search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-unittests: replace assertEquals(res, []) by assertEquals(len(res), 0)
[Samba/gebeck_regimport.git] / source4 / dsdb / tests / python / sec_descriptor.py
blobb3e620733673d77d9cb575dc29fbef656f203aab
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3
4 import optparse
5 import sys
6 import os
7 import base64
8 import re
9 import random
10
11 sys.path.insert(0, "bin/python")
12 import samba
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
20
21 # For running the test unit
22 from samba.ndr import ndr_pack
23 from samba.dcerpc import security
24
25 from samba import gensec, sd_utils
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
33 import samba.tests
34 from samba.tests import delete_force
35 import unittest
36
37 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
38 sambaopts = options.SambaOptions(parser)
39 parser.add_option_group(sambaopts)
40 parser.add_option_group(options.VersionOptions(parser))
41
42 # use command line creds if available
43 credopts = options.CredentialsOptions(parser)
44 parser.add_option_group(credopts)
45 opts, args = parser.parse_args()
46
47 if len(args) < 1:
48 parser.print_usage()
49 sys.exit(1)
50
51 host = args[0]
52
53 lp = sambaopts.get_loadparm()
54 creds = credopts.get_credentials(lp)
55 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
56
57 #
58 # Tests start here
59 #
60
61 class DescriptorTests(samba.tests.TestCase):
62
63 def get_users_domain_dn(self, name):
64 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
65
66 def get_unique_schema_class_name(self):
67 while True:
68 class_name = "test-class%s" % random.randint(1,100000)
69 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
70 try:
71 self.ldb_admin.search(base=class_dn, attrs=["*"])
72 except LdbError, (num, _):
73 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
74 return class_name
75
76 def create_schema_class(self, _ldb, object_dn, desc=None):
77 ldif = """
78 dn: """ + object_dn + """
79 objectClass: classSchema
80 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
81 defaultObjectCategory: """ + object_dn + """
82 distinguishedName: """ + object_dn + """
83 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
84 instanceType: 4
85 objectClassCategory: 1
86 subClassOf: organizationalPerson
87 systemFlags: 16
88 rDNAttID: cn
89 systemMustContain: cn
90 systemOnly: FALSE
91 """
92 if desc:
93 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
94 if isinstance(desc, str):
95 ldif += "nTSecurityDescriptor: %s" % desc
96 elif isinstance(desc, security.descriptor):
97 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
98 _ldb.add_ldif(ldif)
99
100 def create_configuration_container(self, _ldb, object_dn, desc=None):
101 ldif = """
102 dn: """ + object_dn + """
103 objectClass: container
104 objectCategory: CN=Container,""" + self.schema_dn + """
105 showInAdvancedViewOnly: TRUE
106 instanceType: 4
107 """
108 if desc:
109 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
110 if isinstance(desc, str):
111 ldif += "nTSecurityDescriptor: %s" % desc
112 elif isinstance(desc, security.descriptor):
113 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
114 _ldb.add_ldif(ldif)
115
116 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
117 ldif = """
118 dn: """ + object_dn + """
119 objectClass: displaySpecifier
120 showInAdvancedViewOnly: TRUE
121 """
122 if desc:
123 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
124 if isinstance(desc, str):
125 ldif += "nTSecurityDescriptor: %s" % desc
126 elif isinstance(desc, security.descriptor):
127 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
128 _ldb.add_ldif(ldif)
129
130 def get_ldb_connection(self, target_username, target_password):
131 creds_tmp = Credentials()
132 creds_tmp.set_username(target_username)
133 creds_tmp.set_password(target_password)
134 creds_tmp.set_domain(creds.get_domain())
135 creds_tmp.set_realm(creds.get_realm())
136 creds_tmp.set_workstation(creds.get_workstation())
137 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
138 | gensec.FEATURE_SEAL)
139 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
140 return ldb_target
141
142 def setUp(self):
143 super(DescriptorTests, self).setUp()
144 self.ldb_admin = ldb
145 self.base_dn = ldb.domain_dn()
146 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
147 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
148 self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
149 self.sd_utils = sd_utils.SDUtils(ldb)
150 print "baseDN: %s" % self.base_dn
151
152 ################################################################################################
153
154 ## Tests for DOMAIN
155
156 # Default descriptor tests #####################################################################
157
158 class OwnerGroupDescriptorTests(DescriptorTests):
159
160 def deleteAll(self):
161 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
162 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
163 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
164 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
165 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
166 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
167 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
168 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
169 # DOMAIN
170 delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
171 delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
172 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
173 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
174 # SCHEMA
175 # CONFIGURATION
176 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
177 + self.configuration_dn)
178 delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
179
180 def setUp(self):
181 super(OwnerGroupDescriptorTests, self).setUp()
182 self.deleteAll()
183 ### Create users
184 # User 1 - Enterprise Admins
185 self.ldb_admin.newuser("testuser1", "samba123@")
186 # User 2 - Domain Admins
187 self.ldb_admin.newuser("testuser2", "samba123@")
188 # User 3 - Schema Admins
189 self.ldb_admin.newuser("testuser3", "samba123@")
190 # User 4 - regular user
191 self.ldb_admin.newuser("testuser4", "samba123@")
192 # User 5 - Enterprise Admins and Domain Admins
193 self.ldb_admin.newuser("testuser5", "samba123@")
194 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
195 self.ldb_admin.newuser("testuser6", "samba123@")
196 # User 7 - Domain Admins and Schema Admins
197 self.ldb_admin.newuser("testuser7", "samba123@")
198 # User 5 - Enterprise Admins and Schema Admins
199 self.ldb_admin.newuser("testuser8", "samba123@")
200
201 self.ldb_admin.add_remove_group_members("Enterprise Admins",
202 "testuser1,testuser5,testuser6,testuser8",
203 add_members_operation=True)
204 self.ldb_admin.add_remove_group_members("Domain Admins",
205 "testuser2,testuser5,testuser6,testuser7",
206 add_members_operation=True)
207 self.ldb_admin.add_remove_group_members("Schema Admins",
208 "testuser3,testuser6,testuser7,testuser8",
209 add_members_operation=True)
210
211 self.results = {
212 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
213 "ds_behavior_win2003" : {
214 "100" : "O:EAG:DU",
215 "101" : "O:DAG:DU",
216 "102" : "O:%sG:DU",
217 "103" : "O:%sG:DU",
218 "104" : "O:DAG:DU",
219 "105" : "O:DAG:DU",
220 "106" : "O:DAG:DU",
221 "107" : "O:EAG:DU",
222 "108" : "O:DAG:DA",
223 "109" : "O:DAG:DA",
224 "110" : "O:%sG:DA",
225 "111" : "O:%sG:DA",
226 "112" : "O:DAG:DA",
227 "113" : "O:DAG:DA",
228 "114" : "O:DAG:DA",
229 "115" : "O:DAG:DA",
230 "130" : "O:EAG:DU",
231 "131" : "O:DAG:DU",
232 "132" : "O:SAG:DU",
233 "133" : "O:%sG:DU",
234 "134" : "O:EAG:DU",
235 "135" : "O:SAG:DU",
236 "136" : "O:SAG:DU",
237 "137" : "O:SAG:DU",
238 "138" : "O:DAG:DA",
239 "139" : "O:DAG:DA",
240 "140" : "O:%sG:DA",
241 "141" : "O:%sG:DA",
242 "142" : "O:DAG:DA",
243 "143" : "O:DAG:DA",
244 "144" : "O:DAG:DA",
245 "145" : "O:DAG:DA",
246 "160" : "O:EAG:DU",
247 "161" : "O:DAG:DU",
248 "162" : "O:%sG:DU",
249 "163" : "O:%sG:DU",
250 "164" : "O:EAG:DU",
251 "165" : "O:EAG:DU",
252 "166" : "O:DAG:DU",
253 "167" : "O:EAG:DU",
254 "168" : "O:DAG:DA",
255 "169" : "O:DAG:DA",
256 "170" : "O:%sG:DA",
257 "171" : "O:%sG:DA",
258 "172" : "O:DAG:DA",
259 "173" : "O:DAG:DA",
260 "174" : "O:DAG:DA",
261 "175" : "O:DAG:DA",
262 },
263 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
264 "ds_behavior_win2008" : {
265 "100" : "O:EAG:EA",
266 "101" : "O:DAG:DA",
267 "102" : "O:%sG:DU",
268 "103" : "O:%sG:DU",
269 "104" : "O:DAG:DA",
270 "105" : "O:DAG:DA",
271 "106" : "O:DAG:DA",
272 "107" : "O:EAG:EA",
273 "108" : "O:DAG:DA",
274 "109" : "O:DAG:DA",
275 "110" : "O:%sG:DA",
276 "111" : "O:%sG:DA",
277 "112" : "O:DAG:DA",
278 "113" : "O:DAG:DA",
279 "114" : "O:DAG:DA",
280 "115" : "O:DAG:DA",
281 "130" : "O:EAG:EA",
282 "131" : "O:DAG:DA",
283 "132" : "O:SAG:SA",
284 "133" : "O:%sG:DU",
285 "134" : "O:EAG:EA",
286 "135" : "O:SAG:SA",
287 "136" : "O:SAG:SA",
288 "137" : "O:SAG:SA",
289 "138" : "",
290 "139" : "",
291 "140" : "O:%sG:DA",
292 "141" : "O:%sG:DA",
293 "142" : "",
294 "143" : "",
295 "144" : "",
296 "145" : "",
297 "160" : "O:EAG:EA",
298 "161" : "O:DAG:DA",
299 "162" : "O:%sG:DU",
300 "163" : "O:%sG:DU",
301 "164" : "O:EAG:EA",
302 "165" : "O:EAG:EA",
303 "166" : "O:DAG:DA",
304 "167" : "O:EAG:EA",
305 "168" : "O:DAG:DA",
306 "169" : "O:DAG:DA",
307 "170" : "O:%sG:DA",
308 "171" : "O:%sG:DA",
309 "172" : "O:DAG:DA",
310 "173" : "O:DAG:DA",
311 "174" : "O:DAG:DA",
312 "175" : "O:DAG:DA",
313 },
314 }
315 # Discover 'msDS-Behavior-Version'
316 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
317 attrs=['msDS-Behavior-Version'])
318 res = int(res[0]['msDS-Behavior-Version'][0])
319 if res < DS_DOMAIN_FUNCTION_2008:
320 self.DS_BEHAVIOR = "ds_behavior_win2003"
321 else:
322 self.DS_BEHAVIOR = "ds_behavior_win2008"
323
324 def tearDown(self):
325 super(DescriptorTests, self).tearDown()
326 self.deleteAll()
327
