2 # -*- coding: utf-8 -*-
11 sys
.path
.append("bin/python")
13 samba
.ensure_external_module("testtools", "testtools")
14 samba
.ensure_external_module("subunit", "subunit/python")
16 import samba
.getopt
as options
18 # Some error messages that are being tested
19 from ldb
import SCOPE_SUBTREE
, SCOPE_BASE
, LdbError
, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba
.ndr
import ndr_pack
, ndr_unpack
23 from samba
.dcerpc
import security
25 from samba
import gensec
26 from samba
.samdb
import SamDB
27 from samba
.credentials
import Credentials
28 from samba
.auth
import system_session
29 from samba
.dsdb
import DS_DOMAIN_FUNCTION_2008
30 from samba
.dcerpc
.security
import (
31 SECINFO_OWNER
, SECINFO_GROUP
, SECINFO_DACL
, SECINFO_SACL
)
32 from subunit
.run
import SubunitTestRunner
36 parser
= optparse
.OptionParser("sec_descriptor.py [options] <host>")
37 sambaopts
= options
.SambaOptions(parser
)
38 parser
.add_option_group(sambaopts
)
39 parser
.add_option_group(options
.VersionOptions(parser
))
41 # use command line creds if available
42 credopts
= options
.CredentialsOptions(parser
)
43 parser
.add_option_group(credopts
)
44 opts
, args
= parser
.parse_args()
52 lp
= sambaopts
.get_loadparm()
53 creds
= credopts
.get_credentials(lp
)
54 creds
.set_gensec_features(creds
.get_gensec_features() | gensec
.FEATURE_SEAL
)
60 class DescriptorTests(samba
.tests
.TestCase
):
62 def delete_force(self
, ldb
, dn
):
65 except LdbError
, (num
, _
):
66 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
68 def find_domain_sid(self
, ldb
):
69 res
= ldb
.search(base
=self
.base_dn
, expression
="(objectClass=*)", scope
=SCOPE_BASE
)
70 return ndr_unpack( security
.dom_sid
,res
[0]["objectSid"][0])
72 def get_users_domain_dn(self
, name
):
73 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
75 def modify_desc(self
, _ldb
, object_dn
, desc
, controls
=None):
76 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
78 dn: """ + object_dn
+ """
80 replace: nTSecurityDescriptor
82 if isinstance(desc
, str):
83 mod
+= "nTSecurityDescriptor: %s" % desc
84 elif isinstance(desc
, security
.descriptor
):
85 mod
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
86 _ldb
.modify_ldif(mod
, controls
)
88 def create_domain_user(self
, _ldb
, user_dn
, desc
=None):
90 dn: """ + user_dn
+ """
91 sAMAccountName: """ + user_dn
.split(",")[0][3:] + """
93 userPassword: samba123@
97 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
98 if isinstance(desc
, str):
99 ldif
+= "nTSecurityDescriptor: %s" % desc
100 elif isinstance(desc
, security
.descriptor
):
101 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
104 def create_domain_group(self
, _ldb
, group_dn
, desc
=None):
106 dn: """ + group_dn
+ """
108 sAMAccountName: """ + group_dn
.split(",")[0][3:] + """
113 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
114 if isinstance(desc
, str):
115 ldif
+= "nTSecurityDescriptor: %s" % desc
116 elif isinstance(desc
, security
.descriptor
):
117 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
120 def get_unique_schema_class_name(self
):
122 class_name
= "test-class%s" % random
.randint(1,100000)
123 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
125 self
.ldb_admin
.search(base
=class_dn
, attrs
=["*"])
126 except LdbError
, (num
, _
):
127 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
130 def create_schema_class(self
, _ldb
, object_dn
, desc
=None):
132 dn: """ + object_dn
+ """
133 objectClass: classSchema
134 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
135 defaultObjectCategory: """ + object_dn
+ """
136 distinguishedName: """ + object_dn
+ """
137 governsID: 1.2.840.""" + str(random
.randint(1,100000)) + """.1.5.9939
139 objectClassCategory: 1
140 subClassOf: organizationalPerson
143 systemMustContain: cn
147 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
148 if isinstance(desc
, str):
149 ldif
+= "nTSecurityDescriptor: %s" % desc
150 elif isinstance(desc
, security
.descriptor
):
151 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
154 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
156 dn: """ + object_dn
+ """
157 objectClass: container
158 objectCategory: CN=Container,""" + self
.schema_dn
+ """
159 showInAdvancedViewOnly: TRUE
163 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
164 if isinstance(desc
, str):
165 ldif
+= "nTSecurityDescriptor: %s" % desc
166 elif isinstance(desc
, security
.descriptor
):
167 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
170 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
172 dn: """ + object_dn
+ """
173 objectClass: displaySpecifier
174 showInAdvancedViewOnly: TRUE
177 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
178 if isinstance(desc
, str):
179 ldif
+= "nTSecurityDescriptor: %s" % desc
180 elif isinstance(desc
, security
.descriptor
):
181 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
184 def read_desc(self
, object_dn
, controls
=None):
185 res
= self
.ldb_admin
.search(base
=object_dn
, scope
=SCOPE_BASE
, attrs
=["nTSecurityDescriptor"], controls
=controls
)
186 desc
= res
[0]["nTSecurityDescriptor"][0]
187 return ndr_unpack(security
.descriptor
, desc
)
189 def create_active_user(self
, _ldb
, user_dn
):
191 dn: """ + user_dn
+ """
192 sAMAccountName: """ + user_dn
.split(",")[0][3:] + """
194 unicodePwd:: """ + base64
.b64encode("\"samba123@\"".encode('utf-16-le')) + """
199 def get_ldb_connection(self
, target_username
, target_password
):
200 creds_tmp
= Credentials()
201 creds_tmp
.set_username(target_username
)
202 creds_tmp
.set_password(target_password
)
203 creds_tmp
.set_domain(creds
.get_domain())
204 creds_tmp
.set_realm(creds
.get_realm())
205 creds_tmp
.set_workstation(creds
.get_workstation())
206 creds_tmp
.set_gensec_features(creds_tmp
.get_gensec_features()
207 | gensec
.FEATURE_SEAL
)
208 ldb_target
= SamDB(url
=host
, credentials
=creds_tmp
, lp
=lp
)
211 def get_object_sid(self
, object_dn
):
212 res
= self
.ldb_admin
.search(object_dn
)
213 return ndr_unpack( security
.dom_sid
, res
[0]["objectSid"][0] )
215 def dacl_add_ace(self
, object_dn
, ace
):
216 desc
= self
.read_desc( object_dn
)
217 desc_sddl
= desc
.as_sddl( self
.domain_sid
)
220 if desc_sddl
.find("(") >= 0:
221 desc_sddl
= desc_sddl
[:desc_sddl
.index("(")] + ace
+ desc_sddl
[desc_sddl
.index("("):]
223 desc_sddl
= desc_sddl
+ ace
224 self
.modify_desc(self
.ldb_admin
, object_dn
, desc_sddl
)
226 def get_desc_sddl(self
, object_dn
, controls
=None):
227 """ Return object nTSecutiryDescriptor in SDDL format
229 desc
= self
.read_desc(object_dn
, controls
)
230 return desc
.as_sddl(self
.domain_sid
)
232 def create_enable_user(self
, username
):
233 user_dn
= self
.get_users_domain_dn(username
)
234 self
.create_active_user(self
.ldb_admin
, user_dn
)
235 self
.ldb_admin
.enable_account("(sAMAccountName=" + username
+ ")")
238 super(DescriptorTests
, self
).setUp()
240 self
.base_dn
= ldb
.domain_dn()
241 self
.configuration_dn
= self
.ldb_admin
.get_config_basedn().get_linearized()
242 self
.schema_dn
= self
.ldb_admin
.get_schema_basedn().get_linearized()
243 self
.domain_sid
= self
.find_domain_sid(self
.ldb_admin
)
244 print "baseDN: %s" % self
.base_dn
246 ################################################################################################
250 # Default descriptor tests #####################################################################
252 class OwnerGroupDescriptorTests(DescriptorTests
):
255 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
256 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
257 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
258 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
259 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
260 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
261 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
262 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
264 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
265 self
.delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
266 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
267 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
270 self
.delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
271 + self
.configuration_dn
)
272 self
.delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
275 super(OwnerGroupDescriptorTests
, self
).setUp()
278 # User 1 - Enterprise Admins
279 self
.create_enable_user("testuser1")
280 # User 2 - Domain Admins
281 self
.create_enable_user("testuser2")
282 # User 3 - Schema Admins
283 self
.create_enable_user("testuser3")
284 # User 4 - regular user
285 self
.create_enable_user("testuser4")
286 # User 5 - Enterprise Admins and Domain Admins
287 self
.create_enable_user("testuser5")
288 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
289 self
.create_enable_user("testuser6")
290 # User 7 - Domain Admins and Schema Admins
291 self
.create_enable_user("testuser7")
292 # User 5 - Enterprise Admins and Schema Admins
293 self
.create_enable_user("testuser8")
295 self
.ldb_admin
.add_remove_group_members("Enterprise Admins",
296 "testuser1,testuser5,testuser6,testuser8",
297 add_members_operation
=True)
298 self
.ldb_admin
.add_remove_group_members("Domain Admins",
299 "testuser2,testuser5,testuser6,testuser7",
300 add_members_operation
=True)
301 self
.ldb_admin
.add_remove_group_members("Schema Admins",
302 "testuser3,testuser6,testuser7,testuser8",
303 add_members_operation
=True)
306 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
307 "ds_behavior_win2003" : {
357 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
358 "ds_behavior_win2008" : {
409 # Discover 'msDS-Behavior-Version'
