search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:Added a test for correct CO expansion in SD creation.
[Samba/gebeck_regimport.git] / source4 / lib / ldb / tests / python / sec_descriptor.py
blob609fca86ab9fbd48603e5d05c2e955d435ddf38e
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3
4 import optparse
5 import sys
6 import os
7 import base64
8 import re
9 import random
10
11 sys.path.append("bin/python")
12
13 import samba.getopt as options
14
15 # Some error messages that are being tested
16 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
17
18 # For running the test unit
19 from samba.ndr import ndr_pack, ndr_unpack
20 from samba.dcerpc import security
21
22 from samba import Ldb
23 from samba.auth import system_session
24 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
25 from samba.dcerpc.security import (
26 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
27 from subunit.run import SubunitTestRunner
28 import unittest
29
30 parser = optparse.OptionParser("sec_descriptor [options] <host>")
31 sambaopts = options.SambaOptions(parser)
32 parser.add_option_group(sambaopts)
33 parser.add_option_group(options.VersionOptions(parser))
34
35 # use command line creds if available
36 credopts = options.CredentialsOptions(parser)
37 parser.add_option_group(credopts)
38 opts, args = parser.parse_args()
39
40 if len(args) < 1:
41 parser.print_usage()
42 sys.exit(1)
43
44 host = args[0]
45
46 lp = sambaopts.get_loadparm()
47 creds = credopts.get_credentials(lp)
48
49 #
50 # Tests start here
51 #
52
53 class DescriptorTests(unittest.TestCase):
54
55 def delete_force(self, ldb, dn):
56 try:
57 ldb.delete(dn)
58 except LdbError, (num, _):
59 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
60
61 def find_basedn(self, ldb):
62 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
63 attrs=["defaultNamingContext"])
64 self.assertEquals(len(res), 1)
65 return res[0]["defaultNamingContext"][0]
66
67 def find_configurationdn(self, ldb):
68 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
69 self.assertEquals(len(res), 1)
70 return res[0]["configurationNamingContext"][0]
71
72 def find_schemadn(self, ldb):
73 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
74 self.assertEquals(len(res), 1)
75 return res[0]["schemaNamingContext"][0]
76
77 def find_domain_sid(self, ldb):
78 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
79 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
80
81 def get_users_domain_dn(self, name):
82 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
83
84 def modify_desc(self, _ldb, object_dn, desc, controls=None):
85 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
86 mod = """
87 dn: """ + object_dn + """
88 changetype: modify
89 replace: nTSecurityDescriptor
90 """
91 if isinstance(desc, str):
92 mod += "nTSecurityDescriptor: %s" % desc
93 elif isinstance(desc, security.descriptor):
94 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
95 _ldb.modify_ldif(mod, controls)
96
97 def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
98 ldif = """
99 dn: """ + ou_dn + """
100 ou: """ + ou_dn.split(",")[0][3:] + """
101 objectClass: organizationalUnit
102 url: www.example.com
103 """
104 if desc:
105 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
106 if isinstance(desc, str):
107 ldif += "nTSecurityDescriptor: %s" % desc
108 elif isinstance(desc, security.descriptor):
109 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
110 _ldb.add_ldif(ldif, controls)
111
112 def create_domain_user(self, _ldb, user_dn, desc=None):
113 ldif = """
114 dn: """ + user_dn + """
115 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
116 objectClass: user
117 userPassword: samba123@
118 url: www.example.com
119 """
120 if desc:
121 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
122 if isinstance(desc, str):
123 ldif += "nTSecurityDescriptor: %s" % desc
124 elif isinstance(desc, security.descriptor):
125 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
126 _ldb.add_ldif(ldif)
127
128 def create_domain_group(self, _ldb, group_dn, desc=None):
129 ldif = """
130 dn: """ + group_dn + """
131 objectClass: group
132 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
133 groupType: 4
134 url: www.example.com
135 """
136 if desc:
137 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
138 if isinstance(desc, str):
139 ldif += "nTSecurityDescriptor: %s" % desc
140 elif isinstance(desc, security.descriptor):
141 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
142 _ldb.add_ldif(ldif)
143
144 def get_unique_schema_class_name(self):
145 while True:
146 class_name = "test-class%s" % random.randint(1,100000)
147 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
148 try:
149 self.ldb_admin.search(base=class_dn, attrs=["*"])
150 except LdbError, (num, _):
151 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
152 return class_name
153
154 def create_schema_class(self, _ldb, object_dn, desc=None):
155 ldif = """
156 dn: """ + object_dn + """
157 objectClass: classSchema
158 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
159 defaultObjectCategory: """ + object_dn + """
160 distinguishedName: """ + object_dn + """
161 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
162 instanceType: 4
163 objectClassCategory: 1
164 subClassOf: organizationalPerson
165 systemFlags: 16
166 rDNAttID: cn
167 systemMustContain: cn
168 systemOnly: FALSE
169 """
170 if desc:
171 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
172 if isinstance(desc, str):
173 ldif += "nTSecurityDescriptor: %s" % desc
174 elif isinstance(desc, security.descriptor):
175 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
176 _ldb.add_ldif(ldif)
177
178 def create_configuration_container(self, _ldb, object_dn, desc=None):
179 ldif = """
180 dn: """ + object_dn + """
181 objectClass: container
182 objectCategory: CN=Container,""" + self.schema_dn + """
183 showInAdvancedViewOnly: TRUE
184 instanceType: 4
185 """
186 if desc:
187 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
188 if isinstance(desc, str):
189 ldif += "nTSecurityDescriptor: %s" % desc
190 elif isinstance(desc, security.descriptor):
191 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
192 _ldb.add_ldif(ldif)
193
194 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
195 ldif = """
196 dn: """ + object_dn + """
197 objectClass: displaySpecifier
198 showInAdvancedViewOnly: TRUE
199 """
200 if desc:
201 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
202 if isinstance(desc, str):
203 ldif += "nTSecurityDescriptor: %s" % desc
204 elif isinstance(desc, security.descriptor):
205 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
206 _ldb.add_ldif(ldif)
207
208 def read_desc(self, object_dn, controls=None):
209 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
210 desc = res[0]["nTSecurityDescriptor"][0]
211 return ndr_unpack(security.descriptor, desc)
212
213 def enable_account(self, user_dn):
214 """Enable an account.
215 :param user_dn: Dn of the account to enable.