328 def check_user_belongs(self, user_dn, groups=[]):
329 """ Test wether user is member of the expected group(s) """
330 if groups != []:
331 # User is member of at least one additional group
332 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
333 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
334 expected = []
335 for x in groups:
336 expected.append(self.get_users_domain_dn(x))
337 expected = [x.upper() for x in sorted(expected)]
338 self.assertEqual(expected, res)
339 else:
340 # User is not a member of any additional groups but default
341 res = self.ldb_admin.search(user_dn, attrs=["*"])
342 res = [x.upper() for x in res[0].keys()]
343 self.assertFalse( "MEMBEROF" in res)
344
345 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
346 # Modify
347 sd_user_utils = sd_utils.SDUtils(_ldb)
348 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
349 if owner_group != "":
350 sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
351 else:
352 sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
353 # Make sure the modify operation has been applied
354 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
355 self.assertTrue(ace in desc_sddl)
356 # Make sure we have identical result for both "add" and "modify"
357 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
358 print self._testMethodName
359 test_number = self._testMethodName[5:]
360 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
361
362 def test_100(self):
363 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
364 """
365 user_name = "testuser1"
366 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
367 # Open Ldb connection with the tested user
368 _ldb = self.get_ldb_connection(user_name, "samba123@")
369 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
370 delete_force(self.ldb_admin, object_dn)
371 _ldb.newgroup("test_domain_group1", grouptype=4)
372 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
373 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
374 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
375 self.check_modify_inheritance(_ldb, object_dn)
376
377 def test_101(self):
378 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
379 """
380 user_name = "testuser2"
381 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
382 # Open Ldb connection with the tested user
383 _ldb = self.get_ldb_connection(user_name, "samba123@")
384 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
385 delete_force(self.ldb_admin, object_dn)
386 _ldb.newgroup("test_domain_group1", grouptype=4)
387 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
388 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
389 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
390 self.check_modify_inheritance(_ldb, object_dn)
391
392 def test_102(self):
393 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
394 """
395 user_name = "testuser3"
396 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
397 # Open Ldb connection with the tested user
398 _ldb = self.get_ldb_connection(user_name, "samba123@")
399 object_dn = "OU=test_domain_ou1," + self.base_dn
400 delete_force(self.ldb_admin, object_dn)
401 self.ldb_admin.create_ou(object_dn)
402 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
403 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
404 self.sd_utils.dacl_add_ace(object_dn, mod)
405 # Create additional object into the first one
406 object_dn = "CN=test_domain_user1," + object_dn
407 delete_force(self.ldb_admin, object_dn)
408 _ldb.newuser("test_domain_user1", "samba123@",
409 userou="OU=test_domain_ou1", setpassword=False)
410 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
411 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
412 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
413 # This fails, research why
414 #self.check_modify_inheritance(_ldb, object_dn)
415
416 def test_103(self):
417 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
418 """
419 user_name = "testuser4"
420 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
421 # Open Ldb connection with the tested user
422 _ldb = self.get_ldb_connection(user_name, "samba123@")
423 object_dn = "OU=test_domain_ou1," + self.base_dn
424 delete_force(self.ldb_admin, object_dn)
425 self.ldb_admin.create_ou(object_dn)
426 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
427 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
428 self.sd_utils.dacl_add_ace(object_dn, mod)
429 # Create additional object into the first one
430 object_dn = "CN=test_domain_user1," + object_dn
431 delete_force(self.ldb_admin, object_dn)
432 _ldb.newuser("test_domain_user1", "samba123@",
433 userou="OU=test_domain_ou1", setpassword=False)
434 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
435 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
436 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
437 #this fails, research why
438 #self.check_modify_inheritance(_ldb, object_dn)
439
440 def test_104(self):
441 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
442 """
443 user_name = "testuser5"
444 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
445 # Open Ldb connection with the tested user
446 _ldb = self.get_ldb_connection(user_name, "samba123@")
447 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
448 delete_force(self.ldb_admin, object_dn)
449 _ldb.newgroup("test_domain_group1", grouptype=4)
450 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
451 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
452 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
453 self.check_modify_inheritance(_ldb, object_dn)
454
455 def test_105(self):
456 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
457 """
458 user_name = "testuser6"
459 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
460 # Open Ldb connection with the tested user
461 _ldb = self.get_ldb_connection(user_name, "samba123@")
462 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
463 delete_force(self.ldb_admin, object_dn)
464 _ldb.newgroup("test_domain_group1", grouptype=4)
465 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
466 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
467 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
468 self.check_modify_inheritance(_ldb, object_dn)
469
470 def test_106(self):
471 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
472 """
473 user_name = "testuser7"
474 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
475 # Open Ldb connection with the tested user
476 _ldb = self.get_ldb_connection(user_name, "samba123@")
477 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
478 delete_force(self.ldb_admin, object_dn)
479 _ldb.newgroup("test_domain_group1", grouptype=4)
480 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
481 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
482 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
483 self.check_modify_inheritance(_ldb, object_dn)
484
485 def test_107(self):
486 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
487 """
488 user_name = "testuser8"
489 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
490 # Open Ldb connection with the tested user
491 _ldb = self.get_ldb_connection(user_name, "samba123@")
492 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
493 delete_force(self.ldb_admin, object_dn)
494 _ldb.newgroup("test_domain_group1", grouptype=4)
495 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
496 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
497 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
498 self.check_modify_inheritance(_ldb, object_dn)
499
500 # Control descriptor tests #####################################################################
501
502 def test_108(self):
503 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
504 """
505 user_name = "testuser1"
506 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
507 # Open Ldb connection with the tested user
508 _ldb = self.get_ldb_connection(user_name, "samba123@")
509 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
510 delete_force(self.ldb_admin, object_dn)
511 # Create a custom security descriptor
512 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
513 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
514 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
515 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
516 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
517 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
518
519 def test_109(self):
520 """ Domain admin group member creates object (custom descriptor) in DOMAIN
521 """
522 user_name = "testuser2"
523 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
524 # Open Ldb connection with the tested user
525 _ldb = self.get_ldb_connection(user_name, "samba123@")
526 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
527 delete_force(self.ldb_admin, object_dn)
528 # Create a custom security descriptor
529 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
530 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
531 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
532 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
533 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
534 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
535
536 def test_110(self):
537 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
538 """
539 user_name = "testuser3"
540 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
541 # Open Ldb connection with the tested user
542 _ldb = self.get_ldb_connection(user_name, "samba123@")
543 object_dn = "OU=test_domain_ou1," + self.base_dn
544 delete_force(self.ldb_admin, object_dn)
545 self.ldb_admin.create_ou(object_dn)
546 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
547 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
548 self.sd_utils.dacl_add_ace(object_dn, mod)
549 # Create a custom security descriptor
550 # NB! Problematic owner part won't accept DA only <User Sid> !!!
