search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-tests: Modified sec_descriptor.py to use SamDB.create_ou()
[Samba/gebeck_regimport.git] / source4 / dsdb / tests / python / sec_descriptor.py
blob3b09d0b44ed926cd7a5ff08175b7b04df2a7f1f9
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3
4 import optparse
5 import sys
6 import os
7 import base64
8 import re
9 import random
10
11 sys.path.append("bin/python")
12 import samba
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
20
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
24
25 from samba import gensec
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
33 import samba.tests
34 import unittest
35
36 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
37 sambaopts = options.SambaOptions(parser)
38 parser.add_option_group(sambaopts)
39 parser.add_option_group(options.VersionOptions(parser))
40
41 # use command line creds if available
42 credopts = options.CredentialsOptions(parser)
43 parser.add_option_group(credopts)
44 opts, args = parser.parse_args()
45
46 if len(args) < 1:
47 parser.print_usage()
48 sys.exit(1)
49
50 host = args[0]
51
52 lp = sambaopts.get_loadparm()
53 creds = credopts.get_credentials(lp)
54 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
55
56 #
57 # Tests start here
58 #
59
60 class DescriptorTests(samba.tests.TestCase):
61
62 def delete_force(self, ldb, dn):
63 try:
64 ldb.delete(dn)
65 except LdbError, (num, _):
66 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
67
68 def find_domain_sid(self, ldb):
69 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
70 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
71
72 def get_users_domain_dn(self, name):
73 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
74
75 def modify_desc(self, _ldb, object_dn, desc, controls=None):
76 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
77 mod = """
78 dn: """ + object_dn + """
79 changetype: modify
80 replace: nTSecurityDescriptor
81 """
82 if isinstance(desc, str):
83 mod += "nTSecurityDescriptor: %s" % desc
84 elif isinstance(desc, security.descriptor):
85 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
86 _ldb.modify_ldif(mod, controls)
87
88 def create_domain_user(self, _ldb, user_dn, desc=None):
89 ldif = """
90 dn: """ + user_dn + """
91 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
92 objectClass: user
93 userPassword: samba123@
94 url: www.example.com
95 """
96 if desc:
97 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
98 if isinstance(desc, str):
99 ldif += "nTSecurityDescriptor: %s" % desc
100 elif isinstance(desc, security.descriptor):
101 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
102 _ldb.add_ldif(ldif)
103
104 def create_domain_group(self, _ldb, group_dn, desc=None):
105 ldif = """
106 dn: """ + group_dn + """
107 objectClass: group
108 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
109 groupType: 4
110 url: www.example.com
111 """
112 if desc:
113 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
114 if isinstance(desc, str):
115 ldif += "nTSecurityDescriptor: %s" % desc
116 elif isinstance(desc, security.descriptor):
117 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
118 _ldb.add_ldif(ldif)
119
120 def get_unique_schema_class_name(self):
121 while True:
122 class_name = "test-class%s" % random.randint(1,100000)
123 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
124 try:
125 self.ldb_admin.search(base=class_dn, attrs=["*"])
126 except LdbError, (num, _):
127 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
128 return class_name
129
130 def create_schema_class(self, _ldb, object_dn, desc=None):
131 ldif = """
132 dn: """ + object_dn + """
133 objectClass: classSchema
134 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
135 defaultObjectCategory: """ + object_dn + """
136 distinguishedName: """ + object_dn + """
137 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
138 instanceType: 4
139 objectClassCategory: 1
140 subClassOf: organizationalPerson
141 systemFlags: 16
142 rDNAttID: cn
143 systemMustContain: cn
144 systemOnly: FALSE
145 """
146 if desc:
147 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
148 if isinstance(desc, str):
149 ldif += "nTSecurityDescriptor: %s" % desc
150 elif isinstance(desc, security.descriptor):
151 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
152 _ldb.add_ldif(ldif)
153
154 def create_configuration_container(self, _ldb, object_dn, desc=None):
155 ldif = """
156 dn: """ + object_dn + """
157 objectClass: container
158 objectCategory: CN=Container,""" + self.schema_dn + """
159 showInAdvancedViewOnly: TRUE
160 instanceType: 4
161 """
162 if desc:
163 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
164 if isinstance(desc, str):
165 ldif += "nTSecurityDescriptor: %s" % desc
166 elif isinstance(desc, security.descriptor):
167 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
168 _ldb.add_ldif(ldif)
169
170 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
171 ldif = """
172 dn: """ + object_dn + """
173 objectClass: displaySpecifier
174 showInAdvancedViewOnly: TRUE
175 """
176 if desc:
177 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
178 if isinstance(desc, str):
179 ldif += "nTSecurityDescriptor: %s" % desc
180 elif isinstance(desc, security.descriptor):
181 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
182 _ldb.add_ldif(ldif)
183
184 def read_desc(self, object_dn, controls=None):
185 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
186 desc = res[0]["nTSecurityDescriptor"][0]
187 return ndr_unpack(security.descriptor, desc)
188
189 def create_active_user(self, _ldb, user_dn):
190 ldif = """
191 dn: """ + user_dn + """
192 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
193 objectClass: user
194 unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
195 url: www.example.com
196 """
197 _ldb.add_ldif(ldif)
198
199 def get_ldb_connection(self, target_username, target_password):
200 creds_tmp = Credentials()
201 creds_tmp.set_username(target_username)
202 creds_tmp.set_password(target_password)
203 creds_tmp.set_domain(creds.get_domain())
204 creds_tmp.set_realm(creds.get_realm())
205 creds_tmp.set_workstation(creds.get_workstation())
206 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
207 | gensec.FEATURE_SEAL)
208 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
209 return ldb_target
210
211 def get_object_sid(self, object_dn):
212 res = self.ldb_admin.search(object_dn)
213 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
214
215 def dacl_add_ace(self, object_dn, ace):
216 desc = self.read_desc( object_dn )
217 desc_sddl = desc.as_sddl( self.domain_sid )
218 if ace in desc_sddl:
219 return
220 if desc_sddl.find("(") >= 0:
221 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
222 else:
223 desc_sddl = desc_sddl + ace
224 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
225
226 def get_desc_sddl(self, object_dn, controls=None):
227 """ Return object nTSecutiryDescriptor in SDDL format
228 """
229 desc = self.read_desc(object_dn, controls)
230 return desc.as_sddl(self.domain_sid)
231
232 def create_enable_user(self, username):
233 user_dn = self.get_users_domain_dn(username)
234 self.create_active_user(self.ldb_admin, user_dn)
235 self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
236
237 def setUp(self):
238 super(DescriptorTests, self).setUp()
239 self.ldb_admin = ldb
240 self.base_dn = ldb.domain_dn()
241 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
242 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
243 self.domain_sid = self.find_domain_sid(self.ldb_admin)
244 print "baseDN: %s" % self.base_dn
245
246 ################################################################################################
247
248 ## Tests for DOMAIN
249
250 # Default descriptor tests #####################################################################
251
252 class OwnerGroupDescriptorTests(DescriptorTests):
253
254 def deleteAll(self):
255 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
256 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
257 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
258 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
259 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
260 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
261 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
262 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
263 # DOMAIN
264 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
265 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
266 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
267 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
268 # SCHEMA
269 # CONFIGURATION
270 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
271 + self.configuration_dn)
272 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
273
274 def setUp(self):
275 super(OwnerGroupDescriptorTests, self).setUp()
276 self.deleteAll()
277 ### Create users
278 # User 1 - Enterprise Admins
279 self.create_enable_user("testuser1")
280 # User 2 - Domain Admins
281 self.create_enable_user("testuser2")