410 res
= self
.ldb_admin
.search(base
=self
.base_dn
, expression
="distinguishedName=%s" % self
.base_dn
, \
411 attrs
=['msDS-Behavior-Version'])
412 res
= int(res
[0]['msDS-Behavior-Version'][0])
413 if res
< DS_DOMAIN_FUNCTION_2008
:
414 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
416 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
419 super(DescriptorTests
, self
).tearDown()
422 def check_user_belongs(self
, user_dn
, groups
=[]):
423 """ Test wether user is member of the expected group(s) """
425 # User is member of at least one additional group
426 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
427 res
= [x
.upper() for x
in sorted(list(res
[0]["memberOf"]))]
430 expected
.append(self
.get_users_domain_dn(x
))
431 expected
= [x
.upper() for x
in sorted(expected
)]
432 self
.assertEqual(expected
, res
)
434 # User is not a member of any additional groups but default
435 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
436 res
= [x
.upper() for x
in res
[0].keys()]
437 self
.assertFalse( "MEMBEROF" in res
)
439 def check_modify_inheritance(self
, _ldb
, object_dn
, owner_group
=""):
441 ace
= "(D;;CC;;;LG)" # Deny Create Children to Guest account
442 if owner_group
!= "":
443 self
.modify_desc(_ldb
, object_dn
, owner_group
+ "D:" + ace
)
445 self
.modify_desc(_ldb
, object_dn
, "D:" + ace
)
446 # Make sure the modify operation has been applied
447 desc_sddl
= self
.get_desc_sddl(object_dn
)
448 self
.assertTrue(ace
in desc_sddl
)
449 # Make sure we have identical result for both "add" and "modify"
450 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
451 print self
._testMethodName
452 test_number
= self
._testMethodName
[5:]
453 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][test_number
], res
)
456 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
458 user_name
= "testuser1"
459 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
460 # Open Ldb connection with the tested user
461 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
462 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
463 self
.delete_force(self
.ldb_admin
, object_dn
)
464 self
.create_domain_group(_ldb
, object_dn
)
465 desc_sddl
= self
.get_desc_sddl(object_dn
)
466 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
467 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
468 self
.check_modify_inheritance(_ldb
, object_dn
)
471 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
473 user_name
= "testuser2"
474 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
475 # Open Ldb connection with the tested user
476 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
477 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
478 self
.delete_force(self
.ldb_admin
, object_dn
)
479 self
.create_domain_group(_ldb
, object_dn
)
480 desc_sddl
= self
.get_desc_sddl(object_dn
)
481 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
482 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
483 self
.check_modify_inheritance(_ldb
, object_dn
)
486 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
488 user_name
= "testuser3"
489 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
490 # Open Ldb connection with the tested user
491 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
492 object_dn
= "OU=test_domain_ou1," + self
.base_dn
493 self
.delete_force(self
.ldb_admin
, object_dn
)
494 self
.ldb_admin
.create_ou(object_dn
)
495 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
496 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
497 self
.dacl_add_ace(object_dn
, mod
)
498 # Create additional object into the first one
499 object_dn
= "CN=test_domain_user1," + object_dn
500 self
.delete_force(self
.ldb_admin
, object_dn
)
501 self
.create_domain_user(_ldb
, object_dn
)
502 desc_sddl
= self
.get_desc_sddl(object_dn
)
503 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
504 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
505 # This fails, research why
506 #self.check_modify_inheritance(_ldb, object_dn)
509 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
511 user_name
= "testuser4"
512 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
513 # Open Ldb connection with the tested user
514 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
515 object_dn
= "OU=test_domain_ou1," + self
.base_dn
516 self
.delete_force(self
.ldb_admin
, object_dn
)
517 self
.ldb_admin
.create_ou(object_dn
)
518 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
519 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
520 self
.dacl_add_ace(object_dn
, mod
)
521 # Create additional object into the first one
522 object_dn
= "CN=test_domain_user1," + object_dn
523 self
.delete_force(self
.ldb_admin
, object_dn
)
524 self
.create_domain_user(_ldb
, object_dn
)
525 desc_sddl
= self
.get_desc_sddl(object_dn
)
526 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
527 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
528 #this fails, research why
529 #self.check_modify_inheritance(_ldb, object_dn)
532 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
534 user_name
= "testuser5"
535 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
536 # Open Ldb connection with the tested user
537 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
538 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
539 self
.delete_force(self
.ldb_admin
, object_dn
)
540 self
.create_domain_group(_ldb
, object_dn
)
541 desc_sddl
= self
.get_desc_sddl(object_dn
)
542 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
543 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
544 self
.check_modify_inheritance(_ldb
, object_dn
)
547 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
549 user_name
= "testuser6"
550 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
551 # Open Ldb connection with the tested user
552 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
553 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
554 self
.delete_force(self
.ldb_admin
, object_dn
)
555 self
.create_domain_group(_ldb
, object_dn
)
556 desc_sddl
= self
.get_desc_sddl(object_dn
)
557 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
558 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
559 self
.check_modify_inheritance(_ldb
, object_dn
)
562 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
564 user_name
= "testuser7"
565 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
566 # Open Ldb connection with the tested user
567 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
568 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
569 self
.delete_force(self
.ldb_admin
, object_dn
)
570 self
.create_domain_group(_ldb
, object_dn
)
571 desc_sddl
= self
.get_desc_sddl(object_dn
)
572 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
573 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
574 self
.check_modify_inheritance(_ldb
, object_dn
)
577 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
579 user_name
= "testuser8"
580 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
581 # Open Ldb connection with the tested user
582 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
583 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
584 self
.delete_force(self
.ldb_admin
, object_dn
)
585 self
.create_domain_group(_ldb
, object_dn
)
586 desc_sddl
= self
.get_desc_sddl(object_dn
)
587 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
588 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
589 self
.check_modify_inheritance(_ldb
, object_dn
)
591 # Control descriptor tests #####################################################################
594 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
596 user_name
= "testuser1"
597 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
598 # Open Ldb connection with the tested user
599 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
600 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
601 self
.delete_force(self
.ldb_admin
, object_dn
)
602 # Create a custom security descriptor
603 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
604 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
605 desc_sddl
= self
.get_desc_sddl(object_dn
)
606 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
607 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
610 """ Domain admin group member creates object (custom descriptor) in DOMAIN
612 user_name
= "testuser2"
613 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
614 # Open Ldb connection with the tested user
615 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
616 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
617 self
.delete_force(self
.ldb_admin
, object_dn
)
618 # Create a custom security descriptor
619 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
620 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
621 desc_sddl
= self
.get_desc_sddl(object_dn
)
622 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
623 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
626 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
628 user_name
= "testuser3"
629 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
630 # Open Ldb connection with the tested user
631 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
632 object_dn
= "OU=test_domain_ou1," + self
.base_dn
633 self
.delete_force(self
.ldb_admin
, object_dn
)
634 self
.ldb_admin
.create_ou(object_dn
)
635 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
636 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
637 self
.dacl_add_ace(object_dn
, mod
)
638 # Create a custom security descriptor
639 # NB! Problematic owner part won't accept DA only <User Sid> !!!