551 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
552 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
553 # Create additional object into the first one
554 object_dn = "CN=test_domain_user1," + object_dn
555 delete_force(self.ldb_admin, object_dn)
556 _ldb.newuser("test_domain_user1", "samba123@",
557 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
558 desc = self.sd_utils.read_sd_on_dn(object_dn)
559 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
560 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
561 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
562
563 def test_111(self):
564 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
565 """
566 user_name = "testuser4"
567 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
568 # Open Ldb connection with the tested user
569 _ldb = self.get_ldb_connection(user_name, "samba123@")
570 object_dn = "OU=test_domain_ou1," + self.base_dn
571 delete_force(self.ldb_admin, object_dn)
572 self.ldb_admin.create_ou(object_dn)
573 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
574 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
575 self.sd_utils.dacl_add_ace(object_dn, mod)
576 # Create a custom security descriptor
577 # NB! Problematic owner part won't accept DA only <User Sid> !!!
578 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
579 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
580 # Create additional object into the first one
581 object_dn = "CN=test_domain_user1," + object_dn
582 delete_force(self.ldb_admin, object_dn)
583 _ldb.newuser("test_domain_user1", "samba123@",
584 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
585 desc = self.sd_utils.read_sd_on_dn(object_dn)
586 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
587 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
588 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
589
590 def test_112(self):
591 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
592 """
593 user_name = "testuser5"
594 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
595 # Open Ldb connection with the tested user
596 _ldb = self.get_ldb_connection(user_name, "samba123@")
597 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
598 delete_force(self.ldb_admin, object_dn)
599 # Create a custom security descriptor
600 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
601 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
602 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
603 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
604 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
605 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
606
607 def test_113(self):
608 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
609 """
610 user_name = "testuser6"
611 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
612 # Open Ldb connection with the tested user
613 _ldb = self.get_ldb_connection(user_name, "samba123@")
614 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
615 delete_force(self.ldb_admin, object_dn)
616 # Create a custom security descriptor
617 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
618 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
619 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
620 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
621 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
622 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
623
624 def test_114(self):
625 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
626 """
627 user_name = "testuser7"
628 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
629 # Open Ldb connection with the tested user
630 _ldb = self.get_ldb_connection(user_name, "samba123@")
631 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
632 delete_force(self.ldb_admin, object_dn)
633 # Create a custom security descriptor
634 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
635 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
636 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
637 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
638 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
639 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
640
641 def test_115(self):
642 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
643 """
644 user_name = "testuser8"
645 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
646 # Open Ldb connection with the tested user
647 _ldb = self.get_ldb_connection(user_name, "samba123@")
648 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
649 delete_force(self.ldb_admin, object_dn)
650 # Create a custom security descriptor
651 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
652 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
653 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
654 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
655 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
656 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
657
658 def test_999(self):
659 user_name = "Administrator"
660 object_dn = "OU=test_domain_ou1," + self.base_dn
661 delete_force(self.ldb_admin, object_dn)
662 self.ldb_admin.create_ou(object_dn)
663 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
664 mod = "(D;CI;WP;;;S-1-3-0)"
665 #mod = ""
666 self.sd_utils.dacl_add_ace(object_dn, mod)
667 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
668 # Create additional object into the first one
669 object_dn = "OU=test_domain_ou2," + object_dn
670 delete_force(self.ldb_admin, object_dn)
671 self.ldb_admin.create_ou(object_dn)
672 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
673
674 ## Tests for SCHEMA
675
676 # Defalt descriptor tests ##################################################################
677
678 def test_130(self):
679 user_name = "testuser1"
680 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
681 # Open Ldb connection with the tested user
682 _ldb = self.get_ldb_connection(user_name, "samba123@")
683 # Change Schema partition descriptor
684 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
685 mod = "(A;;WDCC;;;AU)"
686 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
687 # Create example Schema class
688 class_name = self.get_unique_schema_class_name()
689 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
690 self.create_schema_class(_ldb, class_dn)
691 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
692 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
693 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
694 self.check_modify_inheritance(_ldb, class_dn)
695
696 def test_131(self):
697 user_name = "testuser2"
698 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
699 # Open Ldb connection with the tested user
700 _ldb = self.get_ldb_connection(user_name, "samba123@")
701 # Change Schema partition descriptor
702 mod = "(A;CI;WDCC;;;AU)"
703 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
704 # Create example Schema class
705 class_name = self.get_unique_schema_class_name()
706 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
707 self.create_schema_class(_ldb, class_dn)
708 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
709 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
710 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
711 self.check_modify_inheritance(_ldb, class_dn)
712
713 def test_132(self):
714 user_name = "testuser3"
715 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
716 # Open Ldb connection with the tested user
717 _ldb = self.get_ldb_connection(user_name, "samba123@")
718 # Change Schema partition descriptor
719 mod = "(A;CI;WDCC;;;AU)"
720 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
721 # Create example Schema class
722 class_name = self.get_unique_schema_class_name()
723 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
724 self.create_schema_class(_ldb, class_dn)
725 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
726 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
727 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
728 #self.check_modify_inheritance(_ldb, class_dn)
729
730 def test_133(self):
731 user_name = "testuser4"
732 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
733 # Open Ldb connection with the tested user
734 _ldb = self.get_ldb_connection(user_name, "samba123@")
735 #Change Schema partition descriptor
736 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
737 mod = "(A;CI;WDCC;;;AU)"
738 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
739 # Create example Schema class
740 class_name = self.get_unique_schema_class_name()
741 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
742 self.create_schema_class(_ldb, class_dn)
743 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
744 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
745 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
746 #self.check_modify_inheritance(_ldb, class_dn)
747
748 def test_134(self):
749 user_name = "testuser5"
750 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
751 # Open Ldb connection with the tested user
752 _ldb = self.get_ldb_connection(user_name, "samba123@")
753 #Change Schema partition descriptor
754 mod = "(A;CI;WDCC;;;AU)"
755 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
756 # Create example Schema class
757 class_name = self.get_unique_schema_class_name()
758 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
759 self.create_schema_class(_ldb, class_dn)
760 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
761 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
762 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
763 self.check_modify_inheritance(_ldb, class_dn)
764
765 def test_135(self):
766 user_name = "testuser6"
767 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
768 # Open Ldb connection with the tested user
769 _ldb = self.get_ldb_connection(user_name, "samba123@")
770 # Change Schema partition descriptor
771 mod = "(A;CI;WDCC;;;AU)"
772 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
773 # Create example Schema class
774 class_name = self.get_unique_schema_class_name()
775 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
776 self.create_schema_class(_ldb, class_dn)
777 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
778 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
779 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
780 self.check_modify_inheritance(_ldb, class_dn)
781
782 def test_136(self):
783 user_name = "testuser7"
784 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
785 # Open Ldb connection with the tested user
786 _ldb = self.get_ldb_connection(user_name, "samba123@")
787 # Change Schema partition descriptor
788 mod = "(A;CI;WDCC;;;AU)"
789 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
790 # Create example Schema class
791 class_name = self.get_unique_schema_class_name()
792 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
793 self.create_schema_class(_ldb, class_dn)
794 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
795 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
796 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
797 self.check_modify_inheritance(_ldb, class_dn)
798
