2 # -*- coding: utf-8 -*-
11 sys
.path
.insert(0, "bin/python")
13 samba
.ensure_external_module("testtools", "testtools")
14 samba
.ensure_external_module("subunit", "subunit/python")
16 import samba
.getopt
as options
18 # Some error messages that are being tested
19 from ldb
import SCOPE_SUBTREE
, SCOPE_BASE
, LdbError
, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba
.ndr
import ndr_pack
23 from samba
.dcerpc
import security
25 from samba
import gensec
, sd_utils
26 from samba
.samdb
import SamDB
27 from samba
.credentials
import Credentials
28 from samba
.auth
import system_session
29 from samba
.dsdb
import DS_DOMAIN_FUNCTION_2008
30 from samba
.dcerpc
.security
import (
31 SECINFO_OWNER
, SECINFO_GROUP
, SECINFO_DACL
, SECINFO_SACL
)
32 from subunit
.run
import SubunitTestRunner
34 from samba
.tests
import delete_force
37 parser
= optparse
.OptionParser("sec_descriptor.py [options] <host>")
38 sambaopts
= options
.SambaOptions(parser
)
39 parser
.add_option_group(sambaopts
)
40 parser
.add_option_group(options
.VersionOptions(parser
))
42 # use command line creds if available
43 credopts
= options
.CredentialsOptions(parser
)
44 parser
.add_option_group(credopts
)
45 opts
, args
= parser
.parse_args()
53 lp
= sambaopts
.get_loadparm()
54 creds
= credopts
.get_credentials(lp
)
55 creds
.set_gensec_features(creds
.get_gensec_features() | gensec
.FEATURE_SEAL
)
61 class DescriptorTests(samba
.tests
.TestCase
):
63 def get_users_domain_dn(self
, name
):
64 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
66 def get_unique_schema_class_name(self
):
68 class_name
= "test-class%s" % random
.randint(1,100000)
69 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
71 self
.ldb_admin
.search(base
=class_dn
, attrs
=["*"])
72 except LdbError
, (num
, _
):
73 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
76 def create_schema_class(self
, _ldb
, object_dn
, desc
=None):
78 dn: """ + object_dn
+ """
79 objectClass: classSchema
80 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
81 defaultObjectCategory: """ + object_dn
+ """
82 distinguishedName: """ + object_dn
+ """
83 governsID: 1.2.840.""" + str(random
.randint(1,100000)) + """.1.5.9939
85 objectClassCategory: 1
86 subClassOf: organizationalPerson
93 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
94 if isinstance(desc
, str):
95 ldif
+= "nTSecurityDescriptor: %s" % desc
96 elif isinstance(desc
, security
.descriptor
):
97 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
100 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
102 dn: """ + object_dn
+ """
103 objectClass: container
104 objectCategory: CN=Container,""" + self
.schema_dn
+ """
105 showInAdvancedViewOnly: TRUE
109 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
110 if isinstance(desc
, str):
111 ldif
+= "nTSecurityDescriptor: %s" % desc
112 elif isinstance(desc
, security
.descriptor
):
113 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
116 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
118 dn: """ + object_dn
+ """
119 objectClass: displaySpecifier
120 showInAdvancedViewOnly: TRUE
123 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
124 if isinstance(desc
, str):
125 ldif
+= "nTSecurityDescriptor: %s" % desc
126 elif isinstance(desc
, security
.descriptor
):
127 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
130 def get_ldb_connection(self
, target_username
, target_password
):
131 creds_tmp
= Credentials()
132 creds_tmp
.set_username(target_username
)
133 creds_tmp
.set_password(target_password
)
134 creds_tmp
.set_domain(creds
.get_domain())
135 creds_tmp
.set_realm(creds
.get_realm())
136 creds_tmp
.set_workstation(creds
.get_workstation())
137 creds_tmp
.set_gensec_features(creds_tmp
.get_gensec_features()
138 | gensec
.FEATURE_SEAL
)
139 ldb_target
= SamDB(url
=host
, credentials
=creds_tmp
, lp
=lp
)
143 super(DescriptorTests
, self
).setUp()
145 self
.base_dn
= ldb
.domain_dn()
146 self
.configuration_dn
= self
.ldb_admin
.get_config_basedn().get_linearized()
147 self
.schema_dn
= self
.ldb_admin
.get_schema_basedn().get_linearized()
148 self
.domain_sid
= security
.dom_sid(self
.ldb_admin
.get_domain_sid())
149 self
.sd_utils
= sd_utils
.SDUtils(ldb
)
150 print "baseDN: %s" % self
.base_dn
152 ################################################################################################
156 # Default descriptor tests #####################################################################
158 class OwnerGroupDescriptorTests(DescriptorTests
):
161 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
162 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
163 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
164 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
165 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
166 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
167 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
168 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
170 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
171 delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
172 delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
173 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
176 delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
177 + self
.configuration_dn
)
178 delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
181 super(OwnerGroupDescriptorTests
, self
).setUp()
184 # User 1 - Enterprise Admins
185 self
.ldb_admin
.newuser("testuser1", "samba123@")
186 # User 2 - Domain Admins
187 self
.ldb_admin
.newuser("testuser2", "samba123@")
188 # User 3 - Schema Admins
189 self
.ldb_admin
.newuser("testuser3", "samba123@")
190 # User 4 - regular user
191 self
.ldb_admin
.newuser("testuser4", "samba123@")
192 # User 5 - Enterprise Admins and Domain Admins
193 self
.ldb_admin
.newuser("testuser5", "samba123@")
194 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
195 self
.ldb_admin
.newuser("testuser6", "samba123@")
196 # User 7 - Domain Admins and Schema Admins
197 self
.ldb_admin
.newuser("testuser7", "samba123@")
198 # User 5 - Enterprise Admins and Schema Admins
199 self
.ldb_admin
.newuser("testuser8", "samba123@")
201 self
.ldb_admin
.add_remove_group_members("Enterprise Admins",
202 "testuser1,testuser5,testuser6,testuser8",
203 add_members_operation
=True)
204 self
.ldb_admin
.add_remove_group_members("Domain Admins",
205 "testuser2,testuser5,testuser6,testuser7",
206 add_members_operation
=True)
207 self
.ldb_admin
.add_remove_group_members("Schema Admins",
208 "testuser3,testuser6,testuser7,testuser8",
209 add_members_operation
=True)
212 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
213 "ds_behavior_win2003" : {
263 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
264 "ds_behavior_win2008" : {
315 # Discover 'msDS-Behavior-Version'
316 res
= self
.ldb_admin
.search(base
=self
.base_dn
, expression
="distinguishedName=%s" % self
.base_dn
, \
317 attrs
=['msDS-Behavior-Version'])
318 res
= int(res
[0]['msDS-Behavior-Version'][0])
319 if res
< DS_DOMAIN_FUNCTION_2008
:
320 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
322 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
325 super(DescriptorTests
, self
).tearDown()
328 def check_user_belongs(self
, user_dn
, groups
=[]):
329 """ Test wether user is member of the expected group(s) """
331 # User is member of at least one additional group
332 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
333 res
= [x
.upper() for x
in sorted(list(res
[0]["memberOf"]))]
336 expected
.append(self
.get_users_domain_dn(x
))
337 expected
= [x
.upper() for x
in sorted(expected
)]
338 self
.assertEqual(expected
, res
)
340 # User is not a member of any additional groups but default
341 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
342 res
= [x
.upper() for x
in res
[0].keys()]
343 self
.assertFalse( "MEMBEROF" in res
)
345 def check_modify_inheritance(self
, _ldb
, object_dn
, owner_group
=""):
347 sd_user_utils
= sd_utils
.SDUtils(_ldb
)
348 ace
= "(D;;CC;;;LG)" # Deny Create Children to Guest account
349 if owner_group
!= "":
350 sd_user_utils
.modify_sd_on_dn(object_dn
, owner_group
+ "D:" + ace
)
352 sd_user_utils
.modify_sd_on_dn(object_dn
, "D:" + ace
)
353 # Make sure the modify operation has been applied
354 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
355 self
.assertTrue(ace
in desc_sddl
)
356 # Make sure we have identical result for both "add" and "modify"
357 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
358 print self
._testMethodName
359 test_number
= self
._testMethodName
[5:]
360 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][test_number
], res
)
363 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
365 user_name
= "testuser1"
366 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
367 # Open Ldb connection with the tested user
368 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
369 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
370 delete_force(self
.ldb_admin
, object_dn
)
371 _ldb
.newgroup("test_domain_group1", grouptype
=4)