640 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
641 # Create additional object into the first one
642 object_dn
= "CN=test_domain_user1," + object_dn
643 self
.delete_force(self
.ldb_admin
, object_dn
)
644 self
.create_domain_user(_ldb
, object_dn
, desc_sddl
)
645 desc
= self
.read_desc(object_dn
)
646 desc_sddl
= self
.get_desc_sddl(object_dn
)
647 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
648 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
651 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
653 user_name
= "testuser4"
654 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
655 # Open Ldb connection with the tested user
656 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
657 object_dn
= "OU=test_domain_ou1," + self
.base_dn
658 self
.delete_force(self
.ldb_admin
, object_dn
)
659 self
.ldb_admin
.create_ou(object_dn
)
660 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
661 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
662 self
.dacl_add_ace(object_dn
, mod
)
663 # Create a custom security descriptor
664 # NB! Problematic owner part won't accept DA only <User Sid> !!!
665 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
666 # Create additional object into the first one
667 object_dn
= "CN=test_domain_user1," + object_dn
668 self
.delete_force(self
.ldb_admin
, object_dn
)
669 self
.create_domain_user(_ldb
, object_dn
, desc_sddl
)
670 desc
= self
.read_desc(object_dn
)
671 desc_sddl
= self
.get_desc_sddl(object_dn
)
672 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
673 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
676 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
678 user_name
= "testuser5"
679 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
680 # Open Ldb connection with the tested user
681 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
682 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
683 self
.delete_force(self
.ldb_admin
, object_dn
)
684 # Create a custom security descriptor
685 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
686 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
687 desc_sddl
= self
.get_desc_sddl(object_dn
)
688 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
689 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
692 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
694 user_name
= "testuser6"
695 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
696 # Open Ldb connection with the tested user
697 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
698 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
699 self
.delete_force(self
.ldb_admin
, object_dn
)
700 # Create a custom security descriptor
701 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
702 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
703 desc_sddl
= self
.get_desc_sddl(object_dn
)
704 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
705 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
708 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
710 user_name
= "testuser7"
711 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
712 # Open Ldb connection with the tested user
713 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
714 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
715 self
.delete_force(self
.ldb_admin
, object_dn
)
716 # Create a custom security descriptor
717 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
718 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
719 desc_sddl
= self
.get_desc_sddl(object_dn
)
720 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
721 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
724 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
726 user_name
= "testuser8"
727 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
728 # Open Ldb connection with the tested user
729 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
730 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
731 self
.delete_force(self
.ldb_admin
, object_dn
)
732 # Create a custom security descriptor
733 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
734 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
735 desc_sddl
= self
.get_desc_sddl(object_dn
)
736 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
737 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
740 user_name
= "Administrator"
741 object_dn
= "OU=test_domain_ou1," + self
.base_dn
742 self
.delete_force(self
.ldb_admin
, object_dn
)
743 self
.ldb_admin
.create_ou(object_dn
)
744 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
745 mod
= "(D;CI;WP;;;S-1-3-0)"
747 self
.dacl_add_ace(object_dn
, mod
)
748 desc_sddl
= self
.get_desc_sddl(object_dn
)
749 # Create additional object into the first one
750 object_dn
= "OU=test_domain_ou2," + object_dn
751 self
.delete_force(self
.ldb_admin
, object_dn
)
752 self
.ldb_admin
.create_ou(object_dn
)
753 desc_sddl
= self
.get_desc_sddl(object_dn
)
757 # Defalt descriptor tests ##################################################################
760 user_name
= "testuser1"
761 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
762 # Open Ldb connection with the tested user
763 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
764 # Change Schema partition descriptor
765 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
766 mod
= "(A;;WDCC;;;AU)"
767 self
.dacl_add_ace(self
.schema_dn
, mod
)
768 # Create example Schema class
769 class_name
= self
.get_unique_schema_class_name()
770 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
771 self
.create_schema_class(_ldb
, class_dn
)
772 desc_sddl
= self
.get_desc_sddl(class_dn
)
773 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
774 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
775 self
.check_modify_inheritance(_ldb
, class_dn
)
778 user_name
= "testuser2"
779 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
780 # Open Ldb connection with the tested user
781 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
782 # Change Schema partition descriptor
783 mod
= "(A;CI;WDCC;;;AU)"
784 self
.dacl_add_ace(self
.schema_dn
, mod
)
785 # Create example Schema class
786 class_name
= self
.get_unique_schema_class_name()
787 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
788 self
.create_schema_class(_ldb
, class_dn
)
789 desc_sddl
= self
.get_desc_sddl(class_dn
)
790 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
791 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
792 self
.check_modify_inheritance(_ldb
, class_dn
)
795 user_name
= "testuser3"
796 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
797 # Open Ldb connection with the tested user
798 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
799 # Change Schema partition descriptor
800 mod
= "(A;CI;WDCC;;;AU)"
801 self
.dacl_add_ace(self
.schema_dn
, mod
)
802 # Create example Schema class
803 class_name
= self
.get_unique_schema_class_name()
804 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
805 self
.create_schema_class(_ldb
, class_dn
)
806 desc_sddl
= self
.get_desc_sddl(class_dn
)
807 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
808 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
809 #self.check_modify_inheritance(_ldb, class_dn)
812 user_name
= "testuser4"
813 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
814 # Open Ldb connection with the tested user
815 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
816 #Change Schema partition descriptor
817 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
818 mod
= "(A;CI;WDCC;;;AU)"
819 self
.dacl_add_ace(self
.schema_dn
, mod
)
820 # Create example Schema class
821 class_name
= self
.get_unique_schema_class_name()
822 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
823 self
.create_schema_class(_ldb
, class_dn
)
824 desc_sddl
= self
.get_desc_sddl(class_dn
)
825 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
826 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
827 #self.check_modify_inheritance(_ldb, class_dn)
830 user_name
= "testuser5"
831 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
832 # Open Ldb connection with the tested user
833 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
834 #Change Schema partition descriptor
835 mod
= "(A;CI;WDCC;;;AU)"
836 self
.dacl_add_ace(self
.schema_dn
, mod
)
837 # Create example Schema class
838 class_name
= self
.get_unique_schema_class_name()
839 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
840 self
.create_schema_class(_ldb
, class_dn
)
841 desc_sddl
= self
.get_desc_sddl(class_dn
)
842 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
843 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
844 self
.check_modify_inheritance(_ldb
, class_dn
)
847 user_name
= "testuser6"
848 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
849 # Open Ldb connection with the tested user
850 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
851 # Change Schema partition descriptor
852 mod
= "(A;CI;WDCC;;;AU)"
853 self
.dacl_add_ace(self
.schema_dn
, mod
)
854 # Create example Schema class
855 class_name
= self
.get_unique_schema_class_name()
856 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
857 self
.create_schema_class(_ldb
, class_dn
)
858 desc_sddl
= self
.get_desc_sddl(class_dn
)
859 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
860 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
861 self
.check_modify_inheritance(_ldb
, class_dn
)
864 user_name
= "testuser7"
865 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
866 # Open Ldb connection with the tested user
867 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
868 # Change Schema partition descriptor
869 mod
= "(A;CI;WDCC;;;AU)"
870 self
.dacl_add_ace(self
.schema_dn
, mod
)
871 # Create example Schema class
872 class_name
= self
.get_unique_schema_class_name()
873 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
874 self
.create_schema_class(_ldb
, class_dn
)
875 desc_sddl
= self
.get_desc_sddl(class_dn
)
876 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
877 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
878 self
.check_modify_inheritance(_ldb
, class_dn
)
881 user_name
= "testuser8"
882 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
883 # Open Ldb connection with the tested user
884 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
885 # Change Schema partition descriptor