799 def test_137(self):
800 user_name = "testuser8"
801 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
802 # Open Ldb connection with the tested user
803 _ldb = self.get_ldb_connection(user_name, "samba123@")
804 # Change Schema partition descriptor
805 mod = "(A;CI;WDCC;;;AU)"
806 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
807 # Create example Schema class
808 class_name = self.get_unique_schema_class_name()
809 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
810 self.create_schema_class(_ldb, class_dn)
811 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
812 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
813 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
814 self.check_modify_inheritance(_ldb, class_dn)
815
816 # Custom descriptor tests ##################################################################
817
818 def test_138(self):
819 user_name = "testuser1"
820 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
821 # Open Ldb connection with the tested user
822 _ldb = self.get_ldb_connection(user_name, "samba123@")
823 # Change Schema partition descriptor
824 mod = "(A;;CC;;;AU)"
825 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
826 # Create a custom security descriptor
827 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
828 # Create example Schema class
829 class_name = self.get_unique_schema_class_name()
830 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
831 self.create_schema_class(_ldb, class_dn, desc_sddl)
832 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
833 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
834 self.assertEqual("O:DAG:DA", res)
835
836 def test_139(self):
837 user_name = "testuser2"
838 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
839 # Open Ldb connection with the tested user
840 _ldb = self.get_ldb_connection(user_name, "samba123@")
841 # Change Schema partition descriptor
842 mod = "(A;;CC;;;AU)"
843 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
844 # Create a custom security descriptor
845 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
846 # Create example Schema class
847 class_name = self.get_unique_schema_class_name()
848 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
849 self.create_schema_class(_ldb, class_dn, desc_sddl)
850 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
851 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
852 self.assertEqual("O:DAG:DA", res)
853
854 def test_140(self):
855 user_name = "testuser3"
856 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
857 # Open Ldb connection with the tested user
858 _ldb = self.get_ldb_connection(user_name, "samba123@")
859 # Create a custom security descriptor
860 # NB! Problematic owner part won't accept DA only <User Sid> !!!
861 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
862 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
863 # Create example Schema class
864 class_name = self.get_unique_schema_class_name()
865 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
866 self.create_schema_class(_ldb, class_dn, desc_sddl)
867 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
868 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
869 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
870
871 def test_141(self):
872 user_name = "testuser4"
873 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
874 # Open Ldb connection with the tested user
875 _ldb = self.get_ldb_connection(user_name, "samba123@")
876 # Create a custom security descriptor
877 # NB! Problematic owner part won't accept DA only <User Sid> !!!
878 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
879 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
880 # Create example Schema class
881 class_name = self.get_unique_schema_class_name()
882 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
883 self.create_schema_class(_ldb, class_dn, desc_sddl)
884 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
885 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
886 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
887
888 def test_142(self):
889 user_name = "testuser5"
890 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
891 # Open Ldb connection with the tested user
892 _ldb = self.get_ldb_connection(user_name, "samba123@")
893 # Change Schema partition descriptor
894 mod = "(A;;CC;;;AU)"
895 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
896 # Create a custom security descriptor
897 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
898 # Create example Schema class
899 class_name = self.get_unique_schema_class_name()
900 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
901 self.create_schema_class(_ldb, class_dn, desc_sddl)
902 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
903 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
904 self.assertEqual("O:DAG:DA", res)
905
906 def test_143(self):
907 user_name = "testuser6"
908 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
909 # Open Ldb connection with the tested user
910 _ldb = self.get_ldb_connection(user_name, "samba123@")
911 # Change Schema partition descriptor
912 mod = "(A;;CC;;;AU)"
913 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
914 # Create a custom security descriptor
915 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
916 # Create example Schema class
917 class_name = self.get_unique_schema_class_name()
918 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
919 self.create_schema_class(_ldb, class_dn, desc_sddl)
920 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
921 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
922 self.assertEqual("O:DAG:DA", res)
923
924 def test_144(self):
925 user_name = "testuser7"
926 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
927 # Open Ldb connection with the tested user
928 _ldb = self.get_ldb_connection(user_name, "samba123@")
929 # Change Schema partition descriptor
930 mod = "(A;;CC;;;AU)"
931 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
932 # Create a custom security descriptor
933 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
934 # Create example Schema class
935 class_name = self.get_unique_schema_class_name()
936 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
937 self.create_schema_class(_ldb, class_dn, desc_sddl)
938 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
939 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
940 self.assertEqual("O:DAG:DA", res)
941
942 def test_145(self):
943 user_name = "testuser8"
944 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
945 # Open Ldb connection with the tested user
946 _ldb = self.get_ldb_connection(user_name, "samba123@")
947 # Change Schema partition descriptor
948 mod = "(A;;CC;;;AU)"
949 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
950 # Create a custom security descriptor
951 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
952 # Create example Schema class
953 class_name = self.get_unique_schema_class_name()
954 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
955 self.create_schema_class(_ldb, class_dn, desc_sddl)
956 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
957 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
958 self.assertEqual("O:DAG:DA", res)
959
960 ## Tests for CONFIGURATION
961
962 # Defalt descriptor tests ##################################################################
963
964 def test_160(self):
965 user_name = "testuser1"
966 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
967 # Open Ldb connection with the tested user
968 _ldb = self.get_ldb_connection(user_name, "samba123@")
969 # Create example Configuration container
970 container_name = "test-container1"
971 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
972 delete_force(self.ldb_admin, object_dn)
973 self.create_configuration_container(_ldb, object_dn, )
974 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
975 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
976 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
977 self.check_modify_inheritance(_ldb, object_dn)
978
979 def test_161(self):
980 user_name = "testuser2"
981 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
982 # Open Ldb connection with the tested user
983 _ldb = self.get_ldb_connection(user_name, "samba123@")
984 # Create example Configuration container
985 container_name = "test-container1"
986 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
987 delete_force(self.ldb_admin, object_dn)
988 self.create_configuration_container(_ldb, object_dn, )
989 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
990 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
991 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
992 self.check_modify_inheritance(_ldb, object_dn)
993
994 def test_162(self):
995 user_name = "testuser3"
996 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
997 # Open Ldb connection with the tested user
998 _ldb = self.get_ldb_connection(user_name, "samba123@")
999 # Create example Configuration container
1000 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1001 delete_force(self.ldb_admin, object_dn)
1002 self.create_configuration_container(self.ldb_admin, object_dn, )
1003 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1004 mod = "(A;;WDCC;;;AU)"
1005 self.sd_utils.dacl_add_ace(object_dn, mod)
1006 # Create child object with user's credentials
1007 object_dn = "CN=test-specifier1," + object_dn
1008 delete_force(self.ldb_admin, object_dn)
1009 self.create_configuration_specifier(_ldb, object_dn)
1010 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1011 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1012 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1013 #self.check_modify_inheritance(_ldb, object_dn)
1014
1015 def test_163(self):
1016 user_name = "testuser4"
1017 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1018 # Open Ldb connection with the tested user
1019 _ldb = self.get_ldb_connection(user_name, "samba123@")
1020 # Create example Configuration container
1021 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1022 delete_force(self.ldb_admin, object_dn)
1023 self.create_configuration_container(self.ldb_admin, object_dn, )
1024 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1025 mod = "(A;CI;WDCC;;;AU)"
1026 self.sd_utils.dacl_add_ace(object_dn, mod)
1027 # Create child object with user's credentials
1028 object_dn = "CN=test-specifier1," + object_dn
1029 delete_force(self.ldb_admin, object_dn)
1030 self.create_configuration_specifier(_ldb, object_dn)
1031 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1032 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1033 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1034 #self.check_modify_inheritance(_ldb, object_dn)
1035
1036 def test_164(self):
1037 user_name = "testuser5"
1038 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1039 # Open Ldb connection with the tested user
1040 _ldb = self.get_ldb_connection(user_name, "samba123@")
1041 # Create example Configuration container
1042 container_name = "test-container1"
1043 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1044 delete_force(self.ldb_admin, object_dn)