216 """
217 res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
218 assert len(res) == 1
219 userAccountControl = res[0]["userAccountControl"][0]
220 userAccountControl = int(userAccountControl)
221 if (userAccountControl & 0x2):
222 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
223 if (userAccountControl & 0x20):
224 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
225 mod = """
226 dn: """ + user_dn + """
227 changetype: modify
228 replace: userAccountControl
229 userAccountControl: %s""" % userAccountControl
230 if self.WIN2003:
231 mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
232 self.ldb_admin.modify_ldif(mod)
233
234 def get_ldb_connection(self, target_username, target_password):
235 username_save = creds.get_username(); password_save = creds.get_password()
236 creds.set_username(target_username)
237 creds.set_password(target_password)
238 ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
239 creds.set_username(username_save); creds.set_password(password_save)
240 return ldb_target
241
242 def get_object_sid(self, object_dn):
243 res = self.ldb_admin.search(object_dn)
244 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
245
246 def dacl_add_ace(self, object_dn, ace):
247 desc = self.read_desc( object_dn )
248 desc_sddl = desc.as_sddl( self.domain_sid )
249 if ace in desc_sddl:
250 return
251 if desc_sddl.find("(") >= 0:
252 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
253 else:
254 desc_sddl = desc_sddl + ace
255 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
256
257 def get_desc_sddl(self, object_dn, controls=None):
258 """ Return object nTSecutiryDescriptor in SDDL format
259 """
260 desc = self.read_desc(object_dn, controls)
261 return desc.as_sddl(self.domain_sid)
262
263 def setUp(self):
264 self.ldb_admin = ldb
265 self.base_dn = self.find_basedn(self.ldb_admin)
266 self.configuration_dn = self.find_configurationdn(self.ldb_admin)
267 self.schema_dn = self.find_schemadn(self.ldb_admin)
268 self.domain_sid = self.find_domain_sid(self.ldb_admin)
269 print "baseDN: %s" % self.base_dn
270 self.SAMBA = False; self.WIN2003 = False
271 res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"])
272 if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]:
273 self.SAMBA = True
274 else:
275 self.WIN2003 = True
276
277 ################################################################################################
278
279 ## Tests for DOMAIN
280
281 # Default descriptor tests #####################################################################
282
283 class OwnerGroupDescriptorTests(DescriptorTests):
284
285 def deleteAll(self):
286 if self.SAMBA:
287 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
288 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
289 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
290 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
291 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
292 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
293 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
294 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
295 # DOMAIN
296 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
297 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
298 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
299 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
300 # SCHEMA
301 # CONFIGURATION
302 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
303 + self.configuration_dn)
304 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
305
306 def setUp(self):
307 DescriptorTests.setUp(self)
308 self.deleteAll()
309 if self.SAMBA:
310 ### Create users
311 # User 1
312 user_dn = self.get_users_domain_dn("testuser1")
313 self.create_domain_user(self.ldb_admin, user_dn)
314 self.enable_account(user_dn)
315 ldif = """
316 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
317 changetype: modify
318 add: member
319 member: """ + user_dn
320 self.ldb_admin.modify_ldif(ldif)
321 # User 2
322 user_dn = self.get_users_domain_dn("testuser2")
323 self.create_domain_user(self.ldb_admin, user_dn)
324 self.enable_account(user_dn)
325 ldif = """
326 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
327 changetype: modify
328 add: member
329 member: """ + user_dn
330 self.ldb_admin.modify_ldif(ldif)
331 # User 3
332 user_dn = self.get_users_domain_dn("testuser3")
333 self.create_domain_user(self.ldb_admin, user_dn)
334 self.enable_account(user_dn)
335 ldif = """
336 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
337 changetype: modify
338 add: member
339 member: """ + user_dn
340 self.ldb_admin.modify_ldif(ldif)
341 # User 4
342 user_dn = self.get_users_domain_dn("testuser4")
343 self.create_domain_user(self.ldb_admin, user_dn)
344 self.enable_account(user_dn)
345 # User 5
346 user_dn = self.get_users_domain_dn("testuser5")
347 self.create_domain_user(self.ldb_admin, user_dn)
348 self.enable_account(user_dn)
349 ldif = """
350 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
351 changetype: modify
352 add: member
353 member: """ + user_dn + """
354
355 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
356 changetype: modify
357 add: member
358 member: """ + user_dn
359 self.ldb_admin.modify_ldif(ldif)
360 # User 6
361 user_dn = self.get_users_domain_dn("testuser6")
362 self.create_domain_user(self.ldb_admin, user_dn)
363 self.enable_account(user_dn)
364 ldif = """
365 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
366 changetype: modify
367 add: member
368 member: """ + user_dn + """
369
370 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
371 changetype: modify
372 add: member
373 member: """ + user_dn + """
374
375 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
376 changetype: modify
377 add: member
378 member: """ + user_dn
379 self.ldb_admin.modify_ldif(ldif)
380 # User 7
381 user_dn = self.get_users_domain_dn("testuser7")
382 self.create_domain_user(self.ldb_admin, user_dn)
383 self.enable_account(user_dn)
384 ldif = """
385 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
386 changetype: modify
387 add: member
388 member: """ + user_dn + """
389
390 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
391 changetype: modify
392 add: member
393 member: """ + user_dn
394 self.ldb_admin.modify_ldif(ldif)
395 # User 8
396 user_dn = self.get_users_domain_dn("testuser8")
397 self.create_domain_user(self.ldb_admin, user_dn)
398 self.enable_account(user_dn)
399 ldif = """
400 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
401 changetype: modify
402 add: member
403 member: """ + user_dn + """
404
405 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
406 changetype: modify
407 add: member
408 member: """ + user_dn
409 self.ldb_admin.modify_ldif(ldif)
410 self.results = {
411 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
412 "ds_behavior_win2003" : {
413 "100" : "O:EAG:DU",
414 "101" : "O:DAG:DU",
415 "102" : "O:%sG:DU",
416 "103" : "O:%sG:DU",
417 "104" : "O:DAG:DU",
418 "105" : "O:DAG:DU",
419 "106" : "O:DAG:DU",
420 "107" : "O:EAG:DU",
421 "108" : "O:DAG:DA",
422 "109" : "O:DAG:DA",
423 "110" : "O:%sG:DA",
424 "111" : "O:%sG:DA",
425 "112" : "O:DAG:DA",
426 "113" : "O:DAG:DA",
427 "114" : "O:DAG:DA",
428 "115" : "O:DAG:DA",
429 "130" : "O:EAG:DU",
430 "131" : "O:DAG:DU",
431 "132" : "O:SAG:DU",
432 "133" : "O:%sG:DU",
433 "134" : "O:EAG:DU",
434 "135" : "O:SAG:DU",
435 "136" : "O:SAG:DU",
436 "137" : "O:SAG:DU",
437 "138" : "O:DAG:DA",
438 "139" : "O:DAG:DA",
439 "140" : "O:%sG:DA",
440 "141" : "O:%sG:DA",
441 "142" : "O:DAG:DA",
442 "143" : "O:DAG:DA",
443 "144" : "O:DAG:DA",
444 "145" : "O:DAG:DA",
445 "160" : "O:EAG:DU",
446 "161" : "O:DAG:DU",
447 "162" : "O:%sG:DU",
448 "163" : "O:%sG:DU",
449 "164" : "O:EAG:DU",
450 "165" : "O:EAG:DU",
451 "166" : "O:DAG:DU",
452 "167" : "O:EAG:DU",
453 "168" : "O:DAG:DA",
454 "169" : "O:DAG:DA",
455 "170" : "O:%sG:DA",
456 "171" : "O:%sG:DA",
457 "172" : "O:DAG:DA",
458 "173" : "O:DAG:DA",
459 "174" : "O:DAG:DA",
460 "175" : "O:DAG:DA",
461 },
462 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
463 "ds_behavior_win2008" : {
464 "100" : "O:EAG:EA",
465 "101" : "O:DAG:DA",
466 "102" : "O:%sG:DU",
467 "103" : "O:%sG:DU",
468 "104" : "O:DAG:DA",
469 "105" : "O:DAG:DA",
470 "106" : "O:DAG:DA",
471 "107" : "O:EAG:EA",
472 "108" : "O:DAG:DA",
473 "109" : "O:DAG:DA",
474 "110" : "O:%sG:DA",
475 "111" : "O:%sG:DA",
476 "112" : "O:DAG:DA",
477 "113" : "O:DAG:DA",
478 "114" : "O:DAG:DA",
479 "115" : "O:DAG:DA",
480 "130" : "O:EAG:EA",
481 "131" : "O:DAG:DA",
482 "132" : "O:SAG:SA",
483 "133" : "O:%sG:DU",
484 "134" : "O:EAG:EA",
485 "135" : "O:SAG:SA",
486 "136" : "O:SAG:SA",
487 "137" : "O:SAG:SA",
488 "138" : "",
489 "139" : "",
490 "140" : "O:%sG:DA",
491 "141" : "O:%sG:DA",
492 "142" : "",
493 "143" : "",
494 "144" : "",
495 "145" : "",
496 "160" : "O:EAG:EA",
497 "161" : "O:DAG:DA",
498 "162" : "O:%sG:DU",
499 "163" : "O:%sG:DU",
500 "164" : "O:EAG:EA",
501 "165" : "O:EAG:EA",
502 "166" : "O:DAG:DA",
503 "167" : "O:EAG:EA",
504 "168" : "O:DAG:DA",
505 "169" : "O:DAG:DA",
506 "170" : "O:%sG:DA",
507 "171" : "O:%sG:DA",
508 "172" : "O:DAG:DA",
509 "173" : "O:DAG:DA",
510 "174" : "O:DAG:DA",
511 "175" : "O:DAG:DA",
512 },
513 }
514 # Discover 'msDS-Behavior-Version'
515 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
516 attrs=['msDS-Behavior-Version'])
517 res = int(res[0]['msDS-Behavior-Version'][0])
518 if res < DS_DOMAIN_FUNCTION_2008:
519 self.DS_BEHAVIOR = "ds_behavior_win2003"
520 else:
521 self.DS_BEHAVIOR = "ds_behavior_win2008"
522
523 def tearDown(self):
524 self.deleteAll()
525
526 def check_user_belongs(self, user_dn, groups=[]):
527 """ Test wether user is member of the expected group(s) """
528 if groups != []:
529 # User is member of at least one additional group
530 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
531 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
532 expected = []
533 for x in groups:
534 expected.append(self.get_users_domain_dn(x))
535 expected = [x.upper() for x in sorted(expected)]
536 self.assertEqual(expected, res)
537 else:
538 # User is not a member of any additional groups but default
539 res = self.ldb_admin.search(user_dn, attrs=["*"])