282 # User 3 - Schema Admins
283 self.create_enable_user("testuser3")
284 # User 4 - regular user
285 self.create_enable_user("testuser4")
286 # User 5 - Enterprise Admins and Domain Admins
287 self.create_enable_user("testuser5")
288 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
289 self.create_enable_user("testuser6")
290 # User 7 - Domain Admins and Schema Admins
291 self.create_enable_user("testuser7")
292 # User 5 - Enterprise Admins and Schema Admins
293 self.create_enable_user("testuser8")
294
295 self.ldb_admin.add_remove_group_members("Enterprise Admins",
296 "testuser1,testuser5,testuser6,testuser8",
297 add_members_operation=True)
298 self.ldb_admin.add_remove_group_members("Domain Admins",
299 "testuser2,testuser5,testuser6,testuser7",
300 add_members_operation=True)
301 self.ldb_admin.add_remove_group_members("Schema Admins",
302 "testuser3,testuser6,testuser7,testuser8",
303 add_members_operation=True)
304
305 self.results = {
306 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
307 "ds_behavior_win2003" : {
308 "100" : "O:EAG:DU",
309 "101" : "O:DAG:DU",
310 "102" : "O:%sG:DU",
311 "103" : "O:%sG:DU",
312 "104" : "O:DAG:DU",
313 "105" : "O:DAG:DU",
314 "106" : "O:DAG:DU",
315 "107" : "O:EAG:DU",
316 "108" : "O:DAG:DA",
317 "109" : "O:DAG:DA",
318 "110" : "O:%sG:DA",
319 "111" : "O:%sG:DA",
320 "112" : "O:DAG:DA",
321 "113" : "O:DAG:DA",
322 "114" : "O:DAG:DA",
323 "115" : "O:DAG:DA",
324 "130" : "O:EAG:DU",
325 "131" : "O:DAG:DU",
326 "132" : "O:SAG:DU",
327 "133" : "O:%sG:DU",
328 "134" : "O:EAG:DU",
329 "135" : "O:SAG:DU",
330 "136" : "O:SAG:DU",
331 "137" : "O:SAG:DU",
332 "138" : "O:DAG:DA",
333 "139" : "O:DAG:DA",
334 "140" : "O:%sG:DA",
335 "141" : "O:%sG:DA",
336 "142" : "O:DAG:DA",
337 "143" : "O:DAG:DA",
338 "144" : "O:DAG:DA",
339 "145" : "O:DAG:DA",
340 "160" : "O:EAG:DU",
341 "161" : "O:DAG:DU",
342 "162" : "O:%sG:DU",
343 "163" : "O:%sG:DU",
344 "164" : "O:EAG:DU",
345 "165" : "O:EAG:DU",
346 "166" : "O:DAG:DU",
347 "167" : "O:EAG:DU",
348 "168" : "O:DAG:DA",
349 "169" : "O:DAG:DA",
350 "170" : "O:%sG:DA",
351 "171" : "O:%sG:DA",
352 "172" : "O:DAG:DA",
353 "173" : "O:DAG:DA",
354 "174" : "O:DAG:DA",
355 "175" : "O:DAG:DA",
356 },
357 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
358 "ds_behavior_win2008" : {
359 "100" : "O:EAG:EA",
360 "101" : "O:DAG:DA",
361 "102" : "O:%sG:DU",
362 "103" : "O:%sG:DU",
363 "104" : "O:DAG:DA",
364 "105" : "O:DAG:DA",
365 "106" : "O:DAG:DA",
366 "107" : "O:EAG:EA",
367 "108" : "O:DAG:DA",
368 "109" : "O:DAG:DA",
369 "110" : "O:%sG:DA",
370 "111" : "O:%sG:DA",
371 "112" : "O:DAG:DA",
372 "113" : "O:DAG:DA",
373 "114" : "O:DAG:DA",
374 "115" : "O:DAG:DA",
375 "130" : "O:EAG:EA",
376 "131" : "O:DAG:DA",
377 "132" : "O:SAG:SA",
378 "133" : "O:%sG:DU",
379 "134" : "O:EAG:EA",
380 "135" : "O:SAG:SA",
381 "136" : "O:SAG:SA",
382 "137" : "O:SAG:SA",
383 "138" : "",
384 "139" : "",
385 "140" : "O:%sG:DA",
386 "141" : "O:%sG:DA",
387 "142" : "",
388 "143" : "",
389 "144" : "",
390 "145" : "",
391 "160" : "O:EAG:EA",
392 "161" : "O:DAG:DA",
393 "162" : "O:%sG:DU",
394 "163" : "O:%sG:DU",
395 "164" : "O:EAG:EA",
396 "165" : "O:EAG:EA",
397 "166" : "O:DAG:DA",
398 "167" : "O:EAG:EA",
399 "168" : "O:DAG:DA",
400 "169" : "O:DAG:DA",
401 "170" : "O:%sG:DA",
402 "171" : "O:%sG:DA",
403 "172" : "O:DAG:DA",
404 "173" : "O:DAG:DA",
405 "174" : "O:DAG:DA",
406 "175" : "O:DAG:DA",
407 },
408 }
409 # Discover 'msDS-Behavior-Version'
410 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
411 attrs=['msDS-Behavior-Version'])
412 res = int(res[0]['msDS-Behavior-Version'][0])
413 if res < DS_DOMAIN_FUNCTION_2008:
414 self.DS_BEHAVIOR = "ds_behavior_win2003"
415 else:
416 self.DS_BEHAVIOR = "ds_behavior_win2008"
417
418 def tearDown(self):
419 super(DescriptorTests, self).tearDown()
420 self.deleteAll()
421
422 def check_user_belongs(self, user_dn, groups=[]):
423 """ Test wether user is member of the expected group(s) """
424 if groups != []:
425 # User is member of at least one additional group
426 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
427 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
428 expected = []
429 for x in groups:
430 expected.append(self.get_users_domain_dn(x))
431 expected = [x.upper() for x in sorted(expected)]
432 self.assertEqual(expected, res)
433 else:
434 # User is not a member of any additional groups but default
435 res = self.ldb_admin.search(user_dn, attrs=["*"])
436 res = [x.upper() for x in res[0].keys()]
437 self.assertFalse( "MEMBEROF" in res)
438
439 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
440 # Modify
441 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
442 if owner_group != "":
443 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
444 else:
445 self.modify_desc(_ldb, object_dn, "D:" + ace)
446 # Make sure the modify operation has been applied
447 desc_sddl = self.get_desc_sddl(object_dn)
448 self.assertTrue(ace in desc_sddl)
449 # Make sure we have identical result for both "add" and "modify"
450 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
451 print self._testMethodName
452 test_number = self._testMethodName[5:]
453 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
454
455 def test_100(self):
456 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
457 """
458 user_name = "testuser1"
459 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
460 # Open Ldb connection with the tested user
461 _ldb = self.get_ldb_connection(user_name, "samba123@")
462 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
463 self.delete_force(self.ldb_admin, object_dn)
464 self.create_domain_group(_ldb, object_dn)
465 desc_sddl = self.get_desc_sddl(object_dn)
466 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
467 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
468 self.check_modify_inheritance(_ldb, object_dn)
469
470 def test_101(self):
471 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
472 """
473 user_name = "testuser2"
474 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
475 # Open Ldb connection with the tested user
476 _ldb = self.get_ldb_connection(user_name, "samba123@")
477 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
478 self.delete_force(self.ldb_admin, object_dn)
479 self.create_domain_group(_ldb, object_dn)
480 desc_sddl = self.get_desc_sddl(object_dn)
481 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
482 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
483 self.check_modify_inheritance(_ldb, object_dn)
484
485 def test_102(self):
486 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
487 """
488 user_name = "testuser3"
489 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
490 # Open Ldb connection with the tested user
491 _ldb = self.get_ldb_connection(user_name, "samba123@")
492 object_dn = "OU=test_domain_ou1," + self.base_dn
493 self.delete_force(self.ldb_admin, object_dn)
494 self.ldb_admin.create_ou(object_dn)
495 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
496 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
497 self.dacl_add_ace(object_dn, mod)
498 # Create additional object into the first one
499 object_dn = "CN=test_domain_user1," + object_dn
500 self.delete_force(self.ldb_admin, object_dn)
501 self.create_domain_user(_ldb, object_dn)
502 desc_sddl = self.get_desc_sddl(object_dn)
503 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
504 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
505 # This fails, research why
506 #self.check_modify_inheritance(_ldb, object_dn)
507
508 def test_103(self):
509 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
510 """
511 user_name = "testuser4"
512 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
513 # Open Ldb connection with the tested user
514 _ldb = self.get_ldb_connection(user_name, "samba123@")
515 object_dn = "OU=test_domain_ou1," + self.base_dn
516 self.delete_force(self.ldb_admin, object_dn)
517 self.ldb_admin.create_ou(object_dn)
518 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
519 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
520 self.dacl_add_ace(object_dn, mod)
521 # Create additional object into the first one
522 object_dn = "CN=test_domain_user1," + object_dn
523 self.delete_force(self.ldb_admin, object_dn)
524 self.create_domain_user(_ldb, object_dn)
525 desc_sddl = self.get_desc_sddl(object_dn)
526 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
527 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
528 #this fails, research why
529 #self.check_modify_inheritance(_ldb, object_dn)
530
531 def test_104(self):
532 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
533 """
534 user_name = "testuser5"
535 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
536 # Open Ldb connection with the tested user
537 _ldb = self.get_ldb_connection(user_name, "samba123@")
538 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
539 self.delete_force(self.ldb_admin, object_dn)
540 self.create_domain_group(_ldb, object_dn)
541 desc_sddl = self.get_desc_sddl(object_dn)
542 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
543 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