372 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
373 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
374 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
375 self
.check_modify_inheritance(_ldb
, object_dn
)
378 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
380 user_name
= "testuser2"
381 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
382 # Open Ldb connection with the tested user
383 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
384 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
385 delete_force(self
.ldb_admin
, object_dn
)
386 _ldb
.newgroup("test_domain_group1", grouptype
=4)
387 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
388 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
389 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
390 self
.check_modify_inheritance(_ldb
, object_dn
)
393 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
395 user_name
= "testuser3"
396 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
397 # Open Ldb connection with the tested user
398 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
399 object_dn
= "OU=test_domain_ou1," + self
.base_dn
400 delete_force(self
.ldb_admin
, object_dn
)
401 self
.ldb_admin
.create_ou(object_dn
)
402 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
403 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
404 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
405 # Create additional object into the first one
406 object_dn
= "CN=test_domain_user1," + object_dn
407 delete_force(self
.ldb_admin
, object_dn
)
408 _ldb
.newuser("test_domain_user1", "samba123@",
409 userou
="OU=test_domain_ou1", setpassword
=False)
410 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
411 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
412 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
413 # This fails, research why
414 #self.check_modify_inheritance(_ldb, object_dn)
417 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
419 user_name
= "testuser4"
420 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
421 # Open Ldb connection with the tested user
422 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
423 object_dn
= "OU=test_domain_ou1," + self
.base_dn
424 delete_force(self
.ldb_admin
, object_dn
)
425 self
.ldb_admin
.create_ou(object_dn
)
426 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
427 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
428 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
429 # Create additional object into the first one
430 object_dn
= "CN=test_domain_user1," + object_dn
431 delete_force(self
.ldb_admin
, object_dn
)
432 _ldb
.newuser("test_domain_user1", "samba123@",
433 userou
="OU=test_domain_ou1", setpassword
=False)
434 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
435 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
436 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
437 #this fails, research why
438 #self.check_modify_inheritance(_ldb, object_dn)
441 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
443 user_name
= "testuser5"
444 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
445 # Open Ldb connection with the tested user
446 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
447 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
448 delete_force(self
.ldb_admin
, object_dn
)
449 _ldb
.newgroup("test_domain_group1", grouptype
=4)
450 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
451 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
452 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
453 self
.check_modify_inheritance(_ldb
, object_dn
)
456 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
458 user_name
= "testuser6"
459 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
460 # Open Ldb connection with the tested user
461 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
462 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
463 delete_force(self
.ldb_admin
, object_dn
)
464 _ldb
.newgroup("test_domain_group1", grouptype
=4)
465 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
466 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
467 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
468 self
.check_modify_inheritance(_ldb
, object_dn
)
471 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
473 user_name
= "testuser7"
474 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
475 # Open Ldb connection with the tested user
476 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
477 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
478 delete_force(self
.ldb_admin
, object_dn
)
479 _ldb
.newgroup("test_domain_group1", grouptype
=4)
480 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
481 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
482 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
483 self
.check_modify_inheritance(_ldb
, object_dn
)
486 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
488 user_name
= "testuser8"
489 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
490 # Open Ldb connection with the tested user
491 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
492 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
493 delete_force(self
.ldb_admin
, object_dn
)
494 _ldb
.newgroup("test_domain_group1", grouptype
=4)
495 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
496 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
497 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
498 self
.check_modify_inheritance(_ldb
, object_dn
)
500 # Control descriptor tests #####################################################################
503 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
505 user_name
= "testuser1"
506 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
507 # Open Ldb connection with the tested user
508 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
509 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
510 delete_force(self
.ldb_admin
, object_dn
)
511 # Create a custom security descriptor
512 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
513 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
514 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
515 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
516 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
517 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
520 """ Domain admin group member creates object (custom descriptor) in DOMAIN
522 user_name
= "testuser2"
523 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
524 # Open Ldb connection with the tested user
525 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
526 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
527 delete_force(self
.ldb_admin
, object_dn
)
528 # Create a custom security descriptor
529 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
530 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
531 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
532 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
533 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
534 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
537 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
539 user_name
= "testuser3"
540 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
541 # Open Ldb connection with the tested user
542 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
543 object_dn
= "OU=test_domain_ou1," + self
.base_dn
544 delete_force(self
.ldb_admin
, object_dn
)
545 self
.ldb_admin
.create_ou(object_dn
)
546 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
547 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
548 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
549 # Create a custom security descriptor
550 # NB! Problematic owner part won't accept DA only <User Sid> !!!
551 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
552 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
553 # Create additional object into the first one
554 object_dn
= "CN=test_domain_user1," + object_dn
555 delete_force(self
.ldb_admin
, object_dn
)
556 _ldb
.newuser("test_domain_user1", "samba123@",
557 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
558 desc
= self
.sd_utils
.read_sd_on_dn(object_dn
)
559 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
560 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
561 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
564 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
566 user_name
= "testuser4"
567 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
568 # Open Ldb connection with the tested user
569 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
570 object_dn
= "OU=test_domain_ou1," + self
.base_dn
571 delete_force(self
.ldb_admin
, object_dn
)
572 self
.ldb_admin
.create_ou(object_dn
)
573 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
574 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
575 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
576 # Create a custom security descriptor
577 # NB! Problematic owner part won't accept DA only <User Sid> !!!
