search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-tests: Descriptor tests should use the existing samdb domain_dn method instead...
[Samba/gebeck_regimport.git] / source4 / dsdb / tests / python / sec_descriptor.py
blob5b3bb6a2cacfe97d6024b0619b600a858207a835
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3
4 import optparse
5 import sys
6 import os
7 import base64
8 import re
9 import random
10
11 sys.path.append("bin/python")
12 import samba
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
20
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
24
25 from samba import gensec
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
33 import samba.tests
34 import unittest
35
36 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
37 sambaopts = options.SambaOptions(parser)
38 parser.add_option_group(sambaopts)
39 parser.add_option_group(options.VersionOptions(parser))
40
41 # use command line creds if available
42 credopts = options.CredentialsOptions(parser)
43 parser.add_option_group(credopts)
44 opts, args = parser.parse_args()
45
46 if len(args) < 1:
47 parser.print_usage()
48 sys.exit(1)
49
50 host = args[0]
51
52 lp = sambaopts.get_loadparm()
53 creds = credopts.get_credentials(lp)
54 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
55
56 #
57 # Tests start here
58 #
59
60 class DescriptorTests(samba.tests.TestCase):
61
62 def delete_force(self, ldb, dn):
63 try:
64 ldb.delete(dn)
65 except LdbError, (num, _):
66 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
67
68 def find_configurationdn(self, ldb):
69 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
70 self.assertEquals(len(res), 1)
71 return res[0]["configurationNamingContext"][0]
72
73 def find_schemadn(self, ldb):
74 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
75 self.assertEquals(len(res), 1)
76 return res[0]["schemaNamingContext"][0]
77
78 def find_domain_sid(self, ldb):
79 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
80 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
81
82 def get_users_domain_dn(self, name):
83 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
84
85 def modify_desc(self, _ldb, object_dn, desc, controls=None):
86 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
87 mod = """
88 dn: """ + object_dn + """
89 changetype: modify
90 replace: nTSecurityDescriptor
91 """
92 if isinstance(desc, str):
93 mod += "nTSecurityDescriptor: %s" % desc
94 elif isinstance(desc, security.descriptor):
95 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
96 _ldb.modify_ldif(mod, controls)
97
98 def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
99 ldif = """
100 dn: """ + ou_dn + """
101 ou: """ + ou_dn.split(",")[0][3:] + """
102 objectClass: organizationalUnit
103 url: www.example.com
104 """
105 if desc:
106 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
107 if isinstance(desc, str):
108 ldif += "nTSecurityDescriptor: %s" % desc
109 elif isinstance(desc, security.descriptor):
110 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
111 _ldb.add_ldif(ldif, controls)
112
113 def create_domain_user(self, _ldb, user_dn, desc=None):
114 ldif = """
115 dn: """ + user_dn + """
116 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
117 objectClass: user
118 userPassword: samba123@
119 url: www.example.com
120 """
121 if desc:
122 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
123 if isinstance(desc, str):
124 ldif += "nTSecurityDescriptor: %s" % desc
125 elif isinstance(desc, security.descriptor):
126 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
127 _ldb.add_ldif(ldif)
128
129 def create_domain_group(self, _ldb, group_dn, desc=None):
130 ldif = """
131 dn: """ + group_dn + """
132 objectClass: group
133 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
134 groupType: 4
135 url: www.example.com
136 """
137 if desc:
138 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
139 if isinstance(desc, str):
140 ldif += "nTSecurityDescriptor: %s" % desc
141 elif isinstance(desc, security.descriptor):
142 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
143 _ldb.add_ldif(ldif)
144
145 def get_unique_schema_class_name(self):
146 while True:
147 class_name = "test-class%s" % random.randint(1,100000)
148 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
149 try:
150 self.ldb_admin.search(base=class_dn, attrs=["*"])
151 except LdbError, (num, _):
152 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
153 return class_name
154
155 def create_schema_class(self, _ldb, object_dn, desc=None):
156 ldif = """
157 dn: """ + object_dn + """
158 objectClass: classSchema
159 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
160 defaultObjectCategory: """ + object_dn + """
161 distinguishedName: """ + object_dn + """
162 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
163 instanceType: 4
164 objectClassCategory: 1
165 subClassOf: organizationalPerson
166 systemFlags: 16
167 rDNAttID: cn
168 systemMustContain: cn
169 systemOnly: FALSE
170 """
171 if desc:
172 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
173 if isinstance(desc, str):
174 ldif += "nTSecurityDescriptor: %s" % desc
175 elif isinstance(desc, security.descriptor):
176 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
177 _ldb.add_ldif(ldif)
178
179 def create_configuration_container(self, _ldb, object_dn, desc=None):
180 ldif = """
181 dn: """ + object_dn + """
182 objectClass: container
183 objectCategory: CN=Container,""" + self.schema_dn + """
184 showInAdvancedViewOnly: TRUE
185 instanceType: 4
186 """
187 if desc:
188 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
189 if isinstance(desc, str):
190 ldif += "nTSecurityDescriptor: %s" % desc
191 elif isinstance(desc, security.descriptor):
192 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
193 _ldb.add_ldif(ldif)
194
195 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
196 ldif = """
197 dn: """ + object_dn + """
198 objectClass: displaySpecifier
199 showInAdvancedViewOnly: TRUE
200 """
201 if desc:
202 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
203 if isinstance(desc, str):
204 ldif += "nTSecurityDescriptor: %s" % desc
205 elif isinstance(desc, security.descriptor):
206 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
207 _ldb.add_ldif(ldif)
208
209 def read_desc(self, object_dn, controls=None):
210 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
211 desc = res[0]["nTSecurityDescriptor"][0]
212 return ndr_unpack(security.descriptor, desc)
213
214 def create_active_user(self, _ldb, user_dn):
215 ldif = """
216 dn: """ + user_dn + """
217 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
218 objectClass: user
219 unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
220 url: www.example.com
221 """
222 _ldb.add_ldif(ldif)
223
224 def add_user_to_group(self, _ldb, username, groupname):
225 ldif = """
226 dn: """ + self.get_users_domain_dn(groupname) + """
227 changetype: modify
228 add: member
229 member: """ + self.get_users_domain_dn(username)
230 _ldb.modify_ldif(ldif)
231
232 def get_ldb_connection(self, target_username, target_password):
233 creds_tmp = Credentials()
234 creds_tmp.set_username(target_username)
235 creds_tmp.set_password(target_password)
236 creds_tmp.set_domain(creds.get_domain())
237 creds_tmp.set_realm(creds.get_realm())
238 creds_tmp.set_workstation(creds.get_workstation())
239 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
240 | gensec.FEATURE_SEAL)
241 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
242 return ldb_target
243
244 def get_object_sid(self, object_dn):
245 res = self.ldb_admin.search(object_dn)
246 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
247
248 def dacl_add_ace(self, object_dn, ace):
249 desc = self.read_desc( object_dn )
250 desc_sddl = desc.as_sddl( self.domain_sid )
251 if ace in desc_sddl:
252 return
253 if desc_sddl.find("(") >= 0:
254 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
255 else:
256 desc_sddl = desc_sddl + ace
257 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
258
259 def get_desc_sddl(self, object_dn, controls=None):
260 """ Return object nTSecutiryDescriptor in SDDL format
261 """
262 desc = self.read_desc(object_dn, controls)
263 return desc.as_sddl(self.domain_sid)
264
265 def create_enable_user(self, username):
266 user_dn = self.get_users_domain_dn(username)
267 self.create_active_user(self.ldb_admin, user_dn)
268 self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
269
270 def setUp(self):
271 super(DescriptorTests, self).setUp()
272 self.ldb_admin = ldb
273 self.base_dn = ldb.domain_dn()
274 self.configuration_dn = self.find_configurationdn(self.ldb_admin)
275 self.schema_dn = self.find_schemadn(self.ldb_admin)
276 self.domain_sid = self.find_domain_sid(self.ldb_admin)
277 print "baseDN: %s" % self.base_dn
278
279 ################################################################################################
280
281 ## Tests for DOMAIN
282
283 # Default descriptor tests #####################################################################
284
285 class OwnerGroupDescriptorTests(DescriptorTests):
286
287 def deleteAll(self):
288 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
289 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
290 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
291 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
292 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
293 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
