search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Tests for descriptor inheritance
[Samba/fernandojvsilva.git] / source4 / lib / ldb / tests / python / sec_descriptor.py
blob58a345450bc072b757c44ee271a4da9144463011
1 #!/usr/bin/python
2 # -*- coding: utf-8 -*-
3
4 import getopt
5 import optparse
6 import sys
7 import os
8 import base64
9 import re
10 import random
11
12 sys.path.append("bin/python")
13 sys.path.append("../lib/subunit/python")
14
15 import samba.getopt as options
16
17 # Some error messages that are being tested
18 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
19 from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
21
22 # For running the test unit
23 from samba.ndr import ndr_pack, ndr_unpack
24 from samba.dcerpc import security
25
26 from samba.auth import system_session
27 from samba import Ldb, DS_BEHAVIOR_WIN2008
28 from subunit import SubunitTestRunner
29 import unittest
30
31 parser = optparse.OptionParser("ldap [options] <host>")
32 sambaopts = options.SambaOptions(parser)
33 parser.add_option_group(sambaopts)
34 parser.add_option_group(options.VersionOptions(parser))
35
36 # use command line creds if available
37 credopts = options.CredentialsOptions(parser)
38 parser.add_option_group(credopts)
39 opts, args = parser.parse_args()
40
41 if len(args) < 1:
42 parser.print_usage()
43 sys.exit(1)
44
45 host = args[0]
46
47 lp = sambaopts.get_loadparm()
48 creds = credopts.get_credentials(lp)
49
50 #
51 # Tests start here
52 #
53
54 class DescriptorTests(unittest.TestCase):
55
56 def delete_force(self, ldb, dn):
57 try:
58 ldb.delete(dn)
59 except LdbError, (num, _):
60 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
61
62 def find_basedn(self, ldb):
63 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
64 attrs=["defaultNamingContext"])
65 self.assertEquals(len(res), 1)
66 return res[0]["defaultNamingContext"][0]
67
68 def find_configurationdn(self, ldb):
69 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
70 self.assertEquals(len(res), 1)
71 return res[0]["configurationNamingContext"][0]
72
73 def find_schemadn(self, ldb):
74 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
75 self.assertEquals(len(res), 1)
76 return res[0]["schemaNamingContext"][0]
77
78 def find_domain_sid(self, ldb):
79 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
80 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
81
82 def get_users_domain_dn(self, name):
83 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
84
85 def modify_desc(self, object_dn, desc):
86 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
87 mod = """
88 dn: """ + object_dn + """
89 changetype: modify
90 replace: nTSecurityDescriptor
91 """
92 if isinstance(desc, str):
93 mod += "nTSecurityDescriptor: %s" % desc
94 elif isinstance(desc, security.descriptor):
95 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
96 self.ldb_admin.modify_ldif(mod)
97
98 def create_domain_ou(self, _ldb, ou_dn, desc=None):
99 ldif = """
100 dn: """ + ou_dn + """
101 ou: """ + ou_dn.split(",")[0][3:] + """
102 objectClass: organizationalUnit
103 url: www.example.com
104 """
105 if desc:
106 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
107 if isinstance(desc, str):
108 ldif += "nTSecurityDescriptor: %s" % desc
109 elif isinstance(desc, security.descriptor):
110 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
111 _ldb.add_ldif(ldif)
112
113 def create_domain_user(self, _ldb, user_dn, desc=None):
114 ldif = """
115 dn: """ + user_dn + """
116 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
117 objectClass: user
118 userPassword: samba123@
119 url: www.example.com
120 """
121 if desc:
122 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
123 if isinstance(desc, str):
124 ldif += "nTSecurityDescriptor: %s" % desc
125 elif isinstance(desc, security.descriptor):
126 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
127 _ldb.add_ldif(ldif)
128
129 def create_domain_group(self, _ldb, group_dn, desc=None):
130 ldif = """
131 dn: """ + group_dn + """
132 objectClass: group
133 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
134 groupType: 4
135 url: www.example.com
136 """
137 if desc:
138 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
139 if isinstance(desc, str):
140 ldif += "nTSecurityDescriptor: %s" % desc
141 elif isinstance(desc, security.descriptor):
142 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
143 _ldb.add_ldif(ldif)
144
145 def get_unique_schema_class_name(self):
146 while True:
147 class_name = "test-class%s" % random.randint(1,100000)
148 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
149 try:
150 self.ldb_admin.search(base=class_dn, attrs=["*"])
151 except LdbError, (num, _):
152 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
153 return class_name
154
155 def create_schema_class(self, _ldb, object_dn, desc=None):
156 ldif = """
157 dn: """ + object_dn + """
158 objectClass: classSchema
159 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
160 defaultObjectCategory: """ + object_dn + """
161 distinguishedName: """ + object_dn + """
162 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
163 instanceType: 4
164 objectClassCategory: 1
165 subClassOf: organizationalPerson
166 systemFlags: 16
167 rDNAttID: cn
168 systemMustContain: cn
169 systemOnly: FALSE
170 """
171 if desc:
172 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
173 if isinstance(desc, str):
174 ldif += "nTSecurityDescriptor: %s" % desc
175 elif isinstance(desc, security.descriptor):
176 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
177 _ldb.add_ldif(ldif)
178
179 def create_configuration_container(self, _ldb, object_dn, desc=None):
180 ldif = """
181 dn: """ + object_dn + """
182 objectClass: container
183 objectCategory: CN=Container,""" + self.schema_dn + """
184 showInAdvancedViewOnly: TRUE
185 instanceType: 4
186 """
187 if desc:
188 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
189 if isinstance(desc, str):
190 ldif += "nTSecurityDescriptor: %s" % desc
191 elif isinstance(desc, security.descriptor):
192 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
193 _ldb.add_ldif(ldif)
194
195 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
196 ldif = """
197 dn: """ + object_dn + """
198 objectClass: displaySpecifier
199 showInAdvancedViewOnly: TRUE
200 """
201 if desc:
202 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
203 if isinstance(desc, str):
204 ldif += "nTSecurityDescriptor: %s" % desc
205 elif isinstance(desc, security.descriptor):
206 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
207 _ldb.add_ldif(ldif)
208
209 def read_desc(self, object_dn):
210 res = self.ldb_admin.search(base=object_dn, attrs=["nTSecurityDescriptor"])
211 desc = res[0]["nTSecurityDescriptor"][0]
212 return ndr_unpack( security.descriptor, desc )
213
214 def enable_account(self, user_dn):
215 """Enable an account.
216 :param user_dn: Dn of the account to enable.
