2 # -*- coding: utf-8 -*-
11 sys
.path
.append("bin/python")
13 import samba
.getopt
as options
15 # Some error messages that are being tested
16 from ldb
import SCOPE_SUBTREE
, SCOPE_BASE
, LdbError
, ERR_NO_SUCH_OBJECT
18 # For running the test unit
19 from samba
.ndr
import ndr_pack
, ndr_unpack
20 from samba
.dcerpc
import security
23 from samba
.auth
import system_session
24 from samba
.dsdb
import DS_DOMAIN_FUNCTION_2008
25 from samba
.dcerpc
.security
import (
26 SECINFO_OWNER
, SECINFO_GROUP
, SECINFO_DACL
, SECINFO_SACL
)
27 from subunit
.run
import SubunitTestRunner
30 parser
= optparse
.OptionParser("sec_descriptor [options] <host>")
31 sambaopts
= options
.SambaOptions(parser
)
32 parser
.add_option_group(sambaopts
)
33 parser
.add_option_group(options
.VersionOptions(parser
))
35 # use command line creds if available
36 credopts
= options
.CredentialsOptions(parser
)
37 parser
.add_option_group(credopts
)
38 opts
, args
= parser
.parse_args()
46 lp
= sambaopts
.get_loadparm()
47 creds
= credopts
.get_credentials(lp
)
53 class DescriptorTests(unittest
.TestCase
):
55 def delete_force(self
, ldb
, dn
):
58 except LdbError
, (num
, _
):
59 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
61 def find_basedn(self
, ldb
):
62 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
,
63 attrs
=["defaultNamingContext"])
64 self
.assertEquals(len(res
), 1)
65 return res
[0]["defaultNamingContext"][0]
67 def find_configurationdn(self
, ldb
):
68 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["configurationNamingContext"])
69 self
.assertEquals(len(res
), 1)
70 return res
[0]["configurationNamingContext"][0]
72 def find_schemadn(self
, ldb
):
73 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["schemaNamingContext"])
74 self
.assertEquals(len(res
), 1)
75 return res
[0]["schemaNamingContext"][0]
77 def find_domain_sid(self
, ldb
):
78 res
= ldb
.search(base
=self
.base_dn
, expression
="(objectClass=*)", scope
=SCOPE_BASE
)
79 return ndr_unpack( security
.dom_sid
,res
[0]["objectSid"][0])
81 def get_users_domain_dn(self
, name
):
82 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
84 def modify_desc(self
, _ldb
, object_dn
, desc
, controls
=None):
85 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
87 dn: """ + object_dn
+ """
89 replace: nTSecurityDescriptor
91 if isinstance(desc
, str):
92 mod
+= "nTSecurityDescriptor: %s" % desc
93 elif isinstance(desc
, security
.descriptor
):
94 mod
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
95 _ldb
.modify_ldif(mod
, controls
)
97 def create_domain_ou(self
, _ldb
, ou_dn
, desc
=None, controls
=None):
100 ou: """ + ou_dn
.split(",")[0][3:] + """
101 objectClass: organizationalUnit
105 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
106 if isinstance(desc
, str):
107 ldif
+= "nTSecurityDescriptor: %s" % desc
108 elif isinstance(desc
, security
.descriptor
):
109 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
110 _ldb
.add_ldif(ldif
, controls
)
112 def create_domain_user(self
, _ldb
, user_dn
, desc
=None):
114 dn: """ + user_dn
+ """
115 sAMAccountName: """ + user_dn
.split(",")[0][3:] + """
117 userPassword: samba123@
121 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
122 if isinstance(desc
, str):
123 ldif
+= "nTSecurityDescriptor: %s" % desc
124 elif isinstance(desc
, security
.descriptor
):
125 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
128 def create_domain_group(self
, _ldb
, group_dn
, desc
=None):
130 dn: """ + group_dn
+ """
132 sAMAccountName: """ + group_dn
.split(",")[0][3:] + """
137 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
138 if isinstance(desc
, str):
139 ldif
+= "nTSecurityDescriptor: %s" % desc
140 elif isinstance(desc
, security
.descriptor
):
141 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
144 def get_unique_schema_class_name(self
):
146 class_name
= "test-class%s" % random
.randint(1,100000)
147 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
149 self
.ldb_admin
.search(base
=class_dn
, attrs
=["*"])
150 except LdbError
, (num
, _
):
151 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
154 def create_schema_class(self
, _ldb
, object_dn
, desc
=None):
156 dn: """ + object_dn
+ """
157 objectClass: classSchema
158 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
159 defaultObjectCategory: """ + object_dn
+ """
160 distinguishedName: """ + object_dn
+ """
161 governsID: 1.2.840.""" + str(random
.randint(1,100000)) + """.1.5.9939
163 objectClassCategory: 1
164 subClassOf: organizationalPerson
167 systemMustContain: cn
171 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
172 if isinstance(desc
, str):
173 ldif
+= "nTSecurityDescriptor: %s" % desc
174 elif isinstance(desc
, security
.descriptor
):
175 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
178 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
180 dn: """ + object_dn
+ """
181 objectClass: container
182 objectCategory: CN=Container,""" + self
.schema_dn
+ """
183 showInAdvancedViewOnly: TRUE
187 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
188 if isinstance(desc
, str):
189 ldif
+= "nTSecurityDescriptor: %s" % desc
190 elif isinstance(desc
, security
.descriptor
):
191 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
194 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
196 dn: """ + object_dn
+ """
197 objectClass: displaySpecifier
198 showInAdvancedViewOnly: TRUE
201 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
202 if isinstance(desc
, str):
203 ldif
+= "nTSecurityDescriptor: %s" % desc
204 elif isinstance(desc
, security
.descriptor
):
205 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
208 def read_desc(self
, object_dn
, controls
=None):
209 res
= self
.ldb_admin
.search(base
=object_dn
, scope
=SCOPE_BASE
, attrs
=["nTSecurityDescriptor"], controls
=controls
)
210 desc
= res
[0]["nTSecurityDescriptor"][0]
211 return ndr_unpack(security
.descriptor
, desc
)
213 def enable_account(self
, user_dn
):
214 """Enable an account.
215 :param user_dn: Dn of the account to enable.
