search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb tests - make use of "ldb.get_domain_sid()"
[Samba.git] / source4 / dsdb / tests / python / sec_descriptor.py
blob17fed0ecc88ee2d4db9fd40ede2d907f44871b46
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3
4 import optparse
5 import sys
6 import os
7 import base64
8 import re
9 import random
10
11 sys.path.append("bin/python")
12 import samba
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
20
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
24
25 from samba import gensec
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
33 import samba.tests
34 from samba.tests import delete_force
35 import unittest
36
37 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
38 sambaopts = options.SambaOptions(parser)
39 parser.add_option_group(sambaopts)
40 parser.add_option_group(options.VersionOptions(parser))
41
42 # use command line creds if available
43 credopts = options.CredentialsOptions(parser)
44 parser.add_option_group(credopts)
45 opts, args = parser.parse_args()
46
47 if len(args) < 1:
48 parser.print_usage()
49 sys.exit(1)
50
51 host = args[0]
52
53 lp = sambaopts.get_loadparm()
54 creds = credopts.get_credentials(lp)
55 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
56
57 #
58 # Tests start here
59 #
60
61 class DescriptorTests(samba.tests.TestCase):
62
63 def get_users_domain_dn(self, name):
64 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
65
66 def modify_desc(self, _ldb, object_dn, desc, controls=None):
67 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
68 mod = """
69 dn: """ + object_dn + """
70 changetype: modify
71 replace: nTSecurityDescriptor
72 """
73 if isinstance(desc, str):
74 mod += "nTSecurityDescriptor: %s" % desc
75 elif isinstance(desc, security.descriptor):
76 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
77 _ldb.modify_ldif(mod, controls)
78
79 def get_unique_schema_class_name(self):
80 while True:
81 class_name = "test-class%s" % random.randint(1,100000)
82 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
83 try:
84 self.ldb_admin.search(base=class_dn, attrs=["*"])
85 except LdbError, (num, _):
86 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
87 return class_name
88
89 def create_schema_class(self, _ldb, object_dn, desc=None):
90 ldif = """
91 dn: """ + object_dn + """
92 objectClass: classSchema
93 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
94 defaultObjectCategory: """ + object_dn + """
95 distinguishedName: """ + object_dn + """
96 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
97 instanceType: 4
98 objectClassCategory: 1
99 subClassOf: organizationalPerson
100 systemFlags: 16
101 rDNAttID: cn
102 systemMustContain: cn
103 systemOnly: FALSE
104 """
105 if desc:
106 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
107 if isinstance(desc, str):
108 ldif += "nTSecurityDescriptor: %s" % desc
109 elif isinstance(desc, security.descriptor):
110 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
111 _ldb.add_ldif(ldif)
112
113 def create_configuration_container(self, _ldb, object_dn, desc=None):
114 ldif = """
115 dn: """ + object_dn + """
116 objectClass: container
117 objectCategory: CN=Container,""" + self.schema_dn + """
118 showInAdvancedViewOnly: TRUE
119 instanceType: 4
120 """
121 if desc:
122 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
123 if isinstance(desc, str):
124 ldif += "nTSecurityDescriptor: %s" % desc
125 elif isinstance(desc, security.descriptor):
126 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
127 _ldb.add_ldif(ldif)
128
129 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
130 ldif = """
131 dn: """ + object_dn + """
132 objectClass: displaySpecifier
133 showInAdvancedViewOnly: TRUE
134 """
135 if desc:
136 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
137 if isinstance(desc, str):
138 ldif += "nTSecurityDescriptor: %s" % desc
139 elif isinstance(desc, security.descriptor):
140 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
141 _ldb.add_ldif(ldif)
142
143 def read_desc(self, object_dn, controls=None):
144 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
145 desc = res[0]["nTSecurityDescriptor"][0]
146 return ndr_unpack(security.descriptor, desc)
147
148 def get_ldb_connection(self, target_username, target_password):
149 creds_tmp = Credentials()
150 creds_tmp.set_username(target_username)
151 creds_tmp.set_password(target_password)
152 creds_tmp.set_domain(creds.get_domain())
153 creds_tmp.set_realm(creds.get_realm())
154 creds_tmp.set_workstation(creds.get_workstation())
155 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
156 | gensec.FEATURE_SEAL)
157 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
158 return ldb_target
159
160 def get_object_sid(self, object_dn):
161 res = self.ldb_admin.search(object_dn)
162 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
163
164 def dacl_add_ace(self, object_dn, ace):
165 desc = self.read_desc( object_dn )
166 desc_sddl = desc.as_sddl( self.domain_sid )
167 if ace in desc_sddl:
168 return
169 if desc_sddl.find("(") >= 0:
170 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
171 else:
172 desc_sddl = desc_sddl + ace
173 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
174
175 def get_desc_sddl(self, object_dn, controls=None):
176 """ Return object nTSecutiryDescriptor in SDDL format
177 """
178 desc = self.read_desc(object_dn, controls)
179 return desc.as_sddl(self.domain_sid)
180
181 def setUp(self):
182 super(DescriptorTests, self).setUp()
183 self.ldb_admin = ldb
184 self.base_dn = ldb.domain_dn()
185 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
186 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
187 self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
188 print "baseDN: %s" % self.base_dn
189
190 ################################################################################################
191
192 ## Tests for DOMAIN
193
194 # Default descriptor tests #####################################################################
195
196 class OwnerGroupDescriptorTests(DescriptorTests):
197
198 def deleteAll(self):
199 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
200 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
201 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
202 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
203 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
204 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
205 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
206 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
207 # DOMAIN
208 delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
209 delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
210 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
211 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
212 # SCHEMA
213 # CONFIGURATION
214 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
215 + self.configuration_dn)
216 delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
217
218 def setUp(self):
219 super(OwnerGroupDescriptorTests, self).setUp()
220 self.deleteAll()
221 ### Create users
222 # User 1 - Enterprise Admins
223 self.ldb_admin.newuser("testuser1", "samba123@")
224 # User 2 - Domain Admins
225 self.ldb_admin.newuser("testuser2", "samba123@")
226 # User 3 - Schema Admins
227 self.ldb_admin.newuser("testuser3", "samba123@")
228 # User 4 - regular user
229 self.ldb_admin.newuser("testuser4", "samba123@")
230 # User 5 - Enterprise Admins and Domain Admins
231 self.ldb_admin.newuser("testuser5", "samba123@")
232 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
233 self.ldb_admin.newuser("testuser6", "samba123@")
234 # User 7 - Domain Admins and Schema Admins
235 self.ldb_admin.newuser("testuser7", "samba123@")
236 # User 5 - Enterprise Admins and Schema Admins
237 self.ldb_admin.newuser("testuser8", "samba123@")
238
239 self.ldb_admin.add_remove_group_members("Enterprise Admins",
240 "testuser1,testuser5,testuser6,testuser8",
241 add_members_operation=True)
242 self.ldb_admin.add_remove_group_members("Domain Admins",
243 "testuser2,testuser5,testuser6,testuser7",
244 add_members_operation=True)
245 self.ldb_admin.add_remove_group_members("Schema Admins",
246 "testuser3,testuser6,testuser7,testuser8",
247 add_members_operation=True)
248
249 self.results = {
250 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
251 "ds_behavior_win2003" : {
252 "100" : "O:EAG:DU",
253 "101" : "O:DAG:DU",
254 "102" : "O:%sG:DU",
255 "103" : "O:%sG:DU",
256 "104" : "O:DAG:DU",
257 "105" : "O:DAG:DU",
258 "106" : "O:DAG:DU",
259 "107" : "O:EAG:DU",
260 "108" : "O:DAG:DA",
261 "109" : "O:DAG:DA",
262 "110" : "O:%sG:DA",
263 "111" : "O:%sG:DA",
264 "112" : "O:DAG:DA",
265 "113" : "O:DAG:DA",
266 "114" : "O:DAG:DA",
267 "115" : "O:DAG:DA",
268 "130" : "O:EAG:DU",
269 "131" : "O:DAG:DU",
270 "132" : "O:SAG:DU",
271 "133" : "O:%sG:DU",
272 "134" : "O:EAG:DU",
273 "135" : "O:SAG:DU",
274 "136" : "O:SAG:DU",
275 "137" : "O:SAG:DU",
276 "138" : "O:DAG:DA",
277 "139" : "O:DAG:DA",
278 "140" : "O:%sG:DA",
279 "141" : "O:%sG:DA",
280 "142" : "O:DAG:DA",
281 "143" : "O:DAG:DA",
282 "144" : "O:DAG:DA",
283 "145" : "O:DAG:DA",
284 "160" : "O:EAG:DU",
285 "161" : "O:DAG:DU",
286 "162" : "O:%sG:DU",
287 "163" : "O:%sG:DU",
288 "164" : "O:EAG:DU",
289 "165" : "O:EAG:DU",
290 "166" : "O:DAG:DU",
291 "167" : "O:EAG:DU",
292 "168" : "O:DAG:DA",
293 "169" : "O:DAG:DA",
294 "170" : "O:%sG:DA",
295 "171" : "O:%sG:DA",
296 "172" : "O:DAG:DA",
297 "173" : "O:DAG:DA",
298 "174" : "O:DAG:DA",
299 "175" : "O:DAG:DA",
300 },
301 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
302 "ds_behavior_win2008" : {
303 "100" : "O:EAG:EA",