217 """
218 res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
219 assert len(res) == 1
220 userAccountControl = res[0]["userAccountControl"][0]
221 userAccountControl = int(userAccountControl)
222 if (userAccountControl & 0x2):
223 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
224 if (userAccountControl & 0x20):
225 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
226 mod = """
227 dn: """ + user_dn + """
228 changetype: modify
229 replace: userAccountControl
230 userAccountControl: %s""" % userAccountControl
231 if self.WIN2003:
232 mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
233 self.ldb_admin.modify_ldif(mod)
234
235 def get_ldb_connection(self, target_username, target_password):
236 username_save = creds.get_username(); password_save = creds.get_password()
237 creds.set_username(target_username)
238 creds.set_password(target_password)
239 ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
240 creds.set_username(username_save); creds.set_password(password_save)
241 return ldb_target
242
243 def get_object_sid(self, object_dn):
244 res = self.ldb_admin.search(object_dn)
245 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
246
247 def dacl_add_ace(self, object_dn, ace):
248 desc = self.read_desc( object_dn )
249 desc_sddl = desc.as_sddl( self.domain_sid )
250 if ace in desc_sddl:
251 return
252 desc_sddl = desc_sddl[0:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
253 self.modify_desc(object_dn, desc_sddl)
254
255 def get_desc_sddl(self, object_dn):
256 """ Return object nTSecutiryDescriptor in SDDL format
257 """
258 desc = self.read_desc(object_dn)
259 return desc.as_sddl(self.domain_sid)
260
261 def setUp(self):
262 self.ldb_admin = ldb
263 self.base_dn = self.find_basedn(self.ldb_admin)
264 self.configuration_dn = self.find_configurationdn(self.ldb_admin)
265 self.schema_dn = self.find_schemadn(self.ldb_admin)
266 self.domain_sid = self.find_domain_sid(self.ldb_admin)
267 print "baseDN: %s" % self.base_dn
268 self.SAMBA = False; self.WIN2003 = False
269 res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"])
270 if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]:
271 self.SAMBA = True
272 else:
273 self.WIN2003 = True
274 #print "self.SAMBA:", self.SAMBA
275 #print "self.WIN2003:", self.WIN2003
276
277 ################################################################################################
278
279 ## Tests for DOMAIN
280
281 # Default descriptor tests #####################################################################
282
283 class OwnerGroupDescriptorTests(DescriptorTests):
284
285 def setUp(self):
286 DescriptorTests.setUp(self)
287 if self.SAMBA:
288 ### Create users
289 # User 1
290 user_dn = self.get_users_domain_dn("testuser1")
291 self.create_domain_user(self.ldb_admin, user_dn)
292 self.enable_account(user_dn)
293 ldif = """
294 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
295 changetype: add
296 member: """ + user_dn
297 self.ldb_admin.modify_ldif(ldif)
298 # User 2
299 user_dn = self.get_users_domain_dn("testuser2")
300 self.create_domain_user(self.ldb_admin, user_dn)
301 self.enable_account(user_dn)
302 ldif = """
303 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
304 changetype: add
305 member: """ + user_dn
306 self.ldb_admin.modify_ldif(ldif)
307 # User 3
308 user_dn = self.get_users_domain_dn("testuser3")
309 self.create_domain_user(self.ldb_admin, user_dn)
310 self.enable_account(user_dn)
311 ldif = """
312 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
313 changetype: add
314 member: """ + user_dn
315 self.ldb_admin.modify_ldif(ldif)
316 # User 4
317 user_dn = self.get_users_domain_dn("testuser4")
318 self.create_domain_user(self.ldb_admin, user_dn)
319 self.enable_account(user_dn)
320 # User 5
321 user_dn = self.get_users_domain_dn("testuser5")
322 self.create_domain_user(self.ldb_admin, user_dn)
323 self.enable_account(user_dn)
324 ldif = """
325 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
326 changetype: add
327 member: """ + user_dn + """
328
329 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
330 changetype: add
331 member: """ + user_dn
332 self.ldb_admin.modify_ldif(ldif)
333 # User 6
334 user_dn = self.get_users_domain_dn("testuser6")
335 self.create_domain_user(self.ldb_admin, user_dn)
336 self.enable_account(user_dn)
337 ldif = """
338 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
339 changetype: add
340 member: """ + user_dn + """
341
342 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
343 changetype: add
344 member: """ + user_dn + """
345
346 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
347 changetype: add
348 member: """ + user_dn
349 self.ldb_admin.modify_ldif(ldif)
350 # User 7
351 user_dn = self.get_users_domain_dn("testuser7")
352 self.create_domain_user(self.ldb_admin, user_dn)
353 self.enable_account(user_dn)
354 ldif = """
355 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
356 changetype: add
357 member: """ + user_dn + """
358
359 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
360 changetype: add
361 member: """ + user_dn
362 self.ldb_admin.modify_ldif(ldif)
363 # User 8
364 user_dn = self.get_users_domain_dn("testuser8")
365 self.create_domain_user(self.ldb_admin, user_dn)
366 self.enable_account(user_dn)
367 ldif = """
368 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
369 changetype: add
370 member: """ + user_dn + """
371
372 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
373 changetype: add
374 member: """ + user_dn
375 self.ldb_admin.modify_ldif(ldif)
376 self.results = {
377 # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008
378 "ds_behavior_win2003" : {
379 "100" : "O:EAG:DU",
380 "101" : "O:DAG:DU",
381 "102" : "O:%sG:DU",
382 "103" : "O:%sG:DU",
383 "104" : "O:DAG:DU",
384 "105" : "O:DAG:DU",
385 "106" : "O:DAG:DU",
386 "107" : "O:EAG:DU",
387 "108" : "O:DAG:DA",
388 "109" : "O:DAG:DA",
389 "110" : "O:%sG:DA",
390 "111" : "O:%sG:DA",
391 "112" : "O:DAG:DA",
392 "113" : "O:DAG:DA",
393 "114" : "O:DAG:DA",
394 "115" : "O:DAG:DA",
395 "130" : "O:EAG:DU",
396 "131" : "O:DAG:DU",
397 "132" : "O:SAG:DU",
398 "133" : "O:%sG:DU",
399 "134" : "O:EAG:DU",
400 "135" : "O:SAG:DU",
401 "136" : "O:SAG:DU",
402 "137" : "O:SAG:DU",
403 "138" : "O:DAG:DA",
404 "139" : "O:DAG:DA",
405 "140" : "O:%sG:DA",
406 "141" : "O:%sG:DA",
407 "142" : "O:DAG:DA",
408 "143" : "O:DAG:DA",
409 "144" : "O:DAG:DA",
410 "145" : "O:DAG:DA",
411 "160" : "O:EAG:DU",
412 "161" : "O:DAG:DU",
413 "162" : "O:%sG:DU",
414 "163" : "O:%sG:DU",
415 "164" : "O:EAG:DU",
416 "165" : "O:EAG:DU",
417 "166" : "O:DAG:DU",
418 "167" : "O:EAG:DU",
419 "168" : "O:DAG:DA",
420 "169" : "O:DAG:DA",
421 "170" : "O:%sG:DA",
422 "171" : "O:%sG:DA",
423 "172" : "O:DAG:DA",
424 "173" : "O:DAG:DA",
425 "174" : "O:DAG:DA",
426 "175" : "O:DAG:DA",
427 },
428 # msDS-Behavior-Version >= 3
429 "ds_behavior_win2008" : {
430 "100" : "O:EAG:EA",
431 "101" : "O:DAG:DA",
432 "102" : "O:%sG:DU",
433 "103" : "O:%sG:DU",
434 "104" : "O:DAG:DA",
435 "105" : "O:DAG:DA",
436 "106" : "O:DAG:DA",
437 "107" : "O:EAG:EA",
438 "108" : "O:DAG:DA",
439 "109" : "O:DAG:DA",
440 "110" : "O:%sG:DA",
441 "111" : "O:%sG:DA",
442 "112" : "O:DAG:DA",
443 "113" : "O:DAG:DA",
444 "114" : "O:DAG:DA",
445 "115" : "O:DAG:DA",
446 "130" : "",
447 "131" : "",
448 "132" : "",
449 "133" : "%s",
450 "134" : "",
451 "135" : "",
452 "136" : "",
453 "137" : "",
454 "138" : "",
455 "139" : "",
456 "140" : "%s",
457 "141" : "%s",
458 "142" : "",
459 "143" : "",
460 "144" : "",
461 "145" : "",
462 "160" : "O:EAG:EA",
463 "161" : "O:DAG:DA",
464 "162" : "O:%sG:DU",
465 "163" : "O:%sG:DU",
466 "164" : "O:EAG:EA",
467 "165" : "O:EAG:EA",
468 "166" : "O:DAG:DA",
469 "167" : "O:EAG:EA",
470 "168" : "O:DAG:DA",
471 "169" : "O:DAG:DA",
472 "170" : "O:%sG:DA",
473 "171" : "O:%sG:DA",
474 "172" : "O:DAG:DA",
475 "173" : "O:DAG:DA",
476 "174" : "O:DAG:DA",
477 "175" : "O:DAG:DA",
478 },
479 }
480 # Discover 'msDS-Behavior-Version'
481 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
482 attrs=['msDS-Behavior-Version'])
483 res = int(res[0]['msDS-Behavior-Version'][0])
484 if res < DS_BEHAVIOR_WIN2008:
485 self.DS_BEHAVIOR = "ds_behavior_win2003"
486 else:
487 self.DS_BEHAVIOR = "ds_behavior_win2008"
488
489 def tearDown(self):
490 if self.SAMBA:
491 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
492 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
493 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
494 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
495 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
496 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
497 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
498 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
499 # DOMAIN
500 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
