2 # -*- coding: utf-8 -*-
11 sys
.path
.append("bin/python")
13 samba
.ensure_external_module("testtools", "testtools")
14 samba
.ensure_external_module("subunit", "subunit/python")
16 import samba
.getopt
as options
18 # Some error messages that are being tested
19 from ldb
import SCOPE_SUBTREE
, SCOPE_BASE
, LdbError
, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba
.ndr
import ndr_pack
, ndr_unpack
23 from samba
.dcerpc
import security
25 from samba
import gensec
26 from samba
.samdb
import SamDB
27 from samba
.credentials
import Credentials
28 from samba
.auth
import system_session
29 from samba
.dsdb
import DS_DOMAIN_FUNCTION_2008
30 from samba
.dcerpc
.security
import (
31 SECINFO_OWNER
, SECINFO_GROUP
, SECINFO_DACL
, SECINFO_SACL
)
32 from subunit
.run
import SubunitTestRunner
34 from samba
.tests
import delete_force
37 parser
= optparse
.OptionParser("sec_descriptor.py [options] <host>")
38 sambaopts
= options
.SambaOptions(parser
)
39 parser
.add_option_group(sambaopts
)
40 parser
.add_option_group(options
.VersionOptions(parser
))
42 # use command line creds if available
43 credopts
= options
.CredentialsOptions(parser
)
44 parser
.add_option_group(credopts
)
45 opts
, args
= parser
.parse_args()
53 lp
= sambaopts
.get_loadparm()
54 creds
= credopts
.get_credentials(lp
)
55 creds
.set_gensec_features(creds
.get_gensec_features() | gensec
.FEATURE_SEAL
)
61 class DescriptorTests(samba
.tests
.TestCase
):
63 def get_users_domain_dn(self
, name
):
64 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
66 def modify_desc(self
, _ldb
, object_dn
, desc
, controls
=None):
67 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
69 dn: """ + object_dn
+ """
71 replace: nTSecurityDescriptor
73 if isinstance(desc
, str):
74 mod
+= "nTSecurityDescriptor: %s" % desc
75 elif isinstance(desc
, security
.descriptor
):
76 mod
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
77 _ldb
.modify_ldif(mod
, controls
)
79 def get_unique_schema_class_name(self
):
81 class_name
= "test-class%s" % random
.randint(1,100000)
82 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
84 self
.ldb_admin
.search(base
=class_dn
, attrs
=["*"])
85 except LdbError
, (num
, _
):
86 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
89 def create_schema_class(self
, _ldb
, object_dn
, desc
=None):
91 dn: """ + object_dn
+ """
92 objectClass: classSchema
93 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
94 defaultObjectCategory: """ + object_dn
+ """
95 distinguishedName: """ + object_dn
+ """
96 governsID: 1.2.840.""" + str(random
.randint(1,100000)) + """.1.5.9939
98 objectClassCategory: 1
99 subClassOf: organizationalPerson
102 systemMustContain: cn
106 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
107 if isinstance(desc
, str):
108 ldif
+= "nTSecurityDescriptor: %s" % desc
109 elif isinstance(desc
, security
.descriptor
):
110 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
113 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
115 dn: """ + object_dn
+ """
116 objectClass: container
117 objectCategory: CN=Container,""" + self
.schema_dn
+ """
118 showInAdvancedViewOnly: TRUE
122 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
123 if isinstance(desc
, str):
124 ldif
+= "nTSecurityDescriptor: %s" % desc
125 elif isinstance(desc
, security
.descriptor
):
126 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
129 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
131 dn: """ + object_dn
+ """
132 objectClass: displaySpecifier
133 showInAdvancedViewOnly: TRUE
136 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
137 if isinstance(desc
, str):
138 ldif
+= "nTSecurityDescriptor: %s" % desc
139 elif isinstance(desc
, security
.descriptor
):
140 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
143 def read_desc(self
, object_dn
, controls
=None):
144 res
= self
.ldb_admin
.search(base
=object_dn
, scope
=SCOPE_BASE
, attrs
=["nTSecurityDescriptor"], controls
=controls
)
145 desc
= res
[0]["nTSecurityDescriptor"][0]
146 return ndr_unpack(security
.descriptor
, desc
)
148 def get_ldb_connection(self
, target_username
, target_password
):
149 creds_tmp
= Credentials()
150 creds_tmp
.set_username(target_username
)
151 creds_tmp
.set_password(target_password
)
152 creds_tmp
.set_domain(creds
.get_domain())
153 creds_tmp
.set_realm(creds
.get_realm())
154 creds_tmp
.set_workstation(creds
.get_workstation())
155 creds_tmp
.set_gensec_features(creds_tmp
.get_gensec_features()
156 | gensec
.FEATURE_SEAL
)
157 ldb_target
= SamDB(url
=host
, credentials
=creds_tmp
, lp
=lp
)
160 def get_object_sid(self
, object_dn
):
161 res
= self
.ldb_admin
.search(object_dn
)
162 return ndr_unpack( security
.dom_sid
, res
[0]["objectSid"][0] )
164 def dacl_add_ace(self
, object_dn
, ace
):
165 desc
= self
.read_desc( object_dn
)
166 desc_sddl
= desc
.as_sddl( self
.domain_sid
)
169 if desc_sddl
.find("(") >= 0:
170 desc_sddl
= desc_sddl
[:desc_sddl
.index("(")] + ace
+ desc_sddl
[desc_sddl
.index("("):]
172 desc_sddl
= desc_sddl
+ ace
173 self
.modify_desc(self
.ldb_admin
, object_dn
, desc_sddl
)
175 def get_desc_sddl(self
, object_dn
, controls
=None):
176 """ Return object nTSecutiryDescriptor in SDDL format
178 desc
= self
.read_desc(object_dn
, controls
)
179 return desc
.as_sddl(self
.domain_sid
)
182 super(DescriptorTests
, self
).setUp()
184 self
.base_dn
= ldb
.domain_dn()
185 self
.configuration_dn
= self
.ldb_admin
.get_config_basedn().get_linearized()
186 self
.schema_dn
= self
.ldb_admin
.get_schema_basedn().get_linearized()
187 self
.domain_sid
= security
.dom_sid(self
.ldb_admin
.get_domain_sid())
188 print "baseDN: %s" % self
.base_dn
190 ################################################################################################
194 # Default descriptor tests #####################################################################
196 class OwnerGroupDescriptorTests(DescriptorTests
):
199 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
200 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
201 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
202 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
203 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
204 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
205 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
206 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
208 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
209 delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
210 delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
211 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
214 delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
215 + self
.configuration_dn
)
216 delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
219 super(OwnerGroupDescriptorTests
, self
).setUp()
222 # User 1 - Enterprise Admins
223 self
.ldb_admin
.newuser("testuser1", "samba123@")
224 # User 2 - Domain Admins
225 self
.ldb_admin
.newuser("testuser2", "samba123@")
226 # User 3 - Schema Admins
227 self
.ldb_admin
.newuser("testuser3", "samba123@")
228 # User 4 - regular user
229 self
.ldb_admin
.newuser("testuser4", "samba123@")
230 # User 5 - Enterprise Admins and Domain Admins
231 self
.ldb_admin
.newuser("testuser5", "samba123@")
232 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
233 self
.ldb_admin
.newuser("testuser6", "samba123@")
234 # User 7 - Domain Admins and Schema Admins
235 self
.ldb_admin
.newuser("testuser7", "samba123@")
236 # User 5 - Enterprise Admins and Schema Admins
237 self
.ldb_admin
.newuser("testuser8", "samba123@")
239 self
.ldb_admin
.add_remove_group_members("Enterprise Admins",
240 "testuser1,testuser5,testuser6,testuser8",
241 add_members_operation
=True)
242 self
.ldb_admin
.add_remove_group_members("Domain Admins",
243 "testuser2,testuser5,testuser6,testuser7",
244 add_members_operation
=True)
245 self
.ldb_admin
.add_remove_group_members("Schema Admins",
246 "testuser3,testuser6,testuser7,testuser8",
247 add_members_operation
=True)
250 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
251 "ds_behavior_win2003" : {
301 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
302 "ds_behavior_win2008" : {
353 # Discover 'msDS-Behavior-Version'
354 res
= self
.ldb_admin
.search(base
=self
.base_dn
, expression
="distinguishedName=%s" % self
.base_dn
, \
355 attrs
=['msDS-Behavior-Version'])
356 res
= int(res
[0]['msDS-Behavior-Version'][0])
357 if res
< DS_DOMAIN_FUNCTION_2008
:
358 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
360 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
363 super(DescriptorTests
, self
).tearDown()
366 def check_user_belongs(self
, user_dn
, groups
=[]):
367 """ Test wether user is member of the expected group(s) """
369 # User is member of at least one additional group
370 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
371 res
= [x
.upper() for x
in sorted(list(res
[0]["memberOf"]))]
374 expected
.append(self
.get_users_domain_dn(x
))
375 expected
= [x
.upper() for x
in sorted(expected
)]
376 self