294 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
295 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
296 # DOMAIN
297 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
298 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
299 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
300 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
301 # SCHEMA
302 # CONFIGURATION
303 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
304 + self.configuration_dn)
305 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
306
307 def setUp(self):
308 super(OwnerGroupDescriptorTests, self).setUp()
309 self.deleteAll()
310 ### Create users
311 # User 1
312 self.create_enable_user("testuser1")
313 self.add_user_to_group(self.ldb_admin, "testuser1", "Enterprise Admins")
314 # User 2
315 self.create_enable_user("testuser2")
316 self.add_user_to_group(self.ldb_admin, "testuser2", "Domain Admins")
317 # User 3
318 self.create_enable_user("testuser3")
319 self.add_user_to_group(self.ldb_admin, "testuser3", "Schema Admins")
320 # User 4
321 self.create_enable_user("testuser4")
322 # User 5
323 self.create_enable_user("testuser5")
324 self.add_user_to_group(self.ldb_admin, "testuser5", "Enterprise Admins")
325 self.add_user_to_group(self.ldb_admin, "testuser5", "Domain Admins")
326 # User 6
327 self.create_enable_user("testuser6")
328 self.add_user_to_group(self.ldb_admin, "testuser6", "Enterprise Admins")
329 self.add_user_to_group(self.ldb_admin, "testuser6", "Domain Admins")
330 self.add_user_to_group(self.ldb_admin, "testuser6", "Schema Admins")
331 # User 7
332 self.create_enable_user("testuser7")
333 self.add_user_to_group(self.ldb_admin, "testuser7", "Domain Admins")
334 self.add_user_to_group(self.ldb_admin, "testuser7", "Schema Admins")
335 # User 8
336 self.create_enable_user("testuser8")
337 self.add_user_to_group(self.ldb_admin, "testuser8", "Enterprise Admins")
338 self.add_user_to_group(self.ldb_admin, "testuser8", "Schema Admins")
339
340 self.results = {
341 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
342 "ds_behavior_win2003" : {
343 "100" : "O:EAG:DU",
344 "101" : "O:DAG:DU",
345 "102" : "O:%sG:DU",
346 "103" : "O:%sG:DU",
347 "104" : "O:DAG:DU",
348 "105" : "O:DAG:DU",
349 "106" : "O:DAG:DU",
350 "107" : "O:EAG:DU",
351 "108" : "O:DAG:DA",
352 "109" : "O:DAG:DA",
353 "110" : "O:%sG:DA",
354 "111" : "O:%sG:DA",
355 "112" : "O:DAG:DA",
356 "113" : "O:DAG:DA",
357 "114" : "O:DAG:DA",
358 "115" : "O:DAG:DA",
359 "130" : "O:EAG:DU",
360 "131" : "O:DAG:DU",
361 "132" : "O:SAG:DU",
362 "133" : "O:%sG:DU",
363 "134" : "O:EAG:DU",
364 "135" : "O:SAG:DU",
365 "136" : "O:SAG:DU",
366 "137" : "O:SAG:DU",
367 "138" : "O:DAG:DA",
368 "139" : "O:DAG:DA",
369 "140" : "O:%sG:DA",
370 "141" : "O:%sG:DA",
371 "142" : "O:DAG:DA",
372 "143" : "O:DAG:DA",
373 "144" : "O:DAG:DA",
374 "145" : "O:DAG:DA",
375 "160" : "O:EAG:DU",
376 "161" : "O:DAG:DU",
377 "162" : "O:%sG:DU",
378 "163" : "O:%sG:DU",
379 "164" : "O:EAG:DU",
380 "165" : "O:EAG:DU",
381 "166" : "O:DAG:DU",
382 "167" : "O:EAG:DU",
383 "168" : "O:DAG:DA",
384 "169" : "O:DAG:DA",
385 "170" : "O:%sG:DA",
386 "171" : "O:%sG:DA",
387 "172" : "O:DAG:DA",
388 "173" : "O:DAG:DA",
389 "174" : "O:DAG:DA",
390 "175" : "O:DAG:DA",
391 },
392 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
393 "ds_behavior_win2008" : {
394 "100" : "O:EAG:EA",
395 "101" : "O:DAG:DA",
396 "102" : "O:%sG:DU",
397 "103" : "O:%sG:DU",
398 "104" : "O:DAG:DA",
399 "105" : "O:DAG:DA",
400 "106" : "O:DAG:DA",
401 "107" : "O:EAG:EA",
402 "108" : "O:DAG:DA",
403 "109" : "O:DAG:DA",
404 "110" : "O:%sG:DA",
405 "111" : "O:%sG:DA",
406 "112" : "O:DAG:DA",
407 "113" : "O:DAG:DA",
408 "114" : "O:DAG:DA",
409 "115" : "O:DAG:DA",
410 "130" : "O:EAG:EA",
411 "131" : "O:DAG:DA",
412 "132" : "O:SAG:SA",
413 "133" : "O:%sG:DU",
414 "134" : "O:EAG:EA",
415 "135" : "O:SAG:SA",
416 "136" : "O:SAG:SA",
417 "137" : "O:SAG:SA",
418 "138" : "",
419 "139" : "",
420 "140" : "O:%sG:DA",
421 "141" : "O:%sG:DA",
422 "142" : "",
423 "143" : "",
424 "144" : "",
425 "145" : "",
426 "160" : "O:EAG:EA",
427 "161" : "O:DAG:DA",
428 "162" : "O:%sG:DU",
429 "163" : "O:%sG:DU",
430 "164" : "O:EAG:EA",
431 "165" : "O:EAG:EA",
432 "166" : "O:DAG:DA",
433 "167" : "O:EAG:EA",
434 "168" : "O:DAG:DA",
435 "169" : "O:DAG:DA",
436 "170" : "O:%sG:DA",
437 "171" : "O:%sG:DA",
438 "172" : "O:DAG:DA",
439 "173" : "O:DAG:DA",
440 "174" : "O:DAG:DA",
441 "175" : "O:DAG:DA",
442 },
443 }
444 # Discover 'msDS-Behavior-Version'
445 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
446 attrs=['msDS-Behavior-Version'])
447 res = int(res[0]['msDS-Behavior-Version'][0])
448 if res < DS_DOMAIN_FUNCTION_2008:
449 self.DS_BEHAVIOR = "ds_behavior_win2003"
450 else:
451 self.DS_BEHAVIOR = "ds_behavior_win2008"
452
453 def tearDown(self):
454 super(DescriptorTests, self).tearDown()
455 self.deleteAll()
456
457 def check_user_belongs(self, user_dn, groups=[]):
458 """ Test wether user is member of the expected group(s) """
459 if groups != []:
460 # User is member of at least one additional group
461 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
462 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
463 expected = []
464 for x in groups:
465 expected.append(self.get_users_domain_dn(x))
466 expected = [x.upper() for x in sorted(expected)]
467 self.assertEqual(expected, res)
468 else:
469 # User is not a member of any additional groups but default
470 res = self.ldb_admin.search(user_dn, attrs=["*"])
471 res = [x.upper() for x in res[0].keys()]
472 self.assertFalse( "MEMBEROF" in res)
473
474 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
475 # Modify
476 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
477 if owner_group != "":
478 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
479 else:
480 self.modify_desc(_ldb, object_dn, "D:" + ace)
481 # Make sure the modify operation has been applied
482 desc_sddl = self.get_desc_sddl(object_dn)
483 self.assertTrue(ace in desc_sddl)
484 # Make sure we have identical result for both "add" and "modify"
485 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
486 print self._testMethodName
487 test_number = self._testMethodName[5:]
488 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
489
490 def test_100(self):
491 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
492 """
493 user_name = "testuser1"
494 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
495 # Open Ldb connection with the tested user
496 _ldb = self.get_ldb_connection(user_name, "samba123@")
497 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
498 self.delete_force(self.ldb_admin, object_dn)
499 self.create_domain_group(_ldb, object_dn)
500 desc_sddl = self.get_desc_sddl(object_dn)
501 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
502 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
503 self.check_modify_inheritance(_ldb, object_dn)
504
505 def test_101(self):
506 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
507 """
508 user_name = "testuser2"
509 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
510 # Open Ldb connection with the tested user
511 _ldb = self.get_ldb_connection(user_name, "samba123@")
512 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
513 self.delete_force(self.ldb_admin, object_dn)
514 self.create_domain_group(_ldb, object_dn)
515 desc_sddl = self.get_desc_sddl(object_dn)
516 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
517 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
518 self.check_modify_inheritance(_ldb, object_dn)
519
520 def test_102(self):
521 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
522 """
523 user_name = "testuser3"
524 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
525 # Open Ldb connection with the tested user
526 _ldb = self.get_ldb_connection(user_name, "samba123@")
527 object_dn = "OU=test_domain_ou1," + self.base_dn
528 self.delete_force(self.ldb_admin, object_dn)
529 self.create_domain_ou(self.ldb_admin, object_dn)
530 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
531 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
532 self.dacl_add_ace(object_dn, mod)
533 # Create additional object into the first one
534 object_dn = "CN=test_domain_user1," + object_dn
535 self.delete_force(self.ldb_admin, object_dn)
536 self.create_domain_user(_ldb, object_dn)
537 desc_sddl = self.get_desc_sddl(object_dn)
538 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
539 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
540 # This fails, research why
541 #self.check_modify_inheritance(_ldb, object_dn)
542
543 def test_103(self):
544 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
545 """
546 user_name = "testuser4"
547 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
548 # Open Ldb connection with the tested user
549 _ldb = self.get_ldb_connection(user_name, "samba123@")
550 object_dn = "OU=test_domain_ou1," + self.base_dn
551 self.delete_force(self.ldb_admin, object_dn)
552 self.create_domain_ou(self.ldb_admin, object_dn)
553 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
554 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
555 self.dacl_add_ace(object_dn, mod)
556 # Create additional object into the first one
557 object_dn = "CN=test_domain_user1," + object_dn
558 self.delete_force(self.ldb_admin, object_dn)
559 self.create_domain_user(_ldb, object_dn)
560 desc_sddl = self.get_desc_sddl(object_dn)
561 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
562 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