217 res
= self
.ldb_admin
.search(user_dn
, SCOPE_BASE
, None, ["userAccountControl"])
219 userAccountControl
= res
[0]["userAccountControl"][0]
220 userAccountControl
= int(userAccountControl
)
221 if (userAccountControl
& 0x2):
222 userAccountControl
= userAccountControl
& ~
0x2 # remove disabled bit
223 if (userAccountControl
& 0x20):
224 userAccountControl
= userAccountControl
& ~
0x20 # remove 'no password required' bit
226 dn: """ + user_dn
+ """
228 replace: userAccountControl
229 userAccountControl: %s""" % userAccountControl
231 mod
= re
.sub("userAccountControl: \d.*", "userAccountControl: 544", mod
)
232 self
.ldb_admin
.modify_ldif(mod
)
234 def get_ldb_connection(self
, target_username
, target_password
):
235 username_save
= creds
.get_username(); password_save
= creds
.get_password()
236 creds
.set_username(target_username
)
237 creds
.set_password(target_password
)
238 ldb_target
= Ldb(host
, credentials
=creds
, session_info
=system_session(), lp
=lp
)
239 creds
.set_username(username_save
); creds
.set_password(password_save
)
242 def get_object_sid(self
, object_dn
):
243 res
= self
.ldb_admin
.search(object_dn
)
244 return ndr_unpack( security
.dom_sid
, res
[0]["objectSid"][0] )
246 def dacl_add_ace(self
, object_dn
, ace
):
247 desc
= self
.read_desc( object_dn
)
248 desc_sddl
= desc
.as_sddl( self
.domain_sid
)
251 if desc_sddl
.find("(") >= 0:
252 desc_sddl
= desc_sddl
[:desc_sddl
.index("(")] + ace
+ desc_sddl
[desc_sddl
.index("("):]
254 desc_sddl
= desc_sddl
+ ace
255 self
.modify_desc(self
.ldb_admin
, object_dn
, desc_sddl
)
257 def get_desc_sddl(self
, object_dn
, controls
=None):
258 """ Return object nTSecutiryDescriptor in SDDL format
260 desc
= self
.read_desc(object_dn
, controls
)
261 return desc
.as_sddl(self
.domain_sid
)
265 self
.base_dn
= self
.find_basedn(self
.ldb_admin
)
266 self
.configuration_dn
= self
.find_configurationdn(self
.ldb_admin
)
267 self
.schema_dn
= self
.find_schemadn(self
.ldb_admin
)
268 self
.domain_sid
= self
.find_domain_sid(self
.ldb_admin
)
269 print "baseDN: %s" % self
.base_dn
270 self
.SAMBA
= False; self
.WIN2003
= False
271 res
= self
.ldb_admin
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["vendorName"])
272 if "vendorName" in res
[0].keys() and "Samba Team" in res
[0]["vendorName"][0]:
277 ################################################################################################
281 # Default descriptor tests #####################################################################
283 class OwnerGroupDescriptorTests(DescriptorTests
):
287 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
288 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
289 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
290 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
291 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
292 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
293 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
294 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
296 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
297 self
.delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
298 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
299 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
302 self
.delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
303 + self
.configuration_dn
)
304 self
.delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
307 DescriptorTests
.setUp(self
)
312 user_dn
= self
.get_users_domain_dn("testuser1")
313 self
.create_domain_user(self
.ldb_admin
, user_dn
)
314 self
.enable_account(user_dn
)
316 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
319 member: """ + user_dn
320 self
.ldb_admin
.modify_ldif(ldif
)
322 user_dn
= self
.get_users_domain_dn("testuser2")
323 self
.create_domain_user(self
.ldb_admin
, user_dn
)
324 self
.enable_account(user_dn
)
326 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
329 member: """ + user_dn
330 self
.ldb_admin
.modify_ldif(ldif
)
332 user_dn
= self
.get_users_domain_dn("testuser3")
333 self
.create_domain_user(self
.ldb_admin
, user_dn
)
334 self
.enable_account(user_dn
)
336 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
339 member: """ + user_dn
340 self
.ldb_admin
.modify_ldif(ldif
)
342 user_dn
= self
.get_users_domain_dn("testuser4")
343 self
.create_domain_user(self
.ldb_admin
, user_dn
)
344 self
.enable_account(user_dn
)
346 user_dn
= self
.get_users_domain_dn("testuser5")
347 self
.create_domain_user(self
.ldb_admin
, user_dn
)
348 self
.enable_account(user_dn
)
350 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
353 member: """ + user_dn
+ """
355 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
358 member: """ + user_dn
359 self
.ldb_admin
.modify_ldif(ldif
)
361 user_dn
= self
.get_users_domain_dn("testuser6")
362 self
.create_domain_user(self
.ldb_admin
, user_dn
)
363 self
.enable_account(user_dn
)
365 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
368 member: """ + user_dn
+ """
370 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
373 member: """ + user_dn
+ """
375 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
378 member: """ + user_dn
379 self
.ldb_admin
.modify_ldif(ldif
)
381 user_dn
= self
.get_users_domain_dn("testuser7")
382 self
.create_domain_user(self
.ldb_admin
, user_dn
)
383 self
.enable_account(user_dn
)
385 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
388 member: """ + user_dn
+ """
390 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
393 member: """ + user_dn
394 self
.ldb_admin
.modify_ldif(ldif
)
396 user_dn
= self
.get_users_domain_dn("testuser8")
397 self
.create_domain_user(self
.ldb_admin
, user_dn
)
398 self
.enable_account(user_dn
)
400 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
403 member: """ + user_dn
+ """
405 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
408 member: """ + user_dn
409 self
.ldb_admin
.modify_ldif(ldif
)
411 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
412 "ds_behavior_win2003" : {
462 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
463 "ds_behavior_win2008" : {
514 # Discover 'msDS-Behavior-Version'
515 res
= self
.ldb_admin
.search(base
=self
.base_dn
, expression
="distinguishedName=%s" % self
.base_dn
, \
516 attrs
=['msDS-Behavior-Version'])
517 res
= int(res
[0]['msDS-Behavior-Version'][0])
518 if res
< DS_DOMAIN_FUNCTION_2008
:
519 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
521 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
526 def check_user_belongs(self
, user_dn
, groups
=[]):
527 """ Test wether user is member of the expected group(s) """
529 # User is member of at least one additional group
530 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
531 res
= [x
.upper() for x
in sorted(list(res
[0]["memberOf"]))]
534 expected
.append(self
.get_users_domain_dn(x
))
535 expected
= [x
.upper() for x
in sorted(expected
)]
536 self
.assertEqual(expected
, res
)
538 # User is not a member of any additional groups but default
539 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
540 res
= [x
.upper() for x
in res
[0].keys()]
541 self
.assertFalse( "MEMBEROF" in res
)
543 def check_modify_inheritance(self
, _ldb
, object_dn
, owner_group
=""):
545 ace
= "(D;;CC;;;LG)" # Deny Create Children to Guest account
546 if owner_group
!= "":
547 self
.modify_desc(_ldb
, object_dn
, owner_group
+ "D:" + ace
)
549 self
.modify_desc(_ldb
, object_dn
, "D:" + ace
)
550 # Make sure the modify operation has been applied
551 desc_sddl
= self
.get_desc_sddl(object_dn
)
552 self
.assertTrue(ace
in desc_sddl
)
553 # Make sure we have identical result for both "add" and "modify"
554 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
555 print self
._testMethodName
556 test_number
= self
._testMethodName
[5:]
557 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][test_number
], res
)
560 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
562 user_name
= "testuser1"
563 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
564 # Open Ldb connection with the tested user
565 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
566 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
567 self
.delete_force(self
.ldb_admin
, object_dn
)
568 self
.create_domain_group(_ldb
, object_dn
)
569 desc_sddl
= self
.get_desc_sddl(object_dn
)
570 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
571 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
572 self
.check_modify_inheritance(_ldb
, object_dn
)
575 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
577 user_name
= "testuser2"
578 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
579 # Open Ldb connection with the tested user
580 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
581 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
582 self
.delete_force(self
.ldb_admin
, object_dn
)
583 self
.create_domain_group(_ldb
, object_dn
)
584 desc_sddl
= self
.get_desc_sddl(object_dn
)
585 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
586 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
587 self
.check_modify_inheritance(_ldb
, object_dn
)
590 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
592 user_name
= "testuser3"
593 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
594 # Open Ldb connection with the tested user
595 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
596 object_dn
= "OU=test_domain_ou1," + self
.base_dn
597 self
.delete_force(self
.ldb_admin
, object_dn
)
598 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
599 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
600 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
601 self
.dacl_add_ace(object_dn
, mod
)
602 # Create additional object into the first one
603 object_dn
= "CN=test_domain_user1," + object_dn
604 self
.delete_force(self
.ldb_admin
, object_dn
)
605 self
.create_domain_user(_ldb
, object_dn
)
606 desc_sddl
= self
.get_desc_sddl(object_dn
)
607 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
608 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
609 # This fails, research why
610 #self.check_modify_inheritance(_ldb, object_dn)
613 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
615 user_name
= "testuser4"
616 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
617 # Open Ldb connection with the tested user
