2 # -*- coding: utf-8 -*-
11 sys
.path
.insert(0, "bin/python")
13 samba
.ensure_external_module("testtools", "testtools")
14 samba
.ensure_external_module("subunit", "subunit/python")
16 import samba
.getopt
as options
18 # Some error messages that are being tested
19 from ldb
import SCOPE_SUBTREE
, SCOPE_BASE
, LdbError
, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba
.ndr
import ndr_pack
, ndr_unpack
23 from samba
.dcerpc
import security
25 from samba
import gensec
, sd_utils
26 from samba
.samdb
import SamDB
27 from samba
.credentials
import Credentials
, DONT_USE_KERBEROS
28 from samba
.auth
import system_session
29 from samba
.dsdb
import DS_DOMAIN_FUNCTION_2008
30 from samba
.dcerpc
.security
import (
31 SECINFO_OWNER
, SECINFO_GROUP
, SECINFO_DACL
, SECINFO_SACL
)
32 from subunit
.run
import SubunitTestRunner
34 from samba
.tests
import delete_force
37 parser
= optparse
.OptionParser("sec_descriptor.py [options] <host>")
38 sambaopts
= options
.SambaOptions(parser
)
39 parser
.add_option_group(sambaopts
)
40 parser
.add_option_group(options
.VersionOptions(parser
))
42 # use command line creds if available
43 credopts
= options
.CredentialsOptions(parser
)
44 parser
.add_option_group(credopts
)
45 opts
, args
= parser
.parse_args()
53 lp
= sambaopts
.get_loadparm()
54 creds
= credopts
.get_credentials(lp
)
55 creds
.set_gensec_features(creds
.get_gensec_features() | gensec
.FEATURE_SEAL
)
61 class DescriptorTests(samba
.tests
.TestCase
):
63 def get_users_domain_dn(self
, name
):
64 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
66 def get_unique_schema_class_name(self
):
68 class_name
= "test-class%s" % random
.randint(1,100000)
69 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
71 self
.ldb_admin
.search(base
=class_dn
, attrs
=["*"])
72 except LdbError
, (num
, _
):
73 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
76 def create_schema_class(self
, _ldb
, object_dn
, desc
=None):
78 dn: """ + object_dn
+ """
79 objectClass: classSchema
80 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
81 defaultObjectCategory: """ + object_dn
+ """
82 distinguishedName: """ + object_dn
+ """
83 governsID: 1.2.840.""" + str(random
.randint(1,100000)) + """.1.5.9939
85 objectClassCategory: 1
86 subClassOf: organizationalPerson
93 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
94 if isinstance(desc
, str):
95 ldif
+= "nTSecurityDescriptor: %s" % desc
96 elif isinstance(desc
, security
.descriptor
):
97 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
100 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
102 dn: """ + object_dn
+ """
103 objectClass: container
104 objectCategory: CN=Container,""" + self
.schema_dn
+ """
105 showInAdvancedViewOnly: TRUE
109 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
110 if isinstance(desc
, str):
111 ldif
+= "nTSecurityDescriptor: %s" % desc
112 elif isinstance(desc
, security
.descriptor
):
113 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
116 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
118 dn: """ + object_dn
+ """
119 objectClass: displaySpecifier
120 showInAdvancedViewOnly: TRUE
123 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
124 if isinstance(desc
, str):
125 ldif
+= "nTSecurityDescriptor: %s" % desc
126 elif isinstance(desc
, security
.descriptor
):
127 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
130 def get_ldb_connection(self
, target_username
, target_password
):
131 creds_tmp
= Credentials()
132 creds_tmp
.set_username(target_username
)
133 creds_tmp
.set_password(target_password
)
134 creds_tmp
.set_domain(creds
.get_domain())
135 creds_tmp
.set_realm(creds
.get_realm())
136 creds_tmp
.set_workstation(creds
.get_workstation())
137 creds_tmp
.set_gensec_features(creds_tmp
.get_gensec_features()
138 | gensec
.FEATURE_SEAL
)
139 creds_tmp
.set_kerberos_state(DONT_USE_KERBEROS
) # kinit is too expensive to use in a tight loop
140 ldb_target
= SamDB(url
=host
, credentials
=creds_tmp
, lp
=lp
)
144 super(DescriptorTests
, self
).setUp()
146 self
.base_dn
= ldb
.domain_dn()
147 self
.configuration_dn
= self
.ldb_admin
.get_config_basedn().get_linearized()
148 self
.schema_dn
= self
.ldb_admin
.get_schema_basedn().get_linearized()
149 self
.domain_sid
= security
.dom_sid(self
.ldb_admin
.get_domain_sid())
150 self
.sd_utils
= sd_utils
.SDUtils(ldb
)
151 print "baseDN: %s" % self
.base_dn
153 ################################################################################################
157 # Default descriptor tests #####################################################################
159 class OwnerGroupDescriptorTests(DescriptorTests
):
162 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
163 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
164 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
165 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
166 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
167 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
168 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
169 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
171 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
172 delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
173 delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
174 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
177 delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
178 + self
.configuration_dn
)
179 delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
182 super(OwnerGroupDescriptorTests
, self
).setUp()
185 # User 1 - Enterprise Admins
186 self
.ldb_admin
.newuser("testuser1", "samba123@")
187 # User 2 - Domain Admins
188 self
.ldb_admin
.newuser("testuser2", "samba123@")
189 # User 3 - Schema Admins
190 self
.ldb_admin
.newuser("testuser3", "samba123@")
191 # User 4 - regular user
192 self
.ldb_admin
.newuser("testuser4", "samba123@")
193 # User 5 - Enterprise Admins and Domain Admins
194 self
.ldb_admin
.newuser("testuser5", "samba123@")
195 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
196 self
.ldb_admin
.newuser("testuser6", "samba123@")
197 # User 7 - Domain Admins and Schema Admins
198 self
.ldb_admin
.newuser("testuser7", "samba123@")
199 # User 5 - Enterprise Admins and Schema Admins
200 self
.ldb_admin
.newuser("testuser8", "samba123@")
202 self
.ldb_admin
.add_remove_group_members("Enterprise Admins",
203 ["testuser1", "testuser5", "testuser6", "testuser8"],
204 add_members_operation
=True)
205 self
.ldb_admin
.add_remove_group_members("Domain Admins",
206 ["testuser2","testuser5","testuser6","testuser7"],
207 add_members_operation
=True)
208 self
.ldb_admin
.add_remove_group_members("Schema Admins",
209 ["testuser3","testuser6","testuser7","testuser8"],
210 add_members_operation
=True)
213 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
214 "ds_behavior_win2003" : {
264 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
265 "ds_behavior_win2008" : {
316 # Discover 'msDS-Behavior-Version'
317 res
= self
.ldb_admin
.search(base
=self
.base_dn
, expression
="distinguishedName=%s" % self
.base_dn
, \
318 attrs
=['msDS-Behavior-Version'])
319 res
= int(res
[0]['msDS-Behavior-Version'][0])
320 if res
< DS_DOMAIN_FUNCTION_2008
:
321 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
323 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
326 super(DescriptorTests
, self
).tearDown()
329 def check_user_belongs(self
, user_dn
, groups
=[]):
330 """ Test wether user is member of the expected group(s) """
332 # User is member of at least one additional group
333 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
334 res
= [x
.upper() for x
in sorted(list(res
[0]["memberOf"]))]
337 expected
.append(self
.get_users_domain_dn(x
))
338 expected
= [x
.upper() for x
in sorted(expected
)]
339 self
.assertEqual(expected
, res
)
341 # User is not a member of any additional groups but default
342 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
343 res
= [x
.upper() for x
in res
[0].keys()]
344 self
.assertFalse( "MEMBEROF" in res
)
346 def check_modify_inheritance(self
, _ldb
, object_dn
, owner_group
=""):
348 sd_user_utils
= sd_utils
.SDUtils(_ldb
)
349 ace
= "(D;;CC;;;LG)" # Deny Create Children to Guest account
350 if owner_group
!= "":
351 sd_user_utils
.modify_sd_on_dn(object_dn
, owner_group
+ "D:" + ace
)
353 sd_user_utils
.modify_sd_on_dn(object_dn
, "D:" + ace
)
354 # Make sure the modify operation has been applied
355 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
356 self
.assertTrue(ace
in desc_sddl
)
357 # Make sure we have identical result for both "add" and "modify"
358 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
359 print self
._testMethodName
360 test_number
= self
._testMethodName
[5:]
361 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][test_number
], res
)
364 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
366 user_name
= "testuser1"
367 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
368 # Open Ldb connection with the tested user
369 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
370 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
371 delete_force(self
.ldb_admin
, object_dn