563 #this fails, research why
564 #self.check_modify_inheritance(_ldb, object_dn)
565
566 def test_104(self):
567 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
568 """
569 user_name = "testuser5"
570 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
571 # Open Ldb connection with the tested user
572 _ldb = self.get_ldb_connection(user_name, "samba123@")
573 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
574 self.delete_force(self.ldb_admin, object_dn)
575 self.create_domain_group(_ldb, object_dn)
576 desc_sddl = self.get_desc_sddl(object_dn)
577 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
578 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
579 self.check_modify_inheritance(_ldb, object_dn)
580
581 def test_105(self):
582 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
583 """
584 user_name = "testuser6"
585 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
586 # Open Ldb connection with the tested user
587 _ldb = self.get_ldb_connection(user_name, "samba123@")
588 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
589 self.delete_force(self.ldb_admin, object_dn)
590 self.create_domain_group(_ldb, object_dn)
591 desc_sddl = self.get_desc_sddl(object_dn)
592 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
593 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
594 self.check_modify_inheritance(_ldb, object_dn)
595
596 def test_106(self):
597 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
598 """
599 user_name = "testuser7"
600 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
601 # Open Ldb connection with the tested user
602 _ldb = self.get_ldb_connection(user_name, "samba123@")
603 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
604 self.delete_force(self.ldb_admin, object_dn)
605 self.create_domain_group(_ldb, object_dn)
606 desc_sddl = self.get_desc_sddl(object_dn)
607 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
608 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
609 self.check_modify_inheritance(_ldb, object_dn)
610
611 def test_107(self):
612 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
613 """
614 user_name = "testuser8"
615 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
616 # Open Ldb connection with the tested user
617 _ldb = self.get_ldb_connection(user_name, "samba123@")
618 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
619 self.delete_force(self.ldb_admin, object_dn)
620 self.create_domain_group(_ldb, object_dn)
621 desc_sddl = self.get_desc_sddl(object_dn)
622 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
623 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
624 self.check_modify_inheritance(_ldb, object_dn)
625
626 # Control descriptor tests #####################################################################
627
628 def test_108(self):
629 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
630 """
631 user_name = "testuser1"
632 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
633 # Open Ldb connection with the tested user
634 _ldb = self.get_ldb_connection(user_name, "samba123@")
635 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
636 self.delete_force(self.ldb_admin, object_dn)
637 # Create a custom security descriptor
638 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
639 self.create_domain_group(_ldb, object_dn, desc_sddl)
640 desc_sddl = self.get_desc_sddl(object_dn)
641 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
642 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
643
644 def test_109(self):
645 """ Domain admin group member creates object (custom descriptor) in DOMAIN
646 """
647 user_name = "testuser2"
648 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
649 # Open Ldb connection with the tested user
650 _ldb = self.get_ldb_connection(user_name, "samba123@")
651 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
652 self.delete_force(self.ldb_admin, object_dn)
653 # Create a custom security descriptor
654 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
655 self.create_domain_group(_ldb, object_dn, desc_sddl)
656 desc_sddl = self.get_desc_sddl(object_dn)
657 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
658 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
659
660 def test_110(self):
661 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
662 """
663 user_name = "testuser3"
664 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
665 # Open Ldb connection with the tested user
666 _ldb = self.get_ldb_connection(user_name, "samba123@")
667 object_dn = "OU=test_domain_ou1," + self.base_dn
668 self.delete_force(self.ldb_admin, object_dn)
669 self.create_domain_ou(self.ldb_admin, object_dn)
670 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
671 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
672 self.dacl_add_ace(object_dn, mod)
673 # Create a custom security descriptor
674 # NB! Problematic owner part won't accept DA only <User Sid> !!!
675 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
676 # Create additional object into the first one
677 object_dn = "CN=test_domain_user1," + object_dn
678 self.delete_force(self.ldb_admin, object_dn)
679 self.create_domain_user(_ldb, object_dn, desc_sddl)
680 desc = self.read_desc(object_dn)
681 desc_sddl = self.get_desc_sddl(object_dn)
682 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
683 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
684
685 def test_111(self):
686 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
687 """
688 user_name = "testuser4"
689 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
690 # Open Ldb connection with the tested user
691 _ldb = self.get_ldb_connection(user_name, "samba123@")
692 object_dn = "OU=test_domain_ou1," + self.base_dn
693 self.delete_force(self.ldb_admin, object_dn)
694 self.create_domain_ou(self.ldb_admin, object_dn)
695 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
696 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
697 self.dacl_add_ace(object_dn, mod)
698 # Create a custom security descriptor
699 # NB! Problematic owner part won't accept DA only <User Sid> !!!
700 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
701 # Create additional object into the first one
702 object_dn = "CN=test_domain_user1," + object_dn
703 self.delete_force(self.ldb_admin, object_dn)
704 self.create_domain_user(_ldb, object_dn, desc_sddl)
705 desc = self.read_desc(object_dn)
706 desc_sddl = self.get_desc_sddl(object_dn)
707 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
708 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
709
710 def test_112(self):
711 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
712 """
713 user_name = "testuser5"
714 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
715 # Open Ldb connection with the tested user
716 _ldb = self.get_ldb_connection(user_name, "samba123@")
717 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
718 self.delete_force(self.ldb_admin, object_dn)
719 # Create a custom security descriptor
720 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
721 self.create_domain_group(_ldb, object_dn, desc_sddl)
722 desc_sddl = self.get_desc_sddl(object_dn)
723 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
724 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
725
726 def test_113(self):
727 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
728 """
729 user_name = "testuser6"
730 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
731 # Open Ldb connection with the tested user
732 _ldb = self.get_ldb_connection(user_name, "samba123@")
733 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
734 self.delete_force(self.ldb_admin, object_dn)
735 # Create a custom security descriptor
736 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
737 self.create_domain_group(_ldb, object_dn, desc_sddl)
738 desc_sddl = self.get_desc_sddl(object_dn)
739 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
740 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
741
742 def test_114(self):
743 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
744 """
745 user_name = "testuser7"
746 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
747 # Open Ldb connection with the tested user
748 _ldb = self.get_ldb_connection(user_name, "samba123@")
749 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
750 self.delete_force(self.ldb_admin, object_dn)
751 # Create a custom security descriptor
752 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
753 self.create_domain_group(_ldb, object_dn, desc_sddl)
754 desc_sddl = self.get_desc_sddl(object_dn)
755 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
756 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
757
758 def test_115(self):
759 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
760 """
761 user_name = "testuser8"
762 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
763 # Open Ldb connection with the tested user
764 _ldb = self.get_ldb_connection(user_name, "samba123@")
765 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
766 self.delete_force(self.ldb_admin, object_dn)
767 # Create a custom security descriptor
768 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
769 self.create_domain_group(_ldb, object_dn, desc_sddl)
770 desc_sddl = self.get_desc_sddl(object_dn)
771 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
772 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
773
774 def test_999(self):
775 user_name = "Administrator"