501 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
502 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
503 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
504 # SCHEMA
505 # CONFIGURATION
506 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
507 + self.configuration_dn)
508 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
509
510 def check_user_belongs(self, user_dn, groups=[]):
511 """ Test wether user is member of the expected group(s) """
512 if groups != []:
513 # User is member of at least one additional group
514 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
515 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
516 expected = []
517 for x in groups:
518 expected.append(self.get_users_domain_dn(x))
519 expected = [x.upper() for x in sorted(expected)]
520 self.assertEqual(expected, res)
521 else:
522 # User is not a member of any additional groups but default
523 res = self.ldb_admin.search(user_dn, attrs=["*"])
524 res = [x.upper() for x in res[0].keys()]
525 self.assertFalse( "MEMBEROF" in res)
526
527 def test_100(self):
528 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
529 """
530 user_name = "testuser1"
531 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
532 # Open Ldb connection with the tested user
533 _ldb = self.get_ldb_connection("testuser1", "samba123@")
534 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
535 self.delete_force(self.ldb_admin, group_dn)
536 self.create_domain_group(_ldb, group_dn)
537 desc_sddl = self.get_desc_sddl(group_dn)
538 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
539 self.assertEqual(self.results[self.DS_BEHAVIOR]["100"], res)
540
541 def test_101(self):
542 """ Dmain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
543 """
544 user_name = "testuser2"
545 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
546 # Open Ldb connection with the tested user
547 _ldb = self.get_ldb_connection(user_name, "samba123@")
548 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
549 self.delete_force(self.ldb_admin, group_dn)
550 self.create_domain_group(_ldb, group_dn)
551 desc_sddl = self.get_desc_sddl(group_dn)
552 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
553 self.assertEqual(self.results[self.DS_BEHAVIOR]["101"], res)
554
555 def test_102(self):
556 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
557 """
558 user_name = "testuser3"
559 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
560 # Open Ldb connection with the tested user
561 _ldb = self.get_ldb_connection(user_name, "samba123@")
562 object_dn = "OU=test_domain_ou1," + self.base_dn
563 self.delete_force(self.ldb_admin, object_dn)
564 self.create_domain_ou(self.ldb_admin, object_dn)
565 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
566 mod = "(A;;CC;;;%s)" % str(user_sid)
567 self.dacl_add_ace(object_dn, mod)
568 # Create additional object into the first one
569 object_dn = "CN=test_domain_user1," + object_dn
570 self.delete_force(self.ldb_admin, object_dn)
571 self.create_domain_user(_ldb, object_dn)
572 desc_sddl = self.get_desc_sddl(object_dn)
573 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
574 self.assertEqual(self.results[self.DS_BEHAVIOR]["102"] % str(user_sid), res)
575
576 def test_103(self):
577 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
578 """
579 user_name = "testuser4"
580 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
581 # Open Ldb connection with the tested user
582 _ldb = self.get_ldb_connection(user_name, "samba123@")
583 object_dn = "OU=test_domain_ou1," + self.base_dn
584 self.delete_force(self.ldb_admin, object_dn)
585 self.create_domain_ou(self.ldb_admin, object_dn)
586 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
587 mod = "(A;;CC;;;%s)" % str(user_sid)
588 self.dacl_add_ace(object_dn, mod)
589 # Create additional object into the first one
590 object_dn = "CN=test_domain_user1," + object_dn
591 self.delete_force(self.ldb_admin, object_dn)
592 self.create_domain_user(_ldb, object_dn)
593 desc_sddl = self.get_desc_sddl(object_dn)
594 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
595 self.assertEqual(self.results[self.DS_BEHAVIOR]["103"] % str(user_sid), res)
596
597 def test_104(self):
598 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
599 """
600 user_name = "testuser5"
601 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
602 # Open Ldb connection with the tested user
603 _ldb = self.get_ldb_connection(user_name, "samba123@")
604 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
605 self.delete_force(self.ldb_admin, group_dn)
606 self.create_domain_group(_ldb, group_dn)
607 desc_sddl = self.get_desc_sddl(group_dn)
608 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
609 self.assertEqual(self.results[self.DS_BEHAVIOR]["104"], res)
610
611 def test_105(self):
612 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
613 """
614 user_name = "testuser6"
615 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
616 # Open Ldb connection with the tested user
617 _ldb = self.get_ldb_connection(user_name, "samba123@")
618 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
619 self.delete_force(self.ldb_admin, group_dn)
620 self.create_domain_group(_ldb, group_dn)
621 desc_sddl = self.get_desc_sddl(group_dn)
622 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
623 self.assertEqual(self.results[self.DS_BEHAVIOR]["105"], res)
624
625 def test_106(self):
626 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
627 """
628 user_name = "testuser7"
629 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
630 # Open Ldb connection with the tested user
631 _ldb = self.get_ldb_connection(user_name, "samba123@")
632 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
633 self.delete_force(self.ldb_admin, group_dn)
634 self.create_domain_group(_ldb, group_dn)
635 desc_sddl = self.get_desc_sddl(group_dn)
636 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
637 self.assertEqual(self.results[self.DS_BEHAVIOR]["106"], res)
638
639 def test_107(self):
640 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
641 """
642 user_name = "testuser8"
643 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
644 # Open Ldb connection with the tested user
645 _ldb = self.get_ldb_connection(user_name, "samba123@")
646 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
647 self.delete_force(self.ldb_admin, group_dn)
648 self.create_domain_group(_ldb, group_dn)
649 desc_sddl = self.get_desc_sddl(group_dn)
650 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
651 self.assertEqual(self.results[self.DS_BEHAVIOR]["107"], res)
652
653 # Control descriptor tests #####################################################################
654
655 def test_108(self):
656 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
657 """
658 user_name = "testuser1"
659 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
660 # Open Ldb connection with the tested user
661 _ldb = self.get_ldb_connection(user_name, "samba123@")
662 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
663 self.delete_force(self.ldb_admin, group_dn)
664 # Create a custom security descriptor
665 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
666 self.create_domain_group(_ldb, group_dn, desc_sddl)
667 desc_sddl = self.get_desc_sddl(group_dn)
668 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
669 self.assertEqual(self.results[self.DS_BEHAVIOR]["108"], res)
670
671 def test_109(self):
672 """ Domain admin group member creates object (custom descriptor) in DOMAIN
673 """
674 user_name = "testuser2"
675 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
676 # Open Ldb connection with the tested user
677 _ldb = self.get_ldb_connection(user_name, "samba123@")
678 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
679 self.delete_force(self.ldb_admin, group_dn)
680 # Create a custom security descriptor
681 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
682 self.create_domain_group(_ldb, group_dn, desc_sddl)
683 desc_sddl = self.get_desc_sddl(group_dn)
684 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
685 self.assertEqual(self.results[self.DS_BEHAVIOR]["109"], res)
686
687 def test_110(self):
688 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
689 """
690 user_name = "testuser3"
691 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
692 # Open Ldb connection with the tested user
693 _ldb = self.get_ldb_connection(user_name, "samba123@")
694 object_dn = "OU=test_domain_ou1," + self.base_dn
695 self.delete_force(self.ldb_admin, object_dn)
696 self.create_domain_ou(self.ldb_admin, object_dn)
697 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
698 mod = "(A;;CC;;;%s)" % str(user_sid)
699 self.dacl_add_ace(object_dn, mod)
700 # Create a custom security descriptor
701 # NB! Problematic owner part won't accept DA only <User Sid> !!!
