / "new descriptor for" separately).
acl_list=re.findall('.*descriptor for.*:\n(.*?)\n',out)
# The descriptor must have changed; note the message is shown on failure,
# i.e. when the two strings do NOT differ.
self.assertNotEqual(acl_list[0], acl_list[1], "new and old SDDL string differ")
# The second descriptor has to contain the ACE that was just added.
self.assertMatch(acl_list[1], self.sddl, "new SDDL string should be contained within second sddl output")
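def test_sddl_set_get(self):
    """Check that 'dsacl get' reports the descriptors that 'dsacl set' prints.

    Sequence: get, set (adding ``self.sddl``), get.  The descriptor printed
    by set under "old descriptor for" must equal the first get, and the one
    printed under "new descriptor for" must equal the second get.
    """
    objectdn_arg = "--objectdn=%s" % self.dn

    # Descriptor of the test OU before any change.
    (result, out, err) = self.runsubcmd("dsacl", "get", objectdn_arg)
    self.assertCmdSuccess(result, out, err)
    self.assertEqual(err, "", "Shouldn't be any error messages")
    # '^' is used without re.MULTILINE, so the header is only matched at the
    # very start of the output.
    acl_list_get = re.findall('^descriptor for.*:\n(.*?)\n', out)
    # Without this guard two empty match lists would compare equal and the
    # test would pass without having checked any descriptor.
    self.assertTrue(acl_list_get, "dsacl get should print a descriptor")

    # Add the test ACE.
    (result, out, err) = self.runsubcmd("dsacl", "set", objectdn_arg,
                                        "--sddl=%s" % self.sddl)
    self.assertCmdSuccess(result, out, err)
    self.assertEqual(err, "", "Shouldn't be any error messages")
    # Descriptor that set reports as the state before the change.
    acl_list_old = re.findall('old descriptor for.*:\n(.*?)\n', out)
    self.assertEqual(acl_list_old, acl_list_get,
                     "output of dsacl get should be the same as before set")

    # Descriptor that set reports as the state after the change.
    acl_list = re.findall('new descriptor for.*:\n(.*?)\n', out)
    self.assertTrue(acl_list, "dsacl set should print the new descriptor")

    # Read the descriptor back and compare it with what set claimed to write.
    (result, out, err) = self.runsubcmd("dsacl", "get", objectdn_arg)
    self.assertCmdSuccess(result, out, err)
    self.assertEqual(err, "", "Shouldn't be any error messages")
    acl_list_get2 = re.findall('^descriptor for.*:\n(.*?)\n', out)
    self.assertEqual(acl_list, acl_list_get2,
                     "output of dsacl get should be the same as after set")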
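def test_multisddl(self):
    """Check that several different ACEs passed in one --sddl value are all applied.

    ``self.sddl_multi`` holds two ACEs; each of them has to show up in the
    second descriptor printed by 'dsacl set'.
    """
    (result, out, err) = self.runsubcmd("dsacl", "set",
                                        "--objectdn=%s" % self.dn,
                                        "--sddl=%s" % self.sddl_multi)
    self.assertCmdSuccess(result, out, err)
    self.assertEqual(err, "", "Shouldn't be any error messages")
    # SDDL line following each "... descriptor for ...:" header; index 1 is
    # read below as the descriptor after the change.
    acl_list = re.findall('.*descriptor for.*:\n(.*?)\n', out)
    # Fail with a clear message instead of an IndexError if the output does
    # not contain two descriptors.
    self.assertGreaterEqual(len(acl_list), 2,
                            "dsacl set should print the old and the new descriptor")
    # Split the input into its parenthesised ACEs.  The pattern is a raw
    # string because '\(' in a normal literal is an invalid escape sequence.
    for ace in re.findall(r'\(.*?\)', self.sddl_multi):
        self.assertMatch(acl_list[1], ace, "new SDDL string should be contained within second sddl output")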
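def test_duplicatesddl(self):
    """Check that setting an ACE that is already present does not add a duplicate.

    The same ACE is set twice through ``_double_sddl_check``; the two
    descriptors it hands back (presumably the old and new descriptor printed
    by the second set -- the helper's return is not visible here) must match.
    """
    acl_list = self._double_sddl_check(self.sddl, self.sddl)
    self.assertEqual(acl_list[0], acl_list[1],
                     "setting the same ACE twice should not change the descriptor")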
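def test_casesensitivesddl(self):
    """Check that an ACE differing only in GUID letter case is not added again.

    ``self.sddl_lc`` is set first, then ``self.sddl_uc`` (same ACE, GUIDs in
    upper case); the two descriptors handed back by ``_double_sddl_check``
    (presumably old and new of the second set) must match.
    """
    acl_list = self._double_sddl_check(self.sddl_lc, self.sddl_uc)
    self.assertEqual(acl_list[0], acl_list[1],
                     "an ACE differing only in case should not change the descriptor")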
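def test_sidsddl(self):
    """Check that an ACE naming its trustee by SID is not added again.

    ``self.sddl`` uses the SDDL alias "PS", ``self.sddl_sid`` the literal SID
    S-1-5-10 for the same trustee; the two descriptors handed back by
    ``_double_sddl_check`` (presumably old and new of the second set) must
    match.
    """
    acl_list = self._double_sddl_check(self.sddl, self.sddl_sid)
    self.assertEqual(acl_list[0], acl_list[1],
                     "an ACE given with a literal SID should not change the descriptor")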
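def test_twosddl(self):
    """Check that an existing ACE passed twice in one --sddl value is not added again.

    ``self.sddl`` is set first; the second call passes that same ACE twice in
    a single string (``self.sddl + self.sddl``).  The two descriptors handed
    back by ``_double_sddl_check`` (presumably old and new of the second set)
    must match.
    """
    acl_list = self._double_sddl_check(self.sddl, self.sddl + self.sddl)
    self.assertEqual(acl_list[0], acl_list[1],
                     "an ACE repeated within one --sddl value should not change the descriptor")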
112 def _double_sddl_check(self
,sddl1
,sddl2
):
113 """Adds two sddl strings and checks if there was an ace change after the second adding"""
114 (result
, out
, err
) = self
.runsubcmd("dsacl", "set","--objectdn=%s" % self
.dn
, "--sddl=%s" % sddl1
)
115 self
.assertCmdSuccess(result
, out
, err
)
116 self
.assertEquals(err
, "", "Shouldn't be any error messages")
117 acl_list
= re
.findall('.*descriptor for.*:\n(.*?)\n',out
)
118 self
.assertMatch(acl_list
[1], sddl1
, "new SDDL string should be contained within second sddl output - is not")
120 (result
, out
, err
) = self
.runsubcmd("dsacl", "set","--objectdn=%s" % self
.dn
, "--sddl=%s" % sddl2
)
121 self
.assertCmdSuccess(result
, out
, err
)
122 self
.assertEquals(err
, "", "Shouldn't be any error messages")
123 acl_list
= re
.findall('.*descriptor for.*:\n(.*?)\n',out
)