.assertEqual(expected
, res
)
378 # User is not a member of any additional groups but default
379 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
380 res
= [x
.upper() for x
in res
[0].keys()]
381 self
.assertFalse( "MEMBEROF" in res
)
383 def check_modify_inheritance(self
, _ldb
, object_dn
, owner_group
=""):
385 ace
= "(D;;CC;;;LG)" # Deny Create Children to Guest account
386 if owner_group
!= "":
387 self
.modify_desc(_ldb
, object_dn
, owner_group
+ "D:" + ace
)
389 self
.modify_desc(_ldb
, object_dn
, "D:" + ace
)
390 # Make sure the modify operation has been applied
391 desc_sddl
= self
.get_desc_sddl(object_dn
)
392 self
.assertTrue(ace
in desc_sddl
)
393 # Make sure we have identical result for both "add" and "modify"
394 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
395 print self
._testMethodName
396 test_number
= self
._testMethodName
[5:]
397 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][test_number
], res
)
400 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
402 user_name
= "testuser1"
403 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
404 # Open Ldb connection with the tested user
405 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
406 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
407 delete_force(self
.ldb_admin
, object_dn
)
408 _ldb
.newgroup("test_domain_group1", grouptype
=4)
409 desc_sddl
= self
.get_desc_sddl(object_dn
)
410 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
411 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
412 self
.check_modify_inheritance(_ldb
, object_dn
)
415 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
417 user_name
= "testuser2"
418 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
419 # Open Ldb connection with the tested user
420 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
421 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
422 delete_force(self
.ldb_admin
, object_dn
)
423 _ldb
.newgroup("test_domain_group1", grouptype
=4)
424 desc_sddl
= self
.get_desc_sddl(object_dn
)
425 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
426 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
427 self
.check_modify_inheritance(_ldb
, object_dn
)
430 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
432 user_name
= "testuser3"
433 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
434 # Open Ldb connection with the tested user
435 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
436 object_dn
= "OU=test_domain_ou1," + self
.base_dn
437 delete_force(self
.ldb_admin
, object_dn
)
438 self
.ldb_admin
.create_ou(object_dn
)
439 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
440 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
441 self
.dacl_add_ace(object_dn
, mod
)
442 # Create additional object into the first one
443 object_dn
= "CN=test_domain_user1," + object_dn
444 delete_force(self
.ldb_admin
, object_dn
)
445 _ldb
.newuser("test_domain_user1", "samba123@",
446 userou
="OU=test_domain_ou1", setpassword
=False)
447 desc_sddl
= self
.get_desc_sddl(object_dn
)
448 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
449 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
450 # This fails, research why
451 #self.check_modify_inheritance(_ldb, object_dn)
454 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
456 user_name
= "testuser4"
457 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
458 # Open Ldb connection with the tested user
459 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
460 object_dn
= "OU=test_domain_ou1," + self
.base_dn
461 delete_force(self
.ldb_admin
, object_dn
)
462 self
.ldb_admin
.create_ou(object_dn
)
463 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
464 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
465 self
.dacl_add_ace(object_dn
, mod
)
466 # Create additional object into the first one
467 object_dn
= "CN=test_domain_user1," + object_dn
468 delete_force(self
.ldb_admin
, object_dn
)
469 _ldb
.newuser("test_domain_user1", "samba123@",
470 userou
="OU=test_domain_ou1", setpassword
=False)
471 desc_sddl
= self
.get_desc_sddl(object_dn
)
472 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
473 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
474 #this fails, research why
475 #self.check_modify_inheritance(_ldb, object_dn)
478 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
480 user_name
= "testuser5"
481 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
482 # Open Ldb connection with the tested user
483 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
484 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
485 delete_force(self
.ldb_admin
, object_dn
)
486 _ldb
.newgroup("test_domain_group1", grouptype
=4)
487 desc_sddl
= self
.get_desc_sddl(object_dn
)
488 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
489 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
490 self
.check_modify_inheritance(_ldb
, object_dn
)
493 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
495 user_name
= "testuser6"
496 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
497 # Open Ldb connection with the tested user
498 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
499 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
500 delete_force(self
.ldb_admin
, object_dn
)
501 _ldb
.newgroup("test_domain_group1", grouptype
=4)
502 desc_sddl
= self
.get_desc_sddl(object_dn
)
503 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
504 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
505 self
.check_modify_inheritance(_ldb
, object_dn
)
508 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
510 user_name
= "testuser7"
511 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
512 # Open Ldb connection with the tested user
513 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
514 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
515 delete_force(self
.ldb_admin
, object_dn
)
516 _ldb
.newgroup("test_domain_group1", grouptype
=4)
517 desc_sddl
= self
.get_desc_sddl(object_dn
)
518 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
519 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
520 self
.check_modify_inheritance(_ldb
, object_dn
)
523 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
525 user_name
= "testuser8"
526 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
527 # Open Ldb connection with the tested user
528 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
529 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
530 delete_force(self
.ldb_admin
, object_dn
)
531 _ldb
.newgroup("test_domain_group1", grouptype
=4)
532 desc_sddl
= self
.get_desc_sddl(object_dn
)
533 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
534 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
535 self
.check_modify_inheritance(_ldb
, object_dn
)
537 # Control descriptor tests #####################################################################
540 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
542 user_name
= "testuser1"
543 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
544 # Open Ldb connection with the tested user
545 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
546 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
547 delete_force(self
.ldb_admin
, object_dn
)
548 # Create a custom security descriptor
549 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
550 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
551 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
552 desc_sddl
= self
.get_desc_sddl(object_dn
)
553 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
554 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
557 """ Domain admin group member creates object (custom descriptor) in DOMAIN
559 user_name
= "testuser2"
560 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
561 # Open Ldb connection with the tested user
562 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
563 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
564 delete_force(self
.ldb_admin
, object_dn
)
565 # Create a custom security descriptor
566 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
567 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
568 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
569 desc_sddl
= self
.get_desc_sddl(object_dn
)
570 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
571 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
574 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
576 user_name
= "testuser3"
577 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
578 # Open Ldb connection with the tested user
579 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
580 object_dn
= "OU=test_domain_ou1," + self
.base_dn
581 delete_force(self
.ldb_admin
, object_dn
)
582 self
.ldb_admin
.create_ou(object_dn
)
583 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
584 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
585 self
.dacl_add_ace(object_dn
, mod
)
586 # Create a custom security descriptor
587 # NB! Problematic owner part won't accept DA only <User Sid> !!!