578 sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
579 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
580 # Create additional object into the first one
581 object_dn
= "CN=test_domain_user1," + object_dn
582 delete_force(self
.ldb_admin
, object_dn
)
583 _ldb
.newuser("test_domain_user1", "samba123@",
584 userou
="OU=test_domain_ou1", sd
=tmp_desc
, setpassword
=False)
585 desc
= self
.sd_utils
.read_sd_on_dn(object_dn
)
586 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
587 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
588 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
591 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
593 user_name
= "testuser5"
594 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
595 # Open Ldb connection with the tested user
596 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
597 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
598 delete_force(self
.ldb_admin
, object_dn
)
599 # Create a custom security descriptor
600 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
601 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
602 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
603 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
604 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
605 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
608 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
610 user_name
= "testuser6"
611 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
612 # Open Ldb connection with the tested user
613 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
614 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
615 delete_force(self
.ldb_admin
, object_dn
)
616 # Create a custom security descriptor
617 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
618 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
619 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
620 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
621 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
622 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
625 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
627 user_name
= "testuser7"
628 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
629 # Open Ldb connection with the tested user
630 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
631 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
632 delete_force(self
.ldb_admin
, object_dn
)
633 # Create a custom security descriptor
634 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
635 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
636 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
637 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
638 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
639 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
642 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
644 user_name
= "testuser8"
645 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
646 # Open Ldb connection with the tested user
647 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
648 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
649 delete_force(self
.ldb_admin
, object_dn
)
650 # Create a custom security descriptor
651 sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
652 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
653 _ldb
.newgroup("test_domain_group1", grouptype
=4, sd
=tmp_desc
)
654 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
655 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
656 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
659 user_name
= "Administrator"
660 object_dn
= "OU=test_domain_ou1," + self
.base_dn
661 delete_force(self
.ldb_admin
, object_dn
)
662 self
.ldb_admin
.create_ou(object_dn
)
663 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
664 mod
= "(D;CI;WP;;;S-1-3-0)"
666 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
667 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
668 # Create additional object into the first one
669 object_dn
= "OU=test_domain_ou2," + object_dn
670 delete_force(self
.ldb_admin
, object_dn
)
671 self
.ldb_admin
.create_ou(object_dn
)
672 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
676 # Defalt descriptor tests ##################################################################
679 user_name
= "testuser1"
680 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
681 # Open Ldb connection with the tested user
682 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
683 # Change Schema partition descriptor
684 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
685 mod
= "(A;;WDCC;;;AU)"
686 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
687 # Create example Schema class
688 class_name
= self
.get_unique_schema_class_name()
689 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
690 self
.create_schema_class(_ldb
, class_dn
)
691 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
692 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
693 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
694 self
.check_modify_inheritance(_ldb
, class_dn
)
697 user_name
= "testuser2"
698 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
699 # Open Ldb connection with the tested user
700 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
701 # Change Schema partition descriptor
702 mod
= "(A;CI;WDCC;;;AU)"
703 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
704 # Create example Schema class
705 class_name
= self
.get_unique_schema_class_name()
706 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
707 self
.create_schema_class(_ldb
, class_dn
)
708 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
709 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
710 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
711 self
.check_modify_inheritance(_ldb
, class_dn
)
714 user_name
= "testuser3"
715 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
716 # Open Ldb connection with the tested user
717 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
718 # Change Schema partition descriptor
719 mod
= "(A;CI;WDCC;;;AU)"
720 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
721 # Create example Schema class
722 class_name
= self
.get_unique_schema_class_name()
723 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
724 self
.create_schema_class(_ldb
, class_dn
)
725 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
726 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
727 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
728 #self.check_modify_inheritance(_ldb, class_dn)
731 user_name
= "testuser4"
732 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
733 # Open Ldb connection with the tested user
734 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
735 #Change Schema partition descriptor
736 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
737 mod
= "(A;CI;WDCC;;;AU)"
738 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
739 # Create example Schema class
740 class_name
= self
.get_unique_schema_class_name()
741 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
742 self
.create_schema_class(_ldb
, class_dn
)
743 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
744 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
745 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
746 #self.check_modify_inheritance(_ldb, class_dn)
749 user_name
= "testuser5"
750 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
751 # Open Ldb connection with the tested user
752 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
753 #Change Schema partition descriptor
754 mod
= "(A;CI;WDCC;;;AU)"
755 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
756 # Create example Schema class
757 class_name
= self
.get_unique_schema_class_name()
758 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
759 self
.create_schema_class(_ldb
, class_dn
)
760 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
761 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
762 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
763 self
.check_modify_inheritance(_ldb
, class_dn
)
766 user_name
= "testuser6"
767 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
768 # Open Ldb connection with the tested user
769 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
770 # Change Schema partition descriptor
771 mod
= "(A;CI;WDCC;;;AU)"
772 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
773 # Create example Schema class
774 class_name
= self
.get_unique_schema_class_name()
775 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
776 self
.create_schema_class(_ldb
, class_dn
)
777 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
778 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
779 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
780 self
.check_modify_inheritance(_ldb
, class_dn
)
783 user_name
= "testuser7"
784 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
785 # Open Ldb connection with the tested user
786 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
787 # Change Schema partition descriptor
788 mod
= "(A;CI;WDCC;;;AU)"
789 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
790 # Create example Schema class
791 class_name
= self
.get_unique_schema_class_name()
792 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
793 self
.create_schema_class(_ldb
, class_dn
)
794 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
795 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
796 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
797 self
.check_modify_inheritance(_ldb
, class_dn
)
800 user_name
= "testuser8"
801 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
802 # Open Ldb connection with the tested user
803 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
804 # Change Schema partition descriptor
805 mod
= "(A;CI;WDCC;;;AU)"
806 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
807 # Create example Schema class
808 class_name
= self
.get_unique_schema_class_name()
809 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
810 self
.create_schema_class(_ldb
, class_dn
)
811 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
812 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
813 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
814 self
.check_modify_inheritance(_ldb
, class_dn
)
816 # Custom descriptor tests ##################################################################
819 user_name
= "testuser1"
820 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
821 # Open Ldb connection with the tested user
822 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
823 # Change Schema partition descriptor
825 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
826 # Create a custom security descriptor
827 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
828 # Create example Schema class
829 class_name
= self
.get_unique_schema_class_name()
830 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
831 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
832 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
833 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
834 self
.assertEqual("O:DAG:DA", res
)
837 user_name
= "testuser2"
838 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
839 # Open Ldb connection with the tested user
840 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
841 # Change Schema partition descriptor
843 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
844 # Create a custom security descriptor
845 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
846 # Create example Schema class
847 class_name
= self
.get_unique_schema_class_name()
848 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
849 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
850 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
851 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
852 self
.assertEqual("O:DAG:DA", res
)
855 user_name
= "testuser3"
856 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
857 # Open Ldb connection with the tested user
858 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
859 # Create a custom security descriptor
860 # NB! Problematic owner part won't accept DA only <User Sid> !!!