702 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
703 # Create additional object into the first one
704 object_dn = "CN=test_domain_user1," + object_dn
705 self.delete_force(self.ldb_admin, object_dn)
706 self.create_domain_user(_ldb, object_dn, desc_sddl)
707 desc = self.read_desc(object_dn)
708 desc_sddl = self.get_desc_sddl(object_dn)
709 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
710 self.assertEqual(self.results[self.DS_BEHAVIOR]["110"] % str(user_sid), res)
711
712 def test_111(self):
713 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
714 """
715 user_name = "testuser4"
716 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
717 # Open Ldb connection with the tested user
718 _ldb = self.get_ldb_connection(user_name, "samba123@")
719 object_dn = "OU=test_domain_ou1," + self.base_dn
720 self.delete_force(self.ldb_admin, object_dn)
721 self.create_domain_ou(self.ldb_admin, object_dn)
722 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
723 mod = "(A;;CC;;;%s)" % str(user_sid)
724 self.dacl_add_ace(object_dn, mod)
725 # Create a custom security descriptor
726 # NB! Problematic owner part won't accept DA only <User Sid> !!!
727 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
728 # Create additional object into the first one
729 object_dn = "CN=test_domain_user1," + object_dn
730 self.delete_force(self.ldb_admin, object_dn)
731 self.create_domain_user(_ldb, object_dn, desc_sddl)
732 desc = self.read_desc(object_dn)
733 desc_sddl = self.get_desc_sddl(object_dn)
734 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
735 self.assertEqual(self.results[self.DS_BEHAVIOR]["111"] % str(user_sid), res)
736
737 def test_112(self):
738 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
739 """
740 user_name = "testuser5"
741 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
742 # Open Ldb connection with the tested user
743 _ldb = self.get_ldb_connection(user_name, "samba123@")
744 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
745 self.delete_force(self.ldb_admin, group_dn)
746 # Create a custom security descriptor
747 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
748 self.create_domain_group(_ldb, group_dn, desc_sddl)
749 desc_sddl = self.get_desc_sddl(group_dn)
750 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
751 self.assertEqual(self.results[self.DS_BEHAVIOR]["112"], res)
752
753 def test_113(self):
754 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
755 """
756 user_name = "testuser6"
757 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
758 # Open Ldb connection with the tested user
759 _ldb = self.get_ldb_connection(user_name, "samba123@")
760 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
761 self.delete_force(self.ldb_admin, group_dn)
762 # Create a custom security descriptor
763 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
764 self.create_domain_group(_ldb, group_dn, desc_sddl)
765 desc_sddl = self.get_desc_sddl(group_dn)
766 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
767 self.assertEqual(self.results[self.DS_BEHAVIOR]["113"], res)
768
769 def test_114(self):
770 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
771 """
772 user_name = "testuser7"
773 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
774 # Open Ldb connection with the tested user
775 _ldb = self.get_ldb_connection(user_name, "samba123@")
776 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
777 self.delete_force(self.ldb_admin, group_dn)
778 # Create a custom security descriptor
779 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
780 self.create_domain_group(_ldb, group_dn, desc_sddl)
781 desc_sddl = self.get_desc_sddl(group_dn)
782 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
783 self.assertEqual(self.results[self.DS_BEHAVIOR]["114"], res)
784
785 def test_115(self):
786 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
787 """
788 user_name = "testuser8"
789 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
790 # Open Ldb connection with the tested user
791 _ldb = self.get_ldb_connection(user_name, "samba123@")
792 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
793 self.delete_force(self.ldb_admin, group_dn)
794 # Create a custom security descriptor
795 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
796 self.create_domain_group(_ldb, group_dn, desc_sddl)
797 desc_sddl = self.get_desc_sddl(group_dn)
798 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
799 self.assertEqual(self.results[self.DS_BEHAVIOR]["115"], res)
800
801
802 def test_999(self):
803 user_name = "Administrator"
804 object_dn = "OU=test_domain_ou1," + self.base_dn
805 self.delete_force(self.ldb_admin, object_dn)
806 self.create_domain_ou(self.ldb_admin, object_dn)
807 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
808 mod = "(D;CI;WP;;;S-1-3-0)"
809 #mod = ""
810 self.dacl_add_ace(object_dn, mod)
811 desc_sddl = self.get_desc_sddl(object_dn)
812 #print desc_sddl
813 # Create additional object into the first one
814 object_dn = "OU=test_domain_ou2," + object_dn
815 self.delete_force(self.ldb_admin, object_dn)
816 self.create_domain_ou(self.ldb_admin, object_dn)
817 desc_sddl = self.get_desc_sddl(object_dn)
818 #print desc_sddl
819
820 ## Tests for SCHEMA
821
822 # Defalt descriptor tests ##################################################################
823
824 def test_130(self):
825 user_name = "testuser1"
826 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
827 # Open Ldb connection with the tested user
828 _ldb = self.get_ldb_connection(user_name, "samba123@")
829 # Change Schema partition descriptor
830 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
831 mod = "(A;;CC;;;AU)"
832 self.dacl_add_ace(self.schema_dn, mod)
833 # Create example Schema class
834 class_name = self.get_unique_schema_class_name()
835 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
836 self.create_schema_class(_ldb, class_dn)
837 desc_sddl = self.get_desc_sddl(class_dn)
838 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
839 self.assertEqual(self.results[self.DS_BEHAVIOR]["130"], res)
840
841 def test_131(self):
842 user_name = "testuser2"
843 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
844 # Open Ldb connection with the tested user
845 _ldb = self.get_ldb_connection(user_name, "samba123@")
846 # Change Schema partition descriptor
847 mod = "(A;;CC;;;AU)"
848 self.dacl_add_ace(self.schema_dn, mod)
849 # Create example Schema class