588 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
589 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
590 # Create additional object into the first one
591 object_dn
= "CN=test_domain_user1," + object_dn
592 delete_force(self
.ldb_admin
, object_dn
)
593 _ldb
.newuser("test_domain_user1", "samba123@",
594 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
595 desc
= self
.read_desc(object_dn
)
596 desc_sddl
= self
.get_desc_sddl(object_dn
)
597 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
598 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
601 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
603 user_name
= "testuser4"
604 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
605 # Open Ldb connection with the tested user
606 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
607 object_dn
= "OU=test_domain_ou1," + self
.base_dn
608 delete_force(self
.ldb_admin
, object_dn
)
609 self
.ldb_admin
.create_ou(object_dn
)
610 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
611 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
612 self
.dacl_add_ace(object_dn
, mod
)
613 # Create a custom security descriptor
614 # NB! Problematic owner part won't accept DA only <User Sid> !!!
615 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
616 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
617 # Create additional object into the first one
618 object_dn
= "CN=test_domain_user1," + object_dn
619 delete_force(self
.ldb_admin
, object_dn
)
620 _ldb
.newuser("test_domain_user1", "samba123@",
621 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
622 desc
= self
.read_desc(object_dn
)
623 desc_sddl
= self
.get_desc_sddl(object_dn
)
624 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
625 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
628 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
630 user_name
= "testuser5"
631 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
632 # Open Ldb connection with the tested user
633 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
634 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
635 delete_force(self
.ldb_admin
, object_dn
)
636 # Create a custom security descriptor
637 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
638 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
639 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
640 desc_sddl
= self
.get_desc_sddl(object_dn
)
641 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
642 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
645 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
647 user_name
= "testuser6"
648 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
649 # Open Ldb connection with the tested user
650 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
651 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
652 delete_force(self
.ldb_admin
, object_dn
)
653 # Create a custom security descriptor
654 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
655 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
656 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
657 desc_sddl
= self
.get_desc_sddl(object_dn
)
658 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
659 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
662 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
664 user_name
= "testuser7"
665 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
666 # Open Ldb connection with the tested user
667 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
668 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
669 delete_force(self
.ldb_admin
, object_dn
)
670 # Create a custom security descriptor
671 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
672 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
673 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
674 desc_sddl
= self
.get_desc_sddl(object_dn
)
675 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
676 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
679 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
681 user_name
= "testuser8"
682 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
683 # Open Ldb connection with the tested user
684 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
685 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
686 delete_force(self
.ldb_admin
, object_dn
)
687 # Create a custom security descriptor
688 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
689 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
690 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
691 desc_sddl
= self
.get_desc_sddl(object_dn
)
692 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
693 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
696 user_name
= "Administrator"
697 object_dn
= "OU=test_domain_ou1," + self
.base_dn
698 delete_force(self
.ldb_admin
, object_dn
)
699 self
.ldb_admin
.create_ou(object_dn
)
700 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
701 mod
= "(D;CI;WP;;;S-1-3-0)"
703 self
.dacl_add_ace(object_dn
, mod
)
704 desc_sddl
= self
.get_desc_sddl(object_dn
)
705 # Create additional object into the first one
706 object_dn
= "OU=test_domain_ou2," + object_dn
707 delete_force(self
.ldb_admin
, object_dn
)
708 self
.ldb_admin
.create_ou(object_dn
)
709 desc_sddl
= self
.get_desc_sddl(object_dn
)
713 # Defalt descriptor tests ##################################################################
716 user_name
= "testuser1"
717 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
718 # Open Ldb connection with the tested user
719 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
720 # Change Schema partition descriptor
721 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
722 mod
= "(A;;WDCC;;;AU)"
723 self
.dacl_add_ace(self
.schema_dn
, mod
)
724 # Create example Schema class
725 class_name
= self
.get_unique_schema_class_name()
726 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
727 self
.create_schema_class(_ldb
, class_dn
)
728 desc_sddl
= self
.get_desc_sddl(class_dn
)
729 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
730 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
731 self
.check_modify_inheritance(_ldb
, class_dn
)
734 user_name
= "testuser2"
735 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
736 # Open Ldb connection with the tested user
737 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
738 # Change Schema partition descriptor
739 mod
= "(A;CI;WDCC;;;AU)"
740 self
.dacl_add_ace(self
.schema_dn
, mod
)
741 # Create example Schema class
742 class_name
= self
.get_unique_schema_class_name()
743 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
744 self
.create_schema_class(_ldb
, class_dn
)
745 desc_sddl
= self
.get_desc_sddl(class_dn
)
746 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
747 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
748 self
.check_modify_inheritance(_ldb
, class_dn
)
751 user_name
= "testuser3"
752 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
753 # Open Ldb connection with the tested user
754 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
755 # Change Schema partition descriptor
756 mod
= "(A;CI;WDCC;;;AU)"
757 self
.dacl_add_ace(self
.schema_dn
, mod
)
758 # Create example Schema class
759 class_name
= self
.get_unique_schema_class_name()
760 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
761 self
.create_schema_class(_ldb
, class_dn
)
762 desc_sddl
= self
.get_desc_sddl(class_dn
)
763 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
764 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
765 #self.check_modify_inheritance(_ldb, class_dn)
768 user_name
= "testuser4"
769 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
770 # Open Ldb connection with the tested user
771 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
772 #Change Schema partition descriptor
773 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
774 mod
= "(A;CI;WDCC;;;AU)"
775 self
.dacl_add_ace(self
.schema_dn
, mod
)
776 # Create example Schema class
777 class_name
= self
.get_unique_schema_class_name()
778 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
779 self
.create_schema_class(_ldb
, class_dn
)
780 desc_sddl
= self
.get_desc_sddl(class_dn
)
781 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
782 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
783 #self.check_modify_inheritance(_ldb, class_dn)
786 user_name
= "testuser5"
787 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
788 # Open Ldb connection with the tested user
789 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
790 #Change Schema partition descriptor
791 mod
= "(A;CI;WDCC;;;AU)"
792 self
.dacl_add_ace(self
.schema_dn
, mod
)
793 # Create example Schema class
794 class_name
= self
.get_unique_schema_class_name()
795 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
796 self
.create_schema_class(_ldb
, class_dn
)
797 desc_sddl
= self
.get_desc_sddl(class_dn
)
798 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
799 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
800 self
.check_modify_inheritance(_ldb
, class_dn
)
803 user_name
= "testuser6"
804 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
805 # Open Ldb connection with the tested user
806 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
807 # Change Schema partition descriptor
808 mod
= "(A;CI;WDCC;;;AU)"
809 self
.dacl_add_ace(self
.schema_dn
, mod
)
810 # Create example Schema class
811 class_name
= self
.get_unique_schema_class_name()
812 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
813 self
.create_schema_class(_ldb
, class_dn
)
814 desc_sddl
= self
.get_desc_sddl(class_dn
)
815 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
816 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
817 self
.check_modify_inheritance(_ldb
, class_dn
)
820 user_name
= "testuser7"
821 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
822 # Open Ldb connection with the tested user
823 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
824 # Change Schema partition descriptor
825 mod
= "(A;CI;WDCC;;;AU)"
826 self
.dacl_add_ace(self
.schema_dn
, mod
)
827 # Create example Schema class
828 class_name
= self
.get_unique_schema_class_name()
829 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
830 self
.create_schema_class(_ldb
, class_dn
)
831 desc_sddl
= self
.get_desc_sddl(class_dn
)
832 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