618 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
619 object_dn
= "OU=test_domain_ou1," + self
.base_dn
620 self
.delete_force(self
.ldb_admin
, object_dn
)
621 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
622 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
623 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
624 self
.dacl_add_ace(object_dn
, mod
)
625 # Create additional object into the first one
626 object_dn
= "CN=test_domain_user1," + object_dn
627 self
.delete_force(self
.ldb_admin
, object_dn
)
628 self
.create_domain_user(_ldb
, object_dn
)
629 desc_sddl
= self
.get_desc_sddl(object_dn
)
630 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
631 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
632 #this fails, research why
633 #self.check_modify_inheritance(_ldb, object_dn)
636 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
638 user_name
= "testuser5"
639 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
640 # Open Ldb connection with the tested user
641 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
642 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
643 self
.delete_force(self
.ldb_admin
, object_dn
)
644 self
.create_domain_group(_ldb
, object_dn
)
645 desc_sddl
= self
.get_desc_sddl(object_dn
)
646 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
647 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
648 self
.check_modify_inheritance(_ldb
, object_dn
)
651 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
653 user_name
= "testuser6"
654 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
655 # Open Ldb connection with the tested user
656 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
657 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
658 self
.delete_force(self
.ldb_admin
, object_dn
)
659 self
.create_domain_group(_ldb
, object_dn
)
660 desc_sddl
= self
.get_desc_sddl(object_dn
)
661 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
662 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
663 self
.check_modify_inheritance(_ldb
, object_dn
)
666 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
668 user_name
= "testuser7"
669 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
670 # Open Ldb connection with the tested user
671 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
672 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
673 self
.delete_force(self
.ldb_admin
, object_dn
)
674 self
.create_domain_group(_ldb
, object_dn
)
675 desc_sddl
= self
.get_desc_sddl(object_dn
)
676 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
677 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
678 self
.check_modify_inheritance(_ldb
, object_dn
)
681 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
683 user_name
= "testuser8"
684 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
685 # Open Ldb connection with the tested user
686 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
687 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
688 self
.delete_force(self
.ldb_admin
, object_dn
)
689 self
.create_domain_group(_ldb
, object_dn
)
690 desc_sddl
= self
.get_desc_sddl(object_dn
)
691 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
692 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
693 self
.check_modify_inheritance(_ldb
, object_dn
)
695 # Control descriptor tests #####################################################################
698 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
700 user_name
= "testuser1"
701 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
702 # Open Ldb connection with the tested user
703 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
704 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
705 self
.delete_force(self
.ldb_admin
, object_dn
)
706 # Create a custom security descriptor
707 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
708 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
709 desc_sddl
= self
.get_desc_sddl(object_dn
)
710 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
711 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
714 """ Domain admin group member creates object (custom descriptor) in DOMAIN
716 user_name
= "testuser2"
717 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
718 # Open Ldb connection with the tested user
719 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
720 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
721 self
.delete_force(self
.ldb_admin
, object_dn
)
722 # Create a custom security descriptor
723 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
724 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
725 desc_sddl
= self
.get_desc_sddl(object_dn
)
726 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
727 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
730 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
732 user_name
= "testuser3"
733 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
734 # Open Ldb connection with the tested user
735 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
736 object_dn
= "OU=test_domain_ou1," + self
.base_dn
737 self
.delete_force(self
.ldb_admin
, object_dn
)
738 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
739 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
740 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
741 self
.dacl_add_ace(object_dn
, mod
)
742 # Create a custom security descriptor
743 # NB! Problematic owner part won't accept DA only <User Sid> !!!
744 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
745 # Create additional object into the first one
746 object_dn
= "CN=test_domain_user1," + object_dn
747 self
.delete_force(self
.ldb_admin
, object_dn
)
748 self
.create_domain_user(_ldb
, object_dn
, desc_sddl
)
749 desc
= self
.read_desc(object_dn
)
750 desc_sddl
= self
.get_desc_sddl(object_dn
)
751 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
752 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
755 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
757 user_name
= "testuser4"
758 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
759 # Open Ldb connection with the tested user
760 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
761 object_dn
= "OU=test_domain_ou1," + self
.base_dn
762 self
.delete_force(self
.ldb_admin
, object_dn
)
763 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
764 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
765 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
766 self
.dacl_add_ace(object_dn
, mod
)
767 # Create a custom security descriptor
768 # NB! Problematic owner part won't accept DA only <User Sid> !!!
769 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
770 # Create additional object into the first one
771 object_dn
= "CN=test_domain_user1," + object_dn
772 self
.delete_force(self
.ldb_admin
, object_dn
)
773 self
.create_domain_user(_ldb
, object_dn
, desc_sddl
)
774 desc
= self
.read_desc(object_dn
)
775 desc_sddl
= self
.get_desc_sddl(object_dn
)
776 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
777 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
780 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
782 user_name
= "testuser5"
783 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
784 # Open Ldb connection with the tested user
785 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
786 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
787 self
.delete_force(self
.ldb_admin
, object_dn
)
788 # Create a custom security descriptor
789 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
790 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
791 desc_sddl
= self
.get_desc_sddl(object_dn
)
792 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
793 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
796 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
798 user_name
= "testuser6"
799 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
800 # Open Ldb connection with the tested user
801 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
802 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
803 self
.delete_force(self
.ldb_admin
, object_dn
)
804 # Create a custom security descriptor
805 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
806 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
807 desc_sddl
= self
.get_desc_sddl(object_dn
)
808 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
809 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
812 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
814 user_name
= "testuser7"
815 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
816 # Open Ldb connection with the tested user
817 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
818 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
819 self
.delete_force(self
.ldb_admin
, object_dn
)
820 # Create a custom security descriptor
821 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
822 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
823 desc_sddl
= self
.get_desc_sddl(object_dn
)
824 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
825 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
828 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
830 user_name
= "testuser8"
831 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
832 # Open Ldb connection with the tested user
833 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
834 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
835 self
.delete_force(self
.ldb_admin
, object_dn
)
836 # Create a custom security descriptor
837 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
838 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
839 desc_sddl
= self
.get_desc_sddl(object_dn
)
840 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
841 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
844 user_name
= "Administrator"
845 object_dn
= "OU=test_domain_ou1," + self
.base_dn
846 self
.delete_force(self
.ldb_admin
, object_dn
)
847 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
848 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
849 mod
= "(D;CI;WP;;;S-1-3-0)"
851 self
.dacl_add_ace(object_dn
, mod
)
852 desc_sddl
= self
.get_desc_sddl(object_dn
)
853 # Create additional object into the first one
854 object_dn
= "OU=test_domain_ou2," + object_dn
855 self