540 res = [x.upper() for x in res[0].keys()]
541 self.assertFalse( "MEMBEROF" in res)
542
543 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
544 # Modify
545 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
546 if owner_group != "":
547 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
548 else:
549 self.modify_desc(_ldb, object_dn, "D:" + ace)
550 # Make sure the modify operation has been applied
551 desc_sddl = self.get_desc_sddl(object_dn)
552 self.assertTrue(ace in desc_sddl)
553 # Make sure we have identical result for both "add" and "modify"
554 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
555 print self._testMethodName
556 test_number = self._testMethodName[5:]
557 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
558
559 def test_100(self):
560 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
561 """
562 user_name = "testuser1"
563 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
564 # Open Ldb connection with the tested user
565 _ldb = self.get_ldb_connection(user_name, "samba123@")
566 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
567 self.delete_force(self.ldb_admin, object_dn)
568 self.create_domain_group(_ldb, object_dn)
569 desc_sddl = self.get_desc_sddl(object_dn)
570 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
571 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
572 self.check_modify_inheritance(_ldb, object_dn)
573
574 def test_101(self):
575 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
576 """
577 user_name = "testuser2"
578 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
579 # Open Ldb connection with the tested user
580 _ldb = self.get_ldb_connection(user_name, "samba123@")
581 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
582 self.delete_force(self.ldb_admin, object_dn)
583 self.create_domain_group(_ldb, object_dn)
584 desc_sddl = self.get_desc_sddl(object_dn)
585 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
586 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
587 self.check_modify_inheritance(_ldb, object_dn)
588
589 def test_102(self):
590 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
591 """
592 user_name = "testuser3"
593 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
594 # Open Ldb connection with the tested user
595 _ldb = self.get_ldb_connection(user_name, "samba123@")
596 object_dn = "OU=test_domain_ou1," + self.base_dn
597 self.delete_force(self.ldb_admin, object_dn)
598 self.create_domain_ou(self.ldb_admin, object_dn)
599 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
600 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
601 self.dacl_add_ace(object_dn, mod)
602 # Create additional object into the first one
603 object_dn = "CN=test_domain_user1," + object_dn
604 self.delete_force(self.ldb_admin, object_dn)
605 self.create_domain_user(_ldb, object_dn)
606 desc_sddl = self.get_desc_sddl(object_dn)
607 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
608 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
609 # This fails, research why
610 #self.check_modify_inheritance(_ldb, object_dn)
611
612 def test_103(self):
613 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
614 """
615 user_name = "testuser4"
616 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
617 # Open Ldb connection with the tested user
618 _ldb = self.get_ldb_connection(user_name, "samba123@")
619 object_dn = "OU=test_domain_ou1," + self.base_dn
620 self.delete_force(self.ldb_admin, object_dn)
621 self.create_domain_ou(self.ldb_admin, object_dn)
622 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
623 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
624 self.dacl_add_ace(object_dn, mod)
625 # Create additional object into the first one
626 object_dn = "CN=test_domain_user1," + object_dn
627 self.delete_force(self.ldb_admin, object_dn)
628 self.create_domain_user(_ldb, object_dn)
629 desc_sddl = self.get_desc_sddl(object_dn)
630 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
631 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
632 #this fails, research why
633 #self.check_modify_inheritance(_ldb, object_dn)
634
635 def test_104(self):
636 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
637 """
638 user_name = "testuser5"
639 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
640 # Open Ldb connection with the tested user
641 _ldb = self.get_ldb_connection(user_name, "samba123@")
642 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
643 self.delete_force(self.ldb_admin, object_dn)
644 self.create_domain_group(_ldb, object_dn)
645 desc_sddl = self.get_desc_sddl(object_dn)
646 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
647 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
648 self.check_modify_inheritance(_ldb, object_dn)
649
650 def test_105(self):
651 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
652 """
653 user_name = "testuser6"
654 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
655 # Open Ldb connection with the tested user
656 _ldb = self.get_ldb_connection(user_name, "samba123@")
657 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
658 self.delete_force(self.ldb_admin, object_dn)
659 self.create_domain_group(_ldb, object_dn)
660 desc_sddl = self.get_desc_sddl(object_dn)
661 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
662 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
663 self.check_modify_inheritance(_ldb, object_dn)
664
665 def test_106(self):
666 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
667 """
668 user_name = "testuser7"
669 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
670 # Open Ldb connection with the tested user
671 _ldb = self.get_ldb_connection(user_name, "samba123@")
672 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
673 self.delete_force(self.ldb_admin, object_dn)
674 self.create_domain_group(_ldb, object_dn)
675 desc_sddl = self.get_desc_sddl(object_dn)
676 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
677 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
678 self.check_modify_inheritance(_ldb, object_dn)
679
680 def test_107(self):
681 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
682 """
683 user_name = "testuser8"
684 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
685 # Open Ldb connection with the tested user
686 _ldb = self.get_ldb_connection(user_name, "samba123@")
687 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
688 self.delete_force(self.ldb_admin, object_dn)
689 self.create_domain_group(_ldb, object_dn)
690 desc_sddl = self.get_desc_sddl(object_dn)
691 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
692 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
693 self.check_modify_inheritance(_ldb, object_dn)
694
695 # Control descriptor tests #####################################################################
696
697 def test_108(self):
698 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
699 """
700 user_name = "testuser1"
701 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
702 # Open Ldb connection with the tested user
703 _ldb = self.get_ldb_connection(user_name, "samba123@")
704 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
705 self.delete_force(self.ldb_admin, object_dn)
706 # Create a custom security descriptor
707 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
708 self.create_domain_group(_ldb, object_dn, desc_sddl)
709 desc_sddl = self.get_desc_sddl(object_dn)
710 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
711 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
712
713 def test_109(self):
714 """ Domain admin group member creates object (custom descriptor) in DOMAIN
715 """
716 user_name = "testuser2"
717 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
718 # Open Ldb connection with the tested user
719 _ldb = self.get_ldb_connection(user_name, "samba123@")
720 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
721 self.delete_force(self.ldb_admin, object_dn)
722 # Create a custom security descriptor
723 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
724 self.create_domain_group(_ldb, object_dn, desc_sddl)
725 desc_sddl = self.get_desc_sddl(object_dn)
726 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
727 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
728
729 def test_110(self):
730 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
731 """
732 user_name = "testuser3"
733 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
734 # Open Ldb connection with the tested user
735 _ldb = self.get_ldb_connection(user_name, "samba123@")
736 object_dn = "OU=test_domain_ou1," + self.base_dn
737 self.delete_force(self.ldb_admin, object_dn)
738 self.create_domain_ou(self.ldb_admin, object_dn)
739 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
740 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
741 self.dacl_add_ace(object_dn, mod)
742 # Create a custom security descriptor
743 # NB! Problematic owner part won't accept DA only <User Sid> !!!
744 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
745 # Create additional object into the first one
746 object_dn = "CN=test_domain_user1," + object_dn
747 self.delete_force(self.ldb_admin, object_dn)
748 self.create_domain_user(_ldb, object_dn, desc_sddl)
749 desc = self.read_desc(object_dn)
750 desc_sddl = self.get_desc_sddl(object_dn)
751 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
752 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
753
754 def test_111(self):
755 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
756 """
757 user_name = "testuser4"
758 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
759 # Open Ldb connection with the tested user
760 _ldb = self.get_ldb_connection(user_name, "samba123@")
761 object_dn = "OU=test_domain_ou1," + self.base_dn
762 self.delete_force(self.ldb_admin, object_dn)
763 self.create_domain_ou(self.ldb_admin, object_dn)
764 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
765 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
766 self.dacl_add_ace(object_dn, mod)
767 # Create a custom security descriptor
768 # NB! Problematic owner part won't accept DA only <User Sid> !!!