861 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
862 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
863 # Create example Schema class
864 class_name
= self
.get_unique_schema_class_name()
865 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
866 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
867 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
868 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
869 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
872 user_name
= "testuser4"
873 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
874 # Open Ldb connection with the tested user
875 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
876 # Create a custom security descriptor
877 # NB! Problematic owner part won't accept DA only <User Sid> !!!
878 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
879 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
880 # Create example Schema class
881 class_name
= self
.get_unique_schema_class_name()
882 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
883 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
884 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
885 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
886 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
889 user_name
= "testuser5"
890 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
891 # Open Ldb connection with the tested user
892 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
893 # Change Schema partition descriptor
895 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
896 # Create a custom security descriptor
897 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
898 # Create example Schema class
899 class_name
= self
.get_unique_schema_class_name()
900 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
901 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
902 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
903 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
904 self
.assertEqual("O:DAG:DA", res
)
907 user_name
= "testuser6"
908 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
909 # Open Ldb connection with the tested user
910 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
911 # Change Schema partition descriptor
913 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
914 # Create a custom security descriptor
915 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
916 # Create example Schema class
917 class_name
= self
.get_unique_schema_class_name()
918 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
919 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
920 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
921 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
922 self
.assertEqual("O:DAG:DA", res
)
925 user_name
= "testuser7"
926 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
927 # Open Ldb connection with the tested user
928 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
929 # Change Schema partition descriptor
931 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
932 # Create a custom security descriptor
933 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
934 # Create example Schema class
935 class_name
= self
.get_unique_schema_class_name()
936 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
937 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
938 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
939 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
940 self
.assertEqual("O:DAG:DA", res
)
943 user_name
= "testuser8"
944 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
945 # Open Ldb connection with the tested user
946 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
947 # Change Schema partition descriptor
949 self
.sd_utils
.dacl_add_ace(self
.schema_dn
, mod
)
950 # Create a custom security descriptor
951 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
952 # Create example Schema class
953 class_name
= self
.get_unique_schema_class_name()
954 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
955 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
956 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(class_dn
)
957 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
958 self
.assertEqual("O:DAG:DA", res
)
960 ## Tests for CONFIGURATION
962 # Defalt descriptor tests ##################################################################
965 user_name
= "testuser1"
966 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
967 # Open Ldb connection with the tested user
968 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
969 # Create example Configuration container
970 container_name
= "test-container1"
971 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
972 delete_force(self
.ldb_admin
, object_dn
)
973 self
.create_configuration_container(_ldb
, object_dn
, )
974 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
975 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
976 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
977 self
.check_modify_inheritance(_ldb
, object_dn
)
980 user_name
= "testuser2"
981 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
982 # Open Ldb connection with the tested user
983 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
984 # Create example Configuration container
985 container_name
= "test-container1"
986 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
987 delete_force(self
.ldb_admin
, object_dn
)
988 self
.create_configuration_container(_ldb
, object_dn
, )
989 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
990 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
991 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
992 self
.check_modify_inheritance(_ldb
, object_dn
)
995 user_name
= "testuser3"
996 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
997 # Open Ldb connection with the tested user
998 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
999 # Create example Configuration container
1000 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1001 delete_force(self
.ldb_admin
, object_dn
)
1002 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1003 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1004 mod
= "(A;;WDCC;;;AU)"
1005 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1006 # Create child object with user's credentials
1007 object_dn
= "CN=test-specifier1," + object_dn
1008 delete_force(self
.ldb_admin
, object_dn
)
1009 self
.create_configuration_specifier(_ldb
, object_dn
)
1010 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1011 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1012 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1013 #self.check_modify_inheritance(_ldb, object_dn)
1016 user_name
= "testuser4"
1017 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1018 # Open Ldb connection with the tested user
1019 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1020 # Create example Configuration container
1021 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1022 delete_force(self
.ldb_admin
, object_dn
)
1023 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1024 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1025 mod
= "(A;CI;WDCC;;;AU)"
1026 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1027 # Create child object with user's credentials
1028 object_dn
= "CN=test-specifier1," + object_dn
1029 delete_force(self
.ldb_admin
, object_dn
)
1030 self
.create_configuration_specifier(_ldb
, object_dn
)
1031 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1032 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1033 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1034 #self.check_modify_inheritance(_ldb, object_dn)
1037 user_name
= "testuser5"
1038 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1039 # Open Ldb connection with the tested user
1040 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1041 # Create example Configuration container
1042 container_name
= "test-container1"
1043 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1044 delete_force(self
.ldb_admin
, object_dn
)
1045 self
.create_configuration_container(_ldb
, object_dn
, )
1046 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1047 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1048 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1049 self
.check_modify_inheritance(_ldb
, object_dn
)
1052 user_name
= "testuser6"
1053 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1054 # Open Ldb connection with the tested user
1055 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1056 # Create example Configuration container
1057 container_name
= "test-container1"
1058 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1059 delete_force(self
.ldb_admin
, object_dn
)
1060 self
.create_configuration_container(_ldb
, object_dn
, )
1061 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1062 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1063 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1064 self
.check_modify_inheritance(_ldb
, object_dn
)
1067 user_name
= "testuser7"
1068 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1069 # Open Ldb connection with the tested user
1070 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1071 # Create example Configuration container
1072 container_name
= "test-container1"
1073 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1074 delete_force(self
.ldb_admin
, object_dn
)
1075 self
.create_configuration_container(_ldb
, object_dn
, )
1076 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1077 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1078 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1079 self
.check_modify_inheritance(_ldb
, object_dn
)
1082 user_name
= "testuser8"
1083 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1084 # Open Ldb connection with the tested user
1085 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1086 # Create example Configuration container
1087 container_name
= "test-container1"
1088 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1089 delete_force(self
.ldb_admin
, object_dn
)
1090 self
.create_configuration_container(_ldb
, object_dn
, )
1091 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1092 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1093 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1094 self
.check_modify_inheritance(_ldb
, object_dn
)
1096 # Custom descriptor tests ##################################################################
1099 user_name
= "testuser1"
1100 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1101 # Open Ldb connection with the tested user
1102 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1103 # Create example Configuration container
1104 container_name
= "test-container1"
1105 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1106 delete_force(self
.ldb_admin
, object_dn
)
1107 # Create a custom security descriptor
1108 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1109 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1110 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1111 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1112 self
.assertEqual("O:DAG:DA", res
)
1115 user_name
= "testuser2"
1116 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1117 # Open Ldb connection with the tested user
1118 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1119 # Create example Configuration container
1120 container_name