.delete_force(self
.ldb_admin
, object_dn
)
856 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
857 desc_sddl
= self
.get_desc_sddl(object_dn
)
861 # Defalt descriptor tests ##################################################################
864 user_name
= "testuser1"
865 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
866 # Open Ldb connection with the tested user
867 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
868 # Change Schema partition descriptor
869 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
870 mod
= "(A;;WDCC;;;AU)"
871 self
.dacl_add_ace(self
.schema_dn
, mod
)
872 # Create example Schema class
873 class_name
= self
.get_unique_schema_class_name()
874 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
875 self
.create_schema_class(_ldb
, class_dn
)
876 desc_sddl
= self
.get_desc_sddl(class_dn
)
877 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
878 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
879 self
.check_modify_inheritance(_ldb
, class_dn
)
882 user_name
= "testuser2"
883 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
884 # Open Ldb connection with the tested user
885 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
886 # Change Schema partition descriptor
887 mod
= "(A;CI;WDCC;;;AU)"
888 self
.dacl_add_ace(self
.schema_dn
, mod
)
889 # Create example Schema class
890 class_name
= self
.get_unique_schema_class_name()
891 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
892 self
.create_schema_class(_ldb
, class_dn
)
893 desc_sddl
= self
.get_desc_sddl(class_dn
)
894 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
895 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
896 self
.check_modify_inheritance(_ldb
, class_dn
)
899 user_name
= "testuser3"
900 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
901 # Open Ldb connection with the tested user
902 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
903 # Change Schema partition descriptor
904 mod
= "(A;CI;WDCC;;;AU)"
905 self
.dacl_add_ace(self
.schema_dn
, mod
)
906 # Create example Schema class
907 class_name
= self
.get_unique_schema_class_name()
908 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
909 self
.create_schema_class(_ldb
, class_dn
)
910 desc_sddl
= self
.get_desc_sddl(class_dn
)
911 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
912 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
913 #self.check_modify_inheritance(_ldb, class_dn)
916 user_name
= "testuser4"
917 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
918 # Open Ldb connection with the tested user
919 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
920 #Change Schema partition descriptor
921 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
922 mod
= "(A;CI;WDCC;;;AU)"
923 self
.dacl_add_ace(self
.schema_dn
, mod
)
924 # Create example Schema class
925 class_name
= self
.get_unique_schema_class_name()
926 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
927 self
.create_schema_class(_ldb
, class_dn
)
928 desc_sddl
= self
.get_desc_sddl(class_dn
)
929 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
930 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
931 #self.check_modify_inheritance(_ldb, class_dn)
934 user_name
= "testuser5"
935 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
936 # Open Ldb connection with the tested user
937 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
938 #Change Schema partition descriptor
939 mod
= "(A;CI;WDCC;;;AU)"
940 self
.dacl_add_ace(self
.schema_dn
, mod
)
941 # Create example Schema class
942 class_name
= self
.get_unique_schema_class_name()
943 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
944 self
.create_schema_class(_ldb
, class_dn
)
945 desc_sddl
= self
.get_desc_sddl(class_dn
)
946 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
947 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
948 self
.check_modify_inheritance(_ldb
, class_dn
)
951 user_name
= "testuser6"
952 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
953 # Open Ldb connection with the tested user
954 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
955 # Change Schema partition descriptor
956 mod
= "(A;CI;WDCC;;;AU)"
957 self
.dacl_add_ace(self
.schema_dn
, mod
)
958 # Create example Schema class
959 class_name
= self
.get_unique_schema_class_name()
960 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
961 self
.create_schema_class(_ldb
, class_dn
)
962 desc_sddl
= self
.get_desc_sddl(class_dn
)
963 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
964 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
965 self
.check_modify_inheritance(_ldb
, class_dn
)
968 user_name
= "testuser7"
969 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
970 # Open Ldb connection with the tested user
971 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
972 # Change Schema partition descriptor
973 mod
= "(A;CI;WDCC;;;AU)"
974 self
.dacl_add_ace(self
.schema_dn
, mod
)
975 # Create example Schema class
976 class_name
= self
.get_unique_schema_class_name()
977 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
978 self
.create_schema_class(_ldb
, class_dn
)
979 desc_sddl
= self
.get_desc_sddl(class_dn
)
980 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
981 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
982 self
.check_modify_inheritance(_ldb
, class_dn
)
985 user_name
= "testuser8"
986 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
987 # Open Ldb connection with the tested user
988 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
989 # Change Schema partition descriptor
990 mod
= "(A;CI;WDCC;;;AU)"
991 self
.dacl_add_ace(self
.schema_dn
, mod
)
992 # Create example Schema class
993 class_name
= self
.get_unique_schema_class_name()
994 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
995 self
.create_schema_class(_ldb
, class_dn
)
996 desc_sddl
= self
.get_desc_sddl(class_dn
)
997 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
998 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
999 self
.check_modify_inheritance(_ldb
, class_dn
)
1001 # Custom descriptor tests ##################################################################
1004 user_name
= "testuser1"
1005 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1006 # Open Ldb connection with the tested user
1007 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1008 # Change Schema partition descriptor
1009 mod
= "(A;;CC;;;AU)"
1010 self
.dacl_add_ace(self
.schema_dn
, mod
)
1011 # Create a custom security descriptor
1012 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1013 # Create example Schema class
1014 class_name
= self
.get_unique_schema_class_name()
1015 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1016 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1017 desc_sddl
= self
.get_desc_sddl(class_dn
)
1018 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1019 self
.assertEqual("O:DAG:DA", res
)
1022 user_name
= "testuser2"
1023 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1024 # Open Ldb connection with the tested user
1025 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1026 # Change Schema partition descriptor
1027 mod
= "(A;;CC;;;AU)"
1028 self
.dacl_add_ace(self
.schema_dn
, mod
)
1029 # Create a custom security descriptor
1030 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1031 # Create example Schema class
1032 class_name
= self
.get_unique_schema_class_name()
1033 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1034 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1035 desc_sddl
= self
.get_desc_sddl(class_dn
)
1036 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1037 self
.assertEqual("O:DAG:DA", res
)
1040 user_name
= "testuser3"
1041 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1042 # Open Ldb connection with the tested user
1043 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1044 # Create a custom security descriptor
1045 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1046 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1047 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1048 # Create example Schema class
1049 class_name
= self
.get_unique_schema_class_name()
1050 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1051 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1052 desc_sddl
= self
.get_desc_sddl(class_dn
)
1053 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1054 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1057 user_name
= "testuser4"
1058 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1059 # Open Ldb connection with the tested user
1060 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1061 # Create a custom security descriptor
1062 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1063 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1064 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1065 # Create example Schema class
1066 class_name
= self
.get_unique_schema_class_name()
1067 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1068 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1069 desc_sddl
= self
.get_desc_sddl(class_dn
)
1070 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1071 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1074 user_name
= "testuser5"
1075 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1076 # Open Ldb connection with the tested user
1077 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1078 # Change Schema partition descriptor
1079 mod
= "(A;;CC;;;AU)"
1080 self
.dacl_add_ace(self
.schema_dn
, mod
)
1081 # Create a custom security descriptor
1082 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1083 # Create example Schema class
1084 class_name
= self
.get_unique_schema_class_name()
1085 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1086 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1087 desc_sddl
= self
.get_desc_sddl(class_dn
)
1088 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1089 self
.assertEqual("O:DAG:DA", res
)
1092 user_name
= "testuser6"
1093 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1094 # Open Ldb connection with the tested user
1095 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1096 # Change Schema partition descriptor
1097 mod
= "(A;;CC;;;AU)"
1098 self
.dacl_add_ace(self
.schema_dn
, mod
)