886 mod
= "(A;CI;WDCC;;;AU)"
887 self
.dacl_add_ace(self
.schema_dn
, mod
)
888 # Create example Schema class
889 class_name
= self
.get_unique_schema_class_name()
890 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
891 self
.create_schema_class(_ldb
, class_dn
)
892 desc_sddl
= self
.get_desc_sddl(class_dn
)
893 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
894 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
895 self
.check_modify_inheritance(_ldb
, class_dn
)
897 # Custom descriptor tests ##################################################################
900 user_name
= "testuser1"
901 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
902 # Open Ldb connection with the tested user
903 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
904 # Change Schema partition descriptor
906 self
.dacl_add_ace(self
.schema_dn
, mod
)
907 # Create a custom security descriptor
908 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
909 # Create example Schema class
910 class_name
= self
.get_unique_schema_class_name()
911 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
912 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
913 desc_sddl
= self
.get_desc_sddl(class_dn
)
914 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
915 self
.assertEqual("O:DAG:DA", res
)
918 user_name
= "testuser2"
919 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
920 # Open Ldb connection with the tested user
921 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
922 # Change Schema partition descriptor
924 self
.dacl_add_ace(self
.schema_dn
, mod
)
925 # Create a custom security descriptor
926 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
927 # Create example Schema class
928 class_name
= self
.get_unique_schema_class_name()
929 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
930 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
931 desc_sddl
= self
.get_desc_sddl(class_dn
)
932 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
933 self
.assertEqual("O:DAG:DA", res
)
936 user_name
= "testuser3"
937 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
938 # Open Ldb connection with the tested user
939 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
940 # Create a custom security descriptor
941 # NB! Problematic owner part won't accept DA only <User Sid> !!!
942 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
943 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
944 # Create example Schema class
945 class_name
= self
.get_unique_schema_class_name()
946 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
947 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
948 desc_sddl
= self
.get_desc_sddl(class_dn
)
949 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
950 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
953 user_name
= "testuser4"
954 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
955 # Open Ldb connection with the tested user
956 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
957 # Create a custom security descriptor
958 # NB! Problematic owner part won't accept DA only <User Sid> !!!
959 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
960 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
961 # Create example Schema class
962 class_name
= self
.get_unique_schema_class_name()
963 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
964 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
965 desc_sddl
= self
.get_desc_sddl(class_dn
)
966 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
967 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
970 user_name
= "testuser5"
971 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
972 # Open Ldb connection with the tested user
973 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
974 # Change Schema partition descriptor
976 self
.dacl_add_ace(self
.schema_dn
, mod
)
977 # Create a custom security descriptor
978 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
979 # Create example Schema class
980 class_name
= self
.get_unique_schema_class_name()
981 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
982 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
983 desc_sddl
= self
.get_desc_sddl(class_dn
)
984 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
985 self
.assertEqual("O:DAG:DA", res
)
988 user_name
= "testuser6"
989 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
990 # Open Ldb connection with the tested user
991 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
992 # Change Schema partition descriptor
994 self
.dacl_add_ace(self
.schema_dn
, mod
)
995 # Create a custom security descriptor
996 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
997 # Create example Schema class
998 class_name
= self
.get_unique_schema_class_name()
999 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1000 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1001 desc_sddl
= self
.get_desc_sddl(class_dn
)
1002 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1003 self
.assertEqual("O:DAG:DA", res
)
1006 user_name
= "testuser7"
1007 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1008 # Open Ldb connection with the tested user
1009 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1010 # Change Schema partition descriptor
1011 mod
= "(A;;CC;;;AU)"
1012 self
.dacl_add_ace(self
.schema_dn
, mod
)
1013 # Create a custom security descriptor
1014 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1015 # Create example Schema class
1016 class_name
= self
.get_unique_schema_class_name()
1017 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1018 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1019 desc_sddl
= self
.get_desc_sddl(class_dn
)
1020 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1021 self
.assertEqual("O:DAG:DA", res
)
1024 user_name
= "testuser8"
1025 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1026 # Open Ldb connection with the tested user
1027 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1028 # Change Schema partition descriptor
1029 mod
= "(A;;CC;;;AU)"
1030 self
.dacl_add_ace(self
.schema_dn
, mod
)
1031 # Create a custom security descriptor
1032 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1033 # Create example Schema class
1034 class_name
= self
.get_unique_schema_class_name()
1035 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1036 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1037 desc_sddl
= self
.get_desc_sddl(class_dn
)
1038 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1039 self
.assertEqual("O:DAG:DA", res
)
1041 ## Tests for CONFIGURATION
1043 # Defalt descriptor tests ##################################################################
1046 user_name
= "testuser1"
1047 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1048 # Open Ldb connection with the tested user
1049 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1050 # Create example Configuration container
1051 container_name
= "test-container1"
1052 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1053 self
.delete_force(self
.ldb_admin
, object_dn
)
1054 self
.create_configuration_container(_ldb
, object_dn
, )
1055 desc_sddl
= self
.get_desc_sddl(object_dn
)
1056 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1057 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1058 self
.check_modify_inheritance(_ldb
, object_dn
)
1061 user_name
= "testuser2"
1062 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1063 # Open Ldb connection with the tested user
1064 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1065 # Create example Configuration container
1066 container_name
= "test-container1"
1067 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1068 self
.delete_force(self
.ldb_admin
, object_dn
)
1069 self
.create_configuration_container(_ldb
, object_dn
, )
1070 desc_sddl
= self
.get_desc_sddl(object_dn
)
1071 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1072 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1073 self
.check_modify_inheritance(_ldb
, object_dn
)
1076 user_name
= "testuser3"
1077 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1078 # Open Ldb connection with the tested user
1079 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1080 # Create example Configuration container
1081 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1082 self
.delete_force(self
.ldb_admin
, object_dn
)
1083 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1084 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1085 mod
= "(A;;WDCC;;;AU)"
1086 self
.dacl_add_ace(object_dn
, mod
)
1087 # Create child object with user's credentials
1088 object_dn
= "CN=test-specifier1," + object_dn
1089 self
.delete_force(self
.ldb_admin
, object_dn
)
1090 self
.create_configuration_specifier(_ldb
, object_dn
)
1091 desc_sddl
= self
.get_desc_sddl(object_dn
)
1092 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1093 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1094 #self.check_modify_inheritance(_ldb, object_dn)
1097 user_name
= "testuser4"
1098 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1099 # Open Ldb connection with the tested user
1100 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1101 # Create example Configuration container
1102 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1103 self
.delete_force(self
.ldb_admin
, object_dn
)
1104 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1105 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1106 mod
= "(A;CI;WDCC;;;AU)"
1107 self
.dacl_add_ace(object_dn
, mod
)
1108 # Create child object with user's credentials
1109 object_dn
= "CN=test-specifier1," + object_dn
1110 self
.delete_force(self
.ldb_admin
, object_dn
)
1111 self
.create_configuration_specifier(_ldb
, object_dn
)
1112 desc_sddl
= self
.get_desc_sddl(object_dn
)
1113 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1114 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1115 #self.check_modify_inheritance(_ldb, object_dn)
1118 user_name
= "testuser5"
1119 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1120 # Open Ldb connection with the tested user
1121 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1122 # Create example Configuration container
1123 container_name
= "test-container1"
1124 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1125 self
.delete_force(self