1045 self.create_configuration_container(_ldb, object_dn, )
1046 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1047 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1048 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1049 self.check_modify_inheritance(_ldb, object_dn)
1050
1051 def test_165(self):
1052 user_name = "testuser6"
1053 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1054 # Open Ldb connection with the tested user
1055 _ldb = self.get_ldb_connection(user_name, "samba123@")
1056 # Create example Configuration container
1057 container_name = "test-container1"
1058 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1059 delete_force(self.ldb_admin, object_dn)
1060 self.create_configuration_container(_ldb, object_dn, )
1061 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1062 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1063 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1064 self.check_modify_inheritance(_ldb, object_dn)
1065
1066 def test_166(self):
1067 user_name = "testuser7"
1068 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1069 # Open Ldb connection with the tested user
1070 _ldb = self.get_ldb_connection(user_name, "samba123@")
1071 # Create example Configuration container
1072 container_name = "test-container1"
1073 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1074 delete_force(self.ldb_admin, object_dn)
1075 self.create_configuration_container(_ldb, object_dn, )
1076 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1077 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1078 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1079 self.check_modify_inheritance(_ldb, object_dn)
1080
1081 def test_167(self):
1082 user_name = "testuser8"
1083 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1084 # Open Ldb connection with the tested user
1085 _ldb = self.get_ldb_connection(user_name, "samba123@")
1086 # Create example Configuration container
1087 container_name = "test-container1"
1088 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1089 delete_force(self.ldb_admin, object_dn)
1090 self.create_configuration_container(_ldb, object_dn, )
1091 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1092 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1093 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1094 self.check_modify_inheritance(_ldb, object_dn)
1095
1096 # Custom descriptor tests ##################################################################
1097
1098 def test_168(self):
1099 user_name = "testuser1"
1100 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1101 # Open Ldb connection with the tested user
1102 _ldb = self.get_ldb_connection(user_name, "samba123@")
1103 # Create example Configuration container
1104 container_name = "test-container1"
1105 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1106 delete_force(self.ldb_admin, object_dn)
1107 # Create a custom security descriptor
1108 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1109 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1110 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1111 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1112 self.assertEqual("O:DAG:DA", res)
1113
1114 def test_169(self):
1115 user_name = "testuser2"
1116 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1117 # Open Ldb connection with the tested user
1118 _ldb = self.get_ldb_connection(user_name, "samba123@")
1119 # Create example Configuration container
1120 container_name = "test-container1"
1121 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1122 delete_force(self.ldb_admin, object_dn)
1123 # Create a custom security descriptor
1124 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1125 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1126 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1127 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1128 self.assertEqual("O:DAG:DA", res)
1129
1130 def test_170(self):
1131 user_name = "testuser3"
1132 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1133 # Open Ldb connection with the tested user
1134 _ldb = self.get_ldb_connection(user_name, "samba123@")
1135 # Create example Configuration container
1136 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1137 delete_force(self.ldb_admin, object_dn)
1138 self.create_configuration_container(self.ldb_admin, object_dn, )
1139 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1140 mod = "(A;;CC;;;AU)"
1141 self.sd_utils.dacl_add_ace(object_dn, mod)
1142 # Create child object with user's credentials
1143 object_dn = "CN=test-specifier1," + object_dn
1144 delete_force(self.ldb_admin, object_dn)
1145 # Create a custom security descriptor
1146 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1147 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1148 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1149 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1150 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1151 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1152
1153 def test_171(self):
1154 user_name = "testuser4"
1155 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1156 # Open Ldb connection with the tested user
1157 _ldb = self.get_ldb_connection(user_name, "samba123@")
1158 # Create example Configuration container
1159 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1160 delete_force(self.ldb_admin, object_dn)
1161 self.create_configuration_container(self.ldb_admin, object_dn, )
1162 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1163 mod = "(A;;CC;;;AU)"
1164 self.sd_utils.dacl_add_ace(object_dn, mod)
1165 # Create child object with user's credentials
1166 object_dn = "CN=test-specifier1," + object_dn
1167 delete_force(self.ldb_admin, object_dn)
1168 # Create a custom security descriptor
1169 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1170 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1171 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1172 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1173 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1174 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1175
1176 def test_172(self):
1177 user_name = "testuser5"
1178 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1179 # Open Ldb connection with the tested user
1180 _ldb = self.get_ldb_connection(user_name, "samba123@")
1181 # Create example Configuration container
1182 container_name = "test-container1"
1183 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1184 delete_force(self.ldb_admin, object_dn)
1185 # Create a custom security descriptor
1186 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1187 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1188 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1189 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1190 self.assertEqual("O:DAG:DA", res)
1191
1192 def test_173(self):
1193 user_name = "testuser6"
1194 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1195 # Open Ldb connection with the tested user
1196 _ldb = self.get_ldb_connection(user_name, "samba123@")
1197 # Create example Configuration container
1198 container_name = "test-container1"
1199 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1200 delete_force(self.ldb_admin, object_dn)
1201 # Create a custom security descriptor
1202 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1203 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1204 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1205 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1206 self.assertEqual("O:DAG:DA", res)
1207
1208 def test_174(self):
1209 user_name = "testuser7"
1210 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1211 # Open Ldb connection with the tested user
1212 _ldb = self.get_ldb_connection(user_name, "samba123@")
1213 # Create example Configuration container
1214 container_name = "test-container1"
1215 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1216 delete_force(self.ldb_admin, object_dn)
1217 # Create a custom security descriptor
1218 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1219 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1220 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1221 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1222 self.assertEqual("O:DAG:DA", res)
1223
1224 def test_175(self):
1225 user_name = "testuser8"
1226 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1227 # Open Ldb connection with the tested user
1228 _ldb = self.get_ldb_connection(user_name, "samba123@")
1229 # Create example Configuration container
1230 container_name = "test-container1"
1231 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1232 delete_force(self.ldb_admin, object_dn)
1233 # Create a custom security descriptor
1234 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1235 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1236 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1237 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1238 self.assertEqual("O:DAG:DA", res)
1239
1240 ########################################################################################
1241 # Inheritance tests for DACL
1242
1243 class DaclDescriptorTests(DescriptorTests):
1244
1245 def deleteAll(self):
1246 delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1247 delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1248 delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1249 delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1250 delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1251 delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
1252 delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
1253 delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
1254 delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1255
1256 def setUp(self):
1257 super(DaclDescriptorTests, self).setUp()
1258 self.deleteAll()
1259
1260 def create_clean_ou(self, object_dn):
1261 """ Base repeating setup for unittests to follow """
1262 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1263 expression="distinguishedName=%s" % object_dn)
1264 # Make sure top testing OU has been deleted before starting the test
1265 self.assertEqual(len(res), 0)
1266 self.ldb_admin.create_ou(object_dn)
1267 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1268 # Make sure there are inheritable ACEs initially
1269 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1270 # Find and remove all inherit ACEs
1271 res = re.findall("\(.*?\)", desc_sddl)
1272 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1273 for x in res:
1274 desc_sddl = desc_sddl.replace(x, "")
1275 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1276 # can propagate from above
1277 # remove SACL, we are not interested
1278 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1279 self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
1280 # Verify all inheritable ACEs are gone
1281 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1282 self.assertFalse("CI" in desc_sddl)
1283 self.assertFalse("OI" in desc_sddl)
1284
1285 def test_200(self):
1286 """ OU with protected flag and child group. See if the group has inherit ACEs.