776 object_dn = "OU=test_domain_ou1," + self.base_dn
777 self.delete_force(self.ldb_admin, object_dn)
778 self.create_domain_ou(self.ldb_admin, object_dn)
779 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
780 mod = "(D;CI;WP;;;S-1-3-0)"
781 #mod = ""
782 self.dacl_add_ace(object_dn, mod)
783 desc_sddl = self.get_desc_sddl(object_dn)
784 # Create additional object into the first one
785 object_dn = "OU=test_domain_ou2," + object_dn
786 self.delete_force(self.ldb_admin, object_dn)
787 self.create_domain_ou(self.ldb_admin, object_dn)
788 desc_sddl = self.get_desc_sddl(object_dn)
789
790 ## Tests for SCHEMA
791
792 # Defalt descriptor tests ##################################################################
793
794 def test_130(self):
795 user_name = "testuser1"
796 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
797 # Open Ldb connection with the tested user
798 _ldb = self.get_ldb_connection(user_name, "samba123@")
799 # Change Schema partition descriptor
800 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
801 mod = "(A;;WDCC;;;AU)"
802 self.dacl_add_ace(self.schema_dn, mod)
803 # Create example Schema class
804 class_name = self.get_unique_schema_class_name()
805 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
806 self.create_schema_class(_ldb, class_dn)
807 desc_sddl = self.get_desc_sddl(class_dn)
808 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
809 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
810 self.check_modify_inheritance(_ldb, class_dn)
811
812 def test_131(self):
813 user_name = "testuser2"
814 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
815 # Open Ldb connection with the tested user
816 _ldb = self.get_ldb_connection(user_name, "samba123@")
817 # Change Schema partition descriptor
818 mod = "(A;CI;WDCC;;;AU)"
819 self.dacl_add_ace(self.schema_dn, mod)
820 # Create example Schema class
821 class_name = self.get_unique_schema_class_name()
822 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
823 self.create_schema_class(_ldb, class_dn)
824 desc_sddl = self.get_desc_sddl(class_dn)
825 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
826 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
827 self.check_modify_inheritance(_ldb, class_dn)
828
829 def test_132(self):
830 user_name = "testuser3"
831 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
832 # Open Ldb connection with the tested user
833 _ldb = self.get_ldb_connection(user_name, "samba123@")
834 # Change Schema partition descriptor
835 mod = "(A;CI;WDCC;;;AU)"
836 self.dacl_add_ace(self.schema_dn, mod)
837 # Create example Schema class
838 class_name = self.get_unique_schema_class_name()
839 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
840 self.create_schema_class(_ldb, class_dn)
841 desc_sddl = self.get_desc_sddl(class_dn)
842 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
843 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
844 #self.check_modify_inheritance(_ldb, class_dn)
845
846 def test_133(self):
847 user_name = "testuser4"
848 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
849 # Open Ldb connection with the tested user
850 _ldb = self.get_ldb_connection(user_name, "samba123@")
851 #Change Schema partition descriptor
852 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
853 mod = "(A;CI;WDCC;;;AU)"
854 self.dacl_add_ace(self.schema_dn, mod)
855 # Create example Schema class
856 class_name = self.get_unique_schema_class_name()
857 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
858 self.create_schema_class(_ldb, class_dn)
859 desc_sddl = self.get_desc_sddl(class_dn)
860 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
861 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
862 #self.check_modify_inheritance(_ldb, class_dn)
863
864 def test_134(self):
865 user_name = "testuser5"
866 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
867 # Open Ldb connection with the tested user
868 _ldb = self.get_ldb_connection(user_name, "samba123@")
869 #Change Schema partition descriptor
870 mod = "(A;CI;WDCC;;;AU)"
871 self.dacl_add_ace(self.schema_dn, mod)
872 # Create example Schema class
873 class_name = self.get_unique_schema_class_name()
874 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
875 self.create_schema_class(_ldb, class_dn)
876 desc_sddl = self.get_desc_sddl(class_dn)
877 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
878 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
879 self.check_modify_inheritance(_ldb, class_dn)
880
881 def test_135(self):
882 user_name = "testuser6"
883 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
884 # Open Ldb connection with the tested user
885 _ldb = self.get_ldb_connection(user_name, "samba123@")
886 # Change Schema partition descriptor
887 mod = "(A;CI;WDCC;;;AU)"
888 self.dacl_add_ace(self.schema_dn, mod)
889 # Create example Schema class
890 class_name = self.get_unique_schema_class_name()
891 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
892 self.create_schema_class(_ldb, class_dn)
893 desc_sddl = self.get_desc_sddl(class_dn)
894 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
895 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
896 self.check_modify_inheritance(_ldb, class_dn)
897
898 def test_136(self):
899 user_name = "testuser7"
900 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
901 # Open Ldb connection with the tested user
902 _ldb = self.get_ldb_connection(user_name, "samba123@")
903 # Change Schema partition descriptor
904 mod = "(A;CI;WDCC;;;AU)"
905 self.dacl_add_ace(self.schema_dn, mod)
906 # Create example Schema class
907 class_name = self.get_unique_schema_class_name()
908 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
909 self.create_schema_class(_ldb, class_dn)
910 desc_sddl = self.get_desc_sddl(class_dn)
911 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
912 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
913 self.check_modify_inheritance(_ldb, class_dn)
914
915 def test_137(self):
916 user_name = "testuser8"
917 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
918 # Open Ldb connection with the tested user
919 _ldb = self.get_ldb_connection(user_name, "samba123@")
920 # Change Schema partition descriptor
921 mod = "(A;CI;WDCC;;;AU)"
922 self.dacl_add_ace(self.schema_dn, mod)
923 # Create example Schema class
924 class_name = self.get_unique_schema_class_name()
925 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
926 self.create_schema_class(_ldb, class_dn)
927 desc_sddl = self.get_desc_sddl(class_dn)
928 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
929 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
930 self.check_modify_inheritance(_ldb, class_dn)
931
932 # Custom descriptor tests ##################################################################
933
934 def test_138(self):
935 user_name = "testuser1"
936 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
937 # Open Ldb connection with the tested user
938 _ldb = self.get_ldb_connection(user_name, "samba123@")
939 # Change Schema partition descriptor
940 mod = "(A;;CC;;;AU)"
941 self.dacl_add_ace(self.schema_dn, mod)
942 # Create a custom security descriptor
943 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
944 # Create example Schema class
945 class_name = self.get_unique_schema_class_name()
946 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
947 self.create_schema_class(_ldb, class_dn, desc_sddl)
948 desc_sddl = self.get_desc_sddl(class_dn)
949 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
950 self.assertEqual("O:DAG:DA", res)
951
952 def test_139(self):
953 user_name = "testuser2"
954 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
955 # Open Ldb connection with the tested user
956 _ldb = self.get_ldb_connection(user_name, "samba123@")
957 # Change Schema partition descriptor
958 mod = "(A;;CC;;;AU)"
959 self.dacl_add_ace(self.schema_dn, mod)
960 # Create a custom security descriptor
961 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
962 # Create example Schema class
963 class_name = self.get_unique_schema_class_name()
964 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
965 self.create_schema_class(_ldb, class_dn, desc_sddl)
966 desc_sddl = self.get_desc_sddl(class_dn)
967 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
968 self.assertEqual("O:DAG:DA", res)
969
970 def test_140(self):
971 user_name = "testuser3"
972 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
973 # Open Ldb connection with the tested user
974 _ldb = self.get_ldb_connection(user_name, "samba123@")
975 # Create a custom security descriptor
976 # NB! Problematic owner part won't accept DA only <User Sid> !!!
977 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
978 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
979 # Create example Schema class
980 class_name = self.get_unique_schema_class_name()
981 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
982 self.create_schema_class(_ldb, class_dn, desc_sddl)
983 desc_sddl = self.get_desc_sddl(class_dn)
984 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
985 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
986
987 def test_141(self):
988 user_name = "testuser4"
989 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
990 # Open Ldb connection with the tested user
991 _ldb = self.get_ldb_connection(user_name, "samba123@")
992 # Create a custom security descriptor
993 # NB! Problematic owner part won't accept DA only <User Sid> !!!