833 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
834 self
.check_modify_inheritance(_ldb
, class_dn
)
837 user_name
= "testuser8"
838 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
839 # Open Ldb connection with the tested user
840 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
841 # Change Schema partition descriptor
842 mod
= "(A;CI;WDCC;;;AU)"
843 self
.dacl_add_ace(self
.schema_dn
, mod
)
844 # Create example Schema class
845 class_name
= self
.get_unique_schema_class_name()
846 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
847 self
.create_schema_class(_ldb
, class_dn
)
848 desc_sddl
= self
.get_desc_sddl(class_dn
)
849 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
850 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
851 self
.check_modify_inheritance(_ldb
, class_dn
)
853 # Custom descriptor tests ##################################################################
856 user_name
= "testuser1"
857 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
858 # Open Ldb connection with the tested user
859 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
860 # Change Schema partition descriptor
862 self
.dacl_add_ace(self
.schema_dn
, mod
)
863 # Create a custom security descriptor
864 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
865 # Create example Schema class
866 class_name
= self
.get_unique_schema_class_name()
867 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
868 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
869 desc_sddl
= self
.get_desc_sddl(class_dn
)
870 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
871 self
.assertEqual("O:DAG:DA", res
)
874 user_name
= "testuser2"
875 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
876 # Open Ldb connection with the tested user
877 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
878 # Change Schema partition descriptor
880 self
.dacl_add_ace(self
.schema_dn
, mod
)
881 # Create a custom security descriptor
882 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
883 # Create example Schema class
884 class_name
= self
.get_unique_schema_class_name()
885 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
886 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
887 desc_sddl
= self
.get_desc_sddl(class_dn
)
888 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
889 self
.assertEqual("O:DAG:DA", res
)
892 user_name
= "testuser3"
893 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
894 # Open Ldb connection with the tested user
895 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
896 # Create a custom security descriptor
897 # NB! Problematic owner part won't accept DA only <User Sid> !!!
898 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
899 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
900 # Create example Schema class
901 class_name
= self
.get_unique_schema_class_name()
902 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
903 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
904 desc_sddl
= self
.get_desc_sddl(class_dn
)
905 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
906 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
909 user_name
= "testuser4"
910 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
911 # Open Ldb connection with the tested user
912 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
913 # Create a custom security descriptor
914 # NB! Problematic owner part won't accept DA only <User Sid> !!!
915 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
916 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
917 # Create example Schema class
918 class_name
= self
.get_unique_schema_class_name()
919 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
920 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
921 desc_sddl
= self
.get_desc_sddl(class_dn
)
922 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
923 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
926 user_name
= "testuser5"
927 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
928 # Open Ldb connection with the tested user
929 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
930 # Change Schema partition descriptor
932 self
.dacl_add_ace(self
.schema_dn
, mod
)
933 # Create a custom security descriptor
934 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
935 # Create example Schema class
936 class_name
= self
.get_unique_schema_class_name()
937 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
938 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
939 desc_sddl
= self
.get_desc_sddl(class_dn
)
940 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
941 self
.assertEqual("O:DAG:DA", res
)
944 user_name
= "testuser6"
945 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
946 # Open Ldb connection with the tested user
947 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
948 # Change Schema partition descriptor
950 self
.dacl_add_ace(self
.schema_dn
, mod
)
951 # Create a custom security descriptor
952 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
953 # Create example Schema class
954 class_name
= self
.get_unique_schema_class_name()
955 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
956 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
957 desc_sddl
= self
.get_desc_sddl(class_dn
)
958 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
959 self
.assertEqual("O:DAG:DA", res
)
962 user_name
= "testuser7"
963 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
964 # Open Ldb connection with the tested user
965 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
966 # Change Schema partition descriptor
968 self
.dacl_add_ace(self
.schema_dn
, mod
)
969 # Create a custom security descriptor
970 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
971 # Create example Schema class
972 class_name
= self
.get_unique_schema_class_name()
973 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
974 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
975 desc_sddl
= self
.get_desc_sddl(class_dn
)
976 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
977 self
.assertEqual("O:DAG:DA", res
)
980 user_name
= "testuser8"
981 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
982 # Open Ldb connection with the tested user
983 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
984 # Change Schema partition descriptor
986 self
.dacl_add_ace(self
.schema_dn
, mod
)
987 # Create a custom security descriptor
988 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
989 # Create example Schema class
990 class_name
= self
.get_unique_schema_class_name()
991 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
992 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
993 desc_sddl
= self
.get_desc_sddl(class_dn
)
994 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
995 self
.assertEqual("O:DAG:DA", res
)
997 ## Tests for CONFIGURATION
999 # Defalt descriptor tests ##################################################################
1002 user_name
= "testuser1"
1003 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1004 # Open Ldb connection with the tested user
1005 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1006 # Create example Configuration container
1007 container_name
= "test-container1"
1008 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1009 delete_force(self
.ldb_admin
, object_dn
)
1010 self
.create_configuration_container(_ldb
, object_dn
, )
1011 desc_sddl
= self
.get_desc_sddl(object_dn
)
1012 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1013 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1014 self
.check_modify_inheritance(_ldb
, object_dn
)
1017 user_name
= "testuser2"
1018 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1019 # Open Ldb connection with the tested user
1020 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1021 # Create example Configuration container
1022 container_name
= "test-container1"
1023 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1024 delete_force(self
.ldb_admin
, object_dn
)
1025 self
.create_configuration_container(_ldb
, object_dn
, )
1026 desc_sddl
= self
.get_desc_sddl(object_dn
)
1027 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1028 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1029 self
.check_modify_inheritance(_ldb
, object_dn
)
1032 user_name
= "testuser3"
1033 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1034 # Open Ldb connection with the tested user
1035 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1036 # Create example Configuration container
1037 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1038 delete_force(self
.ldb_admin
, object_dn
)
1039 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1040 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1041 mod
= "(A;;WDCC;;;AU)"
1042 self
.dacl_add_ace(object_dn
, mod
)
1043 # Create child object with user's credentials
1044 object_dn
= "CN=test-specifier1," + object_dn
1045 delete_force(self
.ldb_admin
, object_dn
)
1046 self
.create_configuration_specifier(_ldb
, object_dn
)
1047 desc_sddl
= self
.get_desc_sddl(object_dn
)
1048 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1049 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1050 #self.check_modify_inheritance(_ldb, object_dn)
1053 user_name
= "testuser4"
1054 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1055 # Open Ldb connection with the tested user
1056 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1057 # Create example Configuration container
1058 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1059 delete_force(self
.ldb_admin
, object_dn
)
1060 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1061 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1062 mod
= "(A;CI;WDCC;;;AU)"
1063 self
.dacl_add_ace(object_dn
, mod
)
1064 # Create child object with user's credentials
1065 object_dn
= "CN=test-specifier1," + object_dn
1066 delete_force(self
.ldb_admin
, object_dn
)
1067 self
.create_configuration_specifier(_ldb
, object_dn
)
1068 desc_sddl
= self
.get_desc_sddl(object_dn
)
1069 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1070 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1071 #self.check_modify_inheritance(_ldb, object_dn)
1074 user_name
= "testuser5"
1075 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1076 # Open Ldb connection with the tested user
1077 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1078 # Create example Configuration container