304 "101" : "O:DAG:DA",
305 "102" : "O:%sG:DU",
306 "103" : "O:%sG:DU",
307 "104" : "O:DAG:DA",
308 "105" : "O:DAG:DA",
309 "106" : "O:DAG:DA",
310 "107" : "O:EAG:EA",
311 "108" : "O:DAG:DA",
312 "109" : "O:DAG:DA",
313 "110" : "O:%sG:DA",
314 "111" : "O:%sG:DA",
315 "112" : "O:DAG:DA",
316 "113" : "O:DAG:DA",
317 "114" : "O:DAG:DA",
318 "115" : "O:DAG:DA",
319 "130" : "O:EAG:EA",
320 "131" : "O:DAG:DA",
321 "132" : "O:SAG:SA",
322 "133" : "O:%sG:DU",
323 "134" : "O:EAG:EA",
324 "135" : "O:SAG:SA",
325 "136" : "O:SAG:SA",
326 "137" : "O:SAG:SA",
327 "138" : "",
328 "139" : "",
329 "140" : "O:%sG:DA",
330 "141" : "O:%sG:DA",
331 "142" : "",
332 "143" : "",
333 "144" : "",
334 "145" : "",
335 "160" : "O:EAG:EA",
336 "161" : "O:DAG:DA",
337 "162" : "O:%sG:DU",
338 "163" : "O:%sG:DU",
339 "164" : "O:EAG:EA",
340 "165" : "O:EAG:EA",
341 "166" : "O:DAG:DA",
342 "167" : "O:EAG:EA",
343 "168" : "O:DAG:DA",
344 "169" : "O:DAG:DA",
345 "170" : "O:%sG:DA",
346 "171" : "O:%sG:DA",
347 "172" : "O:DAG:DA",
348 "173" : "O:DAG:DA",
349 "174" : "O:DAG:DA",
350 "175" : "O:DAG:DA",
351 },
352 }
353 # Discover 'msDS-Behavior-Version'
354 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
355 attrs=['msDS-Behavior-Version'])
356 res = int(res[0]['msDS-Behavior-Version'][0])
357 if res < DS_DOMAIN_FUNCTION_2008:
358 self.DS_BEHAVIOR = "ds_behavior_win2003"
359 else:
360 self.DS_BEHAVIOR = "ds_behavior_win2008"
361
362 def tearDown(self):
363 super(DescriptorTests, self).tearDown()
364 self.deleteAll()
365
366 def check_user_belongs(self, user_dn, groups=[]):
367 """ Test wether user is member of the expected group(s) """
368 if groups != []:
369 # User is member of at least one additional group
370 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
371 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
372 expected = []
373 for x in groups:
374 expected.append(self.get_users_domain_dn(x))
375 expected = [x.upper() for x in sorted(expected)]
376 self.assertEqual(expected, res)
377 else:
378 # User is not a member of any additional groups but default
379 res = self.ldb_admin.search(user_dn, attrs=["*"])
380 res = [x.upper() for x in res[0].keys()]
381 self.assertFalse( "MEMBEROF" in res)
382
383 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
384 # Modify
385 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
386 if owner_group != "":
387 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
388 else:
389 self.modify_desc(_ldb, object_dn, "D:" + ace)
390 # Make sure the modify operation has been applied
391 desc_sddl = self.get_desc_sddl(object_dn)
392 self.assertTrue(ace in desc_sddl)
393 # Make sure we have identical result for both "add" and "modify"
394 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
395 print self._testMethodName
396 test_number = self._testMethodName[5:]
397 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
398
399 def test_100(self):
400 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
401 """
402 user_name = "testuser1"
403 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
404 # Open Ldb connection with the tested user
405 _ldb = self.get_ldb_connection(user_name, "samba123@")
406 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
407 delete_force(self.ldb_admin, object_dn)
408 _ldb.newgroup("test_domain_group1", grouptype=4)
409 desc_sddl = self.get_desc_sddl(object_dn)
410 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
411 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
412 self.check_modify_inheritance(_ldb, object_dn)
413
414 def test_101(self):
415 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
416 """
417 user_name = "testuser2"
418 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
419 # Open Ldb connection with the tested user
420 _ldb = self.get_ldb_connection(user_name, "samba123@")
421 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
422 delete_force(self.ldb_admin, object_dn)
423 _ldb.newgroup("test_domain_group1", grouptype=4)
424 desc_sddl = self.get_desc_sddl(object_dn)
425 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
426 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
427 self.check_modify_inheritance(_ldb, object_dn)
428
429 def test_102(self):
430 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
431 """
432 user_name = "testuser3"
433 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
434 # Open Ldb connection with the tested user
435 _ldb = self.get_ldb_connection(user_name, "samba123@")
436 object_dn = "OU=test_domain_ou1," + self.base_dn
437 delete_force(self.ldb_admin, object_dn)
438 self.ldb_admin.create_ou(object_dn)
439 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
440 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
441 self.dacl_add_ace(object_dn, mod)
442 # Create additional object into the first one
443 object_dn = "CN=test_domain_user1," + object_dn
444 delete_force(self.ldb_admin, object_dn)
445 _ldb.newuser("test_domain_user1", "samba123@",
446 userou="OU=test_domain_ou1", setpassword=False)
447 desc_sddl = self.get_desc_sddl(object_dn)
448 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
449 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
450 # This fails, research why
451 #self.check_modify_inheritance(_ldb, object_dn)
452
453 def test_103(self):
454 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
455 """
456 user_name = "testuser4"
457 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
458 # Open Ldb connection with the tested user
459 _ldb = self.get_ldb_connection(user_name, "samba123@")
460 object_dn = "OU=test_domain_ou1," + self.base_dn
461 delete_force(self.ldb_admin, object_dn)
462 self.ldb_admin.create_ou(object_dn)
463 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
464 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
465 self.dacl_add_ace(object_dn, mod)
466 # Create additional object into the first one
467 object_dn = "CN=test_domain_user1," + object_dn
468 delete_force(self.ldb_admin, object_dn)
469 _ldb.newuser("test_domain_user1", "samba123@",
470 userou="OU=test_domain_ou1", setpassword=False)
471 desc_sddl = self.get_desc_sddl(object_dn)
472 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
473 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
474 #this fails, research why
475 #self.check_modify_inheritance(_ldb, object_dn)
476
477 def test_104(self):
478 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
479 """
480 user_name = "testuser5"
481 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
482 # Open Ldb connection with the tested user
483 _ldb = self.get_ldb_connection(user_name, "samba123@")
484 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
485 delete_force(self.ldb_admin, object_dn)
486 _ldb.newgroup("test_domain_group1", grouptype=4)
487 desc_sddl = self.get_desc_sddl(object_dn)
488 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
489 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
490 self.check_modify_inheritance(_ldb, object_dn)
491
492 def test_105(self):
493 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
494 """
495 user_name = "testuser6"
496 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
497 # Open Ldb connection with the tested user
498 _ldb = self.get_ldb_connection(user_name, "samba123@")
499 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
500 delete_force(self.ldb_admin, object_dn)
501 _ldb.newgroup("test_domain_group1", grouptype=4)
502 desc_sddl = self.get_desc_sddl(object_dn)
503 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
504 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
505 self.check_modify_inheritance(_ldb, object_dn)
506
507 def test_106(self):
508 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
509 """
510 user_name = "testuser7"
511 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
512 # Open Ldb connection with the tested user
513 _ldb = self.get_ldb_connection(user_name, "samba123@")
514 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
515 delete_force(self.ldb_admin, object_dn)
516 _ldb.newgroup("test_domain_group1", grouptype=4)
517 desc_sddl = self.get_desc_sddl(object_dn)
518 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
519 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
520 self.check_modify_inheritance(_ldb, object_dn)
521
522 def test_107(self):
523 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
524 """
525 user_name = "testuser8"
526 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
527 # Open Ldb connection with the tested user
528 _ldb = self.get_ldb_connection(user_name, "samba123@")
529 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
530 delete_force(self.ldb_admin, object_dn)
531 _ldb.newgroup("test_domain_group1", grouptype=4)
532 desc_sddl = self.get_desc_sddl(object_dn)
533 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
534 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
535 self.check_modify_inheritance(_ldb, object_dn)
536
537 # Control descriptor tests #####################################################################
538
539 def test_108(self):
540 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
541 """
542 user_name = "testuser1"
543 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
544 # Open Ldb connection with the tested user
545 _ldb = self.get_ldb_connection(user_name, "samba123@")
546 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
547 delete_force(self.ldb_admin, object_dn)
548 # Create a custom security descriptor
549 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
550 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
551 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
552 desc_sddl = self.get_desc_sddl(object_dn)