994 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
995 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
996 # Create example Schema class
997 class_name = self.get_unique_schema_class_name()
998 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
999 self.create_schema_class(_ldb, class_dn, desc_sddl)
1000 desc_sddl = self.get_desc_sddl(class_dn)
1001 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1002 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1003
1004 def test_142(self):
1005 user_name = "testuser5"
1006 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1007 # Open Ldb connection with the tested user
1008 _ldb = self.get_ldb_connection(user_name, "samba123@")
1009 # Change Schema partition descriptor
1010 mod = "(A;;CC;;;AU)"
1011 self.dacl_add_ace(self.schema_dn, mod)
1012 # Create a custom security descriptor
1013 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1014 # Create example Schema class
1015 class_name = self.get_unique_schema_class_name()
1016 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1017 self.create_schema_class(_ldb, class_dn, desc_sddl)
1018 desc_sddl = self.get_desc_sddl(class_dn)
1019 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1020 self.assertEqual("O:DAG:DA", res)
1021
1022 def test_143(self):
1023 user_name = "testuser6"
1024 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1025 # Open Ldb connection with the tested user
1026 _ldb = self.get_ldb_connection(user_name, "samba123@")
1027 # Change Schema partition descriptor
1028 mod = "(A;;CC;;;AU)"
1029 self.dacl_add_ace(self.schema_dn, mod)
1030 # Create a custom security descriptor
1031 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1032 # Create example Schema class
1033 class_name = self.get_unique_schema_class_name()
1034 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1035 self.create_schema_class(_ldb, class_dn, desc_sddl)
1036 desc_sddl = self.get_desc_sddl(class_dn)
1037 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1038 self.assertEqual("O:DAG:DA", res)
1039
1040 def test_144(self):
1041 user_name = "testuser7"
1042 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1043 # Open Ldb connection with the tested user
1044 _ldb = self.get_ldb_connection(user_name, "samba123@")
1045 # Change Schema partition descriptor
1046 mod = "(A;;CC;;;AU)"
1047 self.dacl_add_ace(self.schema_dn, mod)
1048 # Create a custom security descriptor
1049 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1050 # Create example Schema class
1051 class_name = self.get_unique_schema_class_name()
1052 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1053 self.create_schema_class(_ldb, class_dn, desc_sddl)
1054 desc_sddl = self.get_desc_sddl(class_dn)
1055 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1056 self.assertEqual("O:DAG:DA", res)
1057
1058 def test_145(self):
1059 user_name = "testuser8"
1060 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1061 # Open Ldb connection with the tested user
1062 _ldb = self.get_ldb_connection(user_name, "samba123@")
1063 # Change Schema partition descriptor
1064 mod = "(A;;CC;;;AU)"
1065 self.dacl_add_ace(self.schema_dn, mod)
1066 # Create a custom security descriptor
1067 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1068 # Create example Schema class
1069 class_name = self.get_unique_schema_class_name()
1070 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1071 self.create_schema_class(_ldb, class_dn, desc_sddl)
1072 desc_sddl = self.get_desc_sddl(class_dn)
1073 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1074 self.assertEqual("O:DAG:DA", res)
1075
1076 ## Tests for CONFIGURATION
1077
1078 # Defalt descriptor tests ##################################################################
1079
1080 def test_160(self):
1081 user_name = "testuser1"
1082 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1083 # Open Ldb connection with the tested user
1084 _ldb = self.get_ldb_connection(user_name, "samba123@")
1085 # Create example Configuration container
1086 container_name = "test-container1"
1087 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1088 self.delete_force(self.ldb_admin, object_dn)
1089 self.create_configuration_container(_ldb, object_dn, )
1090 desc_sddl = self.get_desc_sddl(object_dn)
1091 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1092 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1093 self.check_modify_inheritance(_ldb, object_dn)
1094
1095 def test_161(self):
1096 user_name = "testuser2"
1097 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1098 # Open Ldb connection with the tested user
1099 _ldb = self.get_ldb_connection(user_name, "samba123@")
1100 # Create example Configuration container
1101 container_name = "test-container1"
1102 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1103 self.delete_force(self.ldb_admin, object_dn)
1104 self.create_configuration_container(_ldb, object_dn, )
1105 desc_sddl = self.get_desc_sddl(object_dn)
1106 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1107 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1108 self.check_modify_inheritance(_ldb, object_dn)
1109
1110 def test_162(self):
1111 user_name = "testuser3"
1112 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1113 # Open Ldb connection with the tested user
1114 _ldb = self.get_ldb_connection(user_name, "samba123@")
1115 # Create example Configuration container
1116 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1117 self.delete_force(self.ldb_admin, object_dn)
1118 self.create_configuration_container(self.ldb_admin, object_dn, )
1119 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1120 mod = "(A;;WDCC;;;AU)"
1121 self.dacl_add_ace(object_dn, mod)
1122 # Create child object with user's credentials
1123 object_dn = "CN=test-specifier1," + object_dn
1124 self.delete_force(self.ldb_admin, object_dn)
1125 self.create_configuration_specifier(_ldb, object_dn)
1126 desc_sddl = self.get_desc_sddl(object_dn)
1127 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1128 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1129 #self.check_modify_inheritance(_ldb, object_dn)
1130
1131 def test_163(self):
1132 user_name = "testuser4"
1133 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1134 # Open Ldb connection with the tested user
1135 _ldb = self.get_ldb_connection(user_name, "samba123@")
1136 # Create example Configuration container
1137 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1138 self.delete_force(self.ldb_admin, object_dn)
1139 self.create_configuration_container(self.ldb_admin, object_dn, )
1140 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1141 mod = "(A;CI;WDCC;;;AU)"
1142 self.dacl_add_ace(object_dn, mod)
1143 # Create child object with user's credentials
1144 object_dn = "CN=test-specifier1," + object_dn
1145 self.delete_force(self.ldb_admin, object_dn)
1146 self.create_configuration_specifier(_ldb, object_dn)
1147 desc_sddl = self.get_desc_sddl(object_dn)
1148 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1149 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1150 #self.check_modify_inheritance(_ldb, object_dn)
1151
1152 def test_164(self):
1153 user_name = "testuser5"
1154 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1155 # Open Ldb connection with the tested user
1156 _ldb = self.get_ldb_connection(user_name, "samba123@")
1157 # Create example Configuration container
1158 container_name = "test-container1"
1159 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1160 self.delete_force(self.ldb_admin, object_dn)
1161 self.create_configuration_container(_ldb, object_dn, )
1162 desc_sddl = self.get_desc_sddl(object_dn)
1163 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1164 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1165 self.check_modify_inheritance(_ldb, object_dn)
1166
1167 def test_165(self):
1168 user_name = "testuser6"
1169 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1170 # Open Ldb connection with the tested user
1171 _ldb = self.get_ldb_connection(user_name, "samba123@")
1172 # Create example Configuration container
1173 container_name = "test-container1"
1174 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1175 self.delete_force(self.ldb_admin, object_dn)
1176 self.create_configuration_container(_ldb, object_dn, )
1177 desc_sddl = self.get_desc_sddl(object_dn)
1178 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1179 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1180 self.check_modify_inheritance(_ldb, object_dn)
1181
1182 def test_166(self):
1183 user_name = "testuser7"
1184 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1185 # Open Ldb connection with the tested user
1186 _ldb = self.get_ldb_connection(user_name, "samba123@")
1187 # Create example Configuration container
1188 container_name = "test-container1"
1189 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1190 self.delete_force(self.ldb_admin, object_dn)
1191 self.create_configuration_container(_ldb, object_dn, )
1192 desc_sddl = self.get_desc_sddl(object_dn)
1193 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1194 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1195 self.check_modify_inheritance(_ldb, object_dn)
1196
1197 def test_167(self):
1198 user_name = "testuser8"
1199 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1200 # Open Ldb connection with the tested user
1201 _ldb = self.get_ldb_connection(user_name, "samba123@")
1202 # Create example Configuration container
1203 container_name = "test-container1"
1204 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1205 self.delete_force(self.ldb_admin, object_dn)
1206 self.create_configuration_container(_ldb, object_dn, )
1207 desc_sddl = self.get_desc_sddl(object_dn)
1208 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1209 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1210 self.check_modify_inheritance(_ldb, object_dn)
1211
1212 # Custom descriptor tests ##################################################################
1213
1214 def test_168(self):
1215 user_name = "testuser1"
1216 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1217 # Open Ldb connection with the tested user
1218 _ldb = self.get_ldb_connection(user_name, "samba123@")
1219 # Create example Configuration container
1220 container_name = "test-container1"
1221 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1222 self.delete_force(self.ldb_admin, object_dn)
1223 # Create a custom security descriptor
1224 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1225 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1226 desc_sddl = self.get_desc_sddl(object_dn)
1227 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1228 self.assertEqual("O:DAG:DA", res)
1229
1230 def test_169(self):
1231 user_name = "testuser2"
1232 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1233 # Open Ldb connection with the tested user