1287 """
1288 ou_dn = "OU=test_inherit_ou," + self.base_dn
1289 group_dn = "CN=test_inherit_group," + ou_dn
1290 # Create inheritable-free OU
1291 self.create_clean_ou(ou_dn)
1292 # Create group child object
1293 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1294 # Make sure created group object contains NO inherit ACEs
1295 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1296 self.assertFalse("ID" in desc_sddl)
1297
1298 def test_201(self):
1299 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1300 Verify group has custom and default ACEs only.
1301 """
1302 ou_dn = "OU=test_inherit_ou," + self.base_dn
1303 group_dn = "CN=test_inherit_group," + ou_dn
1304 # Create inheritable-free OU
1305 self.create_clean_ou(ou_dn)
1306 # Create group child object using custom security descriptor
1307 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1308 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1309 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1310 # Make sure created group descriptor has NO additional ACEs
1311 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1312 self.assertEqual(desc_sddl, sddl)
1313 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1314 self.sd_utils.modify_sd_on_dn(group_dn, sddl)
1315 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1316 self.assertEqual(desc_sddl, sddl)
1317
1318 def test_202(self):
1319 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1320 See if the group has any of the added ACEs.
1321 """
1322 ou_dn = "OU=test_inherit_ou," + self.base_dn
1323 group_dn = "CN=test_inherit_group," + ou_dn
1324 # Create inheritable-free OU
1325 self.create_clean_ou(ou_dn)
1326 # Add some custom non-inheritable ACEs
1327 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1328 moded = "(D;;CC;;;LG)"
1329 self.sd_utils.dacl_add_ace(ou_dn, mod)
1330 # Verify all inheritable ACEs are gone
1331 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1332 # Create group child object
1333 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1334 # Make sure created group object contains NO inherit ACEs
1335 # also make sure the added above non-inheritable ACEs are absent too
1336 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1337 self.assertFalse("ID" in desc_sddl)
1338 for x in re.findall("\(.*?\)", mod):
1339 self.assertFalse(x in desc_sddl)
1340 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1341 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1342 self.assertFalse("ID" in desc_sddl)
1343 for x in re.findall("\(.*?\)", mod):
1344 self.assertFalse(x in desc_sddl)
1345
1346 def test_203(self):
1347 """ OU with protected flag and add 'CI' ACE, child group.
1348 See if the group has the added inherited ACE.
1349 """
1350 ou_dn = "OU=test_inherit_ou," + self.base_dn
1351 group_dn = "CN=test_inherit_group," + ou_dn
1352 # Create inheritable-free OU
1353 self.create_clean_ou(ou_dn)
1354 # Add some custom 'CI' ACE
1355 mod = "(D;CI;WP;;;DU)"
1356 moded = "(D;;CC;;;LG)"
1357 self.sd_utils.dacl_add_ace(ou_dn, mod)
1358 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1359 # Create group child object
1360 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1361 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1362 # Make sure created group object contains only the above inherited ACE
1363 # that we've added manually
1364 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1365 mod = mod.replace(";CI;", ";CIID;")
1366 self.assertTrue(mod in desc_sddl)
1367 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1368 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1369 self.assertTrue(moded in desc_sddl)
1370 self.assertTrue(mod in desc_sddl)
1371
1372 def test_204(self):
1373 """ OU with protected flag and add 'OI' ACE, child group.
1374 See if the group has the added inherited ACE.
1375 """
1376 ou_dn = "OU=test_inherit_ou," + self.base_dn
1377 group_dn = "CN=test_inherit_group," + ou_dn
1378 # Create inheritable-free OU
1379 self.create_clean_ou(ou_dn)
1380 # Add some custom 'CI' ACE
1381 mod = "(D;OI;WP;;;DU)"
1382 moded = "(D;;CC;;;LG)"
1383 self.sd_utils.dacl_add_ace(ou_dn, mod)
1384 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1385 # Create group child object
1386 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1387 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1388 # Make sure created group object contains only the above inherited ACE
1389 # that we've added manually
1390 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1391 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1392 self.assertTrue(mod in desc_sddl)
1393 self.sd_utils.modify_sd_on_dn(group_dn, "D:" +moded)
1394 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1395 self.assertTrue(moded in desc_sddl)
1396 self.assertTrue(mod in desc_sddl)
1397
1398 def test_205(self):
1399 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1400 See if the group has the added inherited ACE.
1401 """
1402 ou_dn = "OU=test_inherit_ou," + self.base_dn
1403 group_dn = "CN=test_inherit_group," + ou_dn
1404 # Create inheritable-free OU
1405 self.create_clean_ou(ou_dn)
1406 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1407 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1408 moded = "(D;;CC;;;LG)"
1409 self.sd_utils.dacl_add_ace(ou_dn, mod)
1410 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1411 # Create group child object
1412 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1413 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1414 # Make sure created group object contains only the above inherited ACE
1415 # that we've added manually
1416 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1417 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1418 self.assertTrue(mod in desc_sddl)
1419 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1420 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1421 self.assertTrue(moded in desc_sddl)
1422 self.assertTrue(mod in desc_sddl)
1423
1424 def test_206(self):
1425 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1426 See if the group has the added inherited ACE.
1427 """
1428 ou_dn = "OU=test_inherit_ou," + self.base_dn
1429 group_dn = "CN=test_inherit_group," + ou_dn
1430 # Create inheritable-free OU
1431 self.create_clean_ou(ou_dn)
1432 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1433 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1434 moded = "(D;;CC;;;LG)"
1435 self.sd_utils.dacl_add_ace(ou_dn, mod)
1436 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1437 # Create group child object
1438 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1439 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1440 # Make sure created group object contains only the above inherited ACE
1441 # that we've added manually
1442 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1443 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1444 self.assertTrue(mod in desc_sddl)
1445 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1446 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1447 self.assertTrue(moded in desc_sddl)
1448 self.assertTrue(mod in desc_sddl)
1449
1450 def test_207(self):
1451 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1452 See if the group has the added inherited ACE.
1453 """
1454 ou_dn = "OU=test_inherit_ou," + self.base_dn
1455 group_dn = "CN=test_inherit_group," + ou_dn
1456 # Create inheritable-free OU
1457 self.create_clean_ou(ou_dn)
1458 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1459 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1460 moded = "(D;;CC;;;LG)"
1461 self.sd_utils.dacl_add_ace(ou_dn, mod)
1462 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1463 # Create group child object
1464 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1465 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1466 # Make sure created group object contains only the above inherited ACE
1467 # that we've added manually
1468 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1469 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1470 self.assertTrue(mod in desc_sddl)
1471 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1472 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1473 self.assertTrue(moded in desc_sddl)
1474 self.assertTrue(mod in desc_sddl)
1475
1476 def test_208(self):
1477 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1478 See if the group has the added inherited ACE.