1079 container_name
= "test-container1"
1080 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1081 delete_force(self
.ldb_admin
, object_dn
)
1082 self
.create_configuration_container(_ldb
, object_dn
, )
1083 desc_sddl
= self
.get_desc_sddl(object_dn
)
1084 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1085 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1086 self
.check_modify_inheritance(_ldb
, object_dn
)
1089 user_name
= "testuser6"
1090 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1091 # Open Ldb connection with the tested user
1092 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1093 # Create example Configuration container
1094 container_name
= "test-container1"
1095 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1096 delete_force(self
.ldb_admin
, object_dn
)
1097 self
.create_configuration_container(_ldb
, object_dn
, )
1098 desc_sddl
= self
.get_desc_sddl(object_dn
)
1099 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1100 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1101 self
.check_modify_inheritance(_ldb
, object_dn
)
1104 user_name
= "testuser7"
1105 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1106 # Open Ldb connection with the tested user
1107 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1108 # Create example Configuration container
1109 container_name
= "test-container1"
1110 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1111 delete_force(self
.ldb_admin
, object_dn
)
1112 self
.create_configuration_container(_ldb
, object_dn
, )
1113 desc_sddl
= self
.get_desc_sddl(object_dn
)
1114 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1115 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1116 self
.check_modify_inheritance(_ldb
, object_dn
)
1119 user_name
= "testuser8"
1120 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1121 # Open Ldb connection with the tested user
1122 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1123 # Create example Configuration container
1124 container_name
= "test-container1"
1125 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1126 delete_force(self
.ldb_admin
, object_dn
)
1127 self
.create_configuration_container(_ldb
, object_dn
, )
1128 desc_sddl
= self
.get_desc_sddl(object_dn
)
1129 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1130 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1131 self
.check_modify_inheritance(_ldb
, object_dn
)
1133 # Custom descriptor tests ##################################################################
1136 user_name
= "testuser1"
1137 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1138 # Open Ldb connection with the tested user
1139 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1140 # Create example Configuration container
1141 container_name
= "test-container1"
1142 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1143 delete_force(self
.ldb_admin
, object_dn
)
1144 # Create a custom security descriptor
1145 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1146 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1147 desc_sddl
= self
.get_desc_sddl(object_dn
)
1148 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1149 self
.assertEqual("O:DAG:DA", res
)
1152 user_name
= "testuser2"
1153 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1154 # Open Ldb connection with the tested user
1155 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1156 # Create example Configuration container
1157 container_name
= "test-container1"
1158 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1159 delete_force(self
.ldb_admin
, object_dn
)
1160 # Create a custom security descriptor
1161 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1162 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1163 desc_sddl
= self
.get_desc_sddl(object_dn
)
1164 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1165 self
.assertEqual("O:DAG:DA", res
)
1168 user_name
= "testuser3"
1169 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1170 # Open Ldb connection with the tested user
1171 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1172 # Create example Configuration container
1173 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1174 delete_force(self
.ldb_admin
, object_dn
)
1175 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1176 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1177 mod
= "(A;;CC;;;AU)"
1178 self
.dacl_add_ace(object_dn
, mod
)
1179 # Create child object with user's credentials
1180 object_dn
= "CN=test-specifier1," + object_dn
1181 delete_force(self
.ldb_admin
, object_dn
)
1182 # Create a custom security descriptor
1183 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1184 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1185 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1186 desc_sddl
= self
.get_desc_sddl(object_dn
)
1187 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1188 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1191 user_name
= "testuser4"
1192 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1193 # Open Ldb connection with the tested user
1194 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1195 # Create example Configuration container
1196 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1197 delete_force(self
.ldb_admin
, object_dn
)
1198 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1199 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1200 mod
= "(A;;CC;;;AU)"
1201 self
.dacl_add_ace(object_dn
, mod
)
1202 # Create child object with user's credentials
1203 object_dn
= "CN=test-specifier1," + object_dn
1204 delete_force(self
.ldb_admin
, object_dn
)
1205 # Create a custom security descriptor
1206 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1207 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1208 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1209 desc_sddl
= self
.get_desc_sddl(object_dn
)
1210 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1211 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1214 user_name
= "testuser5"
1215 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1216 # Open Ldb connection with the tested user
1217 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1218 # Create example Configuration container
1219 container_name
= "test-container1"
1220 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1221 delete_force(self
.ldb_admin
, object_dn
)
1222 # Create a custom security descriptor
1223 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1224 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1225 desc_sddl
= self
.get_desc_sddl(object_dn
)
1226 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1227 self
.assertEqual("O:DAG:DA", res
)
1230 user_name
= "testuser6"
1231 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1232 # Open Ldb connection with the tested user
1233 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1234 # Create example Configuration container
1235 container_name
= "test-container1"
1236 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1237 delete_force(self
.ldb_admin
, object_dn
)
1238 # Create a custom security descriptor
1239 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1240 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1241 desc_sddl
= self
.get_desc_sddl(object_dn
)
1242 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1243 self
.assertEqual("O:DAG:DA", res
)
1246 user_name
= "testuser7"
1247 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1248 # Open Ldb connection with the tested user
1249 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1250 # Create example Configuration container
1251 container_name
= "test-container1"
1252 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1253 delete_force(self
.ldb_admin
, object_dn
)
1254 # Create a custom security descriptor
1255 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1256 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1257 desc_sddl
= self
.get_desc_sddl(object_dn
)
1258 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1259 self
.assertEqual("O:DAG:DA", res
)
1262 user_name
= "testuser8"
1263 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1264 # Open Ldb connection with the tested user
1265 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1266 # Create example Configuration container
1267 container_name
= "test-container1"
1268 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1269 delete_force(self
.ldb_admin
, object_dn
)
1270 # Create a custom security descriptor
1271 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1272 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1273 desc_sddl
= self
.get_desc_sddl(object_dn
)
1274 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1275 self
.assertEqual("O:DAG:DA", res
)
1277 ########################################################################################
1278 # Inharitance tests for DACL
1280 class DaclDescriptorTests(DescriptorTests
):
1282 def deleteAll(self
):
1283 delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1284 delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1287 super(DaclDescriptorTests
, self
).setUp()
1290 def create_clean_ou(self
, object_dn
):
1291 """ Base repeating setup for unittests to follow """
1292 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
, \
1293 expression
="distinguishedName=%s" % object_dn
)
1294 # Make sure top testing OU has been deleted before starting the test
1295 self
.assertEqual(res
, [])
1296 self
.ldb_admin
.create_ou(object_dn
)
1297 desc_sddl
= self
.get_desc_sddl(object_dn
)
1298 # Make sure there are inheritable ACEs initially
1299 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1300 # Find and remove all inherit ACEs
1301 res
= re
.findall("\(.*?\)", desc_sddl
)
1302 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1304 desc_sddl
= desc_sddl
.replace(x
, "")
1305 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1306 # can propagate from above
1307 # remove SACL, we are not interested
1308 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1309 self
.modify_desc(self
.ldb_admin
, object_dn
, desc_sddl
)
1310 # Verify all inheritable ACEs are gone
1311 desc_sddl
= self
.get_desc_sddl(object_dn
)
1312 self
.assertFalse("CI" in desc_sddl
)
1313 self
.assertFalse("OI" in desc_sddl
)
1316 """ OU with protected flag and child group. See if the group has inherit ACEs.