= "test-container1"
1121 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1122 delete_force(self
.ldb_admin
, object_dn
)
1123 # Create a custom security descriptor
1124 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1125 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1126 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1127 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1128 self
.assertEqual("O:DAG:DA", res
)
1131 user_name
= "testuser3"
1132 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1133 # Open Ldb connection with the tested user
1134 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1135 # Create example Configuration container
1136 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1137 delete_force(self
.ldb_admin
, object_dn
)
1138 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1139 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1140 mod
= "(A;;CC;;;AU)"
1141 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1142 # Create child object with user's credentials
1143 object_dn
= "CN=test-specifier1," + object_dn
1144 delete_force(self
.ldb_admin
, object_dn
)
1145 # Create a custom security descriptor
1146 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1147 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1148 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1149 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1150 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1151 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1154 user_name
= "testuser4"
1155 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1156 # Open Ldb connection with the tested user
1157 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1158 # Create example Configuration container
1159 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1160 delete_force(self
.ldb_admin
, object_dn
)
1161 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1162 user_sid
= self
.sd_utils
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1163 mod
= "(A;;CC;;;AU)"
1164 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1165 # Create child object with user's credentials
1166 object_dn
= "CN=test-specifier1," + object_dn
1167 delete_force(self
.ldb_admin
, object_dn
)
1168 # Create a custom security descriptor
1169 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1170 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1171 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1172 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1173 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1174 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1177 user_name
= "testuser5"
1178 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1179 # Open Ldb connection with the tested user
1180 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1181 # Create example Configuration container
1182 container_name
= "test-container1"
1183 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1184 delete_force(self
.ldb_admin
, object_dn
)
1185 # Create a custom security descriptor
1186 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1187 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1188 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1189 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1190 self
.assertEqual("O:DAG:DA", res
)
1193 user_name
= "testuser6"
1194 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1195 # Open Ldb connection with the tested user
1196 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1197 # Create example Configuration container
1198 container_name
= "test-container1"
1199 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1200 delete_force(self
.ldb_admin
, object_dn
)
1201 # Create a custom security descriptor
1202 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1203 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1204 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1205 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1206 self
.assertEqual("O:DAG:DA", res
)
1209 user_name
= "testuser7"
1210 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1211 # Open Ldb connection with the tested user
1212 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1213 # Create example Configuration container
1214 container_name
= "test-container1"
1215 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1216 delete_force(self
.ldb_admin
, object_dn
)
1217 # Create a custom security descriptor
1218 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1219 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1220 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1221 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1222 self
.assertEqual("O:DAG:DA", res
)
1225 user_name
= "testuser8"
1226 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1227 # Open Ldb connection with the tested user
1228 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1229 # Create example Configuration container
1230 container_name
= "test-container1"
1231 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1232 delete_force(self
.ldb_admin
, object_dn
)
1233 # Create a custom security descriptor
1234 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1235 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1236 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1237 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1238 self
.assertEqual("O:DAG:DA", res
)
1240 ########################################################################################
1241 # Inheritance tests for DACL
1243 class DaclDescriptorTests(DescriptorTests
):
1245 def deleteAll(self
):
1246 delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1247 delete_force(self
.ldb_admin
, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self
.base_dn
)
1248 delete_force(self
.ldb_admin
, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self
.base_dn
)
1249 delete_force(self
.ldb_admin
, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self
.base_dn
)
1250 delete_force(self
.ldb_admin
, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self
.base_dn
)
1251 delete_force(self
.ldb_admin
, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self
.base_dn
)
1252 delete_force(self
.ldb_admin
, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self
.base_dn
)
1253 delete_force(self
.ldb_admin
, "OU=test_inherit_ou_p," + self
.base_dn
)
1254 delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1257 super(DaclDescriptorTests
, self
).setUp()
1260 def create_clean_ou(self
, object_dn
):
1261 """ Base repeating setup for unittests to follow """
1262 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
, \
1263 expression
="distinguishedName=%s" % object_dn
)
1264 # Make sure top testing OU has been deleted before starting the test
1265 self
.assertEqual(len(res
), 0)
1266 self
.ldb_admin
.create_ou(object_dn
)
1267 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1268 # Make sure there are inheritable ACEs initially
1269 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1270 # Find and remove all inherit ACEs
1271 res
= re
.findall("\(.*?\)", desc_sddl
)
1272 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1274 desc_sddl
= desc_sddl
.replace(x
, "")
1275 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1276 # can propagate from above
1277 # remove SACL, we are not interested
1278 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1279 self
.sd_utils
.modify_sd_on_dn(object_dn
, desc_sddl
)
1280 # Verify all inheritable ACEs are gone
1281 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(object_dn
)
1282 self
.assertFalse("CI" in desc_sddl
)
1283 self
.assertFalse("OI" in desc_sddl
)
1286 """ OU with protected flag and child group. See if the group has inherit ACEs.
1288 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1289 group_dn
= "CN=test_inherit_group," + ou_dn
1290 # Create inheritable-free OU
1291 self
.create_clean_ou(ou_dn
)
1292 # Create group child object
1293 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1294 # Make sure created group object contains NO inherit ACEs
1295 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1296 self
.assertFalse("ID" in desc_sddl
)
1299 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1300 Verify group has custom and default ACEs only.
1302 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1303 group_dn
= "CN=test_inherit_group," + ou_dn
1304 # Create inheritable-free OU
1305 self
.create_clean_ou(ou_dn
)
1306 # Create group child object using custom security descriptor
1307 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1308 tmp_desc
= security
.descriptor
.from_sddl(sddl
, self
.domain_sid
)
1309 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1310 # Make sure created group descriptor has NO additional ACEs
1311 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1312 self
.assertEqual(desc_sddl
, sddl
)
1313 sddl
= "O:AUG:AUD:AI(D;;CC;;;LG)"
1314 self
.sd_utils
.modify_sd_on_dn(group_dn
, sddl
)
1315 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1316 self
.assertEqual(desc_sddl
, sddl
)
1319 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1320 See if the group has any of the added ACEs.
1322 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1323 group_dn
= "CN=test_inherit_group," + ou_dn
1324 # Create inheritable-free OU
1325 self
.create_clean_ou(ou_dn
)
1326 # Add some custom non-inheritable ACEs
1327 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1328 moded
= "(D;;CC;;;LG)"
1329 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1330 # Verify all inheritable ACEs are gone
1331 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1332 # Create group child object
1333 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4)
1334 # Make sure created group object contains NO inherit ACEs
1335 # also make sure the added above non-inheritable ACEs are absent too
1336 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1337 self
.assertFalse("ID" in desc_sddl
)
1338 for x
in re
.findall("\(.*?\)", mod
):
1339 self
.assertFalse(x
in desc_sddl
)
1340 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1341 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1342 self
.assertFalse("ID" in desc_sddl
)
1343 for x
in re
.findall("\(.*?\)", mod
):
1344 self
.assertFalse(x
in desc_sddl
)
1347 """ OU with protected flag and add 'CI' ACE, child group.
1348 See if the group has the added inherited ACE.
1350 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1351 group_dn
= "CN=test_inherit_group," + ou_dn
1352 # Create inheritable-free OU
1353 self
.create_clean_ou(ou_dn
)
1354 # Add some custom 'CI' ACE
1355 mod
= "(D;CI;WP;;;DU)"
1356 moded
= "(D;;CC;;;LG)"
1357 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1358 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1359 # Create group child object
1360 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1361 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1362 # Make sure created group object contains only the above inherited ACE
1363 # that we've added manually
1364 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1365 mod
= mod
.replace(";CI;", ";CIID;")
1366 self
.assertTrue(mod
in desc_sddl
)
1367 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1368 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1369 self
.assertTrue(moded
in desc_sddl
)
1370 self
.assertTrue(mod
in desc_sddl
)
1373 """ OU with protected flag and add 'OI' ACE, child group.