.ldb_admin
, object_dn
)
1126 self
.create_configuration_container(_ldb
, object_dn
, )
1127 desc_sddl
= self
.get_desc_sddl(object_dn
)
1128 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1129 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1130 self
.check_modify_inheritance(_ldb
, object_dn
)
1133 user_name
= "testuser6"
1134 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1135 # Open Ldb connection with the tested user
1136 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1137 # Create example Configuration container
1138 container_name
= "test-container1"
1139 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1140 self
.delete_force(self
.ldb_admin
, object_dn
)
1141 self
.create_configuration_container(_ldb
, object_dn
, )
1142 desc_sddl
= self
.get_desc_sddl(object_dn
)
1143 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1144 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1145 self
.check_modify_inheritance(_ldb
, object_dn
)
1148 user_name
= "testuser7"
1149 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1150 # Open Ldb connection with the tested user
1151 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1152 # Create example Configuration container
1153 container_name
= "test-container1"
1154 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1155 self
.delete_force(self
.ldb_admin
, object_dn
)
1156 self
.create_configuration_container(_ldb
, object_dn
, )
1157 desc_sddl
= self
.get_desc_sddl(object_dn
)
1158 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1159 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1160 self
.check_modify_inheritance(_ldb
, object_dn
)
1163 user_name
= "testuser8"
1164 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1165 # Open Ldb connection with the tested user
1166 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1167 # Create example Configuration container
1168 container_name
= "test-container1"
1169 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1170 self
.delete_force(self
.ldb_admin
, object_dn
)
1171 self
.create_configuration_container(_ldb
, object_dn
, )
1172 desc_sddl
= self
.get_desc_sddl(object_dn
)
1173 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1174 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1175 self
.check_modify_inheritance(_ldb
, object_dn
)
1177 # Custom descriptor tests ##################################################################
1180 user_name
= "testuser1"
1181 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1182 # Open Ldb connection with the tested user
1183 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1184 # Create example Configuration container
1185 container_name
= "test-container1"
1186 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1187 self
.delete_force(self
.ldb_admin
, object_dn
)
1188 # Create a custom security descriptor
1189 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1190 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1191 desc_sddl
= self
.get_desc_sddl(object_dn
)
1192 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1193 self
.assertEqual("O:DAG:DA", res
)
1196 user_name
= "testuser2"
1197 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1198 # Open Ldb connection with the tested user
1199 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1200 # Create example Configuration container
1201 container_name
= "test-container1"
1202 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1203 self
.delete_force(self
.ldb_admin
, object_dn
)
1204 # Create a custom security descriptor
1205 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1206 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1207 desc_sddl
= self
.get_desc_sddl(object_dn
)
1208 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1209 self
.assertEqual("O:DAG:DA", res
)
1212 user_name
= "testuser3"
1213 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1214 # Open Ldb connection with the tested user
1215 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1216 # Create example Configuration container
1217 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1218 self
.delete_force(self
.ldb_admin
, object_dn
)
1219 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1220 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1221 mod
= "(A;;CC;;;AU)"
1222 self
.dacl_add_ace(object_dn
, mod
)
1223 # Create child object with user's credentials
1224 object_dn
= "CN=test-specifier1," + object_dn
1225 self
.delete_force(self
.ldb_admin
, object_dn
)
1226 # Create a custom security descriptor
1227 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1228 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1229 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1230 desc_sddl
= self
.get_desc_sddl(object_dn
)
1231 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1232 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1235 user_name
= "testuser4"
1236 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1237 # Open Ldb connection with the tested user
1238 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1239 # Create example Configuration container
1240 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1241 self
.delete_force(self
.ldb_admin
, object_dn
)
1242 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1243 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1244 mod
= "(A;;CC;;;AU)"
1245 self
.dacl_add_ace(object_dn
, mod
)
1246 # Create child object with user's credentials
1247 object_dn
= "CN=test-specifier1," + object_dn
1248 self
.delete_force(self
.ldb_admin
, object_dn
)
1249 # Create a custom security descriptor
1250 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1251 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1252 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1253 desc_sddl
= self
.get_desc_sddl(object_dn
)
1254 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1255 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1258 user_name
= "testuser5"
1259 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1260 # Open Ldb connection with the tested user
1261 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1262 # Create example Configuration container
1263 container_name
= "test-container1"
1264 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1265 self
.delete_force(self
.ldb_admin
, object_dn
)
1266 # Create a custom security descriptor
1267 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1268 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1269 desc_sddl
= self
.get_desc_sddl(object_dn
)
1270 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1271 self
.assertEqual("O:DAG:DA", res
)
1274 user_name
= "testuser6"
1275 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1276 # Open Ldb connection with the tested user
1277 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1278 # Create example Configuration container
1279 container_name
= "test-container1"
1280 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1281 self
.delete_force(self
.ldb_admin
, object_dn
)
1282 # Create a custom security descriptor
1283 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1284 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1285 desc_sddl
= self
.get_desc_sddl(object_dn
)
1286 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1287 self
.assertEqual("O:DAG:DA", res
)
1290 user_name
= "testuser7"
1291 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1292 # Open Ldb connection with the tested user
1293 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1294 # Create example Configuration container
1295 container_name
= "test-container1"
1296 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1297 self
.delete_force(self
.ldb_admin
, object_dn
)
1298 # Create a custom security descriptor
1299 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1300 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1301 desc_sddl
= self
.get_desc_sddl(object_dn
)
1302 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1303 self
.assertEqual("O:DAG:DA", res
)
1306 user_name
= "testuser8"
1307 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1308 # Open Ldb connection with the tested user
1309 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1310 # Create example Configuration container
1311 container_name
= "test-container1"
1312 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1313 self
.delete_force(self
.ldb_admin
, object_dn
)
1314 # Create a custom security descriptor
1315 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1316 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1317 desc_sddl
= self
.get_desc_sddl(object_dn
)
1318 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1319 self
.assertEqual("O:DAG:DA", res
)
1321 ########################################################################################
1322 # Inharitance tests for DACL
1324 class DaclDescriptorTests(DescriptorTests
):
1326 def deleteAll(self
):
1327 self
.delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1328 self
.delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1331 super(DaclDescriptorTests
, self
).setUp()
1334 def create_clean_ou(self
, object_dn
):
1335 """ Base repeating setup for unittests to follow """
1336 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
, \
1337 expression
="distinguishedName=%s" % object_dn
)
1338 # Make sure top testing OU has been deleted before starting the test
1339 self
.assertEqual(res
, [])
1340 self
.ldb_admin
.create_ou(object_dn
)
1341 desc_sddl
= self
.get_desc_sddl(object_dn
)
1342 # Make sure there are inheritable ACEs initially
1343 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1344 # Find and remove all inherit ACEs
1345 res
= re
.findall("\(.*?\)", desc_sddl
)
1346 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1348 desc_sddl
= desc_sddl
.replace(x
, "")
1349 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1350 # can propagate from above
1351 # remove SACL, we are not interested
1352 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1353 self
.modify_desc(self
.ldb_admin
, object_dn
, desc_sddl
)
1354 # Verify all inheritable ACEs are gone
1355 desc_sddl
= self
.get_desc_sddl(object_dn
)
1356 self
.assertFalse("CI" in desc_sddl
)
1357 self
.assertFalse("OI" in desc_sddl
)
1360 """ OU with protected flag and child group. See if the group has inherit ACEs.