)
372 _ldb
.newgroup("test_domain_group1", grouptype
=4)
373 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
374 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
375 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
376 self
.check_modify_inheritance(_ldb
, object_dn
)
379 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
381 user_name
= "testuser2"
382 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
383 # Open Ldb connection with the tested user
384 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
385 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
386 delete_force(self
.ldb_admin
, object_dn
)
387 _ldb
.newgroup("test_domain_group1", grouptype
=4)
388 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
389 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
390 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
391 self
.check_modify_inheritance(_ldb
, object_dn
)
394 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
396 user_name
= "testuser3"
397 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
398 # Open Ldb connection with the tested user
399 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
400 object_dn
= "OU=test_domain_ou1," + self
.base_dn
401 delete_force(self
.ldb_admin
, object_dn
)
402 self
.ldb_admin
.create_ou(object_dn
)
403 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
404 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
405 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
406 # Create additional object into the first one
407 object_dn
= "CN=test_domain_user1," + object_dn
408 delete_force(self
.ldb_admin
, object_dn
)
409 _ldb
.newuser("test_domain_user1", "samba123@",
410 userou
="OU=test_domain_ou1", setpassword
=False)
411 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
412 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
413 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
414 # This fails, research why
415 #self.check_modify_inheritance(_ldb, object_dn)
418 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
420 user_name
= "testuser4"
421 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
422 # Open Ldb connection with the tested user
423 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
424 object_dn
= "OU=test_domain_ou1," + self
.base_dn
425 delete_force(self
.ldb_admin
, object_dn
)
426 self
.ldb_admin
.create_ou(object_dn
)
427 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
428 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
429 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
430 # Create additional object into the first one
431 object_dn
= "CN=test_domain_user1," + object_dn
432 delete_force(self
.ldb_admin
, object_dn
)
433 _ldb
.newuser("test_domain_user1", "samba123@",
434 userou
="OU=test_domain_ou1", setpassword
=False)
435 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
436 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
437 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
438 #this fails, research why
439 #self.check_modify_inheritance(_ldb, object_dn)
442 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
444 user_name
= "testuser5"
445 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
446 # Open Ldb connection with the tested user
447 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
448 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
449 delete_force(self
.ldb_admin
, object_dn
)
450 _ldb
.newgroup("test_domain_group1", grouptype
=4)
451 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
452 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
453 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
454 self
.check_modify_inheritance(_ldb
, object_dn
)
457 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
459 user_name
= "testuser6"
460 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
461 # Open Ldb connection with the tested user
462 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
463 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
464 delete_force(self
.ldb_admin
, object_dn
)
465 _ldb
.newgroup("test_domain_group1", grouptype
=4)
466 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
467 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
468 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
469 self
.check_modify_inheritance(_ldb
, object_dn
)
472 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
474 user_name
= "testuser7"
475 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
476 # Open Ldb connection with the tested user
477 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
478 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
479 delete_force(self
.ldb_admin
, object_dn
)
480 _ldb
.newgroup("test_domain_group1", grouptype
=4)
481 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
482 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
483 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
484 self
.check_modify_inheritance(_ldb
, object_dn
)
487 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
489 user_name
= "testuser8"
490 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
491 # Open Ldb connection with the tested user
492 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
493 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
494 delete_force(self
.ldb_admin
, object_dn
)
495 _ldb
.newgroup("test_domain_group1", grouptype
=4)
496 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
497 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
498 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
499 self
.check_modify_inheritance(_ldb
, object_dn
)
501 # Control descriptor tests #####################################################################
504 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
506 user_name
= "testuser1"
507 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
508 # Open Ldb connection with the tested user
509 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
510 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
511 delete_force(self
.ldb_admin
, object_dn
)
512 # Create a custom security descriptor
513 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
514 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
515 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
516 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
517 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
518 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
521 """ Domain admin group member creates object (custom descriptor) in DOMAIN
523 user_name
= "testuser2"
524 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
525 # Open Ldb connection with the tested user
526 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
527 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
528 delete_force(self
.ldb_admin
, object_dn
)
529 # Create a custom security descriptor
530 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
531 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
532 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
533 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
534 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
535 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
538 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
540 user_name
= "testuser3"
541 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
542 # Open Ldb connection with the tested user
543 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
544 object_dn
= "OU=test_domain_ou1," + self
.base_dn
545 delete_force(self
.ldb_admin
, object_dn
)
546 self
.ldb_admin
.create_ou(object_dn
)
547 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
548 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
549 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
550 # Create a custom security descriptor
551 # NB! Problematic owner part won't accept DA only <User Sid> !!!
552 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
553 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
554 # Create additional object into the first one
555 object_dn
= "CN=test_domain_user1," + object_dn
556 delete_force(self
.ldb_admin
, object_dn
)
557 _ldb
.newuser("test_domain_user1", "samba123@",
558 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
559 desc
= self
.sd_utils
.read_sd_on_dn(object_dn
)
560 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
561 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
562 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
565 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
567 user_name
= "testuser4"
568 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
569 # Open Ldb connection with the tested user
570 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
571 object_dn
= "OU=test_domain_ou1," + self
.base_dn
572 delete_force(self
.ldb_admin
, object_dn
)
573 self
.ldb_admin
.create_ou(object_dn
)
574 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
575 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
576 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
577 # Create a custom security descriptor
578 # NB! Problematic owner part won't accept DA only <User Sid> !!!