1374 See if the group has the added inherited ACE.
1376 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1377 group_dn
= "CN=test_inherit_group," + ou_dn
1378 # Create inheritable-free OU
1379 self
.create_clean_ou(ou_dn
)
1380 # Add some custom 'CI' ACE
1381 mod
= "(D;OI;WP;;;DU)"
1382 moded
= "(D;;CC;;;LG)"
1383 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1384 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1385 # Create group child object
1386 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1387 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1388 # Make sure created group object contains only the above inherited ACE
1389 # that we've added manually
1390 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1391 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1392 self
.assertTrue(mod
in desc_sddl
)
1393 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" +moded
)
1394 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1395 self
.assertTrue(moded
in desc_sddl
)
1396 self
.assertTrue(mod
in desc_sddl
)
1399 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1400 See if the group has the added inherited ACE.
1402 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1403 group_dn
= "CN=test_inherit_group," + ou_dn
1404 # Create inheritable-free OU
1405 self
.create_clean_ou(ou_dn
)
1406 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1407 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1408 moded
= "(D;;CC;;;LG)"
1409 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1410 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1411 # Create group child object
1412 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1413 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1414 # Make sure created group object contains only the above inherited ACE
1415 # that we've added manually
1416 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1417 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1418 self
.assertTrue(mod
in desc_sddl
)
1419 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1420 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1421 self
.assertTrue(moded
in desc_sddl
)
1422 self
.assertTrue(mod
in desc_sddl
)
1425 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1426 See if the group has the added inherited ACE.
1428 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1429 group_dn
= "CN=test_inherit_group," + ou_dn
1430 # Create inheritable-free OU
1431 self
.create_clean_ou(ou_dn
)
1432 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1433 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1434 moded
= "(D;;CC;;;LG)"
1435 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1436 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1437 # Create group child object
1438 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1439 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1440 # Make sure created group object contains only the above inherited ACE
1441 # that we've added manually
1442 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1443 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1444 self
.assertTrue(mod
in desc_sddl
)
1445 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1446 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1447 self
.assertTrue(moded
in desc_sddl
)
1448 self
.assertTrue(mod
in desc_sddl
)
1451 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1452 See if the group has the added inherited ACE.
1454 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1455 group_dn
= "CN=test_inherit_group," + ou_dn
1456 # Create inheritable-free OU
1457 self
.create_clean_ou(ou_dn
)
1458 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1459 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1460 moded
= "(D;;CC;;;LG)"
1461 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1462 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1463 # Create group child object
1464 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1465 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1466 # Make sure created group object contains only the above inherited ACE
1467 # that we've added manually
1468 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1469 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1470 self
.assertTrue(mod
in desc_sddl
)
1471 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1472 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1473 self
.assertTrue(moded
in desc_sddl
)
1474 self
.assertTrue(mod
in desc_sddl
)
1477 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1478 See if the group has the added inherited ACE.
1480 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1481 group_dn
= "CN=test_inherit_group," + ou_dn
1482 # Create inheritable-free OU
1483 self
.create_clean_ou(ou_dn
)
1484 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1485 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1486 moded
= "(D;;CC;;;LG)"
1487 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1488 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1489 # Create group child object
1490 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1491 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1492 # Make sure created group object contains only the above inherited ACE
1493 # that we've added manually
1494 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1495 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1496 self
.assertTrue(mod
in desc_sddl
)
1497 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded
)
1498 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1499 self
.assertTrue(moded
in desc_sddl
)
1500 self
.assertTrue(mod
in desc_sddl
)
1503 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1504 See if the group has the added inherited ACE.
1506 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1507 group_dn
= "CN=test_inherit_group," + ou_dn
1508 # Create inheritable-free OU
1509 self
.create_clean_ou(ou_dn
)
1510 # Add some custom 'CI' ACE
1511 mod
= "(D;CI;WP;;;CO)"
1512 moded
= "(D;;CC;;;LG)"
1513 self
.sd_utils
.dacl_add_ace(ou_dn
, mod
)
1514 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1515 # Create group child object
1516 tmp_desc
= security
.descriptor
.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self
.domain_sid
)
1517 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1518 # Make sure created group object contains only the above inherited ACE(s)
1519 # that we've added manually
1520 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1521 self
.assertTrue("(D;ID;WP;;;AU)" in desc_sddl
)
1522 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1523 self
.sd_utils
.modify_sd_on_dn(group_dn
, "D:" + moded
)
1524 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1525 self
.assertTrue(moded
in desc_sddl
)
1526 self
.assertTrue("(D;ID;WP;;;DA)" in desc_sddl
)
1527 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1530 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1532 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1533 group_dn
= "CN=test_inherit_group," + ou_dn
1534 self
.create_clean_ou(ou_dn
)
1535 # Add some custom ACE
1536 mod
= "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1537 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1538 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1539 # Make sure created group object does not contain the ID ace
1540 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1541 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1544 """ Provide ACE with CO SID, should be expanded and replaced
1546 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1547 group_dn
= "CN=test_inherit_group," + ou_dn
1548 # Create inheritable-free OU
1549 self
.create_clean_ou(ou_dn
)
1550 # Add some custom 'CI' ACE
1551 mod
= "D:(D;CI;WP;;;CO)"
1552 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1553 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1554 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1555 self
.assertTrue("(D;;WP;;;DA)" in desc_sddl
)
1556 self
.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl
)
1559 """ Provide ACE with IO flag, should be ignored
1561 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1562 group_dn
= "CN=test_inherit_group," + ou_dn
1563 # Create inheritable-free OU
1564 self
.create_clean_ou(ou_dn
)
1565 # Add some custom 'CI' ACE
1566 mod
= "D:(D;CIIO;WP;;;CO)"
1567 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1568 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1569 # Make sure created group object contains only the above inherited ACE(s)
1570 # that we've added manually
1571 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1572 self
.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl
)
1573 self
.assertFalse("(D;;WP;;;DA)" in desc_sddl
)
1574 self
.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl
)
1577 """ Provide ACE with IO flag, should be ignored
1579 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1580 group_dn
= "CN=test_inherit_group," + ou_dn
1581 # Create inheritable-free OU
1582 self
.create_clean_ou(ou_dn
)
1583 mod
= "D:(D;IO;WP;;;DA)"
1584 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1585 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1586 # Make sure created group object contains only the above inherited ACE(s)
1587 # that we've added manually
1588 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1589 self
.assertFalse("(D;IO;WP;;;DA)" in desc_sddl
)