769 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
770 # Create additional object into the first one
771 object_dn = "CN=test_domain_user1," + object_dn
772 self.delete_force(self.ldb_admin, object_dn)
773 self.create_domain_user(_ldb, object_dn, desc_sddl)
774 desc = self.read_desc(object_dn)
775 desc_sddl = self.get_desc_sddl(object_dn)
776 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
777 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
778
779 def test_112(self):
780 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
781 """
782 user_name = "testuser5"
783 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
784 # Open Ldb connection with the tested user
785 _ldb = self.get_ldb_connection(user_name, "samba123@")
786 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
787 self.delete_force(self.ldb_admin, object_dn)
788 # Create a custom security descriptor
789 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
790 self.create_domain_group(_ldb, object_dn, desc_sddl)
791 desc_sddl = self.get_desc_sddl(object_dn)
792 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
793 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
794
795 def test_113(self):
796 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
797 """
798 user_name = "testuser6"
799 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
800 # Open Ldb connection with the tested user
801 _ldb = self.get_ldb_connection(user_name, "samba123@")
802 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
803 self.delete_force(self.ldb_admin, object_dn)
804 # Create a custom security descriptor
805 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
806 self.create_domain_group(_ldb, object_dn, desc_sddl)
807 desc_sddl = self.get_desc_sddl(object_dn)
808 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
809 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
810
811 def test_114(self):
812 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
813 """
814 user_name = "testuser7"
815 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
816 # Open Ldb connection with the tested user
817 _ldb = self.get_ldb_connection(user_name, "samba123@")
818 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
819 self.delete_force(self.ldb_admin, object_dn)
820 # Create a custom security descriptor
821 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
822 self.create_domain_group(_ldb, object_dn, desc_sddl)
823 desc_sddl = self.get_desc_sddl(object_dn)
824 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
825 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
826
827 def test_115(self):
828 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
829 """
830 user_name = "testuser8"
831 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
832 # Open Ldb connection with the tested user
833 _ldb = self.get_ldb_connection(user_name, "samba123@")
834 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
835 self.delete_force(self.ldb_admin, object_dn)
836 # Create a custom security descriptor
837 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
838 self.create_domain_group(_ldb, object_dn, desc_sddl)
839 desc_sddl = self.get_desc_sddl(object_dn)
840 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
841 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
842
843 def test_999(self):
844 user_name = "Administrator"
845 object_dn = "OU=test_domain_ou1," + self.base_dn
846 self.delete_force(self.ldb_admin, object_dn)
847 self.create_domain_ou(self.ldb_admin, object_dn)
848 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
849 mod = "(D;CI;WP;;;S-1-3-0)"
850 #mod = ""
851 self.dacl_add_ace(object_dn, mod)
852 desc_sddl = self.get_desc_sddl(object_dn)
853 # Create additional object into the first one
854 object_dn = "OU=test_domain_ou2," + object_dn
855 self.delete_force(self.ldb_admin, object_dn)
856 self.create_domain_ou(self.ldb_admin, object_dn)
857 desc_sddl = self.get_desc_sddl(object_dn)
858
859 ## Tests for SCHEMA
860
861 # Defalt descriptor tests ##################################################################
862
863 def test_130(self):
864 user_name = "testuser1"
865 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
866 # Open Ldb connection with the tested user
867 _ldb = self.get_ldb_connection(user_name, "samba123@")
868 # Change Schema partition descriptor
869 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
870 mod = "(A;;WDCC;;;AU)"
871 self.dacl_add_ace(self.schema_dn, mod)
872 # Create example Schema class
873 class_name = self.get_unique_schema_class_name()
874 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
875 self.create_schema_class(_ldb, class_dn)
876 desc_sddl = self.get_desc_sddl(class_dn)
877 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
878 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
879 self.check_modify_inheritance(_ldb, class_dn)
880
881 def test_131(self):
882 user_name = "testuser2"
883 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
884 # Open Ldb connection with the tested user
885 _ldb = self.get_ldb_connection(user_name, "samba123@")
886 # Change Schema partition descriptor
887 mod = "(A;CI;WDCC;;;AU)"
888 self.dacl_add_ace(self.schema_dn, mod)
889 # Create example Schema class
890 class_name = self.get_unique_schema_class_name()
891 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
892 self.create_schema_class(_ldb, class_dn)
893 desc_sddl = self.get_desc_sddl(class_dn)
894 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
895 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
896 self.check_modify_inheritance(_ldb, class_dn)
897
898 def test_132(self):
899 user_name = "testuser3"
900 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
901 # Open Ldb connection with the tested user
902 _ldb = self.get_ldb_connection(user_name, "samba123@")
903 # Change Schema partition descriptor
904 mod = "(A;CI;WDCC;;;AU)"
905 self.dacl_add_ace(self.schema_dn, mod)
906 # Create example Schema class
907 class_name = self.get_unique_schema_class_name()
908 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
909 self.create_schema_class(_ldb, class_dn)
910 desc_sddl = self.get_desc_sddl(class_dn)
911 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
912 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
913 #self.check_modify_inheritance(_ldb, class_dn)
914
915 def test_133(self):
916 user_name = "testuser4"
917 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
918 # Open Ldb connection with the tested user
919 _ldb = self.get_ldb_connection(user_name, "samba123@")
920 #Change Schema partition descriptor
921 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
922 mod = "(A;CI;WDCC;;;AU)"
923 self.dacl_add_ace(self.schema_dn, mod)
924 # Create example Schema class
925 class_name = self.get_unique_schema_class_name()
926 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
927 self.create_schema_class(_ldb, class_dn)
928 desc_sddl = self.get_desc_sddl(class_dn)
929 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
930 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
931 #self.check_modify_inheritance(_ldb, class_dn)
932
933 def test_134(self):
934 user_name = "testuser5"
935 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
936 # Open Ldb connection with the tested user
937 _ldb = self.get_ldb_connection(user_name, "samba123@")
938 #Change Schema partition descriptor
939 mod = "(A;CI;WDCC;;;AU)"
940 self.dacl_add_ace(self.schema_dn, mod)
941 # Create example Schema class
942 class_name = self.get_unique_schema_class_name()
943 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
944 self.create_schema_class(_ldb, class_dn)
945 desc_sddl = self.get_desc_sddl(class_dn)
946 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
947 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
948 self.check_modify_inheritance(_ldb, class_dn)
949
950 def test_135(self):
951 user_name = "testuser6"
952 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
953 # Open Ldb connection with the tested user
954 _ldb = self.get_ldb_connection(user_name, "samba123@")
955 # Change Schema partition descriptor
956 mod = "(A;CI;WDCC;;;AU)"
957 self.dacl_add_ace(self.schema_dn, mod)
958 # Create example Schema class
959 class_name = self.get_unique_schema_class_name()
960 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
961 self.create_schema_class(_ldb, class_dn)
962 desc_sddl = self.get_desc_sddl(class_dn)
963 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
964 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
965 self.check_modify_inheritance(_ldb, class_dn)
966
967 def test_136(self):
968 user_name = "testuser7"
969 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
970 # Open Ldb connection with the tested user
971 _ldb = self.get_ldb_connection(user_name, "samba123@")
972 # Change Schema partition descriptor
973 mod = "(A;CI;WDCC;;;AU)"
974 self.dacl_add_ace(self.schema_dn, mod)
975 # Create example Schema class
976 class_name = self.get_unique_schema_class_name()
977 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
978 self.create_schema_class(_ldb, class_dn)
979 desc_sddl = self.get_desc_sddl(class_dn)
980 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
981 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
982 self.check_modify_inheritance(_ldb, class_dn)
983
984 def test_137(self):
985 user_name = "testuser8"
986 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
987 # Open Ldb connection with the tested user
988 _ldb = self.get_ldb_connection(user_name, "samba123@")
989 # Change Schema partition descriptor
990 mod = "(A;CI;WDCC;;;AU)"
991 self.dacl_add_ace(self.schema_dn, mod)
992 # Create example Schema class
993 class_name = self.get_unique_schema_class_name()
994 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
995 self.create_schema_class(_ldb, class_dn)
996 desc_sddl = self.get_desc_sddl(class_dn)
997 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
998 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
999 self.check_modify_inheritance(_ldb, class_dn)
1000
1001 # Custom descriptor tests ##################################################################
1002
1003 def test_138(self):
1004 user_name = "testuser1"
1005 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1006 # Open Ldb connection with the tested user
1007 _ldb = self.get_ldb_connection(user_name, "samba123@")
1008 # Change Schema partition descriptor
1009 mod = "(A;;CC;;;AU)"
1010 self.dacl_add_ace(self.schema_dn, mod)
1011 # Create a custom security descriptor
1012 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1013 # Create example Schema class
1014 class_name = self.get_unique_schema_class_name()
1015 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1016 self.create_schema_class(_ldb, class_dn, desc_sddl)
1017 desc_sddl = self.get_desc_sddl(class_dn)
1018 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1019 self.assertEqual("O:DAG:DA", res)
1020
1021 def test_139(self):
1022 user_name = "testuser2"
1023 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1024 # Open Ldb connection with the tested user
1025 _ldb = self.get_ldb_connection(user_name, "samba123@")
1026 # Change Schema partition descriptor