579 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
580 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
581 # Create additional object into the first one
582 object_dn
= "CN=test_domain_user1," + object_dn
583 delete_force(self
.ldb_admin
, object_dn
)
584 _ldb
.newuser("test_domain_user1", "samba123@",
585 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
586 desc
= self
.sd_utils
.read_sd_on_dn(object_dn
)
587 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
588 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
589 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
592 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
594 user_name
= "testuser5"
595 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
596 # Open Ldb connection with the tested user
597 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
598 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
599 delete_force(self
.ldb_admin
, object_dn
)
600 # Create a custom security descriptor
601 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
602 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
603 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
604 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
605 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
606 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
609 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
611 user_name
= "testuser6"
612 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
613 # Open Ldb connection with the tested user
614 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
615 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
616 delete_force(self
.ldb_admin
, object_dn
)
617 # Create a custom security descriptor
618 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
619 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
620 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
621 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
622 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
623 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
626 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
628 user_name
= "testuser7"
629 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
630 # Open Ldb connection with the tested user
631 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
632 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
633 delete_force(self
.ldb_admin
, object_dn
)
634 # Create a custom security descriptor
635 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
636 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
637 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
638 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
639 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
640 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
643 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
645 user_name
= "testuser8"
646 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
647 # Open Ldb connection with the tested user
648 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
649 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
650 delete_force(self
.ldb_admin
, object_dn
)
651 # Create a custom security descriptor
652 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
653 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
654 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
655 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
656 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
657 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
660 user_name
= "Administrator"
661 object_dn
= "OU=test_domain_ou1," + self
.base_dn
662 delete_force(self
.ldb_admin
, object_dn
)
663 self
.ldb_admin
.create_ou(object_dn
)
664 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
665 mod
= "(D;CI;WP;;;S-1-3-0)"
667 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
668 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
669 # Create additional object into the first one
670 object_dn
= "OU=test_domain_ou2," + object_dn
671 delete_force(self
.ldb_admin
, object_dn
)
672 self
.ldb_admin
.create_ou(object_dn
)
673 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
677 # Defalt descriptor tests ##################################################################
680 user_name
= "testuser1"
681 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
682 # Open Ldb connection with the tested user
683 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
684 # Change Schema partition descriptor
685 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
686 mod
= "(A;;WDCC;;;AU)"
687 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
688 # Create example Schema class
689 class_name
= self
.get_unique_schema_class_name()
690 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
691 self
.create_schema_class(_ldb
, class_dn
)
692 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
693 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
694 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
695 self
.check_modify_inheritance(_ldb
, class_dn
)
698 user_name
= "testuser2"
699 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
700 # Open Ldb connection with the tested user
701 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
702 # Change Schema partition descriptor
703 mod
= "(A;CI;WDCC;;;AU)"
704 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
705 # Create example Schema class
706 class_name
= self
.get_unique_schema_class_name()
707 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
708 self
.create_schema_class(_ldb
, class_dn
)
709 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
710 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
711 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
712 self
.check_modify_inheritance(_ldb
, class_dn
)
715 user_name
= "testuser3"
716 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
717 # Open Ldb connection with the tested user
718 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
719 # Change Schema partition descriptor
720 mod
= "(A;CI;WDCC;;;AU)"
721 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
722 # Create example Schema class
723 class_name
= self
.get_unique_schema_class_name()
724 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
725 self
.create_schema_class(_ldb
, class_dn
)
726 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
727 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
728 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
729 #self.check_modify_inheritance(_ldb, class_dn)
732 user_name
= "testuser4"
733 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
734 # Open Ldb connection with the tested user
735 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
736 #Change Schema partition descriptor
737 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
738 mod
= "(A;CI;WDCC;;;AU)"
739 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
740 # Create example Schema class
741 class_name
= self
.get_unique_schema_class_name()
742 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
743 self
.create_schema_class(_ldb
, class_dn
)
744 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
745 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
746 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
747 #self.check_modify_inheritance(_ldb, class_dn)
750 user_name
= "testuser5"
751 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
752 # Open Ldb connection with the tested user
753 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
754 #Change Schema partition descriptor
755 mod
= "(A;CI;WDCC;;;AU)"
756 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
757 # Create example Schema class
758 class_name
= self
.get_unique_schema_class_name()
759 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
760 self
.create_schema_class(_ldb
, class_dn
)
761 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
762 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
763 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
764 self
.check_modify_inheritance(_ldb
, class_dn
)
767 user_name
= "testuser6"
768 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
769 # Open Ldb connection with the tested user
770 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
771 # Change Schema partition descriptor
772 mod
= "(A;CI;WDCC;;;AU)"
773 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
774 # Create example Schema class
775 class_name
= self
.get_unique_schema_class_name()
776 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
777 self
.create_schema_class(_ldb
, class_dn
)
778 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
779 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
780 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
781 self
.check_modify_inheritance(_ldb
, class_dn
)
784 user_name
= "testuser7"
785 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
786 # Open Ldb connection with the tested user
787 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
788 # Change Schema partition descriptor
789 mod
= "(A;CI;WDCC;;;AU)"
790 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
791 # Create example Schema class
792 class_name
= self
.get_unique_schema_class_name()
793 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
794 self
.create_schema_class(_ldb
, class_dn
)
795 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
796 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
797 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
798 self
.check_modify_inheritance(_ldb
, class_dn
)
801 user_name
= "testuser8"
802 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
803 # Open Ldb connection with the tested user
804 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
805 # Change Schema partition descriptor
806 mod
= "(A;CI;WDCC;;;AU)"
807 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
808 # Create example Schema class
809 class_name
= self
.get_unique_schema_class_name()
810 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
811 self
.create_schema_class(_ldb
, class_dn
)
812 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
813 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
814 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
815 self
.check_modify_inheritance(_ldb
, class_dn
)
817 # Custom descriptor tests ##################################################################
820 user_name
= "testuser1"
821 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
822 # Open Ldb connection with the tested user
823 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
824 # Change Schema partition descriptor
826 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
827 # Create a custom security descriptor
828 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
829 # Create example Schema class
830 class_name
= self
.get_unique_schema_class_name()
831 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
832 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
833 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
834 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
835 self
.assertEqual("O:DAG:DA", res
)
838 user_name
= "testuser2"
839 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
840 # Open Ldb connection with the tested user
841 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
842 # Change Schema partition descriptor
844 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
845 # Create a custom security descriptor
846 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
847 # Create example Schema class
848 class_name
= self
.get_unique_schema_class_name()
849 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
850 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
851 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
852 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
853 self
.assertEqual("O:DAG:DA", res
)
856 user_name
= "testuser3"
857 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
858 # Open Ldb connection with the tested user
859 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
860 # Create a custom security descriptor
861 # NB! Problematic owner part won't accept DA only <User Sid> !!!
862 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
863 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
864 # Create example Schema class
865 class_name
= self
.get_unique_schema_class_name()
866 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
867 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
868 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
869 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
870 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
873 user_name
= "testuser4"
874 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
875 # Open Ldb connection with the tested user
876 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
877 # Create a custom security descriptor
878 # NB! Problematic owner part won't accept DA only <User Sid> !!!