1362 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1363 group_dn
= "CN=test_inherit_group," + ou_dn
1364 # Create inheritable-free OU
1365 self
.create_clean_ou(ou_dn
)
1366 # Create group child object
1367 self
.create_domain_group(self
.ldb_admin
, group_dn
)
1368 # Make sure created group object contains NO inherit ACEs
1369 desc_sddl
= self
.get_desc_sddl(group_dn
)
1370 self
.assertFalse("ID" in desc_sddl
)
1373 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1374 Verify group has custom and default ACEs only.
1376 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1377 group_dn
= "CN=test_inherit_group," + ou_dn
1378 # Create inheritable-free OU
1379 self
.create_clean_ou(ou_dn
)
1380 # Create group child object using custom security descriptor
1381 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1382 self
.create_domain_group(self
.ldb_admin
, group_dn
, sddl
)
1383 # Make sure created group descriptor has NO additional ACEs
1384 desc_sddl
= self
.get_desc_sddl(group_dn
)
1385 self
.assertEqual(desc_sddl
, sddl
)
1386 sddl
= "O:AUG:AUD:AI(D;;CC;;;LG)"
1387 self
.modify_desc(self
.ldb_admin
, group_dn
, sddl
)
1388 desc_sddl
= self
.get_desc_sddl(group_dn
)
1389 self
.assertEqual(desc_sddl
, sddl
)
1392 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1393 See if the group has any of the added ACEs.
1395 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1396 group_dn
= "CN=test_inherit_group," + ou_dn
1397 # Create inheritable-free OU
1398 self
.create_clean_ou(ou_dn
)
1399 # Add some custom non-inheritable ACEs
1400 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1401 moded
= "(D;;CC;;;LG)"
1402 self
.dacl_add_ace(ou_dn
, mod
)
1403 # Verify all inheritable ACEs are gone
1404 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1405 # Create group child object
1406 self
.create_domain_group(self
.ldb_admin
, group_dn
)
1407 # Make sure created group object contains NO inherit ACEs
1408 # also make sure the added above non-inheritable ACEs are absent too
1409 desc_sddl
= self
.get_desc_sddl(group_dn
)
1410 self
.assertFalse("ID" in desc_sddl
)
1411 for x
in re
.findall("\(.*?\)", mod
):
1412 self
.assertFalse(x
in desc_sddl
)
1413 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1414 desc_sddl
= self
.get_desc_sddl(group_dn
)
1415 self
.assertFalse("ID" in desc_sddl
)
1416 for x
in re
.findall("\(.*?\)", mod
):
1417 self
.assertFalse(x
in desc_sddl
)
1420 """ OU with protected flag and add 'CI' ACE, child group.
1421 See if the group has the added inherited ACE.
1423 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1424 group_dn
= "CN=test_inherit_group," + ou_dn
1425 # Create inheritable-free OU
1426 self
.create_clean_ou(ou_dn
)
1427 # Add some custom 'CI' ACE
1428 mod
= "(D;CI;WP;;;DU)"
1429 moded
= "(D;;CC;;;LG)"
1430 self
.dacl_add_ace(ou_dn
, mod
)
1431 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1432 # Create group child object
1433 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1434 # Make sure created group object contains only the above inherited ACE
1435 # that we've added manually
1436 desc_sddl
= self
.get_desc_sddl(group_dn
)
1437 mod
= mod
.replace(";CI;", ";CIID;")
1438 self
.assertTrue(mod
in desc_sddl
)
1439 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1440 desc_sddl
= self
.get_desc_sddl(group_dn
)
1441 self
.assertTrue(moded
in desc_sddl
)
1442 self
.assertTrue(mod
in desc_sddl
)
1445 """ OU with protected flag and add 'OI' ACE, child group.
1446 See if the group has the added inherited ACE.
1448 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1449 group_dn
= "CN=test_inherit_group," + ou_dn
1450 # Create inheritable-free OU
1451 self
.create_clean_ou(ou_dn
)
1452 # Add some custom 'CI' ACE
1453 mod
= "(D;OI;WP;;;DU)"
1454 moded
= "(D;;CC;;;LG)"
1455 self
.dacl_add_ace(ou_dn
, mod
)
1456 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1457 # Create group child object
1458 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1459 # Make sure created group object contains only the above inherited ACE
1460 # that we've added manually
1461 desc_sddl
= self
.get_desc_sddl(group_dn
)
1462 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1463 self
.assertTrue(mod
in desc_sddl
)
1464 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" +moded
)
1465 desc_sddl
= self
.get_desc_sddl(group_dn
)
1466 self
.assertTrue(moded
in desc_sddl
)
1467 self
.assertTrue(mod
in desc_sddl
)
1470 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1471 See if the group has the added inherited ACE.
1473 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1474 group_dn
= "CN=test_inherit_group," + ou_dn
1475 # Create inheritable-free OU
1476 self
.create_clean_ou(ou_dn
)
1477 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1478 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1479 moded
= "(D;;CC;;;LG)"
1480 self
.dacl_add_ace(ou_dn
, mod
)
1481 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1482 # Create group child object
1483 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1484 # Make sure created group object contains only the above inherited ACE
1485 # that we've added manually
1486 desc_sddl
= self
.get_desc_sddl(group_dn
)
1487 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1488 self
.assertTrue(mod
in desc_sddl
)
1489 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1490 desc_sddl
= self
.get_desc_sddl(group_dn
)
1491 self
.assertTrue(moded
in desc_sddl
)
1492 self
.assertTrue(mod
in desc_sddl
)
1495 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1496 See if the group has the added inherited ACE.
1498 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1499 group_dn
= "CN=test_inherit_group," + ou_dn
1500 # Create inheritable-free OU
1501 self
.create_clean_ou(ou_dn
)
1502 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1503 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1504 moded
= "(D;;CC;;;LG)"
1505 self
.dacl_add_ace(ou_dn
, mod
)
1506 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1507 # Create group child object
1508 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1509 # Make sure created group object contains only the above inherited ACE
1510 # that we've added manually
1511 desc_sddl
= self
.get_desc_sddl(group_dn
)
1512 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1513 self
.assertTrue(mod
in desc_sddl
)
1514 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1515 desc_sddl
= self
.get_desc_sddl(group_dn
)
1516 self
.assertTrue(moded
in desc_sddl
)
1517 self
.assertTrue(mod
in desc_sddl
)
1520 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1521 See if the group has the added inherited ACE.