544 self.check_modify_inheritance(_ldb, object_dn)
545
546 def test_105(self):
547 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
548 """
549 user_name = "testuser6"
550 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
551 # Open Ldb connection with the tested user
552 _ldb = self.get_ldb_connection(user_name, "samba123@")
553 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
554 self.delete_force(self.ldb_admin, object_dn)
555 self.create_domain_group(_ldb, object_dn)
556 desc_sddl = self.get_desc_sddl(object_dn)
557 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
558 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
559 self.check_modify_inheritance(_ldb, object_dn)
560
561 def test_106(self):
562 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
563 """
564 user_name = "testuser7"
565 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
566 # Open Ldb connection with the tested user
567 _ldb = self.get_ldb_connection(user_name, "samba123@")
568 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
569 self.delete_force(self.ldb_admin, object_dn)
570 self.create_domain_group(_ldb, object_dn)
571 desc_sddl = self.get_desc_sddl(object_dn)
572 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
573 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
574 self.check_modify_inheritance(_ldb, object_dn)
575
576 def test_107(self):
577 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
578 """
579 user_name = "testuser8"
580 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
581 # Open Ldb connection with the tested user
582 _ldb = self.get_ldb_connection(user_name, "samba123@")
583 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
584 self.delete_force(self.ldb_admin, object_dn)
585 self.create_domain_group(_ldb, object_dn)
586 desc_sddl = self.get_desc_sddl(object_dn)
587 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
588 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
589 self.check_modify_inheritance(_ldb, object_dn)
590
591 # Control descriptor tests #####################################################################
592
593 def test_108(self):
594 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
595 """
596 user_name = "testuser1"
597 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
598 # Open Ldb connection with the tested user
599 _ldb = self.get_ldb_connection(user_name, "samba123@")
600 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
601 self.delete_force(self.ldb_admin, object_dn)
602 # Create a custom security descriptor
603 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
604 self.create_domain_group(_ldb, object_dn, desc_sddl)
605 desc_sddl = self.get_desc_sddl(object_dn)
606 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
607 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
608
609 def test_109(self):
610 """ Domain admin group member creates object (custom descriptor) in DOMAIN
611 """
612 user_name = "testuser2"
613 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
614 # Open Ldb connection with the tested user
615 _ldb = self.get_ldb_connection(user_name, "samba123@")
616 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
617 self.delete_force(self.ldb_admin, object_dn)
618 # Create a custom security descriptor
619 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
620 self.create_domain_group(_ldb, object_dn, desc_sddl)
621 desc_sddl = self.get_desc_sddl(object_dn)
622 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
623 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
624
625 def test_110(self):
626 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
627 """
628 user_name = "testuser3"
629 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
630 # Open Ldb connection with the tested user
631 _ldb = self.get_ldb_connection(user_name, "samba123@")
632 object_dn = "OU=test_domain_ou1," + self.base_dn
633 self.delete_force(self.ldb_admin, object_dn)
634 self.ldb_admin.create_ou(object_dn)
635 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
636 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
637 self.dacl_add_ace(object_dn, mod)
638 # Create a custom security descriptor
639 # NB! Problematic owner part won't accept DA only <User Sid> !!!
640 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
641 # Create additional object into the first one
642 object_dn = "CN=test_domain_user1," + object_dn
643 self.delete_force(self.ldb_admin, object_dn)
644 self.create_domain_user(_ldb, object_dn, desc_sddl)
645 desc = self.read_desc(object_dn)
646 desc_sddl = self.get_desc_sddl(object_dn)
647 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
648 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
649
650 def test_111(self):
651 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
652 """
653 user_name = "testuser4"
654 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
655 # Open Ldb connection with the tested user
656 _ldb = self.get_ldb_connection(user_name, "samba123@")
657 object_dn = "OU=test_domain_ou1," + self.base_dn
658 self.delete_force(self.ldb_admin, object_dn)
659 self.ldb_admin.create_ou(object_dn)
660 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
661 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
662 self.dacl_add_ace(object_dn, mod)
663 # Create a custom security descriptor
664 # NB! Problematic owner part won't accept DA only <User Sid> !!!
665 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
666 # Create additional object into the first one
667 object_dn = "CN=test_domain_user1," + object_dn
668 self.delete_force(self.ldb_admin, object_dn)
669 self.create_domain_user(_ldb, object_dn, desc_sddl)
670 desc = self.read_desc(object_dn)
671 desc_sddl = self.get_desc_sddl(object_dn)
672 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
673 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
674
675 def test_112(self):
676 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
677 """
678 user_name = "testuser5"
679 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
680 # Open Ldb connection with the tested user
681 _ldb = self.get_ldb_connection(user_name, "samba123@")
682 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
683 self.delete_force(self.ldb_admin, object_dn)
684 # Create a custom security descriptor
685 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
686 self.create_domain_group(_ldb, object_dn, desc_sddl)
687 desc_sddl = self.get_desc_sddl(object_dn)
688 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
689 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
690
691 def test_113(self):
692 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
693 """
694 user_name = "testuser6"
695 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
696 # Open Ldb connection with the tested user
697 _ldb = self.get_ldb_connection(user_name, "samba123@")
698 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
699 self.delete_force(self.ldb_admin, object_dn)
700 # Create a custom security descriptor
701 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
702 self.create_domain_group(_ldb, object_dn, desc_sddl)
703 desc_sddl = self.get_desc_sddl(object_dn)
704 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
705 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
706
707 def test_114(self):
708 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
709 """
710 user_name = "testuser7"
711 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
712 # Open Ldb connection with the tested user
713 _ldb = self.get_ldb_connection(user_name, "samba123@")
714 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
715 self.delete_force(self.ldb_admin, object_dn)
716 # Create a custom security descriptor
717 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
718 self.create_domain_group(_ldb, object_dn, desc_sddl)
719 desc_sddl = self.get_desc_sddl(object_dn)
720 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
721 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
722
723 def test_115(self):
724 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
725 """
726 user_name = "testuser8"
727 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
728 # Open Ldb connection with the tested user
729 _ldb = self.get_ldb_connection(user_name, "samba123@")
730 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
731 self.delete_force(self.ldb_admin, object_dn)
732 # Create a custom security descriptor
733 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
734 self.create_domain_group(_ldb, object_dn, desc_sddl)
735 desc_sddl = self.get_desc_sddl(object_dn)
736 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
737 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
738
739 def test_999(self):
740 user_name = "Administrator"
741 object_dn = "OU=test_domain_ou1," + self.base_dn
742 self.delete_force(self.ldb_admin, object_dn)
743 self.ldb_admin.create_ou(object_dn)
744 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
745 mod = "(D;CI;WP;;;S-1-3-0)"
746 #mod = ""
747 self.dacl_add_ace(object_dn, mod)
748 desc_sddl = self.get_desc_sddl(object_dn)