1099 # Create a custom security descriptor
1100 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1101 # Create example Schema class
1102 class_name
= self
.get_unique_schema_class_name()
1103 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1104 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1105 desc_sddl
= self
.get_desc_sddl(class_dn
)
1106 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1107 self
.assertEqual("O:DAG:DA", res
)
1110 user_name
= "testuser7"
1111 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1112 # Open Ldb connection with the tested user
1113 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1114 # Change Schema partition descriptor
1115 mod
= "(A;;CC;;;AU)"
1116 self
.dacl_add_ace(self
.schema_dn
, mod
)
1117 # Create a custom security descriptor
1118 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1119 # Create example Schema class
1120 class_name
= self
.get_unique_schema_class_name()
1121 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1122 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1123 desc_sddl
= self
.get_desc_sddl(class_dn
)
1124 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1125 self
.assertEqual("O:DAG:DA", res
)
1128 user_name
= "testuser8"
1129 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1130 # Open Ldb connection with the tested user
1131 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1132 # Change Schema partition descriptor
1133 mod
= "(A;;CC;;;AU)"
1134 self
.dacl_add_ace(self
.schema_dn
, mod
)
1135 # Create a custom security descriptor
1136 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1137 # Create example Schema class
1138 class_name
= self
.get_unique_schema_class_name()
1139 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1140 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1141 desc_sddl
= self
.get_desc_sddl(class_dn
)
1142 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1143 self
.assertEqual("O:DAG:DA", res
)
1145 ## Tests for CONFIGURATION
1147 # Defalt descriptor tests ##################################################################
1150 user_name
= "testuser1"
1151 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1152 # Open Ldb connection with the tested user
1153 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1154 # Create example Configuration container
1155 container_name
= "test-container1"
1156 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1157 self
.delete_force(self
.ldb_admin
, object_dn
)
1158 self
.create_configuration_container(_ldb
, object_dn
, )
1159 desc_sddl
= self
.get_desc_sddl(object_dn
)
1160 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1161 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1162 self
.check_modify_inheritance(_ldb
, object_dn
)
1165 user_name
= "testuser2"
1166 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1167 # Open Ldb connection with the tested user
1168 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1169 # Create example Configuration container
1170 container_name
= "test-container1"
1171 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1172 self
.delete_force(self
.ldb_admin
, object_dn
)
1173 self
.create_configuration_container(_ldb
, object_dn
, )
1174 desc_sddl
= self
.get_desc_sddl(object_dn
)
1175 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1176 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1177 self
.check_modify_inheritance(_ldb
, object_dn
)
1180 user_name
= "testuser3"
1181 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1182 # Open Ldb connection with the tested user
1183 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1184 # Create example Configuration container
1185 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1186 self
.delete_force(self
.ldb_admin
, object_dn
)
1187 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1188 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1189 mod
= "(A;;WDCC;;;AU)"
1190 self
.dacl_add_ace(object_dn
, mod
)
1191 # Create child object with user's credentials
1192 object_dn
= "CN=test-specifier1," + object_dn
1193 self
.delete_force(self
.ldb_admin
, object_dn
)
1194 self
.create_configuration_specifier(_ldb
, object_dn
)
1195 desc_sddl
= self
.get_desc_sddl(object_dn
)
1196 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1197 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1198 #self.check_modify_inheritance(_ldb, object_dn)
1201 user_name
= "testuser4"
1202 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1203 # Open Ldb connection with the tested user
1204 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1205 # Create example Configuration container
1206 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1207 self
.delete_force(self
.ldb_admin
, object_dn
)
1208 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1209 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1210 mod
= "(A;CI;WDCC;;;AU)"
1211 self
.dacl_add_ace(object_dn
, mod
)
1212 # Create child object with user's credentials
1213 object_dn
= "CN=test-specifier1," + object_dn
1214 self
.delete_force(self
.ldb_admin
, object_dn
)
1215 self
.create_configuration_specifier(_ldb
, object_dn
)
1216 desc_sddl
= self
.get_desc_sddl(object_dn
)
1217 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1218 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1219 #self.check_modify_inheritance(_ldb, object_dn)
1222 user_name
= "testuser5"
1223 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1224 # Open Ldb connection with the tested user
1225 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1226 # Create example Configuration container
1227 container_name
= "test-container1"
1228 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1229 self
.delete_force(self
.ldb_admin
, object_dn
)
1230 self
.create_configuration_container(_ldb
, object_dn
, )
1231 desc_sddl
= self
.get_desc_sddl(object_dn
)
1232 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1233 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1234 self
.check_modify_inheritance(_ldb
, object_dn
)
1237 user_name
= "testuser6"
1238 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1239 # Open Ldb connection with the tested user
1240 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1241 # Create example Configuration container
1242 container_name
= "test-container1"
1243 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1244 self
.delete_force(self
.ldb_admin
, object_dn
)
1245 self
.create_configuration_container(_ldb
, object_dn
, )
1246 desc_sddl
= self
.get_desc_sddl(object_dn
)
1247 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1248 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1249 self
.check_modify_inheritance(_ldb
, object_dn
)
1252 user_name
= "testuser7"
1253 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1254 # Open Ldb connection with the tested user
1255 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1256 # Create example Configuration container
1257 container_name
= "test-container1"
1258 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1259 self
.delete_force(self
.ldb_admin
, object_dn
)
1260 self
.create_configuration_container(_ldb
, object_dn
, )
1261 desc_sddl
= self
.get_desc_sddl(object_dn
)
1262 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1263 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1264 self
.check_modify_inheritance(_ldb
, object_dn
)
1267 user_name
= "testuser8"
1268 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1269 # Open Ldb connection with the tested user
1270 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1271 # Create example Configuration container
1272 container_name
= "test-container1"
1273 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1274 self
.delete_force(self
.ldb_admin
, object_dn
)
1275 self
.create_configuration_container(_ldb
, object_dn
, )
1276 desc_sddl
= self
.get_desc_sddl(object_dn
)
1277 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1278 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1279 self
.check_modify_inheritance(_ldb
, object_dn
)
1281 # Custom descriptor tests ##################################################################
1284 user_name
= "testuser1"
1285 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1286 # Open Ldb connection with the tested user
1287 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1288 # Create example Configuration container
1289 container_name
= "test-container1"
1290 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1291 self
.delete_force(self
.ldb_admin
, object_dn
)
1292 # Create a custom security descriptor
1293 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1294 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1295 desc_sddl
= self
.get_desc_sddl(object_dn
)
1296 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1297 self
.assertEqual("O:DAG:DA", res
)
1300 user_name
= "testuser2"
1301 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1302 # Open Ldb connection with the tested user
1303 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1304 # Create example Configuration container
1305 container_name
= "test-container1"
1306 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1307 self
.delete_force(self
.ldb_admin
, object_dn
)
1308 # Create a custom security descriptor
1309 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1310 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1311 desc_sddl
= self
.get_desc_sddl(object_dn
)
1312 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1313 self
.assertEqual("O:DAG:DA", res
)
1316 user_name
= "testuser3"
1317 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1318 # Open Ldb connection with the tested user
1319 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1320 # Create example Configuration container
1321 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1322 self
.delete_force(self
.ldb_admin
, object_dn
)
1323 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1324 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1325 mod
= "(A;;CC;;;AU)"
1326 self
.dacl_add_ace(object_dn
, mod
)
1327 # Create child object with user's credentials
1328 object_dn
= "CN=test-specifier1," + object_dn
1329 self
.delete_force(self
.ldb_admin
, object_dn
)
1330 # Create a custom security descriptor