879 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
880 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
881 # Create example Schema class
882 class_name
= self
.get_unique_schema_class_name()
883 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
884 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
885 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
886 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
887 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
890 user_name
= "testuser5"
891 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
892 # Open Ldb connection with the tested user
893 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
894 # Change Schema partition descriptor
896 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
897 # Create a custom security descriptor
898 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
899 # Create example Schema class
900 class_name
= self
.get_unique_schema_class_name()
901 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
902 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
903 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
904 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
905 self
.assertEqual("O:DAG:DA", res
)
908 user_name
= "testuser6"
909 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
910 # Open Ldb connection with the tested user
911 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
912 # Change Schema partition descriptor
914 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
915 # Create a custom security descriptor
916 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
917 # Create example Schema class
918 class_name
= self
.get_unique_schema_class_name()
919 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
920 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
921 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
922 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
923 self
.assertEqual("O:DAG:DA", res
)
926 user_name
= "testuser7"
927 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
928 # Open Ldb connection with the tested user
929 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
930 # Change Schema partition descriptor
932 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
933 # Create a custom security descriptor
934 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
935 # Create example Schema class
936 class_name
= self
.get_unique_schema_class_name()
937 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
938 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
939 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
940 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
941 self
.assertEqual("O:DAG:DA", res
)
944 user_name
= "testuser8"
945 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
946 # Open Ldb connection with the tested user
947 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
948 # Change Schema partition descriptor
950 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
951 # Create a custom security descriptor
952 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
953 # Create example Schema class
954 class_name
= self
.get_unique_schema_class_name()
955 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
956 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
957 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
958 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
959 self
.assertEqual("O:DAG:DA", res
)
961 ## Tests for CONFIGURATION
963 # Defalt descriptor tests ##################################################################
966 user_name
= "testuser1"
967 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
968 # Open Ldb connection with the tested user
969 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
970 # Create example Configuration container
971 container_name
= "test-container1"
972 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
973 delete_force(self
.ldb_admin
, object_dn
)
974 self
.create_configuration_container(_ldb
, object_dn
, )
975 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
976 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
977 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
978 self
.check_modify_inheritance(_ldb
, object_dn
)
981 user_name
= "testuser2"
982 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
983 # Open Ldb connection with the tested user
984 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
985 # Create example Configuration container
986 container_name
= "test-container1"
987 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
988 delete_force(self
.ldb_admin
, object_dn
)
989 self
.create_configuration_container(_ldb
, object_dn
, )
990 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
991 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
992 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
993 self
.check_modify_inheritance(_ldb
, object_dn
)
996 user_name
= "testuser3"
997 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
998 # Open Ldb connection with the tested user
999 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1000 # Create example Configuration container
1001 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1002 delete_force(self
.ldb_admin
, object_dn
)
1003 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1004 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1005 mod
= "(A;;WDCC;;;AU)"
1006 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1007 # Create child object with user's credentials
1008 object_dn
= "CN=test-specifier1," + object_dn
1009 delete_force(self
.ldb_admin
, object_dn
)
1010 self
.create_configuration_specifier(_ldb
, object_dn
)
1011 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1012 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1013 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1014 #self.check_modify_inheritance(_ldb, object_dn)
1017 user_name
= "testuser4"
1018 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1019 # Open Ldb connection with the tested user
1020 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1021 # Create example Configuration container
1022 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1023 delete_force(self
.ldb_admin
, object_dn
)
1024 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1025 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1026 mod
= "(A;CI;WDCC;;;AU)"
1027 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1028 # Create child object with user's credentials
1029 object_dn
= "CN=test-specifier1," + object_dn
1030 delete_force(self
.ldb_admin
, object_dn
)
1031 self
.create_configuration_specifier(_ldb
, object_dn
)
1032 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1033 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1034 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1035 #self.check_modify_inheritance(_ldb, object_dn)
1038 user_name
= "testuser5"
1039 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1040 # Open Ldb connection with the tested user
1041 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1042 # Create example Configuration container
1043 container_name
= "test-container1"
1044 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1045 delete_force(self
.ldb_admin
, object_dn
)
1046 self
.create_configuration_container(_ldb
, object_dn
, )
1047 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1048 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1049 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1050 self
.check_modify_inheritance(_ldb
, object_dn
)
1053 user_name
= "testuser6"
1054 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1055 # Open Ldb connection with the tested user
1056 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1057 # Create example Configuration container
1058 container_name
= "test-container1"
1059 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1060 delete_force(self
.ldb_admin
, object_dn
)
1061 self
.create_configuration_container(_ldb
, object_dn
, )
1062 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1063 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1064 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1065 self
.check_modify_inheritance(_ldb
, object_dn
)
1068 user_name
= "testuser7"
1069 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1070 # Open Ldb connection with the tested user
1071 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1072 # Create example Configuration container
1073 container_name
= "test-container1"
1074 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1075 delete_force(self
.ldb_admin
, object_dn
)
1076 self
.create_configuration_container(_ldb
, object_dn
, )
1077 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1078 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1079 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1080 self
.check_modify_inheritance(_ldb
, object_dn
)
1083 user_name
= "testuser8"
1084 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1085 # Open Ldb connection with the tested user
1086 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1087 # Create example Configuration container
1088 container_name
= "test-container1"
1089 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1090 delete_force(self
.ldb_admin
, object_dn
)
1091 self
.create_configuration_container(_ldb
, object_dn
, )
1092 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1093 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1094 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1095 self
.check_modify_inheritance(_ldb
, object_dn
)
1097 # Custom descriptor tests ##################################################################
1100 user_name
= "testuser1"
1101 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1102 # Open Ldb connection with the tested user
1103 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1104 # Create example Configuration container
1105 container_name
= "test-container1"
1106 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1107 delete_force(self
.ldb_admin
, object_dn
)
1108 # Create a custom security descriptor
1109 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1110 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1111 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1112 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1113 self
.assertEqual("O:DAG:DA", res
)
1116 user_name
= "testuser2"
1117 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1118 # Open Ldb connection with the tested user
1119 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1120 # Create example Configuration container
1121 container_name
= "test-container1"
1122 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1123 delete_force(self
.ldb_admin
, object_dn
)
1124 # Create a custom security descriptor
1125 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1126 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1127 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1128 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1129 self
.assertEqual("O:DAG:DA", res
)
1132 user_name
= "testuser3"
1133 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1134 # Open Ldb connection with the tested user
1135 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1136 # Create example Configuration container
1137 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1138 delete_force(self
.ldb_admin
, object_dn
)
1139 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1140 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1141 mod
= "(A;;CC;;;AU)"
1142 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1143 # Create child object with user's credentials
1144 object_dn
= "CN=test-specifier1," + object_dn
1145 delete_force(self
.ldb_admin
, object_dn
)
1146 # Create a custom security descriptor
1147 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1148 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1149 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1150 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1151 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1152 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1155 user_name
= "testuser4"
1156 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1157 # Open Ldb connection with the tested user
1158 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1159 # Create example Configuration container
1160 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1161 delete_force(self
.ldb_admin
, object_dn
)
1162 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1163 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1164 mod
= "(A;;CC;;;AU)"
1165 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1166 # Create child object with user's credentials