749 # Create additional object into the first one
750 object_dn = "OU=test_domain_ou2," + object_dn
751 self.delete_force(self.ldb_admin, object_dn)
752 self.ldb_admin.create_ou(object_dn)
753 desc_sddl = self.get_desc_sddl(object_dn)
754
755 ## Tests for SCHEMA
756
757 # Defalt descriptor tests ##################################################################
758
759 def test_130(self):
760 user_name = "testuser1"
761 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
762 # Open Ldb connection with the tested user
763 _ldb = self.get_ldb_connection(user_name, "samba123@")
764 # Change Schema partition descriptor
765 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
766 mod = "(A;;WDCC;;;AU)"
767 self.dacl_add_ace(self.schema_dn, mod)
768 # Create example Schema class
769 class_name = self.get_unique_schema_class_name()
770 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
771 self.create_schema_class(_ldb, class_dn)
772 desc_sddl = self.get_desc_sddl(class_dn)
773 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
774 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
775 self.check_modify_inheritance(_ldb, class_dn)
776
777 def test_131(self):
778 user_name = "testuser2"
779 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
780 # Open Ldb connection with the tested user
781 _ldb = self.get_ldb_connection(user_name, "samba123@")
782 # Change Schema partition descriptor
783 mod = "(A;CI;WDCC;;;AU)"
784 self.dacl_add_ace(self.schema_dn, mod)
785 # Create example Schema class
786 class_name = self.get_unique_schema_class_name()
787 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
788 self.create_schema_class(_ldb, class_dn)
789 desc_sddl = self.get_desc_sddl(class_dn)
790 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
791 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
792 self.check_modify_inheritance(_ldb, class_dn)
793
794 def test_132(self):
795 user_name = "testuser3"
796 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
797 # Open Ldb connection with the tested user
798 _ldb = self.get_ldb_connection(user_name, "samba123@")
799 # Change Schema partition descriptor
800 mod = "(A;CI;WDCC;;;AU)"
801 self.dacl_add_ace(self.schema_dn, mod)
802 # Create example Schema class
803 class_name = self.get_unique_schema_class_name()
804 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
805 self.create_schema_class(_ldb, class_dn)
806 desc_sddl = self.get_desc_sddl(class_dn)
807 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
808 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
809 #self.check_modify_inheritance(_ldb, class_dn)
810
811 def test_133(self):
812 user_name = "testuser4"
813 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
814 # Open Ldb connection with the tested user
815 _ldb = self.get_ldb_connection(user_name, "samba123@")
816 #Change Schema partition descriptor
817 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
818 mod = "(A;CI;WDCC;;;AU)"
819 self.dacl_add_ace(self.schema_dn, mod)
820 # Create example Schema class
821 class_name = self.get_unique_schema_class_name()
822 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
823 self.create_schema_class(_ldb, class_dn)
824 desc_sddl = self.get_desc_sddl(class_dn)
825 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
826 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
827 #self.check_modify_inheritance(_ldb, class_dn)
828
829 def test_134(self):
830 user_name = "testuser5"
831 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
832 # Open Ldb connection with the tested user
833 _ldb = self.get_ldb_connection(user_name, "samba123@")
834 #Change Schema partition descriptor
835 mod = "(A;CI;WDCC;;;AU)"
836 self.dacl_add_ace(self.schema_dn, mod)
837 # Create example Schema class
838 class_name = self.get_unique_schema_class_name()
839 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
840 self.create_schema_class(_ldb, class_dn)
841 desc_sddl = self.get_desc_sddl(class_dn)
842 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
843 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
844 self.check_modify_inheritance(_ldb, class_dn)
845
846 def test_135(self):
847 user_name = "testuser6"
848 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
849 # Open Ldb connection with the tested user
850 _ldb = self.get_ldb_connection(user_name, "samba123@")
851 # Change Schema partition descriptor
852 mod = "(A;CI;WDCC;;;AU)"
853 self.dacl_add_ace(self.schema_dn, mod)
854 # Create example Schema class
855 class_name = self.get_unique_schema_class_name()
856 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
857 self.create_schema_class(_ldb, class_dn)
858 desc_sddl = self.get_desc_sddl(class_dn)
859 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
860 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
861 self.check_modify_inheritance(_ldb, class_dn)
862
863 def test_136(self):
864 user_name = "testuser7"
865 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
866 # Open Ldb connection with the tested user
867 _ldb = self.get_ldb_connection(user_name, "samba123@")
868 # Change Schema partition descriptor
869 mod = "(A;CI;WDCC;;;AU)"
870 self.dacl_add_ace(self.schema_dn, mod)
871 # Create example Schema class
872 class_name = self.get_unique_schema_class_name()
873 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
874 self.create_schema_class(_ldb, class_dn)
875 desc_sddl = self.get_desc_sddl(class_dn)
876 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
877 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
878 self.check_modify_inheritance(_ldb, class_dn)
879
880 def test_137(self):
881 user_name = "testuser8"
882 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
883 # Open Ldb connection with the tested user
884 _ldb = self.get_ldb_connection(user_name, "samba123@")
885 # Change Schema partition descriptor
886 mod = "(A;CI;WDCC;;;AU)"
887 self.dacl_add_ace(self.schema_dn, mod)
888 # Create example Schema class
889 class_name = self.get_unique_schema_class_name()
890 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
891 self.create_schema_class(_ldb, class_dn)
892 desc_sddl = self.get_desc_sddl(class_dn)
893 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
894 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
895 self.check_modify_inheritance(_ldb, class_dn)
896
897 # Custom descriptor tests ##################################################################
898
899 def test_138(self):
900 user_name = "testuser1"
901 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
902 # Open Ldb connection with the tested user
903 _ldb = self.get_ldb_connection(user_name, "samba123@")
904 # Change Schema partition descriptor
905 mod = "(A;;CC;;;AU)"
906 self.dacl_add_ace(self.schema_dn, mod)
907 # Create a custom security descriptor
908 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
909 # Create example Schema class
910 class_name = self.get_unique_schema_class_name()
911 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
912 self.create_schema_class(_ldb, class_dn, desc_sddl)
913 desc_sddl = self.get_desc_sddl(class_dn)
914 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
915 self.assertEqual("O:DAG:DA", res)
916
917 def test_139(self):
918 user_name = "testuser2"
919 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
920 # Open Ldb connection with the tested user
921 _ldb = self.get_ldb_connection(user_name, "samba123@")
922 # Change Schema partition descriptor
923 mod = "(A;;CC;;;AU)"
924 self.dacl_add_ace(self.schema_dn, mod)
925 # Create a custom security descriptor
926 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
927 # Create example Schema class
928 class_name = self.get_unique_schema_class_name()
929 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
930 self.create_schema_class(_ldb, class_dn, desc_sddl)
931 desc_sddl = self.get_desc_sddl(class_dn)
932 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
933 self.assertEqual("O:DAG:DA", res)
934
935 def test_140(self):
936 user_name = "testuser3"
937 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
938 # Open Ldb connection with the tested user
939 _ldb = self.get_ldb_connection(user_name, "samba123@")
940 # Create a custom security descriptor
941 # NB! Problematic owner part won't accept DA only <User Sid> !!!
942 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
943 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
944 # Create example Schema class
945 class_name = self.get_unique_schema_class_name()
946 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
947 self.create_schema_class(_ldb, class_dn, desc_sddl)
948 desc_sddl = self.get_desc_sddl(class_dn)
949 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
950 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
951
952 def test_141(self):
953 user_name = "testuser4"
954 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
955 # Open Ldb connection with the tested user
956 _ldb = self.get_ldb_connection(user_name, "samba123@")
957 # Create a custom security descriptor
958 # NB! Problematic owner part won't accept DA only <User Sid> !!!