553 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
554 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
555
556 def test_109(self):
557 """ Domain admin group member creates object (custom descriptor) in DOMAIN
558 """
559 user_name = "testuser2"
560 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
561 # Open Ldb connection with the tested user
562 _ldb = self.get_ldb_connection(user_name, "samba123@")
563 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
564 delete_force(self.ldb_admin, object_dn)
565 # Create a custom security descriptor
566 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
567 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
568 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
569 desc_sddl = self.get_desc_sddl(object_dn)
570 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
571 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
572
573 def test_110(self):
574 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
575 """
576 user_name = "testuser3"
577 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
578 # Open Ldb connection with the tested user
579 _ldb = self.get_ldb_connection(user_name, "samba123@")
580 object_dn = "OU=test_domain_ou1," + self.base_dn
581 delete_force(self.ldb_admin, object_dn)
582 self.ldb_admin.create_ou(object_dn)
583 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
584 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
585 self.dacl_add_ace(object_dn, mod)
586 # Create a custom security descriptor
587 # NB! Problematic owner part won't accept DA only <User Sid> !!!
588 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
589 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
590 # Create additional object into the first one
591 object_dn = "CN=test_domain_user1," + object_dn
592 delete_force(self.ldb_admin, object_dn)
593 _ldb.newuser("test_domain_user1", "samba123@",
594 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
595 desc = self.read_desc(object_dn)
596 desc_sddl = self.get_desc_sddl(object_dn)
597 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
598 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
599
600 def test_111(self):
601 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
602 """
603 user_name = "testuser4"
604 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
605 # Open Ldb connection with the tested user
606 _ldb = self.get_ldb_connection(user_name, "samba123@")
607 object_dn = "OU=test_domain_ou1," + self.base_dn
608 delete_force(self.ldb_admin, object_dn)
609 self.ldb_admin.create_ou(object_dn)
610 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
611 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
612 self.dacl_add_ace(object_dn, mod)
613 # Create a custom security descriptor
614 # NB! Problematic owner part won't accept DA only <User Sid> !!!
615 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
616 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
617 # Create additional object into the first one
618 object_dn = "CN=test_domain_user1," + object_dn
619 delete_force(self.ldb_admin, object_dn)
620 _ldb.newuser("test_domain_user1", "samba123@",
621 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
622 desc = self.read_desc(object_dn)
623 desc_sddl = self.get_desc_sddl(object_dn)
624 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
625 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
626
627 def test_112(self):
628 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
629 """
630 user_name = "testuser5"
631 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
632 # Open Ldb connection with the tested user
633 _ldb = self.get_ldb_connection(user_name, "samba123@")
634 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
635 delete_force(self.ldb_admin, object_dn)
636 # Create a custom security descriptor
637 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
638 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
639 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
640 desc_sddl = self.get_desc_sddl(object_dn)
641 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
642 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
643
644 def test_113(self):
645 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
646 """
647 user_name = "testuser6"
648 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
649 # Open Ldb connection with the tested user
650 _ldb = self.get_ldb_connection(user_name, "samba123@")
651 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
652 delete_force(self.ldb_admin, object_dn)
653 # Create a custom security descriptor
654 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
655 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
656 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
657 desc_sddl = self.get_desc_sddl(object_dn)
658 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
659 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
660
661 def test_114(self):
662 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
663 """
664 user_name = "testuser7"
665 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
666 # Open Ldb connection with the tested user
667 _ldb = self.get_ldb_connection(user_name, "samba123@")
668 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
669 delete_force(self.ldb_admin, object_dn)
670 # Create a custom security descriptor
671 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
672 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
673 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
674 desc_sddl = self.get_desc_sddl(object_dn)
675 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
676 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
677
678 def test_115(self):
679 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
680 """
681 user_name = "testuser8"
682 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
683 # Open Ldb connection with the tested user
684 _ldb = self.get_ldb_connection(user_name, "samba123@")
685 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
686 delete_force(self.ldb_admin, object_dn)
687 # Create a custom security descriptor
688 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
689 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
690 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
691 desc_sddl = self.get_desc_sddl(object_dn)
692 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
693 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
694
695 def test_999(self):
696 user_name = "Administrator"
697 object_dn = "OU=test_domain_ou1," + self.base_dn
698 delete_force(self.ldb_admin, object_dn)
699 self.ldb_admin.create_ou(object_dn)
700 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
701 mod = "(D;CI;WP;;;S-1-3-0)"
702 #mod = ""
703 self.dacl_add_ace(object_dn, mod)
704 desc_sddl = self.get_desc_sddl(object_dn)
705 # Create additional object into the first one
706 object_dn = "OU=test_domain_ou2," + object_dn
707 delete_force(self.ldb_admin, object_dn)
708 self.ldb_admin.create_ou(object_dn)
709 desc_sddl = self.get_desc_sddl(object_dn)
710
711 ## Tests for SCHEMA
712
713 # Defalt descriptor tests ##################################################################
714
715 def test_130(self):
716 user_name = "testuser1"
717 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
718 # Open Ldb connection with the tested user
719 _ldb = self.get_ldb_connection(user_name, "samba123@")
720 # Change Schema partition descriptor
721 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
722 mod = "(A;;WDCC;;;AU)"
723 self.dacl_add_ace(self.schema_dn, mod)
724 # Create example Schema class
725 class_name = self.get_unique_schema_class_name()
726 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
727 self.create_schema_class(_ldb, class_dn)
728 desc_sddl = self.get_desc_sddl(class_dn)
729 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
730 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
731 self.check_modify_inheritance(_ldb, class_dn)
732
733 def test_131(self):
734 user_name = "testuser2"
735 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
736 # Open Ldb connection with the tested user
737 _ldb = self.get_ldb_connection(user_name, "samba123@")
738 # Change Schema partition descriptor
739 mod = "(A;CI;WDCC;;;AU)"
740 self.dacl_add_ace(self.schema_dn, mod)
741 # Create example Schema class
742 class_name = self.get_unique_schema_class_name()
743 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
744 self.create_schema_class(_ldb, class_dn)
745 desc_sddl = self.get_desc_sddl(class_dn)
746 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
747 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
748 self.check_modify_inheritance(_ldb, class_dn)
749
750 def test_132(self):
751 user_name = "testuser3"
752 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
753 # Open Ldb connection with the tested user
754 _ldb = self.get_ldb_connection(user_name, "samba123@")
755 # Change Schema partition descriptor
756 mod = "(A;CI;WDCC;;;AU)"
757 self.dacl_add_ace(self.schema_dn, mod)
758 # Create example Schema class
759 class_name = self.get_unique_schema_class_name()
760 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
761 self.create_schema_class(_ldb, class_dn)
762 desc_sddl = self.get_desc_sddl(class_dn)
763 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
764 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
765 #self.check_modify_inheritance(_ldb, class_dn)
766
767 def test_133(self):
768 user_name = "testuser4"
769 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
770 # Open Ldb connection with the tested user
771 _ldb = self.get_ldb_connection(user_name, "samba123@")