1318 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1319 group_dn
= "CN=test_inherit_group," + ou_dn
1320 # Create inheritable-free OU
1321 self
.create_clean_ou(ou_dn
)
1322 # Create group child object
1323 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1324 # Make sure created group object contains NO inherit ACEs
1325 desc_sddl
= self
.get_desc_sddl(group_dn
)
1326 self
.assertFalse("ID" in desc_sddl
)
1329 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1330 Verify group has custom and default ACEs only.
1332 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1333 group_dn
= "CN=test_inherit_group," + ou_dn
1334 # Create inheritable-free OU
1335 self
.create_clean_ou(ou_dn
)
1336 # Create group child object using custom security descriptor
1337 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1338 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
1339 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1340 # Make sure created group descriptor has NO additional ACEs
1341 desc_sddl
= self
.get_desc_sddl(group_dn
)
1342 self
.assertEqual(desc_sddl
, sddl
)
1343 sddl
= "O:AUG:AUD:AI(D;;CC;;;LG)"
1344 self
.modify_desc(self
.ldb_admin
, group_dn
, sddl
)
1345 desc_sddl
= self
.get_desc_sddl(group_dn
)
1346 self
.assertEqual(desc_sddl
, sddl
)
1349 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1350 See if the group has any of the added ACEs.
1352 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1353 group_dn
= "CN=test_inherit_group," + ou_dn
1354 # Create inheritable-free OU
1355 self
.create_clean_ou(ou_dn
)
1356 # Add some custom non-inheritable ACEs
1357 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1358 moded
= "(D;;CC;;;LG)"
1359 self
.dacl_add_ace(ou_dn
, mod
)
1360 # Verify all inheritable ACEs are gone
1361 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1362 # Create group child object
1363 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1364 # Make sure created group object contains NO inherit ACEs
1365 # also make sure the added above non-inheritable ACEs are absent too
1366 desc_sddl
= self
.get_desc_sddl(group_dn
)
1367 self
.assertFalse("ID" in desc_sddl
)
1368 for x
in re
.findall("\(.*?\)", mod
):
1369 self
.assertFalse(x
in desc_sddl
)
1370 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1371 desc_sddl
= self
.get_desc_sddl(group_dn
)
1372 self
.assertFalse("ID" in desc_sddl
)
1373 for x
in re
.findall("\(.*?\)", mod
):
1374 self
.assertFalse(x
in desc_sddl
)
1377 """ OU with protected flag and add 'CI' ACE, child group.
1378 See if the group has the added inherited ACE.
1380 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1381 group_dn
= "CN=test_inherit_group," + ou_dn
1382 # Create inheritable-free OU
1383 self
.create_clean_ou(ou_dn
)
1384 # Add some custom 'CI' ACE
1385 mod
= "(D;CI;WP;;;DU)"
1386 moded
= "(D;;CC;;;LG)"
1387 self
.dacl_add_ace(ou_dn
, mod
)
1388 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1389 # Create group child object
1390 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1391 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1392 # Make sure created group object contains only the above inherited ACE
1393 # that we've added manually
1394 desc_sddl
= self
.get_desc_sddl(group_dn
)
1395 mod
= mod
.replace(";CI;", ";CIID;")
1396 self
.assertTrue(mod
in desc_sddl
)
1397 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1398 desc_sddl
= self
.get_desc_sddl(group_dn
)
1399 self
.assertTrue(moded
in desc_sddl
)
1400 self
.assertTrue(mod
in desc_sddl
)
1403 """ OU with protected flag and add 'OI' ACE, child group.
1404 See if the group has the added inherited ACE.
1406 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1407 group_dn
= "CN=test_inherit_group," + ou_dn
1408 # Create inheritable-free OU
1409 self
.create_clean_ou(ou_dn
)
1410 # Add some custom 'CI' ACE
1411 mod
= "(D;OI;WP;;;DU)"
1412 moded
= "(D;;CC;;;LG)"
1413 self
.dacl_add_ace(ou_dn
, mod
)
1414 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1415 # Create group child object
1416 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1417 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1418 # Make sure created group object contains only the above inherited ACE
1419 # that we've added manually
1420 desc_sddl
= self
.get_desc_sddl(group_dn
)
1421 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1422 self
.assertTrue(mod
in desc_sddl
)
1423 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" +moded
)
1424 desc_sddl
= self
.get_desc_sddl(group_dn
)
1425 self
.assertTrue(moded
in desc_sddl
)
1426 self
.assertTrue(mod
in desc_sddl
)
1429 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1430 See if the group has the added inherited ACE.
1432 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1433 group_dn
= "CN=test_inherit_group," + ou_dn
1434 # Create inheritable-free OU
1435 self
.create_clean_ou(ou_dn
)
1436 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1437 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1438 moded
= "(D;;CC;;;LG)"
1439 self
.dacl_add_ace(ou_dn
, mod
)
1440 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1441 # Create group child object
1442 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1443 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1444 # Make sure created group object contains only the above inherited ACE
1445 # that we've added manually
1446 desc_sddl
= self
.get_desc_sddl(group_dn
)
1447 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1448 self
.assertTrue(mod
in desc_sddl
)
1449 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1450 desc_sddl
= self
.get_desc_sddl(group_dn
)
1451 self
.assertTrue(moded
in desc_sddl
)
1452 self
.assertTrue(mod
in desc_sddl
)
1455 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1456 See if the group has the added inherited ACE.
1458 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1459 group_dn
= "CN=test_inherit_group," + ou_dn
1460 # Create inheritable-free OU
1461 self
.create_clean_ou(ou_dn
)
1462 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1463 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1464 moded
= "(D;;CC;;;LG)"
1465 self
.dacl_add_ace(ou_dn
, mod
)
1466 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1467 # Create group child object
1468 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1469 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1470 # Make sure created group object contains only the above inherited ACE
1471 # that we've added manually
1472 desc_sddl
= self
.get_desc_sddl(group_dn
)
1473 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1474 self
.assertTrue(mod
in desc_sddl
)
1475 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1476 desc_sddl
= self
.get_desc_sddl(group_dn
)
1477 self
.assertTrue(moded
in desc_sddl
)
1478 self
.assertTrue(mod
in desc_sddl
)
1481 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1482 See if the group has the added inherited ACE.