1331 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1332 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1333 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1334 desc_sddl
= self
.get_desc_sddl(object_dn
)
1335 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1336 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1339 user_name
= "testuser4"
1340 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1341 # Open Ldb connection with the tested user
1342 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1343 # Create example Configuration container
1344 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1345 self
.delete_force(self
.ldb_admin
, object_dn
)
1346 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1347 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1348 mod
= "(A;;CC;;;AU)"
1349 self
.dacl_add_ace(object_dn
, mod
)
1350 # Create child object with user's credentials
1351 object_dn
= "CN=test-specifier1," + object_dn
1352 self
.delete_force(self
.ldb_admin
, object_dn
)
1353 # Create a custom security descriptor
1354 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1355 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1356 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1357 desc_sddl
= self
.get_desc_sddl(object_dn
)
1358 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1359 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1362 user_name
= "testuser5"
1363 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1364 # Open Ldb connection with the tested user
1365 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1366 # Create example Configuration container
1367 container_name
= "test-container1"
1368 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1369 self
.delete_force(self
.ldb_admin
, object_dn
)
1370 # Create a custom security descriptor
1371 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1372 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1373 desc_sddl
= self
.get_desc_sddl(object_dn
)
1374 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1375 self
.assertEqual("O:DAG:DA", res
)
1378 user_name
= "testuser6"
1379 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1380 # Open Ldb connection with the tested user
1381 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1382 # Create example Configuration container
1383 container_name
= "test-container1"
1384 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1385 self
.delete_force(self
.ldb_admin
, object_dn
)
1386 # Create a custom security descriptor
1387 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1388 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1389 desc_sddl
= self
.get_desc_sddl(object_dn
)
1390 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1391 self
.assertEqual("O:DAG:DA", res
)
1394 user_name
= "testuser7"
1395 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1396 # Open Ldb connection with the tested user
1397 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1398 # Create example Configuration container
1399 container_name
= "test-container1"
1400 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1401 self
.delete_force(self
.ldb_admin
, object_dn
)
1402 # Create a custom security descriptor
1403 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1404 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1405 desc_sddl
= self
.get_desc_sddl(object_dn
)
1406 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1407 self
.assertEqual("O:DAG:DA", res
)
1410 user_name
= "testuser8"
1411 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1412 # Open Ldb connection with the tested user
1413 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1414 # Create example Configuration container
1415 container_name
= "test-container1"
1416 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1417 self
.delete_force(self
.ldb_admin
, object_dn
)
1418 # Create a custom security descriptor
1419 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1420 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1421 desc_sddl
= self
.get_desc_sddl(object_dn
)
1422 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1423 self
.assertEqual("O:DAG:DA", res
)
1425 ########################################################################################
1426 # Inharitance tests for DACL
1428 class DaclDescriptorTests(DescriptorTests
):
1430 def deleteAll(self
):
1431 self
.delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1432 self
.delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1435 DescriptorTests
.setUp(self
)
1441 def create_clean_ou(self
, object_dn
):
1442 """ Base repeating setup for unittests to follow """
1443 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
, \
1444 expression
="distinguishedName=%s" % object_dn
)
1445 # Make sure top testing OU has been deleted before starting the test
1446 self
.assertEqual(res
, [])
1447 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1448 desc_sddl
= self
.get_desc_sddl(object_dn
)
1449 # Make sure there are inheritable ACEs initially
1450 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1451 # Find and remove all inherit ACEs
1452 res
= re
.findall("\(.*?\)", desc_sddl
)
1453 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1455 desc_sddl
= desc_sddl
.replace(x
, "")
1456 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1457 # can propagate from above
1458 # remove SACL, we are not interested
1459 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1460 self
.modify_desc(self
.ldb_admin
, object_dn
, desc_sddl
)
1461 # Verify all inheritable ACEs are gone
1462 desc_sddl
= self
.get_desc_sddl(object_dn
)
1463 self
.assertFalse("CI" in desc_sddl
)
1464 self
.assertFalse("OI" in desc_sddl
)
1467 """ OU with protected flag and child group. See if the group has inherit ACEs.
1469 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1470 group_dn
= "CN=test_inherit_group," + ou_dn
1471 # Create inheritable-free OU
1472 self
.create_clean_ou(ou_dn
)
1473 # Create group child object
1474 self
.create_domain_group(self
.ldb_admin
, group_dn
)
1475 # Make sure created group object contains NO inherit ACEs
1476 desc_sddl
= self
.get_desc_sddl(group_dn
)
1477 self
.assertFalse("ID" in desc_sddl
)
1480 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1481 Verify group has custom and default ACEs only.
1483 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1484 group_dn
= "CN=test_inherit_group," + ou_dn
1485 # Create inheritable-free OU
1486 self
.create_clean_ou(ou_dn
)
1487 # Create group child object using custom security descriptor
1488 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1489 self
.create_domain_group(self
.ldb_admin
, group_dn
, sddl
)
1490 # Make sure created group descriptor has NO additional ACEs
1491 desc_sddl
= self
.get_desc_sddl(group_dn
)
1492 self
.assertEqual(desc_sddl
, sddl
)
1493 sddl
= "O:AUG:AUD:AI(D;;CC;;;LG)"
1494 self
.modify_desc(self
.ldb_admin
, group_dn
, sddl
)
1495 desc_sddl
= self
.get_desc_sddl(group_dn
)
1496 self
.assertEqual(desc_sddl
, sddl
)
1499 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1500 See if the group has any of the added ACEs.
1502 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1503 group_dn
= "CN=test_inherit_group," + ou_dn
1504 # Create inheritable-free OU
1505 self
.create_clean_ou(ou_dn
)
1506 # Add some custom non-inheritable ACEs
1507 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1508 moded
= "(D;;CC;;;LG)"
1509 self
.dacl_add_ace(ou_dn
, mod
)
1510 # Verify all inheritable ACEs are gone
1511 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1512 # Create group child object
1513 self
.create_domain_group(self
.ldb_admin
, group_dn
)
1514 # Make sure created group object contains NO inherit ACEs
1515 # also make sure the added above non-inheritable ACEs are absent too
1516 desc_sddl
= self
.get_desc_sddl(group_dn
)
1517 self
.assertFalse("ID" in desc_sddl
)
1518 for x
in re
.findall("\(.*?\)", mod
):
1519 self
.assertFalse(x
in desc_sddl
)
1520 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1521 desc_sddl
= self
.get_desc_sddl(group_dn
)
1522 self
.assertFalse("ID" in desc_sddl
)
1523 for x
in re
.findall("\(.*?\)", mod
):
1524 self
.assertFalse(x
in desc_sddl
)
1527 """ OU with protected flag and add 'CI' ACE, child group.
1528 See if the group has the added inherited ACE.
1530 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1531 group_dn
= "CN=test_inherit_group," + ou_dn
1532 # Create inheritable-free OU
1533 self
.create_clean_ou(ou_dn
)
1534 # Add some custom 'CI' ACE
1535 mod
= "(D;CI;WP;;;DU)"
1536 moded
= "(D;;CC;;;LG)"
1537 self
.dacl_add_ace(ou_dn
, mod
)
1538 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1539 # Create group child object
1540 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1541 # Make sure created group object contains only the above inherited ACE
1542 # that we've added manually
1543 desc_sddl
= self
.get_desc_sddl(group_dn
)
1544 mod
= mod
.replace(";CI;", ";CIID;")
1545 self
.assertTrue(mod
in desc_sddl
)
1546 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1547 desc_sddl
= self
.get_desc_sddl(group_dn
)
1548 self
.assertTrue(moded
in desc_sddl
)
1549 self
.assertTrue(mod
in desc_sddl
)
1552 """ OU with protected flag and add 'OI' ACE, child group.
1553 See if the group has the added inherited ACE.
1555 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1556 group_dn
= "CN=test_inherit_group," + ou_dn
1557 # Create inheritable-free OU
1558 self
.create_clean_ou(ou_dn
)
1559 # Add some custom 'CI' ACE
1560 mod
= "(D;OI;WP;;;DU)"
1561 moded
= "(D;;CC;;;LG)"
1562 self
.dacl_add_ace(ou_dn
, mod
)
1563 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1564 # Create group child object
1565 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1566 # Make sure created group object contains only the above inherited ACE
1567 # that we've added manually
1568 desc_sddl
= self
.get_desc_sddl(group_dn
)
1569 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1570 self
.assertTrue(mod
in desc_sddl
)
1571 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" +moded
)
1572 desc_sddl
= self
.get_desc_sddl(group_dn
)
1573 self
.assertTrue(moded
in desc_sddl
)
1574 self
.assertTrue(mod
in desc_sddl
)
1577 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1578 See if the group has the added inherited ACE.