1234 _ldb = self.get_ldb_connection(user_name, "samba123@")
1235 # Create example Configuration container
1236 container_name = "test-container1"
1237 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1238 self.delete_force(self.ldb_admin, object_dn)
1239 # Create a custom security descriptor
1240 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1241 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1242 desc_sddl = self.get_desc_sddl(object_dn)
1243 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1244 self.assertEqual("O:DAG:DA", res)
1245
1246 def test_170(self):
1247 user_name = "testuser3"
1248 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1249 # Open Ldb connection with the tested user
1250 _ldb = self.get_ldb_connection(user_name, "samba123@")
1251 # Create example Configuration container
1252 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1253 self.delete_force(self.ldb_admin, object_dn)
1254 self.create_configuration_container(self.ldb_admin, object_dn, )
1255 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1256 mod = "(A;;CC;;;AU)"
1257 self.dacl_add_ace(object_dn, mod)
1258 # Create child object with user's credentials
1259 object_dn = "CN=test-specifier1," + object_dn
1260 self.delete_force(self.ldb_admin, object_dn)
1261 # Create a custom security descriptor
1262 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1263 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1264 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1265 desc_sddl = self.get_desc_sddl(object_dn)
1266 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1267 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1268
1269 def test_171(self):
1270 user_name = "testuser4"
1271 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1272 # Open Ldb connection with the tested user
1273 _ldb = self.get_ldb_connection(user_name, "samba123@")
1274 # Create example Configuration container
1275 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1276 self.delete_force(self.ldb_admin, object_dn)
1277 self.create_configuration_container(self.ldb_admin, object_dn, )
1278 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1279 mod = "(A;;CC;;;AU)"
1280 self.dacl_add_ace(object_dn, mod)
1281 # Create child object with user's credentials
1282 object_dn = "CN=test-specifier1," + object_dn
1283 self.delete_force(self.ldb_admin, object_dn)
1284 # Create a custom security descriptor
1285 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1286 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1287 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1288 desc_sddl = self.get_desc_sddl(object_dn)
1289 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1290 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1291
1292 def test_172(self):
1293 user_name = "testuser5"
1294 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1295 # Open Ldb connection with the tested user
1296 _ldb = self.get_ldb_connection(user_name, "samba123@")
1297 # Create example Configuration container
1298 container_name = "test-container1"
1299 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1300 self.delete_force(self.ldb_admin, object_dn)
1301 # Create a custom security descriptor
1302 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1303 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1304 desc_sddl = self.get_desc_sddl(object_dn)
1305 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1306 self.assertEqual("O:DAG:DA", res)
1307
1308 def test_173(self):
1309 user_name = "testuser6"
1310 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1311 # Open Ldb connection with the tested user
1312 _ldb = self.get_ldb_connection(user_name, "samba123@")
1313 # Create example Configuration container
1314 container_name = "test-container1"
1315 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1316 self.delete_force(self.ldb_admin, object_dn)
1317 # Create a custom security descriptor
1318 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1319 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1320 desc_sddl = self.get_desc_sddl(object_dn)
1321 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1322 self.assertEqual("O:DAG:DA", res)
1323
1324 def test_174(self):
1325 user_name = "testuser7"
1326 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1327 # Open Ldb connection with the tested user
1328 _ldb = self.get_ldb_connection(user_name, "samba123@")
1329 # Create example Configuration container
1330 container_name = "test-container1"
1331 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1332 self.delete_force(self.ldb_admin, object_dn)
1333 # Create a custom security descriptor
1334 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1335 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1336 desc_sddl = self.get_desc_sddl(object_dn)
1337 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1338 self.assertEqual("O:DAG:DA", res)
1339
1340 def test_175(self):
1341 user_name = "testuser8"
1342 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1343 # Open Ldb connection with the tested user
1344 _ldb = self.get_ldb_connection(user_name, "samba123@")
1345 # Create example Configuration container
1346 container_name = "test-container1"
1347 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1348 self.delete_force(self.ldb_admin, object_dn)
1349 # Create a custom security descriptor
1350 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1351 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1352 desc_sddl = self.get_desc_sddl(object_dn)
1353 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1354 self.assertEqual("O:DAG:DA", res)
1355
1356 ########################################################################################
1357 # Inharitance tests for DACL
1358
1359 class DaclDescriptorTests(DescriptorTests):
1360
1361 def deleteAll(self):
1362 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1363 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1364
1365 def setUp(self):
1366 super(DaclDescriptorTests, self).setUp()
1367 self.deleteAll()
1368
1369 def create_clean_ou(self, object_dn):
1370 """ Base repeating setup for unittests to follow """
1371 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1372 expression="distinguishedName=%s" % object_dn)
1373 # Make sure top testing OU has been deleted before starting the test
1374 self.assertEqual(res, [])
1375 self.create_domain_ou(self.ldb_admin, object_dn)
1376 desc_sddl = self.get_desc_sddl(object_dn)
1377 # Make sure there are inheritable ACEs initially
1378 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1379 # Find and remove all inherit ACEs
1380 res = re.findall("\(.*?\)", desc_sddl)
1381 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1382 for x in res:
1383 desc_sddl = desc_sddl.replace(x, "")
1384 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1385 # can propagate from above
1386 # remove SACL, we are not interested
1387 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1388 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1389 # Verify all inheritable ACEs are gone
1390 desc_sddl = self.get_desc_sddl(object_dn)
1391 self.assertFalse("CI" in desc_sddl)
1392 self.assertFalse("OI" in desc_sddl)
1393
1394 def test_200(self):
1395 """ OU with protected flag and child group. See if the group has inherit ACEs.
1396 """
1397 ou_dn = "OU=test_inherit_ou," + self.base_dn
1398 group_dn = "CN=test_inherit_group," + ou_dn
1399 # Create inheritable-free OU
1400 self.create_clean_ou(ou_dn)
1401 # Create group child object
1402 self.create_domain_group(self.ldb_admin, group_dn)
1403 # Make sure created group object contains NO inherit ACEs
1404 desc_sddl = self.get_desc_sddl(group_dn)
1405 self.assertFalse("ID" in desc_sddl)
1406
1407 def test_201(self):
1408 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1409 Verify group has custom and default ACEs only.
1410 """
1411 ou_dn = "OU=test_inherit_ou," + self.base_dn
1412 group_dn = "CN=test_inherit_group," + ou_dn
1413 # Create inheritable-free OU
1414 self.create_clean_ou(ou_dn)
1415 # Create group child object using custom security descriptor
1416 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1417 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1418 # Make sure created group descriptor has NO additional ACEs
1419 desc_sddl = self.get_desc_sddl(group_dn)
1420 self.assertEqual(desc_sddl, sddl)
1421 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1422 self.modify_desc(self.ldb_admin, group_dn, sddl)
1423 desc_sddl = self.get_desc_sddl(group_dn)
1424 self.assertEqual(desc_sddl, sddl)
1425
1426 def test_202(self):
1427 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1428 See if the group has any of the added ACEs.
1429 """
1430 ou_dn = "OU=test_inherit_ou," + self.base_dn
1431 group_dn = "CN=test_inherit_group," + ou_dn
1432 # Create inheritable-free OU
1433 self.create_clean_ou(ou_dn)
1434 # Add some custom non-inheritable ACEs
1435 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1436 moded = "(D;;CC;;;LG)"
1437 self.dacl_add_ace(ou_dn, mod)
1438 # Verify all inheritable ACEs are gone
1439 desc_sddl = self.get_desc_sddl(ou_dn)
1440 # Create group child object
1441 self.create_domain_group(self.ldb_admin, group_dn)
1442 # Make sure created group object contains NO inherit ACEs
1443 # also make sure the added above non-inheritable ACEs are absent too
1444 desc_sddl = self.get_desc_sddl(group_dn)
1445 self.assertFalse("ID" in desc_sddl)
1446 for x in re.findall("\(.*?\)", mod):
1447 self.assertFalse(x in desc_sddl)
1448 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1449 desc_sddl = self.get_desc_sddl(group_dn)
1450 self.assertFalse("ID" in desc_sddl)
1451 for x in re.findall("\(.*?\)", mod):
1452 self.assertFalse(x in desc_sddl)
1453
1454 def test_203(self):
1455 """ OU with protected flag and add 'CI' ACE, child group.
1456 See if the group has the added inherited ACE.
1457 """
1458 ou_dn = "OU=test_inherit_ou," + self.base_dn
1459 group_dn = "CN=test_inherit_group," + ou_dn
1460 # Create inheritable-free OU
1461 self.create_clean_ou(ou_dn)
1462 # Add some custom 'CI' ACE
1463 mod = "(D;CI;WP;;;DU)"
1464 moded = "(D;;CC;;;LG)"
1465 self.dacl_add_ace(ou_dn, mod)
1466 desc_sddl = self.get_desc_sddl(ou_dn)
1467 # Create group child object
1468 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1469 # Make sure created group object contains only the above inherited ACE
1470 # that we've added manually
1471 desc_sddl = self.get_desc_sddl(group_dn)
1472 mod = mod.replace(";CI;", ";CIID;")
1473 self.assertTrue(mod in desc_sddl)
1474 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1475 desc_sddl = self.get_desc_sddl(group_dn)
1476 self.assertTrue(moded in desc_sddl)
1477 self.assertTrue(mod in desc_sddl)
1478
1479 def test_204(self):
1480 """ OU with protected flag and add 'OI' ACE, child group.