1479 """
1480 ou_dn = "OU=test_inherit_ou," + self.base_dn
1481 group_dn = "CN=test_inherit_group," + ou_dn
1482 # Create inheritable-free OU
1483 self.create_clean_ou(ou_dn)
1484 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1485 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1486 moded = "(D;;CC;;;LG)"
1487 self.sd_utils.dacl_add_ace(ou_dn, mod)
1488 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1489 # Create group child object
1490 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1491 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1492 # Make sure created group object contains only the above inherited ACE
1493 # that we've added manually
1494 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1495 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1496 self.assertTrue(mod in desc_sddl)
1497 self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1498 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1499 self.assertTrue(moded in desc_sddl)
1500 self.assertTrue(mod in desc_sddl)
1501
1502 def test_209(self):
1503 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1504 See if the group has the added inherited ACE.
1505 """
1506 ou_dn = "OU=test_inherit_ou," + self.base_dn
1507 group_dn = "CN=test_inherit_group," + ou_dn
1508 # Create inheritable-free OU
1509 self.create_clean_ou(ou_dn)
1510 # Add some custom 'CI' ACE
1511 mod = "(D;CI;WP;;;CO)"
1512 moded = "(D;;CC;;;LG)"
1513 self.sd_utils.dacl_add_ace(ou_dn, mod)
1514 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1515 # Create group child object
1516 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1517 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1518 # Make sure created group object contains only the above inherited ACE(s)
1519 # that we've added manually
1520 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1521 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1522 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1523 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1524 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1525 self.assertTrue(moded in desc_sddl)
1526 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1527 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1528
1529 def test_210(self):
1530 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1531 """
1532 ou_dn = "OU=test_inherit_ou," + self.base_dn
1533 group_dn = "CN=test_inherit_group," + ou_dn
1534 self.create_clean_ou(ou_dn)
1535 # Add some custom ACE
1536 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1537 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1538 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1539 # Make sure created group object does not contain the ID ace
1540 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1541 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1542
1543 def test_211(self):
1544 """ Provide ACE with CO SID, should be expanded and replaced
1545 """
1546 ou_dn = "OU=test_inherit_ou," + self.base_dn
1547 group_dn = "CN=test_inherit_group," + ou_dn
1548 # Create inheritable-free OU
1549 self.create_clean_ou(ou_dn)
1550 # Add some custom 'CI' ACE
1551 mod = "D:(D;CI;WP;;;CO)"
1552 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1553 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1554 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1555 self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
1556 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1557
1558 def test_212(self):
1559 """ Provide ACE with IO flag, should be ignored
1560 """
1561 ou_dn = "OU=test_inherit_ou," + self.base_dn
1562 group_dn = "CN=test_inherit_group," + ou_dn
1563 # Create inheritable-free OU
1564 self.create_clean_ou(ou_dn)
1565 # Add some custom 'CI' ACE
1566 mod = "D:(D;CIIO;WP;;;CO)"
1567 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1568 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1569 # Make sure created group object contains only the above inherited ACE(s)
1570 # that we've added manually
1571 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1572 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1573 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1574 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1575
1576 def test_213(self):
1577 """ Provide ACE with IO flag, should be ignored
1578 """
1579 ou_dn = "OU=test_inherit_ou," + self.base_dn
1580 group_dn = "CN=test_inherit_group," + ou_dn
1581 # Create inheritable-free OU
1582 self.create_clean_ou(ou_dn)
1583 mod = "D:(D;IO;WP;;;DA)"
1584 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1585 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1586 # Make sure created group object contains only the above inherited ACE(s)
1587 # that we've added manually
1588 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1589 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1590
1591 def test_214(self):
1592 """ Test behavior of ACEs containing generic rights
1593 """
1594 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1595 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1596 ou_dn2 = "OU=test_inherit_ou2," + ou_dn
1597 ou_dn3 = "OU=test_inherit_ou3," + ou_dn
1598 ou_dn4 = "OU=test_inherit_ou4," + ou_dn
1599 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1600 ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
1601 # Create inheritable-free OU
1602 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1603 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1604 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1605 mod = "D:(A;CI;GA;;;DU)"
1606 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1607 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1608 mod = "D:(A;CIIO;GA;;;DU)"
1609 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1610 self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
1611 mod = "D:(A;;GA;;;DU)"
1612 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1613 self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
1614 mod = "D:(A;IO;GA;;;DU)"
1615 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1616 self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
1617
1618 self.ldb_admin.create_ou(ou_dn5)
1619 self.ldb_admin.create_ou(ou_dn6)
1620
1621 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
1622 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1623 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1624 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
1625 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1626 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1627 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
1628 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1629 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1630 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
1631 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1632 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1633 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1634 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1635 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1636 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
1637 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1638 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1639
1640 def test_215(self):
1641 """ Make sure IO flag is removed in child objects
1642 """
1643 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1644 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1645 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1646 # Create inheritable-free OU
1647 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1648 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1649 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1650 mod = "D:(A;CIIO;WP;;;DU)"
1651 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1652 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1653 self.ldb_admin.create_ou(ou_dn5)
1654 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1655 self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
1656 self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
1657
1658 def test_216(self):
1659 """ Make sure ID ACES provided by user are ignored
1660 """
1661 ou_dn = "OU=test_inherit_ou," + self.base_dn
1662 group_dn = "CN=test_inherit_group," + ou_dn
1663 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1664 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1665 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1666 # Add some custom ACE
1667 mod = "D:(D;ID;WP;;;AU)"
1668 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1669 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1670 # Make sure created group object does not contain the ID ace
1671 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1672 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1673 self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
1674
1675 def test_217(self):
1676 """ Make sure ID ACES provided by user are not ignored if P flag is set
1677 """
1678 ou_dn = "OU=test_inherit_ou," + self.base_dn
1679 group_dn = "CN=test_inherit_group," + ou_dn
1680 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1681 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1682 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1683 # Add some custom ACE
1684 mod = "D:P(A;ID;WP;;;AU)"
1685 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1686 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1687 # Make sure created group object does not contain the ID ace
1688 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1689 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1690 self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
1691
1692 ########################################################################################
1693
1694
1695 class SdFlagsDescriptorTests(DescriptorTests):
1696 def deleteAll(self):
1697 delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1698
1699 def setUp(self):
1700 super(SdFlagsDescriptorTests, self).setUp()
1701 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1702 self.deleteAll()
1703
1704 def test_301(self):
1705 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1706 See that only the owner has been changed.
1707 """
1708 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1709 self.ldb_admin.create_ou(ou_dn)
1710 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1711 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1712 # make sure we have modified the owner
1713 self.assertTrue("O:AU" in desc_sddl)
1714 # make sure nothing else has been modified
1715 self.assertFalse("G:AU" in desc_sddl)
1716 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1717 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1718
1719 def test_302(self):
1720 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1721 See that only the owner has been changed.
1722 """
1723 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1724 self.ldb_admin.create_ou(ou_dn)
1725 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1726 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1727 # make sure we have modified the group
1728 self.assertTrue("G:AU" in desc_sddl)
1729 # make sure nothing else has been modified
1730 self.assertFalse("O:AU" in desc_sddl)
1731 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1732 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1733
1734 def test_303(self):
1735 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1736 See that only the owner has been changed.
1737 """
1738 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1739 self.ldb_admin.create_ou(ou_dn)
1740 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1741 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1742 # make sure we have modified the DACL
1743 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1744 # make sure nothing else has been modified
1745 self.assertFalse("O:AU" in desc_sddl)
1746 self.assertFalse("G:AU" in desc_sddl)
1747 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1748
1749 def test_304(self):
1750 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1751 See that only the owner has been changed.