1580 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1581 group_dn
= "CN=test_inherit_group," + ou_dn
1582 # Create inheritable-free OU
1583 self
.create_clean_ou(ou_dn
)
1584 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1585 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1586 moded
= "(D;;CC;;;LG)"
1587 self
.dacl_add_ace(ou_dn
, mod
)
1588 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1589 # Create group child object
1590 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1591 # Make sure created group object contains only the above inherited ACE
1592 # that we've added manually
1593 desc_sddl
= self
.get_desc_sddl(group_dn
)
1594 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1595 self
.assertTrue(mod
in desc_sddl
)
1596 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1597 desc_sddl
= self
.get_desc_sddl(group_dn
)
1598 self
.assertTrue(moded
in desc_sddl
)
1599 self
.assertTrue(mod
in desc_sddl
)
1602 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1603 See if the group has the added inherited ACE.
1605 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1606 group_dn
= "CN=test_inherit_group," + ou_dn
1607 # Create inheritable-free OU
1608 self
.create_clean_ou(ou_dn
)
1609 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1610 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1611 moded
= "(D;;CC;;;LG)"
1612 self
.dacl_add_ace(ou_dn
, mod
)
1613 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1614 # Create group child object
1615 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1616 # Make sure created group object contains only the above inherited ACE
1617 # that we've added manually
1618 desc_sddl
= self
.get_desc_sddl(group_dn
)
1619 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1620 self
.assertTrue(mod
in desc_sddl
)
1621 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1622 desc_sddl
= self
.get_desc_sddl(group_dn
)
1623 self
.assertTrue(moded
in desc_sddl
)
1624 self
.assertTrue(mod
in desc_sddl
)
1627 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1628 See if the group has the added inherited ACE.
1630 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1631 group_dn
= "CN=test_inherit_group," + ou_dn
1632 # Create inheritable-free OU
1633 self
.create_clean_ou(ou_dn
)
1634 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1635 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1636 moded
= "(D;;CC;;;LG)"
1637 self
.dacl_add_ace(ou_dn
, mod
)
1638 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1639 # Create group child object
1640 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1641 # Make sure created group object contains only the above inherited ACE
1642 # that we've added manually
1643 desc_sddl
= self
.get_desc_sddl(group_dn
)
1644 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1645 self
.assertTrue(mod
in desc_sddl
)
1646 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1647 desc_sddl
= self
.get_desc_sddl(group_dn
)
1648 self
.assertTrue(moded
in desc_sddl
)
1649 self
.assertTrue(mod
in desc_sddl
)
1652 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1653 See if the group has the added inherited ACE.
1655 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1656 group_dn
= "CN=test_inherit_group," + ou_dn
1657 # Create inheritable-free OU
1658 self
.create_clean_ou(ou_dn
)
1659 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1660 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1661 moded
= "(D;;CC;;;LG)"
1662 self
.dacl_add_ace(ou_dn
, mod
)
1663 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1664 # Create group child object
1665 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1666 # Make sure created group object contains only the above inherited ACE
1667 # that we've added manually
1668 desc_sddl
= self
.get_desc_sddl(group_dn
)
1669 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1670 self
.assertTrue(mod
in desc_sddl
)
1671 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded
)
1672 desc_sddl
= self
.get_desc_sddl(group_dn
)
1673 self
.assertTrue(moded
in desc_sddl
)
1674 self
.assertTrue(mod
in desc_sddl
)
1677 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1678 See if the group has the added inherited ACE.
1680 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1681 group_dn
= "CN=test_inherit_group," + ou_dn
1682 # Create inheritable-free OU
1683 self
.create_clean_ou(ou_dn
)
1684 # Add some custom 'CI' ACE
1685 mod
= "(D;CI;WP;;;CO)"
1686 moded
= "(D;;CC;;;LG)"
1687 self
.dacl_add_ace(ou_dn
, mod
)
1688 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1689 # Create group child object
1690 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1691 # Make sure created group object contains only the above inherited ACE(s)
1692 # that we've added manually
1693 desc_sddl
= self
.get_desc_sddl(group_dn
)
1694 self
.assertTrue("(D;ID;WP;;;AU)" in desc_sddl
)
1695 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1696 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1697 desc_sddl
= self
.get_desc_sddl(group_dn
)
1698 self
.assertTrue(moded
in desc_sddl
)
1699 self
.assertTrue("(D;ID;WP;;;DA)" in desc_sddl
)
1700 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1703 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1705 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1706 group_dn
= "CN=test_inherit_group," + ou_dn
1707 self
.create_clean_ou(ou_dn
)
1708 # Add some custom ACE
1709 mod
= "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1710 self
.create_domain_group(self
.ldb_admin
, group_dn
, mod
)
1711 # Make sure created group object does not contain the ID ace
1712 desc_sddl
= self
.get_desc_sddl(group_dn
)
1713 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1716 """ Provide ACE with CO SID, should be expanded and replaced
1718 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1719 group_dn
= "CN=test_inherit_group," + ou_dn
1720 # Create inheritable-free OU
1721 self
.create_clean_ou(ou_dn
)
1722 # Add some custom 'CI' ACE
1723 mod
= "D:(D;CI;WP;;;CO)"
1724 self
.create_domain_group(self
.ldb_admin
, group_dn
, mod
)
1725 desc_sddl
= self
.get_desc_sddl(group_dn
)
1726 self
.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl
)
1728 ########################################################################################
1731 class SdFlagsDescriptorTests(DescriptorTests
):
1732 def deleteAll(self
):
1733 self
.delete_force(self
.ldb_admin
, "OU=test_sdflags_ou," + self
.base_dn
)
1736 DescriptorTests
.setUp(self
)
1737 self
.test_descr
= "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1744 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1745 See that only the owner has been changed.
1747 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1748 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1749 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1750 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1751 # make sure we have modified the owner
1752 self
.assertTrue("O:AU" in desc_sddl
)
1753 # make sure nothing else has been modified
1754 self
.assertFalse("G:AU" in desc_sddl
)
1755 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1756 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1759 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1760 See that only the owner has been changed.
1762 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1763 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1764 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1765 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1766 # make sure we have modified the group
1767 self
.assertTrue("G:AU" in desc_sddl
)
1768 # make sure nothing else has been modified
1769 self
.assertFalse("O:AU" in desc_sddl
)
1770 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1771 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1774 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1775 See that only the owner has been changed.
1777 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1778 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1779 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1780 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1781 # make sure we have modified the DACL
1782 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1783 # make sure nothing else has been modified
1784 self
.assertFalse("O:AU" in desc_sddl
)
1785 self
.assertFalse("G:AU" in desc_sddl
)
1786 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1789 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1790 See that only the owner has been changed.
1792 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1793 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1794 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1795 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1796 # make sure we have modified the DACL
1797 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1798 # make sure nothing else has been modified
1799 self
.assertFalse("O:AU" in desc_sddl
)
1800 self
.assertFalse("G:AU" in desc_sddl
)
1801 self
.assertFalse("(D;;CC;;;LG)" in desc_sddl
)
1804 """ Modify a descriptor with 0x0 set.
1805 Contrary to logic this is interpreted as no control,
1806 which is the same as 0xF
1808 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1809 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1810 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:0"])
1811 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1812 # make sure we have modified the DACL
1813 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1814 # make sure nothing else has been modified
1815 self
.assertTrue("O:AU" in desc_sddl
)
1816 self
.assertTrue("G:AU" in desc_sddl
)
1817 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1820 """ Modify a descriptor with 0xF set.