1481 See if the group has the added inherited ACE.
1482 """
1483 ou_dn = "OU=test_inherit_ou," + self.base_dn
1484 group_dn = "CN=test_inherit_group," + ou_dn
1485 # Create inheritable-free OU
1486 self.create_clean_ou(ou_dn)
1487 # Add some custom 'CI' ACE
1488 mod = "(D;OI;WP;;;DU)"
1489 moded = "(D;;CC;;;LG)"
1490 self.dacl_add_ace(ou_dn, mod)
1491 desc_sddl = self.get_desc_sddl(ou_dn)
1492 # Create group child object
1493 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1494 # Make sure created group object contains only the above inherited ACE
1495 # that we've added manually
1496 desc_sddl = self.get_desc_sddl(group_dn)
1497 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1498 self.assertTrue(mod in desc_sddl)
1499 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1500 desc_sddl = self.get_desc_sddl(group_dn)
1501 self.assertTrue(moded in desc_sddl)
1502 self.assertTrue(mod in desc_sddl)
1503
1504 def test_205(self):
1505 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1506 See if the group has the added inherited ACE.
1507 """
1508 ou_dn = "OU=test_inherit_ou," + self.base_dn
1509 group_dn = "CN=test_inherit_group," + ou_dn
1510 # Create inheritable-free OU
1511 self.create_clean_ou(ou_dn)
1512 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1513 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1514 moded = "(D;;CC;;;LG)"
1515 self.dacl_add_ace(ou_dn, mod)
1516 desc_sddl = self.get_desc_sddl(ou_dn)
1517 # Create group child object
1518 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1519 # Make sure created group object contains only the above inherited ACE
1520 # that we've added manually
1521 desc_sddl = self.get_desc_sddl(group_dn)
1522 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1523 self.assertTrue(mod in desc_sddl)
1524 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1525 desc_sddl = self.get_desc_sddl(group_dn)
1526 self.assertTrue(moded in desc_sddl)
1527 self.assertTrue(mod in desc_sddl)
1528
1529 def test_206(self):
1530 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1531 See if the group has the added inherited ACE.
1532 """
1533 ou_dn = "OU=test_inherit_ou," + self.base_dn
1534 group_dn = "CN=test_inherit_group," + ou_dn
1535 # Create inheritable-free OU
1536 self.create_clean_ou(ou_dn)
1537 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1538 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1539 moded = "(D;;CC;;;LG)"
1540 self.dacl_add_ace(ou_dn, mod)
1541 desc_sddl = self.get_desc_sddl(ou_dn)
1542 # Create group child object
1543 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1544 # Make sure created group object contains only the above inherited ACE
1545 # that we've added manually
1546 desc_sddl = self.get_desc_sddl(group_dn)
1547 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1548 self.assertTrue(mod in desc_sddl)
1549 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1550 desc_sddl = self.get_desc_sddl(group_dn)
1551 self.assertTrue(moded in desc_sddl)
1552 self.assertTrue(mod in desc_sddl)
1553
1554 def test_207(self):
1555 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1556 See if the group has the added inherited ACE.
1557 """
1558 ou_dn = "OU=test_inherit_ou," + self.base_dn
1559 group_dn = "CN=test_inherit_group," + ou_dn
1560 # Create inheritable-free OU
1561 self.create_clean_ou(ou_dn)
1562 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1563 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1564 moded = "(D;;CC;;;LG)"
1565 self.dacl_add_ace(ou_dn, mod)
1566 desc_sddl = self.get_desc_sddl(ou_dn)
1567 # Create group child object
1568 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1569 # Make sure created group object contains only the above inherited ACE
1570 # that we've added manually
1571 desc_sddl = self.get_desc_sddl(group_dn)
1572 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1573 self.assertTrue(mod in desc_sddl)
1574 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1575 desc_sddl = self.get_desc_sddl(group_dn)
1576 self.assertTrue(moded in desc_sddl)
1577 self.assertTrue(mod in desc_sddl)
1578
1579 def test_208(self):
1580 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1581 See if the group has the added inherited ACE.
1582 """
1583 ou_dn = "OU=test_inherit_ou," + self.base_dn
1584 group_dn = "CN=test_inherit_group," + ou_dn
1585 # Create inheritable-free OU
1586 self.create_clean_ou(ou_dn)
1587 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1588 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1589 moded = "(D;;CC;;;LG)"
1590 self.dacl_add_ace(ou_dn, mod)
1591 desc_sddl = self.get_desc_sddl(ou_dn)
1592 # Create group child object
1593 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1594 # Make sure created group object contains only the above inherited ACE
1595 # that we've added manually
1596 desc_sddl = self.get_desc_sddl(group_dn)
1597 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1598 self.assertTrue(mod in desc_sddl)
1599 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1600 desc_sddl = self.get_desc_sddl(group_dn)
1601 self.assertTrue(moded in desc_sddl)
1602 self.assertTrue(mod in desc_sddl)
1603
1604 def test_209(self):
1605 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1606 See if the group has the added inherited ACE.
1607 """
1608 ou_dn = "OU=test_inherit_ou," + self.base_dn
1609 group_dn = "CN=test_inherit_group," + ou_dn
1610 # Create inheritable-free OU
1611 self.create_clean_ou(ou_dn)
1612 # Add some custom 'CI' ACE
1613 mod = "(D;CI;WP;;;CO)"
1614 moded = "(D;;CC;;;LG)"
1615 self.dacl_add_ace(ou_dn, mod)
1616 desc_sddl = self.get_desc_sddl(ou_dn)
1617 # Create group child object
1618 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1619 # Make sure created group object contains only the above inherited ACE(s)
1620 # that we've added manually
1621 desc_sddl = self.get_desc_sddl(group_dn)
1622 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1623 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1624 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1625 desc_sddl = self.get_desc_sddl(group_dn)
1626 self.assertTrue(moded in desc_sddl)
1627 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1628 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1629
1630 def test_210(self):
1631 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1632 """
1633 ou_dn = "OU=test_inherit_ou," + self.base_dn
1634 group_dn = "CN=test_inherit_group," + ou_dn
1635 self.create_clean_ou(ou_dn)
1636 # Add some custom ACE
1637 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1638 self.create_domain_group(self.ldb_admin, group_dn, mod)
1639 # Make sure created group object does not contain the ID ace
1640 desc_sddl = self.get_desc_sddl(group_dn)
1641 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1642
1643 def test_211(self):
1644 """ Provide ACE with CO SID, should be expanded and replaced
1645 """
1646 ou_dn = "OU=test_inherit_ou," + self.base_dn
1647 group_dn = "CN=test_inherit_group," + ou_dn
1648 # Create inheritable-free OU
1649 self.create_clean_ou(ou_dn)
1650 # Add some custom 'CI' ACE
1651 mod = "D:(D;CI;WP;;;CO)"
1652 self.create_domain_group(self.ldb_admin, group_dn, mod)
1653 desc_sddl = self.get_desc_sddl(group_dn)
1654 self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
1655
1656 def test_212(self):
1657 """ Provide ACE with IO flag, should be ignored
1658 """
1659 ou_dn = "OU=test_inherit_ou," + self.base_dn
1660 group_dn = "CN=test_inherit_group," + ou_dn
1661 # Create inheritable-free OU
1662 self.create_clean_ou(ou_dn)
1663 # Add some custom 'CI' ACE
1664 mod = "D:(D;CIIO;WP;;;CO)"
1665 self.create_domain_group(self.ldb_admin, group_dn, mod)
1666 # Make sure created group object contains only the above inherited ACE(s)
1667 # that we've added manually
1668 desc_sddl = self.get_desc_sddl(group_dn)
1669 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1670 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1671 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1672
1673 def test_213(self):
1674 """ Provide ACE with IO flag, should be ignored
1675 """
1676 ou_dn = "OU=test_inherit_ou," + self.base_dn
1677 group_dn = "CN=test_inherit_group," + ou_dn
1678 # Create inheritable-free OU
1679 self.create_clean_ou(ou_dn)
1680 mod = "D:(D;IO;WP;;;DA)"
1681 self.create_domain_group(self.ldb_admin, group_dn, mod)
1682 # Make sure created group object contains only the above inherited ACE(s)
1683 # that we've added manually
1684 desc_sddl = self.get_desc_sddl(group_dn)
1685 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1686
1687 ########################################################################################
1688
1689
1690 class SdFlagsDescriptorTests(DescriptorTests):
1691 def deleteAll(self):
1692 self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1693
1694 def setUp(self):
1695 super(SdFlagsDescriptorTests, self).setUp()
1696 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1697 self.deleteAll()
1698
1699 def test_301(self):
1700 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1701 See that only the owner has been changed.
1702 """
1703 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1704 self.create_domain_ou(self.ldb_admin, ou_dn)
1705 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1706 desc_sddl = self.get_desc_sddl(ou_dn)
1707 # make sure we have modified the owner
1708 self.assertTrue("O:AU" in desc_sddl)
1709 # make sure nothing else has been modified
1710 self.assertFalse("G:AU" in desc_sddl)
1711 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1712 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1713
1714 def test_302(self):
1715 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1716 See that only the owner has been changed.