959 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
960 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
961 # Create example Schema class
962 class_name = self.get_unique_schema_class_name()
963 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
964 self.create_schema_class(_ldb, class_dn, desc_sddl)
965 desc_sddl = self.get_desc_sddl(class_dn)
966 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
967 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
968
969 def test_142(self):
970 user_name = "testuser5"
971 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
972 # Open Ldb connection with the tested user
973 _ldb = self.get_ldb_connection(user_name, "samba123@")
974 # Change Schema partition descriptor
975 mod = "(A;;CC;;;AU)"
976 self.dacl_add_ace(self.schema_dn, mod)
977 # Create a custom security descriptor
978 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
979 # Create example Schema class
980 class_name = self.get_unique_schema_class_name()
981 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
982 self.create_schema_class(_ldb, class_dn, desc_sddl)
983 desc_sddl = self.get_desc_sddl(class_dn)
984 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
985 self.assertEqual("O:DAG:DA", res)
986
987 def test_143(self):
988 user_name = "testuser6"
989 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
990 # Open Ldb connection with the tested user
991 _ldb = self.get_ldb_connection(user_name, "samba123@")
992 # Change Schema partition descriptor
993 mod = "(A;;CC;;;AU)"
994 self.dacl_add_ace(self.schema_dn, mod)
995 # Create a custom security descriptor
996 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
997 # Create example Schema class
998 class_name = self.get_unique_schema_class_name()
999 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1000 self.create_schema_class(_ldb, class_dn, desc_sddl)
1001 desc_sddl = self.get_desc_sddl(class_dn)
1002 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1003 self.assertEqual("O:DAG:DA", res)
1004
1005 def test_144(self):
1006 user_name = "testuser7"
1007 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1008 # Open Ldb connection with the tested user
1009 _ldb = self.get_ldb_connection(user_name, "samba123@")
1010 # Change Schema partition descriptor
1011 mod = "(A;;CC;;;AU)"
1012 self.dacl_add_ace(self.schema_dn, mod)
1013 # Create a custom security descriptor
1014 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1015 # Create example Schema class
1016 class_name = self.get_unique_schema_class_name()
1017 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1018 self.create_schema_class(_ldb, class_dn, desc_sddl)
1019 desc_sddl = self.get_desc_sddl(class_dn)
1020 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1021 self.assertEqual("O:DAG:DA", res)
1022
1023 def test_145(self):
1024 user_name = "testuser8"
1025 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1026 # Open Ldb connection with the tested user
1027 _ldb = self.get_ldb_connection(user_name, "samba123@")
1028 # Change Schema partition descriptor
1029 mod = "(A;;CC;;;AU)"
1030 self.dacl_add_ace(self.schema_dn, mod)
1031 # Create a custom security descriptor
1032 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1033 # Create example Schema class
1034 class_name = self.get_unique_schema_class_name()
1035 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1036 self.create_schema_class(_ldb, class_dn, desc_sddl)
1037 desc_sddl = self.get_desc_sddl(class_dn)
1038 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1039 self.assertEqual("O:DAG:DA", res)
1040
1041 ## Tests for CONFIGURATION
1042
1043 # Defalt descriptor tests ##################################################################
1044
1045 def test_160(self):
1046 user_name = "testuser1"
1047 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1048 # Open Ldb connection with the tested user
1049 _ldb = self.get_ldb_connection(user_name, "samba123@")
1050 # Create example Configuration container
1051 container_name = "test-container1"
1052 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1053 self.delete_force(self.ldb_admin, object_dn)
1054 self.create_configuration_container(_ldb, object_dn, )
1055 desc_sddl = self.get_desc_sddl(object_dn)
1056 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1057 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1058 self.check_modify_inheritance(_ldb, object_dn)
1059
1060 def test_161(self):
1061 user_name = "testuser2"
1062 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1063 # Open Ldb connection with the tested user
1064 _ldb = self.get_ldb_connection(user_name, "samba123@")
1065 # Create example Configuration container
1066 container_name = "test-container1"
1067 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1068 self.delete_force(self.ldb_admin, object_dn)
1069 self.create_configuration_container(_ldb, object_dn, )
1070 desc_sddl = self.get_desc_sddl(object_dn)
1071 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1072 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1073 self.check_modify_inheritance(_ldb, object_dn)
1074
1075 def test_162(self):
1076 user_name = "testuser3"
1077 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1078 # Open Ldb connection with the tested user
1079 _ldb = self.get_ldb_connection(user_name, "samba123@")
1080 # Create example Configuration container
1081 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1082 self.delete_force(self.ldb_admin, object_dn)
1083 self.create_configuration_container(self.ldb_admin, object_dn, )
1084 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1085 mod = "(A;;WDCC;;;AU)"
1086 self.dacl_add_ace(object_dn, mod)
1087 # Create child object with user's credentials
1088 object_dn = "CN=test-specifier1," + object_dn
1089 self.delete_force(self.ldb_admin, object_dn)
1090 self.create_configuration_specifier(_ldb, object_dn)
1091 desc_sddl = self.get_desc_sddl(object_dn)
1092 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1093 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1094 #self.check_modify_inheritance(_ldb, object_dn)
1095
1096 def test_163(self):
1097 user_name = "testuser4"
1098 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1099 # Open Ldb connection with the tested user
1100 _ldb = self.get_ldb_connection(user_name, "samba123@")
1101 # Create example Configuration container
1102 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1103 self.delete_force(self.ldb_admin, object_dn)
1104 self.create_configuration_container(self.ldb_admin, object_dn, )
1105 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1106 mod = "(A;CI;WDCC;;;AU)"
1107 self.dacl_add_ace(object_dn, mod)
1108 # Create child object with user's credentials
1109 object_dn = "CN=test-specifier1," + object_dn
1110 self.delete_force(self.ldb_admin, object_dn)
1111 self.create_configuration_specifier(_ldb, object_dn)
1112 desc_sddl = self.get_desc_sddl(object_dn)
1113 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1114 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1115 #self.check_modify_inheritance(_ldb, object_dn)
1116
1117 def test_164(self):
1118 user_name = "testuser5"
1119 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1120 # Open Ldb connection with the tested user
1121 _ldb = self.get_ldb_connection(user_name, "samba123@")
1122 # Create example Configuration container
1123 container_name = "test-container1"
1124 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1125 self.delete_force(self.ldb_admin, object_dn)
1126 self.create_configuration_container(_ldb, object_dn, )
1127 desc_sddl = self.get_desc_sddl(object_dn)
1128 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1129 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1130 self.check_modify_inheritance(_ldb, object_dn)
1131
1132 def test_165(self):
1133 user_name = "testuser6"
1134 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1135 # Open Ldb connection with the tested user
1136 _ldb = self.get_ldb_connection(user_name, "samba123@")
1137 # Create example Configuration container
1138 container_name = "test-container1"
1139 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1140 self.delete_force(self.ldb_admin, object_dn)
1141 self.create_configuration_container(_ldb, object_dn, )
1142 desc_sddl = self.get_desc_sddl(object_dn)
1143 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1144 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1145 self.check_modify_inheritance(_ldb, object_dn)
1146
1147 def test_166(self):
1148 user_name = "testuser7"
1149 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1150 # Open Ldb connection with the tested user
1151 _ldb = self.get_ldb_connection(user_name, "samba123@")
1152 # Create example Configuration container
1153 container_name = "test-container1"
1154 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1155 self.delete_force(self.ldb_admin, object_dn)
1156 self.create_configuration_container(_ldb, object_dn, )
1157 desc_sddl = self.get_desc_sddl(object_dn)
1158 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1159 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1160 self.check_modify_inheritance(_ldb, object_dn)
1161
1162 def test_167(self):
1163 user_name = "testuser8"
1164 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1165 # Open Ldb connection with the tested user
1166 _ldb = self.get_ldb_connection(user_name, "samba123@")
1167 # Create example Configuration container
1168 container_name = "test-container1"
1169 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1170 self.delete_force(self.ldb_admin, object_dn)
1171 self.create_configuration_container(_ldb, object_dn, )
1172 desc_sddl = self.get_desc_sddl(object_dn)
1173 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1174 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1175 self.check_modify_inheritance(_ldb, object_dn)
1176
1177 # Custom descriptor tests ##################################################################
1178
1179 def test_168(self):
1180 user_name = "testuser1"
1181 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1182 # Open Ldb connection with the tested user
1183 _ldb = self.get_ldb_connection(user_name, "samba123@")
1184 # Create example Configuration container
1185 container_name = "test-container1"
1186 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1187 self.delete_force(self.ldb_admin, object_dn)
1188 # Create a custom security descriptor
1189 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1190 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1191 desc_sddl = self.get_desc_sddl(object_dn)
1192 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1193 self.assertEqual("O:DAG:DA", res)
1194
1195 def test_169(self):
1196 user_name = "testuser2"
1197 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1198 # Open Ldb connection with the tested user
1199 _ldb = self.get_ldb_connection(user_name, "samba123@")
1200 # Create example Configuration container
1201 container_name = "test-container1"
1202 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1203 self.delete_force(self.ldb_admin, object_dn)
1204 # Create a custom security descriptor
1205 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1206 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1207 desc_sddl = self.get_desc_sddl(object_dn)
1208 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1209 self.assertEqual("O:DAG:DA", res)