1027 mod = "(A;;CC;;;AU)"
1028 self.dacl_add_ace(self.schema_dn, mod)
1029 # Create a custom security descriptor
1030 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1031 # Create example Schema class
1032 class_name = self.get_unique_schema_class_name()
1033 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1034 self.create_schema_class(_ldb, class_dn, desc_sddl)
1035 desc_sddl = self.get_desc_sddl(class_dn)
1036 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1037 self.assertEqual("O:DAG:DA", res)
1038
1039 def test_140(self):
1040 user_name = "testuser3"
1041 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1042 # Open Ldb connection with the tested user
1043 _ldb = self.get_ldb_connection(user_name, "samba123@")
1044 # Create a custom security descriptor
1045 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1046 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1047 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1048 # Create example Schema class
1049 class_name = self.get_unique_schema_class_name()
1050 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1051 self.create_schema_class(_ldb, class_dn, desc_sddl)
1052 desc_sddl = self.get_desc_sddl(class_dn)
1053 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1054 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1055
1056 def test_141(self):
1057 user_name = "testuser4"
1058 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1059 # Open Ldb connection with the tested user
1060 _ldb = self.get_ldb_connection(user_name, "samba123@")
1061 # Create a custom security descriptor
1062 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1063 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1064 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1065 # Create example Schema class
1066 class_name = self.get_unique_schema_class_name()
1067 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1068 self.create_schema_class(_ldb, class_dn, desc_sddl)
1069 desc_sddl = self.get_desc_sddl(class_dn)
1070 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1071 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1072
1073 def test_142(self):
1074 user_name = "testuser5"
1075 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1076 # Open Ldb connection with the tested user
1077 _ldb = self.get_ldb_connection(user_name, "samba123@")
1078 # Change Schema partition descriptor
1079 mod = "(A;;CC;;;AU)"
1080 self.dacl_add_ace(self.schema_dn, mod)
1081 # Create a custom security descriptor
1082 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1083 # Create example Schema class
1084 class_name = self.get_unique_schema_class_name()
1085 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1086 self.create_schema_class(_ldb, class_dn, desc_sddl)
1087 desc_sddl = self.get_desc_sddl(class_dn)
1088 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1089 self.assertEqual("O:DAG:DA", res)
1090
1091 def test_143(self):
1092 user_name = "testuser6"
1093 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1094 # Open Ldb connection with the tested user
1095 _ldb = self.get_ldb_connection(user_name, "samba123@")
1096 # Change Schema partition descriptor
1097 mod = "(A;;CC;;;AU)"
1098 self.dacl_add_ace(self.schema_dn, mod)
1099 # Create a custom security descriptor
1100 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1101 # Create example Schema class
1102 class_name = self.get_unique_schema_class_name()
1103 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1104 self.create_schema_class(_ldb, class_dn, desc_sddl)
1105 desc_sddl = self.get_desc_sddl(class_dn)
1106 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1107 self.assertEqual("O:DAG:DA", res)
1108
1109 def test_144(self):
1110 user_name = "testuser7"
1111 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1112 # Open Ldb connection with the tested user
1113 _ldb = self.get_ldb_connection(user_name, "samba123@")
1114 # Change Schema partition descriptor
1115 mod = "(A;;CC;;;AU)"
1116 self.dacl_add_ace(self.schema_dn, mod)
1117 # Create a custom security descriptor
1118 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1119 # Create example Schema class
1120 class_name = self.get_unique_schema_class_name()
1121 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1122 self.create_schema_class(_ldb, class_dn, desc_sddl)
1123 desc_sddl = self.get_desc_sddl(class_dn)
1124 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1125 self.assertEqual("O:DAG:DA", res)
1126
1127 def test_145(self):
1128 user_name = "testuser8"
1129 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1130 # Open Ldb connection with the tested user
1131 _ldb = self.get_ldb_connection(user_name, "samba123@")
1132 # Change Schema partition descriptor
1133 mod = "(A;;CC;;;AU)"
1134 self.dacl_add_ace(self.schema_dn, mod)
1135 # Create a custom security descriptor
1136 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1137 # Create example Schema class
1138 class_name = self.get_unique_schema_class_name()
1139 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1140 self.create_schema_class(_ldb, class_dn, desc_sddl)
1141 desc_sddl = self.get_desc_sddl(class_dn)
1142 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1143 self.assertEqual("O:DAG:DA", res)
1144
1145 ## Tests for CONFIGURATION
1146
1147 # Defalt descriptor tests ##################################################################
1148
1149 def test_160(self):
1150 user_name = "testuser1"
1151 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1152 # Open Ldb connection with the tested user
1153 _ldb = self.get_ldb_connection(user_name, "samba123@")
1154 # Create example Configuration container
1155 container_name = "test-container1"
1156 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1157 self.delete_force(self.ldb_admin, object_dn)
1158 self.create_configuration_container(_ldb, object_dn, )
1159 desc_sddl = self.get_desc_sddl(object_dn)
1160 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1161 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1162 self.check_modify_inheritance(_ldb, object_dn)
1163
1164 def test_161(self):
1165 user_name = "testuser2"
1166 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1167 # Open Ldb connection with the tested user
1168 _ldb = self.get_ldb_connection(user_name, "samba123@")
1169 # Create example Configuration container
1170 container_name = "test-container1"
1171 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1172 self.delete_force(self.ldb_admin, object_dn)
1173 self.create_configuration_container(_ldb, object_dn, )
1174 desc_sddl = self.get_desc_sddl(object_dn)
1175 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1176 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1177 self.check_modify_inheritance(_ldb, object_dn)
1178
1179 def test_162(self):
1180 user_name = "testuser3"
1181 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1182 # Open Ldb connection with the tested user
1183 _ldb = self.get_ldb_connection(user_name, "samba123@")
1184 # Create example Configuration container
1185 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1186 self.delete_force(self.ldb_admin, object_dn)
1187 self.create_configuration_container(self.ldb_admin, object_dn, )
1188 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1189 mod = "(A;;WDCC;;;AU)"
1190 self.dacl_add_ace(object_dn, mod)
1191 # Create child object with user's credentials
1192 object_dn = "CN=test-specifier1," + object_dn
1193 self.delete_force(self.ldb_admin, object_dn)
1194 self.create_configuration_specifier(_ldb, object_dn)
1195 desc_sddl = self.get_desc_sddl(object_dn)
1196 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1197 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1198 #self.check_modify_inheritance(_ldb, object_dn)
1199
1200 def test_163(self):
1201 user_name = "testuser4"
1202 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1203 # Open Ldb connection with the tested user
1204 _ldb = self.get_ldb_connection(user_name, "samba123@")
1205 # Create example Configuration container
1206 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1207 self.delete_force(self.ldb_admin, object_dn)
1208 self.create_configuration_container(self.ldb_admin, object_dn, )
1209 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1210 mod = "(A;CI;WDCC;;;AU)"
1211 self.dacl_add_ace(object_dn, mod)
1212 # Create child object with user's credentials
1213 object_dn = "CN=test-specifier1," + object_dn
1214 self.delete_force(self.ldb_admin, object_dn)
1215 self.create_configuration_specifier(_ldb, object_dn)
1216 desc_sddl = self.get_desc_sddl(object_dn)
1217 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1218 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1219 #self.check_modify_inheritance(_ldb, object_dn)
1220
1221 def test_164(self):
1222 user_name = "testuser5"
1223 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1224 # Open Ldb connection with the tested user
1225 _ldb = self.get_ldb_connection(user_name, "samba123@")
1226 # Create example Configuration container
1227 container_name = "test-container1"
1228 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1229 self.delete_force(self.ldb_admin, object_dn)
1230 self.create_configuration_container(_ldb, object_dn, )
1231 desc_sddl = self.get_desc_sddl(object_dn)
1232 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1233 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1234 self.check_modify_inheritance(_ldb, object_dn)
1235
1236 def test_165(self):
1237 user_name = "testuser6"
1238 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1239 # Open Ldb connection with the tested user
1240 _ldb = self.get_ldb_connection(user_name, "samba123@")
1241 # Create example Configuration container
1242 container_name = "test-container1"
1243 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1244 self.delete_force(self.ldb_admin, object_dn)
1245 self.create_configuration_container(_ldb, object_dn, )
1246 desc_sddl = self.get_desc_sddl(object_dn)
1247 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1248 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1249 self.check_modify_inheritance(_ldb, object_dn)
1250
1251 def test_166(self):
1252 user_name = "testuser7"
1253 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1254 # Open Ldb connection with the tested user
1255 _ldb = self.get_ldb_connection(user_name, "samba123@")
1256 # Create example Configuration container
1257 container_name = "test-container1"
1258 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1259 self.delete_force(self.ldb_admin, object_dn)
1260 self.create_configuration_container(_ldb, object_dn, )
1261 desc_sddl = self.get_desc_sddl(object_dn)
1262 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1263 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1264 self.check_modify_inheritance(_ldb, object_dn)
1265
1266 def test_167(self):
1267 user_name = "testuser8"
1268 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1269 # Open Ldb connection with the tested user
1270 _ldb = self.get_ldb_connection(user_name, "samba123@")
1271 # Create example Configuration container
1272 container_name = "test-container1"
1273 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1274 self.delete_force(self.ldb_admin, object_dn)