772 #Change Schema partition descriptor
773 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
774 mod = "(A;CI;WDCC;;;AU)"
775 self.dacl_add_ace(self.schema_dn, mod)
776 # Create example Schema class
777 class_name = self.get_unique_schema_class_name()
778 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
779 self.create_schema_class(_ldb, class_dn)
780 desc_sddl = self.get_desc_sddl(class_dn)
781 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
782 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
783 #self.check_modify_inheritance(_ldb, class_dn)
784
785 def test_134(self):
786 user_name = "testuser5"
787 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
788 # Open Ldb connection with the tested user
789 _ldb = self.get_ldb_connection(user_name, "samba123@")
790 #Change Schema partition descriptor
791 mod = "(A;CI;WDCC;;;AU)"
792 self.dacl_add_ace(self.schema_dn, mod)
793 # Create example Schema class
794 class_name = self.get_unique_schema_class_name()
795 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
796 self.create_schema_class(_ldb, class_dn)
797 desc_sddl = self.get_desc_sddl(class_dn)
798 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
799 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
800 self.check_modify_inheritance(_ldb, class_dn)
801
802 def test_135(self):
803 user_name = "testuser6"
804 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
805 # Open Ldb connection with the tested user
806 _ldb = self.get_ldb_connection(user_name, "samba123@")
807 # Change Schema partition descriptor
808 mod = "(A;CI;WDCC;;;AU)"
809 self.dacl_add_ace(self.schema_dn, mod)
810 # Create example Schema class
811 class_name = self.get_unique_schema_class_name()
812 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
813 self.create_schema_class(_ldb, class_dn)
814 desc_sddl = self.get_desc_sddl(class_dn)
815 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
816 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
817 self.check_modify_inheritance(_ldb, class_dn)
818
819 def test_136(self):
820 user_name = "testuser7"
821 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
822 # Open Ldb connection with the tested user
823 _ldb = self.get_ldb_connection(user_name, "samba123@")
824 # Change Schema partition descriptor
825 mod = "(A;CI;WDCC;;;AU)"
826 self.dacl_add_ace(self.schema_dn, mod)
827 # Create example Schema class
828 class_name = self.get_unique_schema_class_name()
829 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
830 self.create_schema_class(_ldb, class_dn)
831 desc_sddl = self.get_desc_sddl(class_dn)
832 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
833 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
834 self.check_modify_inheritance(_ldb, class_dn)
835
836 def test_137(self):
837 user_name = "testuser8"
838 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
839 # Open Ldb connection with the tested user
840 _ldb = self.get_ldb_connection(user_name, "samba123@")
841 # Change Schema partition descriptor
842 mod = "(A;CI;WDCC;;;AU)"
843 self.dacl_add_ace(self.schema_dn, mod)
844 # Create example Schema class
845 class_name = self.get_unique_schema_class_name()
846 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
847 self.create_schema_class(_ldb, class_dn)
848 desc_sddl = self.get_desc_sddl(class_dn)
849 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
850 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
851 self.check_modify_inheritance(_ldb, class_dn)
852
853 # Custom descriptor tests ##################################################################
854
855 def test_138(self):
856 user_name = "testuser1"
857 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
858 # Open Ldb connection with the tested user
859 _ldb = self.get_ldb_connection(user_name, "samba123@")
860 # Change Schema partition descriptor
861 mod = "(A;;CC;;;AU)"
862 self.dacl_add_ace(self.schema_dn, mod)
863 # Create a custom security descriptor
864 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
865 # Create example Schema class
866 class_name = self.get_unique_schema_class_name()
867 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
868 self.create_schema_class(_ldb, class_dn, desc_sddl)
869 desc_sddl = self.get_desc_sddl(class_dn)
870 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
871 self.assertEqual("O:DAG:DA", res)
872
873 def test_139(self):
874 user_name = "testuser2"
875 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
876 # Open Ldb connection with the tested user
877 _ldb = self.get_ldb_connection(user_name, "samba123@")
878 # Change Schema partition descriptor
879 mod = "(A;;CC;;;AU)"
880 self.dacl_add_ace(self.schema_dn, mod)
881 # Create a custom security descriptor
882 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
883 # Create example Schema class
884 class_name = self.get_unique_schema_class_name()
885 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
886 self.create_schema_class(_ldb, class_dn, desc_sddl)
887 desc_sddl = self.get_desc_sddl(class_dn)
888 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
889 self.assertEqual("O:DAG:DA", res)
890
891 def test_140(self):
892 user_name = "testuser3"
893 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
894 # Open Ldb connection with the tested user
895 _ldb = self.get_ldb_connection(user_name, "samba123@")
896 # Create a custom security descriptor
897 # NB! Problematic owner part won't accept DA only <User Sid> !!!
898 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
899 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
900 # Create example Schema class
901 class_name = self.get_unique_schema_class_name()
902 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
903 self.create_schema_class(_ldb, class_dn, desc_sddl)
904 desc_sddl = self.get_desc_sddl(class_dn)
905 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
906 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
907
908 def test_141(self):
909 user_name = "testuser4"
910 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
911 # Open Ldb connection with the tested user
912 _ldb = self.get_ldb_connection(user_name, "samba123@")
913 # Create a custom security descriptor
914 # NB! Problematic owner part won't accept DA only <User Sid> !!!
915 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
916 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
917 # Create example Schema class
918 class_name = self.get_unique_schema_class_name()
919 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
920 self.create_schema_class(_ldb, class_dn, desc_sddl)
921 desc_sddl = self.get_desc_sddl(class_dn)
922 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
923 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
924
925 def test_142(self):
926 user_name = "testuser5"
927 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
928 # Open Ldb connection with the tested user
929 _ldb = self.get_ldb_connection(user_name, "samba123@")
930 # Change Schema partition descriptor
931 mod = "(A;;CC;;;AU)"
932 self.dacl_add_ace(self.schema_dn, mod)
933 # Create a custom security descriptor
934 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
935 # Create example Schema class
936 class_name = self.get_unique_schema_class_name()
937 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
938 self.create_schema_class(_ldb, class_dn, desc_sddl)
939 desc_sddl = self.get_desc_sddl(class_dn)
940 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
941 self.assertEqual("O:DAG:DA", res)
942
943 def test_143(self):
944 user_name = "testuser6"
945 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
946 # Open Ldb connection with the tested user
947 _ldb = self.get_ldb_connection(user_name, "samba123@")
948 # Change Schema partition descriptor
949 mod = "(A;;CC;;;AU)"
950 self.dacl_add_ace(self.schema_dn, mod)
951 # Create a custom security descriptor
952 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
953 # Create example Schema class
954 class_name = self.get_unique_schema_class_name()
955 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
956 self.create_schema_class(_ldb, class_dn, desc_sddl)
957 desc_sddl = self.get_desc_sddl(class_dn)
958 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
959 self.assertEqual("O:DAG:DA", res)
960
961 def test_144(self):
962 user_name = "testuser7"
963 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
964 # Open Ldb connection with the tested user
965 _ldb = self.get_ldb_connection(user_name, "samba123@")
966 # Change Schema partition descriptor
967 mod = "(A;;CC;;;AU)"
968 self.dacl_add_ace(self.schema_dn, mod)
969 # Create a custom security descriptor
970 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
971 # Create example Schema class
972 class_name = self.get_unique_schema_class_name()
973 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
974 self.create_schema_class(_ldb, class_dn, desc_sddl)
975 desc_sddl = self.get_desc_sddl(class_dn)
976 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
977 self.assertEqual("O:DAG:DA", res)
978
979 def test_145(self):
980 user_name = "testuser8"
981 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
982 # Open Ldb connection with the tested user
983 _ldb = self.get_ldb_connection(user_name, "samba123@")
984 # Change Schema partition descriptor
985 mod = "(A;;CC;;;AU)"
986 self.dacl_add_ace(self.schema_dn, mod)
987 # Create a custom security descriptor
988 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
989 # Create example Schema class
990 class_name = self.get_unique_schema_class_name()
991 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
992 self.create_schema_class(_ldb, class_dn, desc_sddl)