1167 object_dn
= "CN=test-specifier1," + object_dn
1168 delete_force(self
.ldb_admin
, object_dn
)
1169 # Create a custom security descriptor
1170 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1171 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1172 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1173 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1174 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1175 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1178 user_name
= "testuser5"
1179 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1180 # Open Ldb connection with the tested user
1181 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1182 # Create example Configuration container
1183 container_name
= "test-container1"
1184 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1185 delete_force(self
.ldb_admin
, object_dn
)
1186 # Create a custom security descriptor
1187 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1188 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1189 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1190 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1191 self
.assertEqual("O:DAG:DA", res
)
1194 user_name
= "testuser6"
1195 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1196 # Open Ldb connection with the tested user
1197 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1198 # Create example Configuration container
1199 container_name
= "test-container1"
1200 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1201 delete_force(self
.ldb_admin
, object_dn
)
1202 # Create a custom security descriptor
1203 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1204 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1205 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1206 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1207 self
.assertEqual("O:DAG:DA", res
)
1210 user_name
= "testuser7"
1211 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1212 # Open Ldb connection with the tested user
1213 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1214 # Create example Configuration container
1215 container_name
= "test-container1"
1216 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1217 delete_force(self
.ldb_admin
, object_dn
)
1218 # Create a custom security descriptor
1219 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1220 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1221 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1222 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1223 self
.assertEqual("O:DAG:DA", res
)
1226 user_name
= "testuser8"
1227 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1228 # Open Ldb connection with the tested user
1229 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1230 # Create example Configuration container
1231 container_name
= "test-container1"
1232 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1233 delete_force(self
.ldb_admin
, object_dn
)
1234 # Create a custom security descriptor
1235 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1236 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1237 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1238 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1239 self
.assertEqual("O:DAG:DA", res
)
1241 ########################################################################################
1242 # Inheritance tests for DACL
1244 class DaclDescriptorTests(DescriptorTests
):
1246 def deleteAll(self
):
1247 delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1248 delete_force(self
.ldb_admin
, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self
.base_dn
)
1249 delete_force(self
.ldb_admin
, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self
.base_dn
)
1250 delete_force(self
.ldb_admin
, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self
.base_dn
)
1251 delete_force(self
.ldb_admin
, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self
.base_dn
)
1252 delete_force(self
.ldb_admin
, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self
.base_dn
)
1253 delete_force(self
.ldb_admin
, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self
.base_dn
)
1254 delete_force(self
.ldb_admin
, "OU=test_inherit_ou_p," + self
.base_dn
)
1255 delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1258 super(DaclDescriptorTests
, self
).setUp()
1261 def create_clean_ou(self
, object_dn
):
1262 """ Base repeating setup for unittests to follow """
1263 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
, \
1264 expression
="distinguishedName=%s" % object_dn
)
1265 # Make sure top testing OU has been deleted before starting the test
1266 self
.assertEqual(len(res
), 0)
1267 self
.ldb_admin
.create_ou(object_dn
)
1268 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1269 # Make sure there are inheritable ACEs initially
1270 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1271 # Find and remove all inherit ACEs
1272 res
= re
.findall("\(.*?\)", desc_sddl
)
1273 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1275 desc_sddl
= desc_sddl
.replace(x
, "")
1276 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1277 # can propagate from above
1278 # remove SACL, we are not interested
1279 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1280 self
.sd_utils
.modify_sd_on_dn(object_dn
, desc_sddl
)
1281 # Verify all inheritable ACEs are gone
1282 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1283 self
.assertFalse("CI" in desc_sddl
)
1284 self
.assertFalse("OI" in desc_sddl
)
1287 """ OU with protected flag and child group. See if the group has inherit ACEs.
1289 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1290 group_dn
= "CN=test_inherit_group," + ou_dn
1291 # Create inheritable-free OU
1292 self
.create_clean_ou(ou_dn
)
1293 # Create group child object
1294 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1295 # Make sure created group object contains NO inherit ACEs
1296 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1297 self
.assertFalse("ID" in desc_sddl
)
1300 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1301 Verify group has custom and default ACEs only.
1303 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1304 group_dn
= "CN=test_inherit_group," + ou_dn
1305 # Create inheritable-free OU
1306 self
.create_clean_ou(ou_dn
)
1307 # Create group child object using custom security descriptor
1308 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1309 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
1310 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1311 # Make sure created group descriptor has NO additional ACEs
1312 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1313 self
.assertEqual(desc_sddl
, sddl
)
1314 sddl
= "O:AUG:AUD:AI(D;;CC;;;LG)"
1315 self
.sd_utils
.modify_sd_on_dn(group_dn
, sddl
)
1316 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1317 self
.assertEqual(desc_sddl
, sddl
)
1320 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1321 See if the group has any of the added ACEs.
1323 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1324 group_dn
= "CN=test_inherit_group," + ou_dn
1325 # Create inheritable-free OU
1326 self
.create_clean_ou(ou_dn
)
1327 # Add some custom non-inheritable ACEs
1328 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1329 moded
= "(D;;CC;;;LG)"
1330 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1331 # Verify all inheritable ACEs are gone
1332 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1333 # Create group child object
1334 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1335 # Make sure created group object contains NO inherit ACEs
1336 # also make sure the added above non-inheritable ACEs are absent too
1337 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1338 self
.assertFalse("ID" in desc_sddl
)
1339 for x
in re
.findall("\(.*?\)", mod
):
1340 self
.assertFalse(x
in desc_sddl
)
1341 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1342 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1343 self
.assertFalse("ID" in desc_sddl
)
1344 for x
in re
.findall("\(.*?\)", mod
):
1345 self
.assertFalse(x
in desc_sddl
)
1348 """ OU with protected flag and add 'CI' ACE, child group.
1349 See if the group has the added inherited ACE.
1351 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1352 group_dn
= "CN=test_inherit_group," + ou_dn
1353 # Create inheritable-free OU
1354 self
.create_clean_ou(ou_dn
)
1355 # Add some custom 'CI' ACE
1356 mod
= "(D;CI;WP;;;DU)"
1357 moded
= "(D;;CC;;;LG)"
1358 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1359 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1360 # Create group child object
1361 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1362 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1363 # Make sure created group object contains only the above inherited ACE
1364 # that we've added manually
1365 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1366 mod
= mod
.replace(";CI;", ";CIID;")
1367 self
.assertTrue(mod
in desc_sddl
)
1368 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1369 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1370 self
.assertTrue(moded
in desc_sddl
)
1371 self
.assertTrue(mod
in desc_sddl
)
1374 """ OU with protected flag and add 'OI' ACE, child group.
1375 See if the group has the added inherited ACE.
1377 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1378 group_dn
= "CN=test_inherit_group," + ou_dn
1379 # Create inheritable-free OU
1380 self
.create_clean_ou(ou_dn
)
1381 # Add some custom 'CI' ACE
1382 mod
= "(D;OI;WP;;;DU)"
1383 moded
= "(D;;CC;;;LG)"
1384 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1385 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1386 # Create group child object
1387 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1388 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1389 # Make sure created group object contains only the above inherited ACE
1390 # that we've added manually
1391 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1392 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1393 self
.assertTrue(mod
in desc_sddl
)
1394 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" +moded
)
1395 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1396 self
.assertTrue(moded
in desc_sddl
)
1397 self
.assertTrue(mod
in desc_sddl
)
1400 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1401 See if the group has the added inherited ACE.
1403 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1404 group_dn
= "CN=test_inherit_group," + ou_dn
1405 # Create inheritable-free OU
1406 self
.create_clean_ou(ou_dn
)
1407 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1408 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1409 moded
= "(D;;CC;;;LG)"
1410 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1411 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1412 # Create group child object
1413 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1414 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1415 # Make sure created group object contains only the above inherited ACE
1416 # that we've added manually
1417 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1418 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1419 self
.assertTrue(mod
in desc_sddl
)
1420 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1421 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1422 self
.assertTrue(moded
in desc_sddl
)
1423 self
.assertTrue(mod
in desc_sddl
)
1426 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1427 See if the group has the added inherited ACE.
1429 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1430 group_dn
= "CN=test_inherit_group," + ou_dn
1431 # Create inheritable-free OU
1432 self
.create_clean_ou(ou_dn
)
1433 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1434 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1435 moded
= "(D;;CC;;;LG)"
1436 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1437 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1438 # Create group child object
1439 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1440 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1441 # Make sure created group object contains only the above inherited ACE
1442 # that we've added manually
1443 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1444 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1445 self
.assertTrue(mod
in desc_sddl
)
1446 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1447 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1448 self
.assertTrue(moded
in desc_sddl
)
1449 self
.assertTrue(mod
in desc_sddl
)
1452 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1453 See if the group has the added inherited ACE.