1822 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1823 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1824 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:15"])
1825 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1826 # make sure we have modified the DACL
1827 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1828 # make sure nothing else has been modified
1829 self
.assertTrue("O:AU" in desc_sddl
)
1830 self
.assertTrue("G:AU" in desc_sddl
)
1831 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1834 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1835 Only the owner part should be returned.
1837 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1838 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1839 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1840 # make sure we have read the owner
1841 self
.assertTrue("O:" in desc_sddl
)
1842 # make sure we have read nothing else
1843 self
.assertFalse("G:" in desc_sddl
)
1844 self
.assertFalse("D:" in desc_sddl
)
1845 self
.assertFalse("S:" in desc_sddl
)
1848 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1849 Only the group part should be returned.
1851 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1852 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1853 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1854 # make sure we have read the owner
1855 self
.assertTrue("G:" in desc_sddl
)
1856 # make sure we have read nothing else
1857 self
.assertFalse("O:" in desc_sddl
)
1858 self
.assertFalse("D:" in desc_sddl
)
1859 self
.assertFalse("S:" in desc_sddl
)
1862 """ Read a descriptor with SACL_SECURITY_INFORMATION
1863 Only the sacl part should be returned.
1865 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1866 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1867 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1868 # make sure we have read the owner
1869 self
.assertTrue("S:" in desc_sddl
)
1870 # make sure we have read nothing else
1871 self
.assertFalse("O:" in desc_sddl
)
1872 self
.assertFalse("D:" in desc_sddl
)
1873 self
.assertFalse("G:" in desc_sddl
)
1876 """ Read a descriptor with DACL_SECURITY_INFORMATION
1877 Only the dacl part should be returned.
1879 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1880 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1881 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1882 # make sure we have read the owner
1883 self
.assertTrue("D:" in desc_sddl
)
1884 # make sure we have read nothing else
1885 self
.assertFalse("O:" in desc_sddl
)
1886 self
.assertFalse("S:" in desc_sddl
)
1887 self
.assertFalse("G:" in desc_sddl
)
1889 class RightsAttributesTests(DescriptorTests
):
1891 def deleteAll(self
):
1893 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr"))
1894 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr2"))
1896 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
1899 DescriptorTests
.setUp(self
)
1904 user_dn
= self
.get_users_domain_dn("testuser_attr")
1905 self
.create_domain_user(self
.ldb_admin
, user_dn
)
1906 self
.enable_account(user_dn
)
1907 # User 2, Domain Admins
1908 user_dn
= self
.get_users_domain_dn("testuser_attr2")
1909 self
.create_domain_user(self
.ldb_admin
, user_dn
)
1910 self
.enable_account(user_dn
)
1912 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
1915 member: """ + user_dn
1916 self
.ldb_admin
.modify_ldif(ldif
)
1921 def test_sDRightsEffective(self
):
1922 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1923 self
.delete_force(self
.ldb_admin
, object_dn
)
1924 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1925 print self
.get_users_domain_dn("testuser_attr")
1926 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1927 #give testuser1 read access so attributes can be retrieved
1928 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1929 self
.dacl_add_ace(object_dn
, mod
)
1930 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1931 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1932 attrs
=["sDRightsEffective"])
1933 #user whould have no rights at all
1934 self
.assertEquals(len(res
), 1)
1935 self
.assertEquals(res
[0]["sDRightsEffective"][0], "0")
1936 #give the user Write DACL and see what happens
1937 mod
= "(A;CI;WD;;;%s)" % str(user_sid
)
1938 self
.dacl_add_ace(object_dn
, mod
)
1939 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1940 attrs
=["sDRightsEffective"])
1941 #user whould have DACL_SECURITY_INFORMATION
1942 self
.assertEquals(len(res
), 1)
1943 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL
)
1944 #give the user Write Owners and see what happens
1945 mod
= "(A;CI;WO;;;%s)" % str(user_sid
)
1946 self
.dacl_add_ace(object_dn
, mod
)
1947 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1948 attrs
=["sDRightsEffective"])
1949 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1950 self
.assertEquals(len(res
), 1)
1951 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER
))
1952 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1953 _ldb
= self
.get_ldb_connection("testuser_attr2", "samba123@")
1954 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1955 attrs
=["sDRightsEffective"])
1956 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1957 self
.assertEquals(len(res
), 1)
1958 self
.assertEquals(res
[0]["sDRightsEffective"][0], \
1959 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL
))
1961 def test_allowedChildClassesEffective(self
):
1962 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1963 self
.delete_force(self
.ldb_admin
, object_dn
)
1964 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1965 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1966 #give testuser1 read access so attributes can be retrieved
1967 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1968 self
.dacl_add_ace(object_dn
, mod
)
1969 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1970 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1971 attrs
=["allowedChildClassesEffective"])
1972 #there should be no allowed child classes
1973 self
.assertEquals(len(res
), 1)
1974 self
.assertFalse("allowedChildClassesEffective" in res
[0].keys())
1975 #give the user the right to create children of type user
1976 mod
= "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1977 self
.dacl_add_ace(object_dn
, mod
)
1978 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1979 attrs
=["allowedChildClassesEffective"])
1980 # allowedChildClassesEffective should only have one value, user
1981 self
.assertEquals(len(res
), 1)
1982 self
.assertEquals(len(res
[0]["allowedChildClassesEffective"]), 1)
1983 self
.assertEquals(res
[0]["allowedChildClassesEffective"][0], "user")
1985 def test_allowedAttributesEffective(self
):
1986 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1987 self
.delete_force(self
.ldb_admin
, object_dn
)
1988 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1989 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1990 #give testuser1 read access so attributes can be retrieved
1991 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1992 self
.dacl_add_ace(object_dn
, mod
)
1993 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1994 #res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1995 # attrs=["allowedAttributes"])
1997 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1998 attrs
=["allowedAttributesEffective"])
1999 #there should be no allowed attributes
2000 self
.assertEquals(len(res
), 1)
2001 self
.assertFalse("allowedAttributesEffective" in res
[0].keys())
2002 #give the user the right to write displayName and managedBy
2003 mod2
= "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
2004 mod
= "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid
)
2005 # also rights to modify an read only attribute, fromEntry
2006 mod3
= "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid
)
2007 self
.dacl_add_ace(object_dn
, mod
+ mod2
+ mod3
)
2008 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
2009 attrs
=["allowedAttributesEffective"])
2010 # value should only contain user and managedBy
2012 self
.assertEquals(len(res
), 1)
2013 self
.assertEquals(len(res
[0]["allowedAttributesEffective"]), 2)
2014 self
.assertTrue("displayName" in res
[0]["allowedAttributesEffective"])
2015 self
.assertTrue("managedBy" in res
[0]["allowedAttributesEffective"])
2017 if not "://" in host
:
2018 if os
.path
.isfile(host
):
2019 host
= "tdb://%s" % host
2021 host
= "ldap://%s" % host
2023 ldb
= Ldb(host
, credentials
=creds
, session_info
=system_session(), lp
=lp
, options
=["modules:paged_searches"])
2025 runner
= SubunitTestRunner()
2027 if not runner
.run(unittest
.makeSuite(OwnerGroupDescriptorTests
)).wasSuccessful():
2029 if not runner
.run(unittest
.makeSuite(DaclDescriptorTests
)).wasSuccessful():
2031 if not runner
.run(unittest
.makeSuite(SdFlagsDescriptorTests
)).wasSuccessful():
2033 if not runner
.run(unittest
.makeSuite(RightsAttributesTests
)).wasSuccessful():