1484 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1485 group_dn
= "CN=test_inherit_group," + ou_dn
1486 # Create inheritable-free OU
1487 self
.create_clean_ou(ou_dn
)
1488 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1489 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1490 moded
= "(D;;CC;;;LG)"
1491 self
.dacl_add_ace(ou_dn
, mod
)
1492 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1493 # Create group child object
1494 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1495 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1496 # Make sure created group object contains only the above inherited ACE
1497 # that we've added manually
1498 desc_sddl
= self
.get_desc_sddl(group_dn
)
1499 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1500 self
.assertTrue(mod
in desc_sddl
)
1501 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1502 desc_sddl
= self
.get_desc_sddl(group_dn
)
1503 self
.assertTrue(moded
in desc_sddl
)
1504 self
.assertTrue(mod
in desc_sddl
)
1507 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1508 See if the group has the added inherited ACE.
1510 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1511 group_dn
= "CN=test_inherit_group," + ou_dn
1512 # Create inheritable-free OU
1513 self
.create_clean_ou(ou_dn
)
1514 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1515 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1516 moded
= "(D;;CC;;;LG)"
1517 self
.dacl_add_ace(ou_dn
, mod
)
1518 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1519 # Create group child object
1520 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1521 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1522 # Make sure created group object contains only the above inherited ACE
1523 # that we've added manually
1524 desc_sddl
= self
.get_desc_sddl(group_dn
)
1525 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1526 self
.assertTrue(mod
in desc_sddl
)
1527 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded
)
1528 desc_sddl
= self
.get_desc_sddl(group_dn
)
1529 self
.assertTrue(moded
in desc_sddl
)
1530 self
.assertTrue(mod
in desc_sddl
)
1533 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1534 See if the group has the added inherited ACE.
1536 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1537 group_dn
= "CN=test_inherit_group," + ou_dn
1538 # Create inheritable-free OU
1539 self
.create_clean_ou(ou_dn
)
1540 # Add some custom 'CI' ACE
1541 mod
= "(D;CI;WP;;;CO)"
1542 moded
= "(D;;CC;;;LG)"
1543 self
.dacl_add_ace(ou_dn
, mod
)
1544 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1545 # Create group child object
1546 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1547 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1548 # Make sure created group object contains only the above inherited ACE(s)
1549 # that we've added manually
1550 desc_sddl
= self
.get_desc_sddl(group_dn
)
1551 self
.assertTrue("(D;ID;WP;;;AU)" in desc_sddl
)
1552 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1553 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1554 desc_sddl
= self
.get_desc_sddl(group_dn
)
1555 self
.assertTrue(moded
in desc_sddl
)
1556 self
.assertTrue("(D;ID;WP;;;DA)" in desc_sddl
)
1557 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1560 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1562 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1563 group_dn
= "CN=test_inherit_group," + ou_dn
1564 self
.create_clean_ou(ou_dn
)
1565 # Add some custom ACE
1566 mod
= "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1567 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1568 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1569 # Make sure created group object does not contain the ID ace
1570 desc_sddl
= self
.get_desc_sddl(group_dn
)
1571 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1574 """ Provide ACE with CO SID, should be expanded and replaced
1576 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1577 group_dn
= "CN=test_inherit_group," + ou_dn
1578 # Create inheritable-free OU
1579 self
.create_clean_ou(ou_dn
)
1580 # Add some custom 'CI' ACE
1581 mod
= "D:(D;CI;WP;;;CO)"
1582 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1583 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1584 desc_sddl
= self
.get_desc_sddl(group_dn
)
1585 self
.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl
)
1588 """ Provide ACE with IO flag, should be ignored
1590 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1591 group_dn
= "CN=test_inherit_group," + ou_dn
1592 # Create inheritable-free OU
1593 self
.create_clean_ou(ou_dn
)
1594 # Add some custom 'CI' ACE
1595 mod
= "D:(D;CIIO;WP;;;CO)"
1596 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1597 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1598 # Make sure created group object contains only the above inherited ACE(s)
1599 # that we've added manually
1600 desc_sddl
= self
.get_desc_sddl(group_dn
)
1601 self
.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl
)
1602 self
.assertFalse("(D;;WP;;;DA)" in desc_sddl
)
1603 self
.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl
)
1606 """ Provide ACE with IO flag, should be ignored
1608 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1609 group_dn
= "CN=test_inherit_group," + ou_dn
1610 # Create inheritable-free OU
1611 self
.create_clean_ou(ou_dn
)
1612 mod
= "D:(D;IO;WP;;;DA)"
1613 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1614 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1615 # Make sure created group object contains only the above inherited ACE(s)
1616 # that we've added manually
1617 desc_sddl
= self
.get_desc_sddl(group_dn
)
1618 self
.assertFalse("(D;IO;WP;;;DA)" in desc_sddl
)
1620 ########################################################################################
1623 class SdFlagsDescriptorTests(DescriptorTests
):
1624 def deleteAll(self
):
1625 delete_force(self
.ldb_admin
, "OU=test_sdflags_ou," + self
.base_dn
)
1628 super(SdFlagsDescriptorTests
, self
).setUp()
1629 self
.test_descr
= "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1633 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1634 See that only the owner has been changed.
1636 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1637 self
.ldb_admin
.create_ou(ou_dn
)
1638 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1639 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1640 # make sure we have modified the owner
1641 self
.assertTrue("O:AU" in desc_sddl
)
1642 # make sure nothing else has been modified
1643 self
.assertFalse("G:AU" in desc_sddl
)
1644 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1645 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1648 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1649 See that only the owner has been changed.
1651 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1652 self
.ldb_admin
.create_ou(ou_dn
)
1653 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1654 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1655 # make sure we have modified the group
1656 self
.assertTrue("G:AU" in desc_sddl
)
1657 # make sure nothing else has been modified
1658 self
.assertFalse("O:AU" in desc_sddl
)
1659 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1660 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1663 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1664 See that only the owner has been changed.
1666 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1667 self
.ldb_admin
.create_ou(ou_dn
)
1668 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1669 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1670 # make sure we have modified the DACL
1671 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1672 # make sure nothing else has been modified
1673 self
.assertFalse("O:AU" in desc_sddl
)
1674 self
.assertFalse("G:AU" in desc_sddl
)
1675 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1678 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1679 See that only the owner has been changed.
1681 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1682 self
.ldb_admin
.create_ou(ou_dn
)
1683 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1684 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1685 # make sure we have modified the DACL
1686 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1687 # make sure nothing else has been modified
1688 self
.assertFalse("O:AU" in desc_sddl
)
1689 self
.assertFalse("G:AU" in desc_sddl
)
1690 self
.assertFalse("(D;;CC;;;LG)" in desc_sddl
)
1693 """ Modify a descriptor with 0x0 set.
1694 Contrary to logic this is interpreted as no control,
1695 which is the same as 0xF
1697 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1698 self
.ldb_admin
.create_ou(ou_dn
)
1699 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:0"])
1700 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1701 # make sure we have modified the DACL
1702 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1703 # make sure nothing else has been modified
1704 self
.assertTrue("O:AU" in desc_sddl
)
1705 self
.assertTrue("G:AU" in desc_sddl
)
1706 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1709 """ Modify a descriptor with 0xF set.
1711 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1712 self
.ldb_admin
.create_ou(ou_dn
)
1713 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:15"])
1714 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1715 # make sure we have modified the DACL
1716 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1717 # make sure nothing else has been modified
1718 self
.assertTrue("O:AU" in desc_sddl
)
1719 self
.assertTrue("G:AU" in desc_sddl
)
1720 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1723 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1724 Only the owner part should be returned.