993 desc_sddl = self.get_desc_sddl(class_dn)
994 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
995 self.assertEqual("O:DAG:DA", res)
996
997 ## Tests for CONFIGURATION
998
999 # Defalt descriptor tests ##################################################################
1000
1001 def test_160(self):
1002 user_name = "testuser1"
1003 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1004 # Open Ldb connection with the tested user
1005 _ldb = self.get_ldb_connection(user_name, "samba123@")
1006 # Create example Configuration container
1007 container_name = "test-container1"
1008 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1009 delete_force(self.ldb_admin, object_dn)
1010 self.create_configuration_container(_ldb, object_dn, )
1011 desc_sddl = self.get_desc_sddl(object_dn)
1012 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1013 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1014 self.check_modify_inheritance(_ldb, object_dn)
1015
1016 def test_161(self):
1017 user_name = "testuser2"
1018 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1019 # Open Ldb connection with the tested user
1020 _ldb = self.get_ldb_connection(user_name, "samba123@")
1021 # Create example Configuration container
1022 container_name = "test-container1"
1023 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1024 delete_force(self.ldb_admin, object_dn)
1025 self.create_configuration_container(_ldb, object_dn, )
1026 desc_sddl = self.get_desc_sddl(object_dn)
1027 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1028 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1029 self.check_modify_inheritance(_ldb, object_dn)
1030
1031 def test_162(self):
1032 user_name = "testuser3"
1033 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1034 # Open Ldb connection with the tested user
1035 _ldb = self.get_ldb_connection(user_name, "samba123@")
1036 # Create example Configuration container
1037 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1038 delete_force(self.ldb_admin, object_dn)
1039 self.create_configuration_container(self.ldb_admin, object_dn, )
1040 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1041 mod = "(A;;WDCC;;;AU)"
1042 self.dacl_add_ace(object_dn, mod)
1043 # Create child object with user's credentials
1044 object_dn = "CN=test-specifier1," + object_dn
1045 delete_force(self.ldb_admin, object_dn)
1046 self.create_configuration_specifier(_ldb, object_dn)
1047 desc_sddl = self.get_desc_sddl(object_dn)
1048 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1049 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1050 #self.check_modify_inheritance(_ldb, object_dn)
1051
1052 def test_163(self):
1053 user_name = "testuser4"
1054 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1055 # Open Ldb connection with the tested user
1056 _ldb = self.get_ldb_connection(user_name, "samba123@")
1057 # Create example Configuration container
1058 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1059 delete_force(self.ldb_admin, object_dn)
1060 self.create_configuration_container(self.ldb_admin, object_dn, )
1061 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1062 mod = "(A;CI;WDCC;;;AU)"
1063 self.dacl_add_ace(object_dn, mod)
1064 # Create child object with user's credentials
1065 object_dn = "CN=test-specifier1," + object_dn
1066 delete_force(self.ldb_admin, object_dn)
1067 self.create_configuration_specifier(_ldb, object_dn)
1068 desc_sddl = self.get_desc_sddl(object_dn)
1069 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1070 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1071 #self.check_modify_inheritance(_ldb, object_dn)
1072
1073 def test_164(self):
1074 user_name = "testuser5"
1075 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1076 # Open Ldb connection with the tested user
1077 _ldb = self.get_ldb_connection(user_name, "samba123@")
1078 # Create example Configuration container
1079 container_name = "test-container1"
1080 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1081 delete_force(self.ldb_admin, object_dn)
1082 self.create_configuration_container(_ldb, object_dn, )
1083 desc_sddl = self.get_desc_sddl(object_dn)
1084 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1085 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1086 self.check_modify_inheritance(_ldb, object_dn)
1087
1088 def test_165(self):
1089 user_name = "testuser6"
1090 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1091 # Open Ldb connection with the tested user
1092 _ldb = self.get_ldb_connection(user_name, "samba123@")
1093 # Create example Configuration container
1094 container_name = "test-container1"
1095 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1096 delete_force(self.ldb_admin, object_dn)
1097 self.create_configuration_container(_ldb, object_dn, )
1098 desc_sddl = self.get_desc_sddl(object_dn)
1099 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1100 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1101 self.check_modify_inheritance(_ldb, object_dn)
1102
1103 def test_166(self):
1104 user_name = "testuser7"
1105 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1106 # Open Ldb connection with the tested user
1107 _ldb = self.get_ldb_connection(user_name, "samba123@")
1108 # Create example Configuration container
1109 container_name = "test-container1"
1110 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1111 delete_force(self.ldb_admin, object_dn)
1112 self.create_configuration_container(_ldb, object_dn, )
1113 desc_sddl = self.get_desc_sddl(object_dn)
1114 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1115 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1116 self.check_modify_inheritance(_ldb, object_dn)
1117
1118 def test_167(self):
1119 user_name = "testuser8"
1120 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1121 # Open Ldb connection with the tested user
1122 _ldb = self.get_ldb_connection(user_name, "samba123@")
1123 # Create example Configuration container
1124 container_name = "test-container1"
1125 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1126 delete_force(self.ldb_admin, object_dn)
1127 self.create_configuration_container(_ldb, object_dn, )
1128 desc_sddl = self.get_desc_sddl(object_dn)
1129 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1130 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1131 self.check_modify_inheritance(_ldb, object_dn)
1132
1133 # Custom descriptor tests ##################################################################
1134
1135 def test_168(self):
1136 user_name = "testuser1"
1137 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1138 # Open Ldb connection with the tested user
1139 _ldb = self.get_ldb_connection(user_name, "samba123@")
1140 # Create example Configuration container
1141 container_name = "test-container1"
1142 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1143 delete_force(self.ldb_admin, object_dn)
1144 # Create a custom security descriptor
1145 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1146 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1147 desc_sddl = self.get_desc_sddl(object_dn)
1148 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1149 self.assertEqual("O:DAG:DA", res)
1150
1151 def test_169(self):
1152 user_name = "testuser2"
1153 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1154 # Open Ldb connection with the tested user
1155 _ldb = self.get_ldb_connection(user_name, "samba123@")
1156 # Create example Configuration container
1157 container_name = "test-container1"
1158 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1159 delete_force(self.ldb_admin, object_dn)
1160 # Create a custom security descriptor
1161 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1162 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1163 desc_sddl = self.get_desc_sddl(object_dn)
1164 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1165 self.assertEqual("O:DAG:DA", res)
1166
1167 def test_170(self):
1168 user_name = "testuser3"
1169 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1170 # Open Ldb connection with the tested user
1171 _ldb = self.get_ldb_connection(user_name, "samba123@")
1172 # Create example Configuration container
1173 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1174 delete_force(self.ldb_admin, object_dn)
1175 self.create_configuration_container(self.ldb_admin, object_dn, )
1176 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1177 mod = "(A;;CC;;;AU)"
1178 self.dacl_add_ace(object_dn, mod)
1179 # Create child object with user's credentials
1180 object_dn = "CN=test-specifier1," + object_dn
1181 delete_force(self.ldb_admin, object_dn)
1182 # Create a custom security descriptor
1183 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1184 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1185 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1186 desc_sddl = self.get_desc_sddl(object_dn)
1187 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1188 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1189
1190 def test_171(self):
1191 user_name = "testuser4"
1192 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1193 # Open Ldb connection with the tested user
1194 _ldb = self.get_ldb_connection(user_name, "samba123@")
1195 # Create example Configuration container
1196 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1197 delete_force(self.ldb_admin, object_dn)
1198 self.create_configuration_container(self.ldb_admin, object_dn, )
1199 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1200 mod = "(A;;CC;;;AU)"
1201 self.dacl_add_ace(object_dn, mod)
1202 # Create child object with user's credentials
1203 object_dn = "CN=test-specifier1," + object_dn
1204 delete_force(self.ldb_admin, object_dn)