1455 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1456 group_dn
= "CN=test_inherit_group," + ou_dn
1457 # Create inheritable-free OU
1458 self
.create_clean_ou(ou_dn
)
1459 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1460 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1461 moded
= "(D;;CC;;;LG)"
1462 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1463 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1464 # Create group child object
1465 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1466 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1467 # Make sure created group object contains only the above inherited ACE
1468 # that we've added manually
1469 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1470 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1471 self
.assertTrue(mod
in desc_sddl
)
1472 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1473 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1474 self
.assertTrue(moded
in desc_sddl
)
1475 self
.assertTrue(mod
in desc_sddl
)
1478 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1479 See if the group has the added inherited ACE.
1481 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1482 group_dn
= "CN=test_inherit_group," + ou_dn
1483 # Create inheritable-free OU
1484 self
.create_clean_ou(ou_dn
)
1485 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1486 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1487 moded
= "(D;;CC;;;LG)"
1488 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1489 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1490 # Create group child object
1491 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1492 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1493 # Make sure created group object contains only the above inherited ACE
1494 # that we've added manually
1495 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1496 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1497 self
.assertTrue(mod
in desc_sddl
)
1498 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded
)
1499 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1500 self
.assertTrue(moded
in desc_sddl
)
1501 self
.assertTrue(mod
in desc_sddl
)
1504 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1505 See if the group has the added inherited ACE.
1507 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1508 group_dn
= "CN=test_inherit_group," + ou_dn
1509 # Create inheritable-free OU
1510 self
.create_clean_ou(ou_dn
)
1511 # Add some custom 'CI' ACE
1512 mod
= "(D;CI;WP;;;CO)"
1513 moded
= "(D;;CC;;;LG)"
1514 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1515 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1516 # Create group child object
1517 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1518 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1519 # Make sure created group object contains only the above inherited ACE(s)
1520 # that we've added manually
1521 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1522 self
.assertTrue("(D;ID;WP;;;AU)" in desc_sddl
)
1523 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1524 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1525 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1526 self
.assertTrue(moded
in desc_sddl
)
1527 self
.assertTrue("(D;ID;WP;;;DA)" in desc_sddl
)
1528 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1531 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1533 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1534 group_dn
= "CN=test_inherit_group," + ou_dn
1535 self
.create_clean_ou(ou_dn
)
1536 # Add some custom ACE
1537 mod
= "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1538 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1539 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1540 # Make sure created group object does not contain the ID ace
1541 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1542 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1545 """ Provide ACE with CO SID, should be expanded and replaced
1547 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1548 group_dn
= "CN=test_inherit_group," + ou_dn
1549 # Create inheritable-free OU
1550 self
.create_clean_ou(ou_dn
)
1551 # Add some custom 'CI' ACE
1552 mod
= "D:(D;CI;WP;;;CO)"
1553 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1554 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1555 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1556 self
.assertTrue("(D;;WP;;;DA)" in desc_sddl
)
1557 self
.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl
)
1560 """ Provide ACE with IO flag, should be ignored
1562 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1563 group_dn
= "CN=test_inherit_group," + ou_dn
1564 # Create inheritable-free OU
1565 self
.create_clean_ou(ou_dn
)
1566 # Add some custom 'CI' ACE
1567 mod
= "D:(D;CIIO;WP;;;CO)"
1568 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1569 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1570 # Make sure created group object contains only the above inherited ACE(s)
1571 # that we've added manually
1572 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1573 self
.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl
)
1574 self
.assertFalse("(D;;WP;;;DA)" in desc_sddl
)
1575 self
.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl
)
1578 """ Provide ACE with IO flag, should be ignored
1580 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1581 group_dn
= "CN=test_inherit_group," + ou_dn
1582 # Create inheritable-free OU
1583 self
.create_clean_ou(ou_dn
)
1584 mod
= "D:(D;IO;WP;;;DA)"
1585 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1586 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1587 # Make sure created group object contains only the above inherited ACE(s)
1588 # that we've added manually
1589 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1590 self
.assertFalse("(D;IO;WP;;;DA)" in desc_sddl
)
1593 """ Test behavior of ACEs containing generic rights
1595 ou_dn
= "OU=test_inherit_ou_p," + self
.base_dn
1596 ou_dn1
= "OU=test_inherit_ou1," + ou_dn
1597 ou_dn2
= "OU=test_inherit_ou2," + ou_dn
1598 ou_dn3
= "OU=test_inherit_ou3," + ou_dn
1599 ou_dn4
= "OU=test_inherit_ou4," + ou_dn
1600 ou_dn5
= "OU=test_inherit_ou5," + ou_dn1
1601 ou_dn6
= "OU=test_inherit_ou6," + ou_dn2
1602 # Create inheritable-free OU
1603 mod
= "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1604 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1605 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1606 mod
= "D:(A;CI;GA;;;DU)"
1607 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1608 self
.ldb_admin
.create_ou(ou_dn1
, sd
=tmp_desc
)
1609 mod
= "D:(A;CIIO;GA;;;DU)"
1610 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1611 self
.ldb_admin
.create_ou(ou_dn2
, sd
=tmp_desc
)
1612 mod
= "D:(A;;GA;;;DU)"
1613 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1614 self
.ldb_admin
.create_ou(ou_dn3
, sd
=tmp_desc
)
1615 mod
= "D:(A;IO;GA;;;DU)"
1616 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1617 self
.ldb_admin
.create_ou(ou_dn4
, sd
=tmp_desc
)
1619 self
.ldb_admin
.create_ou(ou_dn5
)
1620 self
.ldb_admin
.create_ou(ou_dn6
)
1622 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn1
)
1623 self
.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1624 self
.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl
)
1625 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn2
)
1626 self
.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1627 self
.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl
)
1628 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn3
)
1629 self
.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1630 self
.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl
)
1631 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn4
)
1632 self
.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1633 self
.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl
)
1634 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn5
)
1635 self
.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1636 self
.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl
)
1637 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn6
)
1638 self
.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1639 self
.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl
)
1642 """ Make sure IO flag is removed in child objects
1644 ou_dn
= "OU=test_inherit_ou_p," + self
.base_dn
1645 ou_dn1
= "OU=test_inherit_ou1," + ou_dn
1646 ou_dn5
= "OU=test_inherit_ou5," + ou_dn1
1647 # Create inheritable-free OU
1648 mod
= "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1649 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1650 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1651 mod
= "D:(A;CIIO;WP;;;DU)"
1652 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1653 self
.ldb_admin
.create_ou(ou_dn1
, sd
=tmp_desc
)
1654 self
.ldb_admin
.create_ou(ou_dn5
)
1655 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn5
)
1656 self
.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl
)
1657 self
.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl
)
1660 """ Make sure ID ACES provided by user are ignored
1662 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1663 group_dn
= "CN=test_inherit_group," + ou_dn
1664 mod
= "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1665 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1666 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1667 # Add some custom ACE
1668 mod
= "D:(D;ID;WP;;;AU)"
1669 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1670 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1671 # Make sure created group object does not contain the ID ace
1672 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1673 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1674 self
.assertFalse("(A;;WP;;;AU)" in desc_sddl
)
1677 """ Make sure ID ACES provided by user are not ignored if P flag is set
1679 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1680 group_dn
= "CN=test_inherit_group," + ou_dn
1681 mod
= "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1682 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1683 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1684 # Add some custom ACE
1685 mod
= "D:P(A;ID;WP;;;AU)"
1686 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1687 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1688 # Make sure created group object does not contain the ID ace
1689 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1690 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1691 self
.assertTrue("(A;;WP;;;AU)" in desc_sddl
)
1693 ########################################################################################
1696 class SdFlagsDescriptorTests(DescriptorTests
):
1697 def deleteAll(self
):
1698 delete_force(self
.ldb_admin
, "OU=test_sdflags_ou," + self
.base_dn
)
1701 super(SdFlagsDescriptorTests
, self
).setUp()
1702 self
.test_descr
= "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1706 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1707 See that only the owner has been changed.