850 class_name = self.get_unique_schema_class_name()
851 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
852 self.create_schema_class(_ldb, class_dn)
853 desc_sddl = self.get_desc_sddl(class_dn)
854 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
855 self.assertEqual(self.results[self.DS_BEHAVIOR]["131"], res)
856
857 def test_132(self):
858 user_name = "testuser3"
859 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
860 # Open Ldb connection with the tested user
861 _ldb = self.get_ldb_connection(user_name, "samba123@")
862 # Change Schema partition descriptor
863 mod = "(A;;CC;;;AU)"
864 self.dacl_add_ace(self.schema_dn, mod)
865 # Create example Schema class
866 class_name = self.get_unique_schema_class_name()
867 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
868 self.create_schema_class(_ldb, class_dn)
869 desc_sddl = self.get_desc_sddl(class_dn)
870 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
871 self.assertEqual(self.results[self.DS_BEHAVIOR]["132"], res)
872
873 def test_133(self):
874 user_name = "testuser4"
875 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
876 # Open Ldb connection with the tested user
877 _ldb = self.get_ldb_connection(user_name, "samba123@")
878 #Change Schema partition descriptor
879 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
880 mod = "(A;;CC;;;AU)"
881 self.dacl_add_ace(self.schema_dn, mod)
882 # Create example Schema class
883 class_name = self.get_unique_schema_class_name()
884 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
885 self.create_schema_class(_ldb, class_dn)
886 desc_sddl = self.get_desc_sddl(class_dn)
887 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
888 self.assertEqual(self.results[self.DS_BEHAVIOR]["133"] % str(user_sid), res)
889
890 def test_134(self):
891 user_name = "testuser5"
892 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
893 # Open Ldb connection with the tested user
894 _ldb = self.get_ldb_connection(user_name, "samba123@")
895 #Change Schema partition descriptor
896 mod = "(A;;CC;;;AU)"
897 self.dacl_add_ace(self.schema_dn, mod)
898 # Create example Schema class
899 class_name = self.get_unique_schema_class_name()
900 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
901 self.create_schema_class(_ldb, class_dn)
902 desc_sddl = self.get_desc_sddl(class_dn)
903 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
904 self.assertEqual(self.results[self.DS_BEHAVIOR]["134"], res)
905
906 def test_135(self):
907 user_name = "testuser6"
908 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
909 # Open Ldb connection with the tested user
910 _ldb = self.get_ldb_connection(user_name, "samba123@")
911 # Change Schema partition descriptor
912 mod = "(A;;CC;;;AU)"
913 self.dacl_add_ace(self.schema_dn, mod)
914 # Create example Schema class
915 class_name = self.get_unique_schema_class_name()
916 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
917 self.create_schema_class(_ldb, class_dn)
918 desc_sddl = self.get_desc_sddl(class_dn)
919 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
920 self.assertEqual(self.results[self.DS_BEHAVIOR]["135"], res)
921
922 def test_136(self):
923 user_name = "testuser7"
924 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
925 # Open Ldb connection with the tested user
926 _ldb = self.get_ldb_connection(user_name, "samba123@")
927 # Change Schema partition descriptor
928 mod = "(A;;CC;;;AU)"
929 self.dacl_add_ace(self.schema_dn, mod)
930 # Create example Schema class
931 class_name = self.get_unique_schema_class_name()
932 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
933 self.create_schema_class(_ldb, class_dn)
934 desc_sddl = self.get_desc_sddl(class_dn)
935 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
936 self.assertEqual(self.results[self.DS_BEHAVIOR]["136"], res)
937
938 def test_137(self):
939 user_name = "testuser8"
940 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
941 # Open Ldb connection with the tested user
942 _ldb = self.get_ldb_connection(user_name, "samba123@")
943 # Change Schema partition descriptor
944 mod = "(A;;CC;;;AU)"
945 self.dacl_add_ace(self.schema_dn, mod)
946 # Create example Schema class
947 class_name = self.get_unique_schema_class_name()
948 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
949 self.create_schema_class(_ldb, class_dn)
950 desc_sddl = self.get_desc_sddl(class_dn)
951 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
952 self.assertEqual(self.results[self.DS_BEHAVIOR]["137"], res)
953
954 # Custom descriptor tests ##################################################################
955
956 def test_138(self):
957 user_name = "testuser1"
958 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
959 # Open Ldb connection with the tested user
960 _ldb = self.get_ldb_connection(user_name, "samba123@")
961 # Change Schema partition descriptor
962 mod = "(A;;CC;;;AU)"
963 self.dacl_add_ace(self.schema_dn, mod)
964 # Create a custom security descriptor
965 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
966 # Create example Schema class
967 class_name = self.get_unique_schema_class_name()
968 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
969 self.create_schema_class(_ldb, class_dn, desc_sddl)
970 desc_sddl = self.get_desc_sddl(class_dn)
971 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
972 self.assertEqual("O:DAG:DA", res)
973
974 def test_139(self):
975 user_name = "testuser2"
976 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
977 # Open Ldb connection with the tested user
978 _ldb = self.get_ldb_connection(user_name, "samba123@")
979 # Change Schema partition descriptor
980 mod = "(A;;CC;;;AU)"
981 self.dacl_add_ace(self.schema_dn, mod)
982 # Create a custom security descriptor
983 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
984 # Create example Schema class
985 class_name = self.get_unique_schema_class_name()
986 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
987 self.create_schema_class(_ldb, class_dn, desc_sddl)
988 desc_sddl = self.get_desc_sddl(class_dn)
989 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
990 self.assertEqual("O:DAG:DA", res)
991
992 def test_140(self):
993 user_name = "testuser3"
994 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
995 # Open Ldb connection with the tested user
996 _ldb = self.get_ldb_connection(user_name, "samba123@")
997 # Create a custom security descriptor
998 # NB! Problematic owner part won't accept DA only <User Sid> !!!