1205 # Create a custom security descriptor
1206 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1207 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1208 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1209 desc_sddl = self.get_desc_sddl(object_dn)
1210 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1211 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1212
1213 def test_172(self):
1214 user_name = "testuser5"
1215 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1216 # Open Ldb connection with the tested user
1217 _ldb = self.get_ldb_connection(user_name, "samba123@")
1218 # Create example Configuration container
1219 container_name = "test-container1"
1220 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1221 delete_force(self.ldb_admin, object_dn)
1222 # Create a custom security descriptor
1223 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1224 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1225 desc_sddl = self.get_desc_sddl(object_dn)
1226 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1227 self.assertEqual("O:DAG:DA", res)
1228
1229 def test_173(self):
1230 user_name = "testuser6"
1231 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1232 # Open Ldb connection with the tested user
1233 _ldb = self.get_ldb_connection(user_name, "samba123@")
1234 # Create example Configuration container
1235 container_name = "test-container1"
1236 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1237 delete_force(self.ldb_admin, object_dn)
1238 # Create a custom security descriptor
1239 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1240 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1241 desc_sddl = self.get_desc_sddl(object_dn)
1242 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1243 self.assertEqual("O:DAG:DA", res)
1244
1245 def test_174(self):
1246 user_name = "testuser7"
1247 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1248 # Open Ldb connection with the tested user
1249 _ldb = self.get_ldb_connection(user_name, "samba123@")
1250 # Create example Configuration container
1251 container_name = "test-container1"
1252 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1253 delete_force(self.ldb_admin, object_dn)
1254 # Create a custom security descriptor
1255 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1256 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1257 desc_sddl = self.get_desc_sddl(object_dn)
1258 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1259 self.assertEqual("O:DAG:DA", res)
1260
1261 def test_175(self):
1262 user_name = "testuser8"
1263 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1264 # Open Ldb connection with the tested user
1265 _ldb = self.get_ldb_connection(user_name, "samba123@")
1266 # Create example Configuration container
1267 container_name = "test-container1"
1268 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1269 delete_force(self.ldb_admin, object_dn)
1270 # Create a custom security descriptor
1271 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1272 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1273 desc_sddl = self.get_desc_sddl(object_dn)
1274 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1275 self.assertEqual("O:DAG:DA", res)
1276
1277 ########################################################################################
1278 # Inharitance tests for DACL
1279
1280 class DaclDescriptorTests(DescriptorTests):
1281
1282 def deleteAll(self):
1283 delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1284 delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1285
1286 def setUp(self):
1287 super(DaclDescriptorTests, self).setUp()
1288 self.deleteAll()
1289
1290 def create_clean_ou(self, object_dn):
1291 """ Base repeating setup for unittests to follow """
1292 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1293 expression="distinguishedName=%s" % object_dn)
1294 # Make sure top testing OU has been deleted before starting the test
1295 self.assertEqual(res, [])
1296 self.ldb_admin.create_ou(object_dn)
1297 desc_sddl = self.get_desc_sddl(object_dn)
1298 # Make sure there are inheritable ACEs initially
1299 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1300 # Find and remove all inherit ACEs
1301 res = re.findall("\(.*?\)", desc_sddl)
1302 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1303 for x in res:
1304 desc_sddl = desc_sddl.replace(x, "")
1305 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1306 # can propagate from above
1307 # remove SACL, we are not interested
1308 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1309 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1310 # Verify all inheritable ACEs are gone
1311 desc_sddl = self.get_desc_sddl(object_dn)
1312 self.assertFalse("CI" in desc_sddl)
1313 self.assertFalse("OI" in desc_sddl)
1314
1315 def test_200(self):
1316 """ OU with protected flag and child group. See if the group has inherit ACEs.
1317 """
1318 ou_dn = "OU=test_inherit_ou," + self.base_dn
1319 group_dn = "CN=test_inherit_group," + ou_dn
1320 # Create inheritable-free OU
1321 self.create_clean_ou(ou_dn)
1322 # Create group child object
1323 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1324 # Make sure created group object contains NO inherit ACEs
1325 desc_sddl = self.get_desc_sddl(group_dn)
1326 self.assertFalse("ID" in desc_sddl)
1327
1328 def test_201(self):
1329 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1330 Verify group has custom and default ACEs only.
1331 """
1332 ou_dn = "OU=test_inherit_ou," + self.base_dn
1333 group_dn = "CN=test_inherit_group," + ou_dn
1334 # Create inheritable-free OU
1335 self.create_clean_ou(ou_dn)
1336 # Create group child object using custom security descriptor
1337 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1338 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1339 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1340 # Make sure created group descriptor has NO additional ACEs
1341 desc_sddl = self.get_desc_sddl(group_dn)
1342 self.assertEqual(desc_sddl, sddl)
1343 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1344 self.modify_desc(self.ldb_admin, group_dn, sddl)
1345 desc_sddl = self.get_desc_sddl(group_dn)
1346 self.assertEqual(desc_sddl, sddl)
1347
1348 def test_202(self):
1349 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1350 See if the group has any of the added ACEs.
1351 """
1352 ou_dn = "OU=test_inherit_ou," + self.base_dn
1353 group_dn = "CN=test_inherit_group," + ou_dn
1354 # Create inheritable-free OU
1355 self.create_clean_ou(ou_dn)
1356 # Add some custom non-inheritable ACEs
1357 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1358 moded = "(D;;CC;;;LG)"
1359 self.dacl_add_ace(ou_dn, mod)
1360 # Verify all inheritable ACEs are gone
1361 desc_sddl = self.get_desc_sddl(ou_dn)
1362 # Create group child object
1363 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1364 # Make sure created group object contains NO inherit ACEs
1365 # also make sure the added above non-inheritable ACEs are absent too
1366 desc_sddl = self.get_desc_sddl(group_dn)
1367 self.assertFalse("ID" in desc_sddl)
1368 for x in re.findall("\(.*?\)", mod):
1369 self.assertFalse(x in desc_sddl)
1370 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1371 desc_sddl = self.get_desc_sddl(group_dn)
1372 self.assertFalse("ID" in desc_sddl)
1373 for x in re.findall("\(.*?\)", mod):
1374 self.assertFalse(x in desc_sddl)
1375
1376 def test_203(self):
1377 """ OU with protected flag and add 'CI' ACE, child group.
1378 See if the group has the added inherited ACE.
1379 """
1380 ou_dn = "OU=test_inherit_ou," + self.base_dn
1381 group_dn = "CN=test_inherit_group," + ou_dn
1382 # Create inheritable-free OU
1383 self.create_clean_ou(ou_dn)
1384 # Add some custom 'CI' ACE
1385 mod = "(D;CI;WP;;;DU)"
1386 moded = "(D;;CC;;;LG)"
1387 self.dacl_add_ace(ou_dn, mod)
1388 desc_sddl = self.get_desc_sddl(ou_dn)
1389 # Create group child object
1390 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1391 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1392 # Make sure created group object contains only the above inherited ACE
1393 # that we've added manually
1394 desc_sddl = self.get_desc_sddl(group_dn)
1395 mod = mod.replace(";CI;", ";CIID;")
1396 self.assertTrue(mod in desc_sddl)
1397 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1398 desc_sddl = self.get_desc_sddl(group_dn)
1399 self.assertTrue(moded in desc_sddl)
1400 self.assertTrue(mod in desc_sddl)
1401
1402 def test_204(self):
1403 """ OU with protected flag and add 'OI' ACE, child group.
1404 See if the group has the added inherited ACE.
1405 """
1406 ou_dn = "OU=test_inherit_ou," + self.base_dn
1407 group_dn = "CN=test_inherit_group," + ou_dn
1408 # Create inheritable-free OU
1409 self.create_clean_ou(ou_dn)
1410 # Add some custom 'CI' ACE
1411 mod = "(D;OI;WP;;;DU)"
1412 moded = "(D;;CC;;;LG)"
1413 self.dacl_add_ace(ou_dn, mod)
1414 desc_sddl = self.get_desc_sddl(ou_dn)
1415 # Create group child object
1416 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1417 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1418 # Make sure created group object contains only the above inherited ACE
1419 # that we've added manually
1420 desc_sddl = self.get_desc_sddl(group_dn)
1421 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1422 self.assertTrue(mod in desc_sddl)
1423 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1424 desc_sddl = self.get_desc_sddl(group_dn)
1425 self.assertTrue(moded in desc_sddl)
1426 self.assertTrue(mod in desc_sddl)
1427
1428 def test_205(self):
1429 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1430 See if the group has the added inherited ACE.