1523 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1524 group_dn
= "CN=test_inherit_group," + ou_dn
1525 # Create inheritable-free OU
1526 self
.create_clean_ou(ou_dn
)
1527 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1528 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1529 moded
= "(D;;CC;;;LG)"
1530 self
.dacl_add_ace(ou_dn
, mod
)
1531 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1532 # Create group child object
1533 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1534 # Make sure created group object contains only the above inherited ACE
1535 # that we've added manually
1536 desc_sddl
= self
.get_desc_sddl(group_dn
)
1537 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1538 self
.assertTrue(mod
in desc_sddl
)
1539 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1540 desc_sddl
= self
.get_desc_sddl(group_dn
)
1541 self
.assertTrue(moded
in desc_sddl
)
1542 self
.assertTrue(mod
in desc_sddl
)
1545 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1546 See if the group has the added inherited ACE.
1548 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1549 group_dn
= "CN=test_inherit_group," + ou_dn
1550 # Create inheritable-free OU
1551 self
.create_clean_ou(ou_dn
)
1552 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1553 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1554 moded
= "(D;;CC;;;LG)"
1555 self
.dacl_add_ace(ou_dn
, mod
)
1556 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1557 # Create group child object
1558 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1559 # Make sure created group object contains only the above inherited ACE
1560 # that we've added manually
1561 desc_sddl
= self
.get_desc_sddl(group_dn
)
1562 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1563 self
.assertTrue(mod
in desc_sddl
)
1564 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded
)
1565 desc_sddl
= self
.get_desc_sddl(group_dn
)
1566 self
.assertTrue(moded
in desc_sddl
)
1567 self
.assertTrue(mod
in desc_sddl
)
1570 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1571 See if the group has the added inherited ACE.
1573 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1574 group_dn
= "CN=test_inherit_group," + ou_dn
1575 # Create inheritable-free OU
1576 self
.create_clean_ou(ou_dn
)
1577 # Add some custom 'CI' ACE
1578 mod
= "(D;CI;WP;;;CO)"
1579 moded
= "(D;;CC;;;LG)"
1580 self
.dacl_add_ace(ou_dn
, mod
)
1581 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1582 # Create group child object
1583 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1584 # Make sure created group object contains only the above inherited ACE(s)
1585 # that we've added manually
1586 desc_sddl
= self
.get_desc_sddl(group_dn
)
1587 self
.assertTrue("(D;ID;WP;;;AU)" in desc_sddl
)
1588 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1589 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1590 desc_sddl
= self
.get_desc_sddl(group_dn
)
1591 self
.assertTrue(moded
in desc_sddl
)
1592 self
.assertTrue("(D;ID;WP;;;DA)" in desc_sddl
)
1593 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1596 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1598 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1599 group_dn
= "CN=test_inherit_group," + ou_dn
1600 self
.create_clean_ou(ou_dn
)
1601 # Add some custom ACE
1602 mod
= "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1603 self
.create_domain_group(self
.ldb_admin
, group_dn
, mod
)
1604 # Make sure created group object does not contain the ID ace
1605 desc_sddl
= self
.get_desc_sddl(group_dn
)
1606 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1609 """ Provide ACE with CO SID, should be expanded and replaced
1611 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1612 group_dn
= "CN=test_inherit_group," + ou_dn
1613 # Create inheritable-free OU
1614 self
.create_clean_ou(ou_dn
)
1615 # Add some custom 'CI' ACE
1616 mod
= "D:(D;CI;WP;;;CO)"
1617 self
.create_domain_group(self
.ldb_admin
, group_dn
, mod
)
1618 desc_sddl
= self
.get_desc_sddl(group_dn
)
1619 self
.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl
)
1622 """ Provide ACE with IO flag, should be ignored
1624 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1625 group_dn
= "CN=test_inherit_group," + ou_dn
1626 # Create inheritable-free OU
1627 self
.create_clean_ou(ou_dn
)
1628 # Add some custom 'CI' ACE
1629 mod
= "D:(D;CIIO;WP;;;CO)"
1630 self
.create_domain_group(self
.ldb_admin
, group_dn
, mod
)
1631 # Make sure created group object contains only the above inherited ACE(s)
1632 # that we've added manually
1633 desc_sddl
= self
.get_desc_sddl(group_dn
)
1634 self
.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl
)
1635 self
.assertFalse("(D;;WP;;;DA)" in desc_sddl
)
1636 self
.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl
)
1639 """ Provide ACE with IO flag, should be ignored
1641 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1642 group_dn
= "CN=test_inherit_group," + ou_dn
1643 # Create inheritable-free OU
1644 self
.create_clean_ou(ou_dn
)
1645 mod
= "D:(D;IO;WP;;;DA)"
1646 self
.create_domain_group(self
.ldb_admin
, group_dn
, mod
)
1647 # Make sure created group object contains only the above inherited ACE(s)
1648 # that we've added manually
1649 desc_sddl
= self
.get_desc_sddl(group_dn
)
1650 self
.assertFalse("(D;IO;WP;;;DA)" in desc_sddl
)
1652 ########################################################################################
1655 class SdFlagsDescriptorTests(DescriptorTests
):
1656 def deleteAll(self
):
1657 self
.delete_force(self
.ldb_admin
, "OU=test_sdflags_ou," + self
.base_dn
)
1660 super(SdFlagsDescriptorTests
, self
).setUp()
1661 self
.test_descr
= "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1665 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1666 See that only the owner has been changed.
1668 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1669 self
.ldb_admin
.create_ou(ou_dn
)
1670 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1671 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1672 # make sure we have modified the owner
1673 self
.assertTrue("O:AU" in desc_sddl
)
1674 # make sure nothing else has been modified
1675 self
.assertFalse("G:AU" in desc_sddl
)
1676 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1677 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1680 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1681 See that only the owner has been changed.
1683 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1684 self
.ldb_admin
.create_ou(ou_dn
)
1685 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1686 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1687 # make sure we have modified the group
1688 self
.assertTrue("G:AU" in desc_sddl
)
1689 # make sure nothing else has been modified
1690 self
.assertFalse("O:AU" in desc_sddl
)
1691 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1692 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1695 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1696 See that only the owner has been changed.
1698 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1699 self
.ldb_admin
.create_ou(ou_dn
)
1700 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1701 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1702 # make sure we have modified the DACL
1703 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1704 # make sure nothing else has been modified
1705 self
.assertFalse("O:AU" in desc_sddl
)
1706 self
.assertFalse("G:AU" in desc_sddl
)
1707 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1710 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1711 See that only the owner has been changed.
1713 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1714 self
.ldb_admin
.create_ou(ou_dn
)
1715 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1716 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1717 # make sure we have modified the DACL
1718 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1719 # make sure nothing else has been modified
1720 self
.assertFalse("O:AU" in desc_sddl
)
1721 self
.assertFalse("G:AU" in desc_sddl
)
1722 self
.assertFalse("(D;;CC;;;LG)" in desc_sddl
)
1725 """ Modify a descriptor with 0x0 set.
1726 Contrary to logic this is interpreted as no control,
1727 which is the same as 0xF
1729 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1730 self
.ldb_admin
.create_ou(ou_dn
)
1731 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:0"])
1732 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1733 # make sure we have modified the DACL
1734 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1735 # make sure nothing else has been modified
1736 self
.assertTrue("O:AU" in desc_sddl
)
1737 self
.assertTrue("G:AU" in desc_sddl
)
1738 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1741 """ Modify a descriptor with 0xF set.