999 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1000 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1001 # Create example Schema class
1002 class_name = self.get_unique_schema_class_name()
1003 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1004 self.create_schema_class(_ldb, class_dn, desc_sddl)
1005 desc_sddl = self.get_desc_sddl(class_dn)
1006 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1007 self.assertEqual(self.results[self.DS_BEHAVIOR]["140"] % str(user_sid), res)
1008
1009 def test_141(self):
1010 user_name = "testuser4"
1011 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1012 # Open Ldb connection with the tested user
1013 _ldb = self.get_ldb_connection(user_name, "samba123@")
1014 # Create a custom security descriptor
1015 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1016 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1017 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1018 # Create example Schema class
1019 class_name = self.get_unique_schema_class_name()
1020 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1021 self.create_schema_class(_ldb, class_dn, desc_sddl)
1022 desc_sddl = self.get_desc_sddl(class_dn)
1023 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1024 self.assertEqual(self.results[self.DS_BEHAVIOR]["141"] % str(user_sid), res)
1025
1026 def test_142(self):
1027 user_name = "testuser5"
1028 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1029 # Open Ldb connection with the tested user
1030 _ldb = self.get_ldb_connection(user_name, "samba123@")
1031 # Change Schema partition descriptor
1032 mod = "(A;;CC;;;AU)"
1033 self.dacl_add_ace(self.schema_dn, mod)
1034 # Create a custom security descriptor
1035 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1036 # Create example Schema class
1037 class_name = self.get_unique_schema_class_name()
1038 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1039 self.create_schema_class(_ldb, class_dn, desc_sddl)
1040 desc_sddl = self.get_desc_sddl(class_dn)
1041 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1042 self.assertEqual("O:DAG:DA", res)
1043
1044 def test_143(self):
1045 user_name = "testuser6"
1046 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1047 # Open Ldb connection with the tested user
1048 _ldb = self.get_ldb_connection(user_name, "samba123@")
1049 # Change Schema partition descriptor
1050 mod = "(A;;CC;;;AU)"
1051 self.dacl_add_ace(self.schema_dn, mod)
1052 # Create a custom security descriptor
1053 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1054 # Create example Schema class
1055 class_name = self.get_unique_schema_class_name()
1056 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1057 self.create_schema_class(_ldb, class_dn, desc_sddl)
1058 desc_sddl = self.get_desc_sddl(class_dn)
1059 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1060 self.assertEqual("O:DAG:DA", res)
1061
1062 def test_144(self):
1063 user_name = "testuser7"
1064 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1065 # Open Ldb connection with the tested user
1066 _ldb = self.get_ldb_connection(user_name, "samba123@")
1067 # Change Schema partition descriptor
1068 mod = "(A;;CC;;;AU)"
1069 self.dacl_add_ace(self.schema_dn, mod)
1070 # Create a custom security descriptor
1071 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1072 # Create example Schema class
1073 class_name = self.get_unique_schema_class_name()
1074 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1075 self.create_schema_class(_ldb, class_dn, desc_sddl)
1076 desc_sddl = self.get_desc_sddl(class_dn)
1077 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1078 self.assertEqual("O:DAG:DA", res)
1079
1080 def test_145(self):
1081 user_name = "testuser8"
1082 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1083 # Open Ldb connection with the tested user
1084 _ldb = self.get_ldb_connection(user_name, "samba123@")
1085 # Change Schema partition descriptor
1086 mod = "(A;;CC;;;AU)"
1087 self.dacl_add_ace(self.schema_dn, mod)
1088 # Create a custom security descriptor
1089 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1090 # Create example Schema class
1091 class_name = self.get_unique_schema_class_name()
1092 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1093 self.create_schema_class(_ldb, class_dn, desc_sddl)
1094 desc_sddl = self.get_desc_sddl(class_dn)
1095 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1096 self.assertEqual("O:DAG:DA", res)
1097
1098 ## Tests for CONFIGURATION
1099
1100 # Defalt descriptor tests ##################################################################
1101
1102 def test_160(self):
1103 user_name = "testuser1"
1104 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1105 # Open Ldb connection with the tested user
1106 _ldb = self.get_ldb_connection(user_name, "samba123@")
1107 # Create example Configuration container
1108 container_name = "test-container1"
1109 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1110 self.delete_force(self.ldb_admin, object_dn)
1111 self.create_configuration_container(_ldb, object_dn, )
1112 desc_sddl = self.get_desc_sddl(object_dn)
1113 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1114 self.assertEqual(self.results[self.DS_BEHAVIOR]["160"], res)
1115
1116 def test_161(self):
1117 user_name = "testuser2"
1118 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1119 # Open Ldb connection with the tested user
1120 _ldb = self.get_ldb_connection(user_name, "samba123@")
1121 # Create example Configuration container
1122 container_name = "test-container1"
1123 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1124 self.delete_force(self.ldb_admin, object_dn)
1125 self.create_configuration_container(_ldb, object_dn, )
1126 desc_sddl = self.get_desc_sddl(object_dn)
1127 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1128 self.assertEqual(self.results[self.DS_BEHAVIOR]["161"], res)
1129
1130 def test_162(self):
1131 user_name = "testuser3"
1132 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1133 # Open Ldb connection with the tested user
1134 _ldb = self.get_ldb_connection(user_name, "samba123@")
1135 # Create example Configuration container
1136 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1137 self.delete_force(self.ldb_admin, object_dn)
1138 self.create_configuration_container(self.ldb_admin, object_dn, )
1139 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1140 mod = "(A;;CC;;;AU)"
1141 self.dacl_add_ace(object_dn, mod)
1142 # Create child object with user's credentials
1143 object_dn = "CN=test-specifier1," + object_dn
1144 self.delete_force(self.ldb_admin, object_dn)
1145 self.create_configuration_specifier(_ldb, object_dn)
1146 desc_sddl = self.get_desc_sddl(object_dn)
1147 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1148 self.assertEqual(self.results[self.DS_BEHAVIOR]["162"] % str(user_sid), res)
1149
1150 def test_163(self):
1151 user_name = "testuser4"
1152 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1153 # Open Ldb connection with the tested user
1154 _ldb = self.get_ldb_connection(user_name, "samba123@")
1155 # Create example Configuration container
1156 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1157 self.delete_force(self.ldb_admin, object_dn)
1158 self.create_configuration_container(self.ldb_admin, object_dn, )
1159 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1160 mod = "(A;;CC;;;AU)"
1161 self.dacl_add_ace(object_dn, mod)
1162 # Create child object with user's credentials
1163 object_dn = "CN=test-specifier1," + object_dn
1164 self.delete_force(self.ldb_admin, object_dn)
1165 self.create_configuration_specifier(_ldb, object_dn)
1166 desc_sddl = self.get_desc_sddl(object_dn)
1167 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1168 self.assertEqual(self.results[self.DS_BEHAVIOR]["163"] % str(user_sid), res)
1169
1170 def test_164(self):
1171 user_name = "testuser5"
1172 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1173 # Open Ldb connection with the tested user
1174 _ldb = self.get_ldb_connection(user_name, "samba123@")
1175 # Create example Configuration container
1176 container_name = "test-container1"
1177 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1178 self.delete_force(self.ldb_admin, object_dn)
1179 self.create_configuration_container(_ldb, object_dn, )
1180 desc_sddl = self.get_desc_sddl(object_dn)
1181 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1182 self.assertEqual(self.results[self.DS_BEHAVIOR]["164"], res)
1183
1184 def test_165(self):
1185 user_name = "testuser6"
1186 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1187 # Open Ldb connection with the tested user
1188 _ldb = self.get_ldb_connection(user_name, "samba123@")
1189 # Create example Configuration container
1190 container_name = "test-container1"
1191 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1192 self.delete_force(self.ldb_admin, object_dn)
1193 self.create_configuration_container(_ldb, object_dn, )
1194 desc_sddl = self.get_desc_sddl(object_dn)
1195 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1196 self.assertEqual(self.results[self.DS_BEHAVIOR]["165"], res)
1197
1198 def test_166(self):
1199 user_name = "testuser7"
1200 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1201 # Open Ldb connection with the tested user
1202 _ldb = self.get_ldb_connection(user_name, "samba123@")
1203 # Create example Configuration container
1204 container_name = "test-container1"
1205 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1206 self.delete_force(self.ldb_admin, object_dn)
1207 self.create_configuration_container(_ldb, object_dn, )