1431 """
1432 ou_dn = "OU=test_inherit_ou," + self.base_dn
1433 group_dn = "CN=test_inherit_group," + ou_dn
1434 # Create inheritable-free OU
1435 self.create_clean_ou(ou_dn)
1436 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1437 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1438 moded = "(D;;CC;;;LG)"
1439 self.dacl_add_ace(ou_dn, mod)
1440 desc_sddl = self.get_desc_sddl(ou_dn)
1441 # Create group child object
1442 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1443 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1444 # Make sure created group object contains only the above inherited ACE
1445 # that we've added manually
1446 desc_sddl = self.get_desc_sddl(group_dn)
1447 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1448 self.assertTrue(mod in desc_sddl)
1449 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1450 desc_sddl = self.get_desc_sddl(group_dn)
1451 self.assertTrue(moded in desc_sddl)
1452 self.assertTrue(mod in desc_sddl)
1453
1454 def test_206(self):
1455 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1456 See if the group has the added inherited ACE.
1457 """
1458 ou_dn = "OU=test_inherit_ou," + self.base_dn
1459 group_dn = "CN=test_inherit_group," + ou_dn
1460 # Create inheritable-free OU
1461 self.create_clean_ou(ou_dn)
1462 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1463 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1464 moded = "(D;;CC;;;LG)"
1465 self.dacl_add_ace(ou_dn, mod)
1466 desc_sddl = self.get_desc_sddl(ou_dn)
1467 # Create group child object
1468 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1469 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1470 # Make sure created group object contains only the above inherited ACE
1471 # that we've added manually
1472 desc_sddl = self.get_desc_sddl(group_dn)
1473 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1474 self.assertTrue(mod in desc_sddl)
1475 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1476 desc_sddl = self.get_desc_sddl(group_dn)
1477 self.assertTrue(moded in desc_sddl)
1478 self.assertTrue(mod in desc_sddl)
1479
1480 def test_207(self):
1481 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1482 See if the group has the added inherited ACE.
1483 """
1484 ou_dn = "OU=test_inherit_ou," + self.base_dn
1485 group_dn = "CN=test_inherit_group," + ou_dn
1486 # Create inheritable-free OU
1487 self.create_clean_ou(ou_dn)
1488 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1489 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1490 moded = "(D;;CC;;;LG)"
1491 self.dacl_add_ace(ou_dn, mod)
1492 desc_sddl = self.get_desc_sddl(ou_dn)
1493 # Create group child object
1494 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1495 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1496 # Make sure created group object contains only the above inherited ACE
1497 # that we've added manually
1498 desc_sddl = self.get_desc_sddl(group_dn)
1499 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1500 self.assertTrue(mod in desc_sddl)
1501 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1502 desc_sddl = self.get_desc_sddl(group_dn)
1503 self.assertTrue(moded in desc_sddl)
1504 self.assertTrue(mod in desc_sddl)
1505
1506 def test_208(self):
1507 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1508 See if the group has the added inherited ACE.
1509 """
1510 ou_dn = "OU=test_inherit_ou," + self.base_dn
1511 group_dn = "CN=test_inherit_group," + ou_dn
1512 # Create inheritable-free OU
1513 self.create_clean_ou(ou_dn)
1514 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1515 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1516 moded = "(D;;CC;;;LG)"
1517 self.dacl_add_ace(ou_dn, mod)
1518 desc_sddl = self.get_desc_sddl(ou_dn)
1519 # Create group child object
1520 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1521 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1522 # Make sure created group object contains only the above inherited ACE
1523 # that we've added manually
1524 desc_sddl = self.get_desc_sddl(group_dn)
1525 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1526 self.assertTrue(mod in desc_sddl)
1527 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1528 desc_sddl = self.get_desc_sddl(group_dn)
1529 self.assertTrue(moded in desc_sddl)
1530 self.assertTrue(mod in desc_sddl)
1531
1532 def test_209(self):
1533 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1534 See if the group has the added inherited ACE.
1535 """
1536 ou_dn = "OU=test_inherit_ou," + self.base_dn
1537 group_dn = "CN=test_inherit_group," + ou_dn
1538 # Create inheritable-free OU
1539 self.create_clean_ou(ou_dn)
1540 # Add some custom 'CI' ACE
1541 mod = "(D;CI;WP;;;CO)"
1542 moded = "(D;;CC;;;LG)"
1543 self.dacl_add_ace(ou_dn, mod)
1544 desc_sddl = self.get_desc_sddl(ou_dn)
1545 # Create group child object
1546 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1547 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1548 # Make sure created group object contains only the above inherited ACE(s)
1549 # that we've added manually
1550 desc_sddl = self.get_desc_sddl(group_dn)
1551 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1552 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1553 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1554 desc_sddl = self.get_desc_sddl(group_dn)
1555 self.assertTrue(moded in desc_sddl)
1556 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1557 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1558
1559 def test_210(self):
1560 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1561 """
1562 ou_dn = "OU=test_inherit_ou," + self.base_dn
1563 group_dn = "CN=test_inherit_group," + ou_dn
1564 self.create_clean_ou(ou_dn)
1565 # Add some custom ACE
1566 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1567 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1568 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1569 # Make sure created group object does not contain the ID ace
1570 desc_sddl = self.get_desc_sddl(group_dn)
1571 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1572
1573 def test_211(self):
1574 """ Provide ACE with CO SID, should be expanded and replaced
1575 """
1576 ou_dn = "OU=test_inherit_ou," + self.base_dn
1577 group_dn = "CN=test_inherit_group," + ou_dn
1578 # Create inheritable-free OU
1579 self.create_clean_ou(ou_dn)
1580 # Add some custom 'CI' ACE
1581 mod = "D:(D;CI;WP;;;CO)"
1582 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1583 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1584 desc_sddl = self.get_desc_sddl(group_dn)
1585 self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
1586
1587 def test_212(self):
1588 """ Provide ACE with IO flag, should be ignored
1589 """
1590 ou_dn = "OU=test_inherit_ou," + self.base_dn
1591 group_dn = "CN=test_inherit_group," + ou_dn
1592 # Create inheritable-free OU
1593 self.create_clean_ou(ou_dn)
1594 # Add some custom 'CI' ACE
1595 mod = "D:(D;CIIO;WP;;;CO)"
1596 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1597 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1598 # Make sure created group object contains only the above inherited ACE(s)
1599 # that we've added manually
1600 desc_sddl = self.get_desc_sddl(group_dn)
1601 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1602 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1603 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1604
1605 def test_213(self):
1606 """ Provide ACE with IO flag, should be ignored
1607 """
1608 ou_dn = "OU=test_inherit_ou," + self.base_dn
1609 group_dn = "CN=test_inherit_group," + ou_dn
1610 # Create inheritable-free OU
1611 self.create_clean_ou(ou_dn)
1612 mod = "D:(D;IO;WP;;;DA)"
1613 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1614 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1615 # Make sure created group object contains only the above inherited ACE(s)
1616 # that we've added manually
1617 desc_sddl = self.get_desc_sddl(group_dn)
1618 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1619
1620 ########################################################################################
1621
1622
1623 class SdFlagsDescriptorTests(DescriptorTests):
1624 def deleteAll(self):
1625 delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1626
1627 def setUp(self):
1628 super(SdFlagsDescriptorTests, self).setUp()
1629 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1630 self.deleteAll()
1631
1632 def test_301(self):
1633 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1634 See that only the owner has been changed.
1635 """
1636 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1637 self.ldb_admin.create_ou(ou_dn)
1638 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1639 desc_sddl = self.get_desc_sddl(ou_dn)
1640 # make sure we have modified the owner
1641 self.assertTrue("O:AU" in desc_sddl)
1642 # make sure nothing else has been modified
1643 self.assertFalse("G:AU" in desc_sddl)
1644 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1645 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1646
1647 def test_302(self):
1648 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1649 See that only the owner has been changed.
1650 """
1651 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1652 self.ldb_admin.create_ou(ou_dn)
1653 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1654 desc_sddl = self.get_desc_sddl(ou_dn)
1655 # make sure we have modified the group
1656 self.assertTrue("G:AU" in desc_sddl)
1657 # make sure nothing else has been modified
1658 self.assertFalse("O:AU" in desc_sddl)
1659 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1660 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1661
1662 def test_303(self):
1663 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1664 See that only the owner has been changed.