1752 """
1753 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1754 self.ldb_admin.create_ou(ou_dn)
1755 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1756 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1757 # make sure we have modified the DACL
1758 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1759 # make sure nothing else has been modified
1760 self.assertFalse("O:AU" in desc_sddl)
1761 self.assertFalse("G:AU" in desc_sddl)
1762 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1763
1764 def test_305(self):
1765 """ Modify a descriptor with 0x0 set.
1766 Contrary to logic this is interpreted as no control,
1767 which is the same as 0xF
1768 """
1769 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1770 self.ldb_admin.create_ou(ou_dn)
1771 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1772 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1773 # make sure we have modified the DACL
1774 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1775 # make sure nothing else has been modified
1776 self.assertTrue("O:AU" in desc_sddl)
1777 self.assertTrue("G:AU" in desc_sddl)
1778 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1779
1780 def test_306(self):
1781 """ Modify a descriptor with 0xF set.
1782 """
1783 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1784 self.ldb_admin.create_ou(ou_dn)
1785 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1786 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1787 # make sure we have modified the DACL
1788 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1789 # make sure nothing else has been modified
1790 self.assertTrue("O:AU" in desc_sddl)
1791 self.assertTrue("G:AU" in desc_sddl)
1792 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1793
1794 def test_307(self):
1795 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1796 Only the owner part should be returned.
1797 """
1798 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1799 self.ldb_admin.create_ou(ou_dn)
1800 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1801 # make sure we have read the owner
1802 self.assertTrue("O:" in desc_sddl)
1803 # make sure we have read nothing else
1804 self.assertFalse("G:" in desc_sddl)
1805 self.assertFalse("D:" in desc_sddl)
1806 self.assertFalse("S:" in desc_sddl)
1807
1808 def test_308(self):
1809 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1810 Only the group part should be returned.
1811 """
1812 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1813 self.ldb_admin.create_ou(ou_dn)
1814 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1815 # make sure we have read the owner
1816 self.assertTrue("G:" in desc_sddl)
1817 # make sure we have read nothing else
1818 self.assertFalse("O:" in desc_sddl)
1819 self.assertFalse("D:" in desc_sddl)
1820 self.assertFalse("S:" in desc_sddl)
1821
1822 def test_309(self):
1823 """ Read a descriptor with SACL_SECURITY_INFORMATION
1824 Only the sacl part should be returned.
1825 """
1826 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1827 self.ldb_admin.create_ou(ou_dn)
1828 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1829 # make sure we have read the owner
1830 self.assertTrue("S:" in desc_sddl)
1831 # make sure we have read nothing else
1832 self.assertFalse("O:" in desc_sddl)
1833 self.assertFalse("D:" in desc_sddl)
1834 self.assertFalse("G:" in desc_sddl)
1835
1836 def test_310(self):
1837 """ Read a descriptor with DACL_SECURITY_INFORMATION
1838 Only the dacl part should be returned.
1839 """
1840 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1841 self.ldb_admin.create_ou(ou_dn)
1842 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1843 # make sure we have read the owner
1844 self.assertTrue("D:" in desc_sddl)
1845 # make sure we have read nothing else
1846 self.assertFalse("O:" in desc_sddl)
1847 self.assertFalse("S:" in desc_sddl)
1848 self.assertFalse("G:" in desc_sddl)
1849
1850
1851 class RightsAttributesTests(DescriptorTests):
1852
1853 def deleteAll(self):
1854 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1855 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1856 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1857
1858 def setUp(self):
1859 super(RightsAttributesTests, self).setUp()
1860 self.deleteAll()
1861 ### Create users
1862 # User 1
1863 self.ldb_admin.newuser("testuser_attr", "samba123@")
1864 # User 2, Domain Admins
1865 self.ldb_admin.newuser("testuser_attr2", "samba123@")
1866 self.ldb_admin.add_remove_group_members("Domain Admins",
1867 "testuser_attr2",
1868 add_members_operation=True)
1869
1870 def test_sDRightsEffective(self):
1871 object_dn = "OU=test_domain_ou1," + self.base_dn
1872 delete_force(self.ldb_admin, object_dn)
1873 self.ldb_admin.create_ou(object_dn)
1874 print self.get_users_domain_dn("testuser_attr")
1875 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1876 #give testuser1 read access so attributes can be retrieved
1877 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1878 self.sd_utils.dacl_add_ace(object_dn, mod)
1879 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1880 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1881 attrs=["sDRightsEffective"])
1882 #user whould have no rights at all
1883 self.assertEquals(len(res), 1)
1884 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1885 #give the user Write DACL and see what happens
1886 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1887 self.sd_utils.dacl_add_ace(object_dn, mod)
1888 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1889 attrs=["sDRightsEffective"])
1890 #user whould have DACL_SECURITY_INFORMATION
1891 self.assertEquals(len(res), 1)
1892 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1893 #give the user Write Owners and see what happens
1894 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1895 self.sd_utils.dacl_add_ace(object_dn, mod)
1896 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1897 attrs=["sDRightsEffective"])
1898 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1899 self.assertEquals(len(res), 1)
1900 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1901 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1902 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1903 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1904 attrs=["sDRightsEffective"])
1905 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1906 self.assertEquals(len(res), 1)
1907 self.assertEquals(res[0]["sDRightsEffective"][0], \
1908 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1909
1910 def test_allowedChildClassesEffective(self):
1911 object_dn = "OU=test_domain_ou1," + self.base_dn
1912 delete_force(self.ldb_admin, object_dn)
1913 self.ldb_admin.create_ou(object_dn)
1914 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1915 #give testuser1 read access so attributes can be retrieved
1916 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1917 self.sd_utils.dacl_add_ace(object_dn, mod)
1918 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1919 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1920 attrs=["allowedChildClassesEffective"])
1921 #there should be no allowed child classes
1922 self.assertEquals(len(res), 1)
1923 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1924 #give the user the right to create children of type user
1925 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1926 self.sd_utils.dacl_add_ace(object_dn, mod)
1927 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1928 attrs=["allowedChildClassesEffective"])
1929 # allowedChildClassesEffective should only have one value, user
1930 self.assertEquals(len(res), 1)
1931 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1932 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1933
1934 def test_allowedAttributesEffective(self):
1935 object_dn = "OU=test_domain_ou1," + self.base_dn
1936 delete_force(self.ldb_admin, object_dn)
1937 self.ldb_admin.create_ou(object_dn)
1938 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1939 #give testuser1 read access so attributes can be retrieved
1940 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1941 self.sd_utils.dacl_add_ace(object_dn, mod)
1942 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1943 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1944 attrs=["allowedAttributesEffective"])
1945 #there should be no allowed attributes
1946 self.assertEquals(len(res), 1)
1947 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1948 #give the user the right to write displayName and managedBy
1949 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1950 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1951 # also rights to modify an read only attribute, fromEntry
1952 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1953 self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
1954 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1955 attrs=["allowedAttributesEffective"])
1956 # value should only contain user and managedBy
1957 self.assertEquals(len(res), 1)
1958 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1959 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1960 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1961
1962 if not "://" in host:
1963 if os.path.isfile(host):
1964 host = "tdb://%s" % host
1965 else:
1966 host = "ldap://%s" % host
1967
1968 # use 'paged_search' module when connecting remotely
1969 if host.lower().startswith("ldap://"):
1970 ldb_options = ["modules:paged_searches"]
1971
1972 ldb = SamDB(host,
1973 credentials=creds,
1974 session_info=system_session(lp),
1975 lp=lp,
1976 options=ldb_options)
1977
1978 runner = SubunitTestRunner()
1979 rc = 0
1980 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1981 rc = 1
1982 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1983 rc = 1
1984 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1985 rc = 1
1986 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
1987 rc = 1
1988 sys.exit(rc)
reg import