1210
1211 def test_170(self):
1212 user_name = "testuser3"
1213 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1214 # Open Ldb connection with the tested user
1215 _ldb = self.get_ldb_connection(user_name, "samba123@")
1216 # Create example Configuration container
1217 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1218 self.delete_force(self.ldb_admin, object_dn)
1219 self.create_configuration_container(self.ldb_admin, object_dn, )
1220 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1221 mod = "(A;;CC;;;AU)"
1222 self.dacl_add_ace(object_dn, mod)
1223 # Create child object with user's credentials
1224 object_dn = "CN=test-specifier1," + object_dn
1225 self.delete_force(self.ldb_admin, object_dn)
1226 # Create a custom security descriptor
1227 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1228 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1229 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1230 desc_sddl = self.get_desc_sddl(object_dn)
1231 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1232 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1233
1234 def test_171(self):
1235 user_name = "testuser4"
1236 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1237 # Open Ldb connection with the tested user
1238 _ldb = self.get_ldb_connection(user_name, "samba123@")
1239 # Create example Configuration container
1240 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1241 self.delete_force(self.ldb_admin, object_dn)
1242 self.create_configuration_container(self.ldb_admin, object_dn, )
1243 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1244 mod = "(A;;CC;;;AU)"
1245 self.dacl_add_ace(object_dn, mod)
1246 # Create child object with user's credentials
1247 object_dn = "CN=test-specifier1," + object_dn
1248 self.delete_force(self.ldb_admin, object_dn)
1249 # Create a custom security descriptor
1250 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1251 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1252 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1253 desc_sddl = self.get_desc_sddl(object_dn)
1254 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1255 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1256
1257 def test_172(self):
1258 user_name = "testuser5"
1259 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1260 # Open Ldb connection with the tested user
1261 _ldb = self.get_ldb_connection(user_name, "samba123@")
1262 # Create example Configuration container
1263 container_name = "test-container1"
1264 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1265 self.delete_force(self.ldb_admin, object_dn)
1266 # Create a custom security descriptor
1267 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1268 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1269 desc_sddl = self.get_desc_sddl(object_dn)
1270 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1271 self.assertEqual("O:DAG:DA", res)
1272
1273 def test_173(self):
1274 user_name = "testuser6"
1275 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1276 # Open Ldb connection with the tested user
1277 _ldb = self.get_ldb_connection(user_name, "samba123@")
1278 # Create example Configuration container
1279 container_name = "test-container1"
1280 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1281 self.delete_force(self.ldb_admin, object_dn)
1282 # Create a custom security descriptor
1283 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1284 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1285 desc_sddl = self.get_desc_sddl(object_dn)
1286 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1287 self.assertEqual("O:DAG:DA", res)
1288
1289 def test_174(self):
1290 user_name = "testuser7"
1291 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1292 # Open Ldb connection with the tested user
1293 _ldb = self.get_ldb_connection(user_name, "samba123@")
1294 # Create example Configuration container
1295 container_name = "test-container1"
1296 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1297 self.delete_force(self.ldb_admin, object_dn)
1298 # Create a custom security descriptor
1299 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1300 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1301 desc_sddl = self.get_desc_sddl(object_dn)
1302 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1303 self.assertEqual("O:DAG:DA", res)
1304
1305 def test_175(self):
1306 user_name = "testuser8"
1307 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1308 # Open Ldb connection with the tested user
1309 _ldb = self.get_ldb_connection(user_name, "samba123@")
1310 # Create example Configuration container
1311 container_name = "test-container1"
1312 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1313 self.delete_force(self.ldb_admin, object_dn)
1314 # Create a custom security descriptor
1315 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1316 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1317 desc_sddl = self.get_desc_sddl(object_dn)
1318 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1319 self.assertEqual("O:DAG:DA", res)
1320
1321 ########################################################################################
1322 # Inharitance tests for DACL
1323
1324 class DaclDescriptorTests(DescriptorTests):
1325
1326 def deleteAll(self):
1327 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1328 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1329
1330 def setUp(self):
1331 super(DaclDescriptorTests, self).setUp()
1332 self.deleteAll()
1333
1334 def create_clean_ou(self, object_dn):
1335 """ Base repeating setup for unittests to follow """
1336 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1337 expression="distinguishedName=%s" % object_dn)
1338 # Make sure top testing OU has been deleted before starting the test
1339 self.assertEqual(res, [])
1340 self.ldb_admin.create_ou(object_dn)
1341 desc_sddl = self.get_desc_sddl(object_dn)
1342 # Make sure there are inheritable ACEs initially
1343 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1344 # Find and remove all inherit ACEs
1345 res = re.findall("\(.*?\)", desc_sddl)
1346 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1347 for x in res:
1348 desc_sddl = desc_sddl.replace(x, "")
1349 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1350 # can propagate from above
1351 # remove SACL, we are not interested
1352 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1353 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1354 # Verify all inheritable ACEs are gone
1355 desc_sddl = self.get_desc_sddl(object_dn)
1356 self.assertFalse("CI" in desc_sddl)
1357 self.assertFalse("OI" in desc_sddl)
1358
1359 def test_200(self):
1360 """ OU with protected flag and child group. See if the group has inherit ACEs.
1361 """
1362 ou_dn = "OU=test_inherit_ou," + self.base_dn
1363 group_dn = "CN=test_inherit_group," + ou_dn
1364 # Create inheritable-free OU
1365 self.create_clean_ou(ou_dn)
1366 # Create group child object
1367 self.create_domain_group(self.ldb_admin, group_dn)
1368 # Make sure created group object contains NO inherit ACEs
1369 desc_sddl = self.get_desc_sddl(group_dn)
1370 self.assertFalse("ID" in desc_sddl)
1371
1372 def test_201(self):
1373 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1374 Verify group has custom and default ACEs only.
1375 """
1376 ou_dn = "OU=test_inherit_ou," + self.base_dn
1377 group_dn = "CN=test_inherit_group," + ou_dn
1378 # Create inheritable-free OU
1379 self.create_clean_ou(ou_dn)
1380 # Create group child object using custom security descriptor
1381 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1382 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1383 # Make sure created group descriptor has NO additional ACEs
1384 desc_sddl = self.get_desc_sddl(group_dn)
1385 self.assertEqual(desc_sddl, sddl)
1386 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1387 self.modify_desc(self.ldb_admin, group_dn, sddl)
1388 desc_sddl = self.get_desc_sddl(group_dn)
1389 self.assertEqual(desc_sddl, sddl)
1390
1391 def test_202(self):
1392 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1393 See if the group has any of the added ACEs.
1394 """
1395 ou_dn = "OU=test_inherit_ou," + self.base_dn
1396 group_dn = "CN=test_inherit_group," + ou_dn
1397 # Create inheritable-free OU
1398 self.create_clean_ou(ou_dn)
1399 # Add some custom non-inheritable ACEs
1400 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1401 moded = "(D;;CC;;;LG)"
1402 self.dacl_add_ace(ou_dn, mod)
1403 # Verify all inheritable ACEs are gone
1404 desc_sddl = self.get_desc_sddl(ou_dn)
1405 # Create group child object
1406 self.create_domain_group(self.ldb_admin, group_dn)
1407 # Make sure created group object contains NO inherit ACEs
1408 # also make sure the added above non-inheritable ACEs are absent too
1409 desc_sddl = self.get_desc_sddl(group_dn)
1410 self.assertFalse("ID" in desc_sddl)
1411 for x in re.findall("\(.*?\)", mod):
1412 self.assertFalse(x in desc_sddl)
1413 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1414 desc_sddl = self.get_desc_sddl(group_dn)
1415 self.assertFalse("ID" in desc_sddl)
1416 for x in re.findall("\(.*?\)", mod):
1417 self.assertFalse(x in desc_sddl)
1418
1419 def test_203(self):
1420 """ OU with protected flag and add 'CI' ACE, child group.
1421 See if the group has the added inherited ACE.
1422 """
1423 ou_dn = "OU=test_inherit_ou," + self.base_dn
1424 group_dn = "CN=test_inherit_group," + ou_dn
1425 # Create inheritable-free OU
1426 self.create_clean_ou(ou_dn)
1427 # Add some custom 'CI' ACE
1428 mod = "(D;CI;WP;;;DU)"
1429 moded = "(D;;CC;;;LG)"
1430 self.dacl_add_ace(ou_dn, mod)
1431 desc_sddl = self.get_desc_sddl(ou_dn)
1432 # Create group child object
1433 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1434 # Make sure created group object contains only the above inherited ACE
1435 # that we've added manually
1436 desc_sddl = self.get_desc_sddl(group_dn)
1437 mod = mod.replace(";CI;", ";CIID;")
1438 self.assertTrue(mod in desc_sddl)
1439 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1440 desc_sddl = self.get_desc_sddl(group_dn)
1441 self.assertTrue(moded in desc_sddl)
1442 self.assertTrue(mod in desc_sddl)
1443
1444 def test_204(self):
1445 """ OU with protected flag and add 'OI' ACE, child group.
1446 See if the group has the added inherited ACE.
1447 """
1448 ou_dn = "OU=test_inherit_ou," + self.base_dn
1449 group_dn = "CN=test_inherit_group," + ou_dn
1450 # Create inheritable-free OU
1451 self.create_clean_ou(ou_dn)
1452 # Add some custom 'CI' ACE
1453 mod = "(D;OI;WP;;;DU)"
1454 moded = "(D;;CC;;;LG)"
1455 self.dacl_add_ace(ou_dn, mod)
1456 desc_sddl = self.get_desc_sddl(ou_dn)
1457 # Create group child object
1458 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1459 # Make sure created group object contains only the above inherited ACE
1460 # that we've added manually
1461 desc_sddl = self.get_desc_sddl(group_dn)
1462 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1463 self.assertTrue(mod in desc_sddl)
1464 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1465 desc_sddl = self.get_desc_sddl(group_dn)
1466 self.assertTrue(moded in desc_sddl)
1467 self.assertTrue(mod in desc_sddl)
1468
1469 def test_205(self):
1470 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1471 See if the group has the added inherited ACE.