1592 """ Test behavior of ACEs containing generic rights
1594 ou_dn
= "OU=test_inherit_ou_p," + self
.base_dn
1595 ou_dn1
= "OU=test_inherit_ou1," + ou_dn
1596 ou_dn2
= "OU=test_inherit_ou2," + ou_dn
1597 ou_dn3
= "OU=test_inherit_ou3," + ou_dn
1598 ou_dn4
= "OU=test_inherit_ou4," + ou_dn
1599 ou_dn5
= "OU=test_inherit_ou5," + ou_dn1
1600 ou_dn6
= "OU=test_inherit_ou6," + ou_dn2
1601 # Create inheritable-free OU
1602 mod
= "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1603 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1604 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1605 mod
= "D:(A;CI;GA;;;DU)"
1606 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1607 self
.ldb_admin
.create_ou(ou_dn1
, sd
=tmp_desc
)
1608 mod
= "D:(A;CIIO;GA;;;DU)"
1609 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1610 self
.ldb_admin
.create_ou(ou_dn2
, sd
=tmp_desc
)
1611 mod
= "D:(A;;GA;;;DU)"
1612 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1613 self
.ldb_admin
.create_ou(ou_dn3
, sd
=tmp_desc
)
1614 mod
= "D:(A;IO;GA;;;DU)"
1615 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1616 self
.ldb_admin
.create_ou(ou_dn4
, sd
=tmp_desc
)
1618 self
.ldb_admin
.create_ou(ou_dn5
)
1619 self
.ldb_admin
.create_ou(ou_dn6
)
1621 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn1
)
1622 self
.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1623 self
.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl
)
1624 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn2
)
1625 self
.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1626 self
.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl
)
1627 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn3
)
1628 self
.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1629 self
.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl
)
1630 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn4
)
1631 self
.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1632 self
.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl
)
1633 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn5
)
1634 self
.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1635 self
.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl
)
1636 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn6
)
1637 self
.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl
)
1638 self
.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl
)
1641 """ Make sure IO flag is removed in child objects
1643 ou_dn
= "OU=test_inherit_ou_p," + self
.base_dn
1644 ou_dn1
= "OU=test_inherit_ou1," + ou_dn
1645 ou_dn5
= "OU=test_inherit_ou5," + ou_dn1
1646 # Create inheritable-free OU
1647 mod
= "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1648 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1649 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1650 mod
= "D:(A;CIIO;WP;;;DU)"
1651 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1652 self
.ldb_admin
.create_ou(ou_dn1
, sd
=tmp_desc
)
1653 self
.ldb_admin
.create_ou(ou_dn5
)
1654 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn5
)
1655 self
.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl
)
1656 self
.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl
)
1659 """ Make sure ID ACES provided by user are ignored
1661 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1662 group_dn
= "CN=test_inherit_group," + ou_dn
1663 mod
= "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1664 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1665 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1666 # Add some custom ACE
1667 mod
= "D:(D;ID;WP;;;AU)"
1668 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1669 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1670 # Make sure created group object does not contain the ID ace
1671 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1672 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1673 self
.assertFalse("(A;;WP;;;AU)" in desc_sddl
)
1676 """ Make sure ID ACES provided by user are not ignored if P flag is set
1678 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1679 group_dn
= "CN=test_inherit_group," + ou_dn
1680 mod
= "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1681 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1682 self
.ldb_admin
.create_ou(ou_dn
, sd
=tmp_desc
)
1683 # Add some custom ACE
1684 mod
= "D:P(A;ID;WP;;;AU)"
1685 tmp_desc
= security
.descriptor
.from_sddl(mod
, self
.domain_sid
)
1686 self
.ldb_admin
.newgroup("test_inherit_group", groupou
="OU=test_inherit_ou", grouptype
=4, sd
=tmp_desc
)
1687 # Make sure created group object does not contain the ID ace
1688 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(group_dn
)
1689 self
.assertFalse("(A;ID;WP;;;AU)" in desc_sddl
)
1690 self
.assertTrue("(A;;WP;;;AU)" in desc_sddl
)
1692 ########################################################################################
1695 class SdFlagsDescriptorTests(DescriptorTests
):
1696 def deleteAll(self
):
1697 delete_force(self
.ldb_admin
, "OU=test_sdflags_ou," + self
.base_dn
)
1700 super(SdFlagsDescriptorTests
, self
).setUp()
1701 self
.test_descr
= "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1705 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1706 See that only the owner has been changed.
1708 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1709 self
.ldb_admin
.create_ou(ou_dn
)
1710 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1711 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1712 # make sure we have modified the owner
1713 self
.assertTrue("O:AU" in desc_sddl
)
1714 # make sure nothing else has been modified
1715 self
.assertFalse("G:AU" in desc_sddl
)
1716 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1717 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1720 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1721 See that only the owner has been changed.
1723 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1724 self
.ldb_admin
.create_ou(ou_dn
)
1725 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1726 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1727 # make sure we have modified the group
1728 self
.assertTrue("G:AU" in desc_sddl
)
1729 # make sure nothing else has been modified
1730 self
.assertFalse("O:AU" in desc_sddl
)
1731 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1732 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1735 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1736 See that only the owner has been changed.
1738 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1739 self
.ldb_admin
.create_ou(ou_dn
)
1740 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1741 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1742 # make sure we have modified the DACL
1743 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1744 # make sure nothing else has been modified
1745 self
.assertFalse("O:AU" in desc_sddl
)
1746 self
.assertFalse("G:AU" in desc_sddl
)
1747 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1750 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1751 See that only the owner has been changed.
1753 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1754 self
.ldb_admin
.create_ou(ou_dn
)
1755 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1756 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1757 # make sure we have modified the DACL
1758 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1759 # make sure nothing else has been modified
1760 self
.assertFalse("O:AU" in desc_sddl
)
1761 self
.assertFalse("G:AU" in desc_sddl
)
1762 self
.assertFalse("(D;;CC;;;LG)" in desc_sddl
)
1765 """ Modify a descriptor with 0x0 set.
1766 Contrary to logic this is interpreted as no control,
1767 which is the same as 0xF
1769 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1770 self
.ldb_admin
.create_ou(ou_dn
)
1771 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:0"])
1772 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1773 # make sure we have modified the DACL
1774 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1775 # make sure nothing else has been modified
1776 self
.assertTrue("O:AU" in desc_sddl
)
1777 self
.assertTrue("G:AU" in desc_sddl
)
1778 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1781 """ Modify a descriptor with 0xF set.
1783 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1784 self
.ldb_admin
.create_ou(ou_dn
)
1785 self
.sd_utils
.modify_sd_on_dn(ou_dn
, self
.test_descr
, controls
=["sd_flags:1:15"])
1786 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
)
1787 # make sure we have modified the DACL
1788 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1789 # make sure nothing else has been modified
1790 self
.assertTrue("O:AU" in desc_sddl
)
1791 self
.assertTrue("G:AU" in desc_sddl
)
1792 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1795 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1796 Only the owner part should be returned.
1798 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1799 self
.ldb_admin
.create_ou(ou_dn
)
1800 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1801 # make sure we have read the owner
1802 self
.assertTrue("O:" in desc_sddl
)
1803 # make sure we have read nothing else
1804 self
.assertFalse("G:" in desc_sddl
)
1805 self
.assertFalse("D:" in desc_sddl
)
1806 self
.assertFalse("S:" in desc_sddl
)
1809 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1810 Only the group part should be returned.