1743 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1744 self
.ldb_admin
.create_ou(ou_dn
)
1745 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:15"])
1746 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1747 # make sure we have modified the DACL
1748 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1749 # make sure nothing else has been modified
1750 self
.assertTrue("O:AU" in desc_sddl
)
1751 self
.assertTrue("G:AU" in desc_sddl
)
1752 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1755 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1756 Only the owner part should be returned.
1758 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1759 self
.ldb_admin
.create_ou(ou_dn
)
1760 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1761 # make sure we have read the owner
1762 self
.assertTrue("O:" in desc_sddl
)
1763 # make sure we have read nothing else
1764 self
.assertFalse("G:" in desc_sddl
)
1765 self
.assertFalse("D:" in desc_sddl
)
1766 self
.assertFalse("S:" in desc_sddl
)
1769 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1770 Only the group part should be returned.
1772 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1773 self
.ldb_admin
.create_ou(ou_dn
)
1774 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1775 # make sure we have read the owner
1776 self
.assertTrue("G:" in desc_sddl
)
1777 # make sure we have read nothing else
1778 self
.assertFalse("O:" in desc_sddl
)
1779 self
.assertFalse("D:" in desc_sddl
)
1780 self
.assertFalse("S:" in desc_sddl
)
1783 """ Read a descriptor with SACL_SECURITY_INFORMATION
1784 Only the sacl part should be returned.
1786 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1787 self
.ldb_admin
.create_ou(ou_dn
)
1788 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1789 # make sure we have read the owner
1790 self
.assertTrue("S:" in desc_sddl
)
1791 # make sure we have read nothing else
1792 self
.assertFalse("O:" in desc_sddl
)
1793 self
.assertFalse("D:" in desc_sddl
)
1794 self
.assertFalse("G:" in desc_sddl
)
1797 """ Read a descriptor with DACL_SECURITY_INFORMATION
1798 Only the dacl part should be returned.
1800 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1801 self
.ldb_admin
.create_ou(ou_dn
)
1802 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1803 # make sure we have read the owner
1804 self
.assertTrue("D:" in desc_sddl
)
1805 # make sure we have read nothing else
1806 self
.assertFalse("O:" in desc_sddl
)
1807 self
.assertFalse("S:" in desc_sddl
)
1808 self
.assertFalse("G:" in desc_sddl
)
1811 class RightsAttributesTests(DescriptorTests
):
1813 def deleteAll(self
):
1814 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr"))
1815 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr2"))
1816 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
1819 super(RightsAttributesTests
, self
).setUp()
1823 self
.create_enable_user("testuser_attr")
1824 # User 2, Domain Admins
1825 self
.create_enable_user("testuser_attr2")
1826 self
.ldb_admin
.add_remove_group_members("Domain Admins",
1828 add_members_operation
=True)
1830 def test_sDRightsEffective(self
):
1831 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1832 self
.delete_force(self
.ldb_admin
, object_dn
)
1833 self
.ldb_admin
.create_ou(object_dn
)
1834 print self
.get_users_domain_dn("testuser_attr")
1835 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1836 #give testuser1 read access so attributes can be retrieved
1837 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1838 self
.dacl_add_ace(object_dn
, mod
)
1839 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1840 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1841 attrs
=["sDRightsEffective"])
1842 #user whould have no rights at all
1843 self
.assertEquals(len(res
), 1)
1844 self
.assertEquals(res
[0]["sDRightsEffective"][0], "0")
1845 #give the user Write DACL and see what happens
1846 mod
= "(A;CI;WD;;;%s)" % str(user_sid
)
1847 self
.dacl_add_ace(object_dn
, mod
)
1848 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1849 attrs
=["sDRightsEffective"])
1850 #user whould have DACL_SECURITY_INFORMATION
1851 self
.assertEquals(len(res
), 1)
1852 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL
)
1853 #give the user Write Owners and see what happens
1854 mod
= "(A;CI;WO;;;%s)" % str(user_sid
)
1855 self
.dacl_add_ace(object_dn
, mod
)
1856 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1857 attrs
=["sDRightsEffective"])
1858 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1859 self
.assertEquals(len(res
), 1)
1860 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER
))
1861 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1862 _ldb
= self
.get_ldb_connection("testuser_attr2", "samba123@")
1863 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1864 attrs
=["sDRightsEffective"])
1865 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1866 self
.assertEquals(len(res
), 1)
1867 self
.assertEquals(res
[0]["sDRightsEffective"][0], \
1868 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL
))
1870 def test_allowedChildClassesEffective(self
):
1871 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1872 self
.delete_force(self
.ldb_admin
, object_dn
)
1873 self
.ldb_admin
.create_ou(object_dn
)
1874 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1875 #give testuser1 read access so attributes can be retrieved
1876 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1877 self
.dacl_add_ace(object_dn
, mod
)
1878 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1879 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1880 attrs
=["allowedChildClassesEffective"])
1881 #there should be no allowed child classes
1882 self
.assertEquals(len(res
), 1)
1883 self
.assertFalse("allowedChildClassesEffective" in res
[0].keys())
1884 #give the user the right to create children of type user
1885 mod
= "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1886 self
.dacl_add_ace(object_dn
, mod
)
1887 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1888 attrs
=["allowedChildClassesEffective"])
1889 # allowedChildClassesEffective should only have one value, user
1890 self
.assertEquals(len(res
), 1)
1891 self
.assertEquals(len(res
[0]["allowedChildClassesEffective"]), 1)
1892 self
.assertEquals(res
[0]["allowedChildClassesEffective"][0], "user")
1894 def test_allowedAttributesEffective(self
):
1895 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1896 self
.delete_force(self
.ldb_admin
, object_dn
)
1897 self
.ldb_admin
.create_ou(object_dn
)
1898 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1899 #give testuser1 read access so attributes can be retrieved
1900 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1901 self
.dacl_add_ace(object_dn
, mod
)
1902 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1903 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1904 attrs
=["allowedAttributesEffective"])
1905 #there should be no allowed attributes
1906 self
.assertEquals(len(res
), 1)
1907 self
.assertFalse("allowedAttributesEffective" in res
[0].keys())
1908 #give the user the right to write displayName and managedBy
1909 mod2
= "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1910 mod
= "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid
)
1911 # also rights to modify an read only attribute, fromEntry
1912 mod3
= "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid
)
1913 self
.dacl_add_ace(object_dn
, mod
+ mod2
+ mod3
)
1914 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1915 attrs
=["allowedAttributesEffective"])
1916 # value should only contain user and managedBy
1917 self
.assertEquals(len(res
), 1)
1918 self
.assertEquals(len(res
[0]["allowedAttributesEffective"]), 2)
1919 self
.assertTrue("displayName" in res
[0]["allowedAttributesEffective"])
1920 self
.assertTrue("managedBy" in res
[0]["allowedAttributesEffective"])
1922 if not "://" in host
:
1923 if os
.path
.isfile(host
):
1924 host
= "tdb://%s" % host
1926 host
= "ldap://%s" % host
1928 # use 'paged_search' module when connecting remotely
1929 if host
.lower().startswith("ldap://"):
1930 ldb_options
= ["modules:paged_searches"]
1934 session_info
=system_session(),
1936 options
=ldb_options
)
1938 runner
= SubunitTestRunner()
1940 if not runner
.run(unittest
.makeSuite(OwnerGroupDescriptorTests
)).wasSuccessful():
1942 if not runner
.run(unittest
.makeSuite(DaclDescriptorTests
)).wasSuccessful():
1944 if not runner
.run(unittest
.makeSuite(SdFlagsDescriptorTests
)).wasSuccessful():
1946 if not runner
.run(unittest
.makeSuite(RightsAttributesTests
)).wasSuccessful():