1726 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1727 self
.ldb_admin
.create_ou(ou_dn
)
1728 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1729 # make sure we have read the owner
1730 self
.assertTrue("O:" in desc_sddl
)
1731 # make sure we have read nothing else
1732 self
.assertFalse("G:" in desc_sddl
)
1733 self
.assertFalse("D:" in desc_sddl
)
1734 self
.assertFalse("S:" in desc_sddl
)
1737 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1738 Only the group part should be returned.
1740 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1741 self
.ldb_admin
.create_ou(ou_dn
)
1742 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1743 # make sure we have read the owner
1744 self
.assertTrue("G:" in desc_sddl
)
1745 # make sure we have read nothing else
1746 self
.assertFalse("O:" in desc_sddl
)
1747 self
.assertFalse("D:" in desc_sddl
)
1748 self
.assertFalse("S:" in desc_sddl
)
1751 """ Read a descriptor with SACL_SECURITY_INFORMATION
1752 Only the sacl part should be returned.
1754 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1755 self
.ldb_admin
.create_ou(ou_dn
)
1756 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1757 # make sure we have read the owner
1758 self
.assertTrue("S:" in desc_sddl
)
1759 # make sure we have read nothing else
1760 self
.assertFalse("O:" in desc_sddl
)
1761 self
.assertFalse("D:" in desc_sddl
)
1762 self
.assertFalse("G:" in desc_sddl
)
1765 """ Read a descriptor with DACL_SECURITY_INFORMATION
1766 Only the dacl part should be returned.
1768 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1769 self
.ldb_admin
.create_ou(ou_dn
)
1770 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1771 # make sure we have read the owner
1772 self
.assertTrue("D:" in desc_sddl
)
1773 # make sure we have read nothing else
1774 self
.assertFalse("O:" in desc_sddl
)
1775 self
.assertFalse("S:" in desc_sddl
)
1776 self
.assertFalse("G:" in desc_sddl
)
1779 class RightsAttributesTests(DescriptorTests
):
1781 def deleteAll(self
):
1782 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr"))
1783 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr2"))
1784 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
1787 super(RightsAttributesTests
, self
).setUp()
1791 self
.ldb_admin
.newuser("testuser_attr", "samba123@")
1792 # User 2, Domain Admins
1793 self
.ldb_admin
.newuser("testuser_attr2", "samba123@")
1794 self
.ldb_admin
.add_remove_group_members("Domain Admins",
1796 add_members_operation
=True)
1798 def test_sDRightsEffective(self
):
1799 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1800 delete_force(self
.ldb_admin
, object_dn
)
1801 self
.ldb_admin
.create_ou(object_dn
)
1802 print self
.get_users_domain_dn("testuser_attr")
1803 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1804 #give testuser1 read access so attributes can be retrieved
1805 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1806 self
.dacl_add_ace(object_dn
, mod
)
1807 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1808 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1809 attrs
=["sDRightsEffective"])
1810 #user whould have no rights at all
1811 self
.assertEquals(len(res
), 1)
1812 self
.assertEquals(res
[0]["sDRightsEffective"][0], "0")
1813 #give the user Write DACL and see what happens
1814 mod
= "(A;CI;WD;;;%s)" % str(user_sid
)
1815 self
.dacl_add_ace(object_dn
, mod
)
1816 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1817 attrs
=["sDRightsEffective"])
1818 #user whould have DACL_SECURITY_INFORMATION
1819 self
.assertEquals(len(res
), 1)
1820 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL
)
1821 #give the user Write Owners and see what happens
1822 mod
= "(A;CI;WO;;;%s)" % str(user_sid
)
1823 self
.dacl_add_ace(object_dn
, mod
)
1824 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1825 attrs
=["sDRightsEffective"])
1826 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1827 self
.assertEquals(len(res
), 1)
1828 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER
))
1829 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1830 _ldb
= self
.get_ldb_connection("testuser_attr2", "samba123@")
1831 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1832 attrs
=["sDRightsEffective"])
1833 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1834 self
.assertEquals(len(res
), 1)
1835 self
.assertEquals(res
[0]["sDRightsEffective"][0], \
1836 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL
))
1838 def test_allowedChildClassesEffective(self
):
1839 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1840 delete_force(self
.ldb_admin
, object_dn
)
1841 self
.ldb_admin
.create_ou(object_dn
)
1842 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1843 #give testuser1 read access so attributes can be retrieved
1844 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1845 self
.dacl_add_ace(object_dn
, mod
)
1846 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1847 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1848 attrs
=["allowedChildClassesEffective"])
1849 #there should be no allowed child classes
1850 self
.assertEquals(len(res
), 1)
1851 self
.assertFalse("allowedChildClassesEffective" in res
[0].keys())
1852 #give the user the right to create children of type user
1853 mod
= "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1854 self
.dacl_add_ace(object_dn
, mod
)
1855 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1856 attrs
=["allowedChildClassesEffective"])
1857 # allowedChildClassesEffective should only have one value, user
1858 self
.assertEquals(len(res
), 1)
1859 self
.assertEquals(len(res
[0]["allowedChildClassesEffective"]), 1)
1860 self
.assertEquals(res
[0]["allowedChildClassesEffective"][0], "user")
1862 def test_allowedAttributesEffective(self
):
1863 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1864 delete_force(self
.ldb_admin
, object_dn
)
1865 self
.ldb_admin
.create_ou(object_dn
)
1866 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1867 #give testuser1 read access so attributes can be retrieved
1868 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1869 self
.dacl_add_ace(object_dn
, mod
)
1870 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1871 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1872 attrs
=["allowedAttributesEffective"])
1873 #there should be no allowed attributes
1874 self
.assertEquals(len(res
), 1)
1875 self
.assertFalse("allowedAttributesEffective" in res
[0].keys())
1876 #give the user the right to write displayName and managedBy
1877 mod2
= "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1878 mod
= "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid
)
1879 # also rights to modify an read only attribute, fromEntry
1880 mod3
= "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid
)
1881 self
.dacl_add_ace(object_dn
, mod
+ mod2
+ mod3
)
1882 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1883 attrs
=["allowedAttributesEffective"])
1884 # value should only contain user and managedBy
1885 self
.assertEquals(len(res
), 1)
1886 self
.assertEquals(len(res
[0]["allowedAttributesEffective"]), 2)
1887 self
.assertTrue("displayName" in res
[0]["allowedAttributesEffective"])
1888 self
.assertTrue("managedBy" in res
[0]["allowedAttributesEffective"])
1890 if not "://" in host
:
1891 if os
.path
.isfile(host
):
1892 host
= "tdb://%s" % host
1894 host
= "ldap://%s" % host
1896 # use 'paged_search' module when connecting remotely
1897 if host
.lower().startswith("ldap://"):
1898 ldb_options
= ["modules:paged_searches"]
1902 session_info
=system_session(),
1904 options
=ldb_options
)
1906 runner
= SubunitTestRunner()
1908 if not runner
.run(unittest
.makeSuite(OwnerGroupDescriptorTests
)).wasSuccessful():
1910 if not runner
.run(unittest
.makeSuite(DaclDescriptorTests
)).wasSuccessful():
1912 if not runner
.run(unittest
.makeSuite(SdFlagsDescriptorTests
)).wasSuccessful():
1914 if not runner
.run(unittest
.makeSuite(RightsAttributesTests
)).wasSuccessful():