1275 self.create_configuration_container(_ldb, object_dn, )
1276 desc_sddl = self.get_desc_sddl(object_dn)
1277 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1278 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1279 self.check_modify_inheritance(_ldb, object_dn)
1280
1281 # Custom descriptor tests ##################################################################
1282
1283 def test_168(self):
1284 user_name = "testuser1"
1285 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1286 # Open Ldb connection with the tested user
1287 _ldb = self.get_ldb_connection(user_name, "samba123@")
1288 # Create example Configuration container
1289 container_name = "test-container1"
1290 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1291 self.delete_force(self.ldb_admin, object_dn)
1292 # Create a custom security descriptor
1293 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1294 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1295 desc_sddl = self.get_desc_sddl(object_dn)
1296 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1297 self.assertEqual("O:DAG:DA", res)
1298
1299 def test_169(self):
1300 user_name = "testuser2"
1301 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1302 # Open Ldb connection with the tested user
1303 _ldb = self.get_ldb_connection(user_name, "samba123@")
1304 # Create example Configuration container
1305 container_name = "test-container1"
1306 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1307 self.delete_force(self.ldb_admin, object_dn)
1308 # Create a custom security descriptor
1309 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1310 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1311 desc_sddl = self.get_desc_sddl(object_dn)
1312 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1313 self.assertEqual("O:DAG:DA", res)
1314
1315 def test_170(self):
1316 user_name = "testuser3"
1317 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1318 # Open Ldb connection with the tested user
1319 _ldb = self.get_ldb_connection(user_name, "samba123@")
1320 # Create example Configuration container
1321 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1322 self.delete_force(self.ldb_admin, object_dn)
1323 self.create_configuration_container(self.ldb_admin, object_dn, )
1324 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1325 mod = "(A;;CC;;;AU)"
1326 self.dacl_add_ace(object_dn, mod)
1327 # Create child object with user's credentials
1328 object_dn = "CN=test-specifier1," + object_dn
1329 self.delete_force(self.ldb_admin, object_dn)
1330 # Create a custom security descriptor
1331 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1332 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1333 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1334 desc_sddl = self.get_desc_sddl(object_dn)
1335 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1336 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1337
1338 def test_171(self):
1339 user_name = "testuser4"
1340 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1341 # Open Ldb connection with the tested user
1342 _ldb = self.get_ldb_connection(user_name, "samba123@")
1343 # Create example Configuration container
1344 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1345 self.delete_force(self.ldb_admin, object_dn)
1346 self.create_configuration_container(self.ldb_admin, object_dn, )
1347 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1348 mod = "(A;;CC;;;AU)"
1349 self.dacl_add_ace(object_dn, mod)
1350 # Create child object with user's credentials
1351 object_dn = "CN=test-specifier1," + object_dn
1352 self.delete_force(self.ldb_admin, object_dn)
1353 # Create a custom security descriptor
1354 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1355 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1356 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1357 desc_sddl = self.get_desc_sddl(object_dn)
1358 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1359 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1360
1361 def test_172(self):
1362 user_name = "testuser5"
1363 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1364 # Open Ldb connection with the tested user
1365 _ldb = self.get_ldb_connection(user_name, "samba123@")
1366 # Create example Configuration container
1367 container_name = "test-container1"
1368 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1369 self.delete_force(self.ldb_admin, object_dn)
1370 # Create a custom security descriptor
1371 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1372 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1373 desc_sddl = self.get_desc_sddl(object_dn)
1374 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1375 self.assertEqual("O:DAG:DA", res)
1376
1377 def test_173(self):
1378 user_name = "testuser6"
1379 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1380 # Open Ldb connection with the tested user
1381 _ldb = self.get_ldb_connection(user_name, "samba123@")
1382 # Create example Configuration container
1383 container_name = "test-container1"
1384 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1385 self.delete_force(self.ldb_admin, object_dn)
1386 # Create a custom security descriptor
1387 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1388 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1389 desc_sddl = self.get_desc_sddl(object_dn)
1390 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1391 self.assertEqual("O:DAG:DA", res)
1392
1393 def test_174(self):
1394 user_name = "testuser7"
1395 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1396 # Open Ldb connection with the tested user
1397 _ldb = self.get_ldb_connection(user_name, "samba123@")
1398 # Create example Configuration container
1399 container_name = "test-container1"
1400 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1401 self.delete_force(self.ldb_admin, object_dn)
1402 # Create a custom security descriptor
1403 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1404 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1405 desc_sddl = self.get_desc_sddl(object_dn)
1406 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1407 self.assertEqual("O:DAG:DA", res)
1408
1409 def test_175(self):
1410 user_name = "testuser8"
1411 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1412 # Open Ldb connection with the tested user
1413 _ldb = self.get_ldb_connection(user_name, "samba123@")
1414 # Create example Configuration container
1415 container_name = "test-container1"
1416 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1417 self.delete_force(self.ldb_admin, object_dn)
1418 # Create a custom security descriptor
1419 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1420 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1421 desc_sddl = self.get_desc_sddl(object_dn)
1422 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1423 self.assertEqual("O:DAG:DA", res)
1424
1425 ########################################################################################
1426 # Inharitance tests for DACL
1427
1428 class DaclDescriptorTests(DescriptorTests):
1429
1430 def deleteAll(self):
1431 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1432 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1433
1434 def setUp(self):
1435 DescriptorTests.setUp(self)
1436 self.deleteAll()
1437
1438 def tearDown(self):
1439 self.deleteAll()
1440
1441 def create_clean_ou(self, object_dn):
1442 """ Base repeating setup for unittests to follow """
1443 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1444 expression="distinguishedName=%s" % object_dn)
1445 # Make sure top testing OU has been deleted before starting the test
1446 self.assertEqual(res, [])
1447 self.create_domain_ou(self.ldb_admin, object_dn)
1448 desc_sddl = self.get_desc_sddl(object_dn)
1449 # Make sure there are inheritable ACEs initially
1450 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1451 # Find and remove all inherit ACEs
1452 res = re.findall("\(.*?\)", desc_sddl)
1453 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1454 for x in res:
1455 desc_sddl = desc_sddl.replace(x, "")
1456 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1457 # can propagate from above
1458 # remove SACL, we are not interested
1459 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1460 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1461 # Verify all inheritable ACEs are gone
1462 desc_sddl = self.get_desc_sddl(object_dn)
1463 self.assertFalse("CI" in desc_sddl)
1464 self.assertFalse("OI" in desc_sddl)
1465
1466 def test_200(self):
1467 """ OU with protected flag and child group. See if the group has inherit ACEs.
1468 """
1469 ou_dn = "OU=test_inherit_ou," + self.base_dn
1470 group_dn = "CN=test_inherit_group," + ou_dn
1471 # Create inheritable-free OU
1472 self.create_clean_ou(ou_dn)
1473 # Create group child object
1474 self.create_domain_group(self.ldb_admin, group_dn)
1475 # Make sure created group object contains NO inherit ACEs
1476 desc_sddl = self.get_desc_sddl(group_dn)
1477 self.assertFalse("ID" in desc_sddl)
1478
1479 def test_201(self):
1480 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1481 Verify group has custom and default ACEs only.
1482 """
1483 ou_dn = "OU=test_inherit_ou," + self.base_dn
1484 group_dn = "CN=test_inherit_group," + ou_dn
1485 # Create inheritable-free OU
1486 self.create_clean_ou(ou_dn)
1487 # Create group child object using custom security descriptor
1488 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1489 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1490 # Make sure created group descriptor has NO additional ACEs
1491 desc_sddl = self.get_desc_sddl(group_dn)
1492 self.assertEqual(desc_sddl, sddl)
1493 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1494 self.modify_desc(self.ldb_admin, group_dn, sddl)
1495 desc_sddl = self.get_desc_sddl(group_dn)
1496 self.assertEqual(desc_sddl, sddl)
1497
1498 def test_202(self):
1499 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1500 See if the group has any of the added ACEs.
1501 """
1502 ou_dn = "OU=test_inherit_ou," + self.base_dn
1503 group_dn = "CN=test_inherit_group," + ou_dn
1504 # Create inheritable-free OU
1505 self.create_clean_ou(ou_dn)
1506 # Add some custom non-inheritable ACEs
1507 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1508 moded = "(D;;CC;;;LG)"
1509 self.dacl_add_ace(ou_dn, mod)
1510 # Verify all inheritable ACEs are gone
1511 desc_sddl = self.get_desc_sddl(ou_dn)
1512 # Create group child object
1513 self.create_domain_group(self.ldb_admin, group_dn)
1514 # Make sure created group object contains NO inherit ACEs
1515 # also make sure the added above non-inheritable ACEs are absent too
1516 desc_sddl = self.get_desc_sddl(group_dn)
1517 self.assertFalse("ID" in desc_sddl)
1518 for x in re.findall("\(.*?\)", mod):
1519 self.assertFalse(x in desc_sddl)
1520 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1521 desc_sddl = self.get_desc_sddl(group_dn)
1522 self.assertFalse("ID" in desc_sddl)
1523 for x in re.findall("\(.*?\)", mod):
1524 self.assertFalse(x in desc_sddl)
1525
1526 def test_203(self):
1527 """ OU with protected flag and add 'CI' ACE, child group.