1717 """
1718 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1719 self.create_domain_ou(self.ldb_admin, ou_dn)
1720 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1721 desc_sddl = self.get_desc_sddl(ou_dn)
1722 # make sure we have modified the group
1723 self.assertTrue("G:AU" in desc_sddl)
1724 # make sure nothing else has been modified
1725 self.assertFalse("O:AU" in desc_sddl)
1726 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1727 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1728
1729 def test_303(self):
1730 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1731 See that only the owner has been changed.
1732 """
1733 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1734 self.create_domain_ou(self.ldb_admin, ou_dn)
1735 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1736 desc_sddl = self.get_desc_sddl(ou_dn)
1737 # make sure we have modified the DACL
1738 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1739 # make sure nothing else has been modified
1740 self.assertFalse("O:AU" in desc_sddl)
1741 self.assertFalse("G:AU" in desc_sddl)
1742 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1743
1744 def test_304(self):
1745 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1746 See that only the owner has been changed.
1747 """
1748 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1749 self.create_domain_ou(self.ldb_admin, ou_dn)
1750 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1751 desc_sddl = self.get_desc_sddl(ou_dn)
1752 # make sure we have modified the DACL
1753 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1754 # make sure nothing else has been modified
1755 self.assertFalse("O:AU" in desc_sddl)
1756 self.assertFalse("G:AU" in desc_sddl)
1757 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1758
1759 def test_305(self):
1760 """ Modify a descriptor with 0x0 set.
1761 Contrary to logic this is interpreted as no control,
1762 which is the same as 0xF
1763 """
1764 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1765 self.create_domain_ou(self.ldb_admin, ou_dn)
1766 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1767 desc_sddl = self.get_desc_sddl(ou_dn)
1768 # make sure we have modified the DACL
1769 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1770 # make sure nothing else has been modified
1771 self.assertTrue("O:AU" in desc_sddl)
1772 self.assertTrue("G:AU" in desc_sddl)
1773 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1774
1775 def test_306(self):
1776 """ Modify a descriptor with 0xF set.
1777 """
1778 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1779 self.create_domain_ou(self.ldb_admin, ou_dn)
1780 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1781 desc_sddl = self.get_desc_sddl(ou_dn)
1782 # make sure we have modified the DACL
1783 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1784 # make sure nothing else has been modified
1785 self.assertTrue("O:AU" in desc_sddl)
1786 self.assertTrue("G:AU" in desc_sddl)
1787 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1788
1789 def test_307(self):
1790 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1791 Only the owner part should be returned.
1792 """
1793 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1794 self.create_domain_ou(self.ldb_admin, ou_dn)
1795 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1796 # make sure we have read the owner
1797 self.assertTrue("O:" in desc_sddl)
1798 # make sure we have read nothing else
1799 self.assertFalse("G:" in desc_sddl)
1800 self.assertFalse("D:" in desc_sddl)
1801 self.assertFalse("S:" in desc_sddl)
1802
1803 def test_308(self):
1804 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1805 Only the group part should be returned.
1806 """
1807 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1808 self.create_domain_ou(self.ldb_admin, ou_dn)
1809 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1810 # make sure we have read the owner
1811 self.assertTrue("G:" in desc_sddl)
1812 # make sure we have read nothing else
1813 self.assertFalse("O:" in desc_sddl)
1814 self.assertFalse("D:" in desc_sddl)
1815 self.assertFalse("S:" in desc_sddl)
1816
1817 def test_309(self):
1818 """ Read a descriptor with SACL_SECURITY_INFORMATION
1819 Only the sacl part should be returned.
1820 """
1821 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1822 self.create_domain_ou(self.ldb_admin, ou_dn)
1823 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1824 # make sure we have read the owner
1825 self.assertTrue("S:" in desc_sddl)
1826 # make sure we have read nothing else
1827 self.assertFalse("O:" in desc_sddl)
1828 self.assertFalse("D:" in desc_sddl)
1829 self.assertFalse("G:" in desc_sddl)
1830
1831 def test_310(self):
1832 """ Read a descriptor with DACL_SECURITY_INFORMATION
1833 Only the dacl part should be returned.
1834 """
1835 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1836 self.create_domain_ou(self.ldb_admin, ou_dn)
1837 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1838 # make sure we have read the owner
1839 self.assertTrue("D:" in desc_sddl)
1840 # make sure we have read nothing else
1841 self.assertFalse("O:" in desc_sddl)
1842 self.assertFalse("S:" in desc_sddl)
1843 self.assertFalse("G:" in desc_sddl)
1844
1845
1846 class RightsAttributesTests(DescriptorTests):
1847
1848 def deleteAll(self):
1849 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1850 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1851 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1852
1853 def setUp(self):
1854 super(RightsAttributesTests, self).setUp()
1855 self.deleteAll()
1856 ### Create users
1857 # User 1
1858 self.create_enable_user("testuser_attr")
1859 # User 2, Domain Admins
1860 self.create_enable_user("testuser_attr2")
1861 self.add_user_to_group(self.ldb_admin, "testuser_attr2", "Domain Admins")
1862
1863 def test_sDRightsEffective(self):
1864 object_dn = "OU=test_domain_ou1," + self.base_dn
1865 self.delete_force(self.ldb_admin, object_dn)
1866 self.create_domain_ou(self.ldb_admin, object_dn)
1867 print self.get_users_domain_dn("testuser_attr")
1868 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1869 #give testuser1 read access so attributes can be retrieved
1870 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1871 self.dacl_add_ace(object_dn, mod)
1872 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1873 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1874 attrs=["sDRightsEffective"])
1875 #user whould have no rights at all
1876 self.assertEquals(len(res), 1)
1877 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1878 #give the user Write DACL and see what happens
1879 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1880 self.dacl_add_ace(object_dn, mod)
1881 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1882 attrs=["sDRightsEffective"])
1883 #user whould have DACL_SECURITY_INFORMATION
1884 self.assertEquals(len(res), 1)
1885 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1886 #give the user Write Owners and see what happens
1887 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1888 self.dacl_add_ace(object_dn, mod)
1889 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1890 attrs=["sDRightsEffective"])
1891 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1892 self.assertEquals(len(res), 1)
1893 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1894 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1895 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1896 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1897 attrs=["sDRightsEffective"])
1898 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1899 self.assertEquals(len(res), 1)
1900 self.assertEquals(res[0]["sDRightsEffective"][0], \
1901 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1902
1903 def test_allowedChildClassesEffective(self):
1904 object_dn = "OU=test_domain_ou1," + self.base_dn
1905 self.delete_force(self.ldb_admin, object_dn)
1906 self.create_domain_ou(self.ldb_admin, object_dn)
1907 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1908 #give testuser1 read access so attributes can be retrieved
1909 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1910 self.dacl_add_ace(object_dn, mod)
1911 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1912 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1913 attrs=["allowedChildClassesEffective"])
1914 #there should be no allowed child classes
1915 self.assertEquals(len(res), 1)
1916 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1917 #give the user the right to create children of type user
1918 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1919 self.dacl_add_ace(object_dn, mod)
1920 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1921 attrs=["allowedChildClassesEffective"])
1922 # allowedChildClassesEffective should only have one value, user
1923 self.assertEquals(len(res), 1)
1924 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1925 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1926
1927 def test_allowedAttributesEffective(self):
1928 object_dn = "OU=test_domain_ou1," + self.base_dn
1929 self.delete_force(self.ldb_admin, object_dn)
1930 self.create_domain_ou(self.ldb_admin, object_dn)
1931 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1932 #give testuser1 read access so attributes can be retrieved
1933 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1934 self.dacl_add_ace(object_dn, mod)
1935 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1936 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1937 attrs=["allowedAttributesEffective"])
1938 #there should be no allowed attributes
1939 self.assertEquals(len(res), 1)
1940 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1941 #give the user the right to write displayName and managedBy
1942 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1943 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1944 # also rights to modify an read only attribute, fromEntry
1945 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1946 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1947 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1948 attrs=["allowedAttributesEffective"])
1949 # value should only contain user and managedBy
1950 self.assertEquals(len(res), 1)
1951 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1952 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1953 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1954
1955 if not "://" in host:
1956 if os.path.isfile(host):
1957 host = "tdb://%s" % host
1958 else:
1959 host = "ldap://%s" % host
1960
1961 # use 'paged_search' module when connecting remotely
1962 if host.lower().startswith("ldap://"):
1963 ldb_options = ["modules:paged_searches"]
1964
1965 ldb = SamDB(host,
1966 credentials=creds,
1967 session_info=system_session(),
1968 lp=lp,
1969 options=ldb_options)
1970
1971 runner = SubunitTestRunner()
1972 rc = 0
1973 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1974 rc = 1
1975 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1976 rc = 1
1977 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1978 rc = 1
1979 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
1980 rc = 1
1981 sys.exit(rc)
reg import