1472 """
1473 ou_dn = "OU=test_inherit_ou," + self.base_dn
1474 group_dn = "CN=test_inherit_group," + ou_dn
1475 # Create inheritable-free OU
1476 self.create_clean_ou(ou_dn)
1477 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1478 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1479 moded = "(D;;CC;;;LG)"
1480 self.dacl_add_ace(ou_dn, mod)
1481 desc_sddl = self.get_desc_sddl(ou_dn)
1482 # Create group child object
1483 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1484 # Make sure created group object contains only the above inherited ACE
1485 # that we've added manually
1486 desc_sddl = self.get_desc_sddl(group_dn)
1487 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1488 self.assertTrue(mod in desc_sddl)
1489 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1490 desc_sddl = self.get_desc_sddl(group_dn)
1491 self.assertTrue(moded in desc_sddl)
1492 self.assertTrue(mod in desc_sddl)
1493
1494 def test_206(self):
1495 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1496 See if the group has the added inherited ACE.
1497 """
1498 ou_dn = "OU=test_inherit_ou," + self.base_dn
1499 group_dn = "CN=test_inherit_group," + ou_dn
1500 # Create inheritable-free OU
1501 self.create_clean_ou(ou_dn)
1502 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1503 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1504 moded = "(D;;CC;;;LG)"
1505 self.dacl_add_ace(ou_dn, mod)
1506 desc_sddl = self.get_desc_sddl(ou_dn)
1507 # Create group child object
1508 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1509 # Make sure created group object contains only the above inherited ACE
1510 # that we've added manually
1511 desc_sddl = self.get_desc_sddl(group_dn)
1512 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1513 self.assertTrue(mod in desc_sddl)
1514 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1515 desc_sddl = self.get_desc_sddl(group_dn)
1516 self.assertTrue(moded in desc_sddl)
1517 self.assertTrue(mod in desc_sddl)
1518
1519 def test_207(self):
1520 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1521 See if the group has the added inherited ACE.
1522 """
1523 ou_dn = "OU=test_inherit_ou," + self.base_dn
1524 group_dn = "CN=test_inherit_group," + ou_dn
1525 # Create inheritable-free OU
1526 self.create_clean_ou(ou_dn)
1527 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1528 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1529 moded = "(D;;CC;;;LG)"
1530 self.dacl_add_ace(ou_dn, mod)
1531 desc_sddl = self.get_desc_sddl(ou_dn)
1532 # Create group child object
1533 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1534 # Make sure created group object contains only the above inherited ACE
1535 # that we've added manually
1536 desc_sddl = self.get_desc_sddl(group_dn)
1537 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1538 self.assertTrue(mod in desc_sddl)
1539 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1540 desc_sddl = self.get_desc_sddl(group_dn)
1541 self.assertTrue(moded in desc_sddl)
1542 self.assertTrue(mod in desc_sddl)
1543
1544 def test_208(self):
1545 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1546 See if the group has the added inherited ACE.
1547 """
1548 ou_dn = "OU=test_inherit_ou," + self.base_dn
1549 group_dn = "CN=test_inherit_group," + ou_dn
1550 # Create inheritable-free OU
1551 self.create_clean_ou(ou_dn)
1552 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1553 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1554 moded = "(D;;CC;;;LG)"
1555 self.dacl_add_ace(ou_dn, mod)
1556 desc_sddl = self.get_desc_sddl(ou_dn)
1557 # Create group child object
1558 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1559 # Make sure created group object contains only the above inherited ACE
1560 # that we've added manually
1561 desc_sddl = self.get_desc_sddl(group_dn)
1562 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1563 self.assertTrue(mod in desc_sddl)
1564 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1565 desc_sddl = self.get_desc_sddl(group_dn)
1566 self.assertTrue(moded in desc_sddl)
1567 self.assertTrue(mod in desc_sddl)
1568
1569 def test_209(self):
1570 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1571 See if the group has the added inherited ACE.
1572 """
1573 ou_dn = "OU=test_inherit_ou," + self.base_dn
1574 group_dn = "CN=test_inherit_group," + ou_dn
1575 # Create inheritable-free OU
1576 self.create_clean_ou(ou_dn)
1577 # Add some custom 'CI' ACE
1578 mod = "(D;CI;WP;;;CO)"
1579 moded = "(D;;CC;;;LG)"
1580 self.dacl_add_ace(ou_dn, mod)
1581 desc_sddl = self.get_desc_sddl(ou_dn)
1582 # Create group child object
1583 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1584 # Make sure created group object contains only the above inherited ACE(s)
1585 # that we've added manually
1586 desc_sddl = self.get_desc_sddl(group_dn)
1587 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1588 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1589 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1590 desc_sddl = self.get_desc_sddl(group_dn)
1591 self.assertTrue(moded in desc_sddl)
1592 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1593 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1594
1595 def test_210(self):
1596 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1597 """
1598 ou_dn = "OU=test_inherit_ou," + self.base_dn
1599 group_dn = "CN=test_inherit_group," + ou_dn
1600 self.create_clean_ou(ou_dn)
1601 # Add some custom ACE
1602 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1603 self.create_domain_group(self.ldb_admin, group_dn, mod)
1604 # Make sure created group object does not contain the ID ace
1605 desc_sddl = self.get_desc_sddl(group_dn)
1606 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1607
1608 def test_211(self):
1609 """ Provide ACE with CO SID, should be expanded and replaced
1610 """
1611 ou_dn = "OU=test_inherit_ou," + self.base_dn
1612 group_dn = "CN=test_inherit_group," + ou_dn
1613 # Create inheritable-free OU
1614 self.create_clean_ou(ou_dn)
1615 # Add some custom 'CI' ACE
1616 mod = "D:(D;CI;WP;;;CO)"
1617 self.create_domain_group(self.ldb_admin, group_dn, mod)
1618 desc_sddl = self.get_desc_sddl(group_dn)
1619 self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
1620
1621 def test_212(self):
1622 """ Provide ACE with IO flag, should be ignored
1623 """
1624 ou_dn = "OU=test_inherit_ou," + self.base_dn
1625 group_dn = "CN=test_inherit_group," + ou_dn
1626 # Create inheritable-free OU
1627 self.create_clean_ou(ou_dn)
1628 # Add some custom 'CI' ACE
1629 mod = "D:(D;CIIO;WP;;;CO)"
1630 self.create_domain_group(self.ldb_admin, group_dn, mod)
1631 # Make sure created group object contains only the above inherited ACE(s)
1632 # that we've added manually
1633 desc_sddl = self.get_desc_sddl(group_dn)
1634 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1635 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1636 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1637
1638 def test_213(self):
1639 """ Provide ACE with IO flag, should be ignored
1640 """
1641 ou_dn = "OU=test_inherit_ou," + self.base_dn
1642 group_dn = "CN=test_inherit_group," + ou_dn
1643 # Create inheritable-free OU
1644 self.create_clean_ou(ou_dn)
1645 mod = "D:(D;IO;WP;;;DA)"
1646 self.create_domain_group(self.ldb_admin, group_dn, mod)
1647 # Make sure created group object contains only the above inherited ACE(s)
1648 # that we've added manually
1649 desc_sddl = self.get_desc_sddl(group_dn)
1650 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1651
1652 ########################################################################################
1653
1654
1655 class SdFlagsDescriptorTests(DescriptorTests):
1656 def deleteAll(self):
1657 self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1658
1659 def setUp(self):
1660 super(SdFlagsDescriptorTests, self).setUp()
1661 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1662 self.deleteAll()
1663
1664 def test_301(self):
1665 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1666 See that only the owner has been changed.
1667 """
1668 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1669 self.ldb_admin.create_ou(ou_dn)
1670 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1671 desc_sddl = self.get_desc_sddl(ou_dn)
1672 # make sure we have modified the owner
1673 self.assertTrue("O:AU" in desc_sddl)
1674 # make sure nothing else has been modified
1675 self.assertFalse("G:AU" in desc_sddl)
1676 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1677 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1678
1679 def test_302(self):
1680 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1681 See that only the owner has been changed.
1682 """
1683 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1684 self.ldb_admin.create_ou(ou_dn)
1685 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1686 desc_sddl = self.get_desc_sddl(ou_dn)
1687 # make sure we have modified the group
1688 self.assertTrue("G:AU" in desc_sddl)
1689 # make sure nothing else has been modified
1690 self.assertFalse("O:AU" in desc_sddl)
1691 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1692 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1693
1694 def test_303(self):
1695 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1696 See that only the owner has been changed.