1812 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1813 self
.ldb_admin
.create_ou(ou_dn
)
1814 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1815 # make sure we have read the owner
1816 self
.assertTrue("G:" in desc_sddl
)
1817 # make sure we have read nothing else
1818 self
.assertFalse("O:" in desc_sddl
)
1819 self
.assertFalse("D:" in desc_sddl
)
1820 self
.assertFalse("S:" in desc_sddl
)
1823 """ Read a descriptor with SACL_SECURITY_INFORMATION
1824 Only the sacl part should be returned.
1826 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1827 self
.ldb_admin
.create_ou(ou_dn
)
1828 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1829 # make sure we have read the owner
1830 self
.assertTrue("S:" in desc_sddl
)
1831 # make sure we have read nothing else
1832 self
.assertFalse("O:" in desc_sddl
)
1833 self
.assertFalse("D:" in desc_sddl
)
1834 self
.assertFalse("G:" in desc_sddl
)
1837 """ Read a descriptor with DACL_SECURITY_INFORMATION
1838 Only the dacl part should be returned.
1840 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1841 self
.ldb_admin
.create_ou(ou_dn
)
1842 desc_sddl
= self
.sd_utils
.get_sd_as_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1843 # make sure we have read the owner
1844 self
.assertTrue("D:" in desc_sddl
)
1845 # make sure we have read nothing else
1846 self
.assertFalse("O:" in desc_sddl
)
1847 self
.assertFalse("S:" in desc_sddl
)
1848 self
.assertFalse("G:" in desc_sddl
)
1851 class RightsAttributesTests(DescriptorTests
):
1853 def deleteAll(self
):
1854 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr"))
1855 delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr2"))
1856 delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
1859 super(RightsAttributesTests
, self
).setUp()
1863 self
.ldb_admin
.newuser("testuser_attr", "samba123@")
1864 # User 2, Domain Admins
1865 self
.ldb_admin
.newuser("testuser_attr2", "samba123@")
1866 self
.ldb_admin
.add_remove_group_members("Domain Admins",
1868 add_members_operation
=True)
1870 def test_sDRightsEffective(self
):
1871 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1872 delete_force(self
.ldb_admin
, object_dn
)
1873 self
.ldb_admin
.create_ou(object_dn
)
1874 print self
.get_users_domain_dn("testuser_attr")
1875 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1876 #give testuser1 read access so attributes can be retrieved
1877 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1878 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1879 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1880 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1881 attrs
=["sDRightsEffective"])
1882 #user whould have no rights at all
1883 self
.assertEquals(len(res
), 1)
1884 self
.assertEquals(res
[0]["sDRightsEffective"][0], "0")
1885 #give the user Write DACL and see what happens
1886 mod
= "(A;CI;WD;;;%s)" % str(user_sid
)
1887 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1888 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1889 attrs
=["sDRightsEffective"])
1890 #user whould have DACL_SECURITY_INFORMATION
1891 self
.assertEquals(len(res
), 1)
1892 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL
)
1893 #give the user Write Owners and see what happens
1894 mod
= "(A;CI;WO;;;%s)" % str(user_sid
)
1895 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1896 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1897 attrs
=["sDRightsEffective"])
1898 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1899 self
.assertEquals(len(res
), 1)
1900 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER
))
1901 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1902 _ldb
= self
.get_ldb_connection("testuser_attr2", "samba123@")
1903 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1904 attrs
=["sDRightsEffective"])
1905 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1906 self
.assertEquals(len(res
), 1)
1907 self
.assertEquals(res
[0]["sDRightsEffective"][0], \
1908 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL
))
1910 def test_allowedChildClassesEffective(self
):
1911 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1912 delete_force(self
.ldb_admin
, object_dn
)
1913 self
.ldb_admin
.create_ou(object_dn
)
1914 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1915 #give testuser1 read access so attributes can be retrieved
1916 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1917 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1918 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1919 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1920 attrs
=["allowedChildClassesEffective"])
1921 #there should be no allowed child classes
1922 self
.assertEquals(len(res
), 1)
1923 self
.assertFalse("allowedChildClassesEffective" in res
[0].keys())
1924 #give the user the right to create children of type user
1925 mod
= "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1926 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1927 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1928 attrs
=["allowedChildClassesEffective"])
1929 # allowedChildClassesEffective should only have one value, user
1930 self
.assertEquals(len(res
), 1)
1931 self
.assertEquals(len(res
[0]["allowedChildClassesEffective"]), 1)
1932 self
.assertEquals(res
[0]["allowedChildClassesEffective"][0], "user")
1934 def test_allowedAttributesEffective(self
):
1935 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1936 delete_force(self
.ldb_admin
, object_dn
)
1937 self
.ldb_admin
.create_ou(object_dn
)
1938 user_sid
= self
.sd_utils
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1939 #give testuser1 read access so attributes can be retrieved
1940 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1941 self
.sd_utils
.dacl_add_ace(object_dn
, mod
)
1942 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1943 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1944 attrs
=["allowedAttributesEffective"])
1945 #there should be no allowed attributes
1946 self
.assertEquals(len(res
), 1)
1947 self
.assertFalse("allowedAttributesEffective" in res
[0].keys())
1948 #give the user the right to write displayName and managedBy
1949 mod2
= "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1950 mod
= "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid
)
1951 # also rights to modify an read only attribute, fromEntry
1952 mod3
= "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid
)
1953 self
.sd_utils
.dacl_add_ace(object_dn
, mod
+ mod2
+ mod3
)
1954 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1955 attrs
=["allowedAttributesEffective"])
1956 # value should only contain user and managedBy
1957 self
.assertEquals(len(res
), 1)
1958 self
.assertEquals(len(res
[0]["allowedAttributesEffective"]), 2)
1959 self
.assertTrue("displayName" in res
[0]["allowedAttributesEffective"])
1960 self
.assertTrue("managedBy" in res
[0]["allowedAttributesEffective"])
1962 if not "://" in host
:
1963 if os
.path
.isfile(host
):
1964 host
= "tdb://%s" % host
1966 host
= "ldap://%s" % host
1968 # use 'paged_search' module when connecting remotely
1969 if host
.lower().startswith("ldap://"):
1970 ldb_options
= ["modules:paged_searches"]
1974 session_info
=system_session(lp
),
1976 options
=ldb_options
)
1978 runner
= SubunitTestRunner()
1980 if not runner
.run(unittest
.makeSuite(OwnerGroupDescriptorTests
)).wasSuccessful():
1982 if not runner
.run(unittest
.makeSuite(DaclDescriptorTests
)).wasSuccessful():
1984 if not runner
.run(unittest
.makeSuite(SdFlagsDescriptorTests
)).wasSuccessful():
1986 if not runner
.run(unittest
.makeSuite(RightsAttributesTests
)).wasSuccessful():