1208 desc_sddl = self.get_desc_sddl(object_dn)
1209 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1210 self.assertEqual(self.results[self.DS_BEHAVIOR]["166"], res)
1211
1212 def test_167(self):
1213 user_name = "testuser8"
1214 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1215 # Open Ldb connection with the tested user
1216 _ldb = self.get_ldb_connection(user_name, "samba123@")
1217 # Create example Configuration container
1218 container_name = "test-container1"
1219 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1220 self.delete_force(self.ldb_admin, object_dn)
1221 self.create_configuration_container(_ldb, object_dn, )
1222 desc_sddl = self.get_desc_sddl(object_dn)
1223 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1224 self.assertEqual(self.results[self.DS_BEHAVIOR]["167"], res)
1225
1226 # Custom descriptor tests ##################################################################
1227
1228 def test_168(self):
1229 user_name = "testuser1"
1230 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1231 # Open Ldb connection with the tested user
1232 _ldb = self.get_ldb_connection(user_name, "samba123@")
1233 # Create example Configuration container
1234 container_name = "test-container1"
1235 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1236 self.delete_force(self.ldb_admin, object_dn)
1237 # Create a custom security descriptor
1238 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1239 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1240 desc_sddl = self.get_desc_sddl(object_dn)
1241 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1242 self.assertEqual("O:DAG:DA", res)
1243
1244 def test_169(self):
1245 user_name = "testuser2"
1246 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1247 # Open Ldb connection with the tested user
1248 _ldb = self.get_ldb_connection(user_name, "samba123@")
1249 # Create example Configuration container
1250 container_name = "test-container1"
1251 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1252 self.delete_force(self.ldb_admin, object_dn)
1253 # Create a custom security descriptor
1254 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1255 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1256 desc_sddl = self.get_desc_sddl(object_dn)
1257 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1258 self.assertEqual("O:DAG:DA", res)
1259
1260 def test_170(self):
1261 user_name = "testuser3"
1262 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1263 # Open Ldb connection with the tested user
1264 _ldb = self.get_ldb_connection(user_name, "samba123@")
1265 # Create example Configuration container
1266 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1267 self.delete_force(self.ldb_admin, object_dn)
1268 self.create_configuration_container(self.ldb_admin, object_dn, )
1269 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1270 mod = "(A;;CC;;;AU)"
1271 self.dacl_add_ace(object_dn, mod)
1272 # Create child object with user's credentials
1273 object_dn = "CN=test-specifier1," + object_dn
1274 self.delete_force(self.ldb_admin, object_dn)
1275 # Create a custom security descriptor
1276 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1277 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1278 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1279 desc_sddl = self.get_desc_sddl(object_dn)
1280 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1281 self.assertEqual(self.results[self.DS_BEHAVIOR]["170"] % str(user_sid), res)
1282
1283 def test_171(self):
1284 user_name = "testuser4"
1285 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1286 # Open Ldb connection with the tested user
1287 _ldb = self.get_ldb_connection(user_name, "samba123@")
1288 # Create example Configuration container
1289 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1290 self.delete_force(self.ldb_admin, object_dn)
1291 self.create_configuration_container(self.ldb_admin, object_dn, )
1292 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1293 mod = "(A;;CC;;;AU)"
1294 self.dacl_add_ace(object_dn, mod)
1295 # Create child object with user's credentials
1296 object_dn = "CN=test-specifier1," + object_dn
1297 self.delete_force(self.ldb_admin, object_dn)
1298 # Create a custom security descriptor
1299 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1300 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1301 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1302 desc_sddl = self.get_desc_sddl(object_dn)
1303 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1304 self.assertEqual(self.results[self.DS_BEHAVIOR]["171"] % str(user_sid), res)
1305
1306 def test_172(self):
1307 user_name = "testuser5"
1308 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1309 # Open Ldb connection with the tested user
1310 _ldb = self.get_ldb_connection(user_name, "samba123@")
1311 # Create example Configuration container
1312 container_name = "test-container1"
1313 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1314 self.delete_force(self.ldb_admin, object_dn)
1315 # Create a custom security descriptor
1316 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1317 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1318 desc_sddl = self.get_desc_sddl(object_dn)
1319 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1320 self.assertEqual("O:DAG:DA", res)
1321
1322 def test_173(self):
1323 user_name = "testuser6"
1324 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1325 # Open Ldb connection with the tested user
1326 _ldb = self.get_ldb_connection(user_name, "samba123@")
1327 # Create example Configuration container
1328 container_name = "test-container1"
1329 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1330 self.delete_force(self.ldb_admin, object_dn)
1331 # Create a custom security descriptor
1332 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1333 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1334 desc_sddl = self.get_desc_sddl(object_dn)
1335 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1336 self.assertEqual("O:DAG:DA", res)
1337
1338 def test_174(self):
1339 user_name = "testuser7"
1340 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1341 # Open Ldb connection with the tested user
1342 _ldb = self.get_ldb_connection(user_name, "samba123@")
1343 # Create example Configuration container
1344 container_name = "test-container1"
1345 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1346 self.delete_force(self.ldb_admin, object_dn)
1347 # Create a custom security descriptor
1348 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1349 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1350 desc_sddl = self.get_desc_sddl(object_dn)
1351 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1352 self.assertEqual("O:DAG:DA", res)
1353
1354 def test_175(self):
1355 user_name = "testuser8"
1356 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1357 # Open Ldb connection with the tested user
1358 _ldb = self.get_ldb_connection(user_name, "samba123@")
1359 # Create example Configuration container
1360 container_name = "test-container1"
1361 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1362 self.delete_force(self.ldb_admin, object_dn)
1363 # Create a custom security descriptor
1364 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1365 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1366 desc_sddl = self.get_desc_sddl(object_dn)
1367 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1368 self.assertEqual("O:DAG:DA", res)
1369
1370 ########################################################################################
1371 # Inharitance tests for DACL
1372
1373 class DaclDescriptorTests(DescriptorTests):
1374
1375 def setUp(self):
1376 DescriptorTests.setUp(self)
1377
1378 def tearDown(self):
1379 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1380 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1381
1382 def create_clean_ou(self, object_dn):
1383 """ Base repeating setup for unittests to follow """
1384 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1385 expression="distinguishedName=%s" % object_dn)
1386 # Make sure top testing OU has been deleted before starting the test
1387 self.assertEqual(res, [])
1388 self.create_domain_ou(self.ldb_admin, object_dn)
1389 desc_sddl = self.get_desc_sddl(object_dn)
1390 # Make sutre there are inheritable ACEs initially
1391 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1392 # Find and remove all inherit ACEs
1393 res = re.findall("\(.*?\)", desc_sddl)
1394 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1395 for x in res:
1396 desc_sddl = desc_sddl.replace(x, "")
1397 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1398 # can propagate from above
1399 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1400 self.modify_desc(object_dn, desc_sddl)
1401 # Verify all inheritable ACEs are gone
1402 desc_sddl = self.get_desc_sddl(object_dn)
1403 self.assertFalse("CI" in desc_sddl)
1404 self.assertFalse("OI" in desc_sddl)
1405
1406 def test_200(self):
1407 """ OU with protected flag and child group. See if the group has inherit ACEs.
1408 """
1409 ou_dn = "OU=test_inherit_ou," + self.base_dn
1410 group_dn = "CN=test_inherit_group," + ou_dn
1411 # Create inheritable-free OU
1412 self.create_clean_ou(ou_dn)
1413 # Create group child object
1414 self.create_domain_group(self.ldb_admin, group_dn)
1415 # Make sure created group object contains NO inherit ACEs
1416 desc_sddl = self.get_desc_sddl(group_dn)
1417 self.assertFalse("ID" in desc_sddl)
1418
1419 def test_201(self):
1420 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1421 Verify group has custom and default ACEs only.