1528 See if the group has the added inherited ACE.
1529 """
1530 ou_dn = "OU=test_inherit_ou," + self.base_dn
1531 group_dn = "CN=test_inherit_group," + ou_dn
1532 # Create inheritable-free OU
1533 self.create_clean_ou(ou_dn)
1534 # Add some custom 'CI' ACE
1535 mod = "(D;CI;WP;;;DU)"
1536 moded = "(D;;CC;;;LG)"
1537 self.dacl_add_ace(ou_dn, mod)
1538 desc_sddl = self.get_desc_sddl(ou_dn)
1539 # Create group child object
1540 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1541 # Make sure created group object contains only the above inherited ACE
1542 # that we've added manually
1543 desc_sddl = self.get_desc_sddl(group_dn)
1544 mod = mod.replace(";CI;", ";CIID;")
1545 self.assertTrue(mod in desc_sddl)
1546 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1547 desc_sddl = self.get_desc_sddl(group_dn)
1548 self.assertTrue(moded in desc_sddl)
1549 self.assertTrue(mod in desc_sddl)
1550
1551 def test_204(self):
1552 """ OU with protected flag and add 'OI' ACE, child group.
1553 See if the group has the added inherited ACE.
1554 """
1555 ou_dn = "OU=test_inherit_ou," + self.base_dn
1556 group_dn = "CN=test_inherit_group," + ou_dn
1557 # Create inheritable-free OU
1558 self.create_clean_ou(ou_dn)
1559 # Add some custom 'CI' ACE
1560 mod = "(D;OI;WP;;;DU)"
1561 moded = "(D;;CC;;;LG)"
1562 self.dacl_add_ace(ou_dn, mod)
1563 desc_sddl = self.get_desc_sddl(ou_dn)
1564 # Create group child object
1565 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1566 # Make sure created group object contains only the above inherited ACE
1567 # that we've added manually
1568 desc_sddl = self.get_desc_sddl(group_dn)
1569 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1570 self.assertTrue(mod in desc_sddl)
1571 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1572 desc_sddl = self.get_desc_sddl(group_dn)
1573 self.assertTrue(moded in desc_sddl)
1574 self.assertTrue(mod in desc_sddl)
1575
1576 def test_205(self):
1577 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1578 See if the group has the added inherited ACE.
1579 """
1580 ou_dn = "OU=test_inherit_ou," + self.base_dn
1581 group_dn = "CN=test_inherit_group," + ou_dn
1582 # Create inheritable-free OU
1583 self.create_clean_ou(ou_dn)
1584 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1585 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1586 moded = "(D;;CC;;;LG)"
1587 self.dacl_add_ace(ou_dn, mod)
1588 desc_sddl = self.get_desc_sddl(ou_dn)
1589 # Create group child object
1590 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1591 # Make sure created group object contains only the above inherited ACE
1592 # that we've added manually
1593 desc_sddl = self.get_desc_sddl(group_dn)
1594 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1595 self.assertTrue(mod in desc_sddl)
1596 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1597 desc_sddl = self.get_desc_sddl(group_dn)
1598 self.assertTrue(moded in desc_sddl)
1599 self.assertTrue(mod in desc_sddl)
1600
1601 def test_206(self):
1602 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1603 See if the group has the added inherited ACE.
1604 """
1605 ou_dn = "OU=test_inherit_ou," + self.base_dn
1606 group_dn = "CN=test_inherit_group," + ou_dn
1607 # Create inheritable-free OU
1608 self.create_clean_ou(ou_dn)
1609 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1610 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1611 moded = "(D;;CC;;;LG)"
1612 self.dacl_add_ace(ou_dn, mod)
1613 desc_sddl = self.get_desc_sddl(ou_dn)
1614 # Create group child object
1615 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1616 # Make sure created group object contains only the above inherited ACE
1617 # that we've added manually
1618 desc_sddl = self.get_desc_sddl(group_dn)
1619 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1620 self.assertTrue(mod in desc_sddl)
1621 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1622 desc_sddl = self.get_desc_sddl(group_dn)
1623 self.assertTrue(moded in desc_sddl)
1624 self.assertTrue(mod in desc_sddl)
1625
1626 def test_207(self):
1627 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1628 See if the group has the added inherited ACE.
1629 """
1630 ou_dn = "OU=test_inherit_ou," + self.base_dn
1631 group_dn = "CN=test_inherit_group," + ou_dn
1632 # Create inheritable-free OU
1633 self.create_clean_ou(ou_dn)
1634 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1635 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1636 moded = "(D;;CC;;;LG)"
1637 self.dacl_add_ace(ou_dn, mod)
1638 desc_sddl = self.get_desc_sddl(ou_dn)
1639 # Create group child object
1640 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1641 # Make sure created group object contains only the above inherited ACE
1642 # that we've added manually
1643 desc_sddl = self.get_desc_sddl(group_dn)
1644 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1645 self.assertTrue(mod in desc_sddl)
1646 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1647 desc_sddl = self.get_desc_sddl(group_dn)
1648 self.assertTrue(moded in desc_sddl)
1649 self.assertTrue(mod in desc_sddl)
1650
1651 def test_208(self):
1652 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1653 See if the group has the added inherited ACE.
1654 """
1655 ou_dn = "OU=test_inherit_ou," + self.base_dn
1656 group_dn = "CN=test_inherit_group," + ou_dn
1657 # Create inheritable-free OU
1658 self.create_clean_ou(ou_dn)
1659 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1660 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1661 moded = "(D;;CC;;;LG)"
1662 self.dacl_add_ace(ou_dn, mod)
1663 desc_sddl = self.get_desc_sddl(ou_dn)
1664 # Create group child object
1665 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1666 # Make sure created group object contains only the above inherited ACE
1667 # that we've added manually
1668 desc_sddl = self.get_desc_sddl(group_dn)
1669 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1670 self.assertTrue(mod in desc_sddl)
1671 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1672 desc_sddl = self.get_desc_sddl(group_dn)
1673 self.assertTrue(moded in desc_sddl)
1674 self.assertTrue(mod in desc_sddl)
1675
1676 def test_209(self):
1677 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1678 See if the group has the added inherited ACE.
1679 """
1680 ou_dn = "OU=test_inherit_ou," + self.base_dn
1681 group_dn = "CN=test_inherit_group," + ou_dn
1682 # Create inheritable-free OU
1683 self.create_clean_ou(ou_dn)
1684 # Add some custom 'CI' ACE
1685 mod = "(D;CI;WP;;;CO)"
1686 moded = "(D;;CC;;;LG)"
1687 self.dacl_add_ace(ou_dn, mod)
1688 desc_sddl = self.get_desc_sddl(ou_dn)
1689 # Create group child object
1690 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1691 # Make sure created group object contains only the above inherited ACE(s)
1692 # that we've added manually
1693 desc_sddl = self.get_desc_sddl(group_dn)
1694 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1695 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1696 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1697 desc_sddl = self.get_desc_sddl(group_dn)
1698 self.assertTrue(moded in desc_sddl)
1699 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1700 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1701
1702 def test_210(self):
1703 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1704 """
1705 ou_dn = "OU=test_inherit_ou," + self.base_dn
1706 group_dn = "CN=test_inherit_group," + ou_dn
1707 self.create_clean_ou(ou_dn)
1708 # Add some custom ACE
1709 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1710 self.create_domain_group(self.ldb_admin, group_dn, mod)
1711 # Make sure created group object does not contain the ID ace
1712 desc_sddl = self.get_desc_sddl(group_dn)
1713 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1714
1715 def test_211(self):
1716 """ Provide ACE with CO SID, should be expanded and replaced
1717 """
1718 ou_dn = "OU=test_inherit_ou," + self.base_dn
1719 group_dn = "CN=test_inherit_group," + ou_dn
1720 # Create inheritable-free OU
1721 self.create_clean_ou(ou_dn)
1722 # Add some custom 'CI' ACE
1723 mod = "D:(D;CI;WP;;;CO)"
1724 self.create_domain_group(self.ldb_admin, group_dn, mod)
1725 desc_sddl = self.get_desc_sddl(group_dn)
1726 self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
1727
1728 ########################################################################################
1729
1730
1731 class SdFlagsDescriptorTests(DescriptorTests):
1732 def deleteAll(self):
1733 self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1734
1735 def setUp(self):
1736 DescriptorTests.setUp(self)
1737 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1738 self.deleteAll()
1739
1740 def tearDown(self):
1741 self.deleteAll()
1742
1743 def test_301(self):
1744 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1745 See that only the owner has been changed.
1746 """
1747 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1748 self.create_domain_ou(self.ldb_admin, ou_dn)
1749 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1750 desc_sddl = self.get_desc_sddl(ou_dn)
1751 # make sure we have modified the owner
1752 self.assertTrue("O:AU" in desc_sddl)
1753 # make sure nothing else has been modified
1754 self.assertFalse("G:AU" in desc_sddl)
1755 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1756 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1757
1758 def test_302(self):
1759 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1760 See that only the owner has been changed.
1761 """
1762 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1763 self.create_domain_ou(self.ldb_admin, ou_dn)
1764 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1765 desc_sddl = self.get_desc_sddl(ou_dn)
1766 # make sure we have modified the group
1767 self.assertTrue("G:AU" in desc_sddl)
1768 # make sure nothing else has been modified
1769 self.assertFalse("O:AU" in desc_sddl)
1770 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1771 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1772
1773 def test_303(self):
1774 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1775 See that only the owner has been changed.