1665 """
1666 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1667 self.ldb_admin.create_ou(ou_dn)
1668 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1669 desc_sddl = self.get_desc_sddl(ou_dn)
1670 # make sure we have modified the DACL
1671 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1672 # make sure nothing else has been modified
1673 self.assertFalse("O:AU" in desc_sddl)
1674 self.assertFalse("G:AU" in desc_sddl)
1675 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1676
1677 def test_304(self):
1678 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1679 See that only the owner has been changed.
1680 """
1681 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1682 self.ldb_admin.create_ou(ou_dn)
1683 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1684 desc_sddl = self.get_desc_sddl(ou_dn)
1685 # make sure we have modified the DACL
1686 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1687 # make sure nothing else has been modified
1688 self.assertFalse("O:AU" in desc_sddl)
1689 self.assertFalse("G:AU" in desc_sddl)
1690 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1691
1692 def test_305(self):
1693 """ Modify a descriptor with 0x0 set.
1694 Contrary to logic this is interpreted as no control,
1695 which is the same as 0xF
1696 """
1697 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1698 self.ldb_admin.create_ou(ou_dn)
1699 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1700 desc_sddl = self.get_desc_sddl(ou_dn)
1701 # make sure we have modified the DACL
1702 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1703 # make sure nothing else has been modified
1704 self.assertTrue("O:AU" in desc_sddl)
1705 self.assertTrue("G:AU" in desc_sddl)
1706 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1707
1708 def test_306(self):
1709 """ Modify a descriptor with 0xF set.
1710 """
1711 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1712 self.ldb_admin.create_ou(ou_dn)
1713 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1714 desc_sddl = self.get_desc_sddl(ou_dn)
1715 # make sure we have modified the DACL
1716 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1717 # make sure nothing else has been modified
1718 self.assertTrue("O:AU" in desc_sddl)
1719 self.assertTrue("G:AU" in desc_sddl)
1720 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1721
1722 def test_307(self):
1723 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1724 Only the owner part should be returned.
1725 """
1726 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1727 self.ldb_admin.create_ou(ou_dn)
1728 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1729 # make sure we have read the owner
1730 self.assertTrue("O:" in desc_sddl)
1731 # make sure we have read nothing else
1732 self.assertFalse("G:" in desc_sddl)
1733 self.assertFalse("D:" in desc_sddl)
1734 self.assertFalse("S:" in desc_sddl)
1735
1736 def test_308(self):
1737 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1738 Only the group part should be returned.
1739 """
1740 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1741 self.ldb_admin.create_ou(ou_dn)
1742 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1743 # make sure we have read the owner
1744 self.assertTrue("G:" in desc_sddl)
1745 # make sure we have read nothing else
1746 self.assertFalse("O:" in desc_sddl)
1747 self.assertFalse("D:" in desc_sddl)
1748 self.assertFalse("S:" in desc_sddl)
1749
1750 def test_309(self):
1751 """ Read a descriptor with SACL_SECURITY_INFORMATION
1752 Only the sacl part should be returned.
1753 """
1754 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1755 self.ldb_admin.create_ou(ou_dn)
1756 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1757 # make sure we have read the owner
1758 self.assertTrue("S:" in desc_sddl)
1759 # make sure we have read nothing else
1760 self.assertFalse("O:" in desc_sddl)
1761 self.assertFalse("D:" in desc_sddl)
1762 self.assertFalse("G:" in desc_sddl)
1763
1764 def test_310(self):
1765 """ Read a descriptor with DACL_SECURITY_INFORMATION
1766 Only the dacl part should be returned.
1767 """
1768 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1769 self.ldb_admin.create_ou(ou_dn)
1770 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1771 # make sure we have read the owner
1772 self.assertTrue("D:" in desc_sddl)
1773 # make sure we have read nothing else
1774 self.assertFalse("O:" in desc_sddl)
1775 self.assertFalse("S:" in desc_sddl)
1776 self.assertFalse("G:" in desc_sddl)
1777
1778
1779 class RightsAttributesTests(DescriptorTests):
1780
1781 def deleteAll(self):
1782 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1783 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1784 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1785
1786 def setUp(self):
1787 super(RightsAttributesTests, self).setUp()
1788 self.deleteAll()
1789 ### Create users
1790 # User 1
1791 self.ldb_admin.newuser("testuser_attr", "samba123@")
1792 # User 2, Domain Admins
1793 self.ldb_admin.newuser("testuser_attr2", "samba123@")
1794 self.ldb_admin.add_remove_group_members("Domain Admins",
1795 "testuser_attr2",
1796 add_members_operation=True)
1797
1798 def test_sDRightsEffective(self):
1799 object_dn = "OU=test_domain_ou1," + self.base_dn
1800 delete_force(self.ldb_admin, object_dn)
1801 self.ldb_admin.create_ou(object_dn)
1802 print self.get_users_domain_dn("testuser_attr")
1803 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1804 #give testuser1 read access so attributes can be retrieved
1805 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1806 self.dacl_add_ace(object_dn, mod)
1807 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1808 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1809 attrs=["sDRightsEffective"])
1810 #user whould have no rights at all
1811 self.assertEquals(len(res), 1)
1812 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1813 #give the user Write DACL and see what happens
1814 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1815 self.dacl_add_ace(object_dn, mod)
1816 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1817 attrs=["sDRightsEffective"])
1818 #user whould have DACL_SECURITY_INFORMATION
1819 self.assertEquals(len(res), 1)
1820 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1821 #give the user Write Owners and see what happens
1822 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1823 self.dacl_add_ace(object_dn, mod)
1824 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1825 attrs=["sDRightsEffective"])
1826 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1827 self.assertEquals(len(res), 1)
1828 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1829 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1830 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1831 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1832 attrs=["sDRightsEffective"])
1833 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1834 self.assertEquals(len(res), 1)
1835 self.assertEquals(res[0]["sDRightsEffective"][0], \
1836 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1837
1838 def test_allowedChildClassesEffective(self):
1839 object_dn = "OU=test_domain_ou1," + self.base_dn
1840 delete_force(self.ldb_admin, object_dn)
1841 self.ldb_admin.create_ou(object_dn)
1842 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1843 #give testuser1 read access so attributes can be retrieved
1844 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1845 self.dacl_add_ace(object_dn, mod)
1846 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1847 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1848 attrs=["allowedChildClassesEffective"])
1849 #there should be no allowed child classes
1850 self.assertEquals(len(res), 1)
1851 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1852 #give the user the right to create children of type user
1853 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1854 self.dacl_add_ace(object_dn, mod)
1855 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1856 attrs=["allowedChildClassesEffective"])
1857 # allowedChildClassesEffective should only have one value, user
1858 self.assertEquals(len(res), 1)
1859 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1860 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1861
1862 def test_allowedAttributesEffective(self):
1863 object_dn = "OU=test_domain_ou1," + self.base_dn
1864 delete_force(self.ldb_admin, object_dn)
1865 self.ldb_admin.create_ou(object_dn)
1866 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1867 #give testuser1 read access so attributes can be retrieved
1868 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1869 self.dacl_add_ace(object_dn, mod)
1870 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1871 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1872 attrs=["allowedAttributesEffective"])
1873 #there should be no allowed attributes
1874 self.assertEquals(len(res), 1)
1875 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1876 #give the user the right to write displayName and managedBy
1877 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1878 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1879 # also rights to modify an read only attribute, fromEntry
1880 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1881 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1882 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1883 attrs=["allowedAttributesEffective"])
1884 # value should only contain user and managedBy
1885 self.assertEquals(len(res), 1)
1886 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1887 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1888 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1889
1890 if not "://" in host:
1891 if os.path.isfile(host):
1892 host = "tdb://%s" % host
1893 else:
1894 host = "ldap://%s" % host
1895
1896 # use 'paged_search' module when connecting remotely
1897 if host.lower().startswith("ldap://"):
1898 ldb_options = ["modules:paged_searches"]
1899
1900 ldb = SamDB(host,
1901 credentials=creds,
1902 session_info=system_session(),
1903 lp=lp,
1904 options=ldb_options)
1905
1906 runner = SubunitTestRunner()
1907 rc = 0
1908 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1909 rc = 1
1910 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1911 rc = 1
1912 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1913 rc = 1
1914 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
1915 rc = 1
1916 sys.exit(rc)
Samba GIT mirror