1709 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1710 self
.ldb_admin
.create_ou(ou_dn
)
1711 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1712 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1713 # make sure we have modified the owner
1714 self
.assertTrue("O:AU" in desc_sddl
)
1715 # make sure nothing else has been modified
1716 self
.assertFalse("G:AU" in desc_sddl
)
1717 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1718 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1721 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1722 See that only the owner has been changed.
1724 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1725 self
.ldb_admin
.create_ou(ou_dn
)
1726 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1727 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1728 # make sure we have modified the group
1729 self
.assertTrue("G:AU" in desc_sddl
)
1730 # make sure nothing else has been modified
1731 self
.assertFalse("O:AU" in desc_sddl
)
1732 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1733 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1736 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1737 See that only the owner has been changed.
1739 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1740 self
.ldb_admin
.create_ou(ou_dn
)
1741 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1742 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1743 # make sure we have modified the DACL
1744 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1745 # make sure nothing else has been modified
1746 self
.assertFalse("O:AU" in desc_sddl
)
1747 self
.assertFalse("G:AU" in desc_sddl
)
1748 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1751 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1752 See that only the owner has been changed.
1754 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1755 self
.ldb_admin
.create_ou(ou_dn
)
1756 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1757 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1758 # make sure we have modified the DACL
1759 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1760 # make sure nothing else has been modified
1761 self
.assertFalse("O:AU" in desc_sddl
)
1762 self
.assertFalse("G:AU" in desc_sddl
)
1763 self
.assertFalse("(D;;CC;;;LG)" in desc_sddl
)
1766 """ Modify a descriptor with 0x0 set.
1767 Contrary to logic this is interpreted as no control,
1768 which is the same as 0xF
1770 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1771 self
.ldb_admin
.create_ou(ou_dn
)
1772 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:0"])
1773 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1774 # make sure we have modified the DACL
1775 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1776 # make sure nothing else has been modified
1777 self
.assertTrue("O:AU" in desc_sddl
)
1778 self
.assertTrue("G:AU" in desc_sddl
)
1779 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1782 """ Modify a descriptor with 0xF set.
1784 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1785 self
.ldb_admin
.create_ou(ou_dn
)
1786 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:15"])
1787 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1788 # make sure we have modified the DACL
1789 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1790 # make sure nothing else has been modified
1791 self
.assertTrue("O:AU" in desc_sddl
)
1792 self
.assertTrue("G:AU" in desc_sddl
)
1793 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1796 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1797 Only the owner part should be returned.
1799 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1800 self
.ldb_admin
.create_ou(ou_dn
)
1801 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1802 # make sure we have read the owner
1803 self
.assertTrue("O:" in desc_sddl
)
1804 # make sure we have read nothing else
1805 self
.assertFalse("G:" in desc_sddl
)
1806 self
.assertFalse("D:" in desc_sddl
)
1807 self
.assertFalse("S:" in desc_sddl
)
1810 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1811 Only the group part should be returned.
1813 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1814 self
.ldb_admin
.create_ou(ou_dn
)
1815 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1816 # make sure we have read the owner
1817 self
.assertTrue("G:" in desc_sddl
)
1818 # make sure we have read nothing else
1819 self
.assertFalse("O:" in desc_sddl
)
1820 self
.assertFalse("D:" in desc_sddl
)
1821 self
.assertFalse("S:" in desc_sddl
)
1824 """ Read a descriptor with SACL_SECURITY_INFORMATION
1825 Only the sacl part should be returned.
1827 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1828 self
.ldb_admin
.create_ou(ou_dn
)
1829 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1830 # make sure we have read the owner
1831 self
.assertTrue("S:" in desc_sddl
)
1832 # make sure we have read nothing else
1833 self
.assertFalse("O:" in desc_sddl
)
1834 self
.assertFalse("D:" in desc_sddl
)
1835 self
.assertFalse("G:" in desc_sddl
)
1838 """ Read a descriptor with DACL_SECURITY_INFORMATION
1839 Only the dacl part should be returned.
1841 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1842 self
.ldb_admin
.create_ou(ou_dn
)
1843 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1844 # make sure we have read the owner
1845 self
.assertTrue("D:" in desc_sddl
)
1846 # make sure we have read nothing else
1847 self
.assertFalse("O:" in desc_sddl
)
1848 self
.assertFalse("S:" in desc_sddl
)
1849 self
.assertFalse("G:" in desc_sddl
)
1852 class RightsAttributesTests(DescriptorTests
):
1854 def deleteAll(self
):
1855 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr"))
1856 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr2"))
1857 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
1860 super(RightsAttributesTests
, self
).setUp()
1864 self
.ldb_admin
.newuser("testuser_attr", "samba123@")
1865 # User 2, Domain Admins
1866 self
.ldb_admin
.newuser("testuser_attr2", "samba123@")
1867 self
.ldb_admin
.add_remove_group_members("Domain Admins",
1869 add_members_operation
=True)
1871 def test_sDRightsEffective(self
):
1872 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1873 delete_force(self
.ldb_admin
, object_dn
)
1874 self
.ldb_admin
.create_ou(object_dn
)
1875 print self
.get_users_domain_dn("testuser_attr")
1876 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1877 #give testuser1 read access so attributes can be retrieved
1878 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1879 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1880 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1881 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1882 attrs
=["sDRightsEffective"])
1883 #user whould have no rights at all
1884 self
.assertEquals(len(res
), 1)
1885 self
.assertEquals(res
[0]["sDRightsEffective"][0], "0")
1886 #give the user Write DACL and see what happens
1887 mod
= "(A;CI;WD;;;%s)" % str(user_sid
)
1888 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1889 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1890 attrs
=["sDRightsEffective"])
1891 #user whould have DACL_SECURITY_INFORMATION
1892 self
.assertEquals(len(res
), 1)
1893 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL
)
1894 #give the user Write Owners and see what happens