1776 """
1777 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1778 self.create_domain_ou(self.ldb_admin, ou_dn)
1779 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1780 desc_sddl = self.get_desc_sddl(ou_dn)
1781 # make sure we have modified the DACL
1782 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1783 # make sure nothing else has been modified
1784 self.assertFalse("O:AU" in desc_sddl)
1785 self.assertFalse("G:AU" in desc_sddl)
1786 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1787
1788 def test_304(self):
1789 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1790 See that only the owner has been changed.
1791 """
1792 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1793 self.create_domain_ou(self.ldb_admin, ou_dn)
1794 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1795 desc_sddl = self.get_desc_sddl(ou_dn)
1796 # make sure we have modified the DACL
1797 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1798 # make sure nothing else has been modified
1799 self.assertFalse("O:AU" in desc_sddl)
1800 self.assertFalse("G:AU" in desc_sddl)
1801 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1802
1803 def test_305(self):
1804 """ Modify a descriptor with 0x0 set.
1805 Contrary to logic this is interpreted as no control,
1806 which is the same as 0xF
1807 """
1808 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1809 self.create_domain_ou(self.ldb_admin, ou_dn)
1810 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1811 desc_sddl = self.get_desc_sddl(ou_dn)
1812 # make sure we have modified the DACL
1813 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1814 # make sure nothing else has been modified
1815 self.assertTrue("O:AU" in desc_sddl)
1816 self.assertTrue("G:AU" in desc_sddl)
1817 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1818
1819 def test_306(self):
1820 """ Modify a descriptor with 0xF set.
1821 """
1822 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1823 self.create_domain_ou(self.ldb_admin, ou_dn)
1824 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1825 desc_sddl = self.get_desc_sddl(ou_dn)
1826 # make sure we have modified the DACL
1827 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1828 # make sure nothing else has been modified
1829 self.assertTrue("O:AU" in desc_sddl)
1830 self.assertTrue("G:AU" in desc_sddl)
1831 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1832
1833 def test_307(self):
1834 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1835 Only the owner part should be returned.
1836 """
1837 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1838 self.create_domain_ou(self.ldb_admin, ou_dn)
1839 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1840 # make sure we have read the owner
1841 self.assertTrue("O:" in desc_sddl)
1842 # make sure we have read nothing else
1843 self.assertFalse("G:" in desc_sddl)
1844 self.assertFalse("D:" in desc_sddl)
1845 self.assertFalse("S:" in desc_sddl)
1846
1847 def test_308(self):
1848 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1849 Only the group part should be returned.
1850 """
1851 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1852 self.create_domain_ou(self.ldb_admin, ou_dn)
1853 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1854 # make sure we have read the owner
1855 self.assertTrue("G:" in desc_sddl)
1856 # make sure we have read nothing else
1857 self.assertFalse("O:" in desc_sddl)
1858 self.assertFalse("D:" in desc_sddl)
1859 self.assertFalse("S:" in desc_sddl)
1860
1861 def test_309(self):
1862 """ Read a descriptor with SACL_SECURITY_INFORMATION
1863 Only the sacl part should be returned.
1864 """
1865 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1866 self.create_domain_ou(self.ldb_admin, ou_dn)
1867 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1868 # make sure we have read the owner
1869 self.assertTrue("S:" in desc_sddl)
1870 # make sure we have read nothing else
1871 self.assertFalse("O:" in desc_sddl)
1872 self.assertFalse("D:" in desc_sddl)
1873 self.assertFalse("G:" in desc_sddl)
1874
1875 def test_310(self):
1876 """ Read a descriptor with DACL_SECURITY_INFORMATION
1877 Only the dacl part should be returned.
1878 """
1879 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1880 self.create_domain_ou(self.ldb_admin, ou_dn)
1881 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1882 # make sure we have read the owner
1883 self.assertTrue("D:" in desc_sddl)
1884 # make sure we have read nothing else
1885 self.assertFalse("O:" in desc_sddl)
1886 self.assertFalse("S:" in desc_sddl)
1887 self.assertFalse("G:" in desc_sddl)
1888
1889 class RightsAttributesTests(DescriptorTests):
1890
1891 def deleteAll(self):
1892 if self.SAMBA:
1893 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1894 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1895
1896 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1897
1898 def setUp(self):
1899 DescriptorTests.setUp(self)
1900 self.deleteAll()
1901 if self.SAMBA:
1902 ### Create users
1903 # User 1
1904 user_dn = self.get_users_domain_dn("testuser_attr")
1905 self.create_domain_user(self.ldb_admin, user_dn)
1906 self.enable_account(user_dn)
1907 # User 2, Domain Admins
1908 user_dn = self.get_users_domain_dn("testuser_attr2")
1909 self.create_domain_user(self.ldb_admin, user_dn)
1910 self.enable_account(user_dn)
1911 ldif = """
1912 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
1913 changetype: modify
1914 add: member
1915 member: """ + user_dn
1916 self.ldb_admin.modify_ldif(ldif)
1917
1918 def tearDown(self):
1919 self.deleteAll()
1920
1921 def test_sDRightsEffective(self):
1922 object_dn = "OU=test_domain_ou1," + self.base_dn
1923 self.delete_force(self.ldb_admin, object_dn)
1924 self.create_domain_ou(self.ldb_admin, object_dn)
1925 print self.get_users_domain_dn("testuser_attr")
1926 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1927 #give testuser1 read access so attributes can be retrieved
1928 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1929 self.dacl_add_ace(object_dn, mod)
1930 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1931 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1932 attrs=["sDRightsEffective"])
1933 #user whould have no rights at all
1934 self.assertEquals(len(res), 1)
1935 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1936 #give the user Write DACL and see what happens
1937 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1938 self.dacl_add_ace(object_dn, mod)
1939 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1940 attrs=["sDRightsEffective"])
1941 #user whould have DACL_SECURITY_INFORMATION
1942 self.assertEquals(len(res), 1)
1943 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1944 #give the user Write Owners and see what happens
1945 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1946 self.dacl_add_ace(object_dn, mod)
1947 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1948 attrs=["sDRightsEffective"])
1949 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1950 self.assertEquals(len(res), 1)
1951 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1952 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1953 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1954 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1955 attrs=["sDRightsEffective"])
1956 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1957 self.assertEquals(len(res), 1)
1958 self.assertEquals(res[0]["sDRightsEffective"][0], \
1959 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1960
1961 def test_allowedChildClassesEffective(self):
1962 object_dn = "OU=test_domain_ou1," + self.base_dn
1963 self.delete_force(self.ldb_admin, object_dn)
1964 self.create_domain_ou(self.ldb_admin, object_dn)
1965 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1966 #give testuser1 read access so attributes can be retrieved
1967 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1968 self.dacl_add_ace(object_dn, mod)
1969 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1970 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1971 attrs=["allowedChildClassesEffective"])
1972 #there should be no allowed child classes
1973 self.assertEquals(len(res), 1)
1974 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1975 #give the user the right to create children of type user
1976 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1977 self.dacl_add_ace(object_dn, mod)
1978 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1979 attrs=["allowedChildClassesEffective"])
1980 # allowedChildClassesEffective should only have one value, user
1981 self.assertEquals(len(res), 1)
1982 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1983 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1984
1985 def test_allowedAttributesEffective(self):
1986 object_dn = "OU=test_domain_ou1," + self.base_dn
1987 self.delete_force(self.ldb_admin, object_dn)
1988 self.create_domain_ou(self.ldb_admin, object_dn)
1989 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1990 #give testuser1 read access so attributes can be retrieved
1991 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1992 self.dacl_add_ace(object_dn, mod)
1993 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1994 #res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1995 # attrs=["allowedAttributes"])
1996 #print res
1997 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1998 attrs=["allowedAttributesEffective"])
1999 #there should be no allowed attributes
2000 self.assertEquals(len(res), 1)
2001 self.assertFalse("allowedAttributesEffective" in res[0].keys())
2002 #give the user the right to write displayName and managedBy
2003 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2004 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
2005 # also rights to modify an read only attribute, fromEntry
2006 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
2007 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
2008 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2009 attrs=["allowedAttributesEffective"])
2010 # value should only contain user and managedBy
2011 print res
2012 self.assertEquals(len(res), 1)
2013 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
2014 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
2015 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
2016
2017 if not "://" in host:
2018 if os.path.isfile(host):
2019 host = "tdb://%s" % host
2020 else:
2021 host = "ldap://%s" % host
2022
2023 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
2024
2025 runner = SubunitTestRunner()
2026 rc = 0
2027 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
2028 rc = 1
2029 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
2030 rc = 1
2031 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
2032 rc = 1
2033 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
2034 rc = 1
2035 sys.exit(rc)
reg import