1422 """
1423 ou_dn = "OU=test_inherit_ou," + self.base_dn
1424 group_dn = "CN=test_inherit_group," + ou_dn
1425 # Create inheritable-free OU
1426 self.create_clean_ou(ou_dn)
1427 # Create group child object using custom security descriptor
1428 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1429 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1430 # Make sure created group descriptor has NO additional ACEs
1431 desc_sddl = self.get_desc_sddl(group_dn)
1432 self.assertEqual(desc_sddl, sddl)
1433
1434 def test_202(self):
1435 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1436 See if the group has any of the added ACEs.
1437 """
1438 ou_dn = "OU=test_inherit_ou," + self.base_dn
1439 group_dn = "CN=test_inherit_group," + ou_dn
1440 # Create inheritable-free OU
1441 self.create_clean_ou(ou_dn)
1442 # Add some custom non-inheritable ACEs
1443 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1444 self.dacl_add_ace(ou_dn, mod)
1445 # Verify all inheritable ACEs are gone
1446 desc_sddl = self.get_desc_sddl(ou_dn)
1447 # Create group child object
1448 self.create_domain_group(self.ldb_admin, group_dn)
1449 # Make sure created group object contains NO inherit ACEs
1450 # also make sure the added above non-inheritable ACEs are absant too
1451 desc_sddl = self.get_desc_sddl(group_dn)
1452 self.assertFalse("ID" in desc_sddl)
1453 for x in re.findall("\(.*?\)", mod):
1454 self.assertFalse(x in desc_sddl)
1455
1456 def test_203(self):
1457 """ OU with protected flag and add 'CI' ACE, child group.
1458 See if the group has the added inherited ACE.
1459 """
1460 ou_dn = "OU=test_inherit_ou," + self.base_dn
1461 group_dn = "CN=test_inherit_group," + ou_dn
1462 # Create inheritable-free OU
1463 self.create_clean_ou(ou_dn)
1464 # Add some custom 'CI' ACE
1465 mod = "(D;CI;WP;;;DU)"
1466 self.dacl_add_ace(ou_dn, mod)
1467 desc_sddl = self.get_desc_sddl(ou_dn)
1468 # Create group child object
1469 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1470 # Make sure created group object contains only the above inherited ACE
1471 # that we've added manually
1472 desc_sddl = self.get_desc_sddl(group_dn)
1473 mod = mod.replace(";CI;", ";CIID;")
1474 self.assertTrue(mod in desc_sddl)
1475
1476 def test_204(self):
1477 """ OU with protected flag and add 'OI' ACE, child group.
1478 See if the group has the added inherited ACE.
1479 """
1480 ou_dn = "OU=test_inherit_ou," + self.base_dn
1481 group_dn = "CN=test_inherit_group," + ou_dn
1482 # Create inheritable-free OU
1483 self.create_clean_ou(ou_dn)
1484 # Add some custom 'CI' ACE
1485 mod = "(D;OI;WP;;;DU)"
1486 self.dacl_add_ace(ou_dn, mod)
1487 desc_sddl = self.get_desc_sddl(ou_dn)
1488 # Create group child object
1489 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1490 # Make sure created group object contains only the above inherited ACE
1491 # that we've added manually
1492 desc_sddl = self.get_desc_sddl(group_dn)
1493 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1494 self.assertTrue(mod in desc_sddl)
1495
1496 def test_205(self):
1497 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1498 See if the group has the added inherited ACE.
1499 """
1500 ou_dn = "OU=test_inherit_ou," + self.base_dn
1501 group_dn = "CN=test_inherit_group," + ou_dn
1502 # Create inheritable-free OU
1503 self.create_clean_ou(ou_dn)
1504 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1505 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1506 self.dacl_add_ace(ou_dn, mod)
1507 desc_sddl = self.get_desc_sddl(ou_dn)
1508 # Create group child object
1509 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1510 # Make sure created group object contains only the above inherited ACE
1511 # that we've added manually
1512 desc_sddl = self.get_desc_sddl(group_dn)
1513 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1514 self.assertTrue(mod in desc_sddl)
1515
1516 def test_206(self):
1517 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1518 See if the group has the added inherited ACE.
1519 """
1520 ou_dn = "OU=test_inherit_ou," + self.base_dn
1521 group_dn = "CN=test_inherit_group," + ou_dn
1522 # Create inheritable-free OU
1523 self.create_clean_ou(ou_dn)
1524 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1525 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1526 self.dacl_add_ace(ou_dn, mod)
1527 desc_sddl = self.get_desc_sddl(ou_dn)
1528 # Create group child object
1529 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1530 # Make sure created group object contains only the above inherited ACE
1531 # that we've added manually
1532 desc_sddl = self.get_desc_sddl(group_dn)
1533 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1534 self.assertTrue(mod in desc_sddl)
1535
1536 def test_207(self):
1537 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1538 See if the group has the added inherited ACE.
1539 """
1540 ou_dn = "OU=test_inherit_ou," + self.base_dn
1541 group_dn = "CN=test_inherit_group," + ou_dn
1542 # Create inheritable-free OU
1543 self.create_clean_ou(ou_dn)
1544 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1545 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1546 self.dacl_add_ace(ou_dn, mod)
1547 desc_sddl = self.get_desc_sddl(ou_dn)
1548 # Create group child object
1549 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1550 # Make sure created group object contains only the above inherited ACE
1551 # that we've added manually
1552 desc_sddl = self.get_desc_sddl(group_dn)
1553 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1554 self.assertTrue(mod in desc_sddl)
1555
1556 def test_208(self):
1557 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1558 See if the group has the added inherited ACE.
1559 """
1560 ou_dn = "OU=test_inherit_ou," + self.base_dn
1561 group_dn = "CN=test_inherit_group," + ou_dn
1562 # Create inheritable-free OU
1563 self.create_clean_ou(ou_dn)
1564 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1565 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1566 self.dacl_add_ace(ou_dn, mod)
1567 desc_sddl = self.get_desc_sddl(ou_dn)
1568 # Create group child object
1569 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1570 # Make sure created group object contains only the above inherited ACE
1571 # that we've added manually
1572 desc_sddl = self.get_desc_sddl(group_dn)
1573 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1574 self.assertTrue(mod in desc_sddl)
1575
1576 def test_209(self):
1577 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1578 See if the group has the added inherited ACE.
1579 """
1580 ou_dn = "OU=test_inherit_ou," + self.base_dn
1581 group_dn = "CN=test_inherit_group," + ou_dn
1582 # Create inheritable-free OU
1583 self.create_clean_ou(ou_dn)
1584 # Add some custom 'CI' ACE
1585 mod = "(D;CI;WP;;;CO)"
1586 self.dacl_add_ace(ou_dn, mod)
1587 desc_sddl = self.get_desc_sddl(ou_dn)
1588 # Create group child object
1589 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1590 # Make sure created group object contains only the above inherited ACE(s)
1591 # that we've added manually
1592 desc_sddl = self.get_desc_sddl(group_dn)
1593 #print desc_sddl
1594 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1595 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1596
1597 ########################################################################################
1598
1599 if not "://" in host:
1600 host = "ldap://%s" % host
1601 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
1602
1603 runner = SubunitTestRunner()
1604 rc = 0
1605 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1606 rc = 1
1607 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1608 rc = 1
1609
1610 sys.exit(rc)
fernandojvsilva's samba4 branch