1895 mod
= "(A;CI;WO;;;%s)" % str(user_sid
)
1896 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1897 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1898 attrs
=["sDRightsEffective"])
1899 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1900 self
.assertEquals(len(res
), 1)
1901 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER
))
1902 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1903 _ldb
= self
.get_ldb_connection("testuser_attr2", "samba123@")
1904 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1905 attrs
=["sDRightsEffective"])
1906 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1907 self
.assertEquals(len(res
), 1)
1908 self
.assertEquals(res
[0]["sDRightsEffective"][0], \
1909 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL
))
1911 def test_allowedChildClassesEffective(self
):
1912 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1913 delete_force(self
.ldb_admin
, object_dn
)
1914 self
.ldb_admin
.create_ou(object_dn
)
1915 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1916 #give testuser1 read access so attributes can be retrieved
1917 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1918 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1919 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1920 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1921 attrs
=["allowedChildClassesEffective"])
1922 #there should be no allowed child classes
1923 self
.assertEquals(len(res
), 1)
1924 self
.assertFalse("allowedChildClassesEffective" in res
[0].keys())
1925 #give the user the right to create children of type user
1926 mod
= "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1927 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1928 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1929 attrs
=["allowedChildClassesEffective"])
1930 # allowedChildClassesEffective should only have one value, user
1931 self
.assertEquals(len(res
), 1)
1932 self
.assertEquals(len(res
[0]["allowedChildClassesEffective"]), 1)
1933 self
.assertEquals(res
[0]["allowedChildClassesEffective"][0], "user")
1935 def test_allowedAttributesEffective(self
):
1936 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1937 delete_force(self
.ldb_admin
, object_dn
)
1938 self
.ldb_admin
.create_ou(object_dn
)
1939 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1940 #give testuser1 read access so attributes can be retrieved
1941 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1942 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1943 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1944 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1945 attrs
=["allowedAttributesEffective"])
1946 #there should be no allowed attributes
1947 self
.assertEquals(len(res
), 1)
1948 self
.assertFalse("allowedAttributesEffective" in res
[0].keys())
1949 #give the user the right to write displayName and managedBy
1950 mod2
= "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1951 mod
= "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid
)
1952 # also rights to modify an read only attribute, fromEntry
1953 mod3
= "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid
)
1954 self
.sd_utils
.dacl_add_ace(object_dn
, mod
+ mod2
+ mod3
)
1955 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1956 attrs
=["allowedAttributesEffective"])
1957 # value should only contain user and managedBy
1958 self
.assertEquals(len(res
), 1)
1959 self
.assertEquals(len(res
[0]["allowedAttributesEffective"]), 2)
1960 self
.assertTrue("displayName" in res
[0]["allowedAttributesEffective"])
1961 self
.assertTrue("managedBy" in res
[0]["allowedAttributesEffective"])
1963 class SdAutoInheritTests(DescriptorTests
):
1964 def deleteAll(self
):
1965 delete_force(self
.ldb_admin
, self
.sub_dn
)
1966 delete_force(self
.ldb_admin
, self
.ou_dn
)
1969 super(SdAutoInheritTests
, self
).setUp()
1970 self
.ou_dn
= "OU=test_SdAutoInherit_ou," + self
.base_dn
1971 self
.sub_dn
= "OU=test_sub," + self
.ou_dn
1975 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1976 See that only the owner has been changed.
1978 attrs
= ["nTSecurityDescriptor", "replPropertyMetaData", "uSNChanged"]
1979 controls
=["sd_flags:1:%d" % (SECINFO_DACL
)]
1980 ace
= "(A;CI;CC;;;NU)"
1981 sub_ace
= "(A;CIID;CC;;;NU)"
1982 sd_sddl
= "O:BAG:BAD:P(A;CI;0x000f01ff;;;AU)"
1983 sd
= security
.descriptor
.from_sddl(sd_sddl
, self
.domain_sid
)
1985 self
.ldb_admin
.create_ou(self
.ou_dn
,sd
=sd
)
1986 self
.ldb_admin
.create_ou(self
.sub_dn
)
1988 ou_res0
= self
.sd_utils
.ldb
.search(self
.ou_dn
, SCOPE_BASE
,
1989 None, attrs
, controls
=controls
)
1990 sub_res0
= self
.sd_utils
.ldb
.search(self
.sub_dn
, SCOPE_BASE
,
1991 None, attrs
, controls
=controls
)
1993 ou_sd0
= ndr_unpack(security
.descriptor
, ou_res0
[0]["nTSecurityDescriptor"][0])
1994 sub_sd0
= ndr_unpack(security
.descriptor
, sub_res0
[0]["nTSecurityDescriptor"][0])
1996 ou_sddl0
= ou_sd0
.as_sddl(self
.domain_sid
)
1997 sub_sddl0
= sub_sd0
.as_sddl(self
.domain_sid
)
1999 self
.assertFalse(ace
in ou_sddl0
)
2000 self
.assertFalse(ace
in sub_sddl0
)
2002 ou_sddl1
= (ou_sddl0
[:ou_sddl0
.index("(")] + ace
+
2003 ou_sddl0
[ou_sddl0
.index("("):])
2005 sub_sddl1
= (sub_sddl0
[:sub_sddl0
.index("(")] + ace
+
2006 sub_sddl0
[sub_sddl0
.index("("):])
2008 self
.sd_utils
.modify_sd_on_dn(self
.ou_dn
, ou_sddl1
, controls
=controls
)
2010 sub_res2
= self
.sd_utils
.ldb
.search(self
.sub_dn
, SCOPE_BASE
,
2011 None, attrs
, controls
=controls
)
2012 ou_res2
= self
.sd_utils
.ldb
.search(self
.ou_dn
, SCOPE_BASE
,
2013 None, attrs
, controls
=controls
)
2015 ou_sd2
= ndr_unpack(security
.descriptor
, ou_res2
[0]["nTSecurityDescriptor"][0])
2016 sub_sd2
= ndr_unpack(security
.descriptor
, sub_res2
[0]["nTSecurityDescriptor"][0])
2018 ou_sddl2
= ou_sd2
.as_sddl(self
.domain_sid
)
2019 sub_sddl2
= sub_sd2
.as_sddl(self
.domain_sid
)
2021 self
.assertFalse(ou_sddl2
== ou_sddl0
)
2022 self
.assertFalse(sub_sddl2
== sub_sddl0
)
2024 if ace
not in ou_sddl2
:
2025 print "ou0: %s" % ou_sddl0
2026 print "ou2: %s" % ou_sddl2
2028 if sub_ace
not in sub_sddl2
:
2029 print "sub0: %s" % sub_sddl0
2030 print "sub2: %s" % sub_sddl2
2032 self
.assertTrue(ace
in ou_sddl2
)
2033 self
.assertTrue(sub_ace
in sub_sddl2
)
2035 ou_usn0
= int(ou_res0
[0]["uSNChanged"][0])
2036 ou_usn2
= int(ou_res2
[0]["uSNChanged"][0])
2037 self
.assertTrue(ou_usn2
> ou_usn0
)
2039 sub_usn0
= int(sub_res0
[0]["uSNChanged"][0])
2040 sub_usn2
= int(sub_res2
[0]["uSNChanged"][0])
2041 self
.assertTrue(sub_usn2
== sub_usn0
)
2043 if not "://" in host
:
2044 if os
.path
.isfile(host
):
2045 host
= "tdb://%s" % host
2047 host
= "ldap://%s" % host
2049 # use 'paged_search' module when connecting remotely
2050 if host
.lower().startswith("ldap://"):
2051 ldb_options
= ["modules:paged_searches"]
2055 session_info
=system_session(lp
),
2057 options
=ldb_options
)
2059 runner
= SubunitTestRunner()
2061 if not runner
.run(unittest
.makeSuite(OwnerGroupDescriptorTests
)).wasSuccessful():
2063 if not runner
.run(unittest
.makeSuite(DaclDescriptorTests
)).wasSuccessful():
2065 if not runner
.run(unittest
.makeSuite(SdFlagsDescriptorTests
)).wasSuccessful():
2067 if not runner
.run(unittest
.makeSuite(RightsAttributesTests
)).wasSuccessful():
2069 if not runner
.run(unittest
.makeSuite(SdAutoInheritTests
)).wasSuccessful():