1697 """
1698 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1699 self.ldb_admin.create_ou(ou_dn)
1700 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1701 desc_sddl = self.get_desc_sddl(ou_dn)
1702 # make sure we have modified the DACL
1703 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1704 # make sure nothing else has been modified
1705 self.assertFalse("O:AU" in desc_sddl)
1706 self.assertFalse("G:AU" in desc_sddl)
1707 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1708
1709 def test_304(self):
1710 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1711 See that only the owner has been changed.
1712 """
1713 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1714 self.ldb_admin.create_ou(ou_dn)
1715 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1716 desc_sddl = self.get_desc_sddl(ou_dn)
1717 # make sure we have modified the DACL
1718 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1719 # make sure nothing else has been modified
1720 self.assertFalse("O:AU" in desc_sddl)
1721 self.assertFalse("G:AU" in desc_sddl)
1722 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1723
1724 def test_305(self):
1725 """ Modify a descriptor with 0x0 set.
1726 Contrary to logic this is interpreted as no control,
1727 which is the same as 0xF
1728 """
1729 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1730 self.ldb_admin.create_ou(ou_dn)
1731 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1732 desc_sddl = self.get_desc_sddl(ou_dn)
1733 # make sure we have modified the DACL
1734 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1735 # make sure nothing else has been modified
1736 self.assertTrue("O:AU" in desc_sddl)
1737 self.assertTrue("G:AU" in desc_sddl)
1738 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1739
1740 def test_306(self):
1741 """ Modify a descriptor with 0xF set.
1742 """
1743 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1744 self.ldb_admin.create_ou(ou_dn)
1745 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1746 desc_sddl = self.get_desc_sddl(ou_dn)
1747 # make sure we have modified the DACL
1748 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1749 # make sure nothing else has been modified
1750 self.assertTrue("O:AU" in desc_sddl)
1751 self.assertTrue("G:AU" in desc_sddl)
1752 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1753
1754 def test_307(self):
1755 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1756 Only the owner part should be returned.
1757 """
1758 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1759 self.ldb_admin.create_ou(ou_dn)
1760 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1761 # make sure we have read the owner
1762 self.assertTrue("O:" in desc_sddl)
1763 # make sure we have read nothing else
1764 self.assertFalse("G:" in desc_sddl)
1765 self.assertFalse("D:" in desc_sddl)
1766 self.assertFalse("S:" in desc_sddl)
1767
1768 def test_308(self):
1769 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1770 Only the group part should be returned.
1771 """
1772 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1773 self.ldb_admin.create_ou(ou_dn)
1774 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1775 # make sure we have read the owner
1776 self.assertTrue("G:" in desc_sddl)
1777 # make sure we have read nothing else
1778 self.assertFalse("O:" in desc_sddl)
1779 self.assertFalse("D:" in desc_sddl)
1780 self.assertFalse("S:" in desc_sddl)
1781
1782 def test_309(self):
1783 """ Read a descriptor with SACL_SECURITY_INFORMATION
1784 Only the sacl part should be returned.
1785 """
1786 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1787 self.ldb_admin.create_ou(ou_dn)
1788 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1789 # make sure we have read the owner
1790 self.assertTrue("S:" in desc_sddl)
1791 # make sure we have read nothing else
1792 self.assertFalse("O:" in desc_sddl)
1793 self.assertFalse("D:" in desc_sddl)
1794 self.assertFalse("G:" in desc_sddl)
1795
1796 def test_310(self):
1797 """ Read a descriptor with DACL_SECURITY_INFORMATION
1798 Only the dacl part should be returned.
1799 """
1800 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1801 self.ldb_admin.create_ou(ou_dn)
1802 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1803 # make sure we have read the owner
1804 self.assertTrue("D:" in desc_sddl)
1805 # make sure we have read nothing else
1806 self.assertFalse("O:" in desc_sddl)
1807 self.assertFalse("S:" in desc_sddl)
1808 self.assertFalse("G:" in desc_sddl)
1809
1810
1811 class RightsAttributesTests(DescriptorTests):
1812
1813 def deleteAll(self):
1814 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1815 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1816 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1817
1818 def setUp(self):
1819 super(RightsAttributesTests, self).setUp()
1820 self.deleteAll()
1821 ### Create users
1822 # User 1
1823 self.create_enable_user("testuser_attr")
1824 # User 2, Domain Admins
1825 self.create_enable_user("testuser_attr2")
1826 self.ldb_admin.add_remove_group_members("Domain Admins",
1827 "testuser_attr2",
1828 add_members_operation=True)
1829
1830 def test_sDRightsEffective(self):
1831 object_dn = "OU=test_domain_ou1," + self.base_dn
1832 self.delete_force(self.ldb_admin, object_dn)
1833 self.ldb_admin.create_ou(object_dn)
1834 print self.get_users_domain_dn("testuser_attr")
1835 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1836 #give testuser1 read access so attributes can be retrieved
1837 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1838 self.dacl_add_ace(object_dn, mod)
1839 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1840 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1841 attrs=["sDRightsEffective"])
1842 #user whould have no rights at all
1843 self.assertEquals(len(res), 1)
1844 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1845 #give the user Write DACL and see what happens
1846 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1847 self.dacl_add_ace(object_dn, mod)
1848 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1849 attrs=["sDRightsEffective"])
1850 #user whould have DACL_SECURITY_INFORMATION
1851 self.assertEquals(len(res), 1)
1852 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1853 #give the user Write Owners and see what happens
1854 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1855 self.dacl_add_ace(object_dn, mod)
1856 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1857 attrs=["sDRightsEffective"])
1858 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1859 self.assertEquals(len(res), 1)
1860 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1861 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1862 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1863 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1864 attrs=["sDRightsEffective"])
1865 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1866 self.assertEquals(len(res), 1)
1867 self.assertEquals(res[0]["sDRightsEffective"][0], \
1868 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1869
1870 def test_allowedChildClassesEffective(self):
1871 object_dn = "OU=test_domain_ou1," + self.base_dn
1872 self.delete_force(self.ldb_admin, object_dn)
1873 self.ldb_admin.create_ou(object_dn)
1874 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1875 #give testuser1 read access so attributes can be retrieved
1876 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1877 self.dacl_add_ace(object_dn, mod)
1878 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1879 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1880 attrs=["allowedChildClassesEffective"])
1881 #there should be no allowed child classes
1882 self.assertEquals(len(res), 1)
1883 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1884 #give the user the right to create children of type user
1885 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1886 self.dacl_add_ace(object_dn, mod)
1887 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1888 attrs=["allowedChildClassesEffective"])
1889 # allowedChildClassesEffective should only have one value, user
1890 self.assertEquals(len(res), 1)
1891 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1892 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1893
1894 def test_allowedAttributesEffective(self):
1895 object_dn = "OU=test_domain_ou1," + self.base_dn
1896 self.delete_force(self.ldb_admin, object_dn)
1897 self.ldb_admin.create_ou(object_dn)
1898 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1899 #give testuser1 read access so attributes can be retrieved
1900 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1901 self.dacl_add_ace(object_dn, mod)
1902 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1903 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1904 attrs=["allowedAttributesEffective"])
1905 #there should be no allowed attributes
1906 self.assertEquals(len(res), 1)
1907 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1908 #give the user the right to write displayName and managedBy
1909 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1910 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1911 # also rights to modify an read only attribute, fromEntry
1912 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1913 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1914 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1915 attrs=["allowedAttributesEffective"])
1916 # value should only contain user and managedBy
1917 self.assertEquals(len(res), 1)
1918 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1919 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1920 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1921
1922 if not "://" in host:
1923 if os.path.isfile(host):
1924 host = "tdb://%s" % host
1925 else:
1926 host = "ldap://%s" % host
1927
1928 # use 'paged_search' module when connecting remotely
1929 if host.lower().startswith("ldap://"):
1930 ldb_options = ["modules:paged_searches"]
1931
1932 ldb = SamDB(host,
1933 credentials=creds,
1934 session_info=system_session(),
1935 lp=lp,
1936 options=ldb_options)
1937
1938 runner = SubunitTestRunner()
1939 rc = 0
1940 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1941 rc = 1
1942 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1943 rc = 1
1944 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1945 rc = 1
1946 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
1947 rc = 1
1948 sys